Dr.-Ing. Jiska Classen

BibTeX DOI: 10.48550/arXiv.2111.05313

2022 Other

Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging

Patrick Leu Giovanni Camurati Alexander Heinrich Marc Roeschlin Claudio Anliker Matthias Hollick Capkun Srdjan Jiska Classen

Abstract

We present the first over-the-air attack on IEEE802.15.4z High-Rate Pulse Repetition Frequency (HRP) Ultra-Wide Band (UWB)distance measurement systems. Specifically, we demonstrate a practical distance reduction attack against pairs of Apple U1 chips (embedded in iPhones and AirTags), as well as against U1 chips inter-operating with NXP and Qorvo UWBchips. These chips have been deployed in a wide range of phones and cars to secure car entry and start and are projected for secure contactless payments, home locks, and contact tracing systems. Our attack operates without any knowledge of cryptographic material, results in distance reductions from 12m (actual distance) to 0m (spoofed distance) with attack success probabilities of up to 4%, and requires only an inexpensive (USD 65) off-the-shelf device. Access control can only tolerate sub-second latencies to not inconvenience the user, leaving little margin to perform time-consuming verifications. These distance reductions bring into question the use of UWB HRPinsecurity-critical applications.

2022 43rd IEEE Symposium on Security and Privacy Conference

Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation

Jiska Classen Francesco Gringoli Michael Hermann Matthias Hollick

BibTeX DOI: 10.1109/CNS53000.2021.9705023

2021 IEEE Conference on Communications and Network Security Conference

Very Pwnable Network: Cisco AnyConnect Security Analysis

Gerbert Roitburd Matthias Ortmann Matthias Hollick Jiska Classen

Abstract

Corporate Virtual Private Networks (VPNs) enable users to work from home or while traveling. At the same time, VPNs are tied to a company’s network infrastructure, forcing users to install proprietary clients for network compatibility reasons. VPN clients run with high privileges to encrypt and reroute network traffic. Thus, bugs in VPN clients pose a substantial risk to their users and in turn the corporate network. Cisco, the dominating vendor of enterprise network hardware, offers VPN connectivity with their AnyConnect client for desktop and mobile devices. While past security research primarily focused on the AnyConnect Windows client, we show that Linux and iOS are based on different architectures and have distinct security issues. Our reverse engineering as well as the follow-up design analysis and fuzzing reveal 13 new vulnerabilities. Seven of these are located in the Linux client. The root cause for privilege escalations on Linux is anchored so deep in the client’s architecture that it only got patched with a partial workaround. A similar analysis on iOS uncovers three AnyConnect-specific bugs as well as three general issues in iOS network extensions, which apply to all kinds of VPNs and are not restricted to AnyConnect.

2021 26th European Symposium on Research in Computer Security (ESORICS 2021) Conference

ARIstoteles - Dissecting Apple's Baseband Interface

Tobias Kröll Stephan Kleber Frank Kargl Matthias Hollick Jiska Classen

BibTeX DOI: 10.1007/978-3-030-88418-5_7

2021 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Happy MitM: Fun and Toys in Every Bluetooth Device

Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3448300.3467822

2021 28th Network and Distributed System Security Symposium (NDSS 2021) Conference

Dinosaur Resurrection: PowerPC Binary Patching for Base Station Analysis

Uwe Müller Eicke Hauck Timm Welz Jiska Classen Matthias Hollick

PDF BibTeX DOI: 10.14722/bar.2021.23009

2021 28th Network and Distributed System Security Symposium (NDSS 2021) Conference

Polypyus - The Firmware Historian

Jan Friebertshäuser Florian Kosterhon Jiska Classen Matthias Hollick

PDF BibTeX DOI: 10.14722/bar.2021.23004

2020 29th USENIX Security Symposium Conference

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

Jan Ruge Jiska Classen Francesco Gringoli Matthias Hollick

2020 14th USENIX Workshop on Offensive Technologies (WOOT 2020) Conference

Firmware Insider: Bluetooth Randomness is Mostly Random

Jörn Tillmanns Jiska Classen Felix Rohrbach Matthias Hollick

2020 29th USENIX Security Symposium Conference

ToothPicker: Apple Picking in the iOS Bluetooth Stack

Dennis Heinze Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3395351.3399422

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information

Mira Weller Jiska Classen Fabian Ullrich Denis Waßmann Erik Tews

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Attaching InternalBlue to the proprietary macOS IOBluetooth framework

Davide Toldo Jiska Classen Matthias Hollick

BibTeX DOI: 10.1145/3395351.3401697

Abstract

In this demo, we provide an overview of the macOS Bluetooth stack internals and gain access to undocumented low-level interfaces. We leverage this knowledge to add macOS support to the InternalBlue firmware modification and wireless experimentation framework.

