1
00:00:00,000 --> 00:00:01,999
Hi, everybody.

2
00:00:01,999 --> 00:00:05,999
Welcome

3
00:00:05,999 --> 00:00:07,000
intrusion detection.

4
00:00:07,000 --> 00:00:09,999
This is Scott Fretheim,

5
00:00:09,999 --> 00:00:12,375
we're from LMG Security.

6
00:00:14,626 --> 00:00:15,999
(Applause).

7
00:00:18,125 --> 00:00:21,918
So if your cell phone were hacked,

8
00:00:21,999 --> 00:00:24,999
Probably half of you today

9
00:00:24,999 --> 00:00:27,292
hacked, but you can't tell.

10
00:00:27,292 --> 00:00:28,999
You can pick it up and look at it.

11
00:00:29,125 --> 00:00:30,250
The video that you see

12
00:00:30,250 --> 00:00:34,125
and I don't know why it's not displaying

13
00:00:34,125 --> 00:00:36,876
The video displayed on the screen

14
00:00:36,876 --> 00:00:41,459
a video that's infected

15
00:00:41,999 --> 00:00:45,999
It's sending data out to the Netherlands.

16
00:00:51,999 --> 00:00:55,876
If you were a user looking at this phone,

17
00:00:57,250 --> 00:01:01,709
There's been an explosion

18
00:01:01,709 --> 00:01:04,999
I don't know if you have seen

19
00:01:04,999 --> 00:01:08,375
It was very good, very interesting

20
00:01:08,375 --> 00:01:11,999
the number

21
00:01:11,999 --> 00:01:15,542
between March 2012 and March 2013.

22
00:01:17,083 --> 00:01:19,918
It's teeny, tiny little computers.

23
00:01:20,292 --> 00:01:23,083
They can record you and track you

24
00:01:23,083 --> 00:01:26,459
And they can do anything that you can

25
00:01:26,584 --> 00:01:28,501
This is a screenshot of TigerBot.

26
00:01:30,918 --> 00:01:34,417
It can record the surrounding audio

27
00:01:34,918 --> 00:01:38,999
It can also track your GPS location

28
00:01:39,584 --> 00:01:43,334
I think it's really cool and sort

29
00:01:43,334 --> 00:01:47,083
because you can have botnets

30
00:01:47,083 --> 00:01:50,417
on normal LANs and soon we're also

31
00:01:50,417 --> 00:01:52,999
of infected smartphones.
32
00:01:52,999 --> 00:01:55,792
When they came

33
00:01:55,792 --> 00:02:00,999
attackers can segment that

34
00:02:00,999 --> 00:02:04,501
So you have nodes communicating

35
00:02:04,501 --> 00:02:07,999
If you have ten infected systems

36
00:02:07,999 --> 00:02:11,250
they are communicating

37
00:02:11,250 --> 00:02:15,834
and that means

38
00:02:15,999 --> 00:02:20,751
An attacker will be able

39
00:02:20,751 --> 00:02:23,417
And they will be able

40
00:02:23,417 --> 00:02:27,999
in and segment them

41
00:02:27,999 --> 00:02:31,792
You can say I have ten infected bots

42
00:02:31,792 --> 00:02:34,250
of Defense building.

43
00:02:34,250 --> 00:02:35,834
I have 20 infected bots

44
00:02:35,834 --> 00:02:38,083
how much do you want them?

45
00:02:38,083 --> 00:02:41,375
Maybe they are worth different amounts

46
00:02:41,751 --> 00:02:46,417
Mobile malware can record surrounding

47
00:02:46,417 --> 00:02:49,999
and send out your contacts list

48
00:02:49,999 --> 00:02:53,292
is something that we

49
00:02:53,292 --> 00:02:56,959
in doing so, they get more lists

50
00:02:56,959 --> 00:02:59,292
the same way the spam.

51
00:02:59,292 --> 00:03:02,209
We will probably get

52
00:03:03,626 --> 00:03:05,375
You can of course,

53
00:03:05,375 --> 00:03:09,959
and keystrokes and control your phone

54
00:03:11,417 --> 00:03:14,501
This is a chart that we made using

55
00:03:14,501 --> 00:03:19,459
of the phone-home traffic

56
00:03:19,459 --> 00:03:20,959
This is an infected laptop.

57
00:03:20,999 --> 00:03:23,834
It reflects

58
00:03:23,834 --> 00:03:26,292
to the attacker's system.

59
00:03:26,292 --> 00:03:28,375
This was over a 24-hour period.

60
00:03:28,459 --> 00:03:31,959
All the normal Windows traffic has been

61
00:03:31,959 --> 00:03:33,709
home to systems.

62
00:03:33,709 --> 00:03:36,250
Actually, I think first it phoned home

63
00:03:36,250 --> 00:03:37,999
IP addresses.

64
00:03:37,999 --> 00:03:39,792
You can see that little blip there.
65
00:03:39,792 --> 00:03:42,334
And it started talking

66
00:03:42,999 --> 00:03:45,999
The same thing happens

67
00:03:46,209 --> 00:03:47,876
The Android Stels malware.

