Archive for the ‘Radio’ Category

DEFCON 25 updates: July 31, 2017.

Monday, July 31st, 2017

Things are going to be a little busy this week, but I do plan to keep an eye out for updates. In the meantime, please enjoy this latest set:

  • TJ Horner has a nice blog post up about his experiences hacking voting machines in DEFCON 25’s “Voting Village”.
  • “The Adventures of AV and the Leaky Sandbox” (Itzik Kotler and Amit Klein) didn’t catch my attention the first time around, but the abstract sounds intriguing: “In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints’ connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration.” Slides. White paper. GitHub repo.
  • GitHub repo (including slides and white paper) for the Marc Newlin/Logan Lamb/Chris Grayson presentation, “CableTap: Wirelessly Tapping Your Home Network”.
  • Here’s some stuff from “Tracking Spies in the Skies” (Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy): North Star Post summary of their presentation. GitHub repo.
  • Slides from the David Robinson talk, “Using GPS Spoofing to control time”, are here. Slides contain links to code, per Mr. Robinson. I’ve only had a chance to take a quick look at this, but I’m fascinated.

DEFCON 25/Black Hat updates: July 27, 2017.

Thursday, July 27th, 2017

Round 1:

Edited to add more:

  • Karla Burnett’s “Ichthyology: Phishing as a Science” is actually relevant to my professional life. White paper.
  • Slides and the white paper for “Hacking Hardware with a $10 SD Card Reader” (Amir Etemadieh, CJ Heres, and Khoa Hoang) are here.

Here’s your hat.

Wednesday, July 26th, 2017

Black Hat 2017 is just getting started.

There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:

The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.

DEFCON 25: 0 day notes.

Tuesday, July 25th, 2017

I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?

Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.

Not really excited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology”. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.

Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on “The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there are also two Mac-specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:

By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe.

13:00: “Controlling IoT devices with crafted radio signals”, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security”, though.)

Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods”:

As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant”:

…EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?

I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)

Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)

At 17:00:

In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

You have my attention.

(Related article from Wired. Presenter’s Twitter feed.)

Sunday: “I Know What You Are by the Smell of Your Wifi”, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years”.

Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I was there.)

This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.

Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.

Obit watch: May 30, 2017.

Tuesday, May 30th, 2017

Frank Deford, noted sportswriter.

As you know, Bob, I am not a sports fan. However, I am a fan of reading, and frequently encountered Deford’s work in collections of sports-writing, or in back issues of SI at the doctor’s office, or other places I don’t remember now. Heck, I even read large parts of Alex: The Life of a Child: I want to say it was reprinted in Reader’s Digest or some damn place.

Point being, I always kind of liked the guy, or at least his writing. I wasn’t really a fan of his NPR work, to be honest. But that probably had more to do with it being NPR than him personally.

“I think there are more good sportswriters doing more good sportswriting than ever before,” he wrote in “Over Time.” “But I also believe that the one thing that’s largely gone out is what made sport such fertile literary territory — the characters, the tales, the humor, the pain, what Hollywood calls ‘the arc.’ That is: stories. We have, all by ourselves, ceded that one neat thing about sport that we owned.”

Also among the dead: former Panamanian dictator Manuel Noriega.

Obit watches, firings, ocelots, and other stuff: December 27, 2016.

Tuesday, December 27th, 2016

I think I’m going to wait until tomorrow to try to pull together the Carrie Fisher obits. Not that it was entirely unexpected (though I think we were all hoping for the best for her), but I feel better letting things sit for a day.

By way of Lawrence: Richard “Watership Down” Adams. A couple of pithy quotes:

The book, and a subsequent animated film in 1978, became synonymous with rabbits and at least one enterprising butcher advertised: “You’ve read the book, you’ve seen the film, now eat the cast.”

“If I saw a rabbit in my garden I’d shoot it,” he once said.

By way of my beloved sister-in-law: Vera Rubin, noted female astronomer.

Rubin’s uncovering of evidence for dark matter revealed that “there’s much more out there than we would expect based on our common-sense experience,” said James Bullock, professor of physics and astronomy at UC Irvine. “Today, the standard interpretation is that 80% of matter is in this form that’s different than anything that is known to science. And without this dark matter, a lot of other things about the universe don’t make sense: Galaxies themselves wouldn’t exist; stars wouldn’t exist, and we would not exist.”

Rex and Rob Ryan both OUT in Buffalo.

The Bills went 1-7 this season against teams with a record better than .500, with the one victory coming against the New England Patriots, who were without suspended quarterback Tom Brady and started rookie third-stringer Jacoby Brissett.

He’s still due $16.5 million after compiling a 15-16 record as Bills coach, a .483 winning percentage that is actually the best of the seven head coaches (including Perry Fewell on an interim basis) who have followed Wade Phillips since the 2000 season.

Babou (either one), call your office, please.

…biologists working in Laguna Atascosa National Wildlife Refuge near Harlingen found the first known ocelot den in two decades.

Meanwhile, the BBC reports that the cheetah is “rapidly heading towards extinction”. While sad, this comes as no great shock to us…because, as we all know, cheetahs never win.

This is kind of cool, at least to me: a homebrew short-range transmitter that sends out time signals on the WWVB 60 kHz frequency. Why would you want to do this, other than for the challenge?

Unfortunately, I can’t get my wristwatch to receive the 60 kHz amplitude-modulated time signal in my dorm room in Cambridge, Massachusetts.
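For anyone curious what a transmitter like that actually has to key: WWVB’s legacy signal is plain amplitude modulation, one bit per second, where the carrier drops to low power at the top of each second and comes back after 0.2 s (a 0), 0.5 s (a 1) or 0.8 s (a position marker at seconds 0, 9, 19, 29, 39, 49 and 59), with minute, hour, day of year, DUT1, year, leap year, leap second and DST fields in BCD. The Python below is an added example (mine, not the linked project’s code) that builds one 60-second frame from a timestamp following the published NIST bit layout, decodes it back, and emits the per-second keying durations a modulator would use. The 2016-12-27 14:35 UTC sample timestamp is constructed; DUT1, the leap-second flag and the DST bits are parameters that default to zero.

```python
"""Added example: encode and decode one 60-second frame of the WWVB 60 kHz
legacy AM time code. Bit layout follows the published NIST format; the sample
timestamp in main() is constructed for illustration."""
import datetime

# Each second WWVB drops carrier power at the top of the second and restores
# it after 0.2 s (bit 0), 0.5 s (bit 1) or 0.8 s (position marker).
ZERO, ONE, MARK = "0", "1", "M"
LOW_POWER_SECONDS = {ZERO: 0.2, ONE: 0.5, MARK: 0.8}
MARKER_POSITIONS = (0, 9, 19, 29, 39, 49, 59)

# (bit position, weight) pairs for each BCD field, most significant first.
MINUTE_BITS = ((1, 40), (2, 20), (3, 10), (5, 8), (6, 4), (7, 2), (8, 1))
HOUR_BITS = ((12, 20), (13, 10), (15, 8), (16, 4), (17, 2), (18, 1))
YDAY_BITS = ((22, 200), (23, 100), (25, 80), (26, 40), (27, 20), (28, 10),
             (30, 8), (31, 4), (32, 2), (33, 1))
DUT1_BITS = ((40, 8), (41, 4), (42, 2), (43, 1))        # tenths of a second
YEAR_BITS = ((45, 80), (46, 40), (47, 20), (48, 10),
             (50, 8), (51, 4), (52, 2), (53, 1))        # two-digit year
LEAP_YEAR_BIT, LEAP_SECOND_BIT, DST_BITS = 55, 56, (57, 58)


def _put_bcd(bits, field, value):
    """Write value into the frame as BCD: each (position, weight) pair tests
    one 8/4/2/1 bit of the decimal digit that weight belongs to."""
    for pos, weight in field:
        digit_weight = 10 ** (len(str(weight)) - 1)    # 40 -> 10, 200 -> 100
        digit = (value // digit_weight) % 10
        bits[pos] = ONE if digit & (weight // digit_weight) else ZERO


def _is_leap_year(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def encode_frame(t, dut1_tenths=0, leap_second_pending=False, dst=(0, 0)):
    """Return the 60-symbol frame for the UTC minute that begins at t."""
    if not -9 <= dut1_tenths <= 9:
        raise ValueError("DUT1 is a single BCD digit of tenths")
    bits = [ZERO] * 60
    for p in MARKER_POSITIONS:
        bits[p] = MARK
    _put_bcd(bits, MINUTE_BITS, t.minute)
    _put_bcd(bits, HOUR_BITS, t.hour)
    _put_bcd(bits, YDAY_BITS, t.timetuple().tm_yday)
    _put_bcd(bits, YEAR_BITS, t.year % 100)
    # DUT1 sign occupies bits 36-38: 101 means positive, 010 means negative.
    sign = (1, 0, 1) if dut1_tenths >= 0 else (0, 1, 0)
    for pos, b in zip((36, 37, 38), sign):
        bits[pos] = ONE if b else ZERO
    _put_bcd(bits, DUT1_BITS, abs(dut1_tenths))
    bits[LEAP_YEAR_BIT] = ONE if _is_leap_year(t.year) else ZERO
    bits[LEAP_SECOND_BIT] = ONE if leap_second_pending else ZERO
    bits[DST_BITS[0]] = ONE if dst[0] else ZERO
    bits[DST_BITS[1]] = ONE if dst[1] else ZERO
    return "".join(bits)


def frame_for(year, month, day, hour, minute, **kwargs):
    """Convenience wrapper taking the UTC minute as plain integers."""
    return encode_frame(datetime.datetime(year, month, day, hour, minute), **kwargs)


def decode_frame(frame):
    """Recover (two-digit year, day of year, hour, minute) from a frame. A real
    receiver first aligns on the back-to-back 0.8 s markers at seconds 59 and 0."""
    if len(frame) != 60 or any(frame[p] != MARK for p in MARKER_POSITIONS):
        raise ValueError("not a WWVB frame: wrong length or markers")

    def field(pairs):
        return sum(w for p, w in pairs if frame[p] == ONE)

    return field(YEAR_BITS), field(YDAY_BITS), field(HOUR_BITS), field(MINUTE_BITS)


def keying_schedule(frame):
    """Low-power duration to key at the top of each second, in frame order."""
    return [LOW_POWER_SECONDS[s] for s in frame]


if __name__ == "__main__":
    # Constructed sample: the date of this post, 14:35 UTC.
    f = frame_for(2016, 12, 27, 14, 35)
    print(f)
    print(decode_frame(f))
    print(keying_schedule(f)[:10])
```

The frame carries no full year and no month, only day of year and a two-digit year, which is why receivers keep their own calendar logic and why a spoofed frame only needs to be plausible for the minute being keyed.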

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

Random notes and a whole bunch of obits: September 19, 2016.

Monday, September 19th, 2016

I didn’t have much to say about the New York attack because:

1) I was busy Saturday afternoon and all day Sunday.
b) It was an emerging situation that I don’t think blog posts could have done justice to.
III) I didn’t have anything to add.

I still don’t have much to add (except that I went “Holy s–t!” when I read about this morning’s shootout), but I did think this was kind of interesting: the NYT on the finding of the second device and taking it away in a “total containment vessel”:

The total containment vessel is essentially an inside-out diving vessel, Lt. Mark Torre, the commanding officer of the department’s bomb squad, said in an interview in July. “Instead of keeping the pressure out and keeping you alive in five fathoms of water, it keeps the pressure in,” he explained. Should a bomb explode inside, tiny vents allow pressure to escape. “It sounds like a hammer hitting a piece of steel,” he said.

I don’t remember if the APD has one (or even if we talked about that during the bomb squad presentation) but I’ll try to ask next time around. I keep thinking I should do a post on the APD bomb squad, bomb squads in general, and the weirdness thereof. (Did you know: you can’t just have a bomb squad? Even if you’re a police force. In some cases, even if you’re a major metropolitan police force, as opposed to East Podunk that has six officers and makes their entire budget off of catching speeders where the limit drops from 70 MPH to 25 MPH. Nope, no bomb squad for you.)

I made note of most of the big obits over the weekend, but there are quite a few others that I think are worth observing and commenting on.

NYT obit for W.P. Kinsella.

Charmian Carr, who was the eldest von Trapp in “The Sound of Music”, was in “Evening Primrose” with Anthony Perkins…and that was pretty much it. No snark intended, but I bring this up because: I keep thinking about a new series spotlighting actors and actresses (but most of the ones I’ve found so far are actresses) who had very short careers – like one, maybe two, at most a small handful of credits – and then left Hollywood for whatever reason. I’m thinking the first entry may be sometime in October.

James Stacy, TV actor. He was in a series called “Lancer” that ran for three years and which I have no memory of. Not long after “Lancer” ended, he was hit by a drunk driver while riding his motorcycle: Mr. Stacy lost a leg and an arm, and his passenger was killed. He kept working in what the NYT describes as “specialized” roles, though his career was interrupted by a suicide attempt and prison time for child molestation.

Howard E. Butt Jr., oldest son of the founder of the HEB grocery chain. HEB is huge in this part of the country, and Mr. Butt, Jr. was in a position to take it over. Except…

But Mr. Butt, a Southern Baptist, who as a college student and lay minister had led a Christian youth revival movement, wrestled with the dual pressures of the business and his spiritual pursuits. That struggle led to severe depression, which he later discussed openly.

He ended up turning leadership of the chain over to his brother, ran the family foundation, and continued his ministry.

At the same time, he continued to encourage the evangelical movement to engage other Christians, even those unaffiliated with a particular church. In 2000, he began giving a one-minute radio homily, a segment he titled “The High Calling of Our Daily Life,” which highlighted the role that faith has played in the successful careers and personal lives of ordinary people. His homilies were carried on 3,000 stations in every state, reaching millions of listeners.

I used to catch this on KLBJ-AM when I was driving to work at Dell and still listened to the radio.

Duane Graveline, who I’d never heard of before. And neither had my mother, who was an adult during this time. Dr. Graveline was an astronaut:

With much fanfare, the space agency named Dr. Graveline one of six new “scientist-astronauts” on June 26, 1965. The group included two physicians, two university teachers, a research physicist and a geologist, Harrison H. Schmitt, who would later walk on the moon and become a United States senator.

He was in the program for about two months. A month in, his wife announced she was divorcing him. Shortly after that, he “resigned”:

In his memoir, Donald K. Slayton, one of the original seven astronauts and a longtime NASA official, said: “The program didn’t need a scandal. A messy divorce meant a quick ticket back to wherever you came from — not because we were trying to enforce morality, but because it would detract from the job.”

I don’t recall Dr. Graveline being mentioned at all in any of the histories of the space program that I’ve read (and I’ve read several). It sounds like he had some issues: he was married a total of six times and lost his medical license twice. The first time, it was suspended for two years after “a large number” of Demerol went missing. The second time, it was revoked permanently “over allegations that he had sexually abused children” (though not, apparently, ones that were patients of his).

C. Martin Croker, animator and voice actor. I was most familiar with him as the voices of Zorak and Moltar on “Space Ghost Coast to Coast”. I’d include a clip here, but the one I want to use is actually on the A/V Club page. And: according to the A/V Club, most of the “Space Ghost” episodes are now up for free streaming on the Adult Swim website.

Don Buchla, one of the early electronic music innovators. I’d never heard of him (perhaps because Bob Moog got all the press). I’ll try to remember to ask Todd next time I see him if he was familiar with Mr. Buchla’s work.

Mr. Buchla and Mr. Moog were contemporaries:

In the early ’60s, the better-known Robert Moog, who died in 2005, and Mr. Buchla arrived independently at the idea of the voltage-controlled modular synthesizer: an instrument assembled from various modules that controlled one another’s voltages to generate and shape sounds. Voltages could control pitch, volume, attack, timbre, speed and other parameters, interacting in complex ways.

Part of the reason Mr. Moog may have gotten more press was that he put keyboards on his machines. Mr. Buchla “wanted instruments that were not necessarily tied to Western scales or existing keyboard techniques. To encourage unconventional thinking, his early instruments deliberately omitted a keyboard.”

More:

Mr. Buchla’s instruments had modules with more colorful names, like Multiple Arbitrary Function Generator, Quad Dynamics Manager and, for his random-voltage noise generator, Source of Uncertainty.

Damn. I want a “Multiple Arbitrary Function Generator”.

In 1965, with $500 from a Rockefeller Foundation grant made to the Tape Music Center, the composers Morton Subotnick and Ramon Sender commissioned Mr. Buchla to build his first voltage-controlled instrument, the original Buchla Box.
It included a module that would transform both avant-garde and popular music. Called a sequencer, it vastly expanded the concept and functionality of a tape loop by generating and repeating a chosen series of voltages, enabling it to control a recurring melody, a rhythm track or other musical elements. It would become an essential tool of electronic dance music.

Obit watch: September 3, 2016.

Saturday, September 3rd, 2016

The late great Jon Polito.

I hate to be lazy here, but I’m going to point to the respectful and comprehensive A/V Club obit. (Though couldn’t they have found something better for Detective Crosetti than the misguided “Homicide” movie?)

(And I need to see “Miller’s Crossing” again.)

Also among the dead: Jim Pruett, legendary Houston radio personality turned prominent (and often quoted in the media) gun store owner. Mike the Musicologist tells me he sold the store a while back; I’ve actually wanted to visit it, but the last few times I’ve been down to Houston it just hasn’t worked out for one reason or another.

DEFCON 24 updates: August 11, 2016.

Thursday, August 11th, 2016

“SITCH – Inexpensive, Coordinated GSM Anomaly Detection” doesn’t just have slides up. Or a whitepaper.

It has an entire freaking website. Which does include, yes, slides and whitepaper. (Thanks to SecBarbie on Twitter for this.)

Slides for the Tamas Szakaly “Help, I’ve got ANTs!!!” talk are here. And his GitHub repo is here.

Good stuff is going up on the Black Hat 2016 briefings site, too. I haven’t had a chance to go through all of the abstracts yet, but my current favorite is: “Does Dropping USB Drives In Parking Lots And Other Places Really Work?”. Slides here, code here, blog post here, no spoilers here.

More on Blue Hydra.

Sunday, August 7th, 2016

Earlier, I wrote “It runs! It works! Mostly. Kind of.”

I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.

The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)

First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are gem install bundler.

Next problem: running bundle install resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. sudo apt-get install ruby-dev fixed that issue.

Next problem: the SQLite Ruby gem failed to install when I ran bundle install. It turns out that I also needed the sqlite3-dev package. And with that installed, the bundle built, and I could do ./bin/blue_hydra.

Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try sudo ./bin/blue_hydra (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.

In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.

However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)

Now, to be fair, there may be some other things going on:

  • I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.04.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun bundle install to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately afterwards (though it still required root).)
  • I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
  • In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
  • It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
  • And who knows? There may very well be some bugs that get fixed after DEFCON.

tl;dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.

DEFCON 24: August 7, 2016 updates.

Sunday, August 7th, 2016

The presentations on the conference CD are here, if you’re looking for something specific that I didn’t mention. I’m still going to try to provide links to individual presenters and their sites, simply because I believe those are the most recent and best updated ones. Just to be clear, I’m not trying to rip off anyone else’s work, which is why I link directly. I want to provide myself (and possibly other interested folks) with one-stop shopping for the latest versions of the things I’m most interested in.

This takes us into today. I’ve been at this for about an hour and a half now. I’m not proud. Or tired. But I do have some other things I want to do, and I think it is a bit early to expect Sunday presentations to be up. I’ll end this one for now, and see if I can do another update tomorrow. Also, I want to do a further write-up on Blue Hydra, possibly tonight, maybe tomorrow as well.
If you are a presenter who’d like to provide a link to your talk (even if it is one I didn’t specifically call out) or you have other comments or questions, please feel free to comment here or send an email to stainles [at] sportsfirings.com.