Reverse Engineering the Linear DX Wireless Security System
The Linear DX wireless protocol is as old as dirt and utilized in many physical security components like PIR sensors, bill traps, and door lock strikers. Here we will walk through the black box reverse engineering of the wireless signaling and destroy some of the vendor's security claims by enumerating the entire key space. We'll also cobble together a universal transmitter out of an existing remote and a BeagleBone Black capable of triggering some receivers in as little as 30 minutes and jamming other transmitters.
Defeating Secure Boot Using Electromagnetic Pulses and badFET
We present our process of defeating secure boot within a modern ARM-based IP Phone, Cisco 8861, using software defined radio and our custom EMP generator as an illustrative vehicle to discuss the following:
* Dissection of a set of (yet undisclosed) vulnerabilities found in Broadcom-implemented TrustZone execution environments.
* Our recent advancements in real-time tracking of the control flow of software running in modern embedded devices by the sensing and analysis of involuntary electromagnetic emanations.
* Our novel electromagnetic fault injection (EMFI) techniques capable of reliably and predictably altering computation of modern embedded devices by controlled application of electromagnetic pulses. We discuss challenges and methods of achieving reliable control-flow modification in modern 1 GHz+ processors.
* Discussion of the hardware and software design of badFET, a low-cost programmable electromagnetic pulse generator. It is our hope to release badFET as an open-source project to democratize EMFI research. (badFET is currently functional, but due to the nature of the device, it can cause serious injury or death. We plan to open-source the EMP generator portion of badFET if/when we build sufficient safety features into its
A Programmer's Perspective on Reverse Engineering
A programmer who has been reverse engineering for nearly 30 years looks at one recent discovery and one old "I told you so" and concludes to no great surprise that programmers want to understand the software and avoid the bugs but security research is mostly about finding the bugs without understanding the software. Perhaps something significant for each side gets missed in between.
The State of Security
The security field suffers from a lack of hard data. Too often, security professionals have to give recommendations based on what feels true or what seems to be true, rather than real ground truth. At the Cyber ITL, a nonprofit research organization, we're working to replace such truthiness with hard data. We're also focusing on binary analysis, as the field's focus on source code analysis has left some major blind spots in security reviews of software products.
A year ago, Mudge and Sarah introduced the Cyber ITL and its approach to automated software safety analysis. Now, they'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.
Parts of their methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.
The spirit of the 90s is alive in Brooklyn
Using the tools and techniques of today to solve problems that only existed in the 90s and are still alive in DEFCON CTF.
Sophia D'Antoine and Ryan Stortz explain and demo tools built on Binary Ninja's BNIL to find 90s-era bugs such as format string vulnerabilities, stack buffer overflows, and command injection.
Why are we still doing this?
Closing remarks for SummerCon 2017!