Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

The decryption key for Apple’s Secure Enclave Processor (SEP) firmware Posted Online by self-described “ARM64 pornstar” [xerub]. SEP is the security co-processor introduced with the iPhone 5s which is when touch ID was introduced. It’s a black box that we’re not supposed to know anything about but [xerub] has now pulled back the curtain on that.

The secure enclave handles the processing of fingerprint data from the touch ID sensor and determines if it is a match or not while it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data. The processor sends data which can only be read by the SEP which is authenticated by a session key generated from the devices shared key. It also runs on its own OS [SEPOS] which has a kernel, services drivers and apps. The SEP performs secure services for the rest of the SOC and much more which you can learn about from the Demystifying the Secure Enclave Processor talk at Blackhat

[xerub] published the decryption keys here. To decrypt the firmware you can use img4lib and xerub’s SEP firmware split tool to process. These tools make it a piece of cake for security researchers to comb through the firmware looking for vulnerabilities.

The Amazon Echo As A Listening Device

It is an inevitability that following swiftly on the heels of the release of a new device there will be an announcement of its rooting, reverse engineering, or other revealing of its hackability. Now the device in question is the Amazon Echo, as MWR Labs announce their work in persuading an Echo to yield the live audio from the microphone and turn the voice assistant device into a covert listening device.

The work hinges on a previous discovery and reverse engineering (PDF) of Amazon’s debug connector on the base of the Echo, which exposes both an SD card interface and a serial terminal. Following that work, they were able to gain root access to the device, analyze the structure of the audio buffers and how the different Echo processes use them, and run Amazon’s own “shmbuf_tool” application to pipe raw audio data to a network stream. Astoundingly this could be done without compromising the normal operation of the device.

It should be stressed, that this is an exploit that requires physical access to the device and a bit of knowledge to perform. But it’s not inconceivable that it could be made into a near-automated process requiring only a device with a set of pogo pins to be mated with an Echo that has had its cover quickly removed.

That said, inevitably there will be enough unused Echos floating around before too long that their rootability will make them useful to people in our community. We look forward to what interesting projects people come up with using rooted Echos.

This isn’t the first time we’ve covered the use of an Echo as a listening device.

Via Hacker News.

Amazon Echo image: FASTILY [CC BY-SA 4.0].

Getting Data Out Of Air-Gapped Networks Through The Power Cable

If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it, and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out, or so goes the theory.

Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

So how is this seemingly impossible task performed? The answer comes through the mains electrical infrastructure, if the air gap is bridged by a mains cable then the load on that mains cable can be modulated by altering the work undertaken by a computer connected to it. This modulation can then be detected with a current transformer, or even by compromising a UPS or electricity meter outside the air gap.

Of course, the Hackaday readership are all upstanding and law-abiding citizens of good standing, to whom such matters are of purely academic interest. Notwithstanding that, the article goes into the subject in great detail, and makes for a fascinating read.

We’ve touched on this subject before with such various techniques as broadcast radio interference and the noise from a fan,  as well as with an in-depth feature.

Broadpwn – All Your Mobiles are Belong to Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles are Belong to Us”

Superconference Interview: Samy Kamkar

Samy Kamkar has an incredible arsenal of self-taught skills that have grown into a remarkable career as a security researcher. He dropped out of high school to found a company based on Open Source Software and became infamous for releasing the Samy worm on the MySpace platform. But in our minds Samy has far outpaced that notoriety with the hardware-based security exploits he’s uncovered over the last decade. And he’s got a great gift for explaining these hacks — from his credit card magstripe spoofing experiments to hacking keyless entry systems and garage door opener remotes — in great depth during his talk at the 2016 Hackaday Superconference.

We pulled Samy aside after his talk to discuss how the security scene has grown up over the years and asked him to share his advice for people just coming up now. We’re happy to publish it for the first time today, it can be seen below.

Now it’s your turn. The Call for Proposals is now open for the 2017 Hackaday Superconference. You don’t need to be Samy Kamkar to qualify for a talk. You just need an interesting story of hardware engineering, creativity in technical design, an adventure with product design, or a sordid tale of your prototyping experiences. We hope everyone with a story will submit their proposal, but for those who don’t tickets are now available. The Hackaday Superconference will take place in Pasadena, California on November 11th and 12th.

Smart Gun Beaten by Dumb Magnets

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.
Continue reading “Smart Gun Beaten by Dumb Magnets”

Sneak Thieves Beware: A Pi Watcheth

Ever have that strange feeling that somebody is breaking into your workshop? Well, Hackaday.io user [Kenny] has whipped up a tutorial on how to scratch that itch by turning a spare Raspberry Pi you may have kicking around into a security camera system that notifies you at a moment’s notice.

The system works like this: a Raspberry Pi 3 and connected camera module remain vigilant, constantly scanning for motion and recording video. If motion is detected, it immediately snaps and sends a picture to the user’s mobile via PushBullet, then begins recording video. If there is still movement after a few seconds, the process repeats until the area is once again devoid of motion. This also permits a two-way communication with your Pi security system, so you can check in on the live feed whenever you feel the urge.

To get this working for you — assuming that your Pi has been recently updated — setup requires setting up a PushBullet account as well as installing it on your mobile and  linking it with an API. For your Pi, you can go ahead with setting up some Python PushBullet libraries, installing FFmpeg, Pi Camera Notifier, and others. Or, install the ready-to-go image [Kenny] has prepared. He gets into the nitty-gritty of the code in his guide, so check that out or watch the tutorial video after the break.

Continue reading “Sneak Thieves Beware: A Pi Watcheth”