We’ve seen [Colin]’s entry to The Hackaday Prize before. After seeing his lightning talk at Defcon, we had to get an interview with him going over the intricacies of this very impressive piece of hardware.
The ChipWhisperer is a security and research platform for embedded devices that exploits the fact that all security measures must run on real hardware. If you glitch a clock when a microcontroller is processing an instruction, there’s a good probability something will go wrong. If you’re very good at what you do, you can simply route around the code that makes up the important bits of a security system. Power analysis is another trick up the ChipWhisperer’s sleeve, analyzing the power consumption of a microcontroller when it’s running a bit of code to glean a little information on the keys required to access the system. It’s black magic and dark arts, but it does work, and it’s a real threat to embedded security that hasn’t had an open source toolset before now.
Before our interview, [Colin] did a few short and sweet demos of the ChipWhisperer. They were extraordinarily simple demos; glitching the clock when a microcontroller was iterating through nested loops resulted in what can only be described as ‘counter weirdness’. More advanced applications of the ChipWhisperer can supposedly break perfectly implemented security, something we’re sure [Colin] is saving for a followup video.
You can check out [Colin]’s 2-minute video for his Hackaday Prize entry below.
Continue reading “The ChipWhisperer At Defcon”
The Electronic Frontier Foundation have released an alpha of their own Open Wireless Router Firmware as part of the Open Wireless Movement. This project aims to make it easier to share your wireless network with others, while maintaining security and prioritization of traffic.
We’ve seen a lot of hacks based on alternative router firmware, such as this standalone web radio. The EFF have based their router firmware off of CeroWRT, one of the many open source firmware options out there. At this time, the firmware package only targets the Netgear WNDR3800.
Many routers out there have guest modes, but they are quite limited and often have serious vulnerabilities. If you’re interested in sharing your wireless network, this firmware will help out by letting you share a specified amount of bandwidth. It also aims to have a secure web interface, and secure auto-update using Tor.
The EFF has announced this “pre-alpha hacker release” as a call for hackers who want to join in the fun. Development is happening over on Github, where you’ll find all of the source and issues.
Thanks to [Edward Snowden] we have a huge, publicly available catalog of the very, very interesting electronic eavesdropping tools the NSA uses. Everything from incredibly complex ARM/FPGA/Flash modules smaller than a penny to machines that can install backdoors in Windows systems from a distance of eight miles are available to the nation’s spooks, and now, the sufficiently equipped electronic hobbyist can build their own.
[GBPPR2] has been going through the NSA’s ANT catalog in recent months, building some of the simpler radio-based bugs. The bug linked to above goes by the codename LOUDAUTO, and it’s a relatively simple (and cheap) radar retro-reflector that allows anyone with the hardware to illuminate a simple circuit to get audio back.
Also on [GBPPR2]’s build list is RAGEMASTER, a device that fits inside a VGA cable and allows a single VGA color channel to be viewed remotely.
The basic principle behind both of these bugs is retroreflection, described by the NSA as a PHOTOANGLO device. The basic principle behind these devices is a FET in the bug, with an antenna connected to the drain. The PHOTOANGLO illuminates this antenna and the PWM signal sent to the gate of the FET modulates the returned signal. A bit of software defined radio on the receiving end, and you have your very own personal security administration.
It’s all very cool stuff, but there are some entries in the NSA catalog that don’t deal with radio at all. One device, IRATEMONK, installs a backdoor in hard drive controller chips. Interestingly, Hackaday favorite and current Hackaday Prize judge [Sprite_TM] did something extremely similar, only without, you know, being really sketchy about it.
While we don’t like the idea of anyone actually using these devices, the NSA ANT catalog is still fertile ground for project ideas.
Continue reading “Homebrew NSA Bugs”
In a little less than two weeks, the biannual HOPE conference in NYC will be in full swing. Attendance is more than likely to put you on a list somewhere, so of course we’ll be setting up shop, enjoying the sights and sounds, and throwing swag at hundreds of attendees.
Highlights of HOPE X include a keynote from [Daniel Ellisburg], a video conference with [Edward Snowden], a Q&A with the EFF, a talk I’ll certainly be attending, and the always popular talk on social engineering headed up by [Emmanuel Goldstein].
