This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Spoofing Rednet Computer Ids

Started by tuogex, 03 November 2013 - 09:47 PM
tuogex #1
Posted 03 November 2013 - 10:47 PM
When using Rednet on multiplayer servers where the wireless range has been increased to some ridiculous amount, checking the sender's ID may seem like a foolproof way to authenticate messages, but it really isn't. As it turns out, it's very easy to spoof the sender's ID on Rednet, as I will explain. In many ways, the Rednet API is just a wrapper for other APIs. For example, rednet.receive() just does

local e, p1, p2, p3, p4, p5 = os.pullEvent( "rednet_message" )
and returns p1, p2, and p3.
The problem with this lies in the rednet.send() function; rednet.send() uses the Peripheral API to actually send messages:

peripheral.call( sSide, "transmit", nRecipient, os.getComputerID(), sMessage )
Looking at this function call, we can tell the function just calls os.getComputerID() when sending the message to get the sender's ID. This means we can easily change the fourth parameter to any ID, and the ID of the sender would be spoofed when received:

peripheral.call( sSide, "transmit", nRecipient, 1337, sMessage )
or even broadcast the message:

peripheral.call( sSide, "transmit", 65535, 1337, sMessage )
Just make sure you open the modem on the side first:

rednet.open( sSide )

tl;dr?
Don't rely on the sender's ID to authenticate your Rednet messages in multiplayer environments.
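
Added example, not part of the original post: a Python model (the thread's own code is Lua) of a receiver that accepts a message only when it carries an HMAC tag computed under a pre-shared key together with a fresh counter, instead of trusting the sender ID the modem call reports. The names `transmit`, `seal`, `Receiver` and the key are constructed for illustration, and a key shared out of band is an assumption.

```python
import hashlib, hmac, json

BROADCAST = 65535  # broadcast recipient value used in the post

def transmit(recipient, sender_id, message):
    # Model of the modem "transmit" call: sender_id is caller-supplied.
    return {"recipient": recipient, "sender_id": sender_id, "message": message}

def seal(key, sender_id, counter, body):
    # Bind the claimed ID, a counter and the body under one HMAC tag.
    payload = json.dumps({"id": sender_id, "n": counter, "body": body})
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"p": payload, "t": tag})

class Receiver:
    def __init__(self, keys):
        self.keys = keys        # sender ID -> pre-shared secret (assumption)
        self.last_counter = {}  # sender ID -> highest counter accepted

    def accept_by_id(self, event, trusted_id):
        # The weak check the thread warns about: trust the claimed ID.
        return event["sender_id"] == trusted_id

    def accept_by_mac(self, event):
        # Ignore event["sender_id"]; only the MAC-covered ID counts.
        try:
            outer = json.loads(event["message"])
            payload, tag = outer["p"], outer["t"]
            inner = json.loads(payload)
            sid, n, body = inner["id"], inner["n"], inner["body"]
            key = self.keys[sid]
            good = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(good.encode(), tag.encode()):
                return None
            if n <= self.last_counter.get(sid, -1):
                return None     # replayed or stale message
        except (ValueError, KeyError, TypeError, AttributeError):
            return None         # malformed, unknown sender, or no tag
        self.last_counter[sid] = n
        return body

def demo():
    key = b"constructed-shared-secret"  # constructed sample key
    rx = Receiver({5: key})
    forged = transmit(BROADCAST, 5, "open door")  # claims ID 5, has no key
    genuine = transmit(BROADCAST, 5, seal(key, 5, 1, "open door"))
    return (rx.accept_by_id(forged, 5), rx.accept_by_mac(forged),
            rx.accept_by_mac(genuine), rx.accept_by_mac(genuine))
```

The second delivery of the same genuine message is rejected by the counter check, so a captured broadcast cannot simply be re-sent; the sender has to keep its counter across restarts for this to hold.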
theoriginalbit #2
Posted 04 November 2013 - 12:33 AM
tl;dr?
Don't rely on the sender's ID to authenticate your Rednet messages in multiplayer environments.
Unless you're using a version of ComputerCraft before the modem api existed as there was no way to change the ID back then.
sens #3
Posted 04 November 2013 - 06:24 AM
Unless you're using a version of ComputerCraft before the modem api existed as there was no way to change the ID back then.
Yes, it was even possible then :ph34r:
Wojbie #4
Posted 04 November 2013 - 06:40 AM
Unless you're using a version of ComputerCraft before the modem api existed as there was no way to change the ID back then.
Yes, it was even possible then :ph34r:
Oh? Do share how exactly you accomplished such a thing? Sounds interesting (if not outdated)
sens #5
Posted 04 November 2013 - 06:50 AM
Will the moderators allow it?

Not malicious! If memory serves me, it was accomplished by overriding os.computerID() in a top-level coroutine hook.
Wojbie #6
Posted 04 November 2013 - 07:59 AM
Will the moderators allow it?

Not malicious! If memory serves me, it was accomplished by overriding os.computerID() in a top-level coroutine hook.

Oh!!! Didn't think about that. Will need to remember that for future. It could be used to do many other nice (and not so nice) things too.
Lyqyd #7
Posted 04 November 2013 - 11:09 AM
He's wrong.
Wojbie #8
Posted 04 November 2013 - 11:21 AM
He's wrong.
Ok.. Oh well, it sounded probable. Well, back to normal I guess.
sens #9
Posted 04 November 2013 - 11:23 AM
Someone will just have to install an old version of Minecraft and test it :)
Unfortunately it won't be me at this time.
Cranium #10
Posted 04 November 2013 - 11:46 AM

os.getComputerID = function()
    return 5 --#or any number you want
end
rednet.broadcast("My ID has been spoofed")
It's way easy to trick rednet, because you cannot prevent someone from overwriting their computer ID.
ETHANATOR360 #11
Posted 05 November 2013 - 09:01 PM
That's an interesting exploit you found
theoriginalbit #12
Posted 05 November 2013 - 09:45 PM
That's an interesting exploit you found
It's not really an exploit. It's more just knowing how the new system works, not really anything groundbreaking.
Lyqyd #13
Posted 07 November 2013 - 01:24 AM
Someone will just have to install an old version of Minecraft and test it :)
Unfortunately it won't be me at this time.

No, you're simply wrong. Using the pre-channels-update modems, there is no way to spoof or otherwise misrepresent your computer's ID.
Cranium #14
Posted 07 November 2013 - 04:29 PM
No, you're simply wrong. Using the pre-channels-update modems, there is no way to spoof or otherwise misrepresent your computer's ID.
Actually, using any version of the rednet API (at least, since I've been a member) you can spoof your ID with the method I posted earlier.
Edited on 07 November 2013 - 03:30 PM
Lyqyd #15
Posted 07 November 2013 - 05:02 PM
Sigh. Over the wireless modems prior to channels, the rednet API does not invoke os.computerID(). Over bundled cable, yes, but it is not used at all over modems. Did you ever successfully use that to spoof rednet pre-channels? There's nothing in the Lua to suggest that it would be possible, and I highly doubt the Java side would use a Lua function when setting the ID of the sender for the event.
sens #16
Posted 07 November 2013 - 05:02 PM
Someone will just have to install an old version of Minecraft and test it :)
Unfortunately it won't be me at this time.

No, you're simply wrong. Using the pre-channels-update modems, there is no way to spoof or otherwise misrepresent your computer's ID.
Certainly wouldn't be the first time I'm wrong, but that is the method I recall from… er… winter 2012 maybe. The community I played with then has gone its separate way and I have no copies of our programs. Since I will be on the road for the next few weeks (no opportunity for Minecraft), I'll leave it to you clever people to find the answer.
Cheerio!

Over bundled cable, yes, but it is not used at all over modems. Did you ever successfully use that to spoof rednet pre-channels?
It was rednet pre-channels, but I can't remember whether it was over bundled cables or wireless.
Edited on 07 November 2013 - 04:27 PM
Cranium #17
Posted 11 November 2013 - 11:23 AM
Sigh. Over the wireless modems prior to channels, the rednet API does not invoke os.computerID(). Over bundled cable, yes, but it is not used at all over modems. Did you ever successfully use that to spoof rednet pre-channels? There's nothing in the Lua to suggest that it would be possible, and I highly doubt the Java side would use a Lua function when setting the ID of the sender for the event.
I was talking about pre-channels (I always called them frequencies since that's what they're referred to as in the wiki), yes. I think I was mistaken as to what you were saying before.
Cloudy #18
Posted 13 November 2013 - 09:32 AM
You were mistaken!
Cranium #19
Posted 15 November 2013 - 05:01 PM
You were mistaken!
It does occur from time to time.