Thursday, January 15, 2015

Is it bigger than a Breadboard?

Short post today... I'm sharing with you some of my work using breadboards and Arduinos on 123d.circuits.io.

Simple Project

The first example is something simple. The light turns on when you press the button.

A little more difficult

This project isn't quite finished.
My intention here was to create a game where the Arduino would generate a random sequence of light flashes. You would then have to press the buttons corresponding to the lights in the same order that the lights flashed. The difficulty would increase as you went on.
Unfortunately, I couldn't quite get the software right. I had a hard time capturing the button presses, sequencing them, and matching that sequence to the true pattern. With a little more time I could probably get it working, but I welcome any comments!

Wednesday, January 14, 2015

Sport Phishing

Introduction

Today's post is about phishing. I will illustrate a simple example using the Google login screen. Using an apache2 webserver, I host a phishing page that captures the username and password of an unsuspecting user and saves them to a file. In the process, I learned about PHP, HTML POST requests and how to set up a webserver.

Source Code

After setting up my webserver on my Unix box, I downloaded the source code of the Gmail login page:

The familiar Google login page.

The relevant source code for the form submission.

By looking at the source code, we can see that the login page uses a form with a POST request to send the login data to https://accounts.google.com/ServiceLoginAuth. My goal, then, is to hijack that request, sending the data to a page of my own making before redirecting the user to the real login page, none the wiser.

Modifying the Page Source

The first step is to modify the page source and host it on my webserver. All I'm going to do is change the destination of the POST method to a page of my own creation (see next section). I'll call that page "get_info.php", so that's what I'll modify in the Google source code.
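Seen from the defender's side, the changed form destination is the detectable artifact. The check below is an added example, not code from the original post: it flags any password form whose target resolves outside the expected origin. The function and class names, the sample markup and the `clone.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the one origin that should ever receive these credentials.
EXPECTED_ORIGIN = ("https", "accounts.google.com")

# Constructed sample pages (not the real Google markup).
GENUINE = ('<form method="post" action="https://accounts.google.com/ServiceLoginAuth">'
           '<input name="username"><input type="password" name="password"></form>')
CLONE = ('<form method="post" action="get_info.php">'
         '<input name="username"><input type="password" name="password"></form>')

class FormScanner(HTMLParser):
    """Records the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.open_action = None   # action of the form being parsed, if any
        self.has_password = False
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.open_action, self.has_password = attrs.get("action") or "", False
        elif tag == "input" and self.open_action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.open_action is not None:
            if self.has_password:
                self.actions.append(self.open_action)
            self.open_action = None

def audit_login_page(page_url, html):
    """Return resolved form targets that leave EXPECTED_ORIGIN (empty = clean)."""
    scanner = FormScanner()
    scanner.feed(html + "</form>")   # also flushes a form left unclosed
    scanner.close()
    findings = []
    for action in scanner.actions:
        target = urljoin(page_url, action)  # relative/empty actions resolve to the host page
        parts = urlsplit(target)
        if (parts.scheme, parts.hostname) != EXPECTED_ORIGIN:
            findings.append(target)
    return findings
```

A relative action such as "get_info.php" only looks harmless in the markup; resolving it against the URL the page was served from is what exposes the foreign destination.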

PHP

I wrote a small PHP script, "get_info.php", that captures the login data and appends it to a file on the server.


It then redirects the user to Google's actual login page. To the casual user, it would appear as though she had merely entered her password incorrectly. If I had more time, I would figure out how to have the "incorrect password" notification appear, so there would be no clue to the user that something is amiss.

Data Capture

The final result is a csv file with username / password pairs.


Final Thoughts

When I started this project, I had never encountered PHP before, so part of the challenge was figuring out how the form worked. Future exploration would probably skip the "get_info.php" step altogether and simply have malicious PHP embedded in the original page. I would also make the redirection more surreptitious.

Wednesday, January 7, 2015

RFID Skeleton Key

What do Amazon.com, a college dorm, and a top-secret government facility have in common? They all use Radio Frequency IDentification devices to track the movement of important objects. RFIDs consist of a tag that broadcasts identifying data to a receiver when it moves within range. Businesses use them to track inventory throughout a supply chain. Institutions use them to grant certain people access to resources and track their use.

RFID used in product identification. Note the small size of the coil and chip.

Johns Hopkins uses RFID technology embedded in ID cards as the primary means of restricting access to student dorms and other buildings. As a Resident Advisor, I use this technology every day. Not only is it critical to student security to restrict access to the dorms to authorized persons, but in crisis situations it is critical that the university be able to track the whereabouts of students when they are on campus. On more than one occasion that I have seen, card access records have been used to locate students who were believed to be a danger to themselves or others. Maintaining the one-to-one mapping of RFID tags to users is critical to maintaining the safety and security of students on campus.

Unfortunately, RFID technology (particularly older versions) is vulnerable. According to several articles, it is actually pretty easy to spoof an RFID card using off-the-shelf technology. Using an Arduino, a toilet paper roll, and a handful of simple components, it's possible to create a transmitter that spoofs an existing card.

This in itself would not be too scary, since getting close enough to a card to skim its ID code is generally considered prohibitively difficult. However, it is not difficult to imagine an RFID skimmer planted behind a legitimate receiver that could not only spoof the ID cards of every resident of a building, but also track their movements over the course of days or weeks. Even without skimming card numbers, it would be possible to brute-force many older RFID systems, provided the attacker knew some basic information about the system in question.

Most modern RFID access control systems utilize more robust protocols to guard against these kinds of vulnerabilities. For example, there might be two-way communication between card and receiver used to authenticate the user. Or the card could use a one-time-pad system to encrypt data. Nevertheless, given the ubiquity of RFID systems, not all of them state-of-the-art, the vulnerabilities of the technology cannot be ignored.
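To make the difference concrete, here is a small model of a static-ID tag next to a challenge-response tag, showing why bytes observed at one read are useless at the next once the reader issues a fresh nonce. This is an added example, not from the original post or from any real card protocol; the class names, the 4-byte ID and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Older-style tag: sends the same ID to whatever reader energises it."""
    def __init__(self, card_id):
        self.card_id = card_id
    def respond(self, challenge):
        return self.card_id                      # the challenge is ignored

class KeyedTag:
    """Tag holding a secret key; answers each reader nonce with an HMAC."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def respond(self, challenge):
        return self.card_id + hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    def __init__(self, static_ids, keys):
        self.static_ids = set(static_ids)        # legacy allow-list of bare IDs
        self.keys = dict(keys)                   # card_id -> shared secret
    def new_challenge(self):
        return secrets.token_bytes(16)           # fresh nonce per read
    def accept_static(self, response):
        return response in self.static_ids
    def accept_keyed(self, challenge, response):
        card_id, mac = response[:4], response[4:]
        key = self.keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def replay_outcomes():
    """Observe one read of each tag, then present the same bytes at a later read."""
    card_id, key = b"\x00\x00\x12\x34", secrets.token_bytes(32)   # constructed values
    reader = Reader({card_id}, {card_id: key})
    static_tag, keyed_tag = StaticTag(card_id), KeyedTag(card_id, key)
    first = reader.new_challenge()
    seen_static, seen_keyed = static_tag.respond(first), keyed_tag.respond(first)
    later = reader.new_challenge()
    return {
        "static_replayed": reader.accept_static(seen_static),
        "keyed_replayed": reader.accept_keyed(later, seen_keyed),
        "keyed_live": reader.accept_keyed(later, keyed_tag.respond(later)),
    }
```

The property that matters for an access-control audit is the first entry: a reader that accepts a bare ID has no way to tell the enrolled card from a copy of its transmission.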

UPDATE: I realize that this post doesn't cover a current vulnerability in an OS; however, this issue is something that affects systems that I use on a daily basis.

Tuesday, January 6, 2015

Dell Charger Brick Power Specs

When I first took home my laptop, I noticed that it was a monster. I had bought it based on the specs, not paying much attention to its size. As it turns out, it's a 17.5in behemoth, which I named "Levi" - short for "leviathan". In any case, with a huge computer comes a huge power supply, as can be seen below:

Charger brick on top of laptop - banana for scale

Specs

The power brick can take input between 100-200V at 3.5A AC at 50-60Hz. The output is 12.5V at 12.3A DC. That means it has an internal resistance of 1.59Ω, and power output of 240W (rounding to 3 significant figures). Since I'm an RA and still live on-campus, that means according to BGE's confusing rate schedule, the school is paying between 1.68 and 3.71 cents per hour that I have my charger plugged in. Assuming I'm lazy and leave my charger plugged in all the time, that's $6.23 per week - or a little over two and a half gallons of gas per week, given Maryland's average price of $2.369 per gallon.