We Are Now At DEFCON 2

If you had a working DEFCON meter that reported on real data, would it be cool or distressing?

Before we get ahead of ourselves: no, not that DEF CON. Instructables user [ArthurGuy] is a fan of the 1983 movie  War Games, and following a recent viewing –hacker senses a-tingling — he set to work building his own real-time display.

Making use of some spare wood, [ArthurGuy] glued and nailed together a 10x10x50cm box for the sign. Having been painted white already at some point, the paint brilliantly acted as a reflector for the lights inside each section. The five DEF CON level panels were cut from 3mm pieces of coloured acrylic with the numbers slapped on after a bit of work from a vinyl cutter.

Deviating from a proper, screen-accurate replica, [ArthurGuy] cheated a little and used WS2812 NeoPixel LED strips — 12 per level — and used a Particle Photon to control them. A quick bit of code polls the MI5 terrorism RSS feed and displays its current level — sadly, it’s currently at DEFCON 2.

Continue reading “We Are Now At DEFCON 2”

Smart Gun Beaten by Dumb Magnets

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.
Continue reading “Smart Gun Beaten by Dumb Magnets”

DEF CON Badgelife: The ESP Rules All

Badgelife is the celebration of independent hardware creators, working for months at a time to bring custom electronic badges to conferences around the world. This year at DEF CON, Badgelife is huge. It’s not just because this year was supposed to feature a non-electronic badge, and it’s not because the official badge imploded last month — Badgelife is all about people spending most of the year designing, and manufacturing hardware, culminating in one very special weekend.

[Garrett] owns Hacker Warehouse, a store providing all kinds of neat hacker tools ranging from software-defined radios to lock pick sets to side channel analysis toolkits. This year, [Garrett] decided he wanted to branch out his business and get involved in a little bit of hardware creation. He’s been curious about this for some time and figured a limited edition DEF CON badge made sense. What he wound up with is a beautiful little badge with games, blinkies, graphics, and potential to cause a lot of wireless mischief.

Would you look at that. RF design on an independent badge.

The design of the Hacker Warehouse badge is surprisingly simple compared to the Bender Badges and puzzling crypto badges that are also part of this year’s Badgelife hardware celebration. On board is an ESP8266 with a custom PCB implementation that includes a larger Flash chip. The other side of the board is loaded up with four tact switches in a D-pad arrangement. On top is a 96 x 64 pixel full-color OLED display, and blinkies are provided by fourteen mini WS2812 RGB LEDs. Power is provided by two AA cells and what looks to be a nice fancy switching regulator. This is real hardware, not just a few modules thrown together with a bunch of LEDs.

Oh, what wireless fun

This badge is built around the ESP8266, a very interesting WiFi-enabled microcontroller that has more features than it should. [Garrett] is using the ESP as a WiFi scanner of sorts, allowing anyone with this badge to monitor WiFi channels, APs, packets, and — this is important — deauth packets.

Over the last year, there have been a number of projects around the Internet that take an ESP8266 and spew deauthorization frames into the spectrum. These frames cause a WiFi client to stop using an access point, and basically shuts down all the WiFi in an area. It’s well documented, and people have been doing it for years, but the ESP8266 makes deauth attacks so very, very easy. We’re going to see a lot of deauth frames this year at DEF CON, and the Hacker Warehouse badge will be able to detect them. It can also generate these frames, but that capability is locked for now.

Blinking and glowing

An electronic conference badge isn’t cool unless it has obnoxiously bright and glowy LEDs, and the Hacker Warehouse badge is very cool.

Onboard the Hacker Warehouse badge are 14 RGB LEDs, programmed with 46 different patterns that are certainly bright enough to annoy someone. This is what you need for a badge, and it’s beautiful.

This is a truly fantastic badge that’s also a great development board for the ESP8266. Everything you need for portable WiFi gaming fun is already there — you have blinky LEDs, an OLED, what seems to be a fairly nice power supply, and enough buttons to do something interesting. All you need to do to program this badge is attach a USB to serial adapter to the pre-populated header and you really have something. It’s a great badge, and we can’t wait to see the hacks for this great piece of hardware next week at DEF CON.

Pwning With Sewing Needles

If you don’t have root, you don’t own a device, despite what hundreds of Internet of Things manufacturers would tell you. Being able to access and write to that embedded Linux system in your new flashy gadget is what you need to truly own a device, and unfortunately this is a relatively uncommon feature. At this year’s DEF CON, [Brad Dixon] unveiled a technique that pwns a device using only a sewing needle, multimeter probe, or a paperclip. No, it won’t work on every device, and the devices this technique will work with are poorly designed. That doesn’t mean it doesn’t work, and that doesn’t mean the Pin2Pwn technique isn’t useful, though.

The attack relies on how an embedded Linux device boots. All the software needed to load Linux and the rest of the peripheral magic is usually stored on a bit of Flash somewhere on the board. By using a pin, probe, or paperclip to short two data pins, or two of the latch pins on this memory chip, the bootloader will fail, and when that happens, it may fall back to a uboot prompt. This pwns the device.

There are a few qualifications for this Pwn using a pin. If the device has JTAG, it doesn’t matter – you can already own the device. If, however, a device has a locked-down JTAG, unresponsive serial ports, or even their own secure boot solution, this technique might work.

Two data pins on a TSSOP Flash shorted by a multimeter probe
Two data pins on a TSSOP Flash shorted by a multimeter probe

This exploit works on the property of the bootloader. This bit of code first looks at a piece of Flash or other memory separate from the CPU and loads whatever is there. [Brad] found a few devices (mostly LTE routers) that would try to load Linux from the Flash, fail, try to load Linux again, fail, and finally drop to a uboot prompt.

