Pentesting over Power lines

Video in TIB AV-Portal: Pentesting over Power lines

Formal Metadata

Pentesting over Power lines
Alternative Title
Hacking Your Victims Over Power Lines
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Abstract
When performing penetration tests on the internal network in conjunction with physical pentests, you're always concerned about being located. Let's remove that barrier and perform your pentests over power lines and never be detected. In this presentation we'll cover how you can perform full penetration tests over the power lines and hack into home automation systems. Home automation has been gaining momentum not only in small homes but in large companies and organizations. There's a huge variety of solutions out there, both open-source and "proprietary", that provide these solutions to your homes and businesses. Home automation gives us several things, for example full-fledged 85 Mbps networks, security systems, lights, windows, HVAC, doors, and cameras, and they are all generally done through the power lines or through short-wave wireless communications. So let's break it.... During this presentation we'll be going over the non-existence of security over these devices, show proof-of-concept demonstrations on hacking these devices, and while we're at it, demonstrate how to disable all security mechanisms that use the different protocols like X10.

Dave Kennedy (ReL1K) is a Director of Information Security for a Fortune 1000 company and the founder of DerbyCon. David is a penetration tester that likes to write code, break things, and develop exploits. Dave is on the Back|Track and Exploit-Database development team and the co-host of the Social-Engineer podcast, and started the first Offensive-Security Ohio Chapter. David continues to contribute to a variety of open-source projects. David has had the privilege of speaking at some of the nation's largest conferences on a number of occasions, including BlackHat, Defcon and Shmoocon. David is the creator of the Social-Engineer Toolkit (SET), Fast-Track, modules/attacks for Metasploit, and has released a number of public exploits.
David heavily co-authored the Metasploit Unleashed course available online and has a number of security-related white papers in the field of exploitation. David is the author of the book "Metasploit: A Penetration Tester's Guide". Lastly, David worked for three-letter agencies during his U.S. Marine career in the intelligence field, specializing in red teaming and computer forensics.

Alright, so I'm gonna try to talk as loud as I can, hopefully you can hear me or not, but thanks for coming. A real quick introduction: this is Rob Simon, also known as Kickin Chicken. He's got a really weird Twitter photo, so you can follow him on Twitter there. He's a penetration tester, he works for me at a Fortune 1000 company, he works in the application security group, and basically what we wanted to get out of this presentation was a lot of cool stuff around the home automation side as well as the broadband over power, so we'll be talking a little about that. But me, I'm the creator of the Social-Engineer Toolkit, Fast-Track, I'm on the Back|Track development team, I'm a CISO for a Fortune 1000 company, and I give hugs, so if anybody wants to give a hug after my presentation, thought I did a good job, that's how I show it. Also one of the founders of DerbyCon.

So before we start I do want to give an introduction. There's a person in the audience that works with me that has an extreme fear of people that brush their teeth, and no joke, just the talk of it makes them start to dry heave and throw up. So I've slipped in some pictures of people brushing their teeth; if that person gets up and walks out, you know exactly who it is, we'll point and laugh at him. He told his wife he's going to try to get over it in a year, so we're going to try to expedite that a little bit today.

