Tag Archives: Samy Kamkar

This $10 device can predict your next credit card number


MagSpoof is an ATtiny85 based device that can accurately predict your next Amex card number, disable chip-and-PIN and even spoof magnetic stripes wirelessly.


After recently losing his credit card, it wasn’t long before American Express sent Samy Kamkar a replacement. It was that moment in time that the serial hacker noticed something quite peculiar: the digits on the new card were similar to his previous ones. With a little more research, he uncovered a global pattern that would enable him to accurately predict the digits on any subsequent Amex card by knowing the preceding card’s full number.


“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” Kamkar explains. “I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Like many of his prior security-focused projects, this discovery yielded another opportunity to highlight a vulnerability. And so MagSpoof was born. Kamkar’s new $10 device is capable of emulating any magnetic stripe or credit card, entirely wirelessly, and storing more than 100 card numbers in various form factors. The unit works by generating an electromagnetic field that’s strong enough to reach a traditional reader’s sensor within close proximity, sending a signal that mimics the card being swiped.

“What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration),” he notes.


And that’s not all. MagSpoof features a button that employs his prediction algorithm. In other words, if a thief using the device finds out that the card they were trying to imitate had been cancelled, the gadget could instantly determine the victim’s next card number.

“As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar tells WIRED. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”

Aside from disabling chip-and-PIN protection (a function that he has since removed), accurately predicting expiration dates and switching between different Amex cards (even when reported lost or stolen), MagSpoof can be employed for security research in any area that would traditionally require a magstripe, such as readers for driver’s licenses, hotel room keys and automated parking lot tickets.


As you can tell, the MagSpoof’s hardware doesn’t look anything like a credit card, so a criminal couldn’t simply hand it to a cashier or waiter without raising any red flags. However, Kamkar points out that he can use a digital credit card device like Coin to store the numbers that his system generates — a technique that would make his trickery much less noticeable.

Impressively, Kamkar built his prototype out of several off-the-shelf components. These included an ATtiny85, a 100mAh 3.7V LiPo battery, a motor driver, an LED, a capacitor, a resistor and some 24AWG magnet wire. He created a smaller version with an ATtiny10 as well. By simply pulsing the H-bridge and activating the coil of wire, the MagSpoof is capable of emulating the swipe of a card. MagSpoof is compatible with the Arduino framework and can work on traditional Arduino boards, as well as ATtiny chips.

According to the hacker, he has notified American Express of the issue and will not exploit their algorithm. Kamkar has made both MagSpoof’s source code and schematics available on GitHub, and elaborates upon his method on his page here.

[h/t WIRED via Samy Kamkar]

A $10 USB charger can record your keystrokes wirelessly


A security researcher has developed a USB wall charger that can eavesdrop on nearly every Microsoft keyboard.


Although we shared this discreet hack from Samy Kamkar back in January, a recent tweet from Lifehacker triggered our memory and we just had to share again! KeySweeper is an Arduino-based keylogger for Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) that is cleverly camouflaged as a functioning USB wall charger. The stealthy ATmega328-driven device can sniff, decrypt, log and report back all keystrokes — saving them both locally and online.


Keystrokes are then relayed back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper comes within range of the target KeySweeper. In fact, the well-known hardware hacker suggests that the effective reach of KeySweeper is that of a typical Bluetooth device, but could be extended using a low-noise amplifier. A web-based tool enables live keystroke monitoring.


Users can set up SMS alerts that are triggered when certain keystrokes in the form of words, usernames or URLs are being typed, e.g. “bank” or heck, even “www.atmel.com.” (*Shameless SEO plug.*) If KeySweeper is removed from AC power, it will give off the impression that it is shut off; however, the inconspicuous gadget continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.

As you are well aware, wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. Such units often encrypt their data before sending it wirelessly, but Kamkar claims to have discovered multiple bugs that make it easy to decrypt. While the researcher hasn’t tested the device on every Microsoft keyboard, he does believe that, given their similarities, they will all be affected.

The KeySweeper project builds on previous work from Travis Goodspeed, Thorsten Schröder and Max Moser around the megaAVR controlled KeyKeriki.


