
Attacks Against Top Consumer Products


Formal Metadata

Title: Attacks Against Top Consumer Products
Number of Parts: 93
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
This is not just another "I found a problem in a single IoT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they've discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We'll review the security of these popular products and services in a 'consumer reports' style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused, vendor-neutral information security services firm providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in Instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.

Leading the charge of Urbane's Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IoT. More information on Erin can be found by following @SecBarbie on Twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie
Transcript: English (auto-generated)
Good morning everyone. I see most of Def Con is not here today because it is Saturday morning. Can't expect that. So welcome to I Fight for the Users, episode one attacks against top consumer products. I'm Zach, this is Erin, she's tech Barbie. And we always
like to start with a slide of what our credentials are. We like to always say don't trust the speaker just cause they're up here, trust them because you validate what they're saying. So instead of having a long list of certifications, things we do, we like to say judges for everything else. So before we get started, uh it's Erin's first time speaking
at Def Con. And we've been informed that goons are no longer allowed to do shots with first time speakers. So this is Erin's way of celebrating. Congratulations Erin.
Alright so before we get started, and in all seriousness, this is our our con speaker rule 101. So both Zach and myself have been around this game a few few years. And what we see persistently is companies go out and they they love to use these conferences as
great PR hooks. So I want to start off by apologizing to every single news media outlet that reached out to us. But we learned really quickly years ago that as soon as you start dropping information, especially when you have things like consumer product, IOT, your talk will get pulled right away. So you've heard probably very little about what we're going to
talk about but we hope to excite you with a few uh I don't know, names. We're not being very vague today. So welcome to Def Con. So we're we're kind of covering three different topics here today. First is we're going to talk about or I'll talk about bluetooth uh some fun things with that for bluetooth low energy. Uh Erin's going to be
talking about some wireless security products uh especially on the camera side. And then I'll also talk about uh on Windows security side some fun things we found on there. So you might be like this is a little ADD, this seems a little odd ball to be jumping all over the place. Uh yeah it is. Uh but having one talk that goes on for forty five
minutes, it kind of gets a lot of setup, a lot of like okay well let's talk about ourselves. We spent five minutes now. Um let's talk about the background of this. So we just want to get through it and we're kind of ADD by nature about the stuff we want to look at. So we figured what better format than to just kind of jump through a bunch of fun topics and do it that way. So first thing bluetooth. Um yes we have another
bluetooth talk. We we've had a few bluetooth talks over the last four days including black hat um blue hydro was released this week by uh Zero Chaos and Granolocks over at uh Def Con 101 earlier. Um we've got a talk coming up about pic actually it's today isn't it? The bluetooth lock picking uh from a mile away. That's really cool I do want to go see it actually. Um and then over at black hat side there was a gap proxy
tool and a replay um tool and a kind of fun bluetooth suite. So why do we have another talk about bluetooth low energy? Um so a little back story. Um I like magic. Uh I've always been kind of fascinated with it and I always had this dream as a kid to start a magic
bar. Like a theme kind of magic bar and yes they exist but it was kind of my little thing of like being able to have fun with that. And there's always the basic rules of magic. One never reveal a secret. Two never repeat the same trick twice. Three practice over and over and over. Right? And so one and three we can get covered but how do you in a
restaurant or some other establishment track if you've shown the same trick to someone over and over and over? So it kind of got my mind going as to how can you track who someone is in any kind of environment? So I kind of came up with this long list of ideas as to how you could track someone. You know can you get them on the car on the license plate reader, through their electronic toll collection RFID, through bluetooth on
their car. Uh and there was a great talk 2 or 3 years ago about how the toll systems are using bluetooth to track cars. Um if they come in by foot though or you're in a major metropolitan area where people aren't coming by car. Um could you do it by facial recognition, voice recognition, different ways to their cell phone, what do they have on them? Um credit card, all these different fun things. And then always the not so
fancy ways of just asking what is your name? Um and so I kind of was thinking about like well how do you, outside of like this from that kind of application, how do you track someone right? And so it kind of came down to these 3 areas of or 4 areas of like well these are the key ways that if you could get positive data that isn't all garbage. Um
but Wi-Fi is a little bit of a problem. Uh so we've gone through the Wi-Fi tracking thing for years. We've talked about it, about how the phones are probing for Wi-Fi. I'm not going to dive too much into it but I hate to pick on Nordstrom's because I love them but they were the ones who got called out hard. Home Depot was doing it too. All of them kind of stopped this practice but it was a way that we were tracking user behavior by looking for the Bluetooth or the Wi-Fi probes from your phone.
Uh but the mobile device manufacturers caught on to this, they started doing randomized MAC addresses and they decided that ok only if you connect to a genuine SSID will I take and actually display my real MAC. So we kind of take it as a data point but we don't trust it now for Wi-Fi as not all devices randomize but most kind of do on a
Wi-Fi. So that leaves us with Bluetooth, car keys, RFID loyalty card. That's kind of the key ideas I was like messing with in my head. And well yeah we could do car keys, I'm not great on my SDR skills, I'm getting better but uh and the RFID loyalty card is kind of lame. So let's talk about Bluetooth. I'm not going to spend too much time on
Bluetooth 101. If you want to learn more about Bluetooth and its stacks there's plenty of talks about it but for those of you who are catching up with us today uh Bluetooth Classic uses one meg- one megahertz channels, has 79 of them for data, one for broadcast, hops at 1600 times a second. The MAC address, effective MAC address, the
address it uses uses a uh upper address part and a lower address part to make up the address. You only get the lower address part in the packets. Um and we all know about this and the only thing that's really using Bluetooth now is obviously audio devices, um headphones, Bluetooth here pieces, that kind of stuff. But we've kind of moved a lot more to this Bluetooth low energy or as Bluetooth likes to call it, Bluetooth smart.
Smart. Um and we talked about a lot about the insecurity in the past at other talks. There's 37 channels, there are 2 megahertz wide for data, 3 announcement channels and then the increment of rotation of those channels and the interval and all that is dictated when it does the join to the master. And what you get basically is you have a
6 byte address, effectively a MAC we'll call it for the sake of everyone, um that's used to do it in the advertisement and then when it actually connects a 4 byte access address that is actually used to communicate for that session. Everyone with me so far? I know it's early but I don't want to waste too much time on Bluetooth. So Bluetooth does
have security though. When we talked about the wifi randomization um the Bluetooth group actually started a randomization also for it's it's addresses. And Bluetooth smart. Uh and actually this is the the funny thing they actually have an ad on their site or an ad, a blog post on their site about protecting your privacy with Bluetooth. We've got
good stuff. And they use this photo of this child walking alone. The biggest thud I've seen in a long time of scaring you of like my kid's being tracked oh my god. So like I said there's the access address right? That's what's actually used in those data packets um but they change upon the disconnect and reconnect every time a device is connecting except for in the advertisements in which is static. Um so long term
tracking of these access addresses isn't so reliable. Uh obviously if a device is connected for a long time you can track some behavior moving throughout for an hour, two hours but if there's any kind of disconnected activity it'll regenerate. So it gives you a good short term tracking but from a long term perspective you can't
really track someone with those access addresses. So it got me thinking. So we we've got randomized addresses on that side. We've got randomized addresses on the access around the advertisements and the access. So what else is there? So when it comes to Bluetooth there's two different kind of profiles. There's the generic access profile, GAP, and the generic attribute profile, GAT. Um I'm not going to dive too much into
these because obviously this is not a 101 talk. Um but basically the GAP and GAP profile provide the communication standard for communicating to the device to basically sub the connection and actually communicate with the services that the device the slave has. So I started looking at these devices to see what could be tested and
obviously you go around you play with the tools you're like okay nothing nothing nothing. I travel a lot. Um a lot. So I've noticed when I was on planes that all of a sudden a lot of devices started showing up. So um so normally walking around you saw a few devices and we we didn't really know what the behavior of all these devices were.
We saw certain bit bits and that kind of stuff but what what's the deal? So it turns out that certain devices when they are disconnected from their phones or whatever they're paired to uh they jump back into advertisement mode. So uh for your simple coding pleasure if it's not paired it goes into advertisement mode. Uh and and again this is unique behavior we started determining with some of these devices. So can we
get devices to disconnect and actually take and start broadcasting again? Uh the the answer is uh yeah we can. Uh it's interesting that you can actually jam the 2.4 gigahertz range with uh some success right? Uh basically using the USRB USRPB210 uh you have about 56
megahertz of bandwidth. It's not reliable uh especially it takes a lot to drive it. But you can basically effectively create a 2.4 gigahertz jammer using a SDR uh by generating some random data and all. So we did this and we tested it and we noticed by jamming the two those frequency bands of two hundred two thousand four hundred twenty eight megahertz
to two thousand four hundred seventy eight megahertz so basically that fifty six fifteen megahertz band we can actually take and get the devices to fall off and jump back to their advertisement channels. Uh but obviously this depends on the host uh I have to give credit to iOS they have great frequency hopping and detection so basically the phone detects okay I see a lot of jamming I'm gonna move to this frequency band and repair. So it
does have some reliability but it's a little odd. The other way to get them to disconnect is by blasting terminate connection packets. Uh this is basically effectively the the bluetooth version of DAuth is you look for the access address and then you just spoof a disconnect and it terminates. Now granted again limited window and it gets
wonky with some devices uh we know some devices don't like to rejoin after they've been told to disconnect. So it's one of those things that if you're trying to track someone it kind of gives you some good opportunity to get an ID from them and get connection to the advertisement side but not so much that it's not gonna be noticed. So we've all talked about tracking before right? So why am I rambling about tracking
tracking tracking? Well a lot of the talk before has been about well it's possible. Okay well with who? With what? You know this is really more of an implementation issue. Um this is when it comes down to individual devices implementing it especially on the consumer side what does what? Amazon Best Buy probably loves me by now because I just
bought a crap ton of bluetooth devices that people use every day. Um and we're gonna go through a few of them and set what we tested and basically we did a consumer report style kind of testing against them to see what privacy information are they actually leaking? And we'll start with the worst. Sorry I need water. These guys were on
Shark Tank a while back and you may have heard them because it's kind of a funny idea of shocking yourself every time you do something bad. Um it's also a fun thing to shock your friends when they do something bad and they're like oh I'm trying to learn to be hit what what stop it! Um but basically they use a static MAC address the MAC
last 4 sorry 8 bits? 8 bits. 16 bits. 16 bits sorry math is hard. Last 16 bits of the MAC is actually in the SSI er in the name of the device. Correct me on my math. Um and if you don't happen to have the the MAC address from the static MAC address or from its name send a GAT request to it and it gives it to you and it asks you to
hex. I don't I just. Somebody wrote a bad converter on that. So this is super easy to track because we have a static address. Never rotates. But like I said they've started implementing this rotation in Bluetooth smart that devices are starting to take
advantage of. But then we have these devices that are meant to track you. Um tracker and tile we'll talk about tile next but effectively these addresses they show up in the broadcast as being random uh and they do generate a random one because the ID's rotate through it but the ID actually never really rotates on it. Uh the MAC address we've noticed over a period of over 4 months they never rotate. I said they did but they never
rotate. So it effectively seems that as the device powers on it generates a new one but it never powers off it never rotates after that. As well as with these devices meant to track you it's meant to as a community can track you so irregardless of the MAC address there's a static ID associated in the GAT profile that will take and actually
display in the case of the tracker the raw MAC address of the device and it constantly broadcasts when it's disconnected. Tiles the same way um the tile identifier in GAT is uh one of the services in there. Uh again static MAC address effectively because it does randomize but never rotates uh it randomizes on boot. And it stays connected to a device but only while the tile app on a phone is open. Once you
close the tile app it disconnects. Our friends over at Fitbit the Fitbit 1 also uses a random MAC address but after about 4 months we didn't notice it rotated at all. Uh it doesn't remain connected to a mobile device at all. So basically to save energy it only connects when you connect to it and say hey how many steps do I have? What's my my
time? All that stuff. But it does remain connected so it's constantly broadcasting as well. So things have started to get better after this. A little bit. Uh with the withings active another device we tested the MAC address randomizes but it still advertises the raw MAC address in the advertisement data which broadcasts out. So
while the MAC address is changing it's advertising it's real MAC address inside the manufacturer data. Uh okay. Uh that's a security choice. Then the Pebble Seal also uses another way we can track the devices is in their name and we've talked about this before too but has in the name the last 4 digits I'm done doing math um of the MAC address and
it's random but still after days of rebooting the device and turning it on and off and losing power it still kept the same static address. Uh but advertising it as random. Again in the device info in the gap profile it's got the serial number of the device and it goes to sleep every once in a while so it's not really reliable but it's a cool choice it
also uses classic so we can track its lower address too. So interesting choices on how it connects. The Fitbit Ulta the MAC address randomizes but again like all the other ones they stay static for 4 months even after battery loss. Um getting a little bit
better. This one doesn't turn Bluetooth on until you actually turn it on to sync mode. This one has the name er the Microsoft band has the name of the address uh inside of the device name and it does randomize the MAC so we're halfway there. We got a name that's kind of static as to what you set it for but the addresses are rotating. So and then on the better side of things the people who actually implemented security well we
gotta give credit to Apple they rotate their MACs pretty well. Android wear um this was on sale thank you Amazon Prime Day. Hey! Um but also notice that this is really cool on the uh Android Wear watch is once it's connected it stops responding to broadcasts forever. Uh basically it'll still randomize it'll connect to the device it knows but
unless you go into the watch and say let me reconnect it doesn't respond to broadcasts anymore so I have to give kudos to them cause that's actually the best we saw of all the things. iOS devices as well like to broadcast some Bluetooth low energy noise. Uh they do randomize though and advertise that they're an iPhone, iPad, etcetera but
that MAC address randomizes constantly so while it's being used in fun apps including Safari we noticed um take that one on for size and think about that. It does randomize quickly and randomly so there's not really any trackability on the actual iOS devices we noticed. So we have to give kudos to these three doing it right the rest we kind of went through quick cause it's kind of the consumer report style. Um
and what we were gonna do is we were gonna release a tool with this to kind of track all these things. Fuck you zero chaos. He kind of beat us to the punch and got a better tool out so I just said nope bravo we'll we'll we'll do it on that side and point over there because they they did a great job on that so the Pony uh Pony Express crew released this uh was it Thursday at one oh one? I think he posted it probably three days before
there and four days before then so um this is definitely a great tool to look at for tracking those things it doesn't I don't think it supports GATT yet but I'm sure it will soon if I have a few more minutes to tweak some code. So where do we go from here about all these devices? Do we complain about them all? Um and I spent fifteen minutes rambling about this. Um we really need to start testing more and more of these devices to
determine what's the implementation issues with them instead of just like well it's a problem. With these new IoT things it's obviously a problem across the space and we've all complained about IoT this IoT that. Um so we're throwing up on oh I forgot to actually commit this this morning. Uh throwing up on GitHub uh basically a repository that we can submit pull requests to that as you test the device and say hey I looked at this and
it does this this this this behavior and we'll have a little checklist of things we're looking for. Then we can all kind of source together as to hey here's how this specific device behaves, here's the trackability of this device. Not that it's possible, not fill people with FUD FUD FUD FUD uh but that it's actually possible or that it's possible for this device and this implementation. Long story short uh when
MAC addresses are random look for things that aren't involved in the MAC addresses include not actually randomizing them. The uh GAP and GATT leaking serials and the device names. You can knock a device off Bluetooth uh using either uh the deauth packets or actually broadcasting on 2.4 gigahertz a lot of noise. Um certain frequencies. And when
the standard while the standard of bluetooth is great supports a lot of cool stuff uh these devices aren't implementing it. Alright I'm gonna switch it over now to Erin who's gonna talk more about the home security side. Alright this is a squirrel part of our talk. Squirrel. Oh he's not done. He has to get back up again. Don't you guys don't do that
to him. Just give him a minute. Right yeah right. You're gonna yeah don't don't feed the ego. Not yet. Later later. Alright so we're gonna talk a little bit about consumer wireless camera and office security. So before we get into this we've had lots of talks
about uh wireless CCTV all this kind of stuff so let's chat about what we're not gonna talk about. We are not gonna talk about weaker default passwords. You guys have Google you can use it. Yes everybody with the exception of maybe 10% of people still use all of these. Congratulations. We're also not gonna talk about IP weaknesses but if you
wanna make your uh network even more insecure this guy on YouTube can actually help you out and tell you exactly how to route it to the external internet if you really want to. Good times. I mean it was helpful. It was his intent. We're also not gonna talk about deauthing 101. Um everybody has Google. Download Kali. Use some Google fu and you
can figure out yourself how to buy the cards that'll work and deauth it yourself. So. Hint. Hint. Also we're not gonna talk about Shodan. It's awesome. Not this talk though. Go have fun with it and I wanted to put a slide up and say we're also not gonna talk about Pokemon Go cause it's almost as fun as Shodan but. So uh so who cares about
these CCTV cameras and the security? Well you know what? It grinds my gears. I care. Because these camera companies are selling it as security devices. Not all of them. Most of them are selling security. So that got me to thinking. You know what if? What if these
were used as security devices? Well I wanna be a bad guy and for anybody that knows me knows that I have a little problem when it comes to automobiles. I like them a lot. So uh so step one in my little mental process when I was thinking about these cameras was was kinda
getting into the mood. So I wanted to channel my inner sway and think about hmm if I had this this absolutely amazing warehouse full of Ferraris that was protected by these security cameras. What would I do? This also plays into homes and stuff but I find Ferraris
to be a lot more fun than thinking about the homes right now. So the first thing I would do. Get into the mood. Second thing I would do. I'd get some information. Information's a pretty easy to find. Especially you know we have this technology or I'm gonna use that really loosely. Everyone in this conference we've been talking about
war driving for freaking years. Decades almost. Wow decades. Wow that's old. Anyway it's old. So some people call it war driving. In this case we're gonna call it target identification. So with that you can drive around because these devices are lovely and like to tell you who they are all the time and in their MAC addresses you can actually
tell who they're from. So you can go onto the nice little Googles help us out again and identify who exactly these cameras belong to. Or you can actually just look for the cute little stickers that come with the cameras that say hey you're on camera and some of them even have the brand name on them. Even easier. So with that I'm thinking about where the
attack goes. So obviously we've had many talks that have talked about um wireless yawing and whatnot so let's take that a little bit of a step further. This talk was kind of composed with the idea that let's find out what these cameras actually do. Let's find out what happens when they get deauthed. Let's find out do they notify? Do they recover?
So in the attack we're gonna be thinking about the fact of how long it would take an intruder to get into a facility, a building, a house, whatnot. What they would have to do ahead of it. How long they would have to deauth the cameras and could they make it
away clean so to speak. So that being said you know we're not gonna talk about point of entry and whatnot like Zack said earlier there's a wonderful uh Bluetooth lock talk and so I'm assuming some of these homes that have these lovely uh camera systems also have the Bluetooth locks and we can do a whole bunch of fun things with that as well. So the
attack. So in the attack we're gonna talk about which cameras are weak. So in order to do that we had to just like Zack go and buy a whole bunch of cameras. But you know since we this is DEF CON and you know we're progressive these years I wanted to make sure that we had diversity. So we have lots of different cameras that we tested. Lots and lots of
them from different manufacturers of different sizes. So we went from the big guys to small guys that's them. So which one of them are not saying they're a security camera was my question. I showed you guys earlier all the articles and whatnot. So how
many actually uh say they do security? All but two. So there are two really really I'll say forthcoming companies that don't claim to be security cameras they're just like hey we're this this is what we are. Good for them. So what was tested? So we did a little
bit of everything. So obviously we want to know what the offline time was. We want to know if it does any kind of notifications. So if you get bumped offline network interference what not what's the threshold of notifications? Is there any type of cached video on the device? So if it's knocked off how you know what what amount's
gonna actually store locally before we have to recover? What if there's any type of wired network options? If there's any type of SD options on the device itself for local storage? Type of power kind of I was curious whether it was battery or wired obviously it's points of failure there. Additional equipment needed for the function of
cameras. It's not all of them are just stick up. And any other performance observations. So because we were actually being pretty pragmatic about how this was done we actually had a test procedure. So you know at zero stopwatch starts at about a minute in we did a targeted deauth attack. About every thirty seconds we were waving our hands for motion recognition cause some of the cameras did require it. And at about ten
minutes into the attack we did the targeted deauth ending so we terminated it and we gave it about five minutes from there to see when it would come back online on the network. So this is my high tech setup. It's pretty impressive. So we have the uh the timer.
Whatever camera was being tested at the time. The iPad with the camera app so we could actually visually see what was going on with the camera when it was gonna recover and obviously a whole bunch of uh aireplay fun going on right there. So that being said I like to always prove my work like in my good old math classes. And live demos never work so.
And live demos never work so for you guys I want you to know I spend many a weekends with my GoPro taping these lovely things. But I fast forwarded them for you. So this is your drink break. Anyone who has coffee or anything have a nice drink. Take a second. Yeah there's about like two minutes and I fast forwarded the crap out of these
and split screened them so uh yeah. You get the idea. So now the results. Kuna. I love this little Kuna device. It was a Kickstarter actually um as were a few of these. But the
cute thing was the Kuna device eh it kinda did what it said it was gonna do. Not quite security. You know it recovered after about a minute thirty a minute forty after the deauth ended. The positives. It's a light. If the camera doesn't work you got a front light. Yay! Another positive it's wired. There's no way around it. There's no battery powered. It's it's
hard wired. Um the negatives only if the app's open are we getting notifications. Uh one of the other negatives or positives depends on how you look at it. It had this really cool uh pardon me. The clanking is killing me. It had these cool status lights.
At the bottom of the light. Which were super helpful and I appreciate the developers that put them on there because you know it's supposed to help out the consumers to let them know if it's paired and what not. Or if it's online. That's always a good one for an outside security light to have it flash red. So one of the things we learned from the deauth attack is after uh ten minutes of it being online uh deauth it kinda just
doesn't recover. Uh before that if you cut it a little bit early it'll do the the minute forty recovery. But you let it go longer it kinda falls over. So in the testing you know these are consumer products. We did a few rounds of testing and found these things out. Well like I told you about these cute little status lights. I was googling you
know for the point of this talk and trying to see if I could find you guys a pretty picture because I actually didn't fly to Vegas with a picture of the bottom of the the status lights. And I come across this. On their website they actually do tell you, good to
them, that it will fall over and not recover and you have to reset up the wireless camera after ten minutes of deauth. So let's just say hypothetically you have one of these lights out in front of your house. You lose power for more than ten minutes. You forget. Your your light's useless you know. So I would love to talk to someone who's doing
the IoT monitoring of things. There's your uh your start for your little project because these are some of the things you should be looking for. So because of timing I'm gonna try to go through these a little faster. Immedia has this cute little Blink wireless HD monitoring and alarm system. The Blink is totally cute. I will give it credit that with
movement it will recover in about about nine seconds. It does have a onboard about ten five to ten second video recording. Um it's clip based though. None of this is persistent recording it's just clips. But the cute thing is it's easy to mount. It does continue doing the clips. Negative you know it does require a base station. It is battery power. There is
no option for uh SD there's no wired option. It is what it is. Amcrest which I had never heard of this until again let's look at Amazon and find out what the best selling wireless camera on Amazon is. It's this one. I don't know how. Anyway uh it is cheap it is cheap but you would think that maybe Nest would anyway uh so it recovers in two
minutes. Not a bad little camera. It keeps about ten seconds onboard storage that does have a wired option for wire for wired network not wired power. Um it does have wired power. And there is an on off switch on the unit. Not overall a bad camera. Somebody
like that? Yay Amcrest. Anyway D-Link. D-Link we love D-Link just for the purpose that they don't actually claim to be a security camera. They're like hey we're a net cam. We're cool like that. I'm like alright. So on the positive it does have an SD option. Negative there's uh there's no actual wired option for the camera itself. It
recovers after about a minute after the deauth. No movements required for that one actually. So Netgear cute little Arlos. I love these Arlos. They recover after about forty five seconds. They're versatile cause they have a cute little magnet. That's how they attach. And they have a sticker. So remember to the war driving. Please yeah put
no no let's not put the sticker up and say it's not even bad that it's a sticker it actually just tells you what it is. So you have a few options when it comes to my little putting on my sunglasses and being sway and breaking into my little Ferrari warehouse for these. These are great. I could just deauth it go grab em all put em in my
bag throw it in the Ferrari and drive out. So. So again requires a base station. It is battery powered. There's no SD or on board storage. Again no actual wired option for the camera itself because again pops on a little magnet battery powered. Here we're getting into the fun ones. So the Logitech the Logi Circle. Oh sorry. Alright we gotta run.
I never thought that. Okay anyway. Alright ADD theater here. Logi Circle. Logi Circle recovers in about a minute thirty. Um it does do some uh constant push notifications. Negatives has on off switch on the unit. Again magnet can grab it throw it in my bag in the Ferrari out of here. No SD or on board storage. No wired option. Belkin my little
buddy. I'm gonna give you like one more second. He recovers after I call it the negative ten seconds cause it does have an on board buffer. So the nice thing is it does come back pretty quick. So the on board memory does recover it. I don't know if that was intentional or network interference based because they don't actually tell you on
their website in marketing that they do that at all. They also don't tell you that they're a security camera either. Yay Belkin. Um there is an on off switch on the unit and we did find inconsistent push notifications through the app. So it doesn't help you too much. Samsung recovers up to ten seconds if there's immediate movement. Down side to that one. Not immediate movement. Eh until the cat walks through. So positive SD option. There
is a wired option to it. Uh the kinda negative is they're kinda working on their cloud option. There isn't one. There wasn't one for our camera. There was for other cameras and so that's that's forthcoming and the SD storage only is on downloadable through the app. Download the clip to the SD directly. It's not permanently it's not running a
constant cache. So the canary all in one security device. Canary's awesome on the recovery if there's immediate movement. Again please have your cat running through after a burglary. So uh again the deauth attack there's a very quick recovery two seconds. There is a
wired option. There's notifications. The sad part to the notifications is it takes thirty minutes. So it has to be offline for thirty minutes and that's kinda not enough. Uh because the other side of that it has to be offline consistently for thirty minutes. We did try an attack where we deauth it for about ten minutes brought it back. Deauth it
ten minutes brought it back. You can pretty much do that for awhile. So the negatives uh movement is required for recovery. Nest. Nest. Not drop cam. Nest. Anyway recovers after twenty seconds. Uh Nest is actually pretty good. I'm not gonna I'm not gonna beat them up too bad. I I hope that we see better things coming from them in
the future. It does keep between thirty thirty seconds and four minutes of cache. We were finding inconsistencies through the testing of that just because we did everything at uh 720p but it seemed that lighting any other uh ambient movements were causing that to change and fluctuate. There are push notifications for activity. Uh they're pretty
consistent so that's definitely a positive. No SD option. No wired option. So. Huh. I know. I'm going I'm going going. Okay so very fast. Oh shoot. Uh bad guys won't put in the effort. Yeah right bad guys are putting in the effort to do some of these attacks. We're not talking about it to consumers so then what should consumers actually
do? Uh wired's better than wireless. Uh verify and understand the limitation of the products like Zach said. We're trying to put together a database so that way everybody in this room can also contribute to what they're finding on their own. Nobody's talking about this to consumers. This is our consumer disclosure. Just tell consumers this is what you're putting in your house to protect yourself. Let's be
let's be smart and understand what we're doing. These cameras do have unintended great uses like real estate. Anybody selling your house in here? I feel put one of these cameras that has the voice, listen to what the potential buyers are telling you. Anyway I'm out. I went too long. Thank you. I have 10 minutes to do a whole topic. Uh one
thing I want to reiterate about Erin's side that I don't think she uh really announced and made everyone really clear on that I thought was great. Um so all these cameras basically do the wifi deauth on and they're offline and Erin is there any cached recordings for the majority of these cameras or which ones have cached recordings? Oh her
mic's not working. She said very few. Sorry. Um but yeah so like I I know that the Nest camera was 30 seconds or 30 seconds to 4 minutes. 4 minutes is the max. So basically once you deauth these cameras they're offline. They're not seeing any movement. They're not seeing anything. So if you wifi deauth them guess what? You have no recording and there's no cached recording on most of the devices. The ones that the SD card options do. So I have to talk about Windows for its consumers. I have 10
minutes. We're gonna get through this fast and the teleprompter's gonna try to keep up with me. Good luck. Have fun. Um so a lot of people are buying Windows devices especially with Windows 10. These are tablets. We have fun with them. Um and we're not gonna be talking about OEM devices with all these custom configurations cause the duo security crew they did a great job on that. Uh but we tell users all these things. Patchy device, install antivirus, use HTTPS, use a password manager, watch out for
suspicious downloads. Uh don't use suspicious wifi. Pick a strong password. All these are great things. Oh it's gonna get faster. Uh reading. Sorry gotta keep going. These are all great things we need to keep telling users but these are things that are not gonna stop this. So back at DEF CON 20 I gave this talk about NTLM relaying. I don't have
time to slow down. I have probably 20 slides to go. Um back at DEF CON 20 I gave this talk about NTLM relaying. You can watch it on YouTube or all the other places that it's up there. The old focus was about relaying NTLM network authentication to corporate accounts. We were focusing on corporate corporate corporate and focusing on internal attacks. For those of you who are just joining us today, Windows uses NTLM for some network authentication. It does use Kerberos as well but uses NTLM for hashing. It's
an MD4, the password. Uh but it's also used for network authentication and signing of network authentication at some points. NTLM network authentication has 2 flavors. Version 1, version 2. Uh basically has a client say hey what's up? Do you support this? Yup here's my challenge and here's the uh the hash of the hash. Have fun. Um Microsoft recommends uh to switch over to Kerberos. Indescribable. Love you. I hope
that shows up in the video somehow. Um and by the way Windows auto authenticates things. So how does Windows auto authenticate? It uses uh we've talked about WPAD. There's not another WPAD talk. There's been 2 other WPAD talks about all the fun things with that. But with WPAD Windows auto authenticates with NTLM and some things.
Windows 10 does this less but Chrome still does it. Um there's other ways to get users to auto authenticate with things. Um it's not just WPAD. You can also use injection of UNC paths into HTTP traffic if you're on a rogue access point. Uh certain file formats support UNC paths and third party applications that don't use uh proper cores. Uh yeah.
I won't name names. Um but for a while we talked about this on the corporate side, the corporate side, the corporate side on the internal attacks. But was it internally only? DEF CON 20 talked about how exchange web services were also vulnerable. But this is still a huge issue. Now I've talked about corporate corporate corporate. We never really talked about cracking these hashes which are possible and we've always said it's possible to crack them. We never talked about the implications of them. Um so for corporate sides we can do VPN access, SharePoint, SharePassers, all that
fun stuff. But what about personal users? We're talking about fighting for the users. Things that we're gonna go and defend against them. Um so well what if they have a SharePass with a certain accounts? What if they're broadcasting these things? What about local file shares? What about those things? So we've talked about this for years for Windows XP, Windows 7. Then Windows 8 came along and Microsoft decided to introduce a thing called Microsoft accounts. On Microsoft accounts they included logging into your Windows device. Yay! I have a one minute demo video because
demos rock. This is the point where I actually have to wait the full minute. So we launch a rogue HTTP and SMB server in a tool called ZackAttack. Yay! There's an update soon. Um we use the NBNS broadcast. We set the options to broadcast to this
device that has a rogue HTTP and SMB service. Exploit. We wait. This is real time by the way. If you notice this is a Microsoft account with an email and an Outlook dot com address. Yes that's a fake email that we set up for this. And there goes the auth. We run it in
oclHashcat. Crack the password. We get the password of hunter2bang. Wow no one got that. You guys are all noobs. I love you. We go ahead and go into Microsoft dot com. This is the Microsoft account. This is the account used to log into the machine. We log in with that Microsoft account and the password we just cracked from a network
broadcast authentication request. We copy. We paste. Copy and paste. Come on. Real time. Sign in. Come on get there. I have ten or five minutes left. We're logged in. Yay! So what does that mean? I don't have time for applause. First off Moomic said that I have
to release an update. Uh yes ZackAttack is getting an update for Zacks who can't code good and want to learn to do other stuff good too. Um yes I have to post that but yeah there is cool new things with webhooks and with um uh the Microsoft accounts I've added in there. But yes sure enough your Microsoft account that you're using to log into those machines to log into your Windows 10 devices it's using your Outlook, Gmail,
Hotmail, all those fun emails you use. It's actually broadcasting those across the network. So what? At a minimum it's information disclosure of the user's information. But we this is the first time offline password attacks are valid over a network thing. Yes it's worked on some bad services before but never in this thing. So what happens when you crack someone's password? You get in their Microsoft account. What do you actually get? You get their date of birth. You get their zip code. You get
their billing information. You get the last four of their credit card numbers for all the billing things attached to their Microsoft account. And yes these things are sensitive. This is a 2012 article from this a reporter who got completely pwned. Um but basically someone got a hold of one of his accounts, got the last four of his credit card and used that to pivot to all his things. You also get their search history including things well this is a libertarian noob who wants to commit first degree murder. Um and
if you're a heavy Microsoft user using your Microsoft account not just all your things but for all the things you've got your OneDrive, all your freaking files, your emails, you've got remote file access to systems if you haven't enabled. You've got Wi-Fi sense that fun thing to share passwords if it's enabled obviously. But yes
from a network broadcast thing from sniffing someone on the same Wi-Fi access point. No offline cracking is not original but it's the original application of this. We've used our offline passwords before and but we've never had it where it's harvestable from a LAN before. So what we've told users, patch your devices. Yes it's still important but it doesn't matter for this. Install antivirus. Yes some ha- uh host intrusion
detection systems detect default challenge. Just change it. You're cracking it anyways. You're not using a rainbow table. Um by default uses NTLMv2 so it doesn't matter. Use HTTPS only well you're gonna hit HTTP endpoint and WPAD broadcasts don't care. Um user password manager health but doesn't actually help if you're cracking this. Helps with other accounts. Don't use or suspicious downloads doesn't apply to this. Whoops. Um
don't use suspicious Wi-Fi seriously we tell people this why don't we just protect them. Pick a strong password that doesn't mean something. Well we should we should never tell users just use a random VPN service cause that's a horrible friggin idea to trust traffic with someone else. But for some reason we think that's a good idea to tell people. Um what we need to tell them. Pick a strong password. Enable two factor
authentication. Yes in Microsoft it takes over ten steps to take and enable two factor authentication including in adding device passwords to all your devices. Oh my god it's painful. Um you need to use unique creds per site. Yes that's important so if someone gets one cred they're not gonna be able to publish it. And maybe avoid Hotmail and Outlook and all of OneDrive for a little bit until you can take and use a local account. How do we fix this? Disable NTLM auth? Uh yeah
that's kinda sucks telling users how to disable NTLM auth but that's one way to fix it. The other thing is just don't use a Microsoft login account to login your system. Use a local account instead. So TL;DR. Gotta stock Windows laptop. Attack around the same network. Use a Microsoft account to login. You're pwned. Alright I have three minutes. Summary of the issues. Uh fitness tracking devices that we talked about with Bluetooth can be tracked and monitored for certain implementations. Wi-Fi security cameras. You deauth them. They're off the network. There's no recordings and
some don't give notifications. A few give notifications after 30 minutes and there's very limited caching on most devices except for the two we pointed out. Consumer Windows laptops are constantly leaving creds for offline cracking. This is the first time we've seen that there's gonna actually be offline cracking against those kind of things. Wanna acknowledge these people for doing some cool things. Moobics. Fuck you. And end of line. Two minutes remaining. We're gonna go ahead and post the slides. I'll slow
down. We'll post the slides up there. Um we're gonna go ahead and I don't know where we can take Q and A because we're right up on the time. Uh we'll s- where can we
do Q and A? Right to the side? Outside? We have two minutes so we'll have to go outside. Yeah. Uh we'll take outside uh to the next track and get in here. Thanks everyone for coming. We appreciate you guys coming out to you. Make DEF CON great again. Thanks for coming out.
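An added monitoring example, not the speakers' tooling or anything released with the talk, for the point made about the camera whose notification fires only after thirty minutes of continuous offline time and about the "start for your little project" on IoT monitoring: it reads a constructed heartbeat log and flags both a single long outage and cumulative offline time inside a sliding window, so the ten-minutes-off, ten-minutes-on pattern described above still raises an alert. Camera names, the log format and the thresholds are assumptions.

```python
"""Camera availability monitor (added example; assumptions are marked)."""
from collections import defaultdict

# Constructed sample log, not captured from any real device. Each line is
# "<seconds since test start> <camera name> <online|offline>".
# front_door mirrors the on/off deauth pattern from the talk: three
# ten-minute outages separated by ten minutes online.
SAMPLE_LOG = """\
0 front_door online
0 garage online
0 driveway online
600 front_door offline
1200 front_door online
1800 front_door offline
2400 front_door online
3000 front_door offline
3600 front_door online
100 garage offline
300 garage online
500 driveway offline
2500 driveway online
"""


def parse_events(text):
    """Return (time, camera, state) tuples sorted by time; blank and # lines skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, cam, state = line.split()
        events.append((float(t), cam, state))
    return sorted(events, key=lambda e: e[0])


def offline_intervals(events, end_time):
    """Collapse heartbeat events into (start, end) offline intervals per camera."""
    intervals = defaultdict(list)
    down_since = {}
    for t, cam, state in events:
        if state == "offline" and cam not in down_since:
            down_since[cam] = t
        elif state == "online" and cam in down_since:
            intervals[cam].append((down_since.pop(cam), t))
    # A camera still offline when the log ends is an open outage up to end_time.
    for cam, start in down_since.items():
        intervals[cam].append((start, end_time))
    return dict(intervals)


def offline_seconds_in_window(intervals, window_end, window):
    """Total offline seconds of the given intervals inside [window_end - window, window_end]."""
    window_start = window_end - window
    total = 0.0
    for start, end in intervals:
        total += max(0.0, min(end, window_end) - max(start, window_start))
    return total


def evaluate(intervals, single_threshold, window, cumulative_threshold):
    """Return {camera: [findings]}; cameras with nothing to report are omitted.

    "long_outage": one interval at least single_threshold seconds long (the
    continuous-offline rule the talk describes).
    "intermittent": cumulative offline time in any trailing window reaches
    cumulative_threshold, even if no single outage does. Checked at the end of
    each outage, reported once per camera.
    """
    findings = {}
    for cam, ivals in intervals.items():
        out = [("long_outage", s, e) for s, e in ivals if e - s >= single_threshold]
        for _, end in ivals:
            total = offline_seconds_in_window(ivals, end, window)
            if total >= cumulative_threshold:
                out.append(("intermittent", end, total))
                break
        if out:
            findings[cam] = out
    return findings


def run(log_text=SAMPLE_LOG, end_time=3600.0, single_threshold=1800.0,
        window=3600.0, cumulative_threshold=900.0):
    """Assumed defaults: 30 min continuous, or 15 min total within any hour."""
    events = parse_events(log_text)
    return evaluate(offline_intervals(events, end_time),
                    single_threshold, window, cumulative_threshold)


if __name__ == "__main__":
    for cam, items in sorted(run().items()):
        for kind, *detail in items:
            print(f"{cam}: {kind} {detail}")
```

With the sample log, front_door never trips the continuous rule but does trip the cumulative one at the end of its second outage, while driveway trips both.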