Bluetooth Vulnerability Affects All Major OS

Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting the Linux, Windows, Android and iOS operating systems. These vulnerabilities, alone or combined, can lead to privileged code execution on a target device. The only requirement is that Bluetooth is turned on. No user interaction is necessary to exploit the flaws; the attacker does not need to pair with the target device, nor does the target device need to be paired with any other device.

The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.

A self-replicating worm that would spread and hop from one device to other nearby devices with Bluetooth turned on was mentioned by the researchers as something that could be done with some more work. That immediately reminds us of the BroadPwn vulnerability, in which the researchers implemented what is most likely the first WiFi-only worm. Although it is definitely a fun security exercise to code such a worm, it’s really a bad, bad idea… Right?…

So who’s affected?

Arduino Cinque – The RISC-V, ESP32, WiFi, Bluetooth Arduino

This weekend at the Bay Area Maker Faire, Arduino in conjunction with SiFive, a fabless provider of the Open Source RISC-V micros, introduced the Arduino Cinque. This is a board running one of the fastest microcontrollers available, and as an added bonus, this board includes Espressif’s ESP32, another wonderchip that features WiFi and Bluetooth alongside a very, very powerful SoC.

Details on the Arduino Cinque are slim at the moment, but from what we’ve seen so far, the Cinque is an impressively powerful board featuring the RISC-V FE310 SoC from SiFive, an ESP32, and an STM32F103. The STM32 appears to be dedicated to providing the board with USB to UART translation, something the first RISC-V compatible Arduino solved with an FTDI chip. Using an FTDI chip is, of course, a questionable design decision when building a capital ‘O’ Open microcontroller platform, and we’re glad SiFive and Arduino found a better solution. It’s unknown if this STM32 can be used alongside the FE310 and ESP32 at this point.

We’ve taken a look at SiFive’s FE310 SoC, and it is an extremely capable chip. It first shipped on the HiFive1, and our hands-on testing revealed this is a chip that outperforms the current performance champ of the Arduino world, the Teensy 3.6. Of course, with any new architecture, there will be a few problems porting the vast number of libraries over to the FE310, but SiFive has included an Arduino-compatible SDK. It’s promising, and we can’t wait to see SiFive’s work in more boards.

Portable Bluetooth Speaker Reacts To Sound

[IanMeyer123] should be working on his senior design project. Instead, he’s created a sound-reactive Bluetooth speaker that may not earn him an A grade but will at least keep the team entertained.

[Ian] started with the amp and power. The amp is a 15 watt, 12 volt model based on the popular TDA7297 chip. Power comes from a portable laptop battery rated at 185 Wh. [Ian] himself said that this is absolute overkill for this project. While [Ian] hasn’t run any longevity tests on his setup, we’re guesstimating the runtime would be measured in days.

Every Bluetooth speaker needs a sweet light show, right? [Ian] wrapped his 2″ full-range speakers in NeoPixel rings from Adafruit. The WS2812s are driven by an Arduino. When music is playing, an MSGEQ7 spectrum-analyzer chip lets the Arduino play a light show in time to the beat. When the stereo is off, a DS3231 real-time clock module lets the Arduino display the time on the two rings. If you’re curious about the code for this project, [Ian] posted it on his Reddit thread. Reddit isn’t exactly a great code repository, so please, [Ian], set up a GitHub account and/or drop your project on Hackaday.io!

[Ian] didn’t realize how many wires would be flying around inside the speaker. That may be why the wiring looks a bit scary. All the chaos is hidden away, underneath a well-built wooden case.

If you want to see another take on a Bluetooth speaker with a Neopixel display, check [Peter’s] project here. Interested in more portable power units? This one’s for you!

OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject arbitrary malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected, security holes in the dongle’s message filter allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to send unwanted CAN messages, will be mitigated with an update to the dongle firmware that further limits the commands the dongle is allowed to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10 m, which is already a stretch to call physical proximity, and it is pretty easy to buy or even modify a Bluetooth dongle with 10 to 100 times that range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.
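The firmware-side fix Bosch describes, limiting which commands the dongle may place on the bus, amounts to an allowlist filter on outgoing CAN frames. The following is an added example of that posture in Python; it is not Bosch’s Drivelog code, and the policy it enforces (functional OBD-II requests only, read-only diagnostic services 0x01/0x03/0x09, one PID per request, PIDs up to 0x60) is an assumption chosen to match what a fuel-consumption and service-alert dongle plausibly needs. The sample frames are constructed.

```python
"""Allowlist filter for CAN frames that a Bluetooth-connected dongle is
willing to forward onto the vehicle bus. Everything not explicitly
permitted is dropped. Constructed example; the policy constants are
assumptions, not the actual Drivelog rules."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit CAN identifier
    data: bytes          # 0..8 payload bytes


# SAE J1979 functional (broadcast) diagnostic request ID; ECUs reply on
# 0x7E8-0x7EF. Assumption: the dongle only needs functional requests.
OBD_REQUEST_ID = 0x7DF
# Read-only services a telemetry dongle legitimately uses:
# 0x01 = current data, 0x03 = stored DTCs, 0x09 = vehicle information.
ALLOWED_MODES = {0x01, 0x03, 0x09}
# Assumption: cap the live-data PIDs the dongle may poll.
MAX_MODE01_PID = 0x60


def allowed(frame: CanFrame) -> tuple[bool, str]:
    """Return (allowed, reason). A frame must pass every check to be sent."""
    if frame.arbitration_id != OBD_REQUEST_ID:
        return False, "non-diagnostic arbitration ID"
    if not 1 <= len(frame.data) <= 8:
        return False, "malformed frame length"
    # ISO-TP single frame: byte 0 is the payload length (1..7).
    length = frame.data[0]
    if not 1 <= length <= 7 or length > len(frame.data) - 1:
        return False, "bad ISO-TP single-frame length"
    mode = frame.data[1]
    if mode not in ALLOWED_MODES:
        return False, f"service 0x{mode:02X} not in allowlist"
    if mode == 0x03:
        # Service 03 takes no parameters.
        return (length == 1, "ok" if length == 1 else "service 03 takes no PID")
    # Services 01 and 09: exactly one PID byte (policy assumption).
    if length != 2:
        return False, f"service 0x{mode:02X} must carry exactly one PID"
    pid = frame.data[2]
    if mode == 0x01 and pid > MAX_MODE01_PID:
        return False, f"PID 0x{pid:02X} outside allowed range"
    return True, "ok"


def filter_frames(frames: list[CanFrame]) -> tuple[list[CanFrame], list[tuple[CanFrame, str]]]:
    """Split frames into those forwarded to the bus and those dropped (with reason)."""
    forwarded, dropped = [], []
    for f in frames:
        ok, reason = allowed(f)
        (forwarded if ok else dropped).append(f if ok else (f, reason))
    return forwarded, dropped


# Constructed sample traffic as a phone app might hand it to the dongle.
SAMPLE_FRAMES = [
    CanFrame(0x7DF, bytes.fromhex("02010C0000000000")),  # engine RPM query
    CanFrame(0x7DF, bytes.fromhex("0209020000000000")),  # VIN query
    CanFrame(0x7DF, bytes.fromhex("0103000000000000")),  # stored DTCs
    CanFrame(0x7DF, bytes.fromhex("022F010000000000")),  # service 2F (I/O control)
    CanFrame(0x7DF, bytes.fromhex("0201800000000000")),  # PID beyond policy cap
    CanFrame(0x7DF, bytes.fromhex("0803000000000000")),  # bogus ISO-TP length
    CanFrame(0x123, bytes.fromhex("0102030405060708")),  # arbitrary non-diagnostic ID
]

if __name__ == "__main__":
    sent, blocked = filter_frames(SAMPLE_FRAMES)
    print(f"forwarded {len(sent)} frame(s), dropped {len(blocked)}")
    for frame, why in blocked:
        print(f"  dropped 0x{frame.arbitration_id:03X} {frame.data.hex()}: {why}")
```

The design point is the default: the function returns a denial unless every check passes, so a new service or ID has to be added deliberately rather than slipping through a denylist that never anticipated it. Of the seven constructed frames, three are forwarded and four are dropped.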

$10 Raspberry Pi Zero W Adds WiFi And Bluetooth

The Raspberry Pi was born on February 29th which means we’re only three years away from its second birthday, and a new hardware release from the Pi Foundation is becoming somewhat of a tradition. This year is no different: a new Raspberry Pi has been announced. The Raspberry Pi Zero W is the latest iteration of the Pi foundation’s tiny and extremely inexpensive single board computer. It’s a Raspberry Pi Zero with WiFi and Bluetooth.

The specs of the new Pi Zero W are nearly identical to the previous incarnation of the non-W Zero. It sports a 1GHz single-core processor, 512 MB of RAM, features Mini HDMI and USB OTG ports, uses a micro USB port for power, features the now-standard 40-pin header with four additional pins for composite video and a reset button. This board, like the second hardware revision of the Pi Zero, also features a CSI camera connector.

Of course, the big feature is the addition of WiFi and Bluetooth. The Pi Zero W adds the wireless functionality from the Raspberry Pi 3B. That’s 802.11n and Bluetooth 4.0.

The Pi Zero’s claim to fame was, of course, the price. The original Pi Zero was at first a bit of hardware glued to the cover of the MagPi magazine, later to sell for just $5 USD. The Raspberry Pi Zero W is priced at just $10.

Reverse Engineering Enables Slick Bluetooth Solution For Old Car Stereo

Those of us who prefer to drive older cars often have to make sacrifices in the entertainment system department to realize the benefits of not having a car payment. The latest cars have all the bells and whistles, while the cars of us tightwads predate the iPod revolution and many lack even an auxiliary input jack. Tightwads who are also hackers often remedy this with conversion projects, like this very slick Bluetooth conversion on a Jeep radio.

There are plenty of ways to go about piping your favorite tunes from a phone to an old car stereo, but few are as nicely integrated as [Parker Dillmann]’s project. An aftermarket radio of newer vintage than the OEM stereo in his 1999 Jeep would be one way to go, but there’s no sport in that, and besides, fancy stereos are easy pickings from soft-top vehicles. [Parker] was so determined to hack the original stereo that he bought a duplicate unit off eBay so he could reverse engineer it on the bench. What’s really impressive is the way [Parker] integrates the Bluetooth without any change to OEM functionality, which required a custom PCB to host an audio level shifter and input switch. He documents his efforts very thoroughly in the video after the break, but fair warning of a Rickroll near the end.

So many of these hacks hijack the tape deck or CD input, but thanks to his sleuthing and building skills, [Parker] has added functionality without sacrificing anything.

No-Etch: The Proof In The Bluetooth Pudding

In a previous episode of Hackaday, [Rich Olson] came up with a new no-etch circuit board fabrication method. And now, he’s put it to the test: building an nRF52 Bluetooth reference design, complete with video, embedded below.

The quick overview of [Rich]’s method: print out the circuit with a laser printer, bake a silver-containing glue onto the surface, repeat a few times to get thick traces, glue the paper to a substrate, and use low-temperature solder to put the parts together. A potential drawback is the non-negligible resistance of the traces, but a lot of the time that doesn’t matter, and the nRF52 reference design proves it.

The one problem here may be the trace antenna. [Rich] reports that it sends out a weaker-than-expected signal. Any RF design folks want to speculate wildly about the cause?
