Some month ago I started to look into some RFID-based TOTP hardware tokens. Out of curiosity I bought some and started to reverse engineer them. This was just meant to be a learning experience. My colleague, Matthias Deeg, got interested as well and bought another token. Together we learned a lot about those devices. This post tells the story about the research I have done on the Token2 OTPC-P2. Links to Matthias’s research on the Protectimus SLIM can be found at the end of this post. Read more

Some time ago I came across a homee Brain Cube. This cube is an universal central device to connect smart home components of different vendors together and to control them. After opening up the case of this smart home bridge, I saw some potential to gain root access to the operating system running on it. Read more

Together with my colleague Matthias Deeg I’ve done some more research on wireless input devices. This is considered a follow up research to our previous work on wireless desktop sets. This time the focus was on presenters (aka presentation clickers) and Bluetooth keyboards. Again, we were able to find several security issues and presented them at Confidence in Krakow. Read more

With its online IT news platform “Heise online” and magazines like “c’t” Heise Medien GmbH & Co. KG is one of Germany’s biggest IT-related publisher. Therefore, I was happy when they offered me the opportunity to write some small articles, do an interview and even a video podcast. Back in 2017 they hand an article introducing an collection of “Hacking Gadgets” in c’t 18 /2017. Because the article was liked by its readers and there have been several new hacking gadgets/tools released since, they decided to make a new one. Read more

In 2016 my colleague, Matthias Deeg, and I have looked into the security of wireless alarm systems. At this time, the ABUS Secvest alarm system did not sign and/or encryption its packets, allowing an attacker to disarm it. Some time later they introduced rolling codes to their protocol. But as Thomas Detert found found out, they were still not secure. The used algorithm for generating the next valid code is predictable, just by looking at the communication. Read more

Together with my colleague Matthias Deeg I’ve done some research on several Bluetooth keyboards. This was a follow-up project to our research on wireless desktop sets. In general, Bluetooth-based keyboards seem to be more secure as the wireless keyboards with proprietary protocols. However, when it comes to Bluetooth security, there are some things which need to be taken into account. For me, the most interesting realization was about the trust relationship between paired devices. In some Bluetooth stacks (e.g. Android or iOS) a device can change complete without any waring to the user. For example a Bluetooth headset can turn into a full functional keyboard. Read more

I’ve did a presentation on the basics of RFID/NFC from my (a pentester) perspective. Since several parties were interested, I gave the presentation twice, once at the “Gulaschprogrammiernacht” in Karlsruhe and once at the “IT-Sicherheitskonferenz” in Stralsund. The main goal was to explain how some of the RFID/NFC technologies work and what security issues there are. Read more

I’ve been invited to the Vector Cyber Security Symposium to talk about pentesting cars. Since the audience does not only consists of techies, this presentation I gave was rather basic. It aims at providing a better understanding of why pentesting is important and souled be done for cars. The general theme of the talk is “improving security by breaking it”. Read more

About a year ago I bought and assembled the open source and open hardware Geiger counter by MightyOhm at the Chaos Communication Congress. Since this device does not have a display to show the current measured values, I extended it by some hardware to do the job. I’ve used a ESP8266 SoC by Wemos and connected a cheap OLED display via i2c. The measured data is send from the Geiger counter to the ESP8266 via UART. Since the ESP8266 has WiFi capabilities, the measured values are not only shown on the display, but also on a small web page. Read more

Together with my colleague Matthias Deeg I’ve done some research on several (cheap) wireless alarm systems. We found that it is possible to disarm all systems by a simple replay attack. Such an attack can be easily carried out using a Software Defined Radio (SDR). The results of our research have been documented by “Plusminus”, a German TV show. Read more

Together with my colleague Matthias Deeg I’ve done some research on several modern wireless desktop sets. All of the manufacturers claim they are secure because they encrypt data using AES 128. All keyboards and mice use a proprietary communication protocol (not Bluetooth), therefore we were interested in if they are really secure. The result of the analysis was presented at several IT security conferences including Ruxcon in Melbourne, Hacktivity in Budapest, ZERONIGHTS in Moscow, DeepSec in Vienna and hack.lu in Luxembourg. Read more

After playing around with my SDR and wireless sockets I had a look at other devices, which also use ASK/OOK modulated signals. I found a different wireless socket system, an alarm system and a sex toy. After analyzing the signals, I wanted do build a remote to control them all. I used an Adafruit Trinket (ATtiny85) as micro controller and a cheap OOK transmitter module at 433MHz. The code on the controller just sends the same signal as the original remote replay attack). Read more

