1 00:00:00,083 --> 00:00:04,250 JOSH "m0nk" THOMAS: I'm Josh Thomas, m0nk. 2 00:00:04,834 --> 00:00:08,959 A couple of intros to the talk. 3 00:00:09,209 --> 00:00:11,667 I made a drinking game and then it got really lame and I don't have anything 4 00:00:11,667 --> 00:00:13,292 to drink on stage. 5 00:00:13,292 --> 00:00:17,501 But if you do and want to play around, this is Ricky. 6 00:00:17,918 --> 00:00:19,584 Ricky likes to drink. 7 00:00:19,584 --> 00:00:21,626 If you see Ricky, take a drink. 8 00:00:22,834 --> 00:00:24,542 He'll come up a lot. 9 00:00:24,834 --> 00:00:25,834 So ... 10 00:00:26,999 --> 00:00:29,999 This talk has a couple faces, but before I even get started 11 00:00:29,999 --> 00:00:33,959 with the actual talk, hands up if you are on Android. 12 00:00:34,125 --> 00:00:35,959 All right. 13 00:00:36,125 --> 00:00:39,083 Hands keep them up if you actually have your own kernel. 14 00:00:39,334 --> 00:00:40,792 Okay. 15 00:00:40,792 --> 00:00:43,709 Did you actually compile it? 16 00:00:43,959 --> 00:00:44,959 Okay. 17 00:00:45,999 --> 00:00:48,292 Did you ever look at the source? 18 00:00:48,292 --> 00:00:49,459 Like any source at all? 19 00:00:49,542 --> 00:00:50,626 Wow. 20 00:00:50,667 --> 00:00:51,667 Okay. 21 00:00:51,667 --> 00:00:52,876 All of it? 22 00:00:54,083 --> 00:00:55,709 (Laughter.) Yeah. 23 00:00:55,709 --> 00:00:58,334 So you have no fucking clue what's running on your phone, 24 00:00:58,334 --> 00:01:00,709 that's we'll come back. 25 00:01:00,709 --> 00:01:02,167 (Laughter.) Like even if like someone was in the room like, 26 00:01:02,167 --> 00:01:05,501 yeah, I looked at every fucking line, no, you didn't. 27 00:01:06,083 --> 00:01:07,292 Sorry. 28 00:01:07,292 --> 00:01:08,999 (Laughter.) And we all know that. 29 00:01:08,999 --> 00:01:10,999 But this is this talk is going to play with what you don't know 30 00:01:10,999 --> 00:01:13,959 about what's already running on your phone. 31 00:01:14,083 --> 00:01:15,459 So start. 
32 00:01:15,876 --> 00:01:18,876 I wanted to skip this because personally I really don't 33 00:01:18,876 --> 00:01:20,876 like these slides. 34 00:01:20,876 --> 00:01:21,626 But given what I'm going to be talking about, 35 00:01:21,626 --> 00:01:23,375 I guess I needed a little bit of background, 36 00:01:23,375 --> 00:01:25,459 so why you should trust me. 37 00:01:25,709 --> 00:01:31,667 Don't if this makes logical sense to you thank you, man then believe me. 38 00:01:31,667 --> 00:01:34,250 If not, have fun with the tools I'm going to show you. 39 00:01:34,250 --> 00:01:36,417 These are my opinions, not my employer's. 40 00:01:36,417 --> 00:01:39,918 And the tools on the second half of the preso are really, yeah, 41 00:01:39,918 --> 00:01:44,375 they're fun, they're playful, they're offensive, whatever. 42 00:01:44,959 --> 00:01:46,626 The whole point of me open sourcing them 43 00:01:46,626 --> 00:01:49,667 is we don't know these type of tools exist, let's learn 44 00:01:49,667 --> 00:01:54,125 about these tools, let's figure out how to protect against them. 45 00:01:54,667 --> 00:01:56,709 I'm not really talking 0 days. 46 00:01:56,751 --> 00:01:59,501 We'll get to that in a second and I'll get on a tirade. 47 00:01:59,501 --> 00:02:02,918 But this is post 0 day, post EX. 48 00:02:02,918 --> 00:02:04,501 Like I'm in the system. 49 00:02:04,501 --> 00:02:07,959 We as a community don't really ever look at that type of persistence 50 00:02:07,959 --> 00:02:10,667 and how to protect against it. 51 00:02:10,667 --> 00:02:12,959 So I'm going to show you how I as an attacker would do things 52 00:02:12,959 --> 00:02:17,501 and maybe we can all start figuring out to how to protect against me. 53 00:02:17,999 --> 00:02:20,834 So I'm going to talk about boring ass things. 
54 00:02:20,834 --> 00:02:22,459 I'm going to talk about the actual WarGames that we're 55 00:02:22,459 --> 00:02:24,375 going to talk about today and then today, 56 00:02:24,375 --> 00:02:26,459 and then we'll go through a couple scenarios 57 00:02:26,459 --> 00:02:28,918 on my tools and what they do. 58 00:02:29,999 --> 00:02:33,792 Then we'll wrap up at the very end, so. 59 00:02:33,876 --> 00:02:34,999 Boring kit. 60 00:02:34,999 --> 00:02:40,792 I hear malware, I hear rootkits, I fucking think spam, it's boring. 61 00:02:40,792 --> 00:02:42,209 It's really, really boring. 62 00:02:42,209 --> 00:02:43,501 It makes money. 63 00:02:43,999 --> 00:02:44,999 You know. 64 00:02:44,999 --> 00:02:45,999 Someone wants to pop 50,000 boxes so 65 00:02:45,999 --> 00:02:49,792 they can do something, blah, blah, blah, blah. 66 00:02:49,792 --> 00:02:50,792 It's boring. 67 00:02:50,792 --> 00:02:52,334 It's not not interesting at all. 68 00:02:52,999 --> 00:02:56,125 But hackers love the malwares, right, because with the malwares you can get 69 00:02:56,125 --> 00:02:59,417 the credit cards and then you can buy all the things. 70 00:02:59,417 --> 00:03:01,876 Again, fucking boring. 71 00:03:02,209 --> 00:03:05,999 (Laughter.) So it is. 72 00:03:05,999 --> 00:03:06,999 Right? 73 00:03:06,999 --> 00:03:08,292 I mean it's not innovation. 74 00:03:08,292 --> 00:03:09,375 There's nothing new. 75 00:03:09,375 --> 00:03:11,999 It's normally not actually anything sexy at all. 76 00:03:11,999 --> 00:03:13,417 It's just iterative, boring. 77 00:03:13,417 --> 00:03:13,999 You don't have to do anything cool 78 00:03:13,999 --> 00:03:17,626 because you don't really care if your bots get popped, right? 79 00:03:17,626 --> 00:03:19,292 I mean that's that's not the point. 80 00:03:19,292 --> 00:03:20,999 You know you're going to lose them. 81 00:03:20,999 --> 00:03:23,751 You know you can just pop another 50,000 next month. 82 00:03:23,751 --> 00:03:25,083 It just goes back and forth. 
