CVE-2022-46480, CVE-2023-26941, CVE-2023-26942, CVE-2023-26943

Introduction

The following technical report provides background information relating to four CVEs found in the following products:

Ultraloq UL3 BT (2nd Generation) (Firmware 02.27.0012) – CVE-2022-46480

Yale Conexis L1 Smart Lock (Firmware v1.1.0) – CVE-2023-26941

Yale IA-210 Intruder Alarm (Firmware v1.0) – CVE-2023-26942

Yale Keyless Smart Lock (Firmware v1.0) – CVE-2023-26943

The work discussed here was carried out by Ash Allen, Dr. Alexios Mylonas, and Dr. Stilianos Vidalis as part of a wider research project into smart device security. Responsible disclosure of all four issues has been made with the appropriate vendors, and they have been acknowledged as vulnerabilities.

CVE-2022-46480

The Ultraloq UL3 BT (2nd Generation) (hereafter referred to as the UL3) is one of the most popular smart locks in the United States (“#1 Selling Smart Lock Online” – https://u-tec.com/). Previous non-academic research (1) discusses flaws found with the companion app, and the ability to brute-force the Bluetooth encryption. Our work uncovered an even more fundamental flaw with the Bluetooth implementation. The device unlocks by receiving a 16-byte value to a service specified via the GATT (General ATTribute Profile).Our work uncovers that this value is changed on a per session basis, rather than per unlock event. This means that whilst a session remains open, unlock commands using replayed data will be successful, even if they do not come from the original client.

2022.11.15 17:59:32.844 | < C | 7200 | 7201 | 08c71149fb1a7105298eaf175bf5166b ( I q ) [ k)
2022.11.15 17:59:33.047 | > N | 7200 | 7201 | 5970e43108c32af5811fbfb3bfce5400 (Yp 1 * T )
2022.11.15 17:59:33.766 | > N | 7200 | 7201 | f086584891767d5f32b22674bb2dcb49 ( XH v}_2 &t - I)
2022.11.15 17:59:38.762 | > N | 7200 | 7201 | 2b2dcdae303f8df4fb109e818189fb74 (+- 0? t)
2022.11.15 17:59:41.244 | < C | 7200 | 7201 | 08c71149fb1a7105298eaf175bf5166b ( I q ) [ k)
2022.11.15 17:59:41.446 | > N | 7200 | 7201 | 5970e43108c32af5811fbfb3bfce5400 (Yp 1 * T )
2022.11.15 17:59:42.167 | > N | 7200 | 7201 | f086584891767d5f32b22674bb2dcb49 ( XH v}_2 &t - I)
2022.11.15 17:59:47.147 | > N | 7200 | 7201 | 2b2dcdae303f8df4fb109e818189fb74 (+- 0? t)
2022.11.15 17:59:49.644 | < C | 7200 | 7201 | 08c71149fb1a7105298eaf175bf5166b ( I q ) [ k)
2022.11.15 17:59:49.847 | > N | 7200 | 7201 | 5970e43108c32af5811fbfb3bfce5400 (Yp 1 * T )
2022.11.15 17:59:50.567 | > N | 7200 | 7201 | f086584891767d5f32b22674bb2dcb49 ( XH v}_2 &t - I)
2022.11.15 17:59:55.547 | > N | 7200 | 7201 | 2b2dcdae303f8df4fb109e818189fb74 (+- 0? t)
2022.11.15 17:59:57.263 | < C | 7200 | 7201 | 08c71149fb1a7105298eaf175bf5166b ( I q ) [ k)
2022.11.15 17:59:57.467 | > N | 7200 | 7201 | 5970e43108c32af5811fbfb3bfce5400 (Yp 1 * T )
2022.11.15 17:59:58.187 | > N | 7200 | 7201 | f086584891767d5f32b22674bb2dcb49 ( XH v}_2 &t - I)
2022.11.15 18:00:03.168 | > N | 7200 | 7201 | 2b2dcdae303f8df4fb109e818189fb74 (+- 0? t)

Furthermore, our work uncovered poor session management while a user attempts to unlock the device. We were able to force sessions to remain open for more than 12 minutes, giving an attacker plenty of opportunity to exploit the vulnerability.

