An Open Hardware Rubber Ducky

No, it’s not an open source version of Bert’s favorite bathtime toy (though seriously, let us know if you see one). The PocketAdmin by [Radik Bechmetov] is intended to be an alternative to the well-known “USB Rubber Ducky” penetration testing tool from Hak5. It might look like a standard USB flash drive, but underneath that black plastic enclosure is a whole lot of digital mischief waiting to spill out.

The general idea is that the PocketAdmin appears to the host computer as either a USB Human Interface Device (keyboard, mouse, etc) or a USB Mass Storage Device. In either event, the user has the ability to craft custom payloads which can exploit the operating system’s inherent trust in locally connected devices. The most common example is mimicking a USB keyboard that starts “typing” once connected to the computer.

You can even configure what vendor and product IDs the PocketAdmin advertises, allowing you to more accurately spoof various devices. [Radik] has included some other interesting features, such as the ability to launch different payloads depending on the detected operating system. That way it won’t waste time trying to bang out Windows commands when it’s connected to a Linux box.

The hardware is designed to be as easy and cheap to replicate as possible. The heavy lifting is done by a STM32F072C8T6 microcontroller, coupled with a W25Q256FVFG 32MiB flash chip to store the payloads. Beyond that, the BOM consists mainly of passives and a few obvious bits like the male USB connector. [Radik] has even provided a link to where you can buy the convincing looking USB “flash drive” enclosure.

We’ve seen low-cost DIY versions of the USB Rubber Ducky in the past, but PocketAdmin is interesting in that it seems like [Radik] is looking to break new ground with this project rather than just copy what’s already been done. This will definitely be one to watch as the 2019 Hackaday Prize heats up.

“Watch Dogs” Inspired Hacking Drone Takes Flight

They say that life imitates art, which in modern parlance basically means if you see something cool in a video game, movie or TV show, you might be inclined to try and build your own version. Naturally, such things generally come in the form of simple props, perhaps with the occasional embedded LED or noise making circuit. It’s not as if you can really build a phaser from Star Trek or a phone booth that’s bigger on the inside.

But after seeing the hacking quadcopter featured in the video game Watch Dogs 2, [Glytch] was inspired to start work on a real-world version. It doesn’t look much like the drone from the game, but that was never the point. The idea was to see how practical a small flying penetration testing platform is with current technology, and judging by the final build, we’d say he got his answer.

All the flight electronics are off-the-shelf quadcopter gear. It’s running on a Betaflight OMNIBUS F4 Pro V2 flight controller with an M8N GPS mounted in the front, controlling the 2006 2400KV motors with a DYS F20A ESC. Interestingly, [Glytch] is experimenting with using LG HG2 lithium-ion cells to power the quad rather than the more traditional lithium-polymer pack, though he does mention there are some issues with the voltage curve between the two battery technologies.

But the real star of the show is the payload: a Hak5 Pineapple Nano. As the Pineapple provides a turn-key penetration testing platform on its own, [Glytch] just needed a way to safely carry it and keep it powered. The custom frame keeps it snug, and the 5 Volt Battery Eliminator Circuit (BEC) on the DYS F20A ESC combined with a female USB port allows powering the Pineapple without having to make any hardware modifications.

We’ve seen quadcopters with digital weaponry before, though not nearly as many as you might think. But as even the toy grade quadcopters become increasingly capable, we imagine the airborne hacking revolution isn’t far away.


Seek And Exploit Security Vulnerabilities In An Infusion Pump

Infusion pumps and other medical devices are not your typical everyday, off-the-shelf embedded systems. Best case scenario, you will rarely, if ever, come across one in your life. Chances are they simply seem too exotic for anyone to bother exploring their weaknesses with widespread exploitation in mind. Yet their impact on a person’s well-being makes potential security holes tremendously more severe should someone decide to bother one day after all.

[Scott Gayou] is one of those someones, and he didn’t shy away from spending hundreds of hours of his free time inspecting the Smiths Medical Medfusion 4000 infusion pump for any possible security vulnerabilities. Looking at different angles for his threat model, he started with the physical handling of the device’s user interface. This allowed him to enable the external communication protocol settings, which in turn opened the device’s FTP and Telnet ports. Not to give too much away, but he managed to gain access to the file system content and, as a result of that, to the system’s login credentials. This alone can clearly be considered a success, but for [Scott], it merely opened a door that eventually resulted in desoldering the memory chips to reverse engineer the bootloader and firmware, and ultimately executing his own code on the device.

Understanding the implications of his discoveries, [Scott] waited long enough to publish his research so the manufacturer could address and handle these security issues. So kudos to him for fighting the good fight. And just in case the thought of someone gaining control over a machine that is crucial to your vitality doesn’t scare you enough yet, go ahead and imagine that device was actually implanted in your body.

