(techno music)

- [David] Hey everyone, David Bombal
back with OccupytheWeb. If you haven't seen our previous videos, he's the author of this book, "Linux Basics for Hackers". Fantastic book if you wanna learn Linux, but also from a hacker's perspective. And he's also the author of this book, "Getting Started Becoming a Master Hacker". OccupytheWeb, welcome.

- [OccupytheWeb] It's good to be back again, David, always great to be talking to you and talking about hacking. I love this effort of trying to explain the "Mr. Robot" hacks. So let's do another one today. And today is gonna be among the most advanced, the most complex hacks that we saw in "Mr. Robot", and maybe also the most valuable, in that we're gonna be looking at essentially creating a mobile spy machine.

- [David] I love that. So, I mean, you've kind of mentioned it offline, and I don't wanna jump the gun. So which episode are we talking about?

- [OccupytheWeb] This is season 2, I think it's episode 5. I'm pretty sure it's episode 5. They talk about it in episode 4. They do it in episode 5. And this is, well, we know that Elliot has taken down Evil Corp. Him and F Society have taken down Evil Corp. And we have this kind of chaos in the global economy. And we now have lots of things going on, including the Chinese are now involved, and we have the FBI involved. The FBI is actually in China. We have the female FBI agent, what's her name? DiPierro, I think is her name. Dom DiPierro is her name. Dom DiPierro is in China, she's meeting with the Chinese, the FBI are on the trail of Elliot and his whole gang. I mean, they're kinda freaking out. They're getting paranoid. They realize that the FBI are not very far behind. And so, they've gotta come up with a plan to be able to find out what the FBI know, because everybody is getting paranoid thinking that they're gonna be arrested soon for the 5/9 hack. And so, they come up with this plan to be able to spy on the FBI. In the first part, we learned that the FBI has switched to Android phones. That's the first step. And that comes up in episode 4. And then in episode 5, we see Elliot begin to develop some exploits, but he has to have a way to be able to deliver the exploits. And so, what he comes up with is to basically create a mini cell tower that he's going to place inside of Evil Corp. And Angela, who's now working for Evil Corp, she can walk in apparently and place it, apparently, that's kind of a big if, and place it in Evil Corp to be able to pick up the cell signals from the FBI. And of course, then also implant some malware. So what we're talking about here is what's called a FemtoCell. This is a FemtoCell. These are a couple of FemtoCells. And these are the ones that are actually used in the show. And I have this one right here. I bought this one a few years ago. This is the new one. You can see this, of course.

- [David] Yep, yep.
- [OccupytheWeb] Okay, okay. So what these are is that all of the cell companies, no matter where you're at around the world, they sell what are called network extenders. These are for people who live in areas where there is not good cell service. So you put one of these in your home, you put one of these in your office, if you don't have good cell service, maybe it's a dead zone. And essentially, what it does is it works as a cell tower within your home or office. Now, we know, maybe not, but we do know that your cell phone will connect to the closest and strongest cell signal. And so essentially, what these are, by putting one of these in somebody's home or office, they're gonna connect to this FemtoCell. And I'll kind of give you a diagram of what it looks like in somebody's home. So here's the FemtoCell in somebody's home. They've got a cellphone, it's an old-style flip phone there, it's kind of an old diagram. And then the FemtoCell connects to broadband access into the internet, which then connects to the cell network. So it is essentially intercepting the cell signal and putting it across the internet into the cellular network. So it goes through the internet into the cellular network.

- [David] So, can I ask you, is this similar to the StingRay-type thing? 'Cause that's the one you always hear about the police or whatever, FBI, whatever, using, these StingRay IMSI catcher type things.

- [OccupytheWeb] Exactly, so essentially what this is, is that it's a mini-StingRay. It's a mini-StingRay. Whereas a StingRay can capture signals for a larger distance. I mean, you can put one in a neighborhood and it'll pick up all the cell signals in that neighborhood, and the FBI and other law enforcement use them. And it's only legal for law enforcement to actually have one. It's not legal for anybody else to have one. I will put out there that at Hackers-Arise, we are working on building one with a software-defined radio. So that's part of our project. So we'll see that-

- [David] You better come on the show when you've got that ready. Sorry to interrupt.

