General analysis of the product to determine common security weaknesses and attacks

 Access to the internal circuit without evidence of device tampering

 Retrieval of any internal or secret data components

 Cloning of the device (useful for authentication tokens and other identity-type devices)

 Retrieving memory contents

 Elevation of privilege

Types of Tamper Mechanisms

There exist a large number of tamper mechanisms that can be designed into a product to protect or prevent access to components and data. Tamper mechanisms are divided into four areas:

Often, products have tamper mechanisms that can only be discovered by complete disassembly of the product. This may require obtaining more than one device in order to sacrifice one for the sole purpose of discovering any tamper mechanisms. For example, there might be a simple switch used to detect if the device is being opened, which would erase all memory contents as a result of the device’s being opened. Opening the device makes it apparent that the mechanism exists, but that particular device is rendered useless for further analysis. Once the mechanisms are noted, hypotheses can be formed about how to attack and bypass them.

External Interfaces

It is useful to identify any external interfaces that are used by the product to communicate to the outside world. These interfaces may be used for a number of purposes, from simply connecting to peripherals (such as mouse, monitor, keyboard, desktop computer) to field programming or upgrading. Any interface that is transmitting information from the product to a third-party may contain information that is useful for an attack. Some examples of typical external interfaces are listed below. This is by no means a complete list, but rather a starting point:

Often, products will have development or programming interfaces that are not meant for everyday consumer use, but can benefit a potential attacker immensely. Take note of any out-of-the-ordinary connector types, peculiar access doors or holes, or evidence in the chassis that may indicate a prior location of a door or access panel for debugging or development activities. These clues will help reveal the location of possible de-populated debugging points or programming interfaces. Figure 14.3 and Figure 14.4 show examples of two products that have some type of programming or test interface available to all users: a hardware authenticator key fob and a PDA. The test points shown in Figure 14.3, the five brass-colored dots, are accessible by simply removing a small plastic sticker on the back of the device housing. Once the test points have been probed or used, the sticker can be replaced, leaving no signs of tampering. In Figure 14.4, the seven holes in the plastic housing (shown on the bottom of the right image) allow the test points to be accessed when the case is closed.

If such interfaces are transmitting critical information, or used for device programming or control with minimal or no security/authentication, the product could easily be hacked or modified. For example, the Palm Operating System transmits an obfuscated version of the system password over the serial port during a HotSync operation. (See the “Cryptanalysis and Obfuscation Methods” section for more details.)

Protocol Analysis

Data transfer can occur either between components at board-level or through an external interface to the outside world. Understanding the methods of data transfer used is a crucial part of hardware hacking and, if successful, you may be able to retrieve critical information, or control or reprogram the product.

Unknown protocols can be monitored with the use of a digital oscilloscope or logic analyzer (see the “What Tools Do I Need?” section for more information). With these tools, the target transmission sequences can be captured and stored for later analysis. Dedicated protocol analyzers could be used on known protocols. One attack against a known protocol would be to generate malformed or intentionally bad packets (using the traffic generation features of a protocol analyzer) and observe the results. If the software controlling the product is not correctly programmed to handle errors or illegal packets (in other words, not conforming to the protocol specification), a failure may trigger an unintended operation that is useful to the attacker. A large number of protocols and specifications exist for various data transfer mechanisms.

The Universal Serial Bus (USB) specifications (www.usb.org) provide technical details to understand USB requirements (mechanical and electrical) and design USB-compatible products. USB Snoopy (www.jps.net/˜koma) is a Windows-based monitoring tool/protocol analyzer that serves as a low-cost alternative to using a hardware-based solution. This tool captures and displays all USB data traffic and is extremely useful for determining what information a product is transmitting to the host computer and vice-versa. Using such a tool can help you figure out what commands or what format of data the device is expecting, so you can attempt to send the device “undocumented” commands or data and discover any anomalies.

Infrared (IR) is another form of wireless that is designed for close-quarters, point-to-point communications. IR is commonly used on PDAs and mobile telephones in order to transfer phone number, memo pad, date book, and to-do list information between the device and a host computer. The Infrared Data Association (IrDA) standard (www.irda.org) is the most popular of interconnection standard for Infrared. The standard supports a broad range of appliances, computing and communications devices.

