Building the Internet of Wrongs

Building the Internet of Wrongs

I recently did a talk at BSides London on some of the little toys that I like to build. I’ve been tinkering with hardware for a few years now and find it fascinating. It’s a natural progression from my interests in breaking software, to breaking IoT to building my own stuff for the purposes of improving my understanding of how to break things. People asked me for the slides, but at 300mb I’m not so keen to put them up. Instead I thought I’d write up my talk and show you how to start building your own Internet of Wrongs devices.

Firstly, the Internet of Wrongs is a term I coined to describe the intersection of poorly built hardware designed for malicious purposes. None of the things I’m going to show you are particularly brilliant – indeed they’re actually all deliberately crap. However, each of these things I’ve deliberately made to provide an entry level project for a bunch of technologies, in order to highlight how easy it is to get started. If one seems too ludicrous or weak to you, just move on to the next one. If by the end of this post you don’t like any of them, take solace in the fact that it took me longer to write about it.

The WOL box

The first box I shared was the Wake-on-Lan tool I used to keep my friend’s flatmate’s macbook awake. It was all a practical joke gone horribly wrong when I was first playing with Arduino as a possible IoT platform. My friend’s flatmate was convinced that Macs were superior because he could use his fully charged Macbook on battery power in the morning, go to work, come home, tap a key and have his battery at 95%, while his previous Lenovo would only last 90 minutes. He obviously misunderstood concepts behind power management, and my mate and I decided to play a practical joke. As I had an Arduino and a TI CC3000 Wi-fi shield with me at the time, I built a Wake-on-LAN sender and left it in my mate’s flat. Plans change and instead of returning 2 weeks later, the device was left switched on in my mate’s flat for 6 months. From the whole experience I learned two things: Always have a remote off switch, and that I’m a massive douchebag, sometimes unintentionally.

My original WOL device.
My original WOL device.

WOL is a really simple but odd protocol. Because systems using it are technically switched off, you can’t really use an IP address as a target, making it a broadcast protocol. A WOL packet will typically use a broadcast MAC address and the local network’s broadcast IP address. The packet is UDP for fairly obvious reasons.

For Macs, WOL uses a destination port of 9. The structure of the packet is also quite simple. The payload consists of a sync stream of 6 bytes set to FF (or 255 for decimal fans) followed by the target MAC address repeated 16 times. The packet is called a ‘Magic packet’. It’s not that magical in my view.

Other systems use destination ports of 0 or 7, or have a specific Ethertype value when sent over Ethernet. If you wanted to build this for a Windows device you’d probably need to see what type of WOL is in use with something like Wireshark and modify it accordingly.

The code itself is really simple. Arduino uses a superset of C with a bunch of helper functions, and in your programs (or sketches as they’re called in Arduino parlance), two functions are used. The setup() function is called every time the device is switched on and loop() is run continuously. All the code does is send the packet, have some debugging code to make sure the wifi connection is up and wait a few seconds between loops.

I originally built this in 2013, long before I discovered the joys of far better platforms for this sort of thing, but if you wanted to build one yourself, the easiest way to get started would be to use an Arduino Uno R3 clone and a CC3000 WiFi Shield (Please note, these links help fund the site, but if you don’t want to use them then you can go to Amazon or elsewhere directly and search for the same items).

Next you’ll need to install the Arduino IDE, add support for Adafruit’s CC3000 shield library through the library manager, possibly download drivers depending on your Arduino clone’s USB chip and then finally download my terrible, shonky code. If he exists, I wouldn’t be surprised if God kills a kitten every time I declare a variable.

Once you have the code in the Arduino IDE, you should be able to modify the target MAC address, WPA settings and the delay between packets. Compile, upload and never again will your target Mac sleep on the same network.

If I was going to do this again, there are two main differences I’d choose. Firstly, I’d make it so that it checks a URL before setting off, so I could remotely deactivate it. Secondly I’d use something like an ESP8266 or NodeMCU instead – they’re much cheaper and have wifi built-in. Which brings me to another device, this time using ESP8266.

