SirenJack: Cracking a 'Secure' Emergency Warning Siren System

Captions
thank you for that introduction ladies and gentlemen welcome thanks for coming down here to learn about sarin Jack mmm my name is Marlon Seba I'm the director of vulnerability research at Bastille and today I'd like to take you through a bit of a whirlwind tour as I say about this particular bit of research I've got some props here on stage that I hope to show you a little bit later in the talk as well so I'll take you through the the overview I'm going to be talking about emergency warning siren systems in general the phases of the research the two big phases they're flying the signal analyzing the signal the disclosure process and suggestions looking into the future so who has actually heard an emergency warning siren system go off now a show of hands oh people I guess they really are everywhere so as you may know then the purpose is mass notification of the public in the event of serious emergency and this is also important where other modes of communication such as mass text or emergency warning broadcasts through radio and TV might not work due to infrastructure problems tsunami is obviously common one - you've probably seen those signs around the place so those alternatives you might be familiar with some of them unfortunately there was that incident in Hawaii you might recognize that screenshot from the press the emergency alert system is deployed across the US and uses radio and TV and that's an example of a TV broadcast so your normal programming would be interrupted and you would see message on the screen but sirens and horns and the like have been around for a long time the old ones originally in World War 2 the air raid siren civil defense sirens and nowadays we see a variety of mechanical not so much anymore there so being supplanted by electronic sirens and if you are a siren enthusiast or are thinking of becoming one then I recommend visiting siren board the one the place online where every siren enthusiast goes to talk about the subtleties of every 
model under the Sun it's it's quite incredible there's a subculture for everything and this is where you need to go a few black sirens so in terms of of the mass notification space these are some of the the big players in this space you might be familiar with some of those brands anybody familiar with any of these these brands may be from from the media and I actually live in San Francisco so who's heard of the Tuesday noon siren test in San Francisco yeah a couple of you so there's there's a ritual and it goes like this at noon every day and there should be some audio coming through so hopefully you'll do that so if you move to the city and you're not aware this is happening in the situation I found myself in it's quite a surprise it's quite a shock you don't quite know what's going on and then you'll learn about about this ritual and then you have the reassuring voice good so how does the journey begin well this is San Francisco and I found myself living here and writing to work and I would hear this going off and also zooming in I would ride past the sirens and they have this little distinctive signature on Google Maps which we'll see more of later but I was always wondering well how did they work there's a control box solar panel horns at the top of the pole and antenna and the security researcher in me was wondering well looks like it's radio controlled on one newer but is secure so I took some photos initially do a bit of recon and figure out if there were any distinguishing features I looked at one box and then looked the other box and there was a little sticker on the door there and so I looked the company up and if you go to the website this is what it looks like now it's actually been redesigned in the very recent past that was a nice high-res picture but way back machine that that's how I remember looking at it and they have spec sheets available online so I looked at that and they have a couple of core models of their product and some interesting notes 
that I've found in in the spec sheet were that was that they uses conventional VHF and UHF radio for receiving and transmitting FSK DTMF or two-tone sequential signals there's an optional upgrade for digital and trunked radio systems but what caught my eye was that in the communication section it said encrypted FSK DTMF or TTS so I was wondering well if it's DTMF it's probably not gonna be encrypted or naughty TS but maybe FSK they might have something interesting going on so remember this is starting from scratch I don't know anything about the system don't have access to the system this is essentially a fancy amateur radio a fox hunt so the first thing is obviously new find a signal I need to find where these transmissions are going on but how do you actually find them well I decided to collect some more public intelligence and also look at the radio spectrum but of course this turns into a very long running project because you only get to sample the radio spectrum once a week very short window of time so looking at their spec sheet some more they have these siren nodes two models central controller that communicates with them and this can be set up over a simplex radio network where the controller communicates directly or through a repeater which can bounce the signal through the repeater and give you a larger coverage area looking on YouTube I found this informational video actually on the vendors website where they I don't mean this might have been a news little news short and they talked about the system they interview people at the San Cisco Department of Emergency Management and they were always you know little choice frames that I found so that there's a map of all of the sirens of the city and they actually have a very short period in the video with a couple of frames they show you inside the box so you get to see and what caught my eye was that there was a Motorola radio that in the top left going to look like a sort of standard VHF radio wasn't quite 
