Tag Archives: hacker

This $10 device can predict your next credit card number


MagSpoof is an ATtiny85 based device that can accurately predict your next Amex card number, disable chip-and-PIN and even spoof magnetic stripes wirelessly.


After recently losing his credit card, it wasn’t long before American Express sent Samy Kamkar a replacement. It was that moment in time that the serial hacker noticed something quite peculiar: the digits on the new card were similar to his previous ones. With a little more research, he uncovered a global pattern that would enable him to accurately predict the digits on any subsequent Amex card by knowing the preceding card’s full number.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d616773706f6f662e6a7067

“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” Kamkar explains. “I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Like many of his prior security-focused projects, this discovery yielded another opportunity to highlight a vulnerability. And so MagSpoof was born. Kamkar’s new $10 device is capable of emulating any magnetic stripe or credit card, entirely wirelessly, and storing more than 100 card numbers in various form factors. The unit works by generating an electromagnetic field that’s strong enough to reach a traditional reader’s sensor within close proximity, sending a signal that mimics the card being swiped.

“What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration),” he notes.

687474703a2f2f73616d792e706c2f6d616773706f6f662f636369726f6e2e6a7067

And that’s not all. MagSpoof features a button that employs his prediction algorithm. In order words, if a thief using the device finds out that the card they were trying to imitate had been cancelled, the gadget could instantly determine the victim’s next card number.

“As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar tells WIRED. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”

Aside from disabling chip-and-PIN protection (a function that he has since removed), accurately predicting expiration numbers and switching between different Amex cards (even when reported lost or stolen), MagSpoof can be employed for security research in any area that would traditionally require a magstripe, such as readers for drivers licenses, hotel room keys and automated parking lot tickets.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d657465722d736d616c6c322e676966

As you can tell, the MagSpoof’s hardware doesn’t look anything like a credit card, so a criminal couldn’t just simply hand it to a cashier or waiter without raising any red flags. However, Kamkar points out that he can use a digital credit card device like Coin to store the numbers that his system generates — a technique that would make his trickery much less noticeable.

Impressively, Kamkar built his prototype out of several off-the-shelf components. These included an ATtiny85, a 100mAh 3.7V LiPo battery, a motor driver, an LED, a capacitor, a resistor and some 24AWG magnet wire. He created a smaller version with an ATtiny10 as well. By simply pulsing the H-bridge and activating the coil of wire, the MagSpoof is capable of emulating the swipe of a card. MagSpoof is compatible with the Arduino framework and can work on traditional Arduino boards, as well as ATtiny chips.

According to the hacker, he has notified American Express of the issue and will not exploit their algorithm. Kamkar has made both MagSpoof’s source code and schematics available on GitHub, and elaborates upon his method on his page here.

[h/t WIRED via Samy Kamkar]

What’s ahead this year in digital insecurity?


Here’s a closer look at the top 10 cyber security predictions for 2015.


In 2014 worries about security went from a simple “meh” to “WTF!” Not only did high-profile attacks get sensational media coverage, but those incidents led to a pivotal judicial ruling that corporations can be sued for data breaches. And as hard as it is to believe, 2015 will only get worse because attack surfaces are expanding as mobile BYOD policies overtake enterprises, cloud services spread, and a growing number of IoT networks get rolled out. Add m-commerce, e-banking, and mobile payments to the questionable tradition of lax credit card security infrastructure in the U.S. and you get a perfect storm for cybercrime.

In fact, 92% of attacks across the range of segments come from nine basic sources (seen in the diagram below), according to Verizon. More numerous and sophisticated cyber crimes are anticipated for this year and beyond.

z1

 1. More companies to get “Sony’d”

2014 saw the release of highly-evolved threats from criminals that in the past only came from governments, electronic armies and defense firms. A wide-range of targets included organizations in retail, entertainment, finance, healthcare, industrial, military, among countless other industries. As a repeat offender, Sony is now the cyber-victim poster child, and the term “Sony’d” has become a verb meaning digital security incompetence. Perhaps Sony’s motto should be changed from “make.believe.” to “make.believe.security.” Just saying!

