Category Archives: computing

Exploring Bluetooth Trackers at GeekWeek 7.5

I recently participated in GeekWeek 7.5, the Canadian Centre for Cyber Security’s (CCCS) annual cybersecurity workshop. I was assigned to a team of peers in banking, telecom, government and academia. We were to work together on analyzing how Bluetooth item trackers (eg: Apple AirTags, Tile) can be covertly used for malicious purposes, and developing processes and tools to detect them.

It was my first time attending the event, and I wasn’t sure what to expect. Here’s how it worked. The CCCS builds teams from the pool of GeekWeek applicants, based on interests and skills identified by the applicant in the application process. Leading up to the event, CCCS appoints a team lead, who defines goals for the team.

A map with a drive to Vaughan that was tracked at multiple points.
Testing a homemade AirTag clone

I was appointed as a team co-lead and assigned a team. My co-lead and I were to define a challenge in the IoT space. Inspired by recent headlines concerning stalking facilitated by AirTags, my co-lead suggested analyzing how item trackers can be covertly used for malicious purposes, and developing processes and tools to detect them.

The team worked in 5 streams:

Collecting Data

An existing baseline data collection tool was modified for our purposes for logging Bluetooth LE data for further analysis.
https://gitlab.com/GeekWeek/events/geekweek-7.5/G1/1.3/loggingble

Detect Stealth AirTag Clones

“Can you find my stealth AirTag clone in this data?” we asked the data scientist on our team.
🍰 <piece of cake>, he responded.

As various news outlets reported about the malicious use of these trackers, manufacturers implemented anti-stalking measures which were quickly defeated by research efforts such as find-you. The find-you tracker avoids detection by rotating through identifiers – to an iPhone, it appears no differently from walking past other people with iPhones.

The team built find-you stealth trackers which rotated through 4 keys and went to work. We wanted to see if we could develop a technique for detecting and identifying the trackers. Data was collected by stalking ourselves, walking through busy urban areas with find-you trackers, and logging all Apple Find My Bluetooth advertisements.

Our hypothesis was that we could identify the find-you tracker based on signal strength patterns. We believed that the signal strength of the find-you tracker we were wearing would be consistent over time, as its location relative to our data logger wouldn’t change, and other Find My devices would vary, as we walked past other pedestrians carrying devices.

A team member assessed the data and built a model for identifying the keys based on signal strength.

Stealth Tag Easily Identified
Stealth Tag Easily Identified

The stealth tag, with its four keys, could easily be picked out in the data.

We experimented with randomizing the transmit power and time between key rotations of the stealth tracker.

Stealth Tag with Varying Transmit Power

Even at its lowest transmit power, the stealth tag’s four keys could still be could easily be picked out in the data.

Enhancing Stealth AirTag Clones

We created a “SneakyAirTag”, which tried to increase the stealthiness of Positive Security’s Find-You tag, found here: https://github.com/positive-security/find-you, which itself was built on the excellent work of: https://github.com/seemoo-lab/openhaystack

It tries to improve the stealthiness as follows:

  • Rotates keys on a random interval, between 30 and 60 seconds (Find-You rotates every 30 seconds)
  • Transmits at random power levels, in an attempt to avoid detection based on a consistent signal strength.

In our testing, even with these changes, we were still able to identify stealth tags in an area with other Apple Find My devices. Even at the ESP32’s lowest power level, the stealth tracker can be identified as the signal strength of the stealth tracker is higher than other devices the vicinity of the tracked subject.

Further areas for exploration would be reducing signal strength with shielding material or some other means, and adding an accelerometer such that the device only transmitted Bluetooth advertisements when the target subject is in motion.

Building a Clone Tile Tracker

The team was inspired by Seemoo Lab‘s work on the AirTag. Could we do similar things with the Tile tracker?

And, we figured out some things, but got stumped. Tile uses the Bluetooth MAC address to track a Tile. We got our clone Tile to the point where we could take MAC of a tile registered to our account, load our firmware with the MAC onto an ESP32, and walk around with our Tile app and it would track it.

But, it seemed like if we sent our Tile’s MAC ID to someone else to load on to their ESP32, and track with their Tile app, it wouldn’t report the location. And, although Tile reports thousands of users in my area, even a genuine Tile didn’t seem to get picked up by other Tile users walking through office food courts, malls, or transit hubs. As a result, at the end of two weeks, many questions remained unanswered.

