Archive for the ‘GPS’ Category

Quote of the day.

Thursday, December 7th, 2017

The Los Angeles Police Department has advised drivers to be wary of following navigation apps that direct them through areas that are on fire.

(Previously on WCD.)

DEFCON 25 updates: July 31, 2017.

Monday, July 31st, 2017

Things are going to be a little busy this week, but I do plan to keep an eye out for updates. In the meantime, please enjoy this latest set:

  • TJ Horner has a nice blog post up about his experiences hacking voting machines in DEFCON 25’s “Voting Village”.
  • “The Adventures of AV and the Leaky Sandbox” (Itzik Kotler and Amit Klein) didn’t catch my attention the first time around, but the abstract sounds intriguing: “In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints’ connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration.” Slides. White paper. GitHub repo.
  • GitHub repo (including slides and white paper) for the Marc Newlin/Logan Lamb/Chris Grayson presentation, “CableTap: Wirelessly Tapping Your Home Network”.
  • Here’s some stuff from “Tracking Spies in the Skies” (Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy): North Star Post summary of their presentation. GitHub repo.
  • Slides from the David Robinson talk, “Using GPS Spoofing to control time”, are here. Slides contain links to code, per Mr. Robinson. I’ve only had a chance to take a quick look at this, but I’m fascinated.

DEFCON 25 updates: July 29, 2017.

Saturday, July 29th, 2017

Third round. I’m not proud. Or tired.

DEFCON 25/Black Hat updates: July 28, 2017.

Friday, July 28th, 2017

Round 2:

  • The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
  • Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
  • Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
  • This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others“. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
  • Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
  • “Intercepting iCloud Keychain” (Alex Radocea) slides.
  • And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
  • And (hattip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the onea on the presentations server, just FYI.

Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.

Here’s your hat.

Wednesday, July 26th, 2017

Black Hat 2017 is just getting started.

There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:

The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.

DEFCON 25: 0 day notes.

Tuesday, July 25th, 2017

I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?

Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.

Not really exited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology“. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.

Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on
The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there’s also two Mac specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:

By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe.

13:00: “Controlling IoT devices with crafted radio signals“, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security“, though.)

Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods“:

As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant“:

…EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?

I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)

Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)

At 17:00:

In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

You have my attention.

(Related article from Wired. Presenter’s Twitter feed.)

Sunday: “I Know What You Are by the Smell of Your Wifi“, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years“.

Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I was there.)

This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.

Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.

New toy! New project!

Saturday, April 9th, 2016

I was out and about earlier today with my mom and my nephew: we stopped by Hobby Lobby because I was looking for something. I’ll be posting about that something later on, but while we were there, I found one of these and ended up getting a screaming deal on it with the 40% off coupon.

Which is great, but that looks like a manual control box, right? How do you control it with a PC? Lots of soldering and a custom circuit board?

Ah. Nope. They have a USB device interface for the OWI-535. Isn’t that nifty?

But wait! The included software only runs on a PC! How do you control it with a Mac, or a LINUX system?

Surprise! People have reverse-engineered the control protocol! For example, this guy! (I love that blog title, by the way.) It looks like most of the other control examples I’ve found all loop back to Vadim Zaliva’s work documenting the protocol for the OWI-535. (He’s also documented the control protocol for the OWI-007 here.)

And look! Here’s control code in Python. running on a Raspberry Pi! Isn’t that a clever cleaver!

We’ll see if I can get the arm together and working without breaking it. Bad news: I don’t have that much mechanical aptitude. Good news: they claim all you need is needle-nosed pliers, diagonal cutters, and a Phillips screwdriver. No soldering required, which is good. I could probably solder my way out of a paper bag if someone held a gun to my head, but I’ve never been what you could call “good”, or even “competent” at it…

(As a side note, I’ve been trying to get back to “Talkin’ GPS Blues“. Unfortunately, I also decided to upgrade Project e to Ubuntu 15.10…and Bluetooth apparently doesn’t work well on 15.10, at least as of when I completed the upgrade. So once I get Bluetooth working again, and have some more time, I intend to revisit GPS, this time with some skanky Perl, Python, and possibly even Java code. We’ll see.)

TMQ Watch: August 13, 2013.

Friday, August 16th, 2013

We were trying to come up with a clever introduction to the return of Tuesday Morning Quarterback (and, thus, the TMQ Watch) but we couldn’t. On the other hand, we were also suffering from a bad case of 70s nostalgia (brought about by many things, but exacerbated by the death of Bert Lance). So we thought we’d throw some vintage music your way before cracking open this week’s TMQ after the jump. Oddly enough, it turns out to be fitting for reasons we’ll see later on…


Night thoughts.

