I recently spent a largely sleepless night at a hotel, and out of equal parts curiosity and boredom, decided to kill some time scanning the guest network to see what my fellow travelers might be up to. As you’d probably expect, I saw a veritable sea of Samsung and Apple devices. But buried among the seemingly endless number of smartphones charging next to their sleeping owners, I found something rather interesting. I was picking up a number of Amazon-made devices, all of which had port 5555 open.
As a habitual Android tinkerer, this struck me as very odd. Port 5555 is used for Android Debug Bridge (ADB), a development tool used to control and perform various administrative tasks on an Android device over the network or (more commonly) locally over USB. The number of users who would have legitimately needed to enable network ADB on their devices is surely rather low, so to see a half dozen of them on the network at the same time seemed improbable to say the least.
Why would so many devices manufactured by Amazon all have network ADB enabled? I realized there must be a connection, and it didn’t take long to figure it out.
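To check whether a device you own is exposing ADB on the network like this, you can audit its system properties. The sketch below is an added example, not code from the original post: it parses the output of `adb shell getprop`, the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output from a device you administer.
SAMPLE_GETPROP = """\
[persist.adb.tcp.port]: [5555]
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[sys.usb.config]: [mtp,adb]
"""

# getprop prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def network_adb_findings(props):
    """Return human-readable findings about ADB exposure (hypothetical helper)."""
    findings = []
    # adbd uses service.adb.tcp.port when it is set, else persist.adb.tcp.port.
    port = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port")
    if port and port.isdigit() and int(port) > 0:
        findings.append(f"adbd listens on TCP port {port}")
    # ro.adb.secure=1 means a host must present an authorized key.
    if props.get("ro.adb.secure") != "1":
        findings.append("ADB host-key authentication is not enforced")
    # Debuggable builds permit `adb root`.
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (adb root permitted)")
    return findings


if __name__ == "__main__":
    for finding in network_adb_findings(parse_getprop(SAMPLE_GETPROP)):
        print("FINDING:", finding)
```

A device that reports the TCP port finding without host-key authentication accepts ADB connections from anything that can reach it on the network.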
Believe it or not, there are quite a few people out there who have purchased gun safes that can be remotely unlocked by Bluetooth. Now we can understand why somebody might think this was a good idea: the convenience of being able to hit a button on your phone and have your weapon available in the heat of the moment is arguably a big selling point for people who are purchasing something like this for home defense. But those with a more technical mind will likely wonder if the inherent risks of having your firearm (or other valuables) protected by a protocol that often relies on security by obscurity outweigh the convenience of not needing to enter a combination on the keypad.
[Two Six Labs] has not publicly released the complete source code of the software demonstrated in their YouTube video for very obvious reasons, but the page on their site does go into fantastic detail on how they uncovered the multiple vulnerabilities that allowed them to write it. Even if you’re not the kind of person who would ever need a gun safe, the information contained in their documentation about analyzing Bluetooth communications is fascinating reading.
It was discovered that the PIN for the safe was actually being transmitted by the accompanying smartphone application in plain-text, which would be bad enough normally. But after further analysis, it became clear that the safe wasn’t even bothering to check the PIN code anyway.
For extra style points, [Two Six Labs] also show a way to brute force the PIN using the Vaultek Android application by writing a Python script that punches in codes sequentially until it hits on the right one; the developers didn’t even bother to put in limits on failed attempts.
For a device that is ostensibly designed to contain a deadly weapon, the security flaws the team at [Two Six Labs] discovered are absolutely inexcusable. But there is a positive outcome, as the manufacturer has vowed to update the vulnerable safes and make a better effort in the future to more rigorously design and test their Bluetooth implementation. This is the goal of responsible disclosure, and we’re encouraged to see the manufacturer doing the right thing.
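Two of the flaws described above, a lock that never checks the PIN itself and no limit on failed attempts, have a well-known fix: verify on the device and back off after repeated failures. The following is an added sketch of that logic, not code from Vaultek or Two Six Labs; the class name, the thresholds and the one-guess-per-second scenario are assumptions, and it does not address the plain-text transport.

```python
import hashlib
import hmac
import os


class PinVerifier:
    """Device-side PIN check: the lock decides, not the phone app."""

    MAX_FAILURES = 5      # assumed policy: free attempts before lockout
    BASE_LOCKOUT_S = 30   # assumed policy: first lockout, doubling afterwards

    def __init__(self, pin, clock):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)   # store a salted hash, never the PIN
        self._clock = clock                # injected so the demo can fake time
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def try_unlock(self, candidate):
        now = self._clock()
        if now < self._locked_until:
            return "locked"                # rejected without evaluating the PIN
        # Constant-time comparison avoids leaking how much of the PIN matched.
        if hmac.compare_digest(self._derive(candidate), self._digest):
            self._failures = 0
            return "open"
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            doublings = self._failures - self.MAX_FAILURES
            self._locked_until = now + self.BASE_LOCKOUT_S * 2 ** doublings
        return "denied"


def guesses_evaluated(pin, seconds):
    """Constructed scenario: one sequential guess per second for `seconds`."""
    now = [0]
    verifier = PinVerifier(pin, clock=lambda: now[0])
    evaluated = 0
    for tick in range(seconds):
        now[0] = tick
        if verifier.try_unlock(f"{tick % 10000:04d}") != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated in one hour:", guesses_evaluated("7391", 3600))
```

With these assumed thresholds, an hour of sequential guessing gets only a handful of candidates evaluated, instead of the thousands an unlimited lock would accept.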
During the development of the greatest member of the Apple II family, the Apple IIgs, someone suggested to [Woz] that a sort of universal serial bus was needed for keyboards, mice, trackballs, and other desktop peripherals. [Woz] disappeared for a time and came back with something wonderful: a protocol that could be daisy-chained from keyboard to a graphics tablet to a mouse. This protocol was easily implemented on a cheap microcontroller, provided 500mA to the entire bus, and was used for everything from license dongles to modems.
The Apple Desktop Bus, or ADB, was a decade ahead of its time, and was a mainstay of the Mac platform until Apple had the courage to kill it off with the iMac. At that time, an industry popped up overnight for ADB to USB converters. Even today, there’s a few mechanical keyboard aficionados installing Teensies in their favorite input devices to give them a USB port.
While plugging an old Apple keyboard into a modern computer is a noble pursuit — this post was written on an Apple M0116 keyboard with salmon Alps switches — sometimes you want to go the other way. Wouldn’t it be cool to use a modern USB mouse and keyboard with an old Mac? That’s what [anthon] thought, so he developed the ADB Busboy.
The NeXT slabs and cubes were interesting computers for their time, with new interesting applications that are commonplace today seen first in this block of black plastic. Web browsers, for example, were first seen on the NeXT.
Running one of these machines today isn’t exactly easy; there are odd video connectors but you can modify some of the parts and stick them in an LCD monitor. It’s a tradeoff between a big, classic, heavy but contemporary CRT and a modern, light, and efficient LCD, but it’s still a great way to get a cube or slab up and running if you don’t have the huge monitor handy.
The NeXT cube doesn’t have a single wire going between the computer and the monitor; that would be far too simple. Instead, a NeXT Sound Box sits between the two, providing the user a place to plug the monitor, keyboard, mouse, and audio connectors into. [Brian] took the board from this Sound Box and put it inside an old NEC LCD monitor he had sitting around. 12V and 5V rails were wired in, the video lines were wired in, and [Brian] created a new NeXT monitor.
There are two versions of the NeXT Sound Box – one for ADB peripherals (Apple IIgs and beige Macs), and another for non-ADB peripherals. [Brian] also put together a tutorial for using non-ADB peripherals with the much more common ADB Sound Board.
To some of us, hacking an RC Car to simply follow a black line or avoid obstacles is too easy, and we’re sure [Shazin] would agree with that, since he created an RC Car that follows your face!
The first step to this project was to take control of the RC Car, but instead of hijacking the transmitter, [Shazin] decided to control the car directly. This isn’t any high-end RC Car though, so forget about PWM control. Instead, a single IC (RX-2) was found to handle both the RF Receiver and H-Bridges. After a bit of probing, the 4 control lines (forward/back and left/right) were identified and connected to an Arduino.
[Shazin] paired the Arduino with a USB Host Shield and connected it up with his Android phone through the ADB (Android Debug Bridge). He then made some modifications to the OpenCV Android Face Detection app to send commands to the Arduino based on ‘where’ the Face is detected; if the face is in the right half of the screen, turn right, if not, turn left and go forward.
This is a really interesting project with a lot of potential; we’re just hoping [Shazin] doesn’t have any evil plans for this device like strapping it to a Tank Drone that locks on to targets!
If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interested in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. The ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer that involves a little-known property of USB devices.
USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexor inside your phone can allow anyone with the proper hardware to access the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.
To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked and the thought of having a secure phone was never had again.
The guys went farther with some proprietary Samsung hardware that could, if they had the service manual, unlock any Samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out with their project, they have a project site up with all the information to get up to speed on this very ingenious hack.
This screen is not just cracked, it’s devastated. We can all agree that you’re not going to be carrying this around with you anymore, but it might still be useful in other endeavors. [Mr Westie] wanted to use it for the camera which is undamaged. The issue is how do you control an Android device with a broken screen?
He knew there are apps out there that let you control your device remotely. But these still depend on you being able to install and launch the program. He found he could get the image from the screen on his computer using a package called Screencast. It runs on your computer and doesn’t need to be installed on the phone, but it will require a rooted phone and the user must click to authorize root access. He got around that hangup by pushing keypress commands to the phone via ADB. The only problem left is if debugging mode is not enabled.