security

460 Articles

Smart Gun Beaten By Dumb Magnets

July 25, 2017 by 221 Comments

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.
Continue reading “Smart Gun Beaten By Dumb Magnets”

Sneak Thieves Beware: A Pi Watcheth

July 13, 2017 by 8 Comments

Ever have that strange feeling that somebody is breaking into your workshop? Well, Hackaday.io user [Kenny] has whipped up a tutorial on how to scratch that itch by turning a spare Raspberry Pi you may have kicking around into a security camera system that notifies you at a moment’s notice.

The system works like this: a Raspberry Pi 3 and connected camera module remain vigilant, constantly scanning for motion and recording video. If motion is detected, it immediately snaps and sends a picture to the user’s mobile via PushBullet, then begins recording video. If there is still movement after a few seconds, the process repeats until the area is once again devoid of motion. This also permits a two-way communication with your Pi security system, so you can check in on the live feed whenever you feel the urge.

To get this working for you — assuming that your Pi has been recently updated — setup requires setting up a PushBullet account as well as installing it on your mobile and  linking it with an API. For your Pi, you can go ahead with setting up some Python PushBullet libraries, installing FFmpeg, Pi Camera Notifier, and others. Or, install the ready-to-go image [Kenny] has prepared. He gets into the nitty-gritty of the code in his guide, so check that out or watch the tutorial video after the break.

Continue reading “Sneak Thieves Beware: A Pi Watcheth”

Dropping Zip Bombs On Vulnerability Scanners

July 8, 2017 by 117 Comments

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s Schmoocon for cathartic tales of revenge.

Malduino Elite – First Impressions

May 31, 2017 by 39 Comments

A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.

The Lite version is really small, besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and a LED, which indicates when the script has finished running.

Original Malduino Elite sketch and Lite prototype

The Elite version is bigger, comes with a Micro-SD card reader and four DIP switches, which allow the user to choose which script to run from the card. It also has the LED, which indicates when a script has finished to run. This allows the user to burn the firmware only once and then program the keystroke injection scripts that stored in the Micro-SD card, in contrast to the Lite version which needs to be flashed each time a user wants to run a different script.

These are the two Malduinos and because they are programmed straight from the Arduino IDE, every feature I just mentioned can be re-programmed, re-purposed or dropped all together. You can buy one and just choose to use it like a ‘normal’ Arduino, although there are not a lot of pins to play around with. This freedom was one the first things I liked about it and actually drove me to participate in the crowd-funding campaign. Read on for the full review.
Continue reading “Malduino Elite – First Impressions”

Radio Controlled Pacemakers Are Easily Hacked

May 27, 2017 by 40 Comments

Doctors use RF signals to adjust pacemakers so that instead of slicing a patient open, they can change the pacemakers parameters which in turn avoids unnecessary surgery. A study on security weaknesses of pacemakers (highlights) or full Report (PDF) has found that pacemakers from the main manufacturers contain security vulnerabilities that make it possible for the devices to be adjusted by anyone with a programmer and proximity. Of course, it shouldn’t be possible for anyone other than medical professionals to acquire a pacemaker programmer. The authors bought their examples on eBay.

They discovered over 8,000 known vulnerabilities in third-party libraries across four different pacemaker programmers from four manufacturers.  This highlights an industry-wide problem when it comes to security. None of the pacemaker programmers required passwords, and none of the pacemakers authenticated with the programmers. Some home pacemaker monitoring systems even included USB connections in which opens up the possibilities of introducing malware through an infected pendrive.

The programmers’ firmware update procedures were also flawed, with hard-coded credentials being very common. This allows an attacker to setup their own authentication server and upload their own firmware to the home monitoring kit. Due to the nature of the hack, the researchers are not disclosing to the public which manufacturers or devices are at fault and have redacted some information until these medical device companies can get their house in order and fix these problems.

This article only scratches the surface for an in-depth look read the full report. Let’s just hope that these medical companies take action as soon as possible and resolve these issue’s as soon as possible. This is not the first time pacemakers have been shown to be flawed.

Hacked By Subtitles

May 25, 2017 by 15 Comments

CheckPoint researchers published in the company blog a warning about a vulnerability affecting several video players. They found that VLC, Kodi (XBMC), Popcorn-Time and strem.io are all vulnerable to attack via malicious subtitle files. By carefully crafting a subtitles file they claim to have managed to take complete control over any type of device using the affected players when they try to load a video and the respective subtitles.

According to the researchers, things look pretty grim:

We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.

One of the reasons you might want to make sure your software is up to date is that some media players download subtitles automatically from several shared online repositories. An attacker, as the researchers proved, could manipulate the website’s ranking algorithm and not only would entice more unsuspecting users to manually download his subtitles,  but would also guarantee that his crafted malicious subtitles would be those automatically downloaded by the media players.

No additional details were disclosed yet about how each video player is affected, although the researchers did share the details to each of the software developers so they can tackle the issue. They reported that some of the problems are already fixed in their current versions, while others are still being investigated. It might be a good idea to watch carefully and update your system before the details come out.

Meanwhile, we can look at the trailer:

Continue reading “Hacked By Subtitles”

Linux SambaCry

May 25, 2017 by 25 Comments

Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux has also its own, seven-year-old version of the bug. /s

This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.

The bug, however, has nothing to do on how Eternalblue works, one of the exploits that the current version of WannaCry ransomware packs with. While Eternalblue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load.  To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share, afterwards it’s possible for the attacker to cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.

A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are also available. If you can’t apply the patch at the moment, the workaround is to add the parameter “nt pipe support = no” to the [global] section of your smb.conf and restart smbd. Note that this can disable some expected functionality for Windows clients.

Meanwhile, NAS vendors start to realise they have work on their hands. Different brands and models that use Samba for file sharing (a lot, if not all, of them provide this functionality) will have to issue firmware updates if they want to patch this flaw. If the firmware updates for these appliances take the same time they usually do, we will have this bug around for quite some time.