In Defence of Academic Qualifications in Cybersecurity

The consensus at the moment seems to be that academic qualifications for cybersecurity are expensive, out of date, and do not prepare students for life in the real world.

I agree.

However, that does not mean they are not useful, and indeed I would say that they are probably the first thing hiring managers should look at.

Especially in the USA, but increasingly in the UK and the rest of the English-speaking world, the path into security is laid out like this: get the CompTIA trifecta (A+, Network+, Security+). Create some projects in GitHub. Go spend months on TryHackMe to get into the top n%. Cram as many other certs as you can, and you should get a cybersecurity role. If all else fails, get a helpdesk job for experience and jump after 18 months as you’ll have experience.

Whilst the above scenario may work for some, it does not demonstrate that you actually know anything at all. The CompTIA exams are perfectly decent, but the idea of certification is to demonstrate what you already know. Current advice seems to be to learn from books or videos in order to pass the exam. The two are different mindsets. The first one challenges you to apply what you know to the aims of the qualification. The second gives you the answers and expects you to hit the ground running once you are let loose in the real world. I do not blame new entrants for choosing the second path. Getting experience is hard without a job, and getting a job is harder now (much harder than it ever has been for me as a GenX job seeker) because employers expect certification as a minimum. So people learn to pass the exams and not how to do the job that requires them.

Similarly, whilst there is definitely merit in creating your own projects, or working through tens of hours of hacking challenges, they do not represent the real world. The real world does not have pages of YouTube tutorials, nor does it have influencers suggesting projects and giving hints and walkthroughs on how to do them. As a learning experience, they are heavily influenced by the person doing them. Some may work through everything from scratch, filling GitHub repos and pwning boxes left, right, and centre. Others may have the same output, but have gotten there on the backs of video hints and answers in blog posts. Again, the two are not the same, and a hiring manager cannot see which type of person you are from your CV.

Which brings me to academia. To highlight potential biases, let me state first that I have a Masters in Cybersecurity, and am studying for a PhD in the same. Degrees are expensive. They require serious thought around the financial commitment if you are in the UK, and in the USA it can be almost ruinously expensive. This has to change. Education benefits everyone, and we should make it as cheap as possible for everyone to access tertiary education. My Masters cost me £7,200 over 2 years, and my PhD will be around £15,000 over 6 years. Both are part-time study. An undergraduate degree done full-time can easily reach £40-50,000 once living expenses are included. It is a massive commitment. What it does provide, however, is evidence that the person taking the course has reached a particular level of competency. Note that I’m not saying that they should be immediately employed in a security role, because I’m not. But what a degree proves is that you can follow a syllabus and submit work that reaches a particular standard. It is possible to cheat, for example by having someone else do the work, but universities have years of experience in detecting plagiarism and other types of cheating, and I would argue that they are more adept at spotting this than any certificate awarding body. By forcing students to submit multiple pieces of coursework and conduct independent research, hiring managers can be reasonably sure that the degree holder is capable of learning, and applying that knowledge.

What then of the course material itself? I would agree that many institutions are stuck using aging software, and teaching techniques that may be out of date. This needs to change. Core modules should be updated much more frequently, and help with designing training pathways should come from industry. However, to return to my point, the key takeaway from a degree is the ability to learn. What you’ve actually learned is almost irrelevant – this is why many roles specify a degree requirement only, without requiring a specific subject. During your working life, the technology you work with will be replaced, replaced, and replaced again. What is important is that you have the ability to learn. A degree, for all its faults, is the best indicator of this.

What of the future? More certification bodies should look to move away from multiple-choice testing and towards a thorough test of the candidate’s knowledge through practical demonstrations and longer-form coursework. This, of course, is more labour-intensive, and more expensive. Ultimately, though, if everyone has a certificate, then nobody has one, so hiring managers need another way of differentiating candidates. For the foreseeable future, that is often going to be an undergraduate or postgraduate degree.