Okay, so a quick slight diversion, since we're talking a lot about hardware hacking, where you get into it. One of the devices that we used was called the Teensy device, which you can get from pjrc.com. What the Teensy device is, if you're not familiar: Crenshaw, or Irongeek, found these little guys about a year ago, and a guy named Josh Kelley and myself presented at Black Hat and Defcon last year on it, and so we've kind of expanded our research a bit, and I wanted to just do a quick hit on this before we dive down into the power line stuff. Really what the Teensy device is, is this little microcontroller here, about this big, and we're using some of the stuff that we're going to be showing you today in the broadband stuff, but especially what this does is you can program it via the Arduino programming language and it could be anything you want it to. In these cases we basically programmed it to be a keyboard, and so when you insert it into a computer, it's got onboard memory and starts executing commands very fast and rapidly on the machine, and you're able to basically attack the system via a fake keyboard. And why that's important is most companies disable autorun, so when you insert it it's not going to automatically run; this circumvents and bypasses it because it's emulating an actual keyboard itself. Now last year we morphed it into a weapon, it was kind of a kludge: what we did was you inserted it into the computer itself and it wrote out a VBScript, and then a PowerShell downloader went and downloaded something and then executed it on the system. Well, we were really happy with that, and so you can see that's the device right there and how small it is. I mean you can buy them for about 16 bucks, and here's some customized ones. You can see the one on the left is the Teensy 2.0, the one in the middle is the Teensy++ which has more onboard memory storage, and then the one on the right is one of the ones weaponized by Irongeek that has different DIP switches which you can program to do different things, so you can program DIP switch one to target a Windows machine, DIP switch two... so if you're on a penetration test you pop it in, it does some cool stuff, right. And this is one of the ones that Garland did, which I know he's in the audience as well, the motion sensor one, which is also really cool, so you can actually detect if that person is there or not.
So let's walk through some basics real quick of this. In order, what we wanted to do with the Teensy, Josh and myself, was basically take this device and figure out a way to drop a binary onto it, and do it all through keyboard emulation. Now there's one major problem and hurdle: the Teensy device only stores about 34K of storage space, and on the Teensy++ about 128K, so your binaries would have to be awfully small or you'd have to use some sort of downloader or something like that. And so our choice to get a binary on there, what we wanted to start off with first, was taking a binary, converting it to hexadecimal basically, and then writing it out via a keyboard and then converting it back to a binary via PowerShell. So here's just some simple Python code that imports binascii, which is one of the Python modules for binary conversions to ASCII, and then we basically read in a binary, which is a Metasploit-based payload, and we convert it to a hexadecimal representation of that binary.

Okay, so we got some hex now, which is great. Now we need a way to actually convert it back to a binary on the system itself. So once you insert it, it's going to write out this blob of hex, and then you pop it back into the system, PowerShell basically, and then it's going to take it, reverse it back to a binary, and then trigger it on the system itself. So here's some more Python code, and all this, I'll talk about it, it's available in the new version released today in the Social-Engineer Toolkit; you can see the code there. And so here's kind of what it looks like on the Teensy device itself: we have different arrays to be breaking down the hex into, in order to get it to work.

And so that's some more. Unfortunately we didn't have enough size, right, a Meterpreter binary is probably going to be around 74K even if it's packed, and so we started looking around, we're like, well hey, we could do some really cool stuff with shellcodeexec. If you're not familiar with shellcodeexec, it's a small 5K executable that reads in alphanumeric shellcode and injects it straight into memory and actually executes it on the system. So we're like, okay, this is pretty cool, maybe we can get shellcodeexec as a binary and then drop an alphanumeric shellcode-based Meterpreter onto that and inject it in memory, never touching disk, so circumventing antivirus and everything else out there, and get that to work directly into memory with whatever we want to. So testing it out, we custom compiled a shellcodeexec to make it as small as humanly possible and converted it to hex, we created a Meterpreter reverse TCP stager that was alphanumeric shellcode, and then we converted that to hexadecimal and popped it into the system.
And it's, real quick, sorry, he hates the froth, that's what gets him, so that's the best one I could find of our buddy.

Alright, so here I want to show you an example, and this is in the new version of the Social-Engineer Toolkit. And so we're going to go and run SET. If you're not familiar with the Social-Engineer Toolkit, it's a Python-driven open-source toolset aimed at social engineering and penetration testing. It's been out for about two years now and has a wide variety of different attack vectors in it. It's free, community driven, hopefully you enjoy it. First, in here somewhere, Joe Fur is on the development team, Prime is on the development team, and then Thomas Werth, so thanks to all those guys for making all this happen. But essentially we're going to go on the Arduino-based attack vectors, which is number six, and we're going to do the Binary to Teensy attack, which is number seven. I'm gonna enter our interface IP address, which is going to be the reverse connect-back, and then we're going to do a Meterpreter, we're going to have it connect back to us on 443. And what SET will automatically do is take that binary, convert it to hex, pop it in, redo all the PowerShell code of commands, convert that to Unicode then base64, pop it in for you, and create a listener. Took a lot of code. And then what I'm going to do is I'm gonna copy this onto my Mac drive here, and then I'm going to upload it to my new Teensy device. Okay, so now here's the Arduino stuff right here, and this is all going to be a good precursor to what we're talking about again on the power line stuff. We're going to go and compile it. I'm going to take a device right here, which is a Teensy device, modified a bit, it's a Teensy 2.0, pop it in, upload it.

