Tuesday, January 16, 2018

Hacking Embedded hardware video

I am trying to learn more about how hackers might be able to compromise factory IoT devices in an attempt to help find ways to prevent these types of attacks and I found this interesting video from a 34C3 presentation.

How to Hack SCADA from 34C3: https://youtu.be/Itgwb3rn7gE

34C3 - SCADA - Gateway to (s)hell

Hacking industrial control gateways

Small gateways connect all kinds of field busses to IP systems. This talk will look at the (in)security of those gateways, starting with simple vulnerabilities, and then deep diving into reverse-engineering the firmware and breaking the encryption of firmware upgrades. The found vulnerabilities will then be demonstrated live on a portable SCADA system.

Companies often utilize small gateway devices to connect the different field-busses used in industrial control systems (such as Modbus, RS232 etc) to TCP/IP networks. Under the hood, these devices are mostly comprised of ARM-based mini computers, running  either custom, tiny operating systems or uClinux/Linux. The talk will look at the security aspects of these gateways by examining known and unfixed vulnerabilities like unchangeable default credentials, protocols that do not support authentication, and reverse engineering and breaking the encryption of firmware upgrades of certain gateways.

The talk will consist of a theoretical part, an introduction on how to reverse-engineer and find vulnerabilities in a firmware-blob of unknown format, and a practical part, showcasing a live ICS environment that utilizes gateways, from both the IP and  the field-bus side, to pivot through an industrial control system environment: Demonstrating how to potentially pivot from a station in the field up to the SCADA headquarters, permanently modifying the firmware of the gateways on the way.

Thomas Roth

Monday, January 8, 2018

Friday, January 5, 2018

Cool Application on Google AIY Voice Kit

My good friend Yuibi shared his new Github creation that uses Google's AIY Voice kit and machine learning to play back Japanese music on his "Google Home".  Pretty cool project!


Thanks for sharing Yuibi!

Thursday, January 4, 2018

My ESP8266 Notes

The ESP8266 module is one of my favorite IoT modules to play with, because of its low price and ease of use.  Right now you can get one for as low as $2/board with everything you need.  Ordering on Amazon will cost you around $8-$20, but I bought one to experiment with from Amazon before making a bulk order from China on ebay to get better pricing.



My favorite board and instructions:

Get the Serial Driver for Windows!!!

Firmware Flasher for bin files:

  • https://github.com/nodemcu/nodemcu-flasher
  • https://github.com/espressif/esptool
  • https://github.com/marcelstoer/nodemcu-pyflasher/releases (Nice!)
  • https://nodemcu.readthedocs.io/en/master/en/flash/
Where do I get the firmware?
  • Build your own:
    • https://nodemcu-build.com/faq.php
  • Find someone else's build and download it or use the default old image from devkit
    • https://github.com/nodemcu/nodemcu-devkit-v1.0

What do I flash?
  • bin/0x00000.bin to 0x00000
  • bin/0x10000.bin to 0x10000
  • Your custom firmware using the nodemcu-build.com and pyflasher

Setup Arduino Libraries for ESP8266 and IRController blueprint (source)

  1. Install Arduino IDE
  2. Install ESP8266 Arduino Core
  3. Install the following libraries from the Arduino IDE Library Manager: ESP8266WebServer ESP8266WiFi ArduinoJson WiFiManager NTPClient IRremoteESP8266 as well as Cryptosuite which is not on the IDE
  4. Load the IRController.ino blueprint from this repository
  5. Upload blueprint to your ESP8266 (the .ino file). Monitor via serial at 115200 baud rate
  6. Device will boot into WiFi access point mode initially with SSID IRBlaster Configuration, IP address Connect to this and configure your access point settings using WiFi Manager. If your router supports mDNS/Bonjour you can now access your device on your local network via the hostname you specified (http://hostname.local:port/), otherwise via its local IP address (this IP address is displayed on the serial output)
  7. Forward whichever port your ESP8266 web server is running on so that it can be accessed from outside your local network, this is critical since Alexa commands come from Amazon's servers, not locally
  8. Download the IR Controller Alexa skill and start creating your devices. Each IR command will require a URL which can be saved. Choose whichever functionality you desire. Information on creating the URLs can be found below

Wednesday, January 3, 2018

I am posting this great newsletter that I receive from Chris Sandovall monthly.  He does a great job of keeping his ear to the latest trends. 