In the past few years, serial (RS232) and parallel connections have become less common as products and peripherals are replaced with newer USB and IR interfaces. However, transmitting data in a generic serial or parallel format is extremely easy and requires minimal overhead. PortMon by Sysinternals (www.sysinternals.com/ntw2k/freeware/portmon.shtml) monitors and displays all of a system’s serial and parallel port activity. As with USB Snoopy, this tool is useful for examining data transfer between a host computer and target device. Figure 14.5 shows a screenshot of PortMon logging the data transfer between a PDA and desktop serial port.

Wireless technologies are becoming very popular, and are being implemented in an increasing number of products. Much of the various protocols’ wireless traffic is sent in the clear, which allows an attacker with minimal resources to monitor the traffic. Such is the case for paging protocols (POCSAG and FLEX), air traffic control (ACARS), police and mobile data terminals (MDC4800), and particular implementations of two-way pagers such as Research In Motion’s BlackBerry (Mobitex). The most popular protocol for networking-related wireless products is 802.11b wireless Ethernet (http://standards.ieee.org/getieee802). Airopeek, a software-based tool from WildPackets (www.wildpackets.com/products/airopeek), is designed for analyzing the network traffic on 802.11b wireless networks. Another software-based 802.11b wireless monitoring tool and analyzer is Sniffer Wireless from Sniffer Technologies (www.sniffer.com/products/sniffer-wireless). Bluetooth (www.bluetooth.com) and HomeRF (www.homerf.org) are two consumer product-oriented wireless protocols, both of which operate in the 2.4GHz band and use Frequency Hopping Spread Spectrum (FHSS).

For a reference on Ethernet and network protocol analysis, Comer’s Internetworking with TCP/IP volume 1 – Principles, Protocols, and Architecture, published by Prentice-Hall, provides an introduction and details to the TCP/IP network protocols. Other network technologies are also discussed.

Electromagnetic Interference and Electrostatic Discharge

All electronic devices generate electromagnetic interference (EMI) in one form or another. This is a by-product of electrical properties, printed circuit board layout, and component value variations. This phase of analysis aims to determine how much EMI a device produces and whether or not it is useful for attack purposes.

Hardware hacking attacks by measuring EMI were first hypothesized and detailed by Wim van Eck in his paper Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? (Computers & Security, Vol. 4, 1985, www.jya.com/emr.pdf). This paper describes the results of research into the possibility of eavesdropping on video display units by picking up and decoding the electromagnetic interference, now known as “van Eck monitoring.” John Young’s “TEMPEST Documents” Web page (http://cryptome.org/nsa-tempest.htm) provides a wealth of information and recently unclassified government documents on van Eck monitoring and government shielding requirements (known as “TEMPEST”). Much of the TEMPEST shielding information is still classified by the United States Government. With the right antenna and receiver, EMI emanations can be intercepted from a remote location and redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard) by the attacker.

In recent times, EMI measurements have become a popular technique for smart card analysis, since they can yield interesting information about processing power and cryptographic operations (which might lead to discovery of certain portions of the cryptographic key). Rao and Rohatgi’s EMPowering Side-Channel Attacks (www.research.ibm.com/intsec/emf.html) provides preliminary results of compromising information via EMI emanations from smart cards. This research is based on power analysis and Kocher, Jaffe, and Jun’s Differential Power Analysis paper (Advances in Cryptology: Proceedings of Crypto ′99, 2000, www.cryptography.com/dpa/Dpa.pdf) in which the electrical activity of a smart card is monitored and advanced statistical/mathematical methods are used to determine secret information stored in the device. These types of EMI and power analysis attacks are useful on small, portable devices such as smart cards, authentication tokens, and secure cryptographic devices. Larger devices, such as desktop computers and network appliances, might generate too much EMI to be able to measure specific, minute changes as cryptographic functions are being processed.

EMI measurements and van Eck monitoring are referred to as passive attacks. An active attack consists of directing high-energy RF (HERF) signals at a particular product to analyze susceptibility to EMI/RF noise. This can disrupt the normal operation of digital equipment such as computers and navigational equipment. Large amounts of HERF often damage electrical devices, however; and generally don’t provide useful results for hardware hacking (unless the objective is to destroy a product). Another active attack consists of injecting static electricity into a device in order to cause failures. Electrostatic discharge (ESD) protection components are often designed into external connectors and contacts to reduce the chance of failure (by using diodes or Transient Voltage Suppressor devices). One attack uses an ESD simulator tool to generate a high voltage spike and inject it into a device’s external interface or keypad in hopes of causing an unexpected or unintended condition (by causing the program counter to jump to a different code portion or change the values on the address or data bus, which would confuse the operating program). However, unless the injection of HERF or ESD can be reproduced in a controlled manner, the results may be too unpredictable to be useful.

