ESP8266 Turned Secretive WiFi Probe Request Sniffer

When a Wi-Fi device is switched on, it starts spewing out probe requests to try and find a familiar access point. These probe requests contain the device’s MAC address and the SSID of the hotspot it’s looking for, which can potentially be used to identify a specific device and where it’s been. After experimenting with these probe requests, [Amine Mehdi Mansouri] has created OpenMAC, a tiny ESP8266 based sniffer that could be hidden anywhere.

The device consists of an ESP-07S module, a regulator circuit for getting power from a USB-C connector, and a button for power cycling. An external antenna is required for the module, which can be selected based on the size or gain requirements for a specific deployment. [Amine] tested the OpenMAC at a local library (with permission), in combination with a number of his own little Wi-Fi repeaters to expand the reach of the network. All the recorded MAC addresses were logged to a server, where the data can be used for traffic analysis in and around the library, or even for tracking and locating specific devices.

This is nothing new, and is a relatively common technique used for gathering information in retail locations; it could also be used for more nefarious purposes. Newer versions of iOS, Android, and Windows 10 feature MAC address randomization, which can limit the ability to track devices in this manner, but it isn’t always activated.

We’ve seen a number of projects that exploit probe requests. FIND-LF can be used for locating devices in your home, and Linger fools probe request sniffers by replaying previously recorded requests.
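To make concrete what a sniffer like this harvests, here is an added example (not OpenMAC’s code) that decodes an 802.11 probe request, pulls out the source MAC and requested SSID, and flags the locally administered bit that randomized MACs carry. The frame builder, MAC addresses and SSIDs are constructed test data, not captures.

```python
"""Decode 802.11 probe request frames and tally which client MAC asked for
which SSID. Added illustration, not the OpenMAC project's code; the frames
used below are constructed by hand, not captured."""
import struct

MGMT_HDR_LEN = 24   # frame control + duration + 3 addresses + sequence control
SSID_TAG = 0        # tagged-parameter number of the SSID element

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def is_locally_administered(mac: bytes) -> bool:
    # Bit 1 of the first octet set = locally administered address. Randomized
    # MACs on iOS/Android/Windows set it, so it hints (without proving) that
    # the address is not the burned-in hardware one.
    return bool(mac[0] & 0x02)

def parse_probe_request(frame: bytes):
    """Return {'src', 'ssid', 'randomized'} for a probe request, else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc, _dur, _da, sa, _bssid, _seq = struct.unpack("<HH6s6s6sH", frame[:MGMT_HDR_LEN])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:          # management frame, probe request
        return None
    ssid, pos = None, MGMT_HDR_LEN
    while pos + 2 <= len(frame):            # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:            # truncated element: stop, don't guess
            break
        if tag == SSID_TAG:
            ssid = value.decode("utf-8", errors="replace")   # "" = wildcard probe
        pos += 2 + length
    return {"src": mac_str(sa), "ssid": ssid, "randomized": is_locally_administered(sa)}

def build_probe_request(src: bytes, ssid: bytes) -> bytes:
    """Construct a sample probe request (broadcast DA and BSSID) for testing."""
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, b"\xff" * 6, src, b"\xff" * 6, 0x0010)
    return hdr + bytes([SSID_TAG, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

def tally(frames):
    """Map each source MAC to the SSIDs it asked for, as a logging server would."""
    seen = {}
    for f in frames:
        p = parse_probe_request(f)
        if p and p["ssid"]:                 # ignore non-probes and wildcard probes
            seen.setdefault(p["src"], set()).add(p["ssid"])
    return seen
```

Feed `tally()` the raw frames from a monitor-mode capture and the `randomized` flag shows how many clients the MAC randomization mentioned above actually protects.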

Weather Warnings And Dust Detection From This Meteorological Marvel

We love getting our weather in a flurry of different methods, but have you tried building your own sensor suite to harvest the data for you? [Giovanni ‘CyB3rn0id’ Bernardo] needed to monitor isolated locations outside the reach of WiFi. His ray of hope is an ESP32 controller coupled with a LoRa module to beam data to a remote station that can access the cloud.

In addition to radios, he poured a deluge of sensors into the base station to read the temperature, barometric pressure, humidity, and fine dust. Why monitor dust as part of weather data collection? Particulate matter has a huge effect on air quality, something of great interest during a respiratory pandemic. For those readers near wildfires, quantifying your air quality (both indoors and out) is certainly of interest. [Giovanni] is using an SDS011 air quality sensor and has a long writeup just on this part. It uses a fan to move air past a laser-based sensing mechanism.

At the base station, live readings are shown on an OLED screen, but you can also connect to the ESP32 through your phone like a hotspot. If you keep a memory card installed, it will cache the readings in a perpetually-updated CSV file. In regular operation, the LoRa module overcasts the telemetry to its sister unit that acts as a Wifi/LoRa bridge so anyone can view gauges and graphs in real-time on ThingSpeak.

We want to shower [CyB3rn0id] with praise for seeing the cirrus serious impact of harmful dust and making something that can alert people. We don’t want to rain on anyone’s parade, but sometimes it is better to stay inside.

Cell Phone Signal Booster Gets Teardown And Demo

Ever wonder what was inside a cell phone booster, or what it is like to set up or use one? If so, [Kerry Wong]’s got you covered with his teardown of a Cel-Fi Go X Cell Signal Booster by Nextivity. [Kerry] isn’t just ripping apart a cheap unit for laughs; his house has very poor reception and this unit was a carefully-researched, genuine investment in better 4G connectivity.

The whole setup consists of three different pieces: the amplifier unit pictured above, and two antennas. One is an omnidirectional dome antenna for indoors, and the other is a directional log-periodic dipole array (LPDA) antenna for outdoors. Mobile phones connect to the indoor antenna, and the outdoor antenna connects to the distant cell tower. The amplifier unit uses a Bluetooth connection and an app on the mobile phone to manage settings and actively monitor the device, which works well but bizarrely doesn’t seem to employ any kind of password protection or access control whatsoever.

Overall [Kerry] is happy, and reports that his mobile phone enjoys a solid connection throughout his house, something that was simply not possible before. Watch a hands-on of the teardown along with a short demonstration in the video embedded below.


New Zealand To Test Wireless Power Transmission

Nikola Tesla wanted to beam power without wires. NASA talked about building power-generating satellites that would do the same thing. But now New Zealand’s second-largest power utility — Powerco — is working with a start-up company to beam energy to remote locations. There have been several news releases, but possibly the most technical detail is from an interview [Loz Blain] did with the founder of the startup company.

It isn’t really news that you can send radio waves somewhere and convert the signal back into power. Every antenna does that routinely. The question is how efficient is the power transmission and — when the power levels are high — how safe is it? According to [Greg Kushnir], the founder of Emrod, the technology is about 70% efficient and uses ISM frequencies.


See This Casio? Watch It Unlock My Tesla!

The whole point of gaining the remote unlock ability for our cars was to keep us from suffering the indignity of standing there in the rain, working a key into the lock while the groceries get soaked. [Mattia Dal Ben] reports that even Teslas get the blues and don’t unlock reliably all the time, in spite of the price tag.

[Mattia] decided that a spare key card might be good to have around, and that building it into his Casio F-91W watch would put the key as close at hand as it could be without getting an implant.

After programming a new J3A040-CL key card to match the car, getting the chip out was the easy part — just soak it in acetone until you can peel the layers apart. Then [Mattia] built a fresh antenna for it and wound it around the inside of a 3D printed back plate.

The hardest part seems to be tuning the watch antenna to the resonant frequency expected by the car-side antenna. [Mattia] found that a lot of things mess with the resonant frequency — the watch PCB, casing, and even the tiny screws holding the thing together each threw it off a little bit.

Since the watch is less comfortable now, [Mattia] thought about making a new back from transparent resin, which sounds lovely to us. It looks as though the new plan is to move it to the front of the watch, with a resin window to show off the chip. That sounds pretty good, too. Check out the secret unlocking power after the break.

Casio watches are great, though we are more into the calculator models. Someone out there loves their F-91W so much that they made a giant wall clock version.


Automation With A New Twist

Turning on a lightbulb has never been easier. You can do it from your mobile. Voice activation through home assistants is robust. Wall switches even play nicely with the above methods. It was only a matter of time before someone decided to make it fun, if you consider a Rubik’s cube enjoyable. [Alastair Aitchison] at Playful Technology demonstrated that it is possible to trigger a relay when you match all the colors. Video also after the break.

The cube does little to obfuscate game data, so in this scope, it sends unencrypted transmissions. An ESP32 running [Alastair]’s Arduino code can track each movement and recognize a solved state. In the video, he solves the puzzle, and an actuator releases a balloon. He talks about some other cool things this could do, like home automation or a puzzle room, which is in his wheelhouse judging by the rest of his YouTube channel.

We would love to see different actions perform remote tasks. Twisting the top could set a timer for 1-2-3-4-5 minutes, while the bottom would change the bedroom lights from red-orange-yellow-green-blue-violet. Solving the puzzle should result in a barrage of NERF darts or maybe keep housemates from cranking the A/C on a whim.


Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into that subject, which he presented in his NFC firmware hacking talk at this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s secure firmware update process, in the hope of running a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes to serious length in describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.
