Breaking, Building, Events

ACM WiSec 2020

Last week I attended ACM WiSec. Of course, only virtually. The first virtual conference I attended. Coincidentally, it was also the first conference I presented at. While the experience was quite different from a “real” conference, the organizers did a great job to make the experience as good as possible with, for example, a mattermost instance to interact with other conference participants.

In the following, I will list a few talks and papers that I either found very interesting or that generally stood out to me:

  • Truncate after Preamble: PHY-based Starvation Attacks on IoT Networks:
    Essentially, the authors realized they could jam WiFi and Zigbee by just sending the preamble and the signal field of the respective data frames, without actually transmitting the whole MAC payload. According to the WiFi standard, devices need to wait until they have received the whole frame before they can get back to the state where new frames can be received. The Zigbee standard does not specify the behaviour for this case. So you can easily jam both Zigbee and WiFi just by sending the preamble and signal field. The impact varies between different WiFi chipsets, with some of them being less affected than others. This is an extremely interesting and energy-efficient way of jamming!
  • Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication:
    Instead of relying on traditional wireless technologies like Bluetooth or WiFi, the authors propose another way to securely pair device that have speakers: Acoustic Integrity Codes. Due to the nature of how sound is handled on computers, speakers can basically act as an SDR. Different to WiFi and Bluetooth, sound can basically be used to transmit arbitrary samples, making it easy to implement such a scheme. I think this is an extremely cool paper and recommend checking it out!
  • Valkyrie: A Generic Framework for Verifying Privacy Provisions
    in Wireless Networks:

    In this paper the authors present a framework that can be used to detect privacy issues in protocols that implement measures like device address randomization. A prominent example here are Bluetooth Low-Energy advertisements. Most vendors implement a Bluetooth device address randomization where the address changes about every 15 minutes. The problem is, if the payload that is transmitted in these payloads is static or incremental, a device/user can still be tracked despite the address randomization. This is where Valkyrie comes into play. The framework can be used to detect such privacy issues given a packet capture of the communication. This even works with e.g. the incremental IV value that is included in Apple’s Handoff BLE advertisements.
  • Fingerprinting Encrypted Voice Traffic on Smart Speakers with Deep Learning:
    In this paper, the authors were able to derive voice commands from smart speakers such as Amazon’s Echo or Google’s Home speaker by observing the encrypted traffic from the speakers to the speech recognition servers. For a given set of commands it was possible to derive the command by solely observing the traffic coming from the cloud servers. While recorded voice data can differ significantly depending on the person sending off the command, the server’s response is often similar for a given type of query. Also, the way they trained their model is pretty funny. They used text-to-speech software to play voice commands over a loudspeaker and collected traffic for multiple days.
  • BaseSAFE: Baseband SAnitized Fuzzing through Emulation:
    A cool fuzzing paper targeting basebands. The authors use AFL++ and unicorn to emulate and fuzz the baseband firmware of MediaTek basebands. The introduced BaseSAFE platform itself could also be used to target other (baseband) firmwares which is pretty useful.

Of course there were many more interesting talks. You can rewatch the whole conference on YouTube. I also recommend checking out the Demos & Posters, especially BTLEmap: Nmap for Bluetooth Low Energy, the winner of the Best Demo Award.

In case you’re interested in how Apple implemented the seamless pairing mechanism between their wireless earbuds (the AirPods) and their devices, why this could be a beneficial approach for general IoT environments, and how you can crash or DoS Apple’s Bluetooth stacks, you can also check out my talk on YouTube.


Leave a Reply

Your email address will not be published. Required fields are marked *