Archive for the ‘Radio’ Category

Please refrain from tasting the KNOB.

Friday, August 16th, 2019

As a Bluetooth guy, and as someone who just posted a bunch of DEFCON 27 stuff, I feel compelled to say something about the Key Negotiation of Bluetooth Attack (aka KNOB) which has been getting a lot of attention the past few days.

Here’s the actual paper from the USENIX Security Symposium.

The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. [Emphasis in the original – DB]

Here’s a higher level overview of how the attack works.

Also of interest, also from USENIX, also getting some media attention: “Please Pay Inside: Evaluating Bluetooth-based Detection of Gas Pump Skimmers“. What’s cool about this is that the authors have developed Bluetana, an Android app that scans for Bluetooth devices in the area (every five seconds), displays a list of devices it found, and highlights ones that show characteristics similar to those of Bluetooth skimmers.

First, the app checks the device’s class. All skimmers studied within this work, whether discovered by Bluetana or not, had a device class of Uncategorized. If the device class is not uncategorized, the data is saved for later analysis. The device’s MAC prefix is then compared against a “hitlist” of prefixes used in skimming devices recovered by law enforcement. If the device has a MAC that is not on this hitlist, it is unlikely to be a skimmer, and the app highlights the record yellow. Next, if the device name matches a common product using the same MAC prefix, the record highlights in orange. If all three fields (MAC prefix, Class-of-Device, and Device Name) indicate the device is likely to be a skimmer, Bluetana highlights the record in red. The highlighting procedure is the result of a year of refinements based on our experience finding skimmers in the field, and Bluetana includes a remote update procedure to account for these incremental changes.

I’m fascinated by both of these papers, just based on a preliminary skimming. I’m hoping to do a detailed reading at that mythical point in the future when I have more free time…

Black Hat/DEFCON 27 links: August 16, 2019.

Friday, August 16th, 2019

Apologies for being behind on this: I’m also working on another project that’s taking up a lot of my blogging time, but I hope to be done with that soon.

Black Hat/DEFCON 27 links: August 13, 2019.

Tuesday, August 13th, 2019

I had a lot of trouble finding this on the site, but: the DEFCON 27 media server is here.

I’ve got to wrap this up for now, as my lunch hour is almost over. I may try to do a second post tonight, if I find enough additional material to justify one. Otherwise, please share, enjoy, comment, and thank any presenters whose work you found particularly enjoyable or valuable.

Lock, lock, baby, baby.

Wednesday, August 7th, 2019

I missed these the first time around, but the Hacker News Twitter linked to them a couple of days ago. I thought I’d blog them for the benefit of all my lock/computer security/Internet of Broken Things fans.

There’s a type of lock called the FB50 smart lock. It’s manufactured by a Chinese company, and sold “under multiple brands across many ecommerce sites”. As you might guess, it has Bluetooth and an app.

And, of course, it’s vulnerable. Once you get the lock’s MAC address (which, you know, you can get just by looking for Bluetooth devices in the area), you can use a series of HTTP requests to get the lock ID and the user ID, and then disassociate the user from the lock and associate yourself.

Discussion and proof of concept code here.

And the footnotes on that led me to another Pen Test Partners lock exploit (these are the folks who brought you the Tapplock one). This time the target is something called the Nokelock, which is apparently popular on Amazon (“…they do a number of different formats in a number of different body types, sometimes with other unlocking devices, such as a fingerprint sensors. There are other brand names they get repackaged as, such as Micalock.”)

So the Bluetooth packets are encrypted. But…

…the key can be obtained from the API by two methods. All the API requests need a valid API token, which can be obtained by simply creating a user with a throw away email address.

And:

…all traffic, including the user’s traffic is sent via the unencrypted HTTP protocol.

And there’s no authorization for API calls. All you need is a token, which (as noted above) you can get with an email address. Once you’ve got a token, you can grab the information about any lock, “including email address, password hash and the GPS location of a lock”.

And the password hash is unsalted MD5. “This is a cryptographically weak hash type that can be run through very quickly.”

Extra bonus points: the footnotes for the Pen Test Partners entry point to yet another lock exploit, this one for something called the Klic Lock.

An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2

I don’t think I can put it any better than icyphox did:

DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.

DEFCON 27/Black Hat 2019 preliminary notes.

