![Page 1: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/1.jpg)
Black Hat Briefings, August 3, 2006v1.0.0
$30, 30 Minutes, 30 Networks
Project Cowbird
Jonathan Squire, CISSP
![Page 2: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/2.jpg)
2
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Agenda
• Always popular disclaimer
• Project cowbird background
• Hardware
• Demo
• Why this works
• Future research
![Page 3: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/3.jpg)
3
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Important Disclaimer(Pay Attention)
• This project is my own personalresearch and is not sponsored byanyone but me.
• If you break something you get to keepthe pieces.
• If you’d like to contribute, please see meafter the talk.
![Page 4: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/4.jpg)
4
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
What Is a Cowbird?
• A cowbird is a brood parasite which lays itseggs within another bird’s nest in order tohave its offspring nurtured.
• These parasite eggs do not look muchdifferent then a normal egg, but whenhatched the birds grow quickly due to theirvoracious appetites.
• If starving does not kill the natural offspring,the larger bird pushing them out of the nestwill definitely help them on their way.
![Page 5: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/5.jpg)
5
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
What Is a Cowbird?
• Nice little birdie.
![Page 6: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/6.jpg)
6
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Background
• Project Cowbird is part of a larger researchproject "The Ecology of Information Security"which equates different attack and defensetechniques to creatures participating in anecological system.
• Various forms of predator and prey areproposed and in some cases implementedusing off the shelf hardware.
• "The Ecology of Information Security" isslated for release this time next year.
![Page 7: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/7.jpg)
7
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Project Cowbird
• Project Cowbird is an implementation ofa parasitic predator using a standard offthe shelf wireless media adapter,originally designed to display photosand play music on your TV.
• This device, which can be acquired for$30-70, has been re-purposed to runkismet.
![Page 8: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/8.jpg)
8
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Project Cowbird Hardware
• Linksys WMA11b– Prism2 wifi card– 10/100 Ethernet– JTAG– TV Out!- IR Remote Control- 16 MB of ram- 2 MB of flash
![Page 9: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/9.jpg)
9
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Other Nice “Features”
• WMA11b already boots from thenetwork– Uses UPnP to boot
• Device happily tells you it’s on thenetwork
• GPL code for the device available(though distribution has some problems)
![Page 10: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/10.jpg)
10
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Demonstration
![Page 11: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/11.jpg)
11
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Why Can We Do This?
• Boot “.img” files are just cramfs images
• No verification of image authenticity
• No control over who can boot the device
• Config file for boot server is just xmlwith a filesize and image file
![Page 12: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/12.jpg)
12
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Is This Bad?
• Who else is looking at your photos?– Cowbird makes it obvious it’s not the original
software– Will everyone else?
• This is not the only consumer device to bootinsecurely off the network
• The hardware is cheap enough to throw-awayyet provides a lot of hardware for the price
• No physical access to the device is needed
![Page 13: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/13.jpg)
13
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
What Can Be Done?
• Sign boot images
• Authenticate devices to the network
• Private media networks
• Demand secure consumer devices
![Page 14: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/14.jpg)
14
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Future Research
• Cowbird Research– CHIRP
• Cowbird Hypertext Inner Roost Protocol
– FLOCK• Formal Loosely Organized Cowbird Kingdom
– NEST• Cowbird booting other cowbirds
– PEACOCK• Eye candy on the TV (still for $30)
– BIRD BRAIN• New boot loader / flash image
![Page 15: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/15.jpg)
15
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Future Research
• The Ecology of Information Security– Project Hawk
• Predator for Cowbirds and other wireless pests
• Potential to reuse same cheap hardware
– Project Homing Pigeon• Self organizing mesh networks that find a way
home
• Will build on Cowbird/Hawk research
![Page 16: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/16.jpg)
16
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
Questions?
Jonathan Squire, CISSP
project.cowbird<at>gmail<dot>com
![Page 17: $30, 30 Minutes, 30 Networks - Black Hat | Home€¦ · –FLOCK •Formal Loosely Organized Cowbird Kingdom –NEST •Cowbird booting other cowbirds –PEACOCK •Eye candy on the](https://reader031.vdocument.in/reader031/viewer/2022011912/5f9d80ae2b769601f6156945/html5/thumbnails/17.jpg)
17
Jonathan Squire, CISSP, IAM, IEMCyber Security Summit, May 23, 2006
Jonathan Squire, CISSP, IAM, IEMBlack Hat Briefings, August 3, 2006
References
• Cowbird updates and other research– http://www.bigbrainlabs.com/
• WMA11b information page– http://www-jcsu.jesus.cam.ac.uk/~acw43/projects/wma11b/
• Kismet– http://www.kismetwireless.net/