Eavesdropping On Satellites For Fun And Profit

Geosynchronous satellites, girdling the Earth from their perches 36,000 km above the equator, are remarkably useful devices. Depending on where they’re parked, they command views of perhaps a third of the globe at a time, making them perfect communications relays. But as [James Pavur] points out in his DEF CON Safe Mode talk, “Whispers Among the Stars”, geosynchronous satellite communication links are often far from secure.

[James], a D. Phil. student in Systems Security at Oxford University, relates that his exploits rely on the wide areas covered by the downlink signals from the satellites, coupled with security as an afterthought, if it was even thought of at all by satellite service providers. This lackadaisical approach let him use little more than a regular digital satellite TV dish and a tuner card for a PC — off-the-shelf stuff that you’d really have to try hard to spend more than $300 on — to tap into sensitive information.

While decoding the digital signals from satellites into something parseable can be done with commercial applications, [James] and his colleagues built a custom tool, GSExtract, to pull data from the often noisy signals coming down from on high. The setup returned an amazing bounty of information, like maritime operators relaying the passport information of crew members from ship to shore, point-of-sale terminal information from cruise ships in the Mediterranean, and in-flight entertainment systems in jet airliners. The last example proved particularly alarming, as it revealed an exploitable connection between the systems dedicated to keeping passengers content and those in the cockpit, which clearly should not be the case.

We found [James’] insights on these weaknesses in satellite communications fascinating, and it’s well worth the 45 minutes to watch the video below and perhaps try these exploits, which amount to side-channel attacks, for yourself.


This Week In Security: DEF CON, Intel Leaks, Snapdragon, And A Robot Possessed

Last weekend, DEF CON held their “SAFE MODE” conference: instead of meeting at a physical venue, the entire conference was held online. All the presentations are available on the official DEF CON YouTube channel. We’ll cover a few of the presentations here, and watch out for other articles on HaD with details on the other talks that we found interesting.

Hands-On: AND!XOR Unofficial DC28 Badge Embraces The Acrylic Stackup

Still hot from the solder party, a new AND!XOR badge just landed on my desk courtesy of the hacking crew that has been living the #badgelife for the past five years. Originally based on the Futurama character Bender, the design has morphed to the point that it’s no longer recognizable as a descendant of that belligerent robot. Instead we have a skeletal midget whose face is half covered by a gear-themed mask.


Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device's wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. These are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are thus essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary ones.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure, and even code execution on another core. The reasoning here, from an attacker's perspective, is to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


2020: Everything Is Virtual

It’s like the dystopian future arrived out of the blue. From one year to the next we went from holing up in overly air-conditioned hotel ballrooms and actually meeting our fellow meatbags in the flesh, to huddling in our pods and staring at the screens. I’m looking for the taps to hook me in to the Matrix at this point.

But if you haven’t yet received your flying car or your daily Soma ration, you can still take comfort in one thing: all of the hacker conferences are streaming live, as if it were some fantastic cyber-future! In fact, as we type this, someone is telling you how to print your way to free drinks on USAir flights as part of HOPE’s offering, but the talks will continue for the next few days. (Go straight to live stream one.)

If retrocomputing is more your thing, Saturday marks the start of the virtual Vintage Computer Festival West of which Hackaday is a proud sponsor. (Here’s the schedule.)

And next weekend is DEF CON in Safe Mode with Networking. While we can totally imagine how the talks and demo sessions will work, the Villages, informal talks and hack-togethers based on a common theme, will be a real test of distributed conferencing.

OK, I’ll admit it: I really miss getting together with folks and having the truly random conversations that pre-scripted teleconferences just don’t seem to facilitate. Lobbycon suffers in lockdown. But if you’ve never been to any of these events, and you just want a taste of the talks and presentations at least, now’s your chance to get in for free. And if you like what you see, and if the virus lets us, we’ll see you in person next summer!

Hands-On: The Pandemic DEF CON Badge Is An Audio Cassette

My DEF CON Safe Mode badge just arrived in the mail this afternoon. The Vegas-based conference, which normally hosts around 30,000 attendees every year, has moved online in response to the global pandemic, and the virtual event spins up August 6-9. Known for creative badges, North America’s most well-known infosec con has a tick-tock cycle that alternates electronic and non-electronic badges from year to year. During this off-year, the badge is an obscure, deprecated medium: the audio cassette.

This choice harkens back to the DEF CON 23 badge, which was a vinyl record — I have the same problem I did back in 2015… I lack a way to play back this archaic medium. Luckily [Grifter] pointed everyone to a dump of the audio contents over at Internet Archive, although knowing how competitive the badge hacking for DEF CON is, I’m skeptical about the reliability of these files. Your best bet is to pull the dust cover off your ’88 Camry and let your own cassette roll in the tape deck. I also wonder if there are different versions of the tape.

But enough speculation, let’s look at what physically comes with the DEF CON 28 badge.


Stay At Home, HOPE And DEF CON Will Come To You

We’ve often heard conferences like HOPE and DEF CON called Hacker Summer Camp (although there are certainly more camp-like camps that also fit the bill). As we get into the hot parts of the summer, heading indoors for security talks, workshops, and untold shenanigans sounds like a good idea… if it weren’t for an ongoing pandemic. The good news is that you can still get a strong dose of these cons over the next three weekends as they’re being offered virtually.

Hackers on Planet Earth (HOPE) is a biennial conference hosted in NYC. After much drama about the dank Hotel Pennsylvania hiking prices astronomically for the con, a new venue was found and we all breathed a sigh of relief. The best laid plans, etc. etc. — you know how this turns out. But beginning this Saturday, July 25th, over 100 speakers will present in HOPE’s first-ever live online presentation. Hackaday is a proud sponsor of HOPE 2020.

DEF CON happens every year, and every year we tell you that DEF CON has been cancelled. What do you do if it has actually been cancelled when the boy constantly cries wolf? Well it’s not cancelled, it’s morphed into what is called DEF CON Safe Mode — an online offering for all to enjoy. Go ahead, hook your computer up to the online version of DEF CON, what could go wrong? Find out when the virtual con goes live starting August 6th.

These are not the same as meeting up IRL. There are so many chance interactions and spectacles to see that you simply cannot spark with a virtual offering. However, the platform for presenters, and the coming together to talk, learn, and share about privacy, security, and internet freedom, are meaningful and worth our time. So support your favorite cons by joining in, even when it’s from the comfort of your own couch.