Side Channel Attacks Against Mixed Signal Microcontrollers

You shouldn’t transmit encryption keys over Bluetooth, but that’s exactly what some popular wireless-enabled microcontrollers are already doing. This is the idea behind Screaming Channels, an exploit published by researchers at EURECOM that will be presented at Black Hat next week. So far, the researchers have investigated side-channel attacks on Bluetooth-enabled microcontrollers, allowing them to extract tinyAES keys from up to 10 meters away in controlled environments. A PDF of the paper is available and all the relevant code is available on GitHub.

The experimental setup for this exploit consisted of a BLE Nano (a breakout board for the Nordic nRF52832 Bluetooth microcontroller), a HackRF, a USRP N210 software-defined radio from Ettus, and a few high-gain antennas and LNAs. The example attack relies on installing firmware on the BLE Nano that runs through a few loops and encrypts something with tinyAES. Through very careful analysis of the RF spectrum, the AES keys can be extracted from the ether.

Side-channel attacks have gained a bit more popularity over recent years. What was once limited to Three Letter Agency-level Van Eck phreaking can now be done inexpensively on a hobbyist bench with devices like the ChipWhisperer.

Of course, this is only a demonstration of what is possible with side-channel attacks in a highly controlled environment, with a significant amount of work gone into the firmware running on the microcontroller. This isn’t evidence that balaclava-wearing hackers are sniffing your phone from across the parking lot to get the password to your Instagram account, but it does show what is possible with relatively cheap, off-the-shelf hardware.

Why Have Only One Radio, When You Can Have Two?

There are a multitude of radio shields for the Arduino and similar platforms, but they so often only support one protocol, manufacturer, or frequency band. [Jan Gromeš] was vexed by this in a project he saw, so decided to create a shield capable of supporting multiple different types. And because more is so often better, he also gave it space for not one, but two different radio modules. He calls the resulting Swiss Army Knife of Arduino radio shields the Kite, and he’s shared everything needed for one on a hackaday.io page and a GitHub repository.

Supported so far are ESP8266 modules, HC-05 Bluetooth modules, RFM69 FSK/OOK modules, SX127x series LoRa modules including the SX1272, SX1276 and SX1278, XBee modules (S2B), and he claims that more are in development. Since some of those operate in very similar frequency bands, it would be interesting to note whether any adverse effects come from their use in close proximity. We suspect there won’t be, because the protocols involved are designed to be resilient, but there is nothing like a real-world example to prove it.

This project is unique, so we’re struggling to find previous Hackaday features of analogous ones. We have however looked at an overview of choosing the right wireless tech.

Screaming Channels Attack RF Security

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it relies on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, breaking the code becomes relatively easy.

Turn A Cheap Bluetooth Speaker Into An Audio Receiver

Cheap Bluetooth speakers come in all kinds of shapes and colors, and they let you conveniently stream music, for example from your mobile phone. For [mcmchris], though, they had one significant shortcoming: while most of them come with some auxiliary input port as an alternative audio source, they usually lack an audio output port that would let him route the audio to his more enjoyable big-speaker sound setup. Lucky for him, it’s a problem that can be fixed with a wire cutter and a soldering iron, and so he simply turned his cheap speaker into a Bluetooth audio receiver.

After opening the speaker, [mcmchris] discovered a regular F-6188 Bluetooth audio module built around the BK8000L chip, with the audio jack connected to the chip’s aux input pins. Taking a close look at the PCB, the solution seemed obvious: cut the connection to the chip’s aux input pins, and connect the audio jack in parallel with the audio signal itself. After some trial and error, the output pins of the on-board op-amp seemed to provide the best audio signal for his shiny new output jack. You can see more details about the speaker’s inner life and a demonstration in the video after the break — in Spanish.

If the concept looks familiar to you, we’ve indeed seen a very similar approach to equip a Google Home Mini with an audio output jack before. The alternative is of course to just build a decent sized Bluetooth speaker yourself.

Explore Low-Energy Bluetooth By Gaming

For several years now, a more energy-efficient version of Bluetooth has been available for use in certain wireless applications, although it hasn’t always been straightforward to use. Luckily now there’s a development platform for Bluetooth Low Energy (BLE) from Texas Instruments that makes using this protocol much easier, as [Markel] demonstrates with a homebrew video game controller.

The core of the project is of course the TI LaunchPad with the BLE package, which uses a 32-bit ARM microcontroller running at 48 MHz. For this project, [Markel] also uses an Educational BoosterPack MKII, another TI device which resembles an NES controller. To get everything set up, though, he does have to make some hardware modifications, but in the end he has a functioning wireless video game controller that can run for an incredibly long time on just four AA batteries.

If you’re building a retro gaming console, this isn’t too bad a product to get your system off the ground using modern technology disguised as an 8-bit-era controller. If you need some inspiration beyond the design of the controller, though, we have lots of examples to explore.

Vintage Headphones Bluetooth Conversion Goes The Extra Mile

[KaZjjW] wanted to retrofit a pair of nicely styled vintage headphones to be able to play wirelessly over Bluetooth. In principle this is an easy task: simply stick a Bluetooth audio receiver on the line-in, add a battery, and you’re all set. However, [KaZjjW] wanted to keep the aesthetic changes to the headphones at an absolute minimum, retaining the existing casing and volume control, whilst cramming the electronics entirely inside and out of sight.

With the inherent space constraints inside the cups of the headphones, this proved to be quite a challenge. The existing volume potentiometer which hung half outside the case was remounted on an ingenious hinge made of two PCBs, with the pot floating next to a surface mounted switch. This allowed it to not only control the volume, but also act as an on/off switch for the Bluetooth. The only other existing cuts in the casing were a circular hole for the audio cable, and a slit for the cable strain relief. These worked perfectly for an LED status indicator and micro-USB battery charging.

The main chip used for receiving audio over Bluetooth was the BM62 by Microchip. It’s a great all-in-one solution for this kind of project as it has built-in battery charging, an on-board DAC and audio amp, as well as a serial control interface. In part 2 of the project log, the process of programming the BM62 was documented, and it was painful – it’s a shame that the software support lets it down. But a hacker will always find a way, and we’ve seen some pretty neat hacks for reprogramming existing chips in off-the-shelf Bluetooth headphones.

There are two PCBs for the pot button hinge, one for the LED and micro-USB connector, and one for the Bluetooth receiver and a PIC. That’s four PCBs in a pretty small space, enabled by some commendable design effort both electronically and mechanically. It certainly paid off, as the finished product looks very slick.

Worn Train Rails Get Judged By Laser

[Calango] is a railway technician, and for a school final project created the Rail Wear Surveillance Trolley (RWST), a delightfully designed device made mainly from PVC conduit with one job: travel down a segment of train track while shining a green laser onto the rail, and capture camera images. The trolley holds both the laser and the camera at just the right angles for the camera to capture a profile of the rail’s curved surface. The images are sent via Bluetooth to a smartphone for later analysis. Rail wear can be judged by checking how well the profile of the rail conforms to the ideal profile of an unworn segment. The trolley is manually pushed by an operator, but [Calango] says that ideally it would be self-propelled, able to inspect a length of track and then return on its own.

The project was made on a tight budget, which led to some clever solutions like using a rotary encoder attached to a wheel as a makeshift distance sensor. If things get desperate enough, it’s even possible to roll your own rotary encoder with a 3D printer and two microswitches.