83 00:03:25,083 --> 00:03:26,459 Everything is disposable. 84 00:03:26,459 --> 00:03:28,083 No one is specifically targeted. 85 00:03:28,083 --> 00:03:29,083 Boring. 86 00:03:29,083 --> 00:03:30,626 If you want to know more about that mentality, Mudge did 87 00:03:30,626 --> 00:03:33,667 a great keynote two years ago. 88 00:03:33,999 --> 00:03:35,999 Pretty much everything he's talked about since then talks 89 00:03:35,999 --> 00:03:39,751 about that symbiotic relationship and how that's boring. 90 00:03:40,083 --> 00:03:41,501 Whatever. 91 00:03:41,999 --> 00:03:43,876 Our real fun. 92 00:03:44,292 --> 00:03:47,918 For every game, we need rules, right? 93 00:03:47,918 --> 00:03:48,918 So what do we need? 94 00:03:48,918 --> 00:03:49,417 We need two players, we need game mechanics, 95 00:03:49,417 --> 00:03:51,876 and we need goals for a game. 96 00:03:51,959 --> 00:03:53,167 Player one. 97 00:03:54,209 --> 00:03:56,209 I wonder who player one is. 98 00:03:57,167 --> 00:04:01,167 I'm going to go with player one is any government worldwide, 99 00:04:01,167 --> 00:04:04,417 any state sponsored organization. 100 00:04:04,417 --> 00:04:06,209 So you're talking people with a lot of money or corporations 101 00:04:06,209 --> 00:04:08,125 with a lot of money. 102 00:04:08,542 --> 00:04:09,792 You know. 103 00:04:09,999 --> 00:04:10,999 Bad guys. 104 00:04:10,999 --> 00:04:12,083 Right? 105 00:04:12,250 --> 00:04:13,876 Maybe more bad guys. 106 00:04:14,999 --> 00:04:16,542 Prepping for it. 107 00:04:16,542 --> 00:04:17,751 Maybe more bad guys. 108 00:04:20,999 --> 00:04:22,959 (Laughter.) Player two. 109 00:04:22,959 --> 00:04:24,999 So we've got a lot of money on player one. 110 00:04:24,999 --> 00:04:25,999 Who's player two? 111 00:04:27,167 --> 00:04:31,792 Oooh, fucking you and you and y'all. 112 00:04:31,792 --> 00:04:35,959 It's pretty cool. 
113 00:04:35,959 --> 00:04:37,959 So in this game, when we start getting into mechanics, 114 00:04:37,959 --> 00:04:41,375 we still need 0 days, because we want to pop things. 115 00:04:41,375 --> 00:04:44,250 We're starting to target people for some reason. 116 00:04:46,083 --> 00:04:50,125 So we still use 0 days, but really that's just the gift wrap. 117 00:04:50,125 --> 00:04:51,999 That is disposable. 118 00:04:51,999 --> 00:04:52,999 No one cares. 119 00:04:52,999 --> 00:04:56,417 Well, a lot of people care and I'm trying to get you to not care so much. 120 00:04:56,751 --> 00:04:59,083 What we really want is we want to get on devices. 121 00:04:59,083 --> 00:05:00,999 That's the only reason we use 0 days. 122 00:05:00,999 --> 00:05:02,375 0 days are not the real point. 123 00:05:02,375 --> 00:05:03,459 They're disposable. 124 00:05:03,459 --> 00:05:05,584 I'm going to spend money on an 0 day to get on your device 125 00:05:05,584 --> 00:05:08,083 to then do something interest. 126 00:05:08,292 --> 00:05:11,083 But because everyone likes to use 0 days, and I'm saying it 127 00:05:11,083 --> 00:05:13,876 a whole bunch, how much do they cost? 128 00:05:13,876 --> 00:05:14,999 Do they cost money? 129 00:05:15,083 --> 00:05:16,999 There's the Grugq, with more money. 130 00:05:17,083 --> 00:05:19,250 And fuck it, more money, right? 131 00:05:19,667 --> 00:05:22,292 So Rick Ross is happy because there's a lot of money. 132 00:05:23,709 --> 00:05:28,417 But I mean, again, it's, you may spend 10, 20, 30, 50K, 500K, 133 00:05:28,417 --> 00:05:32,209 a million on some really sexy 0 day. 134 00:05:32,459 --> 00:05:34,959 Remember that number, a million. 135 00:05:34,959 --> 00:05:37,417 We'll pretend that all 0 days sell for a $1 million. 136 00:05:37,417 --> 00:05:39,209 Every single 0 day is a $1 0 day. 137 00:05:39,792 --> 00:05:43,083 I want to hack all the things, so I need all the 0 days. 
