living in a fool s wireless
play

Living in a fools wireless - secured paradise Stefan Kiese Topics - PowerPoint PPT Presentation

Dec 22, 2023 •452 likes •690 views

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer) alarm systems Hardware Software Hacking it ;) 2015/10/02 Stefan Kiese 2 About me Security Analyst @ ERNW Heidelberg, Germany

  1. Living in a fool’s wireless - secured paradise Stefan Kiese

  2. Topics • Wireless (consumer) alarm systems • Hardware • Software • Hacking it ;) 2015/10/02 Stefan Kiese 2

  3. About me • Security Analyst @ ERNW • Heidelberg, Germany • Interested in hardware hacking, SDR, IoT • Beard ;) www.ernw.de • Twitter: @net0SKi www.troopers.de www.insinuator.net 2015/10/02 Stefan Kiese 3

  4. Wireless (consumer) alarm systems • Cheap ($10 - $250) • Easy to get • Easy to install • WIRELESS • Mostly, you get what you pay for 2015/10/02 Stefan Kiese 4

  5. Hardware Tools 2015/10/02 Stefan Kiese 5

  6. SDR: Logic Analyzer: HackRF One Intronix LogicPort LA1034 Yardstick One All-rounder: Scope: JTAGulator Tektronix MSO2012B Bus Pirate Pix ‘ sources: HackRF+YS, greatscottgadgets.com LogicPort, pctestinstruments.com MSO2012B, tek.com JTAGulator, jtagulator.com Bus Pirate v3, dangerousprototypes.com 2015/10/02 Stefan Kiese 6

  7. Software Tools 2015/10/02 Stefan Kiese 7

  8. GNU Radio Companion: Other useful tools: • E.g. minicom (for use of JTAGulator and BP) • Sigrok or other LA-soft • Baudline • Rfcat • Python Audacity: 2015/10/02 Stefan Kiese 8

  9. Usual attack vectors • Hardware: • Over the air: • • UART (Debug info, Wifi console) • Bluetooth • SPI (e.g. r/w EEPROM) • Proprietary protocols • JTAG (e.g. r/w flash, reprogram µC) • I²C (e.g. comm. w/ components) 2015/10/02 Stefan Kiese 9

  10. Comparison of the alarm systems AS 1 AS 2 AS 3 • Many • JTAG + UART • No interfaces unidentified exposed as TP exposed TPs exposed • Also simple • Rolling Code • Simple implemented record&replay record&replay • Costs also • EEPROM • Costs about about $100 • Costs about $100 $60 2015/10/02 Stefan Kiese 10

  11. Alarm system 1 Loooong transmissions … 2015/10/02 Stefan Kiese 11

  12. Alarm system 1 1. Let‘s start with a simple 3. „ Synthesizing “ signal in record&replay attack GNU Radio   successful successful 2. Trying to regain the RF 4. Manipulating messages transmission  unsuccessful  288 Bits x 90, Manchester encoded 2015/10/02 Stefan Kiese 12

  13. 2015/10/02 Stefan Kiese 13

  14. 2015/10/02 Stefan Kiese 14

  15. Alarm system 2 You shouldn‘t be allowed to issue this CMD, dude! 2015/10/02 Stefan Kiese 15

  16. Alarm system 2 1. Record&replay again … 3. JTAGulating UART   successful 2 UARTs exposed, no „valid“ output on 2. Motion Detector is common baudrates allowed to disarm the base 4. JTAGulating JTAG   Just bruteforce the unsuccessful Device ID 2015/10/02 Stefan Kiese 16

  17. 2015/10/02 Stefan Kiese 17

  18. Alarm system 3 Keep on rollin ‘, baby! 2015/10/02 Stefan Kiese 18

  19. Alarm system 3 1. Record&replay again … 3. Some interesting unlabelled ICs on PCB  unsuccessful  acc. to russian board 2. Trying to regain the RF one for signal horn transmission 4. EEPROM  65 bits x 6, two-  parted Rolling Code Connected to µC via SPI; no results yet 2015/10/02 Stefan Kiese 19

  20. 2015/10/02 Stefan Kiese 20

  21. What could vendors do better? • Use Rolling Code • Use anti-tampering techniques • Remove IDs from ICs • Send keep-alive packets • Use two-way communication • Use encryption • Be aware of the comm. protocols 2015/10/02 Stefan Kiese 21

  22. Any questions? 2015/10/02 Stefan Kiese 22

  23. Thanks for your … … and have a nice day! 2015/10/02 Stefan Kiese 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There is no God. Psalm 14:1 (ESV) What Type of Fool Are You? The Fool Proper And he[Jesus] told them a parable, saying, The land of a rich

417 views • 16 slides
Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A pragmatic implementation of non-blocking linked lists, Tim Harris, DISC 2001 Five ways not to fool yourself 1. Measure as you go Starting and stopping

