Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device's wireless chips can coexist (sometimes even sharing the same antenna) with interference reduced to a minimum. These strategies are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are thus essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary ones.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here, from an attacker's perspective, is to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening inside these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.
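The denial-of-service case is the easiest of the three to reason about, so here is an added illustration (not code from the talk, and not Broadcom's SECI logic, whose priority encoding and arbitration rules are proprietary): a constructed two-core arbiter in which each core asks for the shared band with a priority each slot. A compromised Bluetooth core that simply asserts the highest priority forever starves WiFi under pure priority arbitration; adding a starvation guard that forces a core to yield after a fixed number of consecutive contested wins bounds the damage whatever the rogue core claims. The priority scale, traffic patterns and slot model are assumptions made for the example.

```python
import random
from dataclasses import dataclass

# Constructed model of a two-core coexistence arbiter. Priorities 0-3 are an
# assumption for illustration, not the encoding Broadcom's SECI uses.
IDLE, LOW, MID, HIGH = 0, 1, 2, 3


@dataclass
class Request:
    core: str      # "wifi" or "bt"
    priority: int  # IDLE means the core does not want the band this slot


def honest_wifi(slot, rng):
    """WiFi core with ordinary traffic: a HIGH-priority frame every 10th
    slot (think of an ACK that must not be delayed), LOW/MID data otherwise."""
    return Request("wifi", HIGH if slot % 10 == 0 else rng.choice([LOW, MID]))


def honest_bt(slot, rng):
    """Bluetooth core that is idle about a third of the time."""
    return Request("bt", rng.choice([IDLE, LOW, MID]))


def rogue_bt(slot, rng):
    """A compromised Bluetooth core that asserts HIGH on every slot: the
    coexistence DoS described above, in its simplest form."""
    return Request("bt", HIGH)


def arbitrate(slots, wifi_fn, bt_fn, max_streak=None, seed=1):
    """Grant the shared band slot by slot and return each core's share.

    max_streak=None: pure priority arbitration (highest priority wins, ties
    alternate). An integer enables a starvation guard: a core that has won
    that many consecutive contested slots must yield the next one, however
    high the priority it asserts.
    """
    rng = random.Random(seed)
    grants = {"wifi": 0, "bt": 0}
    last, streak = None, 0
    for s in range(slots):
        wifi, bt = wifi_fn(s, rng), bt_fn(s, rng)
        active = [r for r in (wifi, bt) if r.priority > IDLE]
        if not active:
            continue
        if len(active) == 1:
            winner = active[0].core                      # uncontested slot
        elif wifi.priority != bt.priority:
            winner = max(active, key=lambda r: r.priority).core
        else:
            winner = "bt" if last == "wifi" else "wifi"  # tie: alternate
        if (max_streak is not None and len(active) == 2
                and winner == last and streak >= max_streak):
            winner = "bt" if winner == "wifi" else "wifi"  # forced yield
        streak = streak + 1 if winner == last else 1
        last = winner
        grants[winner] += 1
    total = grants["wifi"] + grants["bt"]
    return {core: n / total for core, n in grants.items()}


def wifi_share(rogue=False, max_streak=None, slots=1000):
    """Fraction of granted slots the WiFi core receives under a scenario."""
    bt = rogue_bt if rogue else honest_bt
    return arbitrate(slots, honest_wifi, bt, max_streak)["wifi"]


if __name__ == "__main__":
    print("honest BT, priority only :", round(wifi_share(), 2))
    print("rogue BT, priority only  :", round(wifi_share(rogue=True), 2))
    print("rogue BT, streak guard 3 :", round(wifi_share(rogue=True, max_streak=3), 2))
```

With the rogue core and no guard, WiFi only ever wins the tie slots where it also asserts HIGH (10% here); with a streak limit of three it is guaranteed at least a quarter of contested slots. The point is the design property, not the numbers: an arbiter that trusts the peer core's priority claim unconditionally has a single point of failure once that core is compromised, while a fairness bound enforced on the arbiter side survives it.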

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


Hackaday Podcast 079: Wobble Sphere, Pixelflut, Skeeter Traps, And Tracing Apps

Hackaday editors Mike Szczys and Elliot Williams gaze upon the most eye-popping projects from the past week. Who would have known that springy doorstops could be so artistic? Speaking of art, what happens if you give everyone on the network the chance to collectively paint using pixels? There's a better way to catch a rat, and a dubious way to lure mosquitoes. We scratch our heads at sending code to the arctic, and Elliot takes a deep look at the contact tracing apps developed and in use throughout Europe.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so).


This Week In Security: Garmin Ransomware, KeePass, And Twitter Warnings

On July 23, multiple services related to Garmin were taken offline, including their call center and aviation related services. Thanks to information leaked by Garmin employees, we know that this multi-day outage was caused by the Wastedlocker ransomware campaign. After four days, Garmin was able to start the process of restoring the services.

It’s reported that the requested ransom was an eye-watering $10 million. It’s suspected that Garmin actually paid the ransom: a leaked decryptor program confirms that they received the decryption key. The attack was apparently very widespread through Garmin’s network, as it seems that both workstations and public-facing servers were impacted. Let’s hope Garmin learned their lesson and are shoring up their security practices.

Odyssey Is An x86 Computer Packing An Arduino Along For The Trip

We love the simplicity of Arduino for focused tasks, we love how Raspberry Pi GPIO pins open a doorway to a wide world of peripherals, and we love the software ecosystem of Intel’s x86 instruction set. It’s great that some products manage to combine all of them together into a single compact package, and we welcome the recent addition of Seeed Studio’s Odyssey X86J4105.

[Ars Technica] recently looked one over and found it impressive from the perspective of a small networked computer, but they didn’t dig too deeply into the maker-friendly side of the product. We can look at the product documentation to see some interesting details. This board is larger than a Raspberry Pi, but its GPIO pins are laid out in exactly the same order as those on a Pi. Some HATs could plug right in, eliminating the electrical integration work and leaving just the software issue of ARM vs x86. Tasks that are not suitable for CPU-controlled GPIO (such as generating reliable PWM) can be offloaded to an on-board Arduino-compatible microcontroller. It is built around the SAMD21 chip, similar to the Arduino MKR and Arduino Zero, but the pinout does not appear to match any of the popular Arduino form factors.

The Odyssey is not the first x86 single board computer (SBC) to have GPIO pins and an onboard Arduino assistant. LattePanda for example has been executing that game plan (minus the Raspberry Pi pin layout) for the past few years. We’ve followed them since their Kickstarter origins and we’ve featured creative uses here and there. LattePanda’s current offerings are built around Intel CPUs ranging from Atom to Core m3. The Odyssey’s Celeron is roughly in the middle of that range, and the SAMD21 is more capable than the ATmega32U4 (Arduino Leonardo) on board a LattePanda. We always love seeing more options in a market for us to find the right tradeoff to match a given project, and we look forward to the epic journeys yet to come.

Lightning Analysis With Your SDR

Perhaps it’s just one of those things adults dream up to entertain their children, but were you ever told to count slowly the time between seeing a lightning flash and hearing the rumble of thunder? The idea was that the count would tell you how far away the storm was, but from a grown-up perspective the calibration accuracy of a child saying “one… two… three…” in miles seems highly suspect. It’s a valid technique though, and it can be used to monitor thunderstorms by the radio emissions created through the electrical discharge. It’s an area the SAGE project has been working in, and they’ve posted some details, including a fascinating run-down of the software techniques, on how lightning can be detected with an RTL-SDR.

A lightning strike produces a characteristic wideband burst that shows up in the time domain as a maximum point which can easily be detected, but which could also be confused with radio interference from another source. Thus, after identifying maxima, they zoom in and perform a Fourier transform to spot the wideband burst. It’s all done in Python, and the pleasant surprise is how straightforward it all is to understand.
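To make the two-stage idea concrete, here is an added example in plain Python (not the SAGE project's code, and without its RTL-SDR front end or numpy dependency). It builds a constructed baseband signal containing a narrowband carrier burst, the kind of interference a pure time-domain detector would mistake for a strike, and a short wideband click; stage one picks out time-domain maxima above a threshold, stage two takes a Hann-windowed DFT around each and measures how many bins are energised. The sample rate, thresholds and window length are assumptions chosen for the example.

```python
import cmath
import math
import random

FS = 200_000          # constructed sample rate in Hz (assumption, not SAGE's value)
WINDOW = 64           # samples analysed around each candidate maximum
PEAK_THRESHOLD = 0.5  # |x| above this is a candidate event (relative to full scale 1.0)
OCCUPANCY_MIN = 0.5   # fraction of bins that must be energised to call it wideband


def make_signal(n=4096, seed=7):
    """Constructed test signal: Gaussian noise, a narrowband 20 kHz carrier
    burst with a smooth envelope over samples 1000-1299 (interference), and
    a three-sample wideband click at sample 3000 (lightning-like)."""
    rng = random.Random(seed)
    x = [rng.gauss(0.0, 0.05) for _ in range(n)]
    for i in range(1000, 1300):
        env = math.sin(math.pi * (i - 1000) / 300) ** 2   # raised-cosine envelope
        x[i] += env * math.sin(2 * math.pi * 20_000 * i / FS)
    for k, a in enumerate((1.5, -0.9, 0.5)):
        x[3000 + k] += a
    return x


def find_maxima(x, threshold=PEAK_THRESHOLD, gap=WINDOW):
    """Stage 1: time-domain maxima. Samples above threshold are grouped into
    one event when closer together than `gap`; each event is its argmax."""
    events, current = [], []
    for i, v in enumerate(x):
        if abs(v) > threshold:
            if current and i - current[-1] > gap:
                events.append(max(current, key=lambda j: abs(x[j])))
                current = []
            current.append(i)
    if current:
        events.append(max(current, key=lambda j: abs(x[j])))
    return events


def spectrum(segment):
    """Hann-windowed DFT magnitudes, O(n^2) but fine for a 64-sample window."""
    n = len(segment)
    windowed = [v * (0.5 - 0.5 * math.cos(2 * math.pi * k / n))
                for k, v in enumerate(segment)]
    return [abs(sum(windowed[t] * cmath.exp(-2j * math.pi * f * t / n)
                    for t in range(n))) for f in range(n)]


def occupancy(mags, rel=0.05):
    """Fraction of bins within `rel` of the strongest bin: close to 1 for an
    impulse (flat spectrum), small for a single carrier (one main lobe)."""
    peak = max(mags)
    return sum(1 for m in mags if m > rel * peak) / len(mags)


def classify_events(x):
    """Stage 2: zoom in on each maximum and inspect its spectrum.
    Returns (sample index, occupancy, label) per event."""
    results, half = [], WINDOW // 2
    for idx in find_maxima(x):
        lo, hi = max(0, idx - half), min(len(x), idx + half)
        occ = occupancy(spectrum(x[lo:hi]))
        label = "lightning" if occ > OCCUPANCY_MIN else "interference"
        results.append((idx, round(occ, 3), label))
    return results


if __name__ == "__main__":
    for idx, occ, label in classify_events(make_signal()):
        print(f"t={idx / FS * 1000:.2f} ms  occupancy={occ:.2f}  -> {label}")
```

Both events clear the time-domain threshold, so a detector that stopped at stage one would report two strikes; the spectral step separates them because the carrier burst concentrates its energy in a handful of bins while the click spreads it across all of them. The occupancy measure is a deliberately simple stand-in for whatever bandwidth statistic SAGE uses, and the relative threshold would need tuning against real RTL-SDR captures.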

SAGE are working on a distributed sensor network, so we hope this work might one day give us real-time open lightning data. The FFT approach should ensure that it won’t be fooled by false positives as a traditional detector might be.

Via RTL-SDR.com.

The Google Chrome Dinosaur Game, In Real Life

[Ryan] wanted to hack the Google Chrome Dinosaur Game so he could control the dinosaur with his own movements. The game only requires two keyboard presses (up and down arrow keys), so controlling the game with the Arduino Keyboard library only requires a few simple function calls.

He uses the Arduino MKR board in his build, but notes any number of other boards would work as well. A force sensor detects his jumps and a stretch sensor detects him ducking. Both the stretch and force sensors are resistive transducers, so two simple voltage divider circuits (one for each sensor) are needed to convert changes in force to a voltage. You may need to adjust the sensor threshold to ensure the code responds to your movements, but [Ryan] makes that pretty easy to do in software as both thresholds are stored as global variables.

It’s a pretty simple hack, but could make for some good socially-distanced fun. What other hackable Google Chrome extensions do you like?


IRobot Makes Learning Robot More Affordable

When you think of iRobot, you probably think of floor cleaning or military robots. But they also have a set of robots aimed at education. The Root robot — an acquisition the company made in 2019 — originally targeted classrooms and cost about $200 each. A new version costs about $130 and is a better fit for home users.

The original version — Root rt1 — is still available, but the rt0 version drops several features to hit the desired price. What’s missing? Apparently, the rt1 can stick to a whiteboard using magnets, but that feature is missing on the rt0. There are also no “cliff” sensors or color scanner.
