SAINTCON Badge (Badge Hacking for Mortals)

[Josh] attended his first SAINTCON this weekend before last and had a great time participating in the badge hacking challenge.

The 2014 SAINTCON is only the second time that the conference has been open to the public. They give out conference badges which are just an unpopulated circuit board. This makes a lot of sense if you figure the number of people who actually hack their badges at conferences is fairly low. So he headed off to the hardware hacking village to solder on the components by hand — it’s an Arduino clone.

This is merely the start of the puzzle. We really like that the published badge resources include a crash course on how to read a schematic. The faq also attests that the staff won’t solder it for you and to get your microcontroller you have to trade in your security screw (nice touch). Once up and running you need to pull up the terminal on the chip and solve the puzzles in the firmware’s menu system. This continues with added hardware for each round: an IR receiver, thermistor, EEPROM, great stuff if you’re new to microcontrollers.

[Josh] mentions that this is nothing compared to the DEFCON badge. Badge hacking at DEFCON is **HARD**; and that’s good. It’s in the top-tier of security conferences and people who start the badge-solving journey expect the challenge. But if you’re not ready for that level of puzzle, DEFCON does have other activities like Darknet. That is somewhere in the same ballpark as the SAINTCON badge – much more friendly to those just beginning to developing their crypto and hardware hacking prowess. After all, everyone’s a beginner at some point. If that’s you quit making excuses and dig into something fun like this!

The Solution to the 10th Anniversary Code

A few weeks ago, [1o57], a.k.a. [Ryan Clarke] gave a talk about puzzles, DEFCON, and turning crypto puzzles into an art form at our 10th anniversary party. Ever the trickster, [1o57] included a crypto challenge in his talk, and a few days after our little shindig, nobody had yet solved the puzzle. Finally, someone bothered to sit down and figure it out. We don’t know what [tahnok] won, but as [1o57] said, solving it is its own reward.

Some of the slides in the presentation had a few characters sitting off to the side for no apparent reason. [tahnok] put these together and came up with:

DOXIYLDCYVDKIKNKUMKRYDNBYGONYMNXOC

In cases like this, you might try a Caesar cipher, or just shifting characters to the left or right a certain number of places. Since [1o57] noted this was the tenth anniversary of Hackaday, [tahnok] tried that first:

TENYOBTSOLTAYADAKCAHOTDROWEDOCDNES

It doesn’t look like much, but that’s only because the string is backwards. Tricky, tricky. tricky. With instructions to send a codeword to an email address, [tahnok] now needed to find a code word. There was one picture [1o57] put up on twitter that was still an unsolved part of the puzzle:

men

With no idea what these little stickmen are, he scoured google with variants of ‘stickmen code’ and ‘semaphore’ until he hit upon the Sherlock Holmes story, The Adventure of the Dancing Men. It’s a simple substitution cypher, translated to, “codeword psychobilly ciphers”

And that’s the entire puzzle. As far as we know, this took about a month to solve, and compared to the DEFCON challenges, was fairly simple. [1o57] will probably chime in down in the comments to tell everyone how many people have picked up on the clues and sent an email.

The CryptoCape For BeagleBone

[Josh Datko] was wandering around HOPE X showing off some of his wares and was kind enough to show off his CryptoCape to us. It’s an add on board for the BeagleBone that breaks out some common crypto hardware to an easily interfaced package.

On board the CryptoCape is an Atmel Trusted Platform Module, an elliptic curve chip, a SHA-256 authenticator, an encrypted EEPROM, a real time clock, and an ATMega328p for interfacing to other components and modules on the huge prototyping area on the cape.

[Josh] built the CryptoCape in cooperation with Sparkfun, so if you’re not encumbered with a bunch of export restrictions, you can pick one up there. Pic of the board below.

Continue reading “The CryptoCape For BeagleBone”

Hackaday at DEF CON 21

DEF CON 21 Badge

I’ve arrived at the Rio Casino in Las Vegas, Nevada for DEF CON 21. Over the next couple of days, I’ll be talking about what I get up to here.

The main event today is registration, which means getting a neat badge. This year’s badge was designed by [Ryan Clarke]. According to the DEF CON booklet, they are “non-electronic-electronic” badges this year, and DEF CON will be alternating between electronic badges every other year.

The playing card design is printed on a PCB, and uses the silkscreen, solder mask, and copper layers to provide three colors for the artwork. The badge is a crypto challenge, featuring some cryptic characters, numbers, and an XOR gate. I don’t have any ideas about it yet, but some people are already working hard on cracking the code.

Tomorrow, I’ll be heading to a few talks including one on hacking cars that we discussed earlier, and one on decapping chips. I’ll also be checking out some of the villages. The Tamper Evident Village is premiering this year, and they’ll be showing off a variety of tamper proofing tech. I’ll also try to get to the Beverage Cooling Contraption Contest, where competitors build devices to cool beverages (ie, beer) as quickly as possible.

If you have any DEF CON tips, let me know in the comments.

HDMI breakout lets you sniff HDCP crypto keys

hdmi-breakout-cable

There’s two really useful parts to this hack which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then used a continuity tester to figure out which screw terminal connects with which bare wire. After all the wires are accounted for the end with the plug goes to his TV, with a second cable connecting between the board’s socket and his DVD player.

The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.

Zigbee AES key sniffing

zigbeesniffing

[Travis Goodspeed] posted a preview of what he’s working on for this Summer’s conferences. Last weekend he gave a quick demo of sniffing AES128 keys on Zigbee hardware at SOURCE Boston. The CC2420 radio module is used in many Zigbee/802.15.4 sensor networks and the keys have to be transferred over an SPI bus to the module. [Travis] used two syringe probes to monitor the clock line and the data on a TelosB mote, which uses the CC2420. Now that he has the capture, he’s planning on creating a script to automate finding the key.

TEMPEST: A Signal Problem

tempest

TEMPEST is the covername used by the NSA and other agencies to talk about emissions from computing machinery that can divulge what the equipment is processing. We’ve covered a few projects in the past that specifically intercept EM radiation. TEMPEST for Eliza can transmit via AM using a CRT monitor, and just last Fall a group showed how to monitor USB keyboards remotely. Through the Freedom of Information Act, an interesting article from 1972 has been released. TEMPEST: A Signal Problem (PDF) covers the early history of how this phenomenon was discovered. Uncovered by Bell Labs in WWII, it affected a piece of encryption gear they were supplying to the military. The plaintext could be read over that air and also by monitoring spikes on the powerlines. Their new, heavily shielded and line filtered version of the device was rejected by the military who simply told commanders to monitor a 100 feet around their post to prevent eavesdropping. It’s an interesting read and also covers acoustic monitoring. This is just the US history of TEMPEST though, but from the anecdotes it sounds like their enemies were not just keeping pace but were also better informed.

[via Schneier]