Add Bluetooth To A Cheap Electronic Lock

April 19, 2016 by Gerrit Coetzee 24 Comments

[James] works from home. His office is filled with objects that can be described with adjectives such as, “expensive,” and, “breakable.” His home, however, is filled with professional object-breakers known as children. To keep these two worlds from colliding, he installed a keypad lock on his office door. The potential side-effect of accidentally training his children to be master safe-crackers aside, the system seems to work so far.

However, being a hacker, the tedium of entering a passcode soon grew too heavy for him. Refusing to be a techno-peasant, he set out to improve his lock. The first step was to reverse engineer the device. The lock is divided into two halves, one has a keypad and handle, the other actually operates the lock mechanism. They are connected with a few wires. He hooked an oscilloscope to the most likely looking candidates, and looked at the data. It was puzzling at first, until he realized one was a wake-up signal, and the other was the data. He then hooked the wires up to a Bluetooth-enabled Arduino, and pressed buttons until he had all the serial commands the door lock used.

After that it was a software game. He wrote code for his phone and the Arduino to try out different techniques and work out bugs. Once he had that sorted, he polished the app and code until he reached his goal. All of the code is available on his GitHub.

Finally, through his own hands, he elevated himself from techno-peasant to wizard. He need but wave his pocket oracle over the magic box in front of his wizard’s lair, and he will be permitted entry. His wizardly trinkets secure from the resident orcs, until they too begin their study of magic.

Remote Sensing Bombs Could Stem Terrorism

March 29, 2016 by Al Williams 84 Comments

If you understand technology, there were a lot of things hard to explain on Star Trek. Transporters, doors that were smart enough to open unless you hit them during a fight, and the universal translator all defy easy explanation. But one of the hardest things to explain were Mr. Spock’s sensors. From the ship or with a tricorder, Spock could sense at a distance just about anything from chemical compositions, to energy, and even the presence of life (which, today, at least, is difficult to determine even what that means).

Remote sensing would have a very distinct use in today’s world: finding terrorist bombs earlier. A recent article published on New Scientist by [Debora MacKenzie] points out that stopping attacks like the recent one in Brussels is difficult without increasing congestion. For example, putting checkpoints at doors instead of inside transit stations is common in Asia, but causes lines and delays.

The United States has used ion mobility spectrometry (IMS) to detect explosive traces on swabs (using machines like the one on the left). However in the early 2000’s they experimented with a version of the device that used puffs of air to determine if people had explosives while they passed by the machine. By 2010, officials decided the machines broke down too often and stopped using them.

Remote Sensing in Practice

According to an expert at Rand Corporation, remote sensing is likely to employ imaging or sniffers. However, imaging solutions are easy to fool since a bomb can take the shape of an ordinary object. Sniffers, including biological sniffers (known as dogs), are harder to fool. The problem is that deploying thousands of dogs to cover the world’s airports is difficult.

Continue reading “Remote Sensing Bombs Could Stem Terrorism” →

Password Extraction Via Front Doorbell

February 28, 2016 by Elliot Williams 52 Comments

Not a day goes by without another IoT security hack. If you’re wondering why you don’t want your front doorbell connected to the Internet, this hack should convince you.

The hack is unfathomably stupid. You press the button on the back of the unit that pairs the doorbell with your home WiFi network, and it transmits the password in the clear. Sigh. It’s since been fixed, and we suppose that’s a good thing, but we can’t resist thinking for a moment about an alternative implementation.

Imagine, like all previous non-IoT wireless doorbells, that the doorbell transmitted a not-very coded signal over an open frequency like 433 MHz to a receiver inside your home. Do the same with the video stream. Now the receiver can be connected to the Internet, and can be significantly more secure because it’s behind your locked front door. The attack surface presented to the outside world by the doorbell itself is small, and limited to faking a doorbell press or showing you pictures you don’t want to see. Yawn.

But because the outside doorbell unit could be connected to a network, it was. Now the attack surface extends into your home’s network, and if you’re like most people, the WiFi router was your only real defense.

Now we love the IoT, in principle. There are tons of interesting applications that need the sort of bandwidth or remote availability that the Internet provides. We’re just not convinced yet that a doorbell, or a fridge for that matter, meet the criteria. But it does add a hundred bucks to the price tag, so that’s good, right? What do you think? When does the risk of IoT justify the reward?

Thanks [Dielectric] for the tip!

