I’m back in Los Angeles but I thought I’d leave you with one last image from ShmooCon. Larry Pesce from PaulDotCom has been been bringing new ShmooBall guns to the conference for the past few years. ShmooBalls are foam balls given to the conference attendees so they can throw them at speakers they disagree with.

This year Larry brought a turret mounted to a Power Wheels. You can see the 2008 and 2009 versions on Hack a Day.

Mike opened by quoting from the February 2003 issue of Bruce Schneier’s Crypto-Gram on the importance of authentication.

Last year I had a conversation with an engineer involved with security for the Bluetooth wireless protocol. I told him that Bluetooth has only privacy and not per-packet authentication. He responded with the prototypical lame responses: 1) pseudorandom frequency hopping makes it “nearly impossible” for an attacker to get in, and 2) the range is only 8 feet, so the attacks are naturally limited.

I tried to argue the point, but eventually gave up. Then I said something like: “I can hardly wait for Bluetooth to become universal, because I really want a wireless keyboard and mouse with the “base station” built into my computer.” He said: “Yes, but you really probably don’t want to use Bluetooth for that, because then somebody could stuff keystrokes or mouse clicks into your system.” I didn’t know whether to laugh or cry. Talk about not getting it.

The bluetooth HID profile is essentially USB HID implemented over bluetooth. The bluetooth dongle has two USB protocols it can use to communicate to the computer either “boot” protocol or “report” protocol. The report protocol is very flexible to suit whatever the device needs. The “boot” protocol on the other hand is fixed. The boot protocol is designed this way because it’s in the computer BIOS which allows the keyboard to be used at boot time without needing a full USB stack. Many dongles default to this boot protocol when plugged in and just enumerate as a mouse and keyboard instead of a full bluetooth host (which you can later switch to in software).

Mike developed the btbb plugin for WireShark which lets you look at bluetooth baseband packets captured over the air with the USRP software radio. While working on it he noticed the keystrokes were being sent in the clear. He sent a few captures to Joshua Wright who used them to develop btaptap which takes a pcap file and spits out the keystrokes. The dongle they were captured from was in boot mode, but just being in boot mode doesn’t guarantee they’re sent in the clear. Some computers with bluetooth now ship with boot mode as the default.

The next thing Mike talked about was HID Attack by Collin Mulliner. Collin developed xkbd-bthid as a virtual bluetooth keyboard to send keystrokes to bluetooth devices. It was designed to hunt down machines that were waiting for keyboards to connect. Most of these holes have been patched now. Mike demoed injecting mouse commands by using a dongle on the victim’s machine while the mouse was turned off. The interesting part of the demo was that he injected keystrokes using the mouse since it’s the same HID boot protocol. Support for encryption in mice isn’t required by the USB HID spec only for keyboards.

To do the spoof, you have to know the BD_ADDR of the device you’re spoofing. If you have physical access, you could just read it off of the device or OS. Kismet now ships with kismet-btscan for actively sending inquiries to recover the BD_ADDR of local devices. kismet-bluetooth is also being developed to passively monitor the baseband using the USRP.

When bluetooth devices are using encryption there’s a link key that you must crack. Much research has been done on this with BT Crack by Thierry Zoller and btpincrack by David Hulton. They work but require a lot of time and usually capturing the actual device pairing. Mike suggested in jest that all pairing should be done inside of a Faraday cage.

bthidproxy is yet another handy piece of software. Using it you can man in the middle bluetooth connections by using two dongles and spoofing the host and device addresses. Because of ‘virtual cabling’, a one to one connection is made between device and host. This means that almost all attacks must be performed when either the device or host are off allowing you to take their place. This isn’t too much of a problem since machines get powered down often and many mice have off switches to save battery.

Mike talked about K Chen’s Apple Keyboard firmware attack. The USB keyboard doesn’t check the firmware’s signature so it can be rewritten. Bluetooth HID is USB over bluetooth, so Mike decided to see if the same thing was possible. He was able to modify the firmware on his Apple bluetooth keyboard by sending it packets over the air. His keyboard is the older three battery version which required the link key to be used, but he said that the newer two battery version doesn’t have this protection.

It was a great presentation and Mike has the slides and additional resources on his site. He even includes a checklist for verifying how secure your bluetooth devices are. The link key puts most attacks out of reach of your average hacker, but as he pointed out it is often not implemented. For future work, he plans on developing baseband injection using the USRP.

As was bound to happen, I put the finishing touches on my GPU post and immediately ran into David Hulton (h1kari) at Pico Computing’s ShmooCon booth. As the organizer of ToorCon, he was the person that originally introduced me to the power of the FPGA.

Pico recently hit a new high mark for decrypting 56-bit DES (PDF). DES encryption has been deprecated but can be found in old systems and uses many features found in modern encryption algorithms. They can now check all keys in just 4.65 days as opposed to 9.14 years it would take a graphics card.

The 4U machine was built with 7 of the company’s EX-300 x1 PCI Express cards. Each card has 16 Xilinx Spartan FPGAs for a total of 176 in the system. It’s quite a beast, but don’t expect to see too many since this SC-4 SuperCluster is ~$80K.

