Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into that subject, which he presented in his NFC firmware hacking talk at for this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s safe firmware update process, in hopes to run a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes at serious length into describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.

Continue reading “Breaking Smartphone NFC Firmware: The Gory Details”

Eavesdropping On Satellites For Fun And Profit

Geosynchronous satellites, girdling the Earth from their perches 36,000 km above the equator, are remarkably useful devices. Depending on where they’re parked, they command views of perhaps a third of the globe at a time, making them perfect communications relays. But as [James Pavur] points out in his DEF CON Safe Mode talk, “Whispers Among the Stars”, geosynchronous satellite communication links are often far from secure.

[James], a D. Phil. student in Systems Security at Oxford University, relates that his exploits rely on the wide areas covered by the downlink signals from the satellites, coupled with security as an afterthought, if it was even thought of at all by satellite service providers. This lackadaisical approach let him use little more than a regular digital satellite TV dish and a tuner card for a PC — off-the-shelf stuff that you’d really have to try hard to spend more than $300 on — to tap into sensitive information.

While decoding the digital signals from satellites into something parseable can be done with commercial applications, [James] and his colleagues built a custom tool, GSExtract, to pull data from the often noisy signals coming down from on high. The setup returned an amazing bounty of information, like maritime operators relaying the passport information of crew members from ship to shore, point-of-sale terminal information from cruise ships in the Mediterranean, and in-flight entertainment systems in jet airliners. The last example proved particularly alarming, as it revealed an exploitable connection between the systems dedicated to keeping passengers content and those in the cockpit, which clearly should not be the case.

We found [James’] insights on these weaknesses in satellite communications fascinating, and it’s well worth the 45 minutes to watch the video below and perhaps try these exploits, which amount to side-channel attacks, for yourself.

Continue reading “Eavesdropping On Satellites For Fun And Profit”

This Week In Security: DEF CON, Intel Leaks, Snapdragon, And A Robot Possessed

Last weekend, DEF CON held their “SAFE MODE” conference: instead of meeting at a physical venue, the entire conference was held online. All the presentations are available on the official DEF CON YouTube channel. We’ll cover a few of the presentations here, and watch out for other articles on HaD with details on the other talks that we found interesting.
Continue reading “This Week In Security: DEF CON, Intel Leaks, Snapdragon, And A Robot Possessed”

Hands-On: AND!XOR Unofficial DC28 Badge Embraces The Acrylic Stackup

Still hot from the solder party, a new AND!XOR badge just landed on my desk courtesy of the hacking crew that has been living the #badgelife for the past five years. Originally based on the Futurama character Bender, the design has morphed to the point that it’s no longer recognizable as a descendant of that belligerent robot. Instead we have a skeletal midget whose face is half covered by a gear-themed mask.

At first glance, you might not even notice the character design because you’re too distracted by the beautiful composure of the hardware. This year’s badge includes a double stack-up of acrylic on top of a red circuit-board. Anyone who has used acrylic bezels in a badge design can tell you the cost for material and laser cutting time is significant. In this case the overall aesthetic of the badge is based upon the look of the mirrored gold with the art detail laser etched into the back. It’s a unique bling without even turning the power on. Continue reading “Hands-On: AND!XOR Unofficial DC28 Badge Embraces The Acrylic Stackup”

Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 DEF CON Safe Mode, security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur, the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kind of problems, manufacturers had to implement strategies so that the devices wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. They are called coexistence mechanisms and enable high-performance communication on intersecting frequency bands and thus, they are essential to any modern mobile device. Despite open solutions exist, such as the Mobile Wireless Standards, the manufacturers usually implement proprietary solutions.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores in which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here is, from an attacker perspective, to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.

Continue reading “Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack”

2020: Everything Is Virtual

It’s like the dystopian future arrived out of the blue. From one year to the next we went from holing up in overly air-conditioned hotel ballrooms and actually meeting our fellow meatbags in the flesh, to huddling in our pods and staring at the screens. I’m looking for the taps to hook me in to the Matrix at this point.

But if you haven’t yet received your flying car or your daily Soma ration, you can still take comfort in one thing: all of the hacker conferences are streaming live, as if it were some fantastic cyber-future! In fact, as we type this, someone is telling you how to print your way to free drinks on USAir flights as part of HOPE’s offering, but the talks will continue for the next few days. (Go straight to live stream one.)

If retrocomputing is more your thing, Saturday marks the start of the virtual Vintage Computer Festival West of which Hackaday is a proud sponsor. (Here’s the schedule.)

And next weekend is DEF CON in Safe Mode with Networking. While we can totally imagine how the talks and demo sessions will work, the Villages, informal talks and hack-togethers based on a common theme, will be a real test of distributed conferencing.

OK, I’ll admit it: I really miss getting together with folks and having the truly random conversations that pre-scripted teleconferences just don’t seem to facilitate. Lobbycon suffers in lockdown. But if you’ve never been to any of these events, and you just want a taste of the talks and presentations at least, now’s your chance to get in for free. And if you like what you see, and if the virus lets us, we’ll see you in person next summer!

Hands-On: The Pandemic DEF CON Badge Is An Audio Cassette

My DEF CON Safe Mode badge just arrived in the mail this afternoon. The Vegas-based conference which normally hosts around 30,000 attendees every year has moved online in response to the global pandemic, and the virtual event spins up August 6-9. Known for creative badges, North America’s most well-known infosec con has a tick-tock cycle that alternates electronic and non-electronic badges from year to year. During this off-year, the badge is an obscure deprecated media: the audio cassette.

This choice harkens back to the DEF CON 23 badge which was an vinyl record — I have the same problem I did back in 2015… I lack access to playback this archaic medium. Luckily [Grifter] pointed everyone to a dump of the audio contents over at Internet Archive, although knowing how competitive the badge hacking for DEF CON is, I’m skeptical about the reliability of these files. Your best bet is to pull the dust cover off your ’88 Camry and let your own cassette roll in the tape deck. I also wonder if there are different versions of the tape.

But enough speculation, let’s look at what physically comes with the DEF CON 28 badge.

Continue reading “Hands-On: The Pandemic DEF CON Badge Is An Audio Cassette”