Prior to 2014, companies on a wholesale basis tended to simply deny cyber vulnerabilities. However, a string of higher profile data breaches — such as Sony, Heartbleed, Poodle, Shellshock, Russian Cyber-vor, Home Depot, Target, PF Chang’s, eBay, etc. — have changed all of that. Denial is dead, but confusion and about what to do is rampant.

2. Embedded insecurity rising

Computing naturally segregates into embedded systems and humans sitting in front of screens.  Embedded systems are processor-based subsystems that are “embedded” into other machines or bigger systems.  Examples are routers, industrial controls, avionics, automotive engine and in-cabin systems, medical diagnostics, white goods, consumer electronics, smart weapons, and countless others.  Embedded security was not a big deal until the IoT emerged, which will lead to billions of smart, communicating nodes.  15 to more than 20 billion IoT nodes are being forecast by 2020, which will create a gigantic attack platform and make security paramount.

IoT Installed

A recent study by HP revealed that 70% of interconnected (IoT) devices have serious vulnerabilities to attacks. The devices they investigated consisted of “things” like cloud-connected TVs, smart thermostats and electronic door locks.

“The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces — network security, application security, mobile security and Internet-connected devices — and combine them into a new, even more insecure space, which is troubling,” HP’s Daniel Miessler stated.

Issues HP identified ranged from weak passwords, to lack of encryption, to poor interfaces, to troubling firmware, to unencrypted updating protocols. Other notable findings included:

  • 60% of devices were subject to weak credentials
  • 90% collected personal data
  • 80% did not use passwords or used very weak passwords
  • 70% of cloud connected mobile devices allowed access to user accounts
  • 70% of devices were unencrypted

Investigators at the Black Hat Conference demonstrated serious security flaws in home automation systems. At DEFCON, investigators hacked NFC-based payment systems showing that passwords and account data was vulnerable. They also revealed that the doors of a Tesla car could be hacked to open while in motion. Nice! Other attacks were exploited on smart TVs, Boxee TV devices, smartphone biometric systems, routers, IP cameras, smart meters, healthcare devices, SCADA (supervisory, control and data acquisition) devices, engine control units, and some wearables. Even simple USB firmware was proven to be highly vulnerable… “Bad USB.”

These are just the tip of the embedded insecurity iceberg. Under the surface is the entire Dark Net which adds even more treacherousness. Security companies like Symmantic have identified home automation as a likely early IoT attack point. That is not surprising because home automation will be an early adopter of IoT technologies, after all. In-house appliances also represent an attractive attack surface as more firmware is contained in smart TVs, set top boxes, white goods, and routers that also communicate. Node-to-node connectivity security extends to industrial settings as well.

Tools like Shodan, which is the Google of embedded systems, make it very easy for hackers to get into the things in the IoT.  CNN recently called Shodan the scariest search engine on the Internet. You can see why since everything that is connected is now accessible. Clearly strong security, including hardware-based crypto elements, is paramount.

 3. More storms from the cloud

z5

It became clear in 2014 that cloud services such as iCloud, GoogleDrive, DropBox and others were rather large targets because they are replete with sensitive data (just ask Jennifer Lawrence). The cloud is starting to look like the technological Typhoid Mary that can spread viruses, malware, ransomware, rootkits, and other bad things around the world. As we know by now, the key to security is how well cryptographic keys are stored.   Heartbleed taught us that, so utilizing new technologies and more secure approaches to maintain and control cryptographic keys will accelerate in 2015 to address endemic cloud exposure. Look for more use of hardware-based key storage.

4. Cyber warfare breaks out

eBay, PF Chang’s, Home Depot, Sony, JP Morgan, and Target are well-known names on the cybercrime blotter, and things will just get worse as cyber armies go on the attack. North Korea’s special cyber units, the Syrian Electronic Army, the Iranian Cyber Army (ICA), and Unit 61398 of the People’s Liberation Army of China are high profile examples of cyber-armies that are hostile to Western interests. Every country now seems to have a cyber-army units to conduct asymmetric warfare. (These groups are even adopting logos, with eagles appearing to be a very popular motif.)

z6

Cyber warfare is attractive because government-built malware is cheap, accessible, and covert, and thus highly efficient. Researchers have estimated that 87% of cyber-attacks on companies are state-affiliated, 11% by organized crime, 1% by competitors, and another 1% by former employees. Long story short, cyber war is real and it has already been waged against non-state commercial actors such as Sony. It won’t stop there.