Also on display was the new E-101. It’s a single Spartan-6 LX45 FPGA. It has a mini-USB connector to make it very benchtop friendly; previous boards in this class used CF, CardBus, or ExpressCard formats.

For having to fill a last minute ShmooCon opening, dragorn delivered a very provoking talk. You may know him for his indispensable wifi tool, Kismet. He blew through 100 slides in 20 minutes and I’m sure I’ll miss the finer points but it really turned out to be something potentially incredible (and destructive). He laid the ground work by discussing how open public wifi hotspots are so heavily used. Many of us understand the risk but he set out to show even more unexplored territory.

802.11 traffic is trivial to capture and as Toast demonstrated at Defcon, easily injectable with airpwn. Many people saw this but the full implications weren’t really understood so dragorn decided to expand on the idea. The team built a new version of Airpwn TCP hijack for the Metasploit framework. It now supports full content replacement using regex and a very fast ruby-based packet assembler.

dragorn outlined the many ways you could use this. You could modify one of the many helper .js files that browsers download while loading pages. You could rewrite the DOM to your benefit, change all forms to go through your proxy, or change all https to plain http.

These attacks could be made persistent by telling the browser to cache the .js for an extremely long time (10 years even) as rsnake described in his VPN research. Then when the user returned to their home intranet the exploit would still be viable; it could even phone home to get new .js payloads. Want to make the attack really generic? Poison Urchin.js, the code that every site using Google Analytics makes you load.

What’s the answer? Securing your connection with a VPN perhaps. This doesn’t really help the average user though because it’s difficult to do. If your splash start page is http which hands off the login to https, the attacker could hijack you starting with that very first page before you’re in the VPN.

dragorn also built DNSpwn DNS hijack. You can use it to poison someone’s DNS so that it persists even when they switch to a VPN.

This is one of those attacks that could be easily missed by expert users. At the end of his talk, dragorn lamented, “I’ve ruined wifi for myself.”

I’m at the ShmooCon hacker conference in D.C. this weekend and will be posting about some of the more interesting talks. The Friday round of talks are limited to 20 minutes and cover a wide variety of topics. Collin Brack opened with a subject I’m thoroughly interested in: GPU based cracking.

In the past, I’ve talked about using FPGAs for dedicated repetitive math. Since then, GPU manufacturers have started developing frameworks so you can write code directly against the processor, not necessarily for graphics. Nvidia has been pushing their CUDA technology, while other manufacturers have been working on OpenCL.

Collin uses Nvidia devices in his day job and naturally leans towards CUDA. He has specifically worked with the Tesla C1060 and Tesla S1070. The second being a dedicated 1U device, it doesn’t have a video out.

The conclusion of the talk was a broad survey of what cracking tools have been ported to these frameworks, many of which work with live tool DVD BackTrack 4—they have a CUDA guide. Programs like aircrack-ng-cuda are available for wireless cracking; cRARk and RAR GPU for RAR password recovery; and IGHASHGPU, MD5 GPU Crack, and RainbowCrack are available too. The shining star of the group though is pyrit, which is available for many different GPU platforms.

If you’ve got a unibody Mac, you’ve probably got the hardware to play with any of these tools. Even though we’re moving away from FPGA, I’m still happy to see developers taking advantage of the speed increases available from GPUs.

Hackers working on the Barnes & Noble Nook have gotten a huge gimmee. nookDevs member poutine took the back off of his and discovered that the device’s filesystem is stored on a 2GB microSD card instead of onboard flash. Mounting the card revealed three ext3 partitions. You can find a listing of the files here. It’s mostly a stock Cupcake build with a few additions like ./system/app/instorewifi-release.apk. The debug interface, adb, is included so its a matter of adding it to the startup script to begin talking to the device over USB.

When the nook was announced, I was interested because it’s an Android device but worried that it would be too locked down to be fun. This is an amazing discovery and being able to modify the filesystem directly will surely make hack development much easier. The back is just screwed on so it isn’t that difficult to remove and since it’s under an external cover I can imagine people keyholing it to get easy access to the card. Veteran Android hackers like JesusFreke have already jumped in to help out. You can find them actively working in #nookdevs on Freenode.

US wireless carriers have started selling femtocells to their customers. A femtocell is a device that essentially acts as a mini cellphone tower. It connects to the user’s broadband connection and their cellphone connects wirelessly just like it would to a regular tower. The call is trunked over the broadband connection and the customer gets a much better signal than they normally would. If the caller leaves range of the femtocell, it will be handed off seamlessly to a normal tower.

I was reading about AT&T’s MicroCell, which they’re testing in a couple markets, and saw this interesting note:

Due to broadcasting regulations, users will also be prevented from using the 3G MicroCell in areas where AT&T doesn’t officially do business. For example, it can’t be installed by users in Vermont or North Dakota or in other countries outside the US; this is enforced by GPS tracking in the device.

