-
Notifications
You must be signed in to change notification settings - Fork 1
Security Hardening
c0smic edited this page Jun 20, 2026
·
1 revision
This fork exists because the upstream Bruce firmware had operational security failures that could expose red team operators. Every fix is documented in the forensic audit report.
| Finding | Upstream Issue | Fix |
|---|---|---|
| AV-001 | App Store over unencrypted HTTP | HTTPS enforced |
| AV-002 | Deep sleep leaves radios powered on | Full radio power-down on sleep |
| AV-003 | Fake sleep mode (screen off, device still active) | Proper power state management |
| AV-004 | MJS scripts can access any module | Module whitelist with permission system |
| AV-005 | Hardcoded default credentials | MAC-derived unique passwords |
| AV-006 | GhostStrats steganography | Notified upstream |
| AV-007 | Server divergence from upstream | Server-side fix |
| AV-008 | Reverse shell backdoor | Authentication enforcement |
All security fixes are compiled in by default. There is no #define HEAVYBUTTER_HARDENED flag to forget.
- MAC-derived unique passwords -- Every device generates its own password from its MAC address
- Reverse shell authentication -- No auth = no shell access
- JS module whitelist -- MJS scripts can only access permitted modules
- SHA-256 App Store verification -- Every payload is hashed before install
- HTTPS-only App Store -- No unencrypted HTTP traffic
- Sleep mode kills radios -- Deep sleep powers down WiFi, BLE, RF completely
- HeavyButter SSID/BLE naming -- Randomized suffixes, no "Bruce" broadcast
AES-256-CBC config encryption was added in an earlier version and later removed after careful evaluation:
- Physical access means flash encryption is already game over
- Key derivation + encrypt/decrypt on every config read/write added complexity without real benefit
- Corrupted encrypted blobs forced factory reset as the only recovery path
- MAC-derived passwords and the module whitelist provide real protection without the complexity
Existing devices with leftover encrypted config strings are handled gracefully -- looksLikeOldEncryptedData() detects them and treats them as empty.
- Zero uses of
strcpy()-- all replaced withstrlcpy()or C++ strings - Zero uses of
system()/popen()/exec()/fork()-- no shell injection vectors - Zero hardcoded credentials -- not in source, not in headers, not in configs
- 18
sprintf()calls converted tosnprintf()-- no silent buffer overflows - Empty
catchblock fixed in HFP_Exploit -- no silently swallowed exceptions -
va_listdouble-consumption fixed in BLESerialService -- no argument corruption - Zero project-code build warnings across all 9 targets
SharkSoup by HEAVYBUTTER