Reverse-engineering the Device

The schematic is essentially an electrical operation road map and forms the base for determining any electrical-related vulnerabilities. Reverse-engineering a complete system can be time consuming for products larger than a small portable device (such as an authentication token). For larger products, any schematics and technical repair manuals that might be available from the product vendor would be extremely helpful.

When reverse-engineering the target product, it is necessary to determine the part numbers and device functionality of most, if not all, of the components. Understanding what the components do may provide details for particular signal lines that may be useful for active probing during operation. Nearly all integrated circuit (IC) vendors post their component data sheets on the Web for public viewing, so simple searches will yield a decent amount of information. “IC MASTER Online” (www.icmaster.com) provides part number searches, pinout and package data, logos, application notes, second sources, and cross-references for over 135,000 base components from over 345 manufacturers. Drawing the schematic can be done by hand, but a schematic entry system such as Cadence Design Systems’ OrCAD Capture (www.orcad.com/Product/Schematic/Capture/default.asp), makes the task much more manageable. Physically examining the circuit board can reveal unpopulated debug ports, reset buttons, or logic analyzer probe headers for bus analysis, all of which can prove useful for active data gathering.

Figure 14.6 shows the circuit board from an Aladdin Knowledge Systems’ eToken R1 USB hardware authentication device. It is easy to pick out the major components: the microprocessor, denoted as CY7C63001A, on the left, and an external memory device to the right of that. The backside of the board (shown on the bottom) has some supporting glue circuitry, including some capacitors, a timing crystal, and a microprocessor reset IC. There is a green light-emitting diode (LED) on the right edge of the board and the obvious USB connector on the left. Reverse-engineering the design and creating a schematic (Figure 14.7) took about one hour. In this particular example, our first attack was to attempt to read the contents of the external memory device using a device programmer, which provided us with enough information to successfully defeat the security features and gain access to private data. Full details of this attack can be read in Kingpin’s “Attacks on and Countermeasures for USB Hardware Token Devices” (Proceeding of the Fifth Nordic Workshop on Secure IT Systems, www.atstake.com/research/reports/usb_hardware_token.pdf).

Basic Techniques: Common Attacks

Once the schematic has been drawn to the best of our knowledge, we can begin to identify and hypothesize on possible attack vectors. Can certain areas of the circuitry be accessed without opening up the entire device? This knowledge is especially useful if there are tamper mechanisms covering certain areas, and may lead to quick attacks rather than having to completely open the unit. Some of the most basic attacks are related to data extraction from microprocessors or external memory components (see the “Memory Retrieval” section) in which critical information may be read and/or modified to the attacker’s advantage. Information can also be gleaned by analyzing the internal address and data bus lines, which is often achieved with a logic analyzer or digital oscilloscope. Varying the voltage supplied to the circuit or changing the temperature environment (such as by applying direct heat or cold to an individual component or making a more general change in ambient operating temperature) to bring the device outside of normal operating conditions may cause beneficial side effects.

Anderson and Kuhn’s Low Cost Attacks on Tamper Resistant Devices (Security Protocols, 5th International Workshop, 1997, www.cl.cam.ac.uk/˜mgk25/tamper2.pdf) describes a number of techniques that low-budget attackers can use to break smart cards and “secure” microcontrollers.

Advanced Techniques: Epoxy Removal and IC Delidding

Encapsulation of critical components using epoxy or other adhesives is commonly done to prevent tampering and device access (the microprocessor shown in Figure 14.9 is covered by a hard epoxy encapsulate to prevent probing). There are many different types of epoxies and resins that can be used to provide component protection. Some of this material can be dissolved or removed using chemicals (such as Methylene Chloride or Fuming Nitric Acid). A quick-turn solution is to use a Dremel tool or drill with a wooden bit (such as the shaft of a cotton swab or a toothpick). Moving the drill lightly along the epoxy surface will weaken and thin the bonding material. It is recommended that you take proper precautions and wear protective gear for this stage of the attack. Once the epoxy is removed from the component, you may be able to begin probing the device.

