Posts tagged: Hacking Video

Oct 01 2013

New Touch ID Hack Allows to Unlock iPhone by Multiple FingerPrints

iPhone 5S Touch ID HackThe Iranian group defeated the very basic phenomenon of an iPhone Fingerprinting scanner, which allows them to unlock an iPhone device with multiple Fingerprints.

Apple‘s iPhone 5s, was launched just available in stores two weeks before with a new feature of biometrics-based security system called “Touch ID”, that involves analyzing a user’s fingerprint and using that to unlock the phone.

Apple launched the technology that it promises will better protect devices from criminals and snoopers seeking access. With this you can purchase things from the iTunes App Store. Basically, you can now use it in place of your password.

“Fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike,” according to the Apple’s website.

Last week Germany Hackers showed that how they were able to deceive Apple’s latest security feature into believing they’re someone they’re not, using a well-honed technique for creating a latex copy of someone’s fingerprint.

Another interesting fact is that, Touch ID is not only designed to scan the fingerprints of your fingers, it works with various human body parts and appendages which are also not fingers.

In a video demonstration, the Group set up a mixed Fingerprint scan of 5-6 people for an iPhone 5S handset (as shown in the video), which allowed all of them to unlock the locked device with their individual fingerprint.

According to Apple, the chance that Touch ID will misread a finger is 1 in 50,000 , this is because Touch ID is not designed to capture the fingerprint in strict mode. It scans the fingerprint on a very high-resolution (2400 dpi), to get and match the partial parts of an impression for faster unlocking.

If the iPhone is not able to scan the thumb impression in the strict mode to be unique, there is a possibility that out of 1000 thumb impressions iPhone’s Touch ID system can count 2-3 impressions as of the same person.

Sep 02 2013

Facebook Vulnerability that Allowed any Photo to be Deleted Earns $12,500 Bounty

Facebook BountyAn Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21 year old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program Kumar received a reward of $12,500.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

Kumar explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.

Jul 25 2013

Hackers Use Laptop to Control Car

Two security experts in the US have demonstrated taking control of two popular models of car, while someone else was driving them, using a laptop.

Speaking to the BBC ahead of revealing their research at security conference Defcon in Las Vegas in August, Charlie Miller and Chris Valasek said they hoped to raise awareness about the security issues around increasingly computer-dominated car control.

How They Did It:

The researchers used cables to connect the devices to the vehicles’ electronic control units (ECUs) via the on-board diagnostics port (also used by mechanics to identify faults) inside a 2010 model Ford Escape and Toyota Prius.

Contained within most modern vehicles, ECUs are part of the computer network that controls most aspects of car functionality including acceleration, braking, steering, monitor displays and the horn.

The pair were able to write software which sent instructions to the car network computer and over-rode the commands from the actual drivers of the cars.

Their work, funded by the Pentagon’s research facility Darpa, has so far received a mixed reaction from the manufacturers themselves.

Source: BBC News

Jul 09 2012

Hackers Steal Keyless BMW in 3 Minutes

On the car forum 1Addicts, a one-time poster by the name of “stolen1m” uploaded the video showing how his BMW was stolen in under three minutes. He suspects the thieves used devices that plug into the car’s On-Board Diagnostic (ODB) port to program a new keyfob.

In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a “blind spot” just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it.

BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery. This is unfortunate given that the evidence seems to point towards BMWs being specifically targeted. Whether that’s because they are luxury cars or because they have a security loophole doesn’t matter: the point is BMW needs to do something about it.

If you want to protect yourself from this hack, look into how you can disable the OBD port on your BMW by disconnecting the corresponding wires. If you or your dealer needs it, you can always reenable it. Alternatively, you can try to further secure the port in your own custom way.

Jul 05 2012

Android Clickjacking Rootkit Demonstrated

ClickJackingA team of security researchers have demonstrated how a security flaw in Android 4.0.4 can be exploited by a clickjacking rootkit.

The research team is lead by North Carolina State University professor Xuxian Jiang, who succeeded in developing a proof-of-concept rootkit that attacks the Android framework as opposed to the underlying operating system kernel. The researchers contend that such a rootkit could potentially be downloaded with an infected app and be used to manipulate the smartphone.

In the video, the demonstrator was able to hide applications on the device, as well as get them to launch when icons for other applications are clicked. If downloaded with an infected application, the rootkit could for example hide the smartphone’s browser and replace it with a browser that looks exactly the same but actually steals all of the user’s information.