Closing out DEF CON 23

We had a wild time at DEF CON last week. Here’s a look back on everything that happened.

defcon-23-hackday-breakfast-thumbFor us, the festivities closed out with a Hackaday Breakfast Meetup on Sunday morning. Usually we’d find a bar and have people congregate in the evening but there are so many parties at this conference (official and unofficial) that we didn’t want people to have to choose between them. Instead, we made people shake off the hangover and get out of bed in time for the 10:30am event.

We had a great group show up and many of them brought hardware with them. [TrueControl] spilled all the beans about the hardware and software design of this year’s Whiskey Pirate badge. This was by far my favorite unofficial badge of the conference… I made a post covering all the badges I could find over the weekend.

We had about thirty people roll through and many of them stayed for two hours. A big thanks to Supplyframe, Hackaday’s parent company, for picking up the breakfast check and for making trips like this possible for the Hackaday crew.

Hat Hacking

For DEF CON 22 I built a hat that scrolls messages and also serves as a simple WiFi-based crypto game. Log onto the access point and try to load any webpage and you’ll be greeted with the scoreboard shown above. Crack any of the hashes and you can log into the hat, put your name on the scoreboard, and make the hat say anything you want.

Last year only one person hacked the hat, this year there were 7 names on the scoreboard for a total of 22 cracked hashes. Nice work!

  • erich_jjyaco_cpp    16 Accounts
  • UniversityOfAriz     1 Account
  • @badgerops             1 Account
  • conorpp_VT             1 Account
  • C0D3X Pwnd you    1 Account
  • D0ubleN                   1 Account
  • erichahn525_VTe     1 Account

Three of these hackers talked to me, the other four were covert about their hat hacking. The top scorer used a shell script to automate logging-in with the cracked passwords and putting his name on the scoreboard.

I’d really like to change it up next year. Perhaps three hats worn by three people who involves some type of 3-part key to add different challenges to this. If you have any ideas I’d love to hear them below, or as comments on the project page.

[Eric Evenchick] on socketCAN

eric-evenchick-socketCAN-defcon-23-croppedOne of the “village” talks that I really enjoyed was from [Eric Evenchick]. He’s been a writer here for a few years, but his serious engineering life is gobbling up more and more of his time — good for him!

You probably remember the CANtact tool he built to bring car hacking into Open Source. Since then he’s been all over the place giving talks about it. This includes Blackhat Asia earlier in the year (here are the slides), and a talk at BlackHat a few days before DEF CON.

This village talk wasn’t the same as those, instead he focused on showing what socketCAN is capable of and how you might use it in your own hacking. This is an open source software suite that is in the Linux repos. It provides a range of tools that let you listen in on CAN packets, record them, and send them out to your own car. It was great to hear [Eric] rattle off examples of when each would be useful.

Our Posts from DEF CON 23

If you missed any of them, here’s our coverage from the conference. We had a blast and are looking forward to seeing everyone there next year!

DEF CON vs IoT: On Hackability and Security

Ahh DEF CON! One group of hackers shows off how they’ve broken into all sorts of cool devices and other hackers (ahem… “security professionals”) lament the fact that the first group were able to do so. For every joyous “we rooted the Nest thermostat, now we can have fun” there’s a doom-mongering “the security of network-connected IoT devices is totally broken!”.

And like Dr. Jekyll and Mr. Hyde, these two sides of the hacker persona can coexist within the same individual. At Hackaday, we’re totally paranoid security conscious, but we also like to tinker with stuff. We believe that openness and security are best friends forever. If you can open it, you can see if it’s well-made inside, at least in principle. How do we reconcile this with the security professional’s demand for devices that only accept signed binary firmware updates so that they can’t be tampered with?

We’ve got no answers, but we’ve got plenty of questions. Read on, and let us know what you think.

Continue reading “DEF CON vs IoT: On Hackability and Security”

All the Unofficial Electronic Badges of DEF CON

2015 was the year of the unofficial hardware badge at DEF CON 23. There were a ton of different hardware badges designed for the love of custom electronics and I tried to catch up with the designer of each different badge. Here is the collection of images, video demos, and build details for each one I saw this weekend.

