Archive for the ‘Radio’ Category

« Older Entries
Newer Entries »

August 8th updates.

Wednesday, August 8th, 2012

Longer Marvin Hamlisch: NYT, LAT.

Speaking of obits, noted astronomer and pioneer of radio telescopy, Sir Bernard Lovell, passed away on Monday.

There was an update to the Sheri Sangji story while I was on vacation that I wasn’t able to blog. Luckily, Derek Lowe was on the case. For those of you who don’t remember the story, Ms. Sangji was working with t-butyl lithium in a UCLA lab; the substance, which catches fire when exposed to air, spilled, Ms. Sangji was severely burned, and died 18 days later. The university and the primary researcher, Dr. Patrick Harran, faced felony charges.

While I was gone, the charges against the university were dropped. Apparently, UCLA made a deal with the prosecution. The charges against Dr. Harran still stand.

But then it gets weird. Dr. Harran’s defense team is trying to discredit the OSHA report on the accident, based on the accusation that the author of the report participated in a murder when he was 16 years old and failed to disclose this to his employers. I’m not sure at this point if it was actually established that the author of the report and the murderer were the same person, but the author resigned his position anyway.

This is intended to be a short update. The Derek Lowe blog entry linked above has a longer summary, including links to various other sources; I commend it to your attention.

Posted in California Über Alles, Clippings, Geek, Law, Obits, Radio | Comments Closed

Hmmmmmmmm.

Friday, August 3rd, 2012

In the DEFCON 20 day 2 notes discussing the ADS-B presentation by Renderman, I alluded to some work on using USB TV tuners to pick up ADS-B broadcasts.

I did a little more research on this earlier today, just to satisfy my own curiosity.

The RTL2832U outputs 8-bit I/Q-samples, and the highest theoretically possible sample-rate is 3.2 MS/s, however, the highest sample-rate without lost samples that has been tested so far is 2.8 MS/s. The frequency range is highly dependent of the used tuner, dongles that use the Elonics E4000 offer the widest possible range (64 – 1700 MHz with a gap from approx. 1100 – 1250 MHz). When used out-of-spec, a tuning range of approx. 50 MHz – 2.2 GHz is possible (with gap). [Emphasis in the original – DB]

Holy cow! I’ve been wanting to mess with software defined radio, but the $1,500 cost for hardware is a bit discouraging. This looks like an excellent way to get started for about $20 instead. The necessary software is linked from the rtl-sdr page, and you can even get a script that will build gnuradio with the proper components.

What has been successfully tested so far is the reception of Broadcast FM and air traffic AM radio, TETRA, GMR, GSM, ADS-B and POCSAG.

Yow!

Edited to add 8/4: We are not amused. In the past two days, we have been to Fry’s. The shelves at Fry’s were almost completely stripped bare of USB TV adapters. We have also been to three different branches of Discount Electronics; none of them had any of the listed adapters. We have checked Google, and all of the adapters listed with the E4000 tuner do not appear to be available from vendors in the United States. The only adapter on rtl-sdr’s list that we were able to find was the Ezcap EZTV645 DVB-T Digital TV USB 2.0 Dongle with FM/DAB/Remote Controller which DealExtreme sells. However:

  1. There are conflicting reports as to whether this is the one rtl-sdr is talking about, and whether this one has the E4000 tuner.
  2. There are a lot of reports that DealExtreme is slow in shipping; as in, a month or longer.

I’ve ordered the Newsky TV28T that’s listed on the sysmocom site (linked from the rtl-sdr page). With shipping, it came out to 23.30 euros, or about $28.86 in dollars. That’s still well within my price range for tinkering with SDR. I’ll update when the device gets here.

In the meantime, if anyone has any GNURadio or general SDR tips, advice, or suggestions, please feel free to leave them in comments or shoot me an email. Contact addresses are in the usual place.

(And thanks, Borepatch.)

Posted in DEFCON 20, Geek, linux, project_e, Radio | 2 Comments »

DEFCON 20 updates (round 2).

