Category Archives: (Q) Hardware News

Keyless Systems of Older VW Group Cars Can Be Hacked

Tens of millions of vehicles sold by Volkswagen AG over the past 20 years are vulnerable to theft because keyless entry systems can be hacked using cheap technical devices, according to European researchers.

Computer security experts at the University of Birmingham have published a paper outlining how they were able to clone VW remote keyless entry controls by eavesdropping nearby when drivers press their key fobs to open or lock up their cars.

Vehicles vulnerable to this attack include most Audi, VW, Seat and Skoda models sold since 1995 and many of the approximately 100 million VW Group vehicles on the road since then, the researchers said. The flaw was found in car models as recent as the Audi Q3, model year 2016, they added.

“It is conceivable that all VW Group (except for some Audi) cars manufactured in the past and partially today rely on a ‘constant-key’ scheme and are thus vulnerable to the attacks,” the paper argues.

The only exception the researchers found was cars built on VW’s latest MQB production platform, used in its top-selling model, the Golf VII, which they found does not have the keyless flaw.
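The paper’s complaint is the “constant-key” scheme: a single key shared across the fleet means one eavesdropped press tells an attacker everything needed to clone the fob. The following is an added illustration (not VW’s protocol and not the researchers’ code) of what a receiver without that weakness looks like: each vehicle holds its own secret, every press carries a rolling counter authenticated with that secret, and the car rejects anything it has already seen. The key derivation, tag length and resync window are assumptions chosen for the demo.

```python
import hashlib
import hmac
import struct

# Constructed model of a remote keyless entry receiver with per-vehicle keys
# and a rolling counter. Not VW's scheme; assumptions: 8-byte truncated HMAC
# tag over the air and a 16-press resync window.
TAG_LEN = 8
RESYNC_WINDOW = 16


def encode_press(vehicle_key: bytes, counter: int, button: int) -> bytes:
    """Over-the-air message for one press: counter(4) || button(1) || tag."""
    body = struct.pack(">IB", counter, button)
    tag = hmac.new(vehicle_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Fob:
    def __init__(self, vehicle_key: bytes):
        self.key = vehicle_key
        self.counter = 0

    def press(self, button: int) -> bytes:
        self.counter += 1  # never reused, even if the car is out of range
        return encode_press(self.key, self.counter, button)


class Receiver:
    def __init__(self, vehicle_key: bytes):
        self.key = vehicle_key
        self.last_counter = 0

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 5 + TAG_LEN:
            return False
        body, tag = msg[:5], msg[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False          # wrong vehicle key or tampered message
        counter, _button = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False          # replay of a press already consumed
        if counter > self.last_counter + RESYNC_WINDOW:
            return False          # too far ahead; would need a resync procedure
        self.last_counter = counter
        return True


def demo() -> dict:
    """Exercise the receiver against genuine, replayed and cross-vehicle messages."""
    key_a = hashlib.sha256(b"vehicle-A-demo-key").digest()  # constructed keys
    key_b = hashlib.sha256(b"vehicle-B-demo-key").digest()
    fob_a, car_a, car_b = Fob(key_a), Receiver(key_a), Receiver(key_b)

    first = fob_a.press(1)
    results = {
        "genuine_press": car_a.accept(first),
        "replay_of_same_press": car_a.accept(first),
        "other_vehicle": car_b.accept(first),
    }
    for _ in range(5):                 # presses made out of the car's range
        fob_a.press(1)
    results["within_window"] = car_a.accept(fob_a.press(1))   # counter 7
    for _ in range(RESYNC_WINDOW + 5):
        fob_a.press(1)
    results["beyond_window"] = car_a.accept(fob_a.press(1))   # counter 29
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The point of the per-vehicle key is the `other_vehicle` line: a message captured next to one car is useless against another, which is exactly the property a fleet-wide constant key gives up.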

A VW spokesman said that the current Golf, Tiguan, Touran and Passat models are not vulnerable to the attack.

“This current vehicle generation is not afflicted by the problems described,” VW spokesman Peter Weisheit said in a statement, without commenting on the risks to other models.

In their published paper, the researchers did not identify the auto parts subcontractor responsible for manufacturing the affected keyless systems for VW and potentially other car makers. VW declined to comment on its supplier relationships.

The disclosures come as Europe’s largest automaker struggles to overcome its biggest-ever corporate scandal, after it admitted to manipulating diesel emissions tests in about 11 million vehicles globally.

Other car makers vulnerable
Attackers can use cheap and widely available tools for grabbing radio signals, according to the three researchers from the University of Birmingham in central England and a fourth affiliated with the University of Bochum in Germany.

Cars from other manufacturers may share these flaws, including some model years of the Ford Galaxy, the security researchers said.

A spokesman for Ford Europe had no immediate comment.

The report’s authors said they had focused on mass-market models and did not analyse in detail VW’s luxury brands including Porsche, Bentley, Lamborghini and Bugatti.

Researchers including University of Birmingham computer science lecturer Flavio Garcia said they disclosed their findings to VW Group from November and met the company and the subcontractor involved in February.

VW Group received a draft and a final copy of the research paper before publication and has acknowledged the vulnerabilities, the authors said.

The Wolfsburg-based automaker confirmed it has had a constructive exchange with the researchers and that they had agreed to withhold details that savvy criminals could use to break into cars.

In 2013, VW obtained a restraining order against a group of researchers including Garcia to prevent publication of a paper detailing how anti-theft car immobilisers used by more than 20 different automakers were vulnerable to hacker attacks.

That research was eventually published in 2015 after the authors agreed with VW to remove a pivotal detail that would have allowed low-tech thieves to figure out how to carry out the attack.

The latest paper, entitled “Lock It and Still Lose It: On the (In)Security of Automotive Remote Keyless Entry Systems”, is scheduled to be presented at the prestigious USENIX computer security conference in Austin, Texas, on Friday.

Researchers Bypass Chip-and-Pin Protections at Black Hat

LAS VEGAS – Credit card companies have for the most part moved away from “swipe and signature” credit cards to chip and PIN cards by this point. But the technology behind them, known as EMV (Europay, MasterCard, and Visa) and meant to give consumers an added layer of security, is beginning to show some wear, according to researchers.

Nir Valtman and Patrick Watson, researchers with NCR Corporation, staged a series of malicious transactions in a talk here at Black Hat on Wednesday, demonstrating how they could capture Track 2 data and bypass chip and pin protections. The standard’s intent is to prevent the duplication of cards and crack down on stolen card usage, but doesn’t prevent that card data from being used or modified elsewhere, the two said.

In their first demonstration, the duo used a Raspberry Pi to capture Track 2 data packets in real time. Via a passive man-in-the-middle compromise, Wireshark picked up two interactions from data entered into a pinpad running flawed production software that’s currently in the wild.

The two declined to name the company, but said they had spoken with the vendor and asked it to implement TLS connections; the vendor said it couldn’t because it ran old hardware. Afterwards the two showed that chip and PIN cards aren’t immune to hacks, either.

The raw captured data can be decoded into readable fields: the service code, expiration date, discretionary data and so on, data that can tip a hacker off as to whether the card is a chip card. “You can write the data to a magstripe card and if you’re offline, no one’s the wiser,” Watson told the crowd. “Offline mode can be very attractive to a hacker,” Nir added.
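The fields the researchers mention are the standard Track 2 layout (ISO/IEC 7813): PAN, a field separator, four-digit expiry (YYMM), three-digit service code, then discretionary data. The first digit of the service code is what reveals chip capability (2 or 6 means an IC card). The parser below is an added example, not code from the talk or from NCR; the two track strings are constructed from public test card numbers, and the fallback check shows the defender’s use of the same field: a chip-capable card that arrives as a magstripe swipe is a classic fraud signal an acquirer or issuer should flag.

```python
import re

# Track 2: ;PAN=YYMM SVC discretionary ? [LRC]   (ISO/IEC 7813)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?.?$"
)

# Constructed samples built from well-known test PANs (not real cards).
CHIP_CARD_TRACK2 = ";4111111111111111=29122011234567890?"   # service code 201
MAGSTRIPE_ONLY_TRACK2 = ";5500000000000004=25121010000000000?"  # service code 101


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation of the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 string into its fields; the PAN is also returned masked
    because full PANs must never reach logs or alert text."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 string")
    pan, exp, svc, disc = m.group("pan", "exp", "svc", "disc")
    year, month = 2000 + int(exp[:2]), int(exp[2:])
    if not 1 <= month <= 12:
        raise ValueError("bad expiry month")
    return {
        "pan": pan,
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "luhn_ok": luhn_ok(pan),
        "expiry": f"{month:02d}/{year}",
        "service_code": svc,
        # first service-code digit: 2 = international IC, 6 = national IC
        "chip_capable": svc[0] in "26",
        "discretionary": disc,
    }


def fallback_suspicious(raw: str, entry_mode: str) -> bool:
    """True when a chip-capable card was presented by magstripe swipe
    ('fallback'), which is how cloned magstripe copies of EMV cards get used."""
    return entry_mode == "magstripe" and parse_track2(raw)["chip_capable"]


if __name__ == "__main__":
    for label, track in (("chip", CHIP_CARD_TRACK2), ("mag", MAGSTRIPE_ONLY_TRACK2)):
        f = parse_track2(track)
        print(label, f["pan_masked"], f["expiry"], f["service_code"],
              "chip" if f["chip_capable"] else "no-chip",
              "FALLBACK?" if fallback_suspicious(track, "magstripe") else "")
```

Merchants cannot see this logic, but issuers and acquirers can: declining or stepping up chip-capable cards that arrive as swipes removes most of the value of the magstripe copy the talk describes.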

The pair showed how easy it’d be to use a malicious form to trick a consumer into re-entering their PIN or a CVV on a card machine. “Consumers trust pinpads, they usually think they entered it wrong,” Nir said.

According to the two researchers, attackers could compromise a pinpad by injecting a form (Malform.FRM, in this instance) when no one is in the store, then quickly change it back to a customized “Welcome!” message. Both Valtman and Watson advocate that pinpads use strong cryptographic algorithms and accept only signed, whitelisted updates. Point-of-sale pinpads are usually PCI certified, but the two pointed out that PCI doesn’t require encryption over a local area network, which is how an attacker could carry out a MitM attack.

Consumers should never re-enter their PIN, as it’s a telltale giveaway that a pin pad may have been compromised, Valtman claimed, before adding that he usually frequents stores that allow him to pay with his Apple Watch, as he finds the technology more secure than EMV. “It’s cool, but not a secure standard,” Nir said.

DEF CON 24: US government retains dozens, not thousands, of zero-days

Those who believe the US federal government has stockpiled thousands of zero-day vulnerabilities, as a Def Con 24 audience estimated Friday, might be relieved and surprised to know (and likely a little more than incredulous) that the number of vulnerabilities in its arsenal is, according to Columbia University senior research scholar Jason Healey, in the dozens.

Healey, who will release the results of research done by his team at Columbia University this autumn, acknowledged that he wasn’t “going to convince a lot of you” because government had “given us a lot of reason to be suspicious.”

But while Healey said, “I don’t know if we got the right answer,” his team tried “to run down every line of evidence we can.”

And the results fall into line with what the US government has claimed and others have concluded. The US government’s US$25 million (£19 million) budget for the covert purchase of vulnerabilities implies a more modest arsenal.

“If I had budget like that … I would [shop for] higher value vulnerabilities,” Healey said.

The government’s dual roles regarding disclosure of vulnerabilities have in the past created discord among agencies – with law enforcement types keen on keeping and using zero-days, while departments focused on critical infrastructure and cyber-security like Commerce, State and even Homeland Security want the vulnerabilities to be disclosed to vendors quickly so they can be addressed.

“That’s why you’d see tension between them,” Healey said.

That the US government stockpiles zero day vulnerabilities is nothing new, stretching back 15 to 20 years, but the policies surrounding the way it manages and discloses them have evolved.

What was essentially no policy at all – with a 2002 policy directive leaving disclosure up to the US National Security Agency’s discretion – gave way to a more thoughtful and elaborate policy with the establishment of the Vulnerabilities Equities Process (VEP) in 2010.

“It really kicked in in 2010, with a document that says here’s the process, how to do it,” Healey said.

“As a policy guide, it was OK,” he said, explaining that it even included an appeals process, although documents obtained through FOIA requests were so heavily redacted “we can’t tell what it was.”

It likely “wasn’t very fully implemented,” Healey said, noting that former NSA chief Gen. Michael Hayden said it wasn’t fully operational. That might have led to tensions between the different bureaucracies, Healey explained.

“Imagine seeing departments like DHS and Commerce saying ‘you did what with Stuxnet and my agency had to deal with it,’” he said.

But those tensions have since dissipated after the Obama administration released a presidential directive with stronger and more definitive policy.

“Today don’t see that disagreement, the lack of that is very telling,” said Healey. Now, “you disclose vulnerabilities to the vendor on default.” If an agency doesn’t want to disclose, then it has to make a case for withholding that information.

“The president said it’s just too damn important to leave for [just] anyone” to decide, he said.

Proposed exceptions to the disclosure default threatened to weaken the policy, though.

“Exceptions you can drive a truck through,” said Healey, leave intelligence agencies a lot of latitude. “If have that kind of exception, you know what intelligence agencies are going to do. They’re going to take it to the edge.”

But three breakthroughs helped to turn things around. The first came when the Heartbleed vulnerability emerged. Calling it a “stunning” move, Healey said the NSA “came out and said we had no idea about this.”

The revelation forced the White House’s hand and raised a number of questions, such as whether the vulnerability was something Russia would use against the US or was it “a routine bug.”

That, Healey said, “was not a bad analytical way to go about it. What questions do we need to answer?”

The second breakthrough came from efforts by the Electronic Frontier Foundation (EFF) to obtain additional information through FOIA. Healey gave the nod to the EFF for doing “a fantastic job on FOIA requests.”

The third breakthrough occurred when the NSA came out with additional information, saying that “91 percent of vulnerabilities that went through NSA process were disclosed to vendors,” Healey said, explaining that of the remaining nine percent, many had already been discovered by the vendors themselves.

Where the policy and transparency go from here depends on the steps taken by the next president. “Right now, there’s no role for Congress in this,” said Healey. Existing policy “could be made stronger through Executive Order.”

The Common Methods of Hardware Hacking

Hardware Hacking is an art, but there are some common methods to modifying devices that can jump-start any good hacking project.


Method 1: Patching Into I/O

The first (and arguably easiest) method of hacking a device is patching into its control mechanism. Most consumer products have at least one button or indicator LED, and the connections for that component are usually easy to find and solder to.

With access to button pads, you can attach your own button, relay, or transistor circuit to control the device with your own hardware. For example, if you want to make a device wireless, you can connect your wireless module directly to the button pads and drive the button signal high or low depending on what the module receives. I see this kind of implementation all the time. For example, there was recently a write-up on Hackaday about a user named Kolumkilli hacking his Keurig coffee maker to be wirelessly controlled. He accomplished this by locating the “brew” button pads and connecting a wireless device. This kind of hack can be accomplished without digging into the actual programming of the device.

Image courtesy of Hackaday

With access to the LED pads on a device, you have a reliable output source from the device. The best example I’ve seen of this is a hack with the Star Wars Force Trainer. It appears the blog post for this hack has been removed, but in the hack the designers simply soldered to LEDs on the base of the toy to trigger their own device when certain LEDs turned on. Then they could use the toy as the controller for their own system, without ever having to access the data on the device.

Image courtesy of starwars.com

Method 2: Replacing a Component

This method is often used in Circuit Bending. The user wants the device to sound different, so he or she replaces a component (usually experimentally) to get a different sound out of the device. This kind of approach isn’t limited to Circuit Bending, though. A lot of interesting hacks have been achieved by replacing a component: for example, replacing bike light bulbs with high-intensity LEDs, or replacing the motors on an off-the-shelf toy car to make it drive dangerously fast.

Image courtesy of Hackedgadgets.com

Method 3: The Logic Analyzer

One can gather a lot of “private” data from a device with the use of a simple logic analyzer. To do this, one finds an interesting chip or test point on a circuit board, connects a logic analyzer, and then runs the device. The logic analyzer will record any signals occurring on the lines it’s sniffing, and that data can potentially be translated into something useful. I once hacked a Lidar range finder this way, probing its serial lines while it was running.

[Image: logic analyzer capture]

The blog post went live before I had time to do anything useful with the data, but I made the data public, and by the next day someone had interpreted it and created a video of a graphical representation of the data. Just for a little shameless self-promotion, I used the Saleae Logic Analyzer that we sell, which does auto baud-rate detection and signal translation for the SPI, I2C, and serial protocols. Because of this, it is a vital tool in my hardware hacking toolkit.
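To make “auto baud-rate detection and signal translation” concrete, here is an added example (mine, not Saleae’s software and not the Lidar data from the post) of what a serial-protocol decoder does with a raw capture: it measures the shortest run of identical samples to estimate the bit period, snaps that to a standard baud rate, then samples the middle of each bit of every 8N1 frame. The capture is constructed in code at an assumed 1 MS/s sample rate, with 104 samples per bit to approximate a 9600-baud line.

```python
# Added example: minimal async-serial (UART, 8N1) decoder with baud detection
# over a list of 0/1 samples, the way a logic analyzer would see the line.
STANDARD_BAUDS = (300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)


def encode_uart(data: bytes, samples_per_bit: int, idle_bits: int = 4) -> list:
    """Constructed capture: idle-high line, start bit, 8 data bits LSB first, stop bit."""
    samples = [1] * (samples_per_bit * idle_bits)
    for byte in data:
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for bit in frame:
            samples.extend([bit] * samples_per_bit)
        samples.extend([1] * (samples_per_bit * idle_bits))
    return samples


def detect_baud(samples, sample_rate: int) -> int:
    """Shortest run of identical samples ~ one bit period; snap to a standard rate."""
    shortest, run = None, 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            if shortest is None or run < shortest:
                shortest = run
            run = 1
    if shortest is None:
        raise ValueError("no transitions in capture")
    raw_baud = sample_rate / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw_baud))


def decode_uart(samples, sample_rate: int, baud: int):
    """Decode 8N1 frames; returns (bytes, framing_error_count)."""
    spb = sample_rate / baud
    out, framing_errors, n, i = bytearray(), 0, len(samples), 1
    while i < n:
        if samples[i - 1] == 1 and samples[i] == 0:      # falling edge = start bit
            stop_idx = int(i + spb * 9.5)                 # centre of the stop bit
            if stop_idx >= n:
                framing_errors += 1                       # frame cut off by end of capture
                break
            value = 0
            for k in range(8):                            # centre of data bit k
                value |= samples[int(i + spb * (1.5 + k))] << k
            if samples[stop_idx] == 1:
                out.append(value)
            else:
                framing_errors += 1                       # stop bit not high
            i = stop_idx + 1                              # resume scanning after stop bit
        else:
            i += 1
    return bytes(out), framing_errors


def analyze_capture(samples, sample_rate: int):
    baud = detect_baud(samples, sample_rate)
    data, errors = decode_uart(samples, sample_rate, baud)
    return baud, data, errors


SAMPLE_RATE = 1_000_000                          # assumed 1 MS/s capture
CAPTURE = encode_uart(b"RANGE 123\r\n", 104)     # 104 samples/bit ~ 9600 baud

if __name__ == "__main__":
    baud, data, errors = analyze_capture(CAPTURE, SAMPLE_RATE)
    print(f"{baud} baud, {errors} framing errors, data={data!r}")
```

Framing errors are the useful diagnostic when probing an unknown line: a stream of them usually means the wrong baud rate, inverted logic, or a line that is not a UART at all.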

[Image: second logic analyzer capture]

Method 4: JTAG Hex Dump (a.k.a. Voodoo)

When an electronic device is manufactured, it must be programmed with firmware at some point. The same port through which a device is programmed can also be used to disassemble and hack the firmware. Many microcontrollers have a memory dump feature, triggered through the programming port, that lets a user read the chip’s full memory (in hex). Many devices include a feature that “locks” the chip so that it cannot be read or reprogrammed once it is flashed, but many device manufacturers never enable it, leaving their products susceptible to firmware hacking.

In order to hack firmware through a programming port, one must:

  1. Identify the device and if it has the capability to dump its memory
  2. Build or buy a programmer that can receive this memory dump and transmit to a computer
  3. Get the hex dump from the chip with the programmer
  4. Disassemble the hex into assembly language

Once the hacker has the assembly language, he or she is looking at the firmware. From there one can modify the firmware file to one’s own ends, changing variables and registers to change the behavior of the device. Then the hacker assembles the modified firmware back into hex and reprograms the device with it. This is an advanced method of hardware hacking, but it can provide the most effective (or entertaining) results.
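Step 3 of the procedure above hands you an Intel HEX file, and step 4 cannot start until that file has been turned into a flat memory image. The parser below is an added example (not from this post, GoodFET, or any programmer’s software) that walks the records, verifies each record’s checksum, honours extended-address records, and produces an image a disassembler can load; the sample dump is constructed with hand-computed checksums. The blank-image check is an assumption: a dump that is entirely one fill value usually means nothing is programmed or read-out protection returned a constant, which is worth knowing before spending time on a disassembler.

```python
# Added example: Intel HEX record parser producing a flat memory image.
# Records look like :LLAAAATT<data>CC; the checksum CC makes every record's
# bytes sum to 0 modulo 256.

# Constructed dump: 8 bytes at 0x0000, 4 bytes at 0x0010, then an extended
# linear address record moving the base to 0x10000 with 2 bytes there.
SAMPLE_DUMP = """\
:08000000DEADBEEF01020304B6
:04001000CAFEBABEAC
:020000040001F9
:02000000AABB99
:00000001FF
"""


def parse_intel_hex(text: str) -> dict:
    """Return {absolute_address: byte} for all data records, validating checksums."""
    memory, base = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' record mark")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5:
            raise ValueError(f"line {lineno}: record too short")
        length, rtype = raw[0], raw[3]
        addr = int.from_bytes(raw[1:3], "big")
        if len(raw) != 5 + length:
            raise ValueError(f"line {lineno}: length field {length} does not match record")
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: checksum mismatch")
        data = raw[4:4 + length]
        if rtype == 0x00:                                   # data
            for off, b in enumerate(data):
                memory[base + addr + off] = b
        elif rtype == 0x01:                                 # end of file
            break
        elif rtype == 0x02:                                 # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                                 # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:02X}")
    return memory


def to_image(memory: dict, start: int, length: int, fill: int = 0xFF) -> bytes:
    """Flatten a region into bytes, using the erased-flash value for gaps."""
    return bytes(memory.get(a, fill) for a in range(start, start + length))


def hexdump(image: bytes, start: int = 0, width: int = 16) -> str:
    lines = []
    for off in range(0, len(image), width):
        chunk = image[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start + off:08X}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def looks_blank(image: bytes, fills=(0x00, 0xFF)) -> bool:
    """Assumption: a constant-fill dump means unprogrammed or read-protected memory."""
    if not image:
        return True
    return any(all(b == f for b in image) for f in fills)


if __name__ == "__main__":
    mem = parse_intel_hex(SAMPLE_DUMP)
    img = to_image(mem, 0, 0x20)
    print(hexdump(img))
    print("blank?", looks_blank(img))
```

The checksum check matters more than it looks: a flaky programmer cable corrupts individual records, and a disassembler fed a silently corrupted image produces plausible-looking nonsense.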

One of my favorite examples of this sort of hacking is the GoodFET, a device developed by Travis Goodspeed to (among other things) easily trigger a hex dump and re-flash the memory of multiple platforms (MSP430, AVR, PIC, etc.). The GoodFET makes it easy for the hardware hacker to download or “peek” at code hosted on a chip, in order to modify or exploit it for hacking.


For those interested in heavy-duty hardware hacking, be sure to check out Travis Goodspeed’s blog.

As I said before, this is by no means a complete “how to hack hardware” article. There will always be new ways to modify and hack new devices and chips, and someone will always come up with some slick way to use a device to an unintended end. What methods have you used to hack hardware, or what do you find useful in the reverse engineering process?