Hands-On: Internet Of Batteries Quantum Badge Brings Badgelife Add-Ons The Power And Internet They Crave

Our friends in the Whiskey Pirates crew sent me the unofficial DEF CON badge they built this year. The Internet of Batteries QUANTUM provides power and connectivity to the all-important add-on badges of DC28. The front of the badge is absolutely gorgeous to the point I don’t really want to solder on my add-on headers and disrupt that aesthetic.

The gold-plated copper makes for a uniform and reflective contrast to the red solder mask that occupies the majority of the front. Here we see the great attention to detail that [TrueControl] includes in his badges. The white stripe of silk screen separating the two colors is covered by some black detailing tape that looks much better than the white.

The antenna of the ESP32 module poking out the underside of the gold cover end of the badge gets its own rectangle of the holographic sticker material, the same as the sheet of stickers that was included in the box. Both decals are small details that make a huge difference to your eye.

The line of nine RGB LEDs has black bezels, which go along with the black stripe motif and underscore the typography of the badge name. These lights are hosted on a daughter board soldered to the underside of the badge, with a slot for the LEDs to pass through. They are addressed in a 2×15 matrix that is scanned on the low side by the PSoC5 that drives the badge. This low-res image shows that daughter board before the lithium cell is placed.

Hands-On: AND!XOR Unofficial DC28 Badge Embraces The Acrylic Stackup

Still hot from the solder party, a new AND!XOR badge just landed on my desk courtesy of the hacking crew that has been living the #badgelife for the past five years. Originally based on the Futurama character Bender, the design has morphed to the point that it’s no longer recognizable as a descendant of that belligerent robot. Instead we have a skeletal midget whose face is half covered by a gear-themed mask.

Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device's wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. These are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are thus essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary solutions.
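As an added example that is not part of the original post, the short Python below classifies pairs of radios into the three interference scenarios listed above (adjacent-band leakage, harmonics, shared frequencies), which is exactly the case analysis a coexistence mechanism has to arbitrate. The band edges and the 20 MHz adjacency guard are constructed illustrative values, not figures from the talk.

```python
# Added example (not from the article): classify in-device radio pairs into the
# three interference scenarios the post lists. Band edges in MHz are constructed
# illustrative values; GUARD_MHZ is an assumed adjacency margin.

GUARD_MHZ = 20.0    # assumed: gap within which carrier leakage still matters
MAX_HARMONIC = 3    # check 2nd and 3rd harmonics of each transmitter

RADIOS = {
    "wifi_2g4":  (2400.0, 2483.5),
    "bluetooth": (2402.0, 2480.0),
    "lte_b7_ul": (2500.0, 2570.0),
    "wifi_5g":   (5150.0, 5850.0),
    "lte_b4_ul": (1710.0, 1755.0),
}

def overlaps(a, b):
    """True when two (lo, hi) bands share any frequency (scenario: shared)."""
    return a[0] < b[1] and b[0] < a[1]

def adjacent(a, b, guard=GUARD_MHZ):
    """Bands that do not overlap but sit within `guard` MHz (scenario: leakage)."""
    if overlaps(a, b):
        return False
    gap = max(a[0], b[0]) - min(a[1], b[1])
    return gap <= guard

def harmonic_hits(tx, rx, max_n=MAX_HARMONIC):
    """Harmonic orders n>=2 of `tx` whose band lands inside `rx` (scenario: harmonics)."""
    return [n for n in range(2, max_n + 1)
            if overlaps((tx[0] * n, tx[1] * n), rx)]

def classify_pairs(radios):
    """Map interfering pairs to a scenario label; harmonic keys are (tx, rx) ordered."""
    findings = {}
    names = sorted(radios)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(radios[a], radios[b]):
                findings[(a, b)] = "shared"
            elif adjacent(radios[a], radios[b]):
                findings[(a, b)] = "adjacent"
            # harmonics are directional: check a into b and b into a
            for tx, rx in ((a, b), (b, a)):
                hits = harmonic_hits(radios[tx], radios[rx])
                if hits:
                    findings[(tx, rx)] = "harmonic:" + ",".join(map(str, hits))
    return findings

if __name__ == "__main__":
    for pair, scenario in sorted(classify_pairs(RADIOS).items()):
        print(f"{pair[0]:>10} <-> {pair[1]:<10} {scenario}")
```

Every pair the function flags is one the coexistence arbiter must schedule around; a pair it does not flag can run concurrently without a time-sharing mechanism.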

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra-class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning, from an attacker's perspective, is to leverage a Bluetooth subsystem remote code execution (RCE) to reach WiFi RCE and maybe even LTE RCE. Keep in mind that this code execution happens inside these subsystem CPU cores, so it can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.

Hands-On: The Pandemic DEF CON Badge Is An Audio Cassette

My DEF CON Safe Mode badge just arrived in the mail this afternoon. The Vegas-based conference, which normally hosts around 30,000 attendees every year, has moved online in response to the global pandemic, and the virtual event spins up August 6-9. Known for creative badges, North America’s most well-known infosec con has a tick-tock cycle that alternates electronic and non-electronic badges from year to year. During this off-year, the badge is an obscure deprecated medium: the audio cassette.

This choice harkens back to the DEF CON 23 badge, which was a vinyl record — I have the same problem I did back in 2015… I lack the means to play back this archaic medium. Luckily [Grifter] pointed everyone to a dump of the audio contents over at Internet Archive, although knowing how competitive the badge hacking for DEF CON is, I’m skeptical about the reliability of these files. Your best bet is to pull the dust cover off your ’88 Camry and let your own cassette roll in the tape deck. I also wonder if there are different versions of the tape.

But enough speculation, let’s look at what physically comes with the DEF CON 28 badge.
