Locally Exploiting Wireless Sensors

Presented at DEF CON 17 (2009), July 31, 2009, 6:30 p.m. (50 minutes)

Wireless sensors are often built with a microcontroller and a radio chip, connected only by a SPI bus. The radio, not the MCU, is responsible for symmetrical cryptography of each packet. When the key is loaded, it is sent as cleartext over the SPI bus, and an attacker with local access can steal the key using a few syringe probes and readily available hardware. This attack and other local attacks against wireless sensor networks will be presented in detail, including a live demo of an AES128 key being extracted from an operational network. Following the conclusion of the lecture, audience members will be brought onstage to perform the attack themselves on various pieces of example hardware.

Presenters:

• Travis Goodspeed - Engineer of Superior Buckles, Goodspeed and Gourneau
  Travis Goodspeed is a neighborly reverse engineer from Southern Appalachia. He has been exploiting and reverse engineering wireless sensors since writing the first stack overflow exploit for them in 2007. His recent projects have included a timing attack on the MSP430 bootstrap loader and an extra-neighborly party-mode belt buckle in the shape of Tennessee.

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Goodspeed
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Travis Goodspeed - Locally Exploiting Wireless Sensors - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=PJ4jip-l780

Similar Presentations:

• Hackfest 2017 / The Black Art of Wireless Post-Exploitation
• Black Hat Asia 2018 / AES Wireless Keyboard – Template Attack for Eavesdropping
• DEF CON 25 (2017) / Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods