security

470 Articles

Serious Vulnerability In European Trunked Radio System

July 26, 2023 by 41 Comments

Trunked radio systems can be difficult to wrap one’s mind around, and that’s partially by design. They’re typically used by organizations like police, firefighters, and EMS to share a limited radio frequency band with a much larger number of users than would otherwise be able to operate. From a security standpoint, it also limits the effectiveness of scanners who might not know the control methods the trunked systems are using. But now a global standard for encrypted trunked radio systems, known as TETRA, has recently been found to have major security vulnerabilities, which could result in a lot more headache than disrupted voice communications.

One of the vulnerabilities in this radio system was a known backdoor, which seems to have been protected largely via a “security through obscurity” method. Since the system has been around for about 25 years now, it was only a matter of time before this became public knowledge. The backdoor could allow non-authorized users to snoop on encrypted radio traffic. A second serious vulnerability, unrelated to this backdoor, would further allow listening to encrypted voice traffic. There are a few other minor vulnerabilities recently uncovered by the same security researchers who found these two major ones, and the current recommendation is for anyone using a TETRA system to take a look to see if they are impacted by any of these issues.

Part of the reason this issue is so concerning is that these systems aren’t just used for encrypted voice among first responders. They also are used for critical infrastructure like power grids, rail networks, and other systems controlled by SCADA. This article from Wired goes into much more detail about this vulnerability as well, and we all know that most of our infrastructure already needs significant help when it comes to vulnerabilities to all kinds of failure modes.

Thanks to [cfacer] and [ToniSoft] who sent these tips!

Photo via Wikimedia Commons.

Car Security System Monitors Tiny Voltage Fluctuations

July 25, 2023 by 43 Comments

As the old saying goes, there’s no such thing as a lock that can’t be picked. However, it seems like there are plenty of examples of car manufacturers that refuse to add these metaphorical locks to their cars at all — especially when it comes to securing the electronic systems of vehicles. Plenty of modern cars are essentially begging to be attacked as a result of such poor practices as unencrypted CAN busses and easily spoofed wireless keyfobs. But even if your car comes from a manufacturer that takes basic security precautions, you still might want to check out this project from the University of Michigan that is attempting to add another layer of security to cars.

The security system works like many others, by waiting for the user to input a code. The main innovation here is that the code is actually a series of voltage fluctuations that are caused by doing things like turning on the headlights or activating the windshield wipers. This is actually the secondary input method, though; there is also a control pad that can mimic these voltage fluctuations as well without having to perform obvious inputs to the vehicle’s electrical system. But, if the control pad isn’t available then turning on switches and lights to input the code is still available for the driver. The control unit for this device is hidden away, and disables things like the starter motor until it sees these voltage fluctuations.

One of the major selling points for a system like this is the fact that it doesn’t require anything more complicated than access to the vehicle’s 12 volt electrical system to function. While there are some flaws with the design, it’s an innovative approach to car security that, when paired with a common-sense approach to securing modern car technology, could add some valuable peace-of-mind to vehicle ownership in areas prone to car theft. It could even alleviate the problem of cars being stolen via their headlights.

Continue reading “Car Security System Monitors Tiny Voltage Fluctuations”

Sniffing Passwords, Rickrolling Toothbrushes

July 18, 2023 by 14 Comments

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.

Continue reading “Sniffing Passwords, Rickrolling Toothbrushes”

Remote Code Execution On An Oscilloscope

July 17, 2023 by 10 Comments

There are a huge number of products available in the modern world that come with network connectivity now, when perhaps they might be better off with out it. Kitchen appliances like refrigerators are the classic example, but things like lightbulbs, toys, thermostats, and door locks can all be found with some sort of Internet connectivity. Perhaps for the worse, too, if the security of these devices isn’t taken seriously, as they can all be vectors for attacks. Even things like this Rigol oscilloscope and its companion web app can be targets.

