35C3: Finding Bugs in Bluetooth

[Jiska Classen] and [Dennis Mantz] created a tool called Internal Blue that aims to be a Swiss-army knife for playing around with Bluetooth at a lower level. The ground for their tool is based in three functions that are common to all Broadcom Bluetooth chipsets: one that lets you read arbitrary memory, on that lets you run it, and one that lets you write it. Well, that was easy. The rest of their work was analyzing this code, and learning how to replace the firmware with their own version. That took them a few months of hard reversing work.

In the end, Internal Blue lets them execute commands at one layer deeper — the LMP layer — easily allowing monitoring and injection. In a series of live (and successful!) demos they probe around on a Nexus 6P from a modified Nexus 5 on their desk. This is where they started digging around in the Bluetooth stack of other devices with Broadcom chipsets, and that’s where they started finding bugs.

As is often the case, [Jiska] was just poking around and found an external code handler that didn’t do bounds checking. And that meant that she could run other functions in the firmware simply by passing the address handler offset. Since they’re essentially calling functions at any location in memory, finding which functions to call with which arguments is a process of trial and error, but the ramifications of this include at least a Bluetooth module crash and reset, but can also pull such tricks as putting the Bluetooth module into “Device Under Test” mode, which should only be accessible from the device itself. All of this is before pairing with the device — just walking by is sufficient to invoke functions through the buggy handler.

All the details of this exploit aren’t yet available, because Broadcom hasn’t fixed the firmware for probably millions of devices in the wild. And one of the reasons that they haven’t fixed it is that patching the bug will disclose where the flaw lies in all of the unpatched phones, and not all vendors can be counted on to push out updates at the same time. While they focused on the Nexus 5 cellphone, which is fairly old now, it’s applicable to any device with a similar Broadcom Bluetooth chipset.

Aside from the zero-day bug here, the big story is their Bluetooth analysis framework which will surely help other researchers learn more about Bluetooth, finding more glitches and hopefully helping make Bluetooth more openly scrutinized and more secure. Now anyone with a Raspberry Pi 3/3+ or a Nexus 5, is able to turn it into a low-level Bluetooth investigation tool.

You might know [Jiska] from her previous FitBit hack. If not, be sure to check it out.

Continue reading “35C3: Finding Bugs in Bluetooth”

Bitcoin’s Double Spending Flaw Was Hush-Hush During Rollout

For a little while it was possible to spend Bitcoin twice. Think of it like a coin on a string, you put it into the vending machine to get a delicious snack, but if you pull the string quickly enough you could spend it again on some soda too. Except this coin is worth something like eighty-grand.

On September 20, the full details of the latest fix for the Bitcoin Core were published. This information came two days after the fix was actually released. Two vulnerabilities were involved; a Denial of Service vulnerability and a critical inflation vulnerability, both covered in CVE-2018-17144. These were originally reported to several developers working on Bitcoin Core, as well as projects supporting other cryptocurrencies, including ABC and Unlimited.

Let’s take a look at how this worked, and how the network was patched (while being kept quiet) to close up this vulnerability.

Continue reading “Bitcoin’s Double Spending Flaw Was Hush-Hush During Rollout”

Hackaday Links: June 3, 2018

All the Radio Shacks are dead. adioS, or something. But wait, what’s this? There are new Radio Shacks opening. Here’s one in Idaho, and here’s another in Claremore, Oklahoma. This isn’t like the ‘Blockbuster Video in Nome, Alaska’ that clings on by virtue of being so remote; Claremore isn’t that far from Tulsa, and the one in Idaho is in a town with a population of 50,000. Are these corporate stores, or are they the (cool) independent Radio Shacks? Are there component drawers? Anyone want to take a field trip and report?

A few years ago, [cnxsoft] bought a Sonoff WiFi switch to control a well pump. Despite this being a way to control the flow of massive amounts of water with an Internet of Things thing, we’re still rocking it antediluvian style, and for the most part this WiFi-connected relay worked well. Until it didn’t. For the past few days, the switch wouldn’t connect to the network, so [cnxsoft] cracked it open to figure out why. There was one burnt component, and more than one electrocuted insect. Apparently, an ant bridged two pins, was shortly electrocuted, and toasted a resistor. It’s a bug, a real bug, in an Internet of Things thing.

eInk is coming to license plates? Apparently. Since an eInk license plate already includes some electronics, it wouldn’t be much to add some tracking hardware for a surveillance state.

Hold up, it’s a press release about crypto hardware. No, not that crypto, the other crypto. Asus has announced a new motherboard that is capable of supporting twenty graphics cards. This isn’t a six-foot-wide motherboard; it’s designed especially for coin mining, and for that, the graphics cards really only need a PCIe x1 connection. The real trick here is not using PCIe headers, and instead piping everything over vertical-mount USB ports. Yes, this is a slight cabling nightmare. So, you still think the early 80s with fluorinert waterfalls and Blinkenlights that played Game of Life was the pinnacle of style in computer hardware? No, this is it right here.

