On most unrooted, stock, Android phones, enabling tethering will run a “Provisioning Check” with your wireless provider to ensure that your data plan allows tethering. This post documents Tethr, a way to bypass the provisioning check on Android devices prior to version 7.1.2. After discovering this method I reported it to the Android bug bounty fixing the issue and receiving CVE-2017-0554. Background The ability to tether is controlled by your device’s build.prop file, usually located at /system/build.prop. The default is to require the provisioning check before enabling tethering, but it can by bypassed by adding the following line: ...

For those of you not in the know, ambergris is defined as: a wax-like substance that originates as a secretion in the intestines of the sperm whale, found floating in tropical seas and used in perfume manufacture. However, that will not be what this post is about (sorry to disappoint). Instead, I’ll present what happens when building an image on Docker that contains a reverse shell in the Dockerfile. ...

A while ago I came into possession of a few HID iClass readers. After collecting dust in my project drawer for a few months I decided to find a fun use for them, which ended up in the project I call Badgy. Background The back of the HID readers have 10 colored wires coming out of them. Luckily the readers also had a nice sticker telling me which wire was what. ...

Last week at DerbyCon 5.0 the CircleCityCon folks had a booth with a challenge, the Challenge of Tiamat’s Eye. @CircleCityCon: Can you solve the Puzzle of Tiamat's Eye? Visit our booth at @DerbyCon to take the challenge! pic.twitter.com/yJzPvxOQk9 — CircleCityCon 10.0: WHODUNIT? (@CircleCityCon) September 26, 2015 The challenge consisted of the small chest pictured above containing an eye made up of blinking red LEDs. Every 30 seconds the pattern would reset. The content organizers hinted that we would need to record the eye at 60fps in order to capture all of the information we needed. We ended up using a coffee creamer cup as a diffuser over the LEDs to make the difference in the pixels clearer. This resulted in the following recording. Note: we recorded 30 seconds at 60fps, which resulted in a 60 second 30fps recording. ...

Sonic (my home ISP) offers an IPv6 tunnel for their customers who have a service plan that does not offer native IPv6 yet. Sonic’s IPv6 tunnel operates much the same way Hurricane Electric’s Tunnel Broker does, however since the endpoint is located inside the ISP you should get better performance. Sonic even offers example configurations for configuring the IPv6 tunnel endpoint on various operating systems, but none for DD-WRT, a common aftermarket router firmware. Another Sonic user did document how to configure Sonic’s IPv6 tunnel with older versions of DD-WRT on the Sonic forums HERE, however the link appears to be dead. Additionally newer versions of DD-WRT have a new IPv6 tab which should allow for a painless configuration using nothing more than the web interface. ...

I gave a presentation at WOOT 2015 demonstrating how network enabled telematic control units (TCUs) can be used to remotely control automobiles from arbitrary distance over SMS or the internet. Abstract Modern automobiles are complex distributed systems in which virtually all functionality—from acceleration and braking to lighting and HVAC — is mediated by computerized controllers. The interconnected nature of these systems raises obvious security concerns and prior work has demonstrated that a vulnerability in any single component may provide the means to compromise the system as a whole. Thus, the addition of new components, and especially new components with external networking capability, creates risks that must be carefully considered. ...

Recently there has been a lot of buzz about the recent Heartbleed vulnerability found in some versions of OpenSSL. The attack works due to a mistake in the server validating part of the request made by the SSL client. The popular web comic XKCD has made a great simple comic explaining how the attack works, and there are simple tools to test for vulnerable servers. But how does this affect me, a user? ...

At an internship I had a while ago one project assigned to me was to regain access to a CCTV security system which we had been locked out of for some years. (The previous manager left without leaving the password.) The DVR system was a TRIPLEX DVRLink DVR468RW, whatever that is. It seemed cheap; a small embedded computer with video in/out, a hard-drive and CD-RW drive for recording storage. The administration interface was accessed either by a web server running on the device or a desktop client you installed on your computer. ...

Update: ActionBarSherlock is no longer necessary. The latest Google Support Library includes appcompat which is a better solution. ActionBarSherlock is an Android support library designed to allow you to use the ActionBar which was introduced in Android 3.0 Honeycomb with older devices, back to Android 2.1 Eclair. This allows your applications to have a modern looking interface, even on older devices whose API does not support the new features. To get started using ActionBarSherlock in Eclipse follow these steps. ...

A while ago I was working on building a custom kernel for my Android phone. Once you get the source the compilation process is not as straightforward as I hoped. Here are the steps required to get from the kernel source to a flashable image for your phone. Get a copy of the build toolchain and Linux kernel for your device First download a copy of the pre-build toolchain from git. ...