WIRELESS VILLAGE - Attacking Gotenna Networks

Video in TIB AV-Portal: WIRELESS VILLAGE - Attacking Gotenna Networks

Formal Metadata

Title
WIRELESS VILLAGE - Attacking Gotenna Networks
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
The talk will focus on the privacy (or lack thereof) of goTenna networks. We will cover traditional attacks which, prior to the popularization and wide availability of software defined radios, were only available to state-sponsored actors. We will cover signal analysis, triangulation, protocol analysis, deanonymization, cryptanalysis, spoofing and selective jamming. Since the goTenna ecosystem also includes an app, we will cover the vulnerabilities in the underlying crypto libraries, weak token generation, broken API segregation as well as other vulnerabilities. You too can learn how to analyze, snoop on and exploit RF networks like a pro with a HackRF, a laptop and some elbow grease, sweat and sleep deprivation.
Hello, my name is [inaudible], and the presentation today is Attacking goTenna Networks. Quick disclaimer: you should definitely try not to violate FCC regulations or other applicable laws in your state and country, all the good stuff. Anything I say is my personal opinion and not that of my employer, so don't blame them. A little bit of background: I've been a security professional for eighteen years, doing vulnerability research, attacking various wireless systems, medical devices, life-critical devices and infrastructure.

For those of you not familiar with the goTenna Mesh, this is what we're talking about. We're not talking about the first generation goTenna; we're talking about the second generation goTenna Mesh. This is what's inside the plastic case. For those of you who know the Wireless Village, something should jump out at you. First of all, there's that really amazing antenna you can swap out, which actually doesn't exist, because it's a regulated device that does not require licensing, so you're limited by its power output; you're not supposed to be able to add on a bigger antenna, though some folks have been able to modify them. The second thing you should notice is that amazing tiny little battery, which is supposed to last twenty-four hours, but from the testing we've done we've been getting about three and a half hours, especially with a few people active on the network. This is billed as the device you could use when everything else fails, so something else you should notice is the waterproof seal on this case, which also doesn't exist; it's basically ultrasonically welded together, which means that if there is pouring rain and flooding, these devices don't seem to survive very well.

So why did we do a talk about attacking something that's supposed to be the backup network when everything fails? First of all, the only way to see whether something really has any business being an emergency communication device is to see whether or not it's being touted as emergency infrastructure, and they have received quite a bit of that. One thing I do know: they're being deployed at some of the large ski resorts, not just to help people find their families on the mountain but also to be used for emergency communications, and New York City is actually giving away quite a few of these to businesses that were previously impacted by Sandy. So again, a large metropolitan area, millions of people, that would be relying on it as critical infrastructure when there is no cell phone service. goTenna has also had an opportunity to become emergency infrastructure in Puerto Rico. Obviously we have not had a lot of good data coming back about how well it's working; it's kind of been scattered, because, well, things are still mostly down. But from what I've been able to find online it has not been very encouraging; we're going to go through some of those things and what to expect. Interesting thing: you'll see them using an output of one watt. Not exactly what you want to see in emergency infrastructure. It's on the 900 MHz band, roughly the ISM band, and covers both region one and two. It can work with a cellular interlink if you pay for the premium subscription; we're going to get to that. Again, if this is emergency infrastructure and the cellular goes down, then so does your cellular interlink.

Again, not very helpful. Compare that with a typical handheld walkie-talkie that covers VHF and UHF: some are five watts, and in some cases a lot more if you buy from certain Chinese manufacturers. You're able to have APRS, which is a position reporting system. That makes the radio quite a bit more expensive, but again, it gives you an actual digital radio that you can connect to a computer; you can send messages and position data; you actually have a GPS that's built into the radio. It's an open standard; you're not locked into the little plastic device. It's an open standard, you have interoperability, you can use multiple manufacturers, multiple different components and put them together, even with open-source software. And of course, again, if you buy from various manufacturers you can do out-of-band operation, covering MARS bands and in some cases even police frequencies, which you should definitely not transmit on, but receiving is obviously fine depending on where you are. Cost of entry: this morning the goTenna Mesh was a hundred seventy-nine bucks; a handheld is still twenty-two dollars on Amazon Prime, delivered to your door. [Audience question.] Yes, so it's a hundred seventy-nine for two goTennas, correct; you need two for it to work. If I have one goTenna I can't call this gentleman because he may not have a goTenna. [Audience comment.] Correct, yes, you have a wide community of ham users, as opposed to people who just bought into this closed ecosystem. And of course all the police officers who are on the island at the moment. Looking at the handheld radios, you have an actual digital modem, again built-in GPS, something you could use without a cell phone being connected.
Basic operation: first you have to install the goTenna application on your phone, which becomes rather difficult if the internet is down. So even if you were to air-drop goTennas somewhere, the instructions start out with: fully charge your goTenna, well, power is down; then download the application, from where, the internet is down. You connect your phone to the goTenna and you turn on the goTenna, essentially, and then you can connect with other users, and your messages can travel hop to hop for a certain number of hops. Up until a few weeks ago it was three hops; the last update pushed that out to six hops, again because of propagation issues, because you're only getting a few blocks if you're really lucky with the various devices. Looking at the FEMA website, this is what they demand from emergency infrastructure: it needs to be resilient, it needs to stay up even if there are mudslides, monsoon rains, earthquakes; it needs to be robust, it needs to be secure, reliable, and that last one, open standard. Now, I haven't seen any other way to work with the goTenna Mesh, so again, it fails on that point alone before we even examine the secure portion a little bit deeper.