Thursday, August 2nd, 2012
  • Here’s a link to the slides from Terrence Gareau’s “HF Skiddies Suck, Don’t Be One. Learn Some Basic Python” presentation. I’m not complaining, but be advised that this is a large download (620 MB ZIP file) with video and code examples. Also be advised that, based on a very brief preliminary skim of the file, there may be some NSFW material in the presentation.  (Also not a complaint, but an observation.) I’d like to thank Mr. Gareau for making this available: his presentation is the only one in the “DEFCON 101” track that I’ve found so far.
  • Added a link to Renderman‘s presentation on ADS-B hacking, “Hacker + Airplanes = No Good Can Come Of This” to the day 2 notes.
  • Josh Brashars (who is a heck of a nice guy) and I have exchanged emails, and he’s graciously allowed me to temporarily host the version of his “Exploit Archaeology: Raiders of the Lost Payphones” presentation from the DEFCON 20 DVD. Of course, iDisk no longer exists (NOT that I’m BITTER or anything) and WCD’s hosting provider/WordPress implementation has a 10 MB file size limit, so I’m using Dropbox to host this file. Let me know if it doesn’t work.

Posted in DEFCON 20, Geek, Planes, Python, Radio | Comments Closed

DEFCON 20 notes: day 3, part 1.

Monday, July 30th, 2012

The secret word for the day, boys and girls, is “routers”.

But first, a couple of pictures for my great and good friend Borepatch:

The Matt Blaze Security Bingo Card. (I hope folks can read it: I took that with a cell phone camera from the front row, so I didn’t have a great angle on it.)

And:

A gentleman in the hallway was kind enough to let me take a photo of his DEFCON Shoot shirt.

Speaking of Matt Blaze…

“SIGINT and Traffic Analysis for the Rest of Us” presented by Matt Blaze and Sandy Clark, and crediting a host of other folks.

For the past few years, Blaze and company have been working on APCO Project 25, or P25 for short. P25 is planned to be the next generation of public safety radio, and is intended to be a “drop-in” replacement for analog FM systems. Cryptographic security is built into P25: it uses symmetric algorithms and supports standard cryptographic protocols. All of this sounds great.

But there are a whole bunch of problems with this.

Encryption in P25 doesn’t work very well a significant portion of the time. There are user interface issues; on some radios, the “crypto” switch is in an obscure location, and the display doesn’t make it clear if encryption is on or off. Keys can’t be changed in the field; changing keys requires loading the radio in advance using a special device, or sending keys over the air (“Over The Air Rekeying”, or “OTAR”, which sometimes doesn’t work).

One important point is that the “sender” makes all the decisions: whether the traffic is encrypted, what encryption mode is used, what key is used, etc. The “receiver” doesn’t get to decide anything. If the “sender” sends in cleartext, either deliberately or by mistake, the “receiver” decodes it, automatically and transparently to the user. If the “sender” sends an encrypted message, the “receiver” first checks to make sure it has the proper key, then either decrypts the message or ignores it (if the “receiver” doesn’t have the key).

I feel like I am cheating a little here, but even Matt Blaze at this point in his talk recommended going and reading the group’s paper from last year, “Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System” for additional background.

But wait, there’s more! We have encryption, but do we have authentication? Do we know that the radios on our network are actually valid radios? Heck no! The radios transmit a “Unit ID” which is not authenticated, and which is never encrypted, even if the radio has encryption turned on. Just knowing the unit IDs lets you do some interesting stuff: you could, for example, set up two radios, do some direction finding on the received signals with the user IDs, and build a map of where the users are.

Even better: if you send a malformed OTAR request, the radios treat it like a UNIX “ping” and respond back with their Unit ID, even if they’re idle, and without the user ever knowing.

More: P25 uses aggressive error correction. But there’s a hole in the scheme; you can jam what’s called the “NID”, which is part of the P25 transmission, and render the transmissions unreadable. The Blaze group actually built a working jammer by flashing custom firmware onto the “GirlTech IM-Me”. (That was the cheapest way to get the TI radio chip they wanted to use.) You could use this to jam the NID in encrypted P25 traffic only, thus forcing cleartext on the users…

And even more: the basic problem with P25 and cryptographic security is usability. Every time an agency rekeys, someone is without keys for a period of time. Blaze mentioned the classic paper, ““Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0” and pointed out that many of the mistakes mentioned in that paper were repeated in designing P25.

