This Week In Security: Find My Keylogger, Zephyr, And Active Exploitation

Keyloggers. Such a simple concept — you secretly record all the characters typed on a keyboard, and sort through it later for interesting data. That keyboard sniffer could be done in software, but a really sneaky approach is to implement the keylogger in hardware. Hardware keyloggers present a unique problem. How do you get the data back to whoever’s listening? One creative solution is to use Apple’s “Find My” tracking system. And if that link won’t let you read the story, a creative solution for that issue is to load the page with javascript disabled.

This is based on earlier work from [Fabian Bräunlein], dubbed “Send My”. As an aside, this is the worst naming paradigm, and Apple should feel bad for it. At the heart of this cleverness is the fact that Apple used the standard Bluetooth Low Energy (BLE) radio protocol, and any BLE device can act like an Apple AirTag. Bits can be encoded into the reported public key of the fake AirTag, and the receiving side can do a lookup for the possible keys.

A fake AirTag keylogger manages to transfer 26 characters per second over the “Find My” system, enough to keep up with even the fastest of typists, given that no keyboard is in use all the time. Apple has rolled out anti-tracking protections, and the rolling key used to transmit data also happens to completely defeat those protections. Continue reading “This Week In Security: Find My Keylogger, Zephyr, And Active Exploitation”

Hackaday Links Column Banner

Hackaday Links: October 9, 2022

Don’t you just hate it when you walk out of the bathroom with toilet paper stuck to your shoe? That’s a little bit like what happened when the Mars helicopter Ingenuity picked up a strange bit of debris on one of its landing pads. The foreign object was spotted on the helicopter’s down-pointing navigation camera, and looks for all the world like a streamer of toilet paper flopping around in the rotor wash. The copter eventually shed the debris, which wafted down to the Martian surface with no further incident, and without any apparent damage to the aircraft. NASA hasn’t said more about what the debris isn’t — aliens — than what it is, which of course is hard to say at this point. We’re going to go out on a limb and say it’s probably something we brought there, likely a scrap of plastic waste lost during the descent and landing phase of the mission. Or, you know, it’s getting to be close to Halloween, a time when the landscape gets magically festooned with toilet paper overnight. You never know.

Continue reading “Hackaday Links: October 9, 2022”

Apple AirTags Hacked And Cloned With Voltage Glitching

Apple AirTags are useful little devices. They essentially use iPhones in the wild as a mesh network to tell the owner where the AirTag is. Now, researchers have shown that it’s possible to clone these devices.

The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.

With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering anti-stalking warnings built into Apple’s tracing system.

As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.

[Thanks to Itay for the tip!]