Kamkar says the cost for KeySweeper can range anywhere from $10 to $80, depending on the operation and its necessary functions. Aside from the Arduino Pro Mini that he selected for its size, other components include:

  • nRF24L01+ 2.4GHz RF chip, which communicates using GFSK over 2.4GHz.
  • AC USB charger for converting AC power to 5V DC.
  • (Optional) An SPI serial flash chip can be used to store keystrokes on.
  • (Optional) Adafruit FONA, which allows you to use a 2G SIM card to send/receive SMS, make phone calls, and use the Internet directly from the device.
  • (Optional, if using FONA) The FONA requires a mini-SIM card — not a micro SIM.
  • (Optional, if using FONA) The FONA provides on-board LiPo/Li-ion battery recharging; while KeySweeper is connected to AC power the battery will be kept charged, but a battery is required nonetheless.


It should be noted that the hacker does say a Teensy MCU can be used in place of the ‘duino. As for the software, the primary code is installed on the microcontroller, while the web-based backend uses jQuery and PHP to log all keystrokes and provide an interface for live monitoring of target keyboards. KeySweeper’s source code and schematic are available on GitHub.

Intrigued? You can access the entire build on Kamkar’s official page.

This $100 device can locate, unlock and remote start GM cars


OwnStar is a device that can locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.


When director Sam Esmail was casting for his latest cyberpunk–thriller TV series Mr. Robot, we’re surprised serial hacker Samy Kamkar wasn’t in the running for the star role. That’s because, in just the last year alone, the 29-year-old has devised a plug-in box capable of tracking everything you type, a 3D-printed robot that can crack combination locks, and his own radio device for online anonymity. Added to that growing list is a tablet-sized unit that can easily tap into and wirelessly take control of a GM car’s futuristic features.


Undoubtedly, car hacking will be a hot topic at this year’s Black Hat and DEFCON events. Cognizant of this, the Los Angeles-based entrepreneur has created what he’s calling OwnStar, a device that can locate, unlock and remotely start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.

As you can see in the video below, the system is driven by a Raspberry Pi and uses an ATmega328 to interface with an Adafruit FONA for cellular connection. After a user opens the OnStar RemoteLink app on a smartphone within Wi-Fi range of the hacking gadget, OwnStar works by intercepting the communication. Essentially, it impersonates the wireless network to fool the smartphone into silently connecting. It then sends specially crafted packets to the mobile device to acquire additional credentials and notifies the attacker over 2G about the new vehicle it now has indefinite access to, namely its location, make and model.

First reported by WIRED, Kamkar has revealed that if a hacker can plant a cheap, homemade Wi-Fi hotspot somewhere on an automobile’s body — whether that’s under a bumper or its chassis — to capture commands sent from the user’s smartphone, the results for vulnerable car owners could range from pranks and privacy breaches to actual theft.


With the user’s login credentials, an attacker could do just about anything he or she wants, including tracking a car, unlocking its doors and stealing stuff inside (when carjacking meets car hacking), or starting the ignition from afar. Making matters worse, Kamkar tells WIRED that remote control like this can enable a malicious criminal to drain the car’s gas, fill a garage with carbon monoxide or use its horn to drum up some mayhem on the street. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

It’s evident that Kamkar’s objective here isn’t to help thieves and endanger the lives of drivers; instead, he is hoping to utilize OwnStar to raise awareness around the vulnerabilities of connected cars. Fortunately though, the actual issue lies in the mobile software and not the GM vehicles themselves. The carmaker has already been receptive to this discovery and plans to fix the matter at hand. Until then, the hacker advises owners to refrain from opening the app until an update has been provided by OnStar.

Intrigued? Kamkar says that he will provide more details around this and other hacks at DEFCON, which he will share on his website as well. Until then, you can watch the demonstration that was conducted on a friend’s 2013 Chevy Volt.

NOTE: Kamkar has confirmed that OnStar has indeed resolved the vulnerability and a RemoteLink app update has been released.

Hacker builds an impressive ProxyHam alternative


ProxyGambit boasts twice the radio range of the ProxyHam, as well as unlimited reach with GSM.


