Thursday, March 28, 2019

WOPR: SECURITY LOSES SOME OF ITS OBSCURITY by: Tom Nardi

As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.
The “Hollywood Hacker” Playset
Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.
In an attempt bridge the gap, the recent WOPR Summit brought together talks and presentations from all sections of the larger hacking world. The goal of the event was to show that the different facets of the community have far more in common than they might realize, and featured a number of talks that truly blurred the lines. The oscilloscope toting crew learned a bit about the covert applications of their gadgets, and the high-level security minded individuals got a good look at how the silicon sausage gets made.
Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.

INTERNET OF BROKEN THINGS

As you might have guessed from the name, An Introduction to IoT Penetration Testing, had a fairly serious slant towards the practical exploitation of various Internet “things”. In this presentation, Charles described the operation of a number of extremely interesting software packages which have never before made an appearance here on Hackaday. That such incredible tools have managed to fly under our radar for so long is frankly evidence enough that we should be making a better effort to collaborate with our more security-minded peers.
For working with Bluetooth Low Energy, Charles suggests btlejack, a project which uses up to three BBC Micro:Bits flashed with a custom firmware to sniff, capture, hijack, and even jam communications. Running the tool with three devices connected to a USB hub allows it to cover more channels and increases the likelihood of it capturing what you’re looking for. If you’re not in a country that was literally handing out Micro:Bits, you can also use btlejack with Adafruit’s Bluefruit LE sniffer or a nRF51822 Eval Kit.
When poking around with embedded ARM or MIPS devices, Charles says he’s had great luck with Firmadyne, an emulator package which allows you to run firmware images. He demonstrated it using a firmware meant for the venerable Linksys WRT54G router, showing how the web interface of the “router” was now accessible via a virtual interface on the local machine. More importantly than being able to simply run the firmware, Firmadyne also allows you to plug in a debugger and explore the device’s virtual filesystem to extract vital clues on how it operates.
While talking about hypothetical situations can be fascinating, Charles also peppered his presentation with real-world examples pulled from over a decade of experience in the IT field. One which was particularly interesting was what he called the “IoT On-Boarding” attack. In this scenario, he demonstrated how he was able to leverage the unencrypted configuration interface of WiFi smart bulbs to collect the encryption keys for the network the user ultimately joins the bulbs to. We’ve recently seen that these bulbs have a tendency to store network credentials in plain-text internally, so the fact that their initial configuration interface doesn’t use encryption either sadly doesn’t come as a huge surprise.

CHEAP SDR IS A HUGE DEAL

A big part of Ham Hacks: Breaking into Software Defined Radio was based on an assertion that most Hackaday readers are likely familiar with: the RTL-SDR project was an absolute game changer. That’s not to say Kelly thinks a hacked TV dongle is necessarily your best option in 2019, but that it opened the floodgates for low-cost SDRs. Before the RTL-SDR project, the prices for SDRs were well outside of the casual hacker’s budget, effectively blocking a huge chunk of the community from exploring the RF spectrum. Now that anyone with $20 in their pocket can sniff from the low Megahertz all the way up into the Gigahertz frequencies used for satellite communications, systems which were previously “secure” simply because few people could listen in on them are now ripe for the picking.
Kelly gave those in attendance a crash course in RF communications, and then went over some of the different SDRs on the market. She explained the practical considerations of things like tuner range and sample rate, and how the perspective radio hacker should factor those these variables into their purchase. But she also spoke on the importance of community and documentation; the LimeSDR Mini is an incredible deal for the price, but it doesn’t have as large a community as something like the more expensive HackRF.
With the wide world of SDR hardware out of the way, Kelly went on to giving some practical demonstrations of capturing signals and ultimately converting that into data bits which can be examined. The first half of the process: identifying which frequency the target device uses, fine-tuning with an tool such as GQRX, and then capturing with the rtl_sdr command is something we’ve seen used in a number of projects already.
But the last piece of the puzzle, taking that capture and getting usable data out of it, is something we haven’t seen nearly as much of. Kelly went over tools such as Inspectrum, DspectrumGUI, and of course Universal Radio Hacker, and demonstrated how they are used against an SDR capture file. Many of the SDR hacks that come our way essentially just re-transmit the original capture with little consideration of what information the signal actually contains, and it was interesting to see a more in-depth look at how these open source tools can help move from simple mimicry to comprehension. Once you’re able to decode the data being sent over the air, you’re well on the way to being able to modify the data; and that’s where the real fun begins.

THROUGH THE LOOKING GLASS

These presentations dealt with subjects which are familiar to Hackaday readers, but in both cases, brought something new to the table. Seeing “the other side” of technology was a central theme of the WOPR Summit, and these talks demonstrate that the perspective shift can often bring new details to light. Some mad lad clustering together BBC Micro:Bits to capture BLE traffic is about as far up our alley as you can get before busting through the front door, and the fact that we haven’t seen it until now is a perfect example that information isn’t moving as smoothly between the different camps as it should.
Hopefully other hacker events will adopt this more eclectic approach to presentation topics in the future, and help establish a better dialog between the cornucopia of hackers that are out there. Otherwise we run the risk of not only missing out on useful techniques and tools, but worse, reinventing the wheel when a solution has already been developed.

No comments:

Post a Comment