Jun 20

Updating RFIDler Firmware on Ubuntu 12.04.4

As a beat-my-tester for the RFIDler Kickstarter project, I got one of the first batch of these sweet LF RFID reader/writer/emulator units, straight from Zac Franken and Adam Laurie.

The RFIDler, Beta Version, and Antenna (background)

The RFIDler, Beta Version, and Antenna (background)

Although I have a Proxmark3 (actually, it’s not mine, it belongs to Larry Pesce, but he’s never getting it back), I am excited about the RFIDler as a low-cost alternative with active and exciting development.

When the RFIDler arrived it was running alpha3 firmware, which needed to be upgraded to the latest firmware in the RFIDler GitHub repository.  Flashing requires the mphidflash utility, which is available in source or binary form on Google Code.

The mphidflash tool required libhid-dev on Ubuntu, but that package has been retired for a while as abandoned by the author.  To get mphidflash working on Ubuntu, I grabbed the packages from Ubuntu 10.04 and installed them as shown:

$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mphidflash.googlecode.com/files/mphidflash-1.3-bin-linux.tar.gz
$ tar xfz mphidflash-1.3-bin-linux.tar.gz
$ sudo cp mphidflash /usr/sbin

After that, flashing the RFIDler becomes straightforward. First, download the GitHub repository files and change to the RFIDler/python directory, then run the setup.py script:

$ git clone https://github.com/ApertureLabsLtd/RFIDler.git
Cloning into 'RFIDler'...
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-WsskxT/pkcs11: No such file or directory
remote: Reusing existing pack: 518, done.
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 534 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (534/534), 8.90 MiB | 1001 KiB/s, done.
Resolving deltas: 100% (279/279), done.
$ cd RFIDler/python
$ sudo python setup.py install

Now you should be able to run the rfidler.py script to interact with the RFIDler hardware. Plug in the hardware and check the version on your hardware (you may need to run rfidler.py as root on your system):

$ rfidler.py /dev/ttyACM0 'VERSION'
sending 'VERSION'
0003-alpha

To update the firmware, hold the bootloader button and press “reset”. The LED07 and LED08 LED’s will start alternating amber and green.

RFIDler Prepped for Bootloader

RFIDler Prepped for Bootloader

You will also see a kernel message indicating that the device has entered into bootloader mode.

$ dmesg | grep Bootloader
[783265.119771] generic-usb 0003:04D8:003C.0006: hiddev0,hidraw2: USB HID v1.11 Device [Microchip Technology Inc. USB HID Bootloader] on usb-0000:02:00.0-2.1/input0

Now, change to the head of the RFIDler directory and flash the device (lots of the status dots have been removed below):

$ sudo mphidflash -r -w firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex
[sudo] password for jwright: 
USB HID device found: 503808 bytes free
Erasing...
Writing hex file 'firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex':..................................................................................................................................
Verifying:..................................................................................................................................
Resetting device...
$ rfidler.py /dev/ttyACM0 version
sending 'VERSION'
0019-beta

Voila!

-Josh

Dec 09

ISACA Review: Hacking Exposed Wireless 2nd Edition

Hacking Exposed Wireless 2nd Edition CoverA special thanks to Horst Karin for posting a great review of my new book, Hacking Exposed Wireless 2nd Edition on the ISACA website.

If you haven’t already checked it out, you can browse the book through Amazon’s Page Viewer. For the first time in print, we provided an in-depth coverage of attacking and exploiting WiFi as well as ZigBee, Bluetooth and DECT technology in the approachable and understandable Hacking Exposed style.

Be sure to check out our companion website to grab the online content and associated files for download.

-Josh

May 13

Wlan2eth 1.2 Release

Wlan2eth is a tool I wrote to convert 802.11 packet captures into Ethernet-style captures; I find this useful when working with various sundry tools that don’t properly handle 802.11 frames.

Adrian Crenshaw sent in a bug report for wlan2eth where he was getting the following output:


$ ./wlan2eth ../forjosh.pcap out.dump
Converted 0 packets.

Turns out I didn’t have support for other 802.11 packet capture link types (Adrian was using PRISM_AVS). I’ve updated wlan2eth to fix this issue, while adding support for Ad-hoc network captures as well.

Questions/Comments/Concerns?

Thanks,

-Josh

May 11

Locating ZigBee Devices

ZigBee Device Finder

ZigBee Device Finder

Since the introduction of the ZigBee-2004 specification, the ZigBee Alliance has made significant improvements in the security of sensor-based wireless networks. Despite improvements introduced in later amendments including the ZigBee-Pro specification, the security is not bullet-proof, due to the significant constraints of CPU, flash and memory availability in low-cost devices. Designing around these constraints, the ZigBee Alliance has made reasonable security options available to vendors of ZigBee products, broadly classifying security levels into high-security mode (intended for enterprise applications) and low-security mode (intended for residential applications). Looking at the available offerings for ZigBee stacks from vendors such as Atmel, Microchip and TI, it is apparent that high-security mode costs more, not necessarily in software costs but in terms of memory, flash and CPU requirements.

