
Planet Arduino

Archive for the ‘security hacks’ Category

MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in its crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the USB Rubber Ducky, which became widely known after appearing on Mr. Robot.

It’s like an advanced version of the HID trick to drop malicious files which we previously reported. Once plugged in, MalDuino acts as a keyboard, executing preconfigured key sequences at very high speed. This is mostly used by IT security professionals to hack into local computers, just by plugging in the innocuous-looking USB ‘pen’.

[Seytonic], the maker of MalDuino, says its objective is to be a cheaper, fully open source alternative with the big advantage that it can be programmed straight from the Arduino IDE. It’s based on the ATmega32u4, like the Arduino Leonardo, and will come in two flavors, Lite and Elite. The Lite is quite small and will fit into almost any generic USB case. A single switch is used to enable/disable the device for programming.

The Elite version is where it gets exciting. In addition to the MicroSD slot that will be used to store scripts, there is an onboard set of dip switches that can be used to select the script to run. Since the whole platform is open source and based on Arduino, the MicroSD slot and dip switches are entirely modular; nothing is hardcoded, and you can use them for whatever you want. The most skilled wielders of BadUSB attacks have shown feats like setting up a fake wired network connection that allows all web traffic to be siphoned off to an outside server. This should be possible with the microcontroller used here, although it is not native to the MalDuino’s default firmware.

For most users, typical feature hacks might include repurposing the dip switches to modify the settings for a particular script. Instead of storing just scripts on the MicroSD card, you could store word lists on it for use in password cracking. It will be interesting to see what people come up with and the scripts they create, since there is a lot of room to tinker with and enhance it. That’s the greatness of open source.

You can watch the prototype in action in the video:


Filed under: Arduino Hacks, peripherals hacks, security hacks

If you are an Android user and a big fan of Super Mario, beware: there is no Android version! There has been no official news on an Android version yet, let alone a release of the game. There is, however, a version circulating outside of the Google Play store that will steal your bank account.

Right now attackers are taking advantage of the game’s popularity and Android users’ impatience to spread malware posing as an Android version of Super Mario Run, as they did in the past for Pokemon GO. The trojan is called Android Marcher and has been around since 2013, mostly targeting mobile users’ financial information. After installation, the application attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details. The malware also locks out Google Play until the user supplies their credit card information.

This new variant of Marcher can monitor the device and steal login data from regular apps, not just banking and payment apps, and send the stolen data back to command and control (C&C) servers. Facebook, WhatsApp, Skype, Gmail and the Google Play store are all targeted. Criminals can exploit these stolen accounts to carry out additional fraud.

The Zscaler researchers’ advice is:

To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the “Unknown Sources” option under the “Security” settings of your device.

We would add: turn on “App Verification” (Verify Apps). Verify Apps regularly checks activity on your device and prevents or warns you about potential harm. Verify Apps is on by default, and Unknown Sources is off by default. Verify Apps also checks apps when you install them from sources other than Google Play. Of course, there is a privacy trade-off: some information about the apps you install has to be sent back to Google.

The main advice is: use common sense. It’s common practice for companies to release official app versions through Google Play, and highly unlikely that they would do so any other way.


Filed under: Arduino Hacks, news, security hacks

It’s the most wonderful time of the year! No, we’re not talking about the holiday season, although that certainly has its merits. What we mean is that it’s time for the final projects from [Bruce Land]’s ECE4760 class. With the giving spirit and their mothers in mind, [Adarsh], [Timon], and [Cameron] made a programmable lock box with four-factor authentication. That’s three factors more secure than your average Las Vegas hotel room safe, and with a display to boot.

Getting into this box starts with a four-digit code on a number pad. If it’s incorrect, the display will say so. Put in the right code and the system will wait four seconds for the next step, which involves three potentiometers. These are tuned to the correct value with a leeway of +/- 30. After another four-second wait, it’s on to the piezo-based knock detector, which listens for the right pattern. Finally, a fingerprint scanner makes sure that anyone who wants into this box had better plan ahead.

This project is based on Microchip’s PIC32-based Microstick II, which [Professor Land] started teaching with in 2015. It also uses an Arduino Uno to handle the fingerprint scanner. The team has marketability in mind for this project, and in the video after the break, they walk through the factory settings and user customization.

We have seen many ways to secure a lock box. How about a laser-cut combination safe or a box with a matching NFC ring?


Filed under: Arduino Hacks, Microcontrollers, security hacks

We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read.

The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable. However, if you know where enough functions are located in flash, you can just use what’s there. These kinds of return-oriented programming (ROP) tricks were enough for the researchers to write a worm.

In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.

Will this amount to anything in practice? Probably not. There are tons of systems out there with much more easily accessed vulnerabilities: hard-coded passwords and poor encryption protocols. Attacking all the Yuns in the world wouldn’t be worth one’s time. It’s a very cool proof of concept, and in our opinion, that’s even better.

Thanks [Dave] for the great tip!


Filed under: Arduino Hacks, security hacks

Hackaday.io user [Abderraouf] has written an implementation of the new(ish) Spritz cipher and hash for Arduino. While we’re not big enough crypto-nerds to assess the security of the code, it looks like it’s going to be pretty handy.

Spritz itself is a neat cipher. Instead of taking in fixed blocks of data and operating on them, it allows you to process it in (almost) whatever chunks it comes in naturally, and then extract out the encrypted results piecewise. It works both as a two-way cipher and as a one-way hash function. It looks like Spritz is a one-stop-shop for all of your encryption needs, and now you can run it on your Arduino.

In case you are afraid of new implementations of new ciphers (and you should be), Spritz’s pedigree should help to put you at ease: it was developed by [Ron Rivest] to be a successor to his RC4 algorithm, and it incorporates a lot of the lessons learned about that algorithm over the years. This doesn’t exclude subtle flaws in the implementation of the library (no offence, [Abderraouf]!) or your work downstream, but at least the underlying algorithm seems to be the real deal.

[Abderraouf] links it in his writeup, but just for completeness, here’s the Spritz paper (PDF). What crypto libraries do you currently use for Arduino or microcontroller projects? We’ve been fans of XXTEA for ages, but more because it’s simple and small than because it’s secure. Spritz may be simple enough to implement easily, and still more secure. Sweet.
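For readers who want to see what "absorb whatever chunks come in, then squeeze out results piecewise" means in practice, here is an added example, not [Abderraouf]'s Arduino library and not code from the paper itself: a direct transcription of the Spritz pseudocode (N = 256) from Rivest and Schuldt's paper, used as a keystream generator, a cipher, and a hash. The paper's published test vectors are checked in self_test(); any port, to Arduino or elsewhere, should pass the same vectors before it is trusted. The key, IV and message bytes in the usage section are constructed.

```python
"""Spritz (Rivest & Schuldt, 2014) transcribed from the paper's pseudocode, N = 256.
Added illustration; not the Arduino library discussed in the post."""
from math import gcd

N = 256


class Spritz:
    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(N))          # identity permutation

    # --- core primitives, names follow the paper ---
    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]

    def _output(self):
        S = self.S
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z

    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w = (self.w + 1) % N
        while gcd(self.w, N) != 1:       # w stays coprime to N so i walks all of S
            self.w = (self.w + 1) % N

    def _crush(self):
        S = self.S
        for v in range(N // 2):          # deterministic, lossy "sort" of mirrored pairs
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]

    def _shuffle(self):
        self._whip(2 * N); self._crush()
        self._whip(2 * N); self._crush()
        self._whip(2 * N)
        self.a = 0

    # --- sponge interface: absorb any amount of input, then squeeze any amount of output ---
    def absorb(self, data):
        for b in data:
            for nib in (b & 0x0F, b >> 4):           # low nibble first, then high
                if self.a == N // 2:
                    self._shuffle()
                S = self.S
                S[self.a], S[N // 2 + nib] = S[N // 2 + nib], S[self.a]
                self.a += 1

    def absorb_stop(self):
        """Domain separator between distinct inputs (key | IV, message | length)."""
        if self.a == N // 2:
            self._shuffle()
        self.a += 1

    def squeeze(self, r):
        if self.a > 0:                   # pending absorbed input must be mixed in first
            self._shuffle()
        out = bytearray()
        for _ in range(r):
            self._update()
            out.append(self._output())
        return bytes(out)


def keystream(key, n):
    s = Spritz(); s.absorb(key); return s.squeeze(n)


def spritz_hash(msg, r=32):
    """Hash(M, r) from the paper: absorb M, a stop symbol, then r itself (as one byte)."""
    s = Spritz(); s.absorb(msg); s.absorb_stop(); s.absorb(bytes([r])); return s.squeeze(r)


def encrypt(key, iv, plaintext):
    """EncryptWithIV from the paper: C = M + keystream (mod 256), byte-wise."""
    s = Spritz(); s.absorb(key); s.absorb_stop(); s.absorb(iv)
    return bytes((m + k) & 0xFF for m, k in zip(plaintext, s.squeeze(len(plaintext))))


def decrypt(key, iv, ciphertext):
    s = Spritz(); s.absorb(key); s.absorb_stop(); s.absorb(iv)
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, s.squeeze(len(ciphertext))))


# Published test vectors (first 8 bytes of the basic stream and of Hash(M, 32)).
VECTORS = {
    b"ABC":     (bytes.fromhex("779a8e01f9e9cbc0"), bytes.fromhex("028fa2b48b934a18")),
    b"spam":    (bytes.fromhex("f0609a1df143cebf"), bytes.fromhex("acbba0813f300d3a")),
    b"arcfour": (bytes.fromhex("1afa8b5ee337dbc7"), bytes.fromhex("ff8cf268094c87b9")),
}


def self_test():
    """True only if both the stream and the hash match every published vector."""
    return all(keystream(m, 8) == ks and spritz_hash(m, 32)[:8] == h
               for m, (ks, h) in VECTORS.items())


if __name__ == "__main__":
    print("vectors ok:", self_test())
    key, iv, msg = b"constructed-key", b"constructed-iv", b"hello spritz"   # constructed
    ct = encrypt(key, iv, msg)
    print(ct.hex(), decrypt(key, iv, ct))
```

Note that Spritz, like RC4, is a stream cipher: the IV must never repeat under the same key, and the `absorb_stop()` between key and IV is what keeps "key=AB, IV=C" distinct from "key=A, IV=BC". Absorbing the output length into the hash is likewise what makes a 16-byte and a 32-byte digest of the same message unrelated rather than prefixes of one another.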


Filed under: Arduino Hacks, security hacks
Jan 31

[BaronVonSchnowzer] is spinning up some home automation and settled on an inexpensive ambient temperature sensor which is sold to augment the data a home weather station collects. He found that the RF protocol had been reverse engineered and will use this information to harvest data from a sensor in each room. In true hacker fashion, he rolled his own advances out to the Internet so that others may benefit. Specifically, he reverse engineered the checksum used by the Ambient F007TH.

He got onto this track after trying out the Arduino sketch written to receive the sensor’s RF communications. One peculiar part of the code turned out to be a filter for corrupt messages, as the protocol’s checksum hadn’t yet been worked out. Figuring out how the checksum byte works wasn’t an easy process. The adventure led him to dump 13k samples into a spreadsheet to see if sorting similar sets of 5-byte messages and 1-byte checksums would shed some light on the situation. The rest of the story is some impressive pattern matching that led to the final algorithm. Now [BaronVonSchnowzer] and anyone else using these modules can filter out corrupt data in the most efficient way possible.


Filed under: Arduino Hacks, security hacks

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a website controlled by the attacker. The script might download a trojan, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hotkeys that will run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users not to plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
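Two of the defences this post and the MalDuino post above point at can be made concrete. The following is an added example, not code from [Nikhil], MalDuino or Hackaday: an allowlist policy for USB devices that enumerate as keyboards ("strictly control USB devices"), and a typing-cadence heuristic that flags keystrokes arriving faster than a person can type, which is the signature of a device "executing preconfigured key sequences at very high speed". All device records, timestamps and the allowlist are constructed; vendor/product ids are illustrative.

```python
"""Defensive checks against keystroke-injection USB devices (added illustration)."""
from dataclasses import dataclass
from statistics import median

USB_CLASS_HID = 0x03
HID_PROTO_KEYBOARD = 0x01          # boot-interface protocol code for a keyboard
USB_CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: tuple              # (interface class, interface protocol) per descriptor


def has_interface(dev, cls, proto=None):
    return any(c == cls and (proto is None or p == proto) for c, p in dev.interfaces)


def evaluate_device(dev, allowlist):
    """Return ('allow' | 'block', reason) for a newly attached device.

    allowlist: set of (vid, pid, serial) triples of known-good keyboards.
    Only devices that can type are gated here; storage-only sticks are out of scope."""
    if not has_interface(dev, USB_CLASS_HID, HID_PROTO_KEYBOARD):
        return "allow", "no keyboard interface"
    if has_interface(dev, USB_CLASS_MASS_STORAGE):
        # A "pen drive" that also enumerates as a keyboard is the BadUSB shape:
        # block it regardless of the allowlist.
        return "block", "composite keyboard+storage device"
    if (dev.vid, dev.pid, dev.serial) in allowlist:
        return "allow", "keyboard on allowlist"
    return "block", "keyboard %04x:%04x not on allowlist" % (dev.vid, dev.pid)


def injection_suspected(timestamps_ms, window=16, max_median_ms=25):
    """True if any `window` consecutive keystrokes have a median inter-key gap
    below `max_median_ms`. People rarely sustain under ~50 ms per key; scripted
    injection typically runs at a few ms per key. Median, not mean, so a single
    long pause inside an injected burst does not hide it."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    if len(gaps) < window:
        return False
    return any(median(gaps[i:i + window]) < max_median_ms
               for i in range(len(gaps) - window + 1))


# --- constructed sample data ---
ALLOWLIST = {(0x046d, 0xc31c, "KB-00042")}      # one known corporate keyboard (made-up serial)
KNOWN_KEYBOARD = UsbDevice(0x046d, 0xc31c, "KB-00042", ((USB_CLASS_HID, HID_PROTO_KEYBOARD),))
UNKNOWN_KEYBOARD = UsbDevice(0x2341, 0x8036, "", ((USB_CLASS_HID, HID_PROTO_KEYBOARD),))
PLAIN_STICK = UsbDevice(0x0781, 0x5567, "S123", ((USB_CLASS_MASS_STORAGE, 0x50),))
COMBO = UsbDevice(0x1234, 0x0001, "", ((USB_CLASS_MASS_STORAGE, 0x50),
                                       (USB_CLASS_HID, HID_PROTO_KEYBOARD)))

# Key-down timestamps in ms: a human-like cadence (90..229 ms gaps, deterministic
# pattern) and an injected one (3 ms gaps). Both are constructed.
HUMAN = [sum(90 + (7 * k) % 140 for k in range(n)) for n in range(40)]
INJECTED = [3 * n for n in range(40)]

if __name__ == "__main__":
    for dev in (KNOWN_KEYBOARD, UNKNOWN_KEYBOARD, PLAIN_STICK, COMBO):
        print("%04x:%04x" % (dev.vid, dev.pid), evaluate_device(dev, ALLOWLIST))
    print("human cadence flagged:", injection_suspected(HUMAN))
    print("injected cadence flagged:", injection_suspected(INJECTED))
```

Neither check is complete on its own: an allowlist keyed on vid:pid:serial can be defeated by a device that clones a known keyboard's descriptors, and a cadence threshold can be tuned around by a slower payload, so the two are worth running together, ideally with the device-level policy enforced before the first keystroke is delivered.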


Filed under: Arduino Hacks, security hacks

Final Key

Remembering passwords is a pain, and there are a number of devices out there to make it easier. If you’re looking to roll your own, this guide to building a Final Key will walk you through the process.

We talked about the Final Key before. It’s a one-button password manager that encrypts and stores your passwords. It acts as a virtual serial port for configuration. When you hit the button, it becomes a keyboard and types in the correct password.

The creator has no intentions of making this a commercial project for a number of reasons. Instead, easy build instructions are provided based on the Arduino Pro Micro. The 24LC512 EEPROM can be soldered directly to the Arduino by bending out the DIP legs. A few resistors, a button, and an LED finish off the project. The last step is to fill it with hot glue to prevent tampering.

The Final Key firmware is available on GitHub, and the case can be ordered from Shapeways. If you’re interested in hardware password management, you can also check out the Mooltipass, which is being developed on Hackaday.

[Thanks to Lars for the tip!]


Filed under: Arduino Hacks, security hacks
Sep 14

Using Google Authenticator with an Arduino

arduino, arduino hacks, google authenticator, hmac, LEGO, security hacks, totp

Lego One Time Password

Google Authenticator is an app that generates one time passwords (OTPs). These passwords are often used as a second factor of authentication, along with your normal password. OTPs work by having a shared secret and a synchronized clock on two devices. When you generate the password, a hash based on the secret and the current timestamp is created. This proves that you have access to the secret, and the resulting code can only be used once.

To secure his Lego mini-figures, [Luca] built an authentication system using Google Authenticator and Arduino. A web app is used to generate a secret that can be configured into the Arduino using an array, and into Google Authenticator using a QR code. The Arduino is using a library that implements Time-based One Time Password authentication (TOTP).

There are some challenges, including keeping a good clock source on the Arduino, but this looks like an interesting way to do authentication. After the break, watch a quick video overview of the project (for English captions, hit the CC button).
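The scheme behind Google Authenticator is HOTP (RFC 4226) driven by a time counter, i.e. TOTP (RFC 6238). The following is an added example, not [Luca]'s project or the Arduino TOTP library he used: a compact implementation checked against the RFC test vectors, plus a verifier that accepts codes from neighbouring 30-second steps, which is the practical answer to the clock-drift problem the post mentions. The base32 string and the "Arduino-side" key array are constructed for illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a skew-tolerant verifier. Added illustration."""
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP is HOTP with counter = floor(time / step); Google Authenticator uses 30 s."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Accept a code for the current step or up to `skew` steps either side, so a
    device whose clock is slightly off still authenticates. Returns the accepted
    counter (store it and refuse anything <= it to block replays), or None.
    The comparison is constant-time."""
    now = int(unix_time) // step
    for offset in range(-skew, skew + 1):
        candidate = hotp(secret, now + offset, digits)
        if hmac.compare_digest(candidate, code):
            return now + offset
    return None


def secret_from_base32(b32):
    """Authenticator apps share the secret as (often unpadded) base32 in the QR code."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def as_c_array(secret):
    """Render the raw key the way it would be pasted into a sketch as an array."""
    return "{" + ", ".join("0x%02x" % b for b in secret) + "}"


RFC_SECRET = b"12345678901234567890"        # the shared secret used by the RFC test vectors

if __name__ == "__main__":
    import time
    print("RFC 6238 vector, t=59:", totp(RFC_SECRET, 59, digits=8))    # 94287082
    print("sketch array:", as_c_array(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")))
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code", code, "accepted at step", verify_totp(RFC_SECRET, code, now))
```

Two details matter on a microcontroller: the counter must be computed from a clock that is right to within the skew window (one step of 30 s with `skew=1` tolerates roughly a minute of drift), and once a code has been accepted its counter should be remembered so the same code cannot be replayed within the window.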


Filed under: Arduino Hacks, security hacks
Apr 05

Home security hardware makes you the monitoring service

arduino hacks, dtmf, Home automation, home hacks, mt8870, security hacks, security system, sim900


[Nick] and [Simon] both have home security systems with a monitoring service who will call whenever an alarm is tripped. For [Simon] this ends up happening a lot and he wanted to change the circumstances that would trigger a call. Because of company policy the service is inflexible, so he and [Nick] went to work cutting them out of the loop. What they came up with is this custom electronics board which monitors the security system and calls or texts them accordingly.

They started with the self-monitoring alarm system design we looked at back in September. This led to the inclusion of the SIM900 GSM modem, which is a really cheap way to get your device connected to the cellular network. It also uses a DTMF touch tone decoder to emulate the phone line to keep the security system happy. [Simon] highlights several changes he made to the design, as well as the reasons for them. One idea he has for a possible revision is to do away with the MT8870 chip which handles the touch tones. He thinks it may be possible to use the SIM900’s DTMF features to do that work instead.


Filed under: Arduino Hacks, home hacks, security hacks