We also experimented with altering transmit power and rotating through MAC addresses as a means of avoiding detection. Our work can be found here:
https://gitlab.com/GeekWeek/events/geekweek-7.5/G1/1.3/tileclone

Blueprints

One of our team members had access to a few HackRF One Software Defined Radios (SDRs), and set about learning how to use them. They wanted to duplicate the results of a paper that demonstrated that with an SDR, one can identify individual bluetooth devices based on differences in how they transmit as a result of minute manufacturing imperfections. The team member called their Bluetooth device fingerprint a Blueprint, and documented their work here: https://gitlab.com/GeekWeek/events/geekweek-7.5/G1/1.3/blueprint

Overall Experience

The experience of stepping away from the day-to-day, learning about different technologies and building things was very similar to my previous experiences participating in corporate hackathons.

What made GeekWeek exciting for me was leading a team of people from different companies, with different professional backgrounds. At a corporate hackathon, everyone already knows their teammates, what they’re capable of, they share the same corporate culture, they typically work on the same software stack, and have the same collaboration tools pre-loaded on their laptops. At GeekWeek, it was interesting just breaking down the problem, and finding out who had what tools, what experience, and was best suited to take on a task. Also, it was interesting to hear about everyone’s professional work – some were really pushing boundaries in their fields.

I hope to participate again in the future!

Virtual Hackintosh

Ever since I first read about Hackinthoshes, I’ve thought about building one. A friend of mine edits all of his video on a purpose built Hackintosh. I never did build one – for myself, I like to run Linux, I don’t really need a Mac for anything, and I find that off-lease corporate grade laptops are the best value in computing. But, every once in a while, I have something I want to build on my iPhone, and a Mac is like a dongle that makes it possible.

Simple things, like finding out why the site I’ve built with the HTML5 geolocation API will work on my PC, but not on my iPhone, are just not possible without a Mac. To solve these types of problems in the past, I’ve just borrowed a Mac from the office.

Recently, another project came up, and I decided to try to build a virtual Hackintosh with OSX-KVM – a package that simplifies running OSX in a virtual machine. Years ago, I tried running OSX in VMWare Player – this would have been on a Intel Core 2 system at the time – in my opinion, it was interesting, but unusable. My experience with OSX-KVM has been much better.

Just following the instructions, within a couple of hours, I had OSX Big Sur running in a VM. OSX-KVM does almost everything, including downloading the OS from Apple. My PC is pretty basic – a Ryzen 3400g, SSD, 16 GB. I assigned the VM a couple CPU cores and 12 GB of ram, and it’s usable.

In a few hours of dabbling around, I’ve come across four issues:

  1. First, I couldn’t “pass through” my iPhone from the host PC to the guest OSX OS. The best overview of this issue I could find is logged on Github. There are configuration related workarounds, but I decided the easiest way to solve it was to acquire a PCIe USB controller and allocate it to the VM. PCIe cards with the FL1100 and AS3142 chipsets are said to work with OSX – I ended up buying this AS3142 card, as it was the one I could get my hands on quickest, and it seems to work fine – I can see my iPhone in OSX now, and run the dev tools for Safari iOS.
  2. Second, I can’t log into Apple ID, and as a result, I can’t compile iOS apps in Xcode. It looks like this is solvable.
  3. Chrome doesn’t display properly. I wonder if this is related to graphics acceleration. I don’t need Chrome to work, but its a reminder to me that this exercise is really just a big hack – I don’t think I would count on this to do any real work.
  4. Finally, I seem to lose control keyboard/mouse of the VM if it goes to sleep, and I can’t seem to get it back. I’m sure this is solvable, but addressed it by turning sleep mode off.

Presumably, Hackintoshes will eventually stop working as Apple moves its platform to ARM processors, but for now, it’s definitely worth trying out.

Update (2022/03/03):
The Apple ID issue was addressed by following the previously linked instructions, the Chrome issue was resolved by turning off GPU acceleration (–disable-gpu).

Update (2022/03/26): I needed Bluetooth. I bought an Asus BT-400 adapter, it seems to work fine. AirDrop functionality doesn’t seem to work – haven’t investigated. And – not a Hackinstosh issue, but a Mac issue – the CH9102F serial chip on one of my ESP32 microcontroller boards isn’t natively supported by Big Sur, found a third-party driver. Apple Maps doesn’t work, as it requires a GPU, and the OpenHaystack project that I’m playing with requires Maps.

Lilygo TTGO, TFT_eSPI, and the Dino/T-Rex Game

Ever since the Espressif’s ESP8266 wi-fi capable microcontroller was launched, I’ve been thinking about all the possibilities for low cost network connected devices. And, nothing world changing, but I have used it to build a data logging CO2 monitor and a device to control my old TV with Alexa.

