Archive for the ‘Bluetooth’ Category

DEFCON 31 news flash.

Friday, September 8th, 2023

By way of Hacker News, and I only discovered this 15 minutes ago so I haven’t had time to go through all of it yet:

“Snoop unto them, as they snoop unto us”.

Here’s the original description:

BLE devices are now all the rage. What makes a purpose built tracking device like the AirTag all that different from the majority of BLE devices that have a fixed address? With the rise of IoT we’re also seeing a rise in government and corporate BLE surveillance systems. We’ll look at tools that normal people can use to find out if their favorite IoT gear is easily trackable. If headphones and GoPro’s use fixed addresses, what about stun guns and bodycams? We’ll take a look at IoT gear used by authorities and how it may be detectable over long durations, just like an AirTag.

The first link will get you to slides, video of the talk, files, and code. As you know, Bob, Bluetooth is a thing for this blog, so this is relevant to my interests…

DEFCON 30 notes.

Monday, August 15th, 2022

Lawrence (who I hope is feeling better) pinged me over the weekend about missing DEFCON 30 coverage. (At least, that’s what I think he was pinging me about: his email was kind of cryptic.)

There are some things going on here.

One is that, as I said last week, I was in a mood. It takes a lot of time and effort to pull together the preliminary list of DEFCON panels, the day to day coverage, and the post-DEFCON writeups. That effort is even harder now, because Twitter has pretty much removed the ability to view more than a couple of a person’s tweets without being signed in. I just didn’t have it in me last week.

Which kind of leads to the second reason: it just doesn’t seem that my DEFCON coverage gets the level of engagement that justifies the effort. As far as I can tell, people just aren’t all that interested in it. That may be (probably is) a flaw on my part as a writer, it may be that my audience just isn’t interested in computer security subjects, or it may be that I’m completely misreading what people are interested in.

It also feels like DEFCON has moved beyond me in the post-Wuhan Flu world. It used to feel like a gathering of one of my tribes. Now, it costs $360 (“with a processing fee of $9.66 added to online orders”). Masks are required. And supposedly, you may run into trouble with the hotel if you want to bring a legal firearm. (Hattip: McThag.) They’re also still doing that weird “semi-hybrid” model again, and I’m just not willing to spend a bunch of time hanging out on Discord.

(I’m pretty sure I stayed at that “s–tball” Travelodge on my last DEFCON trip. “they just want their $56 per night and prefer you to not leave used heroin works in the potted plants outside” seems pretty accurate.)

The last thing is: I’ve seen almost no other coverage or discussion of DEFCON 30 this year. At least not in the places I’d expect to see it: Wired, ArsTechnica, or HackerNews. ThreatGrid did a round-up post this morning if you want a different take than mine, but other than that, I’ve seen nothing.

I went and checked the schedule (which you can find here: I haven’t found the media server yet.) One thing that is really nice is that they’ve added much more information to the schedule entries, including links and references where available.

And…there just are not a lot of presentations this year that I find interesting. I can see why people would be interested in “Computer Hacks in the Russia-Ukraine War”, but at only 20 minutes, I have questions.

Maybe “Wireless Keystroke Injection (WKI) via Bluetooth Low Energy (BLE)” because Bluetooth, but that’s not so much breaking Bluetooth as it is pretending to be a legit Bluetooth device.

“The PACMAN Attack: Breaking PAC on the Apple M1 with Hardware Attacks” and “Process injection: breaking all macOS security layers with a single vulnerability” probably have some relevance to Apple folks. So does “The hitchhacker’s guide to iPhone Lightning & JTAG hacking”. And I can see the interest in “Glitched on Earth by humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal”, but I don’t have a Starlink terminal to play with.

“You’re Muted Rooted” has the Zoom thing going for it. I’ll confess to a small amount of interest in “HACK THE HEMISPHERE! How we (legally) broadcasted hacker content to all of North America using an end-of-life geostationary satellite, and how you can set up your own broadcast too!” and no interest at all in this year’s “Hippy, please.” one.

“Defeating Moving Elements in High Security Keys” does sort of get my attention. And that’s the last thing that does.

It just feels smaller and less interesting. Perhaps DEFCON is still finding their footing again after the last two years. I don’t know. I also don’t know if I’m going to do anything next year.

“What you gonna do when you get out of jail?…” part 394

Thursday, April 29th, 2021

Travel Thursday!

Why don’t we continue with our tour of the United States and visit another exotic destination?

“More Per Mile”, a 1950s travelogue about the great state of Kentucky, “the state where the young have fun”.

Bonus: “Real Appalachia with Shane Simmons” visits Harlan.

Bonus #2: This stretches the definition of “travel” a bit, but I found it amusing: “Flight Attendant: Is There A Doctor On This Flight? Dad: Yeah, Me [It Happened Again]”. This guy seems to get dragged into in-flight medical emergencies a lot.

Also, to be honest, I’m fascinated by this portable Bluetooth EKG machine. Not that I have heart trouble, but at $149, this almost falls into “impulse buy” territory. Throw it in your carry-on if you are a doctor and are traveling…not that I know anybody who falls into that category…

Please refrain from tasting the KNOB.

Friday, August 16th, 2019

As a Bluetooth guy, and as someone who just posted a bunch of DEFCON 27 stuff, I feel compelled to say something about the Key Negotiation of Bluetooth Attack (aka KNOB) which has been getting a lot of attention the past few days.

Here’s the actual paper from the USENIX Security Symposium.

The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. [Emphasis in the original – DB]

Here’s a higher level overview of how the attack works.

Also of interest, also from USENIX, also getting some media attention: “Please Pay Inside: Evaluating Bluetooth-based Detection of Gas Pump Skimmers”. What’s cool about this is that the authors have developed Bluetana, an Android app that scans for Bluetooth devices in the area (every five seconds), displays a list of devices it found, and highlights ones that show characteristics similar to those of Bluetooth skimmers.

First, the app checks the device’s class. All skimmers studied within this work, whether discovered by Bluetana or not, had a device class of Uncategorized. If the device class is not uncategorized, the data is saved for later analysis. The device’s MAC prefix is then compared against a “hitlist” of prefixes used in skimming devices recovered by law enforcement. If the device has a MAC that is not on this hitlist, it is unlikely to be a skimmer, and the app highlights the record yellow. Next, if the device name matches a common product using the same MAC prefix, the record highlights in orange. If all three fields (MAC prefix, Class-of-Device, and Device Name) indicate the device is likely to be a skimmer, Bluetana highlights the record in red. The highlighting procedure is the result of a year of refinements based on our experience finding skimmers in the field, and Bluetana includes a remote update procedure to account for these incremental changes.
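The three-field highlighting procedure quoted above, written out as a small classifier. This is an added example, not code from the Bluetana app or the paper; the hitlist prefixes, the known-product table and the scan records are all constructed placeholders, and the colour order (yellow, orange, red) follows the paragraph above exactly.

```python
# Added example (not the Bluetana app's code): classify Bluetooth scan records
# using the class / MAC-prefix / device-name procedure described in the paper.

# Constructed, hypothetical OUI prefixes standing in for the "hitlist" of prefixes
# seen in recovered skimmers. Real values would come from law enforcement.
HITLIST_PREFIXES = {"AA:BB:CC", "DD:EE:FF"}

# Constructed mapping: prefix -> product names that legitimately use that prefix.
KNOWN_PRODUCTS = {"AA:BB:CC": {"Acme Headset"}}

def mac_prefix(mac: str) -> str:
    """Return the first three octets (the OUI) of a MAC address, upper-cased."""
    return ":".join(mac.upper().split(":")[:3])

def classify(record: dict) -> str:
    """Return 'none', 'yellow', 'orange' or 'red' for one scan record.

    record keys: 'mac', 'device_class', 'name' (name may be None).
    1. class is not Uncategorized      -> 'none' (saved for later analysis)
    2. prefix not on the hitlist       -> 'yellow' (unlikely a skimmer)
    3. name is a known product on that -> 'orange'
       prefix
    4. all three fields point to a     -> 'red'
       skimmer
    """
    if record["device_class"].lower() != "uncategorized":
        return "none"
    prefix = mac_prefix(record["mac"])
    if prefix not in HITLIST_PREFIXES:
        return "yellow"
    if record.get("name") in KNOWN_PRODUCTS.get(prefix, set()):
        return "orange"
    return "red"

def scan_summary(records) -> dict:
    """Classify a batch of records; malformed rows are marked 'invalid', not dropped."""
    out = {}
    for r in records:
        try:
            out[r["mac"]] = classify(r)
        except (KeyError, AttributeError):
            out[r.get("mac", "?")] = "invalid"
    return out

SAMPLE_SCAN = [  # constructed records, not a real capture
    {"mac": "aa:bb:cc:01:02:03", "device_class": "Uncategorized", "name": None},
    {"mac": "AA:BB:CC:04:05:06", "device_class": "Uncategorized", "name": "Acme Headset"},
    {"mac": "11:22:33:44:55:66", "device_class": "Uncategorized", "name": "FitBand"},
    {"mac": "DD:EE:FF:00:00:01", "device_class": "Audio/Video", "name": "Car Kit"},
]

if __name__ == "__main__":
    for mac, colour in scan_summary(SAMPLE_SCAN).items():
        print(f"{mac}: {colour}")
```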

I’m fascinated by both of these papers, just based on a preliminary skimming. I’m hoping to do a detailed reading at that mythical point in the future when I have more free time…

Black Hat/DEFCON 27 links: August 16, 2019.

Friday, August 16th, 2019

Apologies for being behind on this: I’m also working on another project that’s taking up a lot of my blogging time, but I hope to be done with that soon.

Lock, lock, baby, baby.

Wednesday, August 7th, 2019

I missed these the first time around, but the Hacker News Twitter linked to them a couple of days ago. I thought I’d blog them for the benefit of all my lock/computer security/Internet of Broken Things fans.

There’s a type of lock called the FB50 smart lock. It’s manufactured by a Chinese company, and sold “under multiple brands across many ecommerce sites”. As you might guess, it has Bluetooth and an app.

And, of course, it’s vulnerable. Once you get the lock’s MAC address (which, you know, you can get just by looking for Bluetooth devices in the area), you can use a series of HTTP requests to get the lock ID and the user ID, and then disassociate the user from the lock and associate yourself.

Discussion and proof of concept code here.

And the footnotes on that led me to another Pen Test Partners lock exploit (these are the folks who brought you the Tapplock one). This time the target is something called the Nokelock, which is apparently popular on Amazon (“…they do a number of different formats in a number of different body types, sometimes with other unlocking devices, such as fingerprint sensors. There are other brand names they get repackaged as, such as Micalock.”)

So the Bluetooth packets are encrypted. But…

…the key can be obtained from the API by two methods. All the API requests need a valid API token, which can be obtained by simply creating a user with a throw away email address.

And:

…all traffic, including the user’s traffic is sent via the unencrypted HTTP protocol.

And there’s no authorization for API calls. All you need is a token, which (as noted above) you can get with an email address. Once you’ve got a token, you can grab the information about any lock, “including email address, password hash and the GPS location of a lock”.

And the password hash is unsalted MD5. “This is a cryptographically weak hash type that can be run through very quickly.”

Extra bonus points: the footnotes for the Pen Test Partners entry point to yet another lock exploit, this one for something called the Klic Lock.

An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2

I don’t think I can put it any better than icyphox did:

DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.

DEFCON 27/Black Hat 2019 preliminary notes.

Thursday, August 1st, 2019

DEFCON 27 starts a little later than I’m used to this year (August 8th, so a week from today.) Black Hat 2019 starts August 7th. Black Hat schedule is here. DEFCON schedule is here.

Again this year, I’m not going. While I feel like I’m moving closer to the point where I’m ready to return (expenses paid or expenses unpaid) I’m not quite where I want to be yet to go on my own dime. And as far as the company paying for me to go…not this year, for reasons I won’t go into. (Nothing bad. At least I don’t think so. Just don’t want to run my mouth about internal stuff.)

So, as usual: what would I go to, if I were going?

Let’s look at the DEFCON schedule first.


More Black Hat/DEFCON 26 updates.

Wednesday, August 15th, 2018
  • Slides for “A Dive in to Hyper-V Architecture & Vulnerabilities” with Joe Bialek and Nicolas Joly can be found here. (The link on the Black Hat site is still borked.)
  • This isn’t an actual DEFCON 26 presentation, but it’s referenced in Vincent Tan’s “Hacking BLE Bicycle Locks for Fun and a Small Profit”, and I want to bookmark it for later: “Blue Picking: Hacking Bluetooth Smart Locks” by Slawomir Jasek.
  • Slides for “Ring 0/-2 Rootkits: Compromising Defenses” with Alexandre Borges are here.
  • Also not a DEFCON presentation, but picked up by way of an Ars Technica story: “Fear the Reaper: Characterization and Fast Detection of Card Skimmers” by Nolen Scaife, Christian Peeters, and Patrick Traynor. In which the authors analyze a bunch of skimmers confiscated by NYPD…and then build a device that can detect skimmers, based on nothing more than the physical properties of how card readers work. Quote of the day: “Security solutions requiring significant behavioral changes are unlikely to be successful.”
  • Content for “All your math are belong to us” with sghctoma is here: slides, white paper, and exploit code.

DEFCON 26/Black Hat updates: August 14, 2018.

Tuesday, August 14th, 2018

I apologize that I wasn’t able to post more coverage over the weekend: as I expected, it turned out to be fun, but packed.

I intended to post this yesterday, but I wasn’t able to find many updates on my lunch hour. Then I got stuck in a gumption trap late in the day at work, and basically came home and collapsed.

In retrospect, that was better, because this story broke late in the afternoon: Caesars Palace security was (in the opinion of at least some DEFCON attendees) a little too aggressive about searching rooms. More from Defiant, a company that was at DEFCON. Statement from Marc Rogers.

Good post with links over at Borepatch’s site about the widely covered “voting machine vulnerabilities”.

Also: badge related coverage if you care. Personally, I don’t need a stinking badge.

Black Hat updates:

DEFCON 26 updates:

DEFCON 26/Black Hat 2018 preliminary notes.

Sunday, August 5th, 2018

DEFCON 26 and Black Hat 2018 start up later this week. Again, I’m not going, but I do feel like I’m inching closer to making a return. Full-timers from my group have been sent to Black Hat in the past, so who knows what’s going to happen next year?

What would I do if I was there? A quick skim of the Black Hat briefings schedule doesn’t show a whole lot that really jumps out at me. I’d probably just be hitting targets of opportunity, with a few exceptions:

What about DEFCON 26? After the jump…


Let’s go!

Friday, July 13th, 2018

More car related updates and thoughts.

First of all, RoadRich left an excellent and thoughtful comment on the last post which you should go read.


Here in my car…

Thursday, July 5th, 2018

I bought a new to me car last Saturday. It’s a 2006 Honda Accord EX-L that had 82,000 miles on it (not bad, in my opinion, for a 12 year old car) and has quite a few features I like: leather interior, sun roof, cabin air filter, power seats, and even seat heaters for that one month a year when those are actually useful in Texas. (Also ABS. I’m not clear on whether it has traction control or not. I checked the Honda-Tech VIN decoder and while it is useful, it doesn’t talk about traction control.)

Now that I have the car, I splurged on a couple of things. I got a dashcam for it: the Papago GoSafe 535, which is what the Wirecutter currently recommends. That one has gone up by about $13 in the couple of days since I ordered it, and it really wasn’t my first choice. I wanted the Spy Tec G1W-C, which was a previous Wirecutter choice that I bought for my mother’s car and have been happy with. But by the time I was ready to order, Amazon had sold out of the Spy Tec.

My other splurge item was a LELink Bluetooth Low Energy BLE OBD-II car diagnostic tool. Why? Several reasons:
