-
Hack Chat Transcript, Part 2
03/25/2020 at 20:16 • 0 comments
@Dan Fruzzetti Any experience? :)
Tom Redman (I can't @ you for some reason): https://www.cs.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
👀 Thanks!
It seems almost like scifi
Tom: i'd also suggest just investigating the underlying phenomenon of electrostriction as you can reproduce this at home
Even with the CPU instructions... is that truly readable in any meaningful way? Just kinda throwing it out there, I'm sure it could be to people much smarter than me. Some state-level hacks are kind of surreal in their complexity
around Y2K i did several banks in my area as either a mainframe worker for Y2K, a mainframe worker's subcontractor (they were so hot to hire anyone omg), and a hospital administration. the banks would be easier targets today, by far, because their hourly employees are often quite friendly even with people they only vaguely recognize online who may or may not be that one person they think they remember from whatever.
that said, at the time the access controls were different, printers had just made a surprising jump in photorealism and some weird things were awry. i had my own work badge, my own telecom tool belt, and my own telecom tool bag. some trick telecom tools and some stuff to plant.
fact #1: back then, you could just call and say you were coming, and when you arrived you'd have authority as if someone hired you. no authentication strings that i recall, once i was asked for a cost center code and told them i wrote it down but forgot to bring it
@samy kamkar – i'll check that out!
Nice, thanks
@Dan Fruzzetti that is wild!
Honestly the human element... every time.
back then, it was way less tech-deep. what i mean is, if i could get into a back room or into an absent teller's drawer and grab a confidential document or photograph a confidential document, then i'd get a solid day's pay for teaching them all how to avoid it
but you were still sometimes asked to prove you could access the voicemail room, the mainframe room, the 'computer room' etc. and sometimes they'd ask you to leave a calling card. i never had to actually tap a circuit of any kind, though i had to prove i could have with photographs
I recall the story of a pen tester who would wear a fake pregnancy prosthetic because honestly, who's gonna deny her entry if this poor woman forgot her key card? She played the "pregnancy brain" card
@Tom Redman i would delight in pulling that
That's so crazy. My heart would be pounding haha
adrenaline, yes; heart, do anything to keep it no
the trick is to actually feel nonchalant
beta blockers or square breathing, etc?
and then, to be able to bullshit FAST on your feet
If I had it to do over again, pen testing would be my thing
because your rehearsed option will go sideways if you have to interact with the target
just ask which printer/scanner it is that needs fixing
@Dan Maloney you're still alive. i'm 40 and completing an MTM because *shrug*
@charliex ahh, you remember too
still works
copy machines too, ESPECIALLY right when they got networked
@charliex <3 oh i wanna see so bad
@samy kamkar I loved your project on the credit card mag stripe emulator... your enthusiasm for that project came through in the post. What your most excited moment in hacking?
What was*
@Tom Redman it's surprising that much of this can be very effective -- of course sound is going to make it harder but when you're dealing with algos that are using significantly different operations on a per-bit basis, then it's quite clear what's going on when you begin measuring amplitude of anything that reveals power usage -- if you have access, i'd suggest taking an oscilloscope to a microcontroller, implementing any existing crypto example, and measuring power -- start with something like a shunt resistor as it performs an operation and compare to the high level implementation of the algo and you'll be surprised at how much you can "see"
@samy kamkar oh that's so smart the rotation in power use gives you a clue about the rotation in processing modes
Amazing! Definitely going to dig in... I love this stuff to death. It might be the thing I'm most curious about!
And I look up to see that our hour is already up - amazing. We usually like to let the host go at this point, and we'll certainly do that if Samy has to go, but anyone who wants to stay on and keep the chat going is more than welcome. The Hack Chat is always here for you, even in these troubled times.
@samy kamkar – loved the opportunity to learn today!
Thanks
thank you!
I just want to say a big thanks to Samy for coming on today, and to all of you for a great chat. Really, thanks all!
cheers
Next week we'll be talking about Laser Artistry with Seb Lee-Delisle:
Thanks
https://hackaday.io/event/170294-lasers-hack-chat
Laser Artistry Hack Chat: "Pew pew goes my big green laser". Seb Lee-Delisle will host the Hack Chat on Wednesday, April 1, 2020 at noon Pacific Time.
thanks all! will hang for a little longer thanks for the links
@samy kamkar and others
thanks
Excellent @samy kamkar, thanks!