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication

Florentin Putz Flor Álvarez Jiska Classen

PDF BibTeX DOI: 10.1145/3395351.3399420

Abstract

Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate devices. This requires a common hardware interface, which limits the use of existing SDP systems. We propose to use short-range acoustic communication for the initial pairing. Audio hardware is commonly available on existing off-the-shelf devices and can be accessed from user space without requiring firmware or hardware modifications. We improve upon previous approaches by designing Acoustic Integrity Codes (AICs): a modulation scheme that provides message authentication on the acoustic physical layer. We analyze their security and demonstrate that we can defend against signal cancellation attacks by designing signals with low autocorrelation. Our system can detect overshadowing attacks using a ternary decision function with a threshold. In our evaluation of this SDP scheme’s security and robustness, we achieve a bit error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on Android smartphones, we demonstrate pairing between different smartphone models.

2020 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Conference

MagicPairing: Apple’s Take on Securing Bluetooth Peripherals

Dennis Heinze Jiska Classen Felix Rohrbach

PDF BibTeX DOI: 10.1145/3395351.3399343

2020 Embedded Wireless Systems and Networks (EWSN) Conference

Improving the Reliability of Bluetooth Low Energy Connections

Michael Spörk Jiska Classen Carlo Alberto Boano Matthias Hollick Kay Römer

Abstract

o sustain a reliable data exchange, applications based on Bluetooth Low Energy (BLE) need to effectively blacklist channels and adapt the physical mode of an active connection at runtime. Although the BLE specification foresees the use of these two mechanisms, their implementation is left up to the radio vendors and has not been studied in detail yet. This paper fills this gap: we first investigate experimentally how to assess the quality of a BLE connection at runtime using information gathered from the radio. We then show how this information can be used to promptly blacklist poor channels and select a physical mode that sustains a high link-layer reliability while minimizing power consumption. We implement both mechanisms on two popular platforms and show experimentally that they allow to significantly improve the reliability of BLE connections, with a reduction in packet loss by up to 22 % compared to existing solutions.

2020 International Conference on Embedded Wireless Systems and Networks (EWSN 2020) Conference

Analyzing Bluetooth Low Energy Connections on Off-the-Shelf Devices

Jiska Classen Michael Spörk Carlo Alberto Boano Kay Römer Matthias Hollick

2020 Technische Universität Darmstadt Darmstadt PhD thesis

Security and Privacy for IoT Ecosystems

PDF BibTeX DOI: 10.25534/tuprints-00011422

Abstract

Smart devices have become an integral part of our everyday life. In contrast to smartphones and laptops, Internet of Things (IoT) devices are typically managed by the vendor. They allow little or no user-driven customization. Users need to use and trust IoT devices as they are, including the ecosystems involved in the processing and sharing of personal data. Ensuring that an IoT device does not leak private data is imperative. This thesis analyzes security practices in popular IoT ecosystems across several price segments. Our results show a gap between real-world implementations and state-of-the-art security measures. The process of responsible disclosure with the vendors revealed further practical challenges. Do they want to support backward compatibility with the same app and infrastructure over multiple IoT device generations? To which extent can they trust their supply chains in rolling out keys? Mature vendors have a budget for security and are aware of its demands. Despite this goodwill, developers sometimes fail at securing the concrete implementations in those complex ecosystems. Our analysis of real-world products reveals the actual efforts made by vendors to secure their products. Our responsible disclosure processes and publications of design recommendations not only increase security in existing products but also help connected ecosystem manufacturers to develop secure products. Moreover, we enable users to take control of their connected devices with firmware binary patching. If a vendor decides to no longer offer cloud services, bootstrapping a vendor-independent ecosystem is the only way to revive bricked devices. Binary patching is not only useful in the IoT context but also opens up these devices as research platforms. We are the first to publish tools for Bluetooth firmware and lower-layer analysis and uncover a security issue in Broadcom chips affecting hundreds of millions of devices manufactured by Apple, Samsung, Google, and more. Although we informed Broadcom and customers of their technologies of the weaknesses identified, some of these devices no longer receive official updates. For these, our binary patching framework is capable of building vendor-independent patches and retrofit security. Connected device vendors depend on standards; they rarely implement lower-layer communication schemes from scratch. Standards enable communication between devices of different vendors, which is crucial in many IoT setups. Secure standards help making products secure by design and, thus, need to be analyzed as early as possible. One possibility to integrate security into a lower-layer standard is Physical-Layer Security (PLS). PLS establishes security on the Physical Layer (PHY) of wireless transmissions. With new wireless technologies emerging, physical properties change. We analyze how suitable PLS techniques are in the domain of mmWave and Visible Light Communication (VLC). Despite VLC being commonly believed to be very secure due to its limited range, we show that using VLC instead for PLS is less secure than using it with Radio Frequency (RF) communication. The work in this thesis is applied to mature products as well as upcoming standards. We consider security for the whole product life cycle to make connected devices and IoT ecosystems more secure in the long term.