Smart Security Device RFID Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

  • Suleve 5-in-1 Smart Door Lock (firmware v1.0)
  • Digoo DG-HAMB Smart Home Security System (firmware v1.0)
  • Etekcity 3-in-1 Smart Door Lock (firmware v1.0)

The use of low-frequency (LF) RFID tags is a significant security issue. These tags do not support any form of encryption and so can be read using an NFC-equipped mobile phone or dedicated reader in under a second. The only information encoded is a number, and so using software to write to blank tags it is possible to create any number of duplicate tags possessing the same permissions as the original. In addition, no indication would be given to the owner of the original tag that it had been compromised.

As of 5th August, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Smart Lock Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

WAFU Keyless Smart Lock (firmware v1.0) – CVE-2023-34553

An attacker can use a software-defined radio to capture commands sent to the alarm from the remote keyfob. As no rolling code is implemented, it is a simple matter to play back the code and gain full access to the alarm’s functions. As an example, see the following image, comparing subsequent keypresses of the arm/disarm keyfob:

As of 22nd May, 2023, no fix has been released for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Alarm System Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

  • Kerui W18 Alarm (firmware v1.0) – CVE-2023-31759
  • Blitzwolf BW-IS22 Smart Home Security Alarm (firmware v1.0) – CVE-2023-31761
  • Digoo DG-HAMB Smart Home Security System (firmware v1.0) – CVE-2023-31762
  • AGSHome Smart Alarm (firmware v1.0) – CVE-2023-31763

All of the devices above demonstrate the same security weakness. An attacker can use a software-defined radio to capture commands sent to the alarm from the remote keyfob. As no rolling code is implemented, it is a simple matter to play back the code and gain full access to the alarm’s functions. As an example, see the following image, comparing subsequent keypresses of the AGSHome Alarm keyfob:

As of 13th May, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Alarm System Vulnerabilities

Recently I had a chance to look at a number of intruder alarm systems sold via Amazon and eBay. These devices sell for up to £150, and a number are best sellers

  • Kerui W18 Alarm
  • Blitzwolf BW-IS22 Smart Home Security Alarm
  • Digoo DG-HAMB Smart Home Security System
  • AGSHome Smart Alarm

As discussed in my last post, RF frequency communication can be captured relatively easily, using a software-defined radio (SDR). All four devices use 433MHz RF to communicate between the sensors and the base station. Capturing transmissions from each device proved extremely simple; the following shows the result of triggering one of the door sensors included with the Kerui alarm:

I decided to capture the results of pressing the alarm arm/disarm fob for each device. These are used to remotely enable or disable the alarm. Using SDR# I captured both the AF and IQ transmissions. The results for each are as follows:

Digoo IQ Data
Blitzwolf IQ Data
AGSHome IQ Data
Kerui IQ Data

The top line shows keypress 1, and the bottom keypress 2. As you can see, for each device the two are identical. This means that once the code is captured it can be reused by an attacker to arm and disarm the alarm at will. Not something that is desirable for a security system!

It appears that the majority of these generically named devices use 433MHz and non-rolling codes. More expensive devices seem to prefer the 868MHz band, and also rolling codes. These are more secure, but can still be jammed to stop a sensor activation from registering at the base station and triggering the alarm. They are also vulnerable to RollJam-type attacks. The moral of the story? Use something with wires!

The following CVEs are related to this work: CVE-2023-31759, CVE-2023-31761, CVE-2023-31762, CVE-2023-31763.

Hacking 433MHz Radio – An Overview

Have you ever wondered how wireless devices like remote controls or wireless sensors work? Chances are they use 433MHz radio technology. However, as with any technology, 433MHz radio signals can be vulnerable to hacking and exploitation. In this blog post, we’ll take a closer look at how 433MHz radio signals work, the tools and techniques used for hacking them, and the potential risks and benefits of such activities.

