
Sat, 1 Jun 2013

Honey, I’m home!! - Hacking Z-Wave & other Black Hat news

You've probably never thought of this, but the home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Under the hood, the Zigbee and Z-Wave wireless communication protocols are the most commonly used RF technologies in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security research efforts. Z-Wave is a proprietary wireless protocol that operates in the Industrial, Scientific and Medical (ISM) radio band. It transmits on the 868.42 MHz (Europe) and 908.42 MHz (United States) frequencies and is designed for low-bandwidth data communication in embedded devices such as security sensors, alarms and home automation control panels.

Unlike Zigbee, almost no public security research has been done on the Z-Wave protocol, except for a DefCon 2011 talk in which the presenter pointed to the possibility of capturing the AES key exchange ... until now. Our Black Hat USA 2013 talk explores the question of Z-Wave protocol security and shows how the Z-Wave protocol can be subjected to attacks.

The talk is being presented by Behrang Fouladi, a Principal Security Researcher at SensePost, with some help on the hardware side from our friend Sahand Ghanoun. Behrang is one of our most senior and most respected analysts. He loves poetry, movies with Owen Wilson, snowboarding and long walks on the beach. Wait - no - that's me. Behrang's the guy who lives in London and has a Masters from Royal Holloway. He's also the guy who figured out how to clone the SecurID software token.

Amazingly, this is the 11th time we've presented at Black Hat Las Vegas. We try and keep track of our talks and papers at conferences on our research services site, but for your reading convenience, here's a summary of our Black Hat talks over the last decade:

2002: Setiri : Advances in trojan technology (Roelof Temmingh)

Setiri was the first publicized trojan to implement the concept of using a web browser to communicate with its controller, and it caused a stir when we presented it in 2002. We were also very pleased when it got referenced in a 2004 book by Ed Skoudis.

2003: Putting the tea back into cyber terrorism (Charl van der Walt, Roelof Temmingh and Haroon Meer)

A paper about targeted, effective, automated attacks that could be used in countrywide cyber terrorism. A worm that targets internal networks was also discussed as an example of such an attack. In some ways, the thinking in this talk eventually led to the creation of Maltego.

2004: When the tables turn (Charl van der Walt, Roelof Temmingh and Haroon Meer)

This paper presented some of the earliest ideas on offensive strike-back as a network defence methodology, which later found their way into Neil Wyler's 2005 book "Aggressive Network Self-Defence".

2005: Assessment automation (Roelof Temmingh)

Our thinking around pentest automation, and in particular footprinting and link analysis, was further expanded upon. Here we also released the first version of our automated footprinting tool, "Bidiblah".

2006: A tail of two proxies (Roelof Temmingh and Haroon Meer)

In this talk we literally did introduce two proxy tools. The first was "Suru", our HTTP MITM proxy and a then-contender to the @stake Web Proxy. Although Suru has long since been surpassed by excellent tools like "Burp Proxy", it introduced a number of exciting new concepts, including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements included timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own.

Another pioneering MITM proxy - WebScarab from OWASP - also shifted thinking at the time. It was originally written by Rogan Dawes, our very own pentest team leader.

The second proxy we introduced operated at the TCP layer, leveraging the very excellent Scapy packet manipulation program. We never took that any further, however.

2007: It's all about timing (Haroon Meer and Marco Slaviero)

This was one of my favourite SensePost talks. It kicked off a series of research projects concentrating on timing-based inference attacks against all kinds of technologies and introduced a weaponized timing-based data exfiltration attack in the form of our Squeeza SQL Injection exploitation tool (you probably have to be South African to get the joke). This was also the first talk in which we Invented Our Own Acronym.

2008: Pushing a camel through the eye of a needle (Haroon Meer, Marco Slaviero & Glenn Wilkinson)

In this talk we expanded on our ideas of using timing as a vector for data extraction in so-called 'hostile' environments. We also introduced our 'reDuh' TCP-over-HTTP tunnelling tool. reDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page onto a compromised server, we can connect to hosts behind that server trivially. We also demonstrated how reDuh could be implemented under OLE right inside a compromised SQL 2005 server, even without 'sa' privileges.

2009: Clobbering the cloud (Haroon Meer, Marco Slaviero and Nicholas Arvanitis)

Yup, we did cloud before cloud was cool. This was a presentation about security in the cloud. Cloud security issues such as privacy, monoculture and vendor lock-in were discussed. The cloud offerings from Amazon, Salesforce and Apple, as well as their security, were examined. We got an email from Steve "Woz" Wozniak, we quoted Dan Geer and we had a photo of Dino Dai Zovi. We built an HTTP brute-forcer on and (best of all) we hacked Apple using an iPhone.

2010: Cache on delivery (Marco Slaviero)

This was a presentation about mining information from memcached. We introduced go-derper.rb, a tool we developed for hacking memcached servers and gave a few examples, including a sexy hack of It seemed like people weren't getting our point at first, but later the penny dropped and we've to-date had almost 50,000 hits on the presentation on Slideshare.

2011: Sour pickles (Marco Slaviero)

Python's Pickle module provides a known capability for running arbitrary Python functions and, by extension, permits remote code execution; however, there is no public Pickle exploitation guide and published exploits are simple examples only. In this paper we describe the Pickle environment, outline the hurdles facing a shellcoder and provide guidelines for writing Pickle shellcode. A brief survey of public Python code was undertaken to establish the prevalence of the vulnerability, and a shellcode generator and Pickle mangler were written. Output from the paper included helpful guidelines and templates for shellcode writing, tools for Pickle hacking and a shellcode library. We also wrote a very fancy paper about it all...
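The root of the problem described above is that unpickling is deserialization plus execution: a pickle stream can name any importable callable and have it invoked with attacker-chosen arguments. The following is an added example written for this page (not code from the SensePost paper or its tools) showing that mechanism with a harmless marker callable, and the standard defence when a pickle format cannot be avoided: a restricting `Unpickler` subclass whose `find_class` only resolves an explicit allowlist. The `Ticket` class, `SAFE_BUILTINS` set and helper names are constructed for the demonstration.

```python
import builtins
import io
import os
import pickle


class Ticket:
    """Constructed class whose pickle form does not rebuild a Ticket at all.

    __reduce__ tells pickle 'to recreate me, call os.getcwd()'. Any callable
    reachable by module and name could be substituted here; getcwd is used
    only as a harmless, observable marker that code ran during load().
    """

    def __init__(self, owner):
        self.owner = owner

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload():
    """Serialise the constructed object; the stream now carries a GLOBAL/REDUCE pair."""
    return pickle.dumps(Ticket("alice"))


def unsafe_load(data):
    """The pattern the paper warns about: pickle.loads on data you did not create."""
    return pickle.loads(data)


# Allowlist of builtins the application legitimately needs to reconstruct
# (constructed for this example; tailor it to the types you actually store).
SAFE_BUILTINS = {"range", "slice", "complex", "frozenset"}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; everything else aborts the load."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load(data):
    """Return ('ok', obj) for plain data, ('rejected', reason) for anything
    that tries to reach a callable outside the allowlist."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def demo():
    """Run the unsafe and restricted loaders over the same constructed payload."""
    payload = build_payload()
    unsafe_result = unsafe_load(payload)          # os.getcwd() actually executed
    status, detail = safe_load(payload)           # rejected before REDUCE runs
    return {
        "unsafe_ran_callable": unsafe_result == os.getcwd(),
        "restricted_rejected": status == "rejected",
        "reason": detail,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Plain containers of literals (dicts, lists, strings, numbers) never need `find_class`, so they pass the restricted loader untouched, while `range` passes only because it is allowlisted. The allowlist approach limits exposure but does not make pickle a safe interchange format; where the data model permits, a format with no code-execution semantics (JSON, for example) removes the class of bug entirely.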

We did not present at Black Hat USA in 2012, although we did do some very cool work in that year.

For this year's show we'll be back on the podium with Behrang's talk, as well as an entire suite of excellent training courses. To meet the likes of Behrang and the rest of our team, please consider one of our courses. We need all the support we can get and we're pretty convinced you won't be disappointed.

See you in Vegas!

Wed, 1 Apr 2009

HBN Developer Edition Training

Hi All

We have scheduled our first Developer course for April in Pretoria, should you know of anyone in your area that would like to attend.

- Hacking by Numbers - Developer Edition (28-30th April)

Information about the course:

  • HBN - Developer Edition
'Hacking By Numbers - Developer Edition' is a course aimed at arming web application developers with knowledge of web application attack techniques currently being used in the 'wild' and how to combat them. Derived from our internationally acclaimed 'Hacking By Numbers' security training, this course focuses heavily on two questions: "What am I up against?" and "How can I protect my applications from attack?" During the course sample applications will be dissected to discover security related bugs hidden within the code. The class will then consider prevention, detection & cure.

A registration form can be downloaded from [here]

Otherwise please mail [] for more information.


Ranum Reloaded..

A little while back I commented on Marcus Ranum's HiTB talk "Cyberwar is Bullshit!". I ended the post with the words "Ranum is indeed much better than this..". Ranum spoke recently at Source Boston, and his talk [The Anatomy of Security Disasters] indeed shows this is true..

If you are in the industry to make a quick buck, or because it beats flipping burgers at McD's, you probably don't need to, but if you are involved with security decisions at any level, then you really should take a few minutes to digest his talk.

If I have any criticism of the piece, it is simply this: Ranum frames the issues in terms of computer security, but actually the behaviour he describes is pretty symptomatic of dysfunctional management in general.

"there is a huge disconnect between what management hears and what they are told — a disconnect so severe that senior management .. can deride security practitioners as "whiners" while still expecting them to enable business securely"

His timeline of a disaster is spot on, and I'm sure it is something that will cause vigorous head nodding from readers all over the planet:

"At the beginning of the disaster, a bad idea is proposed. Often, someone immediately tries to shoot it down, or point out its flaws. In very rare corporate cultures, the idea dies there and the whole disaster is averted. More typically, the bad idea survives - as does the trail of Emails pointing out the initial flaws.


Next comes the most interesting part of the disaster. Suppose management is duly and accurately apprised of the fact that the idea is bad. If the idea is something management really wants to do, there is sometimes a period of negotiation, or re-tuning. The idea bounces back and forth and has various tweaks applied to it, but two important things remain:

    1. It is still a bad idea.
    2. It is going to happen anyway.
Anyone who has ever been involved in this kind of disaster, from the technical side, will doubtless recall the horrifying feeling you get when you realize that you're trapped trying to deal with a bad idea.

Then comes the most crucial part of the disaster: the point at which management's expectations begin to form a reality gap. Generally, this happens because management believes it has set out some objectives, and does not realize that those objectives are being renegotiated because the basic objectives are literally impossible or simply ridiculous.

Up in the corner office, they see people working hard on making the idea come to fruition, plans are being made and considerations are being weighed. The trade-offs that are being made, which place the organization at risk, are being somewhat improved with compensating controls, but nobody has been able to break it to the corner suite that we're still dealing with a fundamentally bad idea. More importantly, still, the compensating controls may serve to obscure the fact that they amount to little more than butt-covering. In the most dysfunctional organizations, you get senior (or sometimes mid-level) executives who 'shop a bad idea' until they find someone who is willing to tell them it is good."

I originally planned to include only small sections of Ranum's talk, but felt I couldn't leave those snippets out.. I have sat in on more than my fair share of executive meetings, and his words ring true whether they relate to security decisions or even just strategic ones.. I love the Feynman report he quotes, and firmly believe that one of the biggest challenges we face is trying to break the insane "reality gap" that seems to prevail in boardrooms across the globe.


"Simply put, such disasters are purely the fault of poor management; managers who 'shop' bad ideas, or who create organizational cultures in which staff that point out problems are "whiners" or "nay-sayers." Unfortunately, in most businesses, senior level managers are recruited for being "can do" types who get the job done, which means that you're particularly in danger of having to deal with a senior executive that is comfortably living with a serious reality gap"

Mon, 30 Mar 2009

Hello World (With an LED)

Way back when I was a sysadmin, I recall reading a quote from one of the AT&T greybeards who said something to the effect of "every competent sysadmin should be able to build his own network card".

Of course most of us have spent tons of time ripping apart electronics and "watching what happens when you connect X and Y", but unlike the electronic engineers with their oh-so-cool multimeters, I've never actually done any PLC programming..

Which is why I think Arduino has so much promise. Other than the cool stuff that people are doing with it, it's cool just because it's going to get a whole bunch of people tinkering with hardware and sensor-based computing.

As a self-confessed noob, I took great pleasure in going from 10 lines of code to a blinking LED!

(I have placed the board next to a standard-sized business card as a size reference - it's much smaller than I expected (in my mind I imagined a NIC2000-type green PCB, not the prettiness that is the Duemilanove (Made in Italy, should have known!)))


Like deja-vu (all over again)

Those of you who were around in 2001 will recall (anti-sec f.a.q)..

The sentiment pops up periodically (in different forms) and it seems like CanSecWest this year has seen a resurgence of it.. From Charlie Miller's comments on the Safari bug:

"Did you consider reporting the vulnerability to Apple?

I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs."

to the art captured by Garett Gee:

(Alex Sotirov && Dino Dai Zovi)

As usual this sparks loud debate on both sides. Ross Thomas from SophosLabs came out loudly against Miller for being "so breathtakingly cavalier about the safety of my data and the privacy of my personal information" (sic)

Personally I must confess that I find Ross's reasoning pretty dodgy, but I recall having a similar discussion at 04h00 in the morning with singe in a Las Vegas food court..

Interesting times..


PS. Oh.. almost forgot, it doesn't matter which side of the argument line you fall on, you have to give props to Internet Security's latest rockstar - the hax0r known as Nils for his elite browser trifecta [Safari|IE8|Firefox]

PPS. Oh.. can we please stop people talking about how the machines were hacked in X seconds. It makes a good headline, but it's annoying..