How bad is the keying problem? Bad enough that agencies frequently transmit in cleartext, due to key management issues. (“NSA Rule Number 1: Look for cleartext.”) How frequently? Blaze and his group, for the past several years, have been running a monitoring network in several (unnamed) cites, recording cleartext P25 traffic and measuring how often this happens. About 20-30 minutes per day, by their estimate, of radio traffic is transmitted in unintended cleartext. And that traffic can contain sensitive information, like the names of informants.

Even if most of the traffic is encrypted, remember that the Unit IDs aren’t. So you’re getting some clear metadata traffic, which at the very least is useful for making inferences about what might be going on. (Zendian Problem, anyone?)

(If you’re monitoring P25 traffic, according to Blaze, the phrase you want to look for is “Okay, everyone, here’s the plan.”)

And what is the P25 community response to this? According to Blaze, the Feds have been very responsive and appreciate him pointing out the problem. The P25 standards people, on the other hand, claim Blaze is totally wrong, and that the problem is with the stupid users who can’t work crypto properly.

(This entry on Matt Blaze’s blog covers, as best I can tell, almost everything that was in his presentation. I haven’t found a copy of the actual presentation yet, but this should do to ride the river with.)

So it is getting late here, and I have to catch a plane early-ish in the morning. I think what I’m going to do is stop here for now, and try to get summaries of the three router panels up tomorrow while I’m waiting for my flight.

Posted in Cops, DEFCON 20, Geek, Guns, Law, Radio | Comments Closed

DEFCON 20 notes: day 2.

Sunday, July 29th, 2012

Note: I’ve updated the day 1 notes with a couple of things I forgot to include last night.

Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2“:MS-CHAPv2 is a wildly popular authentication protocol. For example, DEFCON’s “secure” network uses MS-CHAPv2. People have been attacking CHAP for a while now, but most of the attacks are dictionary attacks, where you use asleap and throw a word list at it, hoping the user picked a weak password.

So is MS-CHAPv2 security password dependent? That’s a reasonable assumption, but not true.

If you look at the details of the MS-CHAPv2 handshake (Moxie had a good visualization, which I can’t find online or I’d link to it here) there’s only one unknown: the MD4 hash of the user’s password. Everything else is sent in the clear, or can be derived from known information.

MS-CHAP does a series of three DES encryptions on the user password. But it isn’t 3DES: it is just three DES encryptions with three keys. One of those keys is padded so it is really only two bytes, which makes it easy to crack. The other two encryptions use the same plaintext; the end result is that the complexity of cracking MS-CHAP DES reduces to about the same as normal 56-bit DES, 2 to 56th power.

Enter the folks at Pico Computing, about whom I have written before. Pico built a machine with 48 FPGA chips, each with 40 cores running at 450 MHz, to attack DES. This machine can search the whole keyspace in about 23 hours. And Pico has come up with some clever optimizations for the FPGAs: preconfiguring memory, reducing the bus down to “key found/key not found” (since searching the keyspace is linear, if you know when the bus went to “key found”, you can figure out what the key is), and possibly just using JTAG instead of a bus.

“So what,” you say. “I don’t have a single FPGA, let alone 48 of them.”

Enter chapcrack. Do a packet capture, point chapcrack at it, and chapcrack will pull out the MS-CHAP handshake, in a handy form which you can submit to…

CloudCracker.com, which now supports MS-CHAPv2 attacks. Estimated turn-around time is one day. Woo hoo woo hoo hoo.

(Edited to add: Added a link to a blog post by Moxie Marlinspike summarizing his and David Hulton’s (of Pico Computing) presentation 8/1/2012.)

