Ink brush drawing by David Mack

About Matt

Matt Neely a penetration tester and security researcher located in the Cleveland Ohio area.

Learn more here.

Search
Powered by Squarespace
Thursday
18Jun

Weekend Project: Building a Bus Pirate

This past weekend I decided to make a Bus Pirate as a quick weekend project.  The Bus Pirate is a universal serial interface originally designed by the folks over at Hack a Day.  Basically the Bus Pirate is a device that can talk a wide range of serial protocols.  Most folks are familiar with the USB serial bus, yes I know that is redundant, and the old school RS-232 serial port.  Just about every computer made in the past 20 plus years has one of these serial ports. Sadly many hardware devices such as smart cards, integrated circuits and embedded devices do not speak RS-232 or USB.  Because of this talking to these devices can be hassle. You often need to build a hardware converter and possibly write some custom code to communicate with these devices.  The Bus Pirate tries to eliminate this hassle.

Today the Bus Pirate speaks eight protocols (1-Wire, UART, I2C, SPI, JTAG, raw 2-wire, raw 3-wire and PC AT keyboard).  The raw 2-wire and raw 3-wire can be used to interface with proprietary serial protocols.  The Bus Pirate also contains some other handy features such as a on-board 3.3 and 5 volt power supply, 0-6 volt measurement probe, a frequency measurement probe and frequency generator.

I was not adventurous enough to etch my own circuit board so I decided to build the Bus Pirate kit made by Fundamental Logic.  The kit includes all the parts you need.  Fundamental Logic even preprogrammed the PIC so you can build the kit without a PIC programmer.  The online assembly directions for the kit are very clear and easy to follow.  Before you start be sure to visit their tools page to make sure you have all the tools you need.

Overall the project took me about two hours to complete. A lot of that time was spent setting up and getting back into the swing of soldering.  Overall it was not a very difficult project.  The kit uses all through-hole components and the circuit board is not too densely populated.  In terms of difficulty I rate this kit as medium to medium-low.  I recommend this kit to anyone who wants to build a Bus Pirate.  However if you are new to electronics and soldering this is probably not the best project for you to cut your teeth on.

Truthfully I had more problems getting my serial port and terminal program configured properly than I did assembling the kit.  In the future I'll post some notes on getting the Bus Pirate to work in Windows and Linux.  I'll also cover how to get it working with a serial-to-USB converter.

So the Bus Pirate sounds like a cool geek toy but how does it relate to security?  First off when assessing hardware it is often helpful to communicate with the hardware directly.  This will allow you to skip over the vendor's APIs and applications which may place limitation on what can be sent to the hardware.  If you can talk to the hardware directly you can bypass these limitations.  From the security point of view I am especially interested in the Bus Pirate's ability to speak JTAG, 1-wire and raw 2-wire serial protocols.

JTAG is a diagnostic protocol that can be used to communicate with electronic circuits and chips.  JTAG is commonly used to restore bricked routers when an installation of OpenWRT or similar firmware fails.  However JTAG can also be used to directly query the memory in most embedded devices.

iButton Image By Stan Zurek1-wire is a protocol used by the iButton line of products. iButtons are frequently used in physical access control systems.

The raw 2-wire mode can be used to communicate with a number of smart cards.

I'll let your imagination ponder why I would want to communicate with these devices.

Thursday
11Jun

Finally My Notacon Slides Are Posted!

At long last here are the slides from my Notacon talk.  Below is an overview of the talk:

Notacon Mythbusters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer

For years emails and rumors have circulated that personal information such as credit card numbers, names and addresses are stored stored on hotel room keys.

The talk starts with an introduction to magstripe cards and how information is encoded onto the cards. The next section discusses what tools can be used to read and analyze magstripe cards. Next we test the myth by looking at data collected from a large number of hotel keys to determine what personal information is stored on them. The talk concludes with a discussion of advanced magstripe analysis, data manipulation techniques and how these techniques can be used during penetration tests and security assessments.

On a related note I hope to get back into updating this blog. One of my first priorities is to finish up the series on magstripe analysis. Thank you for reading and stay tuned for more updates!

Wednesday
15Apr

Slides from Tonight's NEO InfoSec Forum Meeting

 By popular request here are the slides from tonight's tool talk presentation on Jasager and Karmetasploit.

Monday
16Mar

Encore Presentation of Radio Reconnaissance in Penetration Testing Coming This July

If you missed my ShmooCon presentation "Radio Reconnaissance in Penetration Testing: All Your RF Are Belong to Us" here is your chance to see it again!  At the July 9th meeting of the Ohio Information Security Forum I will be doing an encore presentation of this popular talk.  The Ohio Information Security Forum meetings are held in Dayton Ohio and are free and open to the public.  For more information visit the Ohio Information Security Forum website.

Tuesday
10Mar

Client-Side Wireless Attacks and Defenses Presentation Slides

Last Thursday at the Ohio Information Security Conference I gave a presentation on attacking and defending wireless clients. The first half of this presentation focused on the various attacks that can be launched against wireless clients.  During this section I cover basic attacks such as sniffing unencrypted traffic and moved up to more advanced attacks using tools such as Jasager and Karmetasploit.  The second part of the talk covered how to protect wireless clients from these attacks.  The slides from the presentation can be found here.