Bluetooth Battery Monitors That Also Monitor Your Position, Without Asking

June 27, 2023 by Maya Posch 40 Comments

These days Bluetooth-based gadgets are everywhere, including for car and solar batteries. After connecting them up to the battery, you download the accompanying app on your smartphone, open it up and like magic you can keep tabs on your precious pile of chemistry that keeps things ticking along. Yet as [haxrob] discovered during an analysis, many of these devices will happily pass your location and other information along to remote servers.

The device in question is a Bluetooth 4.0 Battery Monitor that is resold under many brands, and which by itself would seem to do just what it is said to do, from monitoring a battery to running crank tests. Where things get unpleasant is with the Battery Monitor 2 (BM2) mobile app that accompanies the device. It integrates a library called AMap which is “a leading provider of digital map in China” and part of Alibaba. Although the app’s information page claims that no personal information is collected, the data intercepted with Wireshark would beg to differ.

In part 2 of this series, the BM2 app is reverse-engineered, decompiling the Java code. The personal information includes the latitude and longitude, as well as GPS, cell phone tower cell IDs and WiFi beacon data, which understandably has people rather upset. In addition to leaking your personal info, the BM2 app seems to be also good at running constantly in the background, which ironically drains your phone’s battery at an alarming rate.

Cases like these should be both a warning to not just install any app on your smartphone, as well as a wake-up call to Google and others to prevent such blatant privacy violations.

(Thanks to [Drew] for the tip)

Prompt Injection: An AI-Targeted Attack

May 19, 2023 by Bryan Cockfield 12 Comments

For a brief window of time in the mid-2010s, a fairly common joke was to send voice commands to Alexa or other assistant devices over video. Late-night hosts and others would purposefully attempt to activate voice assistants like these en masse and get them to do ridiculous things. This isn’t quite as common of a gag anymore and was relatively harmless unless the voice assistant was set up to do something like automatically place Amazon orders, but now that much more powerful AI tools are coming online we’re seeing that joke taken to its logical conclusion: prompt-injection attacks. Continue reading “Prompt Injection: An AI-Targeted Attack” →

Thermal Camera Plus Machine Learning Reads Passwords Off Keyboard Keys

May 4, 2023 by Donald Papp 43 Comments

An age-old vulnerability of physical keypads is visibly worn keys. For example, a number pad with digits clearly worn from repeated use provides an attacker with a clear starting point. The same concept can be applied to keyboards by using a thermal camera with the help of machine learning, but it also turns out that some types of keys and typing styles are harder to read than others.

Researchers at the University of Glasgow show how machine learning can pull details from thermal images like these quickly and effectively.

Touching a key with a fingertip imparts a slight amount of body heat, and that small amount of heat can be spotted by a thermal sensor. We’ve seen this basic approach used since at least 2005, and two things have changed since then: thermal cameras gotten much more common, and researchers discovered that by combining thermal readings with machine learning, it’s possible to eke out slight details too difficult or subtle to spot by human eye and judgement alone.

Here’s a link to the research and findings from the University of Glasgow, which shows how even a 16 symbol password can be attacked with an average accuracy of 55%. Shorter passwords are much easier to decipher, with the system attacking 6 and 8 symbol passwords with an accuracy between 92% and 80%, respectively. In the study, thermal readings were taken up to a full minute after the password was entered, but sooner readings result in higher accuracy.

A few things make things harder for the system. Fast typists spend less time touching keys, and therefore transfer less heat when they do, making things a little more challenging. Interestingly, the material of the keycaps plays a large role. ABS keycaps retain heat far more effectively than PBT (a material we often see in custom keyboard builds like this one.) It also turns out that the tiny amount of heat from LEDs in backlit keyboards runs effective interference when it comes to thermal readings.

Amusingly this kind of highly modern attack would be entirely useless against a scramblepad. Scramblepads are vintage devices that mix up which numbers go with which buttons each time the pad is used. Thermal imaging and machine learning would be able to tell which buttons were pressed and in what order, but that still wouldn’t help! A reminder that when it comes to security, tech does matter but fundamentals can matter more.

PUF Away For Hardware Fingerprinting

April 17, 2023 by Matthew Carlson 9 Comments

Despite the rigorous process controls for factories, anyone who has worked on hardware can tell you that parts may look identical but are not the same. Everything from silicon defects to microscopic variations in materials can cause profoundly head-scratching effects. Perhaps one particular unit heats up faster or locks up when executing a specific sequence of instructions and we throw our hands up, saying it’s just a fact of life. But what if instead of rejecting differences that fall outside a narrow range, we could exploit those tiny differences?

This is where physically unclonable functions (PUF) come in. A PUF is a bit of hardware that returns a value given an input, but each bit of hardware has different results despite being the same design. This often relies on silicon microstructure imperfections. Even physically uncapping the device and inspecting it, it would be incredibly difficult to reproduce the same imperfections exactly. PUFs should be like the ideal version of a fingerprint: unique and unforgeable.

Because they depend on manufacturing artifacts, there is a certain unpredictability, and deciding just what features to look at is crucial. The PUF needs to be deterministic and produce the same value for a given specific input. This means that temperature, age, power supply fluctuations, and radiation all cause variations and need to be hardened against. Several techniques such as voting, error correction, or fuzzy extraction are used but each comes with trade-offs regarding power and space requirements. Many of the fluctuations such as aging and temperature are linear or well-understood and can be easily compensated for.

