DIY Rubber Ducky Is As Cheap As Its Namesake

September 17, 2018 by Tom Nardi 26 Comments

The “Rubber Ducky” by Hak5 is a very powerful tool that lets the user perform rapid keystroke injection attacks, which is basically a fancy way of saying the device can type fast. Capable of entering text at over 1000 WPM, Mavis Beacon’s got nothing on this $45 gadget. Within just a few seconds of plugging it in, a properly programmed script can do all sorts of damage. Just think of all the havoc that can be caused by an attacker typing in commands on the local machine, and now image they are also the Flash.

But unless you’re a professional pentester, $45 might be a bit more than you’re looking to spend. Luckily for the budget conscious hackers out there, [Tomas C] has posted a guide on using open source software to create a DIY version of Hak5’s tool for $3 a pop. At that cost, you don’t even have to bother recovering the things when you deploy them; just hold on tight to your balaclava and make a run for it.

The hardware side of this hack is the Attiny85-based Digispark, clones of which can be had for as low as $1.50 USD depending on how long your willing to wait on the shipping from China. Even the official ones are only $8, though as of the time of this writing are not currently available. Encapsulating the thing in black shrink tubing prevents it from shorting out, and as an added bonus, gives it that legit hacker look. Of course, it wouldn’t be much of a hack if you could just buy one of these little guys and install the Rubber Ducky firmware on it.

In an effort to make it easier to use, the official Rubber Ducky runs scripts written in a BASIC-like scripting language. [Tomas C] used a tool called duck2spark by [Marcus Mengs], which lets you take a Rubber Ducky script (which have been released by Hak5 as open source) and compile it into a binary for flashing to the Digispark.

Not quite as convenient as just copying the script to the original Ducky’s microSD card, but what do you want for less than 1/10th the original’s price? Like we’ve seen in previous DIY builds inspired by Hak5 products, the trade-off is often cost for ease of use.

[Thanks to Javier for the tip.]

Researcher uses antenna to clone Tesla key fob

Tesla Opens With Precomputed Key Fob Attack

September 13, 2018 by Jonathan Bennett 43 Comments

This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike previous key fob attacks that we’ve covered in the past which have been essentially relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.

Continue reading “Tesla Opens With Precomputed Key Fob Attack” →

Source Of Evil – A Botnet Code Collection

September 9, 2018 by Sven Gregori 9 Comments

In case you’re looking for a variety of IRC client implementations, or always wondered how botnets and other malware looks on the inside, [maestron] has just the right thing for you. After years of searching and gathering the source code of hundreds of real-world botnets, he’s now published them on GitHub.

With C++ being the dominant language in the collection, you will also find sources in C, PHP, BASIC, Pascal, the occasional assembler, and even Java. And if you want to consider the psychological aspect of it, who knows, seeing their malicious creations in their rawest form might even give you a glimpse into the mind of their authors.

These sources are of course for educational purposes only, and it should go without saying that you probably wouldn’t want to experiment with them outside a controlled environment. But in case you do take a closer look at them and are someone who generally likes to get things in order, [maestron] is actually looking for ideas how to properly sort and organize the collection. And if you’re more into old school viruses, and want to see them run in a safe environment, there’s always the malware museum.

FOSSCON 2018: Developing The FreedomBox

September 3, 2018 by Tom Nardi 11 Comments

The modern Internet can be a dangerous place, especially for those who might not have the technical wherewithal to navigate its pitfalls. Whether it’s malware delivered to your browser through a “drive-by” or online services selling your data to the highest bidder, its gotten a lot harder over the last decade or so to use the Internet as an effective means of communication and information gathering without putting yourself at risk.

But those are just the passive threats that we all have to contend with. What if you’re being actively targeted? Perhaps your government has shut down access to the Internet, or the authorities are looking to prevent you from organizing peaceful protests. What if you’re personal information is worth enough to some entity that they’ll subpoena it from your service providers?

It’s precisely for these sort of situations that the FreedomBox was developed. As demonstrated by Danny Haidar at FOSSCON 2018 in Philadelphia, the FreedomBox promises to help anyone deploy a secure and anonymous Internet access point in minutes with minimal user interaction.

It’s a concept privacy advocates have been talking about for years, but with the relatively recent advent of low-cost ARM Linux boards, may finally be practical enough to go mainstream. While there’s still work to be done, the project is already being used to provide Internet gateways in rural India.

Continue reading “FOSSCON 2018: Developing The FreedomBox” →

New Mooltipass Begins Development With Call For Collaborators

August 31, 2018 by Mike Szczys 14 Comments

One of the most interesting aspects of our modern world is the ability to work collaboratively despite the challenges of geography and time zones. Distributed engineering is a trend which we’ve watched pick up steam over the years. One such example is the Mooltipass offline password keeper which was built by a distributed engineering team from all over the world. The project is back, and this time the goal is to add BLE to the mini version of the hardware. The call for collaborators was just posted on the project page so head over and check out how the collaboration works.

