Sunday, 22 July 2012

Social engineering using QR codes

The HOPE Number 9 conference has come and gone and I had some fun this year. Unlike the last time around, I did not prepare anything well in advance of the conference but had come up with a fun social engineering project the week before.

QR codes are becoming more and more ubiquitous in North America after having gained traction in Eastern Asia (specifically Japan) and most of Europe. Depending on what you put inside, you can have up to almost 3 KB in binary data or almost 7 KB if it is just numeric data. You'll find them in ads in newspapers and subway stations, and almost anyone with a smartphone is capable of scanning these codes.

However, people will scan them without much thought and will in most cases act along with whatever the code requests. An excellent case in point is a friend of mine who has a site called QR Code Promos, which he uses to track people who scan QR codes placed in various locations in the United States and Italy. During DEFCON 19, he slapped a code on one of the female presenters at the Saturday night showing of Hacker Jeopardy and got a large number of males to run up and scan it with their phones. It was downright funny and also sad to see these guys just race right up.

This got me thinking about taking it one step further and asking people to call a voicemail and leave some details for me. It was a two-sided idea: can I get people to call my voicemail and leave these details while at the same time get people wondering what is going on and find something else embedded inside? This ended up being a nice data mining slash puzzle so to speak.

The message

If you were to scan the above code, you'd get a message as follows:

The voicemail number was a K7 account that I had set up for free. Feel free to call it until whenever it expires.

There were about 50 or so printouts of these pieces of paper with every 6 or 7 having a different code. I did attempt to scatter the codes evenly across the whole hotel, but when you look at a QR code, they just blur and look all the same anyhow.

I had managed to snag a few photos of people scanning the codes too. Towards the end of the conference, a lot of them were also vandalised. Security had also asked around about who was putting them up and whether or not they were malicious.

Based on the writings on them, I can see that I got some attention here.

What is the deal with the codes then?

I decided to make the cipher for the decoding process rather simple. I thought about making it a monoalphabetic substitution cipher (swapping letters around, ROT13-style) and using letters as opposed to numbers, but I then decided to run with using a telephone keypad as the decoding method.

In case you're not familiar with the keypad for whatever odd reason, it looks as follows:


    1        2 ABC    3 DEF
    4 GHI    5 JKL    6 MNO
    7 PQRS   8 TUV    9 WXYZ
    *        0        #


Using the above, I encoded the following message:


    237325  afreak
    36822   dotca
    75274   slash
    4673    hope
    226968  canyou
    76583   solve
    843     the
    789953  puzzle


So really it should read:
afreak dotca slash hope canyou solve the puzzle
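Here is the keypad encoding worked through in code. This is an added example, not something from the original post: it encodes the eight words above into the digit strings the codes carried, and then shows the decoding side, where each digit hides three or four letters, so a solver either brute-forces every expansion or matches against a word list. The word list is constructed for the example (the eight intended words plus a few distractors that also encode to 4673), and the "http" encoding at the end is the ninth code suggested later in the post, not one that was printed.

```python
from itertools import product

# Telephone keypad letter groups as shown above (0, 1, * and # carry no letters).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}

# The eight codes from the post, in the intended reading order.
POSTED_CODES = ["237325", "36822", "75274", "4673", "226968", "76583", "843", "789953"]

# Constructed word list: the intended words plus distractors ("gore", "hose")
# that share the digit string 4673 with "hope".
WORDLIST = ["afreak", "dotca", "slash", "hope", "gore", "hose",
            "canyou", "solve", "the", "puzzle"]


def encode(word):
    """Map letters to keypad digits: 'hope' -> '4673'."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


def candidate_count(digits):
    """How many letter strings a digit string could expand to."""
    n = 1
    for d in digits:
        n *= len(KEYPAD[d])
    return n


def expand(digits):
    """Every letter string the digits could spell (brute force, no dictionary)."""
    return ["".join(p) for p in product(*(KEYPAD[d] for d in digits))]


def decode(digits, wordlist):
    """Dictionary-assisted decode: the words in wordlist whose encoding matches."""
    return [w for w in wordlist if encode(w) == digits]


def decode_message(codes, wordlist):
    """Decode each code separately; the order of the codes is not recoverable
    from the digits themselves, which is the weakness the post discusses."""
    return [decode(c, wordlist) for c in codes]


if __name__ == "__main__":
    for code in POSTED_CODES:
        print(code, candidate_count(code), "candidates ->", decode(code, WORDLIST))
    print("ninth code for 'http' would be", encode("http"))
```

Even the short code 4673 expands to 108 possible letter strings, so a solver needs a dictionary; the decoder above finds "hope" but also "gore" and "hose", which is why the words alone gave people the pieces without telling them which reading, or which order, was intended.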

By going to afreak.ca/hope, you'd be presented with the following:

It was pretty simple but I will mention in a bit why there were some problems with my methodology.

Success rate?

Well, I did manage to get quite a number of voicemails:

However, when you break it down, I didn't get that many people calling: only 34 unique calls were registered. The vast majority were from the northeastern part of the United States, with the notable repeat callers (more than two) coming from area codes in Washington DC (9), Trenton, New Jersey (9), Westchester County, New York (7), and Vermont (4).

One fellow, Dan, had managed to figure out that "solve", "the", "hope" and "puzzle" were words used in the codes. Good job! However, as you have probably already read, this isn't the order of the words. I believe one aspect that made the codes confusing is that while it was probably easy to pick up that they meant something, their order was not available. Perhaps what I should have done is introduced a value into them to give some semblance of order, and perhaps a ninth code with "HTTP" as a value would have made things a bit clearer.

Lessons

One aspect that I neglected with this experiment was to keep track of where the codes were scanned most. What placement was most effective and what level of foot traffic should be sufficient to get the most amount of hits? I was able to keep track of what codes were scanned most, but since I didn't keep note of where the codes were being placed, it was impossible for me to know what was successful or not.

Additionally, nobody managed to decode the whole message. Was it too difficult to figure out? As I mentioned earlier, I believe a ninth code with "HTTP" in it would have made things a bit clearer.

Closing

This was a fun exercise and I imagine that I will probably do more of these social engineering exercises as time goes on. However, this is the last time I will be at the HOPE conference. DEFCON next year? Likely!

Monday, 9 January 2012

OS X's Parental Control Loophole

In recent releases of Mac OS X (as of this date, Lion is the most recent), Apple has bundled a parental control feature that lets a guest user log in to an environment separated from everybody else, with limited abilities. The control panel that configures it allows you to limit Internet access, which applications can and cannot be launched, and how much time the guest user may have on the machine per day. It's pretty handy if you have children, if you wish to create a kiosk of sorts, or if you would like to share a machine with guests visiting your home.

The way the parental controls appear to function is that application control is enforced within the Finder. This means that the Finder dictates what you can and cannot launch and what you can do on the computer. For those unfamiliar with OS X, the Finder is akin to Explorer in Windows.

However, since it's the Finder that controls everything, it is possible to break out of the sandboxed environment and do more than you are permitted to. Here are some things I figured out that you can do:

  • Even if you're limited in what you can do within the Finder with regard to file access, allowing an application that opens text files lets you browse the files on the machine. This means that you can in theory pull up configuration files and so forth within TextEdit and edit them without having to find them in the Finder.

  • Help files can be launched without any limitation.

I had hoped to add more into the points, but during the experimentation process I didn't do any sort of note-taking.

Keeping in mind that you can freely browse files and that the Finder is in control of what you can launch, it is possible to create a hole for launching any application if you do not limit certain applications. For example, if you were to allow Quicksilver or Steam to run, it is possible to launch the Terminal.

During my tests, I used Steam as an example and went about doing the following:

  1. Allowed Steam to be executed within the guest environment.

  2. Logged into the environment and then logged into Steam after entering a one-time code.

  3. Added Terminal as a non-Steam game (or application in this case).

  4. Was able to launch Terminal.

What this means is that if you rely on OS X's parental controls, you'll have to take into account that any application that can launch other applications is a potential loophole. It appears that after logging out, OS X will wipe any data created during the login session, but that still doesn't mean privilege escalation is impossible using this technique.
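One way to check for exactly this kind of loophole from the administrator's side is to look at the process tree rather than the allow-list: any process that is not on the list but whose ancestor is an allowed application got there by being launched from inside that application. The script below is an added example and not part of the original post or of OS X's parental controls. It parses the shape of `ps -axo pid,ppid,comm` output (the sample here is constructed, not captured from the machine in the post) and reports such processes against a hypothetical allow-list.

```python
import os

# Constructed sample shaped like `ps -axo pid,ppid,comm` output on OS X;
# it models the Steam -> Terminal launch described in the post.
SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  310     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  412     1 /Applications/Steam.app/Contents/MacOS/steam_osx
  530   412 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  541   530 -bash
  600   310 /Applications/TextEdit.app/Contents/MacOS/TextEdit
"""

# Hypothetical allow-list standing in for the parental-control configuration.
ALLOWED = {"Finder", "steam_osx", "TextEdit"}


def parse_ps(text):
    """Return {pid: (ppid, short_name)} from ps-style output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, comm = line.split(None, 2)
        name = os.path.basename(comm).lstrip("-")  # "-bash" marks a login shell
        procs[int(pid)] = (int(ppid), name)
    return procs


def nearest_allowed_ancestor(procs, pid, allowed):
    """Walk up the parent chain; return the first ancestor on the allow-list."""
    ppid = procs[pid][0]
    while ppid in procs:
        ancestor = procs[ppid][1]
        if ancestor in allowed:
            return ancestor
        ppid = procs[ppid][0]
    return None


def find_launch_loopholes(procs, allowed):
    """(pid, name, via) for every non-allowed process running under an allowed app."""
    findings = []
    for pid in sorted(procs):
        name = procs[pid][1]
        if name in allowed:
            continue
        via = nearest_allowed_ancestor(procs, pid, allowed)
        if via is not None:
            findings.append((pid, name, via))
    return findings


if __name__ == "__main__":
    for pid, name, via in find_launch_loopholes(parse_ps(SAMPLE_PS), ALLOWED):
        print(f"pid {pid}: {name} is not allowed but was launched via {via}")
```

On the sample this flags Terminal (and the shell it spawned) as having been launched via steam_osx, while Finder, Steam and TextEdit pass; on a real machine you would feed it live `ps` output and your actual allow-list, and anything it reports is an application that should either be removed from the list or be treated as equivalent to allowing everything it can launch.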

Side note: My girlfriend had decided to let me play with her Macbook Pro by putting me in a guest environment. I am not sure how it got to this point, but we started to limit the applications I could use after I said I probably could break out of the sandbox she created. This is how I came to determine the above.