Jun 20

Updating RFIDler Firmware on Ubuntu 12.04.4

As a beta tester for the RFIDler Kickstarter project, I got one of the first batch of these sweet LF RFID reader/writer/emulator units, straight from Zac Franken and Adam Laurie.

The RFIDler, Beta Version, and Antenna (background)

Although I have a Proxmark3 (actually, it’s not mine, it belongs to Larry Pesce, but he’s never getting it back), I am excited about the RFIDler as a low-cost alternative with active and exciting development.

When the RFIDler arrived it was running alpha3 firmware, which needed to be upgraded to the latest firmware in the RFIDler GitHub repository.  Flashing requires the mphidflash utility, which is available in source or binary form on Google Code.

The mphidflash tool required libhid-dev on Ubuntu, but that package has been retired for a while as abandoned by the author.  To get mphidflash working on Ubuntu, I grabbed the packages from Ubuntu 10.04 and installed them as shown:

$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mphidflash.googlecode.com/files/mphidflash-1.3-bin-linux.tar.gz
$ tar xfz mphidflash-1.3-bin-linux.tar.gz
$ sudo cp mphidflash /usr/sbin

After that, flashing the RFIDler becomes straightforward. First, download the GitHub repository files and change to the RFIDler/python directory, then run the setup.py script:

$ git clone https://github.com/ApertureLabsLtd/RFIDler.git
Cloning into 'RFIDler'...
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-WsskxT/pkcs11: No such file or directory
remote: Reusing existing pack: 518, done.
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 534 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (534/534), 8.90 MiB | 1001 KiB/s, done.
Resolving deltas: 100% (279/279), done.
$ cd RFIDler/python
$ sudo python setup.py install

Now you should be able to run the rfidler.py script to interact with the RFIDler hardware. Plug in the hardware and check the version on your hardware (you may need to run rfidler.py as root on your system):

$ rfidler.py /dev/ttyACM0 'VERSION'
sending 'VERSION'
0003-alpha

To update the firmware, hold the bootloader button and press “reset”. The LED07 and LED08 LEDs will start alternating amber and green.

RFIDler Prepped for Bootloader

You will also see a kernel message indicating that the device has entered into bootloader mode.

$ dmesg | grep Bootloader
[783265.119771] generic-usb 0003:04D8:003C.0006: hiddev0,hidraw2: USB HID v1.11 Device [Microchip Technology Inc. USB HID Bootloader] on usb-0000:02:00.0-2.1/input0

Now, change to the head of the RFIDler directory and flash the device (lots of the status dots have been removed below):

$ sudo mphidflash -r -w firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex
[sudo] password for jwright: 
USB HID device found: 503808 bytes free
Erasing...
Writing hex file 'firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex':..................................................................................................................................
Verifying:..................................................................................................................................
Resetting device...
$ rfidler.py /dev/ttyACM0 version
sending 'VERSION'
0019-beta

Voila!
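Since mphidflash writes whatever hex file it is handed, a pre-flight check on the image is worth having before the erase step. This added Python example (my code, not part of the RFIDler repository or mphidflash) validates the Intel HEX records, waits for the Microchip bootloader to enumerate using the 04D8:003C ID from the dmesg line above, and then runs the same mphidflash command as the post; the lsusb polling and the default hex path are assumptions.

```python
import subprocess
import time
from pathlib import Path

def check_intel_hex(text: str) -> int:
    """Validate Intel HEX content: each record is ':' + even hex digits, the
    length field matches, the byte sum is 0 mod 256, and an EOF record exists.
    Returns the number of data (type 0x00) records or raises ValueError."""
    data_records, saw_eof = 0, False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":") or len(line) % 2 == 0:
            raise ValueError(f"line {lineno}: malformed record")
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex characters") from None
        if raw[0] != len(raw) - 5:          # LL must equal data length
            raise ValueError(f"line {lineno}: length field mismatch")
        if sum(raw) % 256:                   # two's-complement checksum byte
            raise ValueError(f"line {lineno}: checksum error")
        if raw[3] == 0x00:
            data_records += 1
        elif raw[3] == 0x01:
            saw_eof = True
    if not saw_eof:
        raise ValueError("no EOF record; file is truncated")
    return data_records

def wait_for_bootloader(usb_id: str = "04d8:003c", timeout: float = 60) -> bool:
    """Poll lsusb (assumed available) until the Microchip HID bootloader appears."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        out = subprocess.run(["lsusb", "-d", usb_id], capture_output=True, text=True)
        if out.stdout.strip():
            return True
        time.sleep(1)
    return False

def flash(hex_path: str) -> None:
    """Check the image, wait for bootloader mode, then flash exactly as in the post."""
    n = check_intel_hex(Path(hex_path).read_text())
    print(f"{hex_path}: {n} data records, all checksums OK")
    if not wait_for_bootloader():
        raise SystemExit("bootloader not found: hold the bootloader button and press reset")
    subprocess.run(["sudo", "mphidflash", "-r", "-w", hex_path], check=True)

if __name__ == "__main__":
    flash("firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex")
```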

-Josh

May 10

Maximum Overdrive Redux?

Last night at SANS SecWest 2010 in San Diego I gave a presentation I’ve been working on called “Maximum Overdrive Redux”, looking at exploiting embedded and smart hardware systems.  We started off with the AC/DC Video from the 1986 Stephen King movie about how machines take over and start killing people, eventually manipulating them into human pawns.

Maximum Overdrive "Happy Toys" Truck

This movie was pretty bad, and Stephen King is even quoted as saying “I was coked out of my head” during direction.  As a result, it became a cult classic, and I thought it was a pretty good analogy for what we’re seeing with the increased reliance, interconnectivity, and physical-world access in embedded systems.

I made four critical points in the presentation:

  • Tools for exploiting embedded systems are available and getting better;
  • Embedded systems are becoming more interconnected;
  • Vendors are widely overlooking the security of embedded platforms;
  • Attackers can leverage flaws in embedded systems to exploit the physical world.

I backed up these points by looking at attacks against smart card parking meters, home area networks, Internet-connected vehicle control systems, Verizon MiFi devices, the SHODAN Computer Search Engine, NIBE Heat Pumps and more.  I’ve posted the slides in the Presentations  section.

Comments, questions, concerns? Please drop me a note.  Thanks! -Josh

Feb 03

MiFi Config Hack

In my previous post, I wrote about a method to exploit the default password selection on Verizon MiFi devices.  As a MiFi user, I’m also interested in other ways I can manipulate the device.

The configuration settings for the MiFi are fairly straightforward, and some users have pointed out that there are additional settings that can be applied via a customized config file (browse to Advanced -> Config File -> Download File then edit and upload).  However, the MiFi also has a hidden advanced configuration page accessible at  http://192.168.1.1/adv802.html that is not otherwise linked on the administrative pages.

Hidden MiFi Configuration Page

On this page we are able to set a variety of options not accessible with the default management interface:

  • Leverage WEP as an encryption and authentication mechanism (yay!);
  • Increase the number of simultaneous stations allowed to share the MiFi WLAN at any given time;
  • Adjust the transmit power level of the WLAN interface for more range or longer battery life;
  • Manipulate other wireless settings very few people understand and even fewer care about.

These changes were previously available only by manually editing the config.xml file, but now you can make them without all the hassle of XML+notepad.

-Josh

Jul 22

Webcast Tomorrow: Smart Grid and AMI Security Concerns

The characters, places and events described herein are entirely fictional, and any resemblance to individuals living or dead is purely coincidental, kthxbye.

Tomorrow at 1pm EST Matt Carpenter (InGuardians), Walt Sikura (Industrial Defender) and I are delivering a webcast titled “Smart Grid and AMI Security Concerns” where we talk about the security challenges of the smart grid, discussing tools and techniques through which an attacker could exploit the security of the smart grid.

I’m very fortunate to get the chance to present with both Matt and Walt on a topic which I find not only fascinating but of significant importance as we roll out more and more smart grid systems in North America and throughout the world. The webcast is hosted through WebEx and you can sign up at:

http://www.industrialdefender.com/news/webinar_smart_grid.php

We’re also planning to do this as a trilogy, where we’ll spend more time in later presentations digging deeper into attack methodologies and defense techniques, as well as what we are doing to exploit and secure smart grid components.

-Josh

May 10

Reversing the Microchip Zena ZigBee Sniffer

Microchip Zena Network Analyzer

A few days ago I bought a Microchip Zena ZigBee sniffer. This USB HID device comes with simple software for Windows that captures and decodes 2.4 GHz 802.15.4, ZigBee, MiWi (Microchip stack) and MiWi-P2P traffic. It’s $150, which is a little steep considering that it is a PIC18LF with USB and a MRF24J40 radio, but I’ve had fun playing with it all the same.

The Zena 3.0 sniffer software provides a basic per-packet view of frames. I guess we are all spoiled by Wireshark, but I was hoping for more detail and a better UI. The Zena sniffer can save a capture in a proprietary file format, and can export selected frames (to the clipboard) in space-delimited hex bytes.

A cool accompanying feature is the network configuration display interface where Zena will identify all the parent/child relationships observed. You can specify a BMP background as a floorplan and move the nodes to their physical locations as well.

Zena Packet Capture Tool

Zena Sniffer Network Configuration Display

SnoopyPro Capture of Zena USB Traffic

With no Linux support, I decided to write my own user space Linux driver to capture packets, with the goal of integrating it into libpcap captures and other tools including Kismet Newcore. Plugging it into a Linux box, it was clear that the device was using the USB HID class, which was good news for me since it would be simpler to reverse the configuration details. Using the SnoopyPro USB sniffer, I was able to look at the USB packets, observing data from frames shown by the sniffer, as well as recording the configuration activity based on the channel I specified to capture on.

With this information, it was straightforward to identify the USB endpoint 0x01 as the control channel (for setting the channel) and USB endpoint 0x81 as the data endpoint (for delivering frames). Using PyUSB with the excellent Pymissle project by Scott Weston as an example, I quickly put together a tool that can set the channel number and capture frames from the Zena device, dumping the hex bytes to stdout.

Linux Microchip Zena data, isn't it beautiful?

The Python script is available here. It’s a hack, but it was enough to get me started on what will be my next post: zbfind, a location tracking and identification tool for ZigBee and 802.15.4 networks.
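Both the Zena export and the script above hand you raw 802.15.4 frames as space-delimited hex bytes, so the next step toward Wireshark-style detail is decoding the MAC header yourself. This added Python example (my code, not the Zena software or the script linked above) parses the frame control field, sequence number and addressing fields of a frame and verifies its FCS with the ITU-T CRC-16 that 802.15.4 uses; the sample frame is constructed, not captured.

```python
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}   # addressing mode -> address length (1 is reserved)

def crc16_itut(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 ITU-T, poly 0x1021, LSB-first, init 0 (CRC-16/KERMIT)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def append_fcs(body: bytes) -> str:
    """Append the FCS (LSB first) and render space-delimited hex like a Zena export."""
    return (body + struct.pack("<H", crc16_itut(body))).hex(" ")

def parse_frame(hexdump: str) -> dict:
    """Decode the MAC header of one space-delimited hex frame (MHR + payload + FCS)."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 5:
        raise ValueError("frame too short for FCF + seq + FCS")
    body, fcs = raw[:-2], struct.unpack_from("<H", raw, len(raw) - 2)[0]
    fcf = struct.unpack_from("<H", body, 0)[0]          # frame control, little-endian
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved addressing mode")
    info = {"type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
            "security": bool(fcf & 0x0008),             # aux security header follows MHR
            "ack_request": bool(fcf & 0x0020),
            "pan_compress": bool(fcf & 0x0040),         # src PAN ID omitted when set
            "seq": body[2]}
    pos = 3
    if dst_mode:
        info["dst_pan"] = struct.unpack_from("<H", body, pos)[0]; pos += 2
        n = ADDR_LEN[dst_mode]
        info["dst"] = int.from_bytes(body[pos:pos + n], "little"); pos += n
    if src_mode:
        if not info["pan_compress"]:
            info["src_pan"] = struct.unpack_from("<H", body, pos)[0]; pos += 2
        n = ADDR_LEN[src_mode]
        info["src"] = int.from_bytes(body[pos:pos + n], "little"); pos += n
    if pos > len(body):
        raise ValueError("truncated MAC header")
    info["payload"] = body[pos:]
    info["fcs_ok"] = fcs == crc16_itut(body)
    return info

# Constructed sample: ZigBee-style data frame, short addresses, PAN ID compression.
SAMPLE_FRAME = append_fcs(bytes.fromhex("41 88 05 34 12 ff ff 01 00 de ad be ef"))
```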

-Josh