Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
rikafurude21 4 hours ago

Its still crazy to me that everyone has a pocket AI-hacker ready to inspect firmware and modify their devices now. You just put the agent on it and it gives you access in minutes. You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year, or at the very least extremely patient for long hours.

throwaway89201 2 hours ago | parent | next [-]

> You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year

This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.

You're referring to George Hotz, which is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof of. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...

BiraIgnacio 23 minutes ago | parent | next [-]

The hacking aspect has been hit and miss for me. Just today I was trying to verify a fix for a CVE and even giving the agent the CVE description + details on how to exploit it and the code that fixed it, it couldn't write the exploit code correctly.

Not to say it's not super useful, as we can see in the article

hrimfaxi 22 minutes ago | parent | prev | next [-]

> Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

LLMs have had no problem modifying software on an attached android phone. It's only a matter of time.

dpark an hour ago | parent | prev | next [-]

> fully secured against attackers, of which the mere existence of a hypervisor layer is proof of

https://en.wikipedia.org/wiki/Virtual_machine_escape

JCattheATM an hour ago | parent [-]

The last one was 8 years ago. It's not a terribly common vuln anymore - not that it ever was.

mswphd an hour ago | parent | prev [-]

didn't PS3 have a hardcoded nonce for their ECDSA impl that allowed full key recovery? I would agree that I doubt LLMs let people mount side-channel attacks easily on consumer electronics though.

throwaway89201 an hour ago | parent [-]

Yes indeed, that chain of exploits was all software and not hardware. Developed after the Hotz exploit and Sony subsequently shuttering OtherOS.

It didn't directly give access to anything however. IIRC they heavily relied on other complex exploits they developed themselves, as well as relying on earlier exploits they could access by rolling back the firmware by indeed abusing the ECDSA implementation. At least, that turned out to be the path of least resistance. Without earlier exploits, there would be less known about the system to work with.

Their presentation [1] [2] is still a very interesting watch.

[1] https://www.youtube.com/watch?v=5E0DkoQjCmI

[2] https://fahrplan.events.ccc.de/congress/2010/Fahrplan/attach...

hhh 4 hours ago | parent | prev | next [-]

its really nice to not have to spend hours looking thru packet captures and stuff, i enjoy digging but as i'm getting older I have less time to spend 16 hour days looking at random firmware blobs

buildbot 4 hours ago | parent | prev | next [-]

This 1000% - I’ve used AI to enable SSH in one Phase One digital back I own, and to reverse engineer and patch the firmware on another to make the back think it’s a different back - Credo 50 to IQ250! The internals are literally the Sam.

Almondsetat 3 hours ago | parent | next [-]

I'm sorry, are you trusting an LLM to touch a camera that costs like a new car?

buildbot an hour ago | parent [-]

Only a little bit of touching for the really expensive one. The Credo 50 was less than 1K though.

Also Phase One Support/Repair is absolutely phenomenal and unless you toast the sensor; repairs are “fairly” economical.

magenta4 an hour ago | parent | prev [-]

[dead]

Thaxll 2 hours ago | parent | prev | next [-]

LLM are not capable of doing that for most things. Having an open ssh device does not require any special "skill".

strbean 4 hours ago | parent | prev [-]

Damn, maybe I can throw an agent at trying to unlock IMEI spoofing on my Unifi LTE modem. That one guy on twitter who does all the LTE modem unlocking never replied to my tweet :(