Category Archives: security

34C3: Fitbit Sniffing and Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t …read more

Continue reading

Posted in 34C3, 8909, bluetooth, ccc, cons, fitbit, fitness, reverse engienering, reverse engineering, security, security hacks, sniffing, talk, wearable, wearable hacks | Leave a comment

34C3: Hacking into a CPU’s Microcode

Inside every modern CPU since the Intel Pentium fdiv bug, assembly instructions aren’t a one-to-one mapping to what the CPU actually does. Inside the CPU, there is a decoder that turns assembly into even more primitive instructions that are fed into the CPU’s internal scheduler and pipeline. The code that drives the decoder is the CPU’s microcode, and it lives in ROM that’s normally inaccessible. But microcode patches have been deployed in the past to fix up CPU hardware bugs, so it’s certainly writeable. That’s practically an invitation, right? At least a group from the Ruhr University Bochum took …read more

Continue reading

Posted in amazing, ARM, Computer Hacks, cons, hack, hacking, microcode, news, security, trojan | Leave a comment

Edward Snowden Introduces Baby Monitor for Spies

Famed whistleblower [Edward Snowden] has recently taken to YouTube to announce Haven: an Open Source application designed to allow security-conscious users turn old unused Android smartphones and tablets into high-tech monitoring devices for free. While arguably Haven doesn’t do anything that wasn’t already possible with software on the market, the fact that it’s Open Source and designed from the ground up for security does make it a bit more compelling than what’s been available thus far.

Developed by the Freedom of the Press Foundation, Haven is advertised as something of a role-reversal for the surveillance state. Instead of a smartphone’s …read more

Continue reading

Posted in android, Android Hacks, baby monitor, Cellphone Hacks, edward snowden, Monitoring, news, privacy, security, security hacks, surveillance | Leave a comment

Design a Microcontroller With Security In Mind

There are many parts to building a secure networked device, and the entire industry is still learning how to do it right. Resources are especially constrained for low-cost microcontroller devices. Would it be easier to build more secure devices if microcontrollers had security hardware built-in? That is the investigation of Project Sopris by Microsoft Research.

The researchers customized the MediaTek MT7687, a chip roughly comparable to the hacker darling ESP32. The most significant addition was a security subsystem. It performs tasks notoriously difficult to do correctly in software, such as random number generation and security key storage. It forms the …read more

Continue reading

Posted in IME, IoT, iot security, mediatek, Microcontrollers, Microsoft Research, security, TPM | Leave a comment

Another Defeat of the Intel Management Engine

If you have a computer with an Intel processor that’s newer than about 2007, odds are high that it also contains a mystery software package known as the Intel Management Engine (ME). The ME has complete access to the computer below the operating system and can access a network, the computer’s memory, and many other parts of the computer even when the computer is powered down. If you’re thinking that this seems like an incredible security vulnerability then you’re not alone, and a team at Black Hat Europe 2017 has demonstrated yet another flaw in this black box (PDF), allowing …read more

Continue reading

Posted in Black Hat, black hat europe 2017, flaw, intel, management engine, security, software hacks, vulnerability | Leave a comment

Is Intel’s Management Engine Broken yet?

Our own [Brian Benchoff] asked this same question just six months ago in a similar headline. At that time, the answer was no. Or kind of no. Some exploits existed but with some preconditions that limited the impact of the bugs found in Intel Management Engine (IME). But 2017 is an unforgiving year for the blue teams, as lot of serious bugs have been found throughout the year in virtually every fields of computing. Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top …read more

Continue reading

Posted in exploit, IME, jtag, news, security, security hacks, USB DCI | Leave a comment

(Nearly) All Your Computers Run MINIX

Are you reading this on a machine running a GNU/Linux distribution? A Windows machine? Or perhaps an Apple OS? It doesn’t really matter, because your computer is probably running MINIX anyway.

There once was a time when microprocessors were relatively straightforward devices, capable of being understood more or less in their entirety by a single engineer without especially God-like skills. They had buses upon which hung peripherals, and for code to run on them, one of those peripherals had better supply it.

A modern high-end processor is a complex multicore marvel of technological achievement, so labyrinthine in fact that unlike …read more

Continue reading

Posted in cpu, intel, minix, security, security hacks, software hacks | Leave a comment

Colette Biometric Security Purse Screams When Stolen

A team of college hackers was disappointed with the selection of secure purses available. Nearly every purse on the market is attractive, secure, or neither so they are designing their own security purse with some style. Instead of just brass or leather clasps keeping unwanted hands out, they are upgrading to automation and steel.

Everything starts with a fingerprint reader connected to an Arduino. Once an acceptable finger is recognized, a motor opens a coffin lock, also known as a butt-joint fastener, which can be completely hidden inside the purse and provides a lot of holding force. That is enough …read more

Continue reading

Posted in coffin lock, lock, purse, purse snatcher, security, security hacks, slashproof, thief, vault | Leave a comment

What is Entropy and How Do I Get More of It?

Let’s start off with one of my favorite quotes from John von Neumann: “Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number — there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method.”

What von Neumann is getting at is that the “pseudo” in pseudorandom number generator (PRNG) is really a synonym for “not at all”. Granted, if you come in the middle of …read more

Continue reading

Posted in cryptography, entropy, Hackaday Columns, hardware rng, hwrng, linux, linux hacks, prng, radomness, random, Raspberry Pi, rng, rng-tools, security | Leave a comment

Bad RSA Library Leaves Millions of Keys Vulnerable

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and …read more

Continue reading

Posted in encryption, factorization, news, ROCA, rsa, security, security hacks | Leave a comment