138 00:05:45,751 --> 00:05:48,876 I don't really care about laptops anymore personally. 139 00:05:49,083 --> 00:05:50,667 This is where it's at to me. 140 00:05:50,999 --> 00:05:54,876 It's all mobile devices, it's all cell phones, they have everything. 141 00:05:54,876 --> 00:05:56,542 I can listen to all your calls, I can read all your e mails, 142 00:05:56,542 --> 00:05:58,918 I know exactly where you are. 143 00:05:58,918 --> 00:06:01,999 I mean it's obvious, this is now what used to be our computer, 144 00:06:01,999 --> 00:06:05,083 this is now us in digital form. 145 00:06:05,167 --> 00:06:07,167 We carry them everywhere. 146 00:06:07,167 --> 00:06:08,626 We use them for everything. 147 00:06:09,375 --> 00:06:13,918 Oh, if you're targeting Symbian, 0 days are still worth $1 million. 148 00:06:16,375 --> 00:06:18,751 But fuck it, right, everyone raised their hand, I'm Android, 149 00:06:18,751 --> 00:06:20,083 I'm special. 150 00:06:20,584 --> 00:06:23,626 There's no exploits there. 151 00:06:23,999 --> 00:06:25,375 Sure. 152 00:06:25,375 --> 00:06:29,292 And let's unless, you know, I had money, 153 00:06:29,292 --> 00:06:38,250 at which point so we've got game mechanics for this type of world. 154 00:06:38,542 --> 00:06:42,999 What we're really doing is taking an 0 day, we're jumping on the device. 155 00:06:42,999 --> 00:06:46,751 So what I care about is that kit, whatever that implant is I'm putting 156 00:06:46,751 --> 00:06:50,959 on a device, that is that's where the real money is. 157 00:06:50,959 --> 00:06:52,999 That's what's doing something. 158 00:06:53,999 --> 00:06:56,209 And let your minds run wild, what would you want to do 159 00:06:56,209 --> 00:06:57,999 on someone's phone. 160 00:06:57,999 --> 00:07:00,876 You know, whatever that is, that's what you're doing. 161 00:07:01,751 --> 00:07:05,667 Doing that type of coding is boring. 162 00:07:05,667 --> 00:07:09,751 Those are just lame ass developers in cube farms cranking out code. 
163 00:07:10,083 --> 00:07:11,999 It's typical software. 164 00:07:11,999 --> 00:07:12,999 It's boring. 165 00:07:12,999 --> 00:07:14,250 It takes dev time. 166 00:07:14,250 --> 00:07:15,417 People have a real job. 167 00:07:15,626 --> 00:07:17,667 But it costs money, too. 168 00:07:17,918 --> 00:07:22,083 Typically it costs a lot more money than an 0 day. 169 00:07:22,083 --> 00:07:25,167 Typically it costs a fuck ton more than an 0 day. 170 00:07:26,459 --> 00:07:28,083 Think about it, right. 171 00:07:28,083 --> 00:07:30,751 If you're trying to do something sexy, a million dollars for an 0 day, 172 00:07:30,751 --> 00:07:32,999 $20 million for whatever you're going to do, 173 00:07:32,999 --> 00:07:35,667 what do you want do you not want to lose, especially 174 00:07:35,667 --> 00:07:39,250 if when you bought that 0 day it's got a shelf life. 175 00:07:39,667 --> 00:07:43,667 What you really, really, really care about is protecting that large 176 00:07:43,667 --> 00:07:48,167 investment, not this disposable thing that you bought that, I mean, you know, 177 00:07:48,167 --> 00:07:52,209 may be around two months, may be around six months. 178 00:07:53,751 --> 00:07:59,751 So we get a little more disturbed, and that's okay. 179 00:07:59,751 --> 00:08:00,751 What do we want? 180 00:08:00,751 --> 00:08:01,792 We want all the data. 181 00:08:03,375 --> 00:08:06,083 That's what your cell phone is, that's what I want. 182 00:08:06,083 --> 00:08:07,083 I want everything. 183 00:08:07,709 --> 00:08:11,751 So we've got all of our players; let's have a game. 184 00:08:12,083 --> 00:08:13,751 Who's gonna win this game? 185 00:08:13,918 --> 00:08:16,083 How long is it going to take? 186 00:08:16,083 --> 00:08:19,626 Very, very, very short, and I wonder who won. 187 00:08:19,667 --> 00:08:20,751 Yeah. 188 00:08:20,792 --> 00:08:23,834 They won, every time. 
189 00:08:24,125 --> 00:08:27,459 They it's no one is even remotely capable of writing 190 00:08:27,459 --> 00:08:31,542 the tools right now that detect against advanced things, 191 00:08:31,542 --> 00:08:34,959 because we're not looking at it. 192 00:08:34,959 --> 00:08:38,083 We're still focused on malware and spam and all the boring shit. 193 00:08:38,250 --> 00:08:40,999 So if I'm writing $20 million worth of code, I want 194 00:08:40,999 --> 00:08:43,834 to protect that investment. 195 00:08:44,459 --> 00:08:46,999 I want to protect it lots. 196 00:08:46,999 --> 00:08:48,999 I want to make sure that it's never found. 197 00:08:48,999 --> 00:08:51,667 I want to make sure that it's deep, it's not something that's going 198 00:08:51,667 --> 00:08:54,334 to pop up on McAfee, it's not something that's going 199 00:08:54,334 --> 00:08:56,751 to pop up on the "New York Times" front page 200 00:08:56,751 --> 00:08:57,999 that we found X doing Y. 201 00:08:57,999 --> 00:09:00,999 Like this needs to never, ever exist. 202 00:09:01,083 --> 00:09:04,417 So, again, because we kind of picked on him a little earlier, he, 203 00:09:04,417 --> 00:09:07,709 the Grugq, actually does talk about quite a bit of these things, 204 00:09:07,709 --> 00:09:12,375 at least on the theoretical thing on Twitter, which is always kind of fun. 205 00:09:12,667 --> 00:09:16,334 But what we don't want is we never want our gear to show 206 00:09:16,334 --> 00:09:22,167 up because that will make Rick sad, and we don't want a sad Rick. 207 00:09:22,250 --> 00:09:23,999 We want a happy Rick. 208 00:09:23,999 --> 00:09:26,125 So we're gonna hide. 209 00:09:26,167 --> 00:09:27,626 We're gonna hide deep. 210 00:09:27,999 --> 00:09:29,876 We're gonna have a lot of fun hiding. 211 00:09:31,999 --> 00:09:34,292 Before I move on, one definition, because I just tend to say it 212 00:09:34,292 --> 00:09:37,792 and I've realized that not everyone knows what I'm talking about. 
