At the end of November last year awesome crew from AT&T organized a hackathon about various aspects of smart technology. They have a long tradition in organizing those and they are really good at it. We spoke at various conferences with them and they asked us whether we would be interested in joining as we have interesting hardware to lend contestants and also developers skilled in various areas that could help the attendees to overcome various issues. We jumped on board right a way!
Let’s start by explaining how the hackathon worked. It started on Friday morning. People came, divided into teams and listened to the presentations about the rules and about the hardware available like our routers, Hardwareios Big Clown kits, FabLabs truck or the immerse amount of stuff AT&T folks brought. At noon the contest started and teams could go and borrow some
hardware and start prototyping. From there on the contestants had 24 hours to come up with innovative idea and create a working proof of concept. At the end, there were two juries. One technical – judging whether stuff works and is not just a mock, how hacky the code is, whether there is some documentation or if it can actually survive more than five minutes. Second jury was non-technical and judged the idea – it’s novelty and usefulness based on the presentation teams had to do in the end. So the teams had not only to come up with something interesting, but they had to “sell it” as well.
Apart from the hardware, we were also helping with mentoring. Our role was to help people to finish successfully. Here I must say a big hats-off to the organizers. Their experience really helped a lot. We were periodically checking on people and trying to help them. Asking the right questions at the right time. At the beginning, asking people about their ideas and helping some of the teams to realize where are the weak spots and in general polish the ideas. Later during the night we checked how they are making progress, whether they are not stuck somewhere and how is the idea bending. As they progressed with the implementation, they were finding more interesting features to add or they were starting to focus on one specific part of the problem. Sometimes we talked whether their scope is not to broad to get done in 24 hours, sometimes whether it is not too narrow and too specific and whether there isn’t something that could be easily added that would move the whole idea to a completely different level. And in the morning, we reminded people that they should start thinking about how to present the idea as they will be partly judged by how they are able to relay the information about how awesome their project is. In the ends, all participants managed to successfully finish the project and had nice presentations ready for the jury. Which I personally consider really amazing success.
What I would like to talk more about is Turris and it’s role on this hackathon. There was quite some interested from contestants. One team even brought their own Turris Omnia with them. In the end they didn’t used it as part of the project they were building, but just as a router to connect with each other, but it was a nice example that our routers are geek friendly 🙂 We provided several other teams with MOXes in various configurations to develop their ideas on. During brainstorming part we handed out quite a few, later on some them returned as people started to get a better idea what will they focus on.
All the projects were interesting and varied a lot in what they were trying to solve. Ranging from smart buses and traffic lights to theater system and smart hen house. But I would like to especially mention one of the projects that evolved around Wi-Fi, networking and security. This team came up with an idea (called “Rouge AP detection“) that they will help secure company infrastructure against one specific but really dangerous attack and they used our routers in the process.
Rouge AP detection
In professional environment people use 802.1x to get to the Wi-Fi. In this protocol devices authenticate using login and password. Quite often those credentials are taken from some central LDAP and are used for variety of services running inside the company. So obtaining those might be really tempting as those might allow you to get access to internal systems or for example emails containing sensitive information (which is problem by itself, but quite spread).
One possible attack relying on peoples laziness is to setup Wi-Fi AP with same SSID and lure people to log into it. In typical setup, apart from username and password you have a server certificate that you use to validate that you are trying to login to the correct server. But getting that certificate for example to your cellphone is just an extra boring and complicated task. And it works even without it, so why bother? Those pesky IT guys in their tin foil hats always worrying about security and making stuff unusable… So people ignore those recommendations out of laziness. And then attacker can just setup fake AP and start asking for credentials from Internet demanding cellphones.
Making people comply is hard, so the project was aimed at detecting those kind of attacks. Basic assumption is that as IT infrastructure manager you have multiple APs through the building. What you can do is to use this network to scan for APs with same SSID and invalid certificates. Pretty simple idea. But that is not where it ends. What to do when you find such a device? Team working on this project came with another clever idea. You know where your APs are located, you can get signal strength to the evil AP from various points in the building and then you can triangulate it’s rough position. So the IT guy wouldn’t know just that there is an attack, but also roughly where to look for attacker/attackers hardware to neutralize it. Pretty cool, right? Well, the jury thought so too, so this project actually ended up on second place.
Few last words. Big thanks to AT&T and the other partners to make an amazing event! It was awesome, we really enjoyed it and it was amazing how much can be done in just 24 hours.