- [OccupytheWeb] Well, it's pretty much ready. It's not something, we're not inventing it. We're building it, because it's already been invented. But you can go ahead and use a software-defined radio to make a StingRay. Now it's illegal to actually own a StingRay. We'll put this up on your channel and we'll put it up on Hackers-Arise in the future.

- [David] But a FemtoCell is legal.

- [OccupytheWeb] A FemtoCell is legal. So that's a good thing. A FemtoCell is legal. So this is being sold by the largest carrier in the U.S., which is Verizon. They sell 'em on their website. This is coming right off their website, very similar to the one that I have. I bought mine off eBay for I think $120 a few years ago, and people sell 'em on eBay, because they bring 'em home and they don't want 'em or don't need 'em and they put 'em up on eBay. New, they cost between $250 and $300, and it's a legal device that the carriers sell, all the carriers sell 'em, but they're all slightly different. So what I'm showing you here today is going to apply in general to all of them, but the specifics are gonna be very different. So every carrier has their own. Notice, you can see here the Samsung logo right here. I don't know if you can see that on the screen, yeah. So these are made by Samsung. Verizon makes the Samsung, other carriers use other manufacturers to make these. And what these are is just a mini cell tower. The key in this mini cell tower is to be able to get inside of it, because if we can get inside of it, then in essence we can eavesdrop and do a man in the middle on all the traffic that goes through it. And that's essentially what Elliot's doing in the show. So we see him, he's developing an exploit, but what he's doing is he's going to put that exploit into the FemtoCell. So the first step to getting inside the FemtoCell, I have one here and I've taken some pictures to show you, the first step is you look down at the bottom right here. Well, I'm gonna back up a little bit. So there's both enterprise-level FemtoCells and there's consumer-level FemtoCells. So we're looking at consumer level. It's actually a little bit easier to hack the enterprise-level FemtoCells. On the consumer level, which are the cheap ones, that's what we're talking about here, there's a connection down below in the bottom of these things right here. And what's that look like? Can you see that? You see what kind of connection that is?

- [David] Yeah, I can see it, yep.

- [OccupytheWeb] What's it look like?

- [David] I can't see clearly. Is it like RJ45 or is it like a screen?

- [OccupytheWeb] No, wait a minute, look at it. I'm bringing it a little closer.

- [David] You're testing me, I'm not sure, I can see it.

- [OccupytheWeb] Oh, you can't see it. Okay, it's an HDMI connection.

- [David] Oh, I thought it might be. Yep, let me pretend that I knew what it was. Is it HDMI?

- [OccupytheWeb] Yes, it's an HDMI, exactly. But what can we do with an HDMI? I mean, this is what's really puzzling when you see this, you go, what can I do with this HDMI connection here? It turns out that Samsung and Verizon have a specially made cable that is essentially USB on one end and HDMI on the other end.

- [David] Oh wow, 'cause I mean HDMI, you think it's just a monitor. Why would you want a screen connected to such a device, yeah.

- [OccupytheWeb] Exactly, exactly. But they've developed their own unique and proprietary cables to be able to get inside of these things, but it's not that hard to make your own. And so, that's what we're gonna do next. So this is basically, I'm looking at the bottom side under here on that last picture. So what we need to do is that we can go out, okay, and get, this is actually, I bought this one I think off Amazon, and what we can do is, by using an HDMI cable and this cable, it's called an FTDI TTL-232R, and then we can take this cable. So if you wanna buy one, they're about anywhere from about $7 to $8 to $15, in that area, they're not that expensive. And so, what we can do is we can splice these two cables together, the HDMI cable and this cable, and this is the wiring for it. You take the HDMI bare copper ground to the FTDI black, there's the FTDI black right there, and the HDMI white to the FTDI yellow and the HDMI orange to the FTDI orange.

