From our very own Eldon Sprickerhoff comes a report on DEFCON XII...
I get a kick out of baking in the hot sun every August with six thousand other computer geeks. I'm talking about DEFCON - the annual hacker conference in Las Vegas, baby.
From a wireless perspective, here are the highlights of DEFCON 0xC.
Access Points
The wifi network performance seemed better than last year. There seemed to be less de-authentication traffic and fake access points. DEFCON X was where fakeap was unleashed during the wardriving contest, as were various wireless deauthentication programs.
DEFCON Wireless Shootout II
Using puny 30mW Orinoco radios and a couple of big satellite dishes, three teenagers (Team P.A.D.) threw an unamplified signal 55.1 miles across the desert. They might have gone further but they ran out of road. This bested the record from last year (by ASLRulz) by over 20 miles. In the best example of participatory parenting since that "Big Brother" episode of the Simpsons, the father of one of the teenagers drove them from Ohio to Las Vegas to enter the contest. Thunderous applause.
Wall of Sheep
When you use the wifi network at DEFCON, you have to assume that everyone around you is capturing the traffic or actively trying to hack you. Nevertheless, there are always people who have no problem logging in through unencrypted connections. To salute these people, DEFCON presents the Wall of Sheep - a PC capturing unencrypted userids and passwords and projecting them on a screen to the world. And there are a lot of them.
One guy emailed out his tax return in PDF format. Silly rabbit. You never know who's going to be listening in on your traffic.
AirPwn
Easily the most amusing wifi hack of the conference, websurfers were treated to an injection attack featuring the goatse guy and tubgirl. For more details, visit http://www.evilscheme.org/defcon (warning - probably not safe for office viewing). Another good reason to use a proxy through an encrypted tunnel.
Wardriving Contest/Fox and Hound/Running Man
I didn't really pay much attention to these contests - they were all just variations on the wardriving theme which personally is getting a little long in the tooth. I did like the corporate sponsorship though - Fleeman, Anderson + Bird (one of my favourite hardware vendors) was one such sponsor. I highly recommend them at http://www.fab-corp.com as they have great product, good prices, no minimum order size to ship to Canada, and give amazing sales support unlike some other companies I won't mention (ahem http://www.hyperlinktech.com).
Credit Card Networks Revisited: Penetration in Real-Time
A very interesting segment, where people were encouraged to capture and analyze credit card traffic. It actively demonstrated some of what Lowe's hardware store discovered last year.
TCP/IP Black Ops 2004
Dan Kaminsky is now a pretty standard fixture at DEFCON - his talks about hacking TCP/IP are entertaining and always filled to capacity. This is the third time in a row that I've seen him and he always delivers. And as the author of Paketto Keiretsu, his code delivers.
His focus was on exploiting both the recursive and caching aspects of DNS. One project involved tunnelling ssh traffic over DNS queries. This had been done in Linux a while ago, but this implementation was done in user space. What does this have to do with wifi? Practically all for-pay hotspots are susceptible to this attack, since they let DNS traffic through before the user has authenticated, which permits people to access the net without paying. Want to know more? Visit his site at http://www.doxpara.com
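From the hotspot operator's side, the defence against DNS tunnelling is to notice it: a tunnel shows up as a stream of many distinct, long, high-entropy subdomains under one domain, often carried in TXT or NULL records. The script below is an added example written for this post; it is not Dan Kaminsky's code, nor anything from Paketto Keiretsu. It scores a constructed query log per registered domain and flags the ones that look like a tunnel. The log format, the hostnames, and the thresholds are all assumptions for illustration, and "registered domain" is approximated as the last two labels rather than looked up against the public suffix list.

```python
"""Heuristic detector for DNS-tunnelling-style query patterns.

Added example, not code from the original post or from any tool it
mentions.  It profiles DNS query logs per registered domain on features
that tunnels tend to exhibit (many distinct, long, high-entropy
subdomains, skew toward bulk-data record types) and flags outliers.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic), one query per line:
# "<epoch> <client> <qname> <qtype>".  The six hex labels under
# tunnel-host.example mimic chunks of encoded data in a tunnel.
SAMPLE_LOG = """\
1093989600 10.0.0.5 www.example.com A
1093989601 10.0.0.5 mail.example.com MX
1093989602 10.0.0.7 0123456789abcdef0123456789abcdef.tunnel-host.example TXT
1093989602 10.0.0.7 fedcba9876543210fedcba9876543210.tunnel-host.example TXT
1093989603 10.0.0.7 02468ace13579bdf02468ace13579bdf.tunnel-host.example TXT
1093989603 10.0.0.7 13579bdf02468ace13579bdf02468ace.tunnel-host.example TXT
1093989604 10.0.0.7 00112233445566778899aabbccddeeff.tunnel-host.example TXT
1093989604 10.0.0.7 ffeeddccbbaa99887766554433221100.tunnel-host.example TXT
1093989605 10.0.0.5 cdn.example.com A
1093989606 10.0.0.9 ntp.pool.example.org A
"""

# Illustrative thresholds (assumed; tune against your own baseline traffic).
MIN_UNIQUE_SUBDOMAINS = 5
MIN_AVG_SUBDOMAIN_LEN = 24
MIN_AVG_ENTROPY = 3.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain labels joined without dots, registered domain).

    Registered domain is approximated as the last two labels; a real
    deployment would consult the public suffix list instead (assumption).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def profile_domains(records):
    """Aggregate per-registered-domain features from parsed query records."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "bulk": 0})
    for _client, qname, qtype in records:
        sub, domain = split_qname(qname)
        d = acc[domain]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        if qtype in ("TXT", "NULL"):  # record types that carry bulk payload
            d["bulk"] += 1
    profiles = {}
    for domain, d in acc.items():
        n = d["n"]
        profiles[domain] = {
            "queries": n,
            "unique_subdomains": len(d["subs"]),
            "avg_subdomain_len": d["len"] / n,
            "avg_entropy": d["ent"] / n,
            "bulk_ratio": d["bulk"] / n,
        }
    return profiles


def flag_tunnels(profiles):
    """Return the sorted list of domains whose profile looks like a tunnel."""
    return sorted(
        domain for domain, p in profiles.items()
        if p["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
        and p["avg_subdomain_len"] >= MIN_AVG_SUBDOMAIN_LEN
        and p["avg_entropy"] >= MIN_AVG_ENTROPY
    )


def analyse(text):
    """Parse a log and return (per-domain profiles, flagged domains)."""
    profiles = profile_domains(parse_log(text))
    return profiles, flag_tunnels(profiles)


if __name__ == "__main__":
    profiles, flagged = analyse(SAMPLE_LOG)
    for domain, p in sorted(profiles.items()):
        print(f"{domain:22s} q={p['queries']:2d} uniq={p['unique_subdomains']:2d} "
              f"len={p['avg_subdomain_len']:5.1f} H={p['avg_entropy']:.2f} "
              f"bulk={p['bulk_ratio']:.2f}")
    print("flagged:", flagged)
```

On the sample log only tunnel-host.example trips all three thresholds; the ordinary www/mail/cdn lookups under example.com have short, low-entropy labels and are left alone. In practice the bulk_ratio and the per-client query rate are the next features to add, and the thresholds need a baseline from the hotspot's own legitimate traffic before they are trusted.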
Bluesnarfing/Bluetracking/Bluebugging
In the last year, there has been some real churn in Bluetooth hacking software. Even though Bluetooth radios are typically of lower power, there are many more of them thanks to cellphones. Bluesnarfing is defined as pulling information out of a vulnerable Bluetooth device. Bluetracking is defined as tracking a person's movements by using their Bluetooth device's identifier, with a number of readers recording time and position. Bluebugging involves the exploitation of a mobile phone in order to get it to call you back (allowing you to listen in on conversations). I thought the Bluetracking was the most interesting part, since it's passive and practically undetectable.
http://www6.tomshardware.com/business/200408021/defcon-05.html
http://store.bluedriving.com
Shmoo - Wireless Weaponry
The Shmoo Group usually gives a very good performance but I thought this year's was a little lackluster.
They started talking about some DoS techniques and code for WPA (which was very good!) but it then went downhill. They brought out their Wifi Robot which searches for a signal, homes in on the user and shows them their unencrypted passwords. I thought that they showed it at DEFCON XI. They brought out the Sniper Yagi which I thought was a little overhyped and likely to fry someone's eyeballs if they actually looked through the scope while it was turned on (not counting what would happen if you carried it while walking down the street). I thought the Bluesniper Rifle looked cooler.
The lamest part of the presentation was a so-called "stealth wifi sniffer" which turned out to be a Zaurus hidden in a tissue box. I asked them about the power, and they said that it would last for 4 hours. That's exactly 3.5h longer than I get when I use my Zaurus with a wireless CF card - and those sitting around me were calling out "bullshit" too.
I was a little disappointed - I had very high expectations and by the looks on the faces of others in the room, I was not alone. Shmoo took the opportunity to hype the first Shmoocon in 2005 - if you're interested, go to http://www.shmoocon.org for more details.
Nekkidness and Denial
DEFCON has a reputation for some wild parties and nekkid flesh, and this was no exception. Normally, I'd not include this - but I'm sure that someone saw this URL and I swear, that's not me! He might look somewhat like me, but I didn't wear jeans at all in Las Vegas - it's too hot!
http://www.timekiller.org/gallery/SomeChick/photo0056
Seriously, if you're interested in the fringes of security, you must attend DEFCON. I recommend flying JetsGo direct from Toronto.
EWS
A few comments, corrections, etc.
Hackerbot was never officially shown at DefCon XI--just paraded around the pool a couple times. It was shown off again at ToorCon last year. This year, we decided to give Hackerbot its due credit and stage time--to include some very cool updates. Like SDL-based Windows joystick code that runs from the OQO to drive it when it's in manual mode. Or the new touchscreen LCD. Or the "turbo" button that makes it quite challenging to keep pace with.
The WPA DoS was researched so that it could be run from 802.11bounce, the hidden Zaurus-based 802.11 attack platform--creating a Wi-Fi "hand grenade" for WPA networks basically. 802.11bounce is accessed via 1 Watt 900mhz wireless serial connection--which we think is pretty cool. And it runs on lithium ion batteries, not the Zaurus battery, so 4 hours of life, with all the crap it's running, is pretty nifty. And it's not bullshit.
The sniper yagi was admittedly ridiculous, but that was the point. Who would be silly enough to build something like this? Us, of course. But make no mistake, it's quite functional. It's been tested at several miles, and the dual Sony camcorder batteries provide over 8 hours of life. You aim it, connect it to your card, and then turn it on. We don't have a remote trigger for it--yet.
Don't forget HotspotDK updates, the Black Hat Bluetooth Device Tracking experiment, the live Linux CD distro soon to be released, the Windows Wireless Weapons of Mass Destruction coming to ToorCon this year, and of course, ShmooCon in February 2005!
Please forgive us for skimming on a few things, or not providing enough technical depth during the DefCon talk. We had a lot of things we were working on and just wanted to bring folks up to date with an entertaining talk. Depth was sacrificed for dynamics--and 20 minutes of our time was taken up by "Spot the Fed".
I know, I know--excuses, excuses. Okey dokey. Feel free to send comments, criticism, flames, whatever my way.
We hope to see OTHER folks presenting geeky stuff at ShmooCon! The CFP is out!
Thanks.
Sincerely,
Beetle
Posted by: Beetle | Wednesday, September 01, 2004 at 10:57 PM
For those of you wondering how to get more life out of a zaurus (which you pretty much require when you run a 200mw wifi card in them), here's what I did:
As the onboard 3.7volt (750mah?) battery sux0rs, I used two 3.7volt 2aH lithium-ion cells I nabbed off ebay. At 7.4 volts, it provided a nice headroom to the Powertrends 78ST105VC linear (85% something eff) power regulator to feed the zaurus a nice clean 5 volts. The zaurus still did have a battery in it, but it was just 'charging from AC power' heh.
Anyway, we really do get quite a bit of life from a zaurus this way - without TXing on the wifi card (eg: in monitor mode) & the screen off, we really get more like 7 hours. Under typical 'remote' use (heavy TX on the wifi card), we see 4-4.5 hours.
In the picture here:
www.engadget.com
You can see the battery & the regulator on the far left side, both covered in 'enterprise class' plastic bags to prevent shorting & fires. :)
If you have any trouble with this kind of setup, feel free to send me an email & I'll see what I can do to help.
Cheers,
Ericj
Posted by: Ericj | Thursday, September 02, 2004 at 12:36 AM
Thank you for the clarifications/comments, guys.
I especially appreciate the Zaurus battery booster reference.
EWS
Posted by: Eldon Sprickerhoff | Monday, September 06, 2004 at 03:10 PM