This hack is clearly an invocation of the Emergency Alert System. The EAS is a
hierarchically-organized digital message propagation system that has no authentication scheme for the vast majority of the nodes that participate in
the network. Since every moderately-sized licensed broadcast radio and TV station in the United States is required to participate in the network, that is a lot of
attackable nodes.
The hierarchy is easy to exploit if you wish to spoof an alert on a specific station. All you need to know is the specific list of stations that your
target listens to for alerts and a mobile radio transmitter that you can position relatively closely to your target's EAS receiving equipment. The
list of "source" stations for your target is often public information, or can be deduced very easily. (Search for "<city> eas plan" in your favorite search
engine.) The radio transmitter required is nothing more than a VHF two-way radio, which can often be a "modded" Amateur Radio which can transmit
outside of the legal Amateur bands.
Step 1: Assemble an EAS alert on a computer using a little bit of code to
generate the appropriate tones and an audio editor to stitch them together.
The exact format is tricky, but the information is publicly available.
Step 2: Find your likely target's listening list. These are often listed as
the "Local Primary" and "Local Secondary" stations in your target's
metropolitan area. These, unfortunately, are hard to spoof because
broadcast-band FM and AM transceivers are harder to get a hold of. Instead,
look up the NOAA weather radio transmission frequencies in your target's
area. These stations are often used as additional EAS sources by almost
every broadcast station in the system, and they are easy to spoof with
portable equipment.
Step 3: Put the spoof transmitter in a car and drive as close as possible to
the target's published studio headquarters. Targets often place their
receiving equipment in their primary studio locations.
Step 4: Put your transmitter into transmit mode and play back your spoofed
alert. You need to remain nearby just long enough to complete the injection
process. With a short message you only need about 60 seconds.
Step 5: Drive away. The automated relay system at your target will do the
rest.
Step 4 (transmission) is extremely easy, even with low-powered equipment
(250mW). Because of your proximity and the FM Capture Effect you will have no problem
overpowering the real source station without adversely affecting or alerting
anyone outside a 1/2 mile radius.
My guess is the attackers here did precisely this. They probably exploited
this TV station by spoofing a local NOAA weather radio channel that the TV station was listening to for alerts.
I'm sorry that there's no direct article for this submission, and I'm not certain who submitted it, but as an employee of CRI and one of the designers of the demo, I'd like to give you some details about what's going on.
At CRI we have a lab full of what I consider to be cool equipment, and what's more, some spare time to look at things. We specialize in side-channel analysis and we asked ourselves: what sort of side-channel leaks might be present in consumer PDAs? We took a USRP(1) interface that we had lying around and started investigating the RF emanations of a few of the devices we had easily on hand. We coded some simple cryptographic applications and were surprised at how quickly we were able to find ways to demodulate the various signals in the device in a way that revealed the bits of the secret keys being used.
We are indeed using GNURadio for the demo. It's been very helpful because it makes rapid prototyping very easy. We use gnuradio-companion to set up the signal processing blocks (mostly AM demodulation) and to set up a simple UI that helps us tune into the right carrier frequencies in real-time during the demo. The rest of the demo involves using our own custom waveform viewer to look at the demodulated signal and show visitors how we can analyze the signal on the screen and extract the key bits that were used during the encryption/decryption process on the device.
I've been studying SD cards for the last few months and I've managed to dig up some heretofore "secret" leaked documents about the SD Digital Rights Management mechanism, and I think I know how such a permanent modification could be performed.
One of the things that all SD cards support is the ability to designate a certain portion (which can include ALL) of the card's block storage as "secure". Once designated as secure, the blocks in question cannot be read, written to, or the area resized without performing an authentication step with the card. This authentication step is known as "AKE".
I'm willing to bet that the phone is using this "secure" facility and marking the entire card, or some significant portion thereof, as a secure storage area.
I'm a member of JPA (JP Aerospace) and had the honor of attending this event. The launch went perfectly and we had some fun chasing and recovering a high-altitude balloon.
The only other interesting thing that I could provide that you won't find elsewhere is that the rocket motor was slightly stronger than an 'N'. (I am not sure what this impulse equals in Newtons. Maybe someone else can provide that).
The space boundary is defined to be 60 nautical miles. One nautical mile = 1.15 statute miles.
Your math assumes that the rocket keeps a constant speed throughout the journey; this is not the case. The CSXT rocket motor was to burn entirely out in a mere 15 seconds. From thence onward it merely coasts to space!
I helped out at this launch attempt as part of the recovery team and I can tell you the following:
Amateur rocketry, like all rocketry, is used to failure
If you've met or heard of Ky, you'd realize that he has had plenty of successes and failures to deal with. And Ky is just the CEO of sorts to what amounts to a massively talented technical team. Having gotten the rocket off the ground was an accomplishment itself; the FAA puts enormous safety restrictions on the launch, of which very few are satisfied at any given moment.
The failure itself wasn't that dangerous either. The rocket did not explode like a fireball. It just made a sort of "pop" sound and broke into pieces. The selection of the launch site has a lot to do with ensuring that such pieces don't come down and harm anyone.
Can a Robot Commit a War Crime? (on Robots Go Spelunking · Score: 3, Interesting)
The robots in this article appear to be remotely controlled by a human operator, but I can't help but think that over time these robots and their predecessors will be given limited autonomy to execute tasks, and perhaps even kill. So given that future (which I admit is unlikely), what happens if a bot fails to obey the oxymoronically-titled but somehow accepted Law of Land Warfare? If this violation came to trial, who would stand accused of the crime?
The point of this story was to illustrate the use of Flash in building user interfaces for remote web-based control, not for use as a primary interface on the device itself.
Hacking and Ethics are two different entities (on L0pht And The FBI · Score: 5, Insightful)
It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might possess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to which you relate prevent you from also acknowledging their flaws and shortcomings.
All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers are strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.
I'm sure the honorable Lt. Bob Lozito, the officer quoted as stating that the antennas are illegal, could articulate which section of the law makes them so. Give him a call:
Hi-Tech Crimes Task Force
4510 Orange Grove Avenue
Sacramento, CA 95841
916.874.3002
(Courtesy of: http://www.sacsheriff.com/organization/contract_services/hi_tech.cfm)
The main points of the article are:
1) The relationship between Apple and Microsoft has been strained by the lackluster sales of Office v.X. Apple supports the porting of StarOffice because it doesn't want MacOS X to be cut off from the ability to interact with the ever-important Microsoft-dominated office file formats should Microsoft decide to abandon the platform.
2) Development hurdles that Sun must overcome are removing and redesigning X11 protocol specific code to work with Quartz 2D -- Apple's windowing API -- and redesigning the user interface such that it conforms to the Apple Aqua guidelines. (That's a tall order, especially considering that much of the Aqua guidelines are incomplete and still being formed.) Currently, StarOffice uses its own interface toolkit, built from the ground up.
3) The ever-pressing issue of how to make money by selling an essentially open-source product. Sun plans to do this not by merely offering support, but also adding special enticements to a commercial distribution that wouldn't be available in an open-source distribution. (An example is the bundling of commercial quality fonts with the software).