[Travis Goodspeed] starts a space agency in Southern Appalachia

travis-goodspeed-space-tracker

His space agency hardware might be in Southern Appalachia, but he can control it from anywhere in the world. That’s right, [Travis Goodspeed] started his own space agency — well kinda. The first piece of hardware operated by the organization is this dish for tracking moving targets in near space.

The main part of the build is a Felcom 82B dish which  was designed to be a satellite link for naval vessels. The image showing the back side of it exposes all of the extras he built into the system. Don’t worry though, a dome goes over the top to keep the weather out without encumbering its operation.He uses an SDR dongle to handle the radio communications. That connects to a BeagleBone which pipes the data to his handheld over the Internet.

It’s amazing to see this type of hobby project. It wasn’t that long ago that you needed an entire room of hardware to communicate with satellites.

Exploiting DFU mode to snag a copy of firmware upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

Facedancer board lets your Python programs pretend to be USB hardware

This is the prototype board for [Travis Goodspeed's] new USB development tool called the Facedancer. He took on the design with USB security exploits in mind, but we think it’s got a lot of potential for plain old development as well.

Kudos on the [Frank Herbert] reference when naming the project. Like the characters from the Dune mythology that can perfectly mimic any person they touch, this device let’s you mimic whatever you can imagine. One the USB ports connects to the victim (or host) the other connects to a development machine. Python can then be used to send USB commands in real time. Think of this as doing the same thing the Bus Pirate does for SPI and i2c, except that it’s doing it on the USB protocol itself. This way you can feel your way through all of the road-bumps of developing a new device (or testing an exploit) without the need to continually compile and flash your hardware.

Wardriving for Zigbee

Wardriving started out as a search for unprotected WiFi access points before hot spots were prevalent. And so this ZigBee protocol wardriving hardware which [Travis Goodspeed] put together really gives us a sense of nostalgia for that time. Don’t get us wrong, we love our pervasive WiFi access and don’t wish to go back to simpler times. But if the radio signals your looking for are scarce, locating them provides a challenge.

Regular readers will recognize that [Travis] is interested in all things RF. One of his projects included sniffing wireless keyboard packets out of thin air and displaying them on the screen of his Nokia N900. This is right along those lines but he’s upgraded to an N9 phone for the display hardware. He switched up the RF hardware, using a TelosB (a board he’s already familiar with) to get on the 802.15.4 ZigBee spectrum. This dev board has an expansion port which let him use an RN42 module for wireless communications with the phone. This means the sniffing hardware can be hidden away in a backpack or jacket. After all, nobody will question someone walking around staring at a smart phone.

Reverse engineering Bluetooth using Android and SPOT as an example

[Travis Goodspeed] wrote in to tell us about his work reverse engineering the Bluetooth communications on this SPOT module. He’s targeted the post as a general guide to sniffing Bluetooth transmissions, but was inspired to use the SPOT as an example after seeing this other SPOT hack. We know he’s a fan of getting things to work with his Nokia N900, and that’s exactly where he ended up with the project.

This module was manufactured to be controlled by an Android phone. But there’s no control app available for the Nokia handset. Since Android uses the open-source Bluez package for the Bluetooth protocol, it’s actually pretty easy to get your hands on the packets. After grabbing a few test sets he shows how he deciphered the packets, then wrote a quick Python script to test out his findings. After working his way through the various commands available (grabbing the SPOT serial number, getting position data from it, etc) [Travis] wrote up a frontend in QT mobility for use on the N900.

RF sniffing on-the-go

It’s been a while since we checked in on [Travis Goodspeed]. His latest post makes RF sniffing with the Next HOPE badge more portable by ditching the need to display data on a computer. He’s built on the work he did at the beginning of the year, replacing the FTDI chip on the badge with a Bluetooth module. Now he can use his Nokia N900 as a GoodFET terminal to not only display the packets pulled from the air, but the control the badge as well.

Previously, the client running on the computer was communicating with the badge via a serial connection. To get it working on the N900 [Travis] transitioned from using py-serial over to using py-bluez. All of the code changes are available from the GoodFET repository.

He’s got a few other tricks planned for this concept. He put in a parts order to add Bluetooth to the Girltech IM-ME. The pretty pink pager has the same radio chip on board, so adding Bluetooth connectivity will allow it to be used in the same way. There are also plans in the works to add a couple other packet sniffing protocols to the bag of tricks, including ZigBee.

Project 25 Digital Radios (law enforcement grade) vulnerable to the IM-ME

Would you believe you can track, and even jam law enforcement radio communications using a pretty pink pager? It turns out the digital radios using the APCO-25 protocol can be jammed using the IM-ME hardware. We’ve seen this ‘toy’ so many times… yet it keeps on surprising us. Or rather, [Travis Goodspeed's] ability to do amazing stuff with the hardware is what makes us perk up.

Details about this were presented in a paper at the USENIX conference a few weeks ago. Join us after the break where we’ve embedded the thirty-minute talk. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each radio communication. That means you can track who is talking to whom. But for us the most interesting part was starting at about 15:30 when the presenter, [Matt Blaze], talked about directed jamming that can be used to alter law enforcement behavior. A jammer can be set to only jam encrypted communications. This may prompt an officer to switch off encryption, allowing the attackers to listen in on everything being said to or from that radio.

[Read more...]