Infrared Brute Force Attack Unlocks TiVo

While the era of the TiVo (and frankly, the idea of recording TV broadcasts) has largely come to a close, there are still dedicated users out there who aren’t quite ready to give up on the world’s best known digital video recorder. One such TiVo fanatic is [Gavan McGregor], who recently tried to put a TiVo Series 3 recorder into service, only to find the device was stuck in the family-friendly “KidZone” mode.

Without the code to get it out of this mode, and with TiVo dropping support for this particular recorder years ago, he had to hack his way back into this beloved recorder on his own. The process was made easier by the simplistic nature of the passcode system, which only uses four digits and apparently doesn’t impose any kind of penalty for incorrect entries. With only 10,000 possible combinations for the code and nothing to stop him from trying each one of them in sequence, [Gavan] just needed a way to bang them out.

After doing some research on the TiVo remote control protocol, he came up with some code for the Arduino using the IRLib2 library that would brute force the KidZone passcode by sending the appropriate infrared codes for each digit. He fiddled around with the timing and the delay between sending each digit, and found that the most reliable speed would allow his device to run through all 10,000 combinations in around 12 hours.

The key thing to remember here is that [Gavan] didn’t actually care what the passcode was, he just needed it to be entered correctly to get the TiVo out of the KidZone mode. So he selected the “Exit KidZone” option on the TiVo’s menu, placed his Arduino a few inches away from the DVR, and walked away. When he came back the next day, the TiVo was back into its normal mode. If you actually wanted to recover the code, the easiest way (ironically) would be to record the TV as the gadget works its way through all the possible digits.

Back in 2004, there were so many TiVo hacks hitting the front page of Hackaday that we actually gave them a dedicated subdomain. But by the end of 2007, we were asking what hackers would do with the increasingly discarded Linux-powered devices. That people are still hacking on these gadgets over a decade later is truly a testament to how dedicated the TiVo fanbase really is.

[Thanks to Chris for the tip.]

IoT Security is Hard: Here’s What You Need to Know

Security for anything you connect to the internet is important. Think of these devices as doorways. They either allow access to services or provides services for someone else. Doorways need to be secure — you wouldn’t leave your door unlocked if you lived in the bad part of a busy city, would you? Every internet connection is the bad part of a busy city. The thing is, building hardware that is connected to the internet is the new hotness these days. So let’s walk through the basics you need to know to start thinking security with your projects.

If you have ever run a server and checked your logs you have probably noticed that there is a lot of automated traffic trying to gain access to your server on a nearly constant basis. An insecure device on a network doesn’t just compromise itself, it presents a risk to all other networked devices too.

The easiest way to secure a device is to turn it off, but lets presume you want it on. There are many things you can do to protect your IoT device. It may seem daunting to begin with but as you start becoming more security conscious things begin to click together a bit like a jigsaw and it becomes a lot easier.

Continue reading “IoT Security is Hard: Here’s What You Need to Know”

Python Solution To A Snake Cube Puzzle

Puzzles provide many hours of applied fun beyond any perfunctory tasks that occupy our days. When your son or daughter receives a snake cube puzzle as a Christmas gift — and it turns out to be deceptively complex — you can sit there for hours to try to figure out a solution, or use the power of Python to sort out the serpentine conundrum and use brute-force to solve it.

Continue reading “Python Solution To A Snake Cube Puzzle”

Brute Forcing an Android Phone

[Brett’s] girlfriend is very concerned about cell phone security — So much so that she used a PIN so secure, even she couldn’t remember it.

Beyond forgetting the PIN, the phone also had encryption enabled, the bootloader locked, and zero permissions for the Android Device Manager to change the PIN. Lucky for her, [Brett] had purchased an STM32F4Discovery Development Board a few months ago, and was itching for a suitable project for it.