For more complicated product designs, IC delidding and analysis of the silicon die might need to take place (especially if security features are in place to prevent proper reading from a memory device as described in the “Memory Retrieval” section). The goal of delidding is to get access to the actual die of the integrated circuit (which could be a microprocessor, analog or digital memory, or programmable logic). IC delidding is extremely difficult without the use of proper tools because hazardous chemicals are often required and the underlying die is very fragile. Decapsulation products are offered by companies such as B&G International (www.bgintl.com) that will aid in certain types of epoxy removal.

Cryptanalysis and Obfuscation Methods

Products and systems commonly use simple obfuscation to protect secret data components that are stored in memory. Simple obfuscation and reversible transforms lull the user into a false sense of security. Even solid cryptographic algorithms are at risk if the secret components can be retrieved and identified.

Once data is retrieved from a device, it may be necessary to analyze the contents to determine what the real data values are. Knowing the simple cryptographic algorithms (described in Chapter 6) and commonly used obfuscation techniques will aid in such recovery. There are also more complicated data protection/obfuscation mechanisms, such as Tamper Resistant Software by Cloakware Corporation (www.cloakware.com). Applied Cryptography (John Wiley & Sons, 1996) by Bruce Schneier can also be of help; it describes the history of cryptography and presents dozens of cryptographic protocols, algorithms, and source code, and is a great starting point when attempting cryptanalysis of data you have retrieved from a hardware device.

One example of a weak, reversible encoding scheme is the one used by Palm OS to protect a PDA’s system password: the password is obfuscated and stored in system memory. It is also transmitted through the serial or Infrared port during a HotSync operation, which can easily be monitored. As shown in Kingpin’s “Palm OS Password Retrieval and Decoding” advisory (www.atstake.com/research/advisories/2000/a092600-1.txt), it is possible to easily determine the actual password: The password is set by the legitimate user with the Palm “Security” application; the maximum length of the ASCII password is 31 characters. Regardless of the length of the ASCII password, the resultant encoded block is always 32 bytes. Two methods are used to encode the ASCII password, depending on its length. Our example will look at the scheme for passwords of four characters or less. By monitoring the serial port during a HotSync operation (using PortMon) and comparing the encoded password blocks of various short passwords, it was determined that a 32-byte constant was simply being Exclusive ORed (XOR, a logical operation) against the ASCII password block. To decode the obfuscated password back into the original password, the encoded block is simply XORed with the constant bock.

Let A = Original ASCII password

Let B = 32-byte constant block

Let C = 32-byte encoded password block

For passwords of length 4 characters or less, we can define B to be the following:

09 02 13 45 07 04 13 44 0C 08 13 5A 32 15 13 5D

D2 17 EA D3 B5 DF 55 63 22 E9 A1 4A 99 4B 0F 88

First, we will calculate the starting index, j, which determines where in the constant block the XOR operation will begin. j is computed by adding the length of the original password (for example, we will use a password of ‘test’, so the length is 4) to the ASCII decimal value of the first character of the password (‘t’ is equal to 116 decimal) modulo 32. In this example, the XOR operation will begin with the 24th character in the 32-byte constant block.

j = (A[0] + strlen(A)) % 32;

Next, a simple loop occurs, repeating 32 times and XORing the original ASCII password with the 32-byte constant block (indexed by j, as calculated above), storing the result in a new 32-byte array: C, the encoded password block.

C, the resultant encoded password block of ASCII password ‘test’, is shown below. Note that only 4 of the bytes differ from the constant block above. Those represent the encoded version of the password.

56 8C D2 3E 99 4B 0F 88 09 02 13 45 07 04 13 44

0C 08 13 5A 32 15 13 5D D2 17 EA D3 B5 DF 55 63

Knowing both the constant and encoded blocks allows us to easily determine the original ASCII password. We can do this by comparing both blocks, rotating the constant block until all similar bytes line up, and then individually XORing the bytes that differ. For example, 0×56 XOR 0×22 = 0×74 (which corresponds to ‘t’), 0×8C XOR 0×E9 = 0×65 (‘e’), 0×D2 XOR 0×A1 (‘s’), and so on.

