Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.

As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or Airbnb host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s needed to get the keys to the kingdom.

In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.

We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?



Hackaday Links: November 17, 2019

Friday, November 15, 2019 – PASADENA. The 2019 Hackaday Superconference is getting into high gear as I write this. Sitting in the Supplyframe HQ outside the registration desk is endlessly entertaining, as attendees pour in and get their swag bags and badges. It’s like watching a parade of luminaries from the hardware hacking world, and everyone looks like they came ready to work. The workshops are starting, the SMD soldering challenge is underway, and every nook and cranny seems to have someone hunched over the amazing Hackaday Superconference badge, trying to turn it into something even more amazing. The talks start on Saturday, and if you’re not one of the lucky hundreds here this weekend, make sure you tune into the livestream so you don’t miss any of the action.

The day when the average person is able to shoot something out of the sky with a laser is apparently here. Pablo, who lives in Argentina, has been keeping tabs on the mass protests going on in neighboring Chile. Huge crowds have been gathering regularly over the last few weeks to protest inequality. The crowd gathered in the capital city of Santiago on Wednesday night took issue with the sudden appearance of a police UAV overhead. In an impressive feat of cooperation, they trained 40 to 50 green laser pointers on the offending drone. The videos showing the green beams lancing through the air are quite amazing, and even more amazing is the fact that the drone was apparently downed by the lasers. Whether it was blinding the operator through the FPV camera or whether the accumulated heat of dozens of lasers caused some kind of damage to the drone is hard to say, and we’d guess that the drone was not treated too kindly by the protestors when it landed in their midst, so there’s likely not much left of the craft for a forensic analysis, which is a pity. We will note that the protestors also trained their lasers on a police helicopter, an act that’s extremely dangerous to the human pilots and which we can’t condone.

In news that should shock literally nobody, Chris Petrich reports that there’s a pretty good chance the DS18B20 temperature sensor chips you have in your parts bin are counterfeits. Almost all of the 500 sensors he purchased from two dozen vendors on eBay tested as fakes. His GitHub readme has an extensive list that lumps the counterfeits into four categories of fake-ness, with issues ranging from inaccurate temperature offsets to sensors without EEPROM that don’t work with parasitic power. What’s worse, a lot of the fakes test almost-sorta like authentic chips, meaning that they may work in your design, but you’re clearly not getting what you paid for. The short story on telling real chips from the fakes is that Maxim chips have laser-etched markings, while the imposters sport printed numbers. If you need the real deal, Chris suggests sticking with reputable suppliers with validated supply chains. Caveat emptor.

A few weeks back we posted a link to the NXP Homebrew RF Design Challenge, which tasked participants with building something cool with NXP’s new LDMOS RF power transistors. The three winners of the challenge were just announced, and we’re proud to see that Razvan’s wonderfully engineered broadband RF power amp, which we recently featured, won second place. First place went to Jim Veatch for another broadband amp that can be built for $80 using an off-the-shelf CPU heatsink for thermal management. Third prize was awarded to a team led by Weston Braun, which came up with a switch-mode RF amp for the plasma cavity of a micro-thruster for CubeSats, adorably named the Pocket Rocket. We’ve featured similar thrusters recently, and we’ll be doing a Hack Chat on the topic in December. Congratulations to the winners for their excellent designs.

Side-Channel Attack Shows Vulnerabilities Of Cryptocurrency Wallets

What’s in your crypto wallet? The simple answer should be fat stacks of Bitcoin or Ethereum and little more. But if you use a hardware cryptocurrency wallet, you may be carrying around a big fat vulnerability, too.

At the 35C3 conference last year, [Thomas Roth], [Josh Datko], and [Dmitry Nedospasov] presented a side-channel attack on a hardware crypto wallet. The wallet in question is a Ledger Blue, a smartphone-sized device which seems to be discontinued by the manufacturer but is still available in the secondary market. The wallet sports a touch-screen interface for managing your crypto empire, and therein lies the weakness that these researchers exploited.

By using a HackRF SDR and a simple whip antenna, they found that the wallet radiated a distinctive and relatively strong signal at 169 MHz every time a virtual key was pressed to enter a PIN. Each burst started with a distinctive 11-bit data pattern; with the help of a logic analyzer, they determined that each packet contained the location of the key icon on the screen.

Next step: put together a training set. They rigged up a simple automatic button-masher using a servo and some 3D-printed parts, and captured signals from the SDR for 100 presses of each key. The raw data was massaged a bit to prepare it for TensorFlow, and the trained network proved accurate enough to give any hardware wallet user pause – especially since they captured the data from two meters away with relatively simple and concealable gear.
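To make the classification step concrete, here is an added example that is not the researchers’ code and is not derived from their TensorFlow model: a template attack in pure Python over constructed bursts. Each PIN key is given a hypothetical burst envelope with Gaussian noise standing in for the SDR capture; the per-key templates are averaged from 100 labelled training bursts, mirroring the servo button-masher, and an unknown burst is assigned to the nearest template. The envelope shapes, the 32-sample length and the noise level are this example’s own assumptions; only the workflow (collect labelled presses, profile, classify) follows the write-up.

```python
import math
import random

KEYS = list(range(10))   # the ten PIN digits on the virtual keypad
SAMPLES = 32             # envelope samples kept per burst (assumption)


def template(key):
    """Hypothetical noise-free burst envelope for one key.

    Assumption for this example only: the burst timing shifts with the key's
    position on screen, so each key peaks at a different sample index.
    """
    centre = 8 + 2 * key
    return [math.exp(-((i - centre) ** 2) / 12.0) for i in range(SAMPLES)]


def capture(key, rng, noise=0.1):
    """Stand-in for one SDR capture: the template plus receiver noise."""
    return [v + rng.gauss(0.0, noise) for v in template(key)]


def build_training_set(rng, per_key=100):
    """Emulates the button-masher: per_key labelled captures for every digit."""
    return [(k, capture(k, rng)) for k in KEYS for _ in range(per_key)]


def train_templates(data):
    """Profiling step: average the captures of each key into one template."""
    sums = {k: [0.0] * SAMPLES for k in KEYS}
    counts = {k: 0 for k in KEYS}
    for key, burst in data:
        counts[key] += 1
        for i, v in enumerate(burst):
            sums[key][i] += v
    return {k: [v / counts[k] for v in sums[k]] for k in KEYS}


def classify(templates, burst):
    """Return the key whose template is closest in squared Euclidean distance."""
    def dist(t):
        return sum((a - b) ** 2 for a, b in zip(t, burst))
    return min(templates, key=lambda k: dist(templates[k]))


def recover_pin(templates, bursts):
    """Map a sequence of captured bursts to the digits that produced them."""
    return "".join(str(classify(templates, b)) for b in bursts)


def evaluate(seed=1, trials=200):
    """Train on synthetic captures, then measure single-press accuracy."""
    rng = random.Random(seed)
    templates = train_templates(build_training_set(rng))
    correct = sum(
        classify(templates, capture(k, rng)) == k
        for k in (rng.choice(KEYS) for _ in range(trials))
    )
    return correct / trials


def demo(seed=7, pin="2580"):
    """End-to-end run on constructed data: profile, observe a PIN entry, recover it."""
    rng = random.Random(seed)
    templates = train_templates(build_training_set(rng))
    observed = [capture(int(d), rng) for d in pin]
    return recover_pin(templates, observed)


if __name__ == "__main__":
    print("recovered PIN:", demo())
    print("single-press accuracy:", evaluate())
```

The nearest-template classifier is the simplest member of the family the researchers used a neural network for; it is enough to show why per-key differences in the radiated burst, once captured with labels, turn a PIN pad into a ten-symbol alphabet that can be read at a distance. On a real capture the envelope extraction and burst alignment (the 11-bit preamble gives a sync point) would come before this step.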

Every lock contains the information needed to defeat it, requiring only a motivated attacker with the right tools and knowledge. We’ve covered other side-channel attacks before; sadly, they’ll probably only get easier as technologies like SDR and machine learning rapidly advance.

[via RTL-SDR.com]

Faxsploit – Exploiting A Fax With A Picture

Security researchers have found a way to remotely execute code on a fax machine by sending a specially crafted document to it. So… who cares about fax? Well, apparently a lot of people are still using it in many institutions, governments and industries, including healthcare, legal, banking and commercial. Bureaucracy and old procedures tend to die hard.

This is one of those exploits that deserves proper attention, for many reasons. It is well documented and is a great piece of proper old school hacking and reverse engineering. [Eyal Itkin], [Yannay Livneh] and [Yaniv Balmas] show us their process in a nicely done article that you can read here. If you are into security hacks, it’s really worth reading and also worth watching the DEF CON video. They focused their attention on an all-in-one printer/scanner/fax, and the results were as good as it gets.

Our research set out to ask what would happen if an attacker, with merely a phone line at his disposal and equipped with nothing more than his target’s fax number, was able to attack an all-in-one printer by sending a malicious fax to it.

In fact, we found several critical vulnerabilities in all-in-one printers which allowed us to ‘faxploit’ the all-in-one printer and take complete control over it by sending a maliciously crafted fax.

As the researchers note, once an all-in-one printer has been compromised, it could be used for a wide array of malicious activities, from infiltrating the internal network to stealing printed documents, or even mining Bitcoin. In theory they could even produce a fax worm, replicating via the phone line.

The attack summary video is below, demonstrating an exploit that lets an attacker pivot into an internal network and take over a Windows machine using the NSA’s EternalBlue exploit.


35C3: A Deep Dive Into DOS Viruses And Pranks

Oh, the hijinks that the early days of the PC revolution allowed. Back in the days when a 20MB hard drive was a big deal and MS-DOS 3.1 ruled over every plain beige PC-clone cobbled together by enthusiasts like myself, it was great fun to “set up” someone else’s machine to do something unexpected. This generally amounted to finding an unattended PC — the rooms of the residence hall where I lived in my undergrad days were a target-rich environment in this regard — and throwing something annoying in the AUTOEXEC.BAT file. Hilarity ensued when the mark next booted the machine and was greeted with something like an inverted display or a faked hard drive formatting. Control-G was good to me too.

So it was with a sense of great nostalgia that I watched [Ben Cartwright-Cox]’s recent 35C3 talk on the anatomy and physiology of viruses from the DOS days. Fair warning to the seasoned reader that a sense of temporal distortion is inevitable while watching someone who was born almost a decade after the last meaningful release of MS-DOS discuss its inner workings with such ease. After a great overview of the DOS API elements that were key to getting anything done back then, malware or regular programs alike, he dives into his efforts to mine an archive of old DOS viruses, the payloads of most of which were harmless pranks. He built some tools to find viruses that triggered based on the system date, and used an x86 emulator he designed to test every day between 1980 and 2005. He found about 10,000 malware samples and explored their payloads, everything from well-wishes for the New Year to a bizarre foreshadowing of the Navy Seal Copypasta meme.
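One way to narrow the hunt for date-triggered samples before spending emulator time on every day of a 26-year span, as an added example that is not [Ben]’s tooling (the talk gives only an outline of his tools): a byte-pattern scan for the DOS Get System Date call (INT 21h with AH=2Ah, which returns the year in CX, month in DH and day in DL) followed by compares against those registers, applied to two constructed .COM fragments. The 32-byte search window and the assumption that the compare uses an immediate operand are this example’s own; real samples load the date into other registers or compare it indirectly, which this heuristic misses.

```python
from datetime import date, timedelta

# mov ah,2Ah ; int 21h  -- DOS "Get System Date": CX=year, DH=month, DL=day
GET_DATE = bytes.fromhex("B42ACD21")
CMP_DH_IMM8 = bytes.fromhex("80FE")    # cmp dh, imm8   (month)
CMP_DL_IMM8 = bytes.fromhex("80FA")    # cmp dl, imm8   (day)
CMP_CX_IMM16 = bytes.fromhex("81F9")   # cmp cx, imm16  (year)


def find_date_triggers(image, window=32):
    """Byte-pattern heuristic (assumed for this example, not a disassembler).

    After each Get System Date call, look within `window` bytes for compares
    against DH, DL or CX and read the immediate operands. Bytes belonging to
    other instructions can be misread, so hits are candidates for an emulator
    run, not proof.
    """
    triggers = []
    pos = image.find(GET_DATE)
    while pos != -1:
        start = pos + len(GET_DATE)
        region = image[start:start + window]
        hit = {"offset": pos, "year": None, "month": None, "day": None}
        i = 0
        while i < len(region):
            two = region[i:i + 2]
            if two == CMP_DH_IMM8 and i + 2 < len(region):
                hit["month"] = region[i + 2]
                i += 3
            elif two == CMP_DL_IMM8 and i + 2 < len(region):
                hit["day"] = region[i + 2]
                i += 3
            elif two == CMP_CX_IMM16 and i + 3 < len(region):
                hit["year"] = int.from_bytes(region[i + 2:i + 4], "little")
                i += 4
            else:
                i += 1
        triggers.append(hit)
        pos = image.find(GET_DATE, pos + 1)
    return triggers


def matching_days(trigger, start=date(1980, 1, 1), end=date(2005, 12, 31)):
    """Days in [start, end] on which the trigger fires: the short list an
    emulator would need to cover instead of every day of the range."""
    days = []
    d = start
    while d <= end:
        if ((trigger["year"] is None or d.year == trigger["year"])
                and (trigger["month"] is None or d.month == trigger["month"])
                and (trigger["day"] is None or d.day == trigger["day"])):
            days.append(d)
        d += timedelta(days=1)
    return days


# Constructed sample (not a real virus): a .COM fragment that reads the date
# and branches to its payload only on 25 December of any year.
CHRISTMAS_COM = bytes.fromhex(
    "B42A"      # mov ah,2Ah
    "CD21"      # int 21h
    "80FE0C"    # cmp dh,0Ch      ; month == 12 ?
    "7508"      # jne exit
    "80FA19"    # cmp dl,19h      ; day == 25 ?
    "7503"      # jne exit
    "E90000"    # jmp payload     ; placeholder displacement
    "CD20"      # exit: int 20h
)

# Second constructed sample: fires on any day of the year 2000.
Y2K_COM = bytes.fromhex(
    "B42A"      # mov ah,2Ah
    "CD21"      # int 21h
    "81F9D007"  # cmp cx,07D0h    ; year == 2000 ?
    "7502"      # jne exit
    "CD20"      # exit: int 20h
)


if __name__ == "__main__":
    for name, image in (("christmas", CHRISTMAS_COM), ("y2k", Y2K_COM)):
        for hit in find_date_triggers(image):
            print(name, hit, "->", len(matching_days(hit)), "candidate days")
```

The static pass turns the Christmas sample into 26 candidate days and the year-2000 sample into 366; an emulator with a forged system date then confirms which of those actually reach the payload, which is the part a pure byte scan cannot do.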

We found [Ben]’s talk a real treat, and it’s good to see someone from the current generation take such a deep dive into the ways many of us cut our teeth in the computing world.


Manhattan Mystery Of Creepy Jingles And Random Noises Solved

Here’s a puzzler for you: If you’re phreaking something that’s not exactly a phone, are you still a phreak?

That question probably never crossed the minds of New Yorkers who were acoustically assaulted on the normally peaceful sidewalks of Manhattan over the summer by creepy sounds emanating from streetside WiFi kiosks. The auditory attacks caused quite a stir locally, leading to wild theories that Russian hackers were behind it all. Luckily, the mystery has been solved, and it turns out to have been part prank, part protest, and part performance art piece.

To understand the exploit, realize that New York City has removed thousands of traditional pay phones from city sidewalks recently and replaced them with LinkNYC kiosks, which are basically WiFi hotspots with giant HDTV displays built into them. For the price of being blitzed with advertisements while strolling by, anyone can make a free phone call using the built-in VOIP app. That was the key that allowed [Mark Thomas], an old-school phreak and die-hard fan of the pay telephones that these platforms supplanted, to launch his attack. It’s not exactly rocket surgery; [Mark] dials one of the dozens of conference call numbers he has set up with pre-recorded audio snippets. A one-minute delay lets him crank the speakerphone volume up to 11 and abscond. The recordings vary, but everyone seemed most creeped out by the familiar jingle of the [Mr. Softee] ice cream truck franchise, slowed down and distorted to make it sound like something from a fever dream.

Yes, it’s a minimal hack, and normally we don’t condone the misuse of public facilities, even ones as obnoxious as LinkNYC appears to be. But it does make a statement about the commercialization of the public square, and honestly, we’re glad to see something that at least approaches phreaking again. It’s a little less childish than blasting porn audio from a Target PA system, and far less dangerous than activating a public safety siren remotely.


Redirected Walking In VR Done Via Exploit Of Eyeballs

[Anjul Patney] and [Qi Sun] demonstrated a fascinating new technique at NVIDIA’s GPU Technology Conference (GTC) for tricking a human into thinking a VR space is larger than it actually is. The way it works is this: when a person walks around in VR, they invariably make turns. During these turns, it’s possible to fool the person into thinking they have pivoted more or less than they have actually physically turned. With a way to manipulate perception of turns comes a way for software to gently manipulate a person’s perception of how large a virtual space is. Unlike other methods that rely on visual distortions, this method is undetectable by the viewer.

Saccadic movements

The software essentially exploits a quirk of how our eyes work. When a human’s eyes move around to look at different things, the eyeballs don’t physically glide smoothly from point to point. The eyes make frequent but unpredictable darting movements called saccades. There are a number of deeply interesting things about saccades, but the important one here is the fact that our eyes essentially go offline during saccadic movement. Our vision is perceived as a smooth and unbroken stream, but that’s a result of the brain stitching visual information into a cohesive whole, and filling in blanks without us being aware of it.

Part one of [Anjul] and [Qi]’s method is to manipulate perception of a virtual area relative to the actual physical area by making a person’s pivots not a 1:1 match. In VR, it may appear one has turned more or less than one has in the real world, and in this way the software can guide the physical motion while making it appear in VR as though nothing is amiss. But by itself, this isn’t enough. To make the mismatches imperceptible, the system watches the eye for saccades and times its adjustments to occur only while they are underway. The brain ignores what happens during saccadic movement, stitches together the rest, and there you have it: a method to gently steer a person so that a virtual space feels larger than the physical area available.
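The gating logic, as an added example in Python that is not NVIDIA’s or the authors’ code: a velocity threshold on eye-tracker yaw samples flags saccades, and a small extra rotation is folded into the virtual heading only on flagged samples, stopping once the wanted offset is reached. The 120 Hz sample rate, the 100°/s threshold and the 0.3° per-sample step are assumptions chosen for illustration, and the trace is constructed.

```python
DT = 1.0 / 120.0            # eye-tracker sample period (assumed 120 Hz)
SACCADE_DEG_PER_S = 100.0   # velocity above which a sample counts as a saccade (assumed)
STEP_DEG = 0.3              # extra yaw injected per saccade sample (assumed, kept small)


def detect_saccades(gaze_yaw, dt=DT, threshold=SACCADE_DEG_PER_S):
    """Flag samples whose angular velocity exceeds the threshold.

    The first sample has no predecessor and is never flagged. Real trackers
    are noisy, so a production detector would smooth before thresholding.
    """
    flags = [False]
    for prev, cur in zip(gaze_yaw, gaze_yaw[1:]):
        flags.append(abs(cur - prev) / dt > threshold)
    return flags


def redirect(physical_yaw, gaze_yaw, wanted_offset, dt=DT, step=STEP_DEG):
    """Return (virtual yaw per sample, offset actually injected).

    The virtual heading is the physical heading plus an offset that changes
    only while a saccade is in progress and never overshoots wanted_offset.
    Between saccades the mapping is a plain 1:1 turn, so the user sees
    nothing unusual.
    """
    offset = 0.0
    virtual = []
    for phys, in_saccade in zip(physical_yaw, detect_saccades(gaze_yaw, dt)):
        if in_saccade:
            remaining = wanted_offset - offset
            offset += max(-step, min(step, remaining))
        virtual.append(phys + offset)
    return virtual, offset


def demo(wanted_offset=10.0):
    """Constructed trace: the head turns 0.5 degrees per sample while the eyes
    fixate, make a three-sample saccade of 4 degrees per sample, then fixate."""
    physical = [0.5 * i for i in range(13)]
    gaze = [0.0] * 5 + [4.0, 8.0, 12.0] + [12.0] * 5
    return redirect(physical, gaze, wanted_offset)


if __name__ == "__main__":
    virtual, injected = demo()
    print("injected offset:", round(injected, 3))
    print("virtual yaw:", [round(v, 2) for v in virtual])
```

In the constructed trace only samples 5 to 7 exceed the threshold, so 0.9° of the requested 10° is injected and every other sample maps physical to virtual yaw 1:1; a smaller request is capped exactly at the requested value. Applying the same gate to the whole scene rotation, rather than to yaw alone, is what the redirected-walking system does with it.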

Embedded below is a video demonstration and overview, which mentions other methods of manipulating perception of space in VR and how it avoids the pitfalls of other methods.