I'll wait a bit to pull the transcript and post it.
anytime, if i recall i intro'd you to alyssa at dc last year, she does a lot of SCA
@Tom Redman hmm most exciting thing, this is an old project but i was super excited because i kind of didn't believe in myself that it would work but had just kept messing around with the idea and one day it worked. i assumed i was doing something wrong when it actually worked. more networking related and quite old now, but was soooo happy http://samy.pl/pwnat
or https: if you're into that kind of thing
😁
> i assumed i was doing something wrong when it actually worked
Like code that works the first time 'round :D
thanks
exactly
tfw when something compiles on the first try and you become immediately suspicious
"something must be wrong"
-
Hack Chat Transcript, Part 1
03/25/2020 at 20:15 • 0 comments
<3
Hello everyone, hope your self-imposed or otherwise lockdowns are going as well as can be expected. Today we're going to be welcoming Samy Kamkar to the Hack Chat, to talk about side-channel attacks and reverse engineering.
Welcome back, Samy! I normally ask guests to tell us a little about themselves, but that seems silly in this case. Maybe just start off by telling us how you're keeping sane these days?
Hi
Hey all, thanks for having me!! Hi
hi
lately have been working on a number of projects - personally some more side channel experimentation with RF, some proof of concept projects and vacuum system building at home for sputtering and physical vapor deposition, and professionally a lot of research and hardware at openpath.com building physical access control
So I guess WFH isn't a big deal for you?
@samy kamkar With the sputtering -- are you preparing samples for SEM or something else like making sub-mil traces , etc..?
samy!
Also -- what does your setup look like?
@Mark J Hughes atm one of the projects on my plate is creating a prototype "usb condom" -- these are meant to be devices that remove the data lines from USB and only allow power to prevent a malicious charger from exploiting something like your phone
yeah, interesting in building my own sputtering setup
but i'm a bit confused by the implementation as most of the usb condoms I've seen are opaque -- so how do i know the device itself is not malicious?
so i've begun a PoC of creating an entirely transparent USB condom where you can visually see the data lines get cut off and the power run through...
won't that disable power level negotiation?
except, it's a lie. i'm building the sputtering setup in order to sputter ITO (indium tin oxide), which as a thin film is a transparent conductor
@samy kamkar - Sort of like the inverse of the PowerBlougher that @Brian Lough makes - it cleans the power off a USB port and only lets data through
thus, the data lines will continue, transparently, and one of the USB lines will be tied to a transparent antenna for nearby RF pickup
i've used some ITO plastic but it's just too obvious hence the desire for a sputtering setup.
Hahaha, that's super sneaky!
Condoms break, just saying
@samy kamkar You could make it transparent and use a 4-layer PCB. Hide the USB diff pair on an internal layer.
my setup atm: Leybold Trivac D2.5E (two stage rotary vane) -> foreline trap (which I recently baked out way too long and destroyed the zeolite) -> Edwards EXT255Hi turbomolecular pump -> chamber -- with an MKS901P Pirani gauge and BPG400 Bayard-Alpert gauge
@samy kamkar What is the least expensive entry into side-channel analysis? Last thing I heard about was the chip-whisperer.
please note this is a very diy project so i'm fabricating some of the parts and trying to keep this as low cost as possible -- hence my high voltage feedthrough is really a J99 spark plug with a turned KF16 connector, my high voltage setup is a variac -> microwave oven transformer -> high voltage diode -> spark plug
@morgan it would if the lines weren't going through but in this case they will -- however even without negotiation you'll still get 500mA
Yowza! Are you current limiting the MOT somehow?
@Mark J Hughes the ChipWhisperer is awesome! i highly recommend it as well as Colin's site, videos, documentation. i was fortunate to take his class on side channel work as well
@samy kamkar Since the lines are going through anyway, won't the user realize the negotiation has taken place and they're charging at greater than 500 mA?
