WIRELESS VILLAGE - Exploring the 802.15.4 attack surface

Video in TIB AV-Portal: WIRELESS VILLAGE - Exploring the 802.15.4 attack surface

Formal Metadata

Title: WIRELESS VILLAGE - Exploring the 802.15.4 attack surface
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract:
Whilst 802.15.4 technologies such as Zigbee have been around for some time, our understanding of the threats and risks associated with them has been lacking. As new use cases evolve, so do the opportunities for attack and exploitation. The purpose of this talk is to provide a real-world exploration of where I've been finding Zigbee devices with a purpose-built war-driving kit, some of the live collection I've done, as well as an exploration of the risks and what can be done. By the end of this talk, audience members will have an appreciation for the cool technologies floating around their environments, an appreciation of the issues associated with the 802.15.4 protocol, and how to plan and prepare from a security standpoint.
My name's … and this is a talk on exploring the 802.15.4 attack surface.

The talk I have for today is really more of an exploration: from knowing absolutely nothing, to knowing a bit, to getting some familiarity with what's out there and starting to draw some conclusions. I have a security practice in Sydney, Australia, which I've been doing for the last few years, pen testing and the like, but I also lecture at the Defence Force Academy in Canberra.

A friend of mine sent this through a little earlier this morning. Funnily enough we have our labs, and of course we have things going on in there, so everyone involved was very patient with the stuff we've been doing. I took over the course for wireless and IoT security in 2017 and it's been evolving ever since, working out what we really want to get out of the course, as well as taking in some student contributions. What we've found in a number of our classes is that students just purchase equipment and bring it in. Early this year we had a box from Costco, a home alarm system, where we found a couple of bugs in the HTTP interface, which could be accessed without authentication. So late last year one of my students, who also works in … , said, can we start doing 802.15.4? And it was, well, yeah, OK.
As I was starting to go through a lot of my preparation for this, it was: well, there's stuff out there that helps, but this really starts from the 802.15.4 standard, which deals with networks that are low power, low data rate and need high reliability. There are different protocols built on top of it; some not so much, but Zigbee, of course, became the home one, the one that was fairly widely adopted. So what are some characteristics of it?

It operates in the 900 MHz and 2.4 GHz ISM bands. That being said, that doesn't mean your phone can actually connect with it. Funnily enough, when I was doing some of this research, a student had tweeted something and observed, well, you can just do this with your phone. Other facts: while you keep the phone, there's a bridge to a control point or an internet connection. Off the back of that you'll probably find somewhere on that bridge some sort of HTTP interface, which is probably going to be vulnerable. You also know there's actually limited user interaction on the hardware, so it could be something as simple as a button to push, or a couple of buttons, and that's it, with all the other control features taking place in other parts. We also found that they're low-power devices with low traffic as well, which of course relates to our security: low traffic. What I think was quite interesting from a discovery standpoint was that capture and network identification proved to be difficult as we tried to war drive to map out all sorts of networks. But at the end of the day it's a wireless network, and we have the exact same issues in this environment as with 802.11: we can monitor, we can replay, we can jam. All those same fundamental issues that we have with Wi-Fi security are out there. So this was a little map I drew up to get my head around it.

Where are we at, what can we do, and how can we start doing any type of testing off the back of this? Power consumption was one that came up quite a bit, because a lot of these networks have independent power sources, i.e. they're operated by battery, and they're quite constrained by that, so heavy interaction could drain power and actually put them at risk. It was interesting that this came up in a discussion I had with someone who does research in this area: if you think about it, the nature of the devices means they really want to save as much power as they can, so something that works against that could actually damage the devices. Off the back of this, we still have the same consistent attacks: things such as jamming, monitoring, even locating networks as well, and these are what I'll stay on.
So as I was trying to prepare for this, to see what I could actually start writing into the course, I was struggling to find a lot of information. There is some really cool stuff by way of the KillerBee framework and some of the research that's been written up, but identifying products we could research, something like a light bulb, started to prove difficult, and even getting an understanding of what was where, I started falling short. I also had to start practicing some of the toolsets that I wanted, which I used with one of my students, and there was another piece of getting my head around capture and analysis as well: what would that look like, and how could that be structured into a course? At the end of the day I wanted to do something practical and relevant, and I found there wasn't something ready that I could just get a view on, or something that could be googled. So I started resorting to: well, let's actually start exploring what's out there, so that could start building a high-level picture, so I could actually start building something for students to come in and train with.

So in terms of software, we have the existing KillerBee platform, which is actually pretty cool, and then you also have a heap of software that you get from manufacturers, such as Texas Instruments, which has some pretty good stuff. On the hardware side, you see a driver which allows us to transmit, which is pretty cool. The piece of hardware I've been playing with the most is the Texas Instruments one on the top left of the screen there. I've also used a couple of others, including another device, which I'm going to be playing with, that allows us to also work in the 900 MHz band, whereas the other two devices are really focused on 2.4 GHz. So what did it start to look like as I was doing research? My first setup was simply a
Nexus 5 with a dongle, and what I was doing was walking around polling for networks. The issue I started to discover was that only a handful of networks would actually respond to any sort of polling. The other problem, if you think about it, was also having to channel hop: it's having to do it across up to sixteen frequencies, so if you're walking along in the environment you may only have a couple of frames from each, which may not actually translate into anything you can save, and you're probably not going to be able to capture everything. This was really cool from an introductory standpoint, just walking up the main streets in Sydney, Australia. It was an air conditioning unit that I saw on top of a rather large financial institution; there were also shopping malls, a few boxes that responded to polling and such. What became evident off the back of that was, well,

what if we did a proof of concept where we set up just a couple of the Texas Instruments dongles? At this time I was also playing with receiving on the first dongle and on the CC2531 dongles, which cost about five dollars, and identifying that the target was actually quite capturable off those. At five dollars it's actually far better than the first one I'd purchased; it was far more reliable at receiving. Off the back of this I decided to put together a very simple proof of concept for capture. The software I was using was software from TI as well as KillerBee, to start going around and hunting for networks. Just off the setup alone, the complication I wasn't counting on was the Raspberry Pi, so being able to power the USB-based devices proved quite difficult. Another issue I was having was just having the software remain stable and reliable on the Nexus or on the Pi, which also proved quite irritating relative to doing stuff off the back of a laptop. But after that we were able to say, hey, look, we'd be able to map a few spaces. Just within the city around our office things actually worked quite well, and off the back of this is where I started building things a bit more: this is where I decided to get sixteen dongles, one per channel. There's also a really cool tool I discovered as I was going through.

However, I did notice that being able to get the outputs from the other toolsets was a little bit frustrating, so I actually had to start writing a few scripts to convert them so that I'd get a proper analysis. The Nexus was struggling to support all sixteen dongles, so I decided to go back to my laptop to export all of these, which actually worked quite well. So off the back of this I started doing a whole heap of war driving around Canberra and Sydney.
These were the results for a few minutes in Canberra. I've just popped up a QR code if you want to check that; I'll leave it out there for a bit. Just to give you a bit of an explanation of Canberra and what's actually around it: you've got the lake to the south, which has the Parliamentary Triangle and a whole heap of government buildings, and to the north of it you have the commercial centre. So what was quite interesting here, and a consistent thing seen across both Sydney and Canberra, was that a lot of hotels and hotel locks out there were beaconing and were always transmitting quite a lot, so this actually became a really interesting characteristic to track.

A hotel lock would be communicating and just sending stuff, and in this case I could actually see two different hotels. This one here was also interesting; I can see someone shaking their head in the audience right now. One of those buildings is probably … , which is also a government department if you have a look there, and I also did a couple of laps around this building, seeing a lot of traffic on the south side of it, which I'm pretty sure is associated with the hotels. And then also around Parliament House I started picking up a few more.
So how did Sydney look? I thought it would be a fantastic date night to go for a bit of a war drive; my dad's laughing in the corner. It would be a fantastic date night to go for a bit of a war drive and introduce someone to war driving. So we managed to pick up three thousand six hundred and ninety packets over three and a half hours, before dinner.

What was interesting here was The Star, which is the only casino in the city: there was a lot of traffic in there. But there was also another precinct, which is also where a whole lot of the data centres in Sydney are, I believe, with two or three others down there. This is also a brand-new precinct that's been built in the city recently, so we can see that with new construction development,

as new facilities are put up, they've got the latest and greatest tech, so there was a lot of traffic around here that we identified. This isn't an analysis after a few minutes driving past each of these; it was just identifying some of these networks.

Off the back of this, having found stuff, we can start saying, well, this is what we understand is occurring in these buildings based on what we're seeing, and off the back of that we can start doing things such as much larger capture and mapping out what is occurring, and then maybe notionally planning for an attack or exploitation, which at the end of the day is stuff that I don't actually own.
So one of the things I've been doing a lot off the back of this is building what I call capture boxes. This is a solar power bank, and this is a Raspberry Pi with a battery pack and a couple of dongles connected to it. And for anyone who decides to find it: just say, hey, call me. But we were able to just leave this sitting out at a solar power plant for about twenty-four to thirty-six hours to see what we could actually see. I managed to get about sixty meg of capture off the back of this; some cool stuff, nothing major, but it's enough for us to stop, store it, and work out what we identified off the back of it and what we can do.

So after all of this identification and large-scale capture, I started to identify as many devices as I could that I wanted to start poking at and pulling apart, so simply typing into Alibaba or eBay brought up a whole heap of devices for subsequent research.

We're going to be doing a lot more work on what we call logical capture and analysis, turning up a lot more polished tooling to actually collect information. Now that I have a bunch of devices that I've purchased, I should actually start to look at a few targeted attacks on them. I'm also trying to work out whether I can have, for students, an emulated environment off the back of this, by just replaying traffic that we've captured, simulated, and even probably building a few more tools, because at the end of the day there's a lot of existing 802.15.4 tooling out there to help you apply that to the environments that you're testing. That, I think, really became one of the things I started doing over the last six months: working out what we'll be doing.

This is very much still an evolving piece, so hopefully I'll have a lot more in the next six to twelve months. If you have any questions, thoughts or even suggestions, feel free; the QR code is there as well if you want to get in touch. Thanks for having me. Are there any questions? Thank you, everyone.
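The following is an added example and is not the speaker's code, nor part of KillerBee or any vendor tool. It shows in Python the network identification step the talk keeps coming back to: pulling PAN IDs, short addresses and Zigbee beacon details (extended PAN ID, association permit, router and end-device capacity) out of raw IEEE 802.15.4 MAC frames, and noting whether data frames carry the MAC security bit. It also includes the channel-to-frequency mapping for the sixteen 2.4 GHz channels the capture rig had to hop across. The sample frames are constructed by hand for this example; the PAN ID 0x1a62, the short address 0x1234 and the extended PAN ID are arbitrary values, not anything captured in the talk.

```python
"""IEEE 802.15.4 MAC and Zigbee beacon parser for PAN identification (added example)."""
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length; mode 1 is reserved


def channel_to_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.15.4 channel: 16 channels, 5 MHz apart."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz band uses channels 11..26")
    return 2405 + 5 * (channel - 11)


def parse_mac_header(frame):
    """Decode FCF, sequence number and addressing; return (fields, payload_offset). FCS is not stripped."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    if dst_mode == 1 or src_mode == 1:
        raise ValueError("reserved addressing mode")
    f = {
        "frame_type": FRAME_TYPES[fcf & 0x7],
        "security_enabled": bool(fcf & 0x08),  # MAC-layer security on this frame
        "ack_request": bool(fcf & 0x20),
        "pan_id_compression": bool(fcf & 0x40),
        "seq": seq,
    }
    off = 3
    for role, mode in (("dst", dst_mode), ("src", src_mode)):
        if not mode:
            continue
        if role == "dst" or not f["pan_id_compression"]:
            f[role + "_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        else:
            f["src_pan"] = f.get("dst_pan")  # compression: one PAN ID serves both
        f[role + "_addr"] = int.from_bytes(frame[off:off + ADDR_LEN[mode]], "little")
        off += ADDR_LEN[mode]
    return f, off


def parse_beacon_payload(payload):
    """Superframe spec, then the 15-byte Zigbee NWK beacon payload if present."""
    sf, gts, pending = struct.unpack_from("<HBB", payload, 0)
    b = {
        "beacon_order": sf & 0xF,
        "superframe_order": (sf >> 4) & 0xF,
        "pan_coordinator": bool(sf & 0x4000),
        "association_permit": bool(sf & 0x8000),
    }
    off = 4
    n_gts = gts & 0x7
    if n_gts:  # GTS directions byte plus one 3-byte descriptor per slot
        off += 1 + 3 * n_gts
    off += 2 * (pending & 0x7) + 8 * ((pending >> 4) & 0x7)  # pending address list
    zb = payload[off:]
    if len(zb) >= 15 and zb[0] == 0x00:  # Zigbee protocol ID
        flags = struct.unpack_from("<H", zb, 1)[0]
        b.update({
            "stack_profile": flags & 0xF,
            "nwk_protocol_version": (flags >> 4) & 0xF,
            "router_capacity": bool(flags & 0x0400),
            "device_depth": (flags >> 11) & 0xF,
            "end_device_capacity": bool(flags & 0x8000),
            "extended_pan_id": zb[3:11][::-1].hex(),  # shown big-endian
        })
    return b


def identify_pans(frames):
    """Per-PAN inventory: frame count, short addresses seen, beacon details, security use."""
    pans = {}
    for raw in frames:
        hdr, off = parse_mac_header(raw)
        pan = hdr.get("src_pan", hdr.get("dst_pan"))
        if pan is None:  # acks carry no addressing, so nothing to attribute
            continue
        e = pans.setdefault(pan, {"frames": 0, "devices": set(), "secured_data": 0})
        e["frames"] += 1
        for key in ("src_addr", "dst_addr"):
            if key in hdr and hdr[key] != 0xFFFF:  # skip broadcast
                e["devices"].add(hdr[key])
        if hdr["frame_type"] == "beacon":
            e.update(parse_beacon_payload(raw[off:]))
        elif hdr["frame_type"] == "data" and hdr["security_enabled"]:
            e["secured_data"] += 1
    return pans


# Constructed sample frames (not from the talk): a coordinator beacon on PAN 0x1a62,
# a plain and a MAC-secured data frame from short address 0x1234 to it, and an ack.
SAMPLE_BEACON = bytes.fromhex("00805a621a0000ffcf000000228433221100006f0d00ffffff00")
SAMPLE_DATA = bytes.fromhex("618810621a00003412" "0812ffff34120102")
SAMPLE_DATA_SECURED = bytes.fromhex("698811621a00003412" "0812ffff34120102")
SAMPLE_ACK = bytes.fromhex("020010")
SAMPLE_FRAMES = [SAMPLE_BEACON, SAMPLE_DATA, SAMPLE_DATA_SECURED, SAMPLE_ACK]
```

Calling identify_pans(SAMPLE_FRAMES) yields one entry for PAN 0x1a62 with the coordinator and 0x1234 as devices, association permitted, Zigbee PRO stack profile 2, and one secured data frame out of two. Frames taken from a KillerBee or Wireshark capture may carry a trailing two-byte FCS, which this parser leaves in place, so strip it first if the tool kept it.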