“T V E S L E”: The Poetry of Encryption in 1080s AD

While reading about the French use of encryption during the 16C I ran into a reference that said French Kings borrowed cryptography concepts from Arabs. A little more digging and I found an example by Hervé Lehning in “L’Univers des codes secrets: De l’antiquité à Internet”.

He writes that Muhammad ibn Abbad al-Mu’tamid (المعتمد بن عباد), King of Seville from 1069-1092, used birds in poetry for secret correspondence. For example:

La tourterelle du matin craint le vautour,
Qui pourtant préfère les nuées d’étourneaux,
Ou au moins les sarcelles et les loriots
Qui plus que tout craignent les éperviers.

Matching names of birds to their first letter we get “t v e s l e”, which Lehning contends is the message “tues-le”: kill him.

My translation:

The morning dove fears the vulture,
yet who prefers swarms of starlings,
or at least teal and orioles,
who most of all fear the hawk.

Would love to find the original imagery as I imagine the King’s poetry to be highly calligraphic or even a form of pictorial encoding.

Easy Bluetooth Car Hack: “Press OK to Continue”

Looking at a brand new vehicle console interface for Bluetooth connections we found it prompted the user to select a device name, yet used a limited visual space. The prompt, right in front of the driver on the center console, asks (changed slightly to mask offending vehicle manufacturer):

Would you like to connect…

Then the device name gets inserted immediately after. This led to the natural question whether we could dictate behavior instead of asking the user to make a decision.

We changed a phone name to “Press OK to Continue”, put the phone into discovery/connect mode and waited in a parking lot. Soon after we had a rogue connection to a car, as a driver thought “Press OK to Continue” was a prompt, not the device name.

That’s a bit of social engineering to fool the human, testing human vulnerability to formatting. To check the device itself before the human, you could similarly change the device name to odd characters and test non-human vulnerability to string formats.
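On the console side, the fix for both problems is to treat the remote device name as untrusted data instead of splicing it into the prompt sentence. The sketch below is an added example, not code from the vehicle or from this post; the function names, the 24-character limit, the word list and the sample address are all assumptions made for illustration.

```python
import re
import unicodedata

MAX_NAME_CHARS = 24  # assumed display budget for the name field
# Assumed word list: terms that read as an instruction, not a device name.
PROMPT_WORDS = re.compile(r"\b(press|ok|continue|yes|accept|confirm|tap|select)\b", re.I)


def sanitize_device_name(raw: bytes) -> str:
    """Reduce an untrusted remote device name to plain, bounded display text."""
    text = unicodedata.normalize("NFKC", raw.decode("utf-8", errors="replace"))
    kept = []
    for ch in text:
        if ch.isspace():
            kept.append(" ")  # newlines and tabs must not reshape the dialog
        elif unicodedata.category(ch)[0] != "C":
            kept.append(ch)  # drops NUL, bidi overrides, zero-width characters
    text = " ".join("".join(kept).split()).replace('"', "'")
    if len(text) > MAX_NAME_CHARS:
        text = text[: MAX_NAME_CHARS - 1] + "…"
    return text or "(unnamed device)"


def looks_like_prompt(name: str) -> bool:
    """Heuristic: two or more instruction words suggest a spoofed prompt."""
    return len(PROMPT_WORDS.findall(name)) >= 2


def build_pairing_prompt(raw_name: bytes, address: str) -> str:
    """Compose the dialog so the name is a labelled, quoted field."""
    name = sanitize_device_name(raw_name)
    lines = [
        "Would you like to connect to this device?",
        f'Device name: "{name}"',
        f"Address: {address}",
    ]
    if looks_like_prompt(name):
        lines.append("Warning: this device name resembles an on-screen instruction.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs; the address is a placeholder.
    for sample in (b"Dave's iPhone", b"Press OK\nto Continue"):
        print(build_pairing_prompt(sample, "AA:BB:CC:DD:EE:FF"), end="\n\n")
```

The word-list check is only a heuristic; the structural change, a complete question followed by the name as a quoted and labelled field, is what keeps the name from reading as part of the prompt.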