“Exploit Archaeology: Raiders of the Lost Payphones”:More of a fun panel than a practical one, covering all the stuff the presenter went through to find documentation and tools for an old Elcotel payphone he was given. Among other things:

  • The upper housing lock (which covers the internal phone mechanism, including the reset to defaults button) is a relatively easy to pick 3-pin lock (with “anti-impressioning divots”).
  • The lower housing (where the money is stored) is a much harder to pick 4-pin lock. But the presenter got lucky…
  • You also need a special tool, called a T-wrench, to do certain things. The presenter was able to improvise one…

So once you’ve got a payphone, what can you do with it? You can hook it to an ATA and connect to an Asterisk system, and have some fun that way. (The presenter pointed out that by law, 911 calls are required to be free. So he had some fun connecting the payphone to his Asterisk system, and configuring it so dialing 911 on the payphone got an outside line through Asterisk.)

Anyway, it turns out that there are three ways to program/reprogram these phones: there was specialized software available (Elcotel has been out of business for years, but the presenter managed to get a copy of the software, crack it, and get it running), local telemetry (where you open up the upper housing, reset the phone, and let it guide you through voice prompts for reprogramming), or remote telemetry (the phone has a modem). VOIP, by the way, is not well suited to modems.

Some notes:

  • these phones have a default ID of 9999
  • a default password of 99999999
  • a secondary password of 88888888
  • The phone ID is generally set to the last four digits of the phone number.
  • And the passwords are frequently left at the default.

There’s some other fun stuff you can do with an old payphone. For example, the presenter managed to rig up his phone, a Pwn Plug, and some custom scripting into a system that allows you to run NNmap port scans over the phone. But I’ll leave details of that for his presentation when he puts it up.

Into the Droid: Gaining Access to Android User Data“: Excellent presentation covering some of the ways you can get user data out of an Android device, even if it is locked or encrypted. For example:

  • you can use the abootimg tool to create a custom boot image, intercept the phone’s bootloader, and force it to use your image.
  • Special USB debug cables work on some devices.
  • The salt for the lockscreen and system passwords can be pulled out of specific locations on the device and cracked with something like oclhashcat-lite. (See the presentation for specific details on where the salt and key are located.)
  • Applications with no permissions can still create a root shell and send information back to an end user (by hiding data in URL parameters, for example).
  • There’s a specific distribution, Santoku Linux, designed for mobile device forensics (both IOS and Android). This is a work in progress, per the presenter…

(While I’m at it, let me say that I’m really impressed with viaForensics, especially their presentation page. Not only did they have the DEFCON presentation up, but it looks like there’s a lot of other good stuff there as well. I’m particularly interested in “iPhone Forensics with free and/or open source tools” and the “Android Forensics Training Presentation“.)

“Off Grid Communications with Android – Meshing the Mobile World”: Solid presentation discussing the Android networking stack, hacking the stack and flipping chipsets into ad-hoc mode, and network routing algorithms. End result: the SPAN project on github, which provides open-source tools for Android mesh networks. (There’s also a paper in that repository that covers the same ground as the presentation, including sexy diagrams of the Android network stack.)

“The Safety Dance – Wardriving the Public Safety Band”:Basically: public safety providers are moving into the 4.9 GHz band. And it is possible to monitor their traffic using equipment bought for cheap off eBay, or equipment that, with the right drivers, can be tuned down to 4.9 GHz. One of the presenters has a blog entry here that covers some of what was in the presentation, and the github repository of their patched drivers, etc. can be found here.

I missed Kaminsky’s “Black Ops” presentation for reasons of the Penn and Teller theater being full, and I can’t find it online (yet). So I wandered over to Renderman’s “Hacker + Airplanes = No Good Can Come Of This” and got there a little late; late enough, as it turned out, that I missed Renderman observing that he was constantly being scheduled on panels opposite Kaminsky, and darn it, he’d really like to see a Kaminsky panel.

But I digress.

So have you ever wondered how things like PlaneFinder work? As part of the government’s efforts to bring air traffic control into the 20th Century, they’ve implemented something called ADS-B. Planes equipped with ADS-B transmitters send out data (such as their aircraft ID, altitude, GPS coordinates, bearing, and speed), which is picked up by ground stations and fed into the systems that feed PlaneFinder and other such sites. There’s two types: ADS-B Out, which is sent automatically as a broadcast, and ADS-B In, which allows planes to listen to each others ADS-B Out broadcasts, so that (in theory) they’re aware of each other without needing air traffic control.