The vulnerability for this oscilloscope starts with an analysis of the firmware, which includes the web control application. To prevent potentially bricking a real oscilloscope, this firmware was emulated using QEMU. The vulnerability exists in the part of the code which involves changing the password, where an attacker can bypass authentication by injecting commands into the password fields. In the end, the only thing that needs to be done to gain arbitrary code execution on the oscilloscope is to issue a curl command directed at the oscilloscope.

In the end, [Maunel] suggests not connecting this oscilloscope to the Internet at all. He has informed the producer about it but as of this writing there has not been a resolution. It does, however, demonstrate the vulnerabilities that can be present in network-connected devices where the developers of the software haven’t gone to the lengths required to properly secure them for use with the modern Internet. Even things not connected to a traditional Internet connection can be targets for attacks.

Presence Sensor Locks Computer When You Step Away

July 2, 2023 by 14 Comments

Having a computer that locks its screen after a few minutes of inactivity is always a good idea from a security standpoint, especially in offices where there is a lot of foot traffic. Even the five- or ten-minute activity timers that are set on most workstations aren’t really perfect solutions. While ideally in these situations we’d all be locking our screens manually when we get up, that doesn’t always happen. The only way to guarantee that this problem is solved is to use something like this automatic workstation locker.

The project is based around the LD2410 presence sensor — a small 24 GHz radar module featuring onboard signal processing which simplifies the detection of objects and motion. [Enzo] paired one of these modules with a Seeed Studio XIAO nRF52840 development board to listen to the radar module and send the screen lock keyboard shortcut to the computer when it detects that the user has walked away from the machine. The only thing that [Enzo] wants to add is a blinking LED to let the user know when the device is about to timeout so that it doesn’t accidentally lock the machine when not needed.

One of the parts of this build that is a little bit glossed over is the fact that plenty of microcontroller platforms can send keystrokes to a computer even if they’re not themselves a USB keyboard. Even the Arduino Uno can do this, so by now this feature is fairly platform-agnostic. Still, you can use this to your advantage if you have the opposite problem from [Enzo] and need your computer to stay logged in no matter what.

Bluetooth Battery Monitors That Also Monitor Your Position, Without Asking

June 27, 2023 by 40 Comments

These days Bluetooth-based gadgets are everywhere, including for car and solar batteries. After connecting them up to the battery, you download the accompanying app on your smartphone, open it up and like magic you can keep tabs on your precious pile of chemistry that keeps things ticking along. Yet as [haxrob] discovered during an analysis, many of these devices will happily pass your location and other information along to remote servers.

The device in question is a Bluetooth 4.0 Battery Monitor that is resold under many brands, and which by itself would seem to do just what it is said to do, from monitoring a battery to running crank tests. Where things get unpleasant is with the Battery Monitor 2 (BM2) mobile app that accompanies the device. It integrates a library called AMap which is “a leading provider of digital map in China” and part of Alibaba. Although the app’s information page claims that no personal information is collected, the data intercepted with Wireshark would beg to differ.

In part 2 of this series, the BM2 app is reverse-engineered, decompiling the Java code. The personal information includes the latitude and longitude, as well as GPS, cell phone tower cell IDs and WiFi beacon data, which understandably has people rather upset. In addition to leaking your personal info, the BM2 app seems to be also good at running constantly in the background, which ironically drains your phone’s battery at an alarming rate.

Cases like these should be both a warning to not just install any app on your smartphone, as well as a wake-up call to Google and others to prevent such blatant privacy violations.

(Thanks to [Drew] for the tip)

Prompt Injection: An AI-Targeted Attack

May 19, 2023 by 12 Comments

For a brief window of time in the mid-2010s, a fairly common joke was to send voice commands to Alexa or other assistant devices over video. Late-night hosts and others would purposefully attempt to activate voice assistants like these en masse and get them to do ridiculous things. This isn’t quite as common of a gag anymore and was relatively harmless unless the voice assistant was set up to do something like automatically place Amazon orders, but now that much more powerful AI tools are coming online we’re seeing that joke taken to its logical conclusion: prompt-injection attacks. Continue reading “Prompt Injection: An AI-Targeted Attack”