QNX Crypt Cracked

The Crypt algorithm for the QNX operating system was just cracked. QNX runs on banks computers, ATM's, Medical Equipment, and the almighty i-opener. Source code is there if you're interested.

For those who are interested...

[z4ce]

Kuro5hin has a write-up on this here and Advogato has one here. They've had these articles for most of today they have some interesting posts already.

*never* encrypt passwords!

[pb]

Don't encrypt passwords, hash them! Make sure there's enough information to identify a correct password, but not enough to reproduce it!

That having been said, I don't know enough to write a secure crypto algorithm without following in someone else's footsteps. (I know the basics of public-key cryptography, I could probably code that) But you know what? I wouldn't try to reinvent the wheel here, not unless I proved it mathematically first. :)

...and if that decryption algorithm works, this'll be really embarrassing for them. (because it's *so* computationally simple, it should run in no time at all. I just don't have any random QNX "encrypted" data lying around to try it with...)
---
pb Reply or e-mail; don't vaguely moderate.

mmm...clustering

[vsync64]

Just think... Now we can turn every appliance in the world into a node in our giant Beowulf cluster...

• The Unaware ATM Beowulf Cluster...
• The Unaware iOpener SETI@home Team...
• The distributed.net Wristwatch Team...

The possibilities are truly endless.

Use of Proprietary Encryption - Bad once again

[CmndrKrypto]

Yet again a company thinks that Jim the guy down the hall who "knows some crypto" can design a critical algorithm. After all, it looked kinda mashed up in testing, so how could anyone break that? :) Really, people, there are enough freely available one-way hash algorithms, which you can, and always could, export... Good crypto is hard to do, so if somebody has already done the work for you, take advantage of it! Don't waste time making up your own. You'll get shot in the foot later, like the QNX people did here.

Hidden message...

[|guillaume|]

It seems theres a secret obfuscated message in the binary when you compile the code...

seineew era sreenigne XNQ

---
guillaume

ATMs

[Signal+11]

DON'T PANIC.

Okay, with that out of the way, even if you stole an ATM and decrypted everything in it, here's what you'd find: Nothing.

The network is specifically designed to avoid silly things like that - the ATM stores no persistent information beyond who used it, some accounting information, and when it was used. *that* information *may* be compromised, but a) it wouldn't do you any good and b) it's unlikely they're using anything less than 3DES. Give these people some credit, ok?

Now, if somebody was able to do realtime decoding of the ATM network itself... that would do several things a) panic people who normally don't panic, b) increase the local population drastically after the influx of federal agents, c) make international headlines and d) would not be submitted by an anonymous coward.

Guys.. I know people who work/have worked for financial institutions. I'd estimate the security to be B2 or above (if it was government certified). Unlike the DoD's "NIPR" net which was /supposed/ to be physically disconnected from any/every other network, the financial institutions just plain don't transfer important info over networks. The data is too valuable.

For example, credit bureaus will not accept an update to anybody's credit report electronically - it is done by hand with tape drives. Makes the movie "Hackers" seem more than alittle unrealistic. =) In short, DON'T PANIC. This crack means nothing to the financial industry. Now, if you want to be worried... you should note some of them run Windows 95..................

Re:ATMs

[Syberghost]

Guys.. I know people who work/have worked for financial institutions. I'd estimate the security to be B2 or above (if it was government certified). Unlike the DoD's "NIPR" net which was /supposed/ to be physically disconnected from any/every other network, the financial institutions just plain don't transfer important info over networks. The data is too valuable.

And I have written code for small banks, and installed their networks. (I'd say designed, but in every case they overrode most of my security requirements and designed their own.)

You may very well be correct regarding large financial institutions, but little banks make do with the same resources as all other little companies; whatever they can scrounge from the cheap end of the local talent pool.

The largest bank in my home town transfers their data over an IPX LAN using Cisco routers configured and maintained by a company whose average "network engineer" is less than 21 years old.

The most competent network engineer currently at that company was once fired for running a warez site on a company PC, and it's not at all uncommon for them to snoop customer traffic including bank dialups, which I know for a fact sometimes use the same passwords as they use internally.

There is NOBODY at that bank who can check those routers to make sure they aren't doing other things, such as TCP/IP to all the dialup-connected PCs also on that LAN, or something else through the 56k leased line to Compuserve for credit verification, etc. I suspect, but can't prove, that there's nobody there who even knows the router passwords.

Said bank's employees frequently install software brought from home or downloaded off the net. Said bank has no firewall for those internet connections.

Said bank has physical security that includes a branch office with no cameras, a consumer-grade alarm, friends and family of college-age employees routinely coming and going, and an unfirewalled direct LAN connection to the main building.

Oh; and until recently, they had their System 34 and later System 36 in that branch office. Fortunately, their Unix systems and Novell servers have never been in that building.

The lock on the back door was a cheap consumer-grade door lock. Pickable with a screwdriver and a paper clip, I'd estimate. EASILY pickable with tools, and this has been demonstrated to them.

Re:Slashdot Effect [Humor]

[slashcode parser sucks ass. what part of "plain text" don't you understand?]

<DJ-Pyro> JESUS CHRIST
<DJ-Pyro> im getting dos'd
<DJ-Pyro> ddos'd
<DJ-Pyro> like from all over the world
<lfilipoz> DJ-Pyro: wow... you can still IRC, tho?
<DJ-Pyro> not me
<DJ-Pyro> my server
<DJ-Pyro> colo at digitalNATION
<lfilipoz> is it just your box or all of digitalNation?
<DJ-Pyro> my box
<lfilipoz> and what's the url, so i can try to ping :)
<DJ-Pyro> we just shutdown apache
<DJ-Pyro> and now all of the clients are doing a CLOSE on tcp
<DJ-Pyro> netstat > netstat made a 30k log file
<DJ-Pyro> DAMN
<DJ-Pyro> they are back!
* jeff looks at DJ-Pyro
<DJ-Pyro> this is bigger than last time
<jeff> DJ-Pyro, you don't by chance host i-opener-linux.net, do you?
<lfilipoz> last time?
<DJ-Pyro> yes :)
<DJ-Pyro> why?
<lfilipoz> slashdot post
<DJ-Pyro> SHIT!
* lfilipoz already posted to that story and got the source code
<lfilipoz> bwahahaha
* jeff laughs
<jeff> source is here: http://slashdot.org/comments.pl?sid=00/04/16/13242 33&cid=56
<DJ-Pyro> oh jesus fscking christ!

From a QNX person...

I doubt there will be any "official" response to this so I figure I'll give an unofficial post:

Crypt is *not* a form of secure encryption.

QNX Neutrino 2.0 has the option of using a more modern crypt, not the version which has been cracked.

QNX customers DO NOT use this as a form of strong encryption. Implying that QNX customers are suddenly at risk is irresponsible journalism, at best.

There were a few comments about export restrictions. Yes, QNX does have secure technology which falls under these restrictions, no it's not crypt.

...oh yes, if you're interested in attending QNX200 please email us, there will be *major* announcements which you won't want to miss (linux users in particular).