Running Custom Code On Cheap One-time Password Tokens

October 15, 2013 by Mathieu Stephan 41 Comments

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled one eToken (Aladin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kind of devices don’t come with their schematics and layout files so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find which microcontroller was present on the board as its only marking were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals on Microchip parametric search tool he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Trandscend Wi-Fi SD card hacking which was also one of [Dmitry’s] hacks.

Wi-Fi Enabled Garage Door Opener

September 26, 2013 by Brian Benchoff 27 Comments

Normally, internet-controlled household devices are a cobbled together mashup of parts. This is great for a prototype, but if you’re looking for something that will last a decade in your garage, you’ll need something a little cleaner and more robust. [Phil]’s Internet-enabled garage door opener is just that, replete with a custom-made enclosure for his Arduino powered system.

The main hardware for [Phil]’s build is a Freetronix EtherTen, an Arduino clone with a built-in Ethernet interface. Aside from that, the electronics are simple: a relay, transistor, and diode provide the connection from the EtherTen to the garage door opener.

The software for this setup consists of a main file that sets up the web page, the serial monitor, and loops through the main program. There are a bunch of classes for initializing the web page, writing passwords to the EEPROM, activating the door, and setting the MAC and IP addresses.

Opening the door with this remote is a snap: with any WiFi enabled smartphone or tablet, [Phil] only needs to log onto his network, surf on over to the page hosted on the Arduino, and enter a password. From there, opening the door is just a press of a button. Passwords and other configuration settings cane be entered with MegunoLink. This software also includes a serial monitor to log who opened the door and when.

It’s an interesting and compact system, and handy to boot. You might sometimes forget your garage door opener, but we’re thinking if you ever find yourself without your phone, a closed garage door is the least of your problems.

Reverse Engineering A Wireless Protocol

July 1, 2013 by Brian Benchoff 31 Comments

logic

Like all good tinkerers, [Andrew] decided to figure out how his wireless security system worked. Yes, it’s an exercise in reverse engineering, and one of the best we’ve seen to date.

After breaking out the handheld spectrum analyzer and TV tuner SDR, [Andrew] cracked open a few devices and had a gander at the circuit boards. The keypad, PIR sensor, and base station all used a TI radio chip – the CC11xx series – that uses SPI to communicate with a microcontroller.

Attaching a logic analyzer directly to the radio chip and reading the bits directly, [Andrew] started getting some very good, if hard to understand data. From the security system specs, he knew it used a ’20-bit code’, but the packets he was reading off the SPI bus were 48 bits long. The part of this code was probably the system’s address, but how exactly does the system read its sensors?

The easiest way to figure this out was to toggle a few of the sensors and look at the data being transmitted. With a good bit of reasoning, [Andrew] figured out how the alarm system’s code worked. This theory was tested by connecting one of the radios up to an Arduino and having his suspicions confirmed.

While [Andrew]’s adventure in reverse engineering is only a benefit for people with this model of security system, it’s a wonderful insight into how to tear things apart and understand them.

A Clever Solution For Constantly Locking Workstations

March 12, 2013 by Brian Benchoff 57 Comments

ROBOT

[Vasilis] works at CERN, and like any large organization that invented the World Wide Web, they take computer security pretty seriously. One ‘feature’ the IT staff implemented is locking the desktop whenever the screen saver runs. When [Vasilis] is in his office but not at his battlestation, the screen saver invariably runs, locking the desktop, and greatly annoying [Vasilis].

The usual Hackaday solution to this problem would be a complex arrangement of RFID tags, webcams, and hundreds, if not thousands of lines of code. [Vasilis] came up with a much better solution: have the computer ping his phone over Bluetooth. If the phone is detected by the computer, kill the screen saver.

The code is up on Github. It’s not much – just 20 lines of a Bash script – but it’s just enough to prevent the aggravation of typing in a password dozens of times a day.

Breaking The MintEye CAPTCHA One More Time

January 29, 2013 by Brian Benchoff 20 Comments

minteye

A while back we saw the MintEye CAPTCHA system – an ‘are you human’ test that asks you to move a slider until an image is de-swirled and de-blurred – cracked wide open by exploiting the accessibility option. Later, and in a clever bit of image processing, the MintEye CAPTCHA was broken yet again by coming up with an algorithm to detect if an image is de-swirled and de-blurred.

It appears we’re not done with the MintEye CAPTCHA yet (Russian, translation). Now the MintEye CAPTCHA can be broken without any image processing or text-to-speech libraries. With 31 lines of Java, you too can crack MintEye wide open.

The idea behind the hack comes from the fact that blurred images will be much smaller than their non-blurred counterpart. This makes sense; the less detail in an image, the smaller the file size can be. Well, all the pictures MintEye delivers to your computer – 30 of them, one for each step of swirl and blurring – are the same size, meaning the ‘wrong answer’ images are padded with zeros at the end of the file.

There’s a 31 line program on the build page that shows how to look at thirty MintEye images and find the image with the fewest zeros at the end of the file. This is, by the way, the correct answer for the MintEye CAPTCHA, and has a reproducibility of 100%.

So, does anyone know if MintEye is a publicly traded company? Also, how exactly do you short a stock?

Extracting Data With USB HID

January 26, 2013 by Brian Benchoff 59 Comments

sd_adaptor

High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.

We’ve seen this sort of thing before where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a micocontroller. [d3ad0ne]’s build exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.

To extract data from a system, [ d3ad0ne] connects a Teensy microcontroller to the USB port. After opening up Notepad, [ d3ad0ne] mashes the Caps Lock key to force the Teensy to type out a script that can be made into an executable. This executable is a bare-bones application that can send any file back over the USB cable to the Teensy where it’s stored on an SD card. Short of filling the USB ports in a workstation with epoxy, there’s really no way to prevent secure files from leaking out of a computer.

Breaking The Minteye Captcha Again

January 19, 2013 by Brian Benchoff 16 Comments

cap

A few days ago we saw a post from [samuirai] at the Shackspace hackerspace in Stuttgart on breaking the minteye captcha system. Like most other captcha cracks, [samuirai] used the voice accessibility option that provides an audio captcha for blind users. Using the accessibility option is a wonderful piece of work, but [Jack] came up with an even more elegant way to defeat the minteye captcha.

For those unfamiliar, the minteye captcha provides a picture tossed through a swirl filter with a slider underneath. Move the slider left or right to eliminate the swirl and you’ve passed the, “are you human” test. Instead of looking for straight lines, [Jack] came up with a solution that easily defeats the minteye captcha in 23 lines of Python: just minimize the length of all the edges found in the pic.

The idea behind the crack is simply the more you swirl an image, the longer the edges in the image become. Edge detection is a well-studied problem, so the only thing the minteye cracking script needed to do was to move the slider for the captcha from the left to the right and measure the lengths of all the edges.

[Jack] included the code for image processing part of his crack, fortunately leaving out the part where he returns an answer to the minteye captcha. For that, and a very elegant way to crack a captcha, we thank him.