(According to the presentation that followed Renderman, ADS-B is at about 70% penetration for commercial aircraft, and much lower for general aviation. The government’s goal is to have the majority of traffic on the system by 2020.)

When does this get interesting? Right about now. First of all, anyone can build a ground station and receive ADS-B broadcasts. Renderman has. (I understand there’s been quite a bit of work on using cheap-ass USB digital TV tuners as ADS-B receivers.) That gets you access to the flight data going over your head.

But wait, there’s more! ADS-B has no authentication and no encryption built in. That means anyone with the proper equipment (a radio that transmits at 1090 MHz) can spoof ADS-B broadcasts.

Remember the part above about how planes could use ADS-B to keep track of each others positions,  bypassing ATC? Have you booked your Amtrak ticket yet?

As ADS-B usage grows, attacks are likely to become more disruptive. What happens if someone starts jamming ADS-B signals? Or inserting fake flight data? Or has the same fake plane in two places at once? The official response, according to Renderman, boils down to “trust us”. “Us” being the same folks who brought you Operation Fast and Furious. Pull the other one, guys; it has bells on.

Edited to add: Link to Renderman’s slides for this presentation added 8/1/2012.

“Busting the BARR: Tracking ‘Untrackable’ Private Aircraft for Fun & Profit”: A semi-related panel to Renderman’s. So how does PlaneFinder get the data that comes from ADS-B broadcasts? The FAA has a feed (called ASDI: Aircraft Situation Display to Industry); they’ll send you the data in XML format, and you can parse it and display it and hug it and squeeze it and call it George, if you want.

However, the FAA also has something called the “Block Aircraft Registration Request”. If you’re someone who doesn’t want their flight information made public, you can put your aircraft on the BARR list. This doesn’t strip your data out of the ASDI feed; that’s still there, but sites that use ASDI (like FlightAware) can’t display information for flights on the BARR. (If you want to subscribe to the ASDI feed, write an XML parser, and be notified every time Jay Z’s plane takes off and lands, more power to you. You just can’t share that information with others.)

So how did the presenters work around that? Their project basically comes down to:

  1. Monitoring LiveATC.net and downloading ATC communications.
  2. Using speech recognition to pull out flight information (such as tail numbers of planes).
  3. Profit. Or in this case, OpenBARR.net, which is still in testing.

That was enough excitement for one day. I seriously thought about entering the DEFCON Beard Competition, but I couldn’t tell if there was a cash prize and I don’t want the IOC revoking my status as an amateur.

Posted in Android, DEFCON 20, Geek, Planes, Radio | 5 Comments »

The street finds its own uses for things.

Monday, December 26th, 2011

The radio signal travels deep into the arid countryside, hours by foot from the nearest road. There, the 8-foot-tall (2-meter-tall) dark-green branches of the rockrose bush conceal a radio tower painted to match. A cable buried in the dirt draws power from a solar panel. A signal-boosting repeater relays the message along a network of powerful antennas and other repeaters that stretch hundreds of miles (kilometers) across Mexico, a shadow communications system allowing the cartel to coordinate drug deliveries, kidnapping, extortion and other crimes with the immediacy and precision of a modern military or law-enforcement agency.

Posted in Clippings, Geek, Radio | 1 Comment »

Doug Winner, call your office, please.

Tuesday, July 26th, 2011

Emmis Communications owns a bunch of Austin radio stations. Their holdings include KGSR, which specializes in local and Texas music, news talk station KLBJ, and KROX-FM (aka 101X).

Emmis just paid the FCC $12,000 to settle accusations that KROX-FM was involved in a “payola” scheme…

…that netted one of its hosts “valuable consideration” from a music store, a live music venue, a booking agent and a band manager.

The Statesman story is curiously short on details about the host, music store, live music venue, booking agent, and band manager who were involved. A Google search didn’t turn up much more information, but it did turn up a copy of the consent decree.

