
posted by Fnord666 on Friday July 17 2020, @01:27PM   Printer-friendly
from the debugging-for-fun-and-profit dept.

Submitted via IRC for boru.

https://www.infoq.com/news/2020/07/nRF52-debug-resurrect/:

A recent hardware attack on the Nordic nRF52 chip uses local access to gain chip-level debugging capabilities that persist in silicon, unpatchable in software. Nordic has confirmed the issue and encouraged device manufacturers to detect openings of the enclosure, as the chip is not hardened against fault injection.

This chip is used in so many bluetooth products. Might be fun to go wardriving and find some and see if any have accessible SWD pins.

  • (Score: 4, Touché) by Immerman on Friday July 17 2020, @02:18PM (14 children)

    by Immerman (3985) on Friday July 17 2020, @02:18PM (#1022894)

    Am I missing something? How is wardriving going to carry out a hardware attack?

    • (Score: 1, Informative) by Anonymous Coward on Friday July 17 2020, @03:11PM (3 children)

      by Anonymous Coward on Friday July 17 2020, @03:11PM (#1022911)
      Unless what they mean by "wardriving" is driving around and taking peoples' gadgets at gunpoint as though you were in a war zone. Yes, it's a hardware fault injection attack and requires a special electronic rig to attach to the vulnerable chip. You obviously can't perform the attacks described over the air.
      • (Score: 2) by DannyB on Friday July 17 2020, @03:38PM (2 children)

        by DannyB (5839) Subscriber Badge on Friday July 17 2020, @03:38PM (#1022927) Journal

        Unless what they mean by "wardriving" is driving around and taking peoples' gadgets at gunpoint

        I don't have any direct experience with this, but I would presume that it would be more effective to take cash, drugs and weapons instead of taking people's gadgets.

        --
        Young people won't believe you if you say you used to get Netflix by US Postal Mail.
        • (Score: 2) by Snotnose on Friday July 17 2020, @03:45PM (1 child)

          by Snotnose (1623) on Friday July 17 2020, @03:45PM (#1022932)

          I would presume that it would be more effective to take cash, drugs and weapons

          Sigh. The drugs I take nowadays don't do you any good unless you have high blood pressure or cholesterol.

          --
          I came. I saw. I forgot why I came.
          • (Score: 2) by DannyB on Friday July 17 2020, @03:50PM

            by DannyB (5839) Subscriber Badge on Friday July 17 2020, @03:50PM (#1022935) Journal

            Prescription narcotic pain killers might be appealing to a thief.

            Thieves of all ages can enjoy boner drugs.

            Who says boomers might not have good drugs in their house?

            --
            Young people won't believe you if you say you used to get Netflix by US Postal Mail.
    • (Score: 4, Funny) by Anonymous Coward on Friday July 17 2020, @03:19PM (3 children)

      by Anonymous Coward on Friday July 17 2020, @03:19PM (#1022914)

      Millennial wardriving: it's where you borrow Mom's car, take a photo of yourself linking in a Ruby gem called "nRF52_Crack" while driving, then you realize the library's infected with Russian malware and while trying to remove it swerve into a boomer's front lawn where (with luck) you burst into flames and die an agonizing death.

      • (Score: 3, Insightful) by The Vocal Minority on Saturday July 18 2020, @06:18AM (2 children)

        by The Vocal Minority (2765) on Saturday July 18 2020, @06:18AM (#1023275) Journal

        Why are we upmodding this annoying boomer/millennial troll hate bullshit?

        • (Score: 1, Interesting) by Anonymous Coward on Saturday July 18 2020, @08:00AM (1 child)

          by Anonymous Coward on Saturday July 18 2020, @08:00AM (#1023290)

          It's a hard and rather useless question, but I'll try.

          People are a species of chimp.
          And these things enjoy discord and meaningless suffering of others.
          They need a reason to hate, maim, kill, mutilate, because it brings them pleasure.
          It's entertaining.

          The internet is almost the only place where chimps can be chimps. If they try doing what brings them pleasure IRL, they will get hurt.
          Especially in the land of the prison, home of the jail.

          Chimps are incredibly risk averse.
          So they create a possible identity that can exist, "a troll", and a whole world of text-based depravity, "anywhere where comments can be posted", because real depravity is not available to them, and text is real enough.
          That way it's internally legitimate.

          What you see is a product of A/B testing for soon 30 years, if not more.

          "Why are we" - there is no we. And never has been.

          In all seriousness, go read about chimpanzee and bonobo group dynamics.
          Then realise and weep, if you're that much into pretending to be non-chimp, lol.

    • (Score: 2) by ilsa on Friday July 17 2020, @07:35PM

      by ilsa (6082) Subscriber Badge on Friday July 17 2020, @07:35PM (#1023039)

      Nope. They're using completely incorrect terminology.

    • (Score: 3, Insightful) by sjames on Friday July 17 2020, @09:34PM (2 children)

      by sjames (2882) on Friday July 17 2020, @09:34PM (#1023082) Journal

      That's why I take vulnerability reports with a few pounds of salt.

      Background for people who don't do a lot of embedded device work:

      Many devices, including the nrf52 series, include a hardware debugging interface (also used for initial firmware loading at the factory). Often those are exposed on the board as small conductive test points rather than having a socket. They're visible on many devices. To access them, the board is placed in a jig with spring-loaded pogo pins (contact pins with an action very much like the bottom of a pogo stick). Sometimes they are disabled after the factory firmware load to make reverse engineering harder.

      Any hack involving the debugging interface is necessarily hands-on and involves opening the case. There will be no drive by hacking of devices through the debugging interface.

      On the nrf52 series, the hardware debugging can be disabled by setting a register on the device. The vulnerability is that given enough tries, it is possible to use well timed power glitching to make the device fail to disable the debug interface as it powers up, allowing you to read out the firmware and data.

      Other devices with debugging interfaces have fuses you can blow after factory load to disable debugging, but a sufficiently determined attacker with resources can probably de-cap the chip and read the firmware out anyway. So it's more a matter of how hard is it rather than is it possible.

      • (Score: 3, Insightful) by Immerman on Friday July 17 2020, @11:50PM (1 child)

        by Immerman (3985) on Friday July 17 2020, @11:50PM (#1023124)

        Yeah, it strikes me as very bizarre that hardware controlled access to debugging and other features is considered by anyone to be a security flaw.

        I mean, sure, if you're talking owner-hostile security such as keeping secret the Blu-ray decryption keys in a drive, debug modes are a potential weakness. Maybe too if you're talking high-security electronic locks, or medical equipment that might be tampered with to insert a literal "kill switch".

        But for consumer hardware? Access to debug modes, etc. is a wonderful boon to tinkerers, and reinforces that it's *your* hardware, not just hardware you've purchased the right to use.

        • (Score: 2) by sjames on Saturday July 18 2020, @07:26AM

          by sjames (2882) on Saturday July 18 2020, @07:26AM (#1023285) Journal

          There are a few legitimate cases where the BLE device holds access tokens to the owner's devices, but I agree that locking the owner out is less than honorable.

          The nrf isn't so bad about that: you can restore debugging to the device itself if you do a full chip erase (that function works even when debugging is disabled), but of course then it's on you to provide new firmware.
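The two sjames comments above describe the mechanism in prose: on the nRF52 the debug lock is "a register on the device" that the chip samples as it powers up, and a full chip erase brings the debug port back. The following is an added example, written for this page and not taken from the thread, from Nordic, or from the InfoQ article, showing what the firmware side of that register write looks like. The register names and offsets (UICR.APPROTECT at UICR base 0x10001000 + 0x208, NVMC.READY and NVMC.CONFIG at NVMC base 0x4001E000 + 0x400 / 0x504, the 0xFF "disabled" encoding and the 0x00 value the Nordic SDK writes to enable protection) are taken from the nRF52832/nRF52840 product specifications and are assumptions to check against your exact part. The `nrf52_host_sim` struct is a constructed stand-in for the hardware so the sequence can be exercised on a host; the power-glitch step that makes the chip skip applying this value at boot is not something this code can show.

```c
/*
 * Added example: how nRF52 firmware arms the SWD debug-port lock
 * (UICR.APPROTECT) that the thread is discussing. Not Nordic SDK code.
 *
 * UICR is a flash page: erased bytes read 0xFF, and writes can only clear
 * bits. The chip samples APPROTECT at power-up; any low byte other than
 * 0xFF disables the debug access port. Writing it goes through the NVMC:
 * enable writes, store the word, wait for READY, return to read-only.
 *
 * Addresses/offsets below are from the nRF52 product specifications and
 * are assumptions for this example; verify them for your part.
 */
#include <stdint.h>
#include <stdio.h>

#define NRF52_NVMC_BASE        0x4001E000u
#define NRF52_UICR_BASE        0x10001000u
#define NVMC_READY_OFFSET      0x400u  /* 1 = NVMC ready for a new operation */
#define NVMC_CONFIG_OFFSET     0x504u  /* 0 = REN, 1 = WEN, 2 = EEN */
#define UICR_APPROTECT_OFFSET  0x208u

#define NVMC_CONFIG_REN 0u
#define NVMC_CONFIG_WEN 1u

#define APPROTECT_PALL_DISABLED 0xFFu  /* erased value: debug port open */
#define APPROTECT_PALL_ENABLED  0x00u  /* value the Nordic SDK writes to lock */

/* Register access goes through this struct so the same code runs on the
 * chip (real addresses) or on a host (plain variables). */
struct nrf52_regs {
    volatile uint32_t *nvmc_ready;
    volatile uint32_t *nvmc_config;
    volatile uint32_t *uicr_approtect;
};

/* Real memory map; only dereference this when running on the chip. */
static inline struct nrf52_regs nrf52_regs_onchip(void)
{
    struct nrf52_regs r = {
        (volatile uint32_t *)(uintptr_t)(NRF52_NVMC_BASE + NVMC_READY_OFFSET),
        (volatile uint32_t *)(uintptr_t)(NRF52_NVMC_BASE + NVMC_CONFIG_OFFSET),
        (volatile uint32_t *)(uintptr_t)(NRF52_UICR_BASE + UICR_APPROTECT_OFFSET),
    };
    return r;
}

/* Constructed host stand-in, not a real device: erased UICR, idle NVMC. */
struct nrf52_host_sim {
    uint32_t ready, config, approtect;
};

static inline struct nrf52_regs nrf52_regs_host(struct nrf52_host_sim *s)
{
    s->ready = 1;
    s->config = NVMC_CONFIG_REN;
    s->approtect = 0xFFFFFFFFu;
    struct nrf52_regs r = { &s->ready, &s->config, &s->approtect };
    return r;
}

/* The same test the hardware applies to the value it latches at power-up:
 * anything but 0xFF in the low byte locks the port. A glitch that makes
 * that latch see 0xFF is exactly what the attack in the article targets. */
static inline int approtect_is_enabled(const struct nrf52_regs *r)
{
    return (*r->uicr_approtect & 0xFFu) != APPROTECT_PALL_DISABLED;
}

enum approtect_result {
    APPROTECT_ALREADY_ENABLED = 0,
    APPROTECT_WRITTEN_RESET_REQUIRED = 1,
};

/* Arm the lock. 0x00 is reachable from any flash state; returning to 0xFF
 * needs an erase (from firmware via NVMC, or from a debugger via the
 * CTRL-AP ERASEALL path the comment above refers to). The new value is
 * only sampled at the next reset, which the caller must perform. */
static inline enum approtect_result approtect_enable(const struct nrf52_regs *r)
{
    if (approtect_is_enabled(r))
        return APPROTECT_ALREADY_ENABLED;

    *r->nvmc_config = NVMC_CONFIG_WEN;
    while (*r->nvmc_ready == 0) { }          /* wait until NVMC accepts writes */
    *r->uicr_approtect = APPROTECT_PALL_ENABLED;
    while (*r->nvmc_ready == 0) { }          /* wait for the word to land */
    *r->nvmc_config = NVMC_CONFIG_REN;       /* back to read-only */
    return APPROTECT_WRITTEN_RESET_REQUIRED;
}

/* Run the sequence against the host stand-in: 0 on success, else the
 * number of the first check that failed. */
static int approtect_host_selftest(void)
{
    struct nrf52_host_sim sim;
    struct nrf52_regs r = nrf52_regs_host(&sim);

    if (approtect_is_enabled(&r)) return 1;                            /* erased => open */
    if (approtect_enable(&r) != APPROTECT_WRITTEN_RESET_REQUIRED) return 2;
    if (!approtect_is_enabled(&r)) return 3;                           /* 0x00 => locked at next reset */
    if (sim.config != NVMC_CONFIG_REN) return 4;                       /* NVMC left read-only */
    if (approtect_enable(&r) != APPROTECT_ALREADY_ENABLED) return 5;   /* idempotent */
    return 0;
}

int main(void)
{
    int rc = approtect_host_selftest();
    printf("approtect host self-test: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two practical points follow from the code. First, the lock is armed only by the reset after the write, so a factory flow that programs APPROTECT and ships without a power cycle has shipped an open debug port. Second, as the article summary at the top of the page says, this value is applied by logic that is not hardened against fault injection, so this write is a deterrent against casual readout, not a defense against the glitching attack the thread is about; Nordic's own advice in that summary is to detect enclosure opening rather than rely on the lock alone.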

    • (Score: 2) by c0lo on Friday July 17 2020, @11:08PM

      by c0lo (156) on Friday July 17 2020, @11:08PM (#1023110) Journal

      How is wardriving going to carry out a hardware attack?

      At amateur level, wardriving can't get much hardwarer than using an AK47.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 0) by Anonymous Coward on Saturday July 18 2020, @06:55PM

      by Anonymous Coward on Saturday July 18 2020, @06:55PM (#1023454)

      I believe it was a joke. Wardriving for SWD (software defined) pins.

  • (Score: 2) by DannyB on Friday July 17 2020, @03:48PM (9 children)

    by DannyB (5839) Subscriber Badge on Friday July 17 2020, @03:48PM (#1022934) Journal

    Suppose you can put your own nRF52 into debug mode. On your own device, like an ESP32.

    Can you then manipulate your device, to interact with other bluetooth devices to compromise the other devices?

    This would require that the other device have bluetooth with some vulnerability in its implementation. Might it be possible for you to send malformed packets that can affect the other device, in particular getting a beachhead within the other bluetooth device, and then maybe attack some other vulnerability, say, within the device's bluetooth device driver? Now you're on your way to kernel access, or the microcontroller equivalent.

    Now we can come back to Wardriving. Go around with your new handy-dandy bluetooth hacking device, looking for the vulnerable devices to attack.

    Suppose you found a bluetooth vulnerability, in a consumer IoT device. Say, a common doorbell or thermostat. A vulnerability that is exercised by the device receiving malformed packets that could not ordinarily be sent -- except with an attacker's hacked bluetooth RF transmitter.

    --
    Young people won't believe you if you say you used to get Netflix by US Postal Mail.
    • (Score: 4, Funny) by VLM on Friday July 17 2020, @05:26PM (3 children)

      by VLM (445) on Friday July 17 2020, @05:26PM (#1022973)

      I would imagine it's more fun to pown someone's BT keyboard to obtain all their passwords and login information, than to pown their remotely controlled vibrator or doorbell. Although it would be funny to cross connect the two if you pown them both. "I don't know why my wife leaps off the couch every time a door to door salesman comes by, but it's interesting to observe"

      • (Score: 2) by DannyB on Friday July 17 2020, @06:09PM (2 children)

        by DannyB (5839) Subscriber Badge on Friday July 17 2020, @06:09PM (#1022991) Journal

        Many of these bluetooth doorbells also capture video. Suppose porch pirates could jam the video or replace it with goatse videos or Trump speech videos.

        It might not be necessary to PWN a bluetooth device. I don't know the feasibility of this, but suppose it were possible to passively capture encrypted bluetooth traffic. Now you don't have to "hack" their keyboard, just be able to determine the encryption parameters (if any). You could capture doorbell videos.

        Imagine if you could inject the audio of your choosing (but not Justin Bieber) into people's music headphones or telephone headsets. Or simply record their conversations.

        The other thing this chip is used in is NFC. Potential implications for payments or payment systems or terminals?

        I don't want to sound like the end is coming, but the election is only a hundred some odd days away.

        --
        Young people won't believe you if you say you used to get Netflix by US Postal Mail.
        • (Score: 1) by redneckmother on Saturday July 18 2020, @02:15AM

          by redneckmother (3597) on Saturday July 18 2020, @02:15AM (#1023190)

          goatse videos or Trump speech videos

          Pass the brainbleach, please.

          --
          Mas cerveza por favor.
        • (Score: 2) by VLM on Saturday July 18 2020, @06:07PM

          by VLM (445) on Saturday July 18 2020, @06:07PM (#1023441)

          The other thing this chip is used in is NFC. Potential implications for payments or payment systems or terminals?

          Yeah physical security door locks too. Interesting.

    • (Score: 2) by ilsa on Friday July 17 2020, @07:45PM (4 children)

      by ilsa (6082) Subscriber Badge on Friday July 17 2020, @07:45PM (#1023041)

      You can't wardrive it, nor can you use it to attack other systems. The disclosure specifically says that it's a physical attack, which means you have to physically open up the device and futz around with the components.

      If your goal is to try to weaponize people's bluetooth hardware en masse, this is not the attack you want to use. This is the kind of attack you would use to perform targeted espionage.

      • (Score: 2) by DannyB on Friday July 17 2020, @08:41PM (3 children)

        by DannyB (5839) Subscriber Badge on Friday July 17 2020, @08:41PM (#1023063) Journal

        Yes, I get it that you have to tamper with your own bluetooth chip to get debug mode.

        Once you have that, what level of control of the hardware do you have? Can you transmit bluetooth packets in ways that you ordinarily would not be able to? Especially malformed packets? Reaching that point is the very beginning of what I suggest.

        From transmitting malformed packets, that no ordinary bluetooth device would transmit, can you then exploit other bluetooth devices?

        Another way of putting it is this: the security of a bluetooth device might partly rest on the assumption that no invalid malformed packets would ever be received. Why should I check for this overflow condition, etc? No device that would send such a malformed packet would ever get certified! (but what if the device were in debug mode and manipulated?)

        I don't know how much of this is feasible. What capabilities do you actually gain by getting your own RF hardware into debug mode?

        Then there is the thought about, what if you were to use SDR ?

        --
        Young people won't believe you if you say you used to get Netflix by US Postal Mail.
        • (Score: 2) by ilsa on Friday July 17 2020, @10:40PM

          by ilsa (6082) Subscriber Badge on Friday July 17 2020, @10:40PM (#1023103)

          Oh I see what you mean. Yes, I suppose that's entirely possible. Who knows what corners got cut during the implementation of the chip.

          At a minimum, having debug access to the chip would certainly make it much easier to uncover other potential bugs/exploits that the chip may contain. Then you could freely target any device using that chip. It wouldn't necessarily mean you now have broad access to all BT devices though... only the ones using Nordic chip.

          But if you found other exploits.... You could build up a library of exploits across different BT chips, and then you could execute it from a single SDR for a one stop BT hacking shop.

        • (Score: 2) by c0lo on Friday July 17 2020, @11:15PM (1 child)

          by c0lo (156) on Friday July 17 2020, @11:15PM (#1023111) Journal

          Can you transmit bluetooth packets in ways that you ordinarily would not be able to?

          You can transmit anything you want with a software defined radio. Why go through the pain of cracking first a device that you own when you can put together something far more powerful?

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
          • (Score: 2) by DannyB on Monday July 20 2020, @01:49PM

            by DannyB (5839) Subscriber Badge on Monday July 20 2020, @01:49PM (#1024104) Journal

            That is what occurred to me too in my very last sentence.

            If you want to study fuzzing bluetooth packets, maybe just use SDR?

            But I like fizzing packets instead.

            --
            Young people won't believe you if you say you used to get Netflix by US Postal Mail.
  • (Score: 5, Touché) by Opportunist on Friday July 17 2020, @07:37PM (1 child)

    by Opportunist (5545) on Friday July 17 2020, @07:37PM (#1023040)

    ...seems to be rather that the user gets access to a device he bought.

    We can't have that! Imagine, people using the devices they own in a way they want rather than in the way the manufacturer intended!

    • (Score: 0) by Anonymous Coward on Saturday July 18 2020, @06:59PM

      by Anonymous Coward on Saturday July 18 2020, @06:59PM (#1023455)

      Yeah.. that's the new "security" meme.

  • (Score: 2) by sjames on Friday July 17 2020, @08:00PM

    by sjames (2882) on Friday July 17 2020, @08:00PM (#1023047) Journal

    A sufficiently determined attacker will always be able to read out data from hardware. It's just a matter of how determined the attacker is.

    The best you can do is to make the device tamper evident and make it take long enough that you can notice that the device is missing and take appropriate security measures.

  • (Score: 2) by DannyB on Friday July 17 2020, @08:43PM

    by DannyB (5839) Subscriber Badge on Friday July 17 2020, @08:43PM (#1023065) Journal

    Could Bluetooth be done via SDR?

    If so, what is the potential to transmit malformed bluetooth packets to do "interesting things" to ordinary bluetooth devices you don't have physical access to?

    --
    Young people won't believe you if you say you used to get Netflix by US Postal Mail.