sure at that stage what model it was and I should add to that this was initially two years ago actually over two years ago now a little bit when I first moved to the city so doing some more research online they have these these controllers that it would be situated you know somewhere where the officials can access them in the city and then the siren nodes in this photo from the Venice website there's actually a CM 200 radio comes in two flavors the VHF and uhf flavors so that might give a hint as to the frequency range but my thought there was that since this is critical infrastructure you want to have it secure you probably want to have a large coverage area so it makes sense to maybe use the city's existing trunked radio networks of which there are two one handy site if you're interested in looking up license frequencies and networks is radio reference comm and I had a look at San Fransisco and there were two significant public safety truck networks one was Motorola type 2 smart zone the other ones for P 25 so I thought well they're probably worth looking at too because they're designed to cover the entire city and you know they might be using that so they give you the various frequencies that are in use various channels to look at and what-have-you and if you actually look at where some of these radio towers are located then you know it becomes apparent that they serve the whole city so it's not an unreasonable thing to guess the signal might be there the FCC Universal licensing system has an online database that you can access and do various queries and so I started doing that just looking around guessing that the license for whatever frequency was in use probably licensed to the san francisco city and county of but nothing really very interesting turned up and i'm focused on the public safety classification there you can also look at the station class for these sine frequencies and if you again use radio reference they got a nice we're keeping all this kind of 
stuff and give you a hint as to what type of device or that frequency might be assigned but the thing you have to keep in the back of your head is this is often inaccurate so you have to often treat with a grain of salt because you know they might have been in a rush with the application or things might have changed it might not be reflected in the database there are also emission designators and this can give you a hint of the type of signal being used on this frequency but again it's just a hint and it's often wrong so there's a huge list of them besides the bandwidth and the modulation scheme ins and so on there also do control points and they have different addresses and you know you could geocode them and you know figure out on the map maybe if it's relevant to this particular system and this one for example you know it's close to or at or very close to they actually have a nice informative page on their website that talks about what system is gives you a map you know public information you can actually download that map and know a rough idea of where they all are they've had false alarms 2014 couple of sirens went off apparently in the middle of the night they wrote a blog about it to reassure the public that everything was okay and it's important to remember that these systems are designed to alert the public and so the public has to have this implicit trust in them that they will only go off at the appropriate time so I said about hoovering out large portions of the spectrum this is a sort of picture of Maddock the old attic where I had a variety of antennas going and I had them all connected to Dennis research us our peas and I started doing some captures so this is one back in September 2015 out sort of roughly time-stamped various parts of the research in the top right corner so just to talk a little bit about what we're looking at here who's worked with or understands what a what an f50 waterfall is a couple of you so just just to run over quickly time 
runs from top to bottom and we're looking at a chunk of the radio spectrum so the radio gets tuned to the center frequency which is in the middle in this case is 850 megahertz and then sorry look into the light that's gone and then we capture some bandwidth and here I think it was I can't quite remember it was 12 and a half or so megahertz or thereabouts and remember we had those lists of frequencies from any reference part of this on the right hand side is actually the smart zone network and we're looking at the output channels of the repeater so you can seal those transmissions there and I'll show you what they look like in a bit more detail on this thing there's also the p25 digital trunk network this is another capture that I did you can see all the transitions you know people first responders have their mobile handheld radio they key up transmit and then the signal shows up here at a channel allocated by the trunking network if you zoom in on that then you can see the individual visual transmissions there so interestingly in around this time this isn't march 2017 spookley related to this was the Dallas siren tech who who remembers the Dallas site attack so in this case late in the night in April or 156 odd sirens were triggered as a false alarm woke everyone up tossed a bit of mayhem and there was some speculation as to what happened it looks like it was a radio based attack to cover that large area they might have might have been using a repeater this looks like an older system that uses DTMF to activate it so it's trivial to do a replay attack DTMF as you may recall those jewel tone multi-frequency tones you hear on a phone or even on a handheld radio like this one if you were to tune that to the right frequency and type in the same numbers you set it off so if you heard them do the regular test the previous time you can record that onto your computer or a tape recorder and then set off the network so that's what people speculated shortly after this ATR 
