Apple Laptop Batteries Vulnerable To Firmware Hack

July 23, 2011 by Mike Nathan 45 Comments

dead_and_busted_macbook_batteries

When you think about hacking laptops, it’s highly unlikely that you would ever consider the battery as a viable attack vector. Security researcher [Charlie Miller] however, has been hard at work showing just how big a vulnerability they can be.

As we have been discussing recently, the care and feeding of many batteries, big and small, is handled by some sort of microcontroller. [Charlie] found that a 2009 update issued by Apple to fix some lingering MacBook power issues used one of two passwords to write data to the battery controllers. From what he has seen, it seems these same passwords have been used on all batteries manufactured since that time as well. Using this data, he was subsequently able to gain access to the chips, allowing him to remotely brick the batteries, falsify data sent to the OS, and completely replace the stock firmware with that of his own.

He says that it would be possible for an attacker to inject malware into the battery itself, which would covertly re-infect the machine, despite all traditional removal attempts. Of course, replacing the battery would rectify the issue in these situations, but he says that it would likely be the last thing anyone would suspect as the source of infection. While using the battery to proliferate malware or cause irreversible damage to the computer would take quite a bit of work, [Charlie] claims that either scenario is completely plausible.

He plans on presenting his research at this year’s Black Hat security conference in August, but in the meantime he has created a utility that generates a completely random password for your Mac’s battery. He says that he has already contacted Apple to in order to help them construct a permanent fix for the issue, so an official patch may be available in the near future.

[Thanks, Sergio]

Building A Single-button Combination Lock

July 14, 2011 by Mike Nathan 15 Comments

single_button_arduino_combination_lock

[John Boxall] of Little Bird Electronics was thinking about combination locks, and how one might improve or at least change the way these locks work. Traditional combo locks can be implemented in a variety of ways, most of which we are all familiar with. Standard rotary padlock and keypad-based electronic safes work just fine, but he was interested to see how one might implement a single button combination lock.

[John] determined that the best, if not only way, to build this sort of lock would require him to measure button press intervals. In his case he decided to monitor the intervals between his button presses instead, but the concept is the same. He first tested himself to see how accurately he could press and release the button, leaving a one-second space between presses. After looking at the results he determined that he would need to incorporate at least a 10% margin for error into his code in order to compensate for human error.

He then created an Arduino sketch to test his idea, defining a set of key press intervals that could be used to ‘unlock’ his imaginary vault. It worked quite well, as you can see in the video demo below.

Now we’re not suggesting that you lock up your mint condition My Little Pony collection or your illegal arms stash with this type of lock, but it could be useful as an extra failsafe for certain projects/gadgets that you want to keep all to yourself.

Continue reading “Building A Single-button Combination Lock” →

Vodafone Femtocells Hacked, Root Password Revealed

July 14, 2011 by Mike Nathan 14 Comments

vodafone_femtocell_network_diagram

As phone systems have evolved over time, the desire to break them and exploit their usage continues to flourish. Just recently, [The Hacker’s Choice (THC)] announced that they had accessed secure data from Vodafone’s mobile phone network last year, via their femtocell product.

The purpose of the femtocell is to extend mobiile network coverage to locations where reception might not be ideal, routing calls to Vodafone’s network via IPSec tunnels. [THC] knew that this meant the femtocells required a high-level of interaction with the carrier’s traditional mobile network, so they started poking around to see what could be exploited.

After gaining administrative access to the femtocell itself using the root password “newsys”, they found that they were able to allow unauthorized users to utilize the service – a simple ToS violation. However, they also had the ability to force any nearby Vodafone subscriber’s phone to use their femtocell. This enabled them to request secret keys from Vodafone, which they could then use to spoof calls and SMS messages from the victim’s phone without their knowledge.

They have been kind enough to release all of the pertinent information about the hack on their wiki for any interested parties to peruse. Now we’re just wondering how long it takes before stateside carriers’ femtocells are exploited in the same fashion.

[Thanks, kresp0]

Shoulder Surfing With OpenCV

July 12, 2011 by Mike Nathan 14 Comments

shoulder_surfing_with_shoulder_pad

While it seems that many people are wise to shoulder surfing, keeping a lookout for anyone spying on their passwords, [Haroon] wrote in to remind us that the threat is just as real today as it ever was.