Here’s a book you should readIgnition!: An Informal History of Liquid Rocket Propellants by John Drury Clark is a fantastic book about how modern liquid rocket fuel came to be. Want to know why 60s cartoons and spy movies always referenced a ‘secret rocket fuel formula’ when kerosene and liquid oxygen work just fine? This is that. Back when we covered it, the book, used, on Amazon, cost $500. It’s now in print again and priced reasonably. It’s on the Inc. 9 Powerful Books Elon Musk Recommends list, so you know it’s good. Thanks, [Ben] for sending this one in on the tip line.

Tiny Transmitter Brings Out the Spy Inside You

When it comes to surveillance, why let the government have all the fun? This tiny spy transmitter is just the thing you need to jumpstart your recreational espionage efforts.

We kid, of course — you’ll want to stay within the law of the land if you choose to build [TomTechTod]’s diminutive transmitter. Barely bigger than the 337 button cell that powers it, the scrap of PCB packs a fair number of surface mount components, most in 0201 packages. Even so, the transmitter is a simple design, with a two transistor audio stage amplifying the signal from the MEMS microphone and feeding an oscillator that uses a surface acoustic wave (SAW) resonator for stability. The bug is tuned for the 433-MHz low-power devices band, and from the video below, it appears to have decent range with the random wire antenna — maybe 50 meters. [TomTechTod] has all the build files posted, including Gerbers and a BOM with Digikey part numbers, so it should be easy to make one for your fieldcraft kit.

If you want to dive deeper into the world of electronic espionage, boy, have we got you covered. Here’s a primer on microphone bugs, a history of spy radios, or how backscatter was used to bug an embassy.

Continue reading “Tiny Transmitter Brings Out the Spy Inside You”

Mini Spy Bug Walkthrough

What we like most about [GreatScott’s] project videos is that he not only shows making them but also the calculations for selecting parts and the modifications along the way. This time he’s made a mini spy bug that records up to nine hours of audio.

His first task was to figure out if the ATmega328p’s ADC is suitable for audio sampling, but only after he explains how sampling works by periodically checking the input voltage from the microphone. Checking the datasheet he found that the ADC’s fastest conversion time is 13 microseconds, which works out to a sampling rate of 76.923 kHz. Good enough.

He then walks through why and how he decided to go with a pre-made amplifier circuit built around the MAX9814 IC. Spoiler alert. His electret’s amplifier output voltage was too low, using an off-the-shelf circuit instead of making his own kept things simple, and the circuit has automatic gain control.

At this point, he added the MicroSD card adapter. Why not just transmit the audio over FM as so many others have done with their hacks? Perhaps he’s worried about someone detecting the transmission and finding his bug.

His final optimization involved getting a good battery life. He measured the circuit’s current draw at 20 milliamps. With a 160 mAh battery capacity, that would be 8 hours of recording time. Removing the Arduino Pro Mini’s voltage regulator and two LEDs got the current down to 18 milliamps and a recording time of 9 hours. Better.

Those are the highlights. Enjoy his full walkthrough in the video below.

Continue reading “Mini Spy Bug Walkthrough”

Inside an Amateur Bugging Device

[Mitch] got interested in the S8 “data line locator” so he did the work to tear into its hardware and software. If you haven’t seen these, they appear to be a USB cable. However, inside the USB plug is a small GSM radio that allows you to query the device for its location, listen on a tiny microphone, or even have it call you back when it hears something. The idea is that you plug the cable into your car charger and a thief would never know it was a tracking device. Of course, you can probably think of less savory uses despite the warning on Banggood:

Please strictly abide by the relevant laws of the state, shall not be used for any illegal use of this product, the consequences of the use of self conceit.

We aren’t sure what the last part means, but we are pretty sure people can and will use these for no good, so it is interesting to see what they contain.

Continue reading “Inside an Amateur Bugging Device”

10 Year Old Bug Crushed By Hacker on a Mission

PCI pass through is the ability of a virtualized guest system to directly access PCI hardware. Pass through for dedicated GPUs has just recently been added to the Linux kernel-based virtual machine. Soon afterward, users began to find that switching on nested page tables (NPT), a technology intended to provide hardware acceleration for virtual machines, had the opposite effect on AMD platforms and slowed frame rate down to a crawl.

Annoyed by this [gnif] set out to to fix the problem. His first step was to run graphics benchmarks to isolate the source of the problem. Having identified the culprit in the GPU, [gnif] began to read up on the involved technology stack. Three days of wrapping his head around technical docs allowed [gnif] to find the single line of code that resulted in a faulty memory set up and to implement a basic fix. He then passed the work on to [Paolo Bonzini] at patchwork.kernel.org, who released a more refined patch.

The bug affecting PCI pass through had been around for ten years and had received little attention from the manufacturer. It gained prominence when graphics cards were affected. In the end it took one very dedicated user three days to fix it, and then another day to roll out a patch for Open Source operating systems. In his notes [gnif] points out how helpful AMDs documentation was. With the right to repair in debate, DRMed technical docs and standards locked behind paywalls, [gnif]’s story is a reminder of the importance of accessible quality documentation.