To understand how to hack 433MHz radio, it’s important to first understand the basics of how these signals work. 433MHz radio signals operate on a specific frequency range and use various modulation and encoding techniques to transmit information.

Modulation is the process of changing the frequency, phase, or amplitude of a radio signal to carry information. There are several types of modulation that you may encounter when working with 433MHz radio, including amplitude shift keying (ASK), frequency shift keying (FSK), on-off keying (OOK), and phase shift keying (PSK).

If you’re interested in hacking 433MHz radio, you’ll need specialized hardware and software tools like software-defined radios (SDRs), signal analyzers, and decoders. SDRs are radio communication systems that use software to control radio hardware, allowing you to manipulate radio signals and analyze them in real-time. Popular SDRs for hacking 433MHz radio include HackRF One and RTL-SDR. Signal analyzers are devices that can capture and analyze radio signals, helping you to better understand the signals and how to decode them. Popular signal analyzers for 433MHz radio hacking include the RF Explorer and the Signal Hound USB-SA44B. Decoders are software tools that can help you decode and interpret 433MHz radio signals. Popular decoders for 433MHz radio include Universal Radio Hacker (URH) and GNU Radio.

There have been several notable vulnerabilities related to 433MHz radio hacking. For example, researchers have demonstrated how vulnerable wireless home security systems can be to hacking, with some systems using 433MHz radio signals that can be easily intercepted and decoded. Additionally, replay attacks have been used to remotely control garage doors and other devices that use 433MHz radio signals. For further reading on these vulnerabilities, see “Hacking Alarm Systems with an RTL-SDR and RFCAT” and “How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It”.

While hacking 433MHz radio can be a fascinating and powerful tool, it’s important to be aware of the potential risks and ethical considerations involved. By acting responsibly and using the right tools and techniques, you can help ensure that your hacking activities are safe and beneficial. If you want to learn more about 433MHz radio technology, there are many resources available that can help you explore this fascinating area of wireless technology.

ChatGPT tries blogging

With all the hype around ChatGPT, I thought I’d give it a go at writing this next post. So here we are:

The Internet of Things (IoT) has revolutionized the way we live and work, connecting a vast array of devices and enabling them to communicate and share data. However, as the number of IoT devices continues to grow, so too do the challenges surrounding their security. In the coming year, these challenges will only become more pressing, as IoT technology becomes even more deeply integrated into our daily lives.

One of the biggest challenges facing IoT security in 2023 will be the sheer scale of the IoT. As more and more devices are connected to the internet, the potential attack surface for hackers and cybercriminals grows exponentially. This makes it difficult for security professionals to keep up with the latest threats and vulnerabilities, and leaves many IoT devices vulnerable to attack.

Another major challenge will be the diversity of IoT devices. The IoT encompasses a wide range of devices, from smart thermostats and security cameras to industrial control systems and medical devices. Each of these devices has its own unique security requirements and vulnerabilities, making it difficult for security professionals to develop a comprehensive security strategy that covers all of them.

In addition, many IoT devices are designed with convenience in mind, rather than security. This means that they often have weak passwords and lack advanced security features such as encryption and two-factor authentication. As a result, these devices can be easily compromised by hackers, putting the security of the entire IoT ecosystem at risk.

Finally, the decentralized nature of the IoT makes it difficult to implement effective security measures. With so many different devices and systems connected to the internet, it can be difficult to identify and address security vulnerabilities in a timely manner. This makes it harder to prevent attacks and respond to security breaches, leaving the entire IoT ecosystem vulnerable to a wide range of threats.

Overall, the challenges facing IoT security in 2023 are significant and will require a concerted effort from both security professionals and device manufacturers to overcome. By prioritizing security and working together, we can ensure that the IoT remains a safe and secure environment for all.


