Security Hacks

1538 Articles

Fooling Fingerprint Scanners With A Resin Printer

April 8, 2019 by 12 Comments

Biometrics have often been used as a form of access control. While this was initially limited to bank vaults in Hollywood movies, it’s now common to see such features on many laptops and smartphones. Despite the laundry list of reasons why this is a bad idea, the technology continues to grow in popularity. [darkshark] has shown us an easy exploit, using a 3D printer to fool the Galaxy S10’s fingerprint scanner.

The Galaxy S10 is interesting for its use of an ultrasonic fingerprint sensor, which continues to push to hardware development of phones minimal-to-no bezels by placing the sensor below the screen. The sensor is looking for the depth of the ridges of your fingerprint, while the touchscreen verifies the capacitive presence of your meaty digit. This hack satisfies both of those checks.

[darkshark] starts with a photograph of a fingerprint on a wineglass. This is then manipulated in Photoshop, before being used to create geometry in 3DSMAX to replicate the original finger. After making the part on an AnyCubic Photon LCD resin printer, the faux-finger pad is able to successfully unlock the phone by placing the print on the glass and touching your finger on top of it.ster

[darkshark] notes that the fingerprint was harvested at close range, but a camera with the right lenses could capture similar detail at a distance. The other thing to note is that if your phone is stolen, it’s likely covered in greasy fingerprints anyway. As usual, it serves as an excellent reminder that fingerprints are not passwords, and should not be treated as such. If you need to brush up on the fundamentals, we’ve got a great primer on how fingerprint scanners work, and another on why using fingerprints for security is a bad plan.

[via reddit, thanks to TheEngineer for the tip!]

Hash And Roll Your Way To Secure Passwords

March 30, 2019 by 17 Comments

In the electronic battlefield that is 2019, the realm of password security is fraught with dangers. Websites from companies big and small leak like sieves, storing user data in completely unsecure ways. Just about the worst thing you can do is use the same password across several services, meaning that an attack on one gives entry to multiple accounts. The challenge is to generate a unique and secure password for each and every application, and [Ilia]’s way of doing that is called HashDice.

No, it’s not a password manager, or an app – it’s a simple method that can be readily applied by anyone with the right tools. A simple dice is used to create random numbers, which are used to select words from a list to form the basic secret phrase. This is then combined with the name of the service or application to be accessed, the date, and a salt, before hashing using the SHA256 algorithm. The final hash is then truncated to create the password. You can do it all on a device that’s airgapped from the world, ensuring your core secret is never exposed, thus maintaining security.

There are some pitfalls to this method, of course. Many websites make things harder by requiring special characters or enforcing length limits on passwords. [Ilia] helpfully suggests several workarounds for this, but admits that no system is perfect in the face of these obstacles.

If you’re now wondering if your current password is safe, there are ways to investigate that, too.

 

WOPR: Security Loses Some Of Its Obscurity

March 28, 2019 by 11 Comments

As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.

The “Hollywood Hacker” Playset

Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.

In an attempt bridge the gap, the recent WOPR Summit brought together talks and presentations from all sections of the larger hacking world. The goal of the event was to show that the different facets of the community have far more in common than they might realize, and featured a number of talks that truly blurred the lines. The oscilloscope toting crew learned a bit about the covert applications of their gadgets, and the high-level security minded individuals got a good look at how the silicon sausage gets made.

Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.

Continue reading “WOPR: Security Loses Some Of Its Obscurity”

What To Do When The Botnet Comes Knocking

March 21, 2019 by 34 Comments

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that web-site each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.

Continue reading “What To Do When The Botnet Comes Knocking”

Spoiler, Use-After-Free, And Ghidra: This Week In Computer Security

March 13, 2019 by 24 Comments

The past few days have been busy if you’re trying to keep up with the pace of computer security news. Between a serious Chromium bug that’s actively being exploited on Windows 7 systems, the NSA releasing one of their tools as an open source project, and a new Spectre-like speculative execution flaw in Intel processors, there’s a lot to digest.
Continue reading “Spoiler, Use-After-Free, And Ghidra: This Week In Computer Security”

Hackers Turn Hard Drive Into Microphone That Can Listen In On Your Computer’s Fan Whine

March 13, 2019 by 28 Comments

As reported by The Register, hackers can now listen in on conversations happening around your computer by turning a hard drive into a microphone. There are caveats: the hack only works if these conversations are twice as loud as a blender, or about as loud as a lawn mower. In short, no one talks that loud, move along, nothing to see here.

The attack is to be presented at the 2019 IEEE Symposium on Security and Privacy, and describes the attack as a modification of the firmware on a disk drive to read the Position Error Signal that keeps read/write heads in the optimal position. This PES is affected by air pressure, and if something is affected by air pressure, you’ve got a microphone. In this case, it’s a terrible microphone that’s mechanically coupled to a machine that has a lot of vibrations including the spinning platter and a bunch of fans inside the computer. This is an academic exercise, and not a real attack, and either way to exfiltrate this data you need to root the computer the hard drive is attached to. It’s attacks all the way down.

The limiting factor in this attack is that it requires a very loud conversation to be held near a hard drive. To record speech, the researchers had to pump up the volume to 85 dBA, or about the same volume as a blender crushing some ice. Recording music through this microphone so that Shazam could identify the track meant playing the track back at 90 dBA, or about the same volume as a lawnmower. Basically, this isn’t happening.

The interesting bit of this hack isn’t using a hard drive as a microphone. It’s modifying the firmware on a hard drive to do something. We’ve seen some hacks like this before, but the latest public literature on hard drive firmware hacking is years old. If you’ve got a tip on how to hack hard drives, even if it’s to do something that’s horribly impractical, we’d love to see it.

What Hardware Lies Beneath? Companies Swear They Never Meant To Violate Your Privacy

March 11, 2019 by 76 Comments

“Don’t Be Evil” was the mantra of Google from years before even Gmail was created. While certainly less vague than their replacement slogan “Do the Right Thing”, there has been a lot of criticism directed at Google over the past decade and a half for repeatedly being at odds with one of their key values. It seems as though they took this criticism to heart (or found it easier to make money without the slogan), and subsequently dropped it in 2018. Nothing at Google changed, though, as the company has continued with several practices which at best could be considered shady.

The latest was the inclusion of an undisclosed microphone in parts of their smart home system, the Nest Guard. This is a member of the Nest family of products — it is not the thermostat itself, but a base station for a set of home security hardware you can install yourself. The real issue is that this base station was never billed as being voice activated. If you’re someone who has actively avoided installing “always-listening” style devices in your home, it’s infuriating to learn there is hardware out that have microphones in them but no mention of that in the marketing of the product. Continue reading “What Hardware Lies Beneath? Companies Swear They Never Meant To Violate Your Privacy”