Getting Data Out Of Air-Gapped Networks Through The Power Cable

If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it, and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out, or so goes the theory.

Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

So how is this seemingly impossible task performed? The answer comes through the mains electrical infrastructure, if the air gap is bridged by a mains cable then the load on that mains cable can be modulated by altering the work undertaken by a computer connected to it. This modulation can then be detected with a current transformer, or even by compromising a UPS or electricity meter outside the air gap.

Of course, the Hackaday readership are all upstanding and law-abiding citizens of good standing, to whom such matters are of purely academic interest. Notwithstanding that, the article goes into the subject in great detail, and makes for a fascinating read.

We’ve touched on this subject before with such various techniques as broadcast radio interference and the noise from a fan,  as well as with an in-depth feature.

Broadpwn – All Your Mobiles are Belong to Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles are Belong to Us”

Superconference Interview: Samy Kamkar

Samy Kamkar has an incredible arsenal of self-taught skills that have grown into a remarkable career as a security researcher. He dropped out of high school to found a company based on Open Source Software and became infamous for releasing the Samy worm on the MySpace platform. But in our minds Samy has far outpaced that notoriety with the hardware-based security exploits he’s uncovered over the last decade. And he’s got a great gift for explaining these hacks — from his credit card magstripe spoofing experiments to hacking keyless entry systems and garage door opener remotes — in great depth during his talk at the 2016 Hackaday Superconference.

We pulled Samy aside after his talk to discuss how the security scene has grown up over the years and asked him to share his advice for people just coming up now. We’re happy to publish it for the first time today, it can be seen below.

Now it’s your turn. The Call for Proposals is now open for the 2017 Hackaday Superconference. You don’t need to be Samy Kamkar to qualify for a talk. You just need an interesting story of hardware engineering, creativity in technical design, an adventure with product design, or a sordid tale of your prototyping experiences. We hope everyone with a story will submit their proposal, but for those who don’t tickets are now available. The Hackaday Superconference will take place in Pasadena, California on November 11th and 12th.

Smart Gun Beaten by Dumb Magnets

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.
Continue reading “Smart Gun Beaten by Dumb Magnets”

Sneak Thieves Beware: A Pi Watcheth

Ever have that strange feeling that somebody is breaking into your workshop? Well, Hackaday.io user [Kenny] has whipped up a tutorial on how to scratch that itch by turning a spare Raspberry Pi you may have kicking around into a security camera system that notifies you at a moment’s notice.

The system works like this: a Raspberry Pi 3 and connected camera module remain vigilant, constantly scanning for motion and recording video. If motion is detected, it immediately snaps and sends a picture to the user’s mobile via PushBullet, then begins recording video. If there is still movement after a few seconds, the process repeats until the area is once again devoid of motion. This also permits a two-way communication with your Pi security system, so you can check in on the live feed whenever you feel the urge.

To get this working for you — assuming that your Pi has been recently updated — setup requires setting up a PushBullet account as well as installing it on your mobile and  linking it with an API. For your Pi, you can go ahead with setting up some Python PushBullet libraries, installing FFmpeg, Pi Camera Notifier, and others. Or, install the ready-to-go image [Kenny] has prepared. He gets into the nitty-gritty of the code in his guide, so check that out or watch the tutorial video after the break.

Continue reading “Sneak Thieves Beware: A Pi Watcheth”

Dropping Zip Bombs on Vulnerability Scanners

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s Schmoocon for cathartic tales of revenge.

Hacking Into…. A Wind Farm?

Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.

There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally  in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.

[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.

The team are presenting their findings from the five farms they accessed at the Black Hat security conference — manufacturers, company names, locations and etc. withheld for obvious reasons. One hopes that security measures are stepped up in the near future if wind power is to become an integral part of the power grid.

All this talk of hacking and wind reminds us of our favourite wind-powered wanderer: the Strandbeest!

[via WIRED]