Open API to Kinect

It did not take long for the hacking/hobbyist community to reverse engineer the API of Microsoft’s Kinect. The Kinect is the new gizmo for the Xbox that uses the body as an input device.

Adafruit, a US company, offered a $3,000 bounty to the first developer who would provide a library to connect to the Kinect. Hector Martin is the winner. His library gives access to the RGB data from the camera together with the depth map.

The first person who reported being able to connect to the Kinect was alexP from NUI. Nevertheless, he did not publish his drivers. He works with the open source group Natural User Interface (NUI). On the contrary, Hector Martin has published his as open source under the name libfreenect. Meanwhile, Theo Watson has adapted this library to work on Mac OS X.

The initial reaction of Microsoft to Adafruit’s challenge was to threaten legal action in case of hacking:

“With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.”

Microsoft has since softened its position. It no longer claims that this library is a hack (which, stricto sensu, may be true):

“Kinect for Xbox 360 has not been hacked–in any way–as the software and hardware that are part of Kinect for Xbox 360 have not been modified. What has happened is someone has created drivers that allow other devices to interface with the Kinect for Xbox 360. The creation of these drivers, and the use of Kinect for Xbox 360 with other devices, is unsupported. We strongly encourage customers to use Kinect for Xbox 360 with their Xbox 360 to get the best experience possible.”

Microsoft’s position is very smart. In no way does this library harm Microsoft’s business. Soon, hobbyists will use the Kinect and most probably create applications extending well beyond games. They may even come up with ideas that Microsoft’s engineers will be able to exploit. This may even be good advertising for Kinect.

It is reminiscent of the use of Sony’s PS3 in fields unrelated to games. See Security Newsletter #9.

Another winner is Adafruit: for $5,000, they made headlines worldwide, and in the role of the good guys! That is cheap. :)

Cracking commercial quantum cryptography

Quantum cryptography is a strange beast. The first commercial solutions, for instance by ID Quantique, are already available. And they are already hacked. Researchers of the Norwegian Quantum Hacking group have succeeded in eavesdropping on communications.

Of course, the vulnerability was not in the concept of quantum cryptography itself but in some technological loopholes. As usual, the weakness comes from the implementation. They present a nice gallery of pictures illustrating the equipment and the methods used by the exploit.

It is not the first exploit by this team. See Cracked Quantum Cryptography?

XSS vulnerabilities and anti virus vendors

Team Elite, a team of white-hat hackers, last week disclosed Cross-Site Scripting (XSS) vulnerabilities on the sites of three antivirus vendors: Symantec, ESET, and Panda Security. All three vendors promptly closed the vulnerabilities. The mere fact that the sites of security specialists host such well-known vulnerabilities highlights how difficult it is to create clean, secure software or sites.

XSS is probably one of the most widespread (and fastest growing) vulnerabilities on the Web. The next issue of the security newsletter (#17, to be issued within a fortnight) will touch on XSS. XSS is to Web sites what buffer overflow is to conventional software: a well-known issue that nevertheless keeps appearing.

The site of Team Elite is a nice repository of many vulnerabilities.

Apple, Jailbreaking and Patents

Monday, September 13, 2010

Put together these three words and you obtain an explosive cocktail that will surely make the headlines. At the end of July, a new type of jailbreaking for iPhone and iPad appeared. Two weeks later, Apple closed the hole. Unfortunately, one week later, somebody highlighted an Apple patent that was filed in February 2009 (there is a period of 18 months after filing during which the text of the patent is not public). It was claimed that Apple had patented a method to fight jailbreaking and even brick the phone in case of jailbreaking. Most of the news I’ve seen on the Net was making the same statement.
Thus, I decided to have a look at this patent. The title of the patent is “Systems and methods for identifying unauthorized users of an electronic device”. Where is jailbreaking? The patent is about identifying an unauthorized user, not about identifying an unauthorized action. To identify an unauthorized user, the patent proposes in sub-claims many solutions such as voice identification (comparing to the voice print of authorized users), face recognition, a heartbeat sensor (I was not aware of this type of biometrics; does somebody have a good pointer?), or proximity detection by a sensor such as NFC. Once an unauthorized user is detected, the patent claims that the device collects some information such as keylogging, logging Internet activity, taking geotagged pictures, or using an accelerometer to identify the current mode of transportation. Then it sends an alert to a responsible party with the collected data.
The patent also gives a broader definition of an unauthorized user:

“[0039] As another example, an activity that can detect an unauthorized user can be any action that may indicate the electronic device is being tampered with being, for example hacked, jailbroken, or unlocked. For example, a sudden increase in memory usage of the electronic device can indicate that a hacking program is being run and that an unauthorized user may be using the electronic device.”

Even funnier:

“As yet another example of activities that can indicate tampering with the electronic device, an unauthorized user can be detected when a subscriber identity module (SIM) card is removed from or replaced in the electronic device.”

Good luck with the many false positives. Jailbreaking is really a side issue in this patent. It is more relevant against theft than against jailbreaking. Were the device able to detect jailbreaking, it would most probably be able to cancel the action. Of course, it is now legal to jailbreak the phone, at least in the US.

The lesson is that you should not trust too much what you read in the blogs. Build your own opinion: read the source documents. I am sure that very few of the journalists or bloggers who reported the news had in fact read the patent.

It is the turn of the PS3

For years, Sony’s PlayStation resisted hackers. One potential explanation was that, by allowing homebrew applications to execute on the PS, Sony removed the entire homebrew community (a large chunk of the reverse engineering community) from the pool of attackers. This is no longer true.

Since 19 August, the PSJailbreak has been available. This USB stick allows copies of games to be executed. It is a kind of R4, but for the PS3. It works on both the PS3 and the PS3 Slim. The price is rather high (at least in France, around €130 or $160). Every report claims that it works.

Sony has already claimed that, through its PSN network, it can detect the presence of the jailbreak and then retaliate. I have not yet found a post confirming a counterstrike by Sony on PSN. The current version of PS3Jailbreak does not offer any upgrade feature, which may be a weakness.

The funny part of the story is that the pirates may soon be pirated themselves. The reverse engineering of the PSJailBreak has already started. The hack is based on a standard PIC18F microcontroller. It seems that the code has already been successfully dumped. Some sites are already offering clones such as PS3stinger, PS3key, X3JailBreak… Clearly, the distributor foresaw this, because its site warns about imitators and has created a logo for authorized dealers.

Once more, our law #1, “attackers will always find their way”, was verified. It just took longer than for the other game consoles. Now, let’s wait for Sony’s reaction.

The JailBreaking race

Two weeks ago, two vulnerabilities were disclosed affecting the iPad, iPod touch, and iPhone. In a nutshell:

  • A buffer overflow in FreeType allows arbitrary code execution from specially crafted PDF files
  • An integer overflow in IOSurface allows gaining system privileges

By combining both exploits, it is possible to take control of the device. The site JailBreakMe.com used them to easily jailbreak iPhones and iPads. Jailbreaking allows the use of a network operator other than the one locked in by the manufacturer (in Apple’s case, AT&T). Interestingly, since the end of July, jailbreaking has been legal in the US.

Apple has just issued new versions that correct these flaws: iOS 3.2.2 for iPads and iOS 4.0.2 for iPhones. It is a good thing, because these vulnerabilities could be used for far more than jailbreaking (although Apple may not share this view of jailbreaking).
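As an added illustration of the integer-overflow bug class named in the second bullet above (this is example code written for this newsletter, not code from Apple, IOSurface or JailBreakMe), the C snippet below shows a buffer-size computation that silently wraps in 32-bit arithmetic next to a checked version that rejects the overflowing geometry before it reaches the allocator. The surface dimensions, the 64 MiB cap and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SURFACE_BYTES (64u * 1024u * 1024u)  /* assumed policy cap: 64 MiB */

/* Vulnerable pattern (illustrative): the byte count is computed in 32-bit
 * arithmetic, so a large attacker-chosen geometry wraps modulo 2^32.
 * malloc() then returns a buffer far smaller than width*height rows, and
 * any later copy sized from width and height overruns it. */
uint32_t surface_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;                  /* wraps silently on overflow */
}

/* Hardened version: widen to 64 bits, detect overflow on each multiply and
 * cap the result. Returns 0 on success and -1 when the geometry is rejected. */
int surface_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t area = (uint64_t)width * height;     /* 32x32 bits fits in 64 bits */
    if (area > UINT64_MAX / bpp)                  /* area * bpp would overflow */
        return -1;
    uint64_t bytes = area * bpp;
    if (bytes > MAX_SURFACE_BYTES)                /* also refuse absurd sizes */
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Allocate a surface only through the checked path, so a caller can never
 * receive an undersized buffer. Returns NULL when the geometry is rejected. */
unsigned char *alloc_surface(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;
    if (surface_bytes_checked(width, height, bpp, &bytes) != 0)
        return NULL;
    unsigned char *buf = malloc(bytes);
    if (buf)
        memset(buf, 0, bytes);
    return buf;
}
```

A 65536x65536 surface at 4 bytes per pixel yields 0 bytes from the unchecked function and a rejection from the checked one; ordinary geometries pass through unchanged.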

SMS: Nice piece of social engineering

This morning, I received on my mobile phone the following SMS (translated from French):

Info: This caller tried to call you at 09:47 without leaving a message. Unknown Number in your directory > Call the 0899190721 to identify him

Obviously, this is a premium-rate number. How many gullible people will fall into this trap?

It is a nice piece of social engineering. The caller has not left a message, so you may want to know who called and why. They offer a way to answer these questions… Bingo.

The attack would have been even more effective if you had actually had a missed call just before.

The scammers are really very creative!