43 years ago, a small team led by Chuck Peddle changed the way society computes today. In 1975, encased in plastic, this 40-pin DIP 8-bit microprocessor, known as the MOS Technology 6502, made its debut. Why should you care? Not only was this the cheapest microprocessor on the shelf, but I believe, without this OG beauty queen of tech, our technology landscape and cultural impact would be an exponentially different landscape. Granted, I would have preferred a future with less dog-feature-filtered selfies, but alas we are living in a pretty impressive time. This revolutionary home computing age ran its course creating everything from the Apple II, the Commodore family, and the soon to be addictive personal game consoles. Point being: you can’t appreciate one innovation, without understanding the heritage behind it. This 8-bit processor lineage soon led to the mighty mouse of projects, the Raspberry Pi. And as we tend to do with everything, that led eventually to some fun Raspberry Pi Hacking!
Background of My Raspberry Pi Hacking Adventure
I first heard about the Raspberry Pi at DEF CON about two years ago. I had just invested in my first WiFi Pineapple with youthful ignorance and broad intentions, generally a common theme in DEF CON noobs. Upon the purchase, I walked by a table for The Human Rights Foundation, who were explaining Flash Drives for Freedom, a project focused on smuggling small media devices filled with western pop-culture content across the DMZ of North Korea in hopes of spreading information about the outside world. In addition to these thumb drives, the gentlemen mentioned more people donating Raspberry Pi Zeros, a smaller yet fully functioning version of the credit card sized computer, filled with information as well. I was inspired.
In hopes of avoiding sounding like a fan girl, the second time I spotted a Raspberry Pi was while watching Mr. Robot. I know, I went from humanitarian to a schizophrenic, insomniac hacker. In one episode, Elliot utilizes a Raspberry Pi to later access and hack an HVAC console in order to “hypothetically” damage some backup tapes. I became intrigued with the continued referenced potential of these tiny boards. As I learned more and did some of my own personal testing, I was hooked like the transformation of Sméagol to Gollum.
Sharing Our Raspberry Pi Hacking Experiences
With the help of my partner, we decided to team up and host a Raspberry Pi basics workshop at our local BSides Boise conference, allowing attendees to not only learn and play but also depart with their Pi Zero fully configured, ready to hack and interface with the physical world. Riding that success of feeding the community need for white hat hacking, we were asked to put on a security-focused Raspberry Pi workshop for the 16th Annual Boise ISSA Conference 2018! This time, we wanted it to be bigger and more comprehensive. This more ambitious goal led us to incorporate a security-oriented operating system for which we chose Kali Linux. We hosted our first “Poisonous Pi” workshop, marrying a pre-built version of Kali with the Raspberry Pi making it easy to merge such a powerful low profile, stealthy computer capable of physical interaction with powerful software toolsets. We hoped everyone would be as giddy and excited to hack and play as we were.
It turns out that in order to make things simple, the Raspberry Pi Foundation, the non-profit organization behind this great hardware device, has gone to great lengths to identify compatible and recommended hardware. That recommended hardware is not typically the least expensive. In order to maximize our ability to provide good hardware included with the workshop, we had to make some sacrifices that came in the form of duct tape, personal scripts, identified shortcomings, and compromises. In the end, the hardware all worked and worked well with what we call in the software world “Features”. For example, our 3.5” $16 touchscreen used SPI instead of VGA, HDMI, or any other video standard. In order to use the provided kernel driver, we had to use their precompiled source strictly with the Debian Operating System specifically made for the Raspberry Pi (Raspian OS), so that knocked a pre-built Kali OS image out of our workshop possibilities. Unfortunately, this wasn’t clear until well after we had received these items.
Like all business decisions, the driving factor of maximized economic return on investment for our workshop attendees dictated by default some software and OS constraints. This had a huge impact on the workshop and administrative time required to build a successful workshop. In the end that same complexity conversely ended up as a benefit. The touchscreen and the lack of an onboard HDMI controller, which was incredibly low on power consumption, meant that we could drop our included battery to 4000mA (about the same as a Galaxy Note 8). With no specific power saving measures implemented such as sleep mode for the touchscreen, running the CPU at an average of 5% usage, using wifi and a bluetooth keyboard, we were able to get a maximum runtime of approximately 332 minutes. These were very impressive numbers.