Encryption and decryption are handled in the cell phone application, not on the device. That means it opens up the iPhone and Android devices to attacks. Because there have been two major updates to the goTenna application, we had to scramble to do a kind of a source review while here at the conference. We're going to be publishing updates to the slides with the actual issues that we found in there. What I can tell you is that there are initialization vector issues in the open-source code that they're using, and there are key storage issues: once the keys are actually generated, they're stored in a way that's essentially accessible to many other applications on the device, so if you have a malicious application, or if you don't fully trust the government in the area where you're running the application, they could extract that data and move it to another device. The algorithms that they're using are sound and peer reviewed; however, their implementation is flawed. One of the big things I want to point out again is goTenna's mesh relay: if somebody is paying for the premium subscription, they're using somebody else's device for backhauling, using its cellular connectivity.

Which is really great if you're in the middle of a city and everything is working fine; not so useful if the cell towers are down. When somebody does a default install, the GID, which is the global identifier, by default is set to be your cell phone number. Again, not really great for anonymity. It is possible to set the GID manually, but it's not very straightforward; you essentially have to know that you want to do this and go back and do it. So if you're in a large network such as here at DEF CON, we've been harvesting quite a few phone numbers; even the audience here has been using phone numbers. We haven't called up these people to verify that they are goTenna users; in large cities they typically are. Public shouts, again, the phone numbers go out in the clear in the text. Emergency broadcasts include the GID as well as somebody's GPS location, or somebody's last known GPS location; your cell phone application is leaking data. And there's been a really fun application released in the iOS store, which is the mesh developer kit; we've been able to identify developers who are working on the goTenna Mesh devices and essentially locate them physically on a map, and then with two goTennas we have a nice comparison.
It's a map of where they are located in New York City, where they go to lunch with their phone still running the application. We're going to see if we want to release the full set; the default screenshots are from California, but I think we're going to release the New York map. I mentioned the GID briefly: by default it's the phone number. It is user configurable, so that increases the attack surface; one easy way in is through all the cell phone numbers. The goTenna Mesh application, the official one, does limit how many direct messages you could send, but since there's an open SDK, you can go out there and grab five hundred API keys and just start bombarding the whole network for hours and hours, and there's absolutely nothing anybody can do to stop you. And of course there is no authentication, so it's always going to be on the network.

Now one of the almost funny attacks that could be implemented (by the way, if you're in this room you may have noticed that your hop count has dropped significantly) is the GID attack. The way it works is that the hop count is based on the GID of the device that relays it; however, you can pair multiple phones to have the same GID. So for example, I have a device with a GID of 123456789, and I'm a good citizen, I'm helping you propagate your network, but wait, this device has the same GID, and this device, and possibly his device. Now suddenly you have messages that are essentially round-robining in the same network, and their hop count is dropping. So I receive a message, and let's say the hop count is six, and every rebroadcast drops the hop count to five; then this device gets it and, since it's the same GID, drops it back to four. This third device drops it again to three, so now the distance the message can propagate has been dropped to essentially half of what it would have been, with just what's in my cargo pocket. Again, not resilient infrastructure. And just to emphasize: in emergency situations it could be a nation-state level attack, it could be a bunch of kids, it could be a guy intentionally causing a grid-down situation. If you can implement an attack that drops emergency infrastructure for a cost of under two hundred dollars, that is not robust.

