About a year ago I bought and assembled the open source and open hardware Geiger counter by MightyOhm at the Chaos Communication Congress. Since this device does not have a display to show the current measured values, I extended it by some hardware to do the job. I’ve used a ESP8266 SoC by Wemos and connected a cheap OLED display via i2c. The measured data is send from the Geiger counter to the ESP8266 via UART. Since the ESP8266 has WiFi capabilities, the measured values are not only shown on the display, but also on a small web page. Read more

Together with my colleague Matthias Deeg I’ve done some research on several (cheap) wireless alarm systems. We found that it is possible to disarm all systems by a simple replay attack. Such an attack can be easily carried out using a Software Defined Radio (SDR). The results of our research have been documented by “Plusminus”, a German TV show. Read more

Together with my colleague Matthias Deeg I’ve done some research on several modern wireless desktop sets. All of the manufacturers claim they are secure because they encrypt data using AES 128. All keyboards and mice use a proprietary communication protocol (not Bluetooth), therefore we were interested in if they are really secure. The result of the analysis was presented at several IT security conferences including Ruxcon in Melbourne, Hacktivity in Budapest, ZERONIGHTS in Moscow, DeepSec in Vienna and hack.lu in Luxembourg. Read more

After playing around with my SDR and wireless sockets I had a look at other devices, which also use ASK/OOK modulated signals. I found a different wireless socket system, an alarm system and a sex toy. After analyzing the signals, I wanted do build a remote to control them all. I used an Adafruit Trinket (ATtiny85) as micro controller and a cheap OOK transmitter module at 433MHz. The code on the controller just sends the same signal as the original remote replay attack). Read more

In order to improve my understanding of Software Defined Radios (SDRs) and wireless communication in general, I tinkered with cheap wireless sockets. The results are two pieces of software. Sniffer: This script can eavesdrop on the signals the remote control sends to the sockets. It displays the address, the socket identifier (A, B, C, D or E) and the state (on/off). Remote control: This script allows you to change the state of any socket by supplying the address and the socket identifier. Alternatively you can use the brute-force mode to turn on/off every socket within range. Read more

I wrote my bachelor thesis about finding and exploiting USB security issues in USB host implementations. The first chapter imparts some basic knowledge about the USB technology. The second part is about USB security. This includes theoretical approaches as well as practical attack vectors. In the last chapter of the thesis you will find my work of trying to exploit some USB vulnerabilities and building a malicious USB device. Read more

In the process of making and improving the MifareClassicTool (MCT) I wrote two documentations about the development process. The first one covers the initial development until version 1.0.0 and also explains the basics of the MIFARE Classic technology and Android app development. It was created as part my internship semester. The second documentation covers the development process from version 1.0.0 to 1.5.2 and has some download and usage statistics. It was created as part of university project. Read more

This is a paper about RFID security. It was part of my university studies (sixth semester). The main focus is on the theory and feasibility of different attack vectors and their counter measures. Especially logical issues and physical attack vectors have been taken into account. Read more

This is a paper about the basics of digital forensics. It was part of my university studies (sixth semester). It is an introduction to the topic and aims to answer questions like “what is digital forensics?”, “what is it for?” and “how is it done?”. There also is a practical part about some basic tools and how to use them. Read more

The “Gulaschprogrammiernacht” (GPN) is a congress organized by Entropia e.V. (CCC Karlsruhe). I presented my research about the security of the student card at this congress. The similar student card system is present at most German universities. At this point in time the system was very broken, mostly because of the usage of the insecure MIFARE Classic RFID tags. Read more