Warshipping: A Free Raspberry Pi In The Mail Is Not Always A Welcome Gift

Leading edge computer security is veiled in secrecy — a world where novel attacks are sprung on those who do not yet know what they need to protect against. Once certain tactics have played out within cool kids’ circles, they are introduced to the rest of the world. An IBM red team presented what they’re calling “warshipping”: sending an adversarial network to you in a box.

Companies concerned about security have learned to protect their internet-accessible points of entry. Patrolling guards know to look for potential wardrivers parked near or repeatedly circling the grounds. But some are comparatively lax about their shipping & receiving, and they are the ideal targets for warshipping.

Bypassing internet firewalls and security perimeters, attack hardware is embedded inside a shipping box and delivered by any of the common carriers. Security guards may hassle a van bristling with antennas, but they’ll wave a FedEx truck right through! The hardware can be programmed to stay dormant through screening, waiting to probe once inside the walls.

The presentation described several ways to implement such an attack. There is nothing novel about the raw hardware – Raspberry Pi, GPS receiver, cellular modems, and such are standard fare for various projects on these pages. The creative part is the software and how the devices are hidden: in packing material and in innocuous-looking plush toys. Or for persistence, they can be hidden in a wall-mounted plaque alongside some discreet photovoltaic panels. (Editor’s note: What? No Great Seals?)

With this particular technique out in the open, we’re sure others are already in use and will be disclosed some years down the line. In the meantime, we can focus our efforts on more benign applications of similar technology, whether it is spying on our cat or finding the nearest fast food joint. The hardware is evolving as well: a Raspberry Pi actually seems rather heavyweight for this, how about a compact PCB with both an ESP32 and a cellular modem?

Via Ars Technica.

Broken HP-48 Calculator Reborn As Bluetooth Keyboard

Considering their hardware specification, graphing calculators surely feel like an anachronism in 2019. There are plenty of apps and other software available for that nowadays, and despite all preaching by our teachers, we actually do carry calculators with us every day. On the other hand, never underestimate the power of muscle memory when using physical knobs and buttons instead of touch screen or mouse input. [epostkastl] combined the best of both worlds and turned his broken HP-48 into a Bluetooth LE keyboard to get the real feel with its emulated counterpart.

Initially implemented as a USB device, [epostkastl] opted for a wireless version this time, and connected an nRF52-based Adafruit Feather board to the HP-48’s conveniently exposed button matrix pins. For the software emulation side, he uses Emu48, an open source HP calculator emulator for Windows and Android. The great thing about Emu48 is that it supports fully customizable mappings of regular keyboard events to the emulated buttons, so you can easily map, say, the cosine button to the [C] key. The rest is straightforward: scanning the button matrix detects button presses, maps them to a key event, and sends it as a BLE HID event to the receiving side running Emu48.

This essentially turns [epostkastl]’s HP-48 into a regular wireless keyboard in a compact package, albeit with a layout that outshines every QWERTY vs Dvorak debate. It can of course also find alternative use cases, for example as a media center remote control or a shortcut keyboard. After all, we’ve seen the latter built as stomp boxes and from finger training devices before, so why not a calculator?

Spain’s First Open Source Satellite

[Fossa Systems], a non-profit youth association based out of Madrid, is developing an open-source satellite set to launch in October 2019. The FossaSat-1 is sized at 5x5x5 cm, weighs 250g, and will provide free IoT connectivity by communicating LoRa RTTY signals through low-power RF-based LoRa modules. The satellite is powered by 28% efficient gallium arsenide TrisolX triple junction solar cells.

The satellite’s development and launch cost under EUR 30000, which is pretty remarkable for a cubesat — or a picosatellite, as the project is being dubbed. It has been working in the UHF Amateur Satellite band (435-438 MHz) and recently received an IARU frequency spectrum allocation for LoRa of 125kHz.

The satellite’s specs are almost as remarkable as the acronyms used to describe them. The design includes an onboard computer (OBC) based on an ATmega328P-AU microcontroller, an SX1278 transceiver for telecommunications, and an electric power system (EPS) based on three SPV1040 MPPT chips and the TC1262 LDO. The satellite also uses a TMP100 temperature sensor, an INA226 current and voltage sensor, a MAX6369 watchdog for single-event upset (SEU) protection, a TPS2553 for single-event latch-up (SEL) protection and various MOSFETs for the deployment of solar panels and antennas.

Up until this point the group has been tracking adoption of LoRa through the use of weather balloons. The cubesat project plans to test the new LoRa spread spectrum modulation using less than $5 worth of receivers, with the ultimate goal of democratizing telecommunications worldwide.

The satellite is being built in a cleanroom at Rey Juan Carlos University and has undergone thermovacuum and vibration testing at the facility. The group has since developed an educational satellite development kit, which offers three main 40×40 mm boards that allow the addition of modifications. As their mission states, the group is looking to develop an open source project, so the code for the satellite is freely available on their GitHub.

Remote ADS-B Install Listens In On All The Aircraft Transmissions With RTL-SDR Trio, Phones Home On Cellular

When installing almost any kind of radio gear, the three factors that matter most are the same as in real estate: location, location, location. An unobstructed location at the highest possible elevation gives the antenna the furthest radio horizon as well as the biggest bang for the installation buck. But remote installations create problems, too, particularly with maintenance, which can be a chore.

So when [tsimota] got a chance to relocate one of his Automatic Dependent Surveillance-Broadcast (ADS-B) receivers to a remote site, he made sure the remote gear was as bulletproof as possible. In a detailed write up with a ton of pictures, [tsimota] shows the impressive amount of effort he put into the build.

The system has a Raspberry Pi 3 with a solid-state drive running the ADS-B software, a powered USB hub for three separate RTL-SDR dongles for various aircraft monitoring channels, a remote FlightAware dongle to monitor ADS-B, and both internal and external temperature sensors. Everything is snuggled into a weatherproof case that has filtered ventilation fans to keep things cool, and even sports a magnetic reed tamper switch to let him know if the box is opened. An LTE modem pipes the data back to the Internet, a GSM-controlled outlet allows remote reboots, and a UPS keeps the whole thing running if the power blips atop the 15-m building the system now lives on.

Nobody appreciates a quality remote installation as much as we do, and this is a great example of doing it right. Our only quibble would be the use of a breadboard for the sensors, but in a low-vibration location, it should work fine. If you’ve got the itch to build an ADS-B ground station but don’t want to jump in with both feet quite yet, this beginner’s guide from a few years back is a great place to start.

1940s Portable Radio Is A Suitcase

The meaning of the word portable has changed a bit over the years. These days something has to be pretty tiny to be considered truly portable, but in the 1940s, anything with a handle on it that you could lift with one hand might be counted as portable electronics. Zenith made a line of portable radios that were similar to their famous Transoceanic line but smaller, lighter, and only receiving AM to reduce their size and weight compared to their big brothers. If you want to see what passed for portable in those days, have a look at [Jeff Tranter’s] video (below) of a 6G601 — or maybe it is a GG601 as it says on the video page. But we think it is really a 6G601 which is a proper Zenith model number.

According to [Jeff], 225,350 of these radios were made, and you can see that it closes up like a suitcase. The initial 6 in the model number indicates there are 6 tubes and the G tells you that it can run with AC or batteries.

PaperLedger: An E-Ink Cryptocurrency Ticker

For a long time it seemed like e-ink displays were outside the reach of us lowly hackers, as beyond the handful of repurposed Kindles that graced these pages, we saw precious few projects utilizing this relatively exotic display. But that’s changed over the last couple of years, and we’re thrilled to start seeing hackers bend this incredible technology to their will.

A perfect example is PaperLedger, an entry into the 2019 Hackaday Prize by [AIFanatic]. This wireless device is designed to display the current price of various cryptocurrencies on its 2.9-inch e-ink screen and provide audible price alerts with its built-in speaker. It even has a web portal where users can configure the hardware or view more in-depth price information.

The PaperLedger is based on the TTGO T5 V2.2 ESP32, but it looks like [AIFanatic] is in the process of spinning up a new board for the MIT licensed project to address some nagging issues for this particular application. Unfortunately, it doesn’t look like there are any pictures of the new board yet, but a description of the changes on the Hackaday.IO page shows that most of the work seems to be going into improving support for running on batteries.

Even if you’re not interested in cryptocurrency, the PaperLedger looks like a fantastic little e-ink monitor for pretty much anything else you’d like to keep a close eye on. The GPLv3 licensed firmware is available on the project’s GitHub page, so expanding or completely changing the device’s functionality shouldn’t be too tricky for anyone with a desire to do so and a working knowledge of C++.

We’ve seen several projects using the various TTGO boards that mate an ESP32 with a display at this point, and it looks like a great platform to check out if you want to push some data to a little WiFi screen with the minimum amount of hassle.

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping, the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets; the bottom 16 bits are the counter that increments the hop address list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.
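The lack of internal state is easiest to see with the selection function written out. The following is an added example, not code from the article or from BtleJack: it follows the CSA #2 definition in the Bluetooth Core Specification, in which the channel identifier is the XOR of the two 16-bit halves of the access address and the counter is the 16-bit connection event counter. `SAMPLE_AA` and the function names are chosen here for illustration.

```python
# Added example: CSA #2 channel selection, written from the Bluetooth Core
# Specification's definition. Function names are illustrative.
SAMPLE_AA = 0x8E89BED6  # sample access address, used only as test input


def perm(v):
    """Reverse the bit order inside each byte of a 16-bit value."""
    out = 0
    for shift in (0, 8):
        byte = (v >> shift) & 0xFF
        out |= int(f"{byte:08b}"[::-1], 2) << shift
    return out


def mam(a, b):
    """Multiply-add-modulo step: (17 * a + b) mod 2^16."""
    return (17 * a + b) & 0xFFFF


def channel_identifier(access_address):
    """XOR of the upper and lower 16 bits of the 32-bit access address."""
    return ((access_address >> 16) ^ access_address) & 0xFFFF


def prn_e(counter, chan_id):
    """Pseudo-random number for one connection event: three PERM+MAM rounds."""
    v = (counter ^ chan_id) & 0xFFFF
    for _ in range(3):
        v = mam(perm(v), chan_id)
    return v ^ chan_id


def csa2_channel(access_address, counter, used_channels=range(37)):
    """Data channel for a given event counter; no state carried between calls."""
    used = sorted(used_channels)
    prn = prn_e(counter & 0xFFFF, channel_identifier(access_address))
    unmapped = prn % 37
    if unmapped in used:
        return unmapped
    # Channel is masked out of the channel map: remap into the used set.
    return used[(len(used) * prn) >> 16]


def hop_sequence(access_address, start, count, used_channels=range(37)):
    """Channels for `count` consecutive connection events from `start`."""
    return [csa2_channel(access_address, start + i, used_channels)
            for i in range(count)]


if __name__ == "__main__":
    print(hop_sequence(SAMPLE_AA, 0, 8))
```

Every output is a pure function of the access address, the channel map and the counter, so any party holding those values computes the same channel for any future event without having followed the hops in between.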

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.