At work we are using RSA SecurID for login to corporate services. RSA provides software tokens which are mobile applications that generate one-time passwords that change every minute or so. These applications are closed source and they use proprietary protocol to provision the token. This basically means that you are vendor locked-in with something that relies on security through obscurity. I wanted to have an open-source implementation of RSA SecurID and until now I have been using stoken together with rsa_ct_kip for token provisioning.
Last time I reverse engineered how AirMatters controls air purifiers which are in the same local network. This time we will look into how AirMatters controls devices using the Philips cloud and how secure it is. Network analysis The network communication is over SSL, so the first step is to bypass the SSL verification in AirMatters. The application loads its CA certificates from /resources/assets and tries to establish a trust chain to them.
One of my co-workers brought a very old IPTV set-top-box in the office. The box was distributed by one of the very first IPTV providers in Sofia – Megalan. I remember using one of those back in 2009. We decided to see how difficult is to root 10+ years old hardware and the fun began! The box is running both telnet and ssh but there is no default password. The next thing we tried, of course, is connecting a serial console.
I am playing with emulated HID devices in Linux and found a kernel bug when using the usb_f_hid and dummy_hcd kernel modules. I won’t go into details of what I am trying to achieve (saving this for a future post) but focus on how I troubleshooted this particular bug. As of this writing, it is 100% reproducible with 4.15.0-45 kernel and these steps: Load libcomposite and dummy_hcd into the kernel Create an emulated HID device with configfs Write something to /dev/hidg0 After executing step 3, the machine hangs in a way which makes it clear that it’s not a userspace problem but a kernel one.
The air pollution in Sofia is really high during the winter, so I decided to buy an air purifier for my home. After some short research, I bought Philips AC2729: it can purify and humidify the air at the same time, show particulate matter (PM 2.5) / humidity, and features quiet sleep mode. It also has a Wi-Fi interface which allows remote control with a mobile app. Being able to control the device with my phone sounds pretty cool but after reading so many stories about the so called Internet of Shit, I thought it’d be a good idea to inspect what kind of data this thing sends and ultimately create my own tool to control it.
This is a PoC for something I call “virtual usb drive”. The drive is created on Linux using the MSG kernel module. Then it can be attached to VMs running on VMware vSphere using VMRC 5.5. I think it’s pretty cool hack, so I decided to share it. DISCLAIMER: This is unofficial and unsupported, use it at your own risk. Here is a demo: You can find the supporting scripts here.
This post summarizes my experience with cloning RFID cards that I am using on daily basis. There is nothing new here, just a summary of well-known hacks that I found on the internet. Corporate badge At work we use 125KHz passive RFID badges which are easy to clone. Each badge has unique ID, so the first step is to read this ID. I have been using this DIY reader based on an Arduino:
My ISP is offering IPTV with a set-top-box (STB) device which is connected to the provider network and the TV itself: The only “user interface” for the STB is the remote control. I was curious to find out if the traffic between the STB and the provider is encrypted, so I decided to see what goes on the wire. The easiest way to do this is to create an ethernet bridge between the provider and the STB and then capture the traffic.