Windows XP at DEFCON: Preparation

Posted by Jen Tong on July 21, 2017

I’m on my way to my first ever DEFCON. It’s a very popular hacker / cybersecurity conference in Las Vegas that some people compare to Burning Man for hackers. I’m super excited.

Over the years I’ve received advice about how to survive the event without getting pwnd. The advice ranges from don’t use the open wifi with your work laptop to don’t bring any electornics at all.

But, I’m a fool. So instead, I’m bringing the least secure computer possible to see how deep pwnage can go. Then, after the event, I’ll try to figure out what happened.

Laptop & OS selection

You’d think this would be as easy as finding a Lappy 486 at a thrift store and slapping Windows ME on it, but you’d be wrong. Laptops that old can’t connect to modern wifi, and might not even be able to mount malicious USB devices. I’d probably go the whole conference without getting hacked, and that’s unacceptable.

I need vulnerabilities that are still in the wild, and a computer that is capable of connecting to modern wifi networks. Specifically, I need a computer that meets these requirements:

  • Vulnerable to attacks that people still remember
  • Capable of connecting to modern wifi and USB drives
  • Swappable boot disk, in case it becomes unusable in the middle of a session
  • Cheap enough that I won’t feel bad if someone manages to kill it entirely

Laptop Fail: Ideapad U110

I discussed this with my helpful coworkers. One of them had recently found a laptop in a recycling heap: a Lenovo Ideapad U110. It seemed to meet most of my requirements, and had a bonus feminine red case.

I started adjusting it to fit my needs, but quickly encountered some issues. The boot disk was connected with a delicate, proprietary ZIF40 cable, and required partial disassembly to access. I attempted to repurpose some components widely available for iPod hacking to change it to a CompactFlash, but I only ended up learning way too much about the challenges of booting Windows XP from CompactFlash.

After hours of hacking away I coerced Windows XP to install, and boot off of a comically long chain of adapters: ZIF40 to CompactFlash to SD to MicroSD. Unsurprisingly, it was slow and flaky. It booted about 30% of the time.

I decided my time was better spent coming up with easter eggs, so I cleaned up the U110, and moved on.

Laptop Win: Thinkpad X220

A couple hours of research turned up the Thinkpad X220. It met all of my minimum requirements, and was a respectable laptop in its day. I snagged one in great shape for under $100 on ebay.

I picked up some 16GB SATA SSDs that fit great once I removed some of the drive casing. Installing Windows XP on this laptop went smoothly, and drivers were pretty easy to find from official sources.

The only challenge I encountered was around programmable chips on the main board. I know that the BIOS, WiFi module, and several other components could conceivably be reprogrammed, but I was unable to figure out how to dump them, or even get a checksum. All I could find was a mysterious CD-ROM bootable BIOS flasher. Theoretically, this should help me recover from a compromised BIOS, but reverse engineering it to get a checksum was one too many yaks to shave.

All the ThinkPad needed was some Windows XP era tech stickers, and it was ready to go!

Easter eggs

With the laptop usable, I had to make it worth exploring to my hacker friends. I registered 5 new email accounts, and hid them in various places about the laptop. Some are pretty easy to find, others are hidden behind riddles that I’m not sure anyone will solve.

Hopefully, someone will find some of them and drop me an email to say hi :)

The DEFCON plan

Here’s the full project kit. It includes:

  • An ethernet cable for plugging into suspicious ports
  • A big USB disk, for saving images of compromised boot disks
  • The IBM X220, dubbed Not a honeypot by my friends
  • An LTE wifi hotspot, for slightly less corrupt Internet access
  • A Windows XP install CD and USB CD-ROM, just in case all of my boot disks get trashed
  • 3 extra boot disks for easy swapping on the go
  • Kali Linux on a bootable USB stick, for imaging compromised boot disks
  • A drive duplicator, for restoring clean Windows XP installations
  • A USB SATA reader with write blocker, for capturing boot disk images

Once I make it to DEFCON, I plan to engage the conference community through a variety of channels:

  • If I can connect to a wifi SSID, I’ll connect and try to surf the web
  • If I see a USB thing, I’ll plug it in and see what happens
  • If there’s an ethernet port, I’ll connect to that too

If the laptop becomes unusable due to excessive pwnage, I’ll swap the boot drive and repeat. Whenever I get a break I’ll save an image of the compromised disk and restore it to a clean Windows XP installation.

Hopes and Fears

I hope that I’ll encounter a variety of interesting attacks that will be educational and enjoyable to investigate for weeks to come. I hope I make some new friends who each out to me on the planted email addresses. But, projects like this one rarely go as planned.

It’s possible that every time I boot up, my laptop immediately stops working, and every time it’s for the same boring reason. That’d be a bummer, but I can deal with that by actually patching some of the vulnerabilities or running a different operating system.

It’s also possible that nothing happens. If I make it a day without any visible intrusion, I’m going to step it up a notch. I’ll fire up a bunch of known insecure services like obsolete versions of IIS, MySql, and WordPress.

In any case, I’m going to find out soon. Wish me luck, and check back later for an update on the aftermath.