Saturday, March 23rd, 2013

Some folks may have noticed that I haven’t been doing as much bread blogging recently. That’s because I haven’t been baking as much bread; I’ve been a little tied up with some family things. Nothing serious, nothing health related, and things are winding down. But it has distracted me a little from the bread machine. I’m going to try to do another one of Laurence Simon’s recipes this week, but I’m not sure which one.

In other news, I’m trying to get back on my bike. I have a Trek 7500 that I bought several years ago, and which sat idle pretty much the entire time I was going to St. Ed’s. I took it in last week and had it cleaned, lubed, and tuned; now I just have a series of petty annoyances I’m working my way through. (I couldn’t find my water bottles, so I bought replacements. You can’t have too many water bottles, anyway. Then I couldn’t find my bike shoes: I can ride the Trek in my normal sort of half-boot half-sneaker shoes, but it isn’t as efficient. REI had some Shimano SH-MT33L shoes on the clearance rack at an incredibly low price, so I grabbed a pair of those.)

(Side note: I bought my bike at Freewheeling Bicycles. Why? Lawrence bought his there. I’m happy I followed his lead. The total bill to get my bike out of hock last week was about $104. That price included $8 for a rear tube, and another $45 for a rear bike rack. I want to start making grocery store trips on the bike, rather than the car, so I bought the rack and plan to sling some panniers over it at some point. Since I bought the bike there, Freewheeling gave me a 25% discount on labor, so the whole thing ended up being much more reasonable than I expected. Consider this an endorsement of Freewheeling.)

(Side note 2: F–k Sun and Ski Sports, the horse they rode in on, and any horse that looks anything like the horse they rode in on.)

As a geek, one of the things I’ve always wanted to when I was riding was to log and track my rides. I have a cheap-ass bike computer with basic functionality: current and average speed, distance on current ride, odometer, and clock. But I’ve always wanted to be able to overlay my ride log onto a map and see where I’ve ridden, as well as getting elevation data. My feeling is that being able to do that gives me a tangible sense of progress, which gives me more motivation to ride. But those capabilities require GPS.

I’m still looking for work so I can’t (and don’t want to) spend $330 on a Garmin Edge 510 or $479 on a Garmin Edge 810. (“Social network sharing”?) If Garmin, or one of my readers sent me one, I’d certainly use it, but I don’t want anyone to do that (even as a birthday present). That kind of money will buy you a decent to nice Smith & Wesson, depending on what part of the country you’re in and what you’re looking at.

Here’s the thing: I’m smart. S-M-R-T. Smart. And not only am I smart, but! I have a smartphone! That has a GPS built in! And that runs apps! And, yes, there are cycling apps available! The big ones on Android seem to be MapMyRide and Strava, but I’ve also seen people say that MyTracks works quite well for cycling applications. And I already have MyTracks installed. And I already take my cellphone with me when I ride anyway, in case of emergency. Now all I have to do is get it properly rigged and I should have almost everything I need. (The last remaining piece is some cycling shorts with pockets. I’ve blown out the waistband on the one pair I have; whenever I put them on, they slide off my ass. This is not good for cycling purposes, or for staying off the sex offender registry purposes.)

(I got into a discussion with a friend of mine about Android/iPhone cycling apps. My friend’s position is that the dedicated cycling computers like the Garmin Edge line are preferable to using your phone for this purpose. His feeling is that running the GPS on the phone and logging data eats battery power, and your phone may run out of juice before you finish the ride. My feeling is: I’m not a high-speed low-drag road biker. I’m usually not out for more than an hour or two. If I start out with a fully charged battery, I feel like I should be able to run MyTracks for at least two hours without worry. We’ll test this theory once I get everything rigged for silent running. If I was doing the kind of thing he talks about doing, such as riding the Great Divide Mountain Bike Route 12 hours a day for ten weeks, I’d reconsider my position.)

Thinking about this some more, I wonder what the market for higher-end bike and running computers like the Garmins is today. Let’s see: I can pay $330 for the Edge 500. Or I can pay $196 for a HTC EVO V 4G Android phone pre-paid (no contract) from Virgin Mobile, get one of those cycling apps, and have two cameras and cell phone service. Or I could buy a cheap-ass used phone with no carrier off of eBay, run the same apps, do everything using WiFi, and not have to worry about breaking my good phone. All cell phones sold in the US are required to connect you with 911 even if you don’t have a service contract, so you’re covered in the event of a real emergency. And if you have a good cell phone you want to take riding with you, mounting brackets are a dime a dozen. Plus, I understand some newer Android phones support ANT+, so you can get cadence sensors and heart-rate monitors that will work directly with Strava or MapMyRide on your phone. No dedicated computer needed, so, again, what’s the market for that $479 Garmin Edge 810? (You can probably even do “social network sharing” from the phone, if that’s your cup of Gatorade.) Yes, you have to purchase the cadence sensor and heart rate monitor separately, but you also have to purchase those separately with the Edge 810: that $479 price does not include either sensor. If you have an iPhone, ANT+ isn’t directly supported, but Garmin will happily sell you an ANT+ adapter for a mere $50, or $40.73 from Amazon..

