DEFCON « Whipped Cream Difficulties

Archive for the ‘DEFCON’ Category

DEFCON 25/Black Hat updates: July 27, 2017.

Thursday, July 27th, 2017

Round 1:

Nitay Artenstein has a blog post up at the Exodus Intelligence site covering his “Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets” talk at Black Hat.
Slides from Jason Staggs’ Black Hat version of “Adventures in Attacking Wind Farm Control Networks” are up on the Black Hat site.
I don’t see slides for Colin O’Flynn’s “Breaking Electronic Door Locks Like You’re on CSI: Cyber” yet, but he does have a blog post up talking about some of his findings.
Slides and the white paper from Ruben Santamarta’s “Go Nuclear: Breaking Radiation Monitoring Devices” are up.
This is one I kind of overlooked, but it could be interesting: Thomas Brandstetter’s “(in)Security in Building Automation: How to Create Dark Buildings with Light Speed”. White paper. Slides.
No more conference CDs at DEFCON. But here’s the presentations directory on the DEFCON 25 media server. You can also torrent presentations and workshops.
To save you a small amount of trouble: here’s the (preliminary) version of the slides for “Popping a Smart Gun”.

Edited to add more:

Karla Burnett’s “Ichthyology: Phishing as a Science” is actually relevant to my professional life. White paper.
Slides and the white paper for “Hacking Hardware with a $10 SD Card Reader” (Amir Etemadieh, CJ Heres, and Khoa Hoang) are here.

Posted in DEFCON, DEFCON 25, Geek, Guns, Radio, WiFi | Comments Closed

Here’s your hat.

Wednesday, July 26th, 2017

Black Hat 2017 is just getting started.

There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:

“Breaking Electronic Door Locks Like You’re on CSI: Cyber“. (Hey, didn’t they cancel that?) I suspect there may be some Bluetooth involved here.
“Hacking Hardware with a $10 SD Card Reader“. I would enjoy watching this, and will enjoy reading about it, but I lack the hardware skills to actually do this.
“Go Nuclear: Breaking Radiation Monitoring Devices“
“Intercepting iCloud Keychain“. The use of the words “would have” in the abstract makes me think Apple’s already patched this issue, but you never know…
“The Future of ApplePwn – How to Save Your Money“. “We’ll present a specially developed opensource utilities which demonstrates how hackers can reconnect your card to their iPhone or make fraudulent payments directly on the victim’s phone, even without a jailbreak.”
“Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets“. If memory serves, this got a lot of recent attention.
“Hunting GPS Jammers“. Radio. GPS. There.
“Attacking Encrypted USB Keys the Hard(ware) Way“.
“Exploiting Network Printers“.
“Free-Fall: Hacking Tesla from Wireless to CAN Bus“. Based on the abstract, it looks like Tesla has already fixed the issues, but the process of finding and exploiting them might still be interesting.

The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.

Posted in Apple, Bluetooth, Cars, DEFCON, DEFCON 25, GPS, Locks, Radio, WiFi | Comments Closed

DEFCON 25: 0 day notes.

Tuesday, July 25th, 2017

I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?

Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.

Not really exited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology“. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.

Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on
“The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there’s also two Mac specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:

By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe.

13:00: “Controlling IoT devices with crafted radio signals“, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security“, though.)

Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods“:

As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant“:

…EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?

I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)

Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)

At 17:00:

In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

You have my attention.

Sunday: “I Know What You Are by the Smell of Your Wifi“, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years“.

Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I was there.)

This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.

Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.

Posted in Apple, DEFCON, DEFCON 25, Geek, GPS, Guns, Locks, Radio, SDR | Comments Closed

Curses!

Tuesday, July 25th, 2017

DEFCON 25 is this week, and it snuck up on me. I was expecting it to start next week.

I guess this means I have to get the schedule analysis up in a hurry. I think I can get it done by Wednesday night; or at least get the Thursday/Friday parts of it up, and Saturday/Sunday up by Thursday night.

Is there anything that leaps out at me from a quick once-over? No “hippie, please!” panels that I noticed this year. Also no badge contest or mystery challenge.

(Also, I’m reorging the DEFCON tags. I think this should be transparent to everyone.)

Posted in DEFCON, DEFCON 25 | Comments Closed

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

Posted in Android, Bluetooth, DEFCON 24, Geek, Phones, Radio | Comments Closed

DEFCON 24 updates: August 11, 2016.

Thursday, August 11th, 2016

“SITCH – Inexpensive, Coordinated GSM Anomaly Detection” doesn’t just have slides up. Or a whitepaper.

It has an entire freaking website. Which does include, yes, slides and whitepaper. (Thanks to SecBarbie on Twitter for this.)

Slides for the Tamas Szakaly “Help, I’ve got ANTs!!!” talk are here. And his GitHub repo is here.

Good stuff is going up on the Black Hat 2016 briefings site, too. I haven’t had a chance to go through all of the abstracts yet, but my current favorite is: “Does Dropping USB Drives In Parking Lots And Other Places Really Work?”. Slides here, code here, blog post here, no spoilers here.

Posted in DEFCON 24, Phones, Radio | Comments Closed

DEFCON 24 updates: August 8, 2016.

Monday, August 8th, 2016

Posted in Apple, DEFCON 24, linux | Comments Closed

More on Blue Hydra.