213 00:09:37,792 --> 00:09:41,584 So if I say air to glass (Phonetic), what I mean is I'm coming off CDMA, 214 00:09:41,584 --> 00:09:45,709 GSM, Wi-Fi, I don't know, I'm coming from somewhere Bluetooth, 215 00:09:45,709 --> 00:09:49,792 outside of the phone, I'm getting on the phone. 216 00:09:49,792 --> 00:09:51,999 Air to glass means I never touch storage. 217 00:09:52,083 --> 00:09:57,459 So I've got an implant, it's in a device, you reboot that device, it's gone, right. 218 00:09:57,459 --> 00:09:58,834 It's got to be reinfected. 219 00:09:58,999 --> 00:10:03,501 If you do something like that, though, you're pretty damn secure 220 00:10:03,501 --> 00:10:05,999 on the protection of your investment 221 00:10:05,999 --> 00:10:08,999 because unless someone can forensically jump 222 00:10:08,999 --> 00:10:13,999 in there and grab things out of RAM, volatile memory before they reboot, 223 00:10:13,999 --> 00:10:15,999 you're safe. 224 00:10:16,083 --> 00:10:18,876 The problem with air to glass is, I mean, you never know when you're going 225 00:10:18,876 --> 00:10:20,584 to lose your implant. 226 00:10:20,584 --> 00:10:21,584 That sucks. 227 00:10:21,918 --> 00:10:24,417 And you've got limited space, right, if you don't want to start interacting 228 00:10:24,417 --> 00:10:27,999 and being obvious that there's something wrong with the phone. 229 00:10:28,250 --> 00:10:32,584 So WarGame one, let's move away from air to glass. 230 00:10:32,999 --> 00:10:37,542 How can I get something on disk and hide it to where no one can find it? 231 00:10:37,999 --> 00:10:40,375 So this is the NANDX Project. 232 00:10:40,918 --> 00:10:44,167 This project was originally funded by DARPA's Cyber Fast Track. 233 00:10:44,584 --> 00:10:46,959 Awesome, awesome, awesome project. 
234 00:10:47,167 --> 00:10:48,999 The goal of this was how can I do a proof 235 00:10:48,999 --> 00:10:52,334 of concept for offensive work and then how can we take that 236 00:10:52,334 --> 00:10:54,999 and try to defend against it? 237 00:10:55,999 --> 00:10:57,999 So I'll do my demo. 238 00:11:01,125 --> 00:11:04,209 So I'm going to run the demo twice on video and then once 239 00:11:04,209 --> 00:11:08,292 at the beginning and once at the end of talking about it. 240 00:11:08,292 --> 00:11:12,918 So what we have on the oh. 241 00:11:12,918 --> 00:11:13,999 Is it not showing up? 242 00:11:17,959 --> 00:11:19,167 Cool. 243 00:11:23,083 --> 00:11:27,584 So what this video is going to do, yeah, I'm basically side loading 244 00:11:27,584 --> 00:11:32,292 a kernel module, which we'll talk about and look at source in a second, 245 00:11:32,292 --> 00:11:36,083 but this is going to kill a block on NAND. 246 00:11:36,584 --> 00:11:41,292 So I've got an implant that's actually on disk, it's saved on disk. 247 00:11:41,292 --> 00:11:45,459 Now I'm going to remove that block of memory from the phone. 248 00:11:45,834 --> 00:11:49,792 I can still call in to it, but it doesn't exist. 249 00:11:49,792 --> 00:11:52,125 DD won't pull it, forensics tools won't pull it. 250 00:11:52,125 --> 00:11:54,709 It's just gone from typical devices. 251 00:11:54,751 --> 00:11:57,459 I show this twice because I just really love how sexily 252 00:11:57,459 --> 00:11:59,792 Android crashes here. 253 00:12:00,459 --> 00:12:04,459 So we're side loading kernel module remotely. 254 00:12:05,999 --> 00:12:10,709 And I'm forcing a kernel panic or a kernel thing as well. 255 00:12:10,709 --> 00:12:15,999 And we reboot eventually and the block of memory is just gone. 256 00:12:15,999 --> 00:12:20,918 Now I've got 512K I can play with for as long as I want. 257 00:12:20,918 --> 00:12:23,876 How do I do this? 258 00:12:30,584 --> 00:12:31,918 Sweet. 
259 00:12:31,918 --> 00:12:33,959 How NAND works, let's start there. 260 00:12:34,375 --> 00:12:37,792 So NAND is very complicated. 261 00:12:37,792 --> 00:12:40,584 You've got little bitty buckets that hold an electron. 262 00:12:40,584 --> 00:12:43,083 If there's an electron on there, you've got a one. 263 00:12:43,083 --> 00:12:44,918 If there's no electron it's a zero. 264 00:12:44,918 --> 00:12:45,999 That's basic binary. 265 00:12:45,999 --> 00:12:47,542 That's how this hardware works. 266 00:12:48,125 --> 00:12:52,083 EEs decided to say, hey, these little buckets that hold one bit 267 00:12:52,083 --> 00:12:55,083 need to be organized into pages. 268 00:12:55,250 --> 00:12:58,667 Those pages are then logically created into blocks. 269 00:12:58,667 --> 00:13:00,959 Blocks are pretty easy to deal with, it's what you're normally dealing 270 00:13:00,959 --> 00:13:04,083 with if you're writing drivers at a block level. 271 00:13:04,083 --> 00:13:05,999 I mean it's it's easier to latch on to for us 272 00:13:05,999 --> 00:13:09,292 as security and software guys, right. 273 00:13:09,292 --> 00:13:12,751 So block's typically half a meg. 274 00:13:13,375 --> 00:13:17,125 When you wipe a NAND, everything gets set to ones. 275 00:13:17,125 --> 00:13:19,250 The reason everything is FFs is there's an electron 276 00:13:19,250 --> 00:13:21,626 in every little bucket. 277 00:13:22,751 --> 00:13:25,334 Then when you're actually writing data to NAND, 278 00:13:25,334 --> 00:13:28,083 you start popping electrons off. 279 00:13:28,083 --> 00:13:33,250 You get a zero, so you kind of sculpt your data in NAND. 280 00:13:34,083 --> 00:13:39,999 But that's trapping individual electrons is hard, right? 281 00:13:39,999 --> 00:13:41,709 So the hardware wears out. 282 00:13:41,709 --> 00:13:42,834 It dies over time. 283 00:13:42,834 --> 00:13:45,125 I'm taking advantage of that the same way that the designers 284 00:13:45,125 --> 00:13:48,167 of the hardware take advantage of that. 