If any of my readers have experience with cycling apps like the ones I’ve mentioned (or others: I’m still running an Android phone, but iPhone users are welcome too) please feel free to leave a comment, or drop me an email if you’d prefer. Contact information is in the place where it says “Contact”.

Crime of the century!

Friday, March 8th, 2013

Somebody, or a group of somebodies, stole eight – that’s right, eight – school buses from a Chicago area bus yard last night.

The people who stole the buses drove them to a scrapyard, where they were shredded.

“There was a pile of shredded school buses about two-stories high,” one police official said. Some pieces were large enough that police could see the “Sunrise bus logo,” the official said.
Engines and transmissions from the buses had already been cut in half, and the seats tossed in a “big pile of scrap.”

(The linked article includes some photos of the pile of scrap.)

Apparently, the buses were stolen sometime between 7 PM last night (when the yard was closed) and 5 AM this morning (when the theft was discovered). So are scrap yards typically open after 7 PM on a weeknight? And wouldn’t you figure that someone would ask questions when eight school buses were driven in for scrap? Or was there more going on?

When officers arrived, several people who apparently worked in the scrap yard ran into a building, police said. Officers initially apprehended one person and later took two others into custody. The owner was arrested in the afternoon.

(This could also double as important safety tip #18 17:

The buses were all equipped with GPS tracking devices, and police were able to track “their entire movement” to the scrap yard on the West Side, police said.

Don’t steal stuff with GPS tracking devices, or stuff that you might think has GPS tracking devices. Among the things that you might think have GPS tracking devices, if you’re a criminal mastermind:

  • Airplanes.
  • Expensive cars.
  • Government vehicles, including police cars.
  • School buses that carry children.

That’s just a partial list. I’m sure others can think of more examples, but those should suffice for the crackheads in my audience.)

DEFCON 20 notes: Day 1.

Saturday, July 28th, 2012

If you asked people to explain DEFCON, what would they say? Some might say: for those who understand, no explanation is necessary, for those who don’t, no explanation is possible.

Others might say that DEFCON is a mystery, wrapped in a riddle, inside… Enigma machine

(Not only did the National Cryptologic Museum bring that, they also were handing out (while supplies lasted) two really cool booklets: “The Cryptographic Mathematics of Enigma” and “Solving the Enigma: History of the Cryptanalytic Bombe”. The inside covers of both books claim they are available for free by sending a request: email me for the address, or try crypto_museum [at]

(I also got a kick out of the “NSA careers” cards they were handing out, mostly because it was the first buisness card I’ve ever seen with an embedded microfiber screen cleaner.)

Today’s schedule:

“Making Sense of Static – New Tools for Hacking GPS”: Pretty much what I expected from the description, but still a very good panel. The presenters have been doing a lot of work with systems that use GPS tracking, and they’ve run up against the limits of affordable off-the-shelf GPS hardware. There are all kinds of things you can’t do with retail GPS:

  • Experimenting with spoofing and jamming attacks is hard because you don’t have low-level hardware access to see what’s going on.
  • Implementing methods for dealing with poor signal environments, such as “urban canyons”, is also difficult.
  • You also don’t have access to the newer systems, such as GLONASS, Galileo, or Compass.
  • And it is hard to experiment with advanced positioning techniques.

Much of the presentation was devoted to a detailed account of exactly how GPS calculates positions on Earth, and what some of the limitations of those calculations are. If I were to attempt to summarize this, I’d be doing from memory and likely get much of it wrong, so instead I’ll point to the Wikipedia entry which covers the same material (including the use of Gold codes to distinguish each GPS satellite).

All of this led up to two products:

  • libswiftnav, which is a lightweight, fast, and portable set of tools for building a GPS receiver. The nice thing about libswiftnav, according to the authors, is that it will run on microcontrollers and other relatively wimpy hardware.
  • Piksi, a hardware implementation that uses libswiftnav and overcomes a lot of the limitations outlined previously: it can do highly accurate positioning, very fast updating, and supports other positioning systems.

The presenters have stated that their presentation should be available at the Swift-Nav site as soon as they have a chance to upload it.

I missed the “Not So Super Notes, How Well Does US Dollar Note Security Prevent Counterfeiting?” session simply because the clock got away from me. If I can find the presentation online, I will link to it.