If you want to play with this attack, what you need to do is set up one goTenna with your friend's GID, so essentially set up their phone number, pair their goTenna, turn off the goTenna you've been using and pair your goTenna. So essentially you're telling the app that you dropped off the old goTenna without deleting the ID from the actual radio, and this lets you bypass the controls within the application that prevent the GID attack. If they ever do fix the application, what you do is stop by and pick up a few burner phones, twenty or thirty dollar phones, and you set up the application with a custom GID being exactly the same. Another really funny thing is, if you program your friend's GID, because these devices are meant to work offline, it doesn't do proper public key validation. So if you know your friend is supposed to meet with somebody else, you set up their GID and you go there in their place; you will receive the direct messages that are meant for them. They're supposed to be encrypted, and your device will successfully decrypt them, because, as I mentioned, there's an initialization issue with how goTenna does encryption. There's been a major firmware update on August 7th.
They finally pushed the fix for version one; the last time you heard of all the vulnerabilities for version one was over a year ago, right here at Wireless Village last year. So if you're talking about robust infrastructure, over a year to fix security vulnerabilities is not really what you want to see from critical infrastructure. They pushed both an app and a firmware update; the new firmware has been over thirty-two megabytes, so I have not had a chance to really sink our teeth into it, which is why we're going to publish an updated version of the slides. I mentioned they are using known good ciphers. The ciphers themselves have been peer reviewed; however, the implementation that goTenna is using has not been through peer review. I let them know about this as far back as the 17th [month inaudible], so I don't feel too bad about releasing information here or publishing exploits. Their response basically has been, well, it feels like a bunch of whining, [inaudible] something better, and my response to that is: you are the guys who are pushing out a "robust" architecture and saying that this is a secure thing people should be using. The fact is that the phone application itself, if you have other malicious applications on the phone, can be tracked. We have not found a malicious application in third-party app stores yet, but it doesn't mean there won't be one by the time this talk is done. Bluetooth attacks: there's been a really cool Bluetooth rebinding attack, which means if somebody is sitting here and has their goTenna with them, you can force their phone to unbind the Bluetooth connection and essentially take over their goTenna. Other attacks: USB debug is actually still turned on on these goTennas, so if you have physical access and you find somebody's repeater node that's been placed in a strategic high location, you can actually reprogram it and then leave it there and nobody will be the wiser.

You actually can mess with other goTenna nodes over the air. Even playing with fuzzing over the goTenna protocol, the goTenna Mesh has not been robust at all; we had numerous unintended lockouts, and we've been able to recover them with a firmware update over the air. But you could certainly go around and crash other goTennas over the goTenna Mesh protocol. You can also push malicious firmware updates over the air, because these devices do not do proper certificate validation. This seems obvious, but arguably lives depend on these. This is what it looks like when the power goes down: people just stare at their screen hoping the bars will show up. [inaudible] And then you start building infrastructure, and this is what gets communications up, this is what helps hospitals communicate, this is what helps emergency services actually respond even in a grid-down situation. This is a toy; this is not, again, backup infrastructure.

In an emergency situation I could hand you a ham radio, even though you may not have a ham license, and now all of a sudden you can communicate with emergency services, you can talk to other ham users, with police officers. If I were to hand you a goTenna and you don't already have the application on your phone and don't have all the maps, the goTenna is completely useless. Questions? [Audience question.] I have not found that in the API docs. They pushed a number of updates recently, so goTenna version one has been updated, but not to the latest updates; the developer SDK is about three versions behind right now. [Audience question.] Very, very significant. So they use different frequencies. Version one did not include any kind of meshing; it did have a more robust antenna, physically speaking, however it is ten times less efficient, so the new devices, while using less power, actually do have the range. As I mentioned, with the meshing right now, if everything works, they can do six hops, whereas the old version was direct point-to-point communication. [Audience question.] They've updated the API twice since then, so yes, they're able to push more data between them, and that's how they were able to add the cell phone backhaul. So it did change the protocol; it's in both, they changed the application and the firmware. I still have not had a chance to dig into what they did with version one that was pushed four days ago, because we've been too busy updating slides for version two. Any other questions?
[Audience question, partly inaudible:] ...essentially use the GID for the private key?
That is correct, but neither does the other user, so essentially, when you're operating offline, if I walk up to you and it looks like I have the correct ID, since your phone doesn't really have my certificate, it will just trust it.
[Audience comment.] That's correct, yes. Thank you for coming.