285 00:13:48,167 --> 00:13:50,375 What they do is they know it's going to die. 286 00:13:50,375 --> 00:13:54,125 They know it's going to die after 10,000 to a million writes, 287 00:13:54,125 --> 00:14:00,083 that little bucket, so they build in tools to gracefully fail. 288 00:14:00,667 --> 00:14:03,834 They have a threshold of I can detect so many bits aren't 289 00:14:03,834 --> 00:14:06,999 writing what I want them to, once I go past that threshold, 290 00:14:06,999 --> 00:14:10,626 that block is marked bad, it's never used again. 291 00:14:10,999 --> 00:14:13,792 The kernel doesn't see it, the driver doesn't see it, 292 00:14:13,792 --> 00:14:16,792 it's just there's a bit that gets flipped saying I am bad 293 00:14:16,792 --> 00:14:19,209 and it's never touched again. 294 00:14:19,209 --> 00:14:21,792 Anything that goes through the driver, the very first thing 295 00:14:21,792 --> 00:14:24,999 in the driver code goes, is this block bad? 296 00:14:24,999 --> 00:14:29,751 If it's marked bad, the driver just says, no, it's not there. 297 00:14:29,751 --> 00:14:35,999 So that's handled in the bad block table, which is typically stored 298 00:14:35,999 --> 00:14:39,292 on NAND itself, right. 299 00:14:39,292 --> 00:14:40,959 So NANDX has a table somewhere saying you can trust 300 00:14:40,959 --> 00:14:43,667 this block, you can't trust this block. 301 00:14:46,083 --> 00:14:49,292 In NAND there's two types that we see. 302 00:14:49,292 --> 00:14:51,417 Typically we see managed NAND, which has a little embedded controller 303 00:14:51,417 --> 00:14:53,584 where all that logic goes. 304 00:14:53,999 --> 00:14:58,459 On some NAND, like Sony phones, that's actually built into the kernel. 305 00:14:58,459 --> 00:14:59,792 The kernel deals with it. 306 00:14:59,999 --> 00:15:04,959 For how NANDX works, it's really irrelevant where that code is. 
307 00:15:04,959 --> 00:15:06,834 The code that's open source on GitHub is attacking 308 00:15:06,834 --> 00:15:10,542 the raw NAND just because it's easier to stand kernel NAND, everyone kind 309 00:15:10,542 --> 00:15:12,584 of gets that better. 310 00:15:14,751 --> 00:15:16,375 Raw NAND has a very complicated driver 311 00:15:16,375 --> 00:15:18,584 because it's got to do all this wear leveling and 312 00:15:18,584 --> 00:15:21,834 all this bit checking and ECC values and whatnot. 313 00:15:22,250 --> 00:15:25,292 Wear leveling is proprietary and closed and we don't really care 314 00:15:25,292 --> 00:15:26,999 about for this. 315 00:15:26,999 --> 00:15:30,667 I go into way more detail in other talks, so if you are interested in this deck, 316 00:15:30,667 --> 00:15:32,459 it's also online. 317 00:15:32,834 --> 00:15:35,876 But we're going to attack the MTD subsystem, which 318 00:15:35,876 --> 00:15:39,999 is like this super epic massive driver for Linux that a ton 319 00:15:39,999 --> 00:15:42,834 of things are run through. 320 00:15:43,083 --> 00:15:45,375 I'll attack it again in a little bit. 321 00:15:45,375 --> 00:15:50,667 But for NAND, it manages how everything is working. 322 00:15:50,667 --> 00:15:54,209 So we can get into that driver and start arbitrarily saying this block 323 00:15:54,209 --> 00:15:57,167 is bad, but go ahead and let me write data to it, 324 00:15:57,167 --> 00:16:01,834 go ahead and let me read from it again, let's just make sure no one else can 325 00:16:01,834 --> 00:16:03,125 but me. 326 00:16:03,626 --> 00:16:04,709 Can we do that? 327 00:16:04,709 --> 00:16:05,709 Yeah. 328 00:16:05,709 --> 00:16:06,709 Thanks. 329 00:16:06,834 --> 00:16:09,999 So if I went in to hide a NAND in general, you know, once you kind 330 00:16:09,999 --> 00:16:13,083 of figure out blocks get marked bad and then they disappear, yeah, 331 00:16:13,083 --> 00:16:15,999 I can do that at a shit ton of levels. 
332 00:16:15,999 --> 00:16:18,542 I can do that at the file system, but then the file system has 333 00:16:18,542 --> 00:16:22,417 like trailing pointers and stuff to data that just got removed, which 334 00:16:22,417 --> 00:16:25,999 is why you see that horrible crash on screen. 335 00:16:26,125 --> 00:16:28,999 MTD subsystem is much lower. 336 00:16:28,999 --> 00:16:29,999 It's clean. 337 00:16:30,083 --> 00:16:32,834 I forget the actual number of lines of code that I had to change, 338 00:16:32,834 --> 00:16:35,375 but it was like 30, something like that. 339 00:16:35,375 --> 00:16:36,375 Like it was tiny. 340 00:16:36,999 --> 00:16:38,999 And then I've got fault control. 341 00:16:39,417 --> 00:16:40,999 So it's in Android. 342 00:16:40,999 --> 00:16:41,999 It's also in Linux. 343 00:16:41,999 --> 00:16:46,083 So any device you see that's running Linux or a Linux variant 344 00:16:46,083 --> 00:16:51,292 or pseudo based off Linux, start thinking schema. 345 00:16:53,083 --> 00:16:55,999 Everything that's running the hardware is susceptible 346 00:16:55,999 --> 00:16:58,125 to this type of attack. 347 00:16:58,125 --> 00:17:00,375 Everything that is running software pseudo based 348 00:17:00,375 --> 00:17:03,334 on this code is also susceptible. 349 00:17:03,918 --> 00:17:08,751 When I started the project, I expected full hardware. 350 00:17:08,751 --> 00:17:11,834 I didn't have to do that, I just had to buy a shit ton of phones. 351 00:17:11,834 --> 00:17:14,542 I bought a ton of phones, started playing with them. 352 00:17:14,542 --> 00:17:18,083 I found one that had full MTD, like the whole NAND was basically 353 00:17:18,083 --> 00:17:20,083 managed by MTD. 354 00:17:21,999 --> 00:17:25,834 There was no I was like, sweet, this is really easy to code on. 355 00:17:26,501 --> 00:17:30,999 I created a couple unit tests because that's what you do, right. 