I have been thinking of NEW possibilities as I see development boards with the ESP8266’s successor, the ESP32, with a small screen, for less than $20CAD shipped from Aliexpress. What can I build with a really tiny internet connected dashboard? So I ordered a Lilygo TTGO.

A day after it arrived, Hackaday published an article about a re-creation of Google Chrome’s T-Rex game for this TTGO dev board. Getting that loaded on to the board seems like a good test. I downloaded the TRexTTGOdisplay and installed Lilygo’s TFT_eSPI driver, compiled and…

undefined reference to `TFT_eSprite::pushToSprite(TFT_eSprite*, int, int, unsigned short)'

Hmm. I search around, and I see a hint in the comment’s of the author’s Youtube video: “You will need to update tft library”. I find the source of the TFT_eSPI library, review it a bit, and see that it is designed for a number of microcontrollers and screen controllers – so I copy the User_Setup_Select.h from the Lilygo repository to Bodmer’s most recent TFT_eSPI libary. For anyone doing this now, this will fix the TFT_eSprite::pushToSprite issue and just work… but I got:

TFT_eSPI/TFT_eSPI.cpp: In member function 'virtual void TFT_eSPI::drawPixel(int32_t, int32_t, uint32_t)':
TFT_eSPI/TFT_eSPI.cpp:3289:21: error: 'SPI_X' was not declared in this scope
while (spi_get_hw(SPI_X)->sr & SPI_SSPSR_BSY_BITS) {};


I take a look at what’s happening around line 3289 in TFT_eSPI.cpp, and it appears to be optimization code for the RP2040 – it shouldn’t be compiled in… Taking a look at line 3285:

// Temporary solution is to include the RP2040 optimised code here
#elif (defined (ARDUINO_ARCH_RP2040) || !defined (ARDUINO_ARCH_MBED)) && !defined(TFT_PARALLEL_8_BIT)

See that exclamation point? And everywhere else in the code there are RP2040 optimizations, I see:

// Temporary solution is to include the RP2040 optimised code here
#elif (defined (ARDUINO_ARCH_RP2040) || defined (ARDUINO_ARCH_MBED)) && !defined(TFT_PARALLEL_8_BIT)

Cool, I’ll submit a patch. So I fork the code, and… I don’t see the bug, it’s already been fixed.

I was hoping for another successful contribution to open source, but I was beaten to the punch – if I had started this project a day later, it just would have worked with the latest TFT_eSPI library. In any case, the important thing is, I got TRexTTGOdisplay running. My next project for this dev board will be a little internet connected dashboard.

Mesh network in my neighborhood. Not how I had envisioned it.

I got an email from Amazon today. I’m automatically opted-in to “Amazon Sidewalk”, unless I choose to opt out. Amazon Sidewalk allows devices participating their Sidewalk program to connect to the Internet through Amazon devices, like the Amazon Echo.

Amazon Sidewalk – a mesh network for Amazon devices to connect to the Internet:
https://www.amazon.com/Amazon-Sidewalk/b?ie=UTF8&node=21328123011

Not exactly how I’d envisioned a neighborhood mesh, but their “read the fine print to opt out” strategy will probably work better than my asking neighbors to build a network.

1-Click Passwords

I was recently presented with a situation where I would have to regularly enter a 48 random character password for a month or more to log in to a computer that was assigned to me. Given that I couldn’t possibly memorize this string, and the computer is reasonably physically secure, I decided to build a device to do this for me.

I had previously used an Arduino to emulate a gamepad for a homemade Dance Dance Revolution mat. This time, I needed to emulate a keyboard. A search for “HID Arduino” returned the Arduino HID page, which suggested an Arduino with an Atmel 32u4 microcontroller. A search for Arduino 32u4 on Amazon returned the KeeYees Pro Micro clone, which I ordered.

Arduino Pro Micro Clone, button wired to I/O 4

It came in, I soldered a button to I/O 4, and uploaded the following code:

include "Keyboard.h"
include "Bounce2.h"
const int buttonPin = 4;
Bounce bounceTrigger = Bounce();
void setup() {
bounceTrigger.attach(buttonPin, INPUT_PULLUP );
Keyboard.begin();
}
void loop() {
bounceTrigger.update();
if ( bounceTrigger.rose() ) {
Keyboard.println("I put my password here");
}
}

Now, every morning, instead of copying 48 characters from a Post-it, I just click the button.