systems the vendor that produced the San Francisco system released a press release on their website entitled is my emergency notification system safe from hacking and this sentence stood out to me which was that many older systems include few if any of the advanced security features eighteen I can provide so you know DTMF is not secure if they're using the FSK protocol that might have something else built in all command packets are protected by several security features including encryption with AES well ok that sounds pretty serious so I might not be able to find what I'm looking for after all but I pushed on did some more captures again this is now 855 this is sort of honing in on the smart zone network and you can see the individual analog transmissions there so because it's analog they like a FM radio receiver just tuned to the frequency and you can listen to what's going on and there's usually you stall or chatter from various employees of the city and its service this I enhanced it a little bit cuz you know if you do this across the whole variety of frequencies it's a hell of a lot of signal staff to listen to and scroll through and analyze so I made the system automatically recognize detect and extract the transmissions so that I could just listen to them in order one by one and optimize that process and every time I did that every week I would sort of keep a log as to interesting things I heard it wasn't going to be anything analogues I was trying to pay attention to various digital sounding signals but again I couldn't hear anything that was of a repeating nature every week so I looked at p25 p25 is a digital network that uses a digital protocol for voice transmission and again you know you can see how multitude of them and in this particular version of the analysis actually color codes the various parts of the p25 transmission so you can distinguish voice traffic from data traffic from trunking traffic visually and again it was just mainly first 
responders going about their their business keeping the community safe keep doing more captures and at this point I'm pulling a lot of bandwidth so modern software-defined radios can actually track receive a lot of and transmit a high bandwidth so here actually in this little custom 3d printing case is a software-defined radio it's a b200 mini from that it's research can XY USB 3 to the computer and it's capable of receiving or transmitting it up to 56 mega samples and megahertz worth of usable bandwidth so you can pull in a lot of signal and here I'm looking at 473 megahertz 50 megahertz wide and again there are even more signals in here so it becomes this this increasing magnitude of stuff to look through zooming in there you can just see how many things are going on now a lot of them you know going off all the time you want to find some correlation with the noon activity you know looking elsewhere in that band remember these frequencies now are actually compatible with that Motorola radio we saw in the spec sheet before another thing is if you're doing captures it's very important that you have good RF filtering so this is without our filtering you can see there's a lot of out of band interference coming in there looks like it might be LTE traffic from nearby base stations if you put a filter in and cleans it right up and you can get it weaker signals underneath I also found another informational video this was the older style controller so you know what to look out for you know it gives you an idea of what the user interface is like what the what the system looks like this is a portable pack that you can use to activate the system and then you know they show various screenshots of the software so you get a sense of how that would be controlled through the software apparently you know these siren nodes can have different states which comes in later I did some further surveying where I went up around San Francisco looking for more of these sirens and again trying 
to find the frequency from another angle tried to look at the antennas that we're in use because they can sometimes give you a clue as to what frequency they're tuned for an antenna is usually tuned for a narrow range of frequencies so I had a look and really they were all like this omnidirectional antenna and the thing is you know you learn that for a particular frequency there's one specific wavelength and you can have your antenna at that wavelength or some proportion of it there doesn't necessarily apply here because such a whip style Omni might actually be comprised of collinear stack elements inside the housing so if you can't see through the housing you have no idea what's inside it and so it really could be anything so that wasn't particularly fruitful and I thought well I'd like to get a measurement on this I can't climb the pole I'm not gonna bring a ladder so I tried once when I was riding my bike to pull up by the pole and I used a tape measure to measure the shadow on the ground that the pole was casting to figure out the circumference of the pole and then use you know the relative pixel ratios in the image to extrapolate the approximate length of the antenna and as you do that you quickly come to know that there are intrinsic you know parameters of your camera lens that will distort the image you know as as you move in and out and so the any extrapolation of pixels to physical length becomes quite inaccurate but it was worth a shot and then this was me attempting to try to try to get some other angle on it with my camera not not being terribly successful but you know you're trying to be a little bit and conspicuous about it right so I didn't more captures now this was at the lower end of the spectrum of that radio supported at 155 all manner of signals in there and there's a very very strong TV digital TV transmission in there as well so this one I one-week happen to start late and Island started early I was you know trying to coordinate captures 