Now unfortunately, Android allows you to pick a PIN of anywhere between 4 and 8 digits, which as you can guess, results in a massive number of possible permutations. She was pretty sure it was only 6 digits, and that she didn’t use a 1, 2, or 3… and she thought it started with a 4 or a 7… and she didn’t think any of the digits were repeated… This helped narrow it down a bit, from 1 million possibilities to about 5,000 — assuming all of the boundary conditions she remembers are in fact correct.

[Brett] started by writing a C library to generate permutations of the PIN, testing the board on his own phone to make sure it works with a known PIN, and boom, they were in business.

28,250 PIN attempts later, they decided they were not. Did we mention you can only enter 5 PINs in every 30 seconds?

Continue reading “Brute Forcing an Android Phone”

Brute force attack Xbox 360 parental controls

brute-force-xbox-360-parental-controls

The Xbox 360 has the option of parental controls. It limits the rating of games which can be played on the system. [Oscar] didn’t really need to remove the lock-out. It was simply an interesting proof of concept for him. In the image above he’s holding up a Vinciduino board. It has an ATmega32u4 chip that can brute-force attack the Xbox 360 parental code (translated).

We’ve seen quite a few of these attacks lately. Like the recent iPad pin attack this uses the microcontroller to emulate a keyboard. As you can see in the video, [Oscar] first navigates the menu system to the unlock code screen, then plugs in his device.

The unlock screen calls for a four-digit numeric PIN. That’s a total of 10000 possible combinations. It looks pretty slow in the demo, but according to his calculations the worst case scenario would still break the code in less than seventeen hours. Apparently there’s no lock-out for the max number of wrong codes.

Continue reading “Brute force attack Xbox 360 parental controls”

iOS keyboard exploit allows brute force iPad lock screen attack

It’s quite common to have a timed lockout after entering several bad passwords. This simple form of security makes automated brute force attacks unfeasible by ballooning the time it would take to try every possible permutation. The lock screen on iOS devices like iPad and iPhone have this built in. Enter your code incorrectly several times and the system will make you wait 1, 5, 15, and 60 minutes between entries as you keep inputting the wrong code. But there is an exploit that gets around this. [Pierre Dandumont] is showing off his hardware-based iPad lock screen attack in the image above.

He was inspired to try this out after reading about some Mac EFI attacks using the Teensy 3. That approach used the microcontroller to spoof a keyboard to try every PIN combination possible. By using the camera kit for iPad [Pierre] was able to do the same. This technique lets you connect wired keyboards to the iPad, but apparently not the iPhone. A bluetooth keyboard can also be used. These external keyboards get around the timing lockout associated with the virtual lockscreen keyboard.

We’re of the opinion that this is indeed a security vulnerability. If you forget your passcode you can simply restore the device to remove it. That wipes all of your personal data which can then be loaded from an iTunes backup. Lockscreens are paramount if a device is stolen. They will give you the time you need to change any online credentials which might be remembered by the device.

Continue reading “iOS keyboard exploit allows brute force iPad lock screen attack”

Master lock auto-cracker built as coursework at University

We love the beginning of May because the final projects for college coursework start rolling into our tips line. Here’s one of the latest, it’s an automatic Master lock combination cracker which was built by [Ross Aiken] and his classmates as part of their ECE453 Embedded Microprocessor System Design class at the University of Wisconsin – Madison.

We’ve talked about the ease with which these locks can be cracked. But [Ross] points out that the resources we linked to before are flawed. To get the combination as quickly as possible the team has implemented an algorithm discussed here. Their machine uses a stepper motor to turn the dial with a big solenoid to pull on the shackle. The system is sensitive enough to detect the “sticky” spots of the lock, which are then used to narrow the number of possible combinations before brute forcing the combination. As you can see in the video after the break, the shackle moves slightly when pulled after an incorrect combination. The long vertical pin near the solenoid will pass through an optical sensor when the correct combination is found.

Do you have your own final project to show off? What are you waiting for, send us a tip about it!

Continue reading “Master lock auto-cracker built as coursework at University”