2022.11.19 15:04:47.385 | < C | 7200 | 7201 | 8e91fb970f0bbdac85906943b9c60a90 ( iC ) 
2022.11.19 15:17:05.384 | < C | 7200 | 7201 | 8e91fb970f0bbdac85906943b9c60a90 ( iC )

CVE-2023-26941

The Yale Conexis L1 was until recently the flagship model of the Yale smart lock range (the Conexis L2 has now taken that spot). Winning plaudits in many consumer surveys (2)(3)(4), the Conexis L1 has a significant number of installed units. The Conexis L1 uses standard Mifare Classic 1K cards (larger cards can be provisioned, but the extra space is not required and is not used). Initial setup is done using a master keycard. We were able to crack the encryption on the card using a Proxmark3. Easy RFID development tool and dump the contents to a text file. The first seven blocks on the card use non-standard encryption keys(the default is FFFFFFFFFFFF). We were able to recover these within 20 seconds in almost every case. Data was written in several places, all of which protected by the non-default keys. During the initial pairing process a counter is incremented in block 2. This is incremented again after each factory reset of the device, as demonstrated below:

blocks": { 
"0": "95E43AA5EE08040002E9981FA7F5D11D", 
"1": "095FCA99D806ECCEB9328A6466CA3D10", 
"2": "08080700000000000000000000000000", 
 
"blocks": { 
"0": "95E43AA5EE08040002E9981FA7F5D11D", 
"1": "095FCA99D806ECCEB9328A6466CA3D10", 
"2": "09090700000000000000000000000000",

Of greater interest is a batch of data written to a pair of neighboring blocks, the locations of which are chosen at random during the initial pairing of the RFID tag. These values are updated in a “tick-tock”manner during the unlock process:

"4": "F55129991B0000000000000000000000",
"5": "60E0E0E0870000000000000000000000",

"4": "FF931B6B230000000000000000000000",
"5": "60E0E0E0870000000000000000000000",

"4": "FF931B6B230000000000000000000000",
"5": "E6EEBEDE6F0000000000000000000000",

"4": "3070F0F0470000000000000000000000",
"5": "E6EEBEDE6F0000000000000000000000",

If the values in these blocks are altered in any way, then the card will not work. We were able to create duplicate cards from the text file dump and were able to successfully open the lock. Additionally, as data on the duplicate card was updated as part of the unlock process, the original card is locked out and no longer works. The reverse is also true – if the original card is used before the duplicate then the duplicate will fail to open the lock.

CVE-2023-26942

The Yale IA-210 intruder alarm is a consumer-grade device designed for home installation. The keypad supports both PIN entry and RFID tag disarming. Investigating the tag provided with the device, we attempted to dump the contents to a text file. Investigation showed that all sectors were using the default encryption key (the sector 0 key can be seen in block 3):

[=] ----+-------------------------------------------------+ 
[=] blk | data                                            | 
[=] ----+-------------------------------------------------+ 
[=]   0 | 3D 06 CD 45 B3 88 04 00 C8 42 00 20 00 00 00 16 | 
[=]   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
[=]   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
[=]   3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF |

This makes cloning the fob incredibly easy – it is possible to clone the tag with an NFC-enabled mobile phone or a dedicated cloning tool with just a couple of seconds access to the tag. The only authentication step performed by the alarm is to ensure that the tag can be decrypted using the default keys, and that the contents of block 0 also match. This block is read-only and contains data that can be used to identify the tag. Special tags known as “magic” tags are available, and these allow the rewriting of this sector. This is how we are able to duplicate the original tag.

CVE-2023-26943

The Yale Keyless Smart Lock is a mid-range device that supports PIN entry, RFID, and 868MHz RF remote control via an optional add-in module. As with the Conexis L1, this lock uses RFID tags with a non-default set of encryption keys for the first seven sectors, as shown below:

[+] -----+-----+--------------+---+--------------+---- 
[+]  Sec | Blk | key A        |res| key B        |res 
[+] -----+-----+--------------+---+--------------+---- 
[+]  000 | 003 | 681E9E9B3FE9 | N | FFFFFFFFFFFF | D 
[+]  001 | 007 | ADAE73113441 | N | FFFFFFFFFFFF | D 
[+]  002 | 011 | 6C6FAAC8E598 | N | FFFFFFFFFFFF | D 
[+]  003 | 015 | BFBCF91B36CB | N | FFFFFFFFFFFF | D 
[+]  004 | 019 | 58599AF4D3A4 | N | FFFFFFFFFFFF | D 
[+]  005 | 023 | 828340E60956 | N | FFFFFFFFFFFF | D 
[+]  006 | 027 | 5F5E9D3BD48B | N | FFFFFFFFFFFF | D 
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D 
[+] -----+-----+--------------+---+--------------+----

Unlike the Conexis L1, however, no extra data is written on the tag. During authentication the tag is decrypted using the given encryption keys, then checking that the data in block 0 matches that stored during the initial pairing of the tag. We were able to consistently duplicate these tags with approximately 20 seconds of access to the original tag. Furthermore, once duplicated, no indication of duplication is given to the original user. There is no audit log available, and users are not alerted of duplicate tag usage. Unlike with the Conexis L1, there is no tripwire (the “tick-tock” updates) that can be triggered to indicate that a duplicate card exists.

