Sun, 23 Jul 2006
Citizen Engineer - Consumer Electronics Hacking and Open Source Hardware
Lady Ada is a fellow at Eyebeam. Phillip Torrone is the editor of Make magazine. They both find, make and document hacks of consumer electronics devices. Phillip began the session with some covers from Popular Mechanics magazine in the 1950s. One featured a drawing of a family test flying their new personal helicopter, which they built themselves! And to make it even more ridiculous, it was being towed by a car! His point was that this kind of idealism about construction, progress and mechanical tinkering was commonplace in the post-war era. Then something happened and all Americans forgot that they could make their own grown-up toys.
That's all changing now with the convergence of software and hardware in digital consumer devices. The session was mostly a gallery of cool stuff people have made on the web and some of the legal and political issues surrounding intellectual property of inventions.
Here's the link list
posted at: 15:08 | path: /hopenumbersix | permanent link to this entry
Sat, 22 Jul 2006
Wireless Security Flaws
This workshop was absolutely shocking. It focused on backbone-level Internet routing protocols and IP hardware management protocols being broadcast over 802.11 frequencies in urban areas. Absolutely insane. It reminded me of an earlier workshop where someone spoke of a client who had an 802.11 signal bridging his co-located servers' subnet over a river to his main office, including VoIP traffic! Raven, Eric and Brandon described how they have decoded packet captures with OSPF, BGP and other kinds of IGP traffic.
This stuff can affect thousands of users if it's working incorrectly. Putting it over radio waves is just stupid, so why are people doing it?
They offered no answer for this question, just confirmation that time and time again new packet captures are sent to their public email address containing this traffic. I can't stress enough how stupid this is. If something happens to the network broadcasting this traffic, whole chunks of the Internet can disappear!
The next part was about IP-level device management protocols found on the air, namely SNMP and sometimes even telnet. IP devices include switches, firewalls and routers. Many of these devices have no crypto, or require a service contract and firmware update to add crypto. Cisco is notorious for this.
So how does one obtain packet captures? With open source software, of course! Ethereal can capture any kind of Ethernet traffic, while Kismet can capture any kind of 802.11 traffic over your radio. Both save captured packets to a file on disk which you can decode later.
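Once a capture is decoded, the check the workshop implies is simple: does any routing or device-management protocol show up on the wireless side at all? The following is an added example (not code from the talk or from Kismet or Ethereal) that classifies decoded packet records by IP protocol number and port, using the IANA assignments for OSPF (protocol 89), BGP (TCP 179), SNMP (UDP 161/162) and telnet (TCP 23). The record format and the sample packets are constructed for the demonstration.

```python
"""Flag routing and device-management protocols that should never cross an
open radio link.  Added example; the packet records are constructed, not
taken from any real capture."""
from collections import Counter
from typing import Optional

# IP protocol numbers and well-known ports (IANA assignments).
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_OSPF = 6, 17, 89
BGP_PORT, TELNET_PORT = 179, 23
SNMP_PORTS = {161, 162}


def classify(pkt: dict) -> Optional[str]:
    """Return a finding for one decoded packet, or None if it is unremarkable.

    pkt keys: proto (IP protocol number), sport and dport (absent for OSPF,
    which rides directly on IP).  OSPF and BGP are the routing protocols the
    talk found in the air; SNMP and telnet are the management protocols."""
    proto = pkt["proto"]
    ports = {pkt.get("sport"), pkt.get("dport")}
    if proto == IPPROTO_OSPF:
        return "OSPF routing over the air"
    if proto == IPPROTO_TCP and BGP_PORT in ports:
        return "BGP session over the air"
    if proto == IPPROTO_TCP and TELNET_PORT in ports:
        return "telnet device management over the air"
    if proto == IPPROTO_UDP and ports & SNMP_PORTS:
        return "SNMP device management over the air"
    return None


def summarize(pkts) -> dict:
    """Count findings across a decoded capture; an empty dict is the good result."""
    findings = Counter()
    for p in pkts:
        label = classify(p)
        if label:
            findings[label] += 1
    return dict(findings)


# Constructed sample of what a decoded wireless capture might contain.
SAMPLE = [
    {"proto": 89},                                    # OSPF hello, no ports
    {"proto": 6, "sport": 43210, "dport": 179},       # BGP session
    {"proto": 17, "sport": 50000, "dport": 161},      # SNMP get
    {"proto": 6, "sport": 50001, "dport": 23},        # telnet login
    {"proto": 6, "sport": 50002, "dport": 443},       # HTTPS: not a finding
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{count:3d}  {label}")
```

Run over the constructed sample it reports one OSPF, one BGP, one SNMP and one telnet finding and ignores the HTTPS flow; pointed at a real decoded capture from an office roof, a non-empty result is exactly the condition the presenters kept receiving in their mailbox.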
posted at: 23:55 | path: /hopenumbersix | permanent link to this entry
Lockpicking
Lock picking is an ancient tradition. The concept is that a lock is a metal passage that has a bunch of bars running parallel to the passage. The bars are different sizes, so when you insert a key it presses the bars out of the way and the lock opens. This is obvious. What isn't obvious is that it's extremely simple to bypass the lock or simply fake a key with some cleverness.
I was only interested in this workshop because I have a bicycle lock with a lot of history behind it. The current revision has changed the entire system to a non-tubular design sometimes used in safes. This lock requires much time and special skills to pick and would probably not be worth it for most potential thieves.
The basic idea of lock picking is not too different from any other kind of security. You need a specialized tool for every job. But once you have those tools, any lock is worthless to whatever it's supposed to be securing. There is a large web community discussing all aspects of lock picking.
The most interesting part of the demonstration was how a $35 fortified Master combination lock was bypassed with a small metal stick.
posted at: 18:34 | path: /hopenumbersix | permanent link to this entry
Fri, 21 Jul 2006
The Future of Wireless Pen Testing
Around 2001, 802.11 became very widespread in consumer devices: laptops and little access points, wireless "gaming adaptors" (aka wireless media bridges) and even PDA phones. The problem is that all the security features in the written and accepted spec are broken.
Renderman mentioned a flaw in 802.11i, which Cisco sometimes calls WPA2 (which is where I first heard about it). It has a nice feature where, if an associated device sends a packet with the wrong Michael MIC checksum in too short a time, the radio shuts down for 60 seconds and kicks all the other devices. This is supposed to be a security feature. In those 60 seconds you can power up your own AP with the same SSID and grab all their data onto a network you own.
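The countermeasure Renderman described is a small state machine, and seeing it written out makes the problem obvious: a handful of forged frames has the same effect as a power cut for every station on the cell. The model below is an added illustration, not code from the talk or from any driver. It uses the rule from the TKIP part of 802.11i as I know it (two Michael MIC failures within 60 seconds trigger a deauthentication of all stations and a 60-second refusal of new associations); the timestamps fed to it are constructed.

```python
"""Model of the Michael MIC countermeasure in TKIP (802.11i): two MIC failures
within 60 seconds make the AP deauthenticate every station and refuse TKIP
associations for 60 seconds.  Added illustration, not code from the talk."""

COUNTERMEASURE_WINDOW = 60.0  # two MIC failures closer than this trigger countermeasures
COUNTERMEASURE_HOLD = 60.0    # how long the AP stays closed afterwards


class TkipAccessPoint:
    def __init__(self):
        self.last_failure = None   # time of the most recent lone MIC failure
        self.closed_until = None   # expiry of the countermeasure hold, if active
        self.log = []              # (time, event) pairs for inspection

    def accepting(self, now: float) -> bool:
        """True when stations may be associated and pass data."""
        return self.closed_until is None or now >= self.closed_until

    def mic_failure(self, now: float) -> bool:
        """Record a MIC failure seen at time `now`.

        Returns True if this failure fired the countermeasures.  Failures
        during the hold are ignored: nothing is associated to fail anyway."""
        if not self.accepting(now):
            return False
        if (self.last_failure is not None
                and now - self.last_failure < COUNTERMEASURE_WINDOW):
            self.closed_until = now + COUNTERMEASURE_HOLD
            self.last_failure = None
            self.log.append((now, "deauth all stations; TKIP closed for 60 s"))
            return True
        self.last_failure = now
        self.log.append((now, "single MIC failure logged"))
        return False


def run_scenario(failure_times) -> list:
    """Feed a sequence of MIC-failure timestamps to a fresh AP.

    Returns, per failure, whether it took the cell down."""
    ap = TkipAccessPoint()
    return [ap.mic_failure(t) for t in failure_times]


if __name__ == "__main__":
    # Constructed scenario: two bad-MIC frames ten seconds apart close the
    # cell; a third during the hold does nothing; two more after it reopens
    # close it again.
    for t, fired in zip([0.0, 10.0, 20.0, 75.0, 80.0],
                        run_scenario([0.0, 10.0, 20.0, 75.0, 80.0])):
        print(f"t={t:5.1f}s  countermeasures fired: {fired}")
```

The model only tracks the timer; the point it makes is that the second bad frame decides everything, and that once the cell is closed a rogue AP with the same SSID is the only thing left for the stations to find, which is the window the talk described.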
Dragorn mentioned that 802.11w is supposed to address packet authentication better.
Probably the most interesting part was a discussion of driver-level exploits that can give the exploited code access to the hardware's memory, bypassing any kind of operating system controls. It can also go straight to the memory where the operating system's kernel lives and break that. Cool!
I asked how to properly secure an 802.11 network since both WPA and WEP are broken by design. Dragorn's response is to open the radios and secure everything on layer 3 with a VPN.
posted at: 20:21 | path: /hopenumbersix | permanent link to this entry
Friday Night Keynote. RMS Is Crazy
Richard M Stallman is the founder of the GNU movement, since publishing the GNU Manifesto in 1985. He is speaking right now at HOPE. He gave some shouts to Defective By Design and talked about how the GPL version 3 will try to prevent further manipulation of GNU code by adding clauses defining freedoms related to DRM. The GNU project's legal arm is the Free Software Foundation, which is a group of lawyers who work to ensure software freedom stays that way.
ed. I am a member of the FSF, so I'm definitely biased.
He seems very touchy and came off as distracted during the first part of the speech. Then he attempted a joke where he wore a halo and crowned himself a saint of the GNU church of Emacs. He then uttered the quip that vi vi vi is the editor of the beast, which was damn funny. So yeah. He's crazy...
...but totally cool, because he redeemed himself during the Q/A session. Almost every person had an antagonistic question concerning his idealism and he aptly challenged each one. The cool part about RMS is that he's 100% consistent. Free Software makes us free and thus is good for humanity; proprietary software removes freedom and thus is bad for humanity. Can't beat that really.
posted at: 17:37 | path: /hopenumbersix | permanent link to this entry
Magnetic Stripe Technology and the New York City MetroCard
Joseph Battaglia is pretty damn cool. He heard about card bending and got curious. Why the hell are people getting free fares by some weird urban lore of intentionally breaking discarded MetroCards? He figured it out and explained it, and basically the entire proprietary MetroCard magnetic stripe format from 2004. Of course this format has been changed due to the large mainstream media attention the security flaw got.
I'll try to be concise because this one is really deep.
Cubic is the name of the company that made the magnetic stripe algorithm for the MTA. It's different from other cards, for example a Starbucks gift card, in that it has a non-standard sequence of binary data encoded onto the magnet. Fortunately, to be compatible with the global market for these little swipey card things, it conforms to a number of ISO standards, namely ISO 7810, ISO 7811 and ISO 7813. Yea! Reference points.
Mr Battaglia used these and more (including the patents Cubic filed with the USPTO) to implement a card read/write chart which he published.
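The "reference points" are worth seeing concretely, because the physical layer is exactly what made the card decodable at all. ISO 7811 track 2 encodes each character as five bits: four data bits, least significant first, followed by an odd-parity bit, with ';' as the start sentinel, '=' as the field separator, '?' as the end sentinel and a longitudinal redundancy check (XOR of all data nibbles, sentinels included) as the final character. The encoder and checking decoder below are an added example of that standard format, not Mr Battaglia's chart and not the Cubic layout, which the talk says is non-standard on top of these physical conventions. The account number and trailer used are constructed; the leading and trailing clocking zeros a real stripe carries are left out.

```python
"""ISO 7811 track 2 encoder and checking decoder: 5-bit characters (4 data
bits LSB first + odd parity), ';' start sentinel, '=' field separator, '?'
end sentinel, then a one-character LRC.  Added example; sample values are
constructed.  This is the standard layer, not the MetroCard's own format."""

TRACK2_ALPHABET = "0123456789:;<=>?"   # 4-bit values 0x0..0xF in order
START, SEPARATOR, END = ";", "=", "?"


def _odd_parity(nibble: int) -> int:
    # Parity bit chosen so the 5-bit group holds an odd number of one bits.
    return 0 if bin(nibble).count("1") % 2 else 1


def encode_track2(account: str, trailer: str = "") -> list:
    """Return the bit stream for ;account=trailer? followed by the LRC.

    account and trailer may only contain the track 2 alphabet digits."""
    text = START + account + (SEPARATOR + trailer if trailer else "") + END
    nibbles = [TRACK2_ALPHABET.index(c) for c in text]
    lrc = 0
    for n in nibbles:
        lrc ^= n                        # LRC covers sentinels and separator too
    nibbles.append(lrc)
    bits = []
    for n in nibbles:
        for i in range(4):
            bits.append((n >> i) & 1)   # least significant bit first
        bits.append(_odd_parity(n))
    return bits


def decode_track2(bits: list) -> str:
    """Decode a track 2 bit stream, verifying per-character parity and the LRC.

    Raises ValueError on any inconsistency, which is how a reader notices a
    scratched, demagnetised or deliberately bent stripe."""
    if len(bits) % 5:
        raise ValueError("bit count is not a multiple of 5")
    nibbles = []
    for k in range(0, len(bits), 5):
        group = bits[k:k + 5]
        n = sum(b << i for i, b in enumerate(group[:4]))
        if group[4] != _odd_parity(n):
            raise ValueError(f"parity error in character {k // 5}")
        nibbles.append(n)
    *data, lrc = nibbles
    check = 0
    for n in data:
        check ^= n
    if check != lrc:
        raise ValueError("LRC mismatch")
    text = "".join(TRACK2_ALPHABET[n] for n in data)
    if not (text.startswith(START) and text.endswith(END)):
        raise ValueError("missing start or end sentinel")
    return text


def is_valid_track2(bits: list) -> bool:
    """True when the stream decodes with parity, LRC and sentinels all intact."""
    try:
        decode_track2(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: a made-up 16-digit account and a 7-digit trailer.
    stream = encode_track2("1234567890123456", "2512101")
    print(len(stream), "bits ->", decode_track2(stream))
    damaged = list(stream)
    damaged[7] ^= 1                     # one flipped bit in the second character
    print("damaged stripe valid:", is_valid_track2(damaged))
```

A single flipped bit is caught by the character's parity; flipping two bits inside one character keeps its parity consistent and is caught by the LRC instead, which is why both checks exist and why a reader can tell a merely damaged stripe from a readable one.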
posted at: 13:00 | path: /hopenumbersix | permanent link to this entry
How to Steal Someone's Implanted RFID - And Why You'd Want To
Annalee Newitz put an RFID implant in her arm to prove a point. Then she talked to us about how simple, cheap and insecure it was. This procedure is commonly used in a very ethical manner for tagging pets and livestock. A company called VeriChip makes human-implantable tags containing personal data. They sell them as good for the emergency room, when you might not be able to communicate nor have any identifying paper on your person. Whatever. The shit they implanted in Ms. Newitz's arm is a simple pet tag: a totally unencrypted RFID transponder running at 13.56 MHz. Anyone who can listen on that frequency can record the signal in its entirety. Then, if they have the antenna to transmit the same signal, they can clone that tag. Stupid. Maybe good for inventory... maybe only good for these kinds of demos.
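The cloning problem is a property of the protocol, not of the radio: a tag that says the same bits on every read is indistinguishable from a recording of itself. The simulation below, an added example and not code from the talk or from VeriChip, puts a static-identifier tag of the kind described above next to a hypothetical hardened tag that answers a fresh reader nonce with an HMAC, and shows that a recorded reply is accepted in the first case and rejected in the second. The identifier, the key and the reader logic are constructed for the demonstration.

```python
"""Why a tag that answers every read with the same bits can be cloned by
anyone who records one read, and how a (hypothetical) challenge-response tag
resists the same replay.  Added example; the implant in the talk is the
static kind.  Identifiers and keys below are constructed, not real."""
import hashlib
import hmac
import secrets


class StaticTag:
    """Pet-style transponder: emits a fixed identifier and ignores the reader."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, _challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseTag:
    """Hypothetical hardened tag sharing a secret key with the reader.

    Its reply binds the identifier to the reader's fresh nonce, so a reply
    recorded during one read is useless for any other read."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return self.uid + hmac.new(self.key, challenge, hashlib.sha256).digest()


class Reader:
    """known maps uid -> shared key, or None for tags accepted by bare identifier."""
    def __init__(self, known: dict):
        self.known = known

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh per read; static tags never look at it

    def verify(self, challenge: bytes, response: bytes):
        """Return the identified uid, or None if the response is not accepted."""
        for uid, key in self.known.items():
            if key is None:
                if response == uid:
                    return uid
            elif response[:len(uid)] == uid:
                expected = hmac.new(key, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(response[len(uid):], expected):
                    return uid
        return None


def replay_succeeds(reader: Reader, tag) -> bool:
    """Eavesdrop one genuine read, then present the recording to a later read.

    Models a recorder plus a transmitting antenna; True means the clone passed."""
    c1 = reader.challenge()
    recorded = tag.respond(c1)          # what an eavesdropper captures over the air
    if reader.verify(c1, recorded) is None:
        raise RuntimeError("genuine read should have been accepted")
    c2 = reader.challenge()             # a later, independent read
    return reader.verify(c2, recorded) is not None


if __name__ == "__main__":
    uid = b"\x12\x34\x56\x78\x9a"       # constructed identifier
    key = b"constructed-demo-key"       # constructed shared secret
    print("static tag replayable:",
          replay_succeeds(Reader({uid: None}), StaticTag(uid)))
    print("challenge-response tag replayable:",
          replay_succeeds(Reader({uid: key}), ChallengeResponseTag(uid, key)))
```

The static tag passes the replay every time; the challenge-response tag fails it because the second read carries a different nonce, so the recorded HMAC no longer matches. The hardened version still leaks the identifier itself to anyone listening, which is a separate problem the talk's implant also has.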
Newitz paid $400 for her implant, but did not recommend this method. Her co-presenter, Jonathan Westhues, said that any skilled body piercer can implant it for about $20. The parts can cost another $20. So you'd only be out $40 if you wanted to get your very own implant.
Newitz also had a good quip referencing her Democracy Now! appearance, when Liz McIntyre asked "What if Hitler had RFID?". Newitz's response was that genocidal dictators did just fine killing millions before digital technology. Blaming RFID for mass murder is barking up the wrong tree.
posted at: 12:00 | path: /hopenumbersix | permanent link to this entry