Travis Goodspeed - Not Quite ZigBee


  1. Not Quite ZigBee; or, How to Sniff a Strange Radio. Open with “Why should you give a shit?” List of Exploits. Travis Goodspeed, 22 April 2010 -- Source Boston, travis@radiantmachines.com
  2. Introduction ✤ Wifi ✤ Bluetooth ✤ Ubertooth ✤ ZigBee ✤ KillerBee, GoodFET, Freakduino Chibi, Daintree ✤ What about everything else?
  3. Introduction ✤ This is not a USRP lecture. ✤ Weird radios are usually one-off designs. ✤ Bad cryptography, if any. ✤ Little testing, quality control. ✤ Vulnerabilities inherited from the chipset.
  4. Citations ✤ Max Moser and Thorsten Schröder ✤ Michael Ossmann ✤ Read my articles for the rest, http://travisgoodspeed.com
  5. Example Targets ✤ Radio Remote Controls ✤ Apple/Nike+ Shoe Pod ✤ Garmin ANT+ Watch ✤ Microsoft Keyboard
  6. Methodology ✤ Dissect a device. ✤ Part numbers, chip die photographs, firmware. ✤ Determine radio encoding, rate, and frequency. ✤ 2FSK, 2Mbps, 2.4GHz ✤ QPSK, 1Mbps, 2.4GHz ✤ Build a transceiver.
  7. Part Numbers ✤ CC2420, EM250, A7125 ✤ Uniquely identify the part, index the datasheet. ✤ Vulnerabilities are indexed by part number, not product name. ✤ Sometimes they are missing or ground off. ✤ HNO3 and H2SO4 are your friends!
  8. Datasheets ✤ Describe registers and pins. ✤ Sometimes private, but often public. ✤ Read the whole damned thing, and you’re sure to find bugs. ✤ Also read the errata sheets. ✤ For this chip and its ancestors.
  9. Datasheets
  10. Die Badges ✤ Identify the internal part number. ✤ Sometimes this is the public one. ✤ Sometimes it isn’t. ✤ Animals, Logos ✤ Lot numbers.
  11. TI/Chipcon CC1110
  12. Amiccom A7125
  13. Amiccom A7125
  14. nRF24L01+
  15. Ember EM357
  16. Ember EM357 Magnum
  17. Mystery 2.4GHz Radio nRF24E1G ✤ Logo first. ✤ Inductors. ✤ Lollypops! ✤ Fill Pattern
  18. (image-only slide)
  19. Mystery vs. CC1110
  20. Mystery vs. EM357
  21. Mystery vs. nRF24L01+
  22. Mystery vs. nRF24L01+
  23. Meet the Lineup ✤ Chipcon ✤ Nordic RF ✤ Amiccom ✤ Others
  24. Chipcon ISM Band ✤ CC1100, 2500 radio. ✤ CC1110, 2500 system-on-chip. ✤ Very configurable. ✤ CC1110 talks to anything sub-GHz. ✤ Undocumented 4FSK, use register settings for CC1101.
  25. Nordic RF ✤ No promiscuous mode. ✤ There’s a hack, but it’s ugly. ✤ Not very configurable: 2FSK, fixed deviation; integer MHz channels. ✤ Microsoft Keyboards, Mice ✤ OpenBeacon ✤ Sparkfun Keyfob ✤ ANT+, Nike+
  26. Amiccom A7125 ✤ 2.4GHz, 2FSK ✤ Docs in English, Chinese ✤ Unbuffered mode for outputting symbols directly. ✤ 2 million symbols/second! ✤ Handy, but not necessary, for promiscuous sniffing of Nordic traffic.
  27. Modulation Schemes ✤ Frequency Shift Keying (FSK): cheap digital radios, Bluetooth. ✤ Amplitude Shift Keying (ASK, OOK): car remotes, garage door openers. ✤ Phase Shift Keying (PSK): Wifi, ZigBee. ✤ Complicated variations of each.
  28. Frequency Shift Keying ✤ Symbol Rate: Integer or floating? ✤ Frequency: Integer or fractional? ✤ SYNC: Configurable? Repurposed as the address? ✤ Deviation: Space between highest and lowest symbol. ✤ Encoding: 2FSK: low frequency is zero, high frequency is one. 4FSK: +1, +1/3, -1/3, -1
  29. Getting a radio board. ✤ Chips are difficult to use directly. ✤ QFN or BGA chip packages. ✤ Radio layout requires a custom board. ✤ Modules are available with radio and analog chain. ✤ Often lack an MCU, so use a GoodFET. ✤ Commercial boards are often useful. ✤ GirlTech IMME, Next Hope Badge
  30. Configuring the Radio ✤ All digital radios are configured by Special Function Registers (SFR). ✤ Register settings can come from multiple sources: ✤ SmartRF Studio configuring TI/Chipcon radios. ✤ Datasheets ✤ Ask Ossmann
  31. ✤ RF Parameters ✤ Register Addresses ✤ Register Values
  32. Always bring it back to Python
  33. GoodFET Radio Architecture ✤ Firmware in C, client in Python. ✤ Py2Exe port for Win32. ✤ Only tested on the Chinese build. ✤ Firmware is trimmed to support only the needed drivers. ✤ New drivers can be written in pure Python. ✤ Port functions to C as needed.
  34. Turning Point Clicker ✤ Classroom remote control. ✤ Attendance, Quizzing ✤ Nordic nRF24E1G ✤ 8051 MCU ✤ 2.4GHz Radio ✤ External Flash
  35. Radio+8051 MCU, SPI ROM
  36. Dumping Firmware ✤ Chips ✤ nRF24E1G -- 8051 MCU + nRF2401 Radio ✤ 24C32 Boot ROM ✤ Documentation ✤ Datasheets, Reference Design
  37. nRF24E1 ✤ 8051 Microcontroller ✤ More popular than ARM and x86. ✤ Internal nRF2401 Radio ✤ 1Mbps GFSK Radio ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing ✤ No internal Flash. Boots from external EEPROM. ✤ No promiscuous mode. (The hack comes later.)
  38. Radio+8051 MCU, SPI ROM
  39. nRF24E1 Firmware in IDA ✤ "goodfet.spi25c dump clicker.hex" ✤ Copy all but first 7 bytes to clicker.bin. ✤ Load clicker.bin to CODE memory at 0x0000.
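
The three steps on slide 39 (dump the boot EEPROM, drop the 7-byte header, load the rest at CODE 0x0000) as a small script. This is an added example, not GoodFET's own code: it assumes the dump file is Intel HEX (the slides name it clicker.hex; a raw binary dump is passed through unchanged), and the sample dump embedded below is constructed for the example, header values included.

```python
"""Turn a GoodFET SPI EEPROM dump into an 8051 code image (slide 39).

Added example, not GoodFET code. Assumes the dump is Intel HEX (a raw
binary dump is accepted as-is). The 7-byte header removed is the boot
header the slides say to skip; the sample dump below is constructed.
"""
from typing import Dict

HEADER_LEN = 7  # "Copy all but first 7 bytes to clicker.bin" (slide 39)


def parse_intel_hex(text: str) -> bytes:
    """Parse Intel HEX data (type 00) and EOF (type 01) records into one
    contiguous image starting at address 0. Unwritten bytes read 0xFF, as
    on an erased EEPROM. Bad lengths or record checksums raise ValueError."""
    image: Dict[int, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: not an Intel HEX record")
        rec = bytes.fromhex(line[1:])
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        if len(rec) != count + 5:
            raise ValueError(f"line {lineno}: record length mismatch")
        if sum(rec) & 0xFF:  # all bytes incl. checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad record checksum")
        if rtype == 0x01:
            break
        if rtype != 0x00:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
        for offset, value in enumerate(rec[4:4 + count]):
            image[addr + offset] = value
    if not image:
        return b""
    return bytes(image.get(i, 0xFF) for i in range(max(image) + 1))


def load_dump(data: bytes) -> bytes:
    """Accept either an Intel HEX text dump or a raw binary dump."""
    if data[:1] == b":":
        return parse_intel_hex(data.decode("ascii"))
    return data


def to_code_image(dump: bytes, header_len: int = HEADER_LEN) -> bytes:
    """EEPROM contents minus the boot header: what IDA loads at CODE 0x0000."""
    eeprom = load_dump(dump)
    if len(eeprom) <= header_len:
        raise ValueError("dump shorter than the boot header")
    return eeprom[header_len:]


# Constructed stand-in for clicker.hex: a 7-byte header (values made up),
# then a few 8051 instructions (LJMP 0010h; MOV P1,#0FFh; SJMP $; NOP) and
# a second record at 0x0010 (CLR A; MOV P1,A; RET).
SAMPLE_HEX = b"""\
:10000000010C00000000000200107590FF80FE004F
:04001000E4F5902261
:00000001FF
"""

if __name__ == "__main__":
    code = to_code_image(SAMPLE_HEX)
    with open("clicker.bin", "wb") as fh:
        fh.write(code)
    print(f"wrote {len(code)} bytes of code, first bytes {code[:3].hex()}")
```

Verifying every record checksum before trusting the image is the point of the parser: a dump taken over a flaky SPI connection is easy to mistake for obfuscated or corrupt firmware once it is in the disassembler.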
  40. Just 3kB of Code
  41. nRF24E1 Internal Arrangement ✤ 8051 MCU ✤ Internal SPI Bus ✤ RADIO register #0x80
  42. Useful Registers ✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF ✤ P1 LED Port ✤ P0.0 SPI EEPROM Slave Select ✤ RADIO #0x80 ✤ RADIO.3 is Radio Slave Select ✤ RADIO.7 is Power Up
  43. From Registers to Functions
  44. RADIOWRCONFIG ✤ Just a lot of SPIRXTX. ✤ 08 08 00 00 00 00 00 00 00 ✤ (1B) (1C) (1D) ✤ 63 6F ✤ (1A)+1
  45. Data Width, ADR, ADR Width, CRC, LEN, Config, Channel
  46. RADIOWRCONFIG ✤ Just a lot of SPIRXTX. ✤ 08 08 00 00 00 00 00 00 00 ✤ (1B) (1C) (1D) -- MAC at 0x1B, 0x1C, 0x1D ✤ 63 6F ✤ (1A)+1 -- Channel at 0x1A ✤ 4 bytes of data ✤ 1 byte checksum
  47. Transmission ✤ Function takes one byte of input. ✤ Repeated calls to SPITXRX ✤ (1E) (1F) (20) // Destination MAC Address ✤ (1B) (1C) (1D) // Source MAC Address ✤ (input) // Button Code
  48. Destination MAC at 1E, 1F, 20 ✤ MOV 0x1E, #0x12 ✤ MOV 0x1F, #0x34 ✤ MOV 0x20, #0x56 ✤ DMAC is 0x123456 ✤ Payload length is 4 bytes. ✤ One byte checksum.
  49. Turning Point Sniffing ✤ 2.441 GHz, 1Mbps ✤ Address: [0x12, 0x34, 0x56] ✤ Payload: ✤ 3 byte MAC ✤ 1 byte Button (ASCII)
  50. Load the Registers by GoodFET
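
The frame format recovered on slides 46-49 (destination 0x123456, a 4-byte payload of 3-byte source MAC plus one ASCII button, 1-byte checksum) as encoder and decoder, with a tally of what a passive listener learns from the clear-text link. This is an added example, not the talk's or GoodFET's code. The slides do not say how the checksum is computed; CRC-8 with polynomial 0x07 and initial value 0xFF over the preceding seven bytes is assumed here, and the sample capture is constructed with that assumption, so the check demonstrates the parsing, not the real clicker's algorithm.

```python
"""Build and decode Turning Point clicker frames (slides 46-49).

Added example, not the talk's or GoodFET's code. Frame: 3-byte destination
address, 3-byte source MAC, one ASCII button byte, 1-byte checksum. The
checksum algorithm (CRC-8, poly 0x07, init 0xFF) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEST_MAC = bytes([0x12, 0x34, 0x56])  # slide 48: MOV 0x1E,#0x12 / 0x1F,#0x34 / 0x20,#0x56
FRAME_LEN = 3 + 4 + 1                  # address + payload + checksum


def crc8(data: bytes, poly: int = 0x07, init: int = 0xFF) -> int:
    """Assumed 1-byte checksum (CRC-8, MSB-first, no final XOR)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass(frozen=True)
class ClickerFrame:
    dest: bytes
    source: bytes
    button: str
    checksum_ok: bool


def build_frame(source: bytes, button: str, dest: bytes = DEST_MAC) -> bytes:
    """Transmit side (slide 47): destination MAC, source MAC, button byte, checksum."""
    if len(source) != 3 or len(dest) != 3:
        raise ValueError("MAC addresses are 3 bytes")
    code = button.encode("ascii")
    if len(code) != 1:
        raise ValueError("button code is a single ASCII byte")
    body = dest + source + code
    return body + bytes([crc8(body)])


def decode_frame(frame: bytes) -> Optional[ClickerFrame]:
    """Receive side: split a captured frame; None if it is not 8 bytes."""
    if len(frame) != FRAME_LEN:
        return None
    dest, source, code, chk = frame[:3], frame[3:6], frame[6], frame[7]
    button = chr(code) if 0x20 <= code < 0x7F else "?"   # non-printable -> '?'
    return ClickerFrame(dest, source, button, crc8(frame[:7]) == chk)


def tally_votes(capture: List[bytes], dest: bytes = DEST_MAC) -> Dict[str, str]:
    """What a listener learns from the clear-text link: the last valid button
    pressed by each source MAC, ignoring corrupt, truncated or foreign frames."""
    votes: Dict[str, str] = {}
    for raw in capture:
        frame = decode_frame(raw)
        if frame is None or not frame.checksum_ok or frame.dest != dest:
            continue
        votes[frame.source.hex()] = frame.button
    return votes


def _flip_bit(frame: bytes, index: int) -> bytes:
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


# Constructed capture: two clickers answering, one bit error, one re-vote,
# one frame addressed to a different receiver, one truncated frame.
SAMPLE_CAPTURE = [
    build_frame(bytes.fromhex("a1b2c3"), "A"),
    build_frame(bytes.fromhex("a1b2c4"), "C"),
    _flip_bit(build_frame(bytes.fromhex("a1b2c3"), "A"), 6),
    build_frame(bytes.fromhex("a1b2c3"), "B"),
    build_frame(bytes.fromhex("a1b2c5"), "D", dest=bytes.fromhex("654321")),
    bytes.fromhex("1234"),
]

if __name__ == "__main__":
    for mac, button in sorted(tally_votes(SAMPLE_CAPTURE).items()):
        print(f"clicker {mac}: last answer {button}")
```

The tally makes the risk concrete: nothing in the frame beyond a 1-byte checksum ties an answer to a clicker, so the 3-byte source MAC is the only "identity" the receiver has, and it travels in the clear.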
  51. Microsoft Keyboard ✤ 2.4GHz Nordic, XOR crypto ✤ SYNC varies by unit. ✤ Again, there’s no promiscuous mode. ✤ Initial Exploit in Keykeriki 2.0 ✤ Max Moser and Thorsten Schröder ✤ Amiccom A7125, nRF24L01+
  52. Holy crap that’s bad crypto!
  53. Promiscuity is a Citizen’s Duty ✤ If the crypto is so bad, why is it hard to sniff? ✤ SYNC field is unique to the unit. ✤ Receiver must know the SYNC to receive a packet. ✤ Two solutions: ✤ 1) Search raw radio traffic for the preamble. (Keykeriki) ✤ 2) Use the preamble as if it were a SYNC. (GoodFET)
  54. Schröder and Moser’s Solution ✤ A7125 samples raw bits at 2Mbps. ✤ ARM CPU looks for the preamble. ✤ When the MAC is found, load nRF24L01+ to sniff. ✤ Dump to PC for interpretation. ✤ Can it be cheaper?
  55. GoodFET Autotune ✤ Reduce MAC length to two bytes. ✤ Disable checksums. ✤ Set MAC to 0x0055 or 0x00AA. ✤ Count occurrences of 5-byte sequences: ✤ Might be shifted off by a bit. ✤ Filter out noise.
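
A bit-level simulation of the autotune steps on slides 53-55, to show why a per-unit SYNC gives no confidentiality: idle zeros plus the preamble match a 2-byte address of 0x0055 or 0x00AA, so the receiver hands over the unknown 5-byte address as if it were payload, and counting the 5-byte windows (including a one-bit shift, since 0x0055 locks one bit earlier than 0x00AA) separates it from noise. This is an added example, not GoodFET's autotune code; the bitstream, the transmitter address 0xC24B175A99, the payload and the 0xAA preamble are all constructed assumptions. The defensive lesson is slide 52's: addressing is framing, not a secret, so the link needs real cryptography.

```python
"""Simulate the GoodFET "autotune" trick (slides 53-55) on a constructed
bitstream. Added example, not GoodFET code. A Nordic-style receiver with
its 2-byte address set to 0x0055 or 0x00AA syncs on idle zeros plus the
0xAA preamble, delivering the real 5-byte address as "payload". Address,
payload, preamble and noise below are all constructed.
"""
import random
from collections import Counter
from typing import Optional, Tuple

ADDR_LEN = 5                           # recover a 5-byte address via a 2-byte one
SYNCS = (b"\x00\x55", b"\x00\xaa")    # the two "preamble as SYNC" settings


def bits_of(data: bytes) -> str:
    """Bytes to an MSB-first bit string, the order the radio clocks them."""
    return "".join(f"{b:08b}" for b in data)


def bytes_of(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def candidates(stream: str, sync: bytes, addr_len: int = ADDR_LEN) -> Counter:
    """Each time the sync pattern appears, take the following bits as a
    candidate address. 0x0055 matches one bit earlier than 0x00AA, so both
    the raw window and a copy shifted by one bit are counted."""
    pattern = bits_of(sync)
    width = addr_len * 8
    found: Counter = Counter()
    start = stream.find(pattern)
    while start != -1:
        begin = start + len(pattern)
        window = stream[begin:begin + width + 1]
        if len(window) == width + 1:
            found[bytes_of(window[:width])] += 1
            found[bytes_of(window[1:])] += 1
        start = stream.find(pattern, start + 1)
    return found


def autotune(stream: str, min_count: int = 2) -> Optional[Tuple[bytes, int]]:
    """Merge counts over both SYNC settings, drop one-off noise, and return
    the most frequent 5-byte sequence with its count."""
    total: Counter = Counter()
    for sync in SYNCS:
        total.update(candidates(stream, sync))
    kept = [(addr, n) for addr, n in total.items() if n >= min_count]
    if not kept:
        return None
    return max(kept, key=lambda item: item[1])


# --- constructed "air capture" -----------------------------------------
TRUE_ADDR = bytes.fromhex("c24b175a99")   # constructed transmitter address
PREAMBLE = b"\xaa"                        # assumed preamble (address starts with a 1 bit)
PAYLOAD = bytes.fromhex("deadbeef")       # constructed payload


def make_stream(addr: bytes = TRUE_ADDR, packets: int = 6, seed: int = 1) -> str:
    """Idle zeros, one packet, then random noise, repeated `packets` times."""
    rng = random.Random(seed)
    chunks = []
    for _ in range(packets):
        chunks.append("0" * rng.randint(10, 30))
        chunks.append(bits_of(PREAMBLE + addr + PAYLOAD))
        chunks.append("".join(rng.choice("01") for _ in range(rng.randint(20, 60))))
    return "".join(chunks)


if __name__ == "__main__":
    best = autotune(make_stream())
    if best is None:
        print("no repeated address found")
    else:
        print(f"most frequent 5-byte sequence: {best[0].hex()} seen {best[1]} times")
```

Each packet contributes the true address twice (once aligned via 0x00AA, once via the shifted copy of the 0x0055 window) and its two misaligned neighbours once each, so with six packets the real address wins 12 to 6 and random noise never repeats enough to pass the filter.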
  56. GoodFET Autotune
  57. GoodFET Autotune
  58. Conclusions
  59. Sidebar ✤ Somehow we have time left. ✤ Let’s not waste it.
