The saying “time and tide wait for no man” is usually used as a verbal kick in the pants, a reminder that sometimes an opportunity must be seized quickly before it passes by. But it can also be interpreted as a warning about the perpetual march of time and how it impacts the world around us. In that case, we would do well to add cellular technology to the list of proverbial things that wait for no one. Do you need 5G? No. Do you want it? Probably not. But it’s here, so be a good consumer and dump all your 4G hardware in the name of technical progress.
This line of logic may explain how the Verizon-branded Netgear AC791L 4G “Jetpack” hotspot you see here, despite being in perfect working order, found itself in the trash. The onset of 5G must have been particularly quick for the previous owner, since they didn’t even bother to wipe their configuration information from the device. In the name of journalistic integrity I won’t divulge the previous owner’s identity; but I will say that their endearing choice of WPA2 key, iluvphysics, makes for a nice fit with our publication.
A quick check of eBay shows these devices, and ones like it, are in ample supply. At the time of this writing, there were more than 1,500 auctions matching the search term “Verizon jetpack”, with most of them going for between $20 and $50 USD. We like cheap and easily obtainable gadgets that can be hacked, but is there anything inside one of these hotspots that we can actually use? Let’s find out.
Continue reading “Teardown: Verizon AC791L Jetpack 4G Mobile Hotspot”
We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format,
.dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in
dbfview, but that wasn’t enough.
Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.
Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe. Continue reading “This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea”
Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.
The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.
Continue reading “Hacking A Netgear Router”
A home security camera can be great for peace of mind, and keeping an eye on the house while you’re away. The popular option these days is an IP-based device that is accessible over the Internet through an ethernet or wireless connection to your home router. But what if you could cut out the middle man, and instead turn your router itself into the security camera? [Fred] is here to show us how it’s done.
The hack begins by parsing the original router’s firmware. Through a simple text search, a debug page was identified which allowed telnet access to the router to be enabled. This gives access to a root shell, allowing full control over the Linux system running the show.
After backing everything up, [Fred] grabbed the source code from Netgear and recompiled the kernal with USB video and Video4Linux2 support. This allows the router to talk to a standard USB webcam. It’s then a simple matter of using opkg to install software to set up the router to record video when motion is detected.
Overall, it’s fairly straightforward, but [Fred] came up with an ingenious twist. Because the router itself is acting as the security camera, he is able to set up the camera to only arm itself when his smartphone (and thus, [Fred] himself) is not at home. This prevents the recording of footage of [Fred] moving around the house, allowing the router to only record important footage for security purposes.
It’s possible to do great things with routers – most of them are just tiny boxes running Linux anyway. Check out this one used as an online energy meter.
It’s always unfortunate to find a FedEx tag on your door saying you missed a delivery; especially when you were home the whole time. After having this problem a few times [Lee] decided to rig up a doorbell notifier for his Android phone.
[Lee]’s doorbell uses a 10 VAC supply to ring a chime. To reduce modifications to the doorbell, he added an integrated rectifier and a PNP transistor. The rectifier drives the transistor when the bell rings, and pulls a line to ground.
An old Netgear router running OpenWRT senses this on a GPIO pin. Hotplugd is used to run a script when the button push is detected.
The software is discussed in a separate post. The router runs a simple UDP server written in C. The phone polls this server periodically using SL4A: a Python scripting layer for the Android platform. To put it all together, hotplugd sends a UNIX signal to the UDP server when the doorbell is pushed. Once the phone polls the server a notification will appear, and [Lee] can pick up his package without delay.
a.ntivir.us wanted to use a different antenna for their Netgear mbr624gu WiFi router. Unfortunately, this model comes with an antenna that is not removable. As with other antenna retrofits, this involves no soldering. But because there is already a mounting area for an antenna, no case altering is needed either. After opening the router with a Torx driver it was discovered that the non-removable antenna was connected to the board with a mini rf connector (U.FL). The antenna and its mounting bracket were removed and a U.FL to RP-SMA adapter was put in its place using a washer to secure it to the rear plate of the router. Now any external antenna can be used and the router still looks brand new.
Netgear recently launched the WGR614L wireless router targeted specifically at open source firmware enthusiasts. It can use Tomato, DD-WRT, and soon OpenWRT. The core is a 240MHz MIPS processor with 16MB of flash and 4MB of RAM. You’ll probably remember when Linksys decided to dump Linux from their iconic WRT54G line in favor of VxWorks; they released the similarly speced WRT54GL for enthusiasts. Netgear seems to be arriving pretty late in the game, but they’ve set up a community specifically for this router. Time will tell whether community support is enough to make this the router of choice for hackers. We wish someone would release an x86 based router in the same price range just to make porting stupidly simple.