In order to improve my understanding of Software Defined Radios (SDRs) and wireless communication in general, I tinkered with cheap wireless sockets. The results are two pieces of software. Sniffer: This script can eavesdrop on the signals the remote control sends to the sockets. It displays the address, the socket identifier (A, B, C, D or E) and the state (on/off). Remote control: This script allows you to change the state of any socket by supplying the address and the socket identifier. Alternatively you can use the brute-force mode to turn on/off every socket within range. Read more

I wrote my bachelor thesis about finding and exploiting USB security issues in USB host implementations. The first chapter imparts some basic knowledge about the USB technology. The second part is about USB security. This includes theoretical approaches as well as practical attack vectors. In the last chapter of the thesis you will find my work of trying to exploit some USB vulnerabilities and building a malicious USB device. Read more

In the process of making and improving the MifareClassicTool (MCT) I wrote two documentations about the development process. The first one covers the initial development until version 1.0.0 and also explains the basics of the MIFARE Classic technology and Android app development. It was created as part my internship semester. The second documentation covers the development process from version 1.0.0 to 1.5.2 and has some download and usage statistics. It was created as part of university project. Read more

This is a paper about RFID security. It was part of my university studies (sixth semester). The main focus is on the theory and feasibility of different attack vectors and their counter measures. Especially logical issues and physical attack vectors have been taken into account. Read more

This is a paper about the basics of digital forensics. It was part of my university studies (sixth semester). It is an introduction to the topic and aims to answer questions like “what is digital forensics?”, “what is it for?” and “how is it done?”. There also is a practical part about some basic tools and how to use them. Read more

The “Gulaschprogrammiernacht” (GPN) is a congress organized by Entropia e.V. (CCC Karlsruhe). I presented my research about the security of the student card at this congress. The similar student card system is present at most German universities. At this point in time the system was very broken, mostly because of the usage of the insecure MIFARE Classic RFID tags. Read more

MifareClassicTool (MCT) is a Android NFC app for reading, writing, analyzing, etc. MIFARE Classic RFID tags. It provides several features to interact with (and only with) MIFARE Classic RFID tags. It is designed for users who have at least basic familiarity with the MIFARE Classic technology. You also need an understanding of the hexadecimal number system, because all data input and output is in hexadecimal. A list of features can be taken from the readme. Read more

The c’t-Bot is a simple robot of the German IT journal c’t published by Heise. As part of a university lecture we should program it to do simple tasks (e.g. follow a light source). Furthermore, we should implement something we want the robot to do. This is were some fellow students and I implemented a remote control system. The code on the bot is written in C and the code on the controlling computer is written in Python. Read more

As part of my studies, some fellow students and I held a lecture about GSM security. The purpose was to give other students a theoretical and practical background. We put together a script, a handout and some exercises. To make this as palatial as possible we used some Motorola C123 phones running OsmocomBB software. Read more

This is a paper about the basic security concepts of the smart phone operating systems Android and iOS. It was part of my university studies (fourth semester). Please note: The information in the paper are very outdated. Much has changed since then. You will find better and more recent information on the internet. This paper is just here for “completeness”. Read more

This is a paper about basic RFID security issues but with focus on the MIFARE Classic technology. It was part of my university studies (fourth semester). As part of this research, I had a closer look at the MIFARE Classic-based system of my university. Because of the multiple use cases (payment, access control, amount of free copies at the printers, etc.) there are plenty of attack vectors. Furthermore, I build an RFID zapper. This device can destroy RFID chips without leaving a trace (visible from the outside). Read more

JAMM is an implementation of the code-baking game Mastermind. It is written in Java and ships with a simple GUI. There are up to 15 colors and 8 columns, the possibility to save and load games, key bindings to play it with keyboard only and a guess generator if you find yourself clueless. However, the most special part is the artificial intelligence which can solve your code. It is based on the paper “Efficient solutions for Mastermind using genetic algorithms” by Lotte Berghman, Dries Goossens and Roel Leus. Read more

This is a paper about basic and common security issues with wireless LANs. It was part of my university studies (first semester). After cracking the WiFi security, basic attack vectors like ARP spoofing and SSL/TLS man-in-the-middle have been taken into account as well. The last part is about my practical experience with wardriving. Read more

ABYSS is a small 2D space game written in C#. It is build using the Irrlicht 3D engine. Maps can be specified using a XML file. The controls are challenging to master and there even is a small power-up system. Read more