Singapore Government to make its contact-tracing app freely available to developers worldwide

SINGAPORE – In a move to help the international community combat the coronavirus pandemic, the Government will be making the software for its contact-tracing application TraceTogether, which has already been installed by more than 620,000 people, freely available to developers around the world.

In a Facebook post on Monday (March 23), Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan said that the app, developed by the Government Technology Agency (GovTech) and the Ministry of Health, will be open-sourced.

This means that the software’s source code will be made freely available and may be redistributed and modified.

“We believe that making our code available to the world will enhance trust and collaboration in dealing with a global threat that does not respect boundaries, political systems or economies,” said Dr Balakrishnan, who is also Foreign Minister.

“Together, we can make our world safer for everyone.”

Launched last Friday, the TraceTogether app can identify people who have been within 2m of coronavirus patients for at least 30 minutes, using wireless Bluetooth technology. Its developers say the app is useful when those infected cannot recall whom they had been in close proximity with for an extended duration.

For the app to start tracing, the Bluetooth setting on mobile phones has to be turned on.

If a user gets infected, the authorities will be able to quickly find out the other users he has been in close contact with, allowing for easier identification of potential cases and helping curb the spread of the virus.

Official contact tracers will provide a code that users can match with a corresponding verification code on their app. Once authenticated, users will get a PIN that allows data to be submitted.

Contact tracers will not ask for any personal financial details or request that money be transferred over the phone.

In his post on Monday, Dr Balakrishnan said that the GovTech team was working “around the clock” to finalise documents to allow others to use the BlueTrace protocol – the building blocks of the TraceTogether app. He added that TraceTogether has been installed by more than 620,000 users so far.

Dr Janil Puthucheary, Minister-in-charge of GovTech, also weighed in on the app in a radio show on Monday, saying that a team of about 40 engineers spent more than 10,000 man-hours developing TraceTogether.

Dr Janil also encouraged more people to download TraceTogether as added protection.

TraceTogether’s developers uploaded a manifesto for BlueTrace on the app’s website on Monday, calling for international adoption of contact-tracing solutions in today’s globalised world as weapons to turn the tide against the Covid-19 outbreak.

“Covid-19 and other novel viruses do not respect national boundaries. Neither should humanity’s response. In a globalised world, with high volumes of international travel, any decentralised contact-tracing solution will need mass adoption to maximise network effects,” stated the app developers’ manifesto.

Interested parties can contact the TraceTogether team via e-mail or check this website for more information.

Source: Coronavirus: S’pore Government to make its contact-tracing app freely available to developers worldwide, Singapore News & Top Stories – The Straits Times

WPA Cracking from Kismet sensors

During a recent event I decided to set up a passive monitoring station to check for any attempts to impersonate, hijack, or deny service to our WiFi. For this task I decided to use an Alpha card and Kismet (which comes already installed on Kali Linux), deployed for wireless intrusion detection (WIDS).

Kismet worked as advertised, and I was able to monitor channel utilization and watch for wireless anomalies (think pwnagotchi or hak5 pineapple).

Channel Utilization Monitoring

Kismet WIDS alerting

This worked great, but I soon noticed that Kismet was also logging WPA handshakes for client connections, which made me wonder: could Kismet be used as an attack platform?

Captured WPA key exchange

After some quick googling I found that it's indeed very possible, using this 3-step process.

  1. Export PCAP data out of the Kismet session database (by default stored at the root of a user home dir) by issuing the command kismet_log_to_pcap --in foo.kismet --out foo.pcap
  2. Convert that PCAP into something consumable by hashcat by issuing the command cap2hccapx.bin foo.pcap foo.hccapx
  3. Set up hashcat to crack the stored key exchanges by using the command hashcat64.exe -m 2500 foo.hccapx rockyou.txt -r rules/rockyou-30000.rule

What was surprising was that it took seconds or less to crack many of the captured sessions. What's more interesting is that it's possible to deploy Kismet on extremely cheap hardware such as a Raspberry Pi and form fleets of sensors that all log to a central point, and that are all cracked and monitored.

hashcat output

Today’s key takeaway? If you use a portable access point such as your phone as a hotspot, you still need to use an extremely long and complex password. It used to take an exorbitant amount of time to crack WPA2, but that is no longer true. Modern techniques for cracking the pairwise master key have been developed which, combined with GPU-based password cracking, mean weak passwords can often be cracked instantly.
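To make the takeaway concrete, here is an added example (not code from the original post) that audits a hotspot passphrase from the defender's side: it derives the WPA2 pairwise master key the standard way, PBKDF2-HMAC-SHA1 salted with the SSID, and estimates how long an exhaustive offline search would take. The guess rate, the small wordlist and the SSID "ExampleHotspot" are assumptions made for illustration.

```python
import hashlib
import math
import string

# Assumption for this example: offline guess rate of one cracking rig, in
# PMK guesses per second. Illustrative figure, not a number from the article.
ASSUMED_GUESSES_PER_SEC = 500_000
# Constructed sample of well-known weak passphrases (stand-in for a wordlist).
COMMON = {"password", "12345678", "qwertyuiop", "iloveyou1"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_size(passphrase: str) -> int:
    """Size of the alphabet an exhaustive search would have to cover."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))

def audit(passphrase: str, ssid: str, rate: int = ASSUMED_GUESSES_PER_SEC) -> dict:
    """Best-case resistance of a passphrase to offline guessing."""
    wpa2_pmk(passphrase, ssid)  # validates length and character set
    in_wordlist = passphrase.lower() in COMMON
    bits = len(passphrase) * math.log2(charset_size(passphrase))
    # Average exhaustive search covers half the keyspace. This is an upper
    # bound: wordlists and mangling rules find human-chosen strings far sooner.
    avg_seconds = 0.0 if in_wordlist else 2 ** (bits - 1) / rate
    return {"in_wordlist": in_wordlist, "bits": round(bits, 1),
            "avg_seconds": avg_seconds}

if __name__ == "__main__":
    for pw in ("password", "qzkvmwxp", "T7#mv!qL2x@Zp9&dRw4c"):
        print(pw, audit(pw, "ExampleHotspot"))
```

Because the SSID is the only salt, a default or very common network name lets precomputed work be reused across networks, so a unique SSID helps alongside a long random passphrase.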

To read more about this, check out Ins1gn1a’s article titled Understanding WPA/WPA2 Pre-Shared-Key Cracking.

Source: WPA Cracking from Kismet sensors – William Reyor – Medium