Okay, so let's talk a bit about the micro:bit and the way we can hack this tiny device. So just to introduce myself, I'm Damien Cauquil, head of R&D at Digital Security, sorry. This is a French company. I'm also a senior security researcher and I'm also a software and hardware enthusiast engineer. So I'm French, expect errors and so on, but I think you're quite familiar with it. So we're going to talk about the micro:bit. The micro:bit is a tiny device with many amazing features, many interesting things from a hacker's point of view. And I will introduce you to a way to turn the micro:bit into a sniffer and into some nice tools in order to hack into radio frequency protocols. I'm going to show some demos too. So first of all, the BBC micro:bit is a BBC-sponsored device that was given to a lot of students in the United Kingdom in order to facilitate the learning of coding in UK schools. So basically it has a five by five LED screen, an LED matrix, two buttons, a nice custom expansion connector and also wireless capabilities. So it's also noted because this is the interesting part of the micro:bit. And it's running MicroPython, so if you want to code in Python on the micro:bit, this is possible. It costs only 15 bucks, I checked on SparkFun, so it's cheap to buy one, it's very cheap. From another perspective, this is a device based on the Nordic Semiconductor nRF51822. It's a bit weird, it's a bit of a long name, but it's a 2.4 GHz GFSK-modulated transceiver that comes along with the CPU, so it's pretty cool. It has 256 kilobytes of flash, 16 kilobytes of RAM. You can use some pins as ADCs, so if you want to read some voltages, you can do it. It also has an SPI bus, an I2C bus, and you can use 20 GPIOs to do whatever you want with the expansion port. It's powered with 3 volts, so it's kind of cool. You can power it with 2 AAA batteries. It's very portable and affordable. It's also easy to program.
This device has been designed to fit children's needs, so everything is online. You can use a JavaScript blocks editor, for instance, developed by Microsoft. It's kind of like Scratch. You can use it to program your micro:bit. You just put blocks and develop on the micro:bit by using this editor, or you can do it the Python way by using an online editor. If you put Python code in it, it compiles online and you get a hex file. You just have to put this file on your micro:bit. This is an interesting device because if you plug it through the USB cable into your computer, it pops up as a mass storage device. You just have to drag and drop your file and it flashes your micro:bit automatically. This is very cool. It also has a REPL, a read-evaluate-print loop, so if you want to debug your code, you can just use, say, minicom, and you can debug it through UART. This is nice when you are developing some, you know, some code on the micro:bit. It also has wireless capabilities. This is the most interesting part. This transceiver, the nRF51822, is able to communicate through the legacy ShockBurst protocol. This is a protocol designed by Nordic. Also the Enhanced ShockBurst protocol. This is the new version of this protocol. Last but not least, the Bluetooth Low Energy protocol. This chip can emulate devices. You can put some Bluetooth Low Energy services on it, create a Bluetooth-enabled device. This is great. When I discovered these capabilities, I was like, you know, it's interesting, I said in French. It's interesting because the Enhanced ShockBurst protocol is well known, as it was presented last year by Marc Newlin from Bastille. It was attacked by him during this last DEF CON. He developed what you call the MouseJack framework. The MouseJack framework basically is a set of tools able to hijack wireless keyboards and mice. It's a great tool with a Python tool. It's also open source. It's a good way.
It's good to know the basics of this hack because it's not Marc Newlin who found out how to turn this device, which is a Crazyradio PA, into a sniffer. All the credit goes to Travis Goodspeed with his nRF24L01+ hack. In this hack, he managed to turn another chip from Nordic Semiconductor, which is the nRF24L01+, into a sniffer by using a trick I'm going to talk about in another section of this presentation. It's good to know. Also, Samy Kamkar made the KeySweeper, which is a tiny device. It's very small and it looks like a power adapter. But inside, you find an Arduino connected to an nRF24L01+. It's able to sniff wireless keyboards. It's also using a GSM gateway where you send text and receive text, so you can get all the intercepted stuff, intercepted keystrokes, wirelessly with your phone. Another interesting tool for 2.4 GHz protocols is a DSMx hijacking tool called Icarus. This one is a bit weird here. In fact, this is a tool that uses some kind of sniffing to hack into the DSMx protocol. What is the DSMx protocol? It's a protocol used with model airplanes. When you're flying model airplanes, you may use a controller and a receiver that use this protocol. They hacked into this protocol and were able to take complete control of a plane or a quadcopter, in this case. So, after having read all of this, I was thinking about doing some kind of offensive Python on the micro:bit. Maybe it's possible to turn this micro:bit into a sniffer. Hopefully it is, but maybe we can do a lot more with this. So, just have a look at it. So, let's start digging into the micro:bit. I'm going to start with the nRF51822 specifications, especially the way you can turn the transceiver into a sniffer. So, I talked about the Travis Goodspeed hack. So, this is how the Travis Goodspeed hack works. So, basically you have a datagram sent over the air and the transceiver tries to match some fields just to identify a valid packet.
Your packet starts with a preamble, which is in this example 55 in hex, then followed by a three-byte address. So, the address can be 3, 4 or 5 bytes when you are dealing with the Enhanced ShockBurst protocol. And this address is followed by your packet control field, which is 9 bits, then a payload and at the end a CRC. So, this is a basic setup for the ESB protocol. But what Travis Goodspeed discovered is that the matching, when the transceiver tries to identify the start of a packet, does not rely on the preamble byte. It performs the matching on the address. So, if you configure your nRF24L01+ in a weird way, there is a possibility to sniff. I mean, since the matching is performed on the address, if we set up the transceiver to match a two-byte-long address rather than the 3, 4, 5 bytes, and if we put 0055 in hex as an address, it will match the preamble of the packet. So, we also configure this transceiver to forget about the PCF field. So, we go back to the legacy ShockBurst protocol and we tell the transceiver that we need 32 bytes of payload. So, in the payload, we will find the ESB address, which is here 3 bytes, the 9 bits of the PCF field, the original payload, and also a CRC. In order for this packet to be notified to our code, we need to disable the CRC. Why? Because if the CRC is enabled, the matching algorithm will check the CRC and in this configuration, the CRC does not match. So, once you configure your transceiver this way, you're able to sniff. So, this is for the nRF24L01+, not for the nRF51822. But basically, they made the same mistake on the nRF51822. So, if you just tweak a bit the configuration of the nRF51822, you can get the exact same effect. There are some differences between the nRF24L01+ and the nRF51822. So, basically, the nRF51 is able to do both big-endian and little-endian values, where the nRF24L01+ just sticks with big-endian. And also, the nRF51822, it's very difficult to say, sorry.
The nRF51822 has a payload of max 254 bytes instead of the 32 bytes we got with the nRF24L01+. So, it's very cool because we were limited with the nRF24L01+, but the limitation is no longer here with the nRF51. But the configuration is a bit more complex. So, here is how it is done. I put all this in the code. So, you have the BASE0 and PREFIX0 registers. You have to put some 0 in it and 55 just to be sure to match the preamble. We configure the PCF field to be 0 to just not use this field here. And also, we set up the endianness to big with some kind of value. And we set up the maximum payload length to 40. Why 40? Just to be able to catch the 32-byte payloads we would have missed if we were using the nRF24L01+. Once you set up your nRF51822 like this, you will get some packets in it because it matches the preamble. But we have to check the CRC ourselves because this is not performed by the transceiver. So, by using this and by using some code from the firmware used for the MouseJack tool, we can check the CRC and just avoid all false positives from this. So, I put all of this into a modified MicroPython firmware I wrote. I will tell you where it is at the end of this talk. So, I modified MicroPython, its radio module, just to implement some new features such as this sniffing trick. And by using some lines of Python, I was able to develop a quick ESB sniffer. So, I got a little demo to show you how it works. So, first of all, I am programming my micro:bit with my specific firmware. And I tell the micro:bit to use a specific Python file I wrote. So, this is the file I showed you just before. And by connecting to the UART with a specific baud rate, I am getting all the stuff printed by the micro:bit. So, here you can see many devices talking with some kind of ESB protocol. So, this is a Logitech wireless mouse. And it's sniffed without any problem by this little hack. So, here it is. But we are not limited to the ESB protocol or the ShockBurst protocol.
It's a 2.4 GHz transceiver. We can do a lot of stuff. We can do sniffing. We can also inject information into this protocol. And this technique is not limited to ESB. So, we can hack into any 2.4 GHz protocol that relies on GFSK modulation with a specific data rate. So, there is a whole new world of possibilities. And as a field worker, I obviously own some kind of quadcopter. And I decided to put some support for the XN297 transceiver, which is found in the Cheerson CX-10. I don't know if you're familiar with this quadcopter. It's quite common. So, but the transceiver is not common. This is compatible with the nRF51822. But there is a slight difference. That is, this transceiver uses a data whitening algorithm. So, anyway, it's not a big deal. So, I developed some methods for the radio module to be able to communicate with the XN297. So, if you use the custom preamble used by this transceiver, which is 71 0F 55 in hex, as the receiver and transmitter prefix, you can communicate with this device without any problem at all. So, this is pretty easy to implement on the micro:bit. Also, the nRF51822 is Bluetooth Smart capable. So, I was wondering if there were some kind of possibilities to sniff some Bluetooth Smart traffic. And this is possible. Just as a reminder for those here who do not know the Bluetooth Low Energy protocol: the BLE protocol uses three channels to advertise devices. That is the 37, 38 and 39 channels. These channels are spread along the whole 2.4 GHz band. So, this is just a reminder. And every device that performs this advertising stuff has to send specific packets to a specific access address. This is a 4-byte address used after the preamble just to match, to identify unique links. And in this packet, you will find some kind of PDU. And this is a PDU that tells the BLE stack what it's all about. So, here we are looking for advertisements. And I also put all of this in my modified micro:bit firmware, my MicroPython.
So, I wrote a quick BLE advertisement sniffer using Python. And I ran it yesterday, or this night, at the hotel. There were a lot of devices advertising themselves. This is quite normal. But we can also spoof advertisement packets. So, if we build a packet from scratch, we can create a DEF CON 25 device and advertise this device. But furthermore, we can do some fuzzing on the PDU parsers used in many BLE stacks. So, I decided to modify just a byte, the first one before the DEF CON 25 string, which normally is 09. But I put 0A, so just the value plus one instead of nine. And I advertised this device. And I used my laptop with my integrated BLE adapter just to detect the devices that were around. If you look carefully, you can see that even though I sent a malformed PDU, my stack got it. And I get one more character at the end of DEF CON 25 because it thought that it was a 10-byte-long string rather than nine bytes. It can also be useful to test some kind of stuff like this on Bluetooth. Furthermore, we can sniff BLE connections. So, if you want to make a 15-bucks BLE sniffer, well, maybe it's the way. So, I tested this. I tried to sniff BLE connection requests. The BLE connection request is a specific packet sent by a device that wants to connect to a specific other BLE device, to provide this device with all the requested parameters. And we can sniff this connection request. So, I did this again with a BLE device at home. So, everything is on a micro:bit still. So, it takes some time to get the connection request because, since the device advertises itself on three channels, you have to be on the right channel when the connection request arrives. Just waiting. Okay. We got the first one. So, here we got the access address, which is a four-byte address identifying the link, and the initiator address, the advertiser address, the CRC init, which is important here because if you don't have this value, you cannot compute the CRC for your packet.
And the hop interval, which is a value that is used to determine the hopping frequency. So, obviously, I was off to a good start to sniff BLE connections. But, in fact, Python cannot do sniffing well on a micro:bit, because MicroPython introduces incompatible delays. It's so slow. Just to say it simply: it's slow. We have little RAM available. So, it's very difficult to create or to develop a BLE sniffer using this MicroPython stuff. So, but this is not really a problem, as we are going to see later. So, I decided to implement some tools. So, the first one was a MouseJack-like ESB sniffer, obviously, since I was into wireless keyboard and mice hijacking. So, this sniffer is able to dump 32-byte payloads where the original MouseJack tool cannot. And it supports ESB and legacy ShockBurst. And also the BLE link layer: I implemented some kind of Bluetooth sniffer at the link layer just to be able to capture packets. This is quite new. It also introduces a follow mode for ESB. But this mode is also present in the MouseJack tool. And it can do wireless sniffing. This is very useful when you are trying to debug some 2.4 GHz protocols. So, this is the system. I tested my tool against my wireless keyboard and mouse. So, again, I programmed my micro:bit to use some kind of middleware I've developed. And I start my sniffer, telling my sniffer to follow a specific device, which is my wireless keyboard. So, you can discover what this device is by using the same tool. And here we go. So, we get many packets, many acknowledgments. And if I type with my keyboard, as you can see, it's all the packets. So, this keyboard sends encrypted frames. So, this is not sent in cleartext. So, this is good. But if I take Notepad, and if I type with my wireless keyboard, so you can see, there are a lot of packets and exchanges between the wireless keyboard and the dongle. So, by doing this, we can spy on wireless devices using the ESB protocol.
Obviously, it was a good idea to create a wireless keylogger using this micro:bit. So, I use the micro:bit with two AAA batteries. And I created some software. So, it uses the UART interface to send the recorded keystrokes. And the micro:bit provides a tiny file system you can use to store your data in memory, in persistent memory. So, if you want to keep track of every keystroke sniffed by this device, this is a good way to go. So, I decided to plant my keylogger in the meeting room we have at Digital Security. So, I just put it on. You can see the LED doing some kind of searching for a wireless keyboard. And I asked a colleague of mine to log into an account using this wireless keyboard. So, he was currently logging in on a notebook using my vulnerable keyboard. So, he's entering his password. Everything was sniffed by this keylogger. And when I got my keylogger back, I connected this keylogger to my computer. So, this is the raw stuff to get the keystrokes. Okay. So, I press a button and I get all the keystrokes. So, this is a password in French. So, it was done with less than 200 lines of Python. The hard part was the HID conversion from the keystrokes to the characters. And it sounded nice to try to hack into some kind of wireless quadcopters, 2.4 GHz based quadcopters. So, I saw in November 2016 that Marc Newlin had challenged Michael Ossmann and Dominic Spill during a talk. So, the idea came from Marc Newlin. He wanted to make some kind of drone duel against Michael Ossmann. So, they unboxed two CX-10s and they tried to hack the other's CX-10. So, it was done with the MouseJack framework for Marc Newlin. And I don't know what tools Michael Ossmann used, but I guess it's dual based. And the result was the following. So, apparently it ended up with a draw and no hijacking whatsoever. So, that was a good start. Dominic Spill and Michael Ossmann presented the CX-10 wireless protocol during the talk. So, we got all the stuff already done.
So, this is a binding request sent by the remote controller to the quadcopter. So, basically the controller sends a binding request containing its transmitter ID and the quadcopter answers back with a binding reply with the transmitter ID and a vehicle ID or aircraft ID, followed by a confirmation. And then they start hopping from channel to channel, sending from the controller all the information about the stick positions. So, basically the throttle, yaw, pitch, roll and button state. And it does this by looping on different channels. So, my idea was to create a rogue controller that will be able to take over an existing connection and to take control of the drone. This can be done by sending a rogue packet just before the original controller does. And by doing this, we can take control of this. So, the channel hopping mechanism is just using four channels that are derived from the transmitter ID. So, once you've got the transmitter ID, you get the channels. So, the hijack is quite straightforward. We sniff a valid packet from channel 3 to 18, which is the range of the first channel used by this drone. Once a valid packet is found, we get the transmitter ID and the vehicle ID. We check this transmitter ID against the channels. We derive again the channel list and check if the channel we are currently listening on is in this list. And if it's okay, we just synchronize with the drone and send quicker, we send packets quicker than the original remote and get control of this. So, the hijack is done by using my MicroPython modded firmware. So, it's the same. We wait for a valid packet. We start with 55 in hex as the preamble. We get the transmitter ID. We derive the channels. And we check if the channel we are listening on is in the channel list. If it's okay, if it's found in the channel list, then we start synchronizing with the drone and then send packets with the correct values to take control of the drone. But the fact is I need a way to fly the drone.
So, I need a remote controller. I thought about using a classic RC, but no, this is way too complex. This is using some kind of protocol. I also thought about using a USB compatible gamepad, which we use normally in modern RC. But again, this was very complex. So, I decided to go with an existing remote controller for the CX-10. So, I modified my remote controller, put some wires in it, and soldered the original transmitter used in this controller and made my own rogue controller. So, that's it. With this controller, I am able to read the stick values by using the ADCs from the nRF51822. And I won't perform any live demos. I'm sorry. We got some insurance issues. They told me I could if I put some thread to tie my quadcopter to a table. I did this at home and smashed it into the ground. So, obviously, I won't be able to do this. But I got videos. So, this is the first one, demonstrating the hijacking process. So, I got a CX-10. So, it's waiting for binding. I performed this binding with a remote controller and I can control the drone with this remote. So, this is quite okay. And then I'm using my transmitter. Well, basically, this is not powered on. So, it doesn't work. So, I put power on it. Just check if the original transmitter is disconnected. So, here it is. I got control of the drone and I'm going to use my controller to pilot the drone. So, this is quite interesting. So, this was a test that I made on my desk. And I made another video showing the real flight. So, this is quite the same. I just took the quadcopter, put it on the floor, bound the quadcopter with the remote controller. So, here it is. So, I can fly the drone with this legit remote controller. So, I'm not a good drone pilot, you know. So, as I said. So, here it is. And then I take my remote controller, power it on. Sorry. Just, oh, here it is. So, I'm just checking it.
Normally, when you do it live, you get some trouble with the quadcopter, but if it's flying high, this is not really a problem. You can get control quickly. So, here it is. And using my remote controller, I was able to fly it smoothly, almost. So, it's working and I can fly it. It's not just a proof of concept. So, sometimes I got the remote controller disconnected, but I also experienced some issues with the green version of this quadcopter. I ordered some on Amazon and received them at that time. And when I tried this attack, it didn't work very well because the sticks do not have the same values. So, this is a problem when you're trying to take control of this. So, hopefully everything is online now, as I'm speaking. So, I put everything, the tools, the firmware, and so on. It's available on GitHub. It's open source. If you have a micro:bit, feel free to use it. And test this firmware. If you find issues or bugs or so on, file a pull request. If you test it, you will see that it's child's play to hack into some things. So, as a conclusion, because I've got to be very quick, this is a cheap, tiny and battery-powered radio frequency hacking tool. So, this is quite interesting. It also allows rapid prototyping. If you are going to experiment with some ShockBurst protocol, ESB protocol, or BLE, you can do nice stuff with it. It may be better than Bastille's MouseJack. I don't want to get Marc angry, you know. And you can do even better with the micro:bit DAL, which is the device abstraction layer developed by Lancaster University. So, this is C++, not Python, so you have to get deeper into the source code. But I'm currently working on a start of an implementation of Mike Ryan's hacking tool for BLE. So, Mike Ryan developed a BLE sniffer based on the Ubertooth tools using some SDR. And guess what? You can, I'm quite sure we can do the same with the micro:bit. I implemented the access address recovery, the CRC init recovery from this tool. It's still in development.
I got no proof of concept to show you. But if I connect my smartphone to a device, I am able to get all these values back, and the hop interval too. So, it's just a matter of time to get it working with a real BLE device. So, this is just some future work that comes with all of this. So, if you have any questions, I will be available out there, wandering in the halls and rooms. And thank you.
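The sniffing trick described in the talk hands the firmware raw bytes starting at the real ESB address, with the 9-bit PCF pushing the payload and CRC off the byte boundary, and the CRC must be checked in software to drop preamble false positives. The following is an added Python example, not the speaker's firmware or the MouseJack code, that decodes such captures and filters them on the CRC; it assumes the CRC-16 convention of the MouseJack research firmware (CCITT polynomial 0x1021, init 0xFFFF, computed bit by bit over address, PCF and payload) and uses constructed sample captures, and it also tries all three ESB address lengths rather than the talk's fixed 3-byte case.

```python
# Added example (not the talk's firmware). CRC convention assumed from the
# MouseJack nRF research firmware: CCITT poly 0x1021, init 0xFFFF, computed
# over the address, PCF and payload bits. Sample captures are constructed.
from dataclasses import dataclass
from typing import List, Optional

SNIFF_LEN = 40  # MAXLEN used in the talk so that a 32-byte payload still fits

def bytes_to_bits(data: bytes) -> List[int]:
    """Expand bytes into bits, most significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def bits_to_int(bits: List[int]) -> int:
    return int("".join(map(str, bits)), 2) if bits else 0

def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits (MSB first) into bytes, zero-padding the last byte."""
    bits = bits + [0] * (-len(bits) % 8)
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def esb_crc16(bits: List[int]) -> int:
    """CRC-16 over address, PCF and payload, one bit at a time: the 9-bit PCF
    shifts payload and CRC off the byte boundary, so byte-wise code fails."""
    crc = 0xFFFF
    for bit in bits:
        crc ^= bit << 15
        crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

@dataclass
class EsbFrame:
    address: bytes
    pid: int
    no_ack: bool
    payload: bytes

def build_esb_frame(address: bytes, payload: bytes, pid: int = 0, no_ack: bool = False) -> bytes:
    """Constructed capture: what the radio hands over once 0x55 matched as the
    'address' (everything from the real ESB address on), padded to SNIFF_LEN."""
    if not 3 <= len(address) <= 5 or len(payload) > 32:
        raise ValueError("ESB: 3-5 byte address, payload up to 32 bytes")
    pcf = [(len(payload) >> i) & 1 for i in range(5, -1, -1)]  # 6-bit length
    pcf += [(pid >> 1) & 1, pid & 1, int(no_ack)]               # 2-bit PID, NO_ACK
    body = bytes_to_bits(address) + pcf + bytes_to_bits(payload)
    crc = esb_crc16(body)
    frame = bits_to_bytes(body + [(crc >> i) & 1 for i in range(15, -1, -1)])
    return frame + bytes(SNIFF_LEN - len(frame))  # real captures carry noise here

def parse_esb_frame(raw: bytes) -> Optional[EsbFrame]:
    """Try the 3-, 4- and 5-byte address lengths ESB allows and accept the first
    layout whose CRC verifies; anything else is a preamble false positive."""
    bits = bytes_to_bits(raw)
    for addr_len in (3, 4, 5):
        pos = addr_len * 8
        pcf = bits[pos:pos + 9]
        length = bits_to_int(pcf[:6])
        end = pos + 9 + length * 8
        if len(pcf) < 9 or length > 32 or end + 16 > len(bits):
            continue
        if bits_to_int(bits[end:end + 16]) != esb_crc16(bits[:end]):
            continue
        return EsbFrame(raw[:addr_len], bits_to_int(pcf[6:8]), bool(pcf[8]),
                        bits_to_bytes(bits[pos + 9:end]))
    return None

def filter_captures(captures: List[bytes]) -> List[EsbFrame]:
    """Keep only captures that decode with a valid CRC, as the sniffer must."""
    return [f for f in map(parse_esb_frame, captures) if f is not None]

# Constructed captures: 5-byte and 3-byte address frames plus an all-zero false positive.
SAMPLE_CAPTURES = [
    build_esb_frame(b"\xe7\xe7\xe7\xe7\xe7", b"\x00\xc2\x00\x00\x00", pid=1),
    build_esb_frame(b"\x12\x34\x56", b"\x00\x01\x02", pid=2, no_ack=True),
    bytes(SNIFF_LEN),
]
```

Running `filter_captures(SAMPLE_CAPTURES)` returns only the two genuine frames; a single flipped payload bit or the all-zero buffer fails the CRC and is discarded, which is exactly the false-positive filtering the talk says the firmware has to do itself.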