Hardware & Making

Lockpicking in the IoT

...or why adding BTLE to a device sometimes isn't smart at all
"Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and app decompilation to show why those devices and their manufacturers aren't always that smart after all, and that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...
This talk will hand you all the tools you need to go deeply into hacking smart devices. And you should! The only reason a huge bunch of these products doesn't even implement the most basic security mechanisms might be that we don't hack them enough!

We start by looking at the hardware layer, dissecting PCBs and showing which chips are usually used for building these devices. Even if the firmware is read-protected, they can still be used as nice devboards with unusual peripherals: if you can't flash it, you don't own it! But you don't always have to get out your JTAG interfaces.

The simplest part is intercepting an app's communication with its servers. We show an easy man-in-the-middle setup which breaks the TLS encryption on the fly and lets you read and manipulate the data flowing through. This was enough to completely defeat the restrictions on a lock's "share to a friend" feature, and of course it helps you recover your password... Understanding the API is also the best way to actually OWN your device, giving you the option to replace the vendor's cloud service with your own backend. We show how this can be used, for example, to keep using your bike lock when the Kickstarter you got it from goes bankrupt after a presentation about its bad crypto. Just kidding, they have already been notified and are working on a patch.

Going for the wireless interface and sniffing BTLE also isn't as difficult as it might sound. Turning a cheap 10 EUR devboard into a sniffer, we show how to use Wireshark to dissect the packets going to and from the device and analyze the payload. In some cases this is all that's needed to get the secret key from a single interaction...

Finally we will turn into reverse engineers, showing how to decompile an Android app and analyze its inner workings, or even modify it to your needs. Using this, we show that a quite popular electronic padlock does correctly claim to use AES128, but due to a silly key exchange mechanism we can break it by listening to a single opening command. All details of this 0-day attack will be released during the talk; the vendor was notified in May. Last but not least we will go back to the hardware layer, showing that sometimes even simple things like magnets or shims can be used to defeat $80+ electronic locks in seconds...

Additional information

Type: lecture
Language: English
