Pwning With Sewing Needles

If you don’t have root, you don’t own a device, despite what hundreds of Internet of Things manufacturers would tell you. Being able to access and write to that embedded Linux system in your new flashy gadget is what you need to truly own a device, and unfortunately this is a relatively uncommon feature. At this year’s DEF CON, [Brad Dixon] unveiled a technique that pwns a device using only a sewing needle, multimeter probe, or a paperclip. No, it won’t work on every device, and the devices this technique will work with are poorly designed. That doesn’t mean it doesn’t work, and that doesn’t mean the Pin2Pwn technique isn’t useful, though.

The attack relies on how an embedded Linux device boots. All the software needed to load Linux and the rest of the peripheral magic is usually stored on a bit of Flash somewhere on the board. By using a pin, probe, or paperclip to short two data pins, or two of the latch pins on this memory chip, the bootloader will fail, and when that happens, it may fall back to a uboot prompt. This pwns the device.

There are a few qualifications for a pin-based pwn like this. If the device has JTAG, it doesn’t matter – you can already own the device. If, however, a device has locked-down JTAG, unresponsive serial ports, or even its own secure boot solution, this technique might work.

Two data pins on a TSSOP Flash shorted by a multimeter probe

This exploit relies on the behaviour of the bootloader. This bit of code first looks at a piece of Flash or other memory separate from the CPU and loads whatever is there. [Brad] found a few devices (mostly LTE routers) that would try to load Linux from the Flash, fail, try again, fail, and finally drop to a uboot prompt.

As with any successful exploit, an equally effective mitigation strategy must be devised. There are two ways to go about this, and in this case, the software side is much better at getting rid of this attack than the hardware side.

Since this attack relies on the software falling back to uboot after an unsuccessful attempt at booting whatever it should be booting, the simplest and most effective mitigation is simply rebooting the device if the proper firmware can’t be found. Having a silent serial console is great, but if the attack relies on falling back to uboot, simply not doing that will effectively prevent this attack.
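As an added illustration (not from the talk or from this post), here is a small shell audit of a U-Boot environment dump, with a constructed weak environment beside a hardened one that reboots on failure; the variable names follow U-Boot’s documented bootdelay/bootcmd conventions, while the flash offsets and load address are made up.

```shell
#!/bin/sh
# Audit a U-Boot environment dump (what `fw_printenv` prints) for the
# behaviour Pin2Pwn needs: a failed boot that lands on the U-Boot prompt.
# Both dumps below are constructed; the flash offsets and load address are
# made up, and `&&` in tryboot assumes U-Boot was built with the Hush parser.

# Weak: a key during the 3 s delay aborts autoboot, and if `bootm` fails
# (for example after a glitched flash read) U-Boot falls back to the prompt.
WEAK_ENV='bootdelay=3
bootcmd=sf probe; sf read ${loadaddr} 0x100000 0x400000; bootm ${loadaddr}
loadaddr=0x82000000'

# Hardened: bootdelay=-2 autoboots at once without checking for an abort key,
# and bootcmd ends in `reset`, so any failure in tryboot reboots the device
# instead of handing out an interactive shell.
HARD_ENV='bootdelay=-2
bootcmd=run tryboot; reset
tryboot=sf probe && sf read ${loadaddr} 0x100000 0x400000 && bootm ${loadaddr}
loadaddr=0x82000000'

# env_get DUMP NAME: print the value of variable NAME from the dump.
env_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# audit_env DUMP: print one line per finding; return 0 only if there are none.
audit_env() {
    findings=0
    delay=$(env_get "$1" bootdelay)
    cmd=$(env_get "$1" bootcmd)
    case "$delay" in
        -2) ;;
        *) echo "bootdelay=$delay: autoboot can be aborted from the console"
           findings=1 ;;
    esac
    case "$cmd" in
        *reset) ;;
        *) echo "bootcmd does not end in 'reset': a failed boot drops to the prompt"
           findings=1 ;;
    esac
    return "$findings"
}

# On a real device: audit_env "$(fw_printenv)". Here, the constructed dumps.
audit_env "$WEAK_ENV" || echo "weak environment flagged"
audit_env "$HARD_ENV" && echo "hardened environment passes"
```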

The hardware side is a little simpler than writing good firmware. Instead of using TSSOP and SOIC packages for storing the device firmware, use BGAs. Hide the pins and traces on an inner layer of the board. While this isn’t a foolproof way of preventing the attack – there will always be someone with a hot air gun, magnet wire, and a steadier hand than you – it’s hard to glitch a data line with a sewing needle if you can’t see the data line.

The Terrible Security Of Bluetooth Locks

Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.

The tools [Anthony] used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. This entire setup can be powered by a single battery, making it very stealthy.

The attacks on these Bluetooth locks varied, from sniffing a password sent to the lock in plain text (!) and replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing works surprisingly well, since quite a few models of smart lock use eight-digit PINs. Even locks with ‘patented security’ (read: custom crypto, bad) were terrible; this patented security was just an XOR with a hardcoded key.

What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver. These locks are rare. Twelve of the sixteen locks tested could be easily broken. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock.

[Anthony]’s work going forward will concentrate on expanding his library of scripts to exploit these locks, and on evaluating the Bluetooth locks on ATMs. Yes, ATMs also use Bluetooth locks. The mind reels.

DEF CON: BSODomizing In High Definition

A few years ago, [Kingpin] a.k.a. [Joe Grand] (a judge for the 2014 Hackaday Prize) designed the most beautiful electronic prank ever. The BSODomizer is a simple device with a pass-through connection for a VGA display and an infrared receiver. Plug the BSODomizer into an unsuspecting coworker’s monitor, press a button on a remote, and watch Microsoft’s blue screen of death appear. It’s brilliant, devious, and actually a pretty simple device if you pick the right microcontroller.

The original BSODomizer is getting a little long in the tooth. VGA is finally dead. The Propeller chip used to generate the video only generates text, and can’t reproduce Microsoft’s fancy new graphical error screens. HDMI is the future, and FPGAs have never been more accessible. For this year’s DEF CON, [Kingpin] and [Zoz] needed something to impress an audience that is just learning how to solder. They’ve revisited the BSODomizer, and have created the greatest hardware project at this year’s DEF CON.


DEF CON’s X86 Badge

This year’s DEF CON badge is electronic, and there was much celebrating. This year’s DEF CON badge has an x86 processor, and there was much confusion.

These vias are connected to something.

This year’s badge, like every year’s except badges 14 through 18 (designed by [Joe Grand]) and the pre-history badges designed by [Dark Tangent] and [Ping], was designed by [1057], and it is built around an x86 processor. Specifically, this badge features an Intel Quark D2000 microcontroller running at 32 MHz, with 32 kB of Flash and 8 kB of RAM. Yes, an x86 badge, but I think an AT motherboard badge would better fulfill that requirement.

As far as buttons, sensors, peripherals, and LEDs go, this badge is exceptionally minimal. There are eight buttons, laid out as two directional pads, five LEDs, and a battery. There’s not much here, but with a close inspection of the ‘chin’ area of the badge, you can see how this badge was programmed.

As with any [1057] joint, this badge features puzzles galore. One of these puzzles is exceptionally hard to photograph as it is in the bottom copper layer. It reads, “nonpareil bimil: Icnwc lsrbcx kc htr-yudnv ifz xdgm yduxnw yc iisto-cypzk”. Another bottom copper text reads, “10000100001 ΣA120215”. Get crackin’.

A gallery of the Human and Goon badges follows; click through for the best resolution we have.

This post has been updated to correct the record of who designed badges for previous cons.

Hackaday Links: July 31, 2016

Going to DEF CON this week? Getting into Vegas early? We’re having a meetup on Wednesday, in the middle of the day, in the desert. It’s all going down at the grave of James T. Kirk. Rumor has it, the Metrons will abduct a few of us and make us fight to the death on a planet with impossible geology.

The Hara Arena is closing down. The Hara Arena in Dayton, Ohio is the home of Hamvention, the largest gathering of amateur radio enthusiasts in the US. I was there last May, and I can assure you, the Hara Arena has fallen into a state of disrepair. The ARRL reports Hamvention will be at a new venue next year. The last scheduled event, after which there will be an auction for venue equipment and furniture, will be on August 27th. It’ll be a comic book and toy show.

Hackaday.io has a lot of projects. Some might say it has too many projects. The search is great, but sometimes you just want to look at a random project. That’s the problem [Greg] solved with his Hackaday.io randomizer. It returns a random Hackaday.io project, allowing you to gawk at all the boards and resistors found within.

Primitive Technology is a YouTube channel you should watch. It’s a guy (who doesn’t talk) building everything starting with pre-stone age technology. He built a house with a heated floor, somewhat decent pottery, and this week he entered the iron age. The latest video shows him building a squirrel cage fan out of clay and bark to smelt iron. The ore was actually iron-bearing bacteria, mixed with charcoal and wood ash, and placed into a crude but accurate smelting furnace. The end result is a few BB-sized grains of iron and a lot of melted flux. That’s not much, and is certainly not an accurate portrayal of what was being done 5,000 years ago, but it does mean the Internet’s favorite guy in the woods has entered the iron age while completely skipping over bronze.

Freeside Atlanta says they’re the largest hackerspace on the east coast, and to show off all the cool goings on, they made a walk through video.

Hackaday has a retro edition. It’s a wide selection of Hackaday posts presented in a format without JavaScript, CSS, ads, or any other Web 2.0 cruft. There’s an open challenge for anyone to load the retro site with a 4004 CPU. I know it can be done, but no one has presented evidence of doing it. [Lukas] just sent in his retro submission with a Z80 single board computer displaying some of the page on seven-segment displays. It’s basically a terminal emulator connected to a laptop that does most of the work, but this is the most minimal retro submission we’ve ever received.

DEF CON Meetup At The Grave Of James T. Kirk

DEF CON is just around the corner, and that means in just a few days thousands of hardware hackers will be wandering around the casinos in Vegas. Yes, in a mere handful of hours, the tech literati will be accosted by the dead, disaffected eyes of dealers and the crass commercialization of every culture in humanity’s recorded history. The light of god does not penetrate mirrored ceilings. Vegas is terrible, it’ll be 120°F outside, but at least there’s cool stuff happening Thursday through Sunday.

Hackaday is going to be there, but we really don’t want to spend the entire weekend walking around casinos. That’s why we’re hosting a meetup at the most unlikely place possible: Veridian III, the site of the battle between the Duras sisters and the Enterprise, the crash site of NCC-1701-D, and the final resting place of Admiral James Tiberius Kirk.

We’ll be visiting Veridian III at the Valley of Fire State Park on Wednesday, August 3rd, starting at 1pm. It’s about an hour north of Vegas. As you would expect, hats, sunscreen, good shoes, and a supply of water that could be categorized as “survivalist” are a good idea. Hackaday will be at the visitor center at 1PM, and after a half hour or so, the entire meetup will drive a few miles north to cooler looking rocks.

If you want an FAQ, here you go:

  • What’s this all about, then?
    • Drive out to the desert because cool rocks.
  • No, really, what’s up?
    • Watch Star Trek: Generations. We’re going to the filming location of Soren’s launch site on Veridian III. This is where Kirk died (on a bridge), and where he was buried by Picard.
  • Where and when?
    • Valley of Fire State Park. Here’s the Google Map. 1PM, August 3rd. It’s about an hour north of Vegas. We’re going to meet at the visitor center around 1pm. Around 1:30, we’re going a few miles north to the White Dome trailhead. Look for the Hackaday Flag. It’ll be flying on a PVC pipe taped to a car.
  • Why are you going to the desert, in August, in the middle of the day, with no plan whatsoever?
    • Because Benchoff.
  • Why would extinguishing a star alter its gravity? The mass of the star would still be there, which means the Nexus ribbon wouldn’t be deflected at all. Is this crazy? What’s going on here?
    • Because Rick Berman.
  • Why weren’t there two Picards after Picard and Kirk returned from the Nexus?
    • Rick Berman.
  • Is this really the grave site of James T. Kirk?
    • No, because Kirk was resurrected by the Borg and his katra restored by Romulans.

This meetup will be a continuation of a series of Hackaday meetups in the middle of nowhere. Earlier, we had a gathering at the childhood home of the worst president of the United States of America. That meetup was a roaring success, with people travelling from surprisingly far away. If you’re unlucky enough to be in Vegas for DEF CON a day early, this is one of the weirdest meetups you could possibly attend.

By the way, if enough people attend, it will serve as proof we can do a meetup anywhere. I have my eyes on Spillville, Iowa, Oregon’s House of Mystery, and one of the remaining Blockbuster stores in El Paso. If you support this idea, come on out.

Hands-on The AND!XOR Unofficial DEF CON Badge

DEF CON 24 is still about two weeks away but we managed to get our hands on a hardware badge early. This is not the official hardware — there’s no way they’d let us leak that early. Although it may be unofficial in the sense that it won’t get you into the con, I’m declaring the AND!XOR badge to be officially awesome. I’ll walk you through it. There’s also a video below.

Over the past several years, building your own electronic badge has become an impromptu event. People who met at DEF CON and have been returning year after year spend the time in between coming up with great ideas and building as many badges as they can leading up to the event. This is how I met the trio who built this badge — AND!XOR: Andrew Riley, and Jorge Lacoste — last year they invited me up to their room where they were assembling the last of the Crypto Badges. Go check out my guide to 2015 Unofficial DEF CON badges for more on that story (and a video of the AM transmissions that badge was capable of).

The outline of this year’s badge is, of course, Bender from Futurama. Both eyes are RGB LEDs, with another half dozen located at different points around his head. The microcontroller, an STM32F103 ARM Cortex-M3, sits in a diamond pattern between his eyes. Above the eyes you’ll find 16 Mbit of flash, a 128×64 OLED screen, and a reset button. The user inputs are five switches, and the badge is powered by three AA batteries found on the flip side.


That alone makes an interesting piece of hardware, but the RFM69W module makes all of the badges interactive. The spring coming off the top of Bender’s dome is a coil antenna for the 433 MHz communications. I only have the one badge on hand, so I couldn’t delve too deeply into what interactive tricks a large pool of badges will perform, but the menu hints at a structure in place for some very fun and interesting applications.
