RESQ Hunts For Lost Hikers From The Air

When lost hiking out in the back country, a cell phone might not seem like the most useful tool. Absent a signal from the cellular network, it’s not possible to make outgoing calls for help. However, carrying your phone may just make it a lot easier for rescuers to find you, and [Eric] is making a tool to do the job.

The handheld version of ResQ features a directional Yagi antenna to help pinpoint the location of the signal.

[Eric]’s project is named ResQ, and aims to find lost hikers by detecting the beacon packets from a cellphone’s WiFi adapter. The project comes in two forms: a handheld unit with a directional Yagi antenna, and a drone-mounted unit that can overfly terrain to scan for signals.

ResQ is built around the ESP8266, which is a cheap and accessible way to build a custom WiFi scanner. Currently, the system is able to detect WiFi devices and log MAC addresses along with timestamps and GPS location data to an SD card to help rescuers locate lost individuals. Future plans involve adding a live downlink to the drone such that any pings can be reported live for rescuers to investigate.
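To show what rescuers can do with the kind of SD-card log described above (MAC address, timestamp, GPS position per detection), here is an added example that is not part of the ResQ project: it parses a constructed log, groups sightings by device, and ranks devices by how often they were heard. The CSV layout and all values are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed ResQ-style CSV layout:
# one row per WiFi detection with the scanner's GPS fix at that moment.
SAMPLE_LOG = """\
timestamp,mac,lat,lon
2020-07-10T14:02:11Z,aa:bb:cc:dd:ee:01,46.5000,8.2000
2020-07-10T14:02:40Z,aa:bb:cc:dd:ee:02,46.5010,8.2010
2020-07-10T14:03:05Z,aa:bb:cc:dd:ee:01,46.5004,8.2002
2020-07-10T14:05:30Z,aa:bb:cc:dd:ee:01,46.5002,8.2004
"""

def parse_log(text):
    """Parse the CSV rows into dicts with typed timestamp and coordinates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "mac": row["mac"].lower(),
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
        })
    return rows

def summarize(rows):
    """Group sightings by MAC: count, first/last seen, mean scanner position.
    The mean of the scanner's own fixes is a rough search centre, since the
    log holds no range or bearing to the phone itself."""
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)
    out = {}
    for mac, hits in by_mac.items():
        hits.sort(key=lambda h: h["ts"])
        out[mac] = {
            "count": len(hits),
            "first_seen": hits[0]["ts"],
            "last_seen": hits[-1]["ts"],
            "lat": round(sum(h["lat"] for h in hits) / len(hits), 5),
            "lon": round(sum(h["lon"] for h in hits) / len(hits), 5),
        }
    return out

def rank_candidates(summary):
    """Devices heard most often first: repeated hits in one area are
    more worth a closer pass than a single stray detection."""
    return sorted(summary, key=lambda m: summary[m]["count"], reverse=True)
```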

Similar systems exist commercially, primarily working with cell signals rather than WiFi. Costs are prohibitively high for many organisations though, so we can see ResQ filling in gaps as a useful tool to have. We’ve featured other radio gear for search and rescue before, too. Video after the break.


Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that the device’s wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. They are called coexistence mechanisms and enable high-performance communication on intersecting frequency bands, and thus they are essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary solutions.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores in which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here is, from an attacker’s perspective, to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


Stop Bad Laws Before They Start

With everything else going on this summer, you might be forgiven for not keeping abreast of new proposed regulatory frameworks, but if you’re interested in software-defined radio (SDR) or even reflashing your WiFi router, you should. Right now, there’s a proposal to essentially prevent you from flashing your own firmware/software to any product with a radio in it before the European Commission. This obviously matters to Europeans, but because manufacturers often build hardware to the strictest global requirements, it may impact everyone. What counts as radio equipment? Everything from WiFi routers to wearables, SDR dongles to shortwave radios.

The idea is to prevent rogue reconfigurable radios from talking over each other, and prevent consumers from bricking their routers and radios. Before SDR was the norm, and firmware was king, it was easy for regulators to test some hardware and make sure that it’s compliant, but now that anyone can re-flash firmware, how can they be sure that a radio is conformant? Prevent the user from running their own firmware, naturally. It’s pretty hard for Hackaday to get behind that approach.

The impact assessment sounds more like advertising copy for the proposed ruling than an honest assessment, but you should give it a read because it lets you know where the commission is coming from. It is reassuring that they mention open-source software development explicitly as a good to be preserved, but their “likely social impacts” include “increased security and safety” and they conclude that there are no negative environmental impacts. What do you do when the manufacturer no longer wants to support the device? I have plenty of gear that’s no longer supported by firmware updates that is both more secure and simply not in the landfill because of open-source firmware.

Similarly, “the increased capacity of the EU to autonomously secure its products is also likely to help the citizens to better protect their information-related rights” is from a bizarro world where you can trust Xiaomi’s home-automation firmware to not phone home, but can’t trust an open-source replacement.

Public comment is still open, and isn’t limited to European citizens. As mentioned above, it might affect you even if you’re not in the EU, so feel free to make your voice heard. You have until September, and you’ll be in some great company if you register your complaints. Indeed, reading through the public comments is quite heartening: Universities, researchers, and hackers alike have brought up reasons to steer clear of the proposed approach. We hope that the commission hears us.

Great Badge Concept: A “Geiger Counter” For WiFi Deauthentication Frames

[Nick Price] had a wonderful concept for a DEFCON badge: a device that worked a lot like a directional Geiger counter, but chirped at detecting WiFi deauthentication packets instead of radiation. That’s a wild idea and it somehow slipped past us last year. Why detect such a thing? Well, the WiFi deauth attack is a kind of invisible toxicity, effectively jamming wireless communications by forcing users to be constantly tied up with authentication, and this device would detect it.
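The detection side of the badge idea, as an added example that is not [Nick]’s code: it classifies raw 802.11 frames by the type/subtype bits of the frame control field, counts deauthentication and disassociation frames per source address over a capture window, and reports a Geiger-style rate. The helper that builds frames and the capture it builds are constructed test data, not real traffic.

```python
import struct

# IEEE 802.11 frame-control values: type 0 is management; deauthentication
# and disassociation are the two subtypes the badge would chirp on.
MGMT, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 10, 12
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_mgmt_frame(subtype, dst, src, bssid, reason=None):
    """Constructed test helper: minimal 24-byte 802.11 management header
    (FC, duration, addr1..3, seq ctrl) plus an optional reason-code body."""
    fc0 = (subtype << 4) | (MGMT << 2)          # protocol version 0, type 0
    hdr = struct.pack("<BBH", fc0, 0, 0)
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")

def parse_frame(frame):
    """Return (type, subtype, src, dst) or None for a truncated frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, frame[10:16].hex(":"), frame[4:10].hex(":")

def is_deauth_like(parsed):
    return parsed is not None and parsed[0] == MGMT and parsed[1] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)

def geiger_counts(frames, window_s):
    """Count deauth/disassoc frames per source address over a capture window.
    Broadcast-addressed deauths are tallied separately: an AP normally drops
    a single client, so a stream of broadcast deauths is the 'radiation'."""
    per_source, broadcast = {}, 0
    for f in frames:
        p = parse_frame(f)
        if not is_deauth_like(p):
            continue
        per_source[p[2]] = per_source.get(p[2], 0) + 1
        broadcast += p[3] == BCAST
    total = sum(per_source.values())
    return {"per_source": per_source, "broadcast": broadcast,
            "total": total, "rate_per_s": total / window_s}

# Constructed capture: one beacon, three deauths, one disassoc, one data frame.
AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:bb:02"
SAMPLE_CAPTURE = [
    build_mgmt_frame(8, BCAST, AP, AP),                   # beacon, benign
    build_mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP, 7),
    build_mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP, 7),
    build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, 7),
    build_mgmt_frame(SUBTYPE_DISASSOC, CLIENT, AP, AP, 8),
    bytes([0x08, 0x00]) + bytes(22),                      # data frame, ignored
]
```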

A few things were harder than expected, however. To make the device directional, [Nick] designed and built a PCB Yagi antenna but it wasn’t practical. Not only was it far too big, it would also have required going to four layers on a PCB that was already expensive. The solution he settled on — inspired by a friend’s joke about just dropping the badge into a Pringles can — was to surround the PCB omni antenna with a copper pipe end cap from the plumbing section of any hardware store. [Nick] figured that soldering that to the ground plane should result in a simple, cheap, and attractive directional antenna mod. Did it work? We’ll all have to wait and see.

Sadly, [Nick] wasn’t able to finish in time for last year’s DEFCON. Hardware revisions mounted, and fabrication times for his specialized PCB were longer than usual. Worse news is that this year’s is cancelled, or rather is going virtual, which means he’s going to have to deauth himself. The good news is that now he’s got another 12-month extension. Watch the brief video of the functional prototype, embedded below.


WiFi Goes Open

For most people, adding WiFi to a project means grabbing something like an ESP8266 or an ESP32. But if you are developing your own design on an FPGA, that means adding another package. If you are targeting Linux, the OpenWifi project has a good start at providing WiFi in Verilog. There are examples for many development boards and advice for porting to your own target on GitHub. You can also see one of the developers, [Xianjun Jiao], demonstrate the whole thing in the video below.

The demo uses a Xilinx Zynq, so the Linux backend runs on the Arm processor that is on the same chip as the FPGA doing the software-defined radio. We’ll warn you that this project is not for the faint of heart. If you want to understand the code, you’ll have to dig into a lot of WiFi trivia.


Lowering The Boom On Yagi Element Isolation

Antenna design can be confusing, to say the least. There’s so much black magic that goes into antennas that newbies often look at designs and are left wondering exactly how the thing could ever work. Slight changes in length or the angle between two elements result in a vastly different resonant frequency or a significant change in the antenna’s impedance. It can drive one to distraction.

Particularly concerning are the frequent appearances of what seem to be dead shorts between the two conductors of a feedline, which [andrew mcneil] explored with a pair of WiFi Yagi antennas. These highly directional antennas have a driven element and a number of parasitic elements, specifically a reflector behind the driven element and one or more directors in front of it. Constructive and destructive interference based on the spacing of the elements and capacitive or inductive coupling based on their length determine the characteristics of the antenna. [Andrew]’s test antennas have their twelve directors either isolated from the boom or shorted together to the shield of the feedline. In side-by-side tests with a known signal source, both antennas performed exactly the same, meaning that if you choose to build a Yagi, you’ve got a lot of flexibility in what materials you choose and how you attach elements to the boom.

If you want to dive a little deeper into how the Yagi works, and to learn why it’s more properly known as the Yagi-Uda antenna, check out our story on their history and operational theory. And hats off to [andrew] for reminding us that antenna design is often an exercise in practicality; after all, an umbrella and some tin cans or even a rusty nail will do under the right circumstances.


Turn An Unused Pi Zero Into A Parts Bin WiFi Extender

We know a lot of you are sitting on an unused Raspberry Pi Zero W, maybe even several of them. The things are just too small and cheap not to buy in bulk when the opportunity presents itself. Unfortunately, the Zero isn’t exactly a powerhouse, and it can sometimes be tricky to find an application that really fits the hardware.

Which is why this tip from [Tejas Lotlikar] is worth taking a look at. Using the Pi Zero W, a cheap USB WiFi adapter, and some software trickery, you can put together a cheap extender for your wireless network. The Pi should even have a few cycles left over to run ad-blocking software like Pi-hole while it shuffles your packets around the tubes.

[Tejas] explains every step of the process, from putting the Raspbian image onto an SD card to convincing wpa_supplicant to put the Pi’s WiFi radio into Access Point mode. Incidentally, this means that you don’t need to be very selective about the make and model of the USB wireless adapter. Something with an external antenna is preferable since it will be able to pull in the weak source signal, but you don’t have to worry about it supporting Soft AP.

With the software configured, all you need to finish this project off is an enclosure. A custom 3D printed case large enough to hold both the Pi and the external WiFi adapter would be a nice touch.