Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (held online as DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur, the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device's wireless chips can coexist (sometimes even sharing the same antenna) while keeping interference to a minimum. These are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are thus essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards (MWS) coexistence interface defined in the Bluetooth specification, manufacturers usually implement proprietary solutions.
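To make the three interference scenarios and the "steer around each other" idea concrete, here is a small added example (written for this article, not code from the talk or from any chip vendor). It classifies a transmitter/receiver band pair as shared, adjacent or harmonic, and derives the Bluetooth Adaptive Frequency Hopping (AFH) channel map that keeps the hopping sequence off an active WiFi channel, which is the standards-based half of what a combo chip's coexistence logic does. The 2 MHz guard width is an assumed stand-in for a real spectral mask, and the 1200 MHz transmitter used for the harmonic case is a constructed input, not a real band plan.

```python
"""Coexistence arithmetic for the 2.4 GHz ISM band (frequencies in MHz).

Added example for this article, not code from the talk or from any chip
vendor: it classifies the three interference scenarios listed above and
builds a Bluetooth Adaptive Frequency Hopping (AFH) channel map that steers
the hopping sequence away from an active WiFi channel.
"""


def wifi_center_mhz(channel):
    """Center frequency of a 2.4 GHz WiFi channel (IEEE 802.11 channel plan)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz WiFi channel: {channel}")


def wifi_band(channel, width_mhz=20):
    """Occupied band (lo, hi) of a WiFi channel; 20 MHz is the usual 802.11g/n width."""
    center = wifi_center_mhz(channel)
    return center - width_mhz / 2, center + width_mhz / 2


BT_CHANNELS = 79          # Bluetooth BR/EDR: channel k is centred at 2402 + k MHz, k = 0..78
BT_AFH_MIN_CHANNELS = 20  # the Bluetooth spec requires at least 20 channels to stay enabled


def bt_band(k):
    """Occupied band of Bluetooth BR/EDR channel k (1 MHz wide)."""
    if not 0 <= k < BT_CHANNELS:
        raise ValueError(f"no such Bluetooth channel: {k}")
    center = 2402 + k
    return center - 0.5, center + 0.5


def _overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]


def interference(tx_band, rx_band, guard_mhz=2, max_harmonic=3):
    """Classify how a transmitter band can disturb a receiver band.

    Returns "shared" (same frequencies), "adjacent" (carrier leakage reaches
    across a guard of guard_mhz), "harmonic-n" (the n-th harmonic of the
    transmitter lands in the receiver band) or None. The guard width is an
    assumed, simplified stand-in for a real spectral mask.
    """
    if _overlaps(tx_band, rx_band):
        return "shared"
    lo, hi = tx_band
    if _overlaps((lo - guard_mhz, hi + guard_mhz), rx_band):
        return "adjacent"
    for n in range(2, max_harmonic + 1):
        if _overlaps((n * lo, n * hi), rx_band):
            return f"harmonic-{n}"
    return None


def afh_channel_map(wifi_channel, guard_mhz=2):
    """Disable every Bluetooth channel that shares or neighbours the WiFi channel.

    Returns the list of channels left enabled and the 79-bit map packed as the
    10 little-endian octets used by the HCI Set_AFH_Host_Channel_Classification
    command (bit k set = channel k enabled).
    """
    victim = wifi_band(wifi_channel)
    enabled = [k for k in range(BT_CHANNELS)
               if interference(bt_band(k), victim, guard_mhz) is None]
    if len(enabled) < BT_AFH_MIN_CHANNELS:
        raise ValueError("AFH map would leave fewer than 20 channels enabled")
    bits = 0
    for k in enabled:
        bits |= 1 << k
    return enabled, bits.to_bytes(10, "little")


if __name__ == "__main__":
    print(interference(wifi_band(1), wifi_band(2)))   # shared
    print(interference(wifi_band(1), wifi_band(6)))   # None: the classic non-overlapping pair
    print(interference((1200, 1210), wifi_band(1)))   # harmonic-2 (constructed transmitter band)
    enabled, octets = afh_channel_map(6)
    print(len(enabled), "Bluetooth channels enabled;", octets.hex())
```

For WiFi channel 6 the map disables Bluetooth channels 23 to 47 and leaves 54 enabled, comfortably above the 20-channel floor; a narrower guard or a 40 MHz WiFi channel changes that count, which is exactly the kind of trade-off the proprietary mechanisms negotiate between the cores in real time.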

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which focuses on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores, and coexistence information is exchanged directly between the cores over the Serial Enhanced Coexistence Interface (SECI), without going through the host operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores: one core can achieve denial of service (DoS), information disclosure and even code execution on another core. From an attacker's perspective, the idea is to leverage a remote code execution (RCE) in the Bluetooth subsystem to gain RCE on the WiFi core, and perhaps from there on the LTE baseband as well. Keep in mind that this code execution happens inside the wireless subsystem's own cores, so it can be completely invisible to the main application processor and its OS.
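The underlying problem is that each core trusts what the other asserts over the shared interface. The following toy model, added here and not taken from the talk, the article or Broadcom/Cypress (the real SECI wire protocol is proprietary and is not modelled), shows the simplest consequence of that trust: a shared antenna handed out per time slot to whichever core claims the higher priority, and a compromised Bluetooth core that starves WiFi simply by lying about its priority. The budgeted arbiter is an assumed mitigation for illustration, not one the researchers describe.

```python
"""A toy model of the coexistence interface as a trust boundary.

Added example for this article, not code from the talk, the article or any
chip vendor. It models the shape shared by in-device coexistence schemes: a
shared antenna granted per slot to the core asserting the higher priority,
and what a core compromised via RCE can do by lying. The BudgetedArbiter is
an assumed mitigation, not one described by the researchers.
"""
from collections import deque

WIFI, BT = "wifi", "bt"


def wifi_best_effort(slot):
    """WiFi core: wants the antenna every slot at low priority."""
    return 1


def honest_bt(slot):
    """Honest Bluetooth core: a short high-priority burst every fifth slot (e.g. a voice link)."""
    return 2 if slot % 5 == 0 else 0


def rogue_bt(slot):
    """Compromised Bluetooth core: asserts the top priority in every slot."""
    return 3


class Arbiter:
    """Naive arbiter: believes whatever priority each core asserts; ties go to WiFi."""

    def grant(self, slot, wifi_prio, bt_prio):
        if bt_prio > wifi_prio:
            return BT
        if wifi_prio > 0:
            return WIFI
        return None


class BudgetedArbiter(Arbiter):
    """Same rule, but under contention a core that already held more than
    `budget` of the last `window` slots has its claim ignored, so no single
    core can starve the other regardless of the priority it asserts."""

    def __init__(self, window=10, budget=0.5):
        self.window = window
        self.budget = budget
        self.history = deque(maxlen=window)

    def _over_budget(self, core):
        return self.history.count(core) / self.window > self.budget

    def grant(self, slot, wifi_prio, bt_prio):
        if wifi_prio > 0 and bt_prio > 0:  # only enforce when both cores want the slot
            if self._over_budget(BT) and not self._over_budget(WIFI):
                bt_prio = 0
            elif self._over_budget(WIFI) and not self._over_budget(BT):
                wifi_prio = 0
        winner = super().grant(slot, wifi_prio, bt_prio)
        self.history.append(winner)
        return winner


def simulate(arbiter, wifi_policy, bt_policy, slots=100):
    """Run the arbiter for `slots` slots; return how many slots each core was granted."""
    granted = {WIFI: 0, BT: 0, None: 0}
    for slot in range(slots):
        granted[arbiter.grant(slot, wifi_policy(slot), bt_policy(slot))] += 1
    return granted


if __name__ == "__main__":
    print("naive, honest BT:   ", simulate(Arbiter(), wifi_best_effort, honest_bt))
    print("naive, rogue BT:    ", simulate(Arbiter(), wifi_best_effort, rogue_bt))
    print("budgeted, honest BT:", simulate(BudgetedArbiter(), wifi_best_effort, honest_bt))
    print("budgeted, rogue BT: ", simulate(BudgetedArbiter(), wifi_best_effort, rogue_bt))
```

With the naive arbiter the honest Bluetooth core takes 20 of 100 slots and the rogue one takes all 100, which is the DoS case: nothing on the host ever sees a message, the WiFi core just stops getting airtime. The budgeted arbiter leaves the honest case untouched and caps the rogue core at roughly 55 slots. Information disclosure and code execution across the interface need more than a priority field, but they start from the same missing assumption that the peer core may be hostile.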

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.

Continue reading “Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack”

Proteus, The Shape-Shifting And Possibly Non-Cuttable Material

How cool would it be if there was a material that couldn’t be cut or drilled into? You could make the baddest bike lock, the toughest-toed work boots, or the most secure door. Really, the list of possibilities just goes on and on.

Proteus chews through an angle grinder disc in seconds.

Researchers from the UK and Germany claim that they’ve created such a magical material. It can destroy angle grinder discs, resist drill bits, and widen the streams of water jet cutters.

The material is made of aluminium foam that’s embedded with a bunch of small ceramic spheres. It works by inducing retaliatory vibrations into the cutting tools, which turns the tools’ force back on themselves and quickly dulls their edges.

The creators have named the material Proteus after the elusive and shape-shifting prophet of Greek mythology who would only share his visions of the future with those who could get their arms around him and keep him still. It sounds like this material could give Proteus a run for his money.

The ceramic spheres themselves aren’t indestructible, but they’re not supposed to be. Abrading the spheres only makes Proteus stronger. As the cutting tool contacts them, they’re crushed into dust that fills the voids in the aluminium foam, strengthening the material’s destructive vibratory effect. The physical inspiration for Proteus comes from protective hierarchical structures in nature, like the impact-resistant rind of grapefruit and the tendency of abalone shells to resist fracture under the impact of shark teeth.

How It’s Made

Proteus recipe in pictures.

At this point, Proteus is a proof of concept. Adjustments would likely have to be made before it can be produced at any type of scale. Even so, the recipe seems pretty straightforward. First, an aluminium alloy powder is mixed with a foaming agent. Then the mixture is cold compacted in a compressor and extruded in dense rods. The rods are cut down to size and then arranged along with the ceramic spheres in a layered grid, like a metallurgical lasagna.

The grid is spot-welded into a steel box and then put into a furnace for 15-20 minutes. Inside the furnace, the foaming agent releases hydrogen gas, which introduces voids into the aluminium foam and gives it a cellular structure.

Effects of cutting into a cylinder of Proteus with an angle grinder.

According to their paper, the researchers tried to penetrate the material with an angle grinder, a water jet cutter, and a drill. Of these, the drill has the best chance of getting through because the small point of contact can find gaps more easily, so it’s less likely to hit a ceramic sphere. The researchers also made cylindrical samples without steel cladding which they used to test the compressive strength and prove Proteus’ utility as a structural material for beams and columns. It didn’t fare well initially, but became less compressible as the foam matrix collapsed.

The creation process lends some leeway for customization, because the porosity of the aluminium foam can be varied by changing the bake time. As for the drill bit problem, tightening up security is as easy as adjusting the size and/or density of the ceramic spheres.

In the video after the break, you can watch a chunk of Proteus eat up an angle grinder disc in under a minute. Some may argue about the tool wielder’s technique, but we think there’s something to be said for any material that can destroy a cutting disc that fast. They don’t claim that Proteus is completely impenetrable, but it does look impressive. We wish they would have tried more cutting tools like a gas torch, or experimented with other destructive techniques, like plastic explosives, but we suppose that research budgets only go so far.

Continue reading “Proteus, The Shape-Shifting And Possibly Non-Cuttable Material”

The Smell Of Space

In space, so the Alien tagline goes, nobody can hear you scream. One of the most memorable pieces of movie promotion ever, it refers to the effect of the vacuum of space on the things human senses require an atmosphere to experience. It’s a lesson that Joss Whedon used to great effect with the Serenity‘s silent engine light-ups in Firefly, while Star Wars ignored it completely to give us improbable weapon noises in space battles.

Sound may not pass through the vacuum of space, but that’s not to say there are not things other than light for the senses. The Apollo astronauts reported that moon dust released a smell they described as akin to burnt gunpowder once it was exposed to the atmosphere inside their lander, and by now you may have heard that there is a Kickstarter that aims to recreate the smell as a fragrance. Will it replace the cloying wall of Axe or Lynx Africa body spray that pervades high-school boys’ changing rooms, or is it a mere novelty?

Continue reading “The Smell Of Space”

Hackaday Remoticon: Our 2020 Conference Is Packed With Workshops And We’re Calling For Proposals

We’re proud to announce the Hackaday Remoticon, taking place everywhere November 6th – 8th, 2020. It’s a weekend packed with workshops about hardware creation, held virtually for all to enjoy.

But we can’t do it without you. We need you to host a workshop on that skill, technique, or special know-how that you acquired through hard work over too many hours to count. Send in your workshop proposal now!

What is a Remoticon?

The Hackaday Remoticon achieves something that we just couldn’t do at the Hackaday Superconference: host more workshops that involve more people. Anyone who’s been to Supercon over the past six years can tell you it’s space-limited and, although we do our best to host a handful of workshops each day, those available seats are always in high demand.

We’re sad that we can’t get together in person for Supercon this year, but now we have an opportunity to host more workshops, engaging more live instructors and participants because they will be held virtually. This also means that we can make recordings of them available so that more people can learn from the experience. This is something that we tried way back during the first Supercon with Mike Ossmann’s RF Circuit Design workshop and 140,000 people have watched that video. (By the way, that link is worth clicking just to see Joe Kim’s excellent art.)

Continue reading “Hackaday Remoticon: Our 2020 Conference Is Packed With Workshops And We’re Calling For Proposals”

COVID Tracing Apps: What Europe Has Done Right, And Wrong

Europe has been in COVID-containment mode for the last month, in contrast to the prior three months of serious lockdown. Kids went back to school, in shifts, and people went on vacation to countries with similarly low infection rates. Legoland and the zoo opened back up, capped at 1/3 capacity. Hardware stores and post offices are running “normally”, once you accept mandatory masks and 1.5 meter separation while standing in line as the new normal. To make up for the fact that half of the tables have to be left empty, most restaurants have sprawled out onto their terraces. It’s not really normal, but it’s also no longer horrible.

But even a country that’s doing very well like Germany, where I live, has a few hundred to a thousand new cases per day. If these are left to spread unchecked as before, the possibility of a second wave is very real, hence the mask-and-distance routine. The various European COVID-tracing apps were rolled out with this backdrop of a looming pandemic that’s tenuously under control. While nobody expects the apps to replace public distancing, they also stand to help if they can catch new and asymptomatic cases before they get passed on.

When Google and Apple introduced their frameworks for tracing apps, I took a technical look at them. My conclusion was that the infrastructure was sound, but that the implementation details would be where all of the dragons lay in wait. Not surprisingly, I was right!

Here’s an update on what’s happened in the first month of Europe’s experience with COVID-tracing apps. The good news is that the apps seem to be well written and based on the aforementioned solid foundation. Many, many people have installed at least one of the apps, and despite some quite serious growing pains, they seem to be mostly functioning as they should. The bad news is that, due to its privacy-preserving nature, nobody knows how many people have received warnings, or what effect, if any, the app is having on the infection rate. You certainly can’t see an “app effect” in the new daily cases rate. After a month of hard coding work and extreme public goodwill, it may be that cellphone apps just aren’t the panacea some had hoped.

Continue reading “COVID Tracing Apps: What Europe Has Done Right, And Wrong”

CampZone 2020 Badge Literally Speaks To Us

The pandemic has left my usual calendar of events in shambles this year. Where I’d have expected to have spent a significant portion of my summer mingling with our wonderful and diverse community worldwide, instead I’m sitting at home cracking open a solitary Club-Mate and listening to muffled techno music while trying to imagine myself in a field somewhere alongside several thousand hackers.

As a knock-on effect of the event cancellations there’s another thing missing this summer: the explosion of creativity in the world of electronic conference badges has faltered. Badges are thin on the ground this year, so the few that have made it to production are to be treasured as reminders that life goes on and there will be another golden summer of hacker camps in the future. This year, the CampZone 2020 badge was given its own voice and can perform neat tricks like presenting a programming interface via WebUSB!

Continue reading “CampZone 2020 Badge Literally Speaks To Us”

No-Melt Nuclear ‘Power Balls’ Might Win A Few Hearts And Minds

A nuclear power plant is large and complex, and one of the biggest reasons is safety. Splitting radioactive atoms is inherently dangerous, but the energy unleashed by the chain reaction that ensues is the entire point. It’s a delicate balance to stay in the sweet spot, and it requires constant attention to the core temperature, or else the reactor could go into meltdown.

Today, nuclear power is largely produced with fuel rods, which are skinny zirconium tubes packed with uranium pellets. The fission rate is kept in check with control rods, which are made of elements like boron and cadmium that can absorb a lot of excess neutrons. Control rods calm the furious fission boil down to a sensible simmer, and can be reused until they either wear out mechanically or their neutron-absorbing material is used up.

Nuclear power plants tend to have large footprints because of all the safety measures that are designed to prevent meltdowns. If there was a fuel that could withstand enough heat to make meltdowns physically impossible, then there would be no need for reactors to be buffered by millions of dollars in containment equipment. Stripped of these redundant, space-hogging safety measures, the nuclear process could be shrunk down quite a bit.

Continue reading “No-Melt Nuclear ‘Power Balls’ Might Win A Few Hearts And Minds”