TL;DR: This is a deep dive into a nice concept for a security token and password manager that turned into a horrible product due to a lack of proper R&D and threat modeling.

Prologue: After my first success in bypassing the APPROTECT readout protection of the nRF52-based Slok smartlock with #PocketGlitcher (see the video below), I started looking around for more interesting and concerning (from a security point of view) nRF52-based products.

And here comes the #Hideez Key 2!


Recently I bought an X-ray machine from China to set up a ghetto-style desktop rig for inspecting and reverse engineering PCBs and hardware implants.


Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way!

Disclaimer: due to a complaint from the citizens of my native city in Italy… I had to rename #PiadinaBoard to #BurtleinaBoard :P

A few months ago I presented #FocacciaBoard: a similar multipurpose breakout board that uses the well-known FT232H to handle multiple protocols commonly found in (I)IoT devices (e.g. UART, JTAG, SWD, SPI, I2C).


A Multipurpose Breakout Board to hack hardware in a clean and easy way!

TL;DR: Go grab the Gerbers and the 3D-printable case STL files at https://github.com/whid-injector/Focaccia-Board and have them made by your favorite fab.

Prologue

Even before the term (I)IoT appeared, I was breaking hardware devices, like many of you, with a multitude of debuggers (e.g. ST-LINK, J-Link, RS232-to-USB adapters, etc.). It was always a PITA carrying around one device that does UART-to-USB, another that supports JTAG or SWD, an SPI reader/dumper, and so on.

Luckily for all of us, FTDI released the lovely FT232H chip, which supports all of them…


In the previous post (https://medium.com/@LucaBongiorni/usbsamurai-a-remotely-controlled-malicious-usb-hid-injecting-cable-for-less-than-10-ebf4b81e1d0b) I talked a bit about USBsamurai built on the C-U0007.

With this blog post I want to shed more light on:

  • The differences between the C-U0007 and the C-U0012
  • How to build USBsamurai with a C-U0012
  • How to flash the C-U0012 with the LIGHTSPEED firmware
  • How to flash the C-U0007 with the G700 firmware to achieve better performance and get the air-gap bypass feature
  • How to set up LOGITacker

Let’s get started!

Differences between the C-U0007 and the C-U0012:

As you can see below, they differ quite a bit from an aesthetic point of view. Moreover, the C-U0007 mounts a Nordic chipset and the C-U0012 a TI chipset. …


TL;DR: The video is self-explanatory. (Want to know how to make it? Read the article below.)

It all started with this tweet last April, when I wanted a damn cheap USB implant capable of injecting keystrokes.

It had to be:

  • Remotely Controllable
  • Fast in Typing
  • Tiny as f***k
  • Cheaper than a bottle of Vodka

The main idea (on the hardware side) is to reuse Logitech’s inexpensive Unifying dongles as implants inside USB cables.

To give you an idea… this is how much this dongle (C-U0007) costs: 7.74 EUR!


A few months ago I was testing some TCP- and Wiegand-based access control systems that also had RFID reading capability and a lovely embedded fingerprint reader.

Most of my time was spent on hardware-security-related tasks. However, since I love messing around with chemical compounds… I decided to test those fingerprint sensors and see which of them could be tricked by a cloned copy of my finger.

First, let’s have a quick overview of how most fingerprint sensors on the market work. (To do that I am using a photo taken from one of the very first academic…


While driving to work I saw an advertisement for a fireworks festival that is going to take place in the city. And, as usual, my curiosity led me to one question: “How do they trigger the fireworks?”

Back when I was a contractor I worked for a company whose main business was demolition with explosives. To give you an idea…


As you may know, I am close to releasing WHID Elite. And as a pedantic hardware developer I want to be sure everything works, down to the smallest details.

Last week I was looking for new targets to test WHID Elite’s radio hacking capabilities and suddenly I found an interesting one: an electrocuting cock ring. Yes, you read that correctly (is there anything you can’t find on Amazon…).


As most of you already know, at the beginning of 2017 Hak5’s Bash Bunny appeared on the market.

It is an interesting toy, but someone (namely Mame82) decided to create a way cooler version based on an $11 Raspberry Pi Zero W, which inherits the concept of air-gap bypass from USaBuse.

Anyway, for more information about P4wnP1’s features check out its GitHub repo: https://github.com/mame82/P4wnP1

As I was discussing with Mame82, P4wnP1 + RPi Zero W is a really cool toy, which enhances the features (i.e. remote HID attacks and air-gap bypass) that were already available in whid.ninja. …

Luca Bongiorni

Non aetate verum ingenio apiscitur sapientia / Omnia silendo ut audeam nosco / There is no deduction for excellence / Tweets are my own
