Creating Unbeatable Videogame AI

Super Smash Bros. Melee is a multiplayer fighting game released for the Nintendo GameCube in 2001. Over the last decade and a half it has become one of the premier fighting game eSports, and it is the reason Nintendo still makes a GameCube controller for the Wii U. Smash Melee has an intense following, and for years the idea of an AI that could beat top-tier players at Melee was inconceivable – the game was just far too complex, the strategies too demanding, and the tactics too hard.

[Dan] a.k.a. [AltF4] wasn’t satisfied that a computer couldn’t beat players at Melee, and a few years ago started work on the first Melee AI that could beat any human player. He just released Smashbot at this year’s DEF CON, and while the AI is limited, no human can beat this AI.


What We Learned from the 2016 Queercon Badge

DEF CON has become known for the creative electronic badges, and now we get to see a variety of them dangling from lanyards every year. This year, the Queercon badge stood out as the one that got the most people asking “where did you get that?!” Once again, [Evan Mackay], [George Louthan], [Jonathan Nelson], and [Jason Painter] delivered an awesome badge for this con-within-a-con for LGBT hackers and their friends.

The badge is a squid shape, with a nifty clear solder mask, printed on black FR4, and routed with natural curved traces. The squid eyes consist of sixty cyan LEDs, with RGB LEDs on the tentacles. The eyes make expressions, and the tentacles light up with a selectable pattern. Hitting the “ink” button shoots your pattern out to all nearby devices using the 2.4 GHz radio on board, and a set of small connectors can be used to “mate” with other badges to learn patterns. Yes, the Queercon badge always has suggestive undertones.

After playing with it for the whole con, we think this badge has some good lessons for electronic badge designers:

Variable Brightness

The 2016 Queercon Badge with two hats

This badge used a phototransistor as a light sensor to measure ambient light and set the brightness accordingly. With over 60 LEDs, this helped the two AA batteries last for nearly the entire conference.

Power Switches

This badge has a power switch. That switch turns the badge off. This probably sounds very obvious, but it’s also unfortunately uncommon on electronic badges. The switch means people turn the badge off at night, and don’t have to yank batteries when firmware glitches.

Hats

The badge had two expansion ports on the squid’s head for adding hats. These ports carry power, and the connector spec was published before the event. Our favourite? A unicorn horn with a rainbow LED inside.

Social Badges are Fun

This has been the fourth Queercon badge in a row that communicated with other badges to unlock things. This is actually a neat way to get people to interact, and leads to a whole host of suggestive puns. Badginal intercourse, anyone?

We’ve heard that next year’s badge is already in the works, and we look forward to seeing what these folks come up with next. For now, you can grab all the hardware design files and get inspired for your own electronic badge build.

How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text messages from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already have this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there were most certainly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin’ here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava-wearing hackers requires some sort of detection system. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number (the ARFCN), the mobile country code (MCC), the mobile network code (MNC), a location area code (LAC) that is shared by every cell across a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.
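The triage below is an added example of the "bit of work" just described; it is not [Eric Escobar]’s code. His database schema and the SIM900’s output format are not given on the page, so the CSV columns, the carrier allow-list, the baseline cell set and the 20 dB threshold are all constructed for illustration. It scores each observed cell by how many of the tell-tales fire: a cell or LAC absent from an earlier survey, an MCC/MNC that is not a local carrier, a signal far stronger than every neighbour in the same scan (a simulator wants phones to camp on it), and a site that shows up in only one scan.

```python
import csv
import io
from collections import defaultdict

# Constructed scan log: one row per cell observed per GPS fix.  Columns mirror
# what a GSM beacon plus the receiver give you; rxlev is received power in dBm.
SCAN_LOG = """\
ts,lat,lon,mcc,mnc,lac,cid,arfcn,rxlev
1,33.70,-117.85,310,410,7001,12345,128,-71
1,33.70,-117.85,310,410,7001,12346,140,-79
2,33.71,-117.86,310,410,7001,12345,128,-74
2,33.71,-117.86,310,410,7001,12346,140,-77
3,33.72,-117.87,310,410,7001,12345,128,-80
3,33.72,-117.87,310,410,7001,12346,140,-73
3,33.72,-117.87,310,410,7001,12347,152,-82
4,33.73,-117.88,310,410,7001,12347,152,-70
4,33.73,-117.88,310,410,7001,12346,140,-78
5,33.74,-117.89,310,410,7001,12347,152,-68
5,33.74,-117.89,310,410,9999,60001,124,-41
6,33.75,-117.90,310,410,7001,12347,152,-75
6,33.75,-117.90,310,999,7002,12348,130,-84
"""

# Assumptions: the carrier(s) you expect to hear locally, and the cells that a
# hypothetical earlier drive-around recorded (the baseline survey).
KNOWN_NETWORKS = {(310, 410)}
BASELINE_CELLS = {(310, 410, 7001, 12345), (310, 410, 7001, 12346), (310, 410, 7001, 12347)}


def parse_log(text):
    """Parse the CSV into dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({k: (float(v) if k in ("lat", "lon") else int(v)) for k, v in r.items()})
    return rows


def cell_key(r):
    return (r["mcc"], r["mnc"], r["lac"], r["cid"])


def analyse(rows, known_networks=KNOWN_NETWORKS, baseline=BASELINE_CELLS, power_margin_db=20):
    """Return {cell_key: [reasons]} for every cell that trips at least one heuristic."""
    baseline_lacs = {(m, n, l) for (m, n, l, _c) in baseline}
    by_scan = defaultdict(list)
    for r in rows:
        by_scan[r["ts"]].append(r)
    reasons = defaultdict(set)
    scans_seen = defaultdict(set)
    for ts, obs in by_scan.items():
        for r in obs:
            k = cell_key(r)
            scans_seen[k].add(ts)
            if (r["mcc"], r["mnc"]) not in known_networks:
                reasons[k].add("MCC/MNC not a local carrier")
            if k not in baseline:
                reasons[k].add("cell not in baseline survey")
            if (r["mcc"], r["mnc"], r["lac"]) not in baseline_lacs:
                reasons[k].add("LAC never seen in baseline survey")
            # Compare against the strongest *other* cell in the same scan.
            others = [o["rxlev"] for o in obs if o is not r]
            if others and r["rxlev"] - max(others) >= power_margin_db:
                reasons[k].add("far stronger than every neighbour")
    for k, seen in scans_seen.items():
        if len(seen) == 1 and len(by_scan) > 2:
            reasons[k].add("seen in only one scan")
    return {k: sorted(v) for k, v in reasons.items()}


def suspects(rows, min_reasons=2):
    """Cells with at least min_reasons flags, most suspicious first."""
    flagged = analyse(rows)
    ranked = sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [k for k, v in ranked if len(v) >= min_reasons]


if __name__ == "__main__":
    for cell, why in analyse(parse_log(SCAN_LOG)).items():
        print(cell, "->", ", ".join(why))
```

On the constructed log, the three baseline cells never trip anything, while the cell on the never-seen LAC 9999 (27 dB louder than its only neighbour, present for one fix) and the cell announcing a foreign network code both collect four flags. Any single heuristic is noisy on its own: a carrier genuinely adding a site trips the baseline checks, and a drive past a tower trips the power check, which is why the ranking counts flags rather than alerting on one.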

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites by direction-finding, with an RF-blocking dome with a slit in it revolving around the GSM antenna.

Pwning With Sewing Needles

If you don’t have root, you don’t own a device, despite what hundreds of Internet of Things manufacturers would tell you. Being able to access and write to that embedded Linux system in your new flashy gadget is what you need to truly own a device, and unfortunately this is a relatively uncommon feature. At this year’s DEF CON, [Brad Dixon] unveiled a technique that pwns a device using only a sewing needle, multimeter probe, or a paperclip. No, it won’t work on every device, and the devices this technique will work with are poorly designed. That doesn’t mean it doesn’t work, and that doesn’t mean the Pin2Pwn technique isn’t useful, though.

The attack relies on how an embedded Linux device boots. All the software needed to load Linux and the rest of the peripheral magic is usually stored on a bit of Flash somewhere on the board. By using a pin, probe, or paperclip to short two data pins, or two of the latch pins, on this memory chip while the bootloader is reading it, the load fails, and when that happens the bootloader may fall back to a U-Boot prompt. That prompt pwns the device: from it you can read and write memory and Flash, change the kernel’s boot arguments, and boot whatever you hand it.

There are a few qualifications for this pwn using a pin. If the device has JTAG, it doesn’t matter – you can already own the device. If, however, a device has locked-down JTAG, unresponsive serial ports, or even its own secure boot solution, this technique might work.

Two data pins on a TSSOP Flash shorted by a multimeter probe

This exploit relies on a property of the bootloader. This bit of code first looks at a piece of Flash or other memory separate from the CPU and loads whatever is there. [Brad] found a few devices (mostly LTE routers) that would try to load Linux from the Flash, fail, try to load Linux again, fail, and finally drop to a U-Boot prompt.

As with any successful exploit, an equally effective mitigation strategy must be devised. There are two ways to go about this, and in this case, the software side is much better at getting rid of this attack than the hardware side.

Since this attack relies on the software falling back to U-Boot after an unsuccessful attempt at whatever it should be booting, the simplest and most effective mitigation technique is simply rebooting the device if the proper firmware can’t be found. Having a silent serial console is great, but if the attack relies on falling back to U-Boot, simply not doing that will effectively prevent this attack.
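As an added illustration of that mitigation, not anything from [Brad]’s talk or a particular router’s firmware, here is the difference expressed as a U-Boot environment. The Flash offsets, sizes and variable names are placeholders, and the fragment assumes a U-Boot built with the hush parser (CONFIG_HUSH_PARSER) so that `&&` and `;` behave as shown.

```text
# Weak: bootcmd runs, bootm rejects the corrupted image, and U-Boot returns to its prompt.
bootdelay=3
bootcmd=sf probe; sf read ${loadaddr} 0x100000 0x400000; bootm ${loadaddr}

# Hardened: no autoboot-abort window, and any failure ends in a reset rather than a shell.
bootdelay=-2
bootcmd=sf probe && sf read ${loadaddr} 0x100000 0x400000 && bootm ${loadaddr}; reset
```

`bootdelay=-2` autoboots with no delay and without checking for an abort keypress, and the trailing `reset` turns a failed `bootm` (which refuses an image whose header or CRC does not verify) into a reboot loop instead of a prompt. Two caveats: if the shorted pins corrupt the environment sector itself, U-Boot falls back to its compiled-in default environment, so the same settings must be baked in there too (CONFIG_BOOTCOMMAND and CONFIG_BOOTDELAY); and this only removes the shell, it does not authenticate the image, which is what signed FIT images and U-Boot’s verified boot are for.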

The hardware side is a little simpler than writing good firmware. Instead of using TSSOP and SOIC packages for storing the device firmware, use BGAs. Hide the pins and traces on an inner layer of the board. While this isn’t a foolproof way of preventing the attack – there will always be someone with a hot air gun, magnet wire, and a steadier hand than you – it’s hard to glitch a data line with a sewing needle if you can’t see the data line.

The Terrible Security Of Bluetooth Locks

Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.

The tools [Anthony] used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. This entire setup can be powered by a single battery, making it very stealthy.

The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing locks works surprisingly well, with quite a few models of smart lock using eight digit pins. Even locks with ‘patented security’ (read: custom crypto, bad) were terrible; this patented security was just an XOR with a hardcoded key.

What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver. These locks are rare. Twelve of the sixteen locks tested could be easily broken. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock.
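The script below is an added example, not code from [Anthony]’s talk or from any lock vendor’s firmware, covering both the failures listed two paragraphs up and the properties of the good locks. It shows why XOR with a hardcoded key is worthless twice over (a sniffed unlock replays forever, and one known plaintext from your own unit of the same model recovers the key and decrypts everybody else’s traffic), then contrasts a challenge-response exchange with a per-lock key and a fresh random nonce, where the captured response is rejected next time. The key bytes, password and message layout are constructed; HMAC stands in for the AES the talk credits good locks with, because the standard library carries no AES and the property being demonstrated is the single-use nonce, not the cipher.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key baked into every unit of a product line.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def xor_obfuscate(data: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """The 'patented security': XOR with a repeating fixed key.  It is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class XorLock:
    """Lock that accepts any message which XOR-decodes to its password."""

    def __init__(self, password: bytes):
        self._password = password

    def unlock(self, message: bytes) -> bool:
        return xor_obfuscate(message) == self._password


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known plaintext/ciphertext pair yields as many key bytes as it is long."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


class ChallengeResponseLock:
    """Lock that issues a fresh random nonce and accepts exactly one HMAC over it."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key      # provisioned per lock at pairing, never shared across units
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, b"unlock" + self._pending, hashlib.sha256).digest()
        self._pending = None        # single use: the nonce dies whether or not the response matched
        return hmac.compare_digest(expected, response)


def phone_response(shared_key: bytes, nonce: bytes) -> bytes:
    """What the legitimate app sends back for a given challenge."""
    return hmac.new(shared_key, b"unlock" + nonce, hashlib.sha256).digest()


def demo() -> dict:
    # Broken scheme: sniff one unlock, replay it, and decrypt it with a key pulled from your own unit.
    victim = XorLock(b"hunter2!")
    sniffed = xor_obfuscate(b"hunter2!")          # the bytes an Ubertooth sees in the air
    replay_ok = victim.unlock(sniffed)
    # Attacker owns a lock of the same model and knows their own password, so one pair
    # recovers eight key bytes: enough to decrypt any eight-byte password on that model.
    my_key = recover_key(b"letmein1", xor_obfuscate(b"letmein1"))
    victim_password = xor_obfuscate(sniffed, my_key)

    # Challenge-response: the same response is useless against the next challenge.
    key = secrets.token_bytes(32)
    lock = ChallengeResponseLock(key)
    n1 = lock.challenge()
    r1 = phone_response(key, n1)
    first = lock.unlock(r1)
    lock.challenge()                               # next session gets a new nonce
    replayed = lock.unlock(r1)                     # captured response no longer matches
    return {
        "xor_replay_unlocks": replay_ok,
        "xor_recovered_password": victim_password,
        "cr_first_unlock": first,
        "cr_replay_unlocks": replayed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two design choices doing the work are that the key is per lock, so nothing learned from one unit carries over to another, and that the nonce is consumed on first use, so a sniffed response cannot be replayed even by someone who captured the whole exchange. Neither helps if the app ships the key in its APK or the lock accepts an eight-digit PIN with no rate limit, which is why the talk’s checklist also has no hardcoded keys and long passwords on it.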

[Anthony]’s work going forward will concentrate on expanding his library of scripts to exploit these locks, and on evaluating the Bluetooth locks on ATMs. Yes, ATMs also use Bluetooth locks. The mind reels.

DEF CON: BSODomizing In High Definition

A few years ago, [Kingpin] a.k.a. [Joe Grand] (A judge for the 2014 Hackaday Prize) designed the most beautiful electronic prank ever. The BSODomizer is a simple device with a pass-through connection for a VGA display and an infrared receiver. Plug the BSODomizer into an unsuspecting coworker’s monitor, press a button on a remote, and watch Microsoft’s blue screen of death appear. It’s brilliant, devious, and actually a pretty simple device if you pick the right microcontroller.

The original BSODomizer is getting a little long in the tooth. VGA is finally dead. The Propeller chip used to generate the video only generates text, and can’t reproduce Microsoft’s fancy new graphical error screens. HDMI is the future, and FPGAs have never been more accessible. For this year’s DEF CON, [Kingpin] and [Zoz] needed something to impress an audience that is just learning how to solder. They’ve revisited the BSODomizer, and have created the greatest hardware project at this year’s DEF CON.


DEF CON’s X86 Badge

This year’s DEF CON badge is electronic, and there was much celebrating. This year’s DEF CON badge has an x86 processor, and there was much confusion.

These vias are connected to something.

This year’s badge, like every badge except those for DEF CON 14 through 18 (designed by [Joe Grand]) and the badges from pre-history (designed by [Dark Tangent] and [Ping]), was designed by [1057], and it is built around an x86 processor. Specifically, this badge features an Intel Quark D2000, a microcontroller running at 32 MHz with 32 kB of Flash and 8 kB of RAM. Yes, an x86 badge, but I think an AT motherboard badge would better fulfill that requirement.

As far as buttons, sensors, peripherals, and LEDs go, this badge is exceptionally minimal. There are eight buttons, laid out as two directional pads, five LEDs, and a battery. There’s not much here, but with a close inspection of the ‘chin’ area of the badge, you can see how this badge was programmed.

As with any [1057] joint, this badge features puzzles galore. One of these puzzles is exceptionally hard to photograph as it is in the bottom copper layer. It reads, “nonpareil bimil: Icnwc lsrbcx kc htr-yudnv ifz xdgm yduxnw yc iisto-cypzk”. Another bottom copper text reads, “10000100001 ΣA120215”. Get crackin’.

A gallery of the Human and Goon badges follows, click through for the best resolution we have.

This post has been updated to correct the record of who designed badges for previous cons.