Notes:

(1) – Spring, T., 2019. Smart Lock Turns Out to be Not So Smart, or Secure – https://threatpost.com/smart-lock-turns-out-to-be-not-so-smart-or-secure/146091/

(2) – https://diyworks.co.uk/best-smart-lock/

(3) – https://www.goodhousekeeping.com/uk/product-reviews/tech/g40557412/best-smart-locks/

(4) – https://www.t3.com/features/best-smart-lock

In Defence of Academic Qualifications in Cybersecurity

The consensus at the moment seems to be that academic qualifications for cybersecurity are expensive, out of date, and do not prepare students for life in the real world.

I agree.

However, that does not mean they are not useful, and indeed I would say that they are probably the first thing hiring managers should look at.

Especially in the USA, but increasingly in the UK and the rest of the English-speaking world, the path into security is laid out like this: get the CompTIA trifecta (A+, Network+, Security+). Create some projects in GitHub. Go spend months on TryHackMe to get into the top n%. Cram as many other certs as you can, and you should get a cybersecurity role. If all else fails, get a helpdesk job for experience and jump after 18 months as you’ll have experience.

Whilst the above scenario may work for some, it does not demonstrate that you actually know anything at all. The CompTIA exams are perfectly decent, but the idea of certification is to demonstrate what you already know. Current advice seems to be to learn from books or videos in order to pass the exam. The two are different mindsets. The first one challenges you to apply what you know to the aims of the qualification. The second gives you the answers and expects you to hit the ground running once you are let loose in the real world. I do not blame new entrants for choosing the second path. Getting experience is hard without a job, and getting a job is harder now (much harder than it ever has been for me as a GenX job seeker) because employers expect certification as a minimum. So people learn to pass the exams and not how to do the job that requires them.

Similarly, whilst there is definitely merit in creating your own projects, or working through tens of hours of hacking challenges, they do not represent the real world. The real world does not have pages of YouTube tutorials, nor does it have influencers suggesting projects and giving hints and walkthroughs on how to do them. As a learning experience, they are heavily influenced by the person doing them. Some may work through everything from scratch, filling GitHub repos and pwning boxes left, right, and centre. Others may have the same output, but have gotten there on the backs of video hints and answers in blog posts. Again, the two are not the same, and a hiring manager cannot see which type of person you are from your CV.

Which brings me to academia. To highlight potential biases, let me state first that I have a Masters in Cybersecurity, and am studying for a PhD in the same. Degrees are expensive. They require serious thought around the financial commitment if you are in the UK, and in the USA it can be almost ruinously expensive. This has to change. Education benefits everyone, and we should make it as cheap as possible for everyone to access tertiary education. My Masters cost me £7,200 over 2 years, and my PhD will be around £15,000 over 6 years. Both are part-time study. An undergraduate degree done full-time can easily reach £40-50,000 once living expenses are included. It is a massive commitment. What it does provide, however, is evidence that the person taking the course has reached a particular level of competency. Note that I’m not saying that they should be immediately employed in a security role, because I’m not. But what a degree proves is that you can follow a syllabus and submit work that reaches a particular standard. It is possible to cheat, for example by having someone else do the work, but universities have years of experience in detecting plagiarism and other types of cheating, and I would argue that they are more adept at spotting this than any certificate awarding body. By forcing students to submit multiple pieces of coursework and conduct independent research, hiring managers can be reasonably sure that the degree holder is capable of learning, and applying that knowledge.

What then of the course material itself? I would agree that many institutions are stuck using aging software, and teaching techniques that may be out of date. This needs to change. Core modules should be updated much more frequently, and help with designing training pathways should come from industry. However, to return to my point, the key takeaway from a degree is the ability to learn. What you’ve actually learned is almost irrelevant – this is why many roles specify a degree requirement only, without requiring a specific subject. During your working life, the technology you work with will be replaced, replaced, and replaced again. What is important is that you have the ability to learn. A degree, for all its faults, is the best indicator of this.