- [David] How did you work this out? Was this just like trial and error or did you find the specifications somewhere?

- [OccupytheWeb] I found specifications for it. I'm not the first one to do this. And so, it actually comes from a hack that was developed and was first presented at Black Hat in 2011, I think it was 2011. And so, but the specifications, they didn't give these specifications for the cables at Black Hat. So I had to go digging around some of the manuals for these FemtoCells to find out what the cabling was like. So anyways, once you have this cable, then you can access the console inside the FemtoCell. So the first step is we gotta build the cable, that's the first step, gotta build the cable that gives us a proprietary access to the FemtoCell through that HDMI port. That's step number 1. Remember we're far from done, because when we get inside the FemtoCell, essentially we have a very small Linux kernel. It's called Monta Linux. Some of you may have heard of it before. It's used in a lot of IoT devices. So it's a company out of California that makes these really small Linux kernels put in all kinds of devices. And so, that's what's inside the FemtoCell. But you'll find Monta Linux in all kinds of IoT devices, no matter what, whether it be a router or a baby monitor, what have you. These all use very small Linux. And so, this is, once again, I'm gonna plug learning Linux if you wanna be a hacker.

- [David] So let's see, which book should you read? But there's more.
- [OccupytheWeb] But there's more. Yes, so in that book we're really looking at Linux as how to use it as an attack tool. But the truth of the matter is that all these IoT devices also have Linux. So you get inside one of these devices and if you don't know Linux, you can't find your way around, you don't know how to find anything, what to do with it. You need to know Linux to be able to do this, it ends up with this-

- [David] Linux is like speaking English, let's say in the U.S. or the UK. It's like a basic skill that you have to have these days in IT, I think.

- [OccupytheWeb] I agree, I agree. It's a basic skill you have to have. So once you're inside, now you've got this Monta Linux, but it doesn't have a Bash shell, so it's not like what we're accustomed to. And so, it becomes pretty hard to work with. Once again, this is a pretty complex hack, but it can be done.

- [David] It's just nice to see, because you... Sorry to interrupt again. It's just nice to see the "Mr. Robot" example and you actually doing it and showing, is it real or is it just a movie scene? And it's nice to see you actually showing us how to do it.

- [OccupytheWeb] It's real, but it's not easy, and once again, we've always talked about "Mr. Robot" and the timeframe that he works in. And this one, if they were already familiar, if one of the team was already familiar with it, yeah, it might be able to be done in the couple of days that they had, but it's not easy. So once we're inside, we've got the console, we've gotta get root access. And so, here's the two models that Verizon uses and these are the two methods to escalate privileges to get to root. So the one I have is this one right here, which is the easier one. And Verizon now says that this no longer works, but it doesn't matter, because we can just go buy the old ones that have never been updated off eBay or any place and get root access. So once we've got root access on these things, so we now are in, we've got root access on the Linux inside this device. Unfortunately, even with root access, it's not really functional, we can't do a whole lot with it. And so, if you watch closely on "Mr. Robot", you'll see that this comes up. This is, see the screen right here? This is OpenWrt, these are Linux images that can be used on IoT devices. So if you've got some hardware, you can go ahead and download the Linux to install and flash into the IoT device. Here's all the hardware, this has been going on for years and very few people are familiar with it. Now you can just download the software. It's open source software for a particular device, for any device. And this is what they do, is that basically they take this FemtoCell and now they go ahead and flash it with a Linux operating system that they have developed themselves, or they've basically taken the image from here and made some alterations to it. In the show, what happens is that Elliot actually puts some malware, he puts malware, it's kind of a well-known browser RCE exploit, into the FemtoCell that would then put the shellcode onto the phones. What I'm most interested in from this perspective is being able to eavesdrop on the traffic. So we don't need to actually have an RCE, we don't need to have any exploit at all to be able to listen in and watch the traffic. So Elliot is trying to infect the phones, but to be able to listen in, there's still a few things that we need to do. You can see all of the data traffic. It all goes unencrypted. But the SMS traffic and the phone traffic, you have to be able to decode that traffic 'cause it's all encoded. But that's publicly available information that you can decode. It's really kind of beyond the scope of what we're doing here today. I'm just trying to give you the outlines of what can be done to be able to build essentially a small spy device, a mini-StingRay, that gives you access to all of the mobile traffic in the area. Now these StingRays are kind of low power. So the target has to be within 15 feet of the FemtoCell to be able to connect to it, but they can then travel within 50 feet of the FemtoCell and they'll still be connected to that FemtoCell. So the initial connection has to be within about 15 feet. So what is that, about five meters, and then about 17, 16 meters, in that range. They travel throughout the room or the office, you can pick up all of their traffic. So it's kind of giving you the bare outlines of what we have to do. But there's a lot of work involved here. Probably, the first step of course is getting that cable made so you can get access to the device, and then you have to go ahead and flash it, you've got root access and then you gotta flash it with a new Linux kernel, and then once you have the new Linux kernel, then you have access to all of the traffic that's going over the device.

