This Week In Security: Triangulation, ProxyCommand, And Barracuda

It’s not every day we get to take a good look inside a high-level exploit chain developed by an unnamed APT from the western world. But thanks to some particularly dedicated researchers at Kaspersky, which just happens to be headquartered in Moscow, that’s exactly what we have today. The name Operation Triangulation comes from part of the device-fingerprinting code, which rendered a yellow triangle on an HTML canvas.

The full talk, given this week at the 37th Chaos Communication Congress (37c3), is available online. The exploit starts with an iMessage attachment, delivered silently, that exploits an undocumented TrueType font instruction. Looking at the code suggests it was a copy-paste error, where a programmer didn’t quite get the logic right for a pointer calculation. That vulnerability gives a memory write primitive that pivots into code execution. What’s particularly interesting is that Apple silently fixed this bug in January 2023 and made no public statement about it. Presumably there was an uptick of crash logs that pointed to this problem but didn’t conclusively show attempted exploitation.

The exploit then moves on to NSExpression as its next stage. NSExpression is an ugly way to write code, but it lets the chain reach the following stage: running JavaScript as an application, without Just In Time compilation. The JS payload is quite a beast, weighing in at 11,000 lines of obfuscated code. It manages to call native APIs directly from JS, which then sets up a kernel exploit built on multiple integer overflow flaws that result in essentially arbitrary kernel memory reads and writes.

Global Radio Direction Finding In Your Browser

Radio direction finding is one of those things that most Hackaday readers are likely to be familiar with at least on a conceptual level, but probably without much first-hand experience. After all, it’s not every day that you need to track down a rogue signal, let alone have access to the infrastructure necessary to triangulate its position. But thanks to the wonders of the Internet, at least the latter excuse is now a bit less valid.

Triangulated location of “The Buzzer”

The RTL-SDR Blog has run a very interesting article wherein they describe how the global network of Internet-connected KiwiSDR radios can be used for worldwide radio direction finding. If you’ve got a target in mind, and the time to fiddle around with the web-based SDR user interface, you now have access to the kind of technology that’s usually reserved for world superpowers. Indeed, the blog post claims this is the first time such capability has been put in the hands of the unwashed masses. Let’s try not to mess this up.

To start with, you should have a rough idea of where the signal is originating from. It doesn’t have to be exact, but you want to at least know which country to look in. Then you pick one of the nearby public KiwiSDR stations and tune the frequency you’re after. Repeat the process for a few more stations. More stations give a better fix, but three is the practical minimum: each pair of receivers only narrows the transmitter down to a hyperbola of possible positions, and you need at least two of those curves to cross at a point.

With your receiving stations selected, the system will then start Time Difference of Arrival (TDoA) sampling. This technique compares the time at which the signal arrives at each station, using each KiwiSDR’s GPS-disciplined clock so that every receiver shares a common time reference; that timing is the whole game, since a microsecond of clock error corresponds to roughly 300 metres of path length. With enough of this data from multiple stations, it can estimate the origin of the signal based on how long it takes to reach different parts of the globe.

It’s not perfect, but it’s pretty impressive for a community-run project. The blog post goes on to give examples of both known and unknown signals they were able to triangulate with surprising accuracy: from the US Navy’s VLF submarine transmitter in Washington state to the mysterious “Buzzer” numbers station hidden somewhere in Russia.

We’ve covered small-scale triangulation using Wi-Fi, and even a project that aimed to use drones to home in on rescue beacons, but the scale of the KiwiSDR TDoA system is really on a whole new level. Use it wisely.

Anti-Drone Fence: Science Or Snakeoil?

Remember when it was laser pointers? Well, now it’s drones.

[Thinkerer] sent us this link to what’s essentially a press release for a company called Sensofusion that makes a UAV detector and (they claim) smart jammer, and apparently one is being installed at Denver International airport.

We buy that the “Airfence” system will be able to detect known systems by signature, and possibly even take them over. We’ve seen two exploits of quadcopter radio protocols (one a timing attack and the other a controller ID spoof) that would allow them to do just that. But is that the problem? Don’t most of the major manufacturers fence off airports in software these days anyway? And are drones really the droids that you’re looking for?

They also make some claims about being able to detect and stop DIY copters, but we don’t see how. Imagine that your copter ran encrypted on 2.4 GHz. How is this different from any other WiFi signal? Or imagine that it sends and receives infrequent data in the congested pager bands? And short of jamming, we don’t see how they’re going to take down anything that they don’t already understand.

So, commenteers, how would you do it? Detect and even take over an arbitrary drone? Possible or snakeoil?

Find The Source: WiFi Triangulation

[Michael] was playing with his ESP8266. Occasionally he would notice a WiFi access point come up with what he described as “a nasty name”. Perhaps curious about the kind of person who would have this sort of access point, or furious about the tarnishing of his formerly pure airspace, he decided to see if he could locate the router in question.

[Michael] built himself a warwalking machine. His ESP8266 went in along with a GPS module, interfaced with a PIC microcontroller. It was all housed in an off-the-shelf case with a keypad and OLED screen. He took his construction for a nice calming war walk around the neighborhood and came home with a nice pile of data to sort through. To save time, he placed the data in a SQL database and did the math using queries. After that it was a quick kludge to put together a website with the Google Maps API and some JavaScript to plot the computed location.
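Doing the math in the database, as the write-up describes, is a short query once the walk log is in a table. The following is an added example, not [Michael]’s code: the observation rows are constructed (a target AP with the “nasty” SSID, a neighbouring AP, six GPS fixes, and the RSSI a walker would plausibly log at each), and the RSSI-weighted centroid is an assumption about his method, not something the page states. The one trick worth noting is converting dBm to linear milliwatts before weighting, so a strong hit near the router dominates the weak ones from a street away.

```python
"""Added example: locating an access point from war-walking logs with SQL.
All data below is constructed; the weighting scheme is the author's assumption."""
import math
import sqlite3

# Constructed walk: the target AP, a neighbour, and six GPS fixes along the route.
TARGET = ("aa:bb:cc:dd:ee:01", "nasty name", 40.0010, -75.0010)
NEIGHBOUR = ("aa:bb:cc:dd:ee:02", "HomeNet", 40.0025, -75.0005)
FIXES = [(40.0000, -75.0000), (40.0020, -75.0000), (40.0000, -75.0020),
         (40.0020, -75.0020), (40.0010, -75.0030), (40.0030, -75.0010)]


def _fake_rssi(ap_lat, ap_lon, lat, lon):
    """Free-space-style dBm for the synthetic log (real readings are far noisier)."""
    dy = (lat - ap_lat) * 111_000                                   # ~metres per degree of latitude
    dx = (lon - ap_lon) * 111_000 * math.cos(math.radians(ap_lat))  # longitude shrinks with latitude
    return round(-40 - 20 * math.log10(max(math.hypot(dx, dy), 1.0)))


def build_log():
    """One row per (access point, GPS fix) pair, as a warwalker would record it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE observations (bssid TEXT, ssid TEXT, lat REAL, lon REAL, rssi INTEGER)")
    for bssid, ssid, ap_lat, ap_lon in (TARGET, NEIGHBOUR):
        conn.executemany(
            "INSERT INTO observations VALUES (?, ?, ?, ?, ?)",
            [(bssid, ssid, lat, lon, _fake_rssi(ap_lat, ap_lon, lat, lon)) for lat, lon in FIXES],
        )
    return conn


# Weighted centroid per BSSID. dbm_to_mw is registered from Python below because the
# bundled SQLite may lack POWER(); weighting in mW makes a -60 dBm hit count 1000x a -90.
CENTROID_SQL = """
SELECT bssid, ssid,
       SUM(lat * mw) / SUM(mw) AS lat_est,
       SUM(lon * mw) / SUM(mw) AS lon_est,
       COUNT(*)               AS hits
FROM (SELECT bssid, ssid, lat, lon, dbm_to_mw(rssi) AS mw FROM observations)
GROUP BY bssid, ssid
"""


def locate(conn):
    """Return {bssid: (ssid, lat_est, lon_est, hits)} from the query above."""
    conn.create_function("dbm_to_mw", 1, lambda dbm: 10 ** (dbm / 10))
    return {row[0]: (row[1], row[2], row[3], row[4]) for row in conn.execute(CENTROID_SQL)}


if __name__ == "__main__":
    for bssid, (ssid, lat, lon, hits) in locate(build_log()).items():
        print(f"{bssid} {ssid!r}: ~({lat:.5f}, {lon:.5f}) from {hits} hits")
```

A centroid can only land inside the area you actually walked, so the estimate is pulled toward the route rather than the router; circling the block from all sides tightens it far more than extra samples from one street.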

Sure enough, the person with the questionable WiFi access point shows up on the map.

Office Dog Triangulation Keeps Spot Accounted For

[Matt Reed] works at a pet-friendly workspace, where his pooch [Bean] loves to wander around and disappear. She’s not getting in trouble, but nonetheless, [Matt] worries about her. So he took the creepy stalker route and put a beacon on her collar to track her every move.

He’s using a small BLE beacon that advertises once a second, broadcasting a unique ID code; each receiver that hears the packet measures an RSSI (Received Signal Strength Indicator) value for it. Normally beacons are placed in a stationary location to help people navigate — but this time, it’s on a moving dog.

In order to better understand [Bean’s] location in the office, [Matt] set up three Raspberry Pis with Bluetooth adapters around the office. Using Noble, Node.js listens for the RSSI values and trilaterates [Bean’s] position from the signal strength seen at each Pi, much like a cellphone can be located using different ping times from cellular towers.
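The KiwiSDR TDoA network above and the three-Pi dog tracker here are the same least-squares problem with different measurements: the KiwiSDRs supply range differences (c times the arrival-time difference, which is why their GPS-disciplined clocks matter), while the Pis supply absolute ranges estimated from RSSI through a path-loss model. The following is an added example serving both passages, not code from the RTL-SDR Blog, the KiwiSDR project, or [Matt]’s Node.js tracker. It uses a flat-plane toy geometry instead of great circles, constructed noise-free station positions and readings, a -59 dBm-at-1 m path-loss model assumed for the beacon, and the coarse prior position the KiwiSDR write-up says you should already have.

```python
"""Added example: one Gauss-Newton solver, two measurement models (TDoA and RSSI).
Flat-plane geometry; all station positions and readings below are constructed."""
import math

C_KM_PER_S = 299_792.458  # speed of light, km/s


def gauss_newton(model, guess, iters=100):
    """Minimise sum(r^2) over (x, y). model(x, y) -> list of (r, dr/dx, dr/dy).
    Normal equations (J^T J) step = -J^T r, with backtracking so cost never rises."""
    x, y = guess
    rows = model(x, y)
    cost = sum(r * r for r, _, _ in rows)
    for _ in range(iters):
        a = sum(jx * jx for _, jx, _ in rows)
        b = sum(jx * jy for _, jx, jy in rows)
        d = sum(jy * jy for _, _, jy in rows)
        g0 = sum(r * jx for r, jx, _ in rows)
        g1 = sum(r * jy for r, _, jy in rows)
        det = a * d - b * b
        if abs(det) < 1e-12:      # rank-deficient: the geometry cannot pin down (x, y)
            return None
        dx = -(d * g0 - b * g1) / det
        dy = -(a * g1 - b * g0) / det
        scale = 1.0
        while True:               # halve the step until the cost stops increasing
            nx, ny = x + scale * dx, y + scale * dy
            new_rows = model(nx, ny)
            new_cost = sum(r * r for r, _, _ in new_rows)
            if new_cost <= cost or scale < 1e-6:
                break
            scale /= 2
        x, y, rows, cost = nx, ny, new_rows, new_cost
        if math.hypot(scale * dx, scale * dy) < 1e-9:
            break
    return x, y


def _range(x, y, sx, sy):
    return max(math.hypot(x - sx, y - sy), 1e-9)  # avoid /0 if the guess sits on a station


def tdoa_fix(stations, guess):
    """stations: [(x_km, y_km, t_arrival_s), ...] from clock-synchronised receivers.
    Each station after the reference contributes one hyperbola: (range_i - range_0)
    must equal c * (t_i - t_0). Two stations give a curve, not a point, so refuse < 3."""
    if len(stations) < 3:
        return None
    x0, y0, t0 = stations[0]

    def model(x, y):
        d0 = _range(x, y, x0, y0)
        rows = []
        for sx, sy, t in stations[1:]:
            di = _range(x, y, sx, sy)
            rows.append(((di - d0) - C_KM_PER_S * (t - t0),
                         (x - sx) / di - (x - x0) / d0,
                         (y - sy) / di - (y - y0) / d0))
        return rows

    return gauss_newton(model, guess)


def rssi_to_metres(rssi_dbm, rssi_at_1m=-59.0, path_loss_n=2.0):
    """Log-distance path-loss model (assumed constants): n=2 is free space; indoors
    n runs 2.5-4 and a body or wall between dog and Pi easily costs 10 dB."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_n))


def rssi_fix(readings, guess):
    """readings: [(x_m, y_m, rssi_dbm), ...] from fixed receivers such as the Pis."""
    if len(readings) < 3:
        return None

    def model(x, y):
        rows = []
        for sx, sy, rssi in readings:
            di = _range(x, y, sx, sy)
            rows.append((di - rssi_to_metres(rssi), (x - sx) / di, (y - sy) / di))
        return rows

    return gauss_newton(model, guess)


# Constructed scenarios. A transmitter at (300, 120) km keyed up at t = 0.5 s (unknown
# to the solver) is heard by four receivers; a collar beacon at (3, 2) m is seen by
# three Pis with free-space RSSI. Both are noise-free so the fixes are exact.
TX = (300.0, 120.0)
TDOA_STATIONS = [(sx, sy, 0.5 + math.hypot(TX[0] - sx, TX[1] - sy) / C_KM_PER_S)
                 for sx, sy in [(0.0, 0.0), (1000.0, 0.0), (0.0, 800.0), (900.0, 700.0)]]
DOG = (3.0, 2.0)
RSSI_READINGS = [(sx, sy, -59.0 - 20.0 * math.log10(math.hypot(DOG[0] - sx, DOG[1] - sy)))
                 for sx, sy in [(0.0, 0.0), (10.0, 0.0), (0.0, 8.0)]]

if __name__ == "__main__":
    print("TDoA fix from four stations:", tdoa_fix(TDOA_STATIONS, guess=(250.0, 200.0)))
    print("TDoA with only two stations:", tdoa_fix(TDOA_STATIONS[:2], guess=(250.0, 200.0)))
    print("RSSI fix from three Pis:    ", rssi_fix(RSSI_READINGS, guess=(3.3, 2.7)))
```

The two models fail in different ways, which is the practical lesson. TDoA is only as good as the shared clock: the solver multiplies every timing error by c, so a receiver that is a microsecond off drags the hyperbola by 300 metres, and with the minimum three stations there is no redundancy to notice. RSSI trilateration has no timing problem at all but a terrible ranging one: the path-loss constants are guesses, and the indoor multipath and body shadowing a wandering dog produces can swing a reading by 10 dB, which the model turns into a factor of three in distance. Adding receivers helps both, for different reasons.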
