Skip to content

Security Hardening

c0smic edited this page Jun 20, 2026 · 1 revision

Security Hardening

This fork exists because the upstream Bruce firmware had operational security failures that could expose red team operators. Every fix is documented in the forensic audit report.

Audit Findings Summary

Finding Upstream Issue Fix
AV-001 App Store over unencrypted HTTP HTTPS enforced
AV-002 Deep sleep leaves radios powered on Full radio power-down on sleep
AV-003 Fake sleep mode (screen off, device still active) Proper power state management
AV-004 MJS scripts can access any module Module whitelist with permission system
AV-005 Hardcoded default credentials MAC-derived unique passwords
AV-006 GhostStrats steganography Notified upstream
AV-007 Server divergence from upstream Server-side fix
AV-008 Reverse shell backdoor Authentication enforcement

Always-On (No Toggle)

All security fixes are compiled in by default. There is no #define HEAVYBUTTER_HARDENED flag to forget.

  • MAC-derived unique passwords -- Every device generates its own password from its MAC address
  • Reverse shell authentication -- No auth = no shell access
  • JS module whitelist -- MJS scripts can only access permitted modules
  • SHA-256 App Store verification -- Every payload is hashed before install
  • HTTPS-only App Store -- No unencrypted HTTP traffic
  • Sleep mode kills radios -- Deep sleep powers down WiFi, BLE, RF completely
  • HeavyButter SSID/BLE naming -- Randomized suffixes, no "Bruce" broadcast

Encrypted Config Removed

AES-256-CBC config encryption was added in an earlier version and later removed after careful evaluation:

  • Physical access means flash encryption is already game over
  • Key derivation + encrypt/decrypt on every config read/write added complexity without real benefit
  • Corrupted encrypted blobs forced factory reset as the only recovery path
  • MAC-derived passwords and the module whitelist provide real protection without the complexity

Existing devices with leftover encrypted config strings are handled gracefully -- looksLikeOldEncryptedData() detects them and treats them as empty.

Codebase Audit (v0.2.1)

  • Zero uses of strcpy() -- all replaced with strlcpy() or C++ strings
  • Zero uses of system() / popen() / exec() / fork() -- no shell injection vectors
  • Zero hardcoded credentials -- not in source, not in headers, not in configs
  • 18 sprintf() calls converted to snprintf() -- no silent buffer overflows
  • Empty catch block fixed in HFP_Exploit -- no silently swallowed exceptions
  • va_list double-consumption fixed in BLESerialService -- no argument corruption
  • Zero project-code build warnings across all 9 targets

Clone this wiki locally