RF Sniffing On-the-go

It’s been a while since we checked in on [Travis Goodspeed]. His latest post makes RF sniffing with the Next HOPE badge more portable by ditching the need to display data on a computer. He’s built on the work he did at the beginning of the year, replacing the FTDI chip on the badge with a Bluetooth module. Now he can use his Nokia N900 as a GoodFET terminal, not only to display the packets pulled from the air but to control the badge as well.

Previously, the client running on the computer talked to the badge over a serial connection. To get it working on the N900, [Travis] switched the client from py-serial to py-bluez. All of the code changes are available from the GoodFET repository.

He’s got a few other tricks planned for this concept. He put in a parts order to add Bluetooth to the Girltech IM-ME. The pretty pink pager has a packet radio of its own on board (a sub-GHz TI CC1110, rather than the badge’s 2.4 GHz nRF24L01+), so adding Bluetooth connectivity will let it be used in the same way. There are also plans in the works to add a couple of other packet sniffing protocols to the bag of tricks, including ZigBee.

Sniffing RF Hardware Communication Packets

[Travis Goodspeed] put together a proof of concept hack that sniffs wireless keyboard data packets. He’s using the Next HOPE badge that he designed as the hardware platform for these tests. It has an nRF24L01+ radio on-board, the same family of 2.4 GHz transceiver found in many wireless keyboards and mice, so it can receive their traffic directly.

The real trick comes in getting that radio to listen for all traffic, then narrowing that traffic down to just the device you want data from. The chip normally only hands over packets addressed to it, so [Travis] covers the protocol that is used and his method of getting around that address (MAC) check in the hardware. In the end he can listen to all keyboard data without the target’s knowledge, and believes that it is possible to inject data using just the hardware on the badge.
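The "listen to everything, then narrow it down" step described above is mostly a post-processing problem once the radio is coaxed into a near-promiscuous mode: noise decodes as random garbage, while a real transmitter's address shows up again and again. The following is an added example of that sorting step, not code from [Travis]'s post or from the GoodFET repository. It assumes (as a labelled assumption) that each buffer the radio returns is laid out as a 2-byte fake sniffer address, followed by the 5 bytes where a real address would sit, followed by the packet body; the address values, function names and the sample capture are all constructed for illustration.

```python
"""Post-processing for a near-promiscuous nRF24L01+ capture (added example).

ASSUMED capture layout, not taken from the original post:
    [2-byte fake sniffer address][5-byte real address][packet body ...]
Real packets repeat their address across many buffers; noise does not, so
ranking candidate addresses by frequency separates devices from garbage.
"""
import random
from collections import Counter
from typing import List, Optional, Tuple

FAKE_ADDR_LEN = 2   # assumed shortened "address" the sniffer was configured with
MAC_LEN = 5         # address width the target is assumed to use

def extract_candidate(buf: bytes) -> Optional[bytes]:
    """Return the bytes sitting where a real address would be, or None if too short."""
    if len(buf) < FAKE_ADDR_LEN + MAC_LEN:
        return None
    return buf[FAKE_ADDR_LEN:FAKE_ADDR_LEN + MAC_LEN]

def rank_candidates(bufs: List[bytes], min_hits: int = 3) -> List[Tuple[bytes, int]]:
    """Count candidate addresses; keep those seen at least min_hits times, most common first."""
    counts = Counter(c for c in map(extract_candidate, bufs) if c is not None)
    return [(mac, n) for mac, n in counts.most_common() if n >= min_hits]

def lock_on(bufs: List[bytes], mac: bytes) -> List[bytes]:
    """Keep only buffers for one device and strip the fake address and MAC, leaving the body."""
    start = FAKE_ADDR_LEN + MAC_LEN
    return [b[start:] for b in bufs if extract_candidate(b) == mac]

# --- constructed sample capture (made-up values, not an over-the-air recording) ---
KEYBOARD_MAC = bytes.fromhex("a9bd10c3e7")   # hypothetical target address
FAKE_ADDR = bytes.fromhex("00aa")            # hypothetical sniffer address

def build_sample(n_real: int = 8, n_noise: int = 40, seed: int = 1234) -> List[bytes]:
    """Mix a few frames from one device with random noise buffers, then shuffle."""
    rng = random.Random(seed)
    frames = []
    for i in range(n_real):
        body = bytes([0x00, 0x00, 0x04 + i]) + bytes(rng.randrange(256) for _ in range(5))
        frames.append(FAKE_ADDR + KEYBOARD_MAC + body)
    for _ in range(n_noise):
        frames.append(FAKE_ADDR + bytes(rng.randrange(256) for _ in range(rng.randrange(3, 20))))
    rng.shuffle(frames)
    return frames

if __name__ == "__main__":
    capture = build_sample()
    for mac, hits in rank_candidates(capture):
        print("candidate", mac.hex(), "seen", hits, "times")
    for body in lock_on(capture, KEYBOARD_MAC):
        print("  body:", body.hex())
```

In practice the next step is to program the winning address back into the radio and re-enable its CRC check, so that from then on only clean packets from that one device come back; the body bytes returned by `lock_on` are what the protocol decoding then works on.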

Next HOPE Badge Hacking Primer

[Travis Goodspeed] is taking a look at the attendee badges for this year’s Next HOPE conference. He’s given us a pretty good look at what is on the board, what it means to you, and how you can get at it. Of course the final hardware specs are a secret until conference time, but this will help you get some ideas and ensure that you bring the right add-on hardware. We normally try not to do too much quoting, but one of [Travis’] statements literally makes us laugh out loud (as opposed to what most people describe as lol):

“These badges are active RFID tags which beacon the position of each attendee a few times a second, so that the god damned devil army of lies–by which I mean the Next HOPE badge committee–can track each attendee around the Hotel Pennsylvania.”

No matter how you feel about the badge committee, the tradition of hacking conference badges is a fun, rewarding, and often frustrating pastime. The badges are actually using the concept of OpenAMD. The last three letters stand for Attendee Meta Data, which is an evolving concept. How can meta data about attendees be useful to all involved in a non-invasive way? How about associating yourself with a concept, like microcontroller programming. What if you could search to find out where other people interested in that are right now? Could be great… could end up in an impromptu meeting around the restrooms for no good reason. Either way, take a look at the teaser video covering the topic after the break.

Oh, one more note about the hardware. This year they’re moving away from PIC based badges to the more energy-efficient MSP430 line. It’s not one of the value-line processors that the Launchpad is meant for, but this bigger-brother ‘F’ chip will be no problem to work with if you’ve already spent some time with the ‘G’ series.