Whiskey Pirates

[TrueControl] did a great job with his badge design this year for the Whiskey Pirate Crew. This is a great update from the badge he designed last year, keeping the skull and bones outline. It uses a PSOC4 chip to control a ton of LEDs. The eyes are RGB pixels which are each on their own PCB that is soldered onto the back of the badge, with openings for the LED to show through. Two AA batteries power the board which has a surface-mount LED matrix. The user controls are all capacitive touch. There is a spinner around one eye, and pads for select and back. The NRF24L01 radio operates at 2.4GHz. This badge is slave to commands from last year’s badge. When the two are in the same area the 2015 badges will scroll the nickname of the 2014 badge it “sees”. The piezo element also chirps many different sounds based on the interactions with different badges.

[True] makes design an art form. The matte black solder mask looks fantastic, and he took great care in use of font, size, alignment, and things like letting copper show through for a really stunning piece of hardware art.

Keep reading for ten more great badges seen over the weekend.

Continue reading “All the Unofficial Electronic Badges of DEF CON”

Hacking a KVM: Teach a Keyboard Switch to Spy

When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.

Continue reading “Hacking a KVM: Teach a Keyboard Switch to Spy”

DEF CON: Abusing Scripts in Multiplayer Games

Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer bretheren. At this year’s DEF CON, [Tamas Szakaly] gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.

[Tamas]’ talk was entirely about scripting games, like the many games that are scriptable in Lua, or Valve’s Squirrel. Developers have thought about this before and have implemented sandboxes and many anti-cheat mechanisms. However, because these sandboxes are poorly implemented, it’s easy to get outside the game and do some real damage.

[Tamas]’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means [Tamas] can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.

CryTek notwithstanding, [Tamas] can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base 64 encoded executables right over the main executable.

The most impressive example of script abuse in various multiplayer games is from Garry’s Mod. This game has custom implementation of dangerous functions, restricted file IO, and a proper Lua sandbox. This was a wise decision from the developers, but the library is huge. If you create a map or mode used on a server, you can have a full HTTP proxy to the gamer’s home network. During the talk, [Tamas] used this exploit to display an image from a webcam on a Garry’s Mod server. It was on the podium right next him, but this could have been done on a server on the other side of the planet.

Continue reading “DEF CON: Abusing Scripts in Multiplayer Games”

Cory Doctorow Rails Against the Effect of DRM and the DMCA

If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.

Continue reading “Cory Doctorow Rails Against the Effect of DRM and the DMCA”

DEF CON: The Proxy for ProxyHam

Two weeks ago, news broke of an incredible abuse of power from the National Security Agency. A DEF CON talk was cancelled, and speculation raged that information was not free. This was the ProxyHam, a device that puts you miles away from any agency hunting down your IP address.

Of course, as with just about every DEF CON talk picked up by the press, ProxyHam is an ill-conceived, terrible idea. You can replicate it with parts bought from newegg, and despite using a highly directional antenna the FCC – or any other government agency – can still track you down.

In lieu of a talk on using off-the-shelf networking hardware in the way it was intended, [Dave Maynor] and [Robert Graham] of Errata Security gave a talk at DEF CON that is the proxy to the ProxyHam. They completely debunked the outrageous speculation surrounding the cancellation of the DEF CON talk and managed to introduce a new version of Internet over radio that is actually useful for the security-minded individual.

The ‘debunking’ part of the Errata Security talk was exactly what anyone would expect; the talk was probably cancelled because the creator of ProxyHam exceeded radiated power limits, the FCC caught him, or simply because of ‘advice from counsel’. No big deal; someone was doing something illegal – encryption over ISM bands – and the things you would expect to happen in fact happened.

In the last two weeks, the guys replicated the ProxyHam build, but found a few major shortcomings. Even with a highly directional antenna, interested parties could still track you down. This led the guys at Errata Security to make this system better. They managed to do it in two weeks.

The Errata Security relies on JT65A – a radio mode made for very weak signals – to hide signals underneath the noise floor. By multiplexing data across multiple channels, this system has about the same bandwidth as a 56kbps modem from 1999. It’s not much, but it is possible to use this proxy for ProxyHam over 20 miles away from where you’re stealing WiFi from. That’s far better than ProxyHam could ever manage, and all the transmissions stay below the noise floor. The FCC and similarly equipped agencies might be able to find you, but no one with a $20 SDR dongle will.

There are no releases yet, but Errata Security plan to make the software that allows this multiplex transmissions available soon, and hope to have a Raspberry Pi-based hardware solution for this technique coming shortly. It’s a radio proxy solution that’s actually somewhat secure, and won’t immediately draw the ire of the FCC.