Clever Reed Switch Catches Thief

When [Abhimanyu Kumar] noticed money going missing from his small bookshop, he decided to set up a little trap to catch the thief. The problem was that the bookshop’s money was stored inside a cupboard in their house (back end of the shop), which meant that the culprit was likely one of their own employees. They already have a CCTV system installed in the actual store, and although he could simply add another camera in the house, [Abhimanyu] didn’t really want to do that.
He instead devised a simple security trap, dubbed the Jugaad Security System. In Hindi, jugaad means an improvised, frugal workaround, roughly a “hack”. He added a small magnetic reed switch to the cupboard where the money is stored (well, was stored), wired directly to an intervalometer. The intervalometer in turn triggers an inconspicuous DSLR sitting on one of the work benches. He aimed the camera at the cupboard and, in case the lights are out when the trap is tripped, set it to a very high ISO.


Three days later, during an especially busy day at the store, the camera snagged a few images of the thief. Unfortunately, it was one of their own employees. A quick call to the police later, the thief confessed and returned the stolen money. Needless to say, they fired him.

Gesture Based Security Lock

A team of students from Cornell University is looking into alternative ways of building a security system that can be locked or unlocked with physical gestures in an enclosed space. It is the final year project for [Ankur], [Darshan] and [Saisrinivasan] in their MEng in Electrical and Computer Engineering. The prototype can record a gesture and then compare it against future gestures to lock or unlock the system. Think of it as a secret handshake to get into the office!
To capture the gesture they use four SparkFun proximity sensors set up in a linear array, sensing the distance to a hand as it moves across them. An ATmega1284P digitizes the analog sensor signals for further processing. The project is extremely well documented, as the write-up appears to be the final report for the project.
A short video after the break shows off the prototype and gives a good explanation of how the system works.


Key Cutting with a CNC Mill

Keys cost, what, $2 to copy at a locksmith? But where’s the fun in that? Here’s an easy way to cut your own keys using a CNC mill. [Bolsterman] now “works” for a real estate company that rents out various properties. Whenever someone moves out, the locks need to be changed ASAP. They use Schlage locks, which can be re-keyed to any pin combination.
New keys are typically cut with a punch or a key cutting machine — he actually had one years ago, but got rid of it. Not wanting to buy a new one for his new job at the real estate company, he decided to see how hard it would be to turn his small desktop CNC into his own personal key cutting machine.

All it took for [Bolsterman] to turn his mill into a key cutting machine was a 3/8″ 90° countersink bit with the tip ground to a flat approximately 0.055″ across (0.035″ is the width on a factory-cut key, but a bit of leeway makes the key easier to cut). Then you simply zero the mill off the shoulder of the key and, using the handy Schlage pin chart (included in the original link), cut the grooves!

To automate all of this, [Torrie Fischer] created a Python script that generates the G-code for keys based on [Bolsterman's] technique. It’s hosted over at Noisebridge’s wiki; check it out! But if all that seems like too much effort, you could just print a new key instead…
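To make the procedure concrete, here is a small G-code generator in the spirit of that script. This is an added example written for this page, not [Torrie Fischer]’s script or [Bolsterman]’s code. The spacing (0.231″ between cuts, first cut 0.231″ from the shoulder), the 0.015″ depth increment and the MACS of 7 are the commonly published Schlage figures and should be verified against the pin chart linked above; the depth of a “0” cut below the top of the blade is left as a parameter to take from that chart. The bitting `35264` is a made-up sample.

```python
# Schlage bitting geometry (commonly published SC1-style values; confirm against the pin
# chart in the original write-up before cutting anything):
SPACING = 0.231     # inches between adjacent cuts
FIRST_CUT = 0.231   # inches from the shoulder to the centre of the first cut
INCREMENT = 0.015   # inches of extra depth per bitting step
MACS = 7            # maximum adjacent cut specification (assumed Schlage value)


def check_bitting(bitting):
    """Validate a bitting string such as '35264' before generating any toolpath."""
    if not bitting.isdigit() or len(bitting) not in (5, 6):
        raise ValueError("expected 5 or 6 decimal digits")
    for a, b in zip(bitting, bitting[1:]):
        if abs(int(a) - int(b)) > MACS:
            raise ValueError(f"adjacent cuts {a}{b} exceed MACS of {MACS}")
    return [int(c) for c in bitting]


def cut_positions(bitting, zero_cut_depth=0.0):
    """(x, z) for each cut: x runs from the shoulder toward the tip, z is negative into the blade.

    zero_cut_depth is how far a '0' cut sits below the top of the blade; take it from the chart.
    """
    return [(FIRST_CUT + i * SPACING, -(zero_cut_depth + depth * INCREMENT))
            for i, depth in enumerate(check_bitting(bitting))]


def gcode_for_bitting(bitting, zero_cut_depth=0.0, safe_z=0.1, feed=4.0):
    """Plunge-cut G-code: X0 is the shoulder, Z0 is the top of the blade after touching off.

    Each cut is a straight plunge with the ground-flat countersink, which leaves the V-shaped
    groove with a small flat bottom that the write-up describes.
    """
    lines = ["G20", "G90", f"G0 Z{safe_z:.4f}"]        # inches, absolute coordinates, retract
    for x, z in cut_positions(bitting, zero_cut_depth):
        lines += [f"G0 X{x:.4f}", f"G1 Z{z:.4f} F{feed:.1f}", f"G0 Z{safe_z:.4f}"]
    lines.append("M2")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gcode_for_bitting("35264"))   # sample bitting, made up for this example
```

The MACS check matters in practice: a bitting that violates it produces a key whose adjacent cuts undercut each other, so the generator refuses it rather than emitting a toolpath for a key that will not work.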

JTAGulator Finds Debug Interfaces

[Joe Grand] has come up with a tool which we think will be useful to anyone trying to hack a physical device: The JTAGulator. We touched on the JTAGulator briefly during our DEF CON coverage, but it really deserves a more in-depth feature. The JTAGulator is a way to discover On Chip Debug (OCD) interfaces on unfamiliar hardware.
Open any cell phone, router, or just about any moderately complex device today, and you’ll find test points. Quite often at least a few of these test points belong to the common JTAG / IEEE 1149.1 interface. JTAG has four mandatory pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock) and TMS (Test Mode Select), plus an optional /TRST (Test Reset). If you’re looking at a PCB with many test points, which ones are the JTAG pins, and which test point carries which signal? Sometimes the PCB manufacturer gives clues on the silk screen. Other times you’re on your own. [Joe] designed the JTAGulator to help find these pins.

The idea is simple: connect the JTAGulator to the test points on the PCB under test, issue a few commands via a serial terminal, and let the JTAGulator do the rest. It brute-forces every permutation of pin assignments, issuing basic JTAG operations (an IDCODE scan or a BYPASS scan) and looking for a valid response. If any valid responses are received, the JTAGulator displays the pinout of the interface it found.
[Joe] used a Parallax Propeller as the core of his design.

He added input protection, selectable target voltage (1.2V to 3.3V) and Bus Pirate compatible headers. The JTAGulator can also identify and test UART pinouts to determine whether any serial ports exist. If JTAG and serial aren’t enough, the JTAGulator is completely open source, released under the CC BY 3.0 US license, so you can add any interface you want, though [Joe] plans to add more of the common interfaces himself.
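The IDCODE scan is the easiest of the two searches to follow, so here it is in miniature. This is an added example, not JTAGulator firmware: instead of real test points it drives a simulated target that behaves like an IEEE 1149.1 TAP controller (state changes and shifts on the rising edge of its TCK, IDCODE loaded into the data register after reset). The tester tries every (TCK, TMS, TDO) assignment over the candidate pins, performs a reset, walks the TAP to Shift-DR and clocks out 32 bits; a result with bit 0 set that is neither all zeros nor all ones is taken as a real IDCODE. TDI is not needed for this scan (the real tool finds it with the BYPASS scan). The pin numbers and the sample IDCODE value 0x4BA00477 (ARM’s JTAG-DP identifier) are assumptions for the demonstration.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "TLR": ("RTI", "TLR"),       "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"),   "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"),    "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR", "EX1IR"),  "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"),  "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR", "UPIR"),   "UPIR": ("RTI", "SELDR"),
}


class SimulatedTarget:
    """Stand-in for a board with n_pins test points, three of which belong to a TAP.

    Constructed for this example: the real JTAGulator drives and samples actual pins;
    here the tester drives logic levels into this object, which reacts like a 1149.1 TAP.
    """

    def __init__(self, n_pins, tck, tms, tdo, idcode):
        self.tck, self.tms, self.tdo, self.idcode = tck, tms, tdo, idcode
        self.level = [0] * n_pins        # levels currently driven by the tester
        self.state, self.dr = "TLR", 0

    def drive(self, pin, level):
        prev, self.level[pin] = self.level[pin], level
        if pin == self.tck and prev == 0 and level == 1:
            # Rising edge of the real TCK: act on the current state, then move on.
            if self.state == "CAPDR":
                self.dr = self.idcode        # IR holds IDCODE after reset
            elif self.state == "SHDR":
                self.dr >>= 1                # shift toward TDO (TDI ignored here)
            self.state = TAP_NEXT[self.state][self.level[self.tms]]

    def read(self, pin):
        if pin == self.tdo:
            return self.dr & 1 if self.state == "SHDR" else 0   # TDO drives only while shifting
        return self.level[pin]               # any other pin reads back what we drove


def idcode_scan(target, n_pins, tck, tms, tdo):
    """Assume (tck, tms, tdo) are the JTAG pins and try to read a 32-bit IDCODE through them."""

    def clock(tms_level):
        target.drive(tms, tms_level)
        target.drive(tck, 1)
        target.drive(tck, 0)

    for pin in range(n_pins):            # park every candidate pin low
        target.drive(pin, 0)
    for _ in range(5):                   # TMS high for 5 clocks: Test-Logic-Reset from any state
        clock(1)
    for tms_level in (0, 1, 0, 0):       # Run-Test/Idle -> Select-DR -> Capture-DR -> Shift-DR
        clock(tms_level)
    value = 0
    for i in range(32):                  # IDCODE comes out least significant bit first
        value |= target.read(tdo) << i
        clock(0)
    return value


def find_jtag_pinout(target, n_pins):
    """Brute-force every (TCK, TMS, TDO) assignment until a plausible IDCODE appears."""
    for tck, tms, tdo in permutations(range(n_pins), 3):
        code = idcode_scan(target, n_pins, tck, tms, tdo)
        # A real IDCODE has bit 0 set; all zeros or all ones means a stuck or unconnected line.
        if code & 1 and code not in (0, 0xFFFFFFFF):
            return {"TCK": tck, "TMS": tms, "TDO": tdo, "IDCODE": code}
    return None


if __name__ == "__main__":
    # Eight test points; the TAP is hidden on pins 5, 2 and 6 (hypothetical layout).
    board = SimulatedTarget(n_pins=8, tck=5, tms=2, tdo=6, idcode=0x4BA00477)
    print(find_jtag_pinout(board, 8))
```

Wrong guesses are harmless in the model because a mis-assigned TMS is only ever sampled low, which parks the TAP in Run-Test/Idle; on real hardware the same is true, which is why the search can be run blind. The all-ones and all-zeros rejection is what keeps a floating or pulled-up test point from being reported as a device.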


Reverse Engineering a D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then loaded the router’s web server binary into IDA, the multi-processor disassembler/debugger. [Craig] discovered that the web server is actually a modified version of thttpd, providing the administrative interface for the router.
As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications. Luckily for [Craig], the folks at Alphanetworks were kind enough to prefix many of their custom function names with the string “alpha”. Looking at the disassembly of the HTTP authentication functions revealed that a backdoor is implemented in the firmware: if a client sends the string “xmlset_roodkcableoj28840ybtide” as its browser User-Agent, no authentication is required to gain access to the router’s administrative interface. One of the comments on the reddit thread points out that reading that string backwards yields “edit by 04882 joel backdoor”.
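Two things a practitioner wants from this finding: what the bypass looks like next to a correct check, and how to spot it being used. The following is an added example, not code from the router firmware or from [Craig]’s write-up. The authorization functions mirror the logic as described above (an exact match on the User-Agent skips authentication); the log scanner reads Apache combined-format lines and flags any request that presented the magic string. The log lines, addresses and paths are constructed for the example.

```python
import re

BACKDOOR_USER_AGENT = "xmlset_roodkcableoj28840ybtide"


def decode_backdoor_string(s):
    """Reverse the magic string to expose the message hidden in it."""
    return s[::-1]    # "editby04882joelbackdoor_teslmx"


def vulnerable_is_authorized(headers, session_authenticated):
    """Authorization as the write-up describes it: the magic User-Agent bypasses login."""
    if headers.get("User-Agent") == BACKDOOR_USER_AGENT:
        return True
    return session_authenticated


def hardened_is_authorized(headers, session_authenticated):
    """Authorization must depend only on credentials, never on attacker-controlled headers."""
    return bool(session_authenticated)


# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_backdoor_requests(log_lines):
    """Return (ip, path, status) for every request that presented the backdoor User-Agent."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("ua") == BACKDOOR_USER_AGENT:
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


# Constructed sample log; the addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = [
    '192.168.0.10 - - [12/Oct/2013:22:14:01 +0000] "GET /index.htm HTTP/1.1" 401 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2013:22:15:33 +0000] "GET /index.htm HTTP/1.1" 200 4821 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [12/Oct/2013:22:15:40 +0000] "POST /apply.cgi HTTP/1.1" 200 310 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.11 - - [12/Oct/2013:22:16:02 +0000] "GET /status.htm HTTP/1.1" 200 2210 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    print(decode_backdoor_string(BACKDOOR_USER_AGENT))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor access:", hit)
```

Note that the hardened version does not merely block the known string: a header the client controls has no business in the authorization decision at all, so removing the comparison is the fix, and the string match belongs in the detection rule instead.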

Cracking GSM with RTL-SDR for Thirty Dollars

In theory, GSM’s A5/1 cipher has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were safe from digital eavesdroppers other than the best-funded government agencies. Since then, the cost of hardware has gone down, roughly two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have become available. The only thing missing was cheap hardware.
Now, with a super low-cost USB TV tuner turned software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware. Previous efforts to listen in on and decrypt GSM signals used fairly expensive software defined radios, USRP systems that cost a few thousand dollars apiece. Since the advent of RTL-SDR, the price of a software defined radio has come down to about $30 on eBay, giving anyone with a PayPal account the ability to listen in on GSM calls and sniff text messages.

The first step in cracking GSM is finding the victim’s TMSI (Temporary Mobile Subscriber Identity), the identifier a phone is paged with in a given cell. This is done by sending silent SMS messages: the victim’s phone acknowledges each one but shows nothing to the user, and each message causes the network to page the phone. By correlating the timing of several such messages with the paging traffic observed in the cell, the attacker learns which TMSI belongs to the victim. From there, the attacker captures the bursts addressed to that TMSI and cracks the encrypted stream using about 1.6 TB of rainbow tables.
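The correlation step is simple set arithmetic, shown here as an added example (not code from [domi]’s tutorial). The paging log below is constructed: each record is (seconds since capture start, TMSI), with the victim’s TMSI 0x1A2B3C4D paged shortly after each silent SMS and unrelated phones paged at random. The candidate set is the intersection of the TMSIs paged within a window after every probe; a single probe is rarely enough, because other phones are paged in the same window, so the function reports how many probes it needed.

```python
# Constructed paging log for the example: (seconds since capture start, TMSI).  A real one
# would come from the RTL-SDR tooling in the tutorial.  The victim is 0x1A2B3C4D; note that
# 0x5F5F0001 happens to be paged inside the first two windows too.
PAGING_LOG = [
    (1.2, 0x8811AA02), (3.9, 0x1A2B3C4D), (4.4, 0x5F5F0001), (9.0, 0x3C3C3C3C),
    (12.7, 0x5F5F0001), (14.1, 0x1A2B3C4D), (15.0, 0x8811AA02), (21.3, 0x77770099),
    (24.5, 0x1A2B3C4D), (24.8, 0x3C3C3C3C), (30.2, 0x5F5F0001),
]
SILENT_SMS_SENT_AT = [2.0, 12.0, 23.0]   # when the attacker sent each silent SMS


def tmsis_paged_in_window(paging_log, start, window_s):
    """All TMSIs paged between start and start + window_s (inclusive)."""
    return {tmsi for ts, tmsi in paging_log if start <= ts <= start + window_s}


def correlate_silent_sms(probe_times, paging_log, window_s=5.0):
    """Intersect the TMSIs paged after each probe.

    Returns (candidates, probes_used): the set shrinks with every probe and the search stops
    as soon as at most one TMSI is left.  An empty set means the window or the probe times
    were wrong (the phone was never paged after one of the messages).
    """
    candidates = None
    for n, t in enumerate(probe_times, start=1):
        seen = tmsis_paged_in_window(paging_log, t, window_s)
        candidates = seen if candidates is None else candidates & seen
        if len(candidates) <= 1:
            return candidates, n
    return candidates or set(), len(probe_times)


if __name__ == "__main__":
    tmsis, used = correlate_silent_sms(SILENT_SMS_SENT_AT, PAGING_LOG)
    print("after", used, "probes:", [hex(t) for t in tmsis])
```

Two probes leave two candidates in this log, because 0x5F5F0001 collides with both windows; the third probe settles it. That is the same reason the tutorial sends several silent messages rather than one.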

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations: the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, is good enough for us.

Running Custom Code on Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, which makes a captured password useless for replay. [Dmitry] disassembled an eToken (Aladdin PASS) he had lying around and managed to reprogram it for his own needs.
Obviously, this kind of device doesn’t come with schematics and layout files, so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB and figured that they must be used to program the device. However, [Dmitry] also had to find out which microcontroller was on the board, as its only markings were “HA4450” and a Microchip logo. By cross-referencing the pin count, package and peripherals in Microchip’s parametric search tool he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

Getting a Shell on any Android Device

If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interested in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on an Android device with just a USB cable. ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have an answer that involves a little-known property of USB devices.
USB mini and micro plugs have five pins: power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexer inside your phone can let anyone with the proper hardware read the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell. To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked, and the thought of having a secure phone was never had again.

The guys went further with some proprietary Samsung hardware that could, if they had the service manual, unlock any Samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out, they have a project site with all the information you need to get up to speed on this very ingenious hack.


An Awesome Wireless Motion Sensor

Wireless sensor networks are nothing new to Hackaday, but [Felix]‘s wireless PIR sensor node is something else entirely. Rarely do we see something so well put together that’s also so well designed for mass production. For his sensor, [Felix] is using a Moteino, a very tiny Arduino compatible board with solder pads for an RFM12B or RFM69 radio transceiver. These very inexpensive radios, about $4 each, can transmit about half a kilometer at 38.4 kbps, an impressive amount of bandwidth and an exceptional range for a very inexpensive system.
The important bit on this wireless sensor, the PIR sensor, connects with three pins: power, ground, and out. When the PIR sensor sees something, the node transmits a code to the base station, where a ‘motion’ alert message is displayed. The entire device is powered by a 9V battery and stuffed inside a beautiful acrylic case. All in, each sensor node should cost about $15; very cheap for something that, if built by a proper security system company, would cost much, much more.

Sniffing Out LG Smart TV Tracking Protocol

[DoctorBeet] noticed the advertisements on the landing screen of his new LG smart television and started wondering about tracking. His curiosity got the better of him when he came across a promotional video aimed at advertisers that boasts about the information gathered from people who use these TVs. He decided to sniff the web traffic. If what he discovered is accurate, an invasive amount of data is being collected by this hardware. To make matters worse, his testing showed that even if the user switches the “Collection of watching info” menu item to off, it doesn’t stop the data from being phoned home.
The findings start off rather innocuous, with the channel name and a unique ID being transmitted every time you change the station. Based on when the server receives the packets, a description of your schedule and preferred content can be put together. This appears to be sent in the clear, without any type of encryption or obfuscation.

Things get a lot more interesting when he discovers that filenames from a USB drive connected to the television are being sent as well. The server address they’re sent to is a dead link, which makes us think this is some type of debugging step that was left in the production firmware, but it is still a rather sizable blunder when it comes to personal privacy. If you have one of these televisions, [DoctorBeet] has a preliminary list of URLs to block at your router to help safeguard your privacy.

Update: SD Card Locker Now Supports Password Protect

[Karl Lunt] has updated his Secure Digital card locker to support password-based locking. [Karl's] original design only supported write locking via the TMP_WRITE_PROTECT bit. The new design gives the user an option: TMP_WRITE_PROTECT, or password protection. [Karl] goes into further detail this time around about the bit fields used with CMD42 (LOCK_UNLOCK), and how they are set. The passwords in this case are up to 16 bytes.
The bytes don’t necessarily have to be printable characters; any binary value can be used. Unfortunately, [Karl's] locker doesn’t have a user interface beyond the buttons, so any password must be “baked in” to the SD card locker firmware. We would love to see the option of even a basic serial interface for entering a password (most likely in hex).

[Karl] tried his device out with several different cards, and several computers. While not an exhaustive test, he did find that the computers always behaved the same: a locked SD card would not show up. In the case of Windows, no beep, no drive, nothing. He goes into the security possibilities of password locking: financial data could be stored and physically transferred via SD or microSD, with the password sent separately (say in an email or SMS). Any unenlightened data thief attempting to use the card would think they have a broken device on their hands.

We don’t know how secure the password lock feature is. Brute forcing a variable-length password of up to 16 arbitrary bytes would take a very long time; it all comes down to how long each password attempt takes and whether the card limits them. Keep in mind, too, that the lock is an access control enforced by the card’s controller, not encryption: the data still sits in plaintext in the flash behind it, and the spec’s forced-erase option unlocks the card at the cost of wiping it. Some cursory web searching didn’t bring up any information about successful SD card password cracking. Sounds like a challenge for our readers!
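To make the CMD42 bit fields and the erase caveat concrete, here is an added example (not [Karl]’s firmware). It builds the LOCK_UNLOCK data block and runs it against a simulated card that enforces the lock the way the SD Physical Layer spec describes. The field layout used (byte 0 flags SET_PWD, CLR_PWD, LOCK_UNLOCK and ERASE in bits 0 to 3, byte 1 the password length, password bytes following, old and new passwords concatenated when replacing) is from the spec as I recall it and should be checked against it before use; the card contents and passwords are made up.

```python
# CMD42 (LOCK_UNLOCK) data block layout, per the SD Physical Layer spec (verify the bit
# positions against the spec; treated here as an assumption):
#   byte 0: flags   bit0 SET_PWD, bit1 CLR_PWD, bit2 LOCK_UNLOCK (1 = lock, 0 = unlock), bit3 ERASE
#   byte 1: PWD_LEN (combined length of old + new password when replacing)
#   bytes 2..: password bytes, any binary values, at most 16 per password
SET_PWD, CLR_PWD, LOCK_UNLOCK, ERASE = 0x01, 0x02, 0x04, 0x08
MAX_PWD_LEN = 16


def build_lock_block(*, set_pwd=False, clr_pwd=False, lock=False, erase=False,
                     old_pwd=b"", new_pwd=b""):
    """Build the data block sent with CMD42."""
    if erase:                                   # forced erase carries no password at all
        return bytes([ERASE, 0])
    if len(old_pwd) > MAX_PWD_LEN or len(new_pwd) > MAX_PWD_LEN:
        raise ValueError("passwords are at most 16 bytes")
    flags = (SET_PWD if set_pwd else 0) | (CLR_PWD if clr_pwd else 0) | (LOCK_UNLOCK if lock else 0)
    pwd = old_pwd + (new_pwd if set_pwd else b"")
    return bytes([flags, len(pwd)]) + pwd


class SimulatedCard:
    """Card-side handling of CMD42, constructed to show what the lock does and does not protect."""

    def __init__(self, contents):
        self.contents, self.password, self.locked = bytearray(contents), b"", False

    def cmd42(self, block):
        flags, pwd_len = block[0], block[1]
        pwd = bytes(block[2:2 + pwd_len])
        if flags & ERASE:                       # password and lock are gone, and so is the data
            self.password, self.locked = b"", False
            self.contents = bytearray(len(self.contents))
            return "OK"
        if flags & SET_PWD:                     # old password (if any) followed by the new one
            old, new = pwd[:len(self.password)], pwd[len(self.password):]
            if old != self.password or not 1 <= len(new) <= MAX_PWD_LEN:
                return "LOCK_UNLOCK_FAILED"
            self.password = new
        elif pwd != self.password or not self.password:
            return "LOCK_UNLOCK_FAILED"        # wrong password, or no password to lock with
        if flags & CLR_PWD:
            self.password, self.locked = b"", False
        else:
            self.locked = bool(flags & LOCK_UNLOCK)
        return "OK"

    def read(self):
        """What the host sees: nothing at all while the card is locked."""
        return None if self.locked else bytes(self.contents)


if __name__ == "__main__":
    card = SimulatedCard(b"ledger.csv contents")          # made-up payload
    secret = b"\x01\xfe\x00secret"                          # made-up binary password
    print(card.cmd42(build_lock_block(set_pwd=True, lock=True, new_pwd=secret)), card.read())
    print(card.cmd42(build_lock_block(old_pwd=b"guess")), card.read())
    print(card.cmd42(build_lock_block(old_pwd=secret)), card.read())
    print(card.cmd42(build_lock_block(erase=True)), card.read())
```

The last line is the part worth remembering: the data thief in the scenario above does not need the password to get a working card back, only to get the data, and forced erase gives them the former. Anything that must stay confidential on a lost card still needs to be encrypted before it goes onto the card.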

Google Security Certificates Forged

Recently, Google discovered that a certificate authority (CA) had issued forged certificates for Google domains. This compromises the trust provided by Transport Layer Security (TLS) and HTTPS, allowing the holder of the forged certificates to perform a man-in-the-middle attack.
To validate that the website you’re visiting is actually who it claims to be, your browser checks that the certificate presented by the server was signed by a trusted CA. When someone requests a certificate from a CA, the CA should verify the identity of the requester. Your browser and operating system ship with a set of ultimately trusted CAs (called root CAs). If the certificate was issued by one of them, or by an intermediate CA that they have signed, you will trust the connection. This whole structure of trust is called a chain of trust.

With a forged certificate, you can convince a client that your server is actually https://www.google.com. You can use this to sit between the client and the real Google server, eavesdropping on the session.
In this case, an intermediate CA did just that. This is scary, because it undermines the security that we all rely on daily for every secure transaction on the internet. Certificate pinning is one tool that can be used to resist this type of attack. It works by associating a host with a specific certificate or, more usefully, a specific public key, so that a certificate for that host that doesn’t match is rejected even if a trusted CA signed it.
The centralized CA system doesn’t work if you can’t trust the authorities. Unfortunately, we can’t.
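Here is what a public-key pin check actually computes, as an added example written for this page (not Google’s or any browser’s code). It walks the DER of an X.509 certificate far enough to pull out the subjectPublicKeyInfo, hashes it, and compares the result against a pin set, which is the check a client runs in addition to ordinary chain validation. Because nothing here talks to a network, the two certificates are constructed in the block with placeholder keys and no real signature: one stands for the site’s genuine certificate, the other for a certificate issued for the same name under a different key, which is exactly what a mis-issuing CA produces. The pin format (base64 of SHA-256 over the DER SPKI) is the one HPKP used.

```python
import base64
import hashlib


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, end).  Handles short and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, val, pos = der_read(value, pos)
        out.append((tag, val, value[start:pos]))
    return out


def der_tlv(tag, value):
    """Encode one TLV (used only to build the sample certificates below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_seq(*items):
    return der_tlv(0x30, b"".join(items))


def spki_from_certificate(cert_der):
    """Return the DER of subjectPublicKeyInfo, the part of a certificate a pin should cover."""
    _, cert, _ = der_read(cert_der)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert)               # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT version is optional
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]


def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER(subjectPublicKeyInfo)))."""
    return base64.b64encode(hashlib.sha256(spki_from_certificate(cert_der)).digest()).decode()


def pin_accepts(cert_der, pinset):
    """Run this after normal chain validation, never instead of it."""
    return spki_pin(cert_der) in pinset


# Constructed test material: structurally valid certificates with placeholder keys.
EC_PUBKEY_OID = der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))     # id-ecPublicKey
P256_OID = der_tlv(0x06, bytes.fromhex("2a8648ce3d030107"))         # prime256v1
ECDSA_SHA256 = der_seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))


def make_cert(key_bytes):
    """Unsigned stand-in certificate carrying the given (fake) public key; example only."""
    spki = der_seq(der_seq(EC_PUBKEY_OID, P256_OID), der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                           # version v3
        der_tlv(0x02, b"\x01"),                                          # serialNumber
        ECDSA_SHA256,                                                    # signature algorithm
        der_seq(),                                                       # issuer (placeholder Name)
        der_seq(der_tlv(0x17, b"131201000000Z"), der_tlv(0x17, b"141201000000Z")),
        der_seq(),                                                       # subject (placeholder Name)
        spki,
    )
    return der_seq(tbs, ECDSA_SHA256, der_tlv(0x03, b"\x00" + bytes(8)))  # placeholder signature


LEGIT_CERT = make_cert(b"\x04" + bytes(range(64)))          # the site's own key (fake bytes)
FORGED_CERT = make_cert(b"\x04" + bytes(range(64, 128)))    # same name, issued under another key
PINSET = {spki_pin(LEGIT_CERT)}

if __name__ == "__main__":
    print("legit :", pin_accepts(LEGIT_CERT, PINSET))    # True
    print("forged:", pin_accepts(FORGED_CERT, PINSET))   # False, whoever signed it
```

Pinning the public key rather than the whole certificate is what lets the site renew its certificate without breaking clients, as long as it keeps the key; in practice a pin set also carries a backup key so a compromised or lost key does not lock clients out.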

Ambient Computer Noise Leaks Your Encryption Keys

[Daniel, Adi, and Eran], researchers at Tel Aviv University and the Weizmann Institute of Science, have successfully extracted 4096-bit RSA keys using only the sound produced by the target computer. It may sound a bit like magic, but this is a real attack, although its practicality may be questionable. The group first described this attack vector at Eurocrypt 2004. The sound used to recover the keys is produced not by the processor itself, but by the processor’s power supply, mainly its capacitors and coils.
The target machine in this case runs a copy of GNU Privacy Guard (GnuPG). During most of their testing, the team used some very high-end audio equipment, including Brüel & Kjær laboratory grade microphones and a parabolic reflector. By directing the microphone at the processor’s air vents, they were able to pick up enough sound to proceed with their attack. [Daniel, Adi, and Eran] started from the GnuPG source and worked all the way down to the individual opcodes running on the x86 processor in the target PC.

As each opcode runs, it produces a sound signature, and the signature changes slightly depending on the data the processor is operating on. Using this information, and some very detailed spectral analysis, the team was able to extract encryption keys. The complete technical details of the attack are available in their paper (pdf link). Once they had the basic methods down, [Daniel, Adi, and Eran] explored other attack vectors. They were able to extract data using ground potential fluctuations on the computer’s chassis. They were even able to use a cell phone to perform the audio attack.

Due to the cell phone’s lower quality microphone, a much longer time (on the order of several hours) is needed to extract the necessary data. Thankfully [Daniel, Adi, and Eran] are white hat hackers, and sent their findings to the GnuPG team. Several countermeasures to this attack are already included in the current version of GnuPG.

Chameleon Emulates Contactless Smart Cards

Researchers at Ruhr University Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile contactless smart card emulator. Contactless smart cards are RFID-style devices that also contain smart card style memory. These cards are often used for payment, replacing mag stripe credit cards. NXP (formerly Philips) MIFARE Classic cards are a common example of contactless smart cards.
The Chameleon can emulate any number of cards in the common 13.56MHz band. Adding a new card is as simple as loading a new codec and application into the firmware. Currently Chameleon can emulate MIFARE cards over ISO 14443A. The Chameleon is completely open source and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller.

The ATxmega192A3 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip provides an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as for manipulating data in real time. A host PC is not necessary though; the Chameleon works just fine as a stand-alone unit. We definitely like this project, though we’re going to be doubling down on the shielding in our RF blocking wallets.