356 00:17:30,999 --> 00:17:34,083 So I created a unit test that basically just killed, 357 00:17:34,083 --> 00:17:38,918 arbitrarily read and wrote data to a block of NAND, marked it bad, 358 00:17:38,918 --> 00:17:44,959 checked that nothing else could see it, and then read and write again. 359 00:17:46,959 --> 00:17:50,834 Yeah, so the code was ungodly simple. 360 00:17:50,834 --> 00:17:53,709 And if you are actually interested in how I'm pulling it off, 361 00:17:53,709 --> 00:17:57,375 I spent more time writing notes in the source code that I checked 362 00:17:57,375 --> 00:18:00,999 in to GitHub than I actually did the coding. 363 00:18:01,083 --> 00:18:05,999 It's I tried to just walk line by line of exactly how everything works. 364 00:18:05,999 --> 00:18:09,876 But in a nutshell, I'm grabbing a block, I'm erasing it, writing dead beef 365 00:18:09,876 --> 00:18:12,999 all over it, I'm making it disappear from the system, 366 00:18:12,999 --> 00:18:16,667 writing dead beef again and then reading it back out just 367 00:18:16,667 --> 00:18:18,876 to kind of show that we've got full 368 00:18:18,876 --> 00:18:20,999 arbitrary control. 369 00:18:22,083 --> 00:18:25,876 Oh, and for the demo, then I'm doing a double release 370 00:18:25,876 --> 00:18:30,876 on the driver just to force a reboot of the phone because when I do that, 371 00:18:30,876 --> 00:18:34,375 then it reads back the bad block table from NAND and 372 00:18:34,375 --> 00:18:36,918 the thing disappears. 373 00:18:37,999 --> 00:18:42,792 So the demo that I have the video for kill block 37, just kind 374 00:18:42,792 --> 00:18:47,667 of arbitrarily picked that block, that's where a system or, yeah, 375 00:18:47,667 --> 00:18:52,542 Android.settings is stored, so it's no longer there. 376 00:18:52,542 --> 00:18:55,792 That phone is I've got it with me if anyone wants to play with it. 377 00:18:55,792 --> 00:18:56,792 It's quirky. 378 00:18:57,167 --> 00:18:58,626 But, yeah. 
379 00:18:58,626 --> 00:19:01,999 So I can take data, it's gone from the system and yet I can still 380 00:19:01,999 --> 00:19:04,876 arbitrarily read and write. 381 00:19:04,876 --> 00:19:08,125 I took these phones after I did this full factory reset, 382 00:19:08,125 --> 00:19:11,709 dead beef is still there, you know. 383 00:19:11,999 --> 00:19:13,999 DD, didn't see dead beef. 384 00:19:13,999 --> 00:19:15,999 Ran mind tools, saw dead beef. 385 00:19:15,999 --> 00:19:18,459 Another factory reset, you know, throw other RAMS on there, do 386 00:19:18,459 --> 00:19:22,083 a whole bunch of things, the phone is completely stable and it's just dead 387 00:19:22,083 --> 00:19:23,999 beef all over it. 388 00:19:23,999 --> 00:19:26,918 I've got like a quarter of the NAND that's just dead beef 389 00:19:26,918 --> 00:19:29,083 and nothing sees it. 390 00:19:29,626 --> 00:19:30,626 That's pretty fun. 391 00:19:37,501 --> 00:19:42,501 (Applause.) JOSH "m0nk" THOMAS: So since I'm running a little fast, one 392 00:19:42,501 --> 00:19:47,542 of the other fun things you can do with this is I'm making drives disappear 393 00:19:47,542 --> 00:19:52,918 half a meg at a time, and after half a meg I'm forcing a reboot. 394 00:19:52,918 --> 00:19:53,999 But you don't have to. 395 00:19:53,999 --> 00:19:56,501 You can just disappear the drive under the OS. 396 00:19:56,626 --> 00:19:59,667 You can disappear the whole damn drive and nothing can 397 00:19:59,667 --> 00:20:02,876 recover that that device at that point. 398 00:20:02,876 --> 00:20:03,876 It's just gone. 399 00:20:03,876 --> 00:20:07,542 When you start talking cell phones, it's like, dude, that fucking sucks. 400 00:20:07,542 --> 00:20:10,751 That's like 600 bucks, it's inconvenient, you get pissed off. 401 00:20:10,751 --> 00:20:13,000 If that's SCADA, like that gets scary real quick 402 00:20:13,000 --> 00:20:15,751 because it's remote. 403 00:20:15,751 --> 00:20:17,417 I don't care if it's remote. 
404 00:20:17,417 --> 00:20:19,667 I mean, and it's not patchable. 405 00:20:19,999 --> 00:20:22,000 You can't recover because there's no drive there, 406 00:20:22,000 --> 00:20:25,250 like the hardware goes Mo dude, there's no storage space left 407 00:20:25,250 --> 00:20:27,250 and it's just dead. 408 00:20:27,250 --> 00:20:28,999 You've gotta replace the device. 409 00:20:29,000 --> 00:20:30,000 So ... 410 00:20:32,083 --> 00:20:33,542 yeah. 411 00:20:35,918 --> 00:20:38,167 So that was the first cool. 412 00:20:40,501 --> 00:20:41,626 Yeah. 413 00:20:41,626 --> 00:20:44,042 And it's all on GitHub if you want to read about it. 414 00:20:44,375 --> 00:20:46,000 I've got links, but it's basically my name 415 00:20:46,000 --> 00:20:47,959 and then NANDX. 416 00:20:47,959 --> 00:20:50,876 I've got a paper that goes into great ridiculous detail 417 00:20:50,876 --> 00:20:54,501 on how NAND works and then a bunch of source code and 418 00:20:54,501 --> 00:20:57,999 the presentation and it's out there. 419 00:20:58,375 --> 00:21:00,375 There's no fix that I can see. 420 00:21:00,375 --> 00:21:03,292 So since this is kind of an offensive for defensive type of a talk, 421 00:21:03,292 --> 00:21:06,918 if you can think of a better way to protect against this, I'd love 422 00:21:06,918 --> 00:21:09,250 to hear it, I really would. 423 00:21:09,751 --> 00:21:12,209 Because it's based off an assumption that 424 00:21:12,209 --> 00:21:15,501 the guys that originally sat down with pen and paper 425 00:21:15,501 --> 00:21:18,501 on a napkin and figured out how NAND would work, 426 00:21:18,501 --> 00:21:22,876 they made an assumption that it had to fail, and I mean, the hardware 427 00:21:22,876 --> 00:21:24,918 is based on that. 428 00:21:24,918 --> 00:21:26,999 The hardware is built on that assumption. 
