Perimeter
2/10/2011
08:54 AM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Frequency Hopping Spread Spectrum, Project Ubertooth Detailed At ShmooCon

Two new wireless security projects discussed at ShmooCon focus on bringing low-cost hardware to security researchers

Have you often wanted to research, maybe even get into attacking wireless protocols other than the usual WiFi, but found the cost of the hardware to be off-putting? Several researchers recently presented at ShmooCon 2011 on projects they're working on to reduce the cost of entry for those interested in analyzing wireless protocols used by Bluetooth devices and smart meters.

The first wireless talk was the "Hop Hacking Hedy" (video) presentation by Q, Cutaway, and Atlas. It gave an overview of Frequency Hopping Spread Spectrum (FHSS), dispelled some myths about FHSS, discussed some of the challenges with analyzing wireless protocols using FHSS, and detailed the goals of their hedyattack project.

In order to keep the cost for hedyattack low, the project is based on the CC1111 from Texas Instruments (TI), which can be purchased in a development kit for $50. When paired with the current hedyattack attack code, you can monitor FHSS in the 902-928 MHz range, although cutaway said it is easy to modify for sub-902MHz frequencies.

Still wondering what you could use hedyattack for? According to the presentation, the CC1111 is a "USB-enabled version of TI's most popular <1GHz radio ... same radio used in the majority of today's smart meters."

The second talk I want to mention was from Michael Ossman, called "Project Ubertooth: Building a Better Bluetooth Adapter" (video). One of the things that has been missing in the security world is a good, low-cost Bluetooth sniffing device. Michael's research found that current Bluetooth devices do not have the capability to perform passive sniffing, so he set out to build one for less than $100.

Project Ubertooth was the result of that effort and led to the creation of Ubertooth One. Paired with Kismet and a custom plugin, Ubertooth One allows you to discover and passively monitor Bluetooth devices. Michael demonstrated Kismet with Ubertooth One during his presentation and Bluetooth devices immediately started showing up on the screen.

Ready to dive in? The hedyattack code is available at the group's Google Code project found here, and the CC1111 development kit can be purchased from TI at this page. For Ubertooth One, Michael has created a Kickstarter project to fund the project; you can get your own Ubertooth One for $100.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.