between three computers and so couldn't always get it happening did some research Elan online about antennas tried to find antennas that looked similar to the two the one that I saw in the photos eBay listings Amazon listings other listings tried to measure the proportions here again the relative pixel ratios of what I found in my images versus online and then I found the catalog these antennas really looked like the same ones and these would give you the frequency ranges and the antenna links and you know using that as a basis to try and match it up to the photos again nothing really quite fit and then I went went all out and I spent it felt like days on Street View going using that public map as a reference trying to find everyone that I could in the city to try and get as many screen street view samples of the pictures of the antenna so that I could build up some average of the antenna proportions and match that against the PDF and again didn't quite work out so I just started mapping them out on the Google Earth so I wouldn't duplicate my efforts and you know that they do cover quite a broad area and then I had seen this many months ago and I too am I just sat there in bed really not knowing what else to do and I watched again and again there are these choice this is another informational video other choice frames again that this is the software with a map of the city on there the individual siren nodes and you know different different coloring I'm guessing indicating status this looked like it was the dialogue that they clicked to actually activate the sirens at noon and again this is the corner of that control unit so that's was a good clue as to what they were actually using using that and then this frame flashes on screen for less than a second and it never occurred to me and that's who I am I sort of put freeze frame it and then I realized there's a clue here I've highlighted it but anybody can guess what it is louder there's a yagi antenna that a yagi 
antenna is a directional antenna and it's characteristics of visually far more obvious so I thought that's great where is it because they're you know a hundred over a hundred in the sea so again I hopped back onto Google Maps and of course you can use satellite view you can see that the interesting little footprint but you need to go in a street view for every single one of them to find this young antenna actually I got lucky and just after a few trials I found that it was one up from the the series that I found on the western side so I went there and pretended to be a tourist with my camera oh you know ocean beaches view beautiful look at these people - nice cloudless day there's a big ship departing the port oh and look there's a yagi antenna sticking up a siren ball and I got it nice and close as inconspicuously as I could and I thought wow look at that three elements you've got the stepped links you've got an interesting thicker part of probably the driven element in the middle really good features and there's a sticker on the on the right side they couldn't get a photo of the stick of it that was okay so then I said about oh and then I went home and took took more of my own photos in case I needed them of the omni's and then I use a compass also to figure out where I was pointing and then drew these rays you know in some air imagine and it was pointing at the middle of the city and you know they have ready infrastructure up there and I thought well if it's there then maybe that would be the place to communicate to all of them from and if you lay that this is actually Twin Peaks this is 3d view in Google Earth looking back and so that yagi is behind that hill so it makes perfect sense they would have used the yagi because they would have needed a little bit of extra gain to get over the hill that was partially obstructing the view so that fit and the radio transmitters turned out to be not on Sutro Tower but they have two other small towers there that has a lot 
of infrastructure and actually there's a siren of one on top of the building near so then it was a matter of trolling through every single antenna manufacturers PDF that I could possibly find there a lot and eventually I found it two candidates very close in band and if you put the one I found there then that looks like a pretty good match so it's a much smaller part of the frequency range to look at as it turned out I went back and I looked at the captures that I'd made you know the ones that I started early in late and there was this activity lined up with the mid day test I couldn't believe it and then in the one that I also captured this was I think a little bit early because I'm capturing so much data I'm using a ram disk to stream all the data in and of course you only have very limited time and space when you're using Ram disk at that throughput and what was interesting I look closer is that you could tell that a repeater system was in use this is the output on the riot input on the left and you can actually match up the transmissions that occur from the control unit that they had maybe at the Department of Emergency Management versus the what look like responses from the different nodes because if you look at the second part of each group there's one which is sort of a standard signal strength and then the second part varies so the that one is sorry the one that is just about to be hired now that's strong that one's the the the ping that's the palm from a node so I was getting this as a sort of a polling response where they would check the status after the test and then that one's quite weak so that was further away from my antenna because I'm receiving both the input in the output so and then if you're really interested the repeater repeaters by law need to announce their call sign in Morse code at regular intervals so you can get the call sign in that way and so then every Tuesday at noon this would be the ritual you'd hear the signal go out off there you 