2019 13th USENIX Workshop on Offensive Technologies (WOOT 19) Conference

Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem

Fabian Ullrich Jiska Classen Johannes Eger Matthias Hollick

Fabian Ullrich Jiska Classen

2019 Other

Vacuum Cleaning Security—Pinky and the Brain Edition

BibTeX DOI: 10.1145/3307334.3326089

2019 The 17th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’19) Conference

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Dennis Mantz Jiska Classen Matthias Schulz Matthias Hollick

Abstract

Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In par ticular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep in sights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework—outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

2019 REcon 2019 Conference

Reversing and Exploiting Broadcom Bluetooth

Dennis Mantz Jiska Classen

Jiska Classen Matthias Hollick

2019 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'19) Conference

Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

BibTeX DOI: 10.1145/3317549.3319727

Abstract

Bluetooth is among the dominant standards for wireless short-range communication with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished observing the Host Controller Interface (HCI) between the operating system’s driver and the Bluetooth chip. However, the HCI does not provide insights to tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive tools, that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.

2019 EWSN'19-International Conference on Embedded Wireless Systems and Networks Conference

Practical VLC to WiFi Handover Mechanisms

Richard Meister Jiska Classen Muhammad Saad Saud Marcos Katz Matthias Hollick

Abstract

Visible light communication (VLC) is an emerging communication technology that perfectly integrates into crowded legacy radio frequency (RF) environments to increase bandwidth. Despite the fact that integrating these technologies would be beneficial for both of them, there is only little research on handover mechanisms, and most of it is simulation only. We design a software defined radio (SDR) based VLC+WiFi testbed in which both technologies can coexist, design handover mechanisms between VLC and WiFi, and evaluate them based on user-induced link blockage measurements in our testbed.

2018 Other

Dissecting Broadcom Bluetooth

Jiska Classen Dennis Mantz

2018 Other

Pinky & Brain are taking over the world with vacuum cleaners

Jiska Classen Daniel Wegemer

2018 Other

Fitbit Firmware Hacking

2018 PACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) Conference

Anatomy of a Vulnerable Fitness Tracking System: Dissecting the Fitbit Cloud, App, and Firmware

Jiska Classen Daniel Wegemer Paul Patras Tom Spink Matthias Hollick

Jiska Classen Daniel Wegemer

2017 34th Chaos Communication Congress Conference

Doping your Fitbit

PDF BibTeX DOI: 10.5446/34791

2017 IEEE WCNC Conference

Pseudo Lateration: Millimeter-Wave Localization Using a Single RF Chain

Joe Chen Daniel Steinmetzer Jiska Classen Edward Knightly Matthias Hollick

PDF BibTeX DOI: 10.1145/2994459.2994463

2016 6th Workshop on Security and Privacy in Smartphones and Mobile Devices Conference

Analyzing TETRA Location Privacy and Network Availability

Martin Pfeiffer Jan-Pascal Kwiotek Jiska Classen Robin Klose Matthias Hollick

Abstract

TETRA is a digital communication standard taking over from analog communication in various emergency services and governmental agencies in Europe since the late 1990s. TETRA has to meet stringent requirements for a dependable communication infrastructure as it is used in the public safety sector by professional users and first responders. In fact, TETRA is claimed to enhance resilience, security, and availability compared to former analog communication standards. In this paper, we demonstrate that TETRA's location privacy and dependability can easily be undermined and weakened. In particular, TETRA devices can be localized by means of antenna arrays and direction finding techniques on the physical layer. Further, we practically evaluate the impact of various jamming and fuzzing attacks on two commonly used devices. The digital standard even raises new attack vectors, since regular beaconing enables localization of idle devices, and forged frames can provably crash devices.

2016 3rd ACM Workshop on Visible Light Communication Systems Article

Opportunities and Pitfalls in Securing Visible Light Communication on the Physical Layer

Jiska Classen Daniel Steinmetzer Matthias Hollick

Daniel Steinmetzer Jiska Classen Matthias Hollick

2016 IEEE Infocom 2016 Poster Presentation (Infocom'16 Posters) Conference

Exploring Millimeter-Wave Network Scenarios with Ray-tracing based Simulations in mmTrace

2016 Other

Software Defined Radio – Open Source Wireless Hacking

Daniel Steinmetzer Jiska Classen Matthias Hollick

2016 Millimeter-wave Networking Workshop (mmNet 2016) Article

mmTrace: Modeling Millimeter-wave Indoor Propagation with Image-based Ray-tracing

2015 Other

Building and Breaking Wireless Security

BibTeX DOI: 10.1109/CNS.2015.7346844

2015 IEEE Conference on Communications and Network Security 2015 (CNS) Conference

Eavesdropping with Periscopes: Experimental Security Analysis of Highly Directional Millimeter Waves

Daniel Steinmetzer Joe Chen Jiska Classen Edward Knightly Matthias Hollick

2015 2nd ACM Workshop on Visible Light Communication Systems Conference

The Spy Next Door: Eavesdropping on High Throughput Visible Light Communications

Jiska Classen Joe Chen Daniel Steinmetzer Matthias Hollick Edward Knightly

Jiska Classen Matthias Schulz Matthias Hollick

2015 IEEE Conference on Communications and Network Security (CNS) Conference

Practical Covert Channels for WiFi Systems

2015 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE UbiSafe Symposium) Conference

A Distributed Reputation System for Certification Authority Trust Management

Jiska Classen Johannes Braun Florian Volk Matthias Hollick Johannes Buchmann Max Mühlhäuser