Sorry. Alright, so now we got our new code running on it, and I got a fully patched, you know, Windows XP or Windows 7 system here. We're going to insert it and see, hopefully it works. So again this is all through keyboard emulation. You guys are going to see some cooler stuff than this right now. Obviously this is typing on the screen for everybody to see; I can't type that fast, and I'm a pretty fast typer, but there was actually a 10 millisecond delay in there so it can't go faster. But we'll talk about something here in a second that's just gonna blow you guys' minds. This is basically the trivial stuff compared to what Josh was able to do here in a few minutes. So it's doing this conversion back to the binary for us, and then we should have our shell. Let's find out... there we got a Meterpreter shell. Nice job Josh. Nothing, nothing yet, so...
That's all, guys. So that was doing it through the shellcode example. We weren't happy there, we're like, okay, well we can get shellcodeexec and get alphanumeric shellcode, but what about a binary that we want as large as we possibly want? So Josh soldered an SD card mount onto the Teensy device, and basically we can natively read in the SD card. So when you insert it into a computer, it doesn't recognize it as a flash storage device, it still recognizes it as a computer; the Arduino device then reads off of the SD card natively and starts writing that binary, that representation of hex, onto that system, as large as you want it to be. So now we can basically put a 16 gig file onto that system all through a Teensy device and through keyboard emulation. So that's not really all. Try typing out, you know, a 128K file or a 2 meg file all through keyboard emulation; it's going to take a long time, right? So what Josh figured out is a way to open up a serial COM adapter and copy it over serially, all through the native USB driver itself. So you plug it in, it rewrites itself as a COM port, and then basically copies it over, and you have about a two-second write-out of a binary file versus about five minutes for a binary file. So essentially you can copy any binary over you want in any way, shape or form. And so you might be seeing, too, with all this, I mean you can see the stuff writing out on this machine itself, right, so someone's going to notice that. So what we're doing right now, and unfortunately we weren't able to bring it here, it's literally spread across our table in the office, all started with different parts, but what we did was we did an inline repeater for the keyboard. So essentially what we're able to do is take a keyboard, remove all the connections from it, have the Arduino device be the inline input for the keyboard, so when you type a key it goes to the Arduino device, then replays back onto the machine itself. But why is that important is we can now detect when someone's not there. So if someone hasn't, you know, touched the computer in 20-30 minutes or six hours, we can still move the mouse, because we can emulate a mouse, move it up and over so the screensaver doesn't kick in, and when they're not there, off-hours, you just inject all your stuff into their... no one knows that it happened, and it disables itself, you never know. I mean, so that's all easily concealable inside of the Teensy itself. And so that's stuff starting off with the basics, that's when we're trying to get the SD mounts into place, and you can see we just started soldering a whole bunch of them and that didn't go very far, but that's a free one for somebody. And that's what the finished product looks like right there.
Alright, so back to what we're talking about before. That was a good introduction to what we're talking about. When we decided to do this talk, we wanted to talk about a couple of different technologies that are using it, but we focused heavily on home automation aspects. So what we're going to be talking about a little bit is broadband over power. We'll be talking a little bit about the different types that are out there right now, like HomePlug, which is one of the more common ones. We'll talk a little bit about X10, Crestron, Lutron, Z-Wave, a few of the different home automation systems out there, and releasing some new tools and some new code out there for breaking them up a bit.

And so a little bit about BPL. Broadband over power lines was really a standard that came out to transmit Ethernet-based signals over power lines, right, and you can get them at Best Buy. Go to Best Buy and spend a hundred bucks and you have these two devices: one plugs into your outlet, power jack, upstairs; downstairs you plug another one in somewhere else, and it bridges the connection of Ethernet through those power lines. And so you can get pretty high speeds, I mean I've seen anywhere from 35 to 40 megs per second to what they tout, anywhere up to 365 x per second, all over power lines. It really depends on how much noise you have going through on your power lines themselves. And so one of the more popular ones right now is HomePlug, which is the standard that's essentially used for these new devices that are out right now. So normal wiring systems can transmit this and other standard powers; the drawback is it's really hard to carry higher frequency ranges on these type of things. Most of the newer devices support 56-bit DES and AES as well, so the newer ones that you can find in Best Buy do support AES. Gotcha, no problem, we're bouncing a bit. And it's also used a lot by the smart grid systems. There's a lot of foreign countries as well as third parties that like to use this because they don't have to invest in any type of existing infrastructure, so really they can, you know, communicate via Ethernet-based systems all through power lines. And so the more the home ones, which we did a lot of research on, but they're also being used a lot in corporate environments for bridging networks, which we're not even seeing a lot of, we're not even pen testing as attackers. They generally support, like I said, AES keys; those AES keys are generally Linksys or, you know, whatever the manufacturer of them was, so the default password key for the AES encryption is generally guessable. One cool one is the Netgear 500, which actually you can press a button and it randomizes the AES security key between the two. Unfortunately they're not generally using FIPS-compliant basic encryption key exchange, so you can actually intercept those if you want to, but I mean for the most part they're pretty decent and they're awesome for penetration testing.

