Archive for the ‘Bluetooth’ Category

Here’s your hat.

Wednesday, July 26th, 2017

Black Hat 2017 is just getting started.

There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:

The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

More on Blue Hydra.

Sunday, August 7th, 2016

Earlier, I wrote “It runs! It works! Mostly. Kind of.”

I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.

The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)

First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are gem install bundler.

Next problem: running bundle install resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. sudo apt-get install ruby-dev fixed that issue.

Next problem: the SQLIte Ruby gem failed to install when I ran bundle install. It turns out that I also needed the sqlite3-dev package as well. And with that installed, the bundle built, and I could do ./bin/blue_hydra.

Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try sudo ./bin/blue_hydra (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.

In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.

However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)

Now, to be fair, there may be some other things going on:

  • I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.01.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun bundle install to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately aftewards (though it still required root).)
  • I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
  • In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
  • It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
  • And who knows? There may very well be some bugs that get fixed after DEFCON.

tl, dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.

DEFCON 24: August 7, 2016 updates.

Sunday, August 7th, 2016

The presentations on the conference CD are here, if you’re looking for something specific that I didn’t mention. I’m still going to try to provide links to individual presenters and their sites, simply because I believe those are the most recent and best updated ones. Just to be clear, I’m not trying to rip off anyone else’s work, which is why I link directly. I want to provide myself (and possibly other interested folks) with one-stop shopping for the latest versions of the things I’m most interested in.

This takes us into today. I’ve been at this for about an hour and a half now. I’m not proud. Or tired. But I do have some other things I want to do, and I think it is a bit early to expect Sunday presentations to be up. I’ll end this one for now, and see if I can do another update tomorrow. Also, I want to do a further write-up on Blue Hydra, possibly tonight, maybe tomorrow as well.
If you are a presenter who’d like to provide a link to your talk (even if it is one I didn’t specifically call out) or you have other comments or questions, please feel free to comment here or send an email to stainles [at] sportsfirings.com.

DEFCON 24 notes: Hail Hydra!

Thursday, August 4th, 2016

GitHub repository for Blue Hydra.

I’m jumping the gun a little, as the presentation is still a few hours away, but I wanted to bookmark this for personal reference as well as the enjoyment and edification of my readers.

Edited to add: quick update. Holy jumping mother o’ God in a side-car with chocolate jimmies and a lobster bib! It runs! It works! Mostly. Kind of.

If I get a chance, I’ll try to write up the steps I had to follow tomorrow. Yes, this blog is my personal Wiki: also, while the instructions in the README are actually pretty good, I ran into a few dependency issues that were not mentioned, but are documented on Stack Overflow.

DEFCON 24: 0-day notes.

Wednesday, August 3rd, 2016

Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.

The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?

(As a side note, one of my cow-orkers was lucky enough to get a company paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)

(more…)

New toy! New project!

Saturday, April 9th, 2016

I was out and about earlier today with my mom and my nephew: we stopped by Hobby Lobby because I was looking for something. I’ll be posting about that something later on, but while we were there, I found one of these and ended up getting a screaming deal on it with the 40% off coupon.

Which is great, but that looks like a manual control box, right? How do you control it with a PC? Lots of soldering and a custom circuit board?

Ah. Nope. They have a USB device interface for the OWI-535. Isn’t that nifty?

But wait! The included software only runs on a PC! How do you control it with a Mac, or a LINUX system?

Surprise! People have reverse-engineered the control protocol! For example, this guy! (I love that blog title, by the way.) It looks like most of the other control examples I’ve found all loop back to Vadim Zaliva’s work documenting the protocol for the OWI-535. (He’s also documented the control protocol for the OWI-007 here.)

And look! Here’s control code in Python. running on a Raspberry Pi! Isn’t that a clever cleaver!

We’ll see if I can get the arm together and working without breaking it. Bad news: I don’t have that much mechanical aptitude. Good news: they claim all you need is needle-nosed pliers, diagonal cutters, and a Phillips screwdriver. No soldering required, which is good. I could probably solder my way out of a paper bag if someone held a gun to my head, but I’ve never been what you could call “good”, or even “competent” at it…

(As a side note, I’ve been trying to get back to “Talkin’ GPS Blues“. Unfortunately, I also decided to upgrade Project e to Ubuntu 15.10…and Bluetooth apparently doesn’t work well on 15.10, at least as of when I completed the upgrade. So once I get Bluetooth working again, and have some more time, I intend to revisit GPS, this time with some skanky Perl, Python, and possibly even Java code. We’ll see.)

A few random things I found interesting.

Monday, September 14th, 2015

Some by way of the Hacker News Twitter, others from elsewhere.

Nice appreciation of Elmore Leonard from The New York Review of Books.

