Forgot your password?
typodupeerror

Comment: Likely attack vector: NOAA weather radio (Score 5, Interesting) 235

by Dr. JJJ (#42869079) Attached to: Local Emergency Alert System Hacked, Warns Dead Rising From Graves

This hack is clearly an invocation of the Emergency Alert System. The EAS is a hierarchically-organized digital message propagation system that has no authentication scheme for the vast majority of the nodes that participate in the network. Since every moderately-sized licensed broadcast radio and TV station in the United States is required to participate in the network, that is a lot of attackable nodes.

The hierarchy is easy to exploit if you wish to spoof an alert on a specific station. All you need to know is the specific list of stations that your target listens to for alerts and a mobile radio transmitter that you can position relatively closely to your target's EAS receiving equipment. The list of "source" stations for your target is often public information, or can be deduced very easily. (Search for "<city> eas plan" in your favorite search engine.) The radio transmitter required is nothing more than a VHF two-way radio, which can often be a "modded" Amateur Radio which can transmit outside of the legal Amateur bands.

  • Step 1: Assemble an EAS alert on a computer using a little bit of code to generate the appropriate tones and an audio editor to stitch them together. The exact format is tricky, but the information is publicly available.
  • Step 2: Find your likely target's listening list. These are often listed as the "Local Primary" and "Local Secondary" stations in your target's metropolitan area. These, unfortunately, are hard to spoof because broadcast-band FM and AM transceivers are harder to get a hold of. Instead, look up the NOAA weather radio transmission frequencies in your target's area. These stations are often used as additional EAS sources by almost every broadcast station in the system, and they are easy to spoof with portable equipment.
  • Step 3: Put the spoof transmitter in a car and drive as close as possible to the target's published studio headquarters. Targets often place their receiving equipment in their primary studio locations.
  • Step 4: Put your transmitter into transmit mode and play back your spoofed alert. You need to remain nearby just long enough to complete the injection process. With a short message you only need about 60 seconds.
  • Step 5: Drive away. The automated relay system at your target will do the rest.

Step 4 (transmission) is extremely easy, even with low-powered equipment (250mW). Because of your proximity and the FM Capture Effect you will have no problem overpowering the real source station without adversely affecting or alerting anyone outside a 1/2 mile radius.

My guess is the attackers here did precisely this. They probably exploited this TV station by spoofing a local NOAA weather radio channel that the TV station was listening to for alerts.

Comment: Some background (Score 5, Informative) 85

by Dr. JJJ (#35215688) Attached to: Keys Leaking Through the Air At RSA

I'm sorry that there's no direct article for this submission, and I'm not certain who submitted it, but as an employee of CRI and one of the designers of the demo, I'd like to give you some details about what's going on.

At CRI we have a lab full of what I consider to be cool equipment, and what's more, some spare time to look at things. We specialize in side-channel analysis and we asked ourselves: what sort of side-channel leaks might be present in consumer PDAs? We took a USRP(1) interface that we had lying around and started investigating the RF emanations of a few of the devices we had easily on hand. We coded some simple cryptographic applications and were surprised at how quickly we were able to find ways to demodulate the various signals in the device in a way that revealed the bits of the secret keys being used.

We are indeed using GNURadio for the demo. It's been very helpful because it makes rapid prototyping very easy. We use gnuradio-companion to set up the signal processing blocks (mostly AM demodulation) and to set up a simple UI that helps us tune into the right carrier frequencies in real-time during the demo. The rest of the demo involves using our own custom waveform viewer to look at the demodulated signal and show visitors how we can analyze the signal on the screen and extract the key bits that were used during the encryption/decryption process on the device.

Comment: Probably using SD's DRM Mechanism (Score 5, Informative) 426

by Dr. JJJ (#34224432) Attached to: Windows Phone Permanently Modifies MicroSD Cards, Warns Samsung

I've been studying SD cards for the last few months and I've managed to dig up some heretofore "secret" leaked documents about SD Digital Rights Management mechanism and I think I know how such a permanent modification could be performed.

One of the things that all SD cards support is the ability to designate a certain portion (which can include ALL) of the card's block storage as "secure". Once designated as secure, the blocks in question cannot be read, written to, or the area resized without performing an authentication step with the card. This authentication step is known as "AKE".

I'm willing to bet that the phone is using this "secure" facility and marking the entire card, or some significant portion thereof, as a secure storage area.

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...