[HN Gopher] Can you get root with only a cigarette lighter?
___________________________________________________________________
Can you get root with only a cigarette lighter?
Author : 1317
Score : 417 points
Date : 2024-10-07 13:20 UTC (9 hours ago)
(HTM) web link (www.da.vidbuchanan.co.uk)
(TXT) w3m dump (www.da.vidbuchanan.co.uk)
| QuiDortDine wrote:
| You know when your employee quits how you have to block all their
| accounts? Now imagine they have access to the server room!
| pantulis wrote:
| And that's why server rooms should have proper physical
| security.
| appendix-rock wrote:
| And why "they've got physical access, so all bets are off"
| isn't an excuse to stop trying
| yjftsjthsd-h wrote:
| I don't follow; isn't this proof that physical access
| _does_ trump everything else?
| amelius wrote:
| And be wrapped in tinfoil.
| 0xdeadbeefbabe wrote:
| This kind of work can't be done under pressure, at least not a
| PoC.
| hinkley wrote:
| I find the idea of being escorted out of the building after
| giving notice a bit insulting. I've been interviewing for
| weeks, I've probably been holding this piece of paper since
| last night when I printed it out at home.
|
| I've had plenty of time to fuck with things _before_ I told you
| I was leaving. You're just screwing over my coworkers by taking
| access to me away with zero notice.
| mimentum wrote:
| I read this wrong.
| CartwheelLinux wrote:
| >I only want glitches to happen on-demand, not all the time.
|
| >My injected ELF also flushes the page cache
|
| The difference between a padawan and a jedi
|
| Amazing write up and bonus points for the reproducibility of this
| creativity.
| jojobas wrote:
| Back in the day of analog electronic locks a piezo zap into the
| lock case would unlock 4 out of 5 apartment building locks, root
| access IRL.
| zephyreon wrote:
| My immediate thought was that this was a post about how someone
| got root access to a cigarette lighter and I was totally ready to
| believe it.
|
| My parents' oven gets regular software updates so I didn't even
| question whether the cigarette lighter was "smart."
| onionisafruit wrote:
| From the title I half expected an incendiary version of rubber
| hose cryptography.
| sim7c00 wrote:
| ooh i want a smart lighter, so i can use my phone in one hand
| to light the lighter in the other hand :O
| medstrom wrote:
| Sell pyromaniacs this product, find the lighter two months
| later in a burned-out building, use it to identify which
| phone did it, catch perp.
| ano-ther wrote:
| Sure, if you solder an antenna to your memory first :-)
|
| But good and thorough write-up about how to actually exploit such
| a glitch.
|
| And you could also use the cigarette lighter for hanging out at
| the data center back door and wait until the admin comes for a
| smoke.
| Retr0id wrote:
| > This should theoretically work with bit-flips in any bit
| position between 29 [...] and 12 [...] Therefore, soldering the
| antenna wire perhaps isn't totally necessary, if you can
| generate strong enough electromagnetic interference
| abound wrote:
| Mentioned elsewhere in this thread, but you need not only
| "strong" but "highly directed" electromagnetic interference.
| Each of those pins is ~0.5mm, flipping a single bit
| "wirelessly" is probably impossible, as your interference will
| cause issues in many more places than just your target.
|
| Maybe that unlocks different and exciting hacks, maybe it
| just melts your machine.
| hardburn wrote:
| Down in the "practical use" section, one use case is bypassing
| copy protection on consoles.
| vessenes wrote:
| I like this. Upshot - electrostatic bit flip on memory read or
| write, which with solder can deterministically get a 'safe'
| pointer mutated into your own evil pointer.
|
| Generally the historical perspective on physical access was:
| "once they have it, game over." TPM and trusted execution
| environments have shifted this security perspective to "we can
| trust certain operations inside the enclave even if the user has
| physical access."
|
| His next steps are most interesting to me -- can you get
| something (semi-) reliable without soldering stuff? My guess is
| it's going to be a lot harder. Lots of thought already goes into
| dealing with electrical interference. On the other hand, maybe?
| if you flip one random bit of a 64 bit read every time you click
| your lighter, and your exploit can work with one of say 4 bit
| flips, then you don't need that many tries on average. At any
| rate, round 2 of experimentation should be interesting.
| onionisafruit wrote:
| > if you flip one random bit of a 64 bit read every time you
| click your lighter
|
| Without the antenna it would be hard to limit it to a single
| bit getting flipped. At least that's what I suspect.
| Retr0id wrote:
| On the flip-side (heh) flipping multiple bits at once should
| make it possible to bypass ECC
| Lance_ET_Compte wrote:
| You'd likely take an exception for a multi-bit error and
| the handler would likely just retry the read. Single-bit
| errors are often just corrected on the fly by ECC logic as
| you mention.
| echoangle wrote:
| If you can induce enough correct errors (yes, that is
| contradictory), the ECC won't be able to detect the error
| because the modified data is correct again. The ECC
| schemes I've seen used can correct 1 bit and detect 2 bit
| error, so 3 flips at the right position would be enough
| to get new data that would be valid again.
| vessenes wrote:
| we need a tinfoil waveguide clearly
| intothemild wrote:
| This reminds me of exploits we used to do to arcade cabinets back
| in Sydney in the 80s and 90s. The school gas heaters used to
| have what we called "clickers", piezoelectric ignition devices
| you could remove from the heaters.
|
| You then took that clicker to your local arcade, and clicked one
| of the corners of the CRT, that would send a shock through the
| system and add credits to your game. I believe this was because
| the CRT was grounded on the same ground lines that the mechanism
| for physically checking a coin had gone through the system.
|
| Suffice to say, they caught onto this over time, and added some
| form of an alarm into it. But up until then... Those were truly
| the best times.
| chasd00 wrote:
| This brings back a vague memory of smacking the side of a
| pinball machine just right and getting a free game. I bet it
| was the same concept.
| intothemild wrote:
| I imagine (with zero research) that the mechanism for adding
| credit would be the coin goes through a slot, and either
| itself completed a circuit, or the coin as it travels moves
| some lever to complete a circuit. So I imagine if you hit the
| machine just right, you'd also move that lever.
| devmor wrote:
| You were likely causing the spring-loaded mechanism that
| detects a coin insertion to make physical contact.
| wgrover wrote:
| Yup - the first few minutes of one of Technology
| Connections' videos on electromechanical pinball machines
| shows this mechanism in action:
|
| https://www.youtube.com/watch?v=E3p_Cv32tEo
| candlemas wrote:
| Just like The Fonz.
| DonHopkins wrote:
| Henry Winkler is actually just as cool as the character he
| played!
| giancarlostoro wrote:
| Reminds me of an arcade machine a friend would get behind, turn
| it off and back on, and it would give you a free token. Maybe
| it's designed that way so the employee can test it for free, not
| sure. But he climbed behind it, and proceeded to play for free.
| IWeldMelons wrote:
| Those who lived in the USSR remember soda vending machines (they
| poured your drink in a glass cup; you were expected to wash
| it before using by pressing on a cup, which stood upside down
| on plastic plate with holes, kinda inverted shower head; very
| unhygienic, I know). Well it had a button behind that let you
| have a free drink. You could also "upgrade" pure carbonated
| water (1 kopeyek) to a sweet soft drink (3 kopeyek) by
| pressing another button. Needless to say, schoolchildren would
| abuse the hell out of this "feature".
| jcrash wrote:
| > pressing on a cup, which stood upside down on plastic
| plate with holes, kinda inverted shower head
|
| I think they still use these in bars
|
| https://barsupplies.com/collections/glass-washers
| everforward wrote:
| > you were expected to wash it before using by pressing on
| a cup, which stood upside down on plastic plate with holes,
| kinda inverted shower head; very unhygienic, I know
|
| Those systems are occasionally used in bars in the US,
| though they've dropped the whole plate and it's usually
| just arms where the holes are.
|
| To my understanding, at least in the US, they aren't used
| for deep-cleaning anything. That happens with soap and
| water in the back still. The upside-down-showers are used
| to clean out the dregs of someone's glass when they get a
| refill (you give them a glass, they give it a quick rinse,
| refill it and hand it back), and as a quick rinse for new
| glasses to clean up water stains/detergent residue and
| anything that might have fallen in since they were cleaned
| (hair, dust, etc).
| baud147258 wrote:
| I think for beer there's a reason of bringing the glass
| to a colder temperature, which (from what I've heard)
| should reduce the amount of foam (not sure that's the
| exact term) in the glass.
| everforward wrote:
| Oh, are the lines refrigerated or otherwise thermally
| controlled? I always presumed it was regular tapwater;
| i.e. probably slightly below room temp, but not much.
|
| Mileage obviously varies, but the "beer nerd/snob" bars
| I've been to simply don't re-use glasses without a full
| wash. They'd rather just charge a little more to hire
| more dishwashers and be able to absolutely guarantee that
| there's no leftover beer/water in your glass when they
| refill it, and that the glass is refrigerated if that's
| something they want.
|
| I've always heard the head/foam had more to do with how
| you pour the beer (more impact/movement = more foam), but
| it makes sense that temperature affects it as well.
| There's some kind of official course on how to pour
| Guinness to get the correct head on it. I don't remember
| the whole thing, but it was something about holding the
| glass the correct distance from the tap and tilting it so
| that the beer "slides" down the side of the glass rather
| than a direct perpendicular impact with the beer already
| in the glass (which makes more foam).
| IWeldMelons wrote:
| Yes, right, the key difference is that they were used to clean
| between uses by different customers; this is clearly
| insufficient; at least because a good deal of customers -
| drunks, children, people with mental issues would not
| wash at all before use, a good vector for disease spread.
| Late USSR I happen to remember always had problems with
| hepatitis spread, which is considerably less of a problem
| today, due to adoption of disposable food
| containers/utensils.
| JamesSwift wrote:
| Its been a long time since I worked in a bar, but in the
| front-of-house we used a three-sink station where the
| sinks were: soap, water, sanitizing-solution. Then you
| sit the glasses to drip-dry.
|
| Actually here is a link explaining it:
| https://www.webstaurantstore.com/article/620/three-
| compartme...
| stavros wrote:
| I've seen something like this in the Netherlands,
| although even more disgusting: They take the used glass,
| dunk it in a bucket that has brushes all around and in
| the middle and is full of soapwater, rotate the glass
| three times against the glass, take it out, and pour the
| beer in the glass.
|
| Yes, the glass's sides are still full of the disgusting
| soapwater from the bucket that's now basically 95% other
| people's drink dregs.
| heavenlyblue wrote:
| People in the UK very often do the whole "washing dishes
| in the bucket" thing which is ridiculous
| everforward wrote:
| I believe some of those early arcade games were more
| electrical engineering than software engineering, so perhaps
| it was easier to set it up that way?
|
| To my understanding some of those early arcade games also had
| jumpers to control some of the behavior. It could be that a
| tech set the "free credit on reboot" jumper and forgot to
| reset it when they were done.
| luismedel wrote:
| This trick worked in Telefonica's phone booths in Spain in the
| 90s too :-)
| chrisweekly wrote:
| I vaguely remember (sometime in the 80s) sticking a
| straightened paperclip into a small hole on the face of a
| payphone to avoid having to drop a dime / quarters, and being
| able to call anywhere.
| 8ig8 wrote:
| If I recall, you'd stick the straightened paperclip into
| one of the holes on the mouthpiece and touch the other end
| of the paperclip to some metal part on main phone body.
|
| War Games used a pull tab from an aluminum can to a similar
| effect?
|
| (It's been a while.)
| zxexz wrote:
| I remember when Verizon phone booths in the US started
| accepting the credit cards, for a while they would accept any
| 16-digit number with a valid IIN that passed the Luhn check.
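The Luhn check zxexz mentions is a checksum, not a credential: anyone can mint a 16-digit number that passes it from whatever prefix they choose. The block below is an added example (not code from the thread or the linked article) that implements the ISO/IEC 7812 check digit, completes an arbitrary payload into a passing number, and shows that the algorithm catches every single-digit typo, which is all it was ever designed to do. The card-shaped strings and the filler digits are constructed samples. A terminal that accepts any Luhn-valid number with a known IIN, as the comment describes, is treating a format check as an authorization.

```python
"""Luhn (ISO/IEC 7812) check digit: a typo detector, not an authenticator.

Added example for the comment above; not code from the article or the
thread.  All card-number-shaped strings here are constructed samples.
"""


def luhn_sum(digits):
    """Luhn weighted sum: from the right, double every second digit and
    fold anything over 9 back into a single digit (d - 9)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True when the digits of `number` (spaces/dashes ignored) pass Luhn."""
    digits = [int(c) for c in number if c.isdigit()]
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_complete(payload):
    """Append the single check digit that makes `payload` Luhn-valid.

    The check digit sits at the rightmost (undoubled) position, so it only
    has to cancel the weighted sum of the payload modulo 10.
    """
    digits = [int(c) for c in payload]
    partial = luhn_sum(digits + [0]) % 10
    return payload + str((10 - partial) % 10)


def forge_from_iin(iin, length=16):
    """Produce a Luhn-valid number of `length` digits that starts with `iin`.

    Deterministic filler keeps the output reproducible; an attacker can use
    any digits at all, which is the point: IIN plus Luhn says nothing about
    whether an account exists, let alone whether it has funds.
    """
    body_len = length - 1
    filler = "".join(str((i * 7) % 10) for i in range(body_len - len(iin)))
    return luhn_complete(iin + filler)


def single_digit_errors_detected(number):
    """Luhn catches every single-digit substitution; verify exhaustively.

    Both the identity map and the double-and-fold map are permutations of
    0..9, so changing one digit always changes the sum modulo 10.
    """
    digits = list(number)
    for pos, c in enumerate(digits):
        for alt in "0123456789":
            if alt == c:
                continue
            mutated = digits[:]
            mutated[pos] = alt
            if luhn_valid("".join(mutated)):
                return False
    return True


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "5555 5555 5555 4444",
                   "4111 1111 1111 1112"):
        print(sample, "->", luhn_valid(sample))
    forged = forge_from_iin("411111")
    print("forged:", forged, "valid:", luhn_valid(forged))
```

The only thing a Luhn failure tells you is that someone mistyped a digit; a pass tells you nothing. Offline validators that go further (IIN range tables, expiry format) are still format checks, and the fix in the comment's story is the obvious one: ask the issuer before dispensing anything.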
| Scoundreller wrote:
| Toronto's parking meter boxes were like this. They just had
| GPRS so they'd do an overnight dump (possibly a part of
| their data deal with the telecom back when data was
| actually saturated during the day).
|
| So people were using cancelled or empty prepaid
| visa/mastercards.
|
| Initially they'd just push out blacklists.
|
| Once they really caught on, they did a firmware upgrade to
| do online verification and it took fooooreeeeveeeeerrrrr to
| do a credit card purchase.
| astrostl wrote:
| This also worked in the USA. By the 1990s most arcades operated
| on proprietary tokens rather than coin currency. Many had
| skill-gambling machines that had sliding rows covered in
| tokens, that you would try to dislodge with your own tokens and
| keep what was displaced.
|
| The "Jungle Jive" version of this would dispense tokens out the
| opposite side of the machine if the electric ignition of a
| cigarette lighter was used to lightly shock the metal intake
| slot. If you clicked it too much too quickly it would go into
| an alert mode. While this could be accomplished solo, the ideal
| MVP setup was a team of three: one scout to watch for
| employees, one to click, and one to collect.
| TowerTall wrote:
| We did the exact same thing early 80's except that we used the
| clicker found in disposable lighters.
|
| We did it for a couple of years until they figured it out and
| started to cover the arcade cabinets with transparent plastic.
|
| At the same time they also drilled holes at the back of the
| machine for ventilation as the rest of the case now was sealed
| in plastic.
|
| We found out that using a bamboo stick you could press the
| lever that registers when a coin has been paid into the slot.
|
| That made them relocate the holes for the ventilation to the
| top of the case instead of the back so we couldn't get the
| lever anymore. Or so they thought. haha
|
| We discovered that by pressing a coin up the return slot -- the
| one where you get your coin back if it isn't accepted -- you
| could also trigger the lever for coin registration and the free
| gaming continued.
|
| Eventually they put in sharp screws into that coin return box
| so you would cut your fingers.
|
| After that we got a SEGA. Was great fun :)
| jacobgkau wrote:
| At what point does the arcade just kick you out? I can't
| imagine them seeing you continuously tamper with their
| equipment to circumvent paying and think, "the best way to
| handle this is to keep modifying our machines."
| an_ko wrote:
| If you kick someone out, you lose them as a customer, and
| they'll tell all their friends about the free play trick
| out of spite, so you'll have to patch the machine anyway.
| jacobgkau wrote:
| You're making me wonder what the stats are for how many
| people try to abuse arcade machines in a country like
| Japan versus the United States. (Not that people in any
| country are gonna be entirely honest, but the entitlement
| to break the system and the comfort to brag about it
| seems cultural.)
|
| In fact, that could be why some of the machines weren't
| better protected against that stuff in the first place,
| right?
| szvsw wrote:
| There are some great scenes in Rebels of the Neon God
| [1992] by Tsai Ming-Liang (Taiwanese filmmaker) where the
| main characters steal the main pcbs from some arcade
| machines and try to resell them to the arcade owner lol.
| Wonderful film, recommend it - some great scenes in those
| arcades.
| cutemonster wrote:
| Maybe the staff at the arcade, aren't the owners of the
| place, so they don't personally care that much. They'd
| rather be friends with everyone, than to be the "angry
| police"? (And I'm guessing the tampering players were nice
| people to have around)
|
| And the technicians "improving" the machines -- maybe they
| had a good time too, I'm wondering. @TowerTall and friends
| made their job more interesting / fun?
| bityard wrote:
| Arcades were big dark noisy rooms, and quite often had only
| one or two people on staff who were usually either busy
| dealing with other customers and were paid far too little
| to care about the owners' profit margins. They were
| basically there to hand out prizes to little kids for the
| ticket machines and make sure nobody walked out with Dig
| Dug on a hand cart.
| throaway89 wrote:
| I always wondered why arcade cabinets were covered in
| plastic. Till now i thought it was for spills or something.
| roymurdock wrote:
| super cool
| j0hnyl wrote:
| I remember reading about this in this book, about the hacker
| named Pengo who was known for adding credits to arcade games in
| the same manner.
|
| https://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Fr...
| beeflet wrote:
| how did you stumble across this one?
| ballenf wrote:
| The inspiration here was getting root on the Switch 2. Getting
| root in Linux was the POC. The goal was not demonstrating some
| fundamental security vulnerability that's practically
| exploitable, but instead for reclaiming actual ownership of one's
| own hardware without breaking TPM or game ring 0 anti-cheat.
| adrian_b wrote:
| ...
|
| "Finally, I'd like to thank JEDEC for paywalling all of the
| specification documents that were relevant to conducting this
| research."
| roymurdock wrote:
| "It's just one resistor (15 ohms) and one wire, soldered to DQ26.
| The wire acts like an antenna, picking up any nearby EM
| interference and dumping it straight onto the data bus."
|
| really neat hack. using the lighter to create EM interference.
| better go light up next to my DDR bus and see what happens :)
| mikewarot wrote:
| >Can You Get Root with Only a Cigarette Lighter?
|
| No, you can't. That long lead to couple your ersatz pulse
| generator defeats all the engineering put into making the
| computer reliable and quiet in the EMI sense.
|
| Circuit bending is fun stuff, but it's not a remote exploit.
| jasongill wrote:
| Where in the article does he say this is a remote exploit?
| _joel wrote:
| The old saying of "if you've got physical access, game over",
| is where this applies.
| RIMR wrote:
| This guy literally got root using a cigarette lighter, and your
| attempt to debunk it is to suggest that physical exploits don't
| count?
|
| If you only care about remote exploits, fine, but don't go
| scolding others for accomplishing things you can't.
| mikewarot wrote:
| Do it without the precisely connected wire, and then you can
| say "only a cigarette lighter" as mentioned in the title,
| otherwise it's click-bait
| Pikamander2 wrote:
| When I saw the title, I was expecting this to be about hacking a
| modern car with one of those USB-C cigarette lighter devices.
| KolmogorovComp wrote:
| Just wanted to say it was an amazing write-up.
| smcl wrote:
| I reckon you can get a root with just a cigarette lighter if you
| hang around outside the right bars in Australia
| Stefan-H wrote:
| And worst case there is always the rubber hose.
| twelve40 wrote:
| ...or a $5 wrench
| jacobgkau wrote:
| I think you misunderstood the Australian slang. That person
| was not referring to the XKCD concept. They were referring to
| another meaning of the word "root."
| Stefan-H wrote:
| Ha! Thanks for the elucidation. My assumptions around the
| GP did include the assumption of sex, but it was more in a
| honeypot context rather than as an end in and of itself.
| mensetmanusman wrote:
| Next, a balloon and carpet!
| sim7c00 wrote:
| socks! and kickng device thru the room!
| _joel wrote:
| Nice trick, now do it with cosmic rays!
| i4k wrote:
| This was very well written and an amazing challenge but my brain
| is wired to that "hacking common sense" that if you have physical
| access then it's already over... the first thing that came to my
| mind was that, if you have physical access, then you can reflash
| the BIOS, install a driver backdoor, you can boot a live OS and
| then it's just a matter of tampering /etc/{passwd,shadow,groups,
| etc} ...
|
| but I remembered that most of the physical access hacks would not
| be possible if the disk is encrypted.. which then makes this kind
| of hack enormously attractive.
|
| The antenna idea can be extended to be a piece of hardware with
| the interference device built-in (piezo or whatever) which
| communicates with the external world with any wireless medium and
| then the attacker can trigger the interference remotely. This,
| plus a website controlled by the hacker which the victim is
| scammed to visit can be enough to make it viable.
| 333c wrote:
| The motivation in the introduction is rooting/jailbreaking a
| handheld game console. I think this is a perfectly plausible
| situation where you have physical access but still want to
| obtain "unauthorized" access.
| johnisgood wrote:
| > I remembered that most of the physical access hacks would not
| be possible if the disk is encrypted..
|
| Only if you have not booted into your system through using a
| keyfile or a passphrase to decrypt the data, i.e. if your PC is
| shut down. I have full disk encryption, and when I boot into my
| system, it uses the keyfile with which it would perform the
| decryption, and boom, I have my PC ready to be accessed
| physically.
| ruslan wrote:
| AFAIC, reflashing BIOS won't give you anything, you need to
| sign it first with proper private key which is checked by the
| CPU hardware before execution begins. This EMI trick fools CPU
| itself and I cannot see how it can be fixed, unless a new paging
| algorithm is invented.
| themoonisachees wrote:
| This specifically is trivially defeated by ECC, though it
| wouldn't be that much harder to instead flip 3 bits and ECC
| would be unable to help. ECC has very poor penetration
| outside the server world though, so we're still safe. For
| now.
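The scheme echoangle and themoonisachees describe (correct one flip, detect two) is SEC-DED, i.e. an extended Hamming code with minimum distance 4. The block below is an added example, not code from the article or the thread, that models such a decoder on a small word so the failure mode is concrete: one flip is corrected, two are flagged as uncorrectable, but three flips whose positions XOR to a fourth valid position are "corrected" into a different codeword, and those four positions flipped together pass as clean. The 8-data-bit word size and the sample byte are constructed for illustration; a DIMM uses (72,64) or on-die codes, but the algebra is the same.

```python
"""SEC-DED (extended Hamming) model: why three well-placed flips beat ECC.

Added example for the ECC sub-thread; not code from the article or the
thread.  Index 0 holds the overall parity bit, indices 1..n the Hamming
codeword, with parity bits at the power-of-two positions.  The word size
is constructed (8 data bits -> 12 Hamming bits + 1 overall parity).
"""


def _num_parity_bits(k):
    """Smallest r with 2**r >= k + r + 1 (Hamming bound for k data bits)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def _data_positions(n):
    """Positions 1..n that carry data: everything that is not a power of two."""
    return [i for i in range(1, n + 1) if i & (i - 1)]


def encode(data_bits):
    """Return [overall_parity, c1, ..., cn] for a list of 0/1 data bits."""
    n = len(data_bits) + _num_parity_bits(len(data_bits))
    code = [0] * (n + 1)
    for pos, bit in zip(_data_positions(n), data_bits):
        code[pos] = bit
    pbit = 1
    while pbit <= n:                       # parity bit 2**p covers every
        for i in range(1, n + 1):          # position whose bit p is set
            if i != pbit and i & pbit:
                code[pbit] ^= code[i]
        pbit <<= 1
    for i in range(1, n + 1):              # overall parity: distance 3 -> 4
        code[0] ^= code[i]
    return code


def decode(code):
    """Return (status, data_bits) the way a SEC-DED controller would.

    'ok'             no error seen
    'corrected'      one flip (or what looks like one) fixed in place
    'uncorrectable'  two flips detected, nothing to correct -> exception/retry
    """
    n = len(code) - 1
    syndrome = 0
    for i in range(1, n + 1):
        if code[i]:
            syndrome ^= i                  # XOR of all set positions
    overall = 0
    for bit in code:
        overall ^= bit                     # 0 for an even number of flips
    fixed = list(code)
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome <= n:
        fixed[syndrome] ^= 1               # syndrome 0 -> overall bit itself
        status = "corrected"
    else:
        return "uncorrectable", None
    return status, [fixed[i] for i in _data_positions(n)]


def flip(code, positions):
    """Copy of the codeword with the given positions inverted."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


def miscorrecting_triples(n):
    """3-flip patterns that SEC-DED silently 'corrects' into another codeword.

    If a ^ b ^ c is a valid position d, the decoder flips d as well; the four
    positions {a, b, c, d} XOR to zero, so the result is a valid codeword that
    differs from the original in four places.  Flipping all four directly is
    not reported at all.
    """
    return [(a, b, c)
            for a in range(1, n + 1)
            for b in range(a + 1, n + 1)
            for c in range(b + 1, n + 1)
            if 1 <= a ^ b ^ c <= n]


def scenarios(data_bits, triple):
    """Decode results for 0/1/2/3/4 flips of one word, keyed by flip count."""
    code = encode(data_bits)
    a, b, c = triple
    d = a ^ b ^ c
    return {
        0: decode(code),
        1: decode(flip(code, [a])),
        2: decode(flip(code, [a, b])),
        3: decode(flip(code, [a, b, c])),
        4: decode(flip(code, [a, b, c, d])),
    }


if __name__ == "__main__":
    word = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed sample byte
    n = len(encode(word)) - 1
    bad = miscorrecting_triples(n)
    print(f"{len(bad)} three-flip patterns on the {n}-bit word are mis-corrected")
    for flips, result in scenarios(word, (5, 6, 9)).items():
        print(f"{flips} flip(s): {result}")
```

Run it and the 3-flip row comes back as a "corrected" read carrying the wrong byte; on real hardware that event is logged as a routine correctable error, and the 4-flip row is not logged at all. That is the caveat to the "trivially defeated by ECC" reply: SEC-DED turns a random single fault into a non-event, but against an attacker who can choose positions it only raises the number of bits that have to move together.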
| m3kw9 wrote:
| I'm gonna do one with " Can You Get Root With Only my bare
| hands?"
| _trampeltier wrote:
| 2 days ago
|
| https://news.ycombinator.com/item?id=41748861
| mmsc wrote:
| Not only is it a fun exploit, this is also a cool mini-
| introduction to how caching works for CPUs.
|
| I remember a year ago or so there was a submission here which
| detailed how computers work and are built starting at the tiniest
| part: starting with logic gates, IIRC. Anybody remember what that
| website was?
| pvitz wrote:
| Do you mean nand2tetris? https://www.nand2tetris.org/course
| mmsc wrote:
| Hmm, no but similar. This was about full-scale personal
| computers.
| treflop wrote:
| I thought OP was going to do this without soldering anything.
|
| But I feel like soldering something is no different than just
| like splicing a telephone cable in half and putting your own
| headset in the middle...
|
| Except instead of putting a headset, you crudely use a lighter...
| antaviana wrote:
| I thought this was about getting the root password by burning the
| sysadmin with a cigarette lighter (https://xkcd.com/538/)
| sim7c00 wrote:
| fun read. wonder if someone can do it with one of those lemon
| batteries, u know.. when life gives u lemons... get root!
| pantalaimon wrote:
| Three men on a boat.
|
| With four cigarettes, but no lighter.
|
| How are they going to smoke?
| i4k wrote:
| they throw 1 cigarette overboard :-)
| hinkley wrote:
| That's worse than the elephant joke.
| _ache_ wrote:
| I followed him on mastodon, the article is cool too. On Mastodon,
| there is a video of the root access where one can see the screen.
|
| https://mastodon.xyz/@retr0id@retr0.id/113252910481164528
| rcakebread wrote:
| Just burned my sysadmin with a lighter. The root password is
| "OWWhAThtefuck'.
| sfc32 wrote:
| I read it as "Can you get A root with only a cigarette lighter?"
| oluckyman wrote:
| Depends how desperate for a smoke the other person is.
| einpoklum wrote:
| I can get root with only a spoon!
|
| However, I'm not sure the kind of root you want unless you're
| into horticulture.
| echoangle wrote:
| Can someone explain why the EMI would cause a Bitflip and not
| always a high read? Why would a pulse invert the signal that's
| read? Don't the voltages effectively get added?
| amenghra wrote:
| It depends on how the analog signal is encoded. In some
| protocols, a 1 is encoded as high-then-low and 0 is encoded as
| low-then-high.
| echoangle wrote:
| Ah good point, I was assuming simple TTL where signal level
| is the bit that's transferred, RAM is probably using
| something more complex
| missinglugnut wrote:
| You need to think of EMI as having a magnitude and a direction.
| Half the time you are adding a negative voltage.
| echoangle wrote:
| Since he's using a Piezo lighter, shouldn't it be just a
| single DC pulse like discharging a capacitor?
| missinglugnut wrote:
| I was confused on the lighter type so I deleted that part
| of my response. I think you're correct but I can't say for
| sure.
| tinix wrote:
| reminds me of using a modified milty zerostat to use the spark
| gap to induce emp for glitching.
___________________________________________________________________
(page generated 2024-10-07 23:00 UTC)