3G To WiFi Bridge Brings The Internet

[Afonso]’s 77-year-old grandmother lives in a pretty remote location, with only AM/FM radio reception and an occasionally failing landline connecting her to the rest of the world. The nearest 3G cell tower is seven kilometers away and unreachable with a cell phone. But [Afonso] was determined to get her up and running with video chats to distant relatives. The solution to hook granny into the global hive mind? Build a custom antenna to reach the tower and bridge it over to local WiFi using a Raspberry Pi.

The first step in the plan was to make sure that the 3G long-shot worked, so [Afonso] prototyped a fancy antenna, linked above, and hacked on a connector to fit it to a Huawei CRC-9 radio modem. This got him a working data connection, and it sends a decent 4-6 Mbps, enough to warrant investing in some better gear later. Proof of concept, right?

On the bridging front, he literally burned through a WR703N router before slapping a Raspberry Pi into a waterproof box with all of the various radios. The rest was a matter of configuration files, getting iptables to forward the 3G radio’s PPP payloads over to the WiFi, and so on. Of course, he wants to remotely administer the box for her, so he left a permanent SSH backdoor open for administration. Others of you running remote Raspberry Pis should check this out.

We think it’s awesome when hackers take connectivity into their own hands. We’ve seen many similar feats with WiFi, and indeed [Afonso] had previously gone down that route with a phased array of 24 dBi dishes. In the end, the relatively simple 3G Pi-and-Yagi combo won out.

Part two of the project, teaching his grandmother to use an Android phone, is already underway. [Afonso] reports that after running for two weeks, she already has an Instagram account. We call that a success!

Russian Hackers Domain Fronting

FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for Tor to hide their traffic. If you’re using meek with meek-reflect.appspot.com, you’ll find it’s been shut down. If all of this is gibberish to you, read on for a breakdown.

meek is a clever piece of software. Imagine that you wanted to communicate with the Tor anonymizing network, but that you didn’t want anyone to know that you were. Maybe you live in a country where a firewall prevents you from accessing the full Web, and blocks Tor entry nodes as part of their Great Firewall. You’d want to send traffic somewhere innocuous first, and then bounce it over to Tor, in order to communicate freely.

That’s what meek does, but it goes one step further. The reflector server is hosted using the same content-delivery network (CDN) as a popular service, say Google’s search engine. The CDN has an IP address, like every other computer on the Internet, but it delivers content for any of the various services it hosts. Traffic to the CDN, encrypted with TLS, looks the same whether it’s going to the meek reflector or to Google, so nobody on the outside can tell whether it is a search query or packets destined for Tor. Inside the CDN, the traffic is decrypted and passed along to the reflector.

Anyway, meek was invented to help bring the uncensored Internet to people who live in oppressive regimes, and now cybersecurity researchers have observed it being used by Russian state hackers to hide their tracks. Sigh. Technology doesn’t know which side it’s on — the same backdoor that the FBI wants to plant in all our communications can be used by the mafia just as easily. Plugins that are meant to bring people freedom of speech can just as easily be used to hide the actions of nation-state hackers.

What a strange world we live in.
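From the defender's side, the only place the two destinations can be told apart is where TLS is terminated: there the hostname in the TLS handshake (SNI) names the popular front service while the HTTP Host header inside names the reflector. The following is an added example, not code from FireEye or the meek project; it assumes a TLS-inspecting proxy that logs both fields, and the session records are constructed.

```python
from collections import defaultdict

# Constructed records from a TLS-terminating proxy: (client, TLS SNI, HTTP Host)
SAMPLE_SESSIONS = [
    ("10.0.0.5", "www.google.com", "www.google.com"),
    ("10.0.0.7", "www.google.com", "meek-reflect.appspot.com"),
    ("10.0.0.8", "WWW.Example.com.", "www.example.com:443"),
    ("10.0.0.9", "", "www.example.org"),
]

def normalize(name):
    """Lower-case a hostname and drop an optional :port and trailing dot."""
    name = name.strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")

def classify(sni, host):
    """Compare the outer (SNI) and inner (Host) names of one session."""
    sni_n, host_n = normalize(sni), normalize(host)
    if not sni_n:
        return "no-sni"          # nothing to compare against
    return "match" if sni_n == host_n else "mismatch"

def find_fronting(sessions):
    """Return sessions whose inner Host differs from the SNI."""
    return [s for s in sessions if classify(s[1], s[2]) == "mismatch"]

def hidden_hosts_by_front(sessions):
    """Group mismatches: front domain -> set of inner hosts reached through it."""
    fronts = defaultdict(set)
    for _client, sni, host in find_fronting(sessions):
        fronts[normalize(sni)].add(normalize(host))
    return dict(fronts)

if __name__ == "__main__":
    for client, sni, host in find_fronting(SAMPLE_SESSIONS):
        print(f"{client}: SNI={sni} but Host={host}")
```

A mismatch is a lead to triage rather than proof: HTTP/2 connection reuse across hostnames that share a certificate can produce one legitimately.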

Hacked IoT Switch Gains I2C Super Powers

Economies of scale and mass production bring us tons of stuff for not much money. And sometimes, that stuff is hackable. Case in point: the $5 Sonoff WiFi Smart Switch has an ESP8266 inside but the firmware isn’t very flexible. The device is equipped with the bare minimum 1 MB of SPI flash memory. Even worse, it doesn’t have the I2C port’s extra pins exposed, so you can’t just connect up your own sensors and make it much more than just a switch. But that’s why we have soldering irons, right?


Cheap Smarthome Gadget(s) Hacked Into Zigbee Sniffer

French hacker [akila] is building up a home automation system. In particular, he’s been working with the “SmartHome” series of gadgets made by Chinese smartphone giant, Xiaomi. First, he started off by reverse-engineering their very nicely made temperature and humidity sensor. (Original in French, hit the translate button in the lower right.) With that under his belt, he opened up the PIR motion sensor unit to discover that it has the same debugging pinouts and the same processor. Almost too easy.

For a challenge, [akila] decided it was time to implement something useful in one of these gadgets: a ZigBee sniffer so that he can tell what’s going on in the rest of his home network. He built a USB/serial programming cable to work with the NXP JN5169’s bootloader, downloaded the SDK, and rolled up his sleeves to get to work.

While trolling through the SDK, he found some interesting firmware called “JennicSniffer”. Well, that was easy. There’s a demo version of a protocol analyzer that he used. It would be cool to get this working with Wireshark, but that’s a project for another day. [Akila] got far enough with the demo analyzer to discover that the packets sent by the various devices in the home network are encrypted. That’s good news for the security-conscious out there and stands as the next open item on [akila]’s to-do list.

We don’t see as many ZigBee hacks as we’d expect, but they’ve definitely got a solid niche in home automation because of commercial offerings like Philips Hue and Wink. And of course, there’s the XBee line of wireless communications modules. We just wrote up a ZigBee hack that aims to work with the Hue system, though, so maybe times are changing?

A Red Teamer’s Guide To Pivoting

What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.

Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.

Is there anything that ssh and socat can’t do? Maybe not, but there are other tools (3proxy and Rpivot) that will let you do it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside? ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby iodine to route arbitrary data over DNS queries, but [Artem] says dnscat2 works without root permissions. (And this code does the same on an ESP8266.)

Once you’ve set up proxies inside, the tremendously useful proxychains will let you tunnel whatever you’d like across them. Python’s pty shell makes things easier to use, and tsh will get you a small shell on the inside, complete with file-transfer capabilities.

Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of netcat and ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?

Thanks [nootrope] for the indirect tip!
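On the monitoring side, the DNS tunnels mentioned above (iodine, dnscat2) stand out in resolver logs because payload has to ride in the query name: one client sends many unique, long, random-looking subdomains of a single parent domain. The following is an added detection sketch, not code from [Artem]'s writeup; the log format, the thresholds, and the "last two labels" parent-domain rule are assumptions, and the sample log is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

def _constructed_log():
    """Constructed sample resolver log, one 'client qname' pair per line."""
    lines = ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com"] * 10
    lines += [f"10.0.0.8 img{i}.cdn.example.org" for i in range(25)]
    lines += [
        f"10.0.0.23 {hashlib.sha256(str(i).encode()).hexdigest()[:40]}.t.example.net"
        for i in range(30)
    ]
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def group_queries(log_text):
    """Map (client, parent domain) -> set of distinct subdomain parts."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip malformed lines
        client, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # no subdomain to inspect
        parent = ".".join(labels[-2:])    # assumption: no public suffix list
        groups[(client, parent)].add(".".join(labels[:-2]))
    return groups

def suspicious(log_text, min_unique=20, min_len=30, min_entropy=3.0):
    """Flag (client, parent) pairs with many long, high-entropy subdomains."""
    hits = []
    for (client, parent), subs in sorted(group_queries(log_text).items()):
        mean_len = sum(map(len, subs)) / len(subs)
        if (len(subs) >= min_unique and mean_len >= min_len
                and entropy("".join(subs)) >= min_entropy):
            hits.append((client, parent))
    return hits

if __name__ == "__main__":
    print(suspicious(SAMPLE_LOG))
```

The CDN-style client in the sample has many unique names too, but they are short, which is why the length and entropy checks are combined with the count instead of used alone.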

MIDI Drawings Paint With Piano Keyboards

Musician [Mari Lesteberg] is making music that paints pictures. Or maybe she’s making pictures that paint music. It’s complicated. Check out the video (embedded below) and you’ll see what we mean. The result is half Chinese scroll painting, and half musical score, and they go great together.

Lots of MIDI recorders/players use the piano roll as a model for input — time scrolls off to the side, and a few illuminated pixels represent a note played. She’s using the pixels to paint pictures as well: waves on a cartoon river make an up-and-down arpeggio. That’s a (musical) hack. And she’s not the only person making MIDI drawings. You’ll find a lot more on reddit.

Of course, one could do the same thing with silent pixels — just set a note to play with a volume of zero — but that’s cheating and no fun at all. As far as we can tell, you can hear every note that’s part of the scrolling image. The same cannot be said for music of the black MIDI variety, which aims to pack as many notes into a short period of time as possible. To our ears, it’s not as beautiful, but there’s no accounting for taste.

It’s amazing what variations we’re seeing in the last few years on the ancient piano roll technology. Of course, since piano rolls are essentially punch-cards for musical instruments, we shouldn’t be too surprised that this is all possible. Indeed, we’re a little bit surprised that new artistic possibilities are still around. Has anyone seen punch-card drawings that are executable code? Or physical piano rolls with playable images embedded in them?


Say It With Me: Aliasing

Suppose you take a few measurements of a time-varying signal. Let’s say for concreteness that you have a microcontroller that reads some voltage 100 times per second. Collecting a bunch of data points together, you plot them out — this must surely have come from a sine wave at 35 Hz, you say. Just connect up the dots with a sine wave! It’s as plain as the nose on your face.

And then some spoil-sport comes along and draws in a version of your sine wave at -65 Hz, and then another at 135 Hz. And then more at -165 Hz and 235 Hz or -265 Hz and 335 Hz. And then an arbitrary number of potential sine waves that fit the very same data, all spaced apart at positive and negative integer multiples of your 100 Hz sampling frequency. Soon, your very pretty picture is looking a bit more complicated than you’d bargained for, and you have no idea which of these frequencies generated your data. It seems hopeless! You go home in tears.

But then you realize that this phenomenon gives you super powers — the power to resolve frequencies that are significantly higher than your sampling frequency. Just as the 235 Hz wave leaves an apparent 35 Hz waveform in the data when sampled at 100 Hz, a 237 Hz signal will look like 37 Hz. You can tell them apart even though they’re well beyond your ability to sample that fast. You’re pulling in information from beyond the Nyquist limit!

This essential ambiguity in sampling — that all frequencies offset by an integer multiple of the sampling frequency produce the same data — is called “aliasing”. And understanding aliasing is the first step toward really understanding sampling, and that’s the first step into the big wide world of digital signal processing.
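The numbers in the text can be checked directly. The following is an added example, not code from the article: it samples sine waves at 100 Hz, confirms that the listed frequencies give identical data, and shows the "super power" case, where knowing the band the signal lives in lets you recover 237 Hz from an apparent 37 Hz. The function names are hypothetical.

```python
import math

FS = 100.0  # sampling rate from the text, in Hz

def sample_sine(freq_hz, fs=FS, n=50):
    """Return n samples of sin(2*pi*f*t) taken at t = k/fs."""
    return [math.sin(2 * math.pi * freq_hz * k / fs) for k in range(n)]

def same_samples(f1, f2, fs=FS, tol=1e-9):
    """True if two signed frequencies are indistinguishable after sampling."""
    pairs = zip(sample_sine(f1, fs), sample_sine(f2, fs))
    return all(abs(a - b) < tol for a, b in pairs)

def baseband_alias(freq_hz, fs=FS):
    """Fold a signed frequency into [-fs/2, fs/2) by removing multiples of fs."""
    return freq_hz - fs * math.floor(freq_hz / fs + 0.5)

def candidates_in_band(apparent_hz, lo_hz, hi_hz, fs=FS):
    """All frequencies apparent + k*fs (k an integer) inside [lo_hz, hi_hz]."""
    k = math.ceil((lo_hz - apparent_hz) / fs)
    found = []
    while apparent_hz + k * fs <= hi_hz:
        found.append(apparent_hz + k * fs)
        k += 1
    return found

if __name__ == "__main__":
    # The alias family named in the text: all fit the same 100 Hz samples.
    for f in (-165, -65, 135, 235):
        print(f, "Hz matches 35 Hz:", same_samples(35, f))
    # Undersampling: a signal known to lie in 200-250 Hz that looks like 37 Hz.
    print(candidates_in_band(37, 200, 250))
```

The band limit passed to `candidates_in_band` stands in for the pre-sampling filter: if the band is wider than the sampling frequency, more than one candidate comes back and the ambiguity returns.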

Whether aliasing corrupts your pristine data or provides you with super powers hinges on your understanding of the effect, and maybe some judicious pre-sampling filtering, so let’s get some knowledge.