Thursday, August 1st, 2019

DEFCON 27 starts a little later than I’m used to this year (August 8th, so a week from today.) Black Hat 2019 starts August 7th. Black Hat schedule is here. DEFCON schedule is here.

Again this year, I’m not going. While I feel like I’m moving closer to the point where I’m ready to return (expenses paid or expenses unpaid) I’m not quite where I want to be yet to go on my own dime. And as far as the company paying for me to go…not this year, for reasons I won’t go into. (Nothing bad. At least I don’t think so. Just don’t want to run my mouth about internal stuff.)

So, as usual: what would I go to, if I were going?

Let’s look at the DEFCON schedule first.

(more…)

Obit watch: April 17, 2019.

Wednesday, April 17th, 2019

Owen Garriott, astronaut.

In 1973 he was the science pilot of Skylab 3, the record-breaking 59-day mission — more than double the duration of any previous flight — to Skylab, the first United States space station.
He logged nearly 14 hours outside Skylab in three spacewalks, during which physiological and biomedical metrics were monitored to determine the body’s response to long periods spent in reduced gravity.

He returned to space in 1983 on the 10-day flight of the shuttle Columbia, which carried the European Space Agency’s Spacelab 1 module, on which a multinational team of scientists conducted research.
On that mission, Dr. Garriott operated the first amateur radio station from space. He used his station’s call sign, W5LFL, to connect with about 250 ham operators, including his mother in Enid, Okla.; Senator Barry Goldwater of Arizona; and King Hussein of Jordan.

His marriage to Helen Walker in 1952 ended in divorce. In addition to his son Richard, his survivors include three other children from that marriage, Randall, Robert and Linda Garriott; his wife, Evelyn (Long) Garriott; three stepchildren, Cindy Burcham, Bill Eyestone and Sandra Brooks; 12 grandchildren; and three great-grandchildren.

Obit watch: February 23, 2019.

Saturday, February 23rd, 2019

Yesterday was a busy day for the NYT: the obit writers were apparently playing catch-up. One of these I knew about, but was waiting for a reliable source on, while the others I had not heard about.

William E. Butterworth III, noted and bestselling author.

According to his website, there are more than 50 million copies of his books in print in more than 10 languages.

If the name doesn’t ring a bell with you, that’s because he wrote mostly under pseudonyms. His best known pen name was W.E.B. Griffin.

(Also: awesome photo, NYT.)

Ken Nordine, poet and “word jazz” guy.

Mr. Nordine became wealthy doing voice-overs for television and radio commercials. But he found his passion in using his dramatic baritone to riff surreally on colors, time, spiders, bullfighting, outer space and dozens of other subjects. His free-form poems could be cerebral or humorous, absurd or enigmatic, and were heard on the radio and captured on records, one of which earned a Grammy nomination.

I used to fall asleep with the radio on and wake up to it in the morning. As I recall, early on Sunday mornings, in that twilight zone when I was half-awake and half-asleep, our local public radio station aired re-runs of “Word Jazz”.

I had not heard of Ethel Ennis, but this is an interesting story: Playboy jazz poll winner for best female singer,

She recorded for major labels in the late 1950s and the ’60s; toured Europe with Benny Goodman; performed onstage alongside Miles Davis, John Coltrane and Louis Armstrong; and appeared on television with Duke Ellington. She became a regular on Arthur Godfrey’s TV show and headlined the Newport Jazz Festival.

And then she mostly walked away from it all and became Baltimore’s unofficial “First Lady of Jazz”.

“They had it all planned out for me,” she told The Washington Post in 1979, referring to the music executives in charge of her career. “I’d ask, ‘When do I sing?’ and they’d say, ‘Shut up and have a drink. You should sit like this and look like that and play the game of bed partners.’ You really had to do things that go against your grain for gain. I wouldn’t.”
She added: “I want to do it my way. I have no regrets.”

Finally, David Horowitz, newscaster and consumer reporter. I remember watching the syndicated version of “Fight Back!” on one of the Houston TV stations (though I don’t recall which one) back when I was young…

More Black Hat/DEFCON 26 updates.

