Author Archives: admin

CVE-2018-8319: Multiple Issues in Microsoft Research Cryptographic Library (JavaScript msrCrypto)

Posted on by

As part of the research team I led at Ionic Security, in collaboration with two excellent teammates, we uncovered and published multiple issues with the elliptic curve math in the Microsoft Research JavaScript cryptographic library, called msrCrypto. This is a common library which was also available on the npm package manager and was frequently downloaded.

Continue reading

What IoT device manufacturers should learn from the “IoT worm”

Posted on by

The research paper “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” by Ronen, O’Flynn, Shamir, and Weingarten garnered moderate media attention (here, here, here, etc) in early November, 2016. As I have worked extensively in ZigBee offensive and defensive security, but never specifically on the ZigBee Light Link (ZLL) profile, I was interested to dig-in and see what the main techniques and issues were, and what lessons other device manufacturers should take away from this disclosure.

Continue reading

WESS 2012: Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems

Posted on by

At the 7th Workshop on Embedded Systems Security (WESS 2012), we presented a paper co-authored with myself and researchers at the Dartmouth Trust Lab. You can read a copy of the paper here. Perhaps our abstract gives you a better summary of something I’d write for here:

Any channel crossing the perimeter of a system provides an attack surface to the adversary. Standard network interfaces, such as TCP/IP stacks, constitute one such channel, and security researchers and exploit developers have invested much e ffort into exploring the attack surfaces and defenses there. However, channels such as USB have been overlooked, even though such code is at least as complexly layered as a network stack, and handles even more complex structures; drivers are notorious as a breeding ground of bugs copy-pasted from boilerplate sample code.

This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.

S. Bratus, T. Goodspeed, P. Johnson, S.W. Smith, R. Speers. “Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems.” 7th Workshop on Embedded Systems Security (WESS 2012). October 2012. To appear.

Api-Mote (IEEE 802.15.4/ZigBee Radio Interface)

Posted on by

I’m pleased to announce the progress of the Api-Mote Base. This platform was designed with a number of thoughts (enumerated below) in mind, as well as experience from both lab-research and field assessments. A test run of 15 boards have been received and most are populated. An initial firmware version based on the GoodFET project is completed, thanks to a quick port by Travis. KillerBee support will be provided.

So why a new device? Almost three years after beginning to work with IEEE 802.15.4 and ZigBee research and security assessments, I’ve gotten tired of the hardware available to interact with these protocols. There are a number of tools out there — but none that I’ve worked with support a few core criteria.

Continue reading

Scapy Support for USB Protocol on Facedancer Boards, MAX2420, etc.

Posted on by

Immediately following the public release of the Facedancer10 PCBs by neighbors Travis Goodspeed and Sergey Bratus at REcon 2012, I began to develop a Scapy layer to support interacting with the MAX2420 chip used.

The initial code released in the GoodFET repository by Travis has some great examples, one of which is using the Facedancer to emulate a device using the USB HID (human-interface-device) specification. However, when looking at modifying the code to extend it, or use it for fuzzing, a major issue is determining the meaning of fields and the legitimate (and illegitimate) values for them, as well as the relationships between fields. This information is crucial to both specification-compliant use, or fuzzing. Continue reading

Wireless Security Excuse Bingo

Posted on by
3

Thanks to a retweet by Travis Goodspeed of a retweet by digitalbond and originally by SCADAhacker, I was reminded of Jutta Degener and Matt Blaze’s security excuse bingo, and agree that it would be entertaining (and somewhat disconcerting probably) to compile a wireless security excuse bingo board, focused specifically on the technologies and the resulting answers used in wireless sensor networks and SCADA systems, etc — as this relates to my IEEE 802.15.4 and ZigBee focus of late.

I’d like to gather input from those of you who work or have interaction with this field, and I bet an interesting list may result. I’ll post my suggestions in comments as well, and a running list can be started. Continue reading

GoodFET Development on Tmote Sky/TelosB (CC2420 Radio)

Posted on by
Reply

As part of my thesis research on 802.15.4 wireless sensor networks, I have recently become a developer on the GoodFET project. This project was started by Travis Goodspeed and “is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards.” However, as you will see, it has grown into so much more. I started working on the GoodFET CCSPI (ChipCon SPI Flash) client and firmware which Travis had started to support the Tmote Sky and TelosB branded sensor boards. Continue reading

Flickr Photo Wrapper

Posted on by
Reply

I needed to grab photos off of Flickr (flickr.com, a photo sharing site) in order to place them on a website. In this setup, Flickr takes care of the upload, photo storage, photo serving, etc and your website can access the images on it to use in your content. Flickr offers a way to embed images on your site in a Flash slideshow, but their interface has “features” that make it too busy and distracting to use as a simple design element. Also, it doesn’t handle resizing well, often cutting off your images or the interface’s buttons.