It should be said, this defeats the purpose of the password, and the password isn’t stored in a secure way on the microcontroller. But this technique is great for any time you need to automate a sequence of keystrokes.

iOS Safari’s WebSockets implementation doesn’t work with self signed certs

I’m building a Node application hosted on a Raspberry Pi, that will not be connected to the internet. A user will interface with the application through the browser on their phone. The application calls the browser for its GPS coordinates using the HTML Geolocation API.

In iOS, the HTML Geolocation API only works for HTTPS sites. I found an excellent post on Stackoverflow for creating a self signed cert that works in most browsers. I created the cert, added it to my desktop and phone. HTTPS worked great.

I first tried the Node ws websocket library, and the Node application would call out to the browser to fetch GPS coordinates when it needed them.

The application worked great in Firefox and Chrome, but it would not work in the iOS browser. If I dropped to HTTP (vs HTTPS) and WS (vs WSS), it worked fine. For some reason, the iOS browser accepted the cert for HTTPS, but not WSS. Unfortunately, I needed HTTPS to use Geolocation.

I couldn’t get it to work. I ended up moving my application to Socket.IO, which has a fallback method to HTTPS polling if a websocket connection cannot be established. This worked for my scenario. If you need a websocket like capability and have to use self signed certificates on iOS, try Socket.IO.

Alexa skill, written in Node JS, Using Express, with ask-sdk-express-adapter

In 2018, after reading an article on Hackaday, I picked up an Amazon Echo Dot to experiment with building voice interfaces. It was surprisingly easy, and with no experience, I got something up and running in a couple hours.

I haven’t looked at this in a while, and had another project in mind. Looking at the Alexa development documentation today, all the examples leverage Amazon’s Lambda’s compute service. For my project, I didn’t want to use Lambda, I just wanted to use Express on Node JS. Amazon has NPM library for this, ask-sdk-express-adapter, but I couldn’t find ANY end-to-end example, and I struggled for a bit to get it to work. I think it took me longer the 2nd time around!

SO – here’s a simple example, hopefully it’s got the right keywords for anyone who’s stumbling on the same problem. Keywords:

  • node js
  • javascript
  • ask-sdk-express-adapter
  • express
  • sample code
  • example code
  • alexa
const express = require('express');
const { ExpressAdapter } = require('ask-sdk-express-adapter');
const Alexa = require('ask-sdk-core');
const app = express();
const skillBuilder = Alexa.SkillBuilders.custom();

var PORT = process.env.port || 8080;

const LaunchRequestHandler = {
    canHandle(handlerInput) {
        return handlerInput.requestEnvelope.request.type === 'LaunchRequest';
    },
    handle(handlerInput) {
        const speechText = 'Hello World - Your skill has launched';

        return handlerInput.responseBuilder
            .speak(speechText)
            .reprompt(speechText)
            .withSimpleCard('Hello World', speechText)
            .getResponse();
    }
};

skillBuilder.addRequestHandlers(
    LaunchRequestHandler
)

const skill = skillBuilder.create();

const adapter = new ExpressAdapter(skill, false, false);

app.post('/', adapter.getRequestHandlers());

app.listen(PORT);

Hope that helps!

Playing around with Hugo and different ways of hosting content

When I initially built out this blog, I:

  • wanted a content management tool. I didn’t want to be writing pages in HTML
  • wanted to host it myself. Geocities came and went. I wanted ownership of my hosting.
  • wanted a VM on the Internet anyway. I wanted something always up, that I could host services on. I had hosted PCs on the Internet at home, but with cloud services, I just didn’t need this anymore
  • wanted very low costs
  • needed to support extremely low readership.

So, I built out a tiny VM on AWS I can deploy services on, and it costs next to nothing.

But my content is static. It really makes more sense to host the files on S3, and use a static content generator. It’s much more secure, I don’t have to worry about keeping OSs and applications patched, and it could scale if ever required.

So over Christmas break, I built https://articles.hotelexistence.ca/ with Hugo, hosted on S3, fronted by CloudFront, which seemed to be the only way to host content from S3 on my domain with HTTPS. With Hugo (and any other static site generator), you create your content, it applies a template, and creates the links – it reminds me of working with Fog Creek Software’s defunct CityDesk almost 20 years ago. This AWS Hugo Hosting article was really helpful for the AWS setup. I still can’t figure out how to use Hugo’s Image Processing features, but I didn’t need them. The new site is accessible from the ‘Articles’ section up top. I’m not sure if I’ll move everything over or what I’ll do that moving forward.