This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike previous key fob attacks that we’ve covered in the past which have been essentially relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.
[Carsten] messed up. He was soldering an ARM CPU onto a quadcopter board in haste, failed to notice that the soldering iron was turned up to eleven, and pulled some of the traces up off the PCB. In the process of trying to fix that, he broke three pins off of the 100-pin CPU. The situation was going from bad to worse.
Instead of admitting defeat, or maybe reflowing the CPU off of the board, [Carsten] lasered the epoxy case off of the chip down to the lead frame and worked a little magic with some magnet wire. A sweet piece of work, to be sure!
[Simone] was trying to reverse-engineer the Bluetooth protocol of his Nike+ Fuelband and made some surprising discoveries. [Simone] found that the authentication system of the Fuelband can be easily bypassed and discovered that some low-level functions (such as arbitrarily reading and writing to memory) are completely exposed to the end user or anyone else who hacks past the authentication process.
[Simone] started with the official Nike app for the Fuelband. He converted the APK to a JAR and then used JD-Gui to read the Java source code of the app. After reading through the source, he discovered that the authentication method was completely ineffective. The authenticator requires the connecting device to know both a pin code and a nonce, but in reality the authentication algorithm just checks for a hard-coded token of 0xff 0xff 0xff 0xff 0xff 0xff rendering the whole authentication process ineffective.
After he authenticated with the Fuelband, [Simone] started trying various commands to see what he could control over the Bluetooth interface. He discovered that he could send the device into bootloader mode, configure the RTC, and even read/write the first 65k of memory over the Bluetooth interface–not something you typically want to expose, especially with a broken authentication mechanism. If you want to try the exploit yourself, [Simone] wrote an Android app which he posted up on GitHub.
There are thousands upon thousands of papers discussing various aspects of embedded hardware security, and dozens of books covering the same subject. The attacks discussed in the literature are very cool – things like side-channel power analysis and clock glitching used to extract keys from a system. The experimental setups in these papers are extraordinarily expensive – you can buy a new car for less. [coflynn] was disheartened with the price of these tools, and thought building his own would make for a great entry to The Hackaday Prize.
The hardware part of the ChipWhisperer includes a breakout board with an FPGA, ADC, and connectors for a lot of different probes, adapters, breakout boards, and a target board, With all these tools, it’s not unreasonable to say that [coflynn] could carry out a power analysis attack on a lot of embedded hardware.
Open source hardware is just one part of this entry. The biggest focus of this project is the open source software for analyzing whatever the probes and target boards record. With this software, anyone can monitor the power used when a chip runs a cryptographic function, or glitch a clock for some unintended functionality in a device. In keeping with the academic pedigree of all the literature on these attacks, there are a ton of tutorials for the ChipWhisperer for all those budding security researchers out there. Very cool stuff, and arguably one of the most technical entries to The Hackaday Prize.
The project featured in this post is an entry in The Hackaday Prize. Build something awesome and win a trip to space or hundreds of other prizes.
The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.
Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.
While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.
This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.