 5. Cybercrime mobilizes

According to security researchers, mobile will become an increasingly attractive target for hackers. Fifteen million mobile devices are infected with malware according to a report by Alcatel-Lucent’s Kindsight Security Labs. Malvertising is rampant on untrusted app stores and ransomware is being attached to virtual currencies. Easily acquired malware generation kits and source code make it extremely easy to target mobile devices. Malicious apps take advantage of the Webkit plugin and gain control over application data which hands credentials, bank account, and email details over to hackers. What’s more, online banking malware is also spreading. 2014 presented ZeuS, which stole data, and VAWTRAK that hit online banking customers in Japan.

Even two-factor authentication measures that banks employ have recently been breached using schemes, such as Operation Emmental. Emmental is the real name of Swiss cheese, which of course is full of holes just like the banking systems’ security mechanisms.  Emmental uses fake mobile apps and Domain Name System (DNS) changers to launch mobile phishing attacks to get at online  banking  accounts and steal identities. Some researchers believe that cybercriminals will increasingly use such sophisticated attacks to make illegal equity front running and short selling scams.

z7

6. Growing electronic payments tantalize attackers

Apple Pay could be a land mine just waiting to explode due to NFC’s susceptibility to hacking. Google Wallet is an example of what can happen when a malicious app is granted NFC privileges making it capable of stealing account information and money. M-commerce schemes like WeChat could be another big potential target.

z8

E-payments are growing and with that so will the attacks on mobile devices using schemes ranging from FakeID to master key. Master key is an exploit kit similar to blackhole exploit kit that specifically targets mobile, where FakeID allows malicious apps to impersonate legitimate apps that allow access to sensitive data without triggering suspicion.

7. Health records represent a cyber-crime gold mine

Electronic Health Records (EHR) are now mandatory in the U.S. and a vast amount of personal data is being collected and stored as never before. Because information is money, thieves will go where the information is (to paraphrase Willie Sutton). Health records are considered higher value in the hacking underground than stolen credit card data. Criminals throughout both the U.S. and UK are now specializing in health record hacking. In fact, the U.S. Identity Theft Resource Center reported 720 major data breaches during 2014 with 42% of those being health records.

8. Targeted attacks increase

Targeted attacks, also known as Advanced Persistent Threats (APTs), are very frightening due to their stealthy nature. The main differences between APTs and traditional cyber-attacks are target selection, silence, and duration of attack. According to research company APTnotes, the number of attacks by year went from 3 in 2010 to 14 in 2012 to 53 in 2014. APT targets are carefully selected, in contrast to traditional attacks that use any available corporate targets. The goal is to get in quietly and stay unnoticed for long periods of time, as seen in the famous APT attack that victimized the networking company Nortel. Chinese spyware was present on Nortel’s systems for almost ten years without being detected and drained the company of valuable intellectual property and other information. Now that’s persistent!

9. Laws and regulations try to play catch up

A number of cyber security laws are being considered in the U.S. including the National Cybersecurity Protection Act of 2014, which advocates the sharing of cybersecurity information with the private sector, provide technical assistance and incident response to companies and federal agencies.   Another one to note is the Federal Information Security Modernization Act of 2014 that is designed to better protect federal agencies from cyber-attacks. A third is the Border Patrol Agent Pay Reform Act of 2013 to recruit and retain cyber professionals who are in high demand. Additionally, there is the Cybersecurity Workforce Assessment Act, which aims to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce. President Obama stated that wants a 30-day deadline for notices and a revised “Consumer Privacy Bill of Rights.”

