living in a fool s wireless
play

Living in a fools wireless - secured paradise Stefan Kiese Topics - PowerPoint PPT Presentation

Dec 22, 2023 •452 likes •690 views

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer) alarm systems Hardware Software Hacking it ;) 2015/10/02 Stefan Kiese 2 About me Security Analyst @ ERNW Heidelberg, Germany

  1. Living in a fool’s wireless - secured paradise Stefan Kiese

  2. Topics • Wireless (consumer) alarm systems • Hardware • Software • Hacking it ;) 2015/10/02 Stefan Kiese 2

  3. About me • Security Analyst @ ERNW • Heidelberg, Germany • Interested in hardware hacking, SDR, IoT • Beard ;) www.ernw.de • Twitter: @net0SKi www.troopers.de www.insinuator.net 2015/10/02 Stefan Kiese 3

  4. Wireless (consumer) alarm systems • Cheap ($10 - $250) • Easy to get • Easy to install • WIRELESS • Mostly, you get what you pay for 2015/10/02 Stefan Kiese 4

  5. Hardware Tools 2015/10/02 Stefan Kiese 5

  6. SDR: Logic Analyzer: HackRF One Intronix LogicPort LA1034 Yardstick One All-rounder: Scope: JTAGulator Tektronix MSO2012B Bus Pirate Pix ‘ sources: HackRF+YS, greatscottgadgets.com LogicPort, pctestinstruments.com MSO2012B, tek.com JTAGulator, jtagulator.com Bus Pirate v3, dangerousprototypes.com 2015/10/02 Stefan Kiese 6

  7. Software Tools 2015/10/02 Stefan Kiese 7

  8. GNU Radio Companion: Other useful tools: • E.g. minicom (for use of JTAGulator and BP) • Sigrok or other LA-soft • Baudline • Rfcat • Python Audacity: 2015/10/02 Stefan Kiese 8

  9. Usual attack vectors • Hardware: • Over the air: • • UART (Debug info, Wifi console) • Bluetooth • SPI (e.g. r/w EEPROM) • Proprietary protocols • JTAG (e.g. r/w flash, reprogram µC) • I²C (e.g. comm. w/ components) 2015/10/02 Stefan Kiese 9

  10. Comparison of the alarm systems AS 1 AS 2 AS 3 • Many • JTAG + UART • No interfaces unidentified exposed as TP exposed TPs exposed • Also simple • Rolling Code • Simple implemented record&replay record&replay • Costs also • EEPROM • Costs about about $100 • Costs about $100 $60 2015/10/02 Stefan Kiese 10

  11. Alarm system 1 Loooong transmissions … 2015/10/02 Stefan Kiese 11

  12. Alarm system 1 1. Let‘s start with a simple 3. „ Synthesizing “ signal in record&replay attack GNU Radio   successful successful 2. Trying to regain the RF 4. Manipulating messages transmission  unsuccessful  288 Bits x 90, Manchester encoded 2015/10/02 Stefan Kiese 12

  13. 2015/10/02 Stefan Kiese 13

  14. 2015/10/02 Stefan Kiese 14

  15. Alarm system 2 You shouldn‘t be allowed to issue this CMD, dude! 2015/10/02 Stefan Kiese 15

  16. Alarm system 2 1. Record&replay again … 3. JTAGulating UART   successful 2 UARTs exposed, no „valid“ output on 2. Motion Detector is common baudrates allowed to disarm the base 4. JTAGulating JTAG   Just bruteforce the unsuccessful Device ID 2015/10/02 Stefan Kiese 16

  17. 2015/10/02 Stefan Kiese 17

  18. Alarm system 3 Keep on rollin ‘, baby! 2015/10/02 Stefan Kiese 18

  19. Alarm system 3 1. Record&replay again … 3. Some interesting unlabelled ICs on PCB  unsuccessful  acc. to russian board 2. Trying to regain the RF one for signal horn transmission 4. EEPROM  65 bits x 6, two-  parted Rolling Code Connected to µC via SPI; no results yet 2015/10/02 Stefan Kiese 19

  20. 2015/10/02 Stefan Kiese 20

  21. What could vendors do better? • Use Rolling Code • Use anti-tampering techniques • Remove IDs from ICs • Send keep-alive packets • Use two-way communication • Use encryption • Be aware of the comm. protocols 2015/10/02 Stefan Kiese 21

  22. Any questions? 2015/10/02 Stefan Kiese 22

  23. Thanks for your … … and have a nice day! 2015/10/02 Stefan Kiese 23

Recommend

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There is no God. Psalm 14:1 (ESV) What Type of Fool Are You? The Fool Proper And he[Jesus] told them a parable, saying, The land of a rich

417 views • 16 slides
Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A pragmatic implementation of non-blocking linked lists, Tim Harris, DISC 2001 Five ways not to fool yourself 1. Measure as you go Starting and stopping

585 views • 25 slides
Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

T18 Concurrent Session Thursday 06/12/2008 3:00 PM 4:30 PM Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves Presented by: Linda Rising Independent Consultant Presented at: Better Software

303 views • 29 slides
He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/527 Larry Ruzzo -- Chinese Proverb Autumn 2007 UW CSE Computational Biology Group Today

