Rithwik Jayasimha
@thel3l
Followers
10K
Following
2K
Media
146
Statuses
1K
basic persistent threat @_lagrangepoint hacker, designer, dilettante • prev @claygorilla @tensorfuse • currently: https://t.co/PIGBn2gw0n
Joined March 2015
Apple released a hearing aids feature for the AirPods Pro a while ago. I bought a pair for grandma, but then realized that the feature was geoblocked in India. So we at @_lagrangepoint decided to unblock it. It ended up involving a leaky microwave and building a Faraday cage:
9
15
222
Apple released a hearing aids feature for the AirPods Pro a while ago. I bought a pair for grandma, but then realized that the feature was geoblocked in India. So we at @_lagrangepoint decided to unblock it. It ended up involving a leaky microwave and building a Faraday cage:
388
2K
19K
Last month, a number sent me malware via an APK titled 'Union Bank Aadhar Update' on Whatsapp. These typically just lamely forward all SMSes received to steal OTPs, but this one turned out to be a significantly more sophisticated op. Some notes from taking down a scam network:
288
3K
15K
Last year, a friend was planning a trip to an amusement park for her bday. Site design is often a good heuristic for security and the design wasn't inspiring confidence—so I went poking. A fun story of finding a payment bypass in PayU India and the subsequent disclosure arc:
In the coming day or two, I'll be sharing the full details on how it was possible to bypass PayU India's hosted checkout flow and get free stuff from any merchant. bonus: failed managed disclosure programs, my credit card being abused, and @IndianCERT being awesome!.
64
377
5K
At the end of all this, we were able to enable the Hearing Aids feature for my grandma's airpods, and that of several friends :). They work great!
5
35
2K
Turns out that Apple checks a number of things, including GPS, country codes of the cellular network the devices is connected to and also—WiFi networks . Turns out that your device locates you by searching a massive database that maps WiFi SSIDs around you to a known locations.
5
48
2K
We also realized that our families are not the only ones who have loved ones who could use a pair of hearing aids. The Airpods Pro 2s are actually a *budget* option in this category—hearing aids typically cost anywhere from 3x–30x more.
5
34
2K
The C&C has been permanently down since and that means that this scam is at the very least properly dead, and they're not getting new victims. Something about this op felt very organized and unlike run of the mill phishing scams, which was quite unsettling . Until next time!.
67
72
2K
If you or a family member would benefit from being able to use Airpods Pro 2s as hearing aids in India, please reach out—we're going to be unlocking them for anyone who needs it (for free ofc) at our place in Koramangala. DM me or send us a mail at: hi at lagrangepoint dot org.
12
118
2K
Our hacky proof of concept was a Faraday cage built of aluminum foil, placed right above to the jammer–microwave that was turned on at full power. It was literally as sketch as it looked:
6
50
2K
We briefly considered driving out somewhere remote, like a farm, where there would be no WiFi. But then we realized it'd be cool to build a Faraday cage, a device that blocks out electromagnetic radiation—including cellular, GPS, and WiFi signals.
1
18
2K
At first, we thought it would be easy—spoof IP location with a VPN, maybe rewrite some requests in a proxy, how hard could it be?.
2
10
1K
We initially thought about using our microwave as a Faraday cage, but discovered our microwave was very leaky. Then we realized: a leaky microwave doesn't work as a Faraday cage, but does work excellent as a jammer!. The fact that microwaves operate at 2.4GHz made it perfect.
5
17
1K
We also know that not everyone will be able to replicate this at home even though we're posting the full technical details, so we're going to be doing a open house at Lagrange Point this month.
1
27
1K
We reversed the Rabbit R1 🐇 and got it to run on our phones! . This gives us future OTA updates, access to new features without a device + works perfectly without root/system perms!. (Blog post below)
40
142
1K
We picked an WiFi only iPad because it reduced variables: we would not have to worry about Cellular and GPS. All we had to do was somehow spoof WiFi SSIDs, while blocking out the ones in our neighborhood.