The subjects of his research are touch screen phones and tablets, which utilize on-screen keyboards for data entry. He says that while nearly all password entry boxes on these devices are obscured with the traditional line of asterisks, the keyboards themselves are quite an interesting vulnerability.

Since touch screen technology can be finicky at times, most vendors ship their devices with some sort of key press verification system. On the iPhone and iPad, for instance, each key is highlighted in blue following a button press. This functionality makes it quite easy for shoulder surfers to casually steal your password if you’re not paying attention.

But what if you are well aware of your surroundings? [Haroon] has developed a piece of software he calls shoulderPad, which is based on openCV that does the surfing for him. The application can monitor a video stream, live or recorded, extracting the user’s password from the highlighted button presses. His demonstrations show the recording taking place at a relatively close distance, but he says that it would be quite easy to use surveillance footage or zoom lenses to capture key presses from afar.

He does say that the button highlighting can be easily disabled in the iPhone’s options pane, which should negate this sort of attack for the most part.

Continue reading to see a quick video of shoulderPad in action.

Continue reading “Shoulder Surfing With OpenCV” →

Tweeting Home Alarm System

June 30, 2011 by Mike Nathan 9 Comments

Instructables user [willnue] wanted to build a DIY Tweeting alarm system from the ground up, but reconsidered after taking a close look at the scope of such a project. He settled on using an off the shelf security system, taking care of the Twitter interface on his own. He bought a GE 45142 Wireless alarm and promptly disassembled it to see how he might retrieve status messages from the unit.

He figured that monitoring the alarm’s LEDs would make the most sense, so he used a bit of Ethernet cable and wired all of the system’s indicators to his Arduino board. He hooked up an Ethernet shield to the Arduino, then wrapped the pair up in a plastic project box that closely matched the look of the security system. Once that was done, he wrote some simple code for the Arduino that monitors each of the alarm system’s six status lights, sending updates to Twitter via the ThingTweet service.

With this system you might not get your status messages in time to foil whoever is carrying off your plasma TV, but at least you will know what to expect once you get home!

If you want to keep tabs on [Will’s] security system to ~~find out the best time to rob him~~ see how things are going, check out his Twitter feed here.

Teensy AVRs Used In Penetration Testing

June 28, 2011 by Mike Nathan 42 Comments

netragard_penetration_testing_mouse

While some people know that you should be wary of USB drives with unknown origins, the same care is rarely, if ever exercised with USB peripherals. The security firm Netragard recently used this to their advantage when performing a penetration test at a client’s facility. When the client ruled out the use of many common attack vectors including social networks, telephones, social engineering, and unauthorized physical access from the test, the team at Netragard knew they would have to get creative.

They purchased a Logitech USB mouse and disassembled it in order to add their clever payload. A Teensy uC was programmed to emulate keyboard input, entering commands via the mouse’s USB connection once it had been connected to a computer. Using an undocumented exploit in McAfee’s antivirus suite, they were able to evade detection while their system entered commands to install malware from the flash drive they hid along side the Teensy.

Once the mouse was reassembled, they repackaged it along with some marketing materials to make it look like part of a promotional event. They purchased a detailed list of employees and singled out an easy target, sending their malicious mouse on its way. Within three days, their malware was loaded onto the victim’s computer and their test was deemed a success.

[Thanks, Aaron]

Ubuntu Laika – An Android Phone Pen Testing Platform

June 9, 2011 by Mike Nathan 11 Comments

laika_screenshot

Once [Ruan] over at AndroidClone heard that Android devices were capable of running a full Linux environment, he started contemplating all of the things he might be able to do with a full Linux OS in his pocket.

He decided that a portable penetration testing platform would be great to have on hand, so he got busy installing Ubuntu 10.10 on his Lenovo LePhone. Once he had it up and running, he stripped out all of the unnecessary fluff and added some common tools such as Wireshark, Nmap, and Kismet, among others. He says it easily runs side by side with Android, allowing you to switch between the Ubuntu install and your standard Android applications with ease.

While this all started out as a proof of concept, he has continued to refine the project, releasing several new versions along the way. If you are interested in giving it a try, he has installation instructions available in the AndroidClone forums.

[thanks Stephen]