So, all I wanted was to grab a user’s public photos from Flickr (by username) and then allow someone to easily display one (or many). Lets look at how you use the classes:

require_once("photosFlickr.php");
$flickrphotos = new photosFlickr($flickr_username, "YOUR-API-KEY-HERE");
$photos = $flickrphotos->getPhotos();
$photoOfInterest = $photos[array_rand($photos, 1)];
$flickrpic = new photoFlickr($photoOfInterest, "YOUR-API-KEY-HERE");
$flickrpic->setSize($width, $height);
print $flickrpic->getHTML(true);

Before you start, you need to put two PHP files on your server. One is mine (photosFlickr.php) and my code expects to find phpFlickr Class 3.0 (written by Dan Coulter that you can get at http://phpflickr.com/). Download his files, and upload the one called phpFlickr.php to your website (it is easiest to put it in the same folder as you put my code).

First, we include the code I wrote. Make sure to include the full and correct relative path to the file on your server.
require_once("photosFlickr.php");

Second, we instantiate an instance of the class that handles multiple photos. We give the constructor the flickr username (as a string), and also your API key (as a string) which you can get for free from Flickr by clicking here.
$flickrphotos = new photosFlickr($flickr_username, "YOUR-API-KEY-HERE");

Then lets actually use the instance we just created… the simplest way to do so is to ask for all the public photos (Flickr may only return the first 100 due to how their API works. You can easily modify my code to ask for more.). We do this by calling:
$photos = $flickrphotos->getPhotos();
And we have the list of photos in the array called $photos. But if you look at this array, it is a mess! It is all information that makes sense to Flickr, but not as much to you. Don’t worry, I have a class to handle that as well.

For our example, lets pick one photo to deal with. We’ll do this randomly by calling:
$photoOfInterest = $photos[array_rand($photos, 1)];
We now have picked the photo we want to work with. You can do this in many ways, the random method is just an example ($photos[0] would give you the first one image Flickr returned, etc.).

Now lets display this picture. We instantiate a photoFlickr instance (note this is different than the photosFlickr instance we used before:
$flickrpic = new photoFlickr($photoOfInterest, "YOUR-API-KEY-HERE");
This will cause my code to make some sense out of the information returned by Flickr.

Optionally, you can decide the size you want to display the picture at. Just call:
$flickrpic->setSize($width, $height);
This provides it the width and height. For example this may look like $flickrpic->setSize(300, 200); but you can also just give it the width (like $flickrpic->setSize(300); and my code will figure out the correct height based on the dimensions of the image.

It will also intelligently choose the image to load from Flickr’s site. Flickr stores multiple versions of each image (thumbnail, square, medium, large, original) and the code will look through these and pick the smallest one that has dimensions equal or greater than what you need. This means your viewer’s browser has to load as small a file as possible while still not stretching an image and thus making it look bad.

But you still haven’t shown anything to your user! You need to display the HTML code for the image. This is done easily by calling:
print $flickrpic->getHTML();
This will output the image tag, with the sizes you specified (if any, otherwise default), and will automatically link the image to it’s page on Flickr. If you don’t want it to link to Flickr, just use $flickrpic->getHTML(false);.

That is all!

Please feel free to leave feedback. I’ll also consider new feature requests. Please alert me to bugs and I’ll fix and repost ASAP (I know there are some, I just don’t have time to fix all the edge cases right now).

Journal Article Published

Posted on by
Reply

Last winter, I wrote a research paper with my classmate Evan Tice ’09 studying the security of computing resources at Dartmouth College. It was very interesting to write, and thanks to Computing Services, we were able to study security logs and do some of our own analysis on the systems to supplement the publicly available information.

A sanitized form of our paper has been published in the Fall 2009 issue of the Dartmouth Undergraduate Journal of Science, and you can read it online here. For ease of reading, I have also posted it in the original PDF format.