go a little bit closer this is this is the radio so what's interesting if the audio you're hearing is actually coming out of this thing too which means that although they're using FSK to make it compatible with to make it compatible with existing analog repeater networks conventional audio they look like they were probably using afsk so that's audio frequency shifting over a normal FM link so that means a radio such as this $30.00 can be used to do the transmission and reception you don't even need to use a software-defined radio just the headphone and mic mic Jack from this thing so found a signal great well we have to figure out what's in the signal so every Tuesday at noon then every single week I would record you know cram my plots and then begin peeling back the layers so I would use canoe radio and I have you know the flow graph that went through many stages of development and it would stream the the audio into there and as I peeled back the layers of the protocol I could you know print out the various things that could make sense of so this is the flow graph some of you may have seen my flow graphs before it's good because you if you're disabled if you hide the disabled blocks it looks a little bit cleaner but this is actually I decided to go all out and make an optimal noncoherent two of us Cade Dakota with no clock recovery because the length of the packet is so short that your clock drift would never cause the symbol boundaries to cross so that was you know that makes it a little bit simpler from clock recovery point of view but I you know had the two branches for the two tone levels and what-have-you to make it more robust so if you look at a physical layer this is again a waterfall this is just the raw baseband and this is audio FSK / FM you can see you've got some sort of sync preamble you're at the payload you've got some idle filler that happens at the end and then once the modulation disappears you you're only left with the CT CSS tone that's used 
to key up the repeater to get into the repeater it's just a sub-audible tone that is shared by the system and then you've got the repeated tale where there's no modulation if you FMD modulate that then again in the frequency domain this is the filter width that I applied where the top and bottom that's just unmodulated RF it's clear that you have two tones that he used to convey the bits and those two tones were actually standard tones for two FS k again you've got the preamble your your payload looks like three in three parts a post amble filler and then just the CTC system if you look very very very very faint line on the left that constant line it's running through the from top to bottom that's the CTC system that you need to so the repeater lets you it what does that look like so if you if you change your parameters you can see the modulator Doh varying and this is in the frequency domain but you can see the tune levels you're jumping back and forth for those bids so I took a sample put into Jupiter and very clearly you can see the two levels there if you slice at the zero line you know anything above at a certain time is a one anything below is a zero and then you've got your one zero but you need to know how quickly your ones and zeros are coming through the system so you can do some simple cyclo stationary analysis and it sounds hard but it's it's not you basically multiply the signal by a delayed version of itself and then take the Fourier transform and then the strongest pink is usually the periodic rate of the signal and here it was 1200 board so you know two tones 12 and a board all very standard stuff so we know all this about the physical layout I started getting raw bits out and you'll notice that there's this kind of odd alignment there's a pattern there for sure but if you look around the middle where you've got the long strings of ones they don't quite line up so I didn't know what was going on there but if you sort of start playing round text 
editor you can line things up a little bit make it look a lot nicer and you've got these extra zeros that turn up and if you think of cereal you know line protocols often you have a start bit and you have some idle time before that so I think it was either that or some other level of security and then turning them to hex you know look like there was a you know good repeating structure coming out and then looking at them well you have long strings of ones so maybe that's not good try some inversion and then things started looking better so these were the three packets that were sent out before the sirens went off on Tuesday and you know they all look the same apart from just a few bits changing and then on another week a lot of things look the same actually so that was a little bit of cause for concern so the other interesting thing was apart from the activation there's those trigger packets I called them and the polling and response after the test around about every 20 minutes these packets would go out and you know pretty regularly 20 minutes I thought well maybe it's some sort of a keepalive mechanism and maybe there's you know something changing in there like a time every twenty minutes so it wasn't obvious you know how things were incrementing or decrementing and I sort of you know this is a copy of my notes they're the things that I identified as those patterns and things that were static and not and I thought well hang on maybe I've just packed the bytes the wrong way so I'm gonna pack them in the opposite order and then what do you know you've got incrementing values during a trigger sequence so that's a pretty good sign I mean boring but good sign in terms of analysis what about CRC good good to know that the data that you're dealing with is is solid so I tried CRC eight because you know if you look at the the last bytes there they're the ones that are changing on the end usually the CRC is appended and there were no hits with CRC eight there's a neat tool 