And so what we wanted to do was use it for a real world scenario, and so we did it for our own company. We did a penetration test and we used one of those badge cloners to clone someone's badge, go into our organization, and then we basically modified a power supply for a computer and used that as our method to transfer the Ethernet connection over the power lines, and then back to a different room that we're hiding in. And so we're able to actually attack the network through the power lines itself, which is pretty neat. So, you know, small example here. Now this is when we start getting into the cool stuff, okay, so...
The next thing we're going to be talking about is some of the home automation stuff that we were looking at. All right, we're going to be talking about some of the home automation stuff that we were looking at, so we looked at two of the main ones, which is X10 and then Z-Wave. I don't... all right, can we go on? All right. So there's a number of other ones, including proprietary and commercial ones; there's Crestron, Lutron, ZigBee and Insteon, you might have heard of some of those. Sorry guys.

So home automation basics. Basically the X10 devices, you plug those into the power line and you don't have to run additional wires throughout your house. You can use these for security devices, so they have motion sensors, door sensors, window sensors; you hook these up to your doors, your windows, and then when they sense the signal, whenever the doors and windows are open, it sends a burst through the power lines whenever the AC wave is hitting the zero-crossing. It sends data through to a transceiver, and this is going to pick it up, and it's going to notice whenever somebody's breaking into your house. It's going to send the signals to the security alarm, then the security alarm is going to send these signals to the rest of your lights throughout the house, flash the lights on and off, and it's going to have an alarm signal that's going to go off to an audible alarm that's going to alert your neighbors, and then it also calls out and it's going to alert, you know, the authorities or a number that you set up. So some of the stuff that we were looking at is being able to maybe sniff that communication or jam the communications, and we'll be talking about that here in a second. So the basics of X10 equipment: you can also hook up your HVAC devices, so you can have, you know, timed signals whenever you want your air conditioning to kick on and off, and set that up through the power lines, you don't have to run anything through it. And then again we cover the motion sensors, lights, cameras, security systems and your doors.

Some of the drawbacks of X10 that we found is they don't have any encryption on them, so the data that goes through there, it's all documented online and on their website, it goes through in clear text, there's no encryption. Another drawback is that there's only 256 devices that you can have on a system with X10, and there's also heavy interference on that sometimes, so if you've got heavy appliances like TVs, microwaves, appliances like that, they're going to cause some interference and drop the signal that's going over the power lines.

Some of the devices for X10 also communicate over RF. They communicate, in the US, over the 310 megahertz frequency. The devices that use the RF would be your motion sensors and your window and door sensors, and then there's also some of the other devices that you can get where you plug into the wall and use wireless remotes to turn your lights and stuff on, and they also transmit some RF. The RF transceiver is going to pick up that signal and it's going to replay the signal back through the power lines to communicate with the devices. So here's some of the X10 codes that we have. You can see the different binary strings that get sent across, some of the commands for turning units on and off, turning lights off, some of the extended codes that they have out there. Not all of the devices use the extended codes, but some of the security devices use the extended codes.

