Black Hat Asia 2014 - The Machines That Betrayed Their Masters

Captions
My name's Glenn Wilkinson and my talk today is entitled The Machines That Betrayed Their Masters. Thanks for coming along; it's a topic that I'm quite excited about and, yeah, I'd like to share the excitement with you. At my office I'm known as the guy with the toys, because every second day there's a parcel from eBay or Amazon or somewhere with toys in it, and I've brought a few of my toys along today. As hackers we're all a bunch of big kids basically, so I'll play with my toys, and afterwards if you want to play with them too, feel free to come and check it all out.

So as I said, my name is Glenn, that's my Twitter handle if you're interested in such things. My lucky number is 11, which is why that man's wearing 11 on his shirt. I'm originally from a country called Zimbabwe, it's a small landlocked country in southern Africa. I studied at the University of Oxford in England on a Rhodes scholarship, so I have a master's degree in computer science from there, and I currently work for an information security firm, a penetration testing firm called SensePost. It's a company started in South Africa about fourteen years ago, in fact it was our 14th birthday this year, but I work for the London office, which has been running for a few years now. So my day job is hacking stuff; I guess I'm a security analyst or pen tester or whatever you want to call it. So I get paid to hack stuff, which is, you know, kind of a dream. Growing up I never thought I'd get paid to hack into banks, and now I do, so that's pretty cool. I also spend a lot of time training, so Black Hat Vegas, other Black Hats, hacking the box, all that kind of stuff; we give training on most continents. And then 20 percent of my time is research time, so I get to play with toys and then come and speak at conferences to lovely people like you. I've spoken at a few conferences over the last year about this tech and a few other interests that I have.

But enough about me, let's talk about you. Does anybody in the audience recognize any of these addresses or some of these photographs? Maybe it's your house, your friend's house, a place you visited. I see we have some addresses in Amsterdam, Germany, Italy, Turkey. Now I see there are fewer people here than there were at the keynote, when I collected this data yesterday, so we may not get a hit, but do let me know if you see anything of interest. Anyone from Israel? I see a nice coffee shop there that someone may have visited recently. And maybe someone stayed in the InterContinental Hotel. And a whole bunch of us from the States; anyone recognize the office or the house, or someone stayed at the Essex Inn in Chicago? Well, I'm asking, but I'm actually telling: you have stayed here, you do live here, so don't worry about owning up. And of course welcome to those of you who attended Black Hat Vegas in 2012, good to see some continuity over the years, and also Black Hat EU, so welcome to those of you who have attended that conference in the past, welcome back. And nice to see people visiting from all over the world, so we've got people here from the States, from all over Europe and of course from Asia and Southeast Asia, so a nice, good spread of audience this year. A very different picture, of course, to Black Hat Brazil at the end of last year, where I assume a lot of people were visiting from the region locally.

Interesting. How do I know all of that? Well, the topic of the talk: something about machines, something about betrayal. I'll give demos in a little while about how I got that information, but I got it legally, above board, by passively listening to devices that you guys are carrying in your pockets. So, something about surveillance. What's interesting is that I'm doing some degree of surveillance here and profiling, but everything I'm discussing is research done pre-Snowden. A colleague, Daniel Cuthbert, and myself a couple of years ago had the idea that maybe governments and private sector organizations are spying on us and trying to figure out what kinds of information about us, and they have
really deep pockets and really big budgets, and we were curious to see if, on a kind of a shoestring budget, so my research time, twenty percent, one day a week, effectively no budget, open-source software, you know, cheap hardware, we could build some degree of surveillance system; to basically make some kind of large dragnet-type system, not focusing on individuals initially but on a large group of people, say people at a conference, people in a city, people in a country. Could we build technology to surveil people on that scale?

So the talk says something about machines and something about betrayal. So what are these machines and how are they betraying us? So machines relates to devices that we carry that have some kind of computing power and have some kind of wireless connection. Go back five years, ten years, maybe you had a cell phone, but its only connectivity was the cell network. Go back a bit further than that and maybe you had a wristwatch or something, maybe the crystal emitted some tiny signal, but effectively you're isolated. But these days, more and more so, we're carrying devices that have some degree of computing power and also emit signals. A cellphone is the most common example, a smartphone; most of us here carry a smartphone, in fact based on those previous images I know that you guys carry smartphones. But that's not the only example. Bank cards these days have NFC chips, Near Field Communication. In London where I live we use the Oyster Card travel card, which also uses NFC-type technology, and in the States you'll have noticed that your identity cards have some wireless chips inside them. I see there's at least one person here wearing Google Glass, so Google Glass: the future's weird, your glasses and your book and your watch, suddenly everything's got computers and wireless technology, which is kind of strange when you think about it. And the thing with the Nike symbol there, that's a fitness bracelet that's getting really popular these days. You have this bracelet that you put on your wrist and a chip you put on your shoe and a heart monitor you stick on your chest, and all of this stuff monitors your activity and all communicates wirelessly, either to your phone or to some other device for synchronization. Passports these days have chips in them. And you'll notice these devices essentially have short-range communication, some have long-range communication, but even things like NFC are sometimes not that short. On the left, does anybody know what that device is, just under the Google Glass image? Yeah, pacemaker. Wow, the future is messed up. Pacemakers have wireless technology, and not some small custom subset, actual Wi-Fi, yeah, which is just really weird.

So the point is that we all carry devices either on us or essentially inside us that have some computing power and they use some kind of wireless technology, and the wireless technology that they use varies between devices. So perhaps the cellphone has the most number of technologies; in this image we see it has Wi-Fi, Bluetooth, NFC, GSM, so a whole bunch of wireless transmitters and receivers. They're essentially just shouting out information. Now the betrayal comes in when we think about what these signals are and how we can interact with them and what we can learn from them. So there's essentially two things that I'm interested in. One, the uniqueness of the signal that's being emitted by a device or a collection of devices: if a device, whether a cellphone or a passport or a fitness bracelet, is emitting some wireless signal that's unique, at least for some period of time, then I can uniquely identify it if I'm able to detect that signal. So the most common example, and the example I've had the most success with, is Wi-Fi. So all of your mobile devices, if you've left your Wi-Fi on, even if you're not actively using it (as I say that, I've left my Wi-Fi on, I'm the guy giving a talk), so if you've left your Wi-Fi on, your device is constantly making noise and sending out a unique signal that includes the MAC address of the device.
Essentially I can uniquely identify this device in this room, and if I was at that conference last year and I had the same device, I could note that that device was in this room at this point in time, and in that room at that point in time, and at the airport at this point in time, if I had the ability to detect the device at those locations. That's the first part, a unique signature, and that's either going to be something like the RFID signature or the MAC address or a whole bunch of other options, but generally speaking some kind of unique signature. What we want after that, potentially, is some way to get information about the owner of the device, and again the way we interact with that could be a whole bunch of different options. Looking at Wi-Fi again, if you've left your Wi-Fi on, your phone is constantly looking for networks it's previously connected to, and maybe there's some information in there, as you'll see as we go along. With RFID, maybe included in the signal is a name or unique identifier, ID number, or something of that nature.

So if... just give me a second, it seems the projector is not playing nicely with me. Is that better? Okay. So, yeah, as I said, the idea of a machine... it was better, wasn't it? So it doesn't like... okay, fine, we'll just do mirror mode, it doesn't like to do presenter mode, I'll just guess what slide's coming next. So I think the next slide will be... whatever. Anyway, so a machine, so the machine can be anything that's... sorry, yeah, so it's mirrored. Technology's great, isn't it? So it's mirrored, Mr AV guy, 800 by 600 mirrored, sorry, 1024. Okay, we'll skip that.

So the idea of a machine, a unique signature, and then a link potentially from that device to a human being, and that's what I'm interested in. So the devices that you're carrying in your pockets right now and on your wrists: can I uniquely identify you in this room, and then can I figure out who you are, where you live, who you interact with, are you here with colleagues or by yourself or a spouse or something? And mobile phones, smartphones, are wonderful. Like five years ago, ten years ago, if you wanted to bug somebody or surveil somebody you had to break into their house and install a camera in the smoke detector or something, and put a physical bug on the phone, and then follow them in a car. These days we all carry the most sophisticated bugging device ever created, voluntarily, on our person. It's bizarre. It's got GPS and a camera and a plethora of wireless technologies and photographs and personal information, banking information, and we just voluntarily carry it around and don't really give it a second thought.

Now as I say, there's a bunch of unique signatures. The one I've had the most success with and I'll discuss today is Wi-Fi wireless technology, and the idea is that your device has a unique MAC address, and the way the Wi-Fi protocol works, as you're sitting here, you're not connected to a wireless network, even if you're in the middle of the Sahara Desert, your device is constantly sending out a message looking for every wireless network it's ever connected to. This stuff dates back to the KARMA attack, Dino Dai Zovi, back in 2005, but it's still completely relevant, not fixed, and in fact more dangerous than ever before. So your phone is sending out this message, and now I want to link that unique signature to a person, and there's two ways we can approach that: passively or actively. Now with passive linking I don't have any interaction with your device at all, and that's what I've been doing, as I was doing yesterday, to
get information on you guys. So your phone is sitting in your pocket and it's looking for every network you've ever connected to. It's looking for BTHomeHub-AFV1, it's looking for Starbucks, it's looking for Virgin, it's looking for... is anybody out there? So as you've travelled the globe you've connected to different wireless networks in different countries, and you've clicked join that network and you haven't said forget that network after you've left. Your phone has remembered that and it's in the room right now shouting out the names of all of those networks. Now immediately I can infer certain things from that. If your phone is looking for McDonald's Free Wi-Fi or Budget Airline Free Wi-Fi, then I know you're a bit of a low roller. If your phone is looking for the Ritz Premier Suite and looking for British Airways First Class Lounge, I can kind of infer that you're a bit of a high roller. And sometimes the name of the network might be immediately obvious: if I see somebody looking for Royal Bank of Scotland Corporate then someone probably works at RBS. If someone's looking for Royal Bank of Scotland Corporate and they're looking for Hooters, then immediately we can draw some conclusions. That was an embarrassing demo I gave once.

Now what's also interesting about the signals that are being sent out, as your phone is looking for these wireless networks, is if those networks are sufficiently unique then it's possible to determine the geolocation of those networks. Who knows what wardriving is? About a third of the audience. This is a technique that goes way back to 2001, and the idea is that, number one, you have to wear a ninja outfit, so there's me in the top corner in my ninja outfit, and you have some device that has both GPS capability and Wi-Fi capability, and you basically traverse an entire city or area, and every time you see a wireless network you know the GPS coordinates. So there I am being a ninja wandering around London. There's only four wireless networks in London, maybe that's a few years ago, I think there's at least five now. And every time I see a wireless network I note the name and the GPS coordinates and I make a table like in the bottom corner there. Things like Starbucks you're likely to see thousands of times, if you take the planet probably tens of thousands of times, but if a name is sufficiently unique then it's possible that it's only geolocated to one exact location. I'm not sure about in Singapore, but at least in the UK where I live you have providers like British Telecom, BT, and if you get the internet at home you get BTHomeHub-1234 or something, so some unique name. At Virgin Media, VirginMedia61249, so the name of the provider and then a unique identifier. The same with businesses, so BTBusinessHub and then some unique identifier. So if I can create a list like this and then I notice that your device is looking for BTBusinessHub-DF1, and I have this big table, I can then look up the name of the network that the device in your pocket is looking for and infer that at some point in the past you have connected to a network in London on the corner of Old Street and City Road.

It's going to take a while to do that, so luckily there's crowdsourced projects that anyone can be part of and you can submit your own data. A project dating back to 2001, WiGLE, so wigle.net, awesome bunch of guys, and they've been running the site for 13 years now and they have on the order of a hundred million observations. I run the software, I travel and I just collect the names and networks and GPS coordinates and submit it to them, and what that means is that anybody can then go and create that database and essentially figure out where devices are from. So now I see someone looking for BT Home Hub and I immediately know that you're from this address. Now, an interesting anecdote: when I was working on the software that kind of does all of this stuff, I was sitting at a coffee shop in Oxford where I used to live and I
had my software running. I'm just watching the screen and two guys walk into the coffee shop speaking Arabic to each other, and I was watching the screen and I see two new mobile devices probing for a network, and my software geolocated those networks to a small town in Saudi Arabia. And I'm sitting there watching my screen as these guys walk in and I think, I know where you're from, right down to the Street View of their house, or at least of a place where they've lived or at least visited.

So, passively linking a signature, and then actively linking. So now we're interacting with the device. So with Wi-Fi, interacting with Wi-Fi, or for some other technology, sending signals to the device and interacting with it to either extract information or get it to perform some action to get more information about the owner. Now again, this is not particularly new, this dates all the way back to 2005 and the attack called the KARMA attack, but basically when your device is looking for Starbucks or McDonald's Free Wi-Fi or something, number one I can hear that signal, and two I can reply and say hey, it's me, Starbucks. Now someone was doing this yesterday in the conference, it wasn't me, but you would have noticed that there were access points popping up like Starbucks and like Heathrow Airport Wi-Fi, which is always a good indicator that somebody is messing with this kind of stuff. But it wasn't me; I did, yeah, I did try and shut down the access point. But the point is that you can respond and say hey, it's me, Starbucks, connect to me, and your device will connect and then you'll be happily browsing and you probably won't even notice. You'll get a little wireless symbol popping up, a little Wi-Fi symbol, but you won't get a prompt, because, you know, it's like when you go home or when you walk into Starbucks, you want it to automatically and immediately connect. And by doing that I can then intercept your traffic. Again, this is old-school stuff: pull out your session cookies, look at what you're browsing, and, you know, determine who you are from your Facebook account, your Twitter account or your email, and pull out that kind of information.

Now the Snoopy framework is a tool that I worked on back in 2012, and I spoke at a conference called 44CON in London, that's in London, and essentially released a proof-of-concept Snoopy tool back then. But over the last few months I've been working on a new version that's all nicely Pythonified and it's modular and it's a bit more efficient. What the Snoopy framework is, it's a distributed tracking, profiling and data interception framework. So it takes all the ideas that we've briefly touched on, and there's nothing new about any of that, that's been known for a long time, but it packages it together into a nice unified framework that you can expand on, add on to. So if there's a new protocol that comes out tomorrow called GreenTooth to replace Bluetooth, then we can write a Snoopy plug-in that can detect those signals and interact with those signals and populate data, manipulate data. So I said four things there: distributed, tracking, data interception and profiling framework. So distributed: the idea is that you can have these Snoopy devices running on some small, inconspicuous hardware and distribute these little Snoopy sensors over a large area, say the whole of Singapore, and you can run the Snoopy software on anything that runs essentially Linux and has the wireless adapters that you're interested in. So this device here, it's a BeagleBone Black, which is sort of similar to the Raspberry Pi, so it's a single-board computer, and it's got an add-on module on the top that has 3G connectivity and a GPS device, and then a wireless antenna plugged in here. So very small, very inconspicuous. I can plug it in and leave it lying around somewhere, put it in a nice little case, and the idea is I can leave it on a chair unattended, and as you're all interacting here and walking around, day in, day out, this device will be collecting information and syncing it back to a
central Snoopy server. I can drop these devices over, say, the whole of Singapore, thousands of them, and as people move around the city these devices will detect them, interact with them and send the data back to a central server. So that's nice, because existing technology, things like the Pineapple, runs on a single device and then you've got to put in the memory card, take out the memory card, put it in your laptop, open up Wireshark, so it's a bit cumbersome. So this is nice because it's distributed: collects the data, sends it back to a central server. So it's distributed. So tracking, kind of obvious: you have this blanket of devices, and as people with wireless transmitters in their pockets walk through the environment we know okay, they're at this location, and this location, and this location, and it's got a GPS device that knows effectively exactly where it is. So distributed tracking. Data interception: so as mentioned, depending on the technology you're using, Wi-Fi for example, or GSM, maybe we set up a femtocell, intercept your traffic, parse the traffic and sync it back to the central server. So instead of collecting data locally, I intercept your traffic and it goes back to a central server. So I have 10,000 devices scattered over the whole of Singapore and they're all intercepting traffic and sending everyone's traffic back to a central server for examination and visualization. And then profiling: so rather than just collecting more traffic, I'm exploring and manipulating the traffic and working out things like where you live, what your Facebook profile is, who your Facebook friends are, what Facebook friends you have in common, your inbox, who you've been emailing, common links of people you've been emailing. So those are kind of the four pieces of the tech, and essentially nothing new, but putting it all together into one unified framework.

And then the next-generation Snoopy, which is after the 44CON PoC. There's only one image on the whole of Google Images that has Snoopy wearing a Next Generation Star Trek uniform, this is it; if you can find another one or draw me one, please let me know. But next-generation Snoopy is essentially all written in Python, and you have the main Snoopy process that runs, and it has a series of plugins, be it Wi-Fi with GPS or Bluetooth or NFC, and it saves that data to a local database on the device, very customizable, SQLite or MySQL or Postgres, and synchronizes that data to a central server that writes it to that database. And it's very modular: you choose which plugins you want to run, and then multiple Snoopy devices all running, syncing data back to a server, and the server can do data exploration and visualization either in a web interface or via a tool called Maltego, and we'll see a demo of that in a little bit. You can also sync data over different technologies, so these things here are called ZigBee radios. So this Snoopy drone, if I plug in the ZigBee module, it will then collect data and synchronize it back to kind of a central Snoopy device maybe up to eight kilometres away, depending on the ZigBee radio. So you can have a whole bunch of Snoopy drones with the ZigBee radio and one central device with a ZigBee radio, and they all synchronize data back to that one, and then maybe the middle one uploads data over 3G or something to some other central server. And ZigBee is great, so this one's two and a half kilometres range, so a tiny old antenna with two and a half kilometres, I guess outside range, and it draws very little current, so I think 300 milliamps. And then you can create any configuration you want: you have these devices syncing over ZigBee to a device over 3G to a device over Ethernet, so basically a nice big distributed network to catch stuff.

And here's an illustration of just the ability to intercept and manipulate traffic. So we have over here two Snoopy drones, you see my mouse cursor, you can see two drones here, and a bunch of client devices, or victims... I've been told I mustn't use the word victims, clients. So devices over here that have in this case
associated with Wi-Fi, and the traffic is going through the drone and then through the Snoopy server, and effectively I do NATting at the server, so I can see this client's exact IP address and traffic flowing through the server. I just pass the traffic through a proxy and I can pull out things like cookies and websites that you're visiting, pass it through sslstrip to try and defeat SSL, which works remarkably well against most sites, and through a man-in-the-middle proxy setup where I can insert arbitrary code, insert arbitrary JavaScript for example, or change every image to a picture of a cat, or one of my favourites is turn every image upside down. So you see the guys in Starbucks, you know, on the device browsing funny cats, and upside down; they turn it upside down and I turn their stuff upside down and it kind of goes on like that. Of course you shouldn't do that. And then you have traffic inspection, pulling out things like PDF documents or VoIP conversations, and then some social media APIs, so if someone's browsing Facebook, I'm able to obtain the Facebook session or password, I can then grab all of their friends and their friends' friends and things like that. And of course over here we see the geolocation technology using WiGLE. Of course, what's nice is these drones are fairly dumb, they don't have that much processing power, and they just pass on the grunt work to the server, potentially, which hands out internet over there.

And yeah, you can run sniffing on a whole bunch of different technologies. So we have the Nokia N900, fantastic cell phone, runs Linux, unfortunately decommissioned, but there's a new project breathing life back into it, the Neo900 project, kind of a Kickstarter/Indiegogo, and I recommend you go and donate to that and get yourself a device. The Raspberry Pi, the BeagleBone Black, the SheevaPlug. The BeagleBone Black is my favourite device: it's stable, can run a modern OS, so I've got Kali Linux running on here, which is great, so it's essentially a pen test box on a small device like this. And yeah, if you can't see it over here, that's it up there, and it's got this fantastic GPS and GSM board on top, which is a prototype which has just been released.

And what else can we do? Well, I've brought my little friend along today, so I've got my quadcopter. This is the controller, as you can see it's watching you guys. So this is the controller for the quadcopter, so I fly it from here, it's got an FPV camera mounted on it, and so essentially I can pilot it from here, and that's all well and good, but so what? Well, so what is that I can attach one of these Snoopy devices to it and do this kind of surveillance in a mobile fashion. So attach the device to this and then fly over a large area or pursue somebody or any number of possible things. Now because this is a fairly small, lightweight device, the idea is you attach it to this, and I'm trying to emphasize that it's not just stunt hacking, so it's kind of cool, yeah, a flying hacking machine, but also it's kind of useful. So it's useful for a few reasons. One, I can get to altitude, so I can fly this device at about 80 metres, you won't see it, you won't hear it, but with the right antenna I'll be able to detect signals on the ground. So if there's some area where I'm not able to plug in devices locally, I can attach it to the flying machine and fly overhead at a safe altitude where you can't see me or hear me, but I can hear the signals from your device. Secondly, if there's some kind of physical barrier I can bypass that, so big walls or men with guns or dogs or something, I can bypass that physical barrier and collect data from the other side. And also it's very fast, so if you want to blanket a whole city very quickly you can just do a nice grid pattern, just cover the whole area collecting data from everybody down below. Now this unit's only got about 20 minutes battery life, up to 40 minutes if I get the right kit for it, but then you can also get fixed-wing devices, so fixed-wing devices you can fly for up to two
hours, essentially just, yeah, do a grid pattern of an entire city and pick up everybody from down below. And I can foresee all kinds of things that we could play with there. So I'm just the guy who builds the tech, so I'm sure there's good users and bad users, as with most technology. As an example, say there's a riot downtown, people are looting and being very bad, you could fly one of these devices over the riot area and collect all the unique signatures from the rioters below to either use in prosecution going forward or to profile and figure out who they are and where they live and that kind of thing. So maybe some degree of good, depending on who the government is. But then at the same time maybe there's an oppressive regime and people having a peaceful protest, and the oppressive regime could fly this tech over and figure out who the protesters are downstairs, which could be a, yeah, a bad scenario. But the idea is that it's just technology; all technology can be used for good or for bad.

As an example, here's me flying in London, so this is a park in London, and from this altitude, about 80 metres, I'm that little tiny speck down in the kind of middle left there, so essentially you can't see it, you can't hear it, and the device is in real time collecting data as I fly around from people down on the ground. Anybody recognize that? Yes, that's the hotel, shot this morning. Man, it's hot outside; I think in the future I'll sit in my hotel room and fly by FPV from there. But yeah, that's probably about 100, 120 metres, I think, and yeah, you can't see it at all. But you can't get access to the pool, but you have the directional antenna and a camera, and you know there's a person of interest up there; well, you can fly up from a safe distance and get a video feed and use a directional antenna to pick up the devices of people that are at the pool. Maybe there's some kingpin up there that you want to surveil and get information on, and we'll just identify that he's at a location at a point in time.

So other things we can do with the aerial unit. So say we have John, there's John, and he's walking around with either his phone or his bracelet or whatever in his pocket, and we already know John's signature, so maybe he was arrested some time ago or we've somehow identified who he is and what his signature is, his MAC address. We know what his MAC address is, his phone's in his pocket, and he's somewhere in Singapore and we want to find John, to ask him some questions, just ask him how he is, that kind of thing. So what we can do, we can do a spiral search. So you can launch the UAV from some central location at a good altitude and slowly circle out in a wider and wider pattern until it finds John based on his signature below. Of course you can blanket a very large area, so you can have here four drones or a hundred drones and have them deployed over a large area: okay, we need to find person X based on the signature, push button, launch drones, and they all individually do their own circular search pattern for their grid until one of them identifies the signature that we're looking for. So here in the bottom right, that one's managed to find John, then he calls his buddies and says I've found John, and then we can use potentially trilateration. It's like triangulation, which most people are familiar with that term, but you probably mean trilateration when you say triangulation. So trilateration works on distances as opposed to angles, and the distance metric in this scenario is the signal strength of the device, so how many decibels the signal strength is from this device. And so the idea here is that you have one master drone, say the guy in the bottom there, and the two other drones are controlled by him, and they all have a GPS device, and because they know their own position and the signal strength of John's device they can work out exactly the GPS coordinates of John. And as he moves around, the one drone at the bottom relays the message to the other two to move them, so we can stay in a fixed position and follow
two John as he walks around right enough talking let's have a demo a screen resolution is a little bit funny but let's see how it works all right so you have these Snoopy drones they all happily running collecting data and send that data back to a central server but data is boring if it's in a text file or a database or something so what I use is this tool called multi go so I don't write this tool I just use this tool Multi goes a fantastic graphing data visualization engine completely customizable it's a really lovely way to explore data and it's made by South Africans which from my point of view is excellent so what I've done on the site here I've written a few I've created a few Snoopy entities so you have these entities and drop them onto the map over here and then against entities you can run a transform which is just an operation so we have this starting point the base of operations I can run the transform it says fetch drones now this fetches you can customize what data you want to select on a time care you have on the side you can have time metrics so you wanna fetch drones they were active today whether active last Tuesday or they're active a year ago default is to fetch all drones that have ever been active so this is including historical data here so during the last year and a half I run all of these drones on my n900 on my laptop on the Beagle burn on the Beagle burn attached to the flying machine and when you run it you can specify the location that you're at so I've been running this at security conferences for the last year and a half and keep in mind this is all broadcast traffic so I haven't done anything illegal at least in these countries it's broadcast unencrypted traffic that your phone is just shouting out to the world so in Poland at cert 44 corn two years and row black hat Vegas security and Scotland black at Brazil black at Singapore so you guys besides DEFCON like a tu IT web in South Africa zero nights and Moscow and Russia so all these 
conferences I've been running this. Well, let's just grab you guys. So here is Black Hat Singapore. I can run a transform, fetch clients. Hey, it's you guys who forgot to turn their Wi-Fi off. So these are all of your devices, laptops, tablets, mobile phones, and based on the MAC address of the device, because we're just looking at Wi-Fi at this stage, we can see that this device is a Samsung device, based on the first half of the MAC address; Apple device, HTC, Apple, etc. So you can see all of you guys. Okay, live demos are always interesting. Let's see if we can find something cool. Just grab a subset of you guys down there and let's just say fetch SSIDs. Now, if it comes back with no SSIDs, that just means your device was sending a broadcast message for any wireless networks out there. So the little brown blips down there are the networks that these devices are looking for: Meg, Morpheus, Logitech. Don't touch this one, it's pretty noisy, it's a whole bunch of devices there. What's interesting is when you see... so this device, I guess, here isn't it, but when you see multiple devices looking for the same network, that's sometimes interesting. So you may or may not get a result here, but often you might see five devices looking for RBS, which is Royal Bank of Scotland, and you know there are employees from the Royal Bank of Scotland. Okay, so that's cool. Let's grab... so this device looks kind of noisy; let's grab those wireless networks. You can say fetch locations. So what that does is query the WiGLE website. Now, WiGLE doesn't have an API, which means you have to do page scraping. If no results come back, that could mean that either they weren't in there... let's just try that one, let's grab a few more. So usually when you see fairly unique network names you would expect to get a hit. Here's one I prepared earlier. So here is a device, an Intel device, and it's looking for rapid7, and here we've geolocated that to, yes, the United States, I assume somewhere in Russia, and I'm not sure what that was there. So I guess Rapid7
maybe has offices in those locations. If you double-click that, then we get a Street View photograph, so maybe that's the office there, and, yeah, I get the address and a link to Google Maps if you want to view it in Google Maps or something. Do these guys come back with anything? Yes, there's one good hit. So this device here, there are six, whatever, so geolocated to the States. Unfortunately no Google Maps image of that place, it seems, but we get the full address. So where's this? Nevada. So someone from Nevada, okay, so that's interesting. What else can we do? So we can potentially, if you want to see overlap between different conferences, let's grab two locations. So besides London and Black Hat EU, let's see if anybody here was at both of those events. So just turn up the number of results all the way up to the maximum and grab both of those and say fetch clients, and we receive these three devices that were at both of those conferences. Then maybe grab just those devices, copy to a new graph, and then try and figure out more about just those guys. So SSIDs. So there are some pretty noisy devices there; maybe we can get a hit on one of those. Okay, what else can we do? So I mentioned data interception, so I can create, I can set it up to run a rogue access point and then connect to it, or convince your devices to connect to it. Oops, we got a hit, so that geolocates to... it's not a good hit. So if we go across to this window, so this is the Snoopy software, this is running on my laptop at the moment, and I'm going to run it and I'm going to say bring up a rogue access point and then get my phone to connect to it, and of course it's stopped working while I was talking to you guys. All right, lucky I was running it before the break, and if we look at which graph was it, actually, I can do this slightly differently. Okay, so I will show you this demo. So here's a photograph, and it's a photograph of the SensePost offices in South Africa, and let's pretend that we released this photograph. There's me and
one of my colleagues; we had our hackathon this past week. So what can we do with this photograph? I can get EXIF information from the photograph, so I right-click on it and say get EXIF data. That's a kind of metadata, so it could be location information or the type of camera used, that kind of thing, and it seems, whoops, we actually, accidentally or intentionally, geotagged that photograph. So now we know where that photograph was taken and we know it relates to SensePost. I can then, I have a transform here to query all access points that are around that location. So I've got some GPS coordinates somewhere in the world, and now I'm going to say fetch from the WiGLE database all access points that are within a 500 meter radius of that address. So this is not data I've collected; this is data in the WiGLE database. So all of these access points are around that location. I can then go through all my historical data from all the conferences I've been to and see if I've been to any event where a device I observed at that event was looking for a wireless network within 500 meters of this address, which I suspect is the SensePost office. Alternatively, I tested it with some other companies here, so you can find the address of koalas, say, plug it in and check your historical data and see if anyone here is a koala at any prior event that I've been to, but I find it better to pick on SensePost because I don't get beaten up afterwards. So here we see that these devices here are looking for WLAN AP, not that interesting; Whiteford, maybe more interesting; Linksys, Linksys. So given this name is quite unique, what that means is that these six devices here, at some conference in my massive database, were looking for a network within 500 meters of the SensePost office. Let's just grab those devices, copy them to a new graph and let's fetch locations. What locations were these devices observed at? Observed at, besides Securi-Tay, ITWeb, so most conferences actually, so this probably is SensePost
people, and then we can just check what networks they're looking for. So what networks were these guys looking for? Noisy devices, it seems bad SensePost employees, and we start to see stuff like... so I added a bit of extra data just to highlight the point, but if we see stuff like Hackito Ergo Sum, so we notice a hacker conference, DEFCON, so because we see named networks that appear to be security related, that's probably SensePost employees. So what did I do there? I figured out where SensePost's offices are, so I could have entered the street address, but I had a photograph here; the EXIF data figured out the GPS coordinates of a SensePost office, then looked for all networks that are around that area, within 500 meters of that office. So if you went to South Africa, went to our office, you would see these networks, and then for all of those networks I checked my historical data to see if I'd ever observed any client devices that were looking for those devices, and I found six devices looking for a network within 500 meters of the SensePost office. And then I see these devices are looking for networks like Hackito Ergo Sum and like DEFCON, and then for network names like this that are fairly unique, they would have managed to geolocate, this one to two possible addresses. I'm not going to double-click that, so it might give my address, but potentially very quickly figure out the home address of SensePost employees. I tried that against a few other companies here and it does work pretty well, but, yeah, I don't want to get into trouble. What else can we do? So I mentioned the rogue access point, so let's just grab these devices and copy to a new graph, and say I was running the rogue access point, I want to intercept data from these guys. So I intentionally did this to myself because I don't want to, you know, do any data interception with you guys, and there I see this Apple device, which is my phone, was browsing these two websites whilst tricked into associating to my
phone. So VampireFreaks and Ruby corn project, so it's browsing vampirefreaks.com and I can grab the cookies. So there we go, there's the session cookie for this device that was browsing, username jimmy911. So, yeah, it can actively intercept data from devices. And one final demo just to put all of that together. So what's nice with Maltego is you can run what's called a machine, which is running multiple transforms at once. So here I have base of operations and I can do a whole bunch of transforms simultaneously. Now, this is going to do... it's going to fetch all active drones, it's then going to get the location of all those active drones, get all clients that were within those areas, it's then going to look for some commonality, so look for devices that are observed in multiple locations, so observed at the airport and at Starbucks and at the hotel, grab those devices, and then it's going to bring up, or go through, historical data of a rogue access point and see if any data was being browsed, and then it's going to grab Facebook friends and potentially the Facebook inbox, but I wasn't sure about that. And the end result, it's running a bit slow, but the end result is the slide here. And so I click one button and it does all these operations in one go, and it finds that there was a device at Heathrow Airport, Finsbury Park, Hyde Park and Starbucks, and these devices, the BlackBerry, the Apple, the HTC, are observed at those locations looking for these networks, a GMC and the Verizon, which would geolocate to San Francisco and the Arab Emirates. Then the data interception by bringing up a rogue access point: the guys are browsing Facebook, so we stole the Facebook session and managed to get a friends list, and we see that those two guys, Jim Anderson and Charles Smith, have those three friends in common. So Maltego is really nice for exploring data. Here's another graph of people who have attended all the conferences I've been to, so you can see all the overlap between the different cons there. So, for example, that Apple
device has been to 44CON, to both 44CONs, and Black Hat 2012. Yeah, so it's nice for visualizing data like that. That's the one I showed you, figuring out the SensePost employees. Here's an experiment I did sitting in King's Cross train station in London for about 12 hours, and here's the graph: the number of unique devices observed over time. So, yeah, a big spike over breakfast, a small spike over lunch, a big spike in the evening, so just looking at a kind of macro level there. And then the ratio of devices observed, so this is from all the conferences: seventy-seven thousand devices I've observed, and a big chunk of Apple, over three quarters Apple, then HTC and Samsung and then going down, but it's interesting to see how popular Apple is. There are a bunch of scenarios I envision this stuff being deployed in. So I mentioned the UAVs flying over maybe a riot area or something, so a degree of law enforcement, or bad stuff, peaceful protesters. Another example, let's say you want to figure out the identity of a celebrity. So I noticed Jeff Moss, founder of Black Hat, he's at the back of the room. So if I know he's here and I'm running my Snoopy drone and he's playing on his phone, I know he was at another Black Hat conference, say Brazil, and I collect data from that conference; then I know he's at some charity event, so I go to that event, and I keep going to events I can physically know he's at, and I do a correlation of all those different events, and if I see one device being observed at all of those different events, then I know that that device is most likely Jeff. And then once I've identified him I can probably do some more active attacks to try and get information off of his device. There are a lot of other scenarios where this tech is actively being used, so you may not know, but most shopping malls have this stuff running already. So in retail, for example, it's companies like Path Intelligence and Euclid Analytics, and they track your devices. They use the same tech here, so Wi-Fi, Bluetooth, NFC, all this kind of stuff;
they'll also use cameras and audio and stuff. The military is also using it, so next line and Verint, they have this exact technology to do exactly what I described here. The difference is both of these cost lots of money, and this stuff is open source and free and off-the-shelf hardware. I found this image, which I thought was cute considering I'm flying drones: yeah, the Drone Survival Guide. If you're interested in how to survive drones, go to dronesurvivalguide.org. A quick graph here on conferences I've attended and the number of devices I observed live, relative to the number of attendees, with a metric on the end of devices per person, which is very rough. So at Black Hat here I've observed 398 devices of 500 attendees, so, yeah, quite a lot, but I'm sure I haven't covered all the areas; this was just running on the small device yesterday for a few hours. And, yeah, I think that gives me about three minutes for questions if I'm not mistaken, but, yeah, thank you very much for your time and let me know if you have any questions. Yes? Yep, good question. So how can you defend yourself? This has all been about attack, so can you stop your smartphone, at least on the Wi-Fi side, from being so noisy? No. It seems that the latest iOS, so the most recent iOS release, it seems that they stopped it to a degree. I've had various tests, sometimes, so it's mostly... it's much more quiet, but Android, Windows, all the others, they're still just as noisy. So you have two options: turn off your Wi-Fi when not at home, or clear your network lists. So on Apple products there's only one option, delete all networks, not so convenient, but Android and Windows Phone can even selectively remove, so you should keep those, you should ideally delete those, so delete ones that are open networks, or Starbucks; that'll stop the rogue AP type attack, because that only works against open networks. But then also, you may not like it, it's convenient when you go home to your BT Home Hub 1234 to automatically connect, but you might be shouting out your home
address to the world, which in a roomful of hackers might not be a good idea. So it might be a good idea to name your home network something a little bit more common. Yeah, there are other problems there, but that's a good idea. Yeah: planting SSIDs that allow me to track users? All right, yeah, that's a good idea. So I could bring up a normal access point called something slightly unique, internet445, and somebody voluntarily connects to it; then going forward in the future, if I see someone looking for that SSID, I know that's a previous device I've interacted with. Yes, that's a good idea, and the nice thing with the new Snoopy framework is it's very modular, so you could add that kind of functionality quite easily. Any more questions? Yeah, good question: where do you draw the ethical boundary? So as security researchers I think our main role is to look for weaknesses in existing systems and shout them out to the world, and that's how the security industry moves forward. That's why systems like SCADA are, you know, so full of holes: because they've been hidden from hackers, and someone said you must hide from the hackers because hackers are bad, but by not doing that they haven't been attacked by hackers and therefore the defenders haven't had to upgrade the defenses. So what I hope to get from this project, because I'm releasing this, I'm releasing the source code, I'm speaking at conferences, I'm saying look at all this terrible stuff I can do, but now you're all aware of the terrible stuff I can do that other military organizations and retailers are already doing. So I'm hoping that I'm maybe on the moral high ground here because I am demonstrating how dangerous this is, and now maybe Apple and Google and whatnot will say hey, maybe this is a bad idea to be giving away so much information, maybe we should update our stuff. So I guess I don't think about it too much; as a security researcher I'm
demonstrating there are weaknesses, and I hope by demonstrating those weaknesses people will make their stuff more secure. Yeah, so if you physically compromised a device, can you use it to your advantage? Yeah, good question. So the way it works, so there are a few configuration options. One is to use a VPN, so I bring up a VPN from this device to the server, and that's nice because then I can send all traffic, intercepted traffic, through the VPN so it exits at one central device, on the server. The other option is capturing data locally, and there's a web service that synchronizes the data. Now, when you're synchronizing the data you have the option to flush data immediately, as soon as it's synchronized, remove it locally. But if you capture the device and physically pull out the memory card, you'll either see the key for the web server to sync the data, or you'll get the VPN creds. But what's nice is, I don't have it on this one, but on the Nokia here, for example, there's an accelerometer, you can get a USB accelerometer for the device, and I've got a plugin that, if the accelerometer is activated in some way, destroys the device, so just flush the filesystem. Of course, if you're using an encrypted filesystem as well then you can just maybe just shut down, but if you are using an accelerometer you can have a self-destruct mode. I wanted to use thermite for this but I couldn't, so I just delete the data. Any other questions? Excellent. Well, thank you very much for your time.
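As an added example, not part of the talk and not Snoopy's or Maltego's code: a small audit of a phone's saved network list along the lines of the defensive advice in the Q&A (delete open networks, give the home network a common name). It flags each entry against the two risks described, a rogue AP answering to an open network's name and a rare SSID that a wardriving database can place on a map, and estimates how identifying the list is as a whole. The census counts, SSID names and the independence assumption are constructed for illustration.

```python
"""Audit a phone's saved Wi-Fi list against the two risks from the talk: an open
network lets a rogue AP of the same name capture traffic, and a rare SSID ties
the device to one place through a wardriving database such as WiGLE.
Added example, not Snoopy code.  PROBE_CENSUS is constructed sample data that
stands in for a database of observed probing devices; names and counts are
invented."""
from math import prod

CENSUS_DEVICES = 77_000  # constructed total of distinct devices in the census
# Constructed census: SSID -> number of distinct devices seen probing for it.
PROBE_CENSUS = {
    "Starbucks WiFi": 9_400,
    "BTWifi-with-FON": 6_100,
    "Home-WiFi": 3_100,         # a very common default router name
    "CorpGuest": 2_300,
    "BTHomeHub-4F2C": 2,        # one household's router: effectively unique
    "hacklab_backroom": 1,
}
RARE_THRESHOLD = 5  # probed by fewer devices than this: treat as identifying


def audit_network_list(saved, census=PROBE_CENSUS, rare=RARE_THRESHOLD):
    """saved: list of (ssid, is_open).  Returns (ssid, reason) findings for the
    entries a user should delete or rename."""
    findings = []
    for ssid, is_open in saved:
        seen = census.get(ssid, 0)
        if is_open:
            findings.append((ssid, "open network: a rogue AP of this name "
                                   "would be joined automatically"))
        if seen < rare:
            findings.append((ssid, f"rare SSID (probed by {seen} devices): "
                                   "geolocatable, links the device to one place"))
    return findings


def anonymity_set(saved, census=PROBE_CENSUS, total=CENSUS_DEVICES):
    """Expected number of census devices whose probe list contains every SSID
    in `saved`.  Treats SSID choices as independent (a simplifying assumption)
    and counts an unseen SSID as seen once, for the device itself."""
    probs = [max(census.get(ssid, 0), 1) / total for ssid, _ in saved]
    return total * prod(probs)


def apply_advice(saved, rename=None):
    """Drop open networks and rename the SSIDs given in `rename` (old -> new),
    e.g. the home router to a name many other devices also probe for."""
    rename = rename or {}
    return [(rename.get(ssid, ssid), False) for ssid, is_open in saved
            if not is_open]


if __name__ == "__main__":
    phone = [("Starbucks WiFi", True), ("CorpGuest", False),
             ("BTHomeHub-4F2C", False)]
    for ssid, why in audit_network_list(phone):
        print(f"{ssid}: {why}")
    cleaned = apply_advice(phone, {"BTHomeHub-4F2C": "Home-WiFi"})
    print("devices sharing the list before/after advice:",
          round(anonymity_set(phone), 3), round(anonymity_set(cleaned), 1))
```

With the constructed census the original list is shared by far fewer than one other device (it identifies the phone), while the cleaned list is shared by roughly ninety.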
Info
Channel: Black Hat
Views: 37,486
Rating: 4.8502674 out of 5
Keywords: Information Technology (Industry), Asia, BlackHat, Briefings, Black Hat, Information Security, Black Hat Briefings (Conference Series), InfoSec
Id: NiiI_oZ7y64
Length: 58min 14sec (3494 seconds)
Published: Thu Apr 03 2014