Inside an Amateur Bugging Device

[Mitch] got interested in the S8 “data line locator” so he did the work to tear into its hardware and software. If you haven’t seen these, they appear to be a USB cable. However, inside the USB plug is a small GSM radio that allows you to query the device for its location, listen on a tiny microphone, or even have it call you back when it hears something. The idea is that you plug the cable into your car charger and a thief would never know it was a tracking device. Of course, you can probably think of less savory uses despite the warning on Banggood:

Please strictly abide by the relevant laws of the state, shall not be used for any illegal use of this product, the consequences of the use of self conceit.

We aren’t sure what the last part means, but we are pretty sure people can and will use these for no good, so it is interesting to see what they contain.

Continue reading “Inside an Amateur Bugging Device”

10 Year Old Bug Crushed By Hacker on a Mission

PCI pass through is the ability of a virtualized guest system to directly access PCI hardware. Pass through for dedicated GPUs has just recently been added to the Linux kernel-based virtual machine. Soon afterward, users began to find that switching on nested page tables (NPT), a technology intended to provide hardware acceleration for virtual machines, had the opposite effect on AMD platforms and slowed frame rate down to a crawl.

Annoyed by this [gnif] set out to to fix the problem. His first step was to run graphics benchmarks to isolate the source of the problem. Having identified the culprit in the GPU, [gnif] began to read up on the involved technology stack. Three days of wrapping his head around technical docs allowed [gnif] to find the single line of code that resulted in a faulty memory set up and to implement a basic fix. He then passed the work on to [Paolo Bonzini] at patchwork.kernel.org, who released a more refined patch.

The bug affecting PCI pass through had been around for ten years and had received little attention from the manufacturer. It gained prominence when graphics cards were affected. In the end it took one very dedicated user three days to fix it, and then another day to roll out a patch for Open Source operating systems. In his notes [gnif] points out how helpful AMDs documentation was. With the right to repair in debate, DRMed technical docs and standards locked behind paywalls, [gnif]’s story is a reminder of the importance of accessible quality documentation.

Spy Tech: Nonlinear Junction Detectors

If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead give away. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?

High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russian and China have been known to use them and prisons employ them to find cell phones. Their claim to fame is the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD, below

Continue reading “Spy Tech: Nonlinear Junction Detectors”

Broadpwn – All Your Mobiles are Belong to Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles are Belong to Us”

Fixing Bugs In Ancient BASIC Games

Before everyone learned programming on Stack Exchange, things were much different. Computer magazines had BASIC programs in them, which readers would type out, line by line, and hit RUN. In theory, this is a terrible way to learn programming; it’s simply rote recitation without any insight into what the code is actually doing. Of course, copying and pasting from Stack Exchange is exactly the same thing, so maybe these magazines were ahead of the curve.

[0xA000] recently came across one of his old computer magazines containing the type-in listing for Blindganger, a game where you wander a maze blindly. When [0xA000] typed this game into his C64 back in 1988, the game didn’t work. Thirty years later, he decided to give it another go and ended up fixing bugs in an old computer game.

When [0xA000] typed this game into his computer back in 1988, the map just didn’t work, and the final screen revealed a maze where the walls were where they shouldn’t be. A quick Google turned up a disk image of the same game that had the same problem. This bug was obviously in the section of code that draws the map at the end of the game, so [0xA000] started looking there. The offending typo in the code was an $F4 instead of an $F5, or 244 instead of 255. This shifted the colors of the map by 11 positions, meaning the locations marked as visited in the final screen were wrong. Whether this bug cropped up in development or was just a simple typo when typesetting the magazine doesn’t really matter now; after 29 years, this bug is fixed.

Build a Tiny (Unstable) Bugging Device

We don’t know who the [amgworkshop] wanted to listen in on, but they apparently went searching for a small FM wireless transmitter. There’s plenty of circuits around, but they wanted something smaller. The original circuit had a variable capacitor to tune the output frequency. The new design uses a fixed capacitor and a spring for an antenna. You can see the build steps in the video below, but don’t expect a lot of frequency stability or fidelity out of a single transistor transmitter.

The parts list is minimal. In addition to a coin cell holder (which serves as the construction base), you need a transistor, two resistors, three capacitors, a homemade inductor (very easy to make with some wire and a drill bit), and an electret microphone. Of course, you need a battery, too. The whole thing is potted with hot glue.

Continue reading “Build a Tiny (Unstable) Bugging Device”

Hacking When It Counts: Spy Radios

World War II can be thought of as the first electronic war. Radio technology was firmly established commercially by the late 1930s and poised to make huge contributions to the prosecution of the war on all sides. Radio was rapidly adopted into the battlefield, which led to advancements in miniaturization and ruggedization of previously bulky and fragile vacuum tube gear. Radios were soon being used for everything from coordinating battlefield units to detonating anti-aircraft artillery shells.

But it was not just the battlefields of WWII that benefitted from radio technology. From apartments in Berlin to farmhouses in France, covert agents toiled away over sophisticated transceivers, keying in coded messages and listening for instructions. Spy radios were key clandestine assets, both during the war and later during the Cold War. Continue reading “Hacking When It Counts: Spy Radios”