(Hattip.)

Posted in Clippings, Radio | Comments Closed

Quote of the day.

Tuesday, March 1st, 2011

“This is a substantial amount of iguana meat, well beyond what would be considered as personal use, it lacked the necessary permits for lawful importation and further it was found hidden in masa,” said Joe Uribe, Acting CBP Port Director in Laredo.

I think the lessons here are:

  1. Always make sure you have the proper permits for your iguana meat.
  2. If you have the proper permits, you don’t need to hide your iguana meat in masa. Or anything else for that matter.
  3. Small amounts of iguana meat for “personal use” are apparently okay with Customs.
  4. You can find recipes for iguana online.
  5. At the moment, I very much wish that I was in Tijuana.

Posted in Clippings, Food, Lizards, Music, Radio, Reptiles | 3 Comments »

Radio, radio.

Friday, January 28th, 2011

Dashed off in great haste: this appears to be a good current schedule for Radio Cairo on shortwave.

I still have my shortwave gear, but I haven’t fired it up in a long time and I’m not sure how well it still works. If any of my readers are shortwave listeners and have other schedules from the Middle East, or reception reports on Radio Cairo, I welcome those here.

Posted in Radio | Comments Closed

K-Geezer.

Sunday, September 26th, 2010

I wanted to link to this story about changes at Austin’s KGSR over the past year, and the payoff for those changes (more listeners). The story is somewhat buried on the Statesman‘s web site. I only discovered it because I was reading the Life and Arts section over breakfast this morning.

This story also represents something else that I’ve brought up before; the entitled attitude of so many people in Austin, who think that nothing (public or private) should ever change. Personally, I’m in favor of anything that decreases the chance I’ll hear Bob Schneider or Kasey Chambers on the radio.

Posted in Clippings, Media, Music, Radio | 1 Comment »

DEFCON 18 notes: Day 3.

Wednesday, August 4th, 2010

“The Search for Perfect Handcuffs… and the Perfect Handcuff Key“: It seems that Sunday morning at DEFCON has become the default time for the lock picking and other physical security panels. Sometimes this bugs me a little; I can only sit through so many panels on compromising high security locks with common household objects before my eyes glaze over and I leave for the dealers room. It isn’t that these panels aren’t interesting, but three in a row…

Anyway, I say all that to say that this presentation from TOOOL was one of the better Sunday morning lock bypass presentations I’ve seen at DEFCON. Deviant Ollam and his crew gave a comprehensive overview of handcuffs, how they work, and how they can be defeated. Some key points:

  • A group of Dutch hackers managed to defeat the high security Dutch handcuffs by taking a photo of the key (hanging off someone’s belt) and using a 3D printer to duplicate it. The key can be found here.
  • You can shim many handcuffs with paper, believe it or not. Paper money (especially European paper money, which in many cases is more like plastic or Tyvek than paper) works especially well for this, as currency is generally designed to be tear resistant.
  • Handcuffs are generally a pretty simple mechanism. If they aren’t double-locked, it’s really easy to “shim” them (force a flat piece of metal, or something like that, down between the pivoting ratchet arm and the cuff itself), or pick the lock with something like a paper clip. (You know what really works well for a cuff pick? The sort of U-shaped metal arm that comes on those steel binder clips you can buy at Office Depot.)
  • If the cuffs are double-locked, it makes shimming and picking attacks harder. One way to defeat double-locking is the “whack attack”; slam the cuffs against a hard surface, and inertia will pop the double-lock locking bar back into the unlocked position.
  • It doesn’t take a lot of strength to break handcuffs. Breaking them is just a matter of binding the chains up. Once you’ve done that, it’s just leverage and simple physics to break the chain.
  • You can also rough up the chain with a small easily concealed diamond saw blade to make it easier to break. The folks at SEREPick sell such a thing; you can hide it in the seams of your clothes, in a belt, in the top of a shoe…
  • There’s a lot of design variation in handcuffs, which can cause problems, especially if you’re trying to find a universal handcuff key. Keyway sizes, size and number of pawls…lots of things can cause problems.
  • The TOOOL folks have collected a bunch of cuffs, so they got as many as possible together, took very precise measurements of the keys, and came up with a single “universal” handcuff key that opened all the cuffs they were able to try. No, they don’t sell it, but diagrams and measurements for the key were part of the presentation. The easiest thing to do, according to the presenters, is to start with a Smith and Wesson handcuff key, as that’s closest to the final dimensions of the universal key. After that, all you need is some minor cutting and filing which can be done with a Dremel tool.