Brian Krebs goes to Mexico in search of Bluetooth ATM skimmers, part 1.

Fun with software defined radio, or scanners live in vain.

NFL loser update resumes tomorrow.

DEFCON 23 notes: August 12, 2015.

Wednesday, August 12th, 2015

More slides! More stuff!

DEFCON 21 update: August 5, 2013.

Monday, August 5th, 2013

Yeah, I know, I’ve been quiet. Much of Friday’s blogging time was eaten by Bluehost instability, and Saturday and Sunday were busy.

But I do have some updates and links.

I’m going to cut things off here for right now. I’m still trying to find links to some of the other presentations I mentioned (in particular, I’d love a link of some sort to Anch’s “Pentesters Toolkit” if anyone has one) and will post updates as they come in. Depending on what I dig up, there may be a second post tomorrow. In the meantime, this should keep you busy.

DEFCON 21: -1 day notes.

Wednesday, July 31st, 2013

Just because I’m not going to DEFCON 21 doesn’t mean I can’t try to cover it. From 1,500 miles away. Sort of half-assedly.

DEFCON hasn’t even started yet, but Black Hat is going on, and some stuff is coming out. The biggest story so far has been Barnaby Jack’s death. I haven’t mentioned it previously because I’ve felt like it was well covered elsewhere (even FARK).

Another “big” (well, I think it is) story that I haven’t seen very much coverage of is the phone cracking bot. Justin Engler (@justinengler on Twitter) and Paul Vines, according to the synopsis of their talk and the linked article, built a robot for under $200 that can brute force PINs. Like the one on your phone.

Robotic Reconfigurable Button Basher (R2B2) is a ~$200 robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing.

This is one I’ll be keeping an eye on.

Borepatch is in Vegas this year, attending both Black Hat and DEFCON. He’s got a couple of posts up: a liveblog of the NSA director’s presentation at Black Hat, and another post about the links between black hats and political candidates.

So the DEFCON schedule is up. If I was going, what would get me excited? (I’ve included the Twitter handles of the speakers from the DEFCON 21 schedule information; I figure this gives a central source for looking up someone’s feed and getting copies of their presentation.)

From Thursday’s talks: I’d probably go to “Hacker Law School“, as I’m a frustrated wanna-be lawyer anyway. Why not?

Anch’s (@boneheadsanon) “Pentesters Toolkit” talk makes my heart skip a beat:

You’ve been hired to perform a penetration test, you have one week to prepare. What goes in the bag? What is worth lugging through airport security and what do you leave home. I’ll go through my assessment bag and show you what I think is important and not, talk about tools and livecd’s, what comes in handy and what I’ve cut out of my normal pen-test rig.

Push some more of my buttons, please.

The Aaron Bayles (@AlxRogan) “Oil and Gas Infosec 101” talk kind of intrigues me, but it would depend on my mood at the time as to whether I went to that one, or skipped out for a break.

Likewise with the Beaker and Flipper talk on robot building: yeah, robot building is something I’m interested in doing, but I might just be in a mood to visit the Atomic Testing Museum instead, and read your slides later. Nothing personal: I’m sure it will be a great talk.

I’m intrigued by the ZeroChaos (@pentoo_linux) panel on the Pentoo LINUX distribution for penetration testing. I’m not sure how that differs from, say, BackTrack, but I’d probably show up just so I could find out.

The “Wireless Penetration Testing 101 & Wireless Contesting” talk by DaKahuna and Rick Mellendick (@rmellendick) hits yet another of my hot buttons. I can’t tell from the description how much of this is going to be describing contests in the Hacker Village, and how much will be practical advice, but I’d show up anyway.

That takes us into Friday. Just from a preliminary look at the schedule, it looks like the big thing this year is hacking femtocells. Doug DePerry (@dugdep) and Tom Ritter (@TomRitterVG) are doing a talk on “I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”:

During this talk, we will demonstrate how we’ve used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.

The Charlie Miller (@0xcharlie) and Chris Valasek (@nudehaberdasher) talk, “Adventures in Automotive Networks and Control Units“, sounds interesting as well. I’m just slightly more interested in femtocells than automotive hacking, so apologies to Mr. Miller and Mr. Valasek: if the two weren’t in conflict, I’d hit your talk for sure.

And if you haven’t been to a software defined radio talk, Balint Seeber’s (@spenchdotnet) sounds promising.