While many of us have been scratching our heads as to what happened to the ProxyHam following its sudden disappearance, Samy Kamkar has surfaced with his own take on online anonymity. The hacker has created what he calls an “advanced resurrection of ProxyHam,” also known as ProxyGambit — a device that enables users to access an Internet connection from anywhere on Earth without ever revealing their IP address or location. 


The news of ProxyHam’s demise came over Twitter when Rhino Security, the consultancy run by the project’s creator Ben Caudill, announced that the project was being pulled from the DEFCON agenda. The tweet stated, “Effective immediately, we are halting further dev on #proxyham and will not be releasing any further details or source for the device.”

The $238 ProxyGambit has one-upped its predecessor, given that its direct line-of-sight point-to-point link boasts a range of up to six miles, more than double ProxyHam’s two-and-a-half miles. And impressively, it can work anywhere on Earth via 2G. It can use a reverse-tunneled GSM bridge that connects to the Internet and exits through a wireless network anywhere in the world.

“While a point to point link is possible, the reverse GSM bridge allows you to proxy from thousands of miles away with nothing other than a computer and Internet with no direct link back to your originating machine,” Kamkar explains.


Both methods proxy the connection through local Wi-Fi networks near the gadget, shielding the user and making it more difficult to determine their true whereabouts, IP and identity. The ProxyGambit consists of two Adafruit FONA GSM breakout boards, any two ATmega328 Arduino boards and two Raspberry Pis. The FONA uses a SIM800 chip to link the Arduino to the GSM network to produce a 2G Internet connection. Meanwhile, the Arduino serves as a serial connection over a reverse TCP tunnel and provides a software proxy layer between the Raspberry Pi’s UART and the FONA. One of, if not the, most vital parts of the project is the Pi, which drives the Linux serial link and bridges the public Wi-Fi and radio connection.

Beyond all that, Kamkar employs a 2.5A USB hub, an SD card to host the operating system and data, a Wi-Fi card depending on how far a user would like the ProxyGambit to reach, and a LiPo battery to power the FONA.


When all is said and done, the hacker does emphasize that this is merely a proof of concept and recommends that any potential builders proceed with extreme caution.

“The fragmentation of data through alternate mediums is a useful and effective concept and those interested in privacy, anonymization, or deanonymization should explore this area further. Entropy is both gained and lost with these methods and many risks are involved when deploying any system of this nature,” he concludes.

Intrigued? Head over to Kamkar’s page, where he has made all of the ProxyGambit’s source code and instructions available.

This Arduino-based device can crack a Master Lock in under 30 seconds


Think those belongings are safe in that gym and high school locker of yours? You may want to think again.


A few weeks ago, hacker Samy Kamkar demonstrated just how easily he could crack a Master Lock combination lock in less than eight attempts using nothing more than a simple mathematical algorithm. In the tail-end of his video, he also hinted that he had been working on an Arduino-based, motorized cracking machine that would be capable of doing all the legwork for him. The Maker said the device would be introduced in the very near future.


And well, the future is now. As a way to highlight a vulnerability in one of the world’s most ubiquitous brands of combination locks, the Maker has created a battery-powered, 3D-printed robot that can pop open any locker in as little as 30 seconds. Simply attach the aptly dubbed Combo Breaker to any of the countless Master Locks, turn it on and let it get to work.

“The machine pretty much brute-forces the lock for you,” Kamkar says.

When left on its own, the Combo Breaker can take upwards of five minutes to break open a lock. However, with a little help finding the first number on the dial using Kamkar’s web-based tool, the process will take under half a minute.


The Combo Breaker employs a small stepper motor to turn the dial, an optical sensor to keep track of how much the stepper motor is turning, a rotor with a 3D-printed attachment for the lock’s face, a lever that tries to lift the shackle, another sensor that can detect if an attempt to lift the shackle has failed, and an Arduino Nano (ATmega328) for the brains of the operation.

Want one of your own? Kamkar has provided a step-by-step breakdown of the build along with its required parts (which should cost approximately $100) on his site here. Meanwhile, you can find all of the necessary software for the machine on GitHub.