security

473 Articles

Researchers Claim That HP Laser Printers Can Be Hijacked To Steal Data And Catch Fire

November 30, 2011 by 36 Comments

hp-laserprinter-security-holes

The news was abuzz yesterday with coverage of a study released by Columbia University researchers warning consumers that HP laser printers are wide open to remote tampering and hacking. The researchers claim that the vast majority of printers from HP’s LaserJet line accept firmware updates without checking for any sort of digital authentication, allowing malicious users to abuse the machines remotely. The researchers go so far as to claim that modified firmware can be used to overheat the printer’s fuser, causing fires, to send sensitive documents to criminals, and even force the printers to become part of a botnet.

Officials at HP were quick to counter the claims, stating that all models built in 2009 and beyond require firmware to be digitally signed. Additionally, they say that all of the brand’s laser printers are armed with a thermal cutoff switch which would mitigate the fuser attack vector before any real fire risk would present itself. Despite HP’s statements, the researchers stand by their claims, asserting that vulnerable printers are still available for purchase at major office supply stores.

While most external attacks can easily be prevented with the use of a firewall, the fact that these printers accept unsigned firmware is undoubtedly an interesting one. We are curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities (and low toner warning overrides), or if this all simply fizzles out after a few weeks.

RFID Reading And Spoofing

November 10, 2011 by 9 Comments

Locks are always temporary hindrances. After deciding to open the RFID-secured lock in his department, [Tixlegeek] built a device to read and spoof RFID tags (French, Google translate here).

The system is built around an ATMega32 microcontroller with a 16×2 LCD display. A commercial RFID reader module takes care of all the sniffing/cloning duties, and a small modulation circuit handles pumping those bits over to a lock. Right now, the spoofer can only handle reading and spoofing 125kHz RFID tags with no encryption or authorization. A tag that’s more complex than the duct tape RFID tag doesn’t work.

[Tixlegeek]’s little project does open up a few interesting avenues of exploring stuff that’s most certainly illegal. A smaller version of the project could be emplaced near a door or other RFID reader and left to crack a lock with a 32+62 bit password at 125 kilohertz. It wouldn’t be the fastest safecracker in the business, but it would work automatically as long as there is power.

If you’ve got any other ideas on what [Tixlegeek]’s RFID spoofer could do, leave a note in the comments.

beer-security

Beer Security System Keeps Freeloaders Out Of Your Stash

November 3, 2011 by 29 Comments

The crew at the Milwaukee Hackerspace are pretty serious about their beer. They used to have a fridge filled with cans, available to all at the hackerspace, but they decided to beef things up and create a secured beer dispensing system.

Like many others we have seen, their kegerator is built into an old refrigerator, complete with a tap built into the door. To ensure that interlopers are kept from their precious brew, they have secured the refrigerator using an Arduino and RFID tags to grant access. They use the same RFID key fobs members carry to gain access to the space for tracking beer consumption, unlocking the tap whenever a valid tag is swiped past the sensor.

They are still in the midst of tweaking and revising the system, but it looks good so far. It’s a great way to keep uninvited guests from their beer stash, while giving them a way to track consumption at the same time. We’re looking forward to seeing more details and code once things are completely wrapped up.

[via BuildLounge]

Simple Circuit Reminds You To Lock The Door As You Rush Out Of The House

October 11, 2011 by 24 Comments

door_lock_minder

It seems that [pppd] is always rushing out of his apartment to catch the bus, and he finds himself frequently questioning whether or not he remembered to lock the door. He often doubles back to check, and while he has never actually forgotten to lock the door, he would rather not deal with the worry.

Since he finally had some free time on his hands, he decided to put together a simple device that would help end his worry once and for all. Using an ATtiny13, [pppd] designed a circuit that would detect when his door has been unlocked and opened, beeping every few seconds until the lock is reengaged. The circuit relies on a reed switch installed inside the door frame, which is tripped by the magnet he glued to his door’s deadbolt.

He says that the system works well so far, though he does have a few improvements in mind already.

Security System Gives You A Call When It Senses Intruders

September 8, 2011 by 13 Comments

gsm_motion_detector_alarm_system

[Dimitris] decided to build a homemade alarm system, but instead of triggering a siren, sending an SMS message, or Tweeting about an intrusion, he preferred that his system call him when there was trouble afoot. He says that he preferred a call over text messaging because there are no charges associated with the call if the recipient does not pick up the line, which is not the case with SMS.

The system is based around an off the shelf motion detector that was hacked to work with an old mobile phone. The motion detector originally triggered a siren, but he stripped out the speaker and wired it to a bare bones Arduino board he constructed. The Arduino was in turn connected to the serial port of an unused Ericssson T10s mobile phone. This allows the Arduino to call his mobile phone whenever the motion detector senses movement.

The system looks to be quite useful, and while [Dimitris] didn’t include all of the code he used, he says others should be able to replicate his work without too much trouble.

Gyroscope-based Smartphone Keylogging Attack

August 18, 2011 by 31 Comments

smartphone_keylogging_with_gyroscopes

A pair of security researchers have recently unveiled an interesting new keylogging method (PDF Research Paper) that makes use of a very unlikely smartphone component, your gyroscope.

Most smart phones now come equipped with gyroscopes, which can be accessed by any application at any time. [Hao Chen and Lian Cai] were able to use an Android phone’s orientation data to pin down what buttons were being pressed by the user. The attack is not perfect, as the researchers were only able to discern the correct keypress about 72% of the time, but it certainly is a good start.

This side channel attack works because it turns out that each button on a smart phone has a unique “signature”, in that the phone will consistently be tilted in a certain way with each keypress. The pair does admit that the software becomes far less accurate when working with a full qwerty keyboard due to button proximity, but a 10 digit pad and keypads found on tablets can be sniffed with relatively good results.

We don’t think this is anything you should really be worried about, but it’s an interesting attack nonetheless.

[Thanks, der_picknicker]

PS2 To USB Keyboard Converter Also Logs Your Keystrokes

August 16, 2011 by 15 Comments

[Shawn McCombs] is up to no good with his first Teensy project. The board you see above takes the input from a PS2 keyboard and converts it to a USB connection. Oh, and did we mention that it also keeps track of everything you type as well?

From the beginning the project was intended to be a keylogger. It’s a man-in-the-middle device that could be hidden inside the case of a keyboard, making it appear to be a stock USB keyboard. Data is stored to an SD card so an attacker would need to gain access to the hardware after the data he’s targeting has been typed.

It works mostly as [Shawn] expected. He is, however, having trouble handling the CTRL, ALT, Windows, and Caps Lock keys. If this were actually being used maliciously it would be a dead giveaway. Many secure Windows machine require a CRTL-ALT-DELETE keystroke to access the login screen.