2
12
1K
I didn't want to leave the server up and harvesting victims, so I spun up a repl and wrote a script to inundate their server with fake data and my lovely 'invitation' to chat and an email ID. I think I was hitting them at about 3M requests per minute at the peak :D
8
42
1K
In conclusion, disappointed with @PayUindia, would have been nice to have the VDP bounty paid out and the program either monitored or closed down. Going to let CERT handle vendor comms for any disclosure going forward. I've sent in at least four reports since. Cheers!.
11
23
1K
The domain itself was registered on GoDaddy and was using @Cloudflare for protection. This is also how I discovered that Cloudflare's abuse form *does not work*. The form perennially errors out when you try to submit. So, naturally, as you do, I went digging further.
3
75
1K
This is when things got SUPER fun. The scammers got the message and I got some increasingly desperate emails asking me to please find a new hobby. Turns out their server MELTED at 3M+ requests a min :D. As my friend @squeal said: "damn imagine using gmail for real crime"
13
56
979
Since Vercel basically gives you your @ from GitHub, we can find the authors for these projects on Github too. If anyone's interested in digging up some ghosts, I bet there's a lot to be found on the malware author's profile here:
4
55
836
I used jadx to decompile the APK, and it was immediately apparent that this was not the run of the mill op that just forwarded SMSes. Here's a side by side of another such SMS stealing scam I received in July and this on the right:
3
48
814
And of course these things are always a group effort. Greetz and massive thanks to the gang @rithvikvibhut @raghavtosh @itsarnavb and @AppyFizzyy . None of this would have been possible without them :).
2
9
811
@rithvikvibhut And if you're interested in the technical details behind the Faraday cage:
Last week, I built a Faraday cage with friends. We built this to unlock hearing aids mode on the AirPods for grandma, geoblocked in India for regulatory reasons. This cage is in Koramangala, Bangalore 🇮🇳. But inside the cage, your phone thinks it's Menlo Park, California 🇺🇸
20
20
807
In short:. - It shows a fake bank page where victims are asked to enter their DOB and account number which are posted to an server.- The C&C replies with a message to activate the SMS forwarding .- Attackers then make a password reset request and use the stolen OTP to get in
4
51
678
I think this server was a front for at least 5 different such scams (that I've been able to find). They use the app package name to distinguish between the different scams they're running at once:
2
31
664
I tried to get Raju Kumar and Kishor Bhai on a call for a chat to see why they were doing what they were doing but they never showed up :(. They killed the phone number and server stat. When I checked later that day, the C&C was not returning a phone number to forward SMSes!.
1
29
649
At some point in the last month, they took the domain down entirely as well:
3
27
625
The C&C was hosted at one ` v1 [.] apijson [.] xyz`, which on searching reveals multiple such associated scams on virus sandboxes. More on this later.
1
31
574
There was lots of other fascinating stuff:. Remember the sandboxes from earlier that used the same C&C but impersonating different companies?. There were a bunch of Vercel deployment URLs in those:
2
30
557
There was more stuff on the domain itself that I was hoping to check out at some point, but the authors killed it before I got a chance to go back for a look
5
23
537
So anyway, I registered as a victim by POSTing some base64 encoded data to their endpoint with a burner email and a message that said "Email me at this ID or I'll be reporting you in the next 48 hours". This returns a reply with a number and enables the SMS forwarding feature.
6
33
536
@deedydas @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh Already done, glad you found it interesting!.
2
13
502
I wasn't initially sure what had just happened: you don't expect this kind of dumb shit to work and it's a always a shock when it does. Was super sick that day but I looked up PayU's reporting policy and realized that they had a Bugcrowd so I sent in a quickly recorded demo:
2
8
501
It took me a second to realize that I hadn't masked the CC number in my demo when I recorded the PoC in my sick/sleep deprived state. Looks like it was my mistake to assume that no reasonable individual would use the *researcher's card* to test their system?.
