Monday, August 2, 2010

How I Hacked the Ninja Badge

While this isn't a malware related post, and a bit self-indulgent, I'm posting it here anyways. Enjoy!

I'll remember Defcon 18 for a long time. It was the first Defcon I spoke at (which I did twice), it had some excellent parties, and was overall just a great experience. But if I had to pick one thing that I did this weekend that I'll remember the most, it has to be how I interacted with the Ninja Badge from Ninja Networks - with Zigbee.

The Ninja Badge this year was a slick Game Boy-like device, with a 4 button D-pad, 2 buttons on the other side, and an LCD screen. It came loaded with a game that allowed you to attack other badge holders to gain levels, get loot, and through bonuses gained by doing quests, become increasingly popular.

The game and the intended use was interesting, but I wanted to see what was really going on here, so I began reading and collecting information. By way of the Wired article and talking with some friends, I gathered enough intelligence that it was using the Freescale mc1322x MCU, a chip I was very familiar with.

Back in April 2010, I helped organize a hacker conference in Rhode Island called QuahogCon. Aside from being the first hacker con ever in Rhode Island, we had electronic badges that in fact used the mc1322x MCU. With our badge, we used the Zigbee capabilities of the Freescale chip to implement a "Zombies versus Humans" game, where attendees would either be a zombie or a human and attempt to attack the other side. In the short span of 3 weeks, one other coder and I built this firmware, and turned a neat electronic badge into a somewhat compelling game for the attendees to enjoy.

All of the attacking was done wirelessly, and people had a blast attacking their friends and other con-goers. We collected over 30 megs of logs from this game, and this became the centerpiece of one of my Defcon presentations this year, titled "How Hackers Won the Zombie Apocalypse", with the slides available here.

During QuahogCon, several people attacked the badges over Zigbee, which enabled people to severely impact the game. Some enterprising hackers even gained "God Mode", where they were able to change all badges in their vicinity into anything they wanted. Perfect for amassing a zombie army. They did this by using provided sample code to create network sniffers out of the badges, capture packets, decode them and discover the protocol's details and set their own values. It worked wonderfully, and really opened up a new dynamic to the game.

Coming back to Defcon, when I learned the details about the badge, I decided that I had to learn the secrets of the Ninja Badge, or, as many as I could discover while still experiencing Defcon. Fortunately, since I was talking about the QuahogCon badge at Defcon, I had several in my possession. But how would I sniff the packets?

In anticipation of my talk, Dragorn, the creator of Kismet and one of the firmware developers for the QuahogCon badge, wrote some (very alpha) code that turned the QuahogCon badge into a Kismet-compatible Zigbee sniffer. This code is available in the Kismet SVN repository, and is implemented as the dot15d4 plugin, and should work on any device using the mc1322x chip. While I could have used some available sample code to log the packets, using Kismet provided several capabilities that proved very useful when dealing with an unknown device, such as Channel Hopping. After a few seconds of use, Kismet identified that the packets were all on Channel 11, which allowed me to narrow things down and capture every packet my badge was sending.

On Friday, the day Defcon began, I acquired a Ninja Badge, and immediately got to work. I fired up my QuahogCon Zigbee Sniffer and Kismet, and watched the packets coming in. It didn't take long before I made a few discoveries about the packets. Namely, the player names were broadcast in cleartext. Now it was time to have some fun!

I loaded the rftext-tx.c sample that is a part of the mc1322 development tools, and simply copied the data I was seeing into the packet array in the sample. The player name portion of the packet was obvious, so I replaced it with a different name, "Your Mom" to see if the badge had any safeguards against this type of packet injection. After compiling and loading the new firmware onto a QuahogCon badge, my Ninja badge informed me that it was seeing a new player: Your Mom.

Your Mom was not too impressive, as it looked just like any other player. I wanted it to have some special properties, so I decided to see if I could affect anything else that the Ninja badge would display about it. At this point, I began playing with different values in the packet. There were a few values that looked to be somewhat static, or changing only between a few values, so I assumed these denoted different modes like beaconing a player or initiating an attack. I ignored those to start, and after playing around for a bit, I found a result that pleased me - changing the player's level.

The Ninja Networks guys were gracious enough to provide an instruction manual about the game, giving details such as how to play the game and ways you could improve your character. There was one bit of data that they provided that I zeroed in on, where the maximum level for any player was level 10.

After playing with the level value for a short amount of time, I discovered that the maximum level value that the game would accept is 15. The odd part was that the same value appeared to influence how many characters in the player's name it would display. After trying out a few things, I found the correct value to display the entire name for "Your Mom", and after another compilation and flashing, Your Mom was now level 15. Success! The best part was that it was being beaconed from an unassuming QuahogCon badge, so no one would ever actually find who Your Mom was. Ninja badge indeed!
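The two findings above (a level field that accepts values past the documented maximum, and a single value that also governs how many name characters get displayed) are exactly the input-validation gaps a badge firmware should close on the receive side. The following is an added example, not code from this post, from Ninja Networks, or from the mc1322x SDK. The IEEE 802.15.4 MAC header fields it parses (frame control, sequence number, PAN ID, short addresses) are the real ones; the beacon payload layout after the header is an assumption of mine, chosen to be consistent with what the post observed: one byte holding two 4-bit fields, level in the high nibble and name length in the low nibble. The real Ninja badge format is not known here. The checks it demonstrates are the ones that would have rejected a level-15 player and a name-length field larger than the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Assumed (NOT the real Ninja badge) beacon layout after the 802.15.4 MAC header:
 *   payload[0]   message type, 0x01 = player beacon
 *   payload[1]   packed: high nibble = level (0..15), low nibble = name length (0..15)
 *   payload[2..] player name, ASCII, not NUL-terminated
 * The two 4-bit fields are a guess consistent with one value capping at 15 and
 * also governing how many name characters are displayed. */
#define MSG_PLAYER_BEACON 0x01
#define MAX_LEVEL         10   /* documented game maximum; 11..15 are encodable but illegal */
#define MAX_NAME_LEN      15   /* ceiling of the 4-bit length field */
#define MAC_HDR_LEN       9    /* FCF(2) + seq(1) + dst PAN(2) + dst addr(2) + src addr(2) */
#define FCS_LEN           2    /* trailing CRC-16, normally verified by the radio MAC */

enum beacon_status {
    BEACON_OK = 0,
    BEACON_ERR_SHORT,       /* frame too short to hold header + fixed payload + FCS */
    BEACON_ERR_NOT_DATA,    /* 802.15.4 frame type is not "data" */
    BEACON_ERR_ADDR_MODE,   /* not short/short addressing with PAN ID compression */
    BEACON_ERR_TYPE,        /* not a player beacon */
    BEACON_ERR_NAME_LEN,    /* length field exceeds the bytes actually present */
    BEACON_ERR_LEVEL,       /* level above the game's documented maximum */
    BEACON_ERR_NAME_CHARS   /* non-printable bytes in the name */
};

typedef struct {
    uint16_t dst_pan, dst_addr, src_addr;
    uint8_t  seq, level;
    char     name[MAX_NAME_LEN + 1];
} beacon_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse and validate one received frame. Returns BEACON_OK and fills *out,
 * or the first check that failed; nothing is written to *out on failure. */
enum beacon_status parse_beacon(const uint8_t *frame, size_t len, beacon_t *out)
{
    if (len < MAC_HDR_LEN + 2 + FCS_LEN) return BEACON_ERR_SHORT;

    uint16_t fcf = le16(frame);
    if ((fcf & 0x07) != 1) return BEACON_ERR_NOT_DATA;   /* bits 0-2: frame type, 1 = data */
    /* bit 6: PAN ID compression; bits 10-11 / 14-15: dst / src address mode, 2 = 16-bit */
    if (!(fcf & 0x0040) || ((fcf >> 10) & 3) != 2 || ((fcf >> 14) & 3) != 2)
        return BEACON_ERR_ADDR_MODE;

    const uint8_t *payload = frame + MAC_HDR_LEN;
    size_t plen = len - MAC_HDR_LEN - FCS_LEN;           /* bytes available after the header */
    if (payload[0] != MSG_PLAYER_BEACON) return BEACON_ERR_TYPE;

    uint8_t level    = payload[1] >> 4;
    uint8_t name_len = payload[1] & 0x0F;
    /* Bound the name by what is actually in the buffer, never by the sender's field alone. */
    if (name_len == 0 || name_len > plen - 2) return BEACON_ERR_NAME_LEN;
    /* The field can encode 0..15, but the game only defines levels up to 10. */
    if (level > MAX_LEVEL) return BEACON_ERR_LEVEL;
    for (size_t i = 0; i < name_len; i++)
        if (!isprint(payload[2 + i])) return BEACON_ERR_NAME_CHARS;

    out->seq      = frame[2];
    out->dst_pan  = le16(frame + 3);
    out->dst_addr = le16(frame + 5);
    out->src_addr = le16(frame + 7);
    out->level    = level;
    memcpy(out->name, payload + 2, name_len);
    out->name[name_len] = '\0';
    return BEACON_OK;
}

/* Constructed sample frames (FCF 0x8841 = data frame, PAN compression, short
 * addresses, little-endian on the wire; the FCS bytes are zero placeholders). */
const uint8_t FRAME_OK[] = {
    0x41, 0x88, 0x05, 0x34, 0x12, 0xFF, 0xFF, 0x01, 0x00,  /* seq 5, PAN 0x1234, dst bcast, src 1 */
    0x01, 0x75, 'A', 'l', 'i', 'c', 'e',                   /* beacon, level 7, name length 5 */
    0x00, 0x00 };
const uint8_t FRAME_LEVEL15[] = {                           /* level 15 with an 8-char name */
    0x41, 0x88, 0x06, 0x34, 0x12, 0xFF, 0xFF, 0x02, 0x00,
    0x01, 0xF8, 'Y', 'o', 'u', 'r', ' ', 'M', 'o', 'm',
    0x00, 0x00 };
const uint8_t FRAME_OVERRUN[] = {                           /* claims 15 name bytes, carries 5 */
    0x41, 0x88, 0x07, 0x34, 0x12, 0xFF, 0xFF, 0x03, 0x00,
    0x01, 0x3F, 'A', 'l', 'i', 'c', 'e',
    0x00, 0x00 };

int main(void)
{
    const uint8_t *frames[] = { FRAME_OK, FRAME_LEVEL15, FRAME_OVERRUN };
    const size_t lens[] = { sizeof FRAME_OK, sizeof FRAME_LEVEL15, sizeof FRAME_OVERRUN };
    for (int i = 0; i < 3; i++) {
        beacon_t b;
        enum beacon_status s = parse_beacon(frames[i], lens[i], &b);
        if (s == BEACON_OK)
            printf("frame %d: player \"%s\" level %u from 0x%04x\n", i, b.name, b.level, b.src_addr);
        else
            printf("frame %d: rejected, status %d\n", i, (int)s);
    }
    return 0;
}
```

The order of the checks matters: the name length is bounded by the bytes actually received before anything is copied, so a frame that lies about its length cannot cause an over-read, and the level is compared against the game's rule (10) rather than the field's encoding limit (15). None of this stops a spoofed name from a badge that plays by the rules, since the beacons are unauthenticated cleartext; it only keeps out-of-range values from being displayed or acted on.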

I've put this code on Pastebin in its original form, which contains some terrible commented out code and general sloppiness. I think it's a perfect example of what code written by someone partying at Defcon should look like! It's available at http://pastebin.com/tG1upFwK

I continued collecting packets hoping to find out the right value to change my icon from a ninja to something more exciting like a pirate or pool2girl, and gathered over 300k of Zigbee packets to go through. Although time and the nature of Defcon kept me from adding more to Your Mom, I have put these packets online for anyone to download and explore, which is available here.

Overall, messing with the Ninja badge was a lot of fun. When I heard people mentioning Your Mom in passing, or in some cases, unknowingly mentioning it to me, it made all the time I spent working on it (and not drinking) worthwhile. It also served as a good test for the Zigbee Kismet module, which worked flawlessly in discovering the secrets of the Ninja badge - not bad for extremely alpha code! Walking around with 3 badges around my neck all weekend (Defcon, Ninja and QuahogCon) may have weighed me down a bit, but it was all definitely worth it - even if I stayed a little more sober than I should have!

I haven't unlocked all its secrets yet though, so I have more fun ahead of me!