Sunday, August 7th, 2016

Earlier, I wrote “It runs! It works! Mostly. Kind of.”

I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.

The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)

First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are gem install bundler.

Next problem: running bundle install resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. sudo apt-get install ruby-dev fixed that issue.

Next problem: the SQLIte Ruby gem failed to install when I ran bundle install. It turns out that I also needed the sqlite3-dev package as well. And with that installed, the bundle built, and I could do ./bin/blue_hydra.

Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try sudo ./bin/blue_hydra (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.

In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.

However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)

Now, to be fair, there may be some other things going on:

I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.01.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun bundle install to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately aftewards (though it still required root).)
I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
And who knows? There may very well be some bugs that get fixed after DEFCON.

tl, dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.

Posted in Apple, Bluetooth, DEFCON 24, Geek, linux, Nokia, project_e, Radio, Ruby | 4 Comments »

DEFCON 24: August 7, 2016 updates.

Sunday, August 7th, 2016

The presentations on the conference CD are here, if you’re looking for something specific that I didn’t mention. I’m still going to try to provide links to individual presenters and their sites, simply because I believe those are the most recent and best updated ones. Just to be clear, I’m not trying to rip off anyone else’s work, which is why I link directly. I want to provide myself (and possibly other interested folks) with one-stop shopping for the latest versions of the things I’m most interested in.

Sean Metcalf’s “Beyond the MCSE: Red Teaming Active Directory” isn’t up yet, but it will be here when he gets around to it. (This isn’t a shot at him; if I was in Vegas right now, uploading my presentation would be the last thing on my mind, too.) That site does have his Black Hat presentation, “Beyond the MCSE: Active Directory for the Security Professional”.
Haven’t found an updated copy of Master Chen’s “Weaponize Your Feature Codes” presentation yet, but the GitHub repo with his code is here.
The slides for Joe Grand and Joe FitzPatrick’s “101 Ways to Brick your Hardware” are up on the Grand Idea Studio website.
And the slides for “BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses” are also on the Grand Idea Studio website.
The material from the Six_Volts/Haystack “Cheap Tools for Hacking Heavy Trucks” presentation will be here within a week of the conference, according to the presenters. Here. Shake hands with danger.
The GitHub repo with the slides and the code from the Anthony Rose and Ben Ramsey “Picking Bluetooth Low Energy Locks from a Quarter Mile Away” talk is here.
Here are the slides and the whitepaper from Marc Newlin‘s “MouseJack: Injecting Keystrokes into Wireless Mice”.
The slides from the Rogan Dawes and Dominic White “Universal Serial aBUSe: Remote Physical Access Attacks” will be here eventually, according to the presenters, and the tools will be here (ditto).

This takes us into today. I’ve been at this for about an hour and a half now. I’m not proud. Or tired. But I do have some other things I want to do, and I think it is a bit early to expect Sunday presentations to be up. I’ll end this one for now, and see if I can do another update tomorrow. Also, I want to do a further write-up on Blue Hydra, possibly tonight, maybe tomorrow as well.
If you are a presenter who’d like to provide a link to your talk (even if it is one I didn’t specifically call out) or you have other comments or questions, please feel free to comment here or send an email to stainles [at] sportsfirings.com.

Posted in Bluetooth, DEFCON 24, Geek, Radio | Comments Closed

DEFCON 24 notes: Hail Hydra!

Thursday, August 4th, 2016

GitHub repository for Blue Hydra.

I’m jumping the gun a little, as the presentation is still a few hours away, but I wanted to bookmark this for personal reference as well as the enjoyment and edification of my readers.

Edited to add: quick update. Holy jumping mother o’ God in a side-car with chocolate jimmies and a lobster bib! It runs! It works! Mostly. Kind of.

If I get a chance, I’ll try to write up the steps I had to follow tomorrow. Yes, this blog is my personal Wiki: also, while the instructions in the README are actually pretty good, I ran into a few dependency issues that were not mentioned, but are documented on Stack Overflow.

Posted in Bluetooth, Bookmarks, DEFCON 24, Geek, linux, Radio | Comments Closed

DEFCON 24: 0-day notes.

Wednesday, August 3rd, 2016

Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.

The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?

(As a side note, one of my cow-orkers was lucky enough to get a company paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)

(more…)

Posted in Android, Apple, Bluetooth, Books, DEFCON 24, Geek, Phones, Radio | 2 Comments »

DEFCON 23 notes: August 12, 2015.

Wednesday, August 12th, 2015

Whipped Cream Difficulties

Archive for the ‘DEFCON’ Category

DEFCON 25/Black Hat updates: July 27, 2017.

Here’s your hat.

DEFCON 25: 0 day notes.

Curses!

Actually, they can read your poker face.

DEFCON 24 updates: August 11, 2016.

DEFCON 24 updates: August 8, 2016.

More on Blue Hydra.

DEFCON 24: August 7, 2016 updates.

DEFCON 24 notes: Hail Hydra!

DEFCON 24: 0-day notes.

DEFCON 23 notes: August 12, 2015.

Pages

Happy Amazon Fun Time!

Archives

Categories

Blogroll

BugMeNot

Firearms Reference

People who deserve your support.

Reference

RIP

Twitter

Twitter Catholico

Webcomics I Like (without reservation)

Meta

May 2024
M	T	W	T	F	S	S
« Apr
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31