Category Archives: security hacks

Kristin Paget is Hacking Carrier Grade LTE eNodeB

Every once in a while you get lucky and a piece of cool gear lands on your bench to tear down and explore. On that measuring stick, Kristin Paget hit the jackpot when she acquired a fascinating piece of current generation cellphone infrastructure. She’s currently researching a carrier-grade LTE eNodeB and walked through some of the findings, along with security findings of two IoT products, during her talk on the Laws of IoT Security at the 2017 Hackaday Superconference.

Evolved Node B (eNodeB) is the meat and potatoes of the LTE cellular network. It connects the antenna to backhaul — …read more

Posted in 2017 Hackaday Superconference, carrier grade, cons, eNodeB, Evolved Node B, Kristin Paget, Laws of IoT Security, LTE, security hacks

Mathieu Stephan: The Making of a Secure Open Source Hardware Password Keeper

Mathieu Stephan is an open source hardware developer, a Tindie seller who always has inventory, a former Hackaday writer, and an awesome all-around guy. One of his biggest projects for the last few years has been the Mooltipass, an offline password keeper built around smart cards and a USB interface. It’s the solution to Post-It notes stuck to your monitor and using the same password for all your accounts around the Internet.

The Mooltipass is an extremely successful product, and last year Mathieu launched the Mooltipass Mini. No, it doesn’t have the sweet illuminated touch-sensitive buttons, but it is a …read more

Posted in 2017 Hackaday Superconference, cons, Hackaday Columns, Mathieu, mooltipass, open hardware, open source, security hacks

Is Intel’s Management Engine Broken yet?

Our own [Brian Benchoff] asked this same question just six months ago in a similar headline. At that time, the answer was no. Or kind of no. Some exploits existed, but with preconditions that limited the impact of the bugs found in the Intel Management Engine (IME). But 2017 is an unforgiving year for the blue teams, as a lot of serious bugs have been found throughout the year in virtually every field of computing. Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top …read more

Posted in exploit, IME, jtag, news, security, security hacks, USB DCI

(Nearly) All Your Computers Run MINIX

Are you reading this on a machine running a GNU/Linux distribution? A Windows machine? Or perhaps an Apple OS? It doesn’t really matter, because your computer is probably running MINIX anyway.

There once was a time when microprocessors were relatively straightforward devices, capable of being understood more or less in their entirety by a single engineer without especially God-like skills. They had buses upon which hung peripherals, and for code to run on them, one of those peripherals had better supply it.

A modern high-end processor is a complex multicore marvel of technological achievement, so labyrinthine in fact that unlike …read more

Posted in cpu, intel, minix, security, security hacks, software hacks

Colette Biometric Security Purse Screams When Stolen

A team of college hackers was disappointed with the selection of secure purses available. Nearly every purse on the market is attractive, secure, or neither, so they are designing their own security purse with some style. Instead of just brass or leather clasps keeping unwanted hands out, they are upgrading to automation and steel.

Everything starts with a fingerprint reader connected to an Arduino. Once an acceptable finger is recognized, a motor opens a coffin lock, also known as a butt-joint fastener, which can be completely hidden inside the purse and provides a lot of holding force. That is enough …read more

Posted in coffin lock, lock, purse, purse snatcher, security, security hacks, slashproof, thief, vault

Practical Public Key Cryptography

Encryption is one of the pillars of modern-day communications. You have devices that use encryption all the time, even if you are not aware of it. There are so many applications and systems using it that it’s hard to begin enumerating them. Ranging from satellite television to your mobile phone, from smart power meters to your car keys, from your wireless router to your browser, and from your Visa to your Bitcoins — the list is endless.

One of the great breakthroughs in the history of encryption was the invention of public key cryptography or asymmetrical cryptography in the 70’s. …read more

Posted in encryption, Featured, gpg, Interest, openpgp, pki, private key, public key encryption, security hacks

Bad RSA Library Leaves Millions of Keys Vulnerable

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows an attacker, via Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and …read more

Posted in encryption, factorization, news, ROCA, rsa, security, security hacks

Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well, maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password …read more

Posted in 2FA, 2FA algorithm, google authenticator, Interest, Original Art, security breach, security hacks, totp, two-factor authentication

Oh Great, WPA2 Is Broken

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. Implications stemming from this crack include decrypting Wi-Fi, hijacking connections, and injecting content. It’s fair to say WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight to this exploit is a vulnerability in the handshaking between routers and devices to establish a secure connection.

This is not …read more

Posted in 802.11, KRACK, security hacks, wifi, wpa, wpa2

Encryption For The Most Meager Of Devices

It seems that new stories of insecure-by-design IoT devices surface weekly, as the uneasy boundary is explored between the appliance and the Internet-connected computer. Manufacturers like shifting physical items rather than software patches, and firmware developers may not always be from the frontline of Internet security.

An interesting aside on the security of IoT traffic comes from [boz], who has taken a look at encryption of very low data rate streams from underpowered devices. Imagine perhaps that you have an Internet-connected sensor which supplies only a few readings a day that you would like to keep private. Given that your …read more

Posted in encryption, IoT, one time pad, security, security hacks