Poking Around The Wide World Of Bluetooth

Bluetooth is a technology with a very interesting history. When it first came around in the late 1990s, it promised to replace the mess of wires that was tucked behind every desk of the day. Unfortunately, the capabilities of early Bluetooth didn’t live up to the hype, and it never quite took off. It wasn’t until the rise of the smartphone more than a decade later that Bluetooth, now several versions more advanced, really started to make sense.

As [Larry Bank] explains in a recent blog post, that means there’s a whole lot to learn if you want to really understand Bluetooth hacking. For example, the Bluetooth versions used in the 1990s and 2000s are actually a completely different protocol from the one most modern devices use. But the original protocol, now referred to as “Classic”, is still supported and still in use.

That means to really get your head wrapped around working with Bluetooth, you need to learn about the different versions and all the tools and tricks associated with them. To that end, [Larry] does a great job of breaking down the primary versions of Bluetooth and the sort of tools you might find yourself using. That includes microcontrollers such as the ESP32 or Arduino Nano 33 BLE.

But the post isn’t just theory. [Larry] also goes over a few real-world projects of his that utilize Bluetooth, such as getting a portable printer working with his Arduino, or figuring out how to use those tiny mobile phone game controllers for his own purposes. Even if you don’t have these same devices, there’s a good chance that the methods used and lessons learned will apply to whatever Bluetooth gadgets you’ve got your eye on.

Readers may recall [Larry] from our previous coverage of his exploits, such as his efforts to increase the frame rate of the SSD1306 OLED display or his wireless bootloader for the SMART Response XE. Whenever we see his name pop up in the Tip Line, we know a fascinating hardware deep dive isn’t far behind.

NanoVNA Tests Antenna Pattern

When [Jephthai] wanted to build his own Yagi antenna, he turned to MMANA software for antenna modeling. This is an antenna analysis program that uses the moment method to calculate parameters for different antenna geometries. After building the Yagi, the predicted tuning and impedance matched the real antenna nicely. But what about the radiation pattern? To test that, he used a NanoVNA and a clever test setup.

He needed a test spot out of the antenna’s near field so he set up his workstation 18 feet away from the test antenna which was on a mount that could rotate. On the edge of the workstation table — affixed with painter’s tape — is a NanoVNA connected to a laptop.


Full Duplex Radio Claimed Easier With Analog Module

There’s an old saying that we have one mouth and two ears so you can listen twice as much as you talk. However, talking and listening at the same time is fairly difficult, and doing it with radio signals is especially hard. A company called Kumu Networks has an analog module that uses self-interference cancellation, which allows transmitting and receiving on the same frequency by cancelling around 50 dB of the transmitted signal inside the transceiver. You can see a video about Kumu’s claims for its technology below.

You may think that cell phones and ham radio repeaters transmit and receive at the same time, which of course they do, but usually on different frequencies to avoid direct interference. A diplexer is a device that sorts out the two frequencies while a duplexer sorts them out by the direction of the signal, but they are tricky to use. A duplexer can operate on a single frequency in applications such as radar, and even then it is still very difficult to prevent leakage from the transmitter from overloading and desensitizing the receiver.


36C3: All Wireless Stacks Are Broken

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk she gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on over the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. So it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it shouldn’t entirely surprise you that once [Jiska] gets into the Bluetooth stack, she’s able to DoS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack, enabled by one of her students’ ([Jan Ruge]) work on emulation, codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

Tiny Bubbles In The Clock

When [Don Ho] sang about tiny bubbles, he probably wasn’t thinking of them embedded in glycerine. But that’s where the bubbles in [ShinodaY]’s clock reside. The viscous fluid holds the bubbles in place better, allowing the time to be read more easily. You can watch the relaxing display in the video below.

The theory of operation is simple and reminds us somehow of a reverse Tetris game. Solenoid valves at the base release air bubbles to form one row of the display. As the bubbles rise they make room for the next row. The display has as many columns as there are air outlets at the bottom, so spacing the bubble pixels vertically is as simple as adjusting the timing between air bubbles.
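To make the row-by-row mechanism concrete, here is an added example (not [ShinodaY]’s code) that turns a bitmap of the characters to show into a timed schedule of solenoid pulses: one valve per column, one row per burst, and a delay between rows derived from an assumed bubble rise speed and the desired row pitch. The glyph font, rise speed and pitch are constructed values for the example.

```python
"""Bubble-display scheduler: bitmap rows -> timed solenoid-valve events."""
from dataclasses import dataclass

# 3-column by 5-row glyphs, top row first (constructed for this example).
GLYPHS = {
    "1": ["010", "110", "010", "010", "111"],
    "7": ["111", "001", "010", "100", "100"],
}
ROWS = 5


@dataclass(frozen=True)
class ValveEvent:
    t: float          # seconds after the start of the frame
    columns: tuple    # indices of the valves to pulse at this instant


def render_text(text, gap_cols=1):
    """Lay glyphs side by side, separated by blank columns; returns row strings, top first."""
    rows = ["" for _ in range(ROWS)]
    for i, ch in enumerate(text):
        glyph = GLYPHS[ch]
        sep = "0" * gap_cols if i < len(text) - 1 else ""
        for r in range(ROWS):
            rows[r] += glyph[r] + sep
    return rows


def schedule(rows, n_valves, rise_speed_mm_s, row_pitch_mm):
    """Release the top row first: the earliest bubbles rise highest, so each
    later row trails the previous one by row_pitch once all are in the column."""
    if any(len(row) > n_valves for row in rows):
        raise ValueError("image is wider than the number of air outlets")
    dt = row_pitch_mm / rise_speed_mm_s      # delay that yields the wanted pitch
    events = []
    for k, row in enumerate(rows):
        cols = tuple(i for i, px in enumerate(row) if px == "1")
        if cols:                               # blank rows need no pulse at all
            events.append(ValveEvent(t=round(k * dt, 4), columns=cols))
    return events


if __name__ == "__main__":
    for ev in schedule(render_text("17"), n_valves=8, rise_speed_mm_s=20.0, row_pitch_mm=10.0):
        print(f"t={ev.t:5.2f}s  pulse valves {ev.columns}")
```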


Cloned Gate Remote Does It (Slightly) Better

Ever make something just to see if you could? Yeah, we thought so. [serverframework] wanted to see if he could clone the remote that opens his neighborhood gate, inspired by the long distance ding-dong-ditch efforts of [Samy Kamkar].

This clone uses an ATtiny85 and an RF module to emulate and send the frequency that the gate is waiting for. To accomplish that, [serverframework] had to figure out both the operating frequency and the timing used by the remote. The crystal inside seemed to indicate 295 MHz, and a quick check of the device’s FCC registration confirmed it. Then he used an SDR dongle to watch the data coming across when he pressed the button, and ran it through Audacity to figure out the timing.

Unfortunately, the 295 MHz crystal is a rare beast, so [serverframework] had to transplant the original to the donor RF module. Then it was just a matter of programming the ATtiny85 to send the frequency with the right timing. It actually does a better job since the original has no timing crystal, and the ‘tiny is clocked with a standard 16 kHz oscillator. The code is available within [serverframework]’s excellent write-up, and you can see a tiny demo after the break.

There’s more than one way to clone a gate remote. This one leverages MQTT to turn friends’ phones into remotes.


Your WiFi Signals Are Revealing Your Location

The home may be the hearth, but it’s not going to be a place of safety for too long.

With the abundance of connected devices making their way into our homes, the growing volume of radio traffic may allow for more accurate methods of remote surveillance. By measuring the strength of ambient signals emitted from devices, a site can be remotely monitored for movement. That is to say, WiFi signals may soon pose a physical security vulnerability.

In a study from the University of Chicago and the University of California, Santa Barbara, researchers built on earlier work that used similar techniques to “see through walls” to demonstrate a proof-of-concept for passive listening. Attackers don’t need to transmit signals or break encryption to learn a victim’s location – they just need to listen to the ambient signals coming from connected devices, which makes bad actors harder to track down.

Typically, connected devices communicate to an access point such as a router rather than directly with the Internet. A person walking near a device can subtly change the signal propagated to the access point, which is picked up by a receiver sniffing the signal. Most building materials do not block WiFi signals from propagating, allowing receivers to be placed inconspicuously in different rooms from the access point.

WiFi sniffers are relatively inexpensive, with models available for less than $20. They’re also small enough to hide in inconspicuous locations – inside a backpack, inside a box – and emit no signal that a target could detect. The researchers proposed some methods for safeguarding against the vulnerability: insulating buildings against WiFi leakage (while ensuring that desirable signals, i.e. those from cell towers, can still enter) or having access points emit a “cover signal” that mixes in signals from connected devices to make it harder to sniff for motion.

While we may not be seeing buildings surrounded by Faraday cages anytime soon, there are only going to be more attack surfaces to worry about as our devices continue to become connected.

[Thanks to Qes for the tip!]