Security Hacks

1459 Articles

WOPR: Security Loses Some Of Its Obscurity

March 28, 2019 by 11 Comments

As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.

The “Hollywood Hacker” Playset

Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.

In an attempt bridge the gap, the recent WOPR Summit brought together talks and presentations from all sections of the larger hacking world. The goal of the event was to show that the different facets of the community have far more in common than they might realize, and featured a number of talks that truly blurred the lines. The oscilloscope toting crew learned a bit about the covert applications of their gadgets, and the high-level security minded individuals got a good look at how the silicon sausage gets made.

Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.

Continue reading “WOPR: Security Loses Some Of Its Obscurity”

What To Do When The Botnet Comes Knocking

March 21, 2019 by 34 Comments

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that web-site each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.

Continue reading “What To Do When The Botnet Comes Knocking”

Spoiler, Use-After-Free, And Ghidra: This Week In Computer Security

March 13, 2019 by 24 Comments

The past few days have been busy if you’re trying to keep up with the pace of computer security news. Between a serious Chromium bug that’s actively being exploited on Windows 7 systems, the NSA releasing one of their tools as an open source project, and a new Spectre-like speculative execution flaw in Intel processors, there’s a lot to digest.
Continue reading “Spoiler, Use-After-Free, And Ghidra: This Week In Computer Security”

Hackers Turn Hard Drive Into Microphone That Can Listen In On Your Computer’s Fan Whine

March 13, 2019 by 28 Comments

As reported by The Register, hackers can now listen in on conversations happening around your computer by turning a hard drive into a microphone. There are caveats: the hack only works if these conversations are twice as loud as a blender, or about as loud as a lawn mower. In short, no one talks that loud, move along, nothing to see here.

The attack is to be presented at the 2019 IEEE Symposium on Security and Privacy, and describes the attack as a modification of the firmware on a disk drive to read the Position Error Signal that keeps read/write heads in the optimal position. This PES is affected by air pressure, and if something is affected by air pressure, you’ve got a microphone. In this case, it’s a terrible microphone that’s mechanically coupled to a machine that has a lot of vibrations including the spinning platter and a bunch of fans inside the computer. This is an academic exercise, and not a real attack, and either way to exfiltrate this data you need to root the computer the hard drive is attached to. It’s attacks all the way down.

The limiting factor in this attack is that it requires a very loud conversation to be held near a hard drive. To record speech, the researchers had to pump up the volume to 85 dBA, or about the same volume as a blender crushing some ice. Recording music through this microphone so that Shazam could identify the track meant playing the track back at 90 dBA, or about the same volume as a lawnmower. Basically, this isn’t happening.

The interesting bit of this hack isn’t using a hard drive as a microphone. It’s modifying the firmware on a hard drive to do something. We’ve seen some hacks like this before, but the latest public literature on hard drive firmware hacking is years old. If you’ve got a tip on how to hack hard drives, even if it’s to do something that’s horribly impractical, we’d love to see it.

What Hardware Lies Beneath? Companies Swear They Never Meant To Violate Your Privacy

March 11, 2019 by 76 Comments

“Don’t Be Evil” was the mantra of Google from years before even Gmail was created. While certainly less vague than their replacement slogan “Do the Right Thing”, there has been a lot of criticism directed at Google over the past decade and a half for repeatedly being at odds with one of their key values. It seems as though they took this criticism to heart (or found it easier to make money without the slogan), and subsequently dropped it in 2018. Nothing at Google changed, though, as the company has continued with several practices which at best could be considered shady.

The latest was the inclusion of an undisclosed microphone in parts of their smart home system, the Nest Guard. This is a member of the Nest family of products — it is not the thermostat itself, but a base station for a set of home security hardware you can install yourself. The real issue is that this base station was never billed as being voice activated. If you’re someone who has actively avoided installing “always-listening” style devices in your home, it’s infuriating to learn there is hardware out that have microphones in them but no mention of that in the marketing of the product. Continue reading “What Hardware Lies Beneath? Companies Swear They Never Meant To Violate Your Privacy”

1 Trillion USD Refund! (PDF Enclosed)

March 6, 2019 by 5 Comments

Security researchers have found that it is possible to alter a digitally signed PDF without invalidating its signatures. To demonstrate it, they produced a fake document “refund order” of $1,000,000,000,000 dollars, with a valid signature from Amazon. This sparked my attention, since I was quite sure that they didn’t use some sort of quantum device to break the cryptography involved in the signing process. So what exactly is going on?

The researchers claim to found at least three different ways to, in their words:

… use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by invoicing@amazon.de to refund us one trillion dollars.

That’s not good news if you take into account that the main purpose of digitally signing a document is, well, prevent unauthorized changes in that document. The good news is that you can update your software to fix this flaws because of this research; the main PDF readers companies were given time to fix the issues. The bad news is that if you rely on the signature verification for any sensitive process, you likely want to go back and see if you were using vulnerable software previously and check that documents were correctly validated. I’m thinking about government institutions, banks, insurance companies and so on.

The implications are yet to be seen and probably won’t even be fully known.

There are three classes of attacks that work on different software. I’ll try to go into each one from what I could tell from reading the research.

Continue reading “1 Trillion USD Refund! (PDF Enclosed)”

WiFi Hides Inside A USB Cable

February 18, 2019 by 42 Comments

If you weren’t scared of USB cables before, you should be now. The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.

You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.

In the years BadUSB — an exploit hidden in a device’s USB controller itself — was released upon the world, [MG] has been tirelessly working on making his own malicious USB device, and now it’s finally ready. The O.MG cable hides a backdoor inside the shell of a standard, off-the-shelf USB cable.

The construction of this device is quite impressive, in that it fits entirely inside a USB plug. But this isn’t a just a PCB from a random Chinese board house: [MG] spend 300 hours and $4000 in the last month putting this project together with a Bantam mill and created his own PCBs, with silk screen. That’s impressive no matter how you cut it.

Future updates to this cable that will hack any computer might include a port of ESPloitV2, an Open Source WiFi controlled USB HID keyboard emulator. That will bring a lot of power to this device that’s already extremely capable. In the video attached to this tweet you can see the O.MG cable connected to a MacBook, with [MG] opening up a webpage remotely.