- [David] But I mean, if you put that in the ceiling or, like he did, they hid it in a storeroom or something, didn't they? And then, the distance is fine.

- [OccupytheWeb] Yeah, he put it on the floor. In the show there's a scene where Angela puts it on the floor and connects it into the ethernet cable there. But it's still, it's kind of a large device. It's probably, it's, well not that large, it's the size of a small purse. But if it's set on the floor next to other electronic devices, it may be, people may not notice it, but it's not so small like a Raspberry Pi that basically people are not gonna see it. But one of the things that I wanted to point out is this OpenWrt project, which I don't think many people are familiar with, and that you can go ahead and get open source firmware for just about any IoT device. And then if you have your own firmware, of course, then you can make your own edits to it and have it do just about anything that you want. And that's what Elliot does in the show, is he goes and downloads firmware, and much of this is Monta Linux for various different devices, you can see it here. There's some Cisco devices here-

- [David] As you said, it's quite a complex thing 'cause you'd have to connect to that cell and then flash it basically, and then somehow capture the traffic going through it.

- [OccupytheWeb] Yeah, and so the hardest part, once you've got the cable, then you gotta go and flash it, you gotta get root access, and then flash it and then you gotta go ahead and figure out what the codecs are for the SMS and the voice traffic across it. I'll also point out that on the enterprise level of these FemtoCells, they're actually a little bit easier, because they have a standard connection. To connect to the enterprise level it's simply an ethernet connection.

- [David] That's much easier, yeah.

- [OccupytheWeb] Yeah, much easier. And then the root password on it is FemtoCell and then xxxx, four x's... FemtoCell, capital F, capital C, and then the last four digits of the serial number on the device. So those are the keys to being able to connect into the device and then get root access. And the enterprise-level one, its default password is public, where the x's represent the last four digits of the serial number of the device. For these consumer-level ones, it's a little more difficult. And as I said earlier, Verizon has said they've now closed this vulnerability. The vulnerability that they've closed is the ease of getting the root password. But like I said, there's always a way to escalate privileges. So this is basically a privilege escalation issue and it's gonna differ from device to device. So, this applies to these Samsung devices that Verizon uses, that I have and that are used on the show, but if you're in the UK, if you're in Germany, if you're in China, they're all gonna be using different carriers, they're gonna be using different FemtoCells. But the process is still gonna be the same. One, get yourself into the console. In our case here, we had to build a special cable to get ourselves into the console. Then, two, once you're inside the console, get root privileges, and then three, you have to go ahead and flash it with a more complete Linux operating system. And then once you have that inside the system, then you can go ahead and put in something like tcpdump or Wireshark and watch the traffic. You can watch the data traffic from there without having to do anything further. But as far as the SMS traffic and the voice traffic, it has to be, you have to find the proper codecs that that particular company is using to be able to decode the SMS traffic and the voice traffic. It's a complex task. If you build one, you've got yourself a really cool spy tool that you can use. And like Elliot did, I mean Elliot used it for both, remember he listened in to the FBI conversations and he also hacked their phones with it, because he used, as their traffic is going through the FemtoCell, he's sending an exploit to their phones and taking control over their phones. But you don't have to take control over the phones, you can just simply listen in on all the traffic, both the data traffic, the SMS traffic, and the voice traffic. Essentially you're taking control of the FemtoCell.

