Cognitive and Scientific Brainology

Prolog

Wireless Power is not something new. It’s an old idea, an old dream, an old demo. However, it now revived with new forces in form of new technology products.

Mainly, there are two camps trying to use magnetic induction to charge things:

• one offering a charging pad
• other trying for over-the-air power

However, the post is not about going over this technology itself - if you want to explore, check the links provided at the end.

To the point

The point of this post is to discuss the security perspective of wireless power transfer, especially for over-the-air type. Several couple of years proved consistently that wireless technologies (WiFi, RFID, remote controls, GSM, etc.) are very prone to security vulnerabilities (sadly, most often by design, rather by implementation).

The types of attack one can envision are:

• wireless power theft

  Read more! »

TV-B-Gone experiments - Part 1

Prolog

For those who don’t know, TV-B-Gone is a device that makes TVs… well, to be gone… (As in Boris-The-Bullet-Dodger). It was invented by Mitch - Altman, and is sold as a ready (but limited in flexibility) unit, as well as a soldering/programming kit from Limor aka LadyAda.

I bought my TV-B-Gone kit version 1.1 from LadyAda some time back, but only recently with help from VadimBo, we got it soldered and (re)programmed.

Just to give you an idea what can be done (but not actually advised though ) - check “Confessions: The Meanest Thing Gizmodo Did at CES”

To the point

The downsides of the version 1.1 are:

• there are mainly NA codes only supported in firmware 1.1 and 1.1b
• there are only around 40+ codes supported in firmware 1.1 and 1.1b

So, I backported from tvbgone firmware 1.2 (Caitsith corrected WORLDcodes.c #ifdef version) into firmware 1.1b the following:

• removed NAcodes, which are UNcompressed version of limited codes table
• added WORLDcodes, which are compressed/optimized version of extended codes table
• modified main() to use compressed codes table routines
• modified Makefile to use EU/NA/both tables

Downloads

• Sources and .hex of firmware 1.1b for tvbgone containing backport of WORLDcodes from 1.2
• .hex of the original shipped “factory” version of tvbgone 1.1 from LadyAda (in case you want to restore original)

Read more! »

UPDATE 20101012

By a very nice coincidence I have bumped into this interesting paper (dating around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!

Given I currently work in a telecom billing software company - I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass for avoiding this kind of problems. Worst, they don’t even realize it :-S…

PS: …and YES, Bank Of Cyprus (along with its new migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:

• input like “1E+3″ which gets translated into “1000″
• “round-to-nearest, ties away from zero” for 3rd decimal, i.e. “0,004″ gets translated to “0,00″ and “0,007″ gets translated to “0,01″

Happy hacking…

Money

When it comes to speaking about money, a lot of people get interested. And nowadays most money discussion evolve around or near-by the EUR-USD exchange rates.

Some people (including me sometime ) are unhappy to depend and always lose their honestly earned savings because of some avid and greedy circles of interest are playing with exchange rates and make them uncontrollable…

Read more! »

Learning GSM: USSD fuzzing and attacking the network

Prerequisites of attacks

Some points why USSD is a good choice:
- USSD and USSD replies are free compared to SMS (except special, VAS, etc. numbers)

- USSD and USSD replies interact with 3rd party USSD Gateways software which most probably can be attacked more easy compared to SMSC

- USSD Gateways (if not crashed by a border-case/not-tested/unusual/malformed USSD message or USSD reply), forward the messages to Applications. Most probably “Third party content and application providers” suffer from buffer overflow, script injection, SQL injection, etc.

According to http://www.truteq.com/tips/ussd/:
“The menus are served by applications. This may not be at the GSM network operator, but at a content provider connected to the USSD infrastructure. Applications or content can therefore be served from :
1. Standard supplementary services
2. GSM Network Operators value-added services
3. Third party content and application providers
“

- USSD sessions implementation mechanisms can be exploited in USSD Gateways (grow huge sessions, open huge number of sessions, etc.)

Means to practically implement attacks

Fuzzing requires a lot of messages/replies back and forth through TELCO’s equipment. Many may say that such activity may not go unnoticed, and this is true.

Read more! »

Learning GSM: Mobile/Cell Phone Power-Off vs Mobile Not-reachable/Battery-discharged

Power-Off vs Not-reachable/battery-discharged

It was interesting for me to find out and read an old paper called “Forensics and the GSM mobile telephone system” (original article file 03_spring_art1.pdf).

The point I want to discuss here is also somehow related to trust or mis-trust whether a given called subscriber really went out of GSM network reach/had the battery discharged during idle OR the subscriber actually shut-off his phone and pretends he is out of network reach/battery discharched.

This trust/mis-trust often comes as a facade dialogue template:
John: “I tried to called you regarding XYZ”
Bob: “Umm, I am really sorry - I really wanted to talk to you, but I lost network/I had phone battery discharged” (when actually Bob did switch off his phone on purpose not to be reachable specifically by John and/or other calling parties)

Now there is really a way, without having any technical device or very specific knowledge to find out whether a subscriber has shut down his phone or went out of network-reach or had his battery discharched.

Read more! »