What of the future? More certification bodies should look to move away from multiple-choice testing and towards a thorough test of the candidate’s knowledge through practical demonstrations and longer-form coursework. This, of course, is more labour-intensive, and more expensive. Ultimately, though, if everyone has a certificate, then nobody has one, so hiring managers need another way of differentiating candidates. For the foreseeable future, that is often going to be an undergraduate or postgraduate degree.

Smart Security Device RFID Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

  • Suleve 5-in-1 Smart Door Lock (firmware v1.0)
  • Digoo DG-HAMB Smart Home Security System (firmware v1.0)
  • Etekcity 3-in-1 Smart Door Lock (firmware v1.0)

The use of low-frequency (LF) RFID tags is a significant security issue. These tags do not support any form of encryption and so can be read using an NFC-equipped mobile phone or dedicated reader in under a second. The only information encoded is a number, and so using software to write to blank tags it is possible to create any number of duplicate tags possessing the same permissions as the original. In addition, no indication would be given to the owner of the original tag that it had been compromised.

As of 5th August, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Smart Lock Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

WAFU Keyless Smart Lock (firmware v1.0) – CVE-2023-34553

An attacker can use a software-defined radio to capture commands sent to the alarm from the remote keyfob. As no rolling code is implemented, it is a simple matter to play back the code and gain full access to the alarm’s functions. As an example, see the following image, comparing subsequent keypresses of the arm/disarm keyfob:

As of 22nd May, 2023, no fix has been released for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Alarm System Vulnerability Disclosure

The details below discuss the vulnerabilities found in the following devices:

  • Kerui W18 Alarm (firmware v1.0) – CVE-2023-31759
  • Blitzwolf BW-IS22 Smart Home Security Alarm (firmware v1.0) – CVE-2023-31761
  • Digoo DG-HAMB Smart Home Security System (firmware v1.0) – CVE-2023-31762
  • AGSHome Smart Alarm (firmware v1.0) – CVE-2023-31763

All of the devices above demonstrate the same security weakness. An attacker can use a software-defined radio to capture commands sent to the alarm from the remote keyfob. As no rolling code is implemented, it is a simple matter to play back the code and gain full access to the alarm’s functions. As an example, see the following image, comparing subsequent keypresses of the AGSHome Alarm keyfob:

As of 13th May, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Wireless Alarm System Vulnerabilities

Recently I had a chance to look at a number of intruder alarm systems sold via Amazon and eBay. These devices sell for up to £150, and a number are best sellers

  • Kerui W18 Alarm
  • Blitzwolf BW-IS22 Smart Home Security Alarm
  • Digoo DG-HAMB Smart Home Security System
  • AGSHome Smart Alarm

As discussed in my last post, RF frequency communication can be captured relatively easily, using a software-defined radio (SDR). All four devices use 433MHz RF to communicate between the sensors and the base station. Capturing transmissions from each device proved extremely simple; the following shows the result of triggering one of the door sensors included with the Kerui alarm:

I decided to capture the results of pressing the alarm arm/disarm fob for each device. These are used to remotely enable or disable the alarm. Using SDR# I captured both the AF and IQ transmissions. The results for each are as follows:

Digoo IQ Data
Blitzwolf IQ Data
AGSHome IQ Data
Kerui IQ Data

The top line shows keypress 1, and the bottom keypress 2. As you can see, for each device the two are identical. This means that once the code is captured it can be reused by an attacker to arm and disarm the alarm at will. Not something that is desirable for a security system!

It appears that the majority of these generically named devices use 433MHz and non-rolling codes. More expensive devices seem to prefer the 868MHz band, and also rolling codes. These are more secure, but can still be jammed to stop a sensor activation from registering at the base station and triggering the alarm. They are also vulnerable to RollJam-type attacks. The moral of the story? Use something with wires!

The following CVEs are related to this work: CVE-2023-31759, CVE-2023-31761, CVE-2023-31762, CVE-2023-31763.

Hacking 433MHz Radio – An Overview

Have you ever wondered how wireless devices like remote controls or wireless sensors work? Chances are they use 433MHz radio technology. However, as with any technology, 433MHz radio signals can be vulnerable to hacking and exploitation. In this blog post, we’ll take a closer look at how 433MHz radio signals work, the tools and techniques used for hacking them, and the potential risks and benefits of such activities.

