36C3: All Wireless Stacks Are Broken

December 30, 2019 by 29 Comments

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it wouldn’t entirely surprise you that when [Jiska] gets into the Bluetooth stack, she’s able to DOS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack enabled by some work by one of her students [Jan Ruge] work on emulation, codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time, and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

Reverse Engineered Media Controller From Car Is Best Friends With Android

June 4, 2018 by 17 Comments

The CAN bus is a rich vein to mine for a hacker: allowing the electronic elements of most current vehicles to be re-purposed and controlled with ease. [MikrocontrollerProjekte] has reverse engineered a CAN bus media and navigation controller and connected it to an STM32F746G-Discovery board. The STM32 is in turn connected to an Android phone, and allows the media controller to trigger a large number of functions on the phone, including music playback, maps, and general Android navigation.

When reverse engineering the controller, [MikrocontrollerProjekte] employed a variety of approaches. A small amount of information was found online, some fuzzing was done with random CAN bus IDs and messages, as well as some data logging with the device inside the car to identify message data to the relevant IDs on the bus.

The STM32F746G-Discovery board acts as a Human Interface Device (HID), emulating a mouse and keyboard connected to the Android phone via USB OTG. The LCD screen shows the output of the keystrokes and touchpad area. We’re not sure how useful the mouse-emulation would be, given that the phone has a touchscreen, but the media functions work really well, and would also make a really snazzy music controller for a PC.

We’ve covered plenty of other cool CAN bus hacks, like reverse-engineering this Peugeot 207, or this general purpose CAN sniffer.

Continue reading “Reverse Engineered Media Controller From Car Is Best Friends With Android”

OptionsBleed – Apache Bleeds In Uncommon Configuration

September 19, 2017 by 8 Comments

[Hanno Böck] recently uncovered a vulnerability in Apache webserver, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in .htaccess file. Dubbed Optionsbleed, this vulnerability is a use after free error in Apache HTTP that causes a corrupted Allow header to be replied by the webserver in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:

Continue reading “OptionsBleed – Apache Bleeds In Uncommon Configuration”

Closing Out DEF CON 23

August 14, 2015 by 5 Comments

We had a wild time at DEF CON last week. Here’s a look back on everything that happened.

defcon-23-hackday-breakfast-thumbFor us, the festivities closed out with a Hackaday Breakfast Meetup on Sunday morning. Usually we’d find a bar and have people congregate in the evening but there are so many parties at this conference (official and unofficial) that we didn’t want people to have to choose between them. Instead, we made people shake off the hangover and get out of bed in time for the 10:30am event.

We had a great group show up and many of them brought hardware with them. [TrueControl] spilled all the beans about the hardware and software design of this year’s Whiskey Pirate badge. This was by far my favorite unofficial badge of the conference… I made a post covering all the badges I could find over the weekend.

We had about thirty people roll through and many of them stayed for two hours. A big thanks to Supplyframe, Hackaday’s parent company, for picking up the breakfast check and for making trips like this possible for the Hackaday crew.

Hat Hacking

@RobertPlacencia and Jason were the first at DEF CON 23 to hack
@noahanadeau was the second on the scoreboard

For DEF CON 22 I built a hat that scrolls messages and also serves as a simple WiFi-based crypto game. Log onto the access point and try to load any webpage and you’ll be greeted with the scoreboard shown above. Crack any of the hashes and you can log into the hat, put your name on the scoreboard, and make the hat say anything you want.

Last year only one person hacked the hat, this year there were 7 names on the scoreboard for a total of 22 cracked hashes. Nice work!

  • erich_jjyaco_cpp    16 Accounts
  • UniversityOfAriz     1 Account
  • @badgerops             1 Account
  • conorpp_VT             1 Account
  • C0D3X Pwnd you    1 Account
  • D0ubleN                   1 Account
  • erichahn525_VTe     1 Account

Three of these hackers talked to me, the other four were covert about their hat hacking. The top scorer used a shell script to automate logging-in with the cracked passwords and putting his name on the scoreboard.

I’d really like to change it up next year. Perhaps three hats worn by three people who involves some type of 3-part key to add different challenges to this. If you have any ideas I’d love to hear them below, or as comments on the project page.

