There’s been too much to do here at the Chaos Communication Camp — the quadrennial outdoor meeting of hackers. Between talks and projects and workshops, there’s hardly been a minute to sit down and write up a summary. Nonetheless, I’ve sat in on a few talks. Here’s a quick overview of some of what happened on Day One, and a little look behind the scenes into what makes a 5,000-person hacker camp work.
We had a wild time at DEF CON last week. Here’s a look back on everything that happened.
For us, the festivities closed out with a Hackaday Breakfast Meetup on Sunday morning. Usually we’d find a bar and have people congregate in the evening but there are so many parties at this conference (official and unofficial) that we didn’t want people to have to choose between them. Instead, we made people shake off the hangover and get out of bed in time for the 10:30am event.
We had a great group show up and many of them brought hardware with them. [TrueControl] spilled all the beans about the hardware and software design of this year’s Whiskey Pirate badge. This was by far my favorite unofficial badge of the conference… I made a post covering all the badges I could find over the weekend.
We had about thirty people roll through and many of them stayed for two hours. A big thanks to Supplyframe, Hackaday’s parent company, for picking up the breakfast check and for making trips like this possible for the Hackaday crew.
For DEF CON 22 I built a hat that scrolls messages and also serves as a simple WiFi-based crypto game. Log onto the access point and try to load any webpage and you’ll be greeted with the scoreboard shown above. Crack any of the hashes and you can log into the hat, put your name on the scoreboard, and make the hat say anything you want.
Last year only one person hacked the hat, this year there were 7 names on the scoreboard for a total of 22 cracked hashes. Nice work!
- erich_jjyaco_cpp 16 Accounts
- UniversityOfAriz 1 Account
- @badgerops 1 Account
- conorpp_VT 1 Account
- C0D3X Pwnd you 1 Account
- D0ubleN 1 Account
- erichahn525_VTe 1 Account
Three of these hackers talked to me, the other four were covert about their hat hacking. The top scorer used a shell script to automate logging-in with the cracked passwords and putting his name on the scoreboard.
I’d really like to change it up next year. Perhaps three hats worn by three people, with some type of three-part key to add different challenges. If you have any ideas I’d love to hear them below, or as comments on the project page.
[Eric Evenchick] on socketCAN
One of the “village” talks that I really enjoyed was from [Eric Evenchick]. He’s been a writer here for a few years, but his serious engineering life is gobbling up more and more of his time — good for him!
You probably remember the CANtact tool he built to bring car hacking into Open Source. Since then he’s been all over the place giving talks about it. This includes Blackhat Asia earlier in the year (here are the slides), and a talk at BlackHat a few days before DEF CON.
This village talk wasn’t the same as those, instead he focused on showing what socketCAN is capable of and how you might use it in your own hacking. This is an open source software suite that is in the Linux repos. It provides a range of tools that let you listen in on CAN packets, record them, and send them out to your own car. It was great to hear [Eric] rattle off examples of when each would be useful.
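The “record them” part of the socketCAN toolset produces log files from `candump -l` in the form `(timestamp) interface ID#DATA`. As an added example that is not from [Eric]’s talk or the socketCAN project, here is a small Python parser for that log format with a defender’s audit pass over it: it counts which identifiers are talking on the bus and flags frames that a recorded baseline does not explain, including OBD-II functional diagnostic requests (ID 0x7DF) and 29-bit ISO-TP addressed diagnostics (0x18DAxxyy), which are normal in a service bay but worth noticing during ordinary driving. The sample log and the baseline ID set are constructed for the example, not captured from a real vehicle.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed candump -l style log (hypothetical traffic, not captured from a real car).
SAMPLE_LOG = """\
(1439000000.000100) can0 0C9#8021C0071B101000
(1439000000.010200) can0 1A1#0000000000000000
(1439000000.020300) can0 0C9#8021C0071B101000
(1439000000.030400) can0 7DF#0201050000000000
(1439000000.040500) can0 18DAF110#0441050000000000
(1439000000.050600) can0 1A1#R
"""

# Identifiers a defender has catalogued as normal for this (hypothetical) bus.
BASELINE_IDS = {0x0C9, 0x1A1}

# OBD-II functional diagnostic request identifier (11-bit).
OBD_FUNCTIONAL_REQUEST = 0x7DF

# '(ts) iface ID#DATA' where ID is 3 hex digits (11-bit) or 8 (29-bit); DATA is hex bytes or 'R'.
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(?P<data>R|(?:[0-9A-Fa-f]{2})*)$"
)


@dataclass(frozen=True)
class Frame:
    timestamp: float
    interface: str
    can_id: int
    extended: bool  # 29-bit identifier (8 hex digits in the log)
    remote: bool    # remote transmission request, carries no payload
    data: bytes


def parse_line(line: str) -> Frame:
    """Parse one candump log line into a Frame; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    id_hex = m.group("id")
    data = m.group("data")
    return Frame(
        timestamp=float(m.group("ts")),
        interface=m.group("iface"),
        can_id=int(id_hex, 16),
        extended=len(id_hex) == 8,
        remote=(data == "R"),
        data=b"" if data == "R" else bytes.fromhex(data),
    )


def parse_log(text: str) -> list[Frame]:
    """Parse a whole log file, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(frames: list[Frame]) -> Counter:
    """Frame count per CAN identifier: an inventory of what is talking on the bus."""
    return Counter(f.can_id for f in frames)


def find_anomalies(frames: list[Frame], baseline: set[int] = BASELINE_IDS) -> list[tuple[float, str]]:
    """Flag frames the baseline does not explain, diagnostics first."""
    findings = []
    for f in frames:
        if f.can_id == OBD_FUNCTIONAL_REQUEST:
            findings.append((f.timestamp, f"OBD-II diagnostic request 0x{f.can_id:X}"))
        elif f.extended and (f.can_id >> 16) == 0x18DA:
            findings.append((f.timestamp, f"ISO-TP addressed diagnostic 0x{f.can_id:08X}"))
        elif f.can_id not in baseline:
            findings.append((f.timestamp, f"identifier 0x{f.can_id:X} not in baseline"))
    return findings


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    for cid, n in sorted(summarize(frames).items()):
        print(f"0x{cid:X}: {n} frame(s)")
    for ts, why in find_anomalies(frames):
        print(f"{ts:.6f} {why}")
```

Running it on a real `candump -l` file is a matter of reading the file and handing the text to `parse_log`; the baseline set would come from a recording of the car at rest and under normal driving, so that anything outside it stands out.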
Our Posts from DEF CON 23
If you missed any of them, here’s our coverage from the conference. We had a blast and are looking forward to seeing everyone there next year!
- Help Decipher the DEF CON Badge
- DEF CON Uber Badge so Hot It’s Radioactive
- DEF CON: The Proxy for ProxyHam
- Cory Doctorow Rails Against the Effect of DRM and the DMCA
- DEF CON: Abusing Scripts in Multiplayer Games
- Hacking a KVM: Teach a Keyboard Switch to Spy
- DEF CON: HDMI CEC Fuzzing
- All the Unofficial Electronic Badges of DEF CON
It happens every four years in Germany. The days are at their longest and the summer heat’s penetrating. It’s time to break out the tent and go camping. But who wants to go camping in the wilderness, where there’s no Gigabit Ethernet and nobody to hack on projects with? Much better to attend the Chaos Communications Camp 2015 with 5,000 other nerds. And Hackaday will be there!
If you’ve never been to a Chaos Camp, it’s an amazing experience. It’s like a DIY version of DEF CON, except that it takes place in tents in the countryside outside Berlin instead of gambling-themed hotels in the dry, dusty desert. There’s a lot more emphasis on actually doing stuff while at camp. (It’s meant to be a vacation, after all.) Indeed, presentations are shut down in the middle of the day for three and a half hours to give people time to hack and interact.
Have a look at the list of projects, events, sessions, villages, or talks to get a feeling of scale, and bear in mind that a lot of the most interesting activities are often unofficial: people getting together to work on stuff. There’s plenty of inspiration and room for cooperation to go around.
Like many cons these days, the badge itself will doubtless serve as at least one such source of inspiration, and the 2015 Camp’s badge is awesome. It’s essentially a HackRF One with an LPC4300 ARM Cortex M4 micro, large flash memory, USB, battery, audio, and an LCD screen on-board. Add an antenna and you’ve got an insanely versatile standalone radio hacking platform. We’re digging through the docs in anticipation. So expect to see a bunch of SDR and RF hacks in the next few months as 5,000 hackers get these in their hands.
If you can’t make it (tickets have been sold out for a while now), you can check out the live streams. Not only will the talks be shown as they happen, but in keeping with the democratic ethos of the CCC, anyone who can set up an icecast server can set up their own stream.
And of course, we’ll be there reporting on as much as we can. If anything strikes your fancy and you’d like us to check it out for you, post up in the comments here. We can’t promise the impossible, but we’ll try. And if you’re going to camp as well, keep an eye out for Elliot and say Hi.
2015 was the year of the unofficial hardware badge at DEF CON 23. There were a ton of different hardware badges designed for the love of custom electronics and I tried to catch up with the designer of each different badge. Here is the collection of images, video demos, and build details for each one I saw this weekend.
[TrueControl] did a great job with his badge design this year for the Whiskey Pirate Crew. This is a great update from the badge he designed last year, keeping the skull and bones outline. It uses a PSOC4 chip to control a ton of LEDs. The eyes are RGB pixels which are each on their own PCB that is soldered onto the back of the badge, with openings for the LED to show through. Two AA batteries power the board which has a surface-mount LED matrix. The user controls are all capacitive touch. There is a spinner around one eye, and pads for select and back. The NRF24L01 radio operates at 2.4GHz. This badge is slave to commands from last year’s badge. When the two are in the same area the 2015 badges will scroll the nickname of the 2014 badge it “sees”. The piezo element also chirps many different sounds based on the interactions with different badges.
[True] makes design an art form. The matte black solder mask looks fantastic, and he took great care in use of font, size, alignment, and things like letting copper show through for a really stunning piece of hardware art.
Keep reading for ten more great badges seen over the weekend.
HDMI is implemented on just about every piece of sufficiently advanced consumer electronics. You can find it in low-end cellphones, and a single board Linux computer without HDMI is considered crippled. There’s some interesting stuff lurking around in the HDMI spec, and at DEF CON, [Joshua Smith] laid the Consumer Electronics Control (CEC) part of HDMI out on the line, and exposed a few vulnerabilities in this protocol that’s in everything with an HDMI port.
CEC is designed to control multiple devices over an HDMI connection; it allows your TV to be controlled from your set top box, your DVD player from your TV, and passing text from one device to another for an On Screen Display. It’s a 1-wire bidirectional bus with 500 bits/second of bandwidth. There are a few open source implementations like libCEC, Android HDMI-CEC, and even an Arduino implementation. The circuit to interface a microcontroller with the single CEC pin is very simple – just a handful of jellybean parts.
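Every CEC message is a header block (initiator logical address in the high nibble, destination in the low nibble) followed by an optional opcode byte and parameters; a header on its own is a polling message, and destination 15 is the broadcast address. As an added example that is not from [Joshua]’s talk or from libCEC, here is a Python decoder for messages written in the colon-separated byte notation that cec-client prints, plus an audit function a defender would run over a capture: it calls out vendor-specific opcodes (0x89 Vendor Command and 0xA0 Vendor Command With ID), which is the non-standardized corner of the protocol where device-specific behaviour lives, and sanity-checks Set OSD String payloads for length and non-printable bytes. The sample messages are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# CEC logical addresses (HDMI CEC specification).
LOGICAL_ADDRESSES = {
    0: "TV", 1: "Recording 1", 2: "Recording 2", 3: "Tuner 1", 4: "Playback 1",
    5: "Audio System", 6: "Tuner 2", 7: "Tuner 3", 8: "Playback 2", 9: "Recording 3",
    10: "Tuner 4", 11: "Playback 3", 12: "Reserved", 13: "Reserved", 14: "Free Use",
    15: "Unregistered/Broadcast",
}

# A subset of the standard opcodes; anything not listed is reported as unknown.
OPCODES = {
    0x00: "Feature Abort", 0x04: "Image View On", 0x0D: "Text View On",
    0x36: "Standby", 0x44: "User Control Pressed", 0x45: "User Control Released",
    0x46: "Give OSD Name", 0x47: "Set OSD Name", 0x64: "Set OSD String",
    0x82: "Active Source", 0x83: "Give Physical Address", 0x84: "Report Physical Address",
    0x87: "Device Vendor ID", 0x89: "Vendor Command", 0x8C: "Give Device Vendor ID",
    0x8F: "Give Device Power Status", 0x90: "Report Power Status",
    0x9E: "CEC Version", 0x9F: "Get CEC Version", 0xA0: "Vendor Command With ID",
}

VENDOR_SPECIFIC = {0x89, 0xA0}   # payload semantics are defined by the vendor, not the spec
SET_OSD_STRING = 0x64
OSD_STRING_MAX = 13              # maximum [OSD String] length per the CEC spec
BROADCAST = 15


@dataclass(frozen=True)
class CecMessage:
    initiator: int
    destination: int
    opcode: int | None   # None for a polling message (header block only)
    params: bytes

    @property
    def broadcast(self) -> bool:
        return self.destination == BROADCAST


def parse_message(hex_blocks: str) -> CecMessage:
    """Parse 'hh:oo:pp:...' (cec-client byte notation) into a CecMessage."""
    raw = bytes.fromhex(hex_blocks.replace(":", ""))
    if not raw:
        raise ValueError("empty CEC message")
    header = raw[0]
    return CecMessage(
        initiator=header >> 4,
        destination=header & 0x0F,
        opcode=raw[1] if len(raw) > 1 else None,
        params=raw[2:],
    )


def describe(msg: CecMessage) -> str:
    """Human-readable one-liner: source -> destination: opcode name and raw parameters."""
    src = LOGICAL_ADDRESSES[msg.initiator]
    dst = LOGICAL_ADDRESSES[msg.destination]
    if msg.opcode is None:
        return f"{src} -> {dst}: polling"
    name = OPCODES.get(msg.opcode, f"unknown 0x{msg.opcode:02X}")
    tail = f" {msg.params.hex(':')}" if msg.params else ""
    return f"{src} -> {dst}: {name}{tail}"


def audit(msg: CecMessage) -> list[str]:
    """Findings a defender would want to see for one captured message."""
    findings = []
    if msg.opcode is None:
        return findings
    if msg.opcode in VENDOR_SPECIFIC:
        findings.append("vendor-specific opcode: behaviour is not standardized, treat payload as opaque")
    elif msg.opcode not in OPCODES:
        findings.append(f"opcode 0x{msg.opcode:02X} not in decoder table")
    if msg.opcode == SET_OSD_STRING:
        text = msg.params[1:]  # params[0] is the display-control byte, the rest is the string
        if len(text) > OSD_STRING_MAX:
            findings.append(f"OSD string of {len(text)} bytes exceeds the {OSD_STRING_MAX}-byte limit")
        if any(b < 0x20 or b > 0x7E for b in text):
            findings.append("OSD string contains non-printable bytes")
    return findings


# Constructed sample capture (not from any real device).
SAMPLE_CAPTURE = [
    "44",                        # Playback 1 polls its own address during allocation
    "4F:82:10:00",               # Playback 1 broadcasts Active Source, physical address 1.0.0.0
    "40:64:00:48:65:6C:6C:6F",   # Playback 1 -> TV: Set OSD String "Hello"
    "04:89:01:02:03",            # TV -> Playback 1: Vendor Command with opaque payload
    "40:64:00:41:00:42",         # Set OSD String with an embedded NUL byte
]

if __name__ == "__main__":
    for line in SAMPLE_CAPTURE:
        msg = parse_message(line)
        print(describe(msg))
        for finding in audit(msg):
            print("  !", finding)
```

Feeding it a real capture means stripping each `TRAFFIC: >> ...` line from cec-client down to its byte notation; everything after the first two bytes is passed through untouched, so vendor payloads can be inspected separately once they have been flagged.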
[Joshua]’s work is based off a talk by [Andy Davis] from Blackhat 2012 (PDF), but greatly expands on this work. After looking at a ton of devices, [Joshua] was able to find some very cool vulnerabilities in a specific Panasonic TV and a Samsung Blu-ray player.
A certain CEC command directed towards the Panasonic TV sent a command to upload new firmware from an SD card. This is somewhat odd, as you would think firmware would be automagically downloaded from an SD card, just like thousands of other consumer electronics devices. For the Samsung Blu-Ray player, a few memcpy() calls were found to be accessed by CEC commands, but they’re not easily exploitable yet.
As far as vulnerabilities go, [Joshua] has a few ideas. Game consoles and Blu-ray players are ubiquitous, and the holy grail – setting up a network connection over HDMI Ethernet Channel (HEC) – would be the keys to the castle in a device no one would ever think of taking a close look at.
Future work includes a refactor of the current code, and digging into more devices. There are millions of CEC-capable devices out on the market right now, and the CEC commands themselves are not standardized. The only way for HDMI CEC to be a reliable tool is to figure out commands for these devices. It’s a lot of work, but makes for a great call to action to get more people investigating this very interesting and versatile protocol.
Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.
This was the topic of [Sofiane Talmat’s] talk at DEF CON 23. He also gave this talk earlier in the week at BlackHat and has published his slides (PDF).
The hardware in satellite receivers runs Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio.
An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”.
On the user side of things this just works; the user watches TV for free. It might cause more crashes than normal, but the stock software is buggy anyway so this isn’t a major regression. The problem is that now these people have exposed a network-connected Linux box to the Internet and installed non-verified code from disreputable sources to run on the thing.
[Sofiane] demonstrated how little you need to know about this system to create a botnet:
- Build a plugin in C/C++
- Host a card-sharing server
- Botnet victims come to you (profit)
It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time, and the binary in that folder will be automatically installed. Since the user is getting free TV they voluntarily install this malware.
Click through for more on the STB Hacks.
When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.