[HN Gopher] Bypassing Android MDM Using a $1.50 Electric Gas Lig...
       ___________________________________________________________________
        
       Bypassing Android MDM Using a $1.50 Electric Gas Lighter
        
       Author : paulgerhardt
       Score  : 175 points
       Date   : 2020-09-25 15:23 UTC (7 hours ago)
        
 (HTM) web link (payatu.com)
 (TXT) w3m dump (payatu.com)
        
       | paulcarroty wrote:
       | Oh, just remembered I need to buy the one :)
        
       | Hasz wrote:
       | Next step in cheap but effective is building a small waveguide
       | for your arc lighter -- probably easier to target what you want
       | vs the point source you have now.
       | 
       | Can basically be a few pieces of carefully sized tinfoil, or some
       | copper wire with copper clad soldered around it.
       | 
       | Also, the term "Jugaad" for Indian macgyverism is excellent!
        
       | ComodoHacker wrote:
        | So did this guy just revive a long-declined market of "tough"
        | mobile devices (rugged, EM shielded, thermoresistant etc.)?
        
       | trhway wrote:
        | Using an X-ray generator and knowing the chip layout one can
        | probably target specific registers/memory cells.
        
       | marunmagesh wrote:
       | Hey Guys! I am the OP for this blog. Please direct your queries
       | to me.
        
         | arunmagesh wrote:
          | Huh?? If you're me, who am I???
        
           | mcraiha wrote:
           | Will the real OP please stand up?
        
           | magesharun wrote:
           | He is not you, I am you.
        
         | namanaggarwal wrote:
         | I would like to report this if this is not genuine
        
       | danbruc wrote:
       | What is the point of those color gradients in the photos? [1] Are
       | they supposed to conceal the chip? If so, that didn't work very
       | well. [2] Just make it completely black, people have failed often
       | enough to properly redact information because they tried to do
       | something fancy, something more visually pleasing. At least
       | unless they did this intentionally, either because they wanted it
       | to be visible but also wanted some deniability as an accident, or
       | to mislead by embedding false information.
       | 
       | [1]
       | https://payatu.com/static/images/remoteblogs/arun/emfi_blog/...
       | 
       | [2] http://www.unisoc.com/sc9863a
        
         | arunmagesh wrote:
          | Ouch. That was not an intended one. Those colourful overlays
          | are just Android stickers. I didn't expect them to be
          | translucent. :( I fixed it. I would kindly request you to
          | modify / remove the link part please. :(
        
           | [deleted]
        
           | kspacewalk2 wrote:
           | >I would kindly request you to modify / remove the link part
           | please . :(
           | 
           | But... why?
        
             | arunmagesh wrote:
             | This might give out information about the device we used.
             | That should be a secret.
        
               | dylan604 wrote:
               | I'm sorry, but this is your fault. You improperly tried
               | to conceal a picture by being cute instead of effective
               | while trying to earn bragging points with a very public
               | announcement about your hack. You brought the eye of
               | Sauron upon yourself. It'll be a painful lesson to learn,
               | but I'm guessing you won't make this mistake again. Some
               | of us have been there before. Welcome to the club. We've
               | got jackets.
        
             | jerome-jh wrote:
             | If MDM is deployed by companies, the device may come from
             | the author's employer, friend's employer, government?
             | Memory ref + CPU ref makes it somewhat identifiable.
        
           | danbruc wrote:
           | That's now unfortunately too late, I can no longer edit or
           | delete the comment, maybe one of the mods can censor it. And
           | by the way, you added a new photo to the article but the
           | original file is still there, following the link in my
           | comment still yields the photo with the visible part number.
           | There might very well be people out there that notice that
           | the article has 1.png, 2.png, 3.png, 44.png, an image with
           | something hidden, and then 5.jpg [1] and then start to wonder
           | what 4.png or 4.jpg might look like.
           | 
           | [1] Yes, there are also 5.png, 6.png, and 8.png in between
           | out of order, it is not a perfect pattern, but it is still
           | close enough that one might notice the missing 4.png.
        
             | crazysim wrote:
              | The blog poster can edit the image on their own site, right?
        
               | danbruc wrote:
               | But they can not get the link to the chip out of my
               | comment.
        
           | jstanley wrote:
           | If you think the numbers on the chip contain some personally
           | identifiable information: fear not, they are generally just
           | part numbers and sometimes date codes.
           | 
           | If that's not the reason for trying to redact them, what is
           | the reason? I can't think of anything else reasonable.
           | 
           | EDIT: I now realise that this was a very condescending
           | comment to write to someone who, based on the submitted blog
           | post, is considerably better at electronics than I am. Sorry
           | about that!
        
       | nom wrote:
       | A bit OT but this just reminded me of something I haven't thought
       | about for many many years. Just wanted to share.
       | 
       | I bypassed the payment procedure in a coke vending machine with a
       | lighter.
       | 
        | In Germany, around 2004, we had a coke vending machine at school,
        | probably from the mid 90s. Someone told me you get free coke if
        | you flick a (non-piezo) lighter in front of the display at the
        | right time. I didn't believe it one bit, but when I tried it, it
        | actually worked. It quickly spread around our school until months
        | later the service guy fixed it.
        | 
        | Many years later I realized what had happened. The flick of the
        | lighter emitted a strong IR impulse that triggered an infrared
        | receiver (which was probably used for debugging, configuring
        | etc).
       | 
       | This must have caused an interrupt, and if triggered at the same
       | time the machine vended the bottle, it completed vending but
       | never got back to actually decrementing the money you put into
       | it. You could empty out the whole machine with nothing else but 1
       | Euro and a lighter and you even got your money back.
       | 
       | Lots of cokes were had.
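The mechanism nom describes above (an unexpected interrupt landing between "dispense" and "settle the credit") is a general fault-injection failure mode, and it is the same ordering problem that the slot-machine and phone glitching discussed elsewhere in this thread exploits. The following Python model is an added example by the editor, not code from the linked post or from any real vending machine: the controller, its step names and PRICE are assumptions. It treats a glitch as "one step of the control sequence does not execute" and checks, for every possible skipped step, whether a product leaves the machine for less than its price. Ordering the debit before the dispense, plus a redundant re-check of the balance, removes every free-product outcome.

```python
"""Toy model of a credit/dispense controller under a skip-one-step fault.

Added illustration only; the controller, step names and PRICE are assumed,
not taken from any real machine. The fault model is "one step of the
sequence does not execute", which is what a stray interrupt or an EMFI/ESD
pulse at the wrong moment can cause.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


PRICE = 100  # cents; assumed


class Abort(Exception):
    """Controller refuses to continue; any remaining credit is refunded."""


@dataclass
class Machine:
    credit: int                      # cents the customer has inserted
    stock: int = 10
    dispensed: int = 0
    refunded: int = 0
    expected: Optional[int] = None   # balance expected after the debit


def check_credit(m: Machine) -> None:
    if m.credit < PRICE:
        raise Abort("insufficient credit")
    m.expected = m.credit - PRICE


def debit(m: Machine) -> None:
    m.credit -= PRICE


def verify_debit(m: Machine) -> None:
    # Redundant check in the style of glitch-hardened firmware: recompute
    # what the balance must be and refuse to dispense if either
    # check_credit or debit did not actually run.
    if m.expected is None or m.credit != m.expected or m.credit < 0:
        raise Abort("debit did not take effect")


def dispense(m: Machine) -> None:
    if m.stock <= 0:
        raise Abort("sold out")
    m.stock -= 1
    m.dispensed += 1


Step = Callable[[Machine], None]

# Vulnerable ordering: the product leaves the machine before credit is settled.
VULNERABLE: List[Step] = [check_credit, dispense, debit]
# Hardened ordering: settle and re-verify credit, and only then dispense.
HARDENED: List[Step] = [check_credit, debit, verify_debit, dispense]


def vend(m: Machine, sequence: List[Step], skip: Optional[int] = None) -> Machine:
    """Run the sequence; the step at index `skip` is silently not executed."""
    try:
        for i, step in enumerate(sequence):
            if i != skip:
                step(m)
    except Abort:
        pass
    # Refund whatever credit is left, never paying out a negative balance.
    m.refunded = max(m.credit, 0)
    m.credit = 0
    return m


def free_products(sequence: List[Step], initial_credit: int) -> List[int]:
    """Indices of steps whose omission yields a product for less than PRICE."""
    hits = []
    for skip in range(len(sequence)):
        m = vend(Machine(credit=initial_credit), sequence, skip)
        paid = initial_credit - m.refunded
        if m.dispensed == 1 and paid < PRICE:
            hits.append(skip)
    return hits


if __name__ == "__main__":
    for name, seq in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for credit in (0, PRICE):
            names = [seq[i].__name__ for i in free_products(seq, credit)]
            print(f"{name}, credit {credit}: free product when skipping {names}")
```

With full credit, skipping `debit` in the vulnerable ordering gives the product and the money back, which is exactly the outcome nom describes; with zero credit, skipping `check_credit` does the same. In the hardened ordering no single skipped step produces a free product, because `verify_debit` recomputes the balance independently of the earlier steps. The model does not cover the opposite failure (skipping `dispense` after the debit, which costs the customer money); real firmware handles that by journaling the pending vend before dispensing, which is outside this example.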
        
         | worstenbrood wrote:
          | I have a similar experience. 20 years ago a friend told me a
          | trick which only worked on vending machines from a particular
          | brand. It only worked on the drinks with the lowest price. You
          | had to put the exact money in the machine for a certain drink,
          | add one cent and press the button for that drink right when you
          | heard the "click" of the money. You got the drink and your money
          | was increased by one cent. After you were done you could just
          | get the money back. It required some practice but when your
          | timing was good you could empty a complete machine. Since most
          | of the vending machines had Red Bull and Jupiler, which had the
          | highest price, we had a lot of free cola/sprite/.... I wonder if
          | it still works.
        
         | narwally wrote:
          | When my sister lost the "sensor bar" on her Wii I showed her
          | how to use a pair of candles to replace it. The sensor bar is
          | just a set of IR lights that the camera on the Wii-mote
          | detects.
        
           | jagraff wrote:
           | I'd imagine a pair of candles would cause the cursor to jump
           | around a lot because of the flickering - how did you solve
           | that problem?
        
             | xyzzy_plugh wrote:
             | With a clean, dry wick it's pretty easy to get a very still
             | flame for a long, long period of time. Though if you have a
             | fan or something blowing, you're out of luck.
        
               | function_seven wrote:
               | I imagine a vigorous game of Wii Tennis will cause those
               | candles to flicker.
               | 
               | And will provide a convenient excuse why I was unable to
               | return that serve.
        
           | chrischen wrote:
           | Valve lighthouse "trackers" work in a similar, albeit
           | slightly more complicated, way.
        
           | mipmap04 wrote:
           | Yeah it's funny that it is called a sensor bar when it has no
           | sensors.
           | 
           | For my undergrad, we had a cross-major project to build a
           | robot that shot pingpong balls at various targets that were
           | tagged with IR lights. We used 2 wiimotes to calculate the 3D
           | space.
        
       | moron4hire wrote:
       | Using an electrical shock to bypass a subsystem in Android makes
       | me think of Data in Star Trek glitching out when he got stuck in
       | an EPS conduit once.
        
         | ben_w wrote:
         | Phrasing it like that makes him sound like a cat, which is a
         | fantastic mental image for the entirety of TNG.
        
           | benjaminjackman wrote:
           | Makes me wish there was a Data / spot consciousness swap
           | episode.
        
       | FriedPickles wrote:
       | The author claimed to use a "cheap electric Arc Gas lighter",
       | which I had never heard of. I think they actually just mean an
       | electric arc lighter because I wasn't able to find such a thing
       | (which would presumably mean a butane lighter with an electric
       | arc igniter rather than piezo).
        
         | arunmagesh wrote:
          | Ah, my bad!! I get the confusion. It is an arc lighter for gas
          | stoves. :/
        
         | tdeck wrote:
          | I wondered about this too, since I have never seen one of these.
          | Perhaps the author is in a country where manual-light gas stoves
          | are more common? In the US I have never encountered such a
          | stove, and searching target.com (a good proxy for common
          | household items) brings up no lighters of this style.
        
       | pjbk wrote:
       | Being in the embedded safety/security industry for years, piezo
       | igniters and sparklers are one of my go-to system test and side
        | attack tools. They were also effective at opening an August smart
        | lock some time ago when one of my coworkers had to enter a room
        | in a hurry and was not carrying their phone with the app.
        | Amazingly a few zaps around the enclosure did it.
       | 
       | The big ones for gas stoves even work some feet away on some
       | badly shielded products. Growing complexity, size/weight
       | reduction and low power technology have made all these devices
       | quite flimsy these days.
        
       | jacquesm wrote:
       | This was a pretty common trick to glitch slot machines, they are
       | hardened quite a bit against this sort of trickery. A mobile
       | phone is much more delicate in general construction and doesn't
       | have access to a handy ground wire.
        
         | w0mbat wrote:
         | It was a similar story with gas pumps, which truck drivers used
         | to glitch to get most of their fill-up for free.
        
           | p1mrx wrote:
           | Attacking a gas pump with a high voltage lighter sounds like
           | a good way to win a Darwin Award.
        
         | grishka wrote:
         | Slot machines are on someone else's premises and (disclaimer:
         | I've never been to a casino myself) are most likely under
         | surveillance, so they'll probably void your winnings and ban
         | you if you start doing something sketchy.
         | 
         | Devices that implement any restrictions against the end user
         | like DRM or MDM, on the other hand, are in possession of the
         | said user. I heard a saying that getting root privileges on a
         | device you physically possess is only a matter of time and
         | effort.
         | 
         | In other words, you can totally take your phone apart as much
         | as your tools and skills allow, but you'll get arrested if you
         | try taking a slot machine apart.
        
           | jacquesm wrote:
           | Sure, the owners would not be happy. But slot machines are
           | installed all over the world and not just in casinos.
           | 
           | The idea was not to take the machine apart but to try to
           | glitch it by hitting metal parts that were not properly
           | grounded. This would then allow the voltage spike to make it
           | into the circuitry, either leading to breakage, no effect, or
           | fault injection. The latter could sometimes be converted into
           | a win on a subsequent spin.
           | 
            | This is 80's stuff, I'm pretty sure today's slot machines are
            | tamper proof to the point that trying this is totally
            | pointless, and even back then hardening against this was
            | common.
        
             | mschuster91 wrote:
             | > This is 80's stuff, I'm pretty sure todays' slot machines
             | are tamper proof to the point that trying this is totally
             | pointless, and even back then hardening against this was
             | common.
             | 
             | They are. Source: I own a modern-ish computer based slot
             | machine and tried my fair share of tricks against it.
        
               | dan000892 wrote:
               | The very first technical standards for slot machines in
               | Nevada are ESD testing to confirm it's safe for the
               | player and that the integrity of the device is unimpacted
               | by 27kV discharge to any point on the exterior of the
               | machine while it's being played (and the test labs really
               | go to town finding gaps in panels and really trying to
               | make something bad happen).
               | 
               | Given the absence of mechanical reels and the fact that
               | the components likely to be susceptible to glitching
               | aren't remotely close to the outside of the machine this
               | isn't a viable attack method for machines in operation.
               | 
               | Source: NV Tech Standard 1 [1] also have zapped modern
               | slot machines with an ESD gun.
               | 
                | [1]: https://gaming.nv.gov/modules/showdocument.aspx?documentid=2...
        
             | xxpor wrote:
             | I happened to be in AP Stats back in HS with the son of the
             | owner of the business who certified all electronic casino
             | games for the state of NJ. We took a field trip to the
             | business and his dad gave us all a tour and explained all
             | of the testing they do for this sort of stuff, the code
             | reviews, making sure the machine's odds were actually what
             | they said they were etc. I don't remember many details at
             | this point (it was 12 years ago, which is insane), but I do
             | distinctly remember the scale and just the amount of stuff
             | they did. It's very serious business, because it was in
             | both the casino owners and NJ's interest to make sure the
             | machines were in fact not hackable as much as possible.
        
       | ideals wrote:
       | This looks like what we used to do with electric lighters to turn
       | them into weak tasers and zap each other at school.
       | 
        | Disposable cameras had a little more oomph though.
        
         | ocdtrekkie wrote:
         | My first lesson in "capacitors store electricity" when I was a
         | kid was when I took the battery out of a disposable camera...
         | and then managed to shock myself with the flash discharge
         | anyways.
        
           | TeMPOraL wrote:
           | I shocked myself a few times with these too, in the process
           | of disassembling the cameras. I needed components (capacitors
           | and the flash circuit) for the ignition system for the rocket
           | engines we were building with a friend, so I went to a local
           | photo store and asked nicely for used cameras with flash.
           | They gave me a bag with some 20 of them.
           | 
           | (The shocks I got were through carelessness; I used a kitchen
           | knife to discharge the caps after ripping off the plastic
           | shell of the camera, but sometimes I touched the wrong thing
           | while disassembling. Roughly half the cameras I got had the
           | caps charged to the point they'd spark brightly on discharge,
           | and one of them damaged the knife.)
           | 
           | Context for those too young to remember: back before digital
           | cameras were available and affordable, you could buy
           | disposable cameras in kiosks and stores cheaply. These would
           | come pre-loaded with a single roll of film, and after you
           | used it up (~30 photos), you'd take the whole camera to a
           | photo store. The photo store people would rip the roll out of
           | the camera, develop your photos, and throw the camera away.
            | Some models came with flash, so if you could get the used
            | ones from the store (or their trash), you got a free source
            | of high-voltage capacitors.
        
           | agumonkey wrote:
           | Did the same at a school trip, after taking off the film I
           | thought I could tear the camera apart, thus exposing the cap
           | connection. Left hand fingers would lean peeerfectly on these
           | metallic parts when playing with the flash.
           | 
            | It became a game between kids. The shock was more intense
            | than harmful, although I saw two white dots on my nail that I
            | assumed were due to the shock.
           | 
           | Today I rip microwave ovens, but I carry gloves and remove
           | caps before anything else.
        
           | leptons wrote:
           | I used to work at radio shack. The rug behind the counter was
           | very efficient at providing static electricity and whenever
           | we touched the barcode scanning wand - zap. So I got a
            | package of 2 kV high voltage capacitors and held one lead
           | while touching the other lead to the wand while rubbing my
           | shoes on the carpet, thereby charging the capacitor. I left
           | the charged capacitor on the POS terminal keyboard for the
           | asshole I worked with to discover. Of course he fell right
           | into my trap and picked up the capacitor. It was pretty funny
           | to me, but not to him. This jerk would often steal my sales
           | and talk down to me, he had it coming.
        
           | thelazydogsback wrote:
            | I did it by sticking a screwdriver where I shouldn't have and
            | touching the flyback cap on an old (CRT) TV that was only
            | recently unplugged. Luckily I wasn't well-grounded, and the
            | part of the screwdriver that shunted the current turned to slag.
        
             | tgsovlerkhgsel wrote:
             | Did you get shocked at all? I'm trying to understand what
             | the return path for the current would be in this situation.
        
               | throwanem wrote:
               | Through the screwdriver shank, as it's placed across the
               | capacitor terminals. This creates a dead short through
               | which the differing potentials on the capacitor plates
               | can equalize - and if the capacitor is large enough, they
               | do so quite enthusiastically.
               | 
               | I ruined a screwdriver of my own that way once,
               | discharging a photoflash cap in a flash head whose
               | control circuit had died with the cap at full charge.
               | Didn't do my hearing any good, either, I'm sure - it took
               | fully half an hour for the ringing to go away.
        
       ___________________________________________________________________
       (page generated 2020-09-25 23:00 UTC)