- [David] What they showed in "Mr. Robot" is once again realistic. But like you always say, it's the timeframes, right, that are not realistic.

- [OccupytheWeb] Yeah, this is, it's very realistic. It's been done, there's a lot of research into these devices. Some of that research has been published. You can find the research and be able to do it yourself, but it's time-consuming. But somebody's already done it and so it can be done. The guys who originally did this at Black Hat were iSEC Partners, they did it and they did it in 2011. So this would've been available to Elliot when the show was made in 2014, 2015. So he would've had this kind of research already available to him to be able to hack the FemtoCell. And it was also in the show, it shows that he is actually using, he's building a browser exploit that was well-known at that time. It came out like in 2014, that he's building in the show. In Ruby, if you watch closely, he's building an exploit in Ruby to be able to put into the FemtoCell to then be able to place the exploit onto everybody's phone who connects to it.

- [David] That's great, and I mean the device that you're building, is that using HackRF or some kind of software-defined radio like that?

- [OccupytheWeb] Well, the device that we're working on is actually a StingRay, a StingRay-like device, that actually is using LimeSDR. So the HackRF is a nice piece of hardware that can do a lot of things, but it can only go, it's only half duplex. So it can't go in both directions. It also is relatively slow, it's half duplex. It only uses USB 2.0, not USB 3.0. And it's relatively slow. So we're building with a LimeSDR, which is a lot faster. It's full duplex, it goes USB 3, what have you. So it has a lot of the capabilities, basically enhanced capabilities of, like, the HackRF. The HackRF is a nice hobbyist and learning tool. But when you start getting into serious projects, you gotta take a bump up to these little bit more powerful pieces of hardware, a little bit more expensive.

- [David] I like to ask the sort of the beginner questions or the dumb questions, for lack of a better word. The FemtoCell is connecting, sorry, it's using cell phone frequencies. So the phone connects via typical cell phone connections to the FemtoCell and then it's connecting via IP... Yeah, sorry.

- [OccupytheWeb] Right, exactly. So here we have the cell phone, it's connecting to the FemtoCell. The FemtoCell then via ethernet is connecting to the broadband gateway, the gateway then's going via IP out to the internet, to the radio network controller and the whole network of the mobile carrier. Now the backhaul on these FemtoCells varies, some of them are private networks and some of 'em simply use the public internet. So it varies by carrier, but really it's not that important to us, because what we're doing is we're intercepting right here at this stage right here, we're inside this device, but there are some people who've worked on trying to intercept this traffic in here. And of course, when we start talking about building a StingRay, essentially what we're doing is building this whole tower right here with the BTS, they call it a Macrocell BTS, you're building a cell tower with an entire cell phone transmission unit.

- [David] My question was, couldn't you run a sniffer between the FemtoCell and the gateway, like in that diagram? So it's got broadband access, could you sniff the traffic or is it all encrypted?

- [OccupytheWeb] Well, it's all encrypted from here to here. So that's what... That's part of the problem that you run into is that one, this is all encrypted and so you have to intercept the traffic-

- [David] Before it gets encrypted.
- [OccupytheWeb] Before it gets encrypted. So yeah, that's why you need to go ahead and change the Linux kernel inside that device, because as it's built, it's encrypting it as soon as it hits the kernel and you can't get it before it gets encrypted. So that's why Elliot changes the kernel. That's why he uses OpenWrt to change the Linux kernel, before it gets encrypted. And then once he has that, he can see all the traffic.

