What to do when the plane is boring - run Google Chrome on the back of the chair
I think that many of you used the media center on the back of the seat of expensive airlines, or at least saw how it works. There you can watch movies, music and even play primitive games on a joystick.
But what if this device has many hours in front of your eyes, and you are very bored? Of course, look for vulnerabilities and interface bugs! Find them, and then send to technical support to fix them.
')
What I actually did, but I published a way to bypass the interface before correcting the shortcomings. If you want to find out why I did this, what is under the interface of the media center and what does the support of Turkish Airlines do in their free time?
Unfortunately, many devices of the “Internet of Things” have minor flaws that allow them to bypass the “standard” interface and get inside the operating system. I often enjoy searching for such bugs for my own pleasure, but not to the detriment of devices and the public. You learn how to hack a stranger - you will understand how to protect your software.
Many interface developers do not pay enough attention to security, which is why users may suffer. But this is very serious, an attacker can use phishing tools to steal personal data. Naive users can enter their passwords and credit card information into the device, which at first glance cannot harm them.
It was not my first flight with Turkish Airlines, and I have already seen the media centers of several aircraft of this company. You can distinguish a Windows CE device from Android by checking the operation of touchscreen gestures; there is no multi-touch support on Windows CE. In Windows CE, touchscreens are always resistive, and on Android almost all capacitive ones.
This time I got a media center on Android. By eye, the interfaces are the same, but the touch immediately noticeable differences. While none of the staff looked in my direction, I began to explore possible shortcomings. Some devices can be controlled with just one finger, but not this.
The seats have built-in headphone jacks, a joystick, as well as an Ethernet and USB port. In Windows CE devices on board, it was disabled. I decided to try to connect a flash drive here.
The message “USB Device detected” appeared.
I found a section for playing from a USB disk, there are three sections, JPG, MP3, PDF.
Then I saved an arbitrary PDF file on the USB flash drive and plugged it back into the media center. As a result, he appeared in the list and successfully opened.
Below appeared the standard Android buttons. When you press the Home button, the program intercepts and returns to the media center. So these buttons are useless.
To go further, I selected a piece of text with my finger and the menu appeared in the upper right corner.
Through the Share menu, I got access to Mail and Messages, from where I got to look at the file system.
Inside was a 64 Gb flash drive, most likely a MicroSD. Further through the same menu through the Web Search button, we managed to launch Google Chrome.
But the Internet was not there. Perhaps on other flights he will.
Then I tried to open the file / etc / hosts, which turned out successfully.
To my surprise, it turned out that they do not use either a DHCP server or DNS, all devices inside the aircraft, including the streaming server, are registered in the hosts configuration file.
Then I managed to copy the files, including replacing the / etc / hosts file with my own, after which I returned it. This makes it possible to redirect media server traffic to any IP address and so replace the web elements of the media center itself with its own. I did not publish the way to replace the file.
It turns out you can go through all the media centers and fill them with phishing pages, or put on an advertising banner that only the technical department can remove. This is clearly a threat to the safety of travelers and I decided to send everything to those supporting Turkish Airlines.
On the plane, I prepared and filmed a video of the entire process to send in support of Turkish Airlines. It contains only what needs to be shown for support to eliminate vulnerabilities.
Unfortunately it was dark, so I apologize for the quality of the videos and pictures in this article.
I uploaded this video to YouTube a month ago, after changing the private status, the date was reset. The link was private. No one could watch the video except for me and the support service. I called in support of Turkish Airlines and not the first time, but I managed to explain that I was trying to help them. They explained exactly where on their website to write an appeal.
After sending the application with the video link, I received a letter from the robot that I would be answered within 7 days. After sending the video, I checked the view count from time to time to find out if the tech was watching it, the number did not change.
It took 2 weeks, the answer did not arrive and I decided to write to them on Twitter @TK_HelpDesk. Immediately received an answer, they said that they would check my request and respond faster.
A month has passed, there is no answer, I go to YouTube and there are 175 views and 4 links.
YouTube analytics says that the link was taken from different countries. Someone from the technical support of Turkish Airlines leaked the link to public access. Firstly, this is not professional on their part, and secondly, it became obvious that someone who had viewed most likely would download a copy or record their video about the hacking. So it makes no sense to keep the video private and I decided to publish it.
I opened the video to public access, and after that they wrote to me with support via Twitter @TK_HelpDesk in HP, as well as here . They say "we answered you on the 9th," he searched, found, there really is a letter. But its text is not at all an answer to my request, but “they would apologize for not being able to respond on time because of the load, and respond later.” . The answer to my ticket has not yet been received.
My advice, if you are developing an interface for a terminal, or any device with a touchscreen, pay more attention to integrating your program with the OS itself.
I hope my article will help someone to make their devices a little more reliable.
In my experience, the hardest thing was to “bypass the UI” on devices based on Windows XP and on Windows CE.
