DEF CON Meetup At The Grave Of James T. Kirk

DEF CON is just around the corner, and that means in just a few days thousands of hardware hackers will be wandering around the casinos in Vegas. Yes, in a mere handful of hours, the tech literati will be accosted by the dead, disaffected eyes of dealers and the crass commercialization of every culture in humanity’s recorded history. The light of god does not penetrate mirrored ceilings. Vegas is terrible and it’ll be 120°F outside, but at least there’s cool stuff happening Thursday through Sunday.

Hackaday is going to be there, but we really don’t want to spend the entire weekend walking around casinos. That’s why we’re hosting a meetup at the most unlikely place possible: Veridian III, the site of the battle between the Duras sisters and the Enterprise, the crash site of NCC-1701-D, and the final resting place of Admiral James Tiberius Kirk.

We’ll be visiting Veridian III at the Valley of Fire State Park on Wednesday, August 3rd, starting at 1pm. It’s about an hour north of Vegas. As you would expect, hats, sunscreen, good shoes, and a supply of water that could be categorized as “survivalist” are a good idea. Hackaday will be at the visitor center at 1PM, and after a half hour or so, the entire meetup will drive a few miles north to cooler looking rocks.

If you want an FAQ, here you go:

  • What’s this all about, then?
    • Drive out to the desert because cool rocks.
  • No, really, what’s up?
    • Watch Star Trek: Generations. We’re going to the filming location of Soran’s launch site on Veridian III. This is where Kirk died (on a bridge), and where he was buried by Picard.
  • Where and when?
    • Valley of Fire State Park. Here’s the Google Map. 1PM, August 3rd. It’s about an hour north of Vegas. We’re going to meet at the visitor center around 1pm. Around 1:30, we’re going a few miles north to the White Dome trailhead. Look for the Hackaday Flag. It’ll be flying on a PVC pipe taped to a car.
  • Why are you going to the desert, in August, in the middle of the day, with no plan whatsoever?
    • Because Benchoff.
  • Why would extinguishing a star alter its gravity? The mass of the star would still be there, which means the Nexus ribbon wouldn’t be deflected at all. Is this crazy? What’s going on here?
    • Because Rick Berman.
  • Why weren’t there two Picards after Picard and Kirk returned from the Nexus?
    • Rick Berman.
  • Is this really the grave site of James T. Kirk?
    • No, because Kirk was resurrected by the Borg and his katra restored by Romulans.

This meetup will be a continuation of a series of Hackaday meetups in the middle of nowhere. Earlier, we had a gathering at the childhood home of the worst president of the United States of America. That meetup was a roaring success, with people travelling from surprisingly far away. If you’re unlucky enough to be in Vegas for DEF CON a day early, this is one of the weirdest meetups you could possibly attend.

By the way, if enough people attend, it will serve as proof we can do a meetup anywhere. I have my eyes on Spillville, Iowa, Oregon’s House of Mystery, and one of the remaining Blockbuster stores in El Paso. If you support this idea, come on out.

Hands-on the AND!XOR Unofficial DEF CON Badge

DEF CON 24 is still about two weeks away but we managed to get our hands on a hardware badge early. This is not the official hardware — there’s no way they’d let us leak that early. Although it may be unofficial in the sense that it won’t get you into the con, I’m declaring the AND!XOR badge to be officially awesome. I’ll walk you through it. There’s also a video below.

Over the past several years, building your own electronic badge has become an impromptu event. People who met at DEF CON and have been returning year after year spend the time in between coming up with great ideas and building as many badges as they can leading up to the event. This is how I met the trio who built this badge — AND!XOR, Andrew Riley, and Jorge Lacoste — last year they invited me up to their room where they were assembling the last of the Crypto Badges. Go check out my guide to 2015 Unofficial DEF CON badges for more on that story (and a video of the AM transmissions that badge was capable of).

The outline of this year’s badge is, of course, Bender from Futurama. Both eyes are RGB LEDs, with another half dozen located at different points around his head. The microcontroller, an STM32F103 ARM Cortex-M3, sits in a diamond pattern between his eyes. Above the eyes you’ll find 16 Mbit of flash, a 128×64 OLED screen, and a reset button. The user inputs are five switches, and the badge is powered by three AA batteries found on the flip side.


That alone makes an interesting piece of hardware, but the RFM69W module makes all of the badges interactive. The spring coming off the top of Bender’s dome is a coil antenna for the 433 MHz communications. I only have the one badge on hand, so I couldn’t delve too deeply into what interactive tricks a large pool of badges will perform, but the menu hints at a structure in place for some very fun and interesting applications.


Hackaday Links: July 24, 2016

Right now HOPE is dying down, and most of the Hackaday crew will be filtering out of NYC. It was a great weekend. The first weekend in August will be even better. We’re going to DEF CON, we’ll have people at VCF West, and a contingent at EMF Camp. If you’re going to EMF Camp, drop a line here. There will be Hackaday peeps wandering around a field in England, so if you see someone flying the Hackaday or Tindie flag, stop and say hi.

Raspberry Pi’s stuffed into things? Not all of them are terrible. The Apple Extended keyboard is possibly the best keyboard Apple ever produced. It’s mechanical (Alps), the layout is almost completely modern, and they’re actually cheap for something that compares well to a Model M. There’s also enough space inside the plastic to fit a Pi and still have enough room left over for holes for the Ethernet and USB ports. [ezrahilyer] plopped a Pi in this old keyboard, and the results look great. Thanks [Burkistana] for sending this one in.

We’ve been chronicling [Arsenijs]’ Raspberry Pi project for months now, but this is big news. The Raspberry Pi project has cracked 10k views on Hackaday.io, and is well on track to be the most popular project of all time, on any platform. Congrats, [Arsenijs]; it couldn’t happen to a better project.

A few months ago, [Sébastien] released SLAcer.js, a slicer for resin printers that works in the browser. You can’t test a slicer without a printer, so for the last few months, [Sébastien] has been building his own resin printer. He’s looking for beta testers. If you have experience with resin printers, this could be a very cool (and very cheap) build.

Anyone going to DEF CON? For reasons unknown to me, I’m arriving in Vegas at nine in the morning on Wednesday. This means I have a day to kill in Vegas. I was thinking about a Hackaday meetup at the grave of James T. Kirk on Veridian III. It’s about an hour north of Vegas in the Valley of Fire State Park. Yes, driving out to the middle of the desert in August is a great idea. If anyone likes this idea, leave a note in the comments and I’ll organize something.

Network Security Theatre

Summer is nearly here, and with that comes the preparations for the largest gathering of security researchers on the planet. In early August, researchers, geeks, nerds, and other extremely cool people will descend upon the high desert of Las Vegas, Nevada to discuss the vulnerabilities of software, the exploits of hardware, and the questionable activities of government entities. This is Black Hat and DEF CON, which taken together make up the largest security conference on the planet.

These conferences serve a very important purpose. Unlike academia, security professionals don’t make a name for themselves by publishing in journals. The pecking order of the security world is determined at these talks. The best talks and the best media coverage command higher consultancy fees. It’s an economy, and of course there will always be people ready to game the system.

Like academia, these talks are peer-reviewed. Press releases given before the talks are not, and between the knowledge of security researchers and the tech press is network security theatre. In this network security theatre, you don’t really need an interesting exploit, technique, or device, you just need to convince the right people you have one.


Closing out DEF CON 23

We had a wild time at DEF CON last week. Here’s a look back on everything that happened.

For us, the festivities closed out with a Hackaday Breakfast Meetup on Sunday morning. Usually we’d find a bar and have people congregate in the evening, but there are so many parties at this conference (official and unofficial) that we didn’t want people to have to choose between them. Instead, we made people shake off the hangover and get out of bed in time for the 10:30am event.

We had a great group show up and many of them brought hardware with them. [TrueControl] spilled all the beans about the hardware and software design of this year’s Whiskey Pirate badge. This was by far my favorite unofficial badge of the conference… I made a post covering all the badges I could find over the weekend.

We had about thirty people roll through and many of them stayed for two hours. A big thanks to Supplyframe, Hackaday’s parent company, for picking up the breakfast check and for making trips like this possible for the Hackaday crew.

Hat Hacking

For DEF CON 22 I built a hat that scrolls messages and also serves as a simple WiFi-based crypto game. Log onto the access point and try to load any webpage and you’ll be greeted with the scoreboard shown above. Crack any of the hashes and you can log into the hat, put your name on the scoreboard, and make the hat say anything you want.

Last year only one person hacked the hat, this year there were 7 names on the scoreboard for a total of 22 cracked hashes. Nice work!

  • erich_jjyaco_cpp – 16 Accounts
  • UniversityOfAriz – 1 Account
  • @badgerops – 1 Account
  • conorpp_VT – 1 Account
  • C0D3X Pwnd you – 1 Account
  • D0ubleN – 1 Account
  • erichahn525_VTe – 1 Account

Three of these hackers talked to me; the other four were covert about their hat hacking. The top scorer used a shell script to automate logging in with the cracked passwords and putting his name on the scoreboard.

I’d really like to change it up next year. Perhaps three hats worn by three people, involving some type of 3-part key to add different challenges to this. If you have any ideas I’d love to hear them below, or as comments on the project page.

[Eric Evenchick] on socketCAN

One of the “village” talks that I really enjoyed was from [Eric Evenchick]. He’s been a writer here for a few years, but his serious engineering life is gobbling up more and more of his time — good for him!

You probably remember the CANtact tool he built to bring car hacking into Open Source. Since then he’s been all over the place giving talks about it. This includes Blackhat Asia earlier in the year (here are the slides), and a talk at BlackHat a few days before DEF CON.

This village talk wasn’t the same as those; instead he focused on showing what socketCAN is capable of and how you might use it in your own hacking. This is an open source software suite that is in the Linux repos. It provides a range of tools that let you listen in on CAN packets, record them, and send them out to your own car. It was great to hear [Eric] rattle off examples of when each would be useful.
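One thing those recording tools make possible, shown here as an added defender-side example that is not part of [Eric]’s talk or the CANtact code: parse a `candump -l` log and flag arbitration IDs that are missing from a baseline or arrive far faster than the baseline says they should. The log lines and the expected-rate baseline are constructed for this illustration; the line format is the one socketCAN’s candump writes.

```python
"""Parse candump -l log lines and flag arbitration IDs that look out of place.
Added example, not CANtact's or socketCAN's own code. Format is the one candump -l
writes: "(timestamp) iface id#data". Log and rate baseline are constructed."""
import re
from collections import Counter, namedtuple

# 3 hex digits = 11-bit ID, 8 hex digits = 29-bit extended ID, "R" = remote frame
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*|R)$")
Frame = namedtuple("Frame", "ts iface can_id extended data")

def parse_line(line: str) -> Frame:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    ts, iface, id_hex, payload = m.groups()
    data = b"" if payload == "R" else bytes.fromhex(payload)
    if len(data) > 8:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    return Frame(float(ts), iface, int(id_hex, 16), len(id_hex) == 8, data)

def flag_anomalies(frames, expected_hz, factor=2.0):
    """Return {can_id: reason} for IDs absent from the baseline or seen more
    than `factor` times faster than the baseline rate over the log's span."""
    counts = Counter(f.can_id for f in frames)
    span = max(f.ts for f in frames) - min(f.ts for f in frames)
    flagged = {}
    for can_id, n in counts.items():
        if can_id not in expected_hz:
            flagged[can_id] = "ID not in baseline"
        elif span > 0 and n / span > factor * expected_hz[can_id]:
            flagged[can_id] = f"{n / span:.1f} Hz observed, {expected_hz[can_id]:.1f} Hz expected"
    return flagged

# Constructed baseline: 0x123 is a 2 Hz periodic frame, 0x244 a 1 Hz one.
EXPECTED_HZ = {0x123: 2.0, 0x244: 1.0}
SAMPLE_LOG = """\
(1436509052.000000) can0 123#0102030405060708
(1436509052.200000) can0 123#0102030405060708
(1436509052.400000) can0 123#0102030405060708
(1436509052.500000) can0 244#00FF
(1436509052.600000) can0 123#0102030405060708
(1436509052.800000) can0 123#0102030405060708
(1436509052.900000) can0 7DF#0201050000000000
(1436509053.000000) can0 18DAF110#0241000000000000
"""

def analyze(log_text: str = SAMPLE_LOG) -> dict:
    frames = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return flag_anomalies(frames, EXPECTED_HZ)
```

Run against the constructed log, `analyze()` flags 0x123 for arriving at 5 Hz against a 2 Hz baseline, and 0x7DF and 0x18DAF110 for not being in the baseline at all.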

Our Posts from DEF CON 23

If you missed any of them, here’s our coverage from the conference. We had a blast and are looking forward to seeing everyone there next year!

DEF CON: HDMI CEC Fuzzing

HDMI is implemented on just about every piece of sufficiently advanced consumer electronics. You can find it in low-end cellphones, and a single board Linux computer without HDMI is considered crippled. There’s some interesting stuff lurking around in the HDMI spec, and at DEF CON, [Joshua Smith] laid the Consumer Electronics Control (CEC) part of HDMI out on the line, and exposed a few vulnerabilities in this protocol that’s in everything with an HDMI port.

CEC is designed to control multiple devices over an HDMI connection; it allows your TV to be controlled from your set top box, your DVD player from your TV, and passing text from one device to another for an On Screen Display. It’s a 1-wire bidirectional bus with 500 bits/second of bandwidth. There are a few open source implementations like libCEC, Android HDMI-CEC, and even an Arduino implementation. The circuit to interface a microcontroller with the single CEC pin is very simple – just a handful of jellybean parts.

[Joshua]’s work is based off a talk by [Andy Davis] from Blackhat 2012 (PDF), but greatly expands on this work. After looking at a ton of devices, [Joshua] was able to find some very cool vulnerabilities in a specific Panasonic TV and a Samsung Blu-ray player.

A certain CEC command directed towards the Panasonic TV sent a command to upload new firmware from an SD card. This is somewhat odd, as you would think firmware would be automagically downloaded from an SD card, just like thousands of other consumer electronics devices. For the Samsung Blu-Ray player, a few memcpy() calls were found to be accessed by CEC commands, but they’re not easily exploitable yet.
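As an added illustration (not code from [Joshua]’s talk or from libCEC), here is a receiver-side CEC message decoder that enforces the spec’s 16-block limit and per-opcode operand counts before reading any operand, which is the kind of check that keeps memcpy()-style copies of CEC operands bounded. The opcode names and operand counts follow the CEC spec; the sample messages are constructed.

```python
"""Decode and validate HDMI-CEC messages (header block, opcode, operands).
Added example, not code from the talk or from libCEC; opcodes and operand
counts follow the CEC spec, and the sample messages below are constructed."""
# Subset of CEC opcodes with the operand count the spec fixes for each
# (None = variable length, validated separately below)
OPCODES = {0x04: ("Image View On", 0), 0x36: ("Standby", 0),
           0x64: ("Set OSD String", None), 0x84: ("Report Physical Address", 3),
           0x90: ("Report Power Status", 1), 0x9E: ("CEC Version", 1),
           0x9F: ("Get CEC Version", 0)}
MAX_BLOCKS = 16   # header block plus at most 15 data blocks per message

class CecError(ValueError):
    """Raised for any message a receiver should refuse to act on."""

def decode(frame: bytes) -> dict:
    """Split a raw CEC message into fields, rejecting bad lengths before any operand is read."""
    if not 1 <= len(frame) <= MAX_BLOCKS:
        raise CecError(f"{len(frame)} blocks, spec allows 1..{MAX_BLOCKS}")
    header = frame[0]                    # initiator high nibble, destination low nibble
    msg = {"initiator": header >> 4, "destination": header & 0x0F}
    if len(frame) == 1:
        msg["type"] = "polling"          # header-only message probing a logical address
        return msg
    opcode, operands = frame[1], frame[2:]
    if opcode not in OPCODES:
        raise CecError(f"opcode 0x{opcode:02X} not in the accepted set")
    name, count = OPCODES[opcode]
    if count is not None and len(operands) != count:
        raise CecError(f"{name} expects {count} operands, got {len(operands)}")
    msg["type"], msg["operands"] = name, operands
    if opcode == 0x64:                   # Set OSD String: [display control][1..13 ASCII chars]
        text = operands[1:]
        if len(operands) < 2 or not all(0x20 <= b < 0x7F for b in text):
            raise CecError("Set OSD String needs a display-control byte and printable text")
        msg["text"] = text.decode("ascii")
    return msg

def triage(frames):
    accepted, rejected = [], []     # run every message through decode(), keep both outcomes
    for raw in frames:
        try:
            accepted.append(decode(raw))
        except CecError as e:
            rejected.append((raw.hex(), str(e)))
    return accepted, rejected

# Constructed traffic: a set-top box (logical address 4) talking to the TV (address 0),
# one broadcast (destination 0xF), then three malformed messages a fuzzer might emit.
SAMPLE = [bytes([0x40, 0x04]), bytes([0x40, 0x64, 0x00]) + b"DEF CON", bytes([0xF0]),
          bytes([0x4F, 0x84, 0x10, 0x00, 0x03]),   # physical address 1.0.0.0, type 3 = tuner
          bytes([0x40, 0x9E]), bytes([0x40, 0x64, 0x00]), bytes(17)]
```

`triage(SAMPLE)` accepts the first four messages and rejects the CEC Version report with no version byte, the OSD string with no text, and the 17-block message, each with a reason a device log could carry.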

As far as vulnerabilities go, [Joshua] has a few ideas. Game consoles and Blu-ray players are ubiquitous, and the holy grail, setting up a network connection over HDMI Ethernet Channel (HEC), would be the keys to the castle in a device no one would ever think of taking a close look at.

Future work includes a refactor of the current code, and digging into more devices. There are millions of CEC-capable devices out on the market right now, and the CEC commands themselves are not standardized. The only way for HDMI CEC to be a reliable tool is to figure out commands for these devices. It’s a lot of work, but makes for a great call to action to get more people investigating this very interesting and versatile protocol.

Hacking a KVM: Teach a Keyboard Switch to Spy

When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.
