Rogue Device Spotlight: WiFi Pineapple

RISK ASSESSMENT RATING: 7.67

Popularity: 10

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The WiFi Pineapple is the rare device that has been commercialized without losing its core user base. Used both for rogue activities and for penetration testing, the WiFi Pineapple is the standard by which many rogue devices are measured.

Simplicity: 8

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device. 1 is expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate; 10 is low-cost, available for purchase online, plug-and-play operation.

Simplicity is one of the Pineapple’s draws: with a fairly intuitive UI and an incredibly robust series of tutorials, it can be used out of the box by nearly anyone with minimal experience and the help of the Internet.

Impact: 5

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide, superuser-level compromise or equivalent.

While the Pineapple has the ability to cause some serious damage when used by a pro, more often it is used for simple demos and scripted attacks. The weak CPU and embedded OS severely limit the ability to perform many attacks and raise the skill level required for advanced ones, which in our eyes lowers the potential impact.

WiFi Pineapple

Originally released back in 2008, the WiFi Pineapple from Hak5 is one of the oldest mass-market rogue devices, and has since inspired numerous clones and variations. Unlike some devices which have been shoehorned into their roles as penetration testing devices, the WiFi Pineapple was designed from the ground up for WiFi security work, with custom hardware, custom software, and an intuitive web interface.

The WiFi Pineapple is especially well suited for use as a rogue access point, with specific focus on Man-In-The-Middle attacks (MITM), via its “PineAP” feature. The WiFi Pineapple also offers an open API for the creation of community developed system plugins known as “Infusions”, and even includes an “Expansion Bus” and Arduino-based hardware development kit for hardware attacks and interfacing with other devices.

Hardware Specifications

  • CPU: Atheros AR9331 SoC @ 400 MHz
  • RAM: 64 MB
  • ROM: 16 MB
  • OS: Modified OpenWRT
  • I/O: Ethernet, USB, Serial TTL, Expansion Bus
  • Radios: Atheros AR9331 802.11 b/g/n, Realtek RTL8187L 802.11 b/g
  • Storage: Up to 32 GB MicroSD in FAT/EXT

Photos: WiFi Pineapple (image not reproduced)

Hands-On

The WiFi Pineapple has gone through several revisions since its original release in 2008, the most recent being revision 5. You don’t go through so many versions of a device without straightening out some kinks, and the WiFi Pineapple certainly shows it. From the custom manufactured hardware (a rarity in this era of cheap commodity Linux devices) to the slick and modular web interface, the WiFi Pineapple definitely has the feel of a polished and professional device.

Of particular note is the very clever use of physical DIP switches on the side of the device. In the web configuration there is a page that lets the user configure commands to be executed on boot depending on the position the switches are in. So for example, you could set one combination of switches to automatically launch attacks against WiFi networks in the area, and another combination of switches to simply log WiFi networks passively. Then it’s just a matter of starting the WiFi Pineapple up with the switches in the appropriate position to choose which mode you want to operate in, no computer needed. Being able to control the WiFi Pineapple without needing to connect to it from another device is a huge boon, though it is hampered by the fact that you need to fully shut down and then restart the device for the switches to take effect.

The hardware development kit that plugs into the expansion port seems like a good idea, but in practice, it doesn’t do anything you couldn’t already do with a standard Arduino plugged into the USB port. Hak5 says hardware expansions (such as an LCD display) could make use of the expansion bus in the future however, so it may yet prove its worth.

Having dual WiFi radios with external antennas is brilliant, and perhaps even the defining feature of the device. Not only are there two of them, but the Hak5 team did their homework and made sure to use the best supported WiFi chipsets. This provides the system with stable monitor and injection modes, which is absolutely critical for many tasks.

If there’s a downside to the WiFi Pineapple’s hardware, it’s surely the underwhelming computational performance. A 400 MHz MIPS SoC with 64 MB of RAM just doesn’t cut it in 2015, not when boards like the Raspberry Pi can run circles around it for ~$35. The WiFi Pineapple attempts to make up for the minuscule amount of RAM onboard by automatically adding a swap partition to the MicroSD card, but that’s more like prolonging the suffering than providing a solution.

But it isn’t that the processor in the WiFi Pineapple is just objectively “slow”, the bigger problem is that in this case the hardware has dictated the operating system the device has to run. Rather than a full Linux distribution, the WiFi Pineapple is running a modified version of OpenWRT, an embedded Linux distro designed for routers.

While OpenWRT is great for turning your old Linksys router up to 11, it isn’t necessarily the best choice for the advanced penetration tester. Forget SSH’ing into the WiFi Pineapple to compile your favorite tool that isn’t included in the official repos: there is no compiler on the device, so anything outside the opkg package feeds has to be cross-compiled against the OpenWRT SDK on another machine and copied over. Building on the device itself just isn’t happening.

Conclusion

With years of experience behind them, Hak5 has designed what is arguably the yardstick by which other rogue devices are measured. The WiFi Pineapple is highly portable, exceptionally easy to deploy, and is almost shockingly affordable at just $100. This is the turn-key rogue device for users who want the maximum amount of impact for the minimum amount of work.

On the flip side, its sub-par performance may leave more advanced users frustrated, and being based on OpenWRT rather than a full-fledged Linux distribution could cause headaches for those who want to bring their own software to the party.

Researcher Develops First Drone Malware

Small unmanned aerial vehicles (UAVs), often referred to collectively as “drones”, are all the rage right now. From delivering packages for Amazon to crashing on the White House lawn, it seems every week there is some new debate about the usefulness and potential danger of the widespread availability of what was once a technology limited primarily to the military.

Questions as to the safety and security of what essentially boils down to a flying computer are unlikely to abate with the news that security researcher Rahul Sasi has developed what he claims to be the world’s first drone malware: Maldrone.

Maldrone

The full details of Sasi’s research won’t be revealed until nullcon in February, but he’s already put a demonstration video up on YouTube and described the general idea on his blog. While there are still some unanswered questions, what Sasi has already shown is enough to call into question how secure some of these consumer-level “drones” really are.

For his research Sasi targeted the AR.Drone, manufactured by Parrot, a Linux powered drone that users can control with their smartphone or tablet over WiFi. In his demonstration, Sasi shows a Python script (drone_expoit.py) which uploads a payload to the AR.Drone over the local WiFi network, to which the drone responds a few seconds later with a reverse shell connection.

Sasi’s software then demonstrates running some standard Linux commands on the drone’s onboard computer, which in this case simply returns the version of Linux it’s running, but could just as easily report data from the drone’s sensors back to the attacker. Finally, the malware shuts off the drone’s autopilot system, causing it to drop out of the sky like a brick.

This demonstration is simply a teaser for Sasi’s larger reveal, but it proves there is real potential to turn these drones against their masters. With the number of sensors onboard these vehicles (GPS, camera, WiFi radio, etc.), they could be used for remote surveillance without the legitimate operator’s knowledge, or simply stolen from the owner by commanding the drone to fly back to the attacker’s location.

One big issue not fully addressed in the demonstration video or the accompanying blog post is whether this exploit can be performed remotely on a stock-firmware AR.Drone, or if the drone in the demonstration has already been compromised by way of a modified firmware. Obviously, the attack is much more potent if it works on the out of the box drone, so the answer to that question will go a long way to prove Maldrone as a valid threat.

Picking on Parrots

Parrot’s AR.Drone line is no stranger to security audits. In 2013, Parrot’s AR.Drone 2 (an enhanced version of the one Sasi is working with) was used in Samy Kamkar’s SkyJack. Kamkar strapped a Raspberry Pi and Alfa AWUS036H onto the AR.Drone 2, and loaded with his software it was able to knock other drone operators off of the WiFi network. With the legitimate user’s smartphone or tablet off the network, Skyjack was able to establish a new connection and remotely command the drone.

The reason the AR.Drone has been targeted in both of these demonstrations is pretty simple: rather than using a custom radio communication protocol like more advanced remote controlled vehicles, Parrot chose to simply go with standard WiFi. This means the AR.Drone is susceptible to a lot of the traditional WiFi tools and exploits, making it a much easier target. It also means that security vulnerabilities in the AR.Drone’s control systems aren’t necessarily indicative of problems with drone technology in general.

That said, increased scrutiny of drone security is coming. The impressive computational power and suite of sensors required to keep one of these vehicles in the air is simply too tempting of a target to be ignored for long, especially as commercialized drone services (such as package delivery) start becoming mainstream.

OBDII Hacks Leave Vehicles Vulnerable

Modern vehicles pack a considerable amount of processing power, and with self-driving vehicles on the horizon, they are only going to get “smarter” in the near future. There’s been talk of security vulnerabilities with modern computerized vehicles in the past, but they’ve largely been theoretical or specifically targeted a make and model of car that the security researchers had spent time poring over.

But recent research has shown serious security flaws in commonly used OBD (On-Board Diagnostics) devices which are used by millions of drivers to report on their vehicle health and driving habits. It would be rather complex to perform in the wild, and not all vehicles with the devices onboard would be vulnerable, but this still represents one of the most broadly applicable and realistic vehicle cyber attacks presented so far.

Hacking the Zubie

The most detailed research so far has been conducted by Argus Cyber Security on the Zubie, an OBDII device which contains a cellular modem and automatically collects data about fuel economy, engine status, and even the vehicle’s location via GPS.

Cracking the Zubie started with connecting to the device’s built-in diagnostic port, which turned out to be nothing more than a standard serial UART. After connecting the serial port to their computer, the researchers were presented with a common AT command interface that allowed them to download all the files stored on the device. After decompiling the compiled Python files that make up the Zubie’s executable programs, the researchers recovered the original source code and could see what the device was doing.

The researchers were able to figure out that the Zubie didn’t use any kind of encryption or authentication for its firmware updates; it would simply download and install any file it was given over the cell network. The designers clearly didn’t think authentication was required since the Zubie would only be connecting over the supposedly secure cellular network; but unfortunately for them, rogue cell sites are now very much a reality with advancements in software defined radio (SDR).

By setting up a rogue cell site and a DNS server with false records, the researchers were able to get the Zubie to happily download a trojanized firmware update that allowed remote command of the vehicle’s CAN bus. The more advanced the vehicle, the more of its functions are tied into the CAN bus; being able to access it remotely could give an attacker access to everything from remotely unlocking doors to shutting down the engine.
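To make the failure concrete, here is an added example, written for this page and not code from Zubie, Argus or Progressive, of an updater that installs anything it receives beside one that verifies an authentication tag over the image and refuses rollback to an older build. The update format, the device key and the sample images are constructed. For brevity it uses a symmetric HMAC key provisioned on the device; a shipping design would put a public key on the device and sign updates with the matching private key, so that dumping one unit over its UART (as Argus did) does not yield a key that signs for every other unit.

```python
"""Firmware-update handling: the accept-anything pattern described for the
Zubie, beside a verifying updater.  Added example for this page; not Zubie,
Argus or Progressive code.  Format, key and sample images are constructed."""
import hashlib
import hmac
import struct

# Constructed: a per-device key shared only with the update server.  A real
# design would use an asymmetric signature (public key on the device).
DEVICE_KEY = bytes.fromhex(
    "8f3a0c6d91e2b7c4d5a61f0e2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e")

HEADER = struct.Struct(">4sI")   # magic "FWUP", monotonically increasing version
TAG_LEN = hashlib.sha256().digest_size


def build_update(version: int, image: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Server side: header || image || HMAC-SHA256(key, header || image)."""
    header = HEADER.pack(b"FWUP", version)
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + image + tag


class VulnerableUpdater:
    """Installs whatever arrives, treating the cell network as the
    authentication.  A rogue base station plus a spoofed DNS answer is
    enough to feed it a trojanized image."""

    def __init__(self) -> None:
        self.installed = None

    def install(self, blob: bytes) -> tuple:
        self.installed = blob
        return True, "installed"


class VerifyingUpdater:
    """Accepts an image only if the tag verifies under the device key and
    the version is newer than the running one (no rollback to an old build)."""

    def __init__(self, key: bytes, running_version: int) -> None:
        self.key = key
        self.version = running_version
        self.installed = None

    def install(self, blob: bytes) -> tuple:
        if len(blob) < HEADER.size + TAG_LEN:
            return False, "truncated"
        header = blob[:HEADER.size]
        image = blob[HEADER.size:-TAG_LEN]
        tag = blob[-TAG_LEN:]
        expected = hmac.new(self.key, header + image, hashlib.sha256).digest()
        # Constant-time compare: a plain == leaks the tag byte by byte.
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        magic, version = HEADER.unpack(header)
        if magic != b"FWUP":
            return False, "bad magic"
        if version <= self.version:
            return False, "rollback refused"
        self.installed = image
        self.version = version
        return True, "installed"


def demo() -> dict:
    """Constructed scenario: a genuine v3 build, a trojan delivered by a rogue
    cell site (no valid tag), and a replayed genuine but old v2 build."""
    genuine = build_update(3, b"zubie-firmware-v3")
    trojan = HEADER.pack(b"FWUP", 4) + b"open-can-bus-to-attacker" + b"\x00" * TAG_LEN
    replay = build_update(2, b"zubie-firmware-v2")

    naive = VulnerableUpdater()
    strict = VerifyingUpdater(DEVICE_KEY, running_version=2)
    return {
        "naive_accepts_trojan": naive.install(trojan)[0],
        "strict_trojan": strict.install(trojan),
        "strict_replay": strict.install(replay),
        "strict_genuine": strict.install(genuine),
        "strict_version": strict.version,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With a verified image, the rogue cell site and spoofed DNS in the Argus attack only let the attacker deliver a file the device discards; the network stops being the trust boundary. Verifying the tag before reading the version also means the rollback check never runs on attacker-controlled data.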

Pwning Progressive

A completely separate investigation was conducted by Corey Thuen against the Progressive Insurance Snapshot and was presented at the S4x15 Security Conference. Thuen’s research found the Snapshot suffered from exactly the same issues as the Zubie: lack of authentication or encryption on firmware updates and susceptibility to rogue cellular sites. While Thuen didn’t go as far as proving the vulnerability of the Snapshot in the wild like Argus did with the Zubie, it stands to reason that if it works on one it will work on the other.

Both cases are a classic example of the “Security through obscurity” myth, where it is assumed that simply hiding the mechanism by which something works is the same thing as properly securing it. It was assumed that since cellular communications are relatively difficult to eavesdrop on, that there was no need to bother checking if the server the devices were communicating with was actually what it claimed to be.

Remote Controlled Cars

Both attacks result in the same thing: GPS enabled vehicles that can be remotely commanded from anywhere in the world over the cell network. An attacker could locate the car, unlock its doors from his or her smartphone, and never be detected. Or, the attacker could completely shut down traffic by killing the engines on all infected cars on the same street. It may sound like something out of a movie and in truth, it’s probably pushing feasibility. However, it is possible.

As vehicles become increasingly computerized, the cars we drive will start to become just as important to secure as the computers we use at work and at home.

World Leaders Weigh in On Cyber Threats

On January 20th, President Obama delivered his 2015 State of the Union address, an annual speech the President gives to inform both Congress and the American people as to the nation’s current status and goals for the coming year. In this year’s address, President Obama made specific mention about not only the importance of scientific and technological advancement for the United States, but of the dire importance of protecting the nation’s cyber infrastructure.

These statements are pretty exciting to anyone in the security industry, but like most things, there are two sides to the issue. While protecting our data and infrastructure from foreign aggressors is obviously of top concern, there are issues of internal security and privacy which were conspicuously not mentioned in the President’s speech.

Cyber Warfare

In his address, the President went as far as comparing information security to fighting terrorism:

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.”

With the President’s dramatic phrasing, these statements were met with a wild round of applause and even a standing ovation from the members of Congress. To many, addressing information security threats with such a serious tone has been long overdue, and it’s not hard to see why. Increasingly, complex cyber attacks have started to dole out physical damage across the globe, and as our way of life becomes increasingly digital there’s no reason to think that the severity and frequency of these attacks will lessen if unchecked.

While issues of national security, digital or otherwise, are always of the highest priority, the President’s strong opinion on foreign cyber attacks was no doubt strengthened by the recent attack against Sony Pictures and the ensuing controversy over the perpetrator and their motive. Reports of big companies getting hit hard by security breaches are nothing new (in truth, they are becoming dishearteningly common), but rarely have they set off a media circus like the Sony attack did. If nothing else, we can thank Sony’s embarrassing security lapses for getting people’s attention on issues of information security and even starting a national dialog on First Amendment rights.

Ironically, Sony ended up making bigger waves in their failure than they probably would have otherwise. While this was perhaps not the most ideal way to get the nation to think about the realities of cyber warfare, it was unquestionably effective.

Personal Privacy

While statements regarding information security at the national level were a welcome addition to the President’s agenda, many wondered why nothing was said of what has arguably been a larger issue over the last couple of years: domestic surveillance. Thanks to whistleblowers such as Edward Snowden, the public has gotten a glimpse at the global system that is used to track and monitor the communications of individuals; and to say there’s been some pushback from the global community would be an understatement.

But while this issue was glossed over during the State of the Union address, we don’t have to look too far back to get the President’s opinion on the matter. In a recent press conference, the President claimed that technology such as strong encryption could, in itself, be a threat to national security, “If we get into a situation which the technologies do not allow us at all to track somebody we’re confident is a terrorist … and despite knowing that information, despite having a phone number or a social-media address or email address, that we can’t penetrate that, that’s a problem.”

President Obama went on to argue that it is imperative the government have “backdoor” access into social media and other communications networks that it alone can control, not unlike the Clinton-era “clipper chip” proposal. Many analysts noted this as something of a shift for the President, given his previous condemnation of issues such as NSA metadata collection.

But the President’s statements paled in comparison to the hard line British Prime Minister David Cameron took. In no uncertain terms, the Prime Minister claimed that encryption itself should be abolished for the individual, “I think we cannot allow modern forms of communication to be exempt from the ability, in extremis, with a warrant signed by the home secretary, to be exempt from being listened to. That is my very clear view and if I am prime minister after the next election I will make sure we legislate accordingly.”

While both leaders did make it clear that due process would still need to be followed when monitoring citizens’ communications, that’s only a minor consolation for privacy advocates.

Long Road Ahead

The problem is a classic double-edged sword. Nobody would deny that a nation has the right to protect itself from foreign cyber attacks, but at the same time, if the same methods used to monitor digital threats abroad are used against that nation’s citizens it becomes a privacy issue. Such a complicated issue will take time to sort out and will almost certainly outlive the current administration; this is especially the case without a clear and concise plan to address both the growing need for protection against cyber warfare and citizens’ fundamental right to privacy.

As David Cameron has already shown, a candidate’s opinion on these issues will begin to become increasingly important on the campaign trail. The road to a balanced national cybersecurity plan could start at the polls, with voters including technical literacy and respect for privacy in their list of qualities that they look for before casting their ballots.

Opinion: Growth key to agenda for progress

Burlington Free Press

Jan 22, 2015

By Governor Peter Shumlin

The agenda I laid out earlier this month seeks to make life a little easier and more affordable for Vermont families by attacking the two biggest drags on incomes and wages: health care costs and rising property taxes. Addressing those issues alone, however, isn’t enough. If we’re to really make progress for Vermont families, we need to combine increased affordability with expanded job growth and economic opportunity.

We have a plan to do that, and it starts with ensuring more Vermonters have the skills to fill the jobs that are available right here at home. Every day I travel around Vermont I hear from employers that they have jobs to fill if only they could find skilled workers to fill them. From growing companies like Dealer.com, MyWebGrocer, and Logic Supply in Burlington to Pwnie Express in Barre, Yonder in Woodstock, and Global Z in Bennington, Vermont has a growing technology and manufacturing economy that is thirsting for skilled workers.

We’re going to help fix that. Building on programs we’ve already implemented that help Vermont kids get up to two years of free college, we’re implementing an innovative new public/private partnership to create a pathway for Vermont Technical College students to earn a free Associates Degree in Engineering Technology.

Here’s how the program will work: The state will partner with Vermont Tech to recruit employers who have job openings. Vermont Tech and participating employers will then work together to recruit motivated high school seniors, through campus visits and employer tours. Students who sign up for an engineering technology degree through VAST early college at Vermont Tech will get their first year of higher education free while finishing high school, then will be guaranteed a summer internship at the partnering employer to gain critical job skills. When they return to Vermont Tech for their second year, the employer will pay for their first semester’s tuition, a cost of about $5,000. The Vermont Strong Scholars program will then pay back their loans for their final semester if they stay and work in Vermont after graduation.

It’s a win-win-win: Enrollment will increase at Vermont Tech, Vermont kids will get a free higher education, and Vermont employers will have a pipeline of skilled employees from which to choose. And by utilizing existing state programs and leveraging private investment from Vermont employers, the new program won’t add costs to the state’s budget at a time when we’re working to match Montpelier’s spending with Vermonters’ ability to pay.

Getting skilled workers to Vermont businesses is a good first step. But we also need to ensure more businesses get to that point of growing, expanding, and hiring Vermonters. To do that, we’re going to increase investment in a proven economic growth incentive for businesses. Just this year, the Vermont Economic Growth Incentive (VEGI) program has provided funding that will help Vermont companies, from National Hanger Co. in North Bennington to Cabot Hosiery in Northfield, Vermont Packinghouse in Springfield, and Blodgett Ovens in Essex, create over 550 new jobs for Vermonters, with an average yearly salary of more than $50,000.

We’ve got a plan to expand VEGI by removing the $1 million cap for special projects outside of Chittenden County; working to change the qualifying wage rate to recognize regional economic differences, which will increase the number of companies around the state that qualify for job creation support; and enabling companies to use VEGI dollars earlier for training new hires.

Finally, with tourism supporting 30,000 jobs in Vermont, we can and should do more to grow this important industry. Working with business in Vermont, we’ll use increased revenue from the rooms and meals tax to boost tourism and marketing funding. Under the proposal, 15 percent of rooms and meals tax receipts above budgeted projections will be invested in increased tourism and marketing support. The funds will also be used to promote remarkable companies that show what a great place Vermont is for technology businesses, manufacturing, and entrepreneurship.

Vermont has a bright jobs future, and our agenda for progress will make it even brighter. I look forward to working with Vermonters to get it passed and am eager to hear any other ideas that will help us help Vermont businesses continue to succeed.

Peter Shumlin of Putney is the governor of Vermont.

The Risks of Crowdfunding a Gold Rush

While it’s far from perfect, crowdfunding has unquestionably opened the floodgates for all sorts of products and ideas which otherwise probably wouldn’t have seen the light of day. Between sites like Kickstarter, Indiegogo, and Crowdsupply, small groups (and even individuals) are able to put projects into motion that the traditional industry players wouldn’t have touched. Without relying on investors in the traditional sense, crowdfunding campaigns can fund the creation of high-risk hardware and software projects with essentially no penalty for failure.

With the incredible popularity of the Raspberry Pi and Arduino, it should come as no surprise that products either inspired by or based on these devices are hitting crowdfunding sites in huge numbers. Unfortunately these devices are popping up so fast, and with so little oversight, that backing one has become a bit of a gamble.

Obviously, they don’t all end up going south, but there are already a few notable examples of what can go wrong when fast money and high tech collide.

Broken Promises

While the idea of crowdfunding products sounds great, the reality isn’t always so rosy. The fact of the matter is that backers are not making a purchase when they pledge their money; they are making a donation. Even after a project has received all (or, in some cases, far more than) the money it asked for, there’s absolutely no guarantee it will ever meet all the goals originally set out for it, much less get released.

The Grossly Misleading

Most crowdfunded projects that end poorly are an honest attempt that simply gets sidetracked by the myriad problems you run into when trying to mass produce a piece of cutting edge hardware. It’s a shame, but it happens.

Unfortunately, there are some funding campaigns that just look like scams, pure and simple. Either the creators misrepresent the capabilities of their product, claim they are farther ahead in R&D than they are, or even just make the whole thing up.

Hopeful Future

But it isn’t all doom and gloom, there are some high quality projects out there that are well thought out and have every indication of going all the way.

The Little Universal Network Appliance (LUNA) from WAW Technologies has recently completed its funding campaign and looks to be on the right track; the team already has a functioning prototype and has clearly defined the goals ahead of it. Then there’s the very slick USB Armory, which is currently blasting past its funding goal.

Of course, until the hardware is in backers’ hands, anything could happen. That’s not to say it isn’t worth pulling the wallet out for a well thought out and documented campaign; just always remember that you’re not making a purchase, you’re making a donation with the possibility of a perk at the end.

News Release of Governor Shumlin’s Budget Address

VT Digger

Jan 15, 2015

By VTD Staff

MONTPELIER – In a detailed address outlining many of the important issues he will seek to address this legislative biennium, Gov. Peter Shumlin today outlined his fiscal year 2016 budget and Part II of his Agenda for Progress to grow jobs, expand affordability and preserve quality of life for Vermonters.

In addition to a balanced budget that closes a $94 million budget gap, the Governor laid out the rest of his aggressive agenda that includes proposals to cut in half the Medicaid cost shift; reduce private health insurance premiums; help get school spending under control; eliminate the cost of an associate’s degree for some Vermont students and provide Vermont employers a pipeline of skilled workers; and increase economic development incentives.

All of these proposals are designed to help working Vermonters by growing jobs and economic opportunity for the state.

“When you listen to the voices of so many Vermonters, from every corner of our state, from every background, and of every political persuasion, their frustration and uncertainty about their future is clear,” the Governor said. “We know many of the drivers of this unease: Rising health care costs and rising property taxes, among others, and no corresponding rise in incomes and property values. Many hardworking Vermonters who would be proud to call themselves members of the middle class are left with a feeling that they are treading water or, worse, dipping below the surface.”

FISCAL YEAR 2016 BUDGET

Vermont’s economy has shown many signs of recovery since the Great Recession. State revenues have rebounded, growing by $175 million between 2011 and 2014 after falling by more than $97 million between 2008 and 2009. This has coincided with increased job growth, a steady decline in the unemployment rate, and a drop in the number of foreclosures. But while Vermont’s economy continues to grow, the growth rate has not been as robust as economists had predicted. In early 2014, the consensus economic forecast was that State revenue would grow by 5 percent over the prior fiscal year. Revenue is now expected to grow by only 3 percent for this fiscal year and general fund revenue growth is expected to remain around 3.5 percent for the next five years.

Researchers Warn of Skeleton Key Malware

eSecurity Planet

Jan 20, 2015

By Jeff Goldman

Dell SecureWorks Counter Threat Unit researchers recently uncovered malware capable of bypassing authentication on Active Directory (AD) systems that use single-factor (password-only) authentication.

The researchers have named the malware Skeleton Key.

“Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal,” the Dell SecureWorks researchers explained in an analysis of the malware. “Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.”

Because Skeleton Key requires domain administrator credentials for deployment, the researchers have observed attackers deploying it using login credentials stolen from critical servers, administrators’ workstations, and the targeted domain controllers.
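Because the patch lives only in memory on the domain controller, the most durable place to look for it is in the authentication traffic it alters. Published analysis of Skeleton Key notes that the patched controller falls back to RC4-HMAC for Kerberos, so accounts that normally receive AES-keyed tickets suddenly receive RC4 ones. The added example below, written for this page and not Dell SecureWorks code, scans constructed, simplified records modelled on Windows event 4768 (Kerberos TGT request) and flags a domain controller where several previously AES-keyed accounts are downgraded at once. The log format is constructed; real events arrive as EVTX/XML and carry the value in the Ticket Encryption Type field.

```python
"""Kerberos encryption-downgrade check over constructed 4768 (TGT request)
records.  Added example for this page; not Dell SecureWorks code."""
from collections import defaultdict

# Ticket Encryption Type values as logged in event 4768.
AES_TYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
RC4_TYPE = 0x17            # RC4-HMAC

# Constructed sample, one record per line: timestamp, event id, account,
# issuing domain controller, ticket encryption type.  legacy-svc has never
# had an AES key, so its RC4 tickets are expected and must not alert.
SAMPLE_LOG = """\
2015-01-19T08:01:03Z 4768 alice DC01 0x12
2015-01-19T08:04:11Z 4768 bob DC01 0x12
2015-01-19T08:05:40Z 4768 carol DC02 0x12
2015-01-19T08:07:22Z 4768 legacy-svc DC01 0x17
2015-01-20T09:12:50Z 4768 alice DC01 0x17
2015-01-20T09:13:02Z 4768 bob DC01 0x17
2015-01-20T09:15:19Z 4768 carol DC02 0x12
2015-01-20T09:16:44Z 4768 legacy-svc DC01 0x17
"""


def parse_records(text: str):
    """Yield (timestamp, account, dc, etype) for each well-formed 4768 line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "4768":
            continue
        ts, _, account, dc, etype = fields
        yield ts, account, dc, int(etype, 16)


def find_downgrades(text: str, min_accounts: int = 2) -> dict:
    """Return {dc: [accounts]} for controllers where at least min_accounts
    accounts that had previously been issued AES tickets were later issued
    RC4 tickets.  A single such account is usually a legacy client; several
    at once on the same DC is the pattern an in-memory Skeleton Key patch
    produces, because it affects every user that controller authenticates."""
    had_aes = set()
    downgraded = defaultdict(set)
    for _, account, dc, etype in parse_records(text):
        if etype in AES_TYPES:
            had_aes.add(account)
        elif etype == RC4_TYPE and account in had_aes:
            downgraded[dc].add(account)
    return {dc: sorted(accts) for dc, accts in downgraded.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    for dc, accounts in find_downgrades(SAMPLE_LOG).items():
        print(f"{dc}: AES->RC4 downgrade for {', '.join(accounts)}")
```

On the sample, DC01 is flagged for alice and bob while carol (still AES on DC02) and legacy-svc (never AES) are not. In practice the baseline of which accounts are AES-keyed should be built from a window well before the suspect period, and a hit on a DC is a reason to compare LSASS memory on that controller against a known-good one, since rebooting it removes the patch and the evidence.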

Hackers for Hire

Over the weekend, word started spreading online about “Hackers List”, a service that offers individuals a way to connect with hackers who are looking for freelance work. While the site clearly states that it exists only to link hackers with potential employers, questions about the legitimacy and legality of such a service immediately started springing up.

With so many hacks in the news recently, it comes as no surprise that the public would be leery about this sort of service. But does a site like this really pose a security threat? Or is this a first step in the process of the positive side (so-called “white hat”) of hacking finally being accepted by the mainstream?

Browsing the Site

Even though news of the site has only recently been hitting the major news outlets, it’s actually been up and running for some time – the first tasks went up for bid in mid-November 2014. That means there’s already a fairly large number of tasks that prospective hackers can browse through and make offers on. Unfortunately, taking a look through the available tasks doesn’t fill one with confidence.

Task List

The majority of tasks on the site take the form of “hacking” into social media or email accounts, with a few requests to have images removed from sites and that sort of thing. While it’s possible that some of the more involved tasks are hidden away in the pages and pages of results (which don’t seem to be searchable, annoyingly enough), there surely can’t be many of them. Even selecting the different categories of hacks, like “Product Manufacturing” or “Writing”, just shows the same kind of password cracking requests that have been misfiled.

It’s entirely possible the site was created with the best of intentions; in the hopes of connecting skilled developers and researchers to individuals and groups who are in need of their specific skills to solve complex and unique problems. But those hopes have surely been dashed by the legions who’ve flocked to the site hoping to get access to their significant other’s email account.

In fact, it seems like every task listed on the site is in violation of their Terms and Conditions and Acceptable Use Policy. Sites turning a blind eye to a few ToS infractions is nothing new of course, but when it seems 98% of the posts on your site violate your own rules, you may as well just dump the rules altogether.

Security Implications

After browsing the site for a bit you come to one very obvious conclusion – there’s really nothing to be worried about here.

While a site like this could potentially be a serious threat – for example, to allow a company to find somebody to break into their competitor’s network – the reality is there’s nothing here but social network denizens looking for quick fixes and pranks. Honestly, it’s hard to believe many successful transactions have even been facilitated by this site, given the inane nature of the tasks and the meaningless responses the “hackers” leave.

In truth, it’s sort of sad to see the state Hackers List is in. It would have been refreshing if the mainstream media had been able to look at this site and see a legitimate marketplace for security research, penetration testing, and development. As it stands, Hackers List does nothing but further the negative hacker stereotypes that are already so pervasive.

At least for now, the line between security professionals and criminals is still unfortunately blurred.

Deconstructing the KeySweeper

Security researcher Samy Kamkar has recently taken the wraps off KeySweeper, a wireless keyboard sniffer that is disguised as a standard USB wall charger, and it’s already gotten quite a bit of attention in the media. Not that making headlines on tech sites is a new feat to Kamkar, who readers may remember from his autonomous hacking drone project SkyJack. While the media has a tendency to exaggerate things a bit, KeySweeper is perhaps the exception to the rule.

We’ve talked about rogue devices hiding in everyday objects before, but there haven’t been many verifiable real-world examples. Only a month ago we covered a story in which many people doubted the very existence of the device in question. KeySweeper presents a rare opportunity to get inside one of these devices and see just what’s possible in such a small package.

Theory of Operation

The development of KeySweeper started by cracking open a wireless keyboard made by Microsoft to see what sort of wireless technology it used. Determining that the keyboard used hardware by Nordic Semiconductor, Kamkar was able to find a compatible radio module for less than $1 on eBay. But looking through the Nordic chip’s datasheet showed that it didn’t appear to have any official sniffing functionality, which would seem to rule out the ability to use it for anything but its intended function.

A bit of research showed that Travis Goodspeed had already done some work in sniffing Microsoft keyboards using the Nordic chipset, coming up with a way of tricking the chip into receiving data in promiscuous mode. Goodspeed’s method was exactly what Kamkar was looking for, but it required a computer and additional hardware. Kamkar ported over some of Goodspeed’s original Python code to C so it could run on a microcontroller, and made some improvements to speed up scanning.

Once Kamkar had a small device capable of receiving packets from Microsoft keyboards, he still needed to decrypt them. As it turns out, researchers Thorsten Schröder and Max Moser had already done a lot of the decryption work in their KeyKeriki project. Some additional discoveries and work by Kamkar got the entire decryption routine down to just a couple of lines of C, suitable for running on even the most basic of processors:

    #include <stdint.h>

    extern uint64_t mac;   // 5-byte keyboard address learned while sniffing; declared elsewhere in the firmware

    void decrypt(uint8_t* pkt)
    {
        // XOR payload bytes 4..14 with the keyboard address, one byte at a time, repeating every 5 bytes
        for (int i = 4; i < 15; i++)
            pkt[i] ^= mac >> (((i - 4) % 5) * 8) & 0xFF;
    }
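As an added, stand-alone illustration (not Kamkar’s code, and not from the KeySweeper repository), the same repeating-key XOR run end-to-end on a constructed packet with a constructed 5-byte address. It shows why the routine is so short: the key is simply the keyboard’s address, which the sniffer already has, and because XOR is its own inverse one function both scrambles and restores the payload. The 15-byte layout (4 header bytes, 11 payload bytes) and the sample address are assumptions chosen to match the loop bounds above.

```c
#include <stdint.h>
#include <string.h>

#define PKT_LEN 15   /* assumption: 4 header bytes + 11 payload bytes, matching decrypt() */
#define MAC_LEN 5

/* Constructed sample 5-byte keyboard address (not a real device value).
 * In KeySweeper the address is not a secret: it is read from the sniffed frames. */
static const uint64_t SAMPLE_MAC = 0xA1B2C3D4E5ULL;

/* Which byte of the 5-byte address masks payload position i (4..14).
 * Positions 4, 9 and 14 all use byte 0, so the key stream repeats. */
int key_byte_index(int i)
{
    return (i - 4) % MAC_LEN;
}

/* Repeating-key XOR over bytes 4..14. The same call "encrypts" a
 * plaintext packet and decrypts a captured one. */
void xor_payload(uint8_t *pkt, uint64_t mac)
{
    for (int i = 4; i < PKT_LEN; i++)
        pkt[i] ^= (mac >> (key_byte_index(i) * 8)) & 0xFF;
}

/* Returns 1 if masking a constructed packet changes only the payload and
 * a second pass restores it exactly; 0 otherwise. */
int roundtrip_ok(void)
{
    uint8_t plain[PKT_LEN] = { 0x0A, 0x78, 0x00, 0x00,          /* header: left alone */
                               'h','e','l','l','o',' ','w','o','r','l','d' };  /* constructed payload */
    uint8_t pkt[PKT_LEN];
    memcpy(pkt, plain, PKT_LEN);

    xor_payload(pkt, SAMPLE_MAC);                 /* first pass: scramble */
    int header_same     = memcmp(pkt, plain, 4) == 0;
    int payload_changed = memcmp(pkt + 4, plain + 4, PKT_LEN - 4) != 0;

    xor_payload(pkt, SAMPLE_MAC);                 /* second pass: restore */
    int restored = memcmp(pkt, plain, PKT_LEN) == 0;

    return header_same && payload_changed && restored;
}
```

With the sample address, the first payload byte 'h' (0x68) is masked with the low address byte 0xE5 and becomes 0x8D; applying the same mask again gives 0x68 back. The only thing standing between a captured frame and the keystrokes is a value the keyboard broadcasts in the clear, which is the whole reason the decryption step adds nothing to the attacker’s workload.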


Inside the KeySweeper

With the software worked out, the next step was getting the hardware as cheaply and small as possible.

In its most basic configuration, the KeySweeper is made up of an Arduino Pro Mini and an NRF24L01+ radio, which can both be had for just a few dollars. With these two devices alone it’s possible to capture and decode wireless keyboards, but a few other optional components make the KeySweeper even more powerful. An SPI flash chip can be used to store large numbers of keystrokes, and a GSM module can send the keystrokes out over the Internet or via SMS messages. There’s even a rechargeable battery which can be used to provide the KeySweeper with power.

KeySweeper Guts

While this sounds like a lot of hardware, it can all be made to fit inside the casing of a standard USB wall charger, even with the charger electronics still inside. The KeySweeper really is perfectly disguised: short of weighing a bit more than the victim might expect, there is nothing that would tip them off to their USB charger actually being a sophisticated espionage tool.

Room for Improvement

Critics will say that the KeySweeper is too focused on one target (Microsoft keyboards using the NRF24L01 radio) to really be a threat, and of course that’s true. As it is now, the KeySweeper is just a proof of concept. What’s really interesting is how future devices will take this concept to the next level.

The proprietary NRF24L01 module could easily be swapped out for similarly sized Bluetooth or WiFi modules for only a few dollars more. This year saw the release of the ESP8266 chip, a $5 module that can be connected to a microcontroller and offer a full TCP/IP stack and WiFi connectivity. A KeySweeper-derived device with an ESP8266 chip onboard could potentially map a victim’s entire network and send it to a central server, while still being cheap enough that it would be disposable.


Tiny development boards like the Arduino don’t have nearly the processing power required to crack serious encryption or manipulate live data on the network…yet. As embedded computers become smaller and more powerful, it won’t be long before low cost boards the size of the Arduino have as much power as our smartphones do now.

KeySweeper Impact

The KeySweeper is undeniably impressive, but what may be making its reveal an even bigger story is the fact that Kamkar has documented the entire build process (even providing links to where he purchased the individual components) and released all of the source code for both the KeySweeper itself and the server side data collection tools on GitHub.

Instead of trying to sell this product as a kit, or attempting to crowdsource it as a finished product, Kamkar has cracked his project wide open for anyone who doubted that these kinds of devices could be out in the wild. While some will still question whether the USB charger you got with your knock-off MP3 player is something you need to be suspicious of, there is no longer any question that not only is the hardware to build such a device readily available, but nearly anyone can buy it and put one together.

Anyone who looks at the KeySweeper and doesn’t think that the security industry is changing forever is kidding themselves. Devices like this will go from being a newsworthy oddity to a day-to-day threat, and the best way to protect yourself is to understand them as much as possible. With luck, the release of Samy Kamkar’s KeySweeper will do more to inform people on how to best protect themselves from devices like this in the future than it will to give blueprints to those who would build one for their own nefarious purposes.


It could go either way, it just depends who’s listening harder.