Some great reads here from his newsletter below:

I hope you find value from this newsletter. If it was forwarded to you and you want on the list, let me know.
Don’t want it? I’ll take you off the list, no hard feelings. I’m always open to feedback. Enjoy! – chris sandoval
I’m closing out 2017 (and kicking off 2018) by taking a look back at the most interesting stuff of the last year. Everything in this issue was a MUST READ or MUST WATCH in the second half of 2017. All killer, no filler!! Looking forward to an interesting 2018 – Happy New Year!

“Nearly half of middle-class workers may be forced to live on food budget of as little as $5/day when they retire”

“‘I’m going to work until I die,’ says one 74-year-old in a generation finding it too costly to retire.”

“what the dollar stores are betting on in a large way is that we are going to have a permanent underclass in America”

More Trends:

Innovation Stuff
“Creativity’s broadly distributed. Opportunity isn’t”

Internet Stuff
“The new deregulation of the internet is a loss, but it doesn’t have to be a permanent one, unless we let it.”

“Without net neutrality, service providers could easily prioritize their own content over competitors”

Think & Work Differently
“Steve Ballmer is loading volumes of government data onto a website. Maybe divided America will use it to find common ground.”

“We put monkeys to shame when it comes to the psychological vagaries of dividing the world into Us and Them.”

“providing some of the most compelling evidence yet of the positive effects of bestowing unconditional sums of cash on the poor”

“The younger generation uses technology the same ways as older people — and no better at multitasking.”

“we should be paying as much attention to the cheapest technologies as to the most sophisticated”

More Think & Work Differently:

Future of Cars Stuff
“It had a good run. But the end is in sight for the machine that changed the world”

More Future of Cars Stuff:

Puerto Rico Stuff
“The situation is still some people don’t even have food. He’s all that’s keeping them from starving.”

“Ethan and José's arrival felt like a movie”

“longest and largest major power outage in modern US history” Amazingly well-designed feature.

More Puerto Rico Stuff:

Security, Privacy & Fraud Stuff
“anyone who is applying for federal student aid or has a child who applied should strongly consider taking several steps”

“Andrew Therrien wanted payback. He got it—and uncovered a conspiracy.”

More Security, Privacy & Fraud Stuff:

Disruption & Transformation Stuff
“This is going to take a complete, from the ground up, rethink of every product in the business as we re-task it for real-time engagement, and it has already started.”

“there is a direct correlation between Digital IQ and financial performance”

More Disruption & Transformation Stuff:

Customer Experience Stuff
“To make this transition from UX designer to “product designer,” there are three important things to understand: strategy, growth, and marketing.”

“they build things that deliberately change the world in the way they want it to be changed”

“While many believe the success of Amazon Prime revolves around free shipping, it’s the removal of friction and focus on experience that sets it apart.”

More Customer Experience Stuff:

Facebook Stuff
“Violators can face tens of thousands of dollars in fines. Every single ad was approved within minutes.”

Military Stuff
“Four siblings wrote hundreds of letters to each other during WWII. The story they tell of service, sacrifice and trauma was hidden away in an abandoned storage unit — until now.”

“If you can't treat someone with dignity and respect, then get out

More Military Stuff:

TED2017 Stuff
·      Courage is contagious

Wildfire Stuff

Hurricane Stuff

Magic Box

BBQ Stuff

6-Word Movie Reviews
·      Blade Runner 2049 – Vast. Deep. Absolutely stunning. MUST SEE
·      Coco – Amazingly good. Every detail was perfect.
·      The Big Sick – incredibly funny and touching. SEE IT.
·      Atomic Blonde – Maximum intense action. Charlize Theron rules!

Universe Stuff

Blade Runner Stuff

Animal Stuff
·      Stick ‘em up!

Game of Thrones Stuff

·      PAPYRUS!!!
·      Dude can SPIN!
·      Short Trip

Nightmare Fuel
·      Survivalist

Classification: Public Information