Unlocking God Mode On X86 Processors

February 3, 2019 by Jonathan Bennett 39 Comments

We missed this Blackhat talk back in August, but it’s so good we’re glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user/kernel separation mechanisms.

The result is that these specific processors have an intentional mechanism that allows any unprivileged user to jump directly to root level access. The most fascinating part of the talk is the methodical approach [Domas] took to discover the details of this undocumented feature. Once he had an idea of what he was looking for, he automated the process of checking every possible x86 instruction, looking for the one instruction that allowed running code on that extra core. The whole talk is entertaining and instructional, check it out after the break!

There’s a ton of research poking at the instruction level of complication processors. One of our favorites, also by [Domas], is sandsifter which searches for undocumented instructions.

Continue reading “Unlocking God Mode On X86 Processors” →

This Tiny Router Could Be The Next Big Thing

February 1, 2019 by Tom Nardi 22 Comments

It seems like only yesterday that the Linksys WRT54G and the various open source firmware replacements for it were the pinnacle of home router hacking. But like everything else, routers have gotten smaller and faster over the last few years. The software we run on them has also gotten more advanced, and at this point we’ve got routers that you could use as a light duty Linux desktop in a pinch.

But even with no shortage of pocket-sized Linux devices in our lives, the GL-USB150 “Microrouter” that [Mason Taylor] recently brought to our attention is hard to ignore. Inside this USB flash drive sized router is a 400 MHz Qualcomm QCA9331 SoC, 64 MB of RAM, and a healthy 16 MB of storage; all for around $20 USD. Oh, and did we mention it comes with OpenWRT pre-installed? Just plug it in, and you’ve got a tiny WiFi enabled Linux computer ready to do your bidding.

On his blog [Mason] gives a quick rundown on how to get started with the GL-USB150, and details some of the experiments he’s been doing with it as part of his security research, such as using the device as a remote source for Wireshark running on his desktop. He explains that the diminutive router works just fine when plugged into a USB battery bank, offering a very discreet way to deploy a small Linux box wherever you may need it. But when plugged into a computer, things get really interesting.

If you plug the GL-USB150 into a computer, it shows up to the operating system as a USB Ethernet adapter and can be used as the primary Internet connection. All of the traffic from the computer will then be routed through the device to whatever link to the Internet its been configured to use. Depending on how you look at it, this could be extremely useful or extremely dangerous.

For one, it means that something that looks all the world like a normal USB flash drive could be covertly plugged into a computer and become a “wiretap” through which all of the network traffic is routed. That’s the bad news. On the flip side, it also means you could configure the GL-USB150 as a secure endpoint that lets you quickly and easily funnel all the computer’s traffic through a VPN or Tor without any additional setup.

We’ve seen all manner of hacks and projects that made use of small Linux-compatible routers such as the TP-Link TL-MR3020, but we expect the GL-USB150 and devices like it will be the ones to beat going forward. Let’s just hope one of them doesn’t show up uninvited in your network closet.

Don’t Toss That Bulb, It Knows Your Password

January 29, 2019 by Tom Nardi 70 Comments

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulb starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later…)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb’s maker, but that until they fixed them, he didn’t want to make them public. They’re fixed now, and it appears that the bulbs were sending everything over the network unencrypted — your data, OTA firmware upgrades, everything. They’re using TLS now, so good job [Limited Results]! If you’re running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

What Happens When A Regular Person Finds A Huge Security Flaw?

January 29, 2019 by Brian Benchoff 38 Comments

The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.

So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.

But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

Continue reading “What Happens When A Regular Person Finds A Huge Security Flaw?” →

Solar-Powered OpenWRT Router For Mobile Privacy

January 24, 2019 by Tom Nardi 25 Comments

Let’s not pretend we aren’t all guilty of it: at some point we’ve all connected to a public WiFi network to check our email or log into some site or service. We know the risks, we know better. But in a weak moment we can let the convenience of that public network get the better of us. What if you had a small secure router that you could use as an encrypted VPN endpoint, allowing you to connect to those enticing public networks while keeping your traffic secure? That’s precisely what [David] had in mind when he built this pint-sized solar-powered OpenWRT router.

