[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).
He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arudino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.
He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.
It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future. In the meantime, continue reading to see a quick video of his handiwork.
If you are interested in seeing what you might be able to do with your own car, check out this CAN bus sniffer we featured a while back.
Continue reading “Enhance Your Key Fob Via CAN Bus Hacking”
The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how goodfet.cc can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses goodfet.cc.
The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve goodfet.cc, and [Travis] pays in beer–not in advance, mind you.
With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications to individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affects us, both for good and bad? We invite you to share your ideas in the comments.
It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.
We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.
[.ronin] built an all-in-one WiFi and Bluetooth sniffer. He used a Nerf rifle as a base and added two Pringles cantennas, a tablet PC, and other various bits to tie it all together. Now he wanders the streets, explaining the device to bewildered passersby. After showing the device at CarolinaCon 2010 (here’s a PDF of his presentation) he stopped by the mall nibbled about 250 Bluetooth devices using SpoofTooph. The software is running on a Fujitsu u810 tablet and he’s making good use of Backtrack 4 during his wireless adventures.
Remote-Exploit.org is releasing Keykeriki, a wireless keyboard sniffer. The project is both open source hardware and software. you can download the files on their site. Right now you can’t get a pre made board, but they plan on releasing one soon. The system can be upgraded with “backpacks” or add on modules. One of these is going to be an LCD that displays the keystrokes of the keyboard you are sniffing. Another is supposed to serve as an interface to your iPhone. Right now it has the ability to decode Microsoft wireless keyboards, but the Logitech pieces should be added soon.
Researchers from Inverse Path showed a couple interesting techniques for sniffing keystrokes at CanSecWest. For their first experiments they used a laser pointed at the shiny back of a laptop. The keystrokes would cause the laptop to vibrate which they could detect just like they would with any laser listening device. They’ve done it successfully from anywhere between 50 to 100 feet away. They used techniques similar to those in speech recognition to determine what sentences were being typed.
In a different attack, they sniffed characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. They haven’t yet been able to collect more than just single strokes, but expect to get full words and sentences soon. This leakage via power line is discussed in the 1972 Tempest document we posted about earlier. The team said it wasn’t possible with USB or laptop keyboards.
[Robert] sent in this tutorial on how to set up USB sniffing in linux. Useful for seeing exactly what is being communicated to and from your USB devices, this ability is built into linux. [Bert], the author, shows us the steps involved and how to filter it to get the data we desire. You can specify exactly which device to capture data from. His example, shown above, is a session with an Arduino.