Wednesday, August 15th, 2018
  • Slides for “A Dive in to Hyper-V Architecture & Vulnerabilities” with Joe Bialek and Nicolas Joly can be found here. (The link on the Black Hat site is still borked.)
  • This isn’t an actual DEFCON 26 presentation, but it’s referenced in Vincent Tan’s “Hacking BLE Bicycle Locks for Fun and a Small Profit”, and I want to bookmark it for later: “Blue Picking: Hacking Bluetooth Smart Locks” by Slawomir Jasek.
  • Slides for “Ring 0/-2 Rookits: Compromising Defenses” with Alexandre Borges are here.
  • Also not a DEFCON presentation, but picked up by way of an Ars Technica story: “Fear the Reaper: Characterization and Fast Detection of Card Skimmers” by Nolen Scaife, Christian Peeters, and Patrick Traynor. In which the authors analyze a bunch of skimmers confiscated by NYPD…and then build a device that can detect skimmers, based on nothing more than the physical properties of how card readers work. Quote of the day: “Security solutions requiring significant behavioral changes are unlikely to be successful.”
  • Content for “All your math are belong to us” with sghctoma is here: slides, white paper, and exploit code.

Your loser update: pre-NFL edition.

Wednesday, August 15th, 2018

Actually, this sits at the weird intersection of a couple of things:

Bud Light is installing “Victory Fridges” throughout the Cleveland area that will unlock via WiFi following the Browns’ first regular-season win this season.

Which do you suppose is going to happen first: a Browns win, or someone hacks the fridges? My money is on the latter.

Cleveland hackers, you’ve got at least 25 days to prove me right.

More from the Entertainment and Sports Programming Network.

And how about a little musical interlude? We haven’t had one in a while.

DEFCON 26/Black Hat updates: August 14, 2018.

Tuesday, August 14th, 2018

I apologize that I wasn’t able to post more coverage over the weekend: as I expected, it turned out to be fun, but packed.

I intended to post this yesterday, but I wasn’t able to find many updates on my lunch hour. Then I got stuck in a gumption trap late in the day at work, and basically came home and collapsed.

In retrospect, that was better, because this story broke late in the afternoon: Caesars Palace security was (in the opinion of at least some DEFCON attendees) a little too aggressive about searching rooms. More from Defiant, a company that was at DEFCON. Statement from Marc Rogers.

Good post with links over at Borepatch’s site about the widely covered “voting machine vulnerabilities”.

Also: badge related coverage if you care. Personally, I don’t need a stinking badge.

Black Hat updates:

DEFCON 26 updates:

Black Hat 2018/DEFCON 26 0 day updates.

Thursday, August 9th, 2018

Some of yesterday’s Black Hat presentations:

Some others that I didn’t get to the first time around:

  • “Software Attacks on Hardware Wallets” by Alyssa Milburn and Sergei Volokitin. “…we show how software attacks can be used to break in the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker.” Slides. White paper.
  • “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers” with a whole big bunch of folks. “…we show that it is possible to recover the original leaked signal over large distances on the radio. As a result, variations of known side-channel analysis techniques can be applied, effectively allowing us to retrieve the encryption key by just listening on the air with a software defined radio (SDR).” Slides. White paper.

Ars Technica has a story up in advance of Justin Shattuck’s “Snooping on Cellular Gateways and Their Critical Role in ICS” presentation later today:

…many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.

There are a couple of other presentations from yesterday that sound interesting on second look, but the links to them are currently broken. Also, I haven’t had a chance to read through all of these yet: I did give a quick skim to “Stress and Hacking” and “Reversing a Japanese Wireless SD Card” and look forward to a more careful read of both.

I think I’m going to try to post a second update later this evening if the broken links are fixed and/or new content is available. We should also be getting close to the point where the DEFCON 26 media server has preliminary versions of the presentations up…

Edited to add: DEFCON 26 presentations are now live on the DEFCON media server.

DEFCON 26/Black Hat 2018 preliminary notes.

Sunday, August 5th, 2018

DEFCON 26 and Black Hat 2018 start up later this week. Again, I’m not going, but I do feel like I’m inching closer to making a return. Full-timers from my group have been sent to Black Hat in the past, so who knows what’s going to happen next year?

What would I do if I was there? A quick skim of the Black Hat briefings schedule doesn’t show a whole lot that really jumps out at me. I’d probably just be hitting targets of opportunity, with a few exceptions:

What about DEFCON 26? After the jump…

(more…)