So this is the X10 kit that we got. On the left we've got the transceiver that we use to send to the devices over the power lines, and then on the right is going to be one of our appliance modules, and this is going to be what you're going to control your lights with, your HVAC systems. So you're going to plug a device in here; you've got a dial on the top for a unit number, 1 to 15, and then you've got a dial on the bottom for a house code, so you can set different rooms to different house codes, control the devices on house code A, you know, turn them all off, and that could be like a corner room or whatever. So that's how you can kind of communicate with the different devices, and the window and door sensors are the same way, you know, they've got different codes that they'll send in, so when a door is open or when a window is open it's going to send that device code over to the security console, that's going to let you know which device was opened.
So we decided to try to make a jammer and a sniffer for X10. We thought it'd be kind of cool if you could walk up to someone's house and pop a plug in on the outside of their house and kind of sniff the commands that go back and forth. So what we've got right here is, we started doing an Arduino-based sensor. It's going to plug into your outlet, and we can walk up to the outside of the house, which is the cool part, you don't have to be inside, keep plugging it in, and it's going to receive all the signals that are going through the house. So when people are turning their lights on, turning the lights off, any kind of sensors that are tripped or set off, we'll get a code for that. We're actually working on a sniffer that's going to be working over GSM, so we can plug a SIM card in it, plug it into someone's house and walk away, and it's going to send us a text notification every time someone comes in and out of the house, every time somebody turns on the devices, so we can kind of case the place out, you know, find out when are they home or not home, you know, get an idea of when might be a good time to break into the house. Even better with it, on sending commands too, so you send a command to it... well, we'll show you here real quick what the sniffer looks like. So we got a demo set up, and you can see on our screen, to give you an idea of what kind of codes you'll be able to see, I gotta turn... So what we have here is, this is one of the standard remotes that you can find for it. It plugs into the power line, and then you push one of the buttons on the remote here and it's going to send the signal to turn the lights on, off. We needed Christmas lights; unfortunately it's not Christmas in July, so we missed it by a little bit, but the spirit's there. So you can imagine, you know, if somebody's tripping alarms or whatever, it's going to be sending these signals as well. So, a good visible demonstration, we got some Christmas lights for you guys to see. So someone comes home, they send the signal to turn the lights on, and nothing happens... with the lights turning on? So that's good, so let's go double-check this, make sure it's still right.

The TSA was not kind to me when my devices went through, and they knocked a couple of the wires out, so I just want to make sure everything's connected up right here. Here we go. So it's that, off, and then you can see that the lights went off, the lights go back on. So we can sniff these commands, and we can actually have these commands that are being sent to us through text messages, so we know when people are turning their lights on and off, kind of get an idea of when they're going to bed and then up. So these aren't actually hooked up to any other devices, but there's other commands on here, so we can sniff these as well, so any of the other devices that are being controlled, we'll be able to see them. So think about it, you know, in a large scenario, a lot of corporations are leveraging home automation aspects; you can essentially sniff their entire infrastructure and find out everything that's going on there. And we'll talk about the jammer in a second, but you know, they build it to actually send messages over like a Verizon network or something like that to that device and start jamming it, and any security systems that are those, and walking into the infrastructure being undetected is definitely a plausible situation. Get the backup.

Okay, so just another screenshot of a device that we have set up here.
So moving on, we're going to talk about the TW523. That's going to be the device that we had plugged in there with a phone jack, and that's hooked up to our Arduino, so that's what's going to be doing our sniffing and sending. This is one of the products you can buy; you can get it from smarthome.com, and this is going to allow you to do the communications over the power line. So what we thought would be really cool is, instead of having all this mess over here, you know, the breadboard and all the wires, you know it's going to be kind of noticeable plugging that into an outlet outside of somebody's house. So we thought we could take one apart, we can put a Teensy inside of it, and then we're going to put that all back together, kind of make it a little bit stealthier, and we can walk up outside someone's house and plug that in, and then we could start jamming signals. So we could turn off all the devices, and then whenever you're tripping the motion sensors, the window sensors, the door sensors, it's going to jam the signal; it's not going to be able to get through, it's not going to be able to reach the security console, and then the lights won't flash on and off and the alarm is not going to go on. So basically you just walk in the house, you trip all the sensors, they're not going to be able to do anything. So this is where we hooked it up and we're testing it out. The first time we tried it we actually sent a little bit too much voltage and current through our Teensy, so we got one here that we fried. So AC is kind of difficult to work with sometimes. So we tried it again, we got a working jammer. What we had to do was use a buck converter to step down the high voltage and current to get a stable 5 volts for that Teensy to work off of, so that was the most difficult part for us, but then once we got that all sorted out it actually worked pretty cool. So we'll be showing you this device here real quick. So this is the jammer. So all you have to do is you walk, you know, up to someone's house, you go into one of the outside outlets, you plug this device in, and it's going to kill all the lights, it's going to kill the sensors, and it's going to jam the signal. So now if I try to turn the lights back on, you can see that the light's blinking up here, you probably can't see it from back there, but trust me it's blinking, and nothing is going through here. So as soon as we unplug this device, again now everything is working. So essentially what that means is all we have to do is walk... you know, if you're using the security system, we're going to plug a device into your house, and now all of your lights go out, none of your sensors work, your alarm's not going to trip, it's not going to call the cops, we're going to walk right in, you know, take whatever we want, and be able to walk out.

