Projects

Our team often contributes to open-source and community projects. Below are several examples of these contributions to the security community:

Open Source

KillerBee 2.0

River Loop is a leader in IEEE 802.15.4 and ZigBee security research and penetration testing, and is proud to contribute to the open-source and security community through the continued development of KillerBee along with other contributors. The 2.0.beta release adds numerous features over the 1.0 release.

Api-Do

Additional tools for ZigBee and 802.15.4 Security Auditing

GoodFET

Contributions to CCSPI app (for ChipCon radio communications on IEEE 802.15.4), Facedancer code (for low level USB fuzzing), testing, and hardware production.

We provide fully assembled GoodFET42 boards through resellers, or directly for larger orders:

Scapy dot15d4

Implemented an IEEE 802.15.4 dissection/construction layer for the popular Scapy packet manipulation framework.

Conferences

Troopers 14

Making (and Breaking) an IEEE 802.15.4 WIDS

Presented the ApiMote v4beta hardware for sniffing and injection on IEEE 802.15.4 networks and released as open source. Demonstrated the beta BeeKeeper WIDS framework for wireless intrusion detection on 802.15.4. Showed a technique for injecting packets which are seen at the PHY layer by some radio-chips but not by other chips, even when both chips are IEEE 802.15.4 compliant. You can download a copy of the presentation here.

ToorCon Seattle ’11

Tools for Practical Exploration of the 802.15.4 Attack Surface

Presented a toolkit for interacting with IEEE 802.15.4/ZigBee. Our tools build on top of the KillerBee framework developed by Josh Wright, and add support for additional hardware, improved code stability, and additional functionality such as reflexive jamming. In addition to a brief introduction to the issues of 802.15.4 security, we showed attendees how to get involved in exploring the attack surface themselves -- the hardware and software they need -- and how this enables them not only to perform their own assessments, but also to understand how attackers can interfere with the operation of these networks.

ShmooCon ’11

ZigBee Security: Find, Fix, Finish

Techniques for sniffing ZigBee packets have been presented, as have theoretical vulnerabilities in other types of wireless sensor networks, but this talk uses injection and intelligent packet generation to move towards real proof-of-concept attacks on 802.15.4/ZigBee networks. We analyze which proposed wireless sensor network attacks actually work on ZigBee, and provide proof-of-concept implementations of theoretical attacks. Specifically, we present tools that autonomously discover and profile networks in real time, gathering as much information as possible over time about a network and its devices, their relationships, and traffic flows, among other things; information gathered during this process is then used to craft and inject arbitrary frames with minimal user interaction in order to attack the network with precision and pinpoint weaknesses.

Defcon 20

Presented our project to create the ApiMote hardware at the Wireless Village. This platform was designed specifically to fulfill the needs of security assessors, based on experience from both lab-research and field assessments. It is inexpensive, easy to program, supports expansion and battery power, uses an internal or external antenna, and has low-level support for cutting-edge RF research (low-level registers exposed, in support of PIP, POOP, etc).

Publications

These are some of the published articles we have authored or co-authored:

PoC||GTFO

A Tourist's Guide to MSP430

This was a "quick-start" style guide to reverse engineering embedded systems. The goal is to get the reader situated with the MSP430 architecture as quickly as possible, so they can apply their other reversing experience to this platform.

Workshop on Embedded Systems Security

Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems

Any channel crossing the perimeter of a system provides an attack surface to the adversary. Standard network interfaces, such as TCP/IP stacks, constitute one such channel, and security researchers and exploit developers have invested much effort into exploring the attack surfaces and defenses there. However, channels such as USB have been overlooked, even though such code is at least as complexly layered as a network stack, and handles even more complex structures; drivers are notorious as a breeding ground of bugs copy-pasted from boilerplate sample code. This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and efficient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.

USENIX Workshop on Offensive Technologies

Packets in Packets: Orson Welles’ In-Band Signaling Attacks for Modern Radios

Presents methods for injecting raw frames at Layer 1 from within upper-layer protocols by abuse of in-band signaling mechanisms common to most digital radio protocols. This packet piggy-backing technique allows attackers to hide malicious packets inside packets that are permitted on the network. When these carefully crafted Packets-in-Packets (PIPs) traverse a wireless network, a bit error in the outer frame will cause the inner frame to be interpreted instead. This allows an attacker to evade firewalls, intrusion detection/prevention systems, user-land networking restrictions, and other such defenses. As packets are constructed using interior fields of higher networking layers, the attacker only needs the authority to send cleartext data over the air, even if it is wrapped within several networking layers. This paper includes tested examples of raw frame injection for IEEE 802.15.4 and 2-FSK radios. Additionally, implementation complications are described for 802.11 and a variety of other modern radios. Finally, we present suggestions for how this technique might be extended from wireless radio protocols to Ethernet and other wired links. [Paper]

Hawaii International Conference on System Sciences/IEEE Computer Society

Api-do: Tools for Exploring the Wireless Attack Surface in Smart Meters

Security will be critical for the wireless interface offered by soon-to-be-ubiquitous smart meters — since if not secure, this technology will provide a remotely accessible attack surface distributed throughout many homes and businesses. However, history shows that new network interfaces remained brittle and vulnerable (although believed otherwise) until security researchers could thoroughly explore their attack surface. Unfortunately, for the majority of currently available smart meter wireless networking solutions, we are still in that pre-exploration phase; “closed” radio stacks with proprietary features impede exploration by posing multiple hardware and software obstacles to standard network attack surface exploration techniques. In this paper, we address this problem by presenting open and extensible software tools for 802.15.4-based proprietary stacks that work on commodity digital radio platforms. [Paper]