Poephol

I have some really cool friends in Cape Town, but some of my friends happen to have terrible neighbours. While flying to Cape Town to stay at my friends, they were quietly chatting in their garden in the early evening. The neighbours weren’t happy about this, but instead of asking my friends if they’d mind being a little quieter (not that they were loud), instead they kept screeching through the open window through the balcony above:

Eddie’s the dude

Eddie’s the guy

Eddie’s the man

This went on for quite some time, and led to a disturbing confrontation in which words were said and fists were shaken, but thankfully no punches were landed.

After landing I had a chat with my mate Eddie about doing something to their wifi. After some careful ethical and legal considerations, we decided it wasn’t really appropriate for us to knock everyone off their wifi network. Instead, I had a few more thoughts and built a little widget as a proof of concept when I returned to the UK. I named it Poephol because Eddie’s upstairs neighbours are (as one might say in Afrikaans) moerse poephols.

The ESP8266 is a simultaneously fantastic and shockingly terrible chip. It’s 3.3v only, not 5v tolerant at all and has massive issues with memory leaks and resets depending on how you use it. If I was trying to sell it to you, I’d say the architecture is ‘quirky’. As I’m not I’ll just come out with it: Working with it feels like you’re working with something weird and obtuse sometimes, but it’s cheap as and has wifi. Indeed, you can buy an ESP-01 for about US$1-2, and a NodeMCU (a much nicer dev board with USB support) for about US$5. To be fair, getting up and running with a NodeMCU is pretty easy and it’s much nicer to play with, then transfer your working code to an ESP board like the ESP-12.

Node MCU and an ESP-01 below an Apple wireless keyboard for scale.
NodeMCU and an ESP-01 below an Apple wireless keyboard for scale.

You can use the Arduino to program the ESP8266, just add it to the boards list and use the boards manager to install support. As always, Adafruit has the straight dope on setting this up. The code I used was shamelessly stolen from Kripthor’s github and tweaked only to broadcast SSIDs rather than jam the wifi signal. You can grab my code here.

The way Poephol works is pretty simple, it generates random SSIDs based on the template of ‘jeffsthe’ followed by one of dude, guy or man chosen at random, followed by an underscore and randomly generated two character bit of text. It then broadcasts this SSID, and a quarter of a second later generates another one and broadcasts that, ad nauseum. As with WOLter, it’s a fairly lame but accessible toy, and there’s plenty of fun to be had.

The code itself uses the now deprecated wifi_send_pkt_freedom() function to send a raw beacon frame. Some of you may wonder if this can be abused to send de-auth packets, to which the answer is yes. If you wanted to do this, you’d need two ESP8266s, one to sniff packets and one to send de-auths. I’ve had it working with two NodeMCUs communicating over GPIO. It was unstable but it (mostly) worked (I’m not going to share the code though).

Thunderblade

By way of an aside, I also talked about how I could modify code I wrote for a talk I gave at Kiwicon last December to do the deauth dance. I wrote the code in python using the excellent dpkt python bindings. Words can’t describe just how beautiful this is, although I couldn’t get deauth working at the time in python, so instead I went with shelling out to aircrack-ng. Again, as this is a tool that solely has the purpose of deauthing people, I’m not comfortable releasing it, although you might be able to look at the code when BSides London releases the video of the talk.

Thunderblade, a portable contextual wifi deauth tool.
Thunderblade, a portable contextual wifi deauth tool.

Thunderblade was built using a Raspberry Pi Zero. At the time the Pi Zero was quite a new thing. Personally I’m not sure how the Raspberry Pi foundation can make a computer that cheap and make a profit, given the price of the Zero’s DRAM is more than the Zero itself. Still, if you can get one, they’re nice little Linux boxes to play with.

To build a thunderblade, you need a Pi Zero, a wifi card, a USB OTG cable for the zero and a battery pack. Optionally you might want a powered USB hub while you’re building it so you can work on the device directly, unless you’ve got a USB gadget based serial terminal up.