I wasn’t able to get into the “How to Hack VMware vCenter Server in 60 Seconds” session for reasons of it being held in a room way too small for everyone who wanted to get in. This seems to be a version of the presentation from another conference. I’ve only given it a quick skim, but it looks very interesting indeed.

Bypassing Endpoint Security for $20 or Less” wasn’t quite what I had expected, but it paid off. The basic idea behind this panel was that there’s an increasing emphasis on keeping people from walking out of the office with sensitive data on USB mass storage devices; some companies use software that allows only known and approved devices to connect over USB.

So how do you know if a device is known and approved? Much of the presentation dealt with specifics of how USB, and especially USB mass storage, works. The short answer is that everything depends on “endpoints” (which are sort of “virtual wires” for USB connections) and “descriptors” (which provide information about the device). USB devices identify themselves through a combination VID/PID as part of the protocol, so if you can spoof the VID/PID, you can pretend to be an already authorized device.

Which is what the presenter’s hardware does, for less than $20. I haven’t found the presentation online, but the presenter swears the hardware schematics etc. will be available on github under “usb-impersonator” as soon as he gets around to updating the repository (which he promises will be real soon now).

Edited to add 7/28: Two points in this presentation that I wanted to mention but forgot to last night.

  1. Windows doesn’t see anything but the first LUN on USB mass storage devices. So if you want to hide something on a flash drive from a Windows user, partitioning the drive is a good way of doing that.
  2. If you run modprobe usbmon (this may require running as root) and then fire up Wireshark, wonder of wonders, you get a whole bunch of USB bus devices available as Wireshark interfaces. This is something I want to play with more when I have time: I’ll probably post some Wireshark capture files showing what happens when a device is inserted.

Edited to add: Added link to Phil Polestra’s blog entry, which contains links to the slides and the code, 8/1/2012.

The last presentation I went to was “Safes and Containers – Insecurity Design Excellence”. This is one that’s already gotten a fair amount of attention: a friend of mine emailed me a link to this Forbes article by one of the presenters that neatly recaps the whole thing (including their videos).

Basically, many popular gun safes, especially ones made by the Stack-On corporation, are insecure and can be opened with paper clips, drinking straws, pieces of brass purchased at a hardware store,..or by just simply lifting up the safe and dropping it a few inches.

Why is this? The presenters argue that the people who make these safes don’t come from a culture that says to itself “Okay, I’ve built this safe. Now how can I bypass the mechanism and get in?” Quoting: “Engineers know how to make things work, but not how to break them.” Many of these safes are imported from China and are made as cheaply as possible, which complicates things even more.

There’s also an attitude of “my product meets the standards, so up yours”. The California Department of Justice has standards for gun safes, and these products all meet those standards. However, the CDOJ standards do not involve any kind of realistic tests of the product, such as turning it over to a five-year-old and telling him there’s candy inside.

My one issue with this presentation is that the authors seem to view gun safes as the most important part of protecting your kids from guns; thus they believe safes need to be stronger. I can agree with this, but as I see it, safes should be a last resort, not the primary means of protection. I grew up in a house with guns, and I was never tempted to mess with any of them because my parents raised me properly (and because I knew I’d be beaten bloody if I did mess with them). Age-appropriate training (such as the NRA’s “Eddie the Eagle” program) combined with appropriate physical security (what was that gun safe doing where a three-year old had physical access to it, anyway?), combined with safes that actually do what they’re supposed to do, constitutes a layered defense, and one that works better than just relying on cheaply made Chinese junk.

And so to bed. I’m tired, and stuff hasn’t been working right all night. Project e just shut itself down in the middle of this post, the Kindle’s battery was deeply discharged and I had to wait for it, and dinner was not that great. (More about that later on.)

Random sports (and other) notes.

Monday, October 17th, 2011

I wasn’t planning to say anything about the Texas Rangers: last year was significant, this year, well, what can you say other than that they’ve gotten good?

However, I can’t help but take the opportunity to gloat a little here, since it appears that a Rangers/Cardinals World Series has John Gruber extremely upset. Poor guy.

Loser update tomorrow: Miami plays tonight.

“We’re the only ones professional enough to have 21 MP-5 submachine guns stolen from our training facility.”

Somewhat buried lead: the MP-5s were converted to fire blanks only.

The parts required to change the MP-5 back to live firing were for sale on a gun supply website. It was unclear, however, what documentation or background checks would be required to purchase them.

I am not an MP-5 armorer, but I would guess: probably none. I doubt any of those parts are serial numbered like AR lower receivers. And I’m curious where the LAT reporter got his information.