David Sopas – Web Security Researcher

17/10/18 Hardware, IoT

Opening a fingerprint + BLE smartlock – the smart way!

I got my hands on a smartlock that costs around 35€ on Amazon and unlocks using a fingerprint or an app (over BLE).
In reality I don’t know the brand and model, but that is not something I really care about. What I wanted to check was: how hard is it to break this smartlock?

After a quick inspection I noticed that this lock had something covered below the USB port (which is used to charge the battery). Using a sharp knife I scraped the cover off and… a screw appeared 🙂

C’mon… Really? I opened it and started disassembling the device.

I also needed to scrape off some parts, because this lock was supposed to be waterproof, so they had covered some wires.

In the end, we got a small PCB with a connected fingerprint sensor. I didn’t see any spring like other locks have and couldn’t manage to open it by shimming. But I saw a motor connected to the PCB by a white and a yellow wire.

I had already played with motors and similar devices on Arduino and they usually only need some power to rotate. In this case, I was guessing that connecting the 3.7V battery to the PCB wires would make it rotate (and open).

I grabbed a couple of wires, to avoid soldering or damaging the lock, and connected them to the lock’s battery. Then I connected the wires to the PCB pads that lead to the motor.

And the lock opened. No fingerprint or BLE needed.

Check out the short video I made – https://www.youtube.com/watch?v=VEjwV3LsLJ0

So I guess it takes around 5 seconds to open this lock using a direct connection to the motor.
The vendor claims it’s a strong lock… Anyone can break it in 5 seconds.

Screwdrivers rule! 🙂

10/10/18 Hardware

micro:bit password generator

So I got a new toy – a micro:bit. I initially bought three of these devices so I could sniff BLE traffic using btlejack. After playing with it, I decided to learn more about this hardware.

It’s pretty simple to use, especially if you decide to use Microsoft MakeCode, but it also supports MicroPython. I went with the latter and created something that is still in testing because of hardware limitations.

I decided to create a simple password generator. You have two buttons: Button A (left side) and Button B (right side).
Button A generates “randomly” and displays on the small LEDs a 4 digit PIN number. Button B generates a 12 character password consisting of numbers, some letters (some letters don’t display well on the LEDs) and a couple of symbols.

Why did I do this? Well, because you usually need something to generate a PIN or password fast. Some of my clients NEED this. Nothing is recorded, and if you don’t catch the PIN or password, click to generate another one.

Next step… Battery. Add a CR2032 battery with an on/off button. Also, improve the code a bit and share it on GitHub.

Check the video here – https://www.youtube.com/watch?v=M3CO_OvSO4w
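The two-button generator described above, written as an added example (this is not the author's micro:bit code, which is not published on this page). The letter and symbol sets are an assumption chosen for LED legibility; on CPython the functions draw from `secrets`, on the micro:bit they fall back to its `random` module, which is a plain PRNG rather than a cryptographic one (hence the author's quotes around "randomly").

```python
try:
    import secrets
    _choice, _randbelow = secrets.choice, secrets.randbelow
except ImportError:
    # micro:bit MicroPython has no secrets module; random is a PRNG, not a CSPRNG
    import random
    _choice = random.choice
    _randbelow = lambda n: random.randrange(n)

# Assumed character classes: letters picked because they render clearly on a 5x5 LED matrix
DIGITS = "0123456789"
LETTERS = "ACEFHJKLPTUXYZ"
SYMBOLS = "#+-="
ALPHABET = DIGITS + LETTERS + SYMBOLS


def generate_pin(length=4):
    """Button A: numeric PIN of the given length."""
    return "".join(_choice(DIGITS) for _ in range(length))


def generate_password(length=12):
    """Button B: password guaranteed to contain a digit, a letter and a symbol."""
    if length < 3:
        raise ValueError("length must allow one character per class")
    chars = [_choice(DIGITS), _choice(LETTERS), _choice(SYMBOLS)]
    chars += [_choice(ALPHABET) for _ in range(length - 3)]
    # Fisher-Yates shuffle so the guaranteed classes are not always in front
    for i in range(len(chars) - 1, 0, -1):
        j = _randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def run_on_microbit():
    """Button loop for the device; returns False when not running on a micro:bit."""
    try:
        from microbit import button_a, button_b, display, sleep
    except ImportError:
        return False
    while True:
        if button_a.was_pressed():
            display.scroll(generate_pin())
        elif button_b.was_pressed():
            display.scroll(generate_password())
        sleep(50)


if __name__ == "__main__":
    if not run_on_microbit():
        print("PIN:", generate_pin())
        print("Password:", generate_password())
```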

16/08/18 Interesting Readings, News

Checkmarx Security Research Team latest work

Some of our work has been published and I would like to share it here:

More coming soon in a web near you 🙂

16/08/18 Bug Bounty, Tools

h1-search tool

Paulo Silva and I wrote a simple Golang tool to check full disclosures on HackerOne. Why?

  • You can filter the results
  • You can see ALL the results (H1 has a page limitation of 25 results)
  • It’s coded in Go 😀

So if you want to give it a try, feel free to install it and contribute – https://github.com/dsopas/h1-search

20/04/18 Tools

RFD Checker and Security Assessment Mindset

I recently published two repos on my GitHub account. One is RFD Checker, which I wrote with my colleague Paulo Silva and which scans for Reflected File Download vulnerabilities; the other is a security mind map (also available in other formats). The latter had pretty good success simply because it is a mindset for helping infosec peers and bug bounty hunters with their assessments.

Feel free to share them and contribute to either project. They are open source, and with the help of the infosec community they can become better tools for your arsenal.

20/04/18 My Events, News

Reflected File Download webinar

On 13th March I did a webinar for Checkmarx showing, in around 30 minutes, what Reflected File Download is and how this web attack vector can be exploited.

You can still watch the recorded version at RFD: Still Threatening the Biggest Names on the Web.

I had a lot of fun doing it because it was my first webinar 🙂 ‘Til next time!

29/12/17 Papers

BLE Driving 101

I’m writing this article as part of my path to becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks, like pentesting IoT for clients.

Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.

I used bleah (props to evilsocket) to record all the BLE devices on a car drive. Keep in mind that BLE has a max range of around 100 meters (in open space), but the cheap adapter that I used had a range of 20 to 50 meters.
So first things first, right? Modify my dongle.

I had the HUGE help of kripthor, and we started by disassembling the device and identifying where the antenna was.

We removed the connection and, after a few tries, connected the external antenna of an old IP cam. Because the PCB was too small and the wires could break when connecting the device, we used a solder wire plastic holder (as a case) to keep it all together and glued everything with a Chinese glue gun 🙂

This was the final result.

On the left you have the original dongle and on the right the mean mother f*cker dongle!

What I noticed… Better range and signal. I did a couple of tests using my own wearable, and then my friend Paulo entered the scene to hold his watch in an open space.

Original dongle
  80 m range: not detected
  60 m range: -117 dBm (sometimes not detected)
  30 m range: -84 dBm
  10 m range: -76 dBm

Mean mother f*cker dongle
  100 m range: -92 dBm
  60 m range: -84 dBm
  30 m range: -76 dBm
  10 m range: -71 dBm

Now that I have a better dongle 😀 I added it to my portable configuration:

1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with an acrylic case (running Raspbian)
1x Powerbank

Devices found

Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-Mechanics (Thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co

Totalling 74 devices in a 2.4km car drive across the city. Among the unknown vendors I saw a couple of Chinese wearables, Tiles, bike GPS units, etc.

The next step is to check popular areas, e.g. running or bike race events. Those would pick up lots of BLE devices.

04/12/17 Papers

Using UART to connect to a chinese IP cam

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html

Student ID: IoTE- 766

Following my interest in going deeper into IoT, especially hardware hacking, I grabbed a Chinese IP cam (Loftek) and started checking its internals. I had already researched the web application itself and the mobile app for Checkmarx, but now I wanted something different.

My main goal was to find a serial port that I could connect to my laptop and see where it took me. I was really hoping for root access…

After identifying the components I got what I wanted: a UART connection at J2 that I hoped would let me set up serial communication. In this case it was pretty easy to identify the pins because they were printed on the PCB: RX, TX, GND and VCC (5V).

I grabbed a couple of pins and started soldering them to RX, TX and GND. The last one was not very well positioned because the pin holes were very close to each other.

Now the fun part: connecting to my laptop. I used 3 jumper cables and the Attify Badge.

RX – D0
TX – D1
GND – GND

Next step: detect the baud rate of the communication. I used the Python script from Craig Heffner on Kali Linux and it returned:

In the following case I used screen, but you can also use minicom, with the previously detected baud rate:

And guess what! A root shell dropped in the console.
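To show what a baud-rate detector like the one used above actually does, here is an added example (not Craig Heffner's script and not code from this post): it reads a short sample at each candidate rate and keeps the rate whose bytes look most like ASCII console text, treating an all-garbage result as "no console found". The serial reader assumes pyserial; the sample bytes are constructed for the offline demo.

```python
import string

CANDIDATE_RATES = (9600, 19200, 38400, 57600, 115200)
PRINTABLE = set(string.printable.encode("ascii"))


def text_score(sample):
    """Fraction of bytes that are printable ASCII. A boot log read at the right
    rate scores near 1.0; a wrong rate yields framing garbage and scores near 0."""
    if not sample:
        return 0.0
    return sum(1 for b in sample if b in PRINTABLE) / len(sample)


def pick_baudrate(samples, threshold=0.9):
    """samples: {rate: bytes}. Returns (best_rate, score), or (None, 0.0) when no
    candidate reaches the threshold (idle port, TX not wired, or an unlisted rate)."""
    best_rate, best_score = None, 0.0
    for rate in CANDIDATE_RATES:
        score = text_score(samples.get(rate, b""))
        if score > best_score:
            best_rate, best_score = rate, score
    return (best_rate, best_score) if best_score >= threshold else (None, 0.0)


def read_samples(port, nbytes=256, timeout=1.0):
    """Collect one sample per candidate rate from a real UART adapter (assumes pyserial)."""
    import serial
    samples = {}
    for rate in CANDIDATE_RATES:
        with serial.Serial(port, rate, timeout=timeout) as ser:
            samples[rate] = ser.read(nbytes)
    return samples


# Constructed samples standing in for what a camera's console might return per rate.
DEMO_SAMPLES = {
    9600: b"\xff\xfe\x00\x80\x8a\x00\xfc\xfe\x00\x1f\x80\x00",
    38400: b"\xe0\x00\x7f\xff\xf8\x00\x80\x0e\xfe\x00\x80\x00",
    57600: b"\xf0\x80\x00\xfe\xff\x00\x7e\x80\x00\x0f\xf8\x00",
    115200: b"CONSTRUCTED boot banner\r\nDRAM: 64 MB\r\nStarting kernel...\r\n",
}

if __name__ == "__main__":
    print(pick_baudrate(DEMO_SAMPLES))  # (115200, 1.0)
```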

Another interesting thing that I had already done in previous research was to use this IP camera to sniff the network. What I did was install a tcpdump binary and create a small script:

#!/bin/bash
# Switch the camera's wireless interface (ra0) into monitor mode
ifconfig ra0 down
iwconfig ra0 mode monitor
ifconfig ra0 up
# Capture raw 802.11 frames for 30 seconds with the tcpdump binary copied onto the camera
./tcpdump -i ra0 --monitor-mode -w cap.cap &
sleep 30
killall tcpdump
# Return to managed mode and rejoin the original network so the camera keeps working
ifconfig ra0 down
iwconfig ra0 mode managed essid network-2g key s:myKeyto_Wifi
ifconfig ra0 up

After a while I got a few hits in Wireshark that allowed me to see people using Dropbox inside the network, and some other services:

LLMNR/NBNS Poisoning anyone? 🙂

I hope to continue my path in hardware hacking because it’s really fun. Don’t forget to also check my BLE article, where I wrote my notes on this “smart bluetooth” thing.

15/11/17 Donations

Together we’re strong

A few months ago, Luis and I had the idea of helping the firefighters (true heroes) with a donation that could make their job safer.
More than 210 thousand hectares of forest burned in Portugal this year alone, so this was the right thing to do.

After talking with João we thought about bringing more people together, especially in the infosec community. The objective was to bring more cash to the bucket.

The decision was unanimous: donate as much as we can to Associação dos Bombeiros Voluntários da Figueira da Foz.
Currently they’re asking for help with the acquisition of a new car.
This requires a huge amount of money. Other donations go to tires, car repairs, fuel, water, IT equipment and the firefighters’ special clothing.

So if you want to help out…

The IBAN is PT50 0045 3050 4024 7032 1811 2.
Also, don’t forget to send an email to geral at bvff.com.pt with the wire transfer confirmation and your NIF so they can send you the receipt.

The following community gathered a total of 1845€:

Thanks!
