Hack.lu 2016 – Day Three
Links to reports from other days:
- Hack.lu 2016 – first day
- Hack.lu 2016 – Day Two
- Hack.lu 2016 – Day Three
Day 3
BtleJuice: the Bluetooth Smart Man In The Middle Framework
Damien Cauquil opened the day and held our attention despite the room's apparent lack of sleep (partly the early hour, more likely the previous evening's social event…).
After a review of the BLE (Bluetooth Low Energy) specification, a protocol widely used by connected objects for its performance and low power consumption, he presented BtleJuice, his Node.js framework for intercepting and manipulating the BLE traffic exchanged between a device and the mobile application that controls it.
There are prerequisites: the framework currently needs two separate machines, each with its own BLE adapter. One adapter connects to the target device while the other impersonates that device towards the mobile application, and the two halves relay the intercepted traffic between them over the network.
Several connected objects were then tested by Damien, for which vulnerabilities were found through the use of his framework.
The first demonstration consisted of passively sniffing the traffic between the Quicklock connected padlock and the smartphone application used to unlock it.
Analysis of the capture showed that the PIN code travels in clear text and that the unlock procedure authenticates the phone solely by its BD (Bluetooth Device) address, a value any BLE adapter can be made to spoof. An attacker who has listened to one unlock therefore has everything needed to open the padlock.
Damien then replayed captured requests against his WowWee MiP robot, using BtleJuice to fuzz the writes by hand, which let him discover and trigger undocumented functions.
For the final demonstration, Damien injected packets while spoofing the BD address of a blood glucose meter; here again, authentication relied solely on the BD address.
Damien closed by explaining how the use of his tool could be detected: since every read or write is relayed between the two machines before it reaches the other end, response times are longer than over a direct connection, and a device or application can watch for that.
BtleJuice is open source; the code is available on GitHub:
https://github.com/DigitalSecurity/btlejuice
ARM Shellcode Basics
In this workshop, Saumil Shah presented the basics of writing and assembling ARM shellcode.
A simple setup, a Raspberry Pi and a WiFi router, let attendees connect to the lab Saumil had prepared in order to compile and test various ARM exploits.
Note: Saumil Shah also presented this work in his talk "2016: The Infosec Crossroads"; the slides are available at the following address:
http://www.slideshare.net/saumilshah/hacklu-the-infosec-crossroads
FastIR Collector
In this workshop, Sébastien Larinier walked us through the analysis of several malicious codes, including Casper, Babar and Poweliks, with the help of the FastIR Collector tool.
The collector is a single executable that must be run with administrator rights in order to gather the Windows artifacts it targets.
The slides will be published soon, and the tool's source code will be available in the following GitHub repository:
https://github.com/SekoiaLab/Fastir_Collector
Appendices
The various presentation materials will soon be available at the following address:
In the meantime, here are the recordings of the day's talks:
- Day 3
- BtleJuice: the Bluetooth Smart Man In The Middle Framework by Damien Cauquil
- Where should I host my malware? by Attila Marosi
- Interesting Malware – No, I'm not kidding… by Marion Marschalek
- Enhancing infrastructure cybersecurity in Europe by Rosella Mattioli
- Lightning Talk: Geeks Without Bounds by Chris Kebecka
- Lightning Talk: Lama Project by Valentin Giannini
- Lightning Talk: iOS Forensics by Pasquale Stirparo
- Lightning Talk: EmailMadeIn.lu by Martin Bosslet
- House intercoms attacks: when frontdoors become backdoors by Sébastien Dudek
- Bridging political gaps with code by Okhin
- WiFi Exploitation: How passive interception leads to active exploitation
- Fraud detection and forensics on telco networks
- The Legend of Windows: A Link to the Hash by m4xk and sıx
- CTF Prize Ceremony by Fluxfingers