The Secret Life of SIM Cards” by Karl Koscher (@supersat) and Eric Butler (@codebutler) intrigues me the most out of the 11:00 talks. And I’m kind of interested in the Ryan W. Smith (@ryanwsmith13) and Tim Strazzere “DragonLady: An Investigation of SMS Fraud Operations in Russia” presentation because, well…

This presentation will show key findings and methods of this investigation into top Android malware distributors operating in Russia and the surrounding region. The investigation includes the discovery of 10’s of thousands of bot-controlled twitter accounts spreading links to this type of SMS fraud malware, tracing distribution through thousands of domains and custom websites, and the identification of multiple “affiliate web traffic monetization” websites based in Russia which provide custom Android SMS fraud malware packaging for their “affiliates”. During this investigation we have mapped out an entire ecosystem of actors, each providing their own tool or trade to help this underground community thrive.

There’s not much that intrigues me after Benjamin Caudill’s (@RhinoSecurity) presentation on “Offensive Forensics: CSI for the Bad Guy“. If I was at DEFCON, this is the time where I’d probably be browsing the dealer’s room, though I might go to the Amir Etemadieh (@Zenofex)/Mike Baker (@gtvhacker)/CJ Heres (@cj_000)/Hans Nielsen (@n0nst1ck) Google TV panel: these are the same folks who did the Google TV talk at DEFCON 20.

I feel kind of conflicted at 4:00. The Daniel Selifonov talk, “A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It” sounds interesting. But I’m also intrigued by the “Decapping Chips the Easy Hard Way” with Adam Laurie and Zac Franken. Decapping chips is something I’ve been fascinated by, and it looks like Adam and Zac have found methods that don’t involve things like fuming nitric acid (and thus, are suitable for an apartment).

This is also the time when we, once again, present the “Hippie, please!” award to Richard Thieme for “The Government and UFOs: A Historical Analysis“.

I’m slightly intrigued by Nicolas Oberli’s (@Baldanos) talk about the ccTalk protocol, “Please Insert Inject More Coins”:

The ccTalk protocol is widely used in the vending machine sector as well as casino gaming industry, but is actually not that much known, and very little information exists about it except the official documentation. This protocol is used to transfer money-related information between various devices and the machine mainboard like the value of the inserted bill or how many coins need to be given as change to the customer.

Saturday morning, we have the second femtocell talk, “Do-It-Yourself Cellular IDS”, by Sherri Davidoff (@sherridavidoff), Scott Fretheim, David Harrison, and Randi Price:

For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.

Opposite that, and worth noting, are the annual Tobias/Bluzmanis lock talk, and the David Lawrence et al talk on using 3D printers to defeat the Schlage Primus.

More than likely, I’d hit the Daniel Crowley et al (@dan_crowley) talk, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices“, and the Philip Polstra (@ppolstra) presentation “We are Legion: Pentesting with an Army of Low-power Low-cost Devices“. I’m particularly intrigued by the Polstra talk, as one of my areas of interest is how small can we make devices that can still do useful hacking? What’s the smallest feasible wardriving system, for example?

I do want to give Jaime Sanchez (@segofensiva) a shout-out for his talk on “Building an Android IDS on Network Level“. This is worth watching.

I’d have to go to the Phorkus (@PeakSec)/Evilrob “Doing Bad Things to ‘Good’ Security Appliances” talk:

The problem with security appliances is verifying that they are as good as the marketing has lead you to believe. You need to spend lots of money to buy a unit, or figure out how to obtain it another way; we chose eBay. We now have a hardened, encrypted, AES 256 tape storage unit and a mission, break it every way possible!

Because, tape! But the Wesley McGrew “Pwn The Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices” talk also interests me.

The PIN cracking device talk is on Saturday, opposite Amber Baldet’s (@AmberBaldet) talk on “Suicide Risk Assessment and Intervention Tactics“. I’m glad DEFCON accepted her talk, and I am looking forward to seeing the presentation online.

Also noteworthy, I think: James Snodgrass and Josh Hoover (@wishbone1138) on “BYO-Disaster and Why Corporate Wireless Security Still Sucks“.

Todd Manning (@tmanning) and Zach Lanier (@quine) are doing a presentation on “GoPro or GTFO: A Tale of Reversing an Embedded System“. I don’t have a GoPro (yet) or much of a use for one (yet) but I think they are interesting devices, so I’ll be watching for slides from this talk. Same for the conflicting Melissa Elliott talk, “Noise Floor: Exploring the World of Unintentional Radio Emissions“.

This takes us to Sunday. There’s not a whole lot that really turns me on early, though I admit to some interest in the Jaime Filson/Rob Fuller talk on harvesting github to build word lists:

After downloading approximately 500,000 repositories, storing 6TB on multiple usb drives; this will be a story of one computer, bandwidth, basic python and how a small idea quickly got out of hand.

I like the idea behind John Ortiz’s “Fast Forensics Using Simple Statistics and Cool Tools“, and he teaches at the University of Texas – San Antonio, so I’d probably go to that.