Radio Controlled Pacemakers Are Easily Hacked

Doctors use RF signals to adjust pacemakers so that, instead of slicing a patient open, they can change the pacemaker’s parameters, which in turn avoids unnecessary surgery. A study on security weaknesses of pacemakers (highlights, or the full report as a PDF) has found that pacemakers from the main manufacturers contain security vulnerabilities that make it possible for the devices to be adjusted by anyone with a programmer and proximity. Of course, it shouldn’t be possible for anyone other than medical professionals to acquire a pacemaker programmer. The authors bought their examples on eBay.

They discovered over 8,000 known vulnerabilities in third-party libraries across four different pacemaker programmers from four manufacturers. This highlights an industry-wide problem when it comes to security. None of the pacemaker programmers required passwords, and none of the pacemakers authenticated with the programmers. Some home pacemaker monitoring systems even included USB connections, which opens up the possibility of introducing malware through an infected pendrive.

The programmers’ firmware update procedures were also flawed, with hard-coded credentials being very common. This allows an attacker to set up their own authentication server and upload their own firmware to the home monitoring kit. Due to the nature of the hack, the researchers are not disclosing to the public which manufacturers or devices are at fault and have redacted some information until these medical device companies can get their house in order and fix these problems.

This article only scratches the surface; for an in-depth look, read the full report. Let’s just hope that these medical companies take action and resolve these issues as soon as possible. This is not the first time pacemakers have been shown to be flawed.

U.S. Air Force Is Going To Get Hacked

[HackerOne] has announced that the US Dept of Defense (DoD) has decided to run its biggest bug bounty program ever, Hack the Air Force.

You may remember last year’s Hack the Pentagon bug bounty program. On the coattails of that success, the DoD has decided to run an even bigger program this year: Hack the Air Force. Anyone from “The Five Eyes” countries (Australia, Canada, New Zealand, the United Kingdom and of course the United States) can take part. This is a change in format from the Pentagon challenge, which was only open to U.S. citizens and paid out a total of around $75,000 in bug bounties.

Now, obviously there are rules. You can’t just hack the Air Force no matter how much you want “All their base are belong to you”. The DoD wants computer hackers to find bugs in its public-facing web services and is not so much interested in you penetration testing its weapons systems or any other critical infrastructure. Try that and you may end up with a lovely never-ending tour of Guantanamo Bay Naval Base.

Q Has Nothing On Naomi Wu

We’re not so much fans of James Bond as we are of Q, the hacker who supplies him with such wonderful things. There is a challenger to Q’s crown: [Naomi Wu], code name [SexyCyborg], built an epic gadget called the Pi Palette which hides a Linux laptop inside of a cosmetics case.

You can see the covert mode of the Pi Palette below. It resembles a clamshell cosmetics case with the makeup and applicator in the base and a mirror on the underside of the flip-up lid. The mirror hides an LCD screen in the portrait orientation, as well as a Raspberry Pi 3 running Kali Linux.

The base of the case includes a portable battery beneath the wireless keyboard/touchpad — both of which are revealed when the cosmetics tray is removed. An inductive charger is connected to the battery and [Naomi] built a base station which the Pi Palette sits in for wireless charging.

She envisions this as a covert penetration testing tool. For that, the Pi Palette needs the ability to put the WiFi dongle into promiscuous mode. She wired in a dual dip-switch package and really went the extra mile to design it into the case. The fit and finish of that switch is just one tiny detail that illustrates the care taken with the entire project. With such a beautiful final project it’s no wonder she took to the streets to show it off. Check that out, as well as the build process, in the video after the break.


RFID Reader Snoops Cards From 3 Feet Away

Security researcher [Fran Brown] sent us this tip about his Tastic RFID Thief, which can stealthily snag the information off an RFID card at long range. If you’ve worked with passive RFID before, you know that most readers only work within inches of the card. In [Fran’s] DEFCON talk this summer he calls it the “ass-grabbing method” of trying to get a hidden antenna close enough to a target’s wallet.

His solution takes an off-the-shelf high-powered reader (such as the HID MaxiProx 5375) and makes it amazingly portable by embedding 12 AA batteries and a custom PCB using an Arduino Nano to interpret the reader’s output. When the reader sees a nearby card, the information is parsed by the Nano and the data is both sent to an LCD screen and stored to a .txt file on a removable microSD card for later retrieval.

There are two short videos after the break: a demonstration of the Tastic RFID Thief and a quick look at its guts. If you’re considering reproducing this tool and you’re picking your jaw off the floor over the price of the reader, you can always try building your own…
