See This Casio? Watch It Unlock My Tesla!

The whole point of gaining the remote unlock ability for our cars was to keep us from suffering the indignity of standing there in the rain, working a key into the lock while the groceries get soaked. [Mattia Dal Ben] reports that even Teslas get the blues and don’t unlock reliably all the time, in spite of the price tag.

[Mattia] decided that a spare key card might be good to have around, and that building it into his Casio F-91W watch would put the key as close at hand as it could be without getting an implant.

After programming a new J3A040-CL key card to match the car, getting the chip out was the easy part — just soak it in acetone until you can peel the layers apart. Then [Mattia] built a fresh antenna for it and wound it around the inside of a 3D printed back plate.

The hardest part seems to have been tuning the watch antenna to the resonant frequency expected by the car-side antenna. [Mattia] found that a lot of things mess with the resonant frequency: the watch PCB, the casing, and even the tiny screws holding the thing together each threw it off a little bit.
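To make the detuning concrete, here is an added worked example (not part of the original post or of [Mattia]'s build) that applies the LC resonance formula f0 = 1/(2π√(LC)) to the 13.56 MHz carrier that ISO/IEC 14443 cards such as the J3A040 use. The coil inductance of 1.2 µH, the parasitic capacitance values and the loaded Q of 20 are assumptions for illustration; a real build would measure the coil and sweep the tank.

```python
import math

NFC_CARRIER_HZ = 13.56e6  # ISO/IEC 14443 carrier the car-side reader drives


def resonant_frequency_hz(inductance_h, capacitance_f):
    """f0 = 1 / (2*pi*sqrt(L*C)) for an LC tank."""
    return 1.0 / (2.0 * math.pi * math.sqrt(inductance_h * capacitance_f))


def capacitance_for_resonance_f(inductance_h, target_hz=NFC_CARRIER_HZ):
    """Solve f0 = 1/(2*pi*sqrt(L*C)) for C given the measured coil inductance."""
    return 1.0 / ((2.0 * math.pi * target_hz) ** 2 * inductance_h)


def detuned_frequency_hz(inductance_h, tuned_c_f, extra_c_f):
    """Resonance after parasitic capacitance (PCB, metal case, screws) lands on the tank."""
    return resonant_frequency_hz(inductance_h, tuned_c_f + extra_c_f)


def still_couples(f0_hz, q_factor, target_hz=NFC_CARRIER_HZ):
    """Crude check: does the reader's carrier still fall inside the tank's
    -3 dB band?  Bandwidth of a resonator is roughly f0 / Q."""
    half_bandwidth = f0_hz / q_factor / 2.0
    return abs(f0_hz - target_hz) <= half_bandwidth


def tuning_report(inductance_h, parasitic_pf_values, q_factor=20.0):
    """For a coil tuned to 13.56 MHz in free air, show where the resonance ends
    up once each assumed amount of stray capacitance is added."""
    c0 = capacitance_for_resonance_f(inductance_h)
    rows = []
    for pf in parasitic_pf_values:
        f = detuned_frequency_hz(inductance_h, c0, pf * 1e-12)
        rows.append({
            "parasitic_pf": pf,
            "f0_mhz": round(f / 1e6, 3),
            "shift_khz": round((f - NFC_CARRIER_HZ) / 1e3, 1),
            "still_couples": still_couples(f, q_factor),
        })
    return c0, rows


if __name__ == "__main__":
    coil_h = 1.2e-6  # assumed: a few turns of a ~3 cm loop; measure your own coil
    c0, rows = tuning_report(coil_h, [0, 2, 5, 10, 20])
    print(f"tuning capacitance for {coil_h * 1e6:.2f} uH: {c0 * 1e12:.1f} pF")
    for row in rows:
        print(row)
```

The point the numbers make is that a few picofarads of stray capacitance, which is what a screw head or a ground plane next to the coil easily adds, pulls the resonance by hundreds of kilohertz. Whether that still works depends on the loaded Q: a low-Q tank is forgiving but couples weakly, a sharp one couples well but has to be retuned after every mechanical change, which is exactly what [Mattia] ran into.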

Since the watch is less comfortable now, [Mattia] thought about making a new back from transparent resin, which sounds lovely to us. It looks as though the new plan is to move it to the front of the watch, with a resin window to show off the chip. That sounds pretty good, too. Check out the secret unlocking power after the break.

Casio watches are great, though we are more into the calculator models. Someone out there loves their F-91W so much that they made a giant wall clock version.


Automation With A New Twist

Turning on a lightbulb has never been easier. You can do it from your mobile. Voice activation through home assistants is robust. Wall switches even play nicely with the above methods. It was only a matter of time before someone decided to make it fun, if you consider a Rubik’s cube enjoyable. [Alastair Aitchison] at Playful Technology demonstrated that it is possible to trigger a relay when you match all the colors. Video also after the break.

The cube does little to obscure its game data; it simply sends its state out unencrypted. An ESP32 running [Alastair]'s Arduino code can track each movement and recognize the solved state. In the video, he solves the puzzle and an actuator releases a balloon. He talks about some other cool things this could do, like home automation or a puzzle room, which is in his wheelhouse judging by the rest of his YouTube channel.

We would love to see different actions perform remote tasks. Twisting the top could set a timer for 1-2-3-4-5 minutes, while the bottom would change the bedroom lights from red-orange-yellow-green-blue-violet. Solving the puzzle should result in a barrage of NERF darts or maybe keep housemates from cranking the A/C on a whim.


Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won't be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into the subject, which he presented in his NFC firmware hacking talk at this year's DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip's "safe" firmware update process, in the hope of running a custom firmware image on it. Obviously, this wouldn't be worth mentioning twice if he hadn't succeeded, and he goes to serious length describing how he got there. Picking a brain like his by reading up on the process he went through, from reverse engineering the firmware to actually exploiting a weakness that let him run his own code, is always fascinating and downright fun. And if you're someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.


DropController Sets The Bar For Documentation

dropController has the kind of documentation we wish would spontaneously generate itself whenever we build something. [Martyn Currey] built a robust rig for water droplet photography, and we don’t want to dismiss the hardware, but the most impressive part might be the website. It might not be very fancy, but it’s thorough and logically organized. You can find parts lists, assembly manuals, tutorials, sketches, and schematics. If only all the projects that came our way were so well detailed.

Water droplet photography is pretty cool, although freehanding it will make your patience fall faster than 9.81 m/s². The concept is that a solenoid valve will flicker open to release a drop of water, wait for a certain number of microseconds, and then trigger your DSLR via a wired remote cable. The tricky part comes from controlling as many as six valves and three flashes. We don’t have enough fingers and toes to press all those buttons.
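The whole trick is composing those valve, flash and shutter timings into one sequence that a microcontroller can play back. As an added illustration (not dropController's own code, and not [Martyn]'s timing values), here is a small Python scheduler that turns a plan of drops, a shutter trigger and flash pulses into a time-ordered list of pin edges, refusing plans that ask one valve or flash to fire again while it is still active. Channel names and the microsecond values in the demo are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t_us: int      # microseconds from the start of the sequence
    channel: str   # e.g. "valve1", "flash1", "camera"
    on: bool       # True = energise valve / fire flash / assert shutter trigger


def _check_no_overlap(intervals):
    """intervals: {channel: [(start_us, end_us), ...]}.  A valve cannot be
    re-opened while it is already open, and a flash cannot be re-fired mid-pulse."""
    for channel, spans in intervals.items():
        spans = sorted(spans)
        for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
            if s2 < e1:
                raise ValueError(
                    f"{channel}: interval starting at {s2} us overlaps one ending at {e1} us")


def compile_sequence(drops, camera_delay_us, camera_hold_us, flashes):
    """Turn a photographer's plan into a pin schedule.

    drops:   [(valve, start_us, open_us), ...]  each entry releases one drop
    flashes: [(flash, fire_us, pulse_us), ...]  sync pulses for the strobes
    camera_delay_us: the shutter trigger is asserted this long after t=0
    camera_hold_us:  and held for this long (wired-remote style)
    """
    plan = list(drops) + list(flashes) + [("camera", camera_delay_us, camera_hold_us)]
    intervals = {}
    for channel, start, duration in plan:
        if start < 0 or duration <= 0:
            raise ValueError(f"{channel}: start must be >= 0 and duration > 0")
        intervals.setdefault(channel, []).append((start, start + duration))
    _check_no_overlap(intervals)

    events = []
    for channel, spans in intervals.items():
        for start, end in spans:
            events.append(Event(start, channel, True))
            events.append(Event(end, channel, False))
    # Sort by time; at equal times, releases (on=False) come before new
    # energisations so a pin never sees the two edges in the wrong order.
    events.sort(key=lambda ev: (ev.t_us, ev.on, ev.channel))
    return events


def as_delays(events):
    """Absolute times -> (wait_us, channel, on) steps, which is the shape a
    blocking microcontroller loop built on delayMicroseconds() wants."""
    steps, last = [], 0
    for ev in events:
        steps.append((ev.t_us - last, ev.channel, ev.on))
        last = ev.t_us
    return steps


if __name__ == "__main__":
    # Constructed demo: two drops from one valve 120 ms apart so the second
    # lands on the first's rebound, shutter opened at 150 ms, flash at 300 ms.
    seq = compile_sequence(
        drops=[("valve1", 0, 60_000), ("valve1", 120_000, 60_000)],
        camera_delay_us=150_000, camera_hold_us=50_000,
        flashes=[("flash1", 300_000, 1_000)],
    )
    for wait, channel, on in as_delays(seq):
        print(f"wait {wait:>7} us  then {channel:<7} {'ON' if on else 'off'}")
```

Because everything is expressed relative to one start time, adding a second valve or a third flash is just another tuple in the plan, and the overlap check catches the mistake you would otherwise only discover as a valve that never closes.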

The bill of materials contains many commonly available parts like an Arduino Nano, an LM2596 voltage regulator, some MOSFETS, an HC-06 Bluetooth module, plus standard audio connectors to hook everything up. Nothing should break the bank, but if money is not an issue, [Martyn] sells kits and complete units.

Waterdrop controllers are not the newest kids on the block, and strobe photography is a time-honored tradition.


Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device's wireless chips can coexist (sometimes even sharing the same antenna) and keep interference to a minimum. These are called coexistence mechanisms and enable high-performance communication on overlapping frequency bands; thus they are essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary solutions.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores in which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here is, from an attacker perspective, to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


ESP32 Turned Open Source COVID-19 Contact Tracer

Over the past few months we’ve heard a lot about contact tracers which are designed to inform users if they’ve potentially come into close proximity with someone who has the virus. Generally these systems have been based on smartphone applications, but there are also hardware solutions that can operate independently for those who are unable or unwilling to install the software. Which is precisely what [Tom Bensky] has implemented using an ESP32 and a USB battery bank.

The idea is simple: the software generates a unique ID which is broadcast out by the ESP32 over Bluetooth Low Energy. Appended to that ID is a code that indicates the person’s current physical condition. There’s no centralized database, each user is expected to update their device daily with any symptoms they may be experiencing. If your tracker is blinking, that means somebody has come in close enough proximity that you should look at the collected data and see how they were feeling at the time.
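To show what such a decentralized scheme amounts to on the wire, here is an added Python example (not [Tom]'s firmware, and not his actual advertisement format, which the post does not spell out). It defines a constructed 20-byte payload of the kind that fits in a BLE advertisement (random 16-byte ID plus a one-byte self-reported status), a parser that rejects anything that is not one of ours, and a local-only contact log that uses an RSSI threshold as its "close enough" test. The status codes, the -70 dBm threshold and the three-sightings rule are assumptions for illustration.

```python
import os
import struct
from collections import defaultdict

# Constructed payload layout (an assumption for this example):
#   2 bytes magic "CT" | 1 byte version | 16 byte random device ID | 1 byte status
MAGIC = b"CT"
VERSION = 1
STATUS_CODES = {0: "no symptoms", 1: "mild symptoms", 2: "fever or cough", 3: "tested positive"}
FMT = ">2sB16sB"
PAYLOAD_LEN = struct.calcsize(FMT)  # 20 bytes; a legacy BLE advertisement carries at most 31


def new_device_id():
    """A fresh random ID; nothing about the owner is derivable from it."""
    return os.urandom(16)


def encode_adv(device_id, status):
    """Build the bytes the ESP32 would place in its advertisement."""
    if len(device_id) != 16 or status not in STATUS_CODES:
        raise ValueError("device_id must be 16 bytes and status a known code")
    return struct.pack(FMT, MAGIC, VERSION, device_id, status)


def decode_adv(payload):
    """Return (device_id, status), or None for anything that is not one of ours:
    wrong length, wrong magic, unknown version or an undefined status code."""
    if len(payload) != PAYLOAD_LEN:
        return None
    magic, version, device_id, status = struct.unpack(FMT, payload)
    if magic != MAGIC or version != VERSION or status not in STATUS_CODES:
        return None
    return device_id, status


class ContactLog:
    """Local-only record of who was nearby.  Nothing is uploaded anywhere."""

    def __init__(self, rssi_threshold_dbm=-70, min_sightings=3):
        self.rssi_threshold_dbm = rssi_threshold_dbm  # assumed proxy for "close"
        self.min_sightings = min_sightings            # assumed: ignore one-off passes
        self.sightings = defaultdict(list)            # device_id -> [(t_s, status), ...]

    def observe(self, payload, rssi_dbm, t_s):
        """Feed one received advertisement; returns True if it was logged."""
        parsed = decode_adv(payload)
        if parsed is None or rssi_dbm < self.rssi_threshold_dbm:
            return False
        device_id, status = parsed
        self.sightings[device_id].append((t_s, status))
        return True

    def close_contacts(self):
        """Devices seen close enough, often enough, to count as a contact,
        with the worst status they reported while nearby."""
        out = {}
        for device_id, seen in self.sightings.items():
            if len(seen) >= self.min_sightings:
                worst = max(status for _, status in seen)
                out[device_id.hex()] = {"sightings": len(seen), "worst_status": STATUS_CODES[worst]}
        return out

    def should_blink(self):
        """The LED cue from the post: somebody has been close, go look at the log."""
        return bool(self.close_contacts())


if __name__ == "__main__":
    # Constructed scenario: another tracer reporting "fever or cough" passes by three times.
    other = encode_adv(new_device_id(), 2)
    log = ContactLog()
    for t in (0, 5, 10):
        log.observe(other, rssi_dbm=-58, t_s=t)
    log.observe(other, rssi_dbm=-92, t_s=60)  # too far away to count
    print(log.close_contacts(), "blink:", log.should_blink())
```

Two properties of any scheme like this are worth keeping in mind when reading the log: the status byte is whatever the other device's owner typed in, with nothing to authenticate it, and a device that keeps the same 16-byte ID for long makes its wearer trackable by anyone scanning, so a real deployment would rotate the ID.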

It’s not a perfect system, of course, as for one thing the number of people that are willing and able to flash this firmware onto a spare ESP32 and carry the thing around with them all day is going to be extremely small. This might have filled an interesting niche if we were still going to hacker and maker cons this summer, but all of those have gone virtual anyway. That said, it’s an interesting look at how a decentralized contact tracing system can be implemented cheaply and quickly.

Another detail worth taking a look at is how [Tom] handled the user experience in his firmware. In an effort to make the tracer as easy as possible to configure, he's using the Web Bluetooth capability of Google Chrome. Just open up the local web page in your browser, and it will handle talking to the hardware for you. Even if you're not in the market for a contact tracer, we think this is a great example of how to handle end-user configuration on the ESP32.

We’ve already looked at contact tracer APIs from Google and Apple, dedicated COVID-19 hardware tokens, and even other open source attempts at decentralized proximity tracking. It’s a lot to process, and everyone seems to have their own idea on how it should be done. In the end, the most practical solution is probably to just stay at home as much as possible.

ESP8266 Makes A Wireless Card Reader

You can find commercial USB sticks that can also connect via WiFi. But [Neutrino] made his own using an ESP8266 married to a card reader. It all starts with the old trick of soldering a header to an SD card adapter. The USB port is still there, but it is only for power. A 3.3 V regulator and an ESP12E board round out the hardware.

Of course, the trick is the software. Starting from a few examples, he wound up providing an FTP server that you can connect to and send or receive files using that protocol. Keep in mind that plain FTP carries both credentials and file contents in the clear, so whatever is on that card is only as private as the WiFi network it is sitting on.