2
2
443
Update: We've got the Rabbit R1 to run LineageOS!.Root and boot, baby. Now, let's write some custom apps. credits to @SanGraphic and orville from our motley gang who made this happen!
We reversed the Rabbit R1 🐇 and got it to run on our phones! . This gives us future OTA updates, access to new features without a device + works perfectly without root/system perms!. (Blog post below)
13
38
382
By now, I'd realized this was not going to work, so I shot off an email off to @IndianCERT with the details which turned out to be an *excellent* decision. They were super professional and promptly acknowledged and set someone to interface with PayU directly after repro'ing!
2
4
366
In essence, we're mapping:. Successful payment → failure_callback_url.Failed payment → success_callback_url. Of course, the merchant is supposed to later verify the transaction state with PayU directly, but I bet many won't bother. Including the amusement park.
8
3
362
Now, the 'Transaction was successful' logic is often either handled with a webhook or a callback URL. A good rule is to obviously never trust the client for any of this—the user is always going to try to scam you.
1
2
360
@photomatt wanting someone to have skin in the game is definitely the best reason to not want fully autonomous transportation.
4
11
338
I never bothered to go back and look at how they 'fixed' their implementation, that's left as an exercise to the reader, but I forwarded the CERT thread to bugcrowd out of spite. They've not replied to a request for info in 4+ months, so I can only assume this is unmonitored.
3
1
347
My grandma is recovering from a recent viral infection that has necessitated the use of a BiPap machine for extended periods. Today, while I was visiting her, the clip on her face mask fatigued. We could've bought a new mask tomorrow for ₹3500 (~$50) but that seemed unideal.
13
14
342
Since the attcker controls the success and failure callback URLs, they could just swap their values, and a failed payment would trigger a successful action flow . There's no way that this would work, right?
1
2
339
Some background: @PayUindia is one of the largest payment gateways, used by over 500k+ merchants online in India. When you pay for things online, merchants will rely on PayU to say "Yes, we got da money!"—and trust that yes, they really did. This becomes important later.
1
2
314
And thus began the tiring process of disclosing this to PayU. Notes:. - My triagers on @Bugcrowd were awful, and never understood what I was trying to convey.- PayU India has abandoned their VDP, and all reports go to /dev/null. - They also decided to test with my CC details???
3
5
299
I hear y'all still struggle to get reservations at d̵o̵r̵s̵i̵a̵ .@eatnaru?. May he with the lowest latency win, godspeed:. const puppeteer=require("puppeteer"),dates=[33,31,32,35,34],tableSlots=[2,3,4],timeSlots=[1,2,3,4];function*generatePermutations(){for(const e of.
28
13
299
I blocked my CC, and DM'ed CERT-In asking them to tell the PayU devs to knock it off—again, super nice of them. I'd likely have gone ballistic if I had a direct line to PayU, because ???
1
1
280
Can someone confirm that Ola Maps is basically just @Mapbox with a skin?
After Azure exit last month, we’ve now fully exited google maps. We used to spend ₹100 cr a year but we’ve made that 0 this month by moving completely to our in house Ola maps! Check your Ola app and update if needed 😉. Also, Ola maps API available on @Krutrim cloud! Many more
11
4
263
In the coming day or two, I'll be sharing the full details on how it was possible to bypass PayU India's hosted checkout flow and get free stuff from any merchant. bonus: failed managed disclosure programs, my credit card being abused, and @IndianCERT being awesome!.
f4bfebfc1b9bdc9ca4b990f06c9f446c.Reveal: December 1 2024, or patch.
1
13
258
Back to the checkout:. I lazily played with payment values being sent to the gateway but realized that the parameters were all hashed with a salt: you could not just tweak the values and pass the transaction. Now, see the 'furl' and 'surl' fields?
2
1
258
I'm tired by now, and have been trying to directly contact PayU as well. I had Claude write me a story to illustrate (this may have been a bit mean spirited, sorry lol)
1
2
255
We built an ungodly fast search experience for electronic components from vendors across India!. We scrape continuously and data is refreshed every 24 hours. May your part searches be an OOM faster ↘️.