called revving a brute forces all sorts of CICS with different polynomials and all you know settings for how the CRC is computed no hits and I thought well let's try something super simple I've seen them do this before another embed it's I just summed up all the bytes more than my 256 and bingo that was it so in terms of the timestamp I just kept collecting more data of these announcements and I could see that there were these values they were incrementing at a predictable interval so initially there you know I plus whatever is the offset I was taking two bytes but then I just started looking at the one and you could see when you know seconds would roll over the minutes were very very clearly rolling over and then the owl's as well and then even the days and this is not synchronized to you know real-world time the system is running on its own time domain but at a normal second rate and then you know again other elements of it rolling over so it's quickly becoming a parents at times there so you know we've learned these things about the packet format they repeat the payload three times for redundancy and you know they had that serial protocol still a minute so the surprise of protocol and often as is the case that what happens is security may be unintentionally security through obscurity so this is home announcement and interestingly when I looked there was no transmission into the repeater for the time announcement it was only ever an output so that would indicate that there was actually another controller of some sort at the repeater to send out this time announcement so it became clear that really there was no security you can very clearly see the clock incrementing and you could very clearly see the sequence that's used to test them off so a malicious act that could take this knowledge extrapolate the time and set the sirens off whenever they want and that was of a concern after the test the control poles each node and does that ping response was interesting too 
because whenever I would watch this each week I could see, you know, if you look there, you can see that there are incrementing node numbers. So it pings each one, but then sometimes it wouldn't be able to reach a node, so it would retry a number of times, then it would move on. And so it was kind of interesting to be able to get a sense of the state of the network, because, you know, people in the city would've been watching this and, you know, going out to repair them, but you could also get some sense as to what was going on as well. So everything looks like it was in the clear: no encryption or secure authentication, and, you know, you could extrapolate the values. So I did this week after week, and then, you know, the other part of the timestamp, the month and day, quickly became apparent; if you look from the bottom up you can see it incrementing that way. And then my decoder wasn't perfect either; sometimes it wouldn't be able to decode a packet. I tried to make it fancy by doing some sort of tree search, because if you think about it, if you get a corrupt bit, you need to know what the stop bit is for the next byte, and if you get a corrupt bit you might start too soon, and then everything after that is corrupt. So it would try this tree; I capped the depth or breadth, but it would try to go down until some limit to brute-force out a packet. Sometimes it would work, but often it would tell you it couldn't find a valid frame. And I thought, well, it'd be cool also to overlay on top of the waterfall the elements of the packet and whether it passed CRC, so that way I could tell, you know, basically if I was able to receive the signal properly and, you know, where I might need to do more work on the decoder. Interestingly, it was sad news, but there was a break in the pattern: one Tuesday there was nothing, and unfortunately that was the day when our former mayor passed away, so they didn't run the test in honor of him. But it was just interesting to see the break in the pattern. So with this knowledge, obviously,
we were concerned. You know, we don't want critical infrastructure systems to be vulnerable to this sort of exploitation; even though there's no replay attack, you know, you can see how it would be, in a sense, much easier to craft malicious payloads like this. So we set about doing our responsible disclosure, and our policy is a 90-day disclosure policy, where we contact the vendor, offer our assistance, give them all the information we have and try to work with them as closely as possible, or as close as they like, so that some sort of remediation can be put in place, a patch can be created, and then we inform the public, so that if something hasn't been made available to them, they can make their own decisions about how to secure their system so that they're not at risk. And this is pretty industry standard, and a lot of folks have much the same sort of timeframes, but it is generally well understood that this