36C3: All Wireless Stacks Are Broken

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk she gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on over the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it wouldn’t entirely surprise you that when [Jiska] gets into the Bluetooth stack, she’s able to DoS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack, enabled by the emulation work of one of her students, [Jan Ruge], codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time, and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

John McMaster Explains Crypto Ignition Phone Keys And How To Reproduce Them

When you’re a nation state, secure communications are key to protecting your sovereignty and keeping your best laid plans under wraps. For the USA, this requirement led to the development of a series of secure telephony networks over the years. John McMaster found himself interested in investigating the workings of the STU-III secure telephone, and set out to replicate the secure keys used with this system.

An encryption key in a very physical, real sense, the Crypto Ignition Key was used with the STU-III to secure phone calls across many US government operations. The key contains a 64KB EEPROM that holds the cryptographic data.

[John] had a particular affinity for the STU-III for its method of encrypting phone calls. A physical device known as a Crypto Ignition Key had to be inserted into the telephone, and turned with a satisfying clunk to enable encryption. This physical key contains digital encryption keys that, in combination with those in the telephone, are used to encrypt the call. The tactile interface gives very clear feedback to the user about securing the communication channel. Wishing to learn more, John began to research the system further and attempted to source some hardware to tinker with.

As John explains in his Hackaday Superconference talk embedded below, he was able to source a civilian-model STU-III handset but the keys proved difficult to find. As carriers of encryption keys, it’s likely that most were destroyed as per security protocol when reaching their expiry date. However, after laying his hands on a broken key, he was able to create a CAD model and produce a mechanically compatible prototype that would fit in the slot and turn correctly.


This Week In Security: Is RSA Finally Broken? The Push For Cloud Accounts, Encrypted DNS, And More Mobile Mayhem

Ever wondered what “cyberwar” looks like? Apparently it’s a lot of guessing security questions and changing passwords. It’s an interesting read on its own, but there are some interesting clues if you read between the lines. A General in the know mentioned that Isis:

clicked on something or they did something that then allowed us to gain control and then start to move.

This sounds very similar to stories we’ve covered in the past, where 0-days are used to compromise groups or individuals. Perhaps the NSA supplied such an exploit, and it was sent in a phishing attack. Through various means, the U.S. team quietly compromised systems and collected credentials.

The article mentions something else interesting. Apparently the targets of this digital sting had also been compromising machines around the world, and using those machines to manage their efforts. The decision was made by the U.S. team to also compromise those machines, in order to lock out the Isis team. This might be the most controversial element of the story. Security researchers have wanted permission to do this for years. How should the third parties view these incursions?

The third element that I found particularly interesting was the phase 2 attack. Rather than outright delete, ban, and break Isis devices and accounts, the U.S. team installed persistent malware that emulated innocuous glitches. The internet connection is extremely laggy on certain days, certain websites simply don’t connect, and other problems. These are the sort of gremlins that networking pros spend all day trying to troubleshoot. The idea that it’s intentional gives me one more thing to worry about.

The Satellite Phone You Already Own: From Orbit, UbiquitiLink Will Look Like A Cell Tower

For anyone that’s ever been broken down along a remote stretch of highway and desperately searched for a cell signal, knowing that a constellation of communications satellites is zipping by overhead is cold comfort indeed. One needs specialized gear to tap into the satphone network, few of us can justify the expense of satellite phone service, and fewer still care to carry around a brick with a chunky antenna on it as our main phone.

But what if a regular phone could somehow leverage those satellites to make a call or send a text from a dead zone? As it turns out, it just might be possible to do exactly that, and a Virginia-based startup called UbiquitiLink is in the process of filling in all the gaps in cell phone coverage by orbiting a constellation of satellites that will act as cell towers of last resort. And the best part is that it’ll work with a regular cell phone — no brick needed.


Bone Conducting Headphones Built Into Eye Glasses

There are times when being seen to listen to music through headphones might get you into trouble. For these moments, reach for a handy solution: bone conduction speakers that discreetly pipe the music to your eardrums through the bone of your skull. [Samuel] wanted just such a covert music listening device, so created his own in a set of 3D-printed glasses.

He first tried using an Adafruit bone-conducting transducer but found that to be too bulky. What you see here is a smaller module that [Samuel] found on AliExpress (search for bone conduction module). The GD-02 is much smaller and thus more suitable for hiding in the arm of a pair of glasses. For the rest of the electronics he used a PCB and battery from a donated set of broken Bluetooth headphones, a space for which he was able to conceal easily in the 3D-printed frame of the glasses. The battery is in one arm and the board in the other, and he says the wiring was extremely fiddly.

The result is a surprisingly svelte set of specs that you might not immediately think concealed some electronics. His choice of bright yellow filament might give the game away, but overall he’s done a great job. This certainly isn’t the first bone conduction project we’ve shown you, some of the others have used motors instead of bone conduction transducers.

Hacker Abroad: Cellphone Repair In Huaqiangbei And A Huge Meetup At Seeed

Shenzhen, China is the home of the legendary electronics markets of Huaqiangbei. Friday was my first full day in the city, having spent the previous three days in Shanghai. We got a little bit of a late start as our flight didn’t arrive until after 1 am and we stayed the first night at an airport hotel. We met up with Scotty Allen for an amazing meal followed by a very unique experience in the electronics markets, not just seeing the items, but meeting the booth owners who showed off some of their secrets.

The day was capped off by an absolutely packed meetup at X.factory, the collaborative creative space run by Seeed Studio. They lined up a half dozen hardware talks that were quite excellent, and there was a ton of hardware being demonstrated as the night progressed. They had to kick us out or we’d have stayed all night!


CNC Mill Repairs IPhone 7

Modern smartphones are highly integrated devices, bringing immense computing power into the palm of one’s hand. This portable computing power and connectivity has both changed society in innumerable ways, and also tends to lead to said powerful computers ending up dropped on the ground or into toilets. Repairs are often limited to screen replacement or exchanging broken modules, but it’s possible to go much further.

The phone is an iPhone 7, which a service center reported had issues with the CPU, and the only fix was a full mainboard replacement. [The Kardi Lab] weren’t fussed, however, and got to work. The mainboard is installed in a CNC fixture, and the A10 CPU is delicately milled away, layer by layer. A scalpel and hot air gun are then used for some further cleanup of the solder pads. Some conductivity testing to various pads is then carried out, for reasons that aren’t entirely clear.

At this point, a spare A10 CPU is sourced, and a stencil is used to apply solder paste or balls – it is not immediately obvious which. The new chip is then reflowed on to the mainboard, and the phone reassembled. The device is then powered on and shown to be functional.

It’s an impressive repair, and shows that modern electronics isn’t so impossible to fix – as long as you have the right tools to hand. The smart thing is, by using the CNC machine with a pre-baked program, it greatly reduces the labor required in the removal stage, making the repair much more cost-effective. The team are particularly helpful, linking to the tools used to pull off the repair in the video description. We’ve seen similar hacks, too – such as upgrading an iPhone’s memory. Video after the break.

[Thanks to Nikolai for the tip!]