Since our hardware choice dictated our restriction to the Raspian OS, we had to find a way to include the Kali tool suite while still maintaining all of the other hardware functionality. There are a few purpose-built Kali builds and prebuilt images for the Pi hardware, but as we discussed this was impractical with our workshop constraints. However, all of the tools included in Kali are published and open-source. There is even an open-source Python script called Katoolin that can install the whole or partial toolchain on any Debian-based system. We opted for the brute-force full install via the pre-scripted Katoolin which was last updated in the fall of 2017. Well, it was broken (or more to the actual problem), it called advanced package tool (APT) with a string of applications to install. With APT, when a package is mislabeled or doesn’t exist in a string of packages, the entire command fails. So due to Kali’s evolution and rolling package distribution, it failed hard. After some updates to the brute-force package list, this fail was eventually remedied for our workshop.
The list of encountered challenges when building a hardware and software workshop is almost endless. While none of them individually were particularly difficult, like any project management problem, it became part of a Gantt chart with a growing task list and ever increasing overlapping bars. Inevitably, some things were prioritized and completed on task while others that weren’t even discovered until Venn diagram overlapping areas were identified and added.
And What Shall We Hack?
With the attack platform complete, we could now focus our attention on recreating Elliot Alderson’s hacking scenario. So, we constructed a simulated heating and air conditioning control (HVAC) unit using a Pi Zero, a suite of sensors, an optically-isolated high voltage relay and some python thermostatic control software. The culmination of the workshop involved using developed skills in attacking passwords through open-source collection and a customized dictionary list, exploiting common credentials across various protocols, modifying either the sensor input stream or target temperature (depending on 1337 skillz), and causing the Pi Zero (which simulated a colocation facility or particular rack) to overheat causing a simulated fail.
We added some tasks that are relevant in using the skills we practiced including hardware assembly and software configuration. There was also a power module discussing consumption and the choices that it may lead to during long-term field deployments. We scanned the network by protocol and vulnerability to produce a network map, rounding out the defined systems we identified publicly.
Our priorities meant that we were unable to complete the automated honeynet deployment meant to increase the complexity of the lab workshop both virtually and physically. We also didn’t complete a command short-list by choice in order to compel attendees to participate in order to populate their own command history. In hindsight, we should have had this list available for an immediate download following the completion of the workshop. We were able to transparently include all administrative workshop fees and other associated expenditures within the single cost our workshop. We provided working materials and the final presentation via a shared Google Drive. Our feedback included several comments about wanting the command list for copy-and-paste. We principally disagreed with this idea for the workshop itself but absolutely need to refine it for the final iteration. The second most common comment was to ask for more detailed instructions and additional time for assembling the hardware. For our next workshop, we will complete some of our incomplete additions as well as re-budget our time on the above two items specifically.
Although there were a few changes we would like to have made to this workshop, we nonetheless relished in the fact that we were lucky to have a range of expertise in the room. Still, even the most advanced practitioners, enjoyed themselves. We didn’t do this for money or accolades. We did it because, point blank, we truly believe that the goal of the Poisonous Pi Workshop is directly in line with the mission put forth by the Raspberry Pi Foundation. Their desire is to create “A small and affordable computer that you can use to learn programming.” We not only inspired others to program and innovate, but we also did it with a hacker mindset. Mission Accomplished!
Featured Image Credit: USA Networks – Mr. Robot – (FBI Finds Elliot’s Raspberry Pi)
MacKenzie Brown brings both technical and research experience to her position as an Enterprise Incident Management Consultant, where she focuses on providing clients with proactive and reactive services in order to assess their incident response capability, effectively navigate through breaches, and ultimately design a strategic program roadmap for improved overall posture maturity. In her previous role as a Research Principal at Optiv, Brown focused on developing enterprise security program frameworks and strategic deliverables which provide model, direction, and development for implementing security solutions against emerging threats. Brown is a subject matter expert in compliance and risk management, policy implementation, incident response, and cybersecurity program deployment. Brown also has practical experience in ICS/SCADA security protocols and assessment. She leverages her program development skills with her expertise and charismatic disposition for developing business, partner, and client relationships. Brown is a member of many information security community associations and regularly contributes to security organizations, holds industry certifications, has been regularly published writing on topics specific to business needs in cybersecurity, and has founded and runs an Idaho non-profit, The Ms. GreyHat Organization, that focuses on transforming the culture of cybersecurity through the empowerment of women and initiatives for developing early year cybersecurity education.brown control systems embedded hacking hardware hvac iot kali katoolin mr. robot raspberry pi Raspberry Pi Hacking