So, overall not bad. It has captured a lot of pretty generic threats, and the writing is good if a little devoid of colour. Expect to see a lot of “creators” leveraging this sort of shortcut in 2023. An interesting challenge would be to try and fingerprint computer-generated posts…

Starting off – how to begin IoT hacking

I thought I’d give some brief references for anyone interested in IoT hacking. My experience here is fairly comprehensive; I have a couple of CVEs already, with a few more in the pipeline. My Masters dissertation was on the topic, and I am writing papers on it as part of my PhD work.

BOOKS:

There are three that should be on any bookshelf. They are:

“The IoT Hacker’s Handbook” by Aditya Gupta

“Practical IoT Hacking” by Fotios Chantzis and Ioannis Stais

“Practical Hardware Pentesting” by Jean-Georges Valle

These three books are a fantastic introduction to both on-board (e.g. JTAG, UART, I2C) and remote (Bluetooth, RFID, Zigbee). I would recommend you read through all three at least once.

HARDWARE:

In terms of hardware, this will depend on what you wish to investigate; the tools required for firmware dumping are wildly different from those needed for Bluetooth attacks. These are the ones I’ve found most useful (prices are approximate in GBP at the time of writing).

RFID: Proxmark3 Easy. This is honestly the best piece of entry level pentesting kit you can buy. It allows you to read and write all manner of RFID tags. There is a big brother version, the RDV4, but you don’t need that when starting out. The Easy should be around £60-70. Pick up some rewritable cards as well for a few pounds and have fun!

Bluetooth: A lot of people swear by the Ubertooth One (about £100 from eBay). Personally I found it really flaky. Instead I would look at a Nordic Semiconductor nRF52840 dongle at around £15. Add to that an Adafruit BlueFruit (based on the nRF51822 chipset) for £25 and that should be enough. If you want to try MitM attacks, then a couple of Raspberry Pi’s and a pair of cheap Bluetooth dongles should be plenty (probably £100 all in)

RF (433/868MHz): A lot of devices still use these reserved bands for communication, and you can capture transmissions using a cheap DVB-T dongle (£15-20). By default these will scan up to about 1.2GHz. For capturing transmissions at higher frequencies then you’ll either need a Yardstick One (about £100) or a HackRF (about £250). The last two have whole ecosystems around them; personally I think they’re more suited to advanced topics.

I have not included anything around Z-Wave and Zigbee as they are not popular protocols in the devices I test (smart locks, mainly). You can find tools to interface with them for a few tens of pounds. I’ve also not included any on-board debugging tools, as that’s not my area of expertise. I would suggest taking a look at the Attify Badge for around £40.

SOFTWARE:

These are the tools I uses in my dissertation:

BLUETOOTH:

BTLEjack – https://github.com/virtualabs/btlejack

Sweyntooth scripts – https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks

BTLEjuice – https://github.com/DigitalSecurity/btlejuice

HomePWN – https://github.com/Telefonica/HomePWN

Gattacker – https://github.com/securing/gattacker

RF:

URH – https://github.com/jopohl/urh

SDR# – https://airspy.com/download/

RFID:

HomePWN – https://github.com/Telefonica/HomePWN

Proxmark3 (Iceman Fork) – https://github.com/RfidResearchGroup/proxmark3

The above should give you plenty to work with. Find some willing test subjects (that you own!); I have found that anything cheap from AliExpress with one or more of these protocols enabled should give you plenty of enjoyment. Same goes for things from eBay and Amazon. I have broken into £10 devices and £310 devices, so take your pick! It’s fun, you get your hands dirty, and IoT hacking is a skill that will be in ever greater demand in the next decade.

Am I an academic now?

So, for the past two years I have been studying for a Masters in Cybersecurity part time, and thankfully managed to pass with a Distinction. Yay! It’s an itch that I’ve been wanting to scratch for a good long while, and I’m glad to have done it.