Starter Kit

The following “starter kit” tools are required for the hardware hacker’s arsenal:

Advanced Kit

Depending on the complexity of the target product and your determination to successfully hack it, additional resources may be necessary. Much of this equipment is expensive (upwards of $10K+) but can be rented or leased from a test equipment rental firm (such as Technology Rentals and Services, www.trsonesource.com) on a weekly or monthly basis. Academic laboratory environments will often have these tools available as well.

Experimenting with the Device

The DS1991 contains 1,152 bits of non-volatile memory split into three 384-bit (48-byte) containers known as subkeys. Each subkey is protected by an independent 8-byte password. Only the correct password will grant access to the data stored within a subkey area and return the data. If an incorrect password is given, the DS1991 will return 48-bytes of random data intended to prevent an attacker from comparing it against a known constant value. Dallas Semiconductor marketing literature (www.ibutton.com/software/softauth/feature.html) states that “false passwords written to the DS1991 will automatically invoke a random number generator (contained in the iButton) that replies with false responses. This eliminates attempts to break security by pattern association. Conventional protection devices do not support this feature.”

By using the iButton-TMEX software (www.ibutton.com/software/tmex/index.html), which includes an iButton Viewer to explore and connect to iButton devices, it was determined that the data returned on an incorrect password attempt is not random at all and is calculated based on the input password and a constant block of data stored within the DS1991 device. Figure 14.12 shows the data contents of a DS1991 device. Note the identical values returned for Subkey IDs 1 and 2 when an incorrect password of “hello” is entered.

The returned data has no correlation to the actual valid password, which is stored in the DS1991’s internal memory. The constant block of data, which is a 12k array containing 256 entries of 48-bytes each, is constant across all DS1991 devices and has no relation to the actual contents of the subkey memory areas. This means that for any given character (1 byte = 256 possibilities), there is a unique 48-byte response sent back from the iButton device. To determine what comprised that constant block, Dallas Semiconductor wrote a test program (based on the TDS1991.C sample code, ftp://ftp.dalsemi.com/pub/auto_id/softdev/tds1991.zip) to simply set the password 256 times, ranging from 0x00 to 0xFF, and record the response. The serial port was monitored to view the responses from the iButton device. It was then a matter of puzzle-solving to determine what the responses would be for longer passwords. By pre-computing the return value expected for an incorrect password attempt, it is possible to determine if a correct password was entered. This is due to the fact that, if the password is correct, the data returned by the DS1991 will be the actual data stored in the subkey, not the “incorrect password” response.

The transaction time is limited to 0.116 seconds for each password attempt by the computational speed of the DS1991 and the bus speed of its 1-Wire interface. Because of this, it is not possible to perform an exhaustive brute-force search of the entire 64-bit password keyspace, or that of only ASCII-printable characters (which would require approximately 22,406,645 years). However, it is still possible to perform a dictionary attack against the device using a list of commonly used passwords.

Reverse-engineering the “Random” Response

By comparing the 48-byte “random” device responses of various known incorrect passwords, it was determined that they were computed in a simple loop, as shown below. Although the code may appear complex, we are essentially just XORing a number of constant strings together.

Let A_j be the jth byte of A, the 8-byte password (padded with 0x20 if less than 8-bytes)

Let B_k be the kth entry of B, the 12kB constant block (256 entries each 48-bytes in length)

Let C_m be the mth byte of C, the 48-byte response (initialized to 0x00)

for (j = 0; j < 8; ++j) // For each remaining character in p/w.

There is an additional step taken if the last character of the password (A_7) is signed (greater than 0x7F). If this is the case, the pre-computed subkey value is XORed against another constant block containing 128 entries of 48-bytes each. It is unclear why iButton performs this step, but it is possibly to add an additional level of obscurity to the “random” response.

As shown in the code above, the constant block is used to retrieve a 48-byte string for each byte of the entered password. Each string is XORed together to produce the final response that the iButton device returns if the password is incorrect. For the example shown below, let’s use a password of “hello” (padded up to 8 characters with 0x20, which is a blank space) and compute the 48-byte “incorrect password” string. In the interest of space, we will only look at the first 16-bytes of the resultant 48-byte response.