The way thunderblade worked was to look for DNS requests and responses on open Wifi networks. If certain keywords existed in the request or response, that device was then deauthenticated from the network. Initially I thought of the idea when I saw some concert footage with a sea of phone users all filming it. Because of the Pi zero’s memory and 1ghz chip, python is pretty usable. For anything less powerful I’d definitely look to implement it in C.

Fun with Software Defined Radio

The RTL2832 chip is a common cheap chipset used in cheap USB DVB-T sticks. It, and it’s friends the R820T and E4000 started a revolution in cheap Software Defined Radio. They’re nowhere near as good as a proper radio, but the ability to reuse <£10 worth of TV stick to listen to pretty much anything from 27Mhz to 1.6 Ghz has opened up a huge hobbyist community.

There are many things you can do with these devices, but most of them are sadly unlawful where I live. As a part-time ethics enthusiast, this means that I’m only really able to start doing genuinely naughty stuff where a legal and policy framework permits such things, often far away from the more interesting signals. Still, if you want to listen to anything from weather satellites to GSM, these sticks are mighty useful.

My USB-powered Wifi SDR setup.
My USB-powered Wifi SDR setup.

A commonly equally mispurposed device is the common pocket router. Often these are built using using System-on-Chip (SoC) designs that feature a whole router on a single chip, then with a few extras soldered on for flash memory and ports. Indeed, if you want a fairly insecure Operating System on your router that wasn’t built by the vendor, there’s a bunch of OSes descended from a project called OpenWRT that allow you to do just that.

Combining the two we have a fairly interesting option for dealing with signal loss due to cable attenuation. Instead of running coax to a big radio, we can use a small OpenWRT box with a USB TV stick and plug that in close to our antenna, then control and manage it over wifi, or as people saw at BSides, less favourably so via 4G. Simply install the rtlsdr package from an installed OpenWRT system and you should be good to launch it from the command line.

Of course, if you want to really get the most out of it, it’s better to try and do some processing on the router itself. In my talk I showed off my USB-powered Wifi SDR decoding ADS-B signals with Antirez’ dump1090. The installed version has MalcolmRobb‘s modifications and allows me to track flights from Heathrow to Southampton and even as far as Plymouth, simply using the TV aerial on top of my house. Dump1090 is also in the OpenWRT packages list, and now even has a script to allow you to start it automatically, saving me the embarrassing job of posting my startup script. The router itself is a GL.Inet 6416A, based on the excellent AR9331 chipset. GL.Inet also make the AR150, which has slightly better wifi and costs about the same as the 6416A.

Now this might not seem that bad – it’s certainly quite useful, but things start to get very devious very quickly when you start looking at using battery powered OpenWRT devices for less savoury SDR stuff. I’m going to do some more on this at BSides Athens. In the meantime Dump1090 should hopefully keep you busy.

M.E.L.-1

The M.E.L.-1 Prototype
The M.E.L.-1 Prototype

The final toy I showed is still only a prototype. The Minimal Electronics Learner, or M.E.L.-1 is an ATTiny prototyping board that I’m working on. It’s main purpose is to provide a complete embedded kit for beginners that anyone can use and to introduce them to modifying hardware or building their own. I started work on this at the tail end of last year, and will be demoing a prototype, including building one live at BSides Manchester. The final device will allow you to do things like building a hat to shut down a Raspberry Pi, or modifying a fan to come on when it goes over a specific temperature. Or playing with chip to chip communication buses and doing devious things to them (my original plan).

Hopefully we’ll have this ready for 44CON and will be doing the final build as a badge, if not we’ll have something equally cool, no doubt.

Conclusions

Historically the world of hacking stuff has been largely limited to software, mostly due to a lack of low cost tool availability, or to a large amount of background knowledge being needed before you can start. With chipsets like the ESP8266 and NodeMCU, things are starting to get really interesting and really cheap at the low end. With OpenWRT and the Raspberry Pi at the high end, things are still cheap, and the age of throwaway malicious devices is almost upon us. The question is, what will you build in the time of the Internet of Wrongs?

What others are reading on Raw Hex