Friday, November 26, 2010

Bluetooth Keyboards: who owns your keystrokes?

I gave a talk at ShmooCon 2010 on the security of Bluetooth keyboards and mice. After a restoration of the ShmooCon archive, the full video is once again available. I have also published the slides and such.

Most of my previous Bluetooth work had been done using software radio techniques requiring somewhat costly hardware. For this talk I focused on what is possible for both attack and defense using low-cost off-the-shelf Bluetooth equipment. It turned out that quite a lot of interesting things were possible that had not been demonstrated before. Even so, many essential capabilities such as passive monitoring remained out of reach without more expensive hardware, which is why I've since turned my attention to Project Ubertooth.

Tuesday, November 23, 2010

supporting OpenVizsla

I just made a pledge to support OpenVizsla, an open source USB analyzer. I had been thinking about designing something similar, and now I don't have to!

Tuesday, November 16, 2010

Ubertooth: first release

Tonight I uploaded the first release of Project Ubertooth, an open source wireless development platform that can be used for Bluetooth testing and research. This is a very preliminary release, but it includes the complete hardware design for Ubertooth Zero, firmware source code, and the host code needed to perform rudimentary Bluetooth sniffing as I demonstrated at ToorCon 12. Although you can download a project archive, I recommend using the Subversion repository so that you can easily keep up to date with the project as it develops.

The documentation is still a bit thin, but there are README files scattered about the project directories. The host code can be compiled with gcc on Linux. The firmware can also be compiled with a gcc toolchain (I have found the CodeSourcery package to be helpful) and can be flashed onto a board with lpc21isp. I've been using a slightly modified SparkFun FTDI Basic Breakout for this, but there are several serial programming devices that will work with lpc21isp.

Also in the repository is an early hardware design for Ubertooth One, the next generation board that I hope to have ready within a couple months. This is a more challenging design that will probably require a few revisions, so keep your expectations low if you try to build one based on the current layout.

Tuesday, November 02, 2010

introducing the DEF CON Super Rocker 18

Last spring I decided that this year I would win the DEF CON 18 badge hacking contest. I failed. In the process, however, I had fun and learned a great deal, and I ended up with a decent hack that is still unfinished.

I wanted to make something to take advantage of the digital signal processing (DSP) capabilities of the chip on the badge, so I decided to turn my travel guitar into the DEF CON Super Rocker 18, an electric guitar with digital effects powered by the badge.

I started with a Hohner 30" Folk Guitar, an instrument that you can find at toy stores for $30 to $50. I first bought a toy guitar several years ago when I had a job that involved a lot of travel. It was a great way to entertain myself and keep practicing while on the road. I could toss it into the overhead bin on an airplane without a case and not worry about damage because the thing only cost me $20. It didn't sound great (though it was much better than others of the same model that I tried - always try musical instruments at the store even if they are toys), but it was the best $20 I ever spent. That guitar lasted for years and traveled with me to about 25 states. After ToorCamp in 2009, I decided to retire that guitar because its quality had degraded considerably over several years and a few repairs. I replaced it with the Hohner, a higher quality instrument that made its first journey to DEF CON 17. I can't say enough good things about the Hohner. Yes, it is a toy, but I have played worse guitars that cost 10 times as much. If you've ever thought it would be nice to have a guitar for travel, backpacking, or to keep in your car, go get one.

If you are a friend of mine who is wondering why you didn't see me at DEF CON, it is probably because I spent quite a bit of the weekend soldering in my hotel room! I started the project about six weeks in advance, but I spent most of that time experimenting with alternative guitar pickup technologies. I saw the project as an opportunity to experiment more than a contest to win - and my results followed accordingly. When I arrived at the con, I had 99% of the circuits designed, 10% of them constructed, and I had yet to start cutting into the guitar or writing firmware.

I think it was a good thing that I started drilling the guitar in the bathtub. That made it much easier to clean up the sawdust in the hotel room. I used a manual hand drill that was good to travel with. It worked great with smaller twist bits, but I gave up and turned the hole saws by hand. All the parts were mounted in the guitar with hot glue, a few small wood screws, and some bits of wooden chopsticks I picked up at a Las Vegas sushi buffet.

Counting the badge, I think I ended up with six circuit boards mounted in or on the guitar, and it turned out that most of them never did anything! You see, I spent so much time working on building the hardware that I ended up with only a couple hours to write code before the end of the competition. Making the time crunch even worse, I had reliability problems with both the badge's serial bootloader and the JTAG interface. Unfortunately I had to completely abandon the notion that the thing would make noise, and I instead turned my attention to the one function that I thought I could get working very quickly.

I had mounted an RGB LED under each string in the fingerboard of the guitar, and I used those to implement a three-phase RGB stroboscopic tuner. You can see it in action at the end of my contest entry video. The LEDs are driven by a circuit with both high and low side shift registers to minimize the number of pins used on the badge's microcontroller. Each color of the LED flashes at a rate equal to the string's frequency (110 times per second if tuning a 110 Hz string). If the string is in tune, then its vibration brings it to about the same location each time that color flashes. This is much faster than the eye can see, so it just appears to be a stationary blob of color. If the string is a little bit out of tune, the blob moves around slowly, and if the string is further out of tune the blob moves faster. With three colors all firing at different times, you see three blobs that move around depending on the tuning of the string. The circuit doesn't involve any audio sensing whatsoever. I've seen single-phase and two-phase stroboscopic guitar tuners before. What's better than one or two? Three!
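To make the stroboscopic effect concrete, here is a small simulation of what each LED color "sees" (added example, not the badge firmware or any code from the project): the string is modelled as a sine wave, each color samples it once per flash at its own third-of-a-period offset, and the drift rate of the lit blob works out to the detuning in Hz. Function names, the sine model, and the sample values are my own assumptions.

```python
import math


def string_displacement(string_hz, t):
    """Transverse displacement of a string vibrating at string_hz (model assumption: pure sine)."""
    return math.sin(2 * math.pi * string_hz * t)


def strobe_samples(string_hz, flash_hz, color_phase, n_flashes):
    """Displacements seen under one LED color.

    The color flashes flash_hz times per second; color_phase is its offset as a
    fraction of a flash period (0, 1/3 and 2/3 for the three phases of the tuner).
    Each flash freezes the string at whatever position it is in at that instant.
    """
    period = 1.0 / flash_hz
    return [string_displacement(string_hz, (k + color_phase) * period)
            for k in range(n_flashes)]


def blob_spread(samples):
    """How far the frozen positions range: ~0 means a stationary blob (in tune)."""
    return max(samples) - min(samples)


def blob_drift_hz(string_hz, flash_hz):
    """Apparent speed of the blob in cycles per second.

    Each flash catches the string a little further along its cycle than the last;
    the slip per flash is the relative frequency error.  Like any strobe, the
    effect aliases, so the slip is folded into -1/2..+1/2 cycle: a string an
    exact octave off still looks in tune.  Positive means sharp, negative flat.
    """
    slip = (string_hz - flash_hz) / flash_hz        # cycles of slip per flash
    slip = (slip + 0.5) % 1.0 - 0.5                 # fold into -0.5..0.5
    return slip * flash_hz


if __name__ == "__main__":
    for hz in (110.0, 111.0, 112.0):                # constructed test strings
        red = strobe_samples(hz, 110.0, 0.0, 50)
        green = strobe_samples(hz, 110.0, 1 / 3, 50)
        print(hz, "Hz: spread", round(blob_spread(red), 3), round(blob_spread(green), 3),
              "drift", round(blob_drift_hz(hz, 110.0), 3), "Hz")
```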

I've been so busy with other projects that I haven't even looked at the code since the day of the contest, but I still travel with the DCSR18. When I do, I am reminded that I should resume working on it before too much time goes by. There are a number of other interesting features that I hope to get working, and I'll blog about them as I do.