Hacking A Hack: Disassembly And Sniffing Of IM-ME Binary

November 2, 2010 by Mike Szczys 9 Comments

It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.

We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.

[Thanks Travis]

WiFi And Bluetooth Sniffing Rifle

April 23, 2010 by Mike Szczys 52 Comments

[.ronin] built an all-in-one WiFi and Bluetooth sniffer. He used a Nerf rifle as a base and added two Pringles cantennas, a tablet PC, and other various bits to tie it all together. Now he wanders the streets, explaining the device to bewildered passersby. After showing the device at CarolinaCon 2010 (here’s a PDF of his presentation) he stopped by the mall nibbled about 250 Bluetooth devices using SpoofTooph. The software is running on a Fujitsu u810 tablet and he’s making good use of Backtrack 4 during his wireless adventures.

Keykeriki: Wireless Keyboard Sniffer

June 4, 2009 by Caleb Kraft 27 Comments

[vimeo = 4990390]

Remote-Exploit.org is releasing Keykeriki, a wireless keyboard sniffer. The project is both open source hardware and software. you can download the files on their site. Right now you can’t get a pre made board, but they plan on releasing one soon. The system can be upgraded with “backpacks” or add on modules. One of these is going to be an LCD that displays the keystrokes of the keyboard you are sniffing. Another is supposed to serve as an interface to your iPhone. Right now it has the ability to decode Microsoft wireless keyboards, but the Logitech pieces should be added soon.

Sniffing Keystrokes Via Laser, Power Lines

March 20, 2009 by Eliot 26 Comments

keystroke

Researchers from Inverse Path showed a couple interesting techniques for sniffing keystrokes at CanSecWest. For their first experiments they used a laser pointed at the shiny back of a laptop. The keystrokes would cause the laptop to vibrate which they could detect just like they would with any laser listening device. They’ve done it successfully from anywhere between 50 to 100 feet away. They used techniques similar to those in speech recognition to determine what sentences were being typed.

In a different attack, they sniffed characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. They haven’t yet been able to collect more than just single strokes, but expect to get full words and sentences soon. This leakage via power line is discussed in the 1972 Tempest document we posted about earlier. The team said it wasn’t possible with USB or laptop keyboards.

[Thanks Jeramy]

USB Sniffing In Linux

March 19, 2009 by Caleb Kraft 16 Comments

sniffer

[Robert] sent in this tutorial on how to set up USB sniffing in linux. Useful for seeing exactly what is being communicated to and from your USB devices, this ability is built into linux. [Bert], the author, shows us the steps involved and how to filter it to get the data we desire. You can specify exactly which device to capture data from. His example, shown above, is a session with an Arduino.

Zigbee AES Key Sniffing

March 15, 2009 by Eliot 8 Comments

zigbeesniffing

[Travis Goodspeed] posted a preview of what he’s working on for this Summer’s conferences. Last weekend he gave a quick demo of sniffing AES128 keys on Zigbee hardware at SOURCE Boston. The CC2420 radio module is used in many Zigbee/802.15.4 sensor networks and the keys have to be transferred over an SPI bus to the module. [Travis] used two syringe probes to monitor the clock line and the data on a TelosB mote, which uses the CC2420. Now that he has the capture, he’s planning on creating a script to automate finding the key.

New WPA TKIP Attack

November 9, 2008 by Eliot 7 Comments

wifibox

[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA(PDF). For the WEP half, they offer a nice overview of attacks up to this point and the optimizations they made to reduce the number of packets needed to approximately 25K. The only serious threat to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the machine they’re attacking and could potentially read back the response via an outbound connection to the internet.

[photo: niallkennedy]

[via SANS]