To understand how to hack 433MHz radio, it’s important to first understand the basics of how these signals work. 433MHz radio signals operate on a specific frequency range and use various modulation and encoding techniques to transmit information.

Modulation is the process of changing the frequency, phase, or amplitude of a radio signal to carry information. There are several types of modulation that you may encounter when working with 433MHz radio, including amplitude shift keying (ASK), frequency shift keying (FSK), on-off keying (OOK), and phase shift keying (PSK).

If you’re interested in hacking 433MHz radio, you’ll need specialized hardware and software tools like software-defined radios (SDRs), signal analyzers, and decoders. SDRs are radio communication systems that use software to control radio hardware, allowing you to manipulate radio signals and analyze them in real-time. Popular SDRs for hacking 433MHz radio include HackRF One and RTL-SDR. Signal analyzers are devices that can capture and analyze radio signals, helping you to better understand the signals and how to decode them. Popular signal analyzers for 433MHz radio hacking include the RF Explorer and the Signal Hound USB-SA44B. Decoders are software tools that can help you decode and interpret 433MHz radio signals. Popular decoders for 433MHz radio include Universal Radio Hacker (URH) and GNU Radio.

There have been several notable vulnerabilities related to 433MHz radio hacking. For example, researchers have demonstrated how vulnerable wireless home security systems can be to hacking, with some systems using 433MHz radio signals that can be easily intercepted and decoded. Additionally, replay attacks have been used to remotely control garage doors and other devices that use 433MHz radio signals. For further reading on these vulnerabilities, see “Hacking Alarm Systems with an RTL-SDR and RFCAT” and “How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It”.

While hacking 433MHz radio can be a fascinating and powerful tool, it’s important to be aware of the potential risks and ethical considerations involved. By acting responsibly and using the right tools and techniques, you can help ensure that your hacking activities are safe and beneficial. If you want to learn more about 433MHz radio technology, there are many resources available that can help you explore this fascinating area of wireless technology.

ChatGPT tries blogging

With all the hype around ChatGPT, I thought I’d give it a go at writing this next post. So here we are:

The Internet of Things (IoT) has revolutionized the way we live and work, connecting a vast array of devices and enabling them to communicate and share data. However, as the number of IoT devices continues to grow, so too do the challenges surrounding their security. In the coming year, these challenges will only become more pressing, as IoT technology becomes even more deeply integrated into our daily lives.

One of the biggest challenges facing IoT security in 2023 will be the sheer scale of the IoT. As more and more devices are connected to the internet, the potential attack surface for hackers and cybercriminals grows exponentially. This makes it difficult for security professionals to keep up with the latest threats and vulnerabilities, and leaves many IoT devices vulnerable to attack.

Another major challenge will be the diversity of IoT devices. The IoT encompasses a wide range of devices, from smart thermostats and security cameras to industrial control systems and medical devices. Each of these devices has its own unique security requirements and vulnerabilities, making it difficult for security professionals to develop a comprehensive security strategy that covers all of them.

In addition, many IoT devices are designed with convenience in mind, rather than security. This means that they often have weak passwords and lack advanced security features such as encryption and two-factor authentication. As a result, these devices can be easily compromised by hackers, putting the security of the entire IoT ecosystem at risk.

Finally, the decentralized nature of the IoT makes it difficult to implement effective security measures. With so many different devices and systems connected to the internet, it can be difficult to identify and address security vulnerabilities in a timely manner. This makes it harder to prevent attacks and respond to security breaches, leaving the entire IoT ecosystem vulnerable to a wide range of threats.

Overall, the challenges facing IoT security in 2023 are significant and will require a concerted effort from both security professionals and device manufacturers to overcome. By prioritizing security and working together, we can ensure that the IoT remains a safe and secure environment for all.

So, overall not bad. It has captured a lot of pretty generic threats, and the writing is good if a little devoid of colour. Expect to see a lot of “creators” leveraging this sort of shortcut in 2023. An interesting challenge would be to try and fingerprint computer-generated posts…

Starting off – how to begin IoT hacking

I thought I’d give some brief references for anyone interested in IoT hacking. My experience here is fairly comprehensive; I have a couple of CVEs already, with a few more in the pipeline. My Masters dissertation was on the topic, and I am writing papers on it as part of my PhD work.

