Archive for the ‘SDR’ Category

DEFCON 25: 0 day notes.

Tuesday, July 25th, 2017

I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?

Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.

Not really excited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology“. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.

Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on “The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there are also two Mac-specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:

By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe.

13:00: “Controlling IoT devices with crafted radio signals“, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security“, though.)

Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods“:

As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant“:

…EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?

I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)

Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)

At 17:00:

In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

You have my attention.

(Related article from Wired. Presenter’s Twitter feed.)

Sunday: “I Know What You Are by the Smell of Your Wifi“, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years“.

Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I were there.)

This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.

Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.

A few random things I found interesting.

Monday, September 14th, 2015

Some by way of the Hacker News Twitter, others from elsewhere.

Nice appreciation of Elmore Leonard from The New York Review of Books.

Brian Krebs goes to Mexico in search of Bluetooth ATM skimmers, part 1.

Fun with software defined radio, or scanners live in vain.

NFL loser update resumes tomorrow.

DEFCON notes: Day 2

Monday, August 3rd, 2009

Saturday was a little calmer than Friday from my perspective. Part of the reason for that may have been Adam Savage‘s talk (and the meet and greet afterwards) took a lot of folks out of circulation for two or three hours. (I didn’t go.)

More quick takes:

“Hacker vs. Disasters Large & Small”: Michael Schearer, who did the first part of the presentation, also did the Hacker In Iraq presentation. As a Naval officer, he went through SERE school, so he’s got some hands-on survival experience which makes him worth paying attention to. Schearer’s part of the presentation basically covered short-term wilderness survival (as in, “I’m cold and there are wolves after me.“) and was more practical. Renderman’s half of the presentation was a more long-term, “How do we survive and rebuild society after the Big One?”, philosophical presentation. (Edited to add: links to the final versions of the slides; Part 1, Part 2.)
Key takeaways:

  • “Hacker skills are largely compatible with the skills necessary to survive in the wilderness or during a natural disaster.”
  • “Don’t be squeamish about breaking or destroying something to help you stay alive.”
  • “You are not Jack Bauer, MacGyver, or Survivorman; you need practice to survive.”

“Personal Survival Preparedness”: Nice guy, okay talk, mostly dealing with survival in an urban environment after some devastating event (Katrina or worse).

“Picking Electronic Locks Using TCP Sequence Prediction”: Excellent presentation, short, and scary. Brief summary: many electronic lock systems are IP based and the traffic on the network is not encrypted. This makes the locks vulnerable to a man-in-the-middle attack (to capture an unlock command) and a replay attack with a spoofed TCP sequence number (to replay the command). These attacks bypass the existing control software, so the spoofed unlock command leaves no audit trail. The author is a network admin at Texas State University; woo hoo! Greater Austin/San Marcos Metropolitan Area represent!
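As an added example (not from the post or from the talk), here is a toy model in Python of the replay described above, with the vulnerable plaintext design beside an authenticated variant. The wire format, the shared key and the door ID are constructed for illustration and are not any real lock vendor’s protocol; the point is that once an unlock command is a bare string on an unauthenticated TCP session, anyone who can sniff it and spoof a sequence number can play it back, and that a per-command counter plus an HMAC is enough to stop both the replay and a forged command.

```python
import hmac
import hashlib

# Constructed toy command; real lock controllers use vendor-specific formats.
UNLOCK = b"UNLOCK door=3"


class PlaintextLock:
    """Models the vulnerable design: the controller acts on any bare UNLOCK
    string that arrives on its port. Whoever can sniff one legitimate command
    (and spoof the TCP sequence number) can replay it later, and because the
    replay never touches the access-control server, nothing gets logged."""

    def __init__(self):
        self.unlocked = False

    def handle(self, packet: bytes) -> str:
        if packet == UNLOCK:
            self.unlocked = True
            return "unlocked"
        return "ignored"


class AuthenticatedLock:
    """Hardened design: every command carries a strictly increasing counter and
    an HMAC-SHA256 over (command, counter) under a key shared with the server.
    A sniffed packet replayed as-is fails the counter check; a forged command
    fails the MAC check. (The counter must be persisted across reboots,
    otherwise the replay window reopens after a power cycle.)"""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.unlocked = False

    @staticmethod
    def _mac(key: bytes, cmd: bytes, counter: int) -> bytes:
        msg = cmd + b"|" + str(counter).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()

    @classmethod
    def build(cls, key: bytes, cmd: bytes, counter: int) -> bytes:
        """What the legitimate access-control server puts on the wire."""
        return b"|".join([cmd, str(counter).encode(), cls._mac(key, cmd, counter)])

    def handle(self, packet: bytes) -> str:
        parts = packet.split(b"|")
        if len(parts) != 3 or not parts[1].isdigit():
            return "malformed"
        cmd, counter_bytes, mac = parts
        counter = int(counter_bytes)
        # Constant-time compare so the check itself does not leak the MAC.
        if not hmac.compare_digest(self._mac(self.key, cmd, counter), mac):
            return "bad mac"
        if counter <= self.last_counter:
            return "replay"
        self.last_counter = counter
        if cmd == UNLOCK:
            self.unlocked = True
            return "unlocked"
        return "unknown command"


def demo() -> dict:
    """Run the sniff-and-replay sequence against both designs; returns the outcomes."""
    results = {}

    weak = PlaintextLock()
    captured = UNLOCK                                   # attacker sniffs this on the wire
    results["plaintext_first"] = weak.handle(captured)  # legitimate unlock
    weak.unlocked = False                               # door relocks
    results["plaintext_replay"] = weak.handle(captured) # replay opens it again

    key = b"constructed-demo-key-not-a-real-secret"     # constructed shared key
    strong = AuthenticatedLock(key)
    captured = AuthenticatedLock.build(key, UNLOCK, counter=1)
    results["auth_first"] = strong.handle(captured)
    strong.unlocked = False
    results["auth_replay"] = strong.handle(captured)    # same bytes, rejected
    # Attacker guesses the next counter but cannot compute the MAC.
    forged = b"|".join([UNLOCK, b"2", b"0" * 64])
    results["auth_forged"] = strong.handle(forged)
    # The server's genuine next command still works.
    results["auth_next"] = strong.handle(AuthenticatedLock.build(key, UNLOCK, counter=2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The talk’s attack lives at the transport layer, so TLS or IPsec between server and lock would close it as well; the application-layer counter shown here has the extra benefit that the lock itself can keep an audit trail of which counter values it honored, which the plaintext design cannot.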

“Sniff Keystrokes With Lasers/Voltmeters”: Two pretty amusing guys with another excellent presentation. In the first half, they presented an attack on PS/2 keyboards with very simple hardware: all you need is a slightly hacked power cord connected to a common circuit with the computer in question on one end, and an ADC plus a microcontroller (for data acquisition, filtering, and storage) on the other, and voilà! In the second half, they outlined an acoustic-based attack that builds on previous research, combined with microphone hardware using freaking laser beams. As the authors said, “How cool is that?”
Key takeaway: “girls will melt when you show this…”

“Bluetooth, Smells Like Chicken”: Pretty much what I expected from the summary. Using software-defined radio gear (about $1000) you can monitor the Bluetooth frequencies. Bluetooth frequency-hops across 79 channels spanning about 79 MHz, and the software-defined radio gear can only monitor about 25 MHz (max) at one time. But you can monitor one channel, capture packets there, and use the information in those packets to predict the frequency hopping sequence. The authors also presented a technique that aliases the entire Bluetooth spectrum into the 25 MHz available in the radio gear they were using without compromising the ability to extract packets. Finally, they discussed Bluetooth attacks using off-the-shelf sub-$10 hardware to sample and inject data.

Key takeaway: there is no longer any such thing as a non-discoverable Bluetooth device.

0-Day DEFCON Notes

Thursday, July 30th, 2009

I like DEFCON. I like Dark Tangent personally. I like Joe Grand, the guy who has designed the DEFCON badges for the past few years.

But, guys, it looks really bad when, for the second year in a row, you run out of badges early on Thursday and have to issue temporary badges until more real ones get to the con Friday morning. You don’t even have the Olympics to blame this year. This is especially frustrating now that badge hacking is an official event/contest.

DEFCON talks I will not be attending:

“Hacking UFOlogy 102: The Implications of UFOs for Life, the Universe, and Everything.”

“Two years ago at Def Con 15, Richard [Thieme] presented Hacking UFOlogy. He supported his contention that (1) UFOs are real and (2) the data to support that statement is voluminous with numerous references and links…”

Hippie, please.

DEFCON talks I plan to attend:

“Is your iPhone Pwned”, Mahaffey, Hering, and Lineberry. (This may be tough to get into, but it is scheduled against Dark Tangent’s intro and Joe Grand’s discussion of the badge, so we’ll see.)
“Hacking with the iPod Touch”, Wilhelm
“That Awesome Time I Was Sued For Two Billion Dollars”, Scott
“Three Point Oh”, Long. (For the speaker’s reputation; I’ve heard Johnny Long speak before, and he’s someone I’d like to know better.)
“Something About Network Security”, Kaminsky. (Again, for the speaker’s reputation; Kaminsky is to TCP/IP what Musashi was to the sword.)
“Hacker vs. Disasters Large & Small”, RenderMan and Schearer
“Personal Survival Preparedness”, Dunker and Dunker
“Picking Electronic Locks Using TCP Sequence Prediction”, Lawshae
“Sniff Keystrokes With Lasers/Voltmeters”, Barisani and Bianco
“Bluetooth, Smells Like Chicken”, Spill, Ossmann, and Steward. (It looks like they’re going to talk about using software-defined radio to sniff Bluetooth, techniques for breaking the pseudo-random hopping sequence, and apparently some stuff that can be done with sub-$10 off-the-shelf hardware.)
“RAID Recovery: Recover Your PORN By Sight and Sound”, Moulton
“USB Attacks”, Vega
“Cracking 400,000 Passwords, Or How To Explain to Your Roommate why the Power Bill Is a Little High”, Weir and Aggarwal

I missed the panels on “Hacking With GNURadio” and “Hacking the Apple TV and Where your Forensic Data Lives”. Perhaps next year I need to arrive on Wednesday. If there is a next year.