Physical Computing, Virtual Security

Adding the Arduino microcontroller development environment
to your "security research" toolkit

( follower@rancidbacon.com )


Know your audience


Physical Computing


Arduino

http://arduino.cc/


Blink!


What's in it for you?


Microcontroller vs. Embedded Linux


Size & Cost


Prove it!


Networking


WIZnet W5100 "Hardwired" TCP/IP Stack


Hardware vulnerabilities?


DHCP exhaustion example


byte mac[] = {0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED};

...
  for (byte macByte1 = 11; macByte1 < 255; macByte1++) {
    for (byte macByte2 = 0; macByte2 < 255; macByte2++) {
      mac[3] = macByte1;
      mac[4] = macByte2;

      if (Dhcp.beginWithDHCP(mac) == 1) {  // begin method returns 1 if successful
         ...
      }
      ...
    }
  }
...
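A defender-side counterpart, added here and not part of the talk: a detector for the pattern the sketch above produces (many client MACs that share one OUI appearing in a short window), run over constructed ISC-dhcpd-style syslog lines. The log format, hostname, window and threshold are assumptions.

```python
"""Flag a DHCP pool-exhaustion attempt in DHCP server logs (added example).

Assumes ISC-dhcpd-style syslog lines such as
  "Nov 15 12:00:03 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:0b:03 via eth0"
The sketch keeps DE:AD:BE fixed and walks MAC bytes 3 and 4, so the
signature is many distinct client MACs sharing one OUI in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)", re.I)

def parse(line):
    """Return (timestamp, mac, iface) for a DHCPDISCOVER line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; only deltas matter
    return ts, m["mac"].lower(), m["iface"]

def find_exhaustion(lines, window=timedelta(seconds=30), threshold=20):
    """Return {(iface, oui): peak distinct MACs} where >= threshold MACs of one OUI hit one window."""
    recent = defaultdict(list)   # (iface, oui) -> [(ts, mac), ...] inside the window
    alerts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, mac, iface = parsed
        key = (iface, mac[:8])           # "de:ad:be"-style OUI prefix
        events = recent[key]
        events.append((ts, mac))
        while events and ts - events[0][0] > window:
            events.pop(0)                # slide the window forward
        distinct = len({m for _, m in events})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def constructed_log():
    """Constructed sample: one ordinary client, then 25 DISCOVERs walking mac[4] as the sketch does."""
    lines = ["Nov 15 12:00:00 gw dhcpd: DHCPDISCOVER from 00:1e:8c:12:34:56 via eth0",
             "Nov 15 12:00:01 gw dhcpd: DHCPOFFER on 10.0.0.5 to 00:1e:8c:12:34:56 via eth0"]
    for i in range(25):
        lines.append(f"Nov 15 12:00:{i:02d} gw dhcpd: DHCPDISCOVER from "
                     f"de:ad:be:ef:0b:{i:02x} via eth0")
    return lines
```

On the constructed log, find_exhaustion() reports ("eth0", "de:ad:be") with 25 distinct MACs while the ordinary client never trips the threshold.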


Public Service Announcement from...


http://hackerspaces.org/


MakerSpace (Wellington)


chchspace (Christchurch)


Now, back to your scheduled programme...


Arduino and USB


V-USB


Keyboard emulation


pyusb + libusb




from arduino.usbdevice import ArduinoUsbDevice  # host-side helper built on pyusb + libusb

# The VID/PID pair must match what the Arduino-side firmware reports.
theDevice = ArduinoUsbDevice(idVendor=0x16c0, idProduct=0x05df)
theDevice.write(0x01)    # send one byte to the device
print(theDevice.read())  # read back the byte the device queued





#include <UsbStream.h>   // Arduino-side counterpart of the Python snippet above

void setup() {
  UsbStream.begin();
  UsbStream.write(0xff);  // queue a byte for the host to read
}

void loop() {
  UsbStream.refresh();    // must be called regularly to service the USB stack

  if (UsbStream.available() > 0) {
    int data = UsbStream.read();  // byte sent by the host (unused in this minimal sketch)
  }
}


Software protection dongles *

(* Not recommended for production.)


How USB works (reenactment)


How USB fuzzing works (reenactment)


Does it really work?


Oops indeed.

[39805.823336] usb 1-2: configuration #1 chosen from 1 choice
[39808.880125] usb 1-2: USB disconnect, address 14
[39810.360083] usb 1-2: new low speed USB device using uhci_hcd and address 15
[39810.538392] usb 1-2: configuration #1 chosen from 1 choice
[39810.584698] usbcore: registered new interface driver usbserial
[39810.584730] USB Serial support registered for generic
[39810.584783] usbcore: registered new interface driver usbserial_generic
[39810.584788] usbserial: USB Serial Driver core
[39810.595661] USB Serial support registered for PocketPC PDA
[39810.595784] ipaq 1-2:1.0: PocketPC PDA converter detected
[39810.599942] usb 1-2: PocketPC PDA converter now attached to ttyUSB0
[39810.599985] usbcore: registered new interface driver ipaq
[39810.599991] ipaq: v0.5:USB PocketPC PDA driver
modem-manager: (ttyUSB0) opening serial device...
[39810.637271] BUG: unable to handle kernel NULL pointer dereference at 0000003c
[39810.637284] IP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq]
NetworkManager: <info>  modem manager disappeared
[39810.637307] *pde = 3e20c067
[39810.637313] Oops: 0002 [#1] SMP 
[39810.637320] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-2/uevent
NetworkManager: <info>  Trying to start the modem-manager...
[39810.637328] Modules linked in: ipaq usbserial usbhid aes_i586 aes_generic binfmt_misc ppdev snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm uvcvideo snd_seq_dummy iptable_filter snd_seq_oss snd_seq_midi snd_rawmidi joydev snd_seq_midi_event ip_tables eeepc_laptop videodev v4l1_compat snd_seq x_tables snd_timer snd_seq_device snd arc4 ecb ath5k mac80211 led_class psmouse ath soundcore lp atl2 serio_raw cfg80211 snd_page_alloc parport dm_raid45 xor fbcon tileblit font bitblit softcursor usb_storage i915 drm i2c_algo_bit video output intel_agp agpgart
[39810.637424] 
[39810.637431] Pid: 889, comm: modem-manager Not tainted (2.6.31-14-generic #48-Ubuntu) 900
[39810.637438] EIP: 0060:[<f847593d>] EFLAGS: 00010286 CPU: 0
[39810.637451] EIP is at ipaq_open+0x1fd/0x570 [ipaq]
[39810.637456] EAX: 00000000 EBX: e4dd2000 ECX: f6452200 EDX: e4dd4000
[39810.637462] ESI: ef2d9840 EDI: f6452200 EBP: ef1f5de8 ESP: ef1f5da0
[39810.637468]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[39810.637474] Process modem-manager (pid: 889, ti=ef1f4000 task=ef6225b0 task.ti=ef1f4000)
[39810.637479] Stack:
[39810.637483]  00000003 c07657f0 ef1f5db4 00000292 c07657ec ef1f5dbc c0127c38 ef1f5dd0
[39810.637497] <0> f65785a0 00000064 f69e4000 f6452200 00000100 ef2d9854 00000100 f847cc60
[39810.637511] <0> f6452200 f6452204 ef1f5e20 f805cc3a ef1f5df8 c05708b8 ef1f5e20 c037d9c1
[39810.637526] Call Trace:
[39810.637542]  [<c0127c38>] ? default_spin_lock_flags+0x8/0x10
[39810.637558]  [<f805cc3a>] ? serial_open+0xda/0x130 [usbserial]
[39810.637568]  [<c05708b8>] ? _spin_lock+0x8/0x10
[39810.637578]  [<c037d9c1>] ? check_tty_count+0x51/0xb0
[39810.637587]  [<c0380a43>] ? __tty_open+0x1a3/0x460
[39810.637594]  [<c0380d1f>] ? tty_open+0x1f/0x40
[39810.637604]  [<c01ea5bd>] ? chrdev_open+0xcd/0x190
[39810.637612]  [<c01e5769>] ? __dentry_open+0xb9/0x230
[39810.637619]  [<c01e59c5>] ? nameidata_to_filp+0x55/0x70
[39810.637627]  [<c01ea4f0>] ? chrdev_open+0x0/0x190
[39810.637636]  [<c01f34fa>] ? do_filp_open+0x53a/0x890
[39810.637647]  [<c01e31bf>] ? __mem_cgroup_commit_charge+0x3f/0x80
[39810.637656]  [<c01ca1a9>] ? do_anonymous_page+0x199/0x200
[39810.637664]  [<c01e5500>] ? do_sys_open+0x50/0x150
[39810.637672]  [<c01e5669>] ? sys_open+0x29/0x40
[39810.637680]  [<c010336c>] ? syscall_call+0x7/0xb
[39810.637684] Code: c0 85 c0 0f 85 12 02 00 00 8b 7d e4 85 db 89 9f a0 00 00 00 0f 84 45 02 00 00 8b 55 e4 8b 82 98 00 00 00 89 d1 8b 92 90 00 00 00 <89> 50 3c 8b 81 a8 00 00 00 8b 91 a0 00 00 00 89 50 3c 8b 81 98 
[39810.637761] EIP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq] SS:ESP 0068:ef1f5da0
[39810.637778] CR2: 000000000000003c
[39810.637785] ---[ end trace f88c0740245043a9 ]---
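An added triage helper (not from the talk) that ties an oops like the one above back to the USB device hot-plugged just before it, so the crash can be attributed to an untrusted device rather than host software. It runs over a constructed subset of the slide's dmesg lines; the line formats it matches are assumptions drawn from that output.

```python
"""Tie a kernel oops to the USB device hot-plugged just before it (added example).

Records the last USB enumeration and driver attach seen in dmesg-style lines,
then, on a NULL-pointer BUG record, reports the faulting function/module
together with that device.
"""
import re

NEW_DEV_RE = re.compile(r"usb (?P<port>[\d.-]+): new (?P<speed>\w+) speed USB device .*address (?P<addr>\d+)")
ATTACH_RE = re.compile(r"usb (?P<port>[\d.-]+): (?P<driver>.+?) converter now attached to (?P<node>\w+)")
BUG_RE = re.compile(r"BUG: unable to handle kernel NULL pointer dereference at (?P<addr>[0-9a-f]+)")
IP_RE = re.compile(r"IP: \[<[0-9a-f]+>\] (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(?P<mod>\w+)\]")

# Constructed subset of the oops on the slide; a non-kernel syslog line is mixed in, as there.
SAMPLE = [
    "[39810.360083] usb 1-2: new low speed USB device using uhci_hcd and address 15",
    "[39810.595784] ipaq 1-2:1.0: PocketPC PDA converter detected",
    "[39810.599942] usb 1-2: PocketPC PDA converter now attached to ttyUSB0",
    "modem-manager: (ttyUSB0) opening serial device...",
    "[39810.637271] BUG: unable to handle kernel NULL pointer dereference at 0000003c",
    "[39810.637284] IP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq]",
    "[39810.637785] ---[ end trace f88c0740245043a9 ]---",
]

def strip_ts(line):
    """Drop the '[secs.usecs] ' prefix printk adds; other lines pass through unchanged."""
    return re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line)

def triage(lines):
    """Return a dict describing the crash and the device that preceded it, or None."""
    last_dev = attach = report = None
    for raw in lines:
        line = strip_ts(raw)
        m = NEW_DEV_RE.search(line)
        if m:                                 # new device enumerated: reset the context
            last_dev, attach = m.groupdict(), None
            continue
        m = ATTACH_RE.search(line)
        if m:                                 # a driver bound to that device
            attach = m.groupdict()
            continue
        m = BUG_RE.search(line)
        if m:
            report = {"fault_addr": int(m["addr"], 16), "device": last_dev, "attach": attach}
            continue
        m = IP_RE.search(line)
        if m and report is not None and "function" not in report:
            report.update(function=m["func"], module=m["mod"])   # first IP: line after the BUG
    return report
```

For SAMPLE, triage() reports the fault at 0x3c in ipaq_open (module ipaq) on the low-speed device at usb 1-2 that had just been bound to ttyUSB0.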


Hey, what happened to my USB?


#include <UsbFuzzBase.h>

void setup() {
  // The VID/PID pair decides which host driver gets bound (here: ipaq).
  UsbFuzzer.setVendorId(0x045e);  // (Microsoft Corp.)
  UsbFuzzer.setProductId(0x0417); // (Windows Powered Pocket PC 2002)

  UsbFuzzer.begin();
}

void loop() {
  UsbFuzzer.refresh();
  ...
}


More detail...


python-firmata & Firmata



>>> import firmata
>>> a = firmata.Arduino('/dev/tty.usbserial-XXXXXXXXXX', baudrate=57600)
>>> a.pin_mode(13, firmata.OUTPUT)
>>> a.digital_write(13, firmata.HIGH) # LED on pin 13 on
>>> a.digital_write(13, firmata.LOW) # LED on pin 13 off
>>> a.serial.close()


Electro-Mechanical assistance

http://l4n.clustur.com/index.php/Nanotron_3000#tucenaber


And everything else...


Places to Learn


Hackerspaces

The Valley in Christchurch (TVIC)

Planet NZTech


Arduino in New Zealand

Me -- Philip J. Lindsay


code@rancidbacon.com