results in action and helps all parties. So in terms of our timeline, we notified the vendor in January; we also notified the Department of Emergency Management, because they were looking after the system, so we thought. And then 90 days later we released a public disclosure on April 10, and at that time the positive outcome was that the vendor, ATI, had created a patch and provided it to at least one customer, obviously the city, and I'll show you how that looked as well. But initially it took a little bit of effort to try and get people's attention; we've found this with previous disclosures as well. So we first tried by email and phone calls and more emails, trying, you know, different departments, then I also tried to deal with it by telephone, trying External Affairs, the press office, and we actually did a sit-in. My former colleague Matt, who's sitting there with his hand up, we sat in there and tried to find the appropriate senior people to make sure that they understood that this was an issue and we were trying to get in contact with them, and doing our best to do so. So we ended up leaving a
hard copy there. We also tried, you know, looking at how we might contact ATI engineers; I believe they were in a different time zone, so that wasn't going to be easy. We kept on because we hadn't really heard any confirmation yet. So we got our first email back from the DEM; it turns out that the Department of Technology manages the infrastructure of the outdoor public warning system, so they forwarded our email to them. And then I also tried to chase down an employee that I found publicly had been previously familiar with the project, and again Matt and I went to the new department where he worked and also the remote location and tried to, you know, physically find him, and email and phone him and the supervisor. And then we called ATI again; they couldn't guarantee that a call would be returned. We sent more emails, and finally in February we had our first call with ATI. That was nice; they established a dialogue and said they'd look into it with their engineers. And then we had a call from the Department of Technology, and they were in contact with ATI at that point, so that was good news. Then later in February we had a first proper dialogue with the Department of Technology; ATI said they were working on it when we tried to call them. We received the formal letter from ATI later that month, and then we had further phone calls with the Department of Technology just to find out how things were progressing. And then we requested the vendor response for the public disclosure, by email, by letter and then by email; we finally received one later in March, and then we worked together to come up with the final version. An excerpt of that was that they recommended, if you wanted highly secure encrypted links, to use P25, to use the trunked radio upgrade, as well as the fact that they had created a patch which adds additional security features to the command packets sent over the radio. So that sounded good. Meanwhile, while this is all going on, on their website, if you would look, they had a number of featured
installations. So we were interested in finding out whether San Francisco was unique or whether other people were also potentially affected by this vulnerability. So, you know, we looked around online; this was the old version of the website, this is the new one, and again, you know, different customers and different markets. They've plotted them out on the map across the country. On LinkedIn it also says that there are thousands of worldwide installations of this equipment in operation today. And one that was highlighted in their featured list was a county that had had malfunctions as well, and they did this little video report. So as I play this: we've heard what the command packets look like, what the 2-FSK looks like, and you saw that it wasn't trivial to find out the frequency of the system. Here's the video, and now, well, let me take the audio from the video and try and demodulate that. So here again are the three repeated payloads with the idle filler, so it looks like the system that we've had. I couldn't get the raw ones and zeros out because obviously the audio gets compressed when they put it online, and so that destroys the two tones. But they have a map of their sirens in the county there; I tried to visit it again, but that's a 404 now. That frequency that was on the sticker that was on the radio is registered in the FCC ULS; you can go to that address in Street View, and sure enough there's a big honkin' antenna in there, so they probably have a small antenna on there. So I flew out there, booked a hotel and made sure that I got a room that was facing the antenna so that I'd maximize my reception, and took a little bit of a tour, and sure enough they had installations out there, and again there are warning signs; they're trying to be a bit inconspicuous there, and they've got everything on camera. And this is my hotel room, getting ready, because they also do these regular tests, and they have a different tone for their siren; it's just a constant tone. But I