At the heart of this gadget is the TP-Link TL-MR3020, a tiny OpenWRT-compatible router that’s no stranger to the pages of Hackaday. Its small size and low cost have made it a natural choice for a wide array of projects, so it’s little surprise that [David] gravitated towards it. But simply getting OpenWRT installed on the MR3020 and configuring OpenVPN doesn’t exactly grant you entrance into the Hackaday Pantheon, so obviously there’s a bit more to the story.

For one, [David] didn’t like the idea of a USB flash drive hanging out of the side of his router. Since the flash drive would essentially be a permanent part of the router, as it is being used to expand the rather meager internal storage of the MR3020 he decided to wack the USB end off the flash drive and solder it directly to the router’s PCB. This gave him a much cleaner looking package, but it still wasn’t as portable as he’d like.

He decided to order a solar-charged USB power bank to become the new home of his hacked MR3020. He kept the solar panel and charge controller from the original gadget, and after some researched settled on a pair of LG-HG2 3000 mAh batteries as the power source. [David] went through a few charge and discharge cycles making sure everything worked as expected before buttoning up the case. In the future he says he might transplant the electronics into a 3D printed case, but for now he’s pretty pleased with the results.

If you’d like to try your hand at hacking these popular micro routers, you’ll need to start with an OpenWRT firmware. After you’ve got a full blown Linux distro running on this little fellow, the only limitation is your own imagination.

Win Back Some Privacy With A Cone Of Silence For Your Smart Speaker

January 17, 2019 by Dan Maloney 81 Comments

To quote the greatest philosopher of the 20th century: “The future ain’t what it used to be.” Take personal assistants such as Amazon Echo and Google Home. When first predicted by sci-fi writers, the idea of instant access to the sum total of human knowledge with a few utterances seemed like a no-brainer; who wouldn’t want that? But now that such things are a reality, having something listening to you all the time and potentially reporting everything it hears back to some faceless corporate monolith is unnerving, to say the least.

There’s a fix for that, though, with this cone of silence for your smart speaker. Dubbed “Project Alias” by [BjørnKarmann], the device consists of a Raspberry Pi with a couple of microphones and speakers inside a 3D-printed case. The Pi is programmed to emit white noise from its speakers directly into the microphones of the Echo or Home over which it sits, masking out the sounds in the room while simultaneously listening for a hot-word. It then mutes the white noise, plays a clip of either “Hey Google” or “Alexa” to wake the device up, and then business proceeds as usual. The bonus here is that the hot-word is customizable, so that in addition to winning back a measure of privacy, all the [Alexas] in your life can get their names back too. The video below shows people interacting with devices named [Doris], [Marvin], [Petey], and for some reason, [Milkshake].

We really like this idea, and the fact that no modifications are needed to the smart speaker is pretty slick, as is the fact that with a few simple changes to the code and the print files it can be used with any smart speaker. And some degree of privacy from the AI that we know is always listening through these things is no small comfort either.

Continue reading “Win Back Some Privacy With A Cone Of Silence For Your Smart Speaker” →

RSA Encryption Cracked Easily (Sometimes)

January 16, 2019 by Al Williams 32 Comments

A large chunk of the global economy now rests on public key cryptography. We generally agree that with long enough keys, it is infeasible to crack things encoded that way. Until such time as it isn’t, that is. Researchers published a paper a few years ago where they cracked a large number of keys in a very short amount of time. It doesn’t work on any key, as you’ll see in a bit, but here’s the interesting part: they used an undescribed algorithm to crack the codes in a very short amount of time on a single-core computer. This piqued [William Kuszmaul’s] interest and he found some follow up papers that revealed the algorithms in question. You can read his analysis, and decide for yourself how badly this compromises common algorithms.

The basis for public key cryptography is that you multiply two large prime numbers to form a product and post it publicly. Because it is computationally difficult to find prime factors of large numbers, this is reasonably secure because it is difficult to find those prime numbers that are selected randomly.

However, the random selection leads to an unusual attack. Public keys, by their very nature, are available all over the Internet. Most of them were generated with the same algorithm and random number generation isn’t actually totally random. That means some keys share prime factors and finding a common factor between two numbers isn’t nearly as difficult.

Continue reading “RSA Encryption Cracked Easily (Sometimes)” →