BOOKS:

There are three that should be on any bookshelf. They are:

“The IoT Hacker’s Handbook” by Aditya Gupta

“Practical IoT Hacking” by Fotios Chantzis and Ioannis Stais

“Practical Hardware Pentesting” by Jean-Georges Valle

These three books are a fantastic introduction to both on-board (e.g. JTAG, UART, I2C) and remote (Bluetooth, RFID, Zigbee). I would recommend you read through all three at least once.

HARDWARE:

In terms of hardware, this will depend on what you wish to investigate; the tools required for firmware dumping are wildly different from those needed for Bluetooth attacks. These are the ones I’ve found most useful (prices are approximate in GBP at the time of writing).

RFID: Proxmark3 Easy. This is honestly the best piece of entry level pentesting kit you can buy. It allows you to read and write all manner of RFID tags. There is a big brother version, the RDV4, but you don’t need that when starting out. The Easy should be around £60-70. Pick up some rewritable cards as well for a few pounds and have fun!

Bluetooth: A lot of people swear by the Ubertooth One (about £100 from eBay). Personally I found it really flaky. Instead I would look at a Nordic Semiconductor nRF52840 dongle at around £15. Add to that an Adafruit BlueFruit (based on the nRF51822 chipset) for £25 and that should be enough. If you want to try MitM attacks, then a couple of Raspberry Pi’s and a pair of cheap Bluetooth dongles should be plenty (probably £100 all in)

RF (433/868MHz): A lot of devices still use these reserved bands for communication, and you can capture transmissions using a cheap DVB-T dongle (£15-20). By default these will scan up to about 1.2GHz. For capturing transmissions at higher frequencies then you’ll either need a Yardstick One (about £100) or a HackRF (about £250). The last two have whole ecosystems around them; personally I think they’re more suited to advanced topics.

I have not included anything around Z-Wave and Zigbee as they are not popular protocols in the devices I test (smart locks, mainly). You can find tools to interface with them for a few tens of pounds. I’ve also not included any on-board debugging tools, as that’s not my area of expertise. I would suggest taking a look at the Attify Badge for around £40.

SOFTWARE:

These are the tools I uses in my dissertation:

BLUETOOTH:

BTLEjack – https://github.com/virtualabs/btlejack

Sweyntooth scripts – https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks

BTLEjuice – https://github.com/DigitalSecurity/btlejuice

HomePWN – https://github.com/Telefonica/HomePWN

Gattacker – https://github.com/securing/gattacker

RF:

URH – https://github.com/jopohl/urh

SDR# – https://airspy.com/download/

RFID:

HomePWN – https://github.com/Telefonica/HomePWN

Proxmark3 (Iceman Fork) – https://github.com/RfidResearchGroup/proxmark3

The above should give you plenty to work with. Find some willing test subjects (that you own!); I have found that anything cheap from AliExpress with one or more of these protocols enabled should give you plenty of enjoyment. Same goes for things from eBay and Amazon. I have broken into £10 devices and £310 devices, so take your pick! It’s fun, you get your hands dirty, and IoT hacking is a skill that will be in ever greater demand in the next decade.

Am I an academic now?

So, for the past two years I have been studying for a Masters in Cybersecurity part time, and thankfully managed to pass with a Distinction. Yay! It’s an itch that I’ve been wanting to scratch for a good long while, and I’m glad to have done it.

This leads me on to my next announcement. I’m going to be studying for a PhD in IoT Security part time, alongside my current work commitments. A couple of people have asked me why I’m doing it, so I thought I’d lay out my reasons here:

  1. It sounds like fun! Seriously; I’m a bit of a nerd with this stuff, and the ability to really dig down into the weeds of a topic is really appealing!
  2. I want to discover something new! The thesis has to show originality, and again that appeals. I’m not expecting to discover gravitational waves, or evolution, but having a little bit of the tree of knowledge that I found first is a really cool thought.
  3. I think I’ll be good at it! Having had a 20 year break between undergraduate and Masters study, I wasn’t sure what to expect, but thankfully I managed to pick things up pretty quickly. Speaking to my now supervisor and putting together a proposal, it seems that I have the ability to do this, and that others agree.
  4. I want to be Doctor Allen! Maybe it’s an ego thing, but I like the idea of knowing I can use that title. I’m not going to, but it’s a cool thing, and it’s a validation. So yeah, Dr. Ash!

I’m not doing this for career progression; there are much shorter and cheaper ways of getting qualifications that employers want. I also don’t want to transfer to academia full time – I’ve seen enough to know that I’m happy in my current little niche! So, that’s the announcement. Let’s see what the next six (!) years bring…