429 00:21:26,999 --> 00:21:28,250 The software on top of it is built on that assumption, 430 00:21:28,250 --> 00:21:32,709 and there's nothing that can keep me from taking advantage of that. 431 00:21:32,709 --> 00:21:37,083 So as long as there's NAND around, we can hide and we can hide deep. 432 00:21:37,083 --> 00:21:39,250 None of our tools can pull it out right now. 433 00:21:40,999 --> 00:21:43,667 Any tool that you can start kind of thinking 434 00:21:43,667 --> 00:21:48,375 about how I could protect against this starts failing real quick. 435 00:21:49,083 --> 00:21:52,959 Yeah, I can wipe everything on boot that's in a bad block table. 436 00:21:52,959 --> 00:21:53,959 Mmm, not really. 437 00:21:54,083 --> 00:21:56,667 You can't validate that since blocks do go bad, 438 00:21:56,667 --> 00:22:00,542 how do you validate that you wiped it or not? 439 00:22:00,542 --> 00:22:03,999 I mean, and if I'm at that low of a layer, I can just block it anyway. 440 00:22:04,709 --> 00:22:06,626 So and that was NANDX. 441 00:22:08,584 --> 00:22:11,709 Second project I'm working on is clock clocking beats. 442 00:22:12,083 --> 00:22:16,918 What this is looking at, it's like, okay, I'm hidden on disk, that's cool. 443 00:22:16,918 --> 00:22:18,584 I still have to run at some point. 444 00:22:18,792 --> 00:22:21,584 I want to be able to run and never have a user be able 445 00:22:21,584 --> 00:22:24,334 to tell that something is going on. 446 00:22:24,334 --> 00:22:26,375 You know, I mean, obviously you like don't want your thread showing 447 00:22:26,375 --> 00:22:28,375 up and things like that. 448 00:22:28,667 --> 00:22:29,792 That's great. 449 00:22:29,792 --> 00:22:32,250 But what if I want to go deeper? 450 00:22:32,459 --> 00:22:35,292 What if I want to make sure that the kernel just has no fucking clue that 451 00:22:35,292 --> 00:22:37,209 anything is running? 
452 00:22:37,292 --> 00:22:40,751 What if I want to make the kernel have no ability 453 00:22:40,751 --> 00:22:42,999 to even see that? 454 00:22:42,999 --> 00:22:45,834 So clock clocking beats is looking at taking 455 00:22:45,834 --> 00:22:50,459 a running operating system and slightly tweaking the processor 456 00:22:50,459 --> 00:22:54,834 by overclocking it and then outside of full kernel space, 457 00:22:54,834 --> 00:23:00,125 like in hardware damn near, I'm injecting a second process. 458 00:23:00,125 --> 00:23:01,999 It's a thread that runs outside of the kernel that I 459 00:23:01,999 --> 00:23:03,834 manage myself. 460 00:23:04,751 --> 00:23:06,999 That thread runs my kit. 461 00:23:06,999 --> 00:23:11,375 So no tool that you would write that's running in kernel space remotely has 462 00:23:11,375 --> 00:23:15,834 permission to even see me, like I just don't exist. 463 00:23:16,125 --> 00:23:18,876 I can reach in, but it can't reach out because it doesn't know I'm there 464 00:23:18,876 --> 00:23:21,542 and it has no ability to know I'm there. 465 00:23:22,834 --> 00:23:25,459 That project is at the very beginning and it will be 466 00:23:25,459 --> 00:23:28,667 on GitHub, I promise, as soon as I'm done. 467 00:23:29,083 --> 00:23:30,209 Wow. 468 00:23:30,209 --> 00:23:31,751 I'm going to finish so early. 469 00:23:34,083 --> 00:23:35,459 Burner. 470 00:23:35,459 --> 00:23:36,999 This is the really fun one. 471 00:23:37,083 --> 00:23:39,918 So, like I said, I've got 20 million invested 472 00:23:39,918 --> 00:23:43,999 in whatever kit I'm shoving on to a device. 473 00:23:44,125 --> 00:23:46,959 I'm actively monitoring that. 474 00:23:46,999 --> 00:23:48,876 I know it's getting ready to get found. 475 00:23:48,876 --> 00:23:50,417 I know that it's going to my phone's going to be 476 00:23:50,417 --> 00:23:54,459 in someone's hands that's going to do a forensic deep dive. 
477 00:23:54,459 --> 00:23:57,209 Maybe I don't have all that much faith in NANDX anymore. 478 00:23:57,209 --> 00:23:59,876 Maybe someone has figured out how to get rid of it. 479 00:23:59,876 --> 00:24:01,083 Maybe there's other tools. 480 00:24:01,584 --> 00:24:05,501 I want to make sure that nothing that I have on there gets out. 481 00:24:05,542 --> 00:24:09,999 So I want to set the phone on fire remotely. 482 00:24:10,083 --> 00:24:11,626 Fuck it, why not, right? 483 00:24:11,626 --> 00:24:15,834 (Laughter.) JOSH "m0nk" THOMAS: So and I want to do this 484 00:24:15,834 --> 00:24:18,250 all from a kernel. 485 00:24:19,542 --> 00:24:22,999 This will be this project will be on GitHub probably 486 00:24:22,999 --> 00:24:25,999 within about a month and a half. 487 00:24:28,125 --> 00:24:32,751 I really wanted to demo it, but I swear to God it's the lamest demo ever. 488 00:24:32,751 --> 00:24:35,999 It's like side load kernel module, phone turns off. 489 00:24:35,999 --> 00:24:37,250 Like that's it. 490 00:24:37,250 --> 00:24:38,250 Right. 491 00:24:38,250 --> 00:24:40,375 It's hard to show it, it never boots again. 492 00:24:40,375 --> 00:24:41,792 What it does internally is I'm playing 493 00:24:41,792 --> 00:24:44,876 with all the voltages that run internal to the phone, 494 00:24:44,876 --> 00:24:48,334 so I can target specific pieces of hardware, like the chip or 495 00:24:48,334 --> 00:24:52,083 the NAND or the base band, and just start dumping a lot of power 496 00:24:52,083 --> 00:24:54,292 to them and fry them. 497 00:24:55,626 --> 00:25:00,542 And this seems to universally work on almost every Android phone I've 498 00:25:00,542 --> 00:25:06,250 poked at in the run time of this project, which is pretty much probably what you 499 00:25:06,250 --> 00:25:08,792 have in your pocket. 500 00:25:08,999 --> 00:25:13,792 So I can attack and kill your phone dead, make sure that it 501 00:25:13,792 --> 00:25:16,375 will never turn on. 