Let A = “hello” = 68 65 6C 6C 6F 20 20 20

B_68 (‘h’) = D8 F6 57 6C AD DD CF 47 CC 05 0B 5B 9C FC 37 93 …

B_65 (‘e’) = 03 08 DD C1 18 26 36 CF 75 65 6A D0 0F 03 51 81 …

B_6C (‘l’) = A4 33 51 D2 20 55 32 34 D8 BF B1 29 40 03 5C 9C …

B_6C (‘l’) = A4 33 51 D2 20 55 32 34 D8 BF B1 29 40 03 5C 9C …

B_6F (‘o’) = 45 E0 D3 62 45 F3 33 11 57 4C 42 0C 59 03 33 98 …

B_20 (‘’) = E0 2B 36 F0 6D 44 EC 9F A3 D0 D5 95 E3 FE 5F 7B …

B_20 (‘’) = E0 2B 36 F0 6D 44 EC 9F A3 D0 D5 95 E3 FE 5F 7B …

B_20 (‘’) = E0 2B 36 F0 6D 44 EC 9F A3 D0 D5 95 E3 FE 5F 7B …

The final pre-computed “random” response is calculated by XORing all of the above lines together, keeping the most significant 48 bytes. Note that this string is the hexadecimal representation of the “garbage” in Figure 14.12 that was returned when “hello” was entered as an incorrect password:

D8 F5 FB 26 4B 46 03 9B CC 2E 68 82 22 F7 F3 2B …

The DS1991 device will return the 48-byte “incorrect password” string if the given password is incorrect (as demonstrated by our example). The pre-computed value will always be the same for any device that is given the same password. Because of this, if the pre-computed value matches the response returned from the DS1991, we know the guessed password is incorrect. If the responses are different, the guessed password is the correct password. This is because the device is returning the actual subkey data rather than the “random” data normally returned for a given incorrect password.

A proof-of-concept tool with source code (showing the 12kB constant block) is available (www.atstake.com/research/advisories/2001/ds1991.zip) to demonstrate dictionary attacks against the DS1991 iButton. The demonstration performs the following actions:

Opening the Device

The NetStructure 7110 device is housed in a standard 19” rack-mount case and closed with non-descript screws (Figure 14.13). Opening the unit reveals a standard PC motherboard and Pentium II 333MHz processor. A Rainbow CryptoSwift Accelerator card (www.rainbow.com/cryptoswift/PCI.html) is attached on the local PCI bus of the motherboard and handles the actual encryption and decryption functionality of the NetStructure. There is no hard drive, as the filesystem is located on a Flash ROM-based CompactFlash (www.compactflash.org) memory card. There are no apparent tamper mechanisms, other than a small seal on the exterior of the housing, which was carefully removed before opening (and replaced when the experiments were complete).

Reverse-engineering the Password Generator

While examining the contents of the filesystem created from the filesys.gz image, it was noted that a number of applications existed on the CompactFlash that should have been removed from a production unit: such applications included gdb and tcpdump, which were both found in the /debug directory. The /bin directory contained xmodem, which could be used to upload additional tools to the device; and a number of diagnostic applications (cr_diag for the Rainbow CryptoSwift Accelerator card, ser_diag for the serial port, exp_diag for the network interface card, and lm_diag for system timing).

Other applications specific to the Intel NetStructure 7110 device exist, such as saint, ipfwasm, ipfwcmp, gen_def_key, and gp. The strings output of gp reveals a usage string that takes in an Ethernet MAC address or interface. This seems interesting and warrants further investigation.

Usage: gp [aa:bb:cc:dd:ee:ff | ifname]

Using rec, a reverse–engineering compiler (www.backerstreet.com/rec/rec.htm), it was determined that the gp application will take in a MAC address and convert it to the default supervisor password. Furthermore, gp was compiled with all debug symbols enabled, making the reverse–engineering process much easier.

The supervisor password of each NetStructure device is derived from the MAC address of the primary NIC installed in the unit. During the device’s boot process and before every login, the MAC address is presented to the user on the serial console port. The password can be entered from the management console (via the serial port) if the attacker has physical access to the machine, or remotely if a modem has been connected to the NetStructure and configured for remote access. The password will override any administrator settings and allow full access into the device. A proof–of–concept tool with source code is available (www.atstake.com/research/tools/ipivot.tar.gz) to demonstrate the MAC address–to–password encoding.