254 views • 10 slides
He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/427 Larry Ruzzo -- Chinese Proverb Winter 2008 UW CSE Computational Biology Group This week

568 views • 13 slides
Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri

Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri

Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri Nath Talk Overview Talk Overview Wireless Localization Background Attacks on Wireless Localization Time of Flight Signal Strength Angle

700 views • 31 slides
He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/csep590a Larry Ruzzo -- Chinese Proverb Summer 2006 UW CSE Computational Biology Group

265 views • 10 slides
Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day 1998 Left-Handed Whopper 1993 Lightning Strike First Easter April Fools Day Fool Proof And he said to them, O foolish ones, and slow of

484 views • 24 slides
2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I

2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I

2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I would be speaking the truth. But I refrain, so no one will think more of me than is warranted by what I do or say, 7 or because of these surpassingly

291 views • 15 slides
RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE

RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE

DISABILITY IN 5 RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE RUSSIAN HOLY FOOL The age-old Russian tradition of the Holy Fool () or Fool for Christ springs

663 views • 23 slides
Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading, interference, hidden terminal problem IEEE 802.11 ( wi-fi ) CSMA/CA reflects wireless channel characteristics DIFS, SIFS,

1.43k views • 83 slides
CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio

CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio

CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio Review Autumn 2004 Larry Ruzzo He who asks is a fool for five minutes, but he who does not ask remains a fool forever. -- Chinese Proverb Related

525 views • 25 slides
1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

Outline Outline What is wireless? Overview Wireless parameters Cellular architecture Wireless Networks Wireless Networks Media multiple access Wireless LAN 802.11 MANET Mobile Ad-hoc NETworks Amnon Jonas

525 views • 13 slides
to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to

to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to

Welcome to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to Prevent Spiritual of th of the Cr e Cross oss Dehydration Psalm 63 1 Co Cor. . 1:1 :18-24 24 I. Dont Rely on Emotions II.

265 views • 7 slides
You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test?

You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test?

You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test? Accountability Create and maintain safe treatment environment Compliance with licensing or policy Collection Supervised or

489 views • 37 slides
Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad Hoc MAC protocols ad Hoc routing DSR AODV 2 Wireless Networks Autonomous systems of mobile hosts connected by wireless links Nodes are

1.3k views • 102 slides
Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux & freeBSD Securing & Managing Wireless LAN : Implementing 802.1x EAP-TLS PEAP-MSCHAPv2

278 views • 14 slides
A Featherweight Approach to FOOL Atsushi Igarashi Kyoto Univ. What I Have Been Working On

A Featherweight Approach to FOOL Atsushi Igarashi Kyoto Univ. What I Have Been Working On

A Featherweight Approach to FOOL Atsushi Igarashi Kyoto Univ. What I Have Been Working On Type theory and its applications : Static program analysis based on type inference Behavioral types for concurrent programs Multi-stage programming

1k views • 71 slides
Timothy R. Newman, Ph.D. Wireless @ VT Wireless @ Virginia Tech Wireless Umbrella Group

Timothy R. Newman, Ph.D. Wireless @ VT Wireless @ Virginia Tech Wireless Umbrella Group

Timothy R. Newman, Ph.D. Wireless @ VT Wireless @ Virginia Tech Wireless Umbrella Group MPRG, CWT, VTVT, WML, Antenna Group, Time Domain Lab, DSPRL Officially rolled out June 2006 Currently 32 tenure track faculty and more

304 views • 19 slides
Inspections for Decision Makers (or: you may fool me, but not hurt me) Federico Echenique and

Inspections for Decision Makers (or: you may fool me, but not hurt me) Federico Echenique and

Inspections for Decision Makers (or: you may fool me, but not hurt me) Federico Echenique and Eran Shmaya California Institute of Technology November 10, 2007 SISHOO Nov. 10th Inspections for decision makers Existing result: Inspections are

616 views • 23 slides
The Challenge of Legacy Assets Richard Lucas, BSc(Eng) MBA MD of ASH Wireless ASH Wireless is an

The Challenge of Legacy Assets Richard Lucas, BSc(Eng) MBA MD of ASH Wireless ASH Wireless is an

The Impact of the Internet of Things on our Lives. The Challenge of Legacy Assets Richard Lucas, BSc(Eng) MBA MD of ASH Wireless ASH Wireless is an electronics design consultancy Specialising in wireless and sensors An Ofgem funded Network

1.7k views • 26 slides
Living Well When Living Longer HIV and Rehabilita5on

Living Well When Living Longer HIV and Rehabilita5on

Living Well When Living Longer HIV and Rehabilita5on #RehabHIV European AIDS Clinical Society (EACS) Friday October 23 2015, 16:30-18:00hrs Barcelona,

700 views • 52 slides
Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down

Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down

Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith Ross Pearson/Addison Wesley April 2016 Wireless and Mobile Networks 7-1 Ch. 7: Wireless and Mobile

331 views • 29 slides
UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on

UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on

UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on campus, wireless authentication and improvements June 6 7, 2019 Wireless Improvements Top Areas of Improvement 2018 Chemistry Duck

773 views • 17 slides

More recommend