Exploiting toilets

The “My Satis” Android application has a hard-coded Bluetooth PIN of “0000” as can be seen in the following line of decompiled code from the


BluetoothDevice localBluetoothDevice = BluetoothManager.getInstance().execPairing(paramString, "0000")

As such, any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.

Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

While this may seem amusing, the increasing connectivity of even the most mundane objects, coupled with a total lack of security, suggests a very dangerous future. We are all surrounded these days by wirelessly controllable or accessible cameras, alarm systems, weather sensors, pressure monitors, air quality control systems, parking meters, and much more. Most have little to no security and count on their utter mundaneness to avoid detection and exploitation, yet the more of these systems become interconnected, the more likely they are to be used for nefarious purposes.

via https://www.trustwave.com/spiderlabs/advisories/TWSL2013-020.txt.
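
An added example, not part of the advisory or the original post: a small Python audit check that flags all-digit string literals passed to Bluetooth pairing calls in decompiled Java, which is the pattern the advisory quotes. The sample source is constructed, and treating `setPin` as a second call to inspect is an assumption beyond the page.

```python
import re

# Pairing calls to inspect: execPairing is the method quoted in the advisory,
# setPin is android.bluetooth.BluetoothDevice.setPin(byte[]) (an assumption here).
CALL_RE = re.compile(r"\b(execPairing|setPin)\s*\(")
# Legacy Bluetooth PINs are 1 to 16 bytes; flag all-digit string literals.
PIN_LITERAL_RE = re.compile(r'"(\d{1,16})"')

# Constructed sample of decompiled Java; only the first call is from the page.
SAMPLE = '''\
BluetoothDevice localBluetoothDevice =
    BluetoothManager.getInstance().execPairing(paramString, "0000");
device.setPin(userSuppliedPin.getBytes());
device.setPin("1234".getBytes("UTF-8"));
Log.d(TAG, "0000");
'''

def call_args(src, open_idx):
    """Return the argument text of the call whose '(' is at open_idx."""
    depth, in_str, i = 0, False, open_idx
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]   # unbalanced input: take the remainder

def find_hardcoded_pins(src):
    """List (line, call, pin) for digit literals passed to pairing calls."""
    # Snippets pasted into web pages often carry typographic quotes.
    src = src.replace("\u201c", '"').replace("\u201d", '"')
    findings = []
    for m in CALL_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        for pin in PIN_LITERAL_RE.findall(call_args(src, m.end() - 1)):
            findings.append((line, m.group(1), pin))
    return findings

if __name__ == "__main__":
    print(find_hardcoded_pins(SAMPLE))
```

A literal passed to an unrelated call such as the `Log.d` line is not reported, and a PIN that arrives through a variable is not a finding either.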


Moscow Metro says new tracking system is to find stolen phones; no one believes them | Ars Technica

On Monday, a major Russian newspaper reported that Moscow’s metro system is planning what appears to be a mobile phone tracking device in its metro stations—ostensibly to search for stolen phones.

According to Izvestia (Google Translate), Andrey Mokhov, the operations chief of the Moscow Metro system’s police department, said that the system will have a range of five meters (16 feet). “If the [SIM] card is wanted, the system automatically creates a route of its movement and passes that information to the station attendant,” Mokhov said.

Many outside experts, both in and outside Russia, though, believe that what local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a device that can fool a phone and SIM into reading from a fake mobile phone tower. (IMSI, or an International Mobile Subscriber Identity number, is a 15-digit unique number that sits on every SIM card.) Such devices can be used as a simple way to see what phone numbers are being used in a given area or even to intercept the audio of voice calls.

The Moscow Metro did not immediately respond to our request for comment.

“Many surveillance technologies are created and deployed with legitimate aims in mind, however the deploying of IMSI catchers sniffing mobile phones en masse is neither proportionate nor necessary for the stated aims of identifying stolen phones,” Eric King of Privacy International told Ars.

via Moscow Metro says new tracking system is to find stolen phones; no one believes them | Ars Technica.

A $40 Software-Defined Radio – IEEE Spectrum

The last time I ventured into the waters of software-defined radio (SDR) was seven years ago, when I reviewed Matt Ettus’s Universal Software Radio Peripheral. While it’s an excellent product, the basic motherboard at the time cost US $550; daughterboards for different frequency ranges cost $75 to $275 [see “Hardware for Your Software Radio,” IEEE Spectrum, October 2006]. And I spent more than a few frustrating hours compiling the needed software on my MacBook Pro. This time I was able to get my feet wet for about $40—and the software took about 2 minutes to download, install, and run.


US commercial wireless infrastructure, really worldwide infrastructure, is amazingly vulnerable to exploitation, hacking, monitoring and the like. In part this is because it was originally designed to be so ubiquitous and backwards compatible. It is also insecure because it has grown so rapidly and organically. Finally, it is insecure because commercial vendors, in part due to the rapid growth but more importantly due to sales and innovation cycles, have focused on features and meeting market demands, not on security or the potential ways the protocols they have rapidly developed might be exploited. The issues with our wireless infrastructure have not really become a major problem in part because, perhaps with the exception of 802.11 WiFi, detecting, intercepting, and manipulating wireless signals was very difficult and expensive. With the advent of SDRs this has changed. Now researchers with five or ten thousand USD can do some really interesting work with wireless protocols. That being said, although in the last 4 or 5 years we have occasionally seen researchers find or demonstrate exploits in wireless systems, such exploits still have not become common due to the sheer difficulty of working with many of the COTS SDRs and open source platforms. This is about to change.

Recently, with the advent of very cheap SDRs (like the one mentioned above), open source protocol stacks, open source base stations, and internet communities dedicated to documenting and understanding various wireless protocols, more and more security researchers and general hobbyists have started to take serious looks at commercial radio systems. With tools like the RTL2832U and various other cheap SDRs, researchers and hobbyists are starting to find and document all sorts of security issues in everything from alarm systems, smart meters, and critical infrastructure to UMTS and LTE. Researchers at places like Department 13 have even demonstrated some capabilities with low cost commercial radios that, until recently, did not exist outside multimillion dollar SIGINT and EW systems. For this reason the proliferation of cheap SDRs and tools for working with and manipulating radios is perhaps a far greater immediate concern than 3D printing weapons and additive manufacturing. We believe this because, while additive manufacturing in the next couple of years has the potential to greatly lower the bar for the development of various types of weapons, it will not be a real game changer, with perhaps the exception of the ability to generate WMD, but that is probably farther out than a few years. SDRs and the aforementioned technologies and trends could give individuals, very cheaply, the ability to manipulate radios in ways that could potentially cause vast damage. While we won’t explore these scenarios here, it should take very little imagination to realize the impact of cheap, throwaway, and small EW platforms.

via A $40 Software-Defined Radio – IEEE Spectrum.