But what if this device has many hours in front of your eyes, and you are very bored? Of course, look for vulnerabilities and interface bugs! Find them, and then send to technical support to fix them.
')
What I actually did, but I published a way to bypass the interface before correcting the shortcomings. If you want to find out why I did this, what is under the interface of the media center and what does the support of Turkish Airlines do in their free time?
What is the problem with embedded device interfaces?
Unfortunately, many devices of the “Internet of Things” have minor flaws that allow them to bypass the “standard” interface and get inside the operating system. I often enjoy searching for such bugs for my own pleasure, but not to the detriment of devices and the public. You learn how to hack a stranger - you will understand how to protect your software.
Many interface developers do not pay enough attention to security, which is why users may suffer. But this is very serious, an attacker can use phishing tools to steal personal data. Naive users can enter their passwords and credit card information into the device, which at first glance cannot harm them.
Long flight hours
It was not my first flight with Turkish Airlines, and I have already seen the media centers of several aircraft of this company. You can distinguish a Windows CE device from Android by checking the operation of touchscreen gestures; there is no multi-touch support on Windows CE. In Windows CE, touchscreens are always resistive, and on Android almost all capacitive ones.
This time I got a media center on Android. By eye, the interfaces are the same, but the touch immediately noticeable differences. While none of the staff looked in my direction, I began to explore possible shortcomings. Some devices can be controlled with just one finger, but not this.
The seats have built-in headphone jacks, a joystick, as well as an Ethernet and USB port. In Windows CE devices on board, it was disabled. I decided to try to connect a flash drive here.
The message “USB Device detected” appeared.
I found a section for playing from a USB disk, there are three sections, JPG, MP3, PDF.
Then I saved an arbitrary PDF file on the USB flash drive and plugged it back into the media center. As a result, he appeared in the list and successfully opened.
Below appeared the standard Android buttons. When you press the Home button, the program intercepts and returns to the media center. So these buttons are useless.
To go further, I selected a piece of text with my finger and the menu appeared in the upper right corner.
Through the Share menu, I got access to Mail and Messages, from where I got to look at the file system.
Inside was a 64 Gb flash drive, most likely a MicroSD. Further through the same menu through the Web Search button, we managed to launch Google Chrome.
But the Internet was not there. Perhaps on other flights he will.
Then I tried to open the file / etc / hosts, which turned out successfully.
To my surprise, it turned out that they do not use either a DHCP server or DNS, all devices inside the aircraft, including the streaming server, are registered in the hosts configuration file.
Then I managed to copy the files, including replacing the / etc / hosts file with my own, after which I returned it. This makes it possible to redirect media server traffic to any IP address and so replace the web elements of the media center itself with its own. I did not publish the way to replace the file.
It turns out you can go through all the media centers and fill them with phishing pages, or put on an advertising banner that only the technical department can remove. This is clearly a threat to the safety of travelers and I decided to send everything to those supporting Turkish Airlines.
Appeal in support of Turkish Airlines
On the plane, I prepared and filmed a video of the entire process to send in support of Turkish Airlines. It contains only what needs to be shown for support to eliminate vulnerabilities.
Unfortunately it was dark, so I apologize for the quality of the videos and pictures in this article.
I uploaded this video to YouTube a month ago, after changing the private status, the date was reset. The link was private. No one could watch the video except for me and the support service. I called in support of Turkish Airlines and not the first time, but I managed to explain that I was trying to help them. They explained exactly where on their website to write an appeal.
After sending the application with the video link, I received a letter from the robot that I would be answered within 7 days. After sending the video, I checked the view count from time to time to find out if the tech was watching it, the number did not change.
Waiting for support response
It took 2 weeks, the answer did not arrive and I decided to write to them on Twitter @TK_HelpDesk. Immediately received an answer, they said that they would check my request and respond faster.
A month has passed, there is no answer, I go to YouTube and there are 175 views and 4 links.
YouTube analytics says that the link was taken from different countries. Someone from the technical support of Turkish Airlines leaked the link to public access. Firstly, this is not professional on their part, and secondly, it became obvious that someone who had viewed most likely would download a copy or record their video about the hacking. So it makes no sense to keep the video private and I decided to publish it.
I opened the video to public access, and after that they wrote to me with support via Twitter @TK_HelpDesk in HP, as well as here . They say "we answered you on the 9th," he searched, found, there really is a letter. But its text is not at all an answer to my request, but “they would apologize for not being able to respond on time because of the load, and respond later.” . The answer to my ticket has not yet been received.
Afterword
My advice, if you are developing an interface for a terminal, or any device with a touchscreen, pay more attention to integrating your program with the OS itself.
I hope my article will help someone to make their devices a little more reliable.
In my experience, the hardest thing was to “bypass the UI” on devices based on Windows XP and on Windows CE.
Source: https://habr.com/ru/post/401713/
All Articles