Fear and Loathing at DEFCON 22

Nothing says “Welcome to Vegas” like a massive turbulence on a plane full of drunk people who, instead of holding on to their seats, frantically laugh and shout “we’re all going to die!” At 105 Fahrenheit outside, the heat was getting into everyone’s head. After a bumpy touchdown, the in-flight entertainment system rebooted, and a black terminal screen flashed onto everyone’s face:

RedBoot(tm) bootstrap and debug environment [RAM]
(MAS eFX) release, version ("540060-212" v "0.1.02") - built 12:00:35,
Nov 19 2004

Now, that was a beautiful sight – an IFE system that hadn’t been updated for almost a decade. For people who didn’t come here to participate in a big zero-sum game that is Vegas, this was a sign.

DEFCON was waiting for us right outside of that front cabin door.

Continue reading “Fear and Loathing at DEFCON 22”

Hat Hash Hacking at DEFCON

You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.

Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.

Continue reading “Hat Hash Hacking at DEFCON”

The ChipWhisperer At Defcon

We’ve seen [Colin]’s entry to The Hackaday Prize before. After seeing his lightning talk at Defcon, we had to get an interview with him going over the intricacies of this very impressive piece of hardware.

The ChipWhisperer is a security and research platform for embedded devices that exploits the fact that all security measures must run on real hardware. If you glitch a clock when a microcontroller is processing an instruction, there’s a good probability something will go wrong. If you’re very good at what you do, you can simply route around the code that makes up the important bits of a security system. Power analysis is another trick up the ChipWhisperer’s sleeve, analyzing the power consumption of a microcontroller when it’s running a bit of code to glean a little information on the keys required to access the system. It’s black magic and dark arts, but it does work, and it’s a real threat to embedded security that hasn’t had an open source toolset before now.

Before our interview, [Colin] did a few short and sweet demos of the ChipWhisperer. They were extraordinarily simple demos; glitching the clock when a microcontroller was iterating through nested loops resulted in what can only be described as ‘counter weirdness’. More advanced applications of the ChipWhisperer can supposedly break perfectly implemented security, something we’re sure [Colin] is saving for a followup video.

You can check out [Colin]’s 2-minute video for his Hackaday Prize entry below.

Continue reading “The ChipWhisperer At Defcon”

DEFCON 22: The HackRF PortaPack

What do you get when you combine one of the best (and certainly one of the best for the price) software defined radios with the user interface of a 10-year-old iPod? The HackRF PortaPack, developed by [Jared Boone], and demonstrated at DEFCON last weekend.

[Jared] is one of the original developers for the HackRF, a 10MHz to 6GHz software defined radio that can also transmit in half duplex. Since the development of the HackRF has (somewhat) wrapped up, [Jared] has been working on the PortaPack, an add-on for the HackRF that turns it into a portable, ARM Cortex M4-powered software defined radio. No, it’s not as powerful as a full computer running GNU Radio, but it does have the capability to listen in on a surprising amount of radio signals.

Because [Jared] is using a fairly low-power micro for the PortaPack, there’s a lot of tricks he’s using to get everything running smoothly. He gave a lightning talk at the Wireless Village at DEFCON going over the strengths and weaknesses of the chip he’s using, and surprisingly he’s using very little floating point arithmetic in his code. You can check out the video for that talk below.

Continue reading “DEFCON 22: The HackRF PortaPack”

DEFCON 22: The Badge Designers

If you go to DEFCON next year (and you should), prepare for extreme sleep deprivation. If you’re not sleep deprived you’re doing it wrong. This was the state in which we ran into [LosT] and [J0nnyM@c], the brains behind the DEFCON 22 badge and all of the twisted tricks that torture people trying to solve the badge throughout the weekend. They were popular guys but wait around until late into the night and the throngs of hint-seekers subside just a bit.

Plans, within plans, within plans are included in the “crypto” which [LosT] talks about in the interview above. We were wondering how hard it is to produce a badge that is not only electrically perfect, but follows the planned challenge to a ‘T’. This includes things like holding off soldering mask from some pads, and different ones on a different version of the badge. Turns out that you just do as well as you can and then alter the puzzle to match the hardware.

Speaking of hardware. A late snafu in the production threw the two into a frenzy of redesign. Unable to use the planned chip architecture, [J0nnyM@c] stepped up to transition the badges over to Propeller P8X32a chips, leveraging a relationship with Parallax to ensure they hardware could be manufactured in time for the conference.

If you haven’t put it together yet, this is that same chip that Parallax just made Open Source. The announcement was timed to coincide with DEFCON.

DEFCON 22: Hack All the Things

This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).

The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.

Continue reading “DEFCON 22: Hack All the Things”

DEFCON 22: Badge Talk

I got a great seat on the main floor for the first big DEFCON 22 talk which is a welcome to the con and discussion of the badge hardware. [LosT], the creator of this year’s badge, started the discussion with a teaser about the badge… there’s a phone number hidden as part of the challenge. [LosT] took a call from someone chasing the puzzles. The guy was in the audience which was pretty fun.

The process of building a puzzle that can be solved at DEFCON is really tough. How do you make it just hard enough that it won’t get pwned right away but easy enough that a large number of attendees will be able to figure it out during the weekend? The answer is to build a secure system and introduce strategic flaws which will be the attack vectors for the attendees solving the badge challenge.

Of course the badge can be used as a development platform. The populated electronics on the board all have these nice little footprints which can be cut to disconnect them from the chip. The breakout headers on either side of the board allow you to connect headers for your own uses. Great idea!

The back of the lanyards have special characters on them too. This encourages community at the conference. To solve the puzzle you need to find others with different lanyards. Compare the glyphs and crack the code (so far I have no clue!!).

Know what I’m doing wrong? Have suggestions on where to go from here? I’ll be checking the comments!