Transmissions

by Dragorn

Here's a change of pace.

I'm actually feeling optimistic about some things in our field.  There are some amazing new opportunities for research into protocols which were completely opaque to most of us without corporate budgets, and more eyes on something can only be good.

Sniffing Wi-Fi is easy.

Sniffing Wi-Fi has been, for the most part, always really easy to do.  Since the beginning of the last decade, $85 and a PCMCIA slot would get you a cheap Prism 2 or ORiNOCO card, another $80 or $100 would get you a GPS and a serial cable, and you were good to go.  Now you can go on Amazon and get a card an order of magnitude more capable and sensitive for $40.  Get yourself three and cover the whole spectrum.

Wi-Fi has a lot of vulnerabilities.

There are any number of well-known attacks against it, and every few months someone comes out with a new clever way to break Wi-Fi.  By comparison, Bluetooth is relatively unheard of in the vulnerability world.  There aren't many attacks for it.  You can scan for devices set in discovery mode, but in the last five or six years, most default to hidden, and even though almost every device out there says "Use the PIN 0000 or 1234," you don't hear about any significant hijacking of Bluetooth devices.

What's the big difference?

Is Bluetooth actually much more secure than Wi-Fi?  Not really - but you can't sniff Bluetooth for $50.  You can't sniff Bluetooth for $200.  The barrier for entry to sniffing Bluetooth has typically been either a multi-thousand dollar commercial development system which can analyze the device you're producing, or more recently the still thousand dollar or more USRP2 doing software decoding.

The high cost barrier of entry to play with low-level Bluetooth has kept a lot of hackers from being able to poke at the protocol.  With fewer eyes on it, there has been much less significant research done on it, especially compared to Wi-Fi or even the relatively newer and less well-known 802.15.4 ZigBee protocols.

This has finally been changing with the work done by Mike Ossmann to introduce a low-cost homebrew radio device capable of sniffing Bluetooth, bringing packet capture and injection on Bluetooth into the same price range as Wi-Fi.  Mike has already found a lot of interesting attacks against Bluetooth (check out some of his talks from Shmoocon and Toorcon), and I'd expect more to be forthcoming now that we have cheap tools.

Too many protocols count on obscurity, rarity of hardware, or simple legislative protection to hide poor design.

Why doesn't your Yaesu radio scanner tune to certain frequencies?  Because it was easier to ban the sale of devices capable of intercepting analog cell phone frequencies than it was to fix the protocols to be more secure in the first place.  Besides, no one would ever break the law when they want to clone a cell phone, right?

The key factor in being able to work on digging into a new protocol is being able to communicate with other devices via that protocol.

For network protocols, this is simple: capturing and creating network traffic.  For other protocols, such as those used by smartcards or other inter-chip communications, some type of interface must be built.

For wireless protocols, some ability to interface a radio of the appropriate type and protocol is needed.  Bluetooth is relatively harder to sniff than Wi-Fi or ZigBee, because instead of using a contiguous range for each channel (Wi-Fi, for example, uses 22 MHz per channel), it uses a frequency-hopping method.

When a Bluetooth device pairs, it establishes a random pattern which divides the spectrum up into 80 slices of 1 MHz each, and rapidly moves between them.

In general, this allows more Bluetooth networks to exist in the same space, since each network uses a tiny slice of the bandwidth for a tiny fraction of the time.  The chances of two devices colliding are much less than the wider, overlapping Wi-Fi channels.
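The occupancy argument above can be made concrete with a small model.  This is an added example, not code from the column or from any project it mentions; it takes the column's figures (a contiguous 22 MHz Wi-Fi channel, Bluetooth hopping over 80 slices of 1 MHz) and uses a uniform random hop pattern as a constructed stand-in for a piconet's hop sequence, which in reality is derived from the master's address and clock.

```python
import random
from typing import List

# Figures as given in the column (constructed model around them).
WIFI_CHANNEL_WIDTH_MHZ = 22
BLUETOOTH_SLICES = 80


def wifi_center_mhz(channel: int) -> int:
    """Centre frequency of 2.4 GHz Wi-Fi channels 1-13 (5 MHz spacing from 2412 MHz)."""
    if not 1 <= channel <= 13:
        raise ValueError("only channels 1-13 are modelled here")
    return 2412 + 5 * (channel - 1)


def wifi_channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz-wide channels overlap when their centres are closer than 22 MHz.

    This is why only a few 2.4 GHz channels (1, 6, 11) can coexist without
    stepping on each other.
    """
    return abs(wifi_center_mhz(a) - wifi_center_mhz(b)) < WIFI_CHANNEL_WIDTH_MHZ


def bluetooth_hop_sequence(seed: int, slots: int) -> List[int]:
    """Constructed stand-in for a piconet's pseudo-random hop pattern:
    one 1 MHz slice per time slot, chosen uniformly (assumption, see lead-in)."""
    rng = random.Random(seed)
    return [rng.randrange(BLUETOOTH_SLICES) for _ in range(slots)]


def bluetooth_collision_rate(seed_a: int, seed_b: int, slots: int = 100_000) -> float:
    """Fraction of slots in which two independent piconets land on the same slice.

    Each network occupies one slice per slot, so the expected rate is 1/80 = 0.0125,
    versus 100% of the time for two Wi-Fi networks on overlapping channels.
    """
    a = bluetooth_hop_sequence(seed_a, slots)
    b = bluetooth_hop_sequence(seed_b, slots)
    return sum(1 for x, y in zip(a, b) if x == y) / slots


if __name__ == "__main__":
    print("Wi-Fi channels 1 and 6 overlap:", wifi_channels_overlap(1, 6))
    print("Wi-Fi channels 1 and 5 overlap:", wifi_channels_overlap(1, 5))
    print("Bluetooth per-slot collision rate:", bluetooth_collision_rate(1, 2))
```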

In practice, unfortunately, this makes Bluetooth miserable to hack on.  The channel changing and configuration is handled by the low-level hardware, which we can't easily get access to.

The solution, of course, is to do some hardware hacking of our own.

When people think about hardware hacking now, they probably immediately think of the Arduino - justifiably so.

The Arduino has probably done more to popularize hardware hacking than anything else in recent years, and the quantity of community development behind the Arduino is admirable.  The Arduino isn't the only chip in the game, though.  It's an artifact of a greater drop in the cost of high-tech manufacturing and general tech availability.

For perhaps the first time, the cost of developing high quality, power-efficient, and small devices is well within the range of independent hackers, researchers, and enthusiasts.

The next level of hardware hacking - spinning your own boards - has already become affordable.

Ossmann is proving this via Kickstarter (www.kickstarter.com/projects/mossmann/ubertooth-one-an-open-source-bluetooth-test-tool - currently sold out and closing within 24 hours of this writing, but check for more in the future), using "crowd sourced" (much as I hate that term) funding to build a fairly significant quantity of radio boards capable of interfacing with Bluetooth - $15 gets the PCB, and $100 gets a fully populated, assembled, and tested unit.

Cheap supply chains for custom hardware mean we can now get past the barrier to Bluetooth hacking and start working with it directly, nearly the same as with Wi-Fi.  Even without community funding, making small quantities of custom boards should be within the budgets of many hackers, and definitely affordable if you find a few friends to work on the project with you.

Many conferences are using embedded microcontrollers in their badges as well.

The Next HOPE used the Texas Instruments MSP430 microcontroller and the Nordic RF 2.4 GHz radio chip - coincidentally the same radio chip used in the Nike iPhone exercise device, and Microsoft wireless keyboards.  Yup, that's right.  Solder some USB headers onto your TNH badge, fire up the code Travis Goodspeed ported from another open-source radio project, KeyKeriki, and sniff wireless keyboards real-time (travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html) - another protocol showing significantly interesting possibilities which was inaccessible due to lack of affordable tools, and another reason to attend cons!

The first step, obviously, is in designing the board.

There are probably as many circuit board layout tools as there are word processors, with about as much difference in price.  On the free side of things, EAGLE is very popular and has a fairly complete set of parts preconfigured in the system, but comes with usage restrictions and doesn't provide source code.  Fortunately, there are plenty of completely open-source tools which provide similar capability, but typically you'll spend more time laying out custom parts and footprints.

Even circuit design "training" is affordable now - as affordable as free, thanks to online tutorials from SparkFun (and general tutorials on YouTube at large).  Thanks to the increase in homebrew electronics, companies selling parts and components have a business interest in providing good, free tools and tutorials to encourage more development.

Just about the only part of making complex homebrew hardware that can't (realistically) be tackled at home is the PCB manufacturing itself.  Simple boards can be etched at home, but multilayer and surface-mount scale boards are probably not reasonable to tackle single-handedly.  Even PCB printing is surprisingly affordable now, though, with the usual tradeoff of time versus money.

Most PCB manufacturing plants are only interested in larger runs of boards.  Of the ones willing to do smaller batches, you're still committed to a full panel, roughly 18x24 inches.  For making a number of devices, or when time is a critical factor, a full panel is a fantastic option. Using Gold Phoenix, a Chinese manufacturer, you can get a full panel of boards, precut, and delivered in about eight days for $120.  A hundred and twenty dollars!

For smaller runs of boards, or boards which don't need more than two layers, there are several groups who will collate a number of smaller designs into one large panel, and then have that panel manufactured, then segment the orders, and ship them back to the original customers.

You only pay for the amount of boards you need, but you also pay for the time needed for someone to lay them out and panelize them, the additional shipping costs, and you need to wait until enough people have submitted orders to make up a full panel.  Still, when you're on a tight budget or not sure if your design will work and you need a handful of quality boards, it's a fantastic option.  One site, BatchPCB, runs a store where you can sell your design and buy the designs others have made public - CafePress for circuit boards!

The only thing that isn't easily automated for custom hardware is the placement of components and soldering.  There are small-batch pick-and-place automated facilities, but the cost is often too high.

Fortunately, with the tutorial videos online and the classes run at hacker spaces and conferences, the skills needed to do even surface-mount soldering are fairly easy to pick up... and if you're really good at it, you can probably fund your project by selling completed boards at a markup to compensate for your time.

We've finally crossed the threshold where cheap hardware is going to let us do a lot more work with protocols which were closed to us before; Bluetooth, keyboards, smartcards, RFID, even hardware USB sniffing and complex tools like logic analyzers are available for under a hundred dollars, and often with complete specs and board layout files so you can make them on your own if you don't want to buy the assembled version.

Grab some of the new hardware and get hacking.