Barcodes That Hack Devices

February 17, 2016 by Elliot Williams 76 Comments

[virustracker] has been playing around with barcodes lately, and trying to use them as a vector to gain control of the system that’s reading them. It’s a promising attack — nobody expects a takeover via barcodes. The idea isn’t new, and in fact we’ve seen people trying to drop SQL attacks in barcodes long ago, but [virustracker] put a few different pieces together and came up with a viable attack.

The trick is that many POS terminals and barcode readers support command characters in their programming modes. Through use of these Advanced Data Formatting (ADF) modes, [virustracker] sends Windows-Key-r, and then cmd.exe, ftps a file down, and runs it. Whatever computer is on the other side of the barcode scanner has just been owned. ADF even supports a delay function to allow time for the command window to pop up before running the rest of the input.

The article details how they got their payload from requiring more than ten individual barcodes down to four. Still, it’s a suspicious-looking attack to try to pull off where other people (think cashiers) are looking. However, we have many automated machines in our everyday life that use barcodes. How many of these are vulnerable is an open question. [virustracker] suggests lottery machines, package-delivery automats, and even hospitals.

The defense is simple, and it’s the same as everywhere else: disable the debug and configuration modes in your production systems, and sanitize your input. Yes, even the barcodes.

The Internet Of Broken Things (or, Why Am I So Cold?)

February 8, 2016 by Al Williams 68 Comments

Although the Internet of Things (IoT) is a reasonably new term, the idea isn’t really all that new. Many engineers and hackers have created networked embedded systems for many years. So what’s different? Two things: the Internet is everywhere and the use of connected embedded systems in a consumer setting.

Like anything else, there’s a spectrum of usefulness to IoT. Watching The Expanse, the other day (which is not a bad show, by the way), I noticed that if you had the right IoT lights, you could run an app that would change your lighting to suit the show in real-time. I don’t have those lights, but I suppose when the action moves to a dark sub-basement, your lights dim and when you are in a space ship’s reactor room, they turn red, and so on. Fun, but hardly useful or life-changing.

On the other hand, there are some very practical IoT items like the Nest thermostat. It might seem lazy to want to monitor and control your thermostat from your tablet, but if you are frequently away from home, or you have multiple houses, it can be a real positive to be able to control things remotely. With the recent blizzard on the U.S. east coast, for example, it would be great to turn on the heat in your weekend cottage 150 miles away while you were still at work or home. However, the Nest recently had a hiccup during an upgrade and it has made many of their customers mad (and cold). I’ll get back to that, in a minute. First, I want to talk about the problems with deploying something that will be in many varied environments (like people’s homes) that controls something real.

Continue reading “The Internet Of Broken Things (or, Why Am I So Cold?)” →

Reverse Engineering A WiFi Security Camera

February 6, 2016 by Brian Benchoff 22 Comments

The Internet of Things is slowly turning into the world’s largest crappy robot, with devices seemingly designed to be insecure, all waiting to be rooted and exploited by anyone with the right know-how. The latest Internet-enabled device to fall is a Motorola Focus 73 outdoor security camera. It’s quite a good camera, save for the software. [Alex Farrant] and [Neil Biggs] found the software was exceptionally terrible and would allow anyone to take control of this camera and install new firmware.

The camera in question is the Motorola Focus 73 outdoor security camera. This camera connects to WiFi, features full pan, tilt, zoom controls, and feeds a live image and movement alerts to a server. Basically, it’s everything you need in a WiFi security camera. Setting up this camera is simple – just press the ‘pair’ button and the camera switches to host mode and sets up an open wireless network. The accompanying Hubble mobile app scans the network for the camera and prompts the user to connect to it. Once the app connects to the camera, the user is asked to select a WiFi connection to the Internet from a list. The app then sends the security key over the open network unencrypted. By this point, just about anyone can see the potential for an exploit here, and since this camera is usually installed outdoors – where anyone can reach it – evidence of idiocy abounds.

Once the camera is on the network, there are a few provisions for firmware upgrades. Usually, firmware upgrades are available by downloading from ‘private’ URLs and sent to the camera with a simple script that passes a URL directly into the shell as root. A few facepalms later, and [Alex] and [Neil] had root access to the camera. The root password was ‘123456’.

While there’s the beginnings of a good Internet of Camera in this product, the design choices for the software are downright stupid. In any event, if you’re looking for a network camera that you own – not a company with a few servers and a custom smartphone app – this would be near the top of the list. It’s a great beginning for some open source camera firmware.

Thanks [Mathieu] for the tip.

“Hello Barbie” Not An IoT Nightmare After All

January 29, 2016 by Elliot Williams 25 Comments

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.