got it all tuned up there, multiple laptops for redundancy, multiple SDRs, all looking good. And unfortunately, same deal. This was a little bit different from San Francisco; there were some subtle differences, but there was enough similarity here that we decided to, I called up the relevant folks in their county, and, you know, it's a little bit difficult, because if you have someone cold calling you saying that we found a problem with your system, it's perfectly reasonable to say, well, you know, if there's a problem we'll hear from the vendor, and if there's anything crucial, send it to us in writing. And we did that, and then it turned out, you know, a while later we heard that they were in touch with the vendor, so that was good. Also, we managed to procure some of the equipment, because at this point I hadn't actually had physical access to it before, and, you know, when you do your own tests, obviously you don't want to wake the neighbors up, but also you don't want to transmit over the air on unlicensed frequencies. So I've got a big fat attenuator, because there's quite a bit of power coming out of the radio here. Instead of using this massive speaker, I thought, well, maybe I'd hook up a little 8-ohm speaker and maybe it'll, you know, figure out there's a small load on there and adjust. And I hooked it up, and of course the magic smoke came out of the speaker. But the good news was, after playing around brute-forcing stuff, playing around looking at all the data that we had, trying all the combinations, then I managed to get this. Now, I had that 8-ohm speaker hooked up and I thought it was coming out of that, so I wasn't going to have this big honkin' thing hooked up, and what I realized a little bit later on was that the audio is actually, what I believe is, the thermal changes in the big transformer in the amplifier under the board there as it's having a huge amount of power pushed through it. So there's no actual, you know, diaphragm or anything moving to produce the audio; it's the
vibration of the electronics in there that's emitting this audio as well. So there's quite a bit going through there. So we did an outdoor test; you might have seen that, I'll skip that. And then toward the end of our disclosure window, things started happening on here that I couldn't have possibly imagined, because I was just so used to listening to those tones. Have a listen: a human voice. Couldn't believe it. So that was good. And funnily enough, my friend from Australia, who happened to be visiting just for a few days, he was in Union Square, you know, we both like radio, he took a photo just totally out of the blue, unaware of the research, obviously, and they were going around to all their siren nodes and presumably applying the new firmware to make it aware of this new protocol that they would be using. And I saw over the weeks, you can see the green sections there, the packets that I've analyzed and my decoder recognizes, but there's all this failure now, all these red ones, and I'm sure that the bits were coming up fine, but they had changed the format. So zooming in there, you can see, you know, there are still some known trigger sequences, but the other ones are not known anymore. And then come the day of the public disclosure, everything was red, so they changed everything. I am looking into it in detail, but if you look at the values on the side there, they're all, you know, they don't have structure anymore. So that's it. And we also worked with ICS-CERT and had an advisory listed there, and also nice to see, just very recently in the Wichita Eagle, they rolled those fixes out there as well. So just to wrap up then, suggestions: you need to design RF security from the ground up. It's very easy to overlook. Tools such as these software-defined radios and open-source software are cheap and easily accessible to security researchers, enthusiasts and bad actors, especially if they're well-funded. Radio-enabled critical infrastructure is everywhere, and it has to be scrutinized. If
you have any, have an obvious way for people to get in touch with you if they think that they've found a problem. So, you know, commonly it's an email set up with a PGP key and so on. That has to be done for everybody that has this sort of equipment. All right, the radio spectrum is a shared medium; as soon as you jump from anything on the wire to over-the-air, it's accessible to anyone, you know, it's a very important thing to bear in mind. So you cannot rely on security through obscurity anymore. And then if you are disclosing, strictly adhere to some robust process that you design ahead of time. Thank you for your attention. For more information you can go to the website or the ICS details. I want to shout out a big thank you to J brands cim yux, who was my boots on the ground on the East Coast capturing spectrum and doing some experiments out there, and also Neil Penny and Nate Temple, who's sitting here in the front row; they were my emergency response team when I couldn't get the power supply to work for my demo, so they rushed over here with a new power supply, so really appreciate your help, thank you very much. And I also want to thank my colleagues at Bastille for helping me and supporting me through this, especially in the disclosure process. Thank you for your attention, and I might try to get this going if anybody has any questions in the meantime. South Pacific would be great, see you there if you have questions. And I've got my little thing running here; let's see if it'll actually work. So this is showing what's coming back from the radio. I'm just going to start up the little program here to hopefully stop that Rick remote. All right, so now let's see what's going on here. Okay, so I've activated the public address mode, so I just sent the new packet out there, and now I'm going to launch another program that's actually going to send... it's waiting for a new signal to come in, which is the modulated FM audio that it's going to output over the speaker. So I'm going to launch that program now. There
we go. So it's running; this is just a little transmitter for the audio, and then I can slowly turn the volume up. So that's it, thank you very much. [Applause]
Info
Channel: Black Hat
Views: 67,628
Rating: 4.869813 out of 5
Keywords: Black Hat, Black Hat USA, Black Hat 2018, Black Hat USA 2018, BlackHat, BHUSA, SDR, ICS
Id: 49KoUmiJuts
Length: 51min 20sec (3080 seconds)
Published: Tue Aug 28 2018