(I suspect there are some people who are going to ask “Why would you want to break out of handcuffs? And don’t you feel bad about sharing this information with criminals?” In the first place, the criminals have already learned all these tricks at one of our many institutes of higher education. In the second place, the bad guys are starting to use things like handcuffs and zip ties to restrain their victims; you might as well learn how to defend yourself.)

“Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“: I’ll cut some slack for this guy being a first time presenter, but this was a “Meh” panel for me. It was heavy on the theory of things like RF jamming and EMP attacks, but short on practice. Most of the theory I already knew, so there wasn’t a whole lot there for me. At the end, he did demonstrate a “sound cannon”, which was interesting. It did not, however, even approach the “annoying” level for me, much less the “weapon” one, though the presenter was running it without amplification.

“Breaking Bluetooth By Being Bored”: Dunning (who also built Vera-NG, a Bluetooth and WiFi sniping rifle) presented a series of tools for banging on Bluetooth. These tools included:

  • SpoofTooph, a utility for cloning and spoofing Bluetooth devices. SpoofTooph can also be run in a logging mode, where it will collect data on devices it encounters.
  • The Bluetooth Profiling Project, which uses programs like SpoofTooph to collect Bluetooth device profiles for analysis. (For example, which device addresses correspond to which manufacturer?)
  • vCardBlaster, a utility for running a denial of service attack against a Bluetooth device by flooding it with vCards.
  • Blueper, which sends a stream of files over Bluetooth. You can send files to multiple devices in range, or target a single device and flood it with files. This is interesting because many devices cache received files before asking the user to accept them; if you push a continuous stream of files to one of those devices, you can fill up internal storage and possibly crash the device.
  • pwntooth, a suite of automated Bluetooth testing tools.

As a side note, after some banging around (mostly to resolve dependencies) I managed to compile and install SpoofTooph on Project e. So far, I’ve only tested it in my lab environment, but it seems to work as designed. This is one of the reasons I love going to DEFCON, as there’s nothing like that moment when you say “Holy f—ing s–t, that f—ing f—er actually f—ing works! S–t!”

There was no final attendance figure announced at the closing ceremonies. According to Joe Grand’s badge documentation, there were 7,000 electronic badges made, and those went fast. I would not be shocked if there were 15,000 people at DEFCON this year, and from what I saw in the closing ceremonies, a lot of those folks were attending for the first time.

The big piece of news from the closing ceremonies is that, after four years at the Riveria, DEFCON is moving to the Rio next year. My hope is that the move will make it easier to get into the more popular panels (DEFCON apparently will be using the Penn & Teller Theater at the Rio), and provide more room to move around. (And maybe even more room for vendors.)

Coming up later on: the final after action report and thank-yous.

Posted in asus_eee, Bluetooth, DEFCON 18, Geek, linux, Locks, project_e, Radio | Comments Closed

DEFCON 18 notes: Day 2.

Sunday, August 1st, 2010

Saturday was kind of a rough day at DEFCON 18. But then, Saturday is always a rough day at DEFCON.

I don’t feel it’d be fair to review or summarize the “Extreme-range RFID Tracking” panel; I came in about 20 minutes late. (We lingered a bit over a very good breakfast at Blueberry Hill.) What I was able to gather is that Padget’s set a new record for long distance RFID reading, and that upping the radio power works for increasing RFID reading range up to a point. (Edited to add 8/10/2010: added link to Black Hat 2010 version of paper. Here’s a link to Paget’s blog entry about the session.)