585 views • 25 slides
Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

T18 Concurrent Session Thursday 06/12/2008 3:00 PM 4:30 PM Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves Presented by: Linda Rising Independent Consultant Presented at: Better Software

303 views • 29 slides
He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE527 minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/527 Larry Ruzzo -- Chinese Proverb Autumn 2007 UW CSE Computational Biology Group Today

254 views • 10 slides
He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSE427 minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/427 Larry Ruzzo -- Chinese Proverb Winter 2008 UW CSE Computational Biology Group This week

568 views • 13 slides
Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri

Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri

Securing Wireless Localization: Living with Bad Guys Zang Li, Yanyong Zhang, Wade Trappe Badri Nath Talk Overview Talk Overview Wireless Localization Background Attacks on Wireless Localization Time of Flight Signal Strength Angle

700 views • 31 slides
He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask

He who asks is a fool for five CSEP590A minutes, but he who does not Computational Biology ask remains a fool forever. http://www.cs.washington.edu/csep590a Larry Ruzzo -- Chinese Proverb Summer 2006 UW CSE Computational Biology Group

265 views • 10 slides
Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day 1998 Left-Handed Whopper 1993 Lightning Strike First Easter April Fools Day Fool Proof And he said to them, O foolish ones, and slow of

484 views • 24 slides
2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I

2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I

2 Corinthians 12:6-10 NIV 6 Even if I should choose to boast, I would not be a fool, because I would be speaking the truth. But I refrain, so no one will think more of me than is warranted by what I do or say, 7 or because of these surpassingly

291 views • 15 slides
RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE

RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE

DISABILITY IN 5 RUS RUSSI SIAN AN VI VISUAL SUAL CULTURE Jos Alaniz University of Washington, Seattle THE RUSSIAN HOLY FOOL The age-old Russian tradition of the Holy Fool () or Fool for Christ springs

663 views • 23 slides
Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading, interference, hidden terminal problem IEEE 802.11 ( wi-fi ) CSMA/CA reflects wireless channel characteristics DIFS, SIFS,

1.43k views • 83 slides
CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio

CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio

CSE 527 Computational Biology http://www.cs.washington.edu/527 Lecture 1: Overview & Bio Review Autumn 2004 Larry Ruzzo He who asks is a fool for five minutes, but he who does not ask remains a fool forever. -- Chinese Proverb Related

525 views • 25 slides
1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

Outline Outline What is wireless? Overview Wireless parameters Cellular architecture Wireless Networks Wireless Networks Media multiple access Wireless LAN 802.11 MANET Mobile Ad-hoc NETworks Amnon Jonas

525 views • 13 slides
to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to

to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to

Welcome to your home church! The he Fo Fool olishn hnes ess s an and W d Wisdo sdom m How to Prevent Spiritual of th of the Cr e Cross oss Dehydration Psalm 63 1 Co Cor. . 1:1 :18-24 24 I. Dont Rely on Emotions II.

265 views • 7 slides
You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test?

You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test?

You Cant Fool the Bladder Police Effective Use of Urine Drug Screening Wh Why Te Test? Accountability Create and maintain safe treatment environment Compliance with licensing or policy Collection Supervised or

489 views • 37 slides
Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad Hoc MAC protocols ad Hoc routing DSR AODV 2 Wireless Networks Autonomous systems of mobile hosts connected by wireless links Nodes are

1.3k views • 102 slides
For the wise men of old, the cardinal problem of human life was how to conform the soul to

For the wise men of old, the cardinal problem of human life was how to conform the soul to

For the wise men of old, the cardinal problem of human life was how to conform the soul to objective reality, and the solution was wisdom, self-discipline, and virtue. For the modern, the cardinal problem is how to conform reality to the

351 views • 10 slides
Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel,

Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel,

Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel, alexios.zavras@intel.com Sofware Heritage, zack@upsilon.cc 4 February 2018 FOSDEM Brussels, Belgium Alexios Zavras, Stefano Zacchiroli Outsourcing

420 views • 29 slides
Adversaries & Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras

Adversaries & Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras

Adversaries & Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras gradient-science.org Outline for today 1. Simple gradient explanations Exercise 1: Gradient saliency Exercise 2: SmoothGrad 2. Adversarial

534 views • 37 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin BIRS Workshop 19w5088 July 8, 2019 1Supported by NSF Grant

1.69k views • 139 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark

Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark

HotCloud 2011 Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark Gondree Rob Beverly Your Data is Here But, maybe it should be here Or Here? Breaking the Abstraction Is data within some political

584 views • 20 slides

P P P P P P P P P P P P

455 views • 13 slides
Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery

Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery

Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery Farida BACHIR BELMEHDI (1) , Kamel HASNI (2) , Bachir GOURINE (2) and Moussa LESGAA 1 (1) University of Oran 2, Faculty of Earth Sciences and Universe,

615 views • 6 slides

More recommend