The iPhone and its security protocols


We all know that Apple has backdoors installed in iPhone devices, through which it spies on users remotely. By now it is well known that remote spying software is widespread in Italy too (thanks to Hacking Team's incompetence in protecting their e-mails). Returning to Apple: the main obstacle to discovering the backdoors is bypassing their security protocols, about which nothing is known even unofficially. This is what sets Apple apart from everyone else: it has a high level of security precisely because nothing compromising leaks out of their offices, and moreover, when vulnerabilities are found in their software, they manage to respond promptly; after all, they produce new devices with an updated iOS within a few months. So this is Apple.


If we shift our attention to the iPhone, say from the 4S onwards, we find it much harder to do anything: only by jailbreaking can we gain the ability to install unofficial, and above all free, applications. That does not mean the jailbreak lets us work out how Apple spies on its own device, but since we know that it does, it is not hard to formulate a realistic thesis about their modus operandi, so here I explain it to you.

Let us start by analysing the official sources: TCP and UDP ports used by Apple software products.

On that page you will find the ports officially declared as used by Apple. At this point you will say "well, that means there are no backdoors", but that is not true; rather, it is a perfect cover, which is then confirmed when you try to search for the backdoors in the iPhone's file system after downloading the terminal from Cydia: in the end it is impossible to access them.

The reason they cannot be seen is the lack of information needed to hack their security protocols, and the few times vulnerabilities have been detected, Apple has always reacted quickly:

At this point you will have understood that control of your device is remote and, above all, similar to what BlackBerry did in its golden age; here is the demonstration:

Re: Fw: Fwd: [Analytical & Intelligence Comments] RE: Above the Tearline:BlackBerry Security

from: [email protected]

to: [email protected], [email protected]

Fascinating and supports my suspicion that all blackberry is doing is
“controlling the entire channel” and there is nothing special here. I can
defeat the Saudi’s just as easily with an iPhone and a SSL certificate for
my mail server.

Windows Mobile phones, android phones, and iPhones can use ActiveSync
protocol, which uses 128bit or 256bit AES encryption from device to server
via SSL (over port 80). The different devices vary on their support for
256bit AES (some purposely don’t because it make things slower).

In other words depending on the devices chosen you can achieve an EQUAL
level of security with a non-blackberry phone. And as an extra positive
you have the keys, not blackberry.

It looks like the iPhone 4 is using 256bit AES, but that’s really
irrelevant, even governments cannot crack 128bit AES over SSL. Without
some sort of exploit it would still take every computer on the planet a
long time working together. NIST still stands behind the AES algorithm.

–Mike

What is AES?:

AES is based on a design principle known as a substitution-permutation network, combination of both substitution and permutation, and is fast in both software and hardware.[10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition are as follows:

  • 10 cycles of repetition for 128-bit keys.
  • 12 cycles of repetition for 192-bit keys.
  • 14 cycles of repetition for 256-bit keys.

Each round consists of several processing steps, each containing four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

So the iPhone is characterised by protocols inaccessible to us "ordinary mortals", given that the AES protocol was officially adopted by the US federal government in 2002. There were, however, vulnerability problems in their protocol in 2014, as reported in this article taken from The Hacker News:

Just two days before, Apple disclosed a critical security flaw in the SSL implementation on the iOS software that would allow man-in-the-middle attacks to intercept the SSL data by spoofing SSL servers.
Dubbed as CVE-2014-1266, the so-called ‘goto fail;’ vulnerability in which the secure transport failed to validate the authenticity of the connection has left millions of Apple users vulnerable to Hackers and Spy Agencies, especially like the NSA.
In conclusion, the data stolen from the devices can only be learned through a man-in-the-middle attack, and this confirms Apple's reputation as "secure".
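To make the "goto fail;" bug quoted above concrete, here is an added example (written for this page, not Apple's source and not code from the blog) that reproduces only the control-flow shape of CVE-2014-1266 with toy stand-ins: the "hash" is a byte sum and the "signature" is that sum, both constructed for the example. The vulnerable function accepts a forged signature because the duplicated `goto fail;` skips the verification step while `err` still holds 0 from the previous successful call; the fixed function rejects it. Clang's `-Wunreachable-code` flags the dead `raw_verify` line, and a unit test that feeds a deliberately wrong signature would have caught the bug before shipping.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_BAD_SIGNATURE (-1)   /* constructed error code; Apple's code returns an OSStatus */

/* Toy stand-ins for the hash and signature primitives used by the real
 * SSLVerifySignedServerKeyExchange(): the "hash" is a running byte sum and
 * the "signature" is simply that sum. Constructed for this example only. */
typedef struct { uint32_t sum; } hash_ctx;

static int hash_update(hash_ctx *h, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) h->sum += buf[i];
    return 0;                                   /* 0 = success, like noErr */
}
static int raw_verify(const hash_ctx *h, uint32_t signature) {
    return h->sum == signature ? 0 : ERR_BAD_SIGNATURE;
}
/* What an honest signer would produce for the same inputs. */
uint32_t toy_sign(const uint8_t *r, size_t rlen, const uint8_t *p, size_t plen) {
    hash_ctx h = {0};
    hash_update(&h, r, rlen);
    hash_update(&h, p, plen);
    return h.sum;
}

/* Shape of the CVE-2014-1266 defect: the second "goto fail;" is not governed
 * by the if above it, so it always runs, raw_verify() becomes dead code, and
 * err is still 0 from the last hash step. The function therefore reports
 * success whatever the signature was. */
int verify_vulnerable(const uint8_t *r, size_t rlen, const uint8_t *p, size_t plen, uint32_t sig) {
    int err;
    hash_ctx h = {0};
    if ((err = hash_update(&h, r, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&h, p, plen)) != 0)
        goto fail;
        goto fail;                              /* the duplicated line */
    err = raw_verify(&h, sig);                  /* unreachable */
fail:
    return err;
}

/* The fix is to delete the extra line; braces make the intent explicit. */
int verify_fixed(const uint8_t *r, size_t rlen, const uint8_t *p, size_t plen, uint32_t sig) {
    int err;
    hash_ctx h = {0};
    if ((err = hash_update(&h, r, rlen)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, p, plen)) != 0) {
        goto fail;
    }
    err = raw_verify(&h, sig);
fail:
    return err;
}

/* Constructed sample inputs standing in for ServerRandom and the signed parameters. */
static const uint8_t SAMPLE_RANDOM[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t SAMPLE_PARAMS[] = { 0x10, 0x20, 0x30 };

int main(void) {
    uint32_t good = toy_sign(SAMPLE_RANDOM, sizeof SAMPLE_RANDOM, SAMPLE_PARAMS, sizeof SAMPLE_PARAMS);
    uint32_t forged = good + 1;
    printf("vulnerable, forged signature: %d (0 = accepted)\n",
           verify_vulnerable(SAMPLE_RANDOM, sizeof SAMPLE_RANDOM, SAMPLE_PARAMS, sizeof SAMPLE_PARAMS, forged));
    printf("fixed, forged signature:      %d\n",
           verify_fixed(SAMPLE_RANDOM, sizeof SAMPLE_RANDOM, SAMPLE_PARAMS, sizeof SAMPLE_PARAMS, forged));
    return 0;
}
```

The mitigation side is the same on any code base: a negative test case (wrong signature must be rejected) and compiler warnings for unreachable statements, both of which would have made the duplicated line visible.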

How to steal a Facebook profile? A bit of social engineering and a little trick is enough


Here we are, boys and girls. If you've reached this article it means you intend to find out how to steal a Facebook profile. Let me say first that this article only aims to show how insecure our Facebook profiles, e-mails and passwords are, so I am not responsible for the use of this technique; everyone is free to do what they want with it, weighing the risks.

The first step is to find the user whose profile you want to try to get into:

  1. Find the Facebook user's ID.
  2. Go to the Facebook login page.
  3. Type the ID in the box labelled "email", click "forgot your password" and you will find yourself on this screen:
  4. Type the Facebook user's ID in the box that appears and click search; you will find yourself on this screen:
  5. At this point you will have in plain view the first and last letters of the user's e-mail address, as well as the e-mail service they use (gmail, yahoo, tiscali, etc.) and, if you are lucky, the mobile number associated with the account, though only partially visible. If the e-mail is firstname.lastname then you're set; otherwise you could try to guess it.
  6. Now that you know which e-mail service the user uses, you can send an e-mail with a link to a fake Facebook login, simply by using that user's Facebook e-mail address. Let me explain better: every user has an associated Facebook e-mail address, the well-known one that sometimes appears in the profile info, but this is not relevant, because even if it weren't shown you could still discover it: just copy the user's ID and add @facebook.com. When you send the e-mail, the user will receive it in the mailbox with which they created the Facebook account.

Now, this flaw is not serious, but combined with social engineering it can claim victims; indeed, consider this data:

[image: GMAIL]

[image: YAHOO EMAIL]

This data gives us valuable indications about how Yahoo and Gmail users can receive the e-mail, at what time of day they use e-mail (Gmail data), whether they can receive it on a smartphone or not, and how the user approaches the use of the different social platforms.

Remember that the more personal information you can extract from a user's Facebook account, the more you can personalise the e-mail so that the probability of the user opening it goes up.

Now let us analyse the data stolen from the dating site Ashley Madison:

 

[image: Ashley Madison]

we find, in percentages, how many users used the different e-mail services:



In the top three we find gmail, hotmail and yahoo. As reported in this article, for gmail and yahoo it is possible to understand how a user may be more vulnerable to some types of e-mail than to others, while for hotmail I found no statistics. The use of outlook is surprising, a sign that Windows Phone smartphones are spreading, so watch out, outlook users (the service is fairly insecure).

In conclusion, any Facebook user can be targeted by phishing e-mails without noticing anything; it is enough to study their Facebook account and pick up a bit of information from friends and relatives (remember that it is possible to see the mutual friends of a user we are not friends with and have no relation to). If you are unlucky enough to have a, let's say, "talkative" relative, you know you are at risk of your account being hacked with a phishing e-mail. I would also like to cite this article so that you understand how unsafe your identity is: The science of password selection

Convert your cheap “unmanaged” switch to a VLAN capable layer 2 managed switch for just $2


The title of this post may look crazy at first, but it's not: it is entirely possible to convert your cheap 100M 8-port switch, or something similar, into a managed switch.

That's possible simply because, if you open one up and look at the datasheet, you will find that they use the same switch chips frequently found inside routers (where they can be reprogrammed as you like with OpenWrt).

The switch I've used this time is a "digicom 10/100" switch; digicom is probably an Italian rebrand of something else, but anyway, let's get straight to the point. Below you can see the PCB of that switch:

 

The switch chip is the IP178CH, and since today luck is on our side, its datasheet can easily be found here: http://www.icplus.com.tw/Data/Datasheet/IP178Cx-DS-R13-20080925.pdf

Serial management interface timing diagram and command format

Now, taking a quick look at the datasheet, some things important for this modification are easily found:

  • The switch chip can be programmed by pulling its pins up or down, but only basic features are programmable that way
  • The switch chip can be programmed from an EEPROM (which is not present on this switch board, but there are unpopulated pads for it); for the switch to take the EEPROM into account, its first two bytes must be 0x55AA
  • The switch chip can be programmed on the fly using a synchronous serial interface on the MDC and MDIO pins.
    This one is the most useful for creating a managed switch

The serial interface is similar to I2C but much simpler: it does not support multiple devices on the same bus and devices don't have an address.
The MDC clock has to be generated from the CPU side (in this case an Arduino), so you can run it at whatever speed you want, provided you don't exceed the maximum ratings.

Now, once you know how to communicate with the switch, it's just a matter of programming an Arduino.
To do that, if you just want to test and are going to power the Arduino over USB, you will need to modify a USB cable to give the Arduino 3.3 V instead of 5 V.
You could also use a level shifter for that, but I prefer powering the entire Arduino at 3.3 V because it's simpler and cheaper.
To power an Arduino with 3.3 V you can simply take a USB cable, cut the red and black wires and insert a regulator between the PC side and the Arduino side.

Arduino usb cable modification

After doing that modification, just adjust the regulator to give 3.3 V and you are ready to go.
On this switch, since again we are lucky today, the IC pins of the serial management interface were already routed to an unpopulated header, on which I soldered a 3-pin strip header.

The pinout is the following:
1 :   GND
2 :   MDIO
3 :   MDC

MDIO must be pulled high with a 2.2k resistor or some similar value; again, if you are using a level shifter instead of the 3.3 V cable mod, be sure to connect the pull-up resistor to 3.3 V and not 5 V.
To protect the I/O lines, also add two 100 ohm resistors (200 ohm at most) between MDIO, MDC and the Arduino pins (2, 3).

After that the HW part is done. If you want to make it permanent, just buy an Arduino Pro Mini (NOT a Nano) and a USB-serial adapter; the two should be around $2 total, $3 max.
You can also easily find the 3.3 V power rail on the board and power the Pro Mini from there. DO NOT power the Arduino Pro Mini from USB or use an Arduino Nano, or you will fry everything.
When connecting the USB-serial adapter to it you will only connect the GND, RX and TX wires, plus DTS if you want to be able to program it over USB.

Now let's take a look at some basic software for a managed switch which can save its configuration to the Arduino EEPROM and restore it at boot.

 

outBit and inBit generate one clock cycle on MDC while writing or reading a single bit to/from MDIO.

readReg reads an entire register by sending the read command, the PHY address and the register address.

writeReg writes an entire register by sending the write command together with the PHY address, the register address and the 16-bit value to write.
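The sketch itself did not survive on this page, so the following is an added example written for this article, not the author's code. It implements the four routines named above (outBit, inBit, readReg, writeReg) on the assumption that the IP178CH speaks the standard MII management (SMI) frame format: a 32-bit preamble of ones, ST=01, a 2-bit opcode, 5-bit PHY and register addresses, a 2-bit turnaround and 16 data bits, MSB first. To make it runnable on a PC it talks to a constructed in-memory model of the chip and the two wires instead of real pins; on the Arduino the five one-line primitives would become pinMode/digitalWrite/digitalRead on pin 2 (MDIO) and pin 3 (MDC), exactly the pins the post wires up. The one check worth copying into real firmware is in readReg: if nothing pulls the turnaround bit low, no chip is answering, which is the usual symptom of swapped MDC/MDIO lines or a missing pull-up.

```c
#include <stdint.h>
#include <stdio.h>

/* SMI frame fields. Assumption: the IP178CH follows the usual MII management
 * format (32 x '1' preamble, ST=01, OP, 5-bit PHY addr, 5-bit reg addr,
 * 2-bit turnaround, 16 data bits, MSB first). */
#define SMI_ST       0x1u   /* bits "01" */
#define SMI_OP_WRITE 0x1u   /* bits "01" */
#define SMI_OP_READ  0x2u   /* bits "10" */

/* Constructed stand-in for the switch chip plus the MDC/MDIO wires, so the
 * host routines below can be exercised without hardware. */
typedef struct {
    uint16_t regs[32][32];  /* regs[phy][reg]; all zero at power-up */
    int host_drv;           /* -1 = host released MDIO, otherwise 0/1 */
    int chip_drv;           /* -1 = chip released MDIO, otherwise 0/1 */
    int chip_present;       /* 0 simulates a miswired or unpowered chip */
    int ones, state, pos;   /* preamble count, decoder state, bit index */
    unsigned op, phy, reg;
    uint16_t data;
} bus_t;

static bus_t bus = { .host_drv = -1, .chip_drv = -1, .chip_present = 1 };

static int bus_level(const bus_t *b) {
    if (b->host_drv >= 0) return b->host_drv;
    if (b->chip_drv >= 0) return b->chip_drv;
    return 1;               /* the 2.2k pull-up holds an undriven line high */
}

/* Chip side: runs once per MDC rising edge. */
static void chip_rising_edge(bus_t *b) {
    int bit = bus_level(b);
    if (!b->chip_present) { b->chip_drv = -1; b->state = 0; b->ones = 0; return; }
    if (b->state == 0) {                          /* wait for 32 ones, then ST '0' */
        if (bit) { if (b->ones < 32) b->ones++; }
        else if (b->ones >= 32) b->state = 1;
        else b->ones = 0;
        return;
    }
    if (b->state == 1) {                          /* ST second bit must be '1' */
        b->ones = 0;
        if (bit) { b->state = 2; b->pos = 0; b->op = b->phy = b->reg = 0; b->data = 0; }
        else b->state = 0;
        return;
    }
    int p = b->pos++;
    if (p < 2)       b->op  = (b->op  << 1) | (unsigned)bit;
    else if (p < 7)  b->phy = (b->phy << 1) | (unsigned)bit;
    else if (p < 12) b->reg = (b->reg << 1) | (unsigned)bit;
    else if (p == 13) { if (b->op == SMI_OP_READ) b->chip_drv = 0; }  /* TA: chip answers with 0 */
    else if (p >= 14 && p < 30) {
        if (b->op == SMI_OP_READ)                 /* shift register contents out, MSB first */
            b->chip_drv = (b->regs[b->phy][b->reg] >> (29 - p)) & 1;
        else {
            b->data = (uint16_t)((b->data << 1) | (unsigned)bit);
            if (p == 29 && b->op == SMI_OP_WRITE) b->regs[b->phy][b->reg] = b->data;
        }
    } else if (p == 30) {                         /* frame done: release line, go idle */
        b->chip_drv = -1; b->state = 0; b->ones = bit ? 1 : 0;
    }
}

/* Host side. On the Arduino these five would be pinMode/digitalWrite/digitalRead
 * on pin 2 (MDIO) and pin 3 (MDC); here they poke the model instead. */
static void mdio_drive(int bit) { bus.host_drv = bit & 1; }
static void mdio_release(void)  { bus.host_drv = -1; }
static int  mdio_sample(void)   { return bus_level(&bus); }
static void mdc_high(void)      { chip_rising_edge(&bus); }
static void mdc_low(void)       { }               /* nothing happens on the falling edge */

static void outBit(int bit) { mdio_drive(bit); mdc_high(); mdc_low(); }
static int  inBit(void) { mdio_release(); mdc_high(); int v = mdio_sample(); mdc_low(); return v; }
static void outBits(unsigned value, int n) { while (n--) outBit((int)((value >> n) & 1)); }

static void frameHeader(unsigned op, unsigned phy, unsigned reg) {
    for (int i = 0; i < 32; i++) outBit(1);      /* preamble */
    outBits(SMI_ST, 2); outBits(op, 2); outBits(phy & 31, 5); outBits(reg & 31, 5);
}

/* Returns the 16-bit register value, or -1 when nothing pulled the turnaround
 * bit low (what you see with MDC/MDIO swapped or the pull-up missing). */
int readReg(unsigned phy, unsigned reg) {
    frameHeader(SMI_OP_READ, phy, reg);
    inBit();                                      /* TA bit 1: both sides float */
    if (inBit() != 0) { mdio_release(); return -1; }
    unsigned v = 0;
    for (int i = 0; i < 16; i++) v = (v << 1) | (unsigned)inBit();
    mdio_release();
    return (int)v;
}

void writeReg(unsigned phy, unsigned reg, uint16_t value) {
    frameHeader(SMI_OP_WRITE, phy, reg);
    outBit(1); outBit(0);                         /* TA "10", driven by host */
    outBits(value, 16);
    mdio_release();
}

int main(void) {
    writeReg(0, 5, 0xBEEF);
    printf("phy 0 reg 5 = 0x%04X\n", (unsigned)readReg(0, 5));   /* prints 0xBEEF */
    return 0;
}
```

Register numbers and the PHY address are placeholders here; the real values for VLAN membership and tagging come from the IP178Cx datasheet linked above.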

The switch itself works in a fairly simple way: you can assign which ports belong to a VLAN (independently of whether the packets will be tagged or not), and then you can configure how to treat untagged packets and what to do when a packet from a VID port group goes out of a port.

For example, if you want to use port 1 as a trunk port (multiple VLAN-tagged networks on the same physical port), and you want to tag untagged traffic from ports 2, 3, 4 with VLAN IDs 2, 3, 4, you have to:

  • Assign ports 1,2 to VID 2
  • Assign ports 1,3 to VID 3
  • Assign ports 1,4 to VID 4
  • Set ports 2,3,4 to remove VLAN tags from outgoing packets
  • Set port 1 to add VLAN tag to outgoing packets
  • Set default VID for untagged traffic of port 2 to 2
  • Set default VID for untagged traffic of port 3 to 3
  • Set default VID for untagged traffic of port 4 to 4

With that configuration you will be able, for example, to connect 3 different networks over a single Ethernet cable, which may be useful when you have a radio tower with multiple devices on it and only a single cable going to the ground equipment.

That's just the beginning: similar mods can in most cases be done on all switches, and probably with more features on newer (gigabit) switches.

You could also use a Raspberry Pi instead of an Arduino to manage the switch, so you can work on it over Ethernet with a nice web interface.
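The eight bullets above describe three tables (VLAN membership, per-port default VID, per-port tag/strip on egress) and the forwarding rule that follows from them. As an added example, not the post's own code, the following C models that rule in the abstract so you can see which port a frame leaves from and whether it leaves tagged, using the post's trunk-on-port-1 setup as the sample configuration. The chip's actual register layout is not modelled; the table names, the reset default of PVID 1, and the decision to drop frames whose ingress port is not a member of their VID (ingress filtering) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPORTS  8
#define NVIDS   4096
#define PBIT(p) ((uint8_t)(1u << ((p) - 1)))   /* port 1 -> bit 0 ... port 8 -> bit 7 */

/* The three things the post configures, as plain tables (chip registers
 * are not modelled; the meaning of each table is what the post describes). */
typedef struct {
    uint8_t  members[NVIDS];          /* per VID: bitmask of member ports */
    uint16_t pvid[NPORTS + 1];        /* per port: VID assigned to untagged ingress frames */
    bool     tag_egress[NPORTS + 1];  /* per port: true = keep/add tag on egress, false = strip */
} vlan_table;

static vlan_table trunk;              /* instance the example operates on */

static void vlan_init(vlan_table *t) {
    memset(t, 0, sizeof *t);
    for (int p = 1; p <= NPORTS; p++) t->pvid[p] = 1;   /* assumption: PVID 1 after reset */
}
static void vlan_assign(vlan_table *t, uint16_t vid, uint8_t ports) { t->members[vid] |= ports; }
static void vlan_set_pvid(vlan_table *t, int port, uint16_t vid)   { t->pvid[port] = vid; }
static void vlan_set_egress_tag(vlan_table *t, int port, bool tag)  { t->tag_egress[port] = tag; }

/* The post's eight bullets: port 1 trunks VIDs 2, 3, 4; ports 2-4 are access ports. */
void configure_trunk(vlan_table *t) {
    vlan_init(t);
    vlan_assign(t, 2, PBIT(1) | PBIT(2));
    vlan_assign(t, 3, PBIT(1) | PBIT(3));
    vlan_assign(t, 4, PBIT(1) | PBIT(4));
    for (int p = 2; p <= 4; p++) {
        vlan_set_egress_tag(t, p, false);        /* strip tags towards the end devices */
        vlan_set_pvid(t, p, (uint16_t)p);        /* untagged traffic from port p -> VID p */
    }
    vlan_set_egress_tag(t, 1, true);             /* everything leaving the trunk is tagged */
}

/* VID a frame is classified into on ingress; 0 = dropped. Ingress filtering
 * (drop if the ingress port is not a member of the VID) is an assumption. */
uint16_t vlan_ingress_vid(const vlan_table *t, int in_port, bool tagged, uint16_t vid) {
    uint16_t v = tagged ? vid : t->pvid[in_port];
    if (v == 0 || v >= NVIDS || !(t->members[v] & PBIT(in_port))) return 0;
    return v;
}

/* Bitmask of ports the frame is forwarded to (0 = dropped); the optional
 * out_vid receives the VID it travels under. Whether each egress port keeps
 * the tag is t->tag_egress[port]. */
uint8_t vlan_forward(const vlan_table *t, int in_port, bool tagged, uint16_t vid, uint16_t *out_vid) {
    uint16_t v = vlan_ingress_vid(t, in_port, tagged, vid);
    if (out_vid) *out_vid = v;
    if (v == 0) return 0;
    return (uint8_t)(t->members[v] & ~PBIT(in_port));
}

int main(void) {
    configure_trunk(&trunk);
    uint16_t v;
    uint8_t out = vlan_forward(&trunk, 2, false, 0, &v);   /* untagged frame from port 2 */
    for (int p = 1; p <= NPORTS; p++)
        if (out & PBIT(p))
            printf("port 2 -> port %d, VID %u, %s\n", p, v, trunk.tag_egress[p] ? "tagged" : "untagged");
    return 0;   /* prints: port 2 -> port 1, VID 2, tagged */
}
```

Two consequences of the configuration fall out of the model: a frame tagged with a VID that has no members (say VID 9) arriving on the trunk is dropped rather than leaking to an access port, and an untagged frame arriving on the trunk gets the reset PVID of 1, which nobody belongs to, so it is dropped too.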

 

Calibrating YIHUA 898D soldering station


When you buy an 898D soldering station there's a very high chance that it is completely uncalibrated, leading to burnt/damaged parts and other kinds of problems, since most of the time it is calibrated to give a much higher temperature than it displays.

For this procedure you are going to need:

  • A cross-head screwdriver to open the 898D
  • A flat-head screwdriver at most 2 mm wide to rotate the potentiometers
  • A thermocouple thermometer
  • An IR thermometer

First of all, set both temperatures to 230 °C and disconnect the power cord, because part of the board is directly connected to mains.

To open the soldering station, remove the four screws around the front panel.

Once the front panel is removed you should have a board like the one below:

That board has two trimmers: one adjusts the SMD rework gun, the other adjusts the soldering iron temperature.
Start with the hot air gun. After making sure that no metal is touching the board and that you are not touching it, plug the power back in and heat a piece of paper with the hot air gun.
Place the hot air gun on one side of the paper and the IR thermometer on the other.
If you read 220-235 °C it's OK; if you read temperatures like 260 or 280 °C, or 200 °C, you definitely need to adjust it.
To do that, take a small flat-head screwdriver and, with the soldering station disconnected from mains, rotate the potentiometer about 1-2 turns counter-clockwise if the air is hotter than it should be, otherwise rotate it the same amount clockwise; then plug the power back in and check whether the temperature is in an acceptable range. If not, repeat the step above with smaller adjustments.

When you are done with the hot air gun, start on the soldering iron: put some excess solder on its tip and place it in contact with a shielded thermocouple.
Leave it for 3-4 minutes, then check the thermocouple's temperature reading; if it is below 210 °C or above 240 °C you need to calibrate that too. Proceed as follows:
  1. If the temperature is higher than it should be, rotate the soldering iron potentiometer about 1/4 turn clockwise (the opposite of the hot air gun one). You have to do this with the power connected, so BE VERY CAREFUL not to touch any part of the board except the potentiometer with the screwdriver.
    If the temperature is lower, rotate it 1/4 turn counter-clockwise.
  2. If the temperature was higher than needed, blow some air at the thermocouple and soldering iron tip to lower the temperature, then wait for it to rise again.
  3. After about 2 minutes, check whether the temperature still needs adjustment; if so, repeat from step 1 with smaller rotations.
I'm using a PID controller as a thermometer because it's the only thermocouple-based thermometer I have at the moment.
After that, reassemble everything and you are done.

Installing OpenWRT on SITECOM WL-326


The SITECOM WL-326 is an Ethernet + 3G router featuring 300 Mbps wireless and a USB port to connect a 3G modem.

This device is not officially supported by OpenWrt and not very common, so there's basically zero info on it at the moment.

The first thing is to find out which SoC it uses; since it is covered by a heat spreader, the best approach that does not risk destroying the board is connecting a USB-TTL adapter to the serial port visible in the photos.

Luckily, contrary to most cases, the PCB already has RX, TX and GND printed next to the pins, so it's just a matter of soldering a female or male strip header and connecting it to the adapter.

Serial port settings are 57600 8N1, and when powering the device it's immediately visible that it is a rebrand of another device, the ESR-6670 http://wiki.openwrt.org/toh/engenius/esr6670.
Still no luck: it's not supported either, but at least now we know which SoC it uses, a Ralink 3052.

Now the tricky part: the bootloader only shows one option, contrary to most supported routers.

So the only option is to try it; worst case, if it goes wrong we'll have to reverse engineer the (likely) JTAG connector visible in the photo.

This command will ask you some parameters: the first one is the router IP, just hit enter (leaving it as it is);
the second one is the TFTP server IP, a default one will be shown.

Now connect an Ethernet cable between a LAN port and your machine, and ifconfig it to the router IP address:

ifconfig eth0 up 192.168.99.8

or something like that.

Now you can hit enter, and it will ask for the Linux kernel filename, which is WRONG: that's not the Linux kernel filename but the uImage filename.

Now the hard choice: finding a similar enough device to flash this one with, and crossing fingers that it does not blow up. I've chosen the wr512 because it too has a USB port and Ethernet, so it's worth trying.

So download http://downloads.openwrt.org/chaos_calmer/15.05-rc2/ramips/rt305x/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-initramfs-uImage.bin and rename it to something sane, like /home/dev/rd.bin

Now start a TFTP server; the quickest way, without spending 15 minutes configuring xinetd or the like, is

dnsmasq --enable-tftp --tftp-root=/home/dev -d

If it fails because the port is already in use, append -p 3244

If it started successfully, enter the chosen filename (rd.bin or whatever it is) on the serial console and hit enter; now it should flash it and reboot. But you are not done yet, because this image is designed to run only from RAM, so any config change will NOT be saved.

But since you should now have an OpenWrt console and the LAN ports configured as 192.168.1.1, ifconfig your machine's interface to 192.168.1.2.

Download http://downloads.openwrt.org/chaos_calmer/15.05-rc2/ramips/rt305x/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-squashfs-sysupgrade.bin

Notice that the downloaded file now has "sysupgrade" in its name and not initramfs-uImage.

Now from the serial console do

scp [email protected]:[email protected]hfs-sysupgrade.bin /tmp/

Once done (and completed successfully, of course), do

sysupgrade -v /tmp/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-squashfs-sysupgrade.bin

It will take a minute or two and then reboot automatically; after the reboot you will have the router at 192.168.1.1 again.

Now log in to the LuCI interface, go to Network -> Switch and you should see two VLANs configured: vlan1, which is lan, with the first port untagged, and vlan2, which is wan, with some other port untagged.

Now on vlan1 set the first port (left to right) to off, and on vlan2 set the first port (the same one as in vlan1) to untagged, then click Save & Apply.
That's because the router whose firmware we flashed has its switch wired differently.

That's it, you are done; you can configure wireless and other stuff, just forget about 3G unless you replace the flash memory, because it is likely that there's not enough space on flash (unless you build a version without LuCI and with 3G and then configure it from the CLI).

Update: it's possible to install the 3G packages and still have 52 kbytes free; not tested because I don't have a USB 3G modem handy.

Asus eeePC 1005PE LVDS Cable pinout

I'm posting this pinout because it can't be easily found, and figuring it out with a multimeter takes a long time, as it did for me.

MB connector   Panel back connector   Description
 1              2                     3.3VDD
 2              4                     EDID EEPROM power (3.3V)
 3              6                     EDID EEPROM CLK
 4              7                     EDID EEPROM DATA
 5             28                     VDD_EN (active high, 3.3V)
 6             30                     VLED_EN (active high, 3.3V)
 7             22                     GND
 8              8                     LVDS Channel 0 -
 9              9                     LVDS Channel 0 +
10             11                     LVDS Channel 1 -
11             12                     LVDS Channel 1 +
12             14                     LVDS Channel 2 -
13             15                     LVDS Channel 2 +
14             22                     GND
15             17                     LVDS Clock -
16             18                     LVDS Clock +
17              1                     GND
18              5                     Backlight PWM ADJ
19             25                     LED VCC (5V)
20             24                     LED VCC (5V)

If you are planning to reuse the panel with an MT6820 board, set the panel voltage to 3.3 volts, connect 3.3VDD and VDD_EN together, and connect all the GND pins to ground too.
About the backlight, for me it worked leaving VLED_EN open (unconnected) and ADJ connected to the BL pin of the MT6820 (brightness, unless I've swapped the pins by mistake, does not seem to work).
The whole thing will draw about 1 A @ 5 V, so if you get a Y cable with a switch (to prevent the MT6820 from powering on too early), you can run it from two USB ports.

The correct jumper configuration for the board is with only A closed, and all others open.