Built a super fast search engine for finding electronics components in India 🇮🇳 with @thel3l . We've got components with pricing and stock info from different Indian vendors (like Robu, Probots etc). Using it for finding parts for our own hacks, and it is fast . (link below ⏚)
10
23
245
Finally, CERT-In confirms that PayU has fixed the vuln on October 18th:
1
1
244
Sad to see @DotPe_India mail researchers legal threats instead of setting up basic auth on their endpoints. Bad look and definitely representative of the larger scene.
Sorry guys - have taken the post down due to a legal notice from Dotpe. I could fight them because I didn't access anything that wasn't already public. But it's not worth the hassle. The legal process in this country is in itself a punishment. 🙏.
2
11
243
Third triager decides that this is a waste of their time and tries to close the report:
2
2
235
It starts with the triager not understanding the vulnerability. I think they were hoping for some neat categorization, and this didn't obviously fit?
1
1
231
@naa_rang @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh Yes!.You can use the URI handler to do the hearing test, but that doesn't allow you to actually use the result/enable the hearing aid feature after :;).
2
1
221
A week passes, I bump for update, and it's evident that I'm still talking to the wrong people
2
1
223
Everything goes silent for a while. I've told CERT-In that I intend to disclose in 3 months which seems like a nice fair timeline. Then one random evening, on October 4th, my credit card starts getting OTPs:
1
1
223
I request to be connected with someone at PayU directly, but to no avail.
1
1
220
Fourth triager joins the chat, and also insists I'm jerking them around.
1
1
217
So the client controls the success and failure callback URLs. But how is the hash computed?. The PayU docs at the time defined it as:.sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT). Conspicuously absent: furl, surl in the hash.
1
1
206
@theSlavenIvanov @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh Nope. All this is just for the initial feature flag to be enabled on the device/associated iCloud account. Once it's enabled, you can use the device as you normally would. As far as the device is concerned, you just made a spontaneous trip to NA and back.
1
1
205
Only in @peakbengaluru will you see used Herman Miller chairs randomly dumped on pavements like this
10
12
184
@6r33none @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh we're looking forward to a challenge!.
1
1
158
First off, the R1 is absolutely an Android app. It is actually three applications sitting atop the Android Board Support Package from MediaTek:.- RabbitIme.apk.- R1SystemUpdater.apk.- RabbitLauncher.apk. There are no system level modifications, and it even ships with stock apps.
5
6
151
@arunphilips afraid not :).the bugcrowd was unmonitored and they never replied so ¯\_(ツ)_/¯.
2
1
150
Today, we hosted an incredible Bio-101 course at Lagrange Point led by @pranav_berry. We discussed everything between gene transfer and mutations, viruses and DNA sequencing and had some amazing discussions about the mutations in genetic material and cancer.
10
8
123
@ayoncjee @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh There's actually no change per se done to the device. Literally all we're doing is enabling a feature flag that should be disabled in this country. The minute it's enabled, the feature is toggled on, and the continue to work as usual. It doesn't matter if you pair them with.
1
0
121
Just watched the @browsercompany 's Act II event and had a chance to play with the new 'browser that browses for you' features. Couple of us dug deeper to understand how this was working under the hood—. (greetz @itsarnavb @sidbing @rithvikvibhut )
4
7
110
It isn't perfect but it fits well and grandma is now asleep with the modified mask :)
3
0
106
@AlcorRespecter No not really. The browser making the request is common, and this was how PayU asks devs to implement the hosted checkout. The logic is if you hash the payment data + secret and send it with the request, it's actually okay to send it from the client since it's resistant to.
2
1
105
To put into context how hard @itsarnavb cooked with our latency: We don't have UI animations because it would make things *slower*!. Most searches return results sub 15ms—10x faster than a super fast 150ms spring gahaha. We'll talk more about how we did this soon!.