This leads me on to my next announcement. I’m going to be studying for a PhD in IoT Security part time, alongside my current work commitments. A couple of people have asked me why I’m doing it, so I thought I’d lay out my reasons here:

  1. It sounds like fun! Seriously; I’m a bit of a nerd with this stuff, and the ability to really dig down into the weeds of a topic is really appealing!
  2. I want to discover something new! The thesis has to show originality, and again that appeals. I’m not expecting to discover gravitational waves, or evolution, but having a little bit of the tree of knowledge that I found first is a really cool thought.
  3. I think I’ll be good at it! Having had a 20 year break between undergraduate and Masters study, I wasn’t sure what to expect, but thankfully I managed to pick things up pretty quickly. Speaking to my now supervisor and putting together a proposal, it seems that I have the ability to do this, and that others agree.
  4. I want to be Doctor Allen! Maybe it’s an ego thing, but I like the idea of knowing I can use that title. I’m not going to, but it’s a cool thing, and it’s a validation. So yeah, Dr. Ash!

I’m not doing this for career progression; there are much shorter and cheaper ways of getting qualifications that employers want. I also don’t want to transfer to academia full time – I’ve seen enough to know that I’m happy in my current little niche! So, that’s the announcement. Let’s see what the next six (!) years bring…

Fortessa FTBTLD Smart Lock allows unauthorized users to change the device name. Hilarity ensues…

The Fortessa FTBTLD smart lock is a fairly bog-standard type of generic smart lock, sold in the UK by CEF for around £100, and available on auction sites for maybe 3/4 of that price.

Fortessa FTBTLD smart lock showing the default device name

As can be seen on the sticker on the left hand portion of the lock above, it is configured with a default device name. The lock offers a variety of features, such as auto-locking, key sharing, and so on, and in the main they work pretty well. It’s never going to win any beauty awards, and the app interface is pretty basic, but in the main it does what it sets out to do. Unfortunately, however, there is an issue with the lock allowing unauthorized updates to config parameters that mean it should not be used anywhere outside of the lab.

The tool of choice for this investigation is HomePwn, an IoT testing suite developed by a group of Spanish researchers. It provides a similar interface to Metasploit, and is able to work with a number of different protocols such as BLE and RFID which means less switching between tools.

HomePwn splash screen

Loading up the Bluetooth Low Energy discovery tool, we can see that amongst a bunch of other devices, our Fortessa lock is detected (2nd from the bottom):

Locally detected BLE devices

We can then look to run the read-characteristics tool, with the various options laid out like so:

ble/read-characteristics options

We can then use the discovered MAC address of the lock, and the local BLE adapter, like so:

ble/read-characteristics configuration

Running the command then returns the following (abbreviated):

Fortessa lock name

Note that at this time we have not had to authenticate, and that is correct; the companion app needs to be able to read these fields. However, this particular service is set to READ WRITE. In general, again, this is not necessarily an issue; it may be perfectly reasonable for an unauthenticated user to write to a particular BLE service. In this case, though, the lock name is likely something that we would not want just anyone updating. Unfortunately, that is how the devices is configured. Using the ble/write-characteristics plugin, we can update the lock name without authentication, like so:

Updating the lock name

Checking again with the ble/read-characteristics plugin, we can see that the device name has been updated:

Updated lock name

It should be noted that you don’t need to use HomePwn to do this; something like the nRF Connect app will let you do this from your phone.

So, what’s the big deal? Your neighbor may be able to give your door lock an obscene name, but this can’t do any damage, right? Right?

Well…

Once the lock name is updated, the app refuses to connect, as seen below:

Fortessa app fails to connect

In fact, it will refuse to connect until the power to the lock is cycled by removing the batteries. If you are locked outside of your house, because the battery compartment is on the inside, you can see the issue! I have reached out to the distributor and manufacturer with this finding, but have had nothing back. Whether this can be patched in a firmware update, I can’t say. It seems like something that would be pretty easy to fix, but who knows. For the moment, though, if you have a Fortessa lock, remember to take your keys with you as well…