One of the more interesting and intelligent recommendations came from the FDA, who issued guidelines for wireless medical device security to ensure hackers could not interfere with things such as implanted pacemakers and defibrillators. This notion was is part stimulated by worry about Dick Cheney’s pacemaker being hacked. In fact countermeasures were installed by on the device by Cheney’s surgeon. More regulation of health data and equipment is expected in 2015.

“Security — or the lack of it — will largely determine the success or failure of widespread adoption of internet-connected devices,” the FTC Commissioner recently shared in an article. The FTC also released a report entitled, “Privacy & Security in a Connected World.”

10. Hardware-based security may change the game

According to respected market researcher Gartner, all roads to the digital future lead through security. At this point, who can really argue with that statement? Manufacturers and service providers are seeing the seriousness of cyber-danger and are starting to integrate security at every connectivity level. Crypto element integrated circuits with hardware-based key storage are starting to be employed for that. Furthermore, these crypto elements are a kind of silver bullet given that they easily and instantly add the strongest type of security possible (i.e. protected hardware-based key storage) to IoT endpoints and embedded systems. This is a powerful concept whose fundamental value is only starting to be recognized.

IoT Node Chart 1

Crypto elements contain cryptographic engines to efficiently handle crypto functions such as hashing, sign-verify, ECDSA, key agreement (e.g.  ECDH), authentication (symmetric or asymmetric), encryption/decryption, message authentication coding (MAC), run crypto algorithms (e.g. elliptic curve cryptography, AES, SHA) and many other functions.

The hardware key storage plus crypto engine combination in a single device makes it simple, ultra-secure, tiny, and inexpensive to add robust security. Recent crypto element products offer ECDH for key agreement and ECDSA for authentication. Adding a device with both of these powerful capabilities to any system with a microprocessor that can run encryption algorithms (such as AES) brings all three pillars of security (confidentiality, data integrity and authentication) into play.

2014-Crypto-Security-at-our-Core-Atmel-Has-You-Covered

With security rising in significance as attack platforms increase in size and threats become more sophisticated, it is good to know that solutions are already available to ensure that digital systems are not only smart and connected, but robustly secured by hardware key storage. This could be the one of the biggest stories in security going forward.

Happy Programmer’s Day!

Program writers and developers spend countless hours creating code used to build computer software, sites and applications we may take for granted. Celebrated annually on the 256th day of the year — hexadecimal 100th, or the 28th — Programmers’ Day commemorates the hard work of these tech-savvy individuals.

Why 256 you ask? It represents the number of distinct values in an 8-bit byte, and well, it is also the largest power of two that comes to less than the 365 days found in a regular year. What this means is that the “holiday” will always fall on September 13, except of course on leap years. (Pedants might note that the binary representation of 1111 1111 is actually 255, making Programmers’ Day 24 hours too late. Because as any programmer knows, this ignores the use of zero as a value!)

The sheer number and diversity of programming languages in use today continues to grow. In collaboration with journalist Nick DiakopoulosIEEE Spectrum recently unveiled some of the world’s most popular languages, ranging from Java to C++. (Given the rise of the Maker Movement, you may notice Arduino made the list!)

07dataflow-1403643424680

As many will attest, a programmer is a unique breed. Seeing as coding culture leaves no shortage of character, InfoWorld recently compiled a list of the 13 classic archetypes of those you would find in most IT departments and hackerspaces. Which one best categorizes you?

“Any fool can write code that a computer can understand. Good programmers write code that humans can understand. ” — Martin Fowler

Resultantly, only those with coding in their DNA will (probably) identify with the following comical images…

This shirt.

(Source: imgur.com/XMmAe40)

(Source: imgur.com/XMmAe40)

This mug. 

(Source: Zazzle)

(Source: Zazzle)

This week. 

(Source: Explosm.net)

(Source: Explosm.net)

This relationship situation. 

(Source: Twitter user @ipixel_au)

(Source: Twitter via @ipixel_au)

This chart. 

(Source: memebase.cheezburger.com)

(Source: memebase.cheezburger.com)

This Facebook post. 

(Source: imgur.com)

(Source: imgur.com)

This sign. (You’ve been warned…)

(Source: ThinkGeek)

(Source: ThinkGeek)

This desk. (The struggle is real…)

Barbdie

This tattoo. 