As with all our extracurriculars, Hackaday will be giving out some swag (200+ tshirts, stickers, and THP goodies), and manning a vendor booth. Look for the eight foot Hackaday flag held up with duct tape. We’ll also be doing the usual video and blog thing from HOPE, for all of you who can’t attend thanks to your company’s security reviews, and some super secret things I can’t believe the overlords signed off on.
In other 2600 news, they ain’t doin too good, with tens of thousands of dollars of debt thanks to rather crappy legal stuff with their distributors. Buying a ticket would help the 2600 guys out, as would buying July’s issue (also on Kindle).
There are thousands upon thousands of papers discussing various aspects of embedded hardware security, and dozens of books covering the same subject. The attacks discussed in the literature are very cool – things like side-channel power analysis and clock glitching used to extract keys from a system. The experimental setups in these papers are extraordinarily expensive – you can buy a new car for less. [coflynn] was disheartened with the price of these tools, and thought building his own would make for a great entry to The Hackaday Prize.
The hardware part of the ChipWhisperer includes a breakout board with an FPGA, ADC, and connectors for a lot of different probes, adapters, breakout boards, and a target board, With all these tools, it’s not unreasonable to say that [coflynn] could carry out a power analysis attack on a lot of embedded hardware.
Open source hardware is just one part of this entry. The biggest focus of this project is the open source software for analyzing whatever the probes and target boards record. With this software, anyone can monitor the power used when a chip runs a cryptographic function, or glitch a clock for some unintended functionality in a device. In keeping with the academic pedigree of all the literature on these attacks, there are a ton of tutorials for the ChipWhisperer for all those budding security researchers out there. Very cool stuff, and arguably one of the most technical entries to The Hackaday Prize.
The project featured in this post is an entry in The Hackaday Prize. Build something awesome and win a trip to space or hundreds of other prizes.
Continue reading “THP Entry: Embedded Hardware Security With The ChipWhisperer”
We’ve all been there. Your roommate is finally out of the house and you have some time alone. Wait a minute… your roommate never said when they would be back. It would be nice to be warned ahead of time. What should you do? [Mattia] racked his brain for a solution to this problem when he realized it was so simple. His roommates have been warning him all along. He just wasn’t listening.
Most Hackaday readers probably have a WiFi network in their homes. Most people nowadays have mobile phones that are configured to automatically connect to these networks when they are in range. This is usually smart because it can save you money by not using your expensive 4G data plan. [Mattia] realized that he can just watch the wireless network to see when his roommates’ phones suddenly appear. If their devices appear on the network, it’s likely that they have just arrived and are on their way to the front door.
Enter wifinder. Wifinder is a simple Python script that Mattia wrote to constantly scan the network and alert him to new devices. Once his roommates are gone, Mattia can start the script. It will then run NMap to get a list of all devices on the network. It periodically runs NMap after this, comparing the new host list to the old one. If any new devices show up, it alerts with an audible beep and a rather hilarious output string. This type of scanning is nothing new to those in the network security field, but the use case is rather novel.
RFID security systems have become quite common these days. Many corporations now use RFID cards, or badges, in place of physical keys. It’s not hard to understand why. They easily fit inside of a standard wallet, they require no power source, and the keys can be revoked with a few keystrokes. No need to change the locks, no need to collect keys from everyone.
[Shawn] recently set up one of these systems for his own office, but he found that the RFID cards were just a bit too bulky for his liking. He thought it would be really neat if he could just use his cell phone to open the doors, since he always carries it anyways. He tried searching for a cell phone case that contained an RFID tag but wasn’t able to come up with anything at the time. His solution was to do it himself.
[Shawn] first needed to get the RFID tag out of the plastic card without damaging the chip or antenna coil. He knew that acetone can be used to melt away certain types of plastic and rubber, and figured he might as well try it out with the RFID card. He placed the card in a beaker and covered it with acetone. He then sealed the beaker in a plastic bag to help prevent the acetone from evaporating.
After around 45 minutes of soaking, [Shawn] was able to peel the plastic layers off of the electronics. He was left with a tiny RFID chip and a large, flat copper coil. He removed the cover from the back of his iPhone 4S and taped the chip and coil to the inside of the phone. There was enough room for him to seal the whole thing back up underneath the original cover.
Even though the phone has multiple radios, they don’t seem to cause any noticeable interference. [Shawn] can now just hold his phone up to the RFID readers and open the door, instead of having to carry an extra card around. Looking at his phone, you would never even know he modified it.
[Thanks Thief Dark]