Now is when things start heating up from my perspective. Joseph Paul Cohen is giving a talk on his new tool, “Blucat: Netcat For Bluetooth“:

TCP/IP has tools such as nmap and netcat to explore devices and create socket connections. Bluetooth has sockets but doesn’t have the same tools. Blucat fills this need for the Bluetooth realm.

Holy crap, this sounds awesome. All I ask for is code that compiles.

(Unfortunately, this is up against the Eric Robi (@ericrobi)/Michael Perklin talk on “Forensic Fails“, which sounds like fun. But Bluetooth hacking is a big area of interest for me; sorry, guys.)

Speaking of Bluetooth hacking, Ryan Holeman (@hackgnar) is doing a talk on “The Bluetooth Device Database”. Which is exactly what it sounds like:

During this presentation I will go over the current community driven, distributed, real time, client/server architecture of the project. I will show off some of analytics that can be leveraged from the projects data sets. Finally, I will be releasing various open source open source bluetooth scanning clients (Linux, iOS, OSX).

Dude lives in Austin, too! Holy crap^2!

And that takes us through to the closing ceremonies and the end of DEFCON 21. I will try to link to presentations as they go up, significant news stories, other people’s blogs, and anything else I think you guys might be interested in. If you have specific requests or tips, please either let me know in comments or by email to stainles at mac dot com, stainles at gmail dot com, or stainles at sportsfirings dot com.

I heartily endorse this event or product. (#8 in a series)

Tuesday, April 23rd, 2013

Silvercar.

This endorsement may be of limited utility to most of you, since Silvercar currently only operates in DFW and Austin. But I am hopeful that they will expand to other cities.

What are they? Silvercar is a car rental firm, but they’re different from your normal car rental company.

First of all, they only rent one type of car: silver Audi A4s. That’s not so bad, for reasons I’ll get into in a bit.

Second of all, their prices are reasonable: right now, they’re charging $75/day on weekdays and $50/day on weekends. That’s actually about what you’d pay for anything from Enterprise at the airport. (I just checked the Enterprise site: cheapest is $66.99 for a full-size car, going up to $127.56 for a “luxury” car.) That is with unlimited milage.

Thirdly, the experience is nowhere near as annoying as your average car rental agency is:

  • They pick you up at the airport. You pick your car. You scan the QR code with the Silvercar app on your phone. You drive away with your rental. If you want, they’ll give you a briefing on how to use the navigation and audio systems. If you need help, they have some very pleasant people available to walk you through the process.
  • Unlimited mileage.
  • Fuel is charged based on what you actually use (at prevailing market rate) plus $5 if you don’t return the car with a full tank.
  • They don’t get pushy about the “collision damage waver”. As a matter of fact, I don’t think they have such a thing.
  • Those nice people they have on duty kept asking if we’d like a bottle of water or something while we picked up and dropped off the car. When’s the last time Hertz asked you if you wanted a bottle of water?

And the Audi A4s they rent are fun cars. Yes, they have Bluetooth. They also have WiFi. Seriously. You can use your rental car as a WiFi hotspot while driving. Most of this stuff is your basic Audi features, as far as I know, including the navigation and audio. But it is still really nice to have these features in a rental car, especially at this price.

I should note that I didn’t actually rent the car: Mike the Musicologist came up for a visit and handled the interaction with Silvercar. But I was along for the pickup and dropoff, and from what I saw it was the most friction-free car rental experience ever.

We drove the Audi down to New Braunfels Sunday night to have barbecue at the Cooper’s there (which I liked very much). Then we drove back through the city and stopped at the Buc-ees (yes, the one that won the “America’s Best Restroom” contest – and, yes, it is a darn nice men’s room). Monday, MtM and I drove down to Boerne and had lunch at a wonderful German restaurant called Little Gretel. I want to go back. Actually, what I want to do is take a long weekend, book a motel room in Boerne, and stay for a day or two, eating at Little Gretel, feeding the ducks in the creek across the street, and exploring the surrounding area.

We drove back to Austin by way of Fredericksburg (stopping briefly at the shop for the Nimitz Museum/Museum of the Pacific War) and the Audi never missed a beat. It felt like it was on rails even when I pushed it close to 100 MPH, and we got around 26 MPG for the entire Monday trip.

The one small issue I’d bring up with Silvercar, if they asked me, is that they only provide an iPod connector for the Audi MMI system. It’d be nice to have at least the Audi USB connectors as well. (I was unable to find a USB port in the car: the MMI system does have two SD card slots, though, as well as a SIM card slot.)

So, anyway, if you need a good rental car in Austin (or DFW), give Silvercar a try. And thanks to Mike for organizing this adventure.