Inside a low budget consumer hardware espionage implant
Analysis of the S8 data line locator
The following analysis was performed on a S8 data line locator […]A while back Joe Fitz tweeted about the S8 data line locator1. He referred to it as “Trickle down espionage” due to its reminiscence of NSA spying equipment. The S8 data line locator is a GSM listening and location device hidden inside the plug of a standard USB data/charging cable. It supports the 850, 900, 1800 and 1900 MHz GSM frequencies. Its core idea is very similar to the COTTONMOUTH product line by the NSA/CSS  in which an RF device is hidden inside a USB plug. Those hidden devices are referred to as implants. The device itself is marketed as a location tracker usable in cars, where a thief would not be able to identify the USB cable as a location tracking device. Its malicious use-cases can, however, not be denied. Especially since it features no GPS making its location reporting very coarse (1.57 km deviation in my tests). It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case, after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage.[…]
I was not able yet to write new firmware via flashrom because I was not able to disable block protection on the flash, yet. Maybe a different avenue for flashing new firmware could be the SPFlash tool4 and/or the Flash tool. However, that would not be open source. If know something about the weird FAT12 file system used in the device or are able to flash your S8 data line locator please contact me with details![…]
No writeup would be complete without at least one fuck up. So here it is: While using the S8 data line locator with OpenBTS I provisioned imaginary numbers. When switching SIM cards I forgot to turn of the voice activated callback. So long story short, some guy with the number 3333333 listend in on me for 2 minutes:
Provider call log fail. I did not notice this until I reviewed the logs! So my resume on these little hardware espionage implants: They are stealthy and dangerous as fuck![…]
Nice to see Joe Fitzpatrick doing firmware hacks on CSPAN!
Colin O’Flynn joins Joe+Joe+Dymtry, so ‘power trio’ is no longer appropriate.
Does ‘power trio’ apply to training companies, as well as rock bands? 🙂
“Combined, we have over 25 years of experience teaching hardware security trainings and we have taught hundreds of classes. We have helped leading tech companies build their security teams and taught thousands of hardware security engineers the skills necessary for their day to day work. Our unique experience is unparalleled in the industry.”
Joe Fitzpatrick of Securing Hardware has announced a new course:
[…]This course focuses on approaching hardware as part of a pentest or red team engagement, implementing advanced hardware hacks, and managing the hardware ‘problem’. This two-day course builds directly upon the skills covered in Physical Attacks on Embedded Systems – consider taking the two together for a complete 4 days. If you’ve already taken another class that covers the basics of embedded/IOT/hardware hacking, including UART, JTAG, and SPI, you should have sufficient background.[…]
If you have not killed your TV yet, you might want to wait a day, after this episode, until you do.
Does not appear to be a public Github project yet.
For those who need Evil Maid skills take note: Joe Fitzpatrick has added a BIOS mod lab to his Black Hat training on x86 physical attacks.
Applied Physical Attacks on x86 Systems
Joe FitzPatrick, SecuringHardware.com
July 30-August 2
This course introduces and explores attacks on several different relatively accessible interfaces on x86 systems. Attendees will get hands-on experience implementing and deploying a number of low-cost hardware devices to enable access, privilege, and deception which is in some cases imperceptible from software. The course has several modules: USB, SPI/BIOS, I2C/SMBus, PCIe, and JTAG. Each begins with an architectural overview of an interface, and follows with a series of labs for hands-on practice understanding, observing, interacting with, and exploiting the interface, finishing with either potentially exploitable crashes or directly to root shells.
This month is B-Sides Seattle, and there are 3 hardware workshops (Attacking USB, JTAG, and Arduino) one by Joe (SecurelyFitz) and two by Matt (CryptoMonkey):
I think I heard Matt say this was the last time he was offering this Attacking USB training…
Note that Joe also has training at CanSecWest and Black Hat, in addition to B-Sides Seattle..
Thanks to JoeFitz at SecuringHardware.com for showing me about the libsigrok project!
New supported devices in libsigrok:
* Logic analyzers: AKIP-9101, BeagleLogic, LeCroy LogicStudio, mcupro Logic16 clone, Pipistrello OLS, SysClk LWLA1016
* Oscilloscopes: Rigol/Agilent DS1000Z series, Yokogawa DLM2000 series, Yokogawa DL9000 series, Hung-Chang DSO-2100, GW Instek GDS-800
* Multimeters: Agilent U1241A/B, Agilent U1242A/B, Brymen BM25x series, MASTECH MS8250B, Metrahit 16T/16U/KMM2002, PeakTech 3415, Tenma 72-7730/72-7732/72-9380A, Testo 435-4, UNI-T UT372, UNI-T UT71A/B/C/D/E, * * Velleman DVM4100, Voltcraft VC-870/VC-920/VC-940/VC-960
* Programmable power supplies: Fluke/Philips PM2800 series, HP 663xx series, Manson HCS-3xxx series, Motech LPS-30x series, Rigol DP800 series, Korad KAxxxxP series (a.k.a Velleman LABPS3005D and others)
* AC/DC sources: Agilent N5700A series (DC sources), Chroma 61600 series (AC sources), Chroma 62000 series (DC sources)
* Electronic loads: Maynuo M97 (and compatibles)
* LCR meters: DER EE DE-5000
* Scales: KERN EW 6200-2NM
* BeagleBone Black capes: BayLibre ACME (revA and revB)
Joe Fitzpatrick (@securelyfitz) has released the slides and samples for the recent 44Con talk on “JTAGsploitation”.
Quoting the *entire* 1-line readme here:
jtagsploitation: scripts and examples for using JTAG debug tools to gain root access
44con just finished. I didn’t mention this event earlier, but it included a few interesting presentations and workshops:
Is there an EFI monster inside your apple?
Hands-on JTAG for fun and root shells
Pen Test Partners IoT Workshop
What: HushCon 2015
Where: Seattle, WA, USA
When: December 2015
The event includes Hardware Training:
Joe Grand (@joegrand) – Hands-on Hardware Hacking and Reverse Engineering
Joe FitzPatrick (@securelyfitz) – Applied Physical Attacks On x86 Systems
The conference’s web site is under construction, look at their Twitter feed for current info.
I didn’t know about this company until today. It looks like Joe Fitzpatrick of SecuringHardware is or soon will be joining them:
It appears Xipiter does security training, including Intel- and ARM-based hardware-level courses, including at upcoming DEF CON. They appear to have an upcoming Android course in the works, related to the Wiley Android Hacker’s Handbook, which has a nice chapter on ARM firmware hacking. They have other services besides training, and some hardware products as well.
In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:
ThunderStrike 2: Sith Strike
Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC
The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.
Attacking Hypervisors Using Firmware and Hardware
Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher
In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.
And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.