Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Jeremy Hong: Weaponizing The Radio Spectrum

Jeremy Hong knows a secret or two about things you shouldn’t do with radio frequency (RF), but he’s not sharing.

That seems an odd foundation upon which to build one’s 2018 Hackaday Superconference talk, but it’s for good reason. Jeremy knows how to do things like build GPS and radar jammers, which are federal crimes. Even he hasn’t put his knowledge to practical use, having built only devices that never actually emitted any RF.

So what does one talk about when circumspection is the order of the day? As it turns out, quite a lot. Jeremy focused on how the military leverages the power of radio frequency jamming to turn the tables on enemies, and how civilian police forces are fielding electronic countermeasures as well. It’s interesting stuff, and Jeremy proved to be an engaging guide on a whirlwind tour into the world of electronic warfare.

Continue reading “Jeremy Hong: Weaponizing The Radio Spectrum”

Fooling Samsung Galaxy S8 Iris Recognition

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

Continue reading “Fooling Samsung Galaxy S8 Iris Recognition”

Fail Of The Week: Pinewood Derby Cheat Fails Two Ways

Would you use your tech prowess to cheat at the Pinewood Derby? When your kid brings home that minimalist kit and expects you to help engineer a car that can beat all the others in the gravity-powered race, the temptation is there. But luckily, there are some events that don’t include the kiddies and the need for parents to assume the proper moral posture. When the whole point of the Pinewood Derby is to cheat, then you pull out all the stops, and you might try building an electrodynamic suspension hoverboard car.

Fortunately for [ch00ftech], the team-building Derby sponsored by his employer is a little looser with the rules than the usual event. Loose enough perhaps to try a magnetically levitating car. The aluminum track provided a perfect surface to leverage Lenz’s Law. [ch00ftech] tried different arrangements of coils and drivers in an attempt to at least reduce the friction between car and track, if not outright levitate it. Sadly, time ran out and physics had others ideas, so [ch00ftech], intent on cheating by any means, tried spoofing the track timing system with a ridiculous front bumper of IR LEDs. But even that didn’t work in the end, and poor [ch00f]’s car wound up in sixth place.

So what could [ch00ftech] had done better? Was he on the right course with levitation? Or was spoofing the sensors likely to have worked with better optics? Or should he have resorted to jet propulsion or a propeller drive? How would you cheat at the Pinewood Derby?


2013-09-05-Hackaday-Fail-tips-tileFail of the Week is a Hackaday column which celebrates failure as a learning tool. Help keep the fun rolling by writing about your own failures and sending us a link to the story — or sending in links to fail write ups you find in your Internet travels.

SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms

We’ve all seen the social logon pop up boxes. You try to log into some website only to be presented with that pop up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researcher’s have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below. Continue reading “SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms”

Palm Pre IPod Spoofing Confirmed

palmpre

The new Palm Pre cellphone has a “media sync” feature which lets the device sync with iTunes in a fashion identical to an iPod. Last week [Jon Lech Johansen] speculated that this was not done in cooperation with Apple and that Palm was spoofing the iPod’s USB controller. This was confirmed today when a tipster sent him a screenshot of what the device reports in both standard and media sync modes. The Palm Pre reports its Product ID as iPod and Vendor ID as Apple with a few other changes. [Jon] notes that it doesn’t change the root USB node, so Apple should be able to block this behavior with an iTunes update. With Palm already pulling tricks like this presumably through software we wonder if this will become a full-on arms race.