502 00:25:16,375 --> 00:25:19,459 The only way to ever pull data off of it at that point would be to take it apart, 503 00:25:19,459 --> 00:25:22,083 desolder the chips and like put the NAND in a reader, 504 00:25:22,083 --> 00:25:25,918 like maybe you can find me then, but that's that's it. 505 00:25:27,751 --> 00:25:29,999 So now we've hidden, right. 506 00:25:30,417 --> 00:25:33,584 Like I feel good that with those three projects together 507 00:25:33,584 --> 00:25:38,999 you're probably not going to find any code that I'm running at all. 508 00:25:39,417 --> 00:25:41,167 How do we combat against that? 509 00:25:41,167 --> 00:25:43,292 Like us as users and hackers? 510 00:25:43,292 --> 00:25:46,083 Like how do we make sure that shit that's that deep just doesn't happen 511 00:25:46,083 --> 00:25:47,501 to us? 512 00:25:48,292 --> 00:25:50,751 I'm open sourcing everything. 513 00:25:50,959 --> 00:25:53,999 Like that's my solution is at least if I can think of these, 514 00:25:53,999 --> 00:25:55,999 someone else can. 515 00:25:55,999 --> 00:25:58,999 If I can open source them, hopefully at least we start talking about it, 516 00:25:58,999 --> 00:26:02,292 maybe we start looking for things like this and at that point we're 517 00:26:02,292 --> 00:26:05,501 at least a little we at least know where to look for security, 518 00:26:05,501 --> 00:26:08,209 because we're not right now at all. 519 00:26:08,999 --> 00:26:11,501 And maybe it will make us work a little harder. 520 00:26:11,959 --> 00:26:15,501 So I felt pretty good about this. 521 00:26:15,501 --> 00:26:17,209 I was like, yea, I'm awesome! 522 00:26:18,250 --> 00:26:20,584 And that's pretty much it for me. 523 00:26:20,584 --> 00:26:22,999 I'm ungodly early, but I'd love questions. 524 00:26:22,999 --> 00:26:23,999 (Applause.) None? 525 00:26:23,999 --> 00:26:25,709 Someone ask me a question, please. 526 00:26:25,709 --> 00:26:27,083 (Laughter.) What's up, man? 527 00:26:27,083 --> 00:26:28,083 (Inaudible). 
528 00:26:28,083 --> 00:26:28,083 JOSH "m0nk" THOMAS: So could a phone manufacturer, or anyone really, 529 00:26:28,083 --> 00:26:30,834 write a driver that just wrote 0s to every bad block? 530 00:26:30,834 --> 00:26:33,667 That answer is most definitely yes, but it doesn't work. 531 00:26:33,667 --> 00:26:36,751 The reason it doesn't work is hardware tends to fail, right. 532 00:26:36,751 --> 00:26:36,751 So you cannot rely on that bucket having or removing 533 00:26:36,751 --> 00:26:38,125 to electron once it's failed. 534 00:26:38,125 --> 00:26:38,125 So if I've got this low level of code, I don't have to store data in all 512, 535 00:26:38,125 --> 00:26:38,125 maybe I just hand pick 10 bits per half a meg, at which point it's going 536 00:26:38,125 --> 00:26:40,334 to look like typical failure, but it's not. 537 00:26:40,334 --> 00:26:40,334 And I'm I'm at a lower level than your driver 538 00:26:40,334 --> 00:26:41,667 is running at that point. 539 00:26:41,667 --> 00:26:42,999 So it's erase condition. 540 00:26:42,999 --> 00:26:42,999 But we can talk more because I see confusion 541 00:26:42,999 --> 00:26:45,375 and disagreement on your face, which is awesome. 542 00:26:45,375 --> 00:26:46,375 What's up? 543 00:26:46,375 --> 00:26:47,375 (Inaudible). 544 00:26:47,375 --> 00:26:47,375 JOSH "m0nk" THOMAS: His question was, who calls 545 00:26:47,375 --> 00:26:49,751 into the NANDX blocks after I've wiped them. 546 00:26:49,751 --> 00:26:49,751 At that point, I've got the ability to store a large block of code 547 00:26:49,751 --> 00:26:50,751 on the device. 548 00:26:50,751 --> 00:26:50,751 I'm not necessarily hooked in to things, but now I have I have everything that 549 00:26:50,751 --> 00:26:51,751 I need to run. 550 00:26:51,751 --> 00:26:51,751 So all I need is one little like air to glass thing that then jumps back 551 00:26:51,751 --> 00:26:52,751 in and calls my code. 
552 00:26:52,751 --> 00:26:52,751 I don't have to that way I'm not having to fight 553 00:26:52,751 --> 00:26:55,667 like over the wire to hide 2 megs of kit that I can pull down. 554 00:26:55,667 --> 00:26:58,999 I can store it on disk and then arbitrarily call it remotely still. 555 00:26:58,999 --> 00:26:59,999 So ... 556 00:26:59,999 --> 00:27:02,292 Actually I'm just going to like answer, so ... 557 00:27:02,292 --> 00:27:03,292 (Inaudible). 558 00:27:03,292 --> 00:27:05,125 JOSH "m0nk" THOMAS: (Inaudible). 559 00:27:05,125 --> 00:27:05,125 So anything that is NAND based, based on that same core assumption 560 00:27:05,125 --> 00:27:07,083 that we need to be able to (Inaudible).