@samy kamkar whats the use case you imagine where someone knows enough to want to use a usb condom but doesn't know about your evil one
or is this more a poc around "look we can hide circuits in things"
@Mark J Hughes technically you can get away with cheaper though if you wanted, though it wouldn't be as advanced as a setup. in my previous supercon talk on side channels, near the end i demonstrated a new project using a Teensy 3 to perform bootloader debug protection bypassing *non-invasively* in order to dump flash from protected microcontrollers
@samy kamkar what you save in money you make up for in time. Usually many times over. :)
@samy kamkar What's the hardest microcontroller family to attack?
@stansanders hi!! i think the hiding in plain sight is the thing that piqued my interest, and the usb condom was just for me to tease the current implementation since i really do think it's silly to have an opaque device that you can't open (i realized this after i was given a USB condom in another country and it had an aluminum casing that couldn't be removed easily and i started to become suspicious)
https://www.riscure.com/gocheap/ https://github.com/Riscure/cheapSCAte is cheap and basic, talk by alyssa too for sca
Hi
@samy kamkar Hey, what are you doing with RF + side channels?, that sounds really interesting!
@Seth the variac before the MOT allows control of the voltage but i don't have current limiting atm - however i'll likely get another small variac and use that for current control
@adellelin !!
hi
@anfractuosity one of my never ending projects is around intentional electromagnetic interference. there's a lot of amazing research on EM (and other side channels) revealing secret material of a system, but i've been more fascinated with the opposite, such as inducing voltage in a circuit to control it
specifically air gapped systems that are intended to be "secure" as they're not connected to any network
the problem is "air" is a terrible gap
pretty much everything goes through it
especially RF
oh interesting, using a coil you mean above the chip, or..?
hey y'
i've been doing work around further field injection in the ISM band on input devices -- close enough that you're in proximity but not so close that you're touching the device in question or have it opened up. the example would be going into a corporate office, grabbing lunch with someone, and leaving your "phone" on someone's desk near a keyboard
@samy kamkar ever thought about trying to exploit something's natural interference to create a sidechannel i.e. spitting the right sequence at a nic causes the hardware to sidechannel itself
keyboards are pretty neat...typically connected via USB which used shielded twisted pair for the data signals and differential voltage which prevents most EM interference
however as soon as that USB is terminated to the MCU, you're essentially left with a plastic shell and nice, long copper antennas--i mean traces, to each of the keys
hey y'all.... back in the day, it was a common thing to add a short length of wire to a filter tap on a pole mounted CATV system.... to make it leaky....and then aim a TV antenna at the "created air gap on a closed system" to essentially get "free CATV" same logic applies to adding a wire to most microcontrollers and other systems...to leak signals for passive theft.
@stansanders hmm can you give me an example? like +++ATH0 of the dialup days? for those who aren't familiar, that's the AT "hang up" command that you can send your dialup modem to hang up. problem is you could get users on a chat like IRC to respond with an IRC PING of whatever you sent to them, and the modem would interpret it as the command and execute. essentially a DoS from anyone on IRC
oh neat, re. keyboard, i bought a cheap mini-whip vlf antenna to try and pickup keyboard stuff, but don't have an SDR that can go that low atm
and worse you could send other AT commands, eg +++ATH0,AT1900xxxxxxx
@anfractuosity you can use your sound card
that's a good point!
i'm not sure if i might have tried that for something else actually, when i was tapping the earth of our mains to try and pickup the keyboard stuff
you can look at crosstalk and emi leakage on the usb hub as well
@anfractuosity nice! that's an awesome technique. i'm not sure it will work well with USB keyboards but with PS2 was effective
yeah with ps2 that was
@charliex ooh yeah that would be cool - have you seen any projects successfully employ that?
@samy kamkar heya , yeah https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf
@Steve Bossert (K2GOG) interesting!
