The Machines That Betrayed Their Masters by Glenn Wilkinson

Right, welcome everybody. My name's Glenn Wilkinson, and my talk today is entitled "The Machines That Betrayed Their Masters". Thanks for coming along. It's a topic that I'm quite excited about, and I'd like to share that excitement with you. At my office I'm known as the guy with the toys, because every second day there's a parcel from eBay or Amazon or somewhere with toys in it, and I've brought a few of my toys along today. As hackers we're all a bunch of big kids, basically, so I'll play with my toys, and afterwards, if you want to play with them too, feel free to come and check it all out.

So, as I said, my name is Glenn, and that's my Twitter handle if you're interested in such things. My lucky number is 11, which is why that man's wearing 11 on a shirt. I'm originally from a country called Zimbabwe; it's a small landlocked country in southern Africa. I studied at the University of Oxford in England on a Rhodes Scholarship, so I have a master's degree in computer science from there, and I currently work for an information security firm, a pen testing firm called SensePost. It's a company started in South Africa about fourteen years ago, in fact it was our 14th birthday this year, but I work for the London office, which has been running for a few years now. So my day job is hacking stuff. I guess I'm a security analyst or pen tester or whatever you want to call it, so I get paid to hack stuff, which is, you know, kind of a dream. Growing up I never thought I'd get paid to hack into banks, and now I do, so that's pretty cool. I also spend a lot of time training, search, Black Hat Vegas, other Black Hats, Hack in the Box, all that kind of stuff. We give training on most continents, and then 20 percent of my time is research time, so I get to play with toys and then come and speak at conferences to lovely people like you. I've spoken at a few conferences over the last year about this tech and a few other interests that I have. But enough about me, let's talk about you. Does anybody in the
audience recognize any of these addresses, or some of these photographs? Maybe it's your house, your friend's house, a place you visited. I see we have some addresses in Amsterdam, Germany, Italy, Turkey. Now, I see there are fewer people here than at the keynote, when I collected this data yesterday, so we may not get a hit, but do let me know if you see anything of interest. Anyone from Israel? I see a nice coffee shop there that someone may have visited recently, and maybe someone stayed at an InterContinental hotel. And a whole bunch of us from the States: anyone recognize the office or the house, or did someone stay at the Essex in Chicago? Well, I'm asking, but I'm actually telling you: you have stayed, you do live here, so don't worry about owning up.

And of course welcome to those of you who attended Black Hat Vegas in 2012; good to see some continuity over the years. And also Black Hat EU, so welcome to those of you who have attended that conference in the past. Welcome back, and nice to see people visiting from all over the world. So we've got people here from the States, from all over Europe, and of course from Asia and Southeast Asia, so nice, this year, a good spread of audience. A very different picture to, of course, Black Hat Brazil of last year, where I assume a lot of people were visiting from the region locally. Interesting.

How do I know all of that? Well, the topic of the talk: something about machines, something about betrayal. I'll give demos in a little while of how I got that information, but I got it legally, above board, by passively listening to devices that you guys are carrying in your pockets. So, something about surveillance. What's interesting is that I'm doing some degree of surveillance here, and profiling, but everything that I'm discussing is research done pre-Snowden. A colleague, Daniel Cuthbert, and myself a couple of years ago had the idea that maybe governments and private sector organizations are spying on us and trying to figure out all kinds of information about us,
and they have really deep pockets and really big budgets, and we were curious to see if, on a shoestring budget (so my research time, twenty percent, one day a week, effectively no budget, open-source software, you know, cheap hardware), we could build some degree of surveillance system, to basically make some kind of large dragnet-type system, not focusing on individuals initially but on a large group of people: say, people at a conference, people in a city, people in the country. Could we build technology to surveil people on that scale?

So the talk says something about machines and something about betrayal, so what are these machines and how are they betraying us? Machines relates to devices that we carry that have some kind of computing power and have some kind of wireless connection. Go back five years, ten years, maybe you had a cell phone, but its only connectivity was the cell network. Go back a bit further than that and maybe you had a wristwatch or something, and maybe the crystal emitted some tiny signal, but effectively you were isolated. But these days, more and more so, we're carrying devices that have some degree of computing power and also emit signals. The cellphone is maybe the most common example, a smartphone. Most of us here carry a smartphone; in fact, based on those previous images, I know that you guys carry smartphones. But that's not the only example. Bank cards these days have NFC chips, Near Field Communication. In London, where I live, we use the Oyster card, a travel card that also uses NFC-type technology, and in the States I have noticed that your identity cards have some wireless chips inside them. I see there is at least one person here wearing Google Glass. So Google Glass, the future's weird: your glasses and your book and your watch, suddenly everything's got a computer and wireless technology, which is kind of strange when you think about it. And the thing with a Nike symbol there, that's a fitness bracelet, that's getting really popular these days. You have this bracelet that you
put on your wrist, and the chip you put on your shoe, and a heart meter you stick on your chest, and all of this stuff monitors your activity and all communicates wirelessly, either to your phone or to some other device for synchronization. Passports these days have chips in them. And you'll notice these devices essentially have short-range communication, some have long-range communication, but even things like NFC are sometimes not that short. On the left, does anybody know what that device is, just under the Google Glass image? Yeah, a pacemaker. Wow, the future is messed up. Pacemakers have wireless technology, and not some small custom subset, actual Wi-Fi, which is just really weird.

So the point is that we all carry devices, either on us or essentially inside us, that have some computing power, and they use some kind of wireless technology, and the wireless technology that they use varies between devices. Perhaps the cell phone has the most number of technologies; in this image we see it has Wi-Fi, Bluetooth, NFC, GSM, so a whole bunch of wireless transmitters and receivers that are essentially just shouting out information.

Now the betrayal comes in when we think about what these signals are, how we can interact with them and what we can learn from them. There are essentially two things that I'm interested in. One: the uniqueness of the signal being emitted by one device or a collection of devices. If a device, be it a cellphone or a passport or a fitness bracelet, is emitting some wireless signal that's unique, at least for some period of time, then I can uniquely identify it if I'm able to detect that signal. The most common example, and the example I've had the most success with, is Wi-Fi. All of your mobile devices, if you've left your Wi-Fi on, even if you're not actively using it (as I say that, I've left my Wi-Fi on, and I'm the guy giving the talk), so if you've left your Wi-Fi on, your device is constantly making noise and sending out a unique signal that includes the MAC address of the device,
essentially, so I can uniquely identify this device in this room. And if I was at a conference last year and I had the same device, I could note that that device was in this room at this point in time, and in that room at that point in time, and at the airport at this point in time, if I had the ability to detect the device at those locations. That's the first part: a unique signature, and that's either going to be something like the RFID signature or the MAC address or a whole bunch of other options, but generally speaking some kind of unique signature.

What we want after that, potentially, is some way to get information about the owner of the device, and again the way we interact with that could be a whole bunch of different options. Looking at Wi-Fi again: if you've left your Wi-Fi on, your phone is constantly looking for networks it's previously connected to, and maybe there's some information in there, as you'll see as we go along. With RFID, maybe included in the signal is a name or unique identifier, an ID number or something of that nature.

So if you just give me a second, it seems the projector is not playing nicely with me. That's better. Okay, so, yeah, as I said, the idea of a machine... The previous deal's better, wasn't it? So it doesn't like... Okay, fine, we'll just do mirror mode; it doesn't like to do presenter mode. I'll just guess what slide's coming next. So I think the next slide will be what episode. Anyway, so a machine, so the machine can be anything that's... sorry. Yeah, so it's mirrored. Technology's great, isn't it? So it's mirrored, Mr.
AV guy. 800 by 600, mirrored. Sorry, 1024. Okay, we'll skip the... So, the idea of a machine: a unique signature, and then a link, potentially, from that device to a human being, and that's what I'm interested in. So the devices that you are carrying in your pockets right now, on your wrists: can I uniquely identify you in this room, and then kind of figure out who you are, where you live, who you interact with, are you here with colleagues or by yourself or with a spouse or something?

And mobile phones, smartphones, are wonderful. Five years ago, ten years ago, if you wanted to bug somebody or surveil somebody, you had to break into their house and install a camera in the smoke detector or something, and put a physical bug on the phone, and then follow them in a car. These days we all carry the most sophisticated bugging device ever created, voluntarily, on our person. It's bizarre. It's got GPS and a camera and a plethora of wireless technologies, and photographs and personal information, banking information, and we just voluntarily carry it around and don't really give it a second thought.

Now, as I say, there's a bunch of unique signatures. The one I've had the most success with, and that I'll discuss today, is Wi-Fi, or wireless technology. The idea is that your device has a unique MAC address, and the way the Wi-Fi protocol works, as you're sitting here, you're not connected to a wireless network, even if you're in the middle of the Sahara Desert, your device is constantly sending out a message looking for every wireless network it's ever connected to. This stuff dates back to the KARMA attack, Dino Dai Zovi, back in 2005, but it's still completely relevant, not fixed, and in fact more dangerous than ever before. So your phone is sending out this message, and now I want to link that unique signature to a person, and there are two ways we can approach that: passively or actively. Now, passive linking: I don't have any interaction with your device at all, and that's what I was doing yesterday to
get information on you guys. So your phone is sitting in your pocket, and it's looking for every network you've ever connected to. It's looking for BT Home Hub AFV1, it's looking for Starbucks, it's looking for Virgin, it's looking for "is anybody there". So as you've traveled the globe, you've connected to different wireless networks in different countries, and you've clicked "join that network", and you haven't said "forget that network" after you've left. Your phone has remembered that, and it's in the room right now shouting out the names of all of those networks.

Now, immediately I can infer certain things from that. If your phone is looking for McDonald's Free Wi-Fi and L budget airlines free Wi-Fi, then I know you're a bit of a low roller. If your phone is looking for the Ritz premier suite and looking for British Airways first-class lounge, then I can infer that you're a bit of a high roller. And sometimes the name of the network might be immediately obvious: if I see somebody looking for Royal Bank of Scotland corporate, then someone probably works at RBS. If someone's looking for Royal Bank of Scotland corporate and they're looking for Hooters, then immediately we can draw some conclusions. That was an embarrassing demo I gave once.

Now, what's also interesting about the signals that are being sent out, as your phone is looking for these wireless networks, is that if those networks are sufficiently unique then it's possible to determine the geolocation of those networks. Who knows what wardriving is? About a third of the audience. It's this technique that goes way back to 2001, and the idea is that, number one, you have to wear a ninja outfit, so there's me in the top corner there with my ninja outfit, and you have some device that has both GPS capability and Wi-Fi capability, and you basically traverse an entire city or area, and every time you see a wireless network you note the GPS coordinates. So there I am being a ninja, wandering around London. There's only four wireless networks in
London. Maybe it's a few years ago; I think there's at least five now. And every time I see a wireless network I note the name and the GPS coordinates, and I make a table like in the bottom corner there. Things like Starbucks you're likely to see thousands of times; if you take the planet, probably tens of thousands of times. But if a name is sufficiently unique, then it's possible that it only, you know, geolocates to one exact location. I'm not sure about in Singapore, but at least in the UK, where I live, you have providers like British Telecom, BT, and to get the Internet at home you get BT Home Hub dash one two three four or something, so some unique name. Or Virgin Media: Virgin Media six one two four nine. So the name of the provider and then a unique identifier. The same with businesses: BT Business Hub and then some unique identifier. So if I can create a list like this, and then I notice that your device is looking for BT Business Hub dash DF1, and I have this big table, I can then look up the name of the network that the device in your pocket is looking for and infer that at some point in the past you have connected to a network in London on the corner of Old Street and City Road.

It's going to take a while to do that, so luckily there are crowdsourced projects that anyone can be part of, and you can submit your own data. So, a project dating back to 2001: WiGLE, so wigle.net. Awesome bunch of guys, and they've been running the site for thirteen years now, and they have on the order of a hundred million observations. I run the software, I travel, and I just collect the names of networks and GPS coordinates and submit them, and what that means is that anybody can go and query that database and essentially figure out where devices are from. So now I see someone looking for BT Home Hub and I immediately know that you're from this address.

Now, an interesting anecdote: when I was working on the software that kind of does all of this stuff, I was sitting at a coffee shop in
Oxford, where I used to live, and I had my software running, and I'm just watching the screen, and two guys walk into the coffee shop speaking Arabic to each other. I was watching the screen and I see two new mobile devices probing for a network, and my software geolocated those networks to a small town in Saudi Arabia. And suddenly, watching my screen, these guys walk in and I think, I know where you're from, right down to the street view of their house, or at least of a place where they have lived or at least visited.

So: passively linking, one, the signature. And then actively linking, so now we're interacting with the device. So with Wi-Fi, or some other technology, sending signals to the device and interacting with it, to either extract information or get it to perform some action to get more information about the owner. Now again, this is not particularly new. This dates all the way back to 2005 and the attack called the KARMA attack. Basically, when your device is looking for Starbucks or McDonald's Free Wi-Fi or something, number one, I can hear that signal, and two, I can reply and say "hey, it's me, Starbucks". Now, someone was doing this yesterday in the conference. It wasn't me, but you would have noticed that there were access points popping up like Starbucks and like Heathrow Airport Wi-Fi, which is always a good indicator that somebody is messing with this kind of stuff. It wasn't me. I did, yeah, I did try and shut down the access point. But the point is that you can respond and say "hey, it's me, Starbucks, connect to me", and your device will connect and then be happy, and you probably won't even notice. You'll get a little wireless symbol popping up, a little Wi-Fi symbol, but you won't get a prompt, because, you know, when you go home or you walk into Starbucks you want it to automatically and immediately connect. And by doing that I can then intercept your traffic. Again, this is old-school stuff: pull out your session cookies, look
at what you're browsing, and, yeah, determine who you are from your Facebook account, your Twitter account or your email, and pull out that kind of information.

Now, the Snoopy framework is a tool that I worked on back in 2012. I spoke at a conference called 44CON in London, that's DEF CON London, and essentially released a proof-of-concept Snoopy tool back then, but over the last few months I've been working on a new version that's all nicely Pythonified, and it's modular and it's a bit more efficient. What the Snoopy framework is: it's a distributed tracking, profiling and data interception framework. It takes all the ideas that we've briefly touched on, and there's nothing new about any of that, that's been known for a long time, but it packages it together into a nice unified framework that you can expand on and on. So if there's a new protocol that comes out tomorrow called Greentooth to replace Bluetooth, then we can write a Snoopy plug-in that can detect those signals and interact with those signals and populate data, manipulate data.

So I said four things there: a distributed, tracking, data interception and profiling framework. Distributed: the idea is that you can have these Snoopy devices running on some small, inconspicuous hardware, and distribute these little Snoopy sensors over a large area, so the whole of Singapore. You can run the Snoopy software on anything that runs essentially Linux and has the wireless adapters that you're interested in. This device here is a BeagleBone Black, which is sort of similar to the Raspberry Pi, so it's a single-board computer, and it's got an add-on module on the top that has 3G connectivity and a GPS device, and then a wireless antenna plugged in here. So very small, very inconspicuous. I can plug it in and leave it lying around somewhere, put it in a nice little case, and the idea is I can leave it here unattended, and as you're all interacting here and walking around, day in, day out, this device will be collecting information and
syncing it back to a central Snoopy server. I can drop these devices over, say, the whole of Singapore, thousands of them, and as people move around the city these devices will detect them, interact with them, and send the data back to a central server. That's nice, because with existing technology, things like the Pineapple, it runs on a single device, and then you've got to put in the memory card, take out the memory card, put it in your laptop, open up Wireshark, so it's a bit cumbersome. So this is nice because it's distributed: it collects the data and sends it back to a central server.

So, tracking, kind of obvious: you have this blanket of devices, and as people with wireless transmitters in their pockets walk through the environment, we know, okay, they're at this location, and this location, and this location, and it's got a GPS device that knows effectively exactly where it is. So, distributed tracking. Data interception: as mentioned, depending on the technology, using Wi-Fi for example, or GSM, maybe we set up a femtocell, intercept your traffic, parse the traffic and sync it back to the central server. So instead of collecting data locally, I intercept your traffic and it goes back to the central server. So I have 10,000 devices scattered over the whole of Singapore, and they're all intercepting traffic and sending everyone's traffic back to a central server for examination and visualization. And then profiling: as much as collecting more traffic, I'm exploring and manipulating the traffic to work out things like where you live, what your Facebook profile is, who your Facebook friends are, what Facebook friends you have in common, your inbox, who you've been emailing, common links of people you've been emailing. So those are kind of the four pieces of the tech, and essentially nothing new, but putting it all together into one unified framework.

And then the next-generation Snoopy, which is after the 44CON PoC. There's only one image on the whole of Google Images that has Snoopy wearing a next-generation Star
Trek uniform, this is it; if you can find another one or draw me one, please let me know. But next-generation Snoopy is essentially all written in Python. You have the main Snoopy process that runs, and it has a series of plugins, be it Wi-Fi with GPS or Bluetooth or NFC, and it saves that data to a local database on the device, very customizable, SQLite or MySQL or Postgres, and synchronizes that data to a central server that writes to that database. It's very modular: you can choose which plugins you want to run, and then multiple Snoopy devices are all running, syncing data back to a server, and the server can do data exploration and visualization, either in a web interface or via a tool called Maltego, and we'll see a demo of that in a little bit.

You can also sync data over different technologies. These things here are called ZigBee radios. So with the Snoopy drone, if I plug in the ZigBee module, it will then collect data and synchronize it back to kind of a central Snoopy device, maybe up to eight kilometers away, depending on the ZigBee radio. So you can have a whole bunch of Snoopy drones with ZigBee radios, and then one central device with a ZigBee radio, and they all synchronize data back to that one, and then maybe the middle one uploads data over 3G or something to some other central server. And ZigBee is great: this one's two and a half kilometers range, so a tiny little antenna with two and a half kilometers outside range, and it draws very low current, I think 300 milliamps. And then you can create any configuration you want, so have these devices syncing over ZigBee to a device, over 3G to a device, over Ethernet, so basically a nice big distributed network to catch stuff.

And here's an illustration of just the ability to intercept and manipulate traffic. We have over here two Snoopy drones (you see my mouse cursor), two drones here, and a bunch of client devices, or victims; I've been told I mustn't use the word victims; clients. So devices over here that have in this case
associated with Wi-Fi, and the traffic is going through the drone and then through the Snoopy server, and effectively I do NATing at the server, so I can see this client's exact IP address and traffic flowing through the server. I just pass the traffic through a proxy; I can pull out things like cookies and websites that you're visiting, pass it through sslstrip to try and defeat SSL, which works remarkably well against most sites, and then through a man-in-the-middle proxy setup where I can insert arbitrary code, insert arbitrary JavaScript for example, or change every image to a picture of a cat, or, one of my favorites, turn every image upside down. So you see the guys in Starbucks, you know, on the device browsing funny cats, and upside down, they turn upside down, and I turn this stuff upside down, and it kind of goes on like that. You of course shouldn't do that.

And then a degree of traffic inspection, so pulling out things like PDF documents or VoIP conversations, and then some social media APIs, so if someone's browsing Facebook and I am able to obtain the Facebook session password, I can then grab all of their friends and their friends' friends and things like that. And of course over here we see the geolocation technology using WiGLE. Of course, what's nice is these drones are fairly dumb; they don't have that much processing power, and they pass on the grunt work to the server, potentially, which hands out internet over there.

And yes, you can run Snoopy on a whole bunch of different technologies. So we have the Nokia N900, fantastic cell phone, runs Linux, unfortunately decommissioned, but there's a new project breathing life back into it, the Neo900 project, kind of Kickstarter-y, and I recommend you go and donate to that to get yourself a device. The Raspberry Pi, the BeagleBone Black, the SheevaPlug. The BeagleBone Black is my favorite device: it's stable, it can run a modern OS, so I've got Kali Linux running on here, which is great; it's essentially a pen test box on a small device like
this. And yeah, if you can't see it, over here that's a SIM ejector, and it's got this fantastic GPS and GSM board on top, which is a prototype which has just been released.

And what else can we do? Well, since you ask, I have brought my little friend along today. So I've got my quadcopter. This is the controller; as you can see, it's watching you guys. So this is the controller for the quadcopter, so I fly it from here. It's got an FPV camera mounted on it, so essentially I can pilot it from here. And that's all well and good, but so what? Well, the "so what" is that I can attach one of these Snoopy devices to it and do this kind of surveillance in a mobile fashion: attach the device to this and then fly over a large area, or pursue somebody, or any number of possible things. Now, because this is a fairly small, lightweight device, the idea is you attach it to this. And I'm trying to emphasize that it's not just stunt hacking. So it's kind of cool, yeah, it's a flying hacking machine, but it's also kind of useful. It's useful for a few reasons. One, I can get altitude: I can fly this device at about 80 meters, you won't see it, you won't hear it, but with the right antenna I'll be able to detect signals on the ground. So if there's some area where I'm not able to plug in devices locally, I can attach it to the flying machine and fly overhead at a safe altitude where you can't see me or hear me but I can hear the signals from your device. Secondly, if there's some kind of physical barrier, I can bypass that: big walls or men with guns or dogs or something, I can bypass that physical barrier and collect data from the other side. And also it's very fast, so if you want to blanket a whole city very quickly you can just do a nice grid pattern and cover the whole area, collecting data from everybody down below. Now, this unit's only got about 20 minutes battery life, up to 40 minutes if I get the right kit for it, but then you can also get fixed-wing devices, and fixed-wing devices you can fly for up to two
hours, and essentially just, yeah, do a grid pattern of an entire city and pick up everybody from down below. And I can foresee all kinds of things that we could play with there. So I'm just going to build the tech, so there's good uses and bad uses, as with most technology. As an example, say there's a riot downtown, people are looting and being very bad. You could fly one of these devices over the riot area and collect all the unique signatures from the rioters below, to either use in prosecution going forward, or to profile and figure out who they are and where they live and that kind of thing. So maybe some degree of good, depending on who the government is. But then at the same time, maybe there's an oppressive regime, and people are having a peaceful protest, and the oppressive regime could fly this tech over and figure out who the protesters are downstairs, which could be, yeah, a bad scenario. But the idea is that it's just the technology; all technology can be used for good or for bad.

As an example, here's me flying in London. This is a park in London, and from this altitude, about 80 meters, I'm that little tiny speck down in the kind of middle left there. So essentially you can't see it, you can't hear it, and the device is in real time collecting data as I fly around from people down on the ground. Anybody recognize that? Yes, that's the hotel. That's this morning. Man, it's hot outside; I think in the future I'll sit in my hotel room and fly by FPV from there. That's probably about 100, 120 meters, I think, and yeah, I can't see it at all. But say you can't get access to the pool, but you have the directional antenna and a camera, and you know there's a person of interest up there: well, you can fly up from a safe distance and get a video feed, and use a directional antenna to pick up devices of people that are at the pool. Maybe there's some kingpin up there that you want to surveil and get information on, and we'll just identify that he's at a location at a point in time.

So, other things we can do
with the aerial unit. Say we have John. There's John, and he's walking around with his phone or his bracelet or whatever in his pocket, and we already know John's signature. Maybe he was arrested some time ago, or we somehow identified who he is and what his signature is: we know what the MAC address is of the phone in his pocket. And he's somewhere in Singapore and we want to find John to ask him some questions, just ask him how he is, that kind of thing. What we can do is a spiral search: we can launch the UAV from some central location, get a good altitude, and slowly circle out in a wider and wider pattern until it finds John based on his signature below. Of course you can blanket a very large area, so you can have, yeah, four drones or a hundred drones and have them deployed over a large area. Okay, we need to find person X based on the signature: push button, launch drones, and they all individually do their own circular search pattern for their grid until one of them identifies the signature that we're looking for.

So here in the bottom right, that one's managed to find John, then he calls his buddies and says "I've found John", and then we can use, potentially, trilateration. It's like triangulation, which most people are familiar with as a term, but you probably mean trilateration when you say triangulation. Trilateration works on distances as opposed to angles, and the distance metric in this scenario is the signal strength of the device, so how many decibels the signal strength is from this device. So the idea here is that you have one master drone, say the guy in the bottom there, and the two other drones are controlled by him, and they all have a GPS device, and because they know their own position and the signal strength of John's device, they can work out exactly the GPS coordinates of John. And as he moves around, the one drone at the bottom relays the message to the other two to move them, so they can stay in a fixed position around John as he walks
around.

Right, enough talking, let's have a demo. The screen resolution is a little bit funny, but let's see how it works. All right, so you have these Snoopy drones, they're all happily running, collecting data and sending that data back to a central server. But data is boring if it's in a text file or a database or something, so what I use is this tool called Maltego. I don't write this tool, I just use this tool. Maltego is a fantastic graphing and data visualization engine, completely customizable, and a really lovely way to explore data, and it's made by South Africans, which from my point of view is excellent. So what I've done on the side here: I've written a few, I've created a few Snoopy entities. You have these entities and you drop them onto the map over here, and then against entities you can run a transform, which is just an operation. So we have this starting point, the base of operations, and I can run the transform that says "fetch drones". Now, you can customize what data you want to select on a time. Here, on the side, you can have time metrics, so you want to fetch drones that were active today, or were active last Tuesday, or were active a year ago. The default is to fetch all drones that have ever been active, so this is including historical data here.

During the last year and a half I've run all of these drones: on my N900, on my laptop, on the BeagleBone, on the BeagleBone attached to the flying machine, and when you run it you can specify the location that you're at. So I've been running this at security conferences for the last year and a half, and keep in mind this is all broadcast traffic, so I haven't done anything illegal, at least in these countries. It's broadcast, unencrypted traffic that your phone is just shouting out to the world. So in Poland at CERT, 44CON two years in a row, Black Hat Vegas, Securi-Tay in Scotland, Black Hat Brazil, Black Hat Singapore (that's you guys), BSides, DEF CON, Black Hat EU, ITWeb in South Africa, ZeroNights in Moscow in Russia. So at all these
conferences I've been running this. Well, let's just grab you guys, so here's Black Hat Singapore, and run the transform fetch clients. Hey, it's you guys who forgot to turn their Wi-Fi off. So these are all of your devices: laptops, tablets, mobile phones. And based on the MAC address of the device, because we're just looking at Wi-Fi at this stage, we can see that this device is a Samsung device, based on the first half of the MAC address, Apple device, HTC, Apple, etc. So you can see all of you guys. OK, live demos, always interesting. Let's see if we can find something cool. Just grab a subset of you guys down there and let's just say fetch SSIDs. Now if it comes back with no SSIDs, that just means your device was sending a broadcast message for any wireless networks out there. So the little brown blips down there are the networks that these devices are looking for. So Meg, Meg, Morpheus, Logitech, Don't Touch. This one's pretty noisy, there's a whole bunch of devices there. Well, what's interesting is when you see, so this device I guess here, isn't it, and when you see multiple devices looking for the same network, that's sometimes interesting. So you may or may not get a result here, but often you might see five devices looking for RBS, which is Royal Bank of Scotland, then you know there's employees here from the Royal Bank of Scotland. Okay, that's cool. Let's grab, so this device looks kind of noisy, let's grab those wireless networks. You can say fetch locations. What that does, it queries the WiGLE website. Now WiGLE doesn't have an API, which means you have to do page scraping. If no results come back, that could mean that either they weren't in there... Let's just try that one, let's grab a few more. So usually when you see fairly unique network names you would expect to get a hit. Yes, one I prepared earlier. So here's a device, an Intel device, and it's looking for rapid7, and here we've geolocated that either to, you know, the United States, I assume, somewhere in Russia, and I'm not sure what that was there. So
I guess rapid7 maybe has offices in those locations. If you double click that then we get a Street View photograph, so maybe that's the office there, and you get the address and, yeah, a link to Google Maps if you want to view it in Google Maps or something. These guys come back with anything? Yes, there's one good hit. So this device here, ones there are six whatever, so geolocated to the States. Unfortunately no Google Maps image of that place, it seems, but we get the full address. So where's this, JSON away Nevada, so it's someone from Nevada. Okay, so that's interesting.

What else can we do? So we can potentially afford to see overlap between different conferences. Let's grab two locations, BSides London and Black Hat EU, and let's see if anybody here was at both of those events. So just turn up the number of results all the way up to the maximum, and grab both of those and say fetch clients. And there, we see these three devices were at both of those conferences. Then maybe grab just those devices, copy to new graph, and then try and figure out more about just those guys. So fetch SSIDs. So there's some pretty noisy devices there, maybe we can get a hit on one of those.

Okay, what else can we do? So I mentioned data interception, so I can set it up to run a rogue access point and then connect to it, or convince your devices to connect to it. Oops, there, we got a hit. So that geolocates to... that's not a good hit. So if we go across to this window, so this is the Snoopy software, this is running on my laptop at the moment, and I'm gonna run it and I'm gonna say bring up a rogue access point and then get my phone to connect to it. And of course it's stopped working while I was talking to you guys. All right, lucky I was running it before the break, and if we look at which growth was it... actually I can do this slightly differently. Okay, so I'm gonna show you this demo. So here's a photograph, and it's a photograph of the SensePost offices in South Africa, and let's pretend that we release
this photograph. There's me and one of my colleagues, we had our hackathon this past week. So what can we do with this photograph? I can get EXIF information from the photograph, so I right click on it and say get EXIF data. That's a kind of metadata, so it could be location information or the type of camera used and that kind of thing. And it seems, whoops, we actually did accidentally or intentionally geotag that photograph, so we know where that photograph was taken and we know it relates to SensePost. I can then, I have a transform here to query all access points that are around that location. So I've got some GPS coordinates somewhere in the world, and now I'm gonna say fetch from the WiGLE database all access points that are within a 500 meter radius of that address. So this is not data I've collected, this is data in the WiGLE database. So all of these access points are around that location. I can then go through all my historical data from all the conferences I've been to and see if I've been to any event where a device I observed at that event was looking for a wireless network within 500 meters of this address, which I suspect is the SensePost office. Alternatively, I tested it with some other companies here, so you can find the address of Qualys, say, plug it in and check your historical data and see if anyone here is at Qualys, or at any prior event that I've been to. But I find it better to pick on SensePost because I don't get beaten up afterwards. So yeah, we see that these devices here are looking for WLAN-AP, not that interesting, whiteford, maybe more interesting, Linksys, Linksys, so given this name is quite unique. So what that means is that these six devices here, at some conference in my massive database, were looking for a network within 500 metres of the SensePost office. So let's just grab those devices, copy them to a new graph, and let's fetch locations. What locations were these devices observed at? Observed at BSides, security, ITWeb, so most conferences actually,
so this probably is SensePost people. And then we can just check what networks they're looking for. So what networks were these guys looking for? Noisy devices, it seems, bad SensePost employees. And we start to see stuff like, so I added a bit of extra data just to highlight the point, but if we see stuff like Hackito Ergo Sum, so we know that's a hacker conference, DEF CON, so because we see named networks that appear to be, you know, security related, that's probably SensePost employees.

So what did I do there? I figured out where SensePost's offices are. So I could have entered the street address, but I had a photograph here, the EXIF data, figured out the GPS coordinates of a SensePost office, then looked for all networks that are around that area within 500 meters of that office. So if you went to South Africa, went to our office, you would see these networks. And then for all of those networks I checked my historical data to see if I'd ever observed any client devices that were looking for those devices, and I found six devices looking for a network within 500 meters of the SensePost office. And then I see these devices are looking for networks like Hackito Ergo Sum and like DEF CON, and then for network names like this, they're fairly unique, there we've managed to geolocate this one to two possible addresses. I'm not gonna double click that, so it might give my address, but potentially I can very quickly figure out the home address of SensePost employees. Tried that against a few other companies here and it does work pretty well, but yeah, I don't want to get into trouble.

What else can we do? As I mentioned, the rogue access point. So let's just grab these devices and copy to a new graph, and say I was running the rogue access point, I want to intercept data from these guys. So I intentionally did this to myself because I don't want to, you know, do any data interception with you guys. And there I see this Apple device, which is my phone, was browsing these two websites
whilst tricked into associating to my phone, so vampire freaks and Rubicon project. So it's browsing vampirefreaks.com and I can grab the cookies. So there we go, there's the session cookie for this device that was browsing, username Jimmy nine-one-one. So you can actively intercept data from devices.

And one final demo just to put all of that together. So what's nice with Maltego is you can run what's called a machine, which is running multiple transforms at once. So here I have base of operations, I can do a whole bunch of transforms simultaneously. Now what this is going to do, it's going to fetch all active drones, it's then going to get the location of all those active drones, get all clients that were within those areas, it's then going to look for some commonality, so look for devices observed in multiple locations, so observed at the airport and at Starbucks and at the hotel, grab those devices, and then it's going to go through historical data of a rogue access point and see if any data was being browsed, and then it's going to grab Facebook friends and potentially the Facebook inbox, but I won't show that. And the end result, it's running a bit slow, but the end result is the slide here. And so I click one button and it does all these operations in one go, and it finds that it was a device at Heathrow Airport, phones, Hyde Park and Starbucks, and these devices, the BlackBerry, the Apple, an HTC, observed, and those devices looking for these networks, GMC guests and Verizon, which we geolocated to San Francisco and the Arab Emirates. Then the data interception might bring up a rogue access point, the guys are browsing Facebook, so we stole the Facebook session and managed to get a friends list, and we see that those two guys, Jim Anderson and Charles Smith, have those three friends in common. So Maltego is really nice for exploring data. Here's another graph of people who have attended all the conferences I've been to, so you can see all the overlap between the different
cons there. So for example that Apple device has been to 44CON and to verse 44CONs and Black Hat 2012. Yeah, so it's nice for visualizing data like that. And I showed you figuring out the SensePost employees.

Here's an experiment I did sitting in Kings Cross train station in London for about 12 hours, and see the graph, number of unique devices observed over time. So, yeah, big spike over breakfast, small spike over lunch, big spike in the evening, so just looking at a kind of macro level there. And then the ratio of devices observed, so this is from all the conferences, so seventy-seven thousand devices I've observed, and a big chunk of Apple, over three quarters Apple, then HTC and Samsung, and then going down. Interesting to see how popular Apple is.

There's a bunch of scenarios I can envision this stuff being deployed in. So I mentioned the UAVs flying over, maybe a riot area or something, so degree of law enforcement or bad stuff, peaceful protesters. Another example: let's say you want to figure out the identity of a celebrity. So I noticed Jeff Moss, founder of Black Hat, he's at the back of the room. So if I know he's here and I'm running my Snoopy drone, he's playing on his phone, I know he was at another Black Hat conference, say Brazil, and I collect data from that conference, then I know he's at some charity event, so I go to that event, and I keep going to events I can physically know he's at. It's like a correlation of all those different events, and if I see one device being observed at all of the different events then I know that that device is most likely Jeff, and then once I've identified him then I can probably do some more active attacks to try and get information off of his device.

There's a lot of other scenarios where this tech is actively being used. So you may not know, but most shopping malls have this stuff running already. So in retail, for example, it's companies like Path Intelligence and Euclid Analytics, and they track your devices. They use the same tech, yeah, so Wi-Fi, Bluetooth, NFC, all
this kind of stuff. They also use cameras and audio and stuff. The military is also using it, so Netline and Verint, they have this exact technology to do exactly what I've described. The difference is both of these cost lots of money; this stuff's open source and free and off-the-shelf hardware. I found this image which I thought was cute, considering I'm flying drones, yeah, the Drone Survival Guide. To understand how to survive drones, go to dronesurvivalguide.org.

A quick graph here on conferences I've attended, and seeing the number of devices I've observed related to the number of attendees, and a metric on the end, devices per person, which is very rough. So it's Black Hat here, I've observed 398 devices of 500 attendees, so yeah, quite a lot, but I'm sure I haven't covered all the areas. This was just running on the small device yesterday for a few hours. And yeah, I think that gives me about three minutes for questions, if I'm not mistaken. But yeah, thank you very much for your time and let me know if you have any questions.

Yes? Yep, good question. So how can you defend yourself, this is Alba Navarre attack, so can you stop your smartphone, at least on the Wi-Fi side, from being so noisy? No. It seems that the latest iOS, so iOS, the most recent release, it seems that they stopped it to a degree. I've had various tests, sometimes, so it's mostly, it's much more quiet, but Android, Windows, all the others, they're still just as noisy. So you have two options: turn off your Wi-Fi when you're not at home, or clear your network lists. So on Apple products there's only one option, delete all networks, not so convenient, but on Android and Windows phones you can selectively remove, so should keep those, so you should ideally delete those, so delete ones that are open networks, or Starbucks. That'll stop the rogue AP type attack, because that only works against open networks. But then also, you may not like it, as it's convenient when you go home to your BT Home Hub 1 2 3 4 to automatically connect, but you might be shouting out your home address to the world, which
in a roomful of hackers might not be a good idea. So it might be a good idea to name your home network something a little bit more common. Yeah, there's other problems there, but that's a good idea.

Yeah? Planting SSIDs that allow me to track users in... all right, yeah, that's a good idea. So I could bring up a normal access point called something slightly unique, internet four four five, and somebody voluntarily connects to it, then going forward in the future if I see someone looking for that SSID then I know that's a previous device I've interacted with. Yes, that's a good idea. The nice thing with the new Snoopy framework is it's very modular, so you could add that kind of functionality quite easily. Any more questions?

Yeah, good question, where do you draw the ethical boundary? So as security researchers I think our main role is to look for weaknesses in existing systems and shout them out to the world, and that's how the security industry moves forward. That's why systems like SCADA are very, you know, they're so full of holes, because they've been hidden from hackers, it's something better you must hide from the hackers because hackers are bad, but by not doing that they haven't been attacked by hackers and therefore the defenders haven't had to upgrade the defenses. So what I hope to get from this project, because I'm releasing this, I'm releasing the source code, I speak at conferences, I'm saying look at all this terrible stuff I can do, but now you're all aware of the terrible stuff I can do, that other military organizations and retailers are already doing. So I'm hoping that I'm maybe on the moral high ground here, because I am demonstrating how dangerous this is, and now maybe Apple and Google and whatnot will say, hey, maybe this is a bad idea to be giving away so much information, maybe we should update our stuff. So I guess I don't think about it too much. As a security researcher I'm demonstrating there are weaknesses, and I hope by
demonstrating those weaknesses people will make their stuff more secure.

Yeah? So if you physically compromised a device, can you use it to your advantage? Yeah, good question. So the way it works, so there's a few configuration options. One is to use a VPN, so I bring up a VPN from this device to the server, and that's nice because then I can send all intercepted traffic through the VPN, so it exits at one central device on the server. Another option is capturing data locally, and there's a web service that synchronizes the data. Now when you're synchronizing the data you have the option to flush data immediately, so as soon as it's synchronized, remove it locally. But if you capture the device and physically pull out the memory card you'll either see the key for the web server to sync the data or you'll get the VPN creds. But what's nice is, I don't have it on this one, but on the Nokia for example there's an accelerometer, you can get a USB accelerometer for the device, and I've got a plug-in that, if the accelerometer is activated in some way, destroys the device, so just flush the filesystem. And of course if you're using an encrypted filesystem as well then you can maybe just shut down. But if you are using accelerometers you can have a self-destruct mode. I wanted to use thermite but they said I couldn't, so I just delete the data. Cool, any other questions? Excellent. Well, thank you very much for your time.
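The clean-up advice from the Q&A above (remove open networks, avoid distinctive home network names), as an added example that is not part of the talk: a Python audit of a saved-network list in `wpa_supplicant.conf` format. The sample configuration, the `COMMON_SSIDS` list and the finding labels are constructed for illustration.

```python
# Illustrative list of widely shared network names (an assumption for this
# example; a real audit would use a much larger list).
COMMON_SSIDS = {"linksys", "netgear", "default", "dlink", "wlan-ap", "starbucks"}

# Constructed sample in wpa_supplicant.conf syntax.
SAMPLE_CONF = '''
network={
    ssid="BTHomeHub-1234"
    psk="constructed-passphrase"
    key_mgmt=WPA-PSK
}
network={
    ssid="Starbucks"
    key_mgmt=NONE
}
network={
    ssid="linksys"
    psk="constructed-passphrase"
}
network={
    ssid="HotelLobby-7F"
    key_mgmt=NONE
    scan_ssid=1
}
'''


def parse_networks(conf_text):
    """Return one dict of settings per network={...} block."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks


def ssid_name(raw):
    """Decode an ssid value: quoted text, or unquoted hex digits."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def audit(conf_text):
    """Map each risky saved network to the reasons it should be reviewed."""
    findings = {}
    for net in parse_networks(conf_text):
        name = ssid_name(net.get("ssid", ""))
        reasons = []
        has_wep_key = any(k.startswith("wep_key") for k in net)
        if net.get("key_mgmt", "").upper() == "NONE" and not has_wep_key:
            reasons.append("open")               # any AP using this name is accepted
        if name.lower() not in COMMON_SSIDS:
            reasons.append("distinctive-name")   # name may map to one location
        if net.get("scan_ssid") == "1":
            reasons.append("probed-by-name")     # directed probes carry the SSID
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(reasons)}")
```

Entries flagged `open` are the ones to delete first; a `distinctive-name` entry for a home network is the case for renaming it to something more common.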
Info
Channel: Black Hat
Views: 13,599
Rating: 4.630435 out of 5
Keywords: Information Security, InfoSec, Black Hat, BlackHat
Id: GvrB6S_O0BE
Length: 58min 17sec (3497 seconds)
Published: Sun Aug 03 2014