DEFCON 19 notes: day 2.

What the well-dressed gun blogger is wearing at DEFCON 19:

Thanks, Sean!

“Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes“: Confession time. I didn’t just watch this panel, I actually volunteered for part of it. I don’t think that compromised  my objectivity, but better to be up front about it.

Deviant Ollam’s presentation concentrated on the smaller handgun safes, specifically the GunVault Microvault MV500, the BioBox, and the LokSAF PBS-001. Summarizing:

  • All of these safes have some sort of keypad or biometric locking system, with a keyed tubular lock as an override.
  • The Microvault and BioBox tubular locks were easy to pick with a tubular picking tool; the Microvault was a little more difficult to pick, while the BioBox basically flew open instantly. The LokSAF tubular lock was much more difficult to pick; Ollam himself hadn’t been able to pick it, but an audience volunteer managed to pick the LokSAF lock during the presentation. (Nobody had tried the Bic pen exploit on these locks.)
  • Using a long thin object, like a straightened paper clip or a lock pick, it is possible to compromise the BioBox from outside without unlocking it; basically, you can fool the BioBox sensors into thinking the device is open, which puts it into a mode that allows you to reprogram the BioBox sensor and open the safe.
  • Ollam and company were able to fool the fingerprint reader on the LokSAF, but it took some work. The basic method is to take an impression of the finger using dental alginate, then use a rubber molding compound (readily available at hobby shops) to take a cast of the impression. That cast can be substituted for a finger and used to open the LokSAF. Part of the panel was going to be a live demonstration of this using fingerprints from audience volunteers (of which your obedient servant was one); however, it took much longer than expected for the molding compound to set up, and that demo was pushed out until much later. Ollam did have video of this exploit working, though. There are some obvious questions, such as: how practical is this if you have to get a finger impression in dental alginate first? Answer: it may be possible to extend this exploit to use just a standard fingerprint, and watch for that presentation next year.

“DIY Non-Destructive Entry“: I missed this and “Battery Firmware Hacking” because I was still caught up in stuff from the gun safes panel. Sorry.

“Smile for the Grenade! ‘Camera Go Bang!’“: Nice guys, good presenters, total failure. The basic idea was to build a clone of military throwable/launchable video camera systems, using off-the-shelf parts (including the perfectly legal and not a destructive device at all 37mm grenade launcher) at a fraction of the cost. This looks like it could be a promising project, but the presenters only started working on it three months before the con, and only did their first test run the weekend before DEFCON. It didn’t go well; the powder they used to load their grenades was apparently defective, and they got no video. While it is interesting to see how small (and cheap!) wireless video cameras have gotten ($20 for the cameras they used, and $80 for the receiver), this is a presentation that should have been shelved for a future DEFCON.

“This is REALLY not the droid you’re looking for…”: From those wonderful folks who brought you Android rootkits, yet another Android exploit. Summary: because of Android’s design, and Google’s lack of strict enforcement of their user interface guidelines, it is possible to build an app that:

  • runs in the background as an Android service.
  • uses APIs from other applications to display login screens from those apps.
  • captures credentials the user enters into those login screens.
  • forwards the captured information to…say, a server in China.
  • override the normal behavior of the “back” button, so the user doesn’t suspect there is a problem.
  • and, because Android doesn’t have a standard “switching apps” visual animation, the user further doesn’t suspect there’s a problem.

This is a very high level summary; the authors went into much more detail about how to build this kind of application in their talk. And it’s not really easy to fix the problems that enable an application of this sort without changing both the Android OS and the way Google/the Android Market does things.

2 Responses to “DEFCON 19 notes: day 2.”

  1. Borepatch says:

    That picture is extra *crazy* props.

  2. […] Firmware Hacking” (day 2). I missed this talk, but wanted to include a link to […]