If you read up on ZigBee, you’ll quickly identify the Achilles’ heel plaguing the security of any low-cost wireless technology:

“… due to the low-cost nature of ad hoc network devices, one cannot generally assume the availability of tamper resistant hardware. Hence, physical access to a device may yield access to secret keying material and other privileged information, as well as access to the security software and hardware.”
ZigBee Specification 053474r17, Jan. 2008; available from www.zigbee.org
ZigBee CC2420

ZigBee CC2420

Effectively, if you use sensor-based networks, and an adversary is able to steal a device, they can extract key information from the hardware which can be used to exploit the rest of the network. This style of attack has been demonstrated by my neighborly colleague Travis Goodspeed on multiple occasions, snagging encryption keys, dumping device firmware and many other interesting hacks with hardware in hand.

Following Travis’ article, a few people submitted posts indicating that while his attack is interesting, it requires hardware to be effective. Today, we’re a little bit closer to making that reality.
.

Introducing zbfind – ZigBee Location Tracking

Following my previous work on reversing the Microchip Zena ZigBee sniffer, I put together a quick Linux tool to passively sniff for the presence of ZigBee/802.15.4 devices and display some summary information about the identified devices. When a device is selected in the GTK UI, a speedometer needle and histogram will record the relative signal strength of the selected device with a relative distance estimate in feet using the free-space path loss formula. A screen-shot is displayed at the top of this post.

Readers from my SANS Ethical Hacking Wireless course will recognize this UI; it’s based on a tool Mike Kershaw and I wrote for Bluetooth analysis (that has yet to be released, but we have big plans for it, stay tuned). This initial code is a little rough around the edges, but provides a simple interface to track down and identify ZigBee and other 802.15.4 devices in the area.

I’m holding off on releasing this tool until I iron out a few more bugs, but am happy to share the code individually if folks 1. have a Microchip Zena Sniffer and 2. have experience with Linux and Python. Drop me a note if you are interested and meet these conditions (I don’t mean to be unfair, but I want to spend my time working on the code to add features and fix bugs instead of helping users, at the moment; thanks for understanding).

My Goals

My goal in releasing this tool is simple: provide administrators with the firepower to justify the added cost of enterprise-security ZigBee technology with hardware tamper-proof security features. If the tools don’t exist publicly, many people disregard the threat. By making this tool available, I’m hoping people will be able to use it as an argument to justify more expensive ZigBee hardware deployments where warranted by security policy.

-Josh

May 10

Reversing the Microchip Zena ZigBee Sniffer

Microchip Zena Network Analyzer

Microchip Zena Network Analyzer

A few days ago I bought a Microchip Zena ZigBee sniffer. This USB HID device comes with simple software for Windows that captures and decodes 2.4 GHz 802.15.4, ZigBee, MiWi (Microchip stack) and MiWi-P2P traffic. It’s $150, which is a little steep considering that it is a PIC18LF with USB and a MRF24J40 radio, but I’ve had fun playing with it all the same.

The Zena 3.0 sniffer software provides a basic per-packet view of frames. I guess we are all spoiled by Wireshark, but I was hoping for more detail and a better UI. The Zena sniffer can save a capture in a proprietary file format, and can export selected frames (to the clipboard) in space-delimited hex bytes.

A cool accompanying feature is the network configuration display interface where Zena will identify all the parent/child relationships observed. You can specify a BMP background as a floorplan and move the nodes to their physical locations as well.

Zena Packet Capture Tool

Zena Packet Capture Tool

Zena Sniffer Network Configuration Display

Zena Sniffer Network Configuration Display

SnoopyPro Capture of Zena USB Traffic

SnoopyPro Capture of Zena USB Traffic

With no Linux support, I decided to write my own user space Linux driver to capture packets with the goal of integrating it into libpcap captures and other tools including Kismet Newcore. Plugging into a Linux box, it was clear that the device was using the USB HID, which was good news for me since it would be simpler to reverse the configuration details. Using the SnoopyPro USB sniffer, I was able to look at the USB packets, observing data from frames shown by the sniffer, as well as recording the configuration activity based on the channel I specified to capture on.

With this information, it was straightforward to identify the USB endpoint 0×01 as the control channel (for setting the channel) and USB endpoint 0×81 as the data endpoint (for delivering frames). Using PyUSB with the excellent Pymissle project by Scott Weston as an example, I quickly put together a tool that can set the channel number and capture frames from the Zena device, dumping the hex bytes to stdout.

Linux Microchip Zena data, isn't it beautiful?

Linux Microchip Zena data, isn't it beautiful?

The Python script is available here. It’s hack, but it was enough to get me started on what will be my next post: zbfind, a location tracking and identification tool for ZigBee and 802.15.4 networks.

-Josh