- [David] It's interesting. In the UK, I don't know if it's the same in the U.S., in the UK, carriers allow you to make calls on your wifi. So if you've got no cell phone reception, but like your home broadband is there, it'll just jump onto the home broadband. So you just make calls and receive calls on your wifi. Is it similar in the U.S.?

- [OccupytheWeb] Yeah, in the U.S. you can make calls on the wifi here as well.

- [David] So the same problem there. If it did, the traffic's encrypted, that's why you can't sniff it.

- [OccupytheWeb] Yeah, the traffic's encrypted there. So most of the carriers now, especially when you get to 4G... When you're talking about 2G and 3G, the authentication and encryption is very weak. When you get to 4G and 5G, it gets much stronger and it's harder to break. Actually, the FemtoCells are using 3G, so they're a little bit slower than regular traffic. But this is for people who don't have any traffic in their area. If you have no cell in your area, if you're making phone (indistinct) wouldn't even notice the difference between 3G and 4G. But it's only when you're sending, you're sending data traffic through that you'll notice the difference. But for regular cell calls, you won't notice the difference at all.

- [David] Yeah, I think I kind of missed it. So I think we should emphasize that with that FemtoCell, you can eavesdrop on SMSs, typical cellular phone calls, but also the internet traffic that would typically go across 4G or 3G, is that right?

- [OccupytheWeb] Yes, so you can get the internet traffic, it is unencrypted at the FemtoCell. The SMS is encrypted, but it can be decrypted, and the voice traffic can be decrypted as well.

- [David] And this was demonstrated, like you said, at Black Hat 2011, right?

- [OccupytheWeb] I think it was first shown, there's been a number of researchers who have worked on it. The folks at iSEC Partners demonstrated at Black Hat 2011, and then somebody else did it through 2010. And then there's been a number of researchers who have continued this research in recent years. There's a fellow in China who's been doing, he's been tearing apart all these FemtoCells around the world. And basically, he says they're all vulnerable to being hacked. And so, but the hack is going to be different, depending on what FemtoCell you're using. This is, in this case, we're just talking about this one that's probably the most widely used in the United States. Now Verizon has about one third of all the mobile customers in the U.S. and this is the product that they're still selling, that they use for people who are in dead zones of the cellular network. And the new ones, they say that you can't get root access. So if you can't get root access, you obviously can't flash the Linux kernel. There's always a way, there's always a way, there's always a way. So they've made it harder, but there's still always a way. And then, how you're gonna get root access on the others is gonna vary by the company who manufactures it and the carrier who's carrying it.

- [David] So we weren't able to show everything here. Do you have, I know you always asked the question 'cause you've always got these amazing courses, have you got a course on this or are you covering some of this in your courses?

- [OccupytheWeb] I don't have a course on it, but I think I'm going to go ahead and put at least a tutorial up on Hackers-Arise on all the steps.

- [David] That'd be great.

- [OccupytheWeb] Yeah, I have to be a little bit careful on this one.
- [David] Yeah, definitely.
still trying to decide that the whole StingRay
thing being illegal, it puts me in kind of
legal jeopardy there. This one is actually a legal
device that is being hacked. It's something that I'm considering doing, putting it up on
Hackers-Arise on how to do it. But I've got one here
that's very vulnerable. I bought it about three
years ago off eBay. And it's relatively easy to hack. - It's brilliant. - [OccupytheWeb] Meaning, it
takes 2 or 3 days of work. - For you, not for us, but for you. - [OccupytheWeb] Not for 30 seconds. - By the way, but I
really want to thank you for sharing your knowledge. And I have to say this, yeah,
we'll take you two days, but for the rest of us might take a lot, lot longer than that. But thank you for sharing your knowledge, but also talking about how
realistic "Mr. Robot" is and why you enjoy it. For everyone who's watching, put below what you'd like us to cover. We've been reading the comments, so we've been seeing the kind of things that you've been asking for and hopefully we kind of
covering the most popular topics. But put your comments below, let us know what you wanna cover. OccupytheWeb as always, thanks so much. - [OccupytheWeb] Thanks David. (techno music)