I hadn’t considered this restriction, but GPS receivers are standard in every femtocell being sold. I became curious about hacking femtocells since GPS devices are pretty much standardized as far as how they communicate. They’re usually sending NMEA messages over a serial connection. You’d just need to spoof that data to make the femtocell believe it’s in a proper location even if you took it to Europe. At least one device designed to spoof NMEA already exists.

I began digging to see how the GPS is actually connected. I found the FCC ID MXF-3GFP980217 in a post on Howard Forums. The FCC application has several documents that you can’t view because their confidential: block diagram, parts list, schematics. The internal photos are unprotected though, one of which appears above.

There doesn’t appear to be anything unusual. You can see the antenna and the related chip in the upper left corner. It’s from the RoyalTek REB-1315LPX family which isn’t unusual. You can see a four pin header in that area too which is probably a serial header with the NMEA data stream. It seems like it would be a matter of verifying the data and then replacing it with your own spoofer then you can take your cell tower wherever you please.

I don’t really like the idea of femtocells. They’re carrier specific, but worst of all there seems to be technology that’s even easier to work with, namely: UMA. UMA is a feature of some T-Mobile phones. It lets you make calls over wifi and will hand off to a cellphone tower if you walk out of range. Yes, it relies on the handset to have UMA specific hardware, but it doesn’t require anything other than a wifi connection, any connection, not a specific device.

If you’re interested in UMA, the BlackBerry 9700 has recently been released. It’s the first 3G T-Mobile device that has UMA.

The only other interesting thing I noticed on the MicroCell was a Xilinx Spartan-3A on the board. It’s not the main processor and is presumably being used as a either a DSP or crypto device.

When an application sends an update to Twitter it can specify the ’source’. The screenshot above shows an update where I used ‘foursquare’ as the source even though it wasn’t sent by Foursquare. No, I don’t think this is a security issue; it can be funny though.

Early this afternoon @BreakingNews posted “BULLETIN — OUSTED HONDURAN PRESIDENT ZELAYA RETURNS TO HONDURAS.” I found this humorous because when you become a mayor on Foursquare it announces to Twitter using the same style: It names a person, a location, a title, and uses the word ‘ousted’. Here’s an example of a mayor update. I constructed a fake update saying that I had ousted Zelaya as president of Honduras. Chris Nelson pointed out to me that I could specify the source as well, so I went for a slightly more involved joke.

Foursquare also announces to Twitter when you unlock a badge. Here’s is an example of me unlocking a badge. Clicking the bit.ly link takes you to a Foursquare page that describes the badge. I decided to make my own ‘Dictator’ badge. While New York has a number of Foursquare badges, Los Angeles has a limited number, so I wanted to surprise people with a new badge. I recreated the URL structure on my own domain (almost) and created a new badge image and text. I then updated Twitter using the same language as Foursquare and using ‘foursquare’ as the source. Here is the tweet and my fake badge (the design is from here).

Now to dream up useful ways to abuse this.

UPDATE: @SanMo is now using Chris Finke’s implementation in Python.

@SanMo is a Twitter based service I launched in late January. It’s designed specifically for Twitter users in the Santa Monica area. Anyone can send a message starting with @SanMo and the bot will retweet it. The idea is that locals who want to participate will follow @SanMo and then respond to the inquiries.

To build the initial community, I used Twitterholic to find the top Twitter users in Santa Monica and then manually followed them. I also used Twitter Search to find people in my ZIP code and then followed them. Since the launch, I’ve also made use of Twitter Perch to autofollow anyone that says “Santa Monica”.

I had my Hacker Drinkup friends submit many of the early tweets to encourage use of the service. Although I originally imagined it for things like restaurant recommendations, there’s been a large variety of tweets: providing earthquake info, solving service issues with the local ISP, and even discussing local stimulus spending.

My favorite moment so far was @shephardfx mentioning that he was taking a trip to Santa Monica the following week. Twitter Perch followed him automatically. When he arrived, he used @SanMo to get sushi recommendations.

@SanMo is based on @whitneymcn’s Perl script that powers “lyric of the day” on Twitter. A cron job checks for @ replies every two minutes. It takes the reply, removes the @SanMo, adds an RT and sender name, and then stores it in the database queue for posting.

It’s been running fairly flawlessly, but such a minimal interface can be difficult for the user. If you don’t put @SanMo at the beginning of your tweet, it won’t be retweeted. This is a partial feature, since it lets you talk about @SanMo without pinging all the followers. Where it becomes an issue is when someone @replies the asker and follows that with @SanMo; it won’t get retweeted (the inverse isn’t an issue).

The other problem is that tweets can get truncated when retweeted. @SanMo is most likely shorter than the user’s handle. The RT, space, and trailing colon take up precious characters as well. Context keeps most of these readable, but there’s a high likelihood that it will destroy a URL. Other services solve this by creating a shortened URL to connect to the original content. I don’t think this is necessary and just adds another hoop. I’ll probably implement in_reply_to_status_id so users can find the original tweet instead.

That’s the only feature I’ve got planned and I’d probably only tackle it with a complete rewrite of the script. The only other thing I feel is missing is a way to intelligently archive/thread the conversations.