[KC Budd] wanted to make a car-tracking GPS unit, and he wanted it to be able to phone home. Adding in a GSM phone with a data plan would be too easy (and more expensive), so he opted for the hacker’s way: tunneling the data over DNS queries every time the device found an open WiFi hotspot. The result is a device that sends very little data, and sends it sporadically, but gets the messages out.
This system isn’t going to be reliable — you’re at the mercy of the open WiFi spots that are in the area. This certainly falls into an ethical grey zone, but there’s very little harm done. He’s sending a 16-byte payload, plus the DNS call overhead. It’s not like he’s downloading animated GIFs of cats playing keyboards or something. We’d be stoked to provide this service to even hundreds of devices per hour, for instance.
If you’re new here, the idea of tunneling data over DNS requests is as old as the hills, or older, and we’ve even covered this hack before in different clothes. But what [KC] adds to the mix is a one-stop code shop on his GitHub and a GPS application.
Why don’t we see this being applied more in your projects? Or are you all tunneling data over DNS and just won’t admit it in public? You can post anonymously in the comments!
The gist of the idea is to suspend an underwater tunnel from floating pontoons. By the time you finished reading that sentence, you probably already had a list of things in your head that seem to make this a terrible idea. After all, it does seem to combine the worst aspects of both underwater tunnels and bridges. But, the idea may actually be a good one, and it’s already being seriously considered in Norway.
Continue reading “It’s Not a Bridge, and Not a Tunnel. Or, Maybe it’s Both?”
With another hacker conference looming in front of us, it’s time to start thinking about hardware security. Hacker conventions have the most hostile network you’ll ever encounter. [Security4all] points out that 25C3 already has an extensive page on securing your hardware. It starts from the ground up with physical security, BIOS passwords, and locking down bootloaders. There’s a section on securing your actual OS and session. Finally, they cover network usage. It mentions using SSH for dynamic forwarding, which we feel is a skill everyone should have. We’ve used it not just for security, but for bypassing brainless bandwidth restrictions too. There’s also the more trick transparent version. Every piece of data you bring with you, you risk losing, so they actually recommend just wiping your iPhone and other devices before attending. It’s important to remember that it’s not just your own data at risk, but everyone/thing you communicate with as well.
ISPs have recently become very aggressive towards their customers. They’ve been blocking or altering traffic to prevent you from using specific programs or protocols. Google’s Senior Policy Director recently stated that they’re developing tools to allow people to detect ISP interference. A couple other groups have been building tools as well: The Network Neutrality Squad just released the second beta of their Network Measurement Agent. The tool currently detects spoofed packets by monitoring the round trip time of the connection; early reset packets will have lower than average RTT. If you want to go more in depth, the EFF has published a guide for using Wireshark to do the detection. We’ve even heard rumors of people building tools to tunnel a session inside of one that looks completely different.