Monday, May 3, 2021

Open Sesame

There are many definitions of the term "hacker"; the one I like best is someone who can make any two devices talk to each other. Someone who can make their toaster send an e-mail, for example. For exactly that reason I especially enjoyed the following project: at the entrance to my building's parking lot there is a barrier that opens with a remote control. I, a hacker of many deeds, decided that I wanted to be able to open it with my phone, or even with WhatsApp. That decision led me to a project full of surprises.

Opening the barrier with the remote didn't work very well, and the residents would spend long minutes pressing the remote while waving it in every direction, which resembled an ancient Pharaonic dance.

One day I met the head of the building committee and asked him whether he could give me the key to the gate's control box so I could check whether I could improve the reception problem. Surprisingly, he pulled the key off the key ring in his hand and told me that something really did need to be done about it.

I immediately ran to open the box and take a few pictures (attached):

The following sticker was glued to the door of the box:

If you study it and look at a few more markings on the main board, you understand the following:

The moment you short the two points I marked in the diagram, the gate opens and goes through the wait and close stages, as expected. If I connect those two points to a relay and to my computer, I can add any interface that computer can provide.

It was clear to me what I needed:

  1. Some kind of remote control board, preferably GSM.
  2. Some small, humble computer. Although an Arduino probably would have sufficed, I preferred to put a Raspberry Pi there to open up as many new possibilities as possible.
  3. Some connection to the two points in the picture above.

Simple enough so far, but of course in reality nothing worked the first time and there were many challenges along the way. It turned out that:

  • Pushing more wires into the mechanism without disconnecting anything else is not easy.
  • I tried three different models of cellular modems for the Raspberry Pi before I found something that worked reasonably. It also turned out that it is not a good idea at all to power the modem directly from the Raspberry Pi, because it doesn't supply enough.
  • The first SIM I tried connected to a network with poor reception in my area, and I had to replace it with another.
  • The lack of a common ground between the original controller, the Raspberry Pi and the modem caused a lot of difficulties. In the end I controlled the open button with a relay that shorts it to the original controller's ground.
  • Communication with the modem was done using an additional USB-to-UART adapter.
  • Software updates and updates to the list of authorized senders are done over WiFi. By adding a repeater to my home network, I managed to reach it from my apartment on the second floor.
  • In summer the heat inside this box is so high that the Raspberry Pi simply fails. I have no real solution for this apart from a few fans I added, which unfortunately didn't really solve the problem.
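As an added example (not the author's code, which is not on the page), here is what the receive-and-authorize loop for the setup in the list above looks like in Python: messages are pulled from the modem in text mode, the sender is checked against the allowlist, and the relay that shorts the "open" contact to the controller's ground is pulsed. The AT command responses, the GPIO pin and every phone number below are assumptions; the emoji-to-song part is left out. One caveat: the sender number an SMS arrives with is whatever the network delivered and can be spoofed through some SMS gateways, so the allowlist is only a first filter; a shared secret in the message body is a cheap second one.

```python
import re

# Constructed sample of a text-mode (AT+CMGF=1) reply to AT+CMGL="ALL". Numbers are made up.
SAMPLE_CMGL = (
    '+CMGL: 1,"REC UNREAD","+972501234567","","21/05/03,10:15:00+12"\r\n'
    "OPEN\r\n"
    '+CMGL: 2,"REC UNREAD","+15550001111","","21/05/03,10:16:00+12"\r\n'
    "open\r\n"
    '+CMGL: 3,"REC UNREAD","050-765-4321","","21/05/03,10:17:00+12"\r\n'
    "PING\r\n"
    '+CMGL: 4,"REC UNREAD","+972555000999","","21/05/03,10:18:00+12"\r\n'
    "Great investment opportunity!\r\n"
    "Land for sale, call now.\r\n"
    "\r\n"
    "OK\r\n"
)

CMGL_HEADER = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)","[^"]*","([^"]*)"$')


def normalize_number(number):
    """Canonical E.164 form so '050-765-4321' and '+972507654321' compare equal.
    Assumption: 10-digit local numbers starting with 0 are Israeli (+972)."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("0") and len(digits) == 10:
        return "+972" + digits[1:]
    return digits


def parse_cmgl(raw):
    """Return [(index, sender, timestamp, body)] from a text-mode +CMGL listing."""
    lines = raw.replace("\r\n", "\n").split("\n")
    while lines and lines[-1].strip() in ("", "OK"):  # drop the final result code
        lines.pop()
    messages, current = [], None
    for line in lines:
        m = CMGL_HEADER.match(line)
        if m:
            current = [int(m.group(1)), m.group(3), m.group(4), []]
            messages.append(current)
        elif current is not None:
            current[3].append(line)  # bodies may span several lines
    return [(i, s, t, "\n".join(b).strip()) for i, s, t, b in messages]


def handle_messages(messages, allowed, pulse_relay):
    """Act on each message; return (decisions, AT commands to send back to the modem)."""
    decisions, at_commands = [], []
    for index, sender, _stamp, body in messages:
        at_commands.append(f"AT+CMGD={index}")  # delete every message so spam can't fill the SIM
        if normalize_number(sender) not in allowed:
            decisions.append((index, "ignored", sender))
        elif body.upper() == "OPEN":
            pulse_relay()
            decisions.append((index, "opened", sender))
        else:
            decisions.append((index, "unknown-command", sender))
    return decisions, at_commands


def pulse_relay_gpio(pin=17, seconds=0.5):
    """Close the relay that shorts the controller's 'open' contact to its ground, then release.
    Assumptions: BCM pin 17 drives an active-high relay module; only meaningful on a Pi."""
    import time
    import RPi.GPIO as GPIO  # imported lazily so the parsing logic runs anywhere

    GPIO.setmode(GPIO.BCM)
    GPIO.setup(pin, GPIO.OUT, initial=GPIO.LOW)
    GPIO.output(pin, GPIO.HIGH)
    time.sleep(seconds)
    GPIO.output(pin, GPIO.LOW)


# Assumed allowlist; in the real setup this is the file updated over WiFi.
ALLOWED = {normalize_number(n) for n in ("+972501234567", "050-765-4321")}

if __name__ == "__main__":
    # Offline run against the constructed listing. On the Pi the raw text would come from
    # pyserial: write b'AT+CMGL="ALL"\r' to the modem and read until the 'OK' line.
    decisions, cmds = handle_messages(parse_cmgl(SAMPLE_CMGL), ALLOWED, lambda: print("relay pulsed"))
    for d in decisions:
        print(d)
    print(cmds)
```

Only message 1 opens the gate: message 2 carries the right command from a number that is not on the list, message 3 comes from an allowed number in local format but is not a known command, and message 4 is the kind of spam the post describes. All four are deleted from the SIM so the inbox never fills up.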

Here is the "Frankenstein" I built:

Astonishingly ugly, but I love it no less than a beautiful, polished project.

The nicest thing about having a Raspberry Pi inside a large and relatively hollow box is that it has an audio output. So I immediately connected speakers to it. At the end of a whole weekend of wasted time, it knows how to play over two hundred songs, matched to whichever emoji you send it by SMS 😎

One of the strangest things is that even though it is a new SIM, with a new number I bought at a kiosk and not linked to any person, it still receives lots of spam, advertisements and completely serious messages offering it land for investment in Tzidiloch. But without a doubt, the most important message the gate received was:

Hello

According to a technological epidemiological investigation, on 11/12/2020 between 18:00 and 19:00 you were near a COVID-19 patient. You must enter isolation immediately until 25/12. Report the isolation on the website and present confirmation of it!

If you have symptoms, please contact your health fund

To verify, call 086822334

For clarification or objection: on the website / at the call center *5400

Anyway, the gate promised not to go anywhere.



Tuesday, February 6, 2018

Dolphins

Recently I've done some harmless trolling. I opened a PR to SecLists to remove "my password", "dolphins", from all of the common password lists. Or in simple English: there is a public list on the internet of the most common passwords people use, and I asked them to remove the password "dolphins" from all the lists so hackers won't be able to hack my account. Of course this is ridiculous, and that's why it's funny :)
Anyhow, the post got more attention than expected.
Most surprisingly, in the recent Meltdown paper at https://meltdownattack.com/meltdown.pdf there is an example of stealing browser passwords, and one of the passwords is "Dolphins". I wonder whether it's a strange coincidence or whether the author was impressed with my PR.
I would like to explain here how I got to this silly idea. From time to time I get to consult developers and admins about security. Whenever we talk about passwords I have a few guidelines, such as: use 2FA everywhere. I always advise checking whether the password is found on any of the lists in the SecLists GitHub project. Clearly, if you find your password there, it's not a good enough password.
Recently I found myself guiding a SysAdmin who didn't seem like the brightest tree in the forest. As a security researcher, that got me thinking, again, about what could go wrong. When I imagined that person trying to solve his problem by attempting to remove the password from the lists, instead of changing it, I thought it was so hilarious that I had to do it.
Apparently, GitHub users liked it too, and it got too many comments. Sometimes when I try to load the comments page of the PR I get:

If you appreciate the joke please approve the PR to help me make sure it's the most approved PR on GitHub (https://github.com/danielmiessler/SecLists/pull/155).

Cheers,
Assaf

Saturday, September 2, 2017

PoC||GTFO

On March 2nd, my paper about the making of the Kosher Phone was published in an extremely awesome technical online magazine, PoC||GTFO (Proof of Concept or Get The Fuck Out), issue 0x3. This month a collection of 80 essays from the magazine (including mine) was published as a book. The book was designed to resemble a bible, with the same cover and paper type. I couldn't think of a better place for my technical writing about the making of Kosher phones :)
I've replaced the bible I got for my Bar Mitzvah with this better bible.




I would like to thank Travis Goodspeed for giving me this opportunity.


Saturday, July 15, 2017

The Tetris Fiasco

This is the Tel Aviv municipal building and it has a huge 12x20 light show on it.


Every time I passed by it, I had this idea that it would be cool to play huge Tetris on it. So I looked on the Tel-Aviv city web-site and found the contact of whoever is in charge of the city's events and celebrations. I wrote her a very professional email saying that I had been working in the IT industry for a long time and was an expert on embedded systems, and that my friends, who are also very good engineers, and I had this idea for a project of playing Tetris on their huge light display. Her response was quick and very enthusiastic (something like: "Wow, sounds awwwwwesome!!!1"). After a few more email exchanges I got the contact of the IT guy who was responsible for the system.
The system was made by Philips, a kind of huge array of Philips Hue mesh. It had a nice controller called "Color Kinetics" that was connected to a PC running "Color Play 2.1" on Windows XP.


After checking all of the technical details, doing some planning and gathering a bunch of friends to take part in the project, I sent them a proposal, which I was willing to do for free, just to have the opportunity to play a game. Needless to say, I had a few limitations, such as:

  • I could work only during evening / night hours, as my friends and I have day jobs.
  • Even though I see no risk to the system, the lights or anything else, I have no insurance, so they would have to be responsible for it if something went horribly wrong.
  • I won't create an app for it, just a controller connected by WiFi.
  • 20x12 might not be enough for Tetris, so I might want to make a Snake game or Pong, or all of the above.

At the beginning they were very responsive and answered most of my emails very quickly, they added more and more people to the CC, and I had a feeling everything was going in the right direction. However, at some point they started asking for more and more paperwork / technical details that didn't seem relevant. I even got a friend who is a graphic designer to make a sketch of how the Snake game would look:


At this point I told them I was doing it for free, so I was going to give them only a POC-level product. I was willing to give them all of my code, documents and research. Once we had a working version they could either take everything to someone else to make a product out of it for less money, or I would give them another proposal (this time not for free) to finish everything. The responses became slower and slower until at some point they stopped completely. I thought they had probably decided not to proceed with the idea, and forgot about it.
A few months later I got a phone call from a friend who told me he had seen my Tetris project and that he had even got to play a game.


I was shocked. I'm not sure who gave them a better offer than a free one, or which part created the problem with actually using my proposal, but anyhow, I was quite upset that they used my idea and someone else's implementation.
I would love to hear your thoughts and feedback about why you think I didn't get the job, and how I should have acted differently. Do you think that if I had asked for money and had insurance I would have had a better chance of getting the job? Do you think the company that was hired for the project had connections and that's why they got it? Do you think I might have presented myself improperly and seemed unprofessional for the job?

Cheers,
Assaf

Monday, February 27, 2017

Numbers Memory Trade Off

I have a small obsession with human memory. I've watched many YouTube videos about savants with profound memory and the things they can do, videos such as "The Boy With The Incredible Brain" and "The Real Rain Man". These people, who can remember anything with perfect accuracy, are fascinating.

My obsession pushed me to learn about memory techniques. I found out that even though my memory is nothing to be proud of, using a few tricks I was able to memorize the order of a deck of 52 playing cards! At my peak I was able to memorize two full decks in less than 15 minutes. I believe that almost anyone who practices can achieve the same results in a short period of time.

In one TED talk, Daniel Tammet, who is a savant, talked about synesthesia. He described synesthesia as one of the key abilities behind outstanding memory and many other astonishing creative abilities. Synesthesia is a cross between senses, for instance perceiving numbers as colors or sounds. I instantly saw that as an invitation to try LSD, as it's known to be one of the side effects of the drug ;)

Daniel Tammet also claims that everyone has synesthesia to some level, and that it's also an acquired ability to some level.
In my very little free time, I've started working on an Android app to help "stimulate" synesthesia. The idea is simply a big Simon game. Simon is a kind of memory game: the player is given a series of tones and lights and is required to repeat the series. Usually this game has four colors. My version of the game has ten colors, each corresponding to a digit from zero to nine. In my game the series of tones is not random; it corresponds to the string of digits the user wishes to memorize. Currently I use 50 digits of Pi, but I will add an option to enter an arbitrary number, or to choose a phone number from the contact list.
If anyone has more interesting links about these kinds of memory techniques, or any unbelievable savant stories, please share them in the comments.
If anyone is interested in the Android app, or wants to help, please do so on GitHub at the following link:
Warning: this is my very first Android app; I'm more used to seeing Android apps in IDA...


Cheers,
Assaf

Monday, October 3, 2016

More QRCodes


I've updated the library from the last post to support colored QR codes with all kinds of outputs.
To try it, one can either use my fork at: https://github.com/assafnativ/python-qrcode (in red)
or the pull request at the original project: https://github.com/lincolnloop/python-qrcode/pull/118 (in green).
Here is the output of sample.py:
PNG format

TTY using basic ANSI colors:

ASCII using extended RGB escape codes:

Sunday, September 11, 2016

Business Card

When I first started freelancing, I wanted to design my own business card. It had to have a QR code, of course. At first I tried one of those online QR code generators and got something like this:

It contains all the information I want to share about myself. Unfortunately, this is a very dense QR code, and therefore harder to scan properly with a smartphone, especially when printed on a card. It seemed like no matter how much information I removed from it, it was still the dense kind of QR code. So I started reading about the structure of QR codes to understand the limits of the nice, smartphone-friendly type.
Apparently there are classes of QR codes called versions (version 1 is 21x21 modules and each version adds four modules per side), where version 1 is the friendliest but holds the least data, while the one above is version 7. I was therefore aiming for version 5 at most.
During my research (when I say research I mean reading the Wikipedia page for QR codes), I came across this picture that explains the structure of QR codes:

Source: Wikipedia
After I saw that sample, I knew exactly how my business card should look. My skill is "reverse engineering": I take things apart to understand how they work. The picture reflected that very well. I wanted to deconstruct the QR code into elements of data on the card. The idea I had in mind was something like:

The colors of a box reflect the data it encodes. Of course, this is just a sample I made by hand, in which the colors have very little to do with the data.

My plan was to:

  • Find a Python library for encoding QR codes
  • Find a way to encode the information in the version 5 QR code
  • Write a new feature for the library to add colors to the data

I started with the Python QR code library from: https://github.com/lincolnloop/python-qrcode

But it seemed like it wasn't optimized enough; this is what I got the first time I used it:


That is a version 8 QR code, while for the same data I had already got a version 7 QR code. At first I assumed it had to do with the amount of error correction used in the encoding, but on investigating further I found that both were set to the M (Medium) error correction level.
By investigating the code I found that I could get a better result by using the library a bit differently, but still it wasn't the most optimized encoding.
A QR code has 4 different kinds of data encodings (modes):

  • Numeric (digits 0-9), in which every 3 characters are encoded in 10 bits
  • Alphanumeric (digits, capital letters and " $%*+-./:"), in which every 2 characters are encoded in 11 bits
  • Byte, in which every character takes 8 bits
  • Kanji, for Japanese (Shift JIS) characters, 13 bits each

The problem is that every segment, and therefore every switch from one mode to another, costs a header of roughly 15 bits (strictly, a 4-bit mode indicator plus a character count indicator of 8 to 10 bits for versions 1 to 9). For example, to encode the string "a111a" you can either:

  • Spend 15 bits to switch to mode 3 (byte)
  • Encode "a" in 8 bits
  • Spend 15 bits to switch to mode 1 (numeric)
  • Encode "111" in 10 bits
  • Spend 15 more bits to switch back to mode 3
  • Encode "a" in 8 bits

In total: 15 + 8 + 15 + 10 + 15 + 8 = 71 bits
The other option is to:

  • Spend 15 bits to switch to mode 3
  • Encode all of "a111a" in 8 * 5 bits

In total: 15 + 40 = 55 bits
So it is not obvious when changing the encoding mode is really worth it.
To solve the problem with 100% certainty of the best encoding, I used a flow graph. In that graph I made a node for "start" and an edge to each encoding mode that can encode the next character. For the data in the example above the graph would look something like:


Once I had created the graph, searching for the shortest path from "start" to "end" using Dijkstra's algorithm gave me the very best encoding for my data.
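The same idea carried through with the exact bit costs, as an added example that is not the author's python-qrcode fork: nodes are positions in the string, each edge is one candidate segment (position i to j in one mode) and its weight is the segment header (4-bit mode indicator plus the version-dependent character count indicator) plus the payload bits, so Dijkstra's shortest path from position 0 to the end is the cheapest segmentation. The data capacity table covers versions 1 to 8 only, enough for a business card, and Kanji mode is left out; the vCard in the main block is the one shown later in this post.

```python
import heapq

ALNUM_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
MODES = ("numeric", "alphanumeric", "byte")

# Data codewords per version and error-correction level (QR spec), versions 1-8 only.
DATA_CODEWORDS = {
    1: {"L": 19, "M": 16, "Q": 13, "H": 9},
    2: {"L": 34, "M": 28, "Q": 22, "H": 16},
    3: {"L": 55, "M": 44, "Q": 34, "H": 26},
    4: {"L": 80, "M": 64, "Q": 48, "H": 36},
    5: {"L": 108, "M": 86, "Q": 62, "H": 46},
    6: {"L": 136, "M": 108, "Q": 76, "H": 60},
    7: {"L": 156, "M": 124, "Q": 88, "H": 66},
    8: {"L": 194, "M": 154, "Q": 110, "H": 86},
}


def can_encode(mode, ch):
    if mode == "numeric":
        return ch in "0123456789"
    if mode == "alphanumeric":
        return ch in ALNUM_CHARS
    return ord(ch) < 256  # byte mode as ISO-8859-1, one byte per character


def header_bits(mode, version):
    """4-bit mode indicator plus the character count indicator, which grows with the version."""
    group = 0 if version <= 9 else 1 if version <= 26 else 2
    cci = {"numeric": (10, 12, 14), "alphanumeric": (9, 11, 13), "byte": (8, 16, 16)}
    return 4 + cci[mode][group]


def data_bits(mode, n):
    """Payload bits for n characters in one segment, including the short final group."""
    if mode == "numeric":
        return 10 * (n // 3) + (0, 4, 7)[n % 3]
    if mode == "alphanumeric":
        return 11 * (n // 2) + 6 * (n % 2)
    return 8 * n


def optimal_segments(data, version=5):
    """Dijkstra over positions 0..len(data); an edge i->j in one mode is a segment
    costing header + payload. Returns (total_bits, [(mode, text), ...])."""
    n = len(data)
    dist, prev = [float("inf")] * (n + 1), [None] * (n + 1)
    dist[0] = 0
    heap = [(0, 0)]
    while heap:
        d, i = heapq.heappop(heap)
        if d > dist[i] or i == n:
            continue
        for mode in MODES:
            j = i
            while j < n and can_encode(mode, data[j]):  # extend the segment while the mode allows
                j += 1
                cost = d + header_bits(mode, version) + data_bits(mode, j - i)
                if cost < dist[j]:
                    dist[j], prev[j] = cost, (i, mode)
                    heapq.heappush(heap, (cost, j))
    if n and prev[n] is None:
        raise ValueError("data contains characters no supported mode can encode")
    segments, j = [], n
    while j > 0:
        i, mode = prev[j]
        segments.append((mode, data[i:j]))
        j = i
    return dist[n], segments[::-1]


def smallest_version(data, ec="M"):
    """Lowest version (1-8) whose data capacity at the given EC level holds the optimal encoding."""
    for version in sorted(DATA_CODEWORDS):
        bits, _ = optimal_segments(data, version)
        if bits <= 8 * DATA_CODEWORDS[version][ec]:
            return version
    return None


if __name__ == "__main__":
    vcard = ("BEGIN:VCARD\nVERSION:2.1\nFN:Assaf Nativ\nTEL:+972500000000\n"
             "TITLE:REVERSE ENGINEER\nEMAIL:Nativ.Assaf@gmail.com\nEND:VCARD")
    for text, label in ((vcard, "as written"), (vcard.upper(), "upper-cased")):
        for ec in ("M", "L"):
            v = smallest_version(text, ec)
            bits, segs = optimal_segments(text, v or 8)
            print(f"{label:>11}, EC {ec}: {bits} bits in {len(segs)} segments -> version {v}")
```

With the real header costs the "a111a" case from the post comes out as 52 bits for one byte segment against 64 bits for three segments, so the single segment still wins. Upper-casing helps for the reason given below: capital letters fit the alphanumeric mode (5.5 bits per character) while lower case forces byte mode (8 bits), and dropping from M to L simply raises the capacity each version offers.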

This work brought me back to the version 7 QR code, which is still not the version I was aiming for. Meanwhile, I found out that UPPER CASE letters are encoded much more compactly than lower case (capitals fit the alphanumeric mode, lower case does not). So by playing with the data a little I got:

This is a version 6 QR code, just one more version to go ;)
The last encoding improvement came from reducing the error correction from M to L (Low). Here it is:

This is a version 5 QR code, a big success!

All that was left to do was take care of the colors. To adjust the colors I simply attached an RGB value to every data piece that I added, and percolated it through the different functions. For the error correction I used two different modes: one uses a different color (see the example below) and one that reflects the data colors in a vague way. Here is the result:



BEGIN:VCARD
VERSION:2.1
FN:Assaf Nativ
TEL:+972500000000
TITLE:REVERSE ENGINEER
EMAIL:Nativ.Assaf@gmail.com
END:VCARD
  • Finder patterns (position markers)
  • Timing pattern
  • Error correction






One more fun twist: Squares -> Circles:

Cheers, Assaf

P.S. The definition of the QR Code standard is ISO/IEC 18004:2015, which costs about 300 USD. If you liked this post, any help in getting the PDF would be very much appreciated.