@samy kamkar exactly that, exploiting the device's own foibles in the RF / EM realm in order to attack without physical access necessarily
@Mark J Hughes regarding saving money -- while that's true, i'm in general trying to build things so i understand them...i definitely am spending more resources by doing it but it's definitely a pref of mine to get into the nitty gritty and diy to get a better grasp on things as otherwise i'm a pretty slow learner. i've never been good at just reading and understanding something, things only seem to click for me when i apply it
@Mark J Hughes the "hardest" mcu family to attack, i haven't tried attacking some of the secure variants of chips but they're on my list as i improve the vacuum system i would like to perform more invasive attacks. i've been doing IC decapsulation and optical reversing of (old) silicon but the "secure" chips often have metal masks/protective layers that i'm interested in defeating, again with home made devices
how many of the "secure" chip builds can you get your hands on to test different jigs and cutters and such with, for example for abrasive methods?
@stansanders yeah, that is super interesting. there are some neat tricks -- Travis Goodspeed found a neat technique on nRF24L01's (super inexpensive Nordic 2.4GHz GFSK transceivers) - they don't support any "sniffing" modes, you must receive on a specific address, but found by using the preamble (0xAA's or 0x55's aka 0b10101010 or 0b01010101) and disabling basically all other checks (CRC, specifying a length, removing any other header requirements), the preamble would trigger the address detection and you'd be able to promiscuously eavesdrop packets on the channel (within limitations of the chip of course, such as the size limit, 32-bytes I believe, and modulation/encoding)
@samy kamkar Oh, I'm sorry, I meant for me. I agree entirely with that statement. I'll often find a $100 solution to a $20 problem just so I can own it.
@Dan Fruzzetti getting chips isn't too hard if you buy products using them - i think with the modern technology you'll need a focused ion beam or similar to remove/add metal
@Mark J Hughes ahh! haha i misunderstood, but yeah, i guess that's what makes us all hackaday'ers :)
I just want to mess around a bit.
@samy kamkar outside my area. abrasion wouldn't be - you can blast with pretty small media now. hey anyone know of any curve-fitting libraries for Arduino that they like
@samy kamkar very cool. i'm also more thinking of things like knowing there's an inductor that emits a magnetic field and if you do something that loads and unloads it in a certain way the inductor interferes with something else interesting
@stansanders aggr-inject was also a cool example of the "packet in packet" technique (which +++ATH0 is an example of) -- specifically in open (unencrypted) 802.11n networks, a victim could visit a site / access some data, let's say a large, malicious image, and if any of the packets got dropped, the image itself contains a packet delimiter and wifi packet in itself. it would normally just be "data" as part of the image, but since the previous packet was dropped, the NIC is now looking for a new 802.11n frame -- and what do you know, it sees one and interprets it
nice
thus the victim received a raw 802.11n frame which could be anything, such as an arp packet redirecting traffic
fatal
so thats the same principle, but im imagining that the sidechannel manifests as a hardware thing
so reading the old-timey LEDs on a hub
"omg it's just... the data"
@Dan Fruzzetti true, removing the metal is possible, however typically these chips will no longer work and you'll essentially want to reconnect the metal as well (hence the FIB), but i'd definitely be interesting in super precise abrasion techniques if you know of any
@samy kamkar! Just wanted to say I love what you do and really appreciate your project posts. Thanks for sharing those. I'm endlessly fascinated with this stuff. Really enjoyed your darknet diaries episode too!
Hey
Super-precise abrasion techniques... Dunno if you have access to a machine shop, but that sounds like a surface grinder to me. Easily hits tolerances of 0.0001".
awesome, thanks Tom!
yeah surface grinders are good for decap, joe grand did a thing on it a while ago
If I ever end up with a second career, it'll be hacking or pen-testing :)
@Tom Redman i love human-factors exploits
iirc he did pcb's cant recall if he did any chips
if you really want to test a medium-sized enterprise, HFVs are the equivalent to side-channel attacks
@Dan Fruzzetti the stories I've heard from some pen testers sound straight out of some tom clancy book. I'd probably barf but I love to think I could do it haha
What's an HFV?
@samy kamkar in an ideal universe are you hoping to carefully decouple the shields from the chips in order to reattach them later? and
Tom, the getting scared part is the part that'll thrill you and make you old
speaking of old, i don't look that young anymore
@samy kamkar in the dd episode you talked about using smartphone microphones to pick up ultrasonic freqs of CPU instructions. Has there been a POC of this? Has it been used in the wild to you knowledge? It feels like there'd be too much noise in an uncontrolled environment.