Physical Security

Inspired by Mr Robot, I decided to pick up a cheap set of picks and a practice lock off of Amazon and taught myself to pick locks. This sparked my love for locksport, leading me to explore higher security locks, as well as many different locking mechanisms. From pin tumblers, I moved on to exploring wafer, dimple, cruciform and tubular locks, before moving on to warded and combination locks.

As useful as picking a lock open is, simple exploits of the lock reduce the effort required significantly. Using bump keys, comb picks, or jiggler keys allows for rapid entry to the many locks in which these methods work.

But why even attack the lock? In many cases, we are able to bypass locks entirely by using shims, jims and not even touching the pins. I’m equal parts fascinated and terrified by how many lock cores present high security, while the mechanism they are attached to can be opened with no effort at all. I’m constantly searching for the simplest way past a barrier, and love all that physical security has taught me so far.

I am now moving towards the intersection of physical security with cybersecurity - principally, smart locks. With so much to learn about both worlds, manufacturers often create smart locks which are secure in one aspect and less so in the other - or provide decent but imperfect security on both fronts. For my master’s thesis, I analysed two smart locks - one Wi-Fi based, one BLE based - and found a total of 12 vulnerabilities across the two locks. Details of my hacks on them will be released when the vulnerabilities are eventually patched.


Wireless Technologies

I’ve found wireless to be a broad field with a lot of interesting technologies to discover. I began by exploring the world of Wi-Fi, learning how to crack passwords in WPA connections, exploit vulnerabilities in WEP, and the various problems making Wi-Fi vulnerable to multiple denial of service attacks. I then transitioned over to WPA3, looking into the Dragonblood vulnerabilities and performing the downgrade attacks to apply my existing knowledge of WPA2.

More recently, I’ve been focusing on RFID and NFC, diving into the deep end by exploiting hardened Mifare Classic cards. I applied my knowledge of cryptography to attempt an analysis of the Crypto-1 cipher used by Mifare, reading further about existing vulnerabilities after doing my own analysis. I’ve also looked into low frequency cards and the associated technologies, and used tools such as the Proxmark and Chameleon for RFID hacking.

I have also learned a great deal about both Bluetooth and BLE through my master’s dissertation, using man-in-the-middle attacks and reverse engineering to analyse smart lock communications. I have identified an attack on the weak key exchange of a lock, as well as a separate chain of vulnerabilities leading to a form of replay attack.

Reverse Engineering

I began, as many hackers have, by wanting to understand how things work. I disassembled toys, computers, locks and more even before I knew anything about security because I loved working out how everything was built. With my newfound security expertise, I have expanded on this art of constructively disassembling things by reverse engineering various applications to find vulnerabilities. From investigating Android applications to analysing binary applications using Ghidra and generating circuit diagrams from x-rays of PCBs, I’ve learned a lot about learning about new systems and love to apply this to novel situations.


Cryptography

From simple historic ciphers to complex modern systems, I love exploring and breaking the different ways people hide their communications. While historic ciphers do not offer much security by modern standards, they were an excellent entry point to exploring the many ways that secret messages can be revealed. While modern ciphers are significantly more complex, there are still a great many ways that they can be improperly implemented or misused in ways that leave them vulnerable to attack. I have explored various cryptographic systems and ways of breaking them, as well as attacking some poor implementations of cryptography in real world systems such as BLE smart locks.

I have also taught cryptography supervisions for the 3rd year Cambridge undergraduate course, including creating CTF-style bonus challenges for students to attempt.