This Week In Security: Oracle Opera, Passkeys, And AirTag RFC

There’s a problem with Opera. No, not that kind of opera. The Oracle kind. Oracle OPERA is a Property Management Solution (PMS) that is in use in a bunch of big-name hotels around the world. The PMS is the system that handles reservations and check-ins, talks to the phone system to put room extensions in the proper state, and generally runs the back-end of the property. It’s old code, and handles a bunch of tasks. And researchers at Assetnote found a serious vulnerability. CVE-2023-21932 is an arbitrary file upload issue, and rates at least a 7.2 CVSS.

It’s a tricky one, where the code does all the right things, but gets the steps out of order. Two parameters, jndiname and username, are encrypted for transport, and the sanitization step happens before decryption. The username parameter receives no further sanitization after it is decrypted, and is vulnerable to path traversal injection. There are two restrictions on exploitation: the string encryption has to be valid, and the request has to include a valid Java Naming and Directory Interface (JNDI) name. It looks like these are the restrictions that led Oracle to describe this as a “difficult to exploit vulnerability allows high privileged attacker…”.

The only problem is that the encryption key is global and static. It was pretty straightforward to reverse engineer the encryption routine. And JNDI strings can be fetched anonymously from a trio of endpoints. This led Assetnote to conclude that Oracle’s understanding of the flaw is faulty, and a much higher CVSS score is appropriate. Particularly with this Proof of Concept code, it is relatively straightforward to upload a web shell to an Opera system.
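The ordering bug above is a general pattern, so here is an added example (not Assetnote’s proof of concept and not Oracle’s code) that models it: a toy upload handler that sanitizes the transport-encoded parameter before decoding it, next to the corrected ordering that decodes first, sanitizes the plaintext, and then checks where the resolved path actually lands. The transport encryption is a stand-in (base64) so the script runs offline; the real routine, its static key, the JNDI name check and the endpoints are deliberately not modelled, and the upload root and file names are constructed.

```python
"""Order-of-operations flaw in parameter sanitization (added example).

The 'encryption' is a base64 stand-in so the example runs offline; nothing
here reproduces the real product's routine or key.
"""
import base64
import posixpath

UPLOAD_ROOT = "/opt/app/uploads"  # constructed path, not from any product


def transport_encode(value: str) -> str:
    """Stand-in for the encryption applied to the parameter on the wire."""
    return base64.urlsafe_b64encode(value.encode()).decode()


def transport_decode(value: str) -> str:
    """Inverse of transport_encode (stand-in for the decryption step)."""
    return base64.urlsafe_b64decode(value.encode()).decode()


def sanitize(value: str) -> None:
    """Reject the usual path-traversal and separator characters."""
    if ".." in value or "/" in value or "\\" in value:
        raise ValueError("path traversal rejected")


def resolve_under_root(name: str) -> str:
    """Join name onto UPLOAD_ROOT and insist the result stays inside it."""
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if target != UPLOAD_ROOT and not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("resolved path escapes upload root")
    return target


def vulnerable_upload_path(encoded_username: str) -> str:
    """The flawed ordering: sanitize the encoded value, then decode it."""
    # The encoded form contains no '..' or '/', so this check always passes.
    sanitize(encoded_username)
    # Whatever the encoding hid is now used without any further check.
    username = transport_decode(encoded_username)
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, username))


def hardened_upload_path(encoded_username: str) -> str:
    """Corrected ordering: decode, sanitize the plaintext, verify the path."""
    username = transport_decode(encoded_username)
    sanitize(username)
    return resolve_under_root(username)


def try_handler(handler, encoded: str) -> str:
    """Run a handler and report a rejection instead of raising."""
    try:
        return handler(encoded)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a benign name and a traversal attempt.
    for raw in ("alice", "../../outside.txt"):
        enc = transport_encode(raw)
        print(f"{raw!r:22} vulnerable -> {try_handler(vulnerable_upload_path, enc)}")
        print(f"{raw!r:22} hardened   -> {try_handler(hardened_upload_path, enc)}")
```

Note that the hardened handler keeps both checks: sanitizing the decoded string catches the obvious cases, and `resolve_under_root` is the belt-and-braces check that the final path is inside the intended directory regardless of how the name was smuggled in.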

The one caveat there is that an attacker has to get network access to that install. These aren’t systems intended to be exposed to the internet, and my experience is that they are always on a dedicated network connection, not connected to the rest of the office network. Even the interconnect between the PMS and phone system is done via a serial connection, making this network flaw particularly hard to get to.


Hackaday Links: November 6, 2022

Remember the chip shortage? We sure do, mainly because as far as we can tell, it’s still going on, at least judging by the fact that you can’t get a Raspberry Pi for love or money. But that must just be noise, because according to a report in the Straits Times, the chip shortage is not only over, it’s reversed course enough that there’s now a glut of semiconductors out there. The article claims that the root cause of this is slowing demand for products like smartphones, an industry that’s seeing wave after wave of orders to semiconductor manufacturers like TSMC canceled. Chips for PCs are apparently in abundance now too, as the spasm of panic buying machines for remote working during the pandemic winds down. Automakers are still feeling the pinch, though, so much so that Toyota is now shipping only one smart key with new cars, instead of the usual two. So there seems to be some way to go before balance is restored to the market, but whatever — just call us when Amazon no longer has to offer financing on an 8 GB Pi.



Hackaday Links: October 23, 2022

There were strange doings this week as Dallas-Fort Worth Airport in Texas experienced two consecutive days of GPS outages. The problem first cropped up on the 17th, as the Federal Aviation Administration sent out an automated notice that GPS reception was “unreliable” within 40 nautical miles of DFW, an area that includes at least ten other airports. One runway at DFW, runway 35R, was actually closed for a while because of the anomaly. According to GPSjam.org — because of course someone built a global mapping app to track GPS coverage — the outage only got worse the next day, both spreading geographically and worsening in some areas. Some have noted that the area of the outage abuts Fort Hood, one of the largest military installations in the country, but there doesn’t appear to be any connection to military operations. The outage ended abruptly at around 11:00 PM local time on the 19th, and there’s still no word about what caused it. Loss of GPS isn’t exactly a “game over” problem for modern aviation, but it certainly is a problem, and at the very least it points out how easy the system is to break, either accidentally or intentionally.

In other air travel news, almost as quickly as Lufthansa appeared to ban the use of Apple AirTags in checked baggage, the airline reversed course on the decision. The original decision was supposed to have been based on “an abundance of caution” regarding the potential for disaster from its low-power transmitters, or should a stowed AirTag’s CR2032 battery explode. But as it turns out, the Luftfahrt-Bundesamt, the German civil aviation authority, agreed with the company’s further assessment that the tags pose little risk, green-lighting their return to the cargo compartment. What luck! The original ban totally didn’t have anything to do with the fact that passengers were shaming Lufthansa online by tracking their bags with AirTags while the company claimed they couldn’t locate them, and the sudden reversal is unrelated to the bad taste this left in passengers’ mouths. Of course, the reversal only opened the door to more adventures in AirTag luggage tracking, so that’s fun.

Energy prices are much on everyone’s mind these days, but the scale of the problem is somewhat a matter of perspective. Take, for instance, the European Organization for Nuclear Research (CERN), which runs a little thing known as the Large Hadron Collider, a 27-kilometer-long machine that smashes atoms together to delve into the mysteries of physics. In an average year, CERN uses 1.3 terawatt-hours of electricity to run the LHC and its associated equipment. Technically, this is what’s known as a hell of a lot of electricity, and given the current energy issues in Europe, CERN has agreed to shut down the LHC a bit early this year, shutting down in late November instead of the usual mid-December halt. What’s more, CERN has agreed to reduce usage by 20% next year, which will increase scientific competition for beamtime on the LHC. There’s only so much CERN can do to reduce the LHC’s usage, though — the cryogenic plant to cool the superconducting magnets draws a whopping 27 megawatts, and has to be kept going to prevent the magnets from quenching.

And finally, as if the COVID-19 pandemic hasn’t been weird enough, the fact that it has left in its wake survivors whose sense of smell is compromised is alarming. Our daily ritual during the height of the pandemic was to open up a jar of peanut butter and take a whiff, figuring that even the slightest attenuation of the smell would serve as an early warning system for symptom onset. Thankfully, the alarm hasn’t been tripped, but we know more than a few people who now suffer from what appears to be permanent anosmia. It’s no joke — losing one’s sense of smell can be downright dangerous; think “gas leak” or “spoiled food.” So it was with interest that we spied an article about a neuroprosthetic nose that might one day let the nasally challenged smell again. The idea is to use an array of chemical sensors to stimulate an array of electrodes implanted near the olfactory bulb. It’s an interesting idea, and the article provides a lot of fascinating details on how the olfactory sense actually works.

Apple AirTags Hacked And Cloned With Voltage Glitching

Apple AirTags are useful little devices. They essentially use iPhones in the wild as a mesh network to tell the owner where the AirTag is. Now, researchers have shown that it’s possible to clone these devices.

The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.

With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering the anti-stalking warnings built into Apple’s tracking system.

As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.

[Thanks to Itay for the tip!]

A small round NRF51822 board glued to the underside of a mailbox lid, with a small vibration sensor attached

Check Your Mailbox Using The AirTag Infrastructure

When a company creates an infrastructure of devices, we sometimes subvert this infrastructure and use it to solve tricky problems. For example, here’s a question that many a hacker has pondered – how do you detect when someone puts mail into your mailbox? Depending on the availability of power and wireless/wired connectivity options, this problem can range from “very easy” to “impractical to solve”. [dakhnod] just made this problem trivial for the vast majority of hackers, with the FakeTag project – piggybacking off Apple’s AirTag infrastructure.

This project uses a cheap generic CR2032-powered NRF51822 board, sending the mailbox status over the FindMy system Apple has built for the AirTag devices. For the incoming mail detection, he uses a simple vibration sensor, glued to the flap lid – we imagine that, for flap-less mailboxes, an optical sensor or a different kind of mechanical sensor could be used instead. Every time someone with a FindMy-friendly iPhone passes by [dakhnod]’s mailbox, he gets an update on its status, with a counter of times the sensor has been triggered. [dakhnod] estimates that the device could run for up to a year on a single battery.


No Privacy: Cloning The AirTag

You’ve probably heard of the infamous rule 34, but we’d like to propose a new rule — call it rule 35: Anything that can be used for nefarious purposes will be, even if you can’t think of how at the moment. Case in point: apparently there has been an uptick in people using AirTags to do bad things. People have used them to stalk people or to tag cars so they can be found later and stolen. According to [Fabian Bräunlein], Apple’s responses to this don’t consider cases where clones or modified AirTags are in play. To prove the point, he built a clone that bypasses the current protection features and used it to track a willing experimental subject for 5 days with no notifications.

According to the post, Apple says that AirTags have serial numbers and beep when they have not been around their host Apple device for a certain period. [Fabian] points out that clone tags don’t have serial numbers and may also not have speakers. There is apparently a thriving market, too, for genuine tags that have been modified to remove their speakers. [Fabian’s] clone uses an ESP32 with no speaker and no serial number.

The other protection, according to Apple, is that if they note an AirTag moving with you over some period of time without the owner, you get a notification. In other words, if your iPhone sees your own tag repeatedly, that’s fine. It also doesn’t mind seeing someone else’s tags if they are near you. But if your phone sees a tag many times and the owner isn’t around, you get a notification. That way, you can help identify random tags, but you’ll know if someone is trying to track you. [Fabian] gets around that by cycling between 2,000 pre-loaded public keys so that the tracked person’s device doesn’t realize that it is seeing the same tag over and over. Even Apple’s Android app that scans for trackers is vulnerable to this strategy.

Even for folks who aren’t particularly privacy minded, it’s pretty clear a worldwide network of mass-market devices that allow almost anyone to be tracked is a problem. But what’s the solution? Even the better strategies employed by AirGuard won’t catch everything, as [Fabian] explains.

This isn’t the first time we’ve had a look at privacy concerns around AirTags. Of course, it is always possible to build a tracker. But it is hard to get the worldwide network of Bluetooth listeners that Apple has.

This Week In Security: Breaking Apple ID, Political Hacktivism, And Airtag Tracking

Have you ever thought about all the complexities of a Single Sign On (SSO) implementation? A lot of engineering effort has gone into hardening against cross-site attacks — you wouldn’t want every site you visit to be able to hijack your Google or Facebook account. At the same time, SSO is the useful ability to use your authentication on one service to authenticate with an unrelated site. Does SSO ever compromise that hardening? If mistakes are made, absolutely, as [Zemnmez] discovered while looking at the Apple ID SSO system.
