security

460 Articles

Mozilla WebThings: An Open Platform For Building IoT Devices

October 29, 2019 by 24 Comments

Mozilla recently officially released their IoT platform. This framework comes with “Gateway” software that can run on a Raspberry Pi and a framework that can run on any number of devices.

As we’ve seen, IoT is a dubious prospect for consumers. When you throw in all the privacy issues, support issues, and end-of-life issues; it gets even worse. Nobody wants their light bulbs to stop working because a server in faraway land shut down, but that’s an hilariously feasible scenario.

WebThings comes with a lot out of the box. It comes with a user interface, logging, rules, and an easy-to-understand API. Likewise the actual framework allows for building on many common devices and can be written in Node, Python, Java, Rust, Micropython, and used as an Arduino library. This opens it up for everything from a eBay ESP32 to a particle board.

We’ve started to notice some projects that use it trickling in on the tip line and on hackaday.io. We’re interested to see what kind of community grows around this, and are curious if it won’t be too long before easy-to-hack kits start showing up on your favorite online retailers.

There’s good documentation and of course, being open source, you can check out the source for yourself.

Revisiting The BlackHat Hack: How A Security Conference Was Pwned

October 18, 2019 by 1 Comment

Does anyone remember the Black Hat BCard hack in 2018? This hack has been documented extensively, most notoriously by [NinjaStyle] in his original blog post revealing the circumstances around discovering the vulnerability. The breach ended up revealing the names, email addresses, phone numbers, and personal details of every single conference attendee – an embarrassing leak from one of the world’s largest cybersecurity conferences.

To recap: The Black Hat conference badges included an embedded NFC tag storing the participant’s contact details presumably for vendors to scan for marketing purposes. After scanning the tag, [NinjaStyle] realized that his name was readily available, but not his email address and other information. Instead, the NFC reader pointed to the BCard app – an application created for reading business cards.

[NinjaStyle] decompiled the APK for the app to search for API endpoints and found that the participants each had a custom URL made using event identification values. After finding data that appeared to correspond to an eventID and badgeID, he sent a request over a web browser and found that his attendee data was returned completely unauthenticated. With this knowledge, it was possible to brute-force the contact details for every Black Hat attendee (the range of valid IDs was between 100000-999999, and there were about 18,000 attendees). Using Burp Suite, the task would take about six hours. 

He was able to get ahold of BCard to reveal the vulnerability, which was fixed in less than a day by disabling the leaky API from their legacy system. Even so, legacy APIs in conference apps aren’t an uncommon occurrence – the 2018 RSA Conference (another cybersecurity conference) also suffered from an unprotected app that allowed 114 attendee records to be accessed without permission.

With the widespread publicity of leaked attendee data, event organizers are hopefully getting smarter about the apps that they use, especially if they come from a third-party vendor. [Yashvier Kosaraju] gave a talk at TROOPERS19 about pen testing several large vendors and discovering that Kitapps (Attendify) and Eventmobi both built apps with unauthenticated access to attendee data. It’s hard to say how many apps from previous years are still around, or whether or not the next event app you use will come with authentication – just remember to stay vigilant and to not give too much of your personal data away.

A Tamagotchi For WiFi Cracking

October 16, 2019 by 8 Comments

OK, let’s start this one by saying that it’s useful to know how to break security measures in order to understand how to better defend yourself, and that you shouldn’t break into any network you don’t have access to. That being said, if you want to learn about security and the weaknesses within the WPA standard, there’s no better way to do it than with a tool that mimics the behavior of a Tamagotchi.

Called the pwnagotchi, this package of artificial intelligence looks for information in local WiFi packets that can be used to crack WPA encryption. It’s able to modify itself in order to maximize the amount of useful information it’s able to obtain from whatever environment you happen to place it in. As an interesting design choice, the pwnagotchi behaves like an old Tamagotchi pet would, acting happy when it gets the inputs it needs.

This project is beyond a novelty though and goes deep in the weeds of network security. If you’re at all interested in the ways in which your own networks might be at risk, this might be a tool you can use to learn a little more about the ways of encryption, general security, and AI to boot. Of course, if you’re new to the network security world, make sure the networks you’re using are secured at least a little bit first.

Thanks to [Itay] for the tip!

USB Armory MkII: A USB-C Thumb Drive Based Linux Computer For Pentesters

September 29, 2019 by 16 Comments

While it might look like a disrobed flash drive or RTL-SDR dongle, the USB Armory Mk II is actually a full-fledged open hardware computer built into the ubiquitous USB “stick” format. But more than just that, it’s optimized for security research and boasts a list of features that are sure to get the attention of any pentesters in the audience. Fine tuned thanks to the feedback developer [Inverse Path] received about the original version of the hardware, the Mk II promises to be the last word in secure mobile computing.