(Source: Mervy.net)

(Source: Mervy.net)

This car.

(Source: imgur.com/d6RiDgk)

(Source: imgur.com/d6RiDgk)

This comic. 

(Source: imgur.com/CfSwf)

(Source: imgur.com/CfSwf)

This hierarchy of needs. 

wifi

This thought pattern. (No really though…)

(Source: Pinterest)

(Source: Pinterest)

This base-ic reference. (See what we did there?)

(Source: izifunny.com)

(Source: izifunny.com)

This meme. 

(Source: funny-quotations.net)

(Source: funny-quotations.net)

As professional days go, this one is surely one of the best. So, if you know a programmer (developer, coder, hacker or software engineer) slaving away at the computer this weekend, be sure to stop and share some praise. After all, they deserve it!

“The best programmers are not marginally better than merely good ones. They are an order-of-magnitude better, measured by whatever standard: conceptual creativity, speed, ingenuity of design, or problem-solving ability.” — Randall Stross

Heck, we couldn’t end this blog about programming without some sort of self-promotion! Available for free, Atmel Studio 6 connects seamlessly to all Atmel debuggers, programmers and the simulators for both ARM and AVR devices:

The latest version of our Studio includes the GCC C and C++ Compiler, assembler and a simulator, and interfaces seamlessly with in-system debuggers and programmers to make code development easier.

Electronic component art sculptures

My pal Phil Sittner sent a link to this picture of a rock band made out of electronic components. You have to love the title: L.E.D. Zeppelin.

L.E.D.-Zeppelin

Apparently that picture inspired this mom to make her own art:

Electronic-component-art

All this creativity is near and dear to my heart, since my dear departed analog pal Jim Williams was also a lover of electronic art. One nice feature of Jim’s art was that it often functioned as a real working circuit as well as being a free-form sculpture.

Jim-Williams-thermometer-sculpture

So if you have an artistic bent, think about soldering up some items from your junk box to make something beautiful and fascinating.

How to program your secrets into a chip with hardware-based security

Written by Nelson Lunsford

Implementing security into your design may seem somewhat daunting and time-/resource-intensive at first glance.  You may be thinking that you don’t have the luxury for it.  Fortunately, Atmel makes it easy when using the turnkey Atmel CryptoAuthentication IC.

At its most basic, the CryptoAuthetication device receives a challenge from a host system and a response is sent back to that host system. That challenge is combined with a secret key stored in the secure memory of the CryptoAuthetication using the MAC command. Then the result or response is sent back to the host system. If the response is correct as determined by the host system, then the operation can proceed.

How does that secret get into the CryptoAuthetication IC in the first place? Well, the CryptoAuthetication device requires that it be personalized or programmed with a known configuration for the application that it is intended to solve. Personalization of the device simply means configuring it to do what you want it to do.

The following methods can be used to place secure information into the CryptoAuthentication device:

  1. You can program the IC using the available communications interfaces provided by the IC, namely SWI or TWI.
  2. Atmel provides a software package and a hardware kit. This package is the Atmel CryptoAuthentication Evaluation Studio (ACES) and the AT88CK101STK8 or AT88CK109STK8 hardware.
  3. Atmel has produced a Secure Personalization or Programmer Kit (combination hardware and software) that can be purchased to program the CryptoAuthentication in greater quantities than the ACES tool.
  4. Atmel has approved several 3rd party programmers that can be purchased program the CryptoAuthentication before deployment.
  5. Atmel has also approved several 3rd party companies that will program the CryptoAuthentication once the secrets have been securely received.
  6. Atmel provides a service to their larger customers enabling the CryptoAuthentication to be personalized at final package test.
  7. This service is for programming larger numbers of ICs where it is not conducive for you to manage it yourself.

Any of the 6 methods mentioned above will work for placing your specific data into the CryptoAuthentication device in order to protect your IP.

Arduino making a mark at Maker Faire

I don’t usually make a big deal of my upcoming weekends, but when I get the chance to hang out in a human-size mouse trap, buzz around a giant Hand of Man robot, or get my code on competitively in a variety of hacker races, it’s worth talking up a bit.

