re: AWS conference spyware device 

@bamfic pic3 might be an antenna?

probably custom-made for the conf

re: AWS conference spyware device 

@riking That square-wave looking thing is definitely an antenna; seen them in all kinds of devices. C and D pads look like "clock" and "data", possibly i2c. What I don't know is:

1) What microprocessor is it?
2) What frequency/band does it operate at?
3) What does it, like, *do*?

re: AWS conference spyware device 

@bamfic @riking @rey Immediate suspicion based on the package marking: a Nordic RF device. They make all sorts of microcontrollers that do wireless things. Mostly in the 2.4GHz ISM band.
Went looking, found this: twipu.com/cybergibbons/tweet/1
My bets are on BT-SMART (aka BLE) indoor positioning / location beacon stuff.

re: AWS conference spyware device 

@tbr @bamfic @riking @rey So, basically, "we can track where you go"?

re: AWS conference spyware device 

@KitsuneAlicia @bamfic @riking @rey yes, exactly.
For conference organizers this would likely be:
* which talks did they attend
* did they leave a talk early
* which booths/stands/vendors did they visit (share info with those?)
* which other people did they hang out with
* …

re: AWS conference spyware device 

@bamfic @riking @rey
I guess it's a custom part close to the nRF51802: nordicsemi.com/Products/Low-po
Possibly an ARM Cortex-M0.
Usually silicon vendors will castrate features out. So it is likely missing some of the features that the 51802 has. Maybe it only speaks BT, or doesn't have AES, or has smaller Flash.
The chips get 'binned' and if something is broken / doesn't pass, it gets disabled by blowing a 'fuse'.

re: AWS conference spyware device 

@tbr @riking @rey Thanks! Though, we didn't see any of these come up in bluetooth scans on our phones.

re: AWS conference spyware device 

@tbr @rey @riking I'd love to figure out a way to get the software off of the damn thing, decompile it, and figure out what it's doing. It doesn't show up on bluetooth scans when it is powered up.

re: AWS conference spyware device 

@bamfic @rey @tbr BLE device detection is weirdly different from regular bluetooth - I think the host has to probe the device for it to wake up.

re: AWS conference spyware device 

@riking @rey @tbr Aha, that was it: I got it to show up:

    sudo hcitool lescan |sort |uniq
    AC:23:3F:52:24:C0 TurnoutNow

So it appears to be a “TurnoutNow” device.

re: AWS conference spyware device 

@bamfic @rey @tbr branding jibes with talk attendance measurement (what is turnout of that talk)

re: AWS conference spyware device 

@riking @rey @tbr Their marketing is bullshit tho: "there’s no way to validate this data other than a costly, hourly rate personnel scanning badges at every door." But they *did* have hourly rate personnel scanning badges at every door! And long lines to get in while they did that.

re: AWS conference spyware device 

@bamfic @riking @rey Maybe doing A/B comparison to verify the technology? Just guessing.
As to the BLE aspect, it's probably just going to show up as a beacon type device/endpoint. The rest is then happening on the location base station network. There are explicit protocol provisions to measure distance, although I think simple signal strength RSSI is still most popular. Anyway for enhanced accuracy it might use triangulation.
Dumping the device: SWD, if not RO.

re: AWS conference spyware device 

@tbr @riking @rey Thanks! I'm going to bring the device to the local hackerspace this weekend and let a friend have his way with the thing.

re: AWS conference spyware device 

@riking @rey @tbr

And there’s not a lot of useful info in it, probably using the MAC address to track us:

    sudo gatttool -b AC:23:3F:52:24:C0 -I
    [AC:23:3F:52:24:C0][LE]> connect
    Attempting to connect to AC:23:3F:52:24:C0
    Connection successful
    [AC:23:3F:52:24:C0][LE]> primary
    attr handle: 0x0001, end grp handle: 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
    attr handle: 0x0008, end grp handle: 0x000b uuid: 00001801-0000-1000-8000-00805f9b34fb
    attr handle: 0x000c, end grp handle: 0x000f uuid: 0000180f-0000-1000-8000-00805f9b34fb
    attr handle: 0x0010, end grp handle: 0x0020 uuid: 0000180a-0000-1000-8000-00805f9b34fb
    attr handle: 0x0021, end grp handle: 0xffff uuid: 0000fff0-0000-1000-8000-00805f9b34fb
    [AC:23:3F:52:24:C0][LE]> char-desc
    handle: 0x0001, uuid: 00002800-0000-1000-8000-00805f9b34fb
    handle: 0x0002, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
    handle: 0x0004, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb
    handle: 0x0006, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0007, uuid: 00002a04-0000-1000-8000-00805f9b34fb
    handle: 0x0008, uuid: 00002800-0000-1000-8000-00805f9b34fb
    handle: 0x0009, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x000a, uuid: 00002a05-0000-1000-8000-00805f9b34fb
    handle: 0x000b, uuid: 00002902-0000-1000-8000-00805f9b34fb
    handle: 0x000c, uuid: 00002800-0000-1000-8000-00805f9b34fb
    handle: 0x000d, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x000e, uuid: 00002a19-0000-1000-8000-00805f9b34fb
    handle: 0x000f, uuid: 00002902-0000-1000-8000-00805f9b34fb
    handle: 0x0010, uuid: 00002800-0000-1000-8000-00805f9b34fb
    handle: 0x0011, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0012, uuid: 00002a29-0000-1000-8000-00805f9b34fb
    handle: 0x0013, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0014, uuid: 00002a24-0000-1000-8000-00805f9b34fb
    handle: 0x0015, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0016, uuid: 00002a25-0000-1000-8000-00805f9b34fb
    handle: 0x0017, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0018, uuid: 00002a27-0000-1000-8000-00805f9b34fb
    handle: 0x0019, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x001a, uuid: 00002a26-0000-1000-8000-00805f9b34fb
    handle: 0x001b, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x001c, uuid: 00002a28-0000-1000-8000-00805f9b34fb
    handle: 0x001d, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x001e, uuid: 00002a23-0000-1000-8000-00805f9b34fb
    handle: 0x001f, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0020, uuid: 00002a2a-0000-1000-8000-00805f9b34fb
    handle: 0x0021, uuid: 00002800-0000-1000-8000-00805f9b34fb
    handle: 0x0022, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0023, uuid: 0000fff1-0000-1000-8000-00805f9b34fb
    handle: 0x0024, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0025, uuid: 0000fff2-0000-1000-8000-00805f9b34fb
    handle: 0x0026, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0027, uuid: 0000fff3-0000-1000-8000-00805f9b34fb
    handle: 0x0028, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0029, uuid: 0000fff4-0000-1000-8000-00805f9b34fb
    handle: 0x002a, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x002b, uuid: 0000fff5-0000-1000-8000-00805f9b34fb
    handle: 0x002c, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x002d, uuid: 0000fff6-0000-1000-8000-00805f9b34fb
    handle: 0x002e, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x002f, uuid: 0000fff7-0000-1000-8000-00805f9b34fb
    handle: 0x0030, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0031, uuid: 0000fff8-0000-1000-8000-00805f9b34fb
    handle: 0x0032, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0033, uuid: 0000fff9-0000-1000-8000-00805f9b34fb
    handle: 0x0034, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0035, uuid: 0000fffa-0000-1000-8000-00805f9b34fb
    handle: 0x0036, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0037, uuid: 0000fffe-0000-1000-8000-00805f9b34fb
    handle: 0x0038, uuid: 00002803-0000-1000-8000-00805f9b34fb
    handle: 0x0039, uuid: 0000ffff-0000-1000-8000-00805f9b34fb
    Attempting to connect to AC:23:3F:52:24:C0
    [AC:23:3F:52:24:C0][LE]> char-read-hnd 0x0008
    Characteristic value/descriptor: 01 18
    [AC:23:3F:52:24:C0][LE]> char-read-hnd 0x000c
    Characteristic value/descriptor: 0f 18
    [AC:23:3F:52:24:C0][LE]> char-read-hnd 0x0010
    Characteristic value/descriptor: 0a 18
    [AC:23:3F:52:24:C0][LE]> char-read-hnd 0x0021
    Characteristic value/descriptor: f0 ff
    [AC:23:3F:52:24:C0][LE]> char-read-hnd 0x000e
    Characteristic value/descriptor: 64

There’s an ID QR-coded onto the front of it, which is nothing like the MAC address, but probably is correlated to it in some database somewhere.
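
Added example, not written by anyone in the thread: a Python decoder for the gatttool session above, mapping the services on the Bluetooth SIG base UUID to their assigned names and interpreting the five `char-read-hnd` results. The name table is a small subset chosen for this session (an assumption of the example), and the sample input is copied from the posted output.

```python
import re

BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"  # tail of the Bluetooth SIG base UUID
# Subset of SIG assigned numbers, chosen for this session (not a full registry).
SIG_NAMES = {0x1800: "Generic Access", 0x1801: "Generic Attribute",
             0x180A: "Device Information", 0x180F: "Battery Service",
             0x2A19: "Battery Level"}

# Sample input: lines copied from the gatttool session posted in the thread.
PRIMARY = """\
attr handle: 0x0001, end grp handle: 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x0008, end grp handle: 0x000b uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x000f uuid: 0000180f-0000-1000-8000-00805f9b34fb
attr handle: 0x0010, end grp handle: 0x0020 uuid: 0000180a-0000-1000-8000-00805f9b34fb
attr handle: 0x0021, end grp handle: 0xffff uuid: 0000fff0-0000-1000-8000-00805f9b34fb
"""
CHAR_DESC = {0x000E: 0x2A19}  # handle -> characteristic UUID, from the char-desc list
READS = [(0x0008, "01 18"), (0x000C, "0f 18"), (0x0010, "0a 18"),
         (0x0021, "f0 ff"), (0x000E, "64")]

def short_uuid(uuid):
    """Return the 16-bit value of a UUID built on the SIG base, else None."""
    uuid = uuid.lower()
    if uuid.startswith("0000") and uuid.endswith(BASE_SUFFIX):
        return int(uuid[4:8], 16)
    return None

def label(u16):
    return SIG_NAMES.get(u16, "not in this table")

def parse_primary(text):
    """Return [(start_handle, end_handle, uuid16)] from 'primary' output."""
    pat = re.compile(r"attr handle: (0x[0-9a-f]{4}), end grp handle: "
                     r"(0x[0-9a-f]{4}) uuid: ([0-9a-f-]{36})")
    return [(int(s, 16), int(e, 16), short_uuid(u)) for s, e, u in pat.findall(text)]

def explain_read(handle, hexstr, services):
    """Interpret one char-read-hnd result using the parsed service table."""
    data = bytes.fromhex(hexstr)  # fromhex skips the spaces between bytes
    starts = {s: u for s, _, u in services}
    if handle in starts and len(data) == 2:
        # A service declaration attribute holds the service UUID, little-endian.
        u16 = int.from_bytes(data, "little")
        return f"service declaration 0x{u16:04x} ({label(u16)})"
    if CHAR_DESC.get(handle) == 0x2A19 and len(data) == 1:
        return f"Battery Level {data[0]}%"
    return f"raw {data.hex()}"

if __name__ == "__main__":
    services = parse_primary(PRIMARY)
    for h, v in READS:
        print(f"0x{h:04x}: {explain_read(h, v, services)}")
```

Four of the five reads land on service declaration handles, so they only echo the service UUIDs already listed by `primary`; the fifth is the battery level.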
