I'm the One Who Doesn't Knock: Unlocking Doors From the Network

IoT Hacker

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that led to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)


Attacker Community DEF CON 26 Badge

I’ve spent an unhealthy amount of time over the past 6 months or so participating in the craze that is #badgelife. This year, I built badges for my Security Research Group/CTF Team: Attacker Community. (Because community is important when you’re attacking things.) Like last year, all of my badges were designed, assembled, and programmed by me. There are 24 badges this year, each featuring 8 characters of 14-segment display goodness and Bluetooth connectivity. I may not be one of the big names in #badgelife, but if you just make some badges for your friends, there’s a lot less pressure in case something comes up.


Hacker Summer Camp 2018: Cyberwar?

I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

The Network

So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.

First off, the DEF CON network is really multiple networks. There’s the open WiFi, which is undeniably the Wild West of computers, and there’s the DEF CON “secure” network, which uses WPA2-Enterprise (802.1x) with certificates to verify the APs. The secure network also features client isolation. Additionally, the secure network is monitored by a dedicated NOC/SOC with some very talented and hard-working individuals. I would assert that being compromised on the secure network is approximately the same risk as being compromised on any internet connection.

So, there’s 0-day flying around left and right? Not so much. Most of the malicious traffic is likely coming from someone who just learned how to use Metasploit or just found out about some cool tool in a talk or workshop. Consequently, it’s unlikely to have much impact for those who patch and are security-aware.

What you will see a ton of is WiFi pineapples. People will go buy one at the Hak5 booth, and then immediately turn it on and try to mess with other attendees. It gets pretty old, pretty quickly. Just make sure you’re connected to the DEF CON Secure WiFi and this will be a minimal problem (maybe a denial of service).

In all honesty, the con hotel WiFi is a worse place to be than DEF CON secure, by a large margin. Plenty of stupid things happening there.

3 Approaches

The Minimalist

The minimalist carries a flip phone with a burner SIM. He/she maintains contact with friends using SMS or (gasp) actual phone calls. No laptop, no smart phone to be compromised. This is a great approach if you’re not going to participate in any activities that require tech on hand. If you’re going to hang out, listen to a few talks, and drink, this is the approach with no need to worry about getting compromised.

The Burner

No, this isn’t about Burning Man, although DEF CON is kinda like Burning Man for “400-lb hackers in basements”. This hacker brings a burner version of everything: so a smart phone, but a cheap burner. This probably will get compromised, as their carrier hasn’t pushed a patch in 3 years. (And even before that, it shipped with some shady pre-installed apps that send all your contacts over plaintext to a server in China…). They also bring a $200 Dell or HP laptop with Kali Linux on board.

They connect to the first WiFi they see, never mind that it’s labeled “FBI Surveillance Van 404”. If you plan for your hardware to get pwned, it doesn’t really matter if it’s bad WiFi, right?

Of course, in order for this to work correctly, you have to never use your devices for anything sensitive. Hopefully the urge to check your real email doesn’t get too strong. Or maybe your card is suspended for potentially fraudulent activity (like that $300 SDR) and you decide to log in “briefly” to reactivate it. This route really only works if you can maintain good OpSec.

“Good Enough” Security

If you can set aside ego and assume nobody is willing to try using a $100k+ 0-day on you, you can get by with a reasonable level of security. This involves bringing a modern fully-patched phone (iPhone or “flagship” Android phone), and optionally a well-secured laptop.

For the laptop, I’ve previously discussed using a Chromebook. Even with dev mode for crouton, I believe this to be reasonably safe from remote exploitation. This can also be cheap enough to be a disposable device. In my previous post, I suggested 3 Chromebook options:

Alternatively, you can get a cheap laptop and run fully-updated Windows 10 or Linux with a firewall enabled and be in a pretty good state for passive attacks over the network.

In either case, you should then run a VPN. I like Private Internet Access, but there are a lot of options out there, or you can even run your own OpenVPN server if you’re feeling adventurous.

Summary

There’s never a guarantee of security, but with updated devices & good security hygiene, you can survive the DEF CON networks. The basic elements involved are:

  • Fully updated OS
  • Be super careful
  • Use a VPN
  • No Services Exposed
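The “No Services Exposed” item is the one that is easy to check before you ever join the con WiFi. The script below is an added example (not from the original post): a small POSIX shell filter that reads `ss -tulpn`-style listener lines and keeps only sockets bound to a non-loopback address, i.e. the ones another attendee could reach. The `SAMPLE_SS` text is a constructed sample in the `ss` column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process); the process names and ports in it are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tulpnH` output (not captured from a real machine).
# Column 5 is the local address:port the socket is bound to.
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631   0.0.0.0:*   users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      511    *:8080          *:*         users:(("python3",pid=2210,fd=5))
udp   UNCONN 0      0      [::]:5353       [::]:*      users:(("avahi-daemon",pid=590,fd=12))
tcp   LISTEN 0      4096   [::1]:5432      [::]:*      users:(("postgres",pid=900,fd=6))'

# exposed_services: read ss-style lines on stdin and print only those whose
# local address is not loopback (127.x.x.x or [::1]). Wildcards (0.0.0.0,
# *, [::]) and specific interface addresses are all reachable from the LAN.
exposed_services() {
  awk '$5 !~ /^127\./ && $5 !~ /^\[::1\]/ { print }'
}

# exposed_count: number of exposed listeners in the input on stdin.
exposed_count() {
  exposed_services | wc -l | tr -d ' '
}

# check_sample: run the filter over the constructed sample. Returns 0 when
# nothing is exposed (the state you want before joining the con network),
# 1 otherwise. On the sample it returns 1: sshd, the :8080 listener and
# avahi are all reachable from the network.
check_sample() {
  n=$(printf '%s\n' "$SAMPLE_SS" | exposed_count)
  [ "$n" -eq 0 ]
}

# Stand-alone run: show what would be reachable from the network.
printf '%s\n' "$SAMPLE_SS" | exposed_services
```

On a real Linux laptop the same filter runs as `ss -tulpnH | exposed_services` (`-H` drops the header on current iproute2; on older versions use `ss -tulpn | tail -n +2`). Anything it prints is a service to stop, bind to localhost, or block with the host firewall before connecting; an empty result is the goal.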

Good luck and see you at Hacker Summer Camp!


Hacker Summer Camp 2018: Last Minute Tips

This is an update to my planning guide as we get closer to Hacker Summer Camp. (We’re down to about 3 weeks now!)

Planning Your Time

Schedules and details for events have begun to be released. For example, we have:

It’s time to take a look at the lists of events and times and start making your “must do” list. Resist the temptation to try to plan every minute – first, you won’t be able to stick to it, and secondly, you’ll feel like it doesn’t leave you time for spur of the moment events. There will be conversations you want to have, people you want to meet, or unscheduled activities you want to check out.

For your evening plans, there’s no better source than the DEFCON Parties Calendar. Make sure you hydrate (and maybe take a shower) before you head out for the evening. Some of my favorites from years past include:

Dining & Restaurants

Value Eats

There’s a number of cheap eats in Las Vegas. I covered some of the cheapest in my first post, but I wanted to add a few more notes. I’ll focus on the ones in relatively close proximity to the DEF CON hotels (Flamingo and Caesars) as well as BSidesLV. I’ll also include things whose portion size/quality make up for the (slight) cost.

Quick bites (fast food):

  • Earl of Sandwich
  • Shake Shack
  • Caesar’s Food Court

Fast casual dining (sit down):

Buffets

Buffets on the strip are not cheap, despite what you might have heard. They also can have long lines at dinner time, so don’t expect it to be quick in and out.

  • Caesar’s Palace is home to the Bacchanal Buffet, which has incredibly high quality options (and is one of the top-rated buffets in Vegas), but is a pretty expensive meal. The lines are likely to be very bad during DEF CON, so I suggest going to another hotel if you’re absolutely looking for a buffet.

  • Flamingo’s Paradise Garden Buffet is a middle-of-the-road buffet, with decent, but not outstanding food. It is dramatically cheaper than at Caesar’s, so might be a good option for all-you-can-eat at a lower price.

  • Next door to Caesar’s is the Mirage, which hosts a buffet named Cravings. Unlike many Vegas buffets, beverages here are self-service, so you’ll never be wanting for a drink refill, but also don’t expect many servers around. I haven’t been here myself, but the menus generally look unimpressive.

  • Though not particularly close by, the Wicked Spoon is one of the best regarded buffets in Las Vegas, with gourmet dishes made from the best ingredients. They also offer brunch 7 days a week, which appeals to some.

  • The Buffet at the Wynn (literally, it’s named “The Buffet”) has one of the best dessert/pastry selections along with great entrees and sides. It’s also not cheap, but will not suffer from the peak rush at Caesars.

Nicer Options

These are the kind of restaurants where you’ll want more than a t-shirt and jeans (and almost certainly no shorts)! Reservations are recommended. Vegas is full of these restaurants, but a few of my favorites include:

Top Shelf

Okay, to be honest, I don’t really do the top shelf restaurants myself. If you’re into that sort of thing, you might want to check out the usual guides (Michelin, etc.)

A few I’m familiar with:

  • Bouchon
  • Mon Ami Gabi
  • Restaurant Guy Savoy
  • Nobu

Packing Reminders

Handling the Weather

It’s going to be hot, so be prepared. I strongly encourage bringing a reusable water bottle like the aluminum bottle I’ll be sporting, or a Nalgene bottle. Some will even go with a bladder-style backpack. I’ll also bring along a cooling towel, which works surprisingly well! (They use evaporation to cool you down.)

Hacking All the Things

Maybe you’re into hacking and would like to give it a shot while at DEF CON. There’s a bunch of different options here. If you want to bring a laptop with maximum security, I can’t encourage bringing a Chromebook enough. At the budget end of the spectrum, I really like the Acer Chromebook 11. For a mid-range Chromebook, I like the C302CA. At the top end, there’s nothing quite like the Pixelbook, which is currently 25% off.

While you can get lots of tech in the vendor area, you might want to consider bringing a C232HM universal cable, or at least a UART cable. This will at least get you basic capabilities to play around with any electronic badges you might come across.

If you’re into other specific activities (SDR, etc.), you’ll want to bring the appropriate gear.

Conclusion

It’s time to start making your day-to-day plans. Many have suggested leaving lots of room for flexibility and just going with the flow, which is not a bad idea at all. Have fun!


On Deep Work

I recently stumbled upon Azeria’s blog post The Importance of Deep Work & The 30-hour Method For Learning a New Skill, and it seriously struck a chord with me. Over the past year or so, I’ve struggled with a lack of personal satisfaction in my life and my work. I tried various things to address the issue, but could not figure out a root cause until I read her article, and then it clicked with me.

Even though I was constantly busy at work, I never felt like I was getting the things done that mattered to me: security research, tackling difficult technical challenges, focused security work. Instead I was constantly in meetings, switching tasks, dealing with email, and other work that felt like I was just barely keeping afloat at the office.

I’ve since read Cal Newport’s Deep Work: Rules for Focused Success in a Distracted World, and now I have an understanding of why I’ve had these feelings and, much more importantly, what to do about them. I’ll start by saying that the book is not one I ever thought I would be reading. It sounds like, and is, half self-help book and half business strategy book, neither of which are categories I usually give much attention. But Newport is also a professor of Computer Science, the book was recommended by Azeria, and I felt like I needed to try something different, so I gave it a shot.

The first third of the book is spent defining “deep work” and “shallow work” and convincing you that it’s worth pursuing “deep work”. I nearly gave up on the book at this point because my unhappiness with how things were already going had already convinced me of the value of deep work, so I figured I didn’t need a book to tell me I was doing things wrong, but I stuck with it, and I think it ended up being worth it.

Deep work is creative work that produces new value and requires that you stretch your brain to its limits. It is also the work that is best done in a state of flow (uninterrupted work focused entirely on one task at hand), and is the work that helps to build and grow the pathways in the brain. In my case, deep work includes things like security research, tool building, and learning new skills.

Shallow work is work that doesn’t require the full use of your brain, or that can be easily interrupted and resumed later, such as logistical tasks. In my case, this includes “doing email”, most meetings, and a lot of the collaboration I do with team mates. This is not to dismiss shallow work as unimportant, but it is different and done with a different mindset. It is also easier to get to shallow work with less mental friction, which leads to a tendency to go to shallow work.

All of this discussion is useless to me if I don’t actually make some changes based on what I’ve learned. I also don’t expect the “deep work” mindset to be a silver bullet to fix the problems I’m having. Some of the sources are likely outside that position, and going “all in” on the four rules set out by Newport would be difficult in my current corporate culture.

I am going to try some things though:

  • Schedule at least 3 blocks of 3+ hours a week for Deep Work. During this time period, I will not check email, respond to (or read) instant messages, etc.
  • Reduce the frequency with which I check email to ~3 times per day.
  • Use separate browser windows for deep work, so I can hide the windows that have the distractions.
  • Schedule time for personal projects as deep work.

Some problems I’ll still have:

  • My team works in a highly collaborative fashion. Realtime communication is expected. I’ll need to find some way to sequester myself.
  • I work in an open office floorplan, which has so many distractions that even shallow work is difficult. Finding somewhere to hide and do “deep work” means sacrificing my desktop and its large screens.
  • A corporate culture where anyone can schedule a meeting anytime and expect you to show up.

I’m going to try an increased effort on deep work and following some of the principles from the book, as well as better efforts to track how I spend my time. I’ll report back in 6 months time on whether or not I feel more productive, am happier with my work, and have actually been able to stick to these things.