Tony Kmoch

Sorry, this entry is only available in Czech.

Sorry, this entry is only available in Czech.

Sorry, this entry is only available in Czech.

Paradox is one of widely used manufacturer of home and company security systems. This company makes several security tools like sirens, IR detectors, etc.  Here in Czech republic is Paradox even certified to secure military areas.

Do you trust this system? You should not. I have found very simple way how to unlock any area remotely, without knowing any password. The security bug is in Paradox’es IP100 module, which is absolutely unsafe.

IP100 is internet module which allows you to control (check zones status, lock, unlock) your house. Official description of this module about security says:

• Data sent and received using 128-bit (MD5 and RC4) or 256-bit (AES) data encryption.
• Two-way dynamic authentication.

This is whopper.  MD5 and RC4 is used only to encrypt the password, not to encrypt the communication. It means that man-in-the middle attacks can be performed, but it it’s pretty small bug compared to following :-).

How to make the attack and unlock the property:

1. Let the user connect into system, or make tiny script which waits for this event. Also social hacking can be used to persuade user to connect. 
2. As soon as any legal user connects to the system, anyone on the same internet subnet as the legal user can perform the attack. This „hacker“ can do any task which IP100 provides (just with entering good URL into browser). He can watch the zones or arm/disarm the object. This „hacker“ doesn’t need session id (because there is no session handling in IP100) nor usercode nor password. Actions described in following points:
3. To check open zones and locked/unlocked status of all subsystems just point to http://router_ip_address:port/statuslive.html. You will get JavaScript, where you can search for: tbl_useraccess = new Array(9,0,0,0,0,0,0,0); - it’s array of zones: 9 means unlocked, 5 means „stay“ and so on.  There is also status of all zones.
4. The real bad thing is, that „hacker“ can unlock the Paradox system just entering this URL: http://router_ip_address:port/statuslive.html?area=00&value=d. Variable „area“ is identifier from array you got from previous step from array tbl_useraccess. To turn Paradox into stay mode, just enter: http://router_ip_address:port/statuslive.html?area=00&value=s.

Conclusion:

• The only protection of IP100 module is based on IP address (well it was not intended to use this as security protection, but it was used to avoid parallel usage by several users … you can get this point from user’s guide). Don’t even think about translating IP100 from your internal LAN to internet. Use SSH and portforwarding instead.
• Did you ever imagine, that for example webmail would be protected only by IP address, not by user and password. ;o))

What do Paradox think about this?

I have discussed this bug by phone with Mr. Stephane Racicot (Vice-President Customer Relations of Paradox company). He let engineers from Paradox and local distributor (Mr. Mračna from Eurosat) to check this bug and they drew conclusion not beeing a big bug and maybe they will fix it in some future version.

Make your own decission, whether is it big or small one.  I’d not like the feeling, that anyone can unlock my house and I’d strongly recommend potential customers to avoid Paradox company (not because making some mistake, but due their attitude to security and the will to solve problems).

I have found several commercial plugins for Outlook 2007 allowing sending bcc copy to all outgoing emails. Who would like to spend $30 for this stuff … in case when in Thunderbird it was pretty common feature.

After couple minutes, I have found free solution using VBA script.

Just put this code into VBAProject.OTM:

Private Sub Application_ItemSend(ByVal Item As Object, _
                                 Cancel As Boolean)
    Dim objRecip As Recipient
    Dim strMsg As String
    Dim res As Integer
    Dim strBcc As String
    On Error Resume Next
 
    ' #### USER OPTIONS ####
    ' address for Bcc -- must be SMTP address or resolvable
    ' to a name in the address book
    strBcc = "someone@somewhere.dom"
 
    Set objRecip = Item.Recipients.Add(strBcc)
    objRecip.Type = olBCC
    If Not objRecip.Resolve Then
        strMsg = "Could not resolve the Bcc recipient. " & _
                 "Do you want still to send the message?"
        res = MsgBox(strMsg, vbYesNo + vbDefaultButton1, _
                "Could Not Resolve Bcc Recipient")
        If res = vbNo Then
            Cancel = True
        End If
    End If
 
    Set objRecip = Nothing
End Sub

Editor can be opened using Alt+F11 in Outlook 2007, exploring Project tree on the right side and adding Application - ItemSend handler using top comboboxes.

