Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into the subject, which he presented in his NFC firmware hacking talk at this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s secure firmware update process, in hopes of running a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes to serious length describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.


DropController Sets The Bar For Documentation

dropController has the kind of documentation we wish would spontaneously generate itself whenever we build something. [Martyn Currey] built a robust rig for water droplet photography, and we don’t want to dismiss the hardware, but the most impressive part might be the website. It might not be very fancy, but it’s thorough and logically organized. You can find parts lists, assembly manuals, tutorials, sketches, and schematics. If only all the projects that came our way were so well detailed.

Water droplet photography is pretty cool, although freehanding it will make your patience fall faster than 9.81 m/s². The concept is that a solenoid valve will flicker open to release a drop of water, wait for a certain number of microseconds, and then trigger your DSLR via a wired remote cable. The tricky part comes from controlling as many as six valves and three flashes. We don’t have enough fingers and toes to press all those buttons.

The bill of materials contains many commonly available parts like an Arduino Nano, an LM2596 voltage regulator, some MOSFETS, an HC-06 Bluetooth module, plus standard audio connectors to hook everything up. Nothing should break the bank, but if money is not an issue, [Martyn] sells kits and complete units.

Waterdrop controllers are not the newest kids on the block, and strobe photography is a time-honored tradition.


Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 Safe Mode, security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device’s wireless chips can coexist (sometimes even sharing the same antenna) while keeping interference to a minimum. These are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are therefore essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary ones.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores, and coexistence information is exchanged directly between the cores over the Serial Enhanced Coexistence Interface (SECI) without going through the underlying operating system.

Spectra-class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure, and even code execution on another core. From an attacker’s perspective, the idea is to leverage a Bluetooth subsystem remote code execution (RCE) to achieve WiFi RCE, and maybe even LTE RCE. Keep in mind that this code execution happens inside these subsystem cores, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


ESP32 Turned Open Source COVID-19 Contact Tracer

Over the past few months we’ve heard a lot about contact tracers which are designed to inform users if they’ve potentially come into close proximity with someone who has the virus. Generally these systems have been based on smartphone applications, but there are also hardware solutions that can operate independently for those who are unable or unwilling to install the software. Which is precisely what [Tom Bensky] has implemented using an ESP32 and a USB battery bank.

The idea is simple: the software generates a unique ID which is broadcast by the ESP32 over Bluetooth Low Energy. Appended to that ID is a code that indicates the person’s current physical condition. There’s no centralized database; each user is expected to update their device daily with any symptoms they may be experiencing. If your tracker is blinking, that means somebody has come into close enough proximity that you should look at the collected data and see how they were feeling at the time.

It’s not a perfect system, of course, as for one thing the number of people that are willing and able to flash this firmware onto a spare ESP32 and carry the thing around with them all day is going to be extremely small. This might have filled an interesting niche if we were still going to hacker and maker cons this summer, but all of those have gone virtual anyway. That said, it’s an interesting look at how a decentralized contact tracing system can be implemented cheaply and quickly.

Another detail worth taking a look at is how [Tom] handled the user experience in his firmware. In an effort to make the tracer as easy as possible to configure, he’s using the Web Bluetooth capability of Google Chrome. Just open up the local web page in your browser, and it will handle talking to the hardware for you. Even if you’re not in the market for a contact tracer, we think this is a great example of how to handle end-user configuration on the ESP32.

We’ve already looked at contact tracer APIs from Google and Apple, dedicated COVID-19 hardware tokens, and even other open source attempts at decentralized proximity tracking. It’s a lot to process, and everyone seems to have their own idea on how it should be done. In the end, the most practical solution is probably to just stay at home as much as possible.

ESP8266 Makes A Wireless Card Reader

You can find commercial USB sticks that can also connect via WiFi. But [Neutrino] made his own using an ESP8266 married to a card reader. It all starts with the old trick of soldering a header to an SD card adapter. The USB port is still there, but it is only for power. A 3.3 V regulator and an ESP12E board round out the hardware.

Of course, the trick is the software. Starting from a few examples, he wound up providing an FTP server that you can connect to and send or receive files using that protocol.


Ham Radio Mobile Operations Circa 1919

You used to be able to tell a die-hard ham radio operator on the road by the number and length of antennas protruding porcupine-like from their vehicle. There are still some mobile high frequency operators that have respectable car-mounted antenna farms, but they have nothing on Alfred H. Grebe. In 1919, he fitted a medium wave transmitter in his car that operated around 2 MHz. Since it needed a very large antenna, Grebe rigged a wire antenna that looked like a clothesline between the two bumpers. Obviously, you had to stop, set up your antenna, and then operate — you couldn’t talk and drive. But this may have been the world’s first automotive radio setup for voice communication.

The car had a separate battery for the radio and a dynamotor to generate high voltage for the tubes. Although many radio enthusiasts found ways to add receivers to their cars in the 1920s, it would be 1930 before Motorola made radios especially for cars in production quantities.


Bubbles, The People-Pleasing Pandemic Panda

This year, [Thomas]’ neighborhood has gone from a quiet burg to a bustling lane full of families and children who go out walking for exercise and a change of scenery. Early on, a game emerged to distract children from the pandemic by turning these walks into bear hunts — that is, looking for stuffed bears sitting in the windows of houses and keeping count of them.

With no stuffed bears in the house, he decided to join in the fun by pasting up a 2D panda bear in the window that’s cute enough to calm anyone’s nerves. That was fun for a while, but then he turned it up to eleven by making an interactive 3D version named Bubbles the Bear that blows bubbles and speaks in a friendly voice.

Bubbles sits in a second-story window and waits for passers-by to press one of the buttons mounted on the utility pole below. Both buttons are wired to a 433 MHz remote that sends a signal to an ESP32 in Bubbles’ habitat that says it’s time to perform.

We particularly like the bubble maker that [Thomas] designed, which aims a blower fan with an air concentrator at a carousel of 3D printed bubble wands. Both the fan and the carousel can be controlled with a custom web app, and he gets an email every time Bubbles has a visitor that tells him how much bubble liquid is left. Check out the fun-size demo after the break.

Bubbles are fun, especially if you can make them in extremely large quantities. Bubbles can also do work — remember this next time you need a random number generator.
