savagejen's octopress blog

Github is the new facebook.

Home Invasion 2.0

Home Invasion 2.0 was a talk that I gave with Dan Crowley and David Bryan at Defcon 21 and Blackhat 2013. It shows off some attacks on smart home devices.

I Will Be Speaking at Defcon and Blackhat This Year

If you are attending Defcon or Blackhat this year, look for me on the schedule. I will be presenting alongside Dan Crowley and David Bryan. Here is the talk summary:

“Home Invasion 2.0 - Attacking Network-Controlled Consumer Devices”

A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before.

Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you’re going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.

See you in Vegas!

Moogle Time

I’ve coded a new Pebble watchface that I am calling “Moogle Time”. The moogle sprite has three states: awake, tired, and asleep, and these change depending on the time of day. The HP represents the hour and the MP represents the minutes. You can download the code on (github) and the pbw from (myPebbleFaces).



I Finally Made a Pebble Watchface

I decided to make a watchface as part of a birthday gift for my boyfriend, (Dan Crowley).

It was surprisingly easy and only took me a few hours to make. I had set up the pebble development environment previously, but turned out not to need it thanks to (CloudPebble). I was surprised to learn that CloudPebble is the work of a student and not something put out there by Pebble! It’s a really nice interface that makes Pebble development simple and accessible.

For the watchface, I started with the code from the Simplicity watchface and then adapted it using the tutorials included in the SDK. I used a font downloaded from a (Legend of Zelda fansite). The top of the watchface is the triforce, which is actually just an asterisk in the font pack. I arranged the text below the triforce in such a way that it would continue the pyramid shape downward. The time is at the bottom of the watchface, represented as a number of rupees, so that you get richer throughout the day. The day of the month is the “Level” you’re on, with the month above it in short month format to maintain the pyramid shape.

Dan loves it, but of course his favorite game is actually Final Fantasy VI (originally marketed as Final Fantasy III here in the US). So I might have to make another watchface.

I uploaded the code to (Github) and the pbw to (MyPebbleFaces).

Python Boolean *features*

(Amatus) brought to my attention the fact that True can be set to False in python.

So, for instance, if you open up your python interpreter and do:

>>> True=False
>>> print(True)
False

So, True can be set to False. True can be set to None. False can be set to True. False can be set to None. Luckily, assigning anything to None gives you an assignment error. Why on earth assigning to True doesn’t give you an assignment error as well, I will never understand. I certainly don’t consider this to be “expected behavior” or anything.

After you get over the shock of realizing that python’s boolean values are not immutable, you might think “Ok, but why would I ever set True=False?” I have no idea! But check this out:

>>> something=True=False
>>> myVariable=something
>>> myOtherVariable=True
>>> print(myVariable)
False
>>> print(myOtherVariable)
False
>>> print(True)
False

So you can change the value of True or False on the same line as you set a variable and that redefinition will affect setting every boolean value following it.

(The PEP for bool is also really a bizarre and interesting read.)
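The sessions above are Python 2, where True and False were plain names in the builtins module and an assignment simply shadowed them. Python 3 turned them into keywords (as None already was), so the same statement is now rejected at compile time. The following is an added example, not code from the original post: it checks which names the compiler still lets you rebind, and replays the chained-assignment trick with `bool` (a builtin that remains an ordinary, shadowable name) inside a throwaway namespace so the real builtin is never touched. The name `bool` as the stand-in for True is my choice, not the post's.

```python
import keyword


def is_reserved(name):
    """True when the language itself reserves the name (True/False/None in Python 3)."""
    return keyword.iskeyword(name)


def assignment_compiles(name):
    """Report whether the statement '<name> = 0' is accepted by the compiler.

    Python 2 treated True and False as rebindable builtins; Python 3 made them
    keywords, so the assignment fails before any code runs.
    """
    try:
        compile(f"{name} = 0", "<check>", "exec")
    except SyntaxError:
        return False
    return True


def chained_rebind_demo():
    """Replay the post's 'something=True=False' pattern using 'bool' as the target.

    Everything runs inside a private namespace dict, so the module's own
    builtins are unaffected. Returns the three values the post printed plus
    the result of the real bool() to show the builtin itself is intact.
    """
    ns = {}
    exec(
        # chained assignment: every target on the line receives the same value
        "something = bool = 'hijacked'\n"
        "myVariable = something\n"
        # 'bool' now resolves to the shadowing global, not the builtin
        "myOtherVariable = bool\n",
        ns,
    )
    return ns["something"], ns["myVariable"], ns["myOtherVariable"], bool(1)


if __name__ == "__main__":
    for name in ("True", "False", "None", "bool"):
        print(f"{name}: reserved={is_reserved(name)} assignable={assignment_compiles(name)}")
    print(chained_rebind_demo())
```

The lesson carries over to any builtin that is still a plain name (open, len, bool, ...): a lookup of an unqualified name walks local, global and then builtin scope, so a stray assignment anywhere above it silently wins. Linters flag such shadowing, which is the practical defense now that the True/False case is closed by the grammar.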

Python Module Hijacking

Reading through documentation, I noticed a peculiarity about python: it’s susceptible to library hijacking attacks.

Open your python interpreter and type in:

import sys
print(sys.path)

The result should be a list of paths that python will look in to find a module, in the order python searches them. In other words, the python path is the python equivalent of a DLL search path in windows.

You’ll note that the very first item on the list is '' (the empty string), which means your current working directory. So if you import io, the first place python will look for the io module is your current working directory.

Now, let’s say that someone places an io.py file in the same directory as your script. The next time your script is run, it will load their version of io instead of the one you intended. A user can essentially hijack the intended functionality of a module and replace it with their own, and all they need are write permissions to the same directory as your python script. For servers that offer shells to a variety of users, this type of attack could be used as a local privilege escalation on that box.

For example, here we have a script poc.py that opens a file (I know, not very useful, but it’s an example, so shhhh)

import io

io.open('spam.txt', 'w')

If you place this script in the same directory as the following io.py file:

# Same name and arity as io.open, so the call in poc.py resolves here instead
def open(foo, bar):
    print("Pining for the fjords?!")

Then when you go to run poc.py, you will get the output “Pining for the fjords?!”

I sent this along to the python security team with a set of suggestions for fixing it. For one thing, I think the current working directory should be the last thing listed in the pythonpath by default. For another, python could provide a way for developers to specify the static path to their modules.

The python security team let me know that this attack is already well known to them, and they have something called isolation mode planned for a future version of python.

The good news is that this doesn’t work for protected modules! The bad news is that most modules aren’t protected modules.

In the meantime, I’m told that you can configure virtualenv to only allow specific modules to be used by your python applications.

And sysadmins, please, never allow people to write to the same directories that your python scripts run out of.
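Two things worth checking on a box you administer are which search-path entries a local user could write into, and which copy of a module the import system would actually pick. The code below is an added example, not code from the original post: it audits a path list for the entries that make this attack possible ('' for the current working directory, relative paths, and directories writable by group or others), and it resolves a module name against an explicit search path with the same first-match rule `import` uses, without executing anything. The module name `victim_mod` and the `lib`/`cwd` directories are constructed in a temporary directory for the demonstration; a constructed name is used instead of `io` because modern interpreters already hold io in sys.modules at startup, so a planted io.py on the path would not be reached by a later `import io`.

```python
import importlib.machinery
import os
import stat
import sys
import tempfile


def audit_search_path(entries=None):
    """Flag search-path entries a local user with write access could abuse.

    Returns a list of (entry, reason) tuples. Defaults to the live sys.path
    when no explicit list is given.
    """
    entries = sys.path if entries is None else entries
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "empty entry resolves to the current working directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative path depends on the current working directory"))
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            # group/other-writable without the sticky bit means anyone can drop a module here
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
                findings.append((entry, "directory writable by group/others"))
    return findings


def resolve_module(name, search_path):
    """Return the file Python would load for `name` from an explicit search path.

    PathFinder applies the same first-match rule as `import`, but only locates
    the module; nothing is imported or executed.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def shadowing_demo():
    """Constructed scenario: victim_mod.py exists in 'lib' (the intended copy) and
    in 'cwd' (a directory a local user can write to). Returns the directory that
    wins for each ordering of the search path.
    """
    with tempfile.TemporaryDirectory() as root:
        lib, cwd = os.path.join(root, "lib"), os.path.join(root, "cwd")
        for d in (lib, cwd):
            os.mkdir(d)
            with open(os.path.join(d, "victim_mod.py"), "w") as f:
                f.write(f"MARKER = {os.path.basename(d)!r}\n")
        cwd_first = resolve_module("victim_mod", [cwd, lib])
        lib_first = resolve_module("victim_mod", [lib, cwd])
        winner = lambda origin: os.path.basename(os.path.dirname(origin))
        return winner(cwd_first), winner(lib_first)


if __name__ == "__main__":
    for entry, reason in audit_search_path():
        print(f"{entry!r}: {reason}")
    print(shadowing_demo())
```

Note that '' is what the interactive interpreter puts at sys.path[0]; when a script is run as `python poc.py`, sys.path[0] is the directory containing poc.py instead, which is exactly why the planted io.py beside the script wins. Since Python 3.4, `python -I` (isolated mode) drops that entry along with the user site directory and environment variables, and Python 3.11 added `-P` / `PYTHONSAFEPATH` to remove just the leading path entry.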

The Patsy Proxy

The Patsy Proxy was a talk that I gave with Dan Crowley at Derbycon 2 and Defcon 20 Skytalks. It was recorded at Derbycon and is available to view via YouTube.

First Post!

Well, first post to this blog anyway. Since I gave up blogging in earnest ages ago, the purpose of this blog is to focus on tech rather than drivel on about life. If you want to hear me drivel on about life, check out: (my twitter account).