DEFCON 18 notes: Day 3.

“The Search for Perfect Handcuffs… and the Perfect Handcuff Key“: It seems that Sunday morning at DEFCON has become the default time for the lock picking and other physical security panels. Sometimes this bugs me a little; I can only sit through so many panels on compromising high security locks with common household objects before my eyes glaze over and I leave for the dealers room. It isn’t that these panels aren’t interesting, but three in a row…

Anyway, I say all that to say that this presentation from TOOOL was one of the better Sunday morning lock bypass presentations I’ve seen at DEFCON. Deviant Ollam and his crew gave a comprehensive overview of handcuffs, how they work, and how they can be defeated. Some key points:

  • A group of Dutch hackers managed to defeat the high security Dutch handcuffs by taking a photo of the key (hanging off someone’s belt) and using a 3D printer to duplicate it. The key can be found here.
  • You can shim many handcuffs with paper, believe it or not. Paper money (especially European paper money, which in many cases is more like plastic or Tyvek than paper) works especially well for this, as currency is generally designed to be tear resistant.
  • Handcuffs are generally a pretty simple mechanism. If they aren’t double-locked, it’s really easy to “shim” them (force a flat piece of metal, or something like that, down between the pivoting ratchet arm and the cuff itself), or pick the lock with something like a paper clip. (You know what really works well for a cuff pick? The sort of U-shaped metal arm that comes on those steel binder clips you can buy at Office Depot.)
  • If the cuffs are double-locked, it makes shimming and picking attacks harder. One way to defeat double-locking is the “whack attack”; slam the cuffs against a hard surface, and inertia will pop the double-lock locking bar back into the unlocked position.
  • It doesn’t take a lot of strength to break handcuffs. Breaking them is just a matter of binding the chains up. Once you’ve done that, it’s just leverage and simple physics to break the chain.
  • You can also rough up the chain with a small easily concealed diamond saw blade to make it easier to break. The folks at SEREPick sell such a thing; you can hide it in the seams of your clothes, in a belt, in the top of a shoe…
  • There’s a lot of design variation in handcuffs, which can cause problems, especially if you’re trying to find a universal handcuff key. Keyway sizes, size and number of pawls…lots of things can cause problems.
  • The TOOOL folks have collected a bunch of cuffs, so they got as many as possible together, took very precise measurements of the keys, and came up with a single “universal” handcuff key that opened all the cuffs they were able to try. No, they don’t sell it, but diagrams and measurements for the key were part of the presentation. The easiest thing to do, according to the presenters, is to start with a Smith and Wesson handcuff key, as that’s closest to the final dimensions of the universal key. After that, all you need is some minor cutting and filing which can be done with a Dremel tool.

(I suspect there are some people who are going to ask “Why would you want to break out of handcuffs? And don’t you feel bad about sharing this information with criminals?” In the first place, the criminals have already learned all these tricks at one of our many institutes of higher education. In the second place, the bad guys are starting to use things like handcuffs and zip ties to restrain their victims; you might as well learn how to defend yourself.)

“Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“: I’ll cut some slack for this guy being a first time presenter, but this was a “Meh” panel for me. It was heavy on the theory of things like RF jamming and EMP attacks, but short on practice. Most of the theory I already knew, so there wasn’t a whole lot there for me. At the end, he did demonstrate a “sound cannon”, which was interesting. It did not, however, even approach the “annoying” level for me, much less the “weapon” one, though the presenter was running it without amplification.

“Breaking Bluetooth By Being Bored”: Dunning (who also built Vera-NG, a Bluetooth and WiFi sniping rifle) presented a series of tools for banging on Bluetooth. These tools included:

  • SpoofTooph, a utility for cloning and spoofing Bluetooth devices. SpoofTooph can also be run in a logging mode, where it will collect data on devices it encounters.
  • The Bluetooth Profiling Project, which uses programs like SpoofTooph to collect Bluetooth device profiles for analysis. (For example, which device addresses correspond to which manufacturer?)
  • vCardBlaster, a utility for running a denial of service attack against a Bluetooth device by flooding it with vCards.
  • Blueper, which sends a stream of files over Bluetooth. You can send files to multiple devices in range, or target a single device and flood it with files. This is interesting because many devices cache received files before asking the user to accept them; if you push a continuous stream of files to one of those devices, you can fill up internal storage and possibly crash the device.
  • pwntooth, a suite of automated Bluetooth testing tools.

As a side note, after some banging around (mostly to resolve dependencies) I managed to compile and install SpoofTooph on Project e. So far, I’ve only tested it in my lab environment, but it seems to work as designed. This is one of the reasons I love going to DEFCON, as there’s nothing like that moment when you say “Holy f—ing s–t, that f—ing f—er actually f—ing works! S–t!”

There was no final attendance figure announced at the closing ceremonies. According to Joe Grand’s badge documentation, there were 7,000 electronic badges made, and those went fast. I would not be shocked if there were 15,000 people at DEFCON this year, and from what I saw in the closing ceremonies, a lot of those folks were attending for the first time.

The big piece of news from the closing ceremonies is that, after four years at the Riveria, DEFCON is moving to the Rio next year. My hope is that the move will make it easier to get into the more popular panels (DEFCON apparently will be using the Penn & Teller Theater at the Rio), and provide more room to move around. (And maybe even more room for vendors.)

Coming up later on: the final after action report and thank-yous.

Comments are closed.