Now fingerprint reader and rootkits – Sony did it again

This report by F-Secure’s Mika Ståhlberg states that the MicroVault USM-F fingerprint reader software shipped with the Sony USB stick installs a driver that hides a directory under C:\Windows.

And, reportedly, the guys of the F-Secure research laboratory also tested the latest software version available from Sony, and this version also contains the same hiding functionality.

Hmmm – time to wear my white T-shirt with text familiar to many readers – “Most people don’t even know what a rootkit is, so why should they care about it?”


iPhone default passwd: Won’t people ever learn?

i’d expect this from new software companies, maybe. but the big ones seem to keep doing this.

default passwords, especially in widely distributed devices, are bad. no, really. enough with these already.

iphone root password cracked
we managed to obtain and crack the hashes of the user passwords for the iphone os. more information can be found at our development wiki here (link removed).

edit: cause you digg people broke the poor wiki:

the password for root is “alpine”
the “mobile” user accounts password is “dottie”

is it sick to have the root password to all iphones worldwide? well not really, there is no terminal yet to login :p

gadi evron,


Chip & PIN relay attacks – Man in the middle style

Saar Drimer and Steven Murdoch, members of the Security Research Team at the University of Cambridge Computer Laboratory, have presented their detailed analysis entitled “Chip & PIN (EMV) relay attacks”.

The link to the very interesting blog posting is here; a picture of the credit card, the ‘fake terminal’ and their device is included.

These researchers are also the guys behind the Chip & PIN terminal playing Tetris; the YouTube video (49 seconds) is here.


USB Attacks Going Commercial?

in the public hacking world, so far we have mostly seen usb technology from security vendors… not from the attackers’ side.

a few years ago we had discussions on pen-test, and later bugtraq and fd on these risks, following an article in 2600 and a post from me on the risks digest. on pen-test, harlan carvey and others also followed up.
since then there have been multiple threads everywhere. this was not new back then, either, imo.

back then i mainly addressed the risk of driver attacks (now more acknowledged since blackhat 2005 and blackhat 2006 presentations on the subject appeared), and didn’t get much attention. hackers did not know usb technology that well and most did not see what the heck drivers had to do with it.

what did come up were the risks of autorun technology (which is a simple solution to making usb devices execute code). these were not as easy as they first appeared, and did not work if windows xp’s screen saver was active. still, things were interesting and my fav quote, “the janitor is the richest person in the organization”, got some interest.

today, with several usb buffer overflows discovered (mostly in the linux kernel) and driver attacks getting more attention, i came across the following blog entry by xavier ashe.

in his blog he discusses a usb autorun technology which is actually a hacking tool.


Elmo Got Hacked

The cute Knows Your Name Elmo device has recently been hacked to say bad things such as “ELMO EAT WHALE AND SEAL”.

I am sure this isn’t a Sesame Street approved sentence :)

For now the hacking of the device is pretty crude, and many details on its inner workings are still missing, but with time the customization options for this device are bound to become available.

I am waiting for a coffee making device that will do my bidding, but an Elmo coffee making device would also be great :)

More details at this link.


PSP Buffer Overflow Allows Downgrading of Firmware

SonyxTeam has released a downgrader for the PSP. The downgrader works by exploiting a buffer overflow in libtiff, which resides in the PSP’s toc2rta 2.0. The downgrader uses the overflow because there is no other way to run non-Sony-approved software on the PSP 2.0. The downgrade opens up the device to independent software development that hasn’t been Sony-approved.

In my opinion this is the first time a buffer overflow has been used for “good”, i.e. to execute a good piece of software, rather than for “evil”, i.e. to execute a bad piece of software. It would be interesting to see how Sony would react to this, and whether this will speed up Sony’s responsiveness to software vulnerabilities found in their products.


Analysis of the Texas Instruments DST RFID

Although the article isn’t new, it is still good reading material to those that are looking into implementing some sort of RFID for security or identification.

The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below.

To summarize the article you can do almost anything with their DST simulator and reader:

  • Sniff a DST tag in a victim’s pocket
  • Crack the key in a DST tag
  • Start a car
  • Buy gas

Virtual Sex with Commwarrior

Now that I have your attention :) well, Commwarrior is a worm that is spreading to Bluetooth-based cellular phones. Actually it spreads to Symbian Series 60 devices using MMS and Bluetooth communication.

MMS, for those that don’t know, stands for “Multimedia Messaging System”, a younger brother of SMS that allows 3G cellular phones to send short sounds, movie clips and other multimedia as a message that looks like an SMS, using the Internet Message Format (RFC 2822). MMS is starting to become highly popular, like many other gimmicks of the 3rd generation and the world of cellular phones.

Anyway, as far as I could find, there are two versions of Commwarrior, both of them spread by “Virtual Sex”. It does so by looking for Bluetooth phones nearby and sending them an infected SIS file. The SIS files that Commwarrior sends have random file names, so you can’t just ignore a certain file name and be safe.

Regardless of Bluetooth, the worm also tries to send an MMS containing itself to all of the phones listed in the contact/address book.

Here are some details from F-Secure about the worm:

Commwarrior contains the following texts:

CommWarrior v1.0 (c) 2005 by e10d0r

The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.

Replication over bluetooth

Commwarrior replicates over bluetooth in SIS files that have random names; the SIS file contains the worm’s main executable commwarrior.exe and the boot component commrec.mdl.

The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file has been installed.

When the Commwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones one after another. If the target phone goes out of range or rejects the file transfer, Commwarrior will search for another phone.

The replication mechanism of Commwarrior is different from that of Cabir. The Cabir worm locks onto one phone as long as it is in range and, depending on the variant, will either look for another phone after losing contact or stay locked.

The Commwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range, and possibly spreads faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.

Replication over MMS

Commwarrior replicates over MMS by sending MMS messages that contain the infected SIS file to other users. The MMS messages contain a variable text message and the Commwarrior SIS file with the filename commw.sis.

Unlike in bluetooth spreading, the SIS file name is constant; otherwise the SIS file is identical to the one sent in bluetooth spreading.

The numbers to which Commwarrior sends the MMS messages are read from the phone address book.

Commwarrior uses the following texts in MMS spreading:

Matrix has you. Remove matrix!

3DGame from me. It is FREE !

MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

*FREE* CheckDisk for SymbianOS released!

MobiComm
Norton AntiVirus
Released now for mobile, install it!

New Dr.Web antivirus for Symbian OS. Try it!


When the Commwarrior SIS file is installed the installer will copy the worm executables into the following locations:


When the comwarrior.exe is executed it copies the following files:


And rebuilds its SIS file to:


After recreating the SIS file the worm starts spreading over MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.
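The F-Secure description above gives a defender several observable traits: a fixed attachment name on MMS, a known set of lure subjects, fan-out of one SIS installer to many recipients in a short time, and distinct spreading hours per channel. The following added example (not code from the original post or from F-Secure) turns those traits into a small detector run over constructed transfer-log lines; the record layout `time|channel|recipient|file|subject`, the `BURST` threshold and the `LOG` sample are assumptions.

```python
"""Flag outgoing transfers that match the Commwarrior behaviour described above.

Added example, not code from the original post or from F-Secure. The log
lines are constructed and their layout (time|channel|recipient|file|subject)
is an assumption; a real phone or MMSC log needs its own parser.
"""
from collections import defaultdict
from datetime import datetime

# Lure subjects quoted in the F-Secure description above (a partial list).
KNOWN_LURES = {"Matrix has you. Remove matrix!", "3DGame from me. It is FREE !",
               "Security update #12", "Virtual SEX", "Norton AntiVirus"}
MMS_FILE = "commw.sis"                      # the MMS copy always carries this name
WINDOWS = {"mms": (0, 6), "bt": (8, 23)}    # documented spreading hours (inclusive)
BURST = 3                                   # distinct .sis recipients per channel-hour (assumed)

LOG = [  # constructed sample: a worm-like burst on each channel plus one benign MMS
    "02:15|mms|+15550001|commw.sis|Security update #12",
    "02:16|mms|+15550002|commw.sis|Norton AntiVirus",
    "02:16|mms|+15550003|commw.sis|Happy Birthday!",
    "09:30|bt|00:11:22:33:44:55|qx81z.sis|",
    "09:31|bt|66:77:88:99:aa:bb|k2m9p.sis|",
    "09:31|bt|cc:dd:ee:ff:00:11|zz7a1.sis|",
    "14:05|mms|+15550004|holiday.jpg|Look at this",
]

def parse(line):
    t, channel, rcpt, fname, subject = line.split("|", 4)
    return {"hour": datetime.strptime(t, "%H:%M").hour, "channel": channel,
            "rcpt": rcpt, "file": fname.lower(), "subject": subject}

def flag_transfers(lines):
    """Return {line_index: [reasons]} for records that look like worm replication."""
    recs = [(i, parse(l)) for i, l in enumerate(lines)]
    recs = [(i, r) for i, r in recs if r["file"].endswith(".sis")]  # only SIS installers
    # Behavioural check: distinct recipients of a .sis per channel and hour.
    buckets = defaultdict(set)
    for _, r in recs:
        buckets[(r["channel"], r["hour"])].add(r["rcpt"])
    hits = defaultdict(list)
    for i, r in recs:
        if r["channel"] == "mms" and r["file"] == MMS_FILE:
            hits[i].append("MMS attachment named commw.sis")
        if r["subject"] in KNOWN_LURES:
            hits[i].append("known Commwarrior lure text")
        fanout = len(buckets[(r["channel"], r["hour"])])
        if fanout >= BURST:
            hits[i].append(f"{fanout} distinct .sis recipients over {r['channel']} in one hour")
        lo, hi = WINDOWS.get(r["channel"], (-1, -1))
        if i in hits and lo <= r["hour"] <= hi:     # corroboration only, never alone
            hits[i].append("inside the documented spreading window")
    return dict(hits)
```

The time window is deliberately treated as corroboration rather than a trigger: a single legitimate SIS sent at 02:00 produces no hit, while the fan-out rule also catches a variant that changes its lure texts or attachment name.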

For reference please look at:
F-Secure Commwarrior.A
F-Secure Commwarrior.B
Some Bluetooth stuff
Bluetooth specs


Lexar’s LockTight CompactFlash Supports SHA-1

Good news from Lexar – one of the world’s bigger CompactFlash manufacturers – as they start shipping their security-oriented Lexar LockTight CompactFlash. Lexar’s LockTight CompactFlash supports encryption and the ability to establish security settings on the memory card and digital camera to prevent unauthorized use – read and write – of the CompactFlash.

The encryption algorithm is said to utilize 160-bit encryption technology, using SHA-1 (Secure Hash Algorithm), a standard approved by NIST (National Institute of Standards and Technology).


Move Aside iPODCast it is Tempest for Eliza’s Turn

The idea behind Tempest is not new; however, the website I found is – at least to me.

The website proposes the idea of playing an MP3 music file on your screen and listening to it through your radio, where the only “connection” between the two is the emissions transmitted by your CRT screen and picked up by the radio.


No more **** passwords?

A nice solution built by MERL to prevent shoulder surfing is to display a flickering picture and provide glasses that are able to filter out these flickers, resulting in a dual image:

This means a display that can only be viewed with the magic glasses.

Although the solution is simple, you can use this to “encrypt/hide” data quite well – i.e. show someone one picture while the person with the special glasses sees another.

The only drawback is that the glasses need to be wired to the screen, making the solution not very portable.

This would also give a whole new meaning to “I can’t work today as I forgot my glasses at home” :-)


Nintendo DS Cracked

News flash!
“There’s a fully functional device known as Super PASS designed to play NDS Roms downloaded from the Internet with your Nintendo DS”.

Why is this important?

Well, simply put: if the supposedly secure environment of the Nintendo DS has been cracked, I see no reason why Microsoft’s claims that the Xbox 360 is uncrackable would hold any ground, as Microsoft expects them to.

You can learn more about this Super PASS device at the following location: China Has Successfully Cracked Nintendo DS, 10 Latest Games Tried Out and here NDS games can now be played on your NDS device.


Secure by default

It’s not often that I buy stuff off the cuff. My buying habits are relatively conservative, and I usually do a lot of research on equipment before I buy it. This Friday was an exception to the rule – when I saw the WRT54GC in Fry’s for $40, I just couldn’t miss out. The device is very slender, very nearly pocket-sized, and has a built-in antenna with a jack for an external one and 5 ethernet ports (1 external).

Wireless technology has been in use for nearly a decade now, and securing a wireless network today is relatively easy. Yet as I plug this baby into the socket and hit refresh on the laptop, I see a new network: SSID linksys, channel 6, no encryption. Great. A few tweaks later and the device no longer publishes its SSID (no, it’s not linksys anymore), and would only let you connect if you speak WPA2 to it. And ‘admin’ was a lame administrator password anyway.

Here’s a question for you: How many people actually go through the extra few clicks to secure their wireless device? If this device sold only 1000 units, I bet there are now 800 new open wireless networks.

Let’s consider the following imaginary scenario, involving Joe, your average computer user:

  1. Joe buys his new device and connects it to his cable modem, like the manual says
  2. Joe then looks for a wireless network with his laptop. There it is, SSID linksys, no encryption
  3. Joe connects to the unencrypted network and tries to browse the web
  4. Joe’s web connection is hijacked to a local web-server on the device, which asks him for a 6 digit code on a sticker on the device.

Several interesting things can happen now: maybe Joe can surf the net immediately, while the device sets up a MAC filter for his current MAC address. Not very secure, but it’s better than nothing. Or Joe might have to choose a WPA key, and a small signed Java applet would set up his computer with the new key.
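The four-step scenario and the two outcomes just described can be written down as a small state machine, which makes the difference between the MAC-filter fallback and the WPA key option explicit. This is an added example, not code from the post or from any Linksys firmware; the class and method names, the return strings, the `MAX_ATTEMPTS` lockout and the sample MAC addresses and sticker code are all assumptions.

```python
"""Model of the first-connect provisioning flow proposed in the post above.

Added example, not code from the post or from any Linksys firmware. The class
and method names, the return strings and the MAX_ATTEMPTS lockout are all
assumptions; the MAC addresses and the 6-digit code used below are constructed.
"""
import hmac

MAX_ATTEMPTS = 5   # guesses of the sticker code before the portal locks (assumed)

class AccessPoint:
    def __init__(self, sticker_code):
        self.sticker_code = sticker_code  # 6-digit code printed on the device label
        self.state = "unprovisioned"      # -> "mac_filter" (weak) or "wpa2" (preferred)
        self.allowed_macs = set()
        self.psk = None
        self.failed = 0

    def associate(self, client_mac, psk=None):
        """Layer-2 join: open while unprovisioned, key-gated once WPA2 is chosen."""
        if self.state == "wpa2":
            return psk is not None and hmac.compare_digest(psk, self.psk)
        return True

    def handle_http(self, client_mac, url, code=None, psk=None):
        """Every request is hijacked to the setup portal until the device is provisioned."""
        if self.state == "unprovisioned":
            if self.failed >= MAX_ATTEMPTS:
                return "locked: power-cycle the device to retry"
            if code is None:
                return "setup-portal"                      # step 4 of Joe's scenario
            if not hmac.compare_digest(code, self.sticker_code):
                self.failed += 1                           # slow down code guessing
                return "setup-portal: wrong code"
            if psk:                                        # better option: a WPA key
                self.psk, self.state = psk, "wpa2"
                return "configured: reconnect with WPA2 key"
            self.allowed_macs.add(client_mac)              # fallback: MAC filter only
            self.state = "mac_filter"
            return url
        if self.state == "mac_filter" and client_mac not in self.allowed_macs:
            return "blocked: MAC not on the filter list"
        return url                                         # provisioned: pass through
```

Note that in the `mac_filter` outcome the radio stays open and only the HTTP path is gated, which is exactly why the post calls it "better than nothing"; the `wpa2` outcome moves the check down to association, where the setup code is never sent over the air again.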

Now I’m not Joe, so maybe my perspective is all skewed. Is it really too much to ask from a user to go through a linear, consistent process before his network is set up, ensuring he is running an encrypted network, or at least MAC-filtered? Is it that much of an annoyance?

Is it more expensive to manufacture? The device already has an individualized sticker on it with the MAC address; I don’t think adding another 6 digits to it is much of a hassle, and the device already has an embedded web server. Yes, some more code.

Disclaimer 1: I know, this is still insecure, because Joe still uses a wireless unencrypted medium to transmit the code. It can be solved with an SSL web server, but even if it’s unencrypted, the window of vulnerability is greatly reduced.

Disclaimer 2: The WRT54GC came with a CD, which I never bothered to take out of its sleeve. I could see no reason to run software on my PC when I could just as well configure the device over the web. Perhaps Joe’s magic one-click access point securifier exists on that CD, and I just didn’t bother to check.

Originally posted on my blog


Never Say Never

Microsoft’s Andre Vrignaud – Xbox Platform Strategy Group – gave a lecture at the recent GDC Europe 2005 and was heard to state that:
Microsoft took 2 and a half years on security this time round, whereas the Xbox only had around a year. Vrignaud prompted: “Never say never”, but he thinks it’s going to be a long time before the Xbox 360 gets modded.

I think that, as in the case of the PSP – which until recently was considered quite hard to mod/hack – the momentum builds slowly, but once it gets rolling, nothing can stop it, not even new firmware.


WiFi Cameras by Nikon the Next Thing to Get Hacked?

Nikon is planning on releasing new WiFi-enabled cameras to the market. As with all WiFi devices, this means that the camera will probably get an IP address and support some kind of connectivity protocol.

It’s not yet clear what protocol Nikon is going to use to transfer the pictures between the camera and the computer, but they do mention the ability to transfer them wirelessly, not through a computer, to a PictBridge-enabled printer – BTW: the PictBridge standard talks about USB connectivity, but they could be planning on using Picture Transfer Protocol over Internet Protocol, dubbed PTP/IP.

It will be interesting to see how long it will take until someone hacks this setup, during an important event such as a press conference or maybe a wedding ;) , to broadcast false images or maybe even steal the competition’s images… Time will tell :)


People Hacking Their Blu-ray will be “Punished”

According to Engadget, people who hack their Blu-ray device will be punished by the makers of the device. It is not yet clear how they will be punished; all that is known is this:

On top of that, consumers should expect punishment for tinkering with their Blu-ray players, as many have done with current DVD players, for instance to remove regional coding. The new, Internet-connected and secure players will report any “hack” and the device can be disabled remotely.

It would be interesting to see how consumers will react to such punishment, or whether such talk of punishment will ever become real action on the part of the vendor.

In any case, if they do start to punish the consumer, the first thing that will be hacked in the Blu-ray device will be the “punishment-enabling” system :)