So we got a new tool release. We're going to be releasing the code for the X10 sniffer in the Social-Engineer Toolkit, which sniffs all the traffic that you just saw, and then we've got what we call the X10 Blackout device, where you plug it in and it kills all the lights and then it's going to jam up... Some of the other technology that we've been looking into was Z-Wave. It's a little bit more improved than the X10; it leverages mesh networking, so it doesn't actually transfer any of the data over the power lines, but the way that it works is it sends signals over the perimeter... I think we got a mic, oh sorry, okay. So it sends the signals over the 900 megahertz frequency range, and it uses the mesh networking, so it's got different devices in the network, and you can kind of get a little bit of a better extended range on that. So what that means is you got one device hooked up on the mesh network and you're trying to reach another one, but the distance is too far; they can leverage some of the existing nodes in the network and kind of hop the communication through to pass it along, so you're going to get a little bit of a better range with these devices. And they also have support for AES, however we haven't seen many devices that use it unfortunately, so you know, that's unfortunate. The jamming you
can do some jamming on the z-wave it's run since it's running on the 900 megahertz frequency range if you just try to build a device that's going to send some interference through that 900 beg refer megahertz frequency range it's going to be able to block the communication so it's not going to be able to get through which is by somewhat illegal yeah soso the whole RF thing is illegal so we didn't bring any of those devices so I don't think we'd be able to get that to the TSA so we were looking at the sdk for z-wave and it actually comes with a sniffer with it so you can kind of sniff the protocol but they're a little bit pricey run they run around two thousand three thousand dollars so it's not going to be something that your average person is going to be able to afford to pick up but they do have that with it
So the AES encryption: when we were looking into this, when you do AES, when you initialize the keys, we found out that it doesn't appear to be using a FIPS-compliant method for initializing those keys. So it's actually possible to sniff those keys as they're, you know, initializing devices. So we can pick up those keys when a new device is being added to the network, and now we'll be able to sniff the communication that's going through the mesh network, and then also be able to maybe inject packets or, you know, whatever else you want to do at that point. Again, we haven't seen any devices... traditionally we saw one that was a door handle, basically, that supported AES, but other than that, for the most part the majority of them do not. So again, all the stuff that you just saw here, the start of the Teensy device with the version 2, I think... I'm talking about... what's that? Oh, gotcha. So all the software from the Teensy device, as far as the ability to take a binary, convert it back to hex and then write it off into the system, will be in the new version of the Social-Engineer Toolkit, and you can get that from secmaniac.com, so that's S-E-C-M-A-N-I-A-C dot com, and it's got all the code for all the X10-based attacks that you saw here as well as the different types of attacks that we got on there. Coming soon we have a sniffer based on Z-Wave initialization keys, encryption keys, so basically you'll be able to run that off of the network itself and actually start to identify and then spoof a Z-Wave-based controller, and then basically it'll send it to the system for you. And then also, if you're interested in how we actually built these devices, we'll have a blog post that has exactly what we did in order to solder the devices, the parts you use to do it, everything like that. It's very easy; I mean, it's not significantly challenging to do.

So, well, we ran a little faster on this one, but I want to say to anybody: free hugs after this, I'm all for that. And check out DerbyCon; it's in Louisville, Kentucky. And thank you very much. Anybody, any questions? Yes sir, in the back. Now, the only issue that we've seen with the HomePlugs are the default keys that are being used by the actual vendors themselves. The actual encryption standard for it is actually working really well, so we haven't seen any exposure as far as that goes, minus the default keys. And like the Netgear 508, versus, you know, they randomized the shared keys per initialization, which is really good. Just interesting, just interesting. I was in