Michael Ossmann (@michaelossmann) from Great Scott Gadgets joined us to chat all things SDR, Open Source Hardware, education, and more! Here are links to some of the topics we covered:

- HackRF One
- Ubertooth One
- GreatFET One
- A Mathematician's Lament
- WEP
- Wep dead again article
- APCO P25
- Ettus USRP
- NTLMv1
- Dominic Spill
- GNU Radio
- Michael's KiCon Talk
- gr-bluetooth
- Michael's awesome video series on SDR
- http://www.nsaplayset.org/
- https://en.wikipedia.org/wiki/NSA_ANT_catalog
- IMSI Catcher
- DEF CON 22 - Michael Ossmann - The NSA Playset: RF Retroreflectors
- https://en.wikipedia.org/wiki/The_Thing_(listening_device)
- Cyberspies book
- Samy Kamkar (Featured in Episode 41!)
- Rolljam
- Yardstick One
- https://github.com/nonamecoder/CVE-2022-27254
- https://www.rtl-sdr.com/tesla-charging-ports-opened-with-hackrf-replay-attack/
- How To Write Pop Horn Parts
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Eric-Van-Albert-Zack-Banks-Looping-Surveillance-Cameras-like-in-the-Movies.pdf

Looping Surveillance Cameras through Live Editing of Network Streams
Eric Van Albert, independent security researcher
Zach Banks, independent security researcher

This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers. We have developed several applications for this technology. Most notable is the editing of live video streams to produce a "camera loop," that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.

Eric is a recent MIT graduate who spends his days building 3D printers for Formlabs and his nights crawling around places he probably shouldn't. He has taught seminars on lockpicking and physical security vulnerabilities to various audiences at the Institute, and done a small bit of security consulting work. When he runs out of projects to hack on, he reads the leaked NSA ANT catalog for ideas.

Zach is also a recent MIT graduate with over 0 years of security experience. He's particularly interested in the security of embedded devices and knots. In his free time, he enjoys putting household appliances on the internet and refactoring his old code.
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Joe-FitzPatrick-Matt-King-NSA-Playset-JTAG-Implants-UPDATED.pdf
Extras Here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Joe-FitzPatrick-Matt-King-Extras.rar

NSA Playset: JTAG Implants
Joe FitzPatrick, SecuringHardware.com
Matt King, Security Researcher

While the NSA ANT team has been busy building the next generation spy toy catalog for the next leak, the NSA Playset team has been busy catching up with more open hardware implementations. GODSURGE is a bit of software that helps to persist malware into a system. It runs on the FLUXBABBIT hardware implant that connects to the depopulated JTAG header of certain models of Dell servers. This talk will introduce SAVIORBURST, our own implementation of a JTAG-based malware delivery firmware that will work hand-in-hand with SOLDERPEEK, our custom hardware design for a standalone JTAG attack device. We will demonstrate how this pair enables the persistent compromise of an implanted system, and we will release all the hardware and software necessary to port SAVIORBURST and SOLDERPEEK to your JTAG-equipped target of choice. Anyone curious to know more about JTAG, regardless of previous hardware experience, will learn something from this talk.

Joe has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Software Exploitation via Hardware Exploits and Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects. Twitter: @securelyfitz

Matt is a hardware designer and security researcher who has over a decade of experience designing, securing and exploiting hardware test and debug features on CPUs and SoCs. When not performing pointless hardware tricks, Matt tries to help educate integrated circuit designers on the risks posed by hardware debug capabilities. Twitter: @syncsrc
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Datko-Reed/DEFCON-22-Josh-Datko-Teddy-Reed-NSA-Playset-DIY-Hardware-Implant-over-l2c-UPDATED.pdf

NSA Playset: DIY WAGONBED Hardware Implant over I2C
Josh Datko, Founder, Cryptotronix, LLC
Teddy Reed, Security Engineer

In this talk we present an open source hardware version of the NSA's hardware trojan codenamed WAGONBED. In the leaked NSA ANT catalog, WAGONBED is described as a malicious hardware device that is connected to a server's I2C bus. Other exploits, like IRONCHEF, install a software exploit that exfiltrates data to the WAGONBED device. Once implanted, the WAGONBED device is connected to a GSM module to produce what the NSA dubbed the CROSSBEAM attack. We present CHUCKWAGON, an open source hardware device that attaches to the I2C bus. With the CHUCKWAGON adapter, we show how to attach an embedded device, like a BeagleBone, to create your own hardware implant. We show how to add a GSM module to CHUCKWAGON to provide the hardware for the CROSSBEAM exploit. We improve on the WAGONBED implant concept by using a Trusted Platform Module (TPM) to protect the data collected from the target. The talk will demonstrate how these features can be used for good, and evil!

Josh Datko is the founder of Cryptotronix, an open source hardware company that designs and manufactures security devices for makers. After graduating from the U.S. Naval Academy, Josh served on a submarine where he was the radio communication officer and manager of the key management program. While an embedded software engineer for a defense contractor, he was recalled back to active duty for a brief tour in Afghanistan. In June, he completed his Master's of Computer Science from Drexel University with a focus on systems, security, and privacy. He founded Cryptotronix in 2013. Twitter: @jbdatko

Teddy Reed is a security engineer obsessed with network analysis and developing infrastructure security protections. He has held several R&D positions within US laboratories with focuses on enterprise security defense, system assessments, and system and hardware emulation.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Ossman/DEFCON-22-Michael-Ossmann-Pierce-Toorcamp.pdf
Extra materials available here: https://defcon.org/images/defcon-22/dc-22-presentations/Ossman/DEFCON-22-Michael-Ossmann-CONGAFLOCK-schematic.pdf

The NSA Playset: RF Retroreflectors
Michael Ossmann, Great Scott Gadgets

Of all the technologies revealed in the NSA ANT catalog, perhaps the most exotic is the use of RF retroreflectors for over-the-air surveillance. These tiny implants, without any power supply, transmit information intercepted from digital or analog communications when irradiated by radio signals from an outside source. This modern class of radar eavesdropping technology has never been demonstrated in public before today. I've constructed and tested my own RF retroreflectors, and I'll show you how they work and how easy they are to build with modest soldering skills. I'll even bring along some fully assembled units to give away. Now you can add RF retroreflectors to your own NSA Playset and play along with the NSA!

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.