Compared to the original hardware, the most obvious change is the switch to USB-C. The previous USB Armory used traces on the PCB to plug directly into a USB Type-A port, but this time around [Inverse Path] has put a proper male connector on the front of the board. Nominally, the USB Armory is plugged into a host computer to provide it with power and a network connection, though it also has the ability to disguise itself as a storage or input device for more stealthy applications. There’s also a female USB-C port on the Mk II, which can be used to connect additional devices, a feature the previous version lacked.

The USB Armory Mk II is powered by an upgraded 900 MHz ARM Cortex-A7 processor, though it retains the same 512 MB of RAM from the previous version. Like the original, there’s a micro SD slot to hold the Linux operating system, but this time it’s supplemented with an onboard 16 GB eMMC chip. There’s even a physical switch that allows the user to choose which storage device they want to boot from. Other additions for the Mk II include Bluetooth connectivity, and a hardware true random number generator (TRNG).

We first brought you word of the original USB Armory back in 2014, and it’s always good to see an open hardware project thriving and iterating years later. While the $149 price tag arguably puts the MKII out of the tinkering budget for many of us, there’s clearly a market for niche devices like this and we can’t wait to see what [Inverse Path] comes up with next.

ESP8266 And ESP32 WiFi Hacked!

September 5, 2019 by 48 Comments

[Matheus Garbelini] just came out with three (3!) different WiFi attacks on the popular ESP32/8266 family of chips. He notified Espressif first (thanks!) and they’ve patched around most of the vulnerabilities already, but if you’re running software on any of these chips that’s in a critical environment, you’d better push up new firmware pretty quick.

The first flaw is the simplest, and only effects ESP8266s. While connecting to an access point, the access point sends the ESP8266 an “AKM suite count” field that contains the number of authentication methods that are available for the connection. Because the ESP doesn’t do bounds-checking on this value, a malicious fake access point can send a large number here, probably overflowing a buffer, but definitely crashing the ESP. If you can send an ESP8266 a bogus beacon frame or probe response, you can crash it.

What’s most fun about the beacon frame crasher is that it can be implemented on an ESP8266 as well. Crash-ception! This takes advantage of the ESP’s packet injection mode, which we’ve covered before.

The second and third vulnerabilities exploit bugs in the way the ESP libraries handle the extensible authentication protocol (EAP) which is mostly used in enterprise and higher-security environments. One hack makes the ESP32 or ESP8266 on the EAP-enabled network crash, but the other hack allows for a complete hijacking of the encrypted session.

These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks,  but we’d really like to see Espressif patch up this hole anyway.

[Matheus] points out the irony that if you’re using WPA2, you’re actually safer than if you’re unpatched and using the nominally more secure EAP. He also wrote us that if you’re stuck with a bunch of ESP8266s in an EAP environment, you should at least encrypt and sign your data to prevent eavesdropping and/or replay attacks.

Again, because [Matheus] informed Espressif first, most of the bugs are already fixed. It’s even percolated downstream into the Arduino-for-ESP, where it’s just been worked into the latest release a few hours ago. Time for an update. But those crusty old NodeMCU builds that we’ve got running everything in our house?  Time for a full recompile.

We’ve always wondered when we’d see the first ESP8266 attacks in the wild, and that day has finally come. Thanks, [Matheus]!

Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised

August 23, 2019 by 83 Comments

It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.

The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.

With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.

The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.

Continue reading “Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised”

Use A Digital Key To Deter Lockpicking

July 19, 2019 by 26 Comments

Spending an hour or two around any consumer-level padlock or house deadbolt lock with a simple lockpicking kit will typically instill a good amount of panic and concern about security. While it’s true that any lock can be defeated, it’s almost comically easy to pick basic locks like this. So, if you’re looking for a level of security that can’t be defeated in two minutes with a tiny piece of metal, you might want to try something a little more advanced.

This project stemmed from an idea to use a YubiKey, a USB hardware token typically used for two-factor authentication, for physical locks instead. The prototype was built around an Arduino UNO, and all of the code and build instructions are available on the project’s site. The creator, [rprinz08], does not have one built inside of a secure enclosure so that would remain an exercise for the reader, but the proof-of-concept is interesting and certainly useful.

While digital keys like this can have their own set of problems (as all locks do), this would be a great solution for anyone needing to lock up anything where physical keys are a liability or a nuisance, where logging is important, or where many people need access to the same lock. The open source code and well-known platform make it easy for anyone to build, too.