[Eric Evenchick] on socketCAN

eric-evenchick-socketCAN-defcon-23-croppedOne of the “village” talks that I really enjoyed was from [Eric Evenchick]. He’s been a writer here for a few years, but his serious engineering life is gobbling up more and more of his time — good for him!

You probably remember the CANtact tool he built to bring car hacking into Open Source. Since then he’s been all over the place giving talks about it. This includes Blackhat Asia earlier in the year (here are the slides), and a talk at BlackHat a few days before DEF CON.

This village talk wasn’t the same as those, instead he focused on showing what socketCAN is capable of and how you might use it in your own hacking. This is an open source software suite that is in the Linux repos. It provides a range of tools that let you listen in on CAN packets, record them, and send them out to your own car. It was great to hear [Eric] rattle off examples of when each would be useful.

Our Posts from DEF CON 23

If you missed any of them, here’s our coverage from the conference. We had a blast and are looking forward to seeing everyone there next year!

The Economics Of Fuzz Testing With The Intel Edison

October 18, 2014 by 16 Comments

The Intel Edison is an incredibly small and cheap x86 computing platform, and with that comes the obvious applications for robotics and wearable computing. [mz] had another idea: what if the Edison could do work that is usually done by workstations? Would it make economic sense to buy a handful of Edisons over a single quad-core Xeon system?

[mz] thought the Edison would be an ideal platform for fuzz testing, or sending random, automated data at a program or system to figure out if they’ll misbehave in interesting ways. After figuring out where to solder power and ground wires to boot an Edison without a breakout board, [mz] got to work benchmarking his fuzz testing setup.

Comparing the benchmarks of a fuzzing job running on the Edison and a few servers and workstations, calculations of cost-efficiency worked out well for this tiny x86 system on module. For parallelizable tasks, the Edison is about 8x less powerful than a reasonably modern server, but it’s also about 5-8x cheaper than a comparable desktop machine. Although renting a server is by far the more economic solution for getting a lot of computing power easily, there are a few use cases where a cluster of Edisons in your pocket would make sense.

[Bunnie] Launches The Novena Open Laptop

April 2, 2014 by 60 Comments

Today [Bunnie] is announcing the launch of the Novena Open Laptop. When we first heard he was developing an open source laptop as a hobby project, we hoped we’d see the day where we could have our own. Starting today, you can help crowdfund the project by pre-ordering a Novena.

The Novena is based on the i.MX6Q ARM processor from Freescale, coupled to a Xilinx Spartan 6 FPGA. Combined with the open nature of the project, this creates a lot of possibilities for using the laptop as a hacking tool. It has dual ethernet, for routing or sniffing purposes. USB OTG support lets the laptop act as a USB device, for USB fuzzing and spoofing. There’s even a high speed expansion bus to interface with whatever peripheral you’d like to design.

You can pre-order the Novena in four models. The $500 “just the board” release has no case, but includes all the hardware needed to get up and running. The $1,195 “All-in-One Desktop” model adds a case and screen, and hinges open to reveal the board for easy hacking. Next up is the $1,995 “Laptop” which includes a battery control board and a battery pack. Finally, there’s the $5000 “Heirloom Laptop” featuring a wood and aluminum case and a Thinkpad keyboard.

The hardware design files are already available, so you can drool over them. It will be interesting to see what people start doing with this powerful, open computer once it ships. After the break, check out the launch video.

Continue reading “[Bunnie] Launches The Novena Open Laptop”

Barcode Infiltrator

September 2, 2010 by 25 Comments

Whenever someone manages to expose vulnerabilities in everyday devices, we love to root for them. [Adrian] over at Irongeek has been inspired to exploit barcodes as a means to attack a POS database. Based on an idea from a Pauldotcom episode, he set out to make a rapid attack device, using an LED to spoof the signals that would be received by scanning a barcode. By exposing the POS to a set of generic database attacks, including XSS, SQL Injection, and other errors easily solved by input sanitation, he has created the first version of an automated system penetration device. In this case the hardware is simple, but the concept is impressive.

With the hardware explained and the source code provided, as well as a basic un-sanitized input cheat sheet, the would-be barcode hackers have a great place to start if they feel compelled to provide a revision two.

[Thanks Robert W.]