As with any successful exploit, an equally effective mitigation strategy must be devised. There are two ways to go about this, and in this case, the software side is much better at getting rid of this attack than the hardware side.

Since this attack relies on the software falling back to uboot after an unsuccessful attempt at whatever it should be booting, the simplest and most effective mitigation technique is simply rebooting the device if the proper firmware can’t be found. Having a silent serial console is great, but if the attack relies on falling back to uboot, simply not doing that will effectively prevent this attack.

The hardware side is a little simpler than writing good firmware. Instead of using TSSOP and SOIC packages for storing the device firmware, use BGAs. Hide the pins and traces on an inner layer of the board. While this isn’t a foolproof way of preventing the attack – there will always be someone with a hot air gun, magnet wire, and a steadier hand than you – it’s hard to glitch a data line with a sewing needle if you can’t see the data line.

DEFCON Thermometer

Redditor [mulishadan] — a fan of the movie WarGames — has created a singular thermostat in the form of a Defcon alert meter.

Looking to learn some new skills while building, [mulishadan] tried their hand at MIG welding the 16g cold-rolled plate steel into the distinctive shape. A second attempt produced the desired result, adding a 1/4-inch foam core and painting the exterior. Individual LEDs were used at first for lighting, but were replaced with flexible LED strips which provided a more even glow behind the coloured acrylic. A Particle Photon board queries the Weather Underground API via Wi-Fi in five-minute intervals.

Weather Data BoardEach escalation in the Defcon alert signals an increase of 10 F, starting at Defcon 5 for 69 F and below, up to Defcon 1 for 100+ F. The final build looks like a true-to-life prop with some useful functionality that can be adapted to many different purposes — proof that a relatively simple project can still produce fantastic results for entry-level makers. So why not try making this thermostat scarf as well?

[via /r/DIY]

“IoT Security” is an Empty Buzzword

As buzzwords go, the “Internet of Things” is pretty clever, and at the same time pretty loathsome, and both for the same reason. “IoT” can mean basically anything, so it’s a big-tent, inclusive trend. Every company, from Mattel to Fiat Chrysler, needs an IoT business strategy these days. But at the same time, “IoT” is vacuous — a name that applies to everything fails to clarify anything.

That’s a problem because “IoT Security” is everywhere in the news these days. Above and beyond the buzz, there are some truly good-hearted security professionals who are making valiant attempts to prevent what they see as a repeat of 1990s PC security fiascos. And I applaud them.

But I’m going to claim that a one-size-fits-all “IoT Security” policy is doomed to failure. OK, that’s a straw-man argument; any one-size-fits-all security policy is bound for the scrap heap. More seriously, I think that the term “IoT” is doing more harm than good by lumping entirely different devices and different connection modes together, and creating an implicit suggestion that they can all be treated similarly. “Internet of Things Security” is a thing, but the problem is that it’s everything, and that means that it’s useful for nothing.

What’s wrong with the phrase “Internet of Things” from a security perspective? Only two words: “Internet” and “Things”.

Continue reading ““IoT Security” is an Empty Buzzword”

How Those Hackers Took Complete Control of That Jeep

It was an overcast day with temperatures in the mid seventies – a perfect day to take your brand new Jeep Cherokee for a nice relaxing drive. You and your partner buckle in and find yourselves merging onto the freeway just a few minutes later.  You take in the new car smell as your partner fiddles with the central touch screen display.

“See if it has XM radio,” you ask as you play with the headlight controls.

Seconds later, a Taylor Swift song begins to play. You both sing along as the windows come down. “Life doesn’t get much better than this,” you think. Unfortunately, the fun would be short lived. It started with the windshield wipers coming on – the dry rubber-on-glass making a horrible screeching sound.

“Hey, what are you doing!”

“I didn’t do it….”

You verify the windshield wiper switch is in the OFF position. You switch it on and off a few times, but it has no effect. All of the sudden, the radio shuts off. An image of a skull and wrenches logo appears on the touchscreen. Rick Astley’s “Never Gonna Give You Up” begins blaring out of the speakers, and the four doors lock in perfect synchronization. The AC fans come on at max settings while at the same time, you feel the seat getting warmer as they too are set to max. The engine shuts off and the vehicle shifts into neutral. You hit the gas pedal, but nothing happens. Your brand new Jeep rolls to a halt on the side of the freeway, completely out of your control.

Sound like something out of a Hollywood movie? Think again.

[Charlie Miller], a security engineer for Twitter and [Chris Valasek], director for vehicle safety research at IOActive, were able to hack into a 2014 Jeep Cherokee via its wireless on-board entertainment system from their basement. A feature called UConnect, which allows the vehicle to connect to the internet via a cellular connection, has one of those things you might have heard of before – an IP address. Once the two hackers had this address, they had the ‘digital keys’ to the Jeep. From there, [Charlie] and [Chris] began to tinker with the various firmwares until they were able to gain access to the vehicle’s CAN bus. This gives them the ability to control many of the car’s functions, including (under the right conditions) the ability to kill the brakes and turn the steering wheel. You probably already have heard about the huge recall Chrysler issued in response to this vulnerability.

But up until this weekend we didn’t know exactly how it was done. [Charlie] and [Chris] documented their exploit in a 90 page white paper (PDF) and spoke at length during their DEF CON talk in Las Vegas. That video was just published last night and is embedded below. Take look and you’ll realize how much work they did to make all this happen. Pretty amazing.

Continue reading “How Those Hackers Took Complete Control of That Jeep”