Also it’s neccessary to change security settings:

1. In Outlook 2000 to 2003, choose Tools | Macro | Security and set security to Medium. In Outlook 2007, the macro security settings are in the Tools | Trust Center dialog. Set macro security to Warn on all macros.
2. Restart Outlook

URLs:

• http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=341
• http://www.outlookcode.com/article.aspx?id=72
• http://outlookcode.com/article.aspx?id=49

Sorry, this entry is only available in Czech.

As I described here, I’ve bought Asus WL-500g Premium router where I installed Kamikaze 7.09 firmware to. I am running on Linux 2.4 kernel, because 2.6 doesn’t support wifi on my router (see here).

I’d like to connect some USB webcam, but even I spent a lot of time trying to find some usable driver, I didn’t suceed so far.

Here are drivers which are not usable for my case:

• UVC video driver (kmod-video-uvc) supports only >= 2.6 kernels
• ov51x-jpg also supports only >= 2.6 kernels
• qc-usb driver for Logitech webcams (download) didn’t work for me

These drivers may work:

• ov51x driver may work, but I didn’t find binaries for Kamikaze
• spca5xx (download or as a ipkg package kmod-usb-spca5xx-le) seems to be most perspective for me
• OpenWrt Kamikaze 7.09 has directly support using ipkg for pwc driver. These cams listed are pretty good and pretty expensive ;-).

Programs supported

Copied from this discussion:

• spca5xx_le - spcacat, servfox
• spca5xx - spcacat, servfox, motion, palantir, mvc, getjpeg

Solution

Based on this talk, I decided to buy webcam “Labtec webcam pro”. Instructions based on this great tutorial (in polish, but I guess you don’t mind) are following:

• Connect the webcam to router. Restart it. You should get in “dmesg” output this:

  usb.c: USB device 2 (vend/prod 0x46d/0x8a2) is not claimed by any active driver.

  That sound great, because this vend/prod is supported by spca5xx

• Install usb stuff, if not installed:

  ipkg install kmod-usb-core kmod-usb-uhci kmod-usb2

• Install the spca5xx light edition driver:

  ipkg install http://download.czechit.net/openwrt/kmod-usb-spca5xx-le_2.4.34-brcm-1_mipsel.ipk

• Everytime after restart of the router, you have to load the modules using:

  insmod videodev
  insmod spca5xx

• Now, if you check “dmesg”, you should get:

  Linux video capture interface: v1.00
  usb.c: registered new driver spca5xx
  spca_core.c: USB SPCA5XX camera found. Type Labtec Webcam Pro Zc0302 + Hdcs2020
  spca_core.c: spca5xx driver 00.57.08LE registered

• Search for the device, make link for spcacat and install this software for downloading images from webcam:

  ls -al /dev/v4l/*
  ln -s /dev/v4l/video0 /dev/video0
  cd /tmp
  wget http://download.czechit.net/openwrt/spcacat.gz
  gunzip spcacat.gz
  mv spcacat /usr/bin
  chmod +x /usr/bin/spcacat
  ipkg install libpthread libgcc

• To make one “shot” to file SpcaPict.jpg use:

  spcacat -d /dev/video0 -g -s 640x480 -f jpg -o -N 1 -p 100

Warning: Based on this post, it’s possible that connecting 2 and more cams won’t be easy.