Before you wonder whether I’ve managed to contract an unhealthy dose of hallucinogenic corporate cube fever, don’t panic! I’m referring to the upcoming Maker Faire, to be held at the San Mateo County Fairgrounds on the 18/19 of May.

makerpics

Maker Faire, created by Make magazine back in 2006, stitches together the arts and crafts with engineering and science.

beat_report

It’s a huge science fair for the general public, where Do-It-Yourselfers are free to roam around unleashed (usually on their segways) wearing propeller beanies and flashy LED pins without anybody judging them. Much.

Tinkerers little and large take center stage at Maker Faire, showing the world their zany contraptions and electrifying experiments, while trading tips and tricks for others who want to follow in their low power footsteps.

And Atmel, I’m proud to say, is all over it.

Why? Because in many ways, Atmel powers the maker movement, with its tech at the heart of so many maker designs. It helps, of course, that Atmel microprocessors are the chips of choice for the Arduino platform, both in their AVR flavor and ARM varieties.

arduino_due_in_hand

Arduino has democratized hardware in a way that allows anyone – young or old, engineer or not, rich or poor – to scratch their own itch and create anything they can imagine.

As Arduino’s founder, Massimo Banzi, puts it, “You don’t need anyone’s permission to create something great.”

Indeed, with Arduino even finding its way into every single MakerBot 3D printer, creativity now really knows no bounds.

At Maker Faire, Atmel will be right across from our friends and partners at Arduino (Booth #625 and #619 for the location sticklers) and along with a pretty slick booth design made up entirely of cardboard furniture (Chairigami!!), we’ll have quite a bit going on.

makerfairepic

For starters, we’ll have some MakerBot demos and an “IoTorium” (which I’m assuming is an emporium of awesome Internet of Things devices).

Speaking of awesome “things”, the folks from PuzzleBox will be pitching up in Atmel’s booth with their brain-controlled helicopters, alongside the cool riders from Faraday Bikes who will be peddling their electric bicycle wares.

We’ll also have some cute hackable Hexbugs crawling around and for those keeping an eye on the time, some smart watches from Secret Labs (shhhh!).

hexbugs

The Maker movement is a passionate one, and Atmel’s pretty passionate about being a part of it. If you can’t make it to Maker Faire, no sweat. You can follow all the goings on via Twitter. Just look for the hashtags @makerfaire, @atmel, @arduino.

Hope to see you there!

 

A Deep Dive Into the Unique Challenge Authentication Model

By: Nelson Lunsford

Let’s take a closer look at the unique challenge authentication model, using an Atmel CryptoAuthentication IC, for protecting your design’s intellectual property (IP). At its most basic, the Atmel ATSHA204 CryptoAuthentication IC receives a challenge from a host system and a response is sent back to that host system. That challenge is combined with a secret key stored in the secure memory of the ATSHA204 using the MAC command. Then, the result or response is sent back to the host system. If the response is correct as determined by the host system, then the operation can proceed. What if a malicious entity (a hacker) had been monitoring the bus where the host and the client are exchanging the challenge and the subsequent response? If the challenge was the same value, then the response would be the same every time and the hacker would know that response without ever knowing the embedded secret in the ATSHA204 device. This would enable the use of a knock off product even when a company took steps to prevent it.

One simple solution to this specific problem would be to prevent the hacker from having prior knowledge of what the response is. If the challenge was different every time it is sent to the ATSHA204 IC, then the response would be different every time. A unique challenge does exactly that. Even if the hacker has a list of challenges and associated responses, they will not have the correct response or it will take too long to find it in a pre-compiled list.  A unique challenge is a perfect method for defending a system against replay-style attacks. If you are using a hardware security device on the host side, you would use the random number generator (RNG) within the hardware to generate the challenge, thus making the response completely random. However, many embedded systems do not have a high-quality RNG. An alternative to an RNG would be simply to use the date and the time of day combined. If a time of day is not available in the system, then a counter could be used. A counter with the combination of the serial number of the client device can be used. A counter does not have to increment by ‘1’; some multiplier function could be used instead.