I was not able to get into “Jackpotting Automated Teller Machines Redux” due to extreme overcrowding. (Edited to add 8/9/2010: The Black Hat website has what purports to be MP4 video of Jack’s version of the presentation at Black Hat 2010. I have not sat down and watched it yet.)

I did attend the “This is not the droid you’re looking for…” panel, mostly because I was camping out for the next talk. This panel turned out to be more interesting than I expected; the presenters demonstrated a proof-of-concept rootkit for Android phones that allows you to do all sorts of fun stuff; grab contact information, grab SMS messages, grab location information (all three of these are stored in SQLite databases on the Android), and even make phone calls from the phone. The presenters haven’t weaponized the attack yet, but claim it should be easy to do so.

Practical Cellphone Spying“: Another nifty panel. Padget discussed the concepts behind IMSI catching, and gave a live demo of cellphone interception on the AT&T network. The key takeaway here for me was that the same technology used by law enforcement to intercept calls is now coming down to the point where it will be wrapped in a turnkey package and sold to people with more questionable motivations. (Edited to add 8/10/2010: added link to Paget’s blog entry which includes slides.)

How to Hack Millions of Routers“: I went to this because Lawrence put in a special request. The short version is that a large number of commercially available routers (such as those used by Verizon FIOS) are vulnerable to a clever attack using DNS rebinding and load balancing. Heffner has also released a tool that automates this attack. (This is another Black Hat talk that got a lot of attention in the press; the link above includes a copy of Heffner’s white paper which details the attack vector.)

(Edited to add 8/9/2010: I’ve added a link to Heffner’s Black Hat version of this talk, which as far as I can tell, is pretty similar to the DEFCON 18 version.)

I didn’t attend either “Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED” or “Programmable HID USB Keystroke Dongle: Using the Teensy as a Pen Testing Device“. (Edited to add 8/10/2010: added a link to the Teensy project from the Irongeek website. The bottom of that page has a link to the DEFCON presentation. I’ve also added a link to HackerWarrior.com for the USB Keyboard Emulation Device; that directory appears to contain a copy of the presentation, plus code.)

Instead, I left a little early, had a very nice sake fueled dinner at Shabu-Shabu Paradise in Henderson (a restaurant I enthusiastically endorse), sidecars at the iBar in the Rio (sadly, we did not get to play with the Microsoft Surface), and Penn & Teller.

The three of us saw Penn and Teller back in 2006, and we wondered how much the show had changed since then. Mike the Musicologist estimated that about 50% of the show was new; I think the percentage is a little higher than that, but my memory may be faulty. I was not unhappy that they ended the show with the .357 magnums; the bullet-catching illusion fascinates me, and I’m still trying to figure out how Penn and Teller do it. (Jim Steinmeyer’s The Glorious Deception: The Double Life of William Robinson, aka Chung Ling Soo is a very good history of the bullet-catching illusion, and yet another book I strongly recommend to anyone with even a casual interest in the history of magic.)

The other thing we all noticed is that Penn and Teller’s show has become a bit more explicitly political; in addition to the .357 magnum closer, which has always included 2nd Amendment references (and big kudos to P&T for reciting the Four Rules), the show also included references to flag burning, the Chinese Bill of Rights (“What Chinese Bill of Rights?” Exactly.) and the stupidity of the TSA. Penn and Teller even sell the Security Edition of the Bill of Rights in their gift shop for a lousy $5. (Quote: “We want McCarran Airport to be flooded with these.”) Not that any of us were bothered by the politics; I think all three of us lay claim to at least some form of Libertarianism. And if you’re the kind of person who would take offense at Penn and Teller’s politics, I won’t tell you “don’t go”; I’ll tell you “go, and have your world view challenged”.

(I’d also like to give Penn and Teller kudos for keeping gift shop prices low. Both Andrew and I picked up DVDs of the Teller-directed “Macbeth” for only $10. Teller, if you’re reading this, thanks for signing my copy. And for everything else you do, too.)

Posted in Books, DEFCON 18, Endorsements, Food, Geek, Guns, Magic, Radio, Travel | 1 Comment »

« Older Entries
Newer Entries »