Broadly speaking, there are two types of PUFs: weak and strong. Weak offers only a few responses and are focused on key generation. The key is then fed into more traditional cryptography, which means it needs to produce exactly the same output every time. Strong PUFs have exponential Challenge-Response Pairs and are used for authenticating. While strong PUFs still have some error-correcting they might be queried fifty times and it has to pass at least 95% of the queries to be considered authenticated, allowing for some error. Continue reading “PUF Away For Hardware Fingerprinting” →

Sufficiently Advanced Tech: Has Bugs

April 15, 2023 by Elliot Williams 74 Comments

Arthur C. Clarke said that “Any sufficiently advanced technology is indistinguishable from magic”. He was a sci-fi writer, though, and not a security guy. Maybe it should read “Any sufficiently advanced tech has security flaws”. Because this is the story of breaking into a car through its headlight.

In a marvelous writeup, half-story, half CAN-bus masterclass, [Ken Tindell] details how car thieves pried off the front headlight of a friend’s Toyota, and managed to steal it just by saying the right things into the network. Since the headlight is on the same network as the door locks, pulling out the bulb and sending the “open the door” message repeatedly, along with a lot of other commands to essentially jam some other security features, can pull it off.

Half of you are asking what this has to do with Arthur C. Clarke, and the other half are probably asking what a lightbulb is doing on a car’s data network. In principle, it’s a great idea to have all of the electronics in a car be smart electronics, reporting their status back to the central computer. It’s how we know when our lights are out, or what our tire pressure is, from the driver’s seat. But adding features adds attack surfaces. What seems like magic to the driver looks like a gold mine to the attacker, or to car thieves.

With automotive CAN, security was kind of a second thought, and I don’t mean this uncharitably. The first goal was making sure that the system worked across all auto manufacturers and parts suppliers, and that’s tricky enough. Security would have to come second. And more modern cars have their CAN networks encrypted now, adding layers of magic on top of magic.

But I’m nearly certain that, when deciding to replace the simple current-sensing test of whether a bulb was burnt out, the engineers probably didn’t have the full cost of moving the bulb onto the CAN bus in mind. They certainly had dreams of simplifying the wiring harness, and of bringing the lowly headlight into the modern age, but I’d bet they had no idea that folks were going to use the headlight port to open the doors. Sufficiently advanced tech.

Disabling Intel’s Backdoors On Modern Laptops

April 12, 2023 by Bryan Cockfield 32 Comments

Despite some companies making strides with ARM, for the most part, the desktop and laptop space is still dominated by x86 machines. For all their advantages, they have a glaring flaw for anyone concerned with privacy or security in the form of a hardware backdoor that can access virtually any part of the computer even with the power off. AMD calls their system the Platform Security Processor (PSP) and Intel’s is known as the Intel Management Engine (IME).

To fully disable these co-processors a computer from before 2008 is required, but if you need more modern hardware than that which still respects your privacy and security concerns you’ll need to either buy an ARM device, or disable the IME like NovaCustom has managed to do with their NS51 series laptop.

NovaCustom specializes in building custom laptops with customizations for various components and specifications to fit their needs, including options for the CPU, GPU, RAM, storage, keyboard layout, and other considerations. They favor Coreboot as a bootloader which already goes a long way to eliminating proprietary closed-source software at a fundamental level, but not all Coreboot machines have the IME completely disabled. There are two ways to do this, the HECI method which is better than nothing but not fully trusted, and the HAP bit, which completely disables the IME. NovaCustom is using the HAP bit approach to disable the IME, meaning that although it’s not completely eliminated from the computer, it is turned off in a way that’s at least good enough for computers that the NSA uses.

There are a lot of new computer manufacturers building conscientious hardware nowadays, but (with the notable exception of System76) the IME and PSP seem to be largely ignored by most computing companies we’d otherwise expect to care about an option like this. It’s certainly still an area of concern considering how much power the IME and PSP are given over their host computers, and we have seen even mainline manufacturers sometimes offer systems with the IME disabled. The only other options to solve this problem are based around specific motherboards for 8th and 9th generation Intel desktops, or you can go way back to hardware from 2008 and install libreboot to eliminate, rather than disable, the IME.

Thanks to [Maik] for the tip!

Arbitrary Code Execution Over Radio

April 7, 2023 by Bryan Cockfield 71 Comments

Computers connected to networks are constantly threatened by attackers who seek to exploit vulnerabilities wherever they can find them. This risk is particularly high for machines connected to the Internet, but any network connection can be susceptible to attacks. As highlighted by security researcher and consultant [Rick Osgood], even computers connected to nothing more than a radio can be vulnerable to attacks if they’re using certain digital modes of communication.

The vulnerability that [Rick] found involves exploiting a flaw in a piece of software called WinAPRS. APRS is a method commonly used in the amateur radio community for sending data over radio, and WinAPRS allows for this functionality on a PC. He specifically sought out this program for vulnerabilities since it is closed-source and hasn’t been updated since 2013. After some analysis, he found a memory bug which was used to manipulate the Extended Instruction Pointer (EIP) register which stores the memory address of the next instruction to be executed by the CPU. This essentially allows for arbitrary code execution on a remote machine via radio.

The exploit was found while using Windows XP because it lacks some of the more modern memory protection features of modern operating systems, but the exploit does still work with Windows 10, just not as reliably and with a bit of extra effort required. It’s a good reminder to use open-source software when possible so issues like these can get resolved, and to regularly install security updates when possible. If you’re looking to delve into the world of APRS in more modern times, take a look at this project which adds APRS to budget transceivers. Just make sure you get your license first.