ESP8266 And ESP32 WiFi Hacked!

[Matheus Garbelini] just came out with three (3!) different WiFi attacks on the popular ESP32/8266 family of chips. He notified Espressif first (thanks!) and they’ve patched around most of the vulnerabilities already, but if you’re running software on any of these chips that’s in a critical environment, you’d better push up new firmware pretty quick.

The first flaw is the simplest, and only affects ESP8266s. While connecting to an access point, the access point sends the ESP8266 an “AKM suite count” field that contains the number of authentication methods that are available for the connection. Because the ESP doesn’t do bounds-checking on this value, a malicious fake access point can send a large number here, probably overflowing a buffer, but definitely crashing the ESP. If you can send an ESP8266 a bogus beacon frame or probe response, you can crash it.

What’s most fun about the beacon frame crasher is that it can be implemented on an ESP8266 as well. Crash-ception! This takes advantage of the ESP’s packet injection mode, which we’ve covered before.
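To make the missing check concrete, here is an added example of what a defensive RSN element parser looks like; it is not Espressif's code or [Matheus]'s proof of concept. Every count read from the frame (pairwise cipher count and AKM suite count) is compared against a fixed upper bound and against the bytes that actually remain in the element before it is used as a loop limit. The `MAX_SUITES` value and the two sample element bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on suites this parser will accept; chosen for this example,
 * not a value from the 802.11 standard or the Espressif SDK. */
#define MAX_SUITES 8

struct rsn_info {
    uint16_t version;
    uint32_t group_cipher;
    uint16_t pairwise_count;
    uint32_t pairwise[MAX_SUITES];
    uint16_t akm_count;
    uint32_t akm[MAX_SUITES];
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Suite selectors are OUI:type; the four raw bytes are packed into a u32. */
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the body of an RSN element (bytes after Element ID and Length).
 * Returns 0 on success, -1 if any count exceeds MAX_SUITES or would run
 * past the end of the element. */
int parse_rsn_ie(const uint8_t *ie, size_t len, struct rsn_info *out)
{
    size_t pos = 0;
    uint16_t i;

    memset(out, 0, sizeof *out);
    if (len < 2 + 4 + 2)                      /* version + group + pairwise count */
        return -1;
    out->version = get_le16(ie + pos);        pos += 2;
    out->group_cipher = get_u32(ie + pos);    pos += 4;

    out->pairwise_count = get_le16(ie + pos); pos += 2;
    if (out->pairwise_count > MAX_SUITES || (len - pos) / 4 < out->pairwise_count)
        return -1;
    for (i = 0; i < out->pairwise_count; i++) {
        out->pairwise[i] = get_u32(ie + pos); pos += 4;
    }

    if (len - pos < 2)
        return -1;
    out->akm_count = get_le16(ie + pos);      pos += 2;
    /* This is the bounds check the article says the ESP8266 SDK lacked:
     * the count is validated before it drives any loop or copy. */
    if (out->akm_count > MAX_SUITES || (len - pos) / 4 < out->akm_count)
        return -1;
    for (i = 0; i < out->akm_count; i++) {
        out->akm[i] = get_u32(ie + pos);      pos += 4;
    }
    return 0;                                 /* RSN capabilities etc. are optional */
}

/* Constructed RSN element bodies for this example (not captured frames). */
static const uint8_t SAMPLE_OK[] = {
    0x01, 0x00,                 /* version 1 */
    0x00, 0x0f, 0xac, 0x04,     /* group cipher: CCMP */
    0x01, 0x00,                 /* 1 pairwise suite */
    0x00, 0x0f, 0xac, 0x04,     /* CCMP */
    0x01, 0x00,                 /* 1 AKM suite */
    0x00, 0x0f, 0xac, 0x02,     /* PSK */
    0x00, 0x00                  /* RSN capabilities */
};
static const uint8_t SAMPLE_BAD_AKM[] = {
    0x01, 0x00,
    0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00,
    0x00, 0x0f, 0xac, 0x04,
    0xff, 0xff,                 /* AKM count 65535: far more than the element holds */
    0x00, 0x0f, 0xac, 0x02,
    0x00, 0x00
};

/* Helpers that return the outcome as a value rather than printing it. */
int sample_ok_akm_count(void)
{
    struct rsn_info r;
    return parse_rsn_ie(SAMPLE_OK, sizeof SAMPLE_OK, &r) == 0 ? r.akm_count : -1;
}

int sample_bad_akm_result(void)
{
    struct rsn_info r;
    return parse_rsn_ie(SAMPLE_BAD_AKM, sizeof SAMPLE_BAD_AKM, &r);
}

int main(void)
{
    printf("valid element: akm_count=%d\n", sample_ok_akm_count());
    printf("oversized AKM count: parse result=%d\n", sample_bad_akm_result());
    return 0;
}
```

The design point is that a count coming off the air is attacker-controlled data, so it is checked twice: once against a sane fixed limit so a huge value can never size a copy, and once against the element's remaining length so a plausible-looking value cannot read past the frame. The malformed sample is rejected before a single suite is copied.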

The second and third vulnerabilities exploit bugs in the way the ESP libraries handle the extensible authentication protocol (EAP) which is mostly used in enterprise and higher-security environments. One hack makes the ESP32 or ESP8266 on the EAP-enabled network crash, but the other hack allows for a complete hijacking of the encrypted session.

These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash/DoS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks, but we’d really like to see Espressif patch up this hole anyway.

[Matheus] points out the irony that if you’re using WPA2, you’re actually safer than if you’re unpatched and using the nominally more secure EAP. He also wrote us that if you’re stuck with a bunch of ESP8266s in an EAP environment, you should at least encrypt and sign your data to prevent eavesdropping and/or replay attacks.

Again, because [Matheus] informed Espressif first, most of the bugs are already fixed. The fix has even percolated downstream into the Arduino-for-ESP core, where it was worked into the latest release a few hours ago. Time for an update. But those crusty old NodeMCU builds that we’ve got running everything in our house? Time for a full recompile.

We’ve always wondered when we’d see the first ESP8266 attacks in the wild, and that day has finally come. Thanks, [Matheus]!

Pegleg: Raspberry Pi Implanted Below The Skin (Not Coming To A Store Near You)

Earlier this month, a group of biohackers installed two Raspberry Pis in their legs. While that sounds like the bleeding edge, those computers were already v2 of a project called PegLeg. I was fortunate enough to see both versions in the flesh, so to speak. The first version was scarily large — a mainboard donated by a wifi router roughly the size of an Altoids tin. It’s a reminder that the line between technology’s cutting edge and bleeding edge is moving ever onward, and this one was firmly on the bleeding edge.

How does that line end up moving? Sometimes it’s just a matter of what intelligent people can accomplish in a long week. Back in May, during a three-day biohacker convention called Grindfest, someone said something along the lines of, “Wouldn’t it be cool if…” Anyone who has spent an hour in a maker space or hacker convention knows how those conversations go. Rather than ending with a laugh, things progressed at a fever pitch.

The router shed all non-vital components. USB ports: ground off. Plastic case: recycled. Battery: repurposed. Amazon’s fastest delivery brought a Qi wireless coil to power the implant from outside the body and the smallest USB stick with 64 GB on the silicon. The only recipient of PegLeg version 1.0 was [Lepht Anonym], who uses the pronoun ‘it’. [Lepht] has a well-earned reputation among biohackers who focus on technological implants, a community that often goes by the term “grinder,” not to be confused with the dating app or the power tool.


Following Pigs: Building An Injectable Livestock Tracking System

I’m often asked to design customer and employee tracking systems. There are quite a few ways to do it, and it’s an interesting intersection of engineering and ethics – what information is reasonable to collect in different contexts, anonymizing and securely storing it, and at a fundamental level whether the entire system should exist at all.

On one end of the spectrum, a system that simply counts the number of people that are in your restaurant at different times of day is pretty innocuous and allows you to offer better service. On the other end, when you don’t pay for a mobile app, generally that means your private data is the product being bought and sold. Personally, I find that the whole ‘move fast and break things’ attitude, along with a general disregard for the privacy of user data, has created a pretty toxic tech scene. So until a short while ago, I refused to build invasive tracking systems – then I got a request that I simply couldn’t put aside…


The Satellite Phone You Already Own: From Orbit, UbiquitiLink Will Look Like A Cell Tower

For anyone that’s ever been broken down along a remote stretch of highway and desperately searched for a cell signal, knowing that a constellation of communications satellites is zipping by overhead is cold comfort indeed. One needs specialized gear to tap into the satphone network, few of us can justify the expense of satellite phone service, and fewer still care to carry around a brick with a chunky antenna on it as our main phone.

But what if a regular phone could somehow leverage those satellites to make a call or send a text from a dead zone? As it turns out, it just might be possible to do exactly that, and a Virginia-based startup called UbiquitiLink is in the process of filling in all the gaps in cell phone coverage by orbiting a constellation of satellites that will act as cell towers of last resort. And the best part is that it’ll work with a regular cell phone — no brick needed.


Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised

It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.

The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.

With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.

The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.


Warshipping: A Free Raspberry Pi In The Mail Is Not Always A Welcome Gift

Leading edge computer security is veiled in secrecy — a world where novel attacks are sprung on those who do not yet know what they need to protect against. Once certain tactics have played out within cool kids’ circles, they are introduced to the rest of the world. An IBM red team presented what they’re calling “warshipping”: sending an adversarial network to you in a box.

Companies concerned about security have learned to protect their internet-accessible points of entry. Patrolling guards know to look for potential wardrivers parked near or repeatedly circling the grounds. But some are comparatively lax about their shipping & receiving, and they are the ideal targets for warshipping.

Bypassing internet firewalls and security perimeters, attack hardware is embedded inside a shipping box and delivered by any of the common carriers. Security guards may hassle a van bristling with antennas, but they’ll wave a FedEx truck right through! The hardware can be programmed to stay dormant through screening, waiting to probe once inside the walls.

The presentation described several ways to implement such an attack. There is nothing novel about the raw hardware – Raspberry Pi, GPS receiver, cellular modems, and such are standard fare for various projects on these pages. The creative part is the software and how the hardware is hidden: in packing material and in innocuous-looking plush toys. Or, for persistence, it can be hidden in a wall-mounted plaque alongside some discreet photovoltaic panels. (Editor’s note: What? No Great Seals?)

With this particular technique out in the open, we’re sure others are already in use and will be disclosed some years down the line. In the meantime, we can focus our efforts on more benign applications of similar technology, whether it is spying on our cat or finding the nearest fast food joint. The hardware is evolving as well: a Raspberry Pi actually seems rather heavyweight for this. How about a compact PCB with both an ESP32 and a cellular modem?

Via Ars Technica.

Broken HP-48 Calculator Reborn As Bluetooth Keyboard

Considering their hardware specification, graphing calculators surely feel like an anachronism in 2019. There are plenty of apps and other software available for that nowadays, and despite all our teachers’ preaching, we actually do carry calculators with us every day. On the other hand, never underestimate the power of muscle memory when using physical knobs and buttons instead of touch screen or mouse input. [epostkastl] combined the best of both worlds and turned his broken HP-48 into a Bluetooth LE keyboard to get the real feel with its emulated counterpart.

Initially implemented as a USB device, [epostkastl] opted for a wireless version this time, and connected an nRF52-based Adafruit Feather board to the HP-48’s conveniently exposed button matrix pins. For the software emulation side, he uses Emu48, an open source HP calculator emulator for Windows and Android. The great thing about Emu48 is that it supports fully customizable mappings of regular keyboard events to the emulated buttons, so you can easily map, say, the cosine button to the [C] key. The rest is straightforward: scanning the button matrix detects button presses, maps them to key events, and sends each as a BLE HID event to the receiving side running Emu48.
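The scan-map-send pipeline just described, as an added example that is not [epostkastl]’s firmware: a matrix scan is reduced to one column bitmask per row, rising edges between consecutive scans become key-press events (so a held key is not re-sent every scan), each event is looked up in a keymap of HID usage IDs, and the result is packed into a boot-protocol keyboard report that a BLE HID stack would transmit. The 3x3 keymap, the row/column assignment and the scan sequence are all constructed for this example; the real HP-48 matrix is larger and its mapping is whatever is configured in Emu48.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROWS 3
#define COLS 3

/* Assumed keymap for a 3x3 corner of the matrix: each entry is a HID
 * Keyboard/Keypad usage ID that Emu48 would be configured to map back to
 * the calculator key (e.g. 'c' for COS). Layout is hypothetical. */
static const uint8_t KEYMAP[ROWS][COLS] = {
    { 0x06 /* c: COS */, 0x16 /* s: SIN */, 0x17 /* t: TAN */ },
    { 0x1e /* 1      */, 0x1f /* 2      */, 0x20 /* 3      */ },
    { 0x28 /* Enter  */, 0x2a /* Bksp   */, 0x2c /* Space  */ },
};

/* Raw scan result: one column bitmask per row (bit c set = key at (r,c)
 * is held). On real hardware this comes from driving each row in turn and
 * reading the column inputs; here it is supplied directly. */
struct matrix_state { uint8_t rows[ROWS]; };

/* Compare the current scan with the previous one and append the usage IDs
 * of keys that changed from released to pressed. Returns how many were
 * emitted and updates *prev so held keys are not reported twice. */
size_t matrix_key_presses(const struct matrix_state *now,
                          struct matrix_state *prev,
                          uint8_t *out, size_t max_out)
{
    size_t n = 0;
    for (int r = 0; r < ROWS; r++) {
        uint8_t rising = now->rows[r] & (uint8_t)~prev->rows[r];
        for (int c = 0; c < COLS && n < max_out; c++)
            if (rising & (1u << c))
                out[n++] = KEYMAP[r][c];
        prev->rows[r] = now->rows[r];
    }
    return n;
}

/* Fill an 8-byte boot-protocol keyboard input report: modifier byte,
 * reserved byte, then up to six concurrent usage IDs. Returns bytes used. */
size_t build_hid_report(const uint8_t *usages, size_t n, uint8_t report[8])
{
    for (size_t i = 0; i < 8; i++) report[i] = 0;
    for (size_t i = 0; i < n && i < 6; i++) report[2 + i] = usages[i];
    return 8;
}

/* Constructed scan sequence: press COS, hold it, add '1', release all. */
static const struct matrix_state SCANS[] = {
    { { 0x01, 0x00, 0x00 } },   /* COS down */
    { { 0x01, 0x00, 0x00 } },   /* still held: no new event */
    { { 0x01, 0x01, 0x00 } },   /* '1' pressed while COS is held */
    { { 0x00, 0x00, 0x00 } },   /* everything released */
};

/* Run the sequence and return the total number of press events generated
 * (COS once and '1' once, so 2). */
int demo_total_press_events(void)
{
    struct matrix_state prev = { { 0, 0, 0 } };
    uint8_t keys[6], report[8];
    int total = 0;
    for (size_t i = 0; i < sizeof SCANS / sizeof SCANS[0]; i++) {
        size_t n = matrix_key_presses(&SCANS[i], &prev, keys, sizeof keys);
        if (n) {
            build_hid_report(keys, n, report);
            printf("scan %zu: %zu new key(s), report[2]=0x%02x\n", i, n, report[2]);
        }
        total += (int)n;
    }
    return total;
}

/* Usage ID reported for the very first scan (0x06, the COS key). */
int demo_first_usage(void)
{
    struct matrix_state prev = { { 0, 0, 0 } };
    uint8_t keys[6];
    size_t n = matrix_key_presses(&SCANS[0], &prev, keys, sizeof keys);
    return n ? keys[0] : -1;
}

int main(void)
{
    printf("first usage id: 0x%02x\n", demo_first_usage());
    printf("total press events: %d\n", demo_total_press_events());
    return 0;
}
```

Edge detection is what makes the calculator behave like a keyboard rather than a stuck key: only transitions are sent, and a release scan would be handled the same way with the complementary mask to emit an empty report. Debouncing is omitted here; on real switches you would require a state to be stable across a couple of scans before treating it as a transition.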

This essentially turns [epostkastl]’s HP-48 into a regular wireless keyboard in a compact package — albeit with a layout that outshines every QWERTY vs Dvorak debate. It can of course also find alternative use cases, for example as a media center remote control or a shortcut keyboard. After all, we’ve seen the latter built as stomp boxes and from finger training devices before, so why not a calculator?
