Here’s a puzzler for you: If you’re phreaking something that’s not exactly a phone, are you still a phreak?
That question probably never crossed the minds of New Yorkers who were acoustically assaulted on the normally peaceful sidewalks of Manhattan over the summer by creepy sounds emanating from streetside WiFi kiosks. The auditory attacks caused quite a stir locally, leading to wild theories that Russian hackers were behind it all. Luckily, the mystery has been solved, and it turns out to have been part prank, part protest, and part performance art piece.
To understand the exploit, realize that New York City has removed thousands of traditional pay phones from city sidewalks recently and replaced them with LinkNYC kiosks, which are basically WiFi hotspots with giant HDTV displays built into them. For the price of being blitzed with advertisements while strolling by, anyone can make a free phone call using the built-in VOIP app. That was the key that allowed [Mark Thomas], an old-school phreak and die-hard fan of the pay telephones that these platforms supplanted, to launch his attack. It’s not exactly rocket surgery; [Mark] dials one of the dozens of conference call numbers he has set up with pre-recorded audio snippets. A one-minute delay lets him crank the speakerphone volume up to 11 and abscond. The recordings vary, but everyone seemed most creeped out by the familiar jingle of the [Mr. Softee] ice cream truck franchise, slowed down and distorted to make it sound like something from a fever dream.
Yes, it’s a minimal hack, and normally we don’t condone the misuse of public facilities, even ones as obnoxious as LinkNYC appears to be. But it does make a statement about the commercialization of the public square, and honestly, we’re glad to see something that at least approaches phreaking again. It’s a little less childish than blasting porn audio from a Target PA system, and far less dangerous than activating a public safety siren remotely.
Continue reading “Manhattan Mystery of Creepy Jingles and Random Noises Solved”
The invention of the transistor ushered in a lot of technologies that we now take for granted, and one of the less-thought-about areas that it improved living conditions worldwide was by making the touch-tone phone possible. No longer would the world have to fuss with dials to make phone calls, they could simply push some buttons. This technology is still in use today, and it is possible to build external phone dialers that use these tones to make phone calls, as [SunFounder] demonstrates with his latest project.
The tones that a phone makes when a button is pressed correlate with specific frequencies for each number. Automatic dialers like this one help when there are multiple carriers (like different long-distance carriers, for example) where different prefixes can be used to make calls cheaper depending on the destination of the call. A preprogrammed dialer can take all of this complication out of making phone calls. [SunFounder] is able to make a simple dialer from scratch, using an Arduino, its “tone” library, and a speaker that is simply held up to the phone that the call will be placed on.
[SunFounder] points out that he built this more because he’s interested in the inner workings of phones, and not because he needed a purpose-built dialer. It’s a good demonstration of how phones continue to use DTMF though, and how easy it is to interface with such a system. It might also suit a beginner as an introduction to the world of phreaking.
In 1985, [Wim van Eck] published several technical reports on obtaining information the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.
Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox It has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.
The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.
The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.
However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.
As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common, humans are not perfect and make decisions which can be irrational. Continue reading “Social Engineering is on The Rise: Protect Yourself Now”
If we were to express an official view of the what these guys did once they hacked into a Target store’s PA system, we’d have to go with definitely uncool. However, it’s good to know that phone phreaking and good ol’ social engineering isn’t dead yet. Many of us got our start by playing with the systems around us.
Anyone could call into a Target store and request to be transferred to the PA’s extension code, which was the same everywhere. If the person transferring the call wasn’t quick on their feet, the caller would then be patched directly into the stores PA system. The kicker? Target had no way of stopping the PA until the caller hung-up. It’s the way the system was designed.
The hack itself is embarrassingly simple. The PA is attached to the in-store phone network. This is pretty standard. We’ve all seen a sales associate go up to phone in a store, dial a number, and make an announcement throughout the store. Where Target went wrong is improper separation of systems, and poorly thought out standardization.
The weakest link in security is always the people it’s designed for, not the one’s it’s designed to keep out. It’s a fun little prank, and hopefully Target has it sorted out now.
Continue reading “Social Engineering Your Way To The Target PA System”
Electronics leak waves and if you know what you’re doing you can steal people’s data using this phenomenon. How thick is your tinfoil hat? And you sure it’s thick enough? Well, it turns out that there’s a (secret) government standard for all of this: TEMPEST. Yes, all-caps. No, it’s not an acronym. It’s a secret codename, and codenames are more fun WHEN SHOUTED OUT LOUD!
The TEMPEST idea in a nutshell is that electronic devices leak electromagnetic waves when they do things like switch bits from ones to zeros or move electron beams around to make images on CRT screens. If an adversary can remotely listen in to these unintentional broadcasts, they can potentially figure out what’s going on inside your computer. Read on and find out about the history of TEMPEST, modern research, and finally how you can try it out yourself at home!
Continue reading “TEMPEST: a Tin Foil Hat for Your Electronics and Their Secrets”
Payphones used to be found on just about every street corner. They were a convenience, now replaced by the ubiquitous mobile phone. These machines were the stomping grounds for many early computer hackers, and as a result hold a place in hacker history. If you’ve ever wanted to re-live the good ol’ days, [hharte’s] project might be for you.
[hharte] has been working to make these old payphones useful again with some custom hardware and software. The project intends to be an interface between a payphone and an Asterisk PBX system. On the hardware side, the controller board is capable of switching various high voltage signals required for coin-line signaling. The controller uses a Teensy microcontroller to detect the hook status as well as to control the relays. The current firmware features are very basic, but functional.
[hharte] also wrote a custom AGI script for Asterisk. This script allows Asterisk to detect the 1700hz and 2200hz tones transmitted when coins are placed into the machine. The script is also in an early stage, but it will prompt for money and then place the call once 25 cents has been deposited. All of the schematics and code can be found on the project’s github page.