Jeremy Hong: Weaponizing The Radio Spectrum

Jeremy Hong knows a secret or two about things you shouldn’t do with radio frequency (RF), but he’s not sharing.

That seems an odd foundation upon which to build one’s 2018 Hackaday Superconference talk, but it’s for good reason. Jeremy knows how to do things like build GPS and radar jammers, which are federal crimes. Even he hasn’t put his knowledge to practical use, having built only devices that never actually emitted any RF.

So what does one talk about when circumspection is the order of the day? As it turns out, quite a lot. Jeremy focused on how the military leverages the power of radio frequency jamming to turn the tables on enemies, and how civilian police forces are fielding electronic countermeasures as well. It’s interesting stuff, and Jeremy proved to be an engaging guide on a whirlwind tour into the world of electronic warfare.
Continue reading “Jeremy Hong: Weaponizing The Radio Spectrum”

Fooling Samsung Galaxy S8 Iris Recognition

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

Continue reading “Fooling Samsung Galaxy S8 Iris Recognition”

Fail Of The Week: Pinewood Derby Cheat Fails Two Ways

Would you use your tech prowess to cheat at the Pinewood Derby? When your kid brings home that minimalist kit and expects you to help engineer a car that can beat all the others in the gravity-powered race, the temptation is there. But luckily, there are some events that don’t include the kiddies and the need for parents to assume the proper moral posture. When the whole point of the Pinewood Derby is to cheat, then you pull out all the stops, and you might try building an electrodynamic suspension hoverboard car.

Fortunately for [ch00ftech], the team-building Derby sponsored by his employer is a little looser with the rules than the usual event. Loose enough perhaps to try a magnetically levitating car. The aluminum track provided a perfect surface to leverage Lenz’s Law. [ch00ftech] tried different arrangements of coils and drivers in an attempt to at least reduce the friction between car and track, if not outright levitate it. Sadly, time ran out and physics had others ideas, so [ch00ftech], intent on cheating by any means, tried spoofing the track timing system with a ridiculous front bumper of IR LEDs. But even that didn’t work in the end, and poor [ch00f]’s car wound up in sixth place.

So what could [ch00ftech] had done better? Was he on the right course with levitation? Or was spoofing the sensors likely to have worked with better optics? Or should he have resorted to jet propulsion or a propeller drive? How would you cheat at the Pinewood Derby?


2013-09-05-Hackaday-Fail-tips-tileFail of the Week is a Hackaday column which celebrates failure as a learning tool. Help keep the fun rolling by writing about your own failures and sending us a link to the story — or sending in links to fail write ups you find in your Internet travels.

Social Logons

SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms

We’ve all seen the social logon pop up boxes. You try to log into some website only to be presented with that pop up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researcher’s have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below. Continue reading “SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms”

Palm Pre IPod Spoofing Confirmed

palmpre

The new Palm Pre cellphone has a “media sync” feature which lets the device sync with iTunes in a fashion identical to an iPod. Last week [Jon Lech Johansen] speculated that this was not done in cooperation with Apple and that Palm was spoofing the iPod’s USB controller. This was confirmed today when a tipster sent him a screenshot of what the device reports in both standard and media sync modes. The Palm Pre reports its Product ID as iPod and Vendor ID as Apple with a few other changes. [Jon] notes that it doesn’t change the root USB node, so Apple should be able to block this behavior with an iTunes update. With Palm already pulling tricks like this presumably through software we wonder if this will become a full-on arms race.