Built a super fast search engine for finding electronics components in India 🇮🇳 with @thel3l . We've got components with pricing and stock info from different Indian vendors (like Robu, Probots etc). Using it for finding parts for our own hacks, and it is fast . (link below ⏚)
5
6
97
Please reach out if you're in Bengaluru and want your Airpods enabled as hearing aids for family or yourself!. We have a few slots between 2–4PM. This is all free (ofc). Also stay tuned if you're from elsewhere in India, we're working something out :).
We're doing an unlock session tomorrow afternoon in Koramangala. There's a few slots open, please reach out if you'd like your airpods unlocked for you!.
4
11
88
The reason it was trivial to get the app running on any android device was because Rabbit didn't initially bother checking the headers being sent from the device. It appears that the first batch devices were shipped from the factory with ADB enabled.
5
1
76
@bythyag @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh My grandmom has been using it for a bit—she thinks it sounds different but likes it. @itsarnavb's grandmom has been using it as well. You should try it—I feel like it might depend a lot on what ranges you need help with!.
2
0
67
.@itsarnavb who was at our lab space was able to print and deliver the part to me less than an hour after I'd modelled it (from across town)!
2
1
63
A big blocker for ambitious kids is access to quality tools. I remember yearning for a logic analyzer throughout school, but the price was always too high. We're fixing this, starting with making a Raman Spectrometer in homage to the great CV Raman (who was also from Bengaluru!)
Last night, some of us at @_lagrangepoint met to figure out how to detect plastic contamination in our food. We want to figure out how to detect both microplastics and leached plasticizers at scale. We've reached out to and gotten a response from many labs in Bangalore,
5
5
64
Looking for folks with Parkinson's or other motor disabilities to test and iterate on clothing adaptations I designed! . Intend to make it possible to dress again with dignity. Please DM/share with anyone who might benefit from this!. Protos are ready, just need more feedback.
3
14
53
We were able to dump and analyze the firmware. Because of their implementation, the only way for an old device to communicate with the server is to do an OTA. Patching the existing tools to apply a delta OTA to a base image was the hardest part of the project.
1
1
49
I didn't have my laptop or a vernier handy, but took some rough measurements with a steel scale nearby, spun up Fusion360 on a relative's laptop and modelled the part, making generous allowances for the snap–fit
1
0
47
Also, just for kicks, I turned it into a easy to run script for future OTAs:
2
1
45
And finally something for the future:.94f835a8f06f59ec4477325b3a5d915200ec7999df3c2bf249c3e00d2a0d4bda. Greetz to these amazing people: @EmilyLShepherd @ChromMob @uwukko @schlizzawg @MarcelD505, has been a fun week :D.
4
1
43
accidentally bought way too many books on my recent trip to SF, and now am hand carrying a small library since my check in was wayyy over the weight limit haha
5
0
45
Going to be at Stanford tomorrow to talk to friends and folks working on cool hardware. Please say hi if you wanna meet or anyone you know is in the area!.
Gonna be at Stanford tomorrow to talk to electrical engineers and hardware founders!. Come say hello!
2
3
43
Make friends who casually ask you to source Xenon for projects
2
0
40
Update: We've seen the job through 🤙. Stay tuned for updates!.
After a stressful 24 hours trying to get the Airpods Pro's hearing aid features working in India (where it is not launching) for grandma, I'm accepting (temporary) defeat. Putting all this here in case it helps someone else progress:
7
0
38
After a stressful 24 hours trying to get the Airpods Pro's hearing aid features working in India (where it is not launching) for grandma, I'm accepting (temporary) defeat. Putting all this here in case it helps someone else progress:
4
1
35
@ayoncjee @_lagrangepoint @rithvikvibhut @itsarnavb @raghavtosh Yeah, we've tested this out. It's persistent on both:.- iCloud account that was logged in when the region was changed.- Any Airpods that are connected to the device, even temporarily.
2
0
36