The key to the hardware is the use of a smartcard with proven encryption to store your passwords. Mooltipass is a secure interface between this card and a computer via USB. The new version will be a challenge as it introduces BLE for connectivity with smart phones. To help mitigate security risks, a second microcontroller is added to the existing design to act as a gatekeeper between the secure hardware and the BLE connection.

Mathieu Stephan is the driving force behind the Mooltipass project, which was one of the first projects on Hackaday.io and has been wildly successful in crowd funding and on Tindie. Mathieu and five other team members already have a proof of concept for the hardware. However, more collaborators are needed to help see all aspects of the project — hardware, firmware, and software — through to the end. This is a product, and in addition to building something awesome, the goal is to turn a profit.

How do you reconcile work on an Open Source project with a share of the spoils? Their plan is to log hours spent bringing the new Mooltipass to life and share the revenue using a site like colony.io. This is a tool built on the Ethereum blockchain to track contributions to open projects, assigning tokens that equate to value in the project. It’s an interesting approach and we’re excited to see how it takes shape.

You can catch up on the last few years of the Mooltipass adventure my checking out Mathieu’s talk during the 2017 Hackaday Superconference. If this article has you as excited about distributed engineer as we are, you need to check out the crew that’s building this year’s Open Hardware Summit badge!

Foreshadow: The Sky Is Falling Again For Intel Chips

August 14, 2018 by Brian Benchoff 46 Comments

It’s been at least a month or two since the last vulnerability in Intel CPUs was released, but this time it’s serious. Foreshadow is the latest speculative execution attack that allows balaclava-wearing hackers to steal your sensitive information. You know it’s a real 0-day because it already has a domain, a logo, and this time, there’s a video explaining in simple terms anyone can understand why the sky is falling. The video uses ukuleles in the sound track, meaning it’s very well produced.

The Foreshadow attack relies on Intel’s Software Guard Extension (SGX) instructions that allow user code to allocate private regions of memory. These private regions of memory, or enclaves, were designed for VMs and DRM.

How Foreshadow Works

The Foreshadow attack utilizes speculative execution, a feature of modern CPUs most recently in the news thanks to the Meltdown and Spectre vulnerabilities. The Foreshadow attack reads the contents of memory protected by SGX, allowing an attacker to copy and read back private keys and other personal information. There is a second Foreshadow attack, called Foreshadow-NG, that is capable of reading anything inside a CPU’s L1 cache (effectively anything in memory with a little bit of work), and might also be used to read information stored in other virtual machines running on a third-party cloud. In the worst case scenario, running your own code on an AWS or Azure box could expose data that isn’t yours on the same AWS or Azure box. Additionally, countermeasures to Meltdown and Spectre attacks might be insufficient to protect from Foreshadown-NG

The researchers behind the Foreshadow attacks have talked with Intel, and the manufacturer has confirmed Foreshadow affects all SGX-enabled Skylake and Kaby Lake Core processors. Atom processors with SGX support remain unaffected. For the Foreshadow-NG attack, many more processors are affected, including second through eighth generation Core processors, and most Xeons. This is a significant percentage of all Intel CPUs currently deployed. Intel has released a security advisory detailing all the affected CPUs.

Side Channel Attacks Against Mixed Signal Microcontrollers

July 30, 2018 by Brian Benchoff 7 Comments

You shouldn’t transmit encryption keys over Bluetooth, but that’s exactly what some popular wireless-enabled microcontrollers are already doing. This is the idea behind Screaming Channels, an exploit published by researchers at EUERCOM, and will be a talk at Black Hat next week. So far, the researchers have investigated side-channel attacks on Bluetooth-enabled microcontrollers, allowing them to extract tinyAES keys from up to 10 meters away in controlled environments. A PDF of the paper is available and all the relevant code is available on GitHub.

The experimental setup for this exploit consisted of a BLE Nano, a breakout board for a Nordic nRF52832 Bluetooth microcontroller, a Hack RF, a USRB N210 software defined radio from Ettus, and a few high-gain antennas and LNAs. The example attack relies on installing firmware on the BLE Nano that runs through a few loops and encrypts something with tinyAES. Through very careful analysis of the RF spectrum, the AES keys can be extracted from the ether.

Side channel attacks have received a bit more popularity over recent years. What was once limited to Three Letter Agency-level Van Eck phreaking can now be done inexpensively and in a system with devices like the ChipWhisperer.

Of course, this is only a demonstration of what is possible with side-channel attacks in a highly controlled environment with a significant amount of work gone into the firmware running on the microcontroller. This isn’t evidence that balaclava-wearing hackers are sniffing your phone from across the parking lot to get the password to your Instagram account, but it does show what is possible with relatively cheap, off-the-shelf hardware.