Wireless Hacking With The OLPC XO


Not even a week ago we asked what we should do with our OLPC XO. InformIT’s [Seth Fogie] has written a great two part article that covers turning it into a hacker toolkit. Part one is an overview of the OLPC, how to upgrade it, and do some usability tweaks. Part two covers installing Nessus, Metasploit, and doing some wireless sniffing. We’ll be building our own little green monster based on this and let you know how it goes.

[via Slashdot]

GPL Vs. Skype Back In Court


UPDATE: Skype has withdrawn their appeal and accepted the original judgment.

Tomorrow the High District Court of Munich will hear Skype argue against the validity of the GPL. Last June, the court issued an injunction against Skype for selling the SMC WSKP 100, a Linux-based WiFi VoIP phone. After the initial GPL violation, a flier with the URL for the source was added to the package. The GPL wasn’t provided and the court found this insufficient for fulfilling the requirements of the GPL. Skype is appealing and claims that the GPL as a whole violates anti-trust regulation. The case against Skype was brought by OpenMoko‘s original system architect, Harald Welte, as part of his work for gpl-violations.org.

DIY 2.4ghz Spectrum Analyser


This project got some blog love last year, but it slipped past my radar. [jhecker] built a parallel port interfaced device based on a Cypress 2.4ghz transceiver module. The module is pretty complete, so as long as you can wield a soldering iron, you can pull this one off. The module is pretty cheap, so it could be just the thing for building your own signal detector.

[Ed Note, Stardate 2018: There seems to be some linkrot.  Try this link instead.]

24C3 Mifare Crypto1 RFID Completely Broken

Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reversed Philips crypto-1 “classic” Mifare RFID chips which are used in car keys, among other things. They analyzed both the silicon and the actual handshaking over RF. Looking at the silicon they found about 10K gates. Analyzing with Matlab turned up 70 unique functions. Then they started looking “crypto-like” parts: long strings of flip-flops used for registers, XORs, things near the edge that were heavily interconnected. Only 10% of the gates ended up being crypto. They now know the crypto algorithm based on this analysis and will be releasing later in the year.

The random number generator ended up being only 16-bit. It generates this number based on how long since the card has been powered up. They controlled the reader (an OpenPCD) which lets them generate the same “random” seed number over and over again. This was actually happening on accident before they discovered the flaw.

One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.

ToorCon 9: Retrieving WEP Keys From Road Warriors


[Vivek Ramachandran]’s Cafe Latte attack was one of the last talks we caught at ToorCon. I’ve found quite a few articles about it, but none really get it right. It’s fairly simple and deals with cracking WEP keys from unassociated laptops. First your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP encrypted ARP packet. By flipping the bits in the ARP packet you can replay the WEP packet and it will appear to the client to be coming from an IP MAC combo of another host on the network. All of the replies will have unique IVs and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack we covered earlier, but Cafe Latte requires generation of far fewer packets. You can read about the Cafe Latte attack on AirTight Networks.