One for all and all for WHAD: wireless shenanigans made easy!

Presented at DEF CON 32 (2024), Aug. 9, 2024, 5 p.m. (45 minutes).

A lot of security research has recently focused on various wireless communication protocols, targeting smartphones, wireless mice and keyboards, and even cars. To demonstrate these attacks, researchers developed dedicated tools, most of which include specialized firmware of their own but also rely on their own unique, custom host/device communication protocols. These tools work great, but they are strongly tied to specific hardware that at some point will no longer be available, or that requires hackers to buy yet more hardware to keep having fun. Why not make these tools compatible with more hardware? And why do researchers always have to create their own host/device protocol when it comes to using dedicated hardware? Why not have one flexible protocol, and the related tools, to rule them all? In this talk we will present WHAD, a framework that provides an extensible host/device communication protocol, dedicated protocol stacks and way more for hackers who love having fun with wireless protocols. WHAD makes interoperability between tools possible by allowing different hardware devices to be used as long as they provide the required capabilities, giving the opportunity to create advanced tools without having to care about the hardware and its firmware in most cases!

Presenters:

  • Damien Cauquil / virtualabs - Security Engineer at Quarkslab
    Damien Cauquil is a security engineer at Quarkslab, France. He loves electronics, embedded devices, wireless protocols, and hacking all of these, not necessarily in that order. He authored several Bluetooth Low Energy tools like Btlejuice and Btlejack, discovered a way to hack into an existing Bluetooth Low Energy connection that was later improved by his co-speaker Romain Cayre, and wrote other tools on a lot of different topics that tickle his mind but are not always related to security or wireless protocols.
  • Romain Cayre - Assistant Professor, Software and System Security (S3) Group at EURECOM
    Romain Cayre is an assistant professor in the Software and System Security (S3) group at EURECOM, France. He works on topics related to wireless security, IoT security and embedded systems security. He loves hacking embedded wireless stacks and playing with wireless protocols. In the past, he worked on several research projects related to wireless hacking, like WazaBee (a cross-protocol pivoting attack that allows receiving and transmitting arbitrary 802.15.4 packets from a diverted BLE transceiver), InjectaBLE (an attack that allows injecting arbitrary packets into an ongoing Bluetooth Low Energy connection by leveraging a race condition in the Link Layer clock drift compensation mechanism), and OASIS (a defensive framework that generates embedded detection software and injects it into Bluetooth Low Energy controllers). He is also the main developer of Mirage, an offensive framework for wireless communication protocols (and a precursor of the new framework WHAD!).