Links

• Webcam tutorial with compiled packages for OpenWrt

I decided to move to Ubuntu. Here are quick steps:

• Install Windows.
• Download bootable Ubuntu CD. Boot it. Try it. Use partition utility in System menu to create 2 partitions for Ubuntu - one as unused, where will be Ubuntu installed later and second linux-swap type.
• Follow instructions, make sure you are connected to internet - neccessary to download apt repository index. Reboot.
• Add secondary keyboard: System - Keyboard - Layouts and then in “Layout Options - Group shift/lock behaviour” choose Alt+Shift to switch keyboard’s layouts
• Check content of /etc/apt/sources.list - repositories should be uncommented, so installing packages (e.g. plugins to Firefox) may work.
• Searching for packages is described here. For example: apt-cache search php

Honesly, I don’t understand /etc/config/firewall config, coz it’s working pretty strange for port forwarding. I have even found a lot of pages reporting bugs in Kamikaze build during port fw. After several hours, I have found command, which works for Kamikaze - just edit /etc/firewall.user and add:

iptables -t nat -A PREROUTING -p tcp --dport 3535 -j DNAT --to-destination 192.168.1.126:80
iptables        -I FORWARD -p tcp --dport 3535 -d 192.168.1.126 -j ACCEPT

Port forwarding using SSH allows you to make virtual TCP port which goes through an SSH connection, even to local networks. There are many tutorials on the net, but they seemed to me complicated…so I wrote this quick tutorial using some example cases. For portforwarding you need a SSH client (for example Putty) and SSH server on the server (for example SSHD running on your router).

There are 2 main port forwarding cases:

• Local port forwarding
• Remote port forwarding

Local port forwarding using Putty

When you gonna need this: You have possibility to access some computer in a particular network (it has public IP or port forwarding is enabled on NAT), but you cannot access local computers in that network.

For example: You want to connect from your work to port 80 (webserver) of your home PC with local IP 192.168.1.100. You cannot do this directly, because this IP is hidden in LAN. So you make SSH connection to some device with public IP (e.g. router, server), where SSH server is running and tunnel port from your localhost to 192.168.1.100 port 80.

In the putty on your client computer, you specify hostname of your public IP server.

And then create a record for port forwarding. Port 5050 on your local machine will be forwarded to port 80 at 192.168.1.100 in your home network. Don’t forget to press “Add” button.

Now you can connect to your SSH server using button “Open”. After you successfully login, you can point to address localhost at port 5050 which will be forwarded to 192.168.1.100 at port 80. So in this case, when forwarding webserver port, you may put http://localhost:5050 to your web browser.

Remote port forwarding

When you gonna need this: You are in the local network and you can publish any network’s service to the internet, even if your provider doesn’t have any public IP server nor ssh server.

For example: You are at school and you like FTP server at 192.168.1.100 (port 23). You want to connect to this FTP from your dormitory. You cannot use “local port forwarding”, because school doesn’t have SSH server on public IP or you don’t have access to it. Solution is simple: You forward port 23 to your own ssh server anywhere on the internet.

In the LAN network (where you have access to 192.168.1.100 computer, port 23) you create a SSH connection to hostname of your public accesible SSH server.

In the tunnels settings you specify following. Don’t forget to check “Remote” and “Local ports accept connections from other hosts” (DANGEROUS).

As soon as you establish SSH connection to your public SSH server, anyone from internet can access port 5050 on your SSH server and connect to local computer 192.168.1.100 which was previously protected by NAT. This is ofcourse dangerous, if you don’t know what are you doing.

These connections work as long as the SSH tunel is opened from LAN (school) network.

Better solution - combine remote and local port forwarding

Because remote port forwarding itself can be pretty dangerous - better solution for this can be combination of both.

Steps:

• From your school you create SSH connection to your SSH server (exactly as described in “remote port forwarding” part), but you don’t allow “Local ports accept connections from other hosts” - it means that localhost on SSH server can access this port, but noone from outside network.
• From your dormitory, you create SSH local port forwarding connection to your public SSH server. You forward local port 5051 to 127.0.0.1:5050 (localhost at SSH server).
• Now you can access 192.168.1.100:23 at your school from your dormitory using localhost:5051. So for example: ftp://localhost:5051

Comments, questions

If any questions, please add comment bellow.