68
00:03:49,125 --> 00:03:52,292
It phoned home every 15 minutes.

69
00:03:52,292 --> 00:03:53,709
So would you see

70
00:03:53,709 --> 00:03:57,751
to this with your smartphone and

71
00:03:58,999 --> 00:04:02,209
Now, on LANs,

72
00:04:02,209 --> 00:04:05,918
the option of inspecting network traffic.

73
00:04:05,918 --> 00:04:07,876
They can make charts like that.

74
00:04:07,876 --> 00:04:09,751
So even

75
00:04:09,751 --> 00:04:14,083
installed on a laptop, we can still tell

76
00:04:14,083 --> 00:04:16,792
on the patterns

77
00:04:16,792 --> 00:04:18,626
on the network.

78
00:04:18,959 --> 00:04:22,292
We don't have that same option

79
00:04:22,292 --> 00:04:25,751
within our enterprises and that means

80
00:04:25,751 --> 00:04:29,542
in meetings having their audio recorded

81
00:04:29,542 --> 00:04:33,209
corporate information on them,

82
00:04:33,209 --> 00:04:34,999
is also true.

83
00:04:34,999 --> 00:04:36,834
You might be sitting

84
00:04:36,834 --> 00:04:40,250
and never know it or having your

85
00:04:40,250 --> 00:04:44,250
the ability to inspect your traffic to tell

86
00:04:44,250 --> 00:04:46,334
an attacker, whether it's

87
00:04:46,334 --> 00:04:48,542
is collecting information

88
00:04:48,542 --> 00:04:50,834
and sending it outbound.

89
00:04:51,167 --> 00:04:53,999
The problem is that cellular traffic

90
00:04:53,999 --> 00:04:58,751
to the key stakeholders who really care

91
00:04:58,999 --> 00:05:01,999
One of the folks in our last talk asked

92
00:05:01,999 --> 00:05:04,999
if their phone was infected

93
00:05:04,999 --> 00:05:09,125
if they were inspecting that traffic,

94
00:05:09,125 --> 00:05:13,292
to be able to chase

95
00:05:13,292 --> 00:05:14,459
Nobody cares

96
00:05:14,459 --> 00:05:16,751
as you do, unfortunately.
97
00:05:18,834 --> 00:05:20,999
So what is the solution?

98
00:05:21,334 --> 00:05:24,999
We propose

99
00:05:24,999 --> 00:05:27,999
Within the past few years,

100
00:05:27,999 --> 00:05:32,626
little femtocells, miniature base stations,

101
00:05:32,626 --> 00:05:35,999
in places you might otherwise have

102
00:05:35,999 --> 00:05:37,959
They are being marketed

103
00:05:37,959 --> 00:05:40,459
You can get one

104
00:05:40,459 --> 00:05:42,542
Your cell phone connects

105
00:05:42,542 --> 00:05:46,959
across the Internet back

106
00:05:47,125 --> 00:05:49,626
In this case, we were playing

107
00:05:49,626 --> 00:05:51,667
Samsung femtocells.

108
00:05:51,667 --> 00:05:54,667
They are fairly inexpensive; this entire

109
00:05:54,667 --> 00:05:58,667
a cellular intrusion detection system

110
00:05:58,918 --> 00:06:01,334
We used both

111
00:06:01,334 --> 00:06:07,751
the SCS-26UC4 and it would probably

112
00:06:07,959 --> 00:06:10,918
Our goal is to enable defenders

113
00:06:10,918 --> 00:06:14,999
to detect when our cell phones

114
00:06:14,999 --> 00:06:17,501
are monitoring our traffic.

115
00:06:20,083 --> 00:06:23,459
So we gained root

116
00:06:23,459 --> 00:06:27,792
and then we modified

117
00:06:27,792 --> 00:06:31,459
so that it started exporting traffic.

118
00:06:31,459 --> 00:06:34,375
And David will go into this

119
00:06:34,375 --> 00:06:36,250
Then we sent it

120
00:06:36,250 --> 00:06:40,209
which embarrassingly only cost us $44,

121
00:06:40,209 --> 00:06:44,834
an old Dell Optiplex, and it was running

122
00:06:47,292 --> 00:06:50,584
When we infected a phone

123
00:06:50,584 --> 00:06:52,999
Snort would alert on it.

124
00:06:54,959 --> 00:06:57,083
The roadmap today, number one,

125
00:06:57,083 --> 00:07:01,959
through the femtocell modification

126
00:07:01,999 --> 00:07:06,292
We will show you examples

127
00:07:06,292 --> 00:07:08,999
We used some interesting stuff

128
00:07:08,999 --> 00:07:10,834
We will do a demonstration.
129
00:07:10,834 --> 00:07:12,999
Which we actually boot

130
00:07:12,999 --> 00:07:15,417
gets modified in real time.

131
00:07:15,417 --> 00:07:18,083
And then we'll show you a little video

132
00:07:18,083 --> 00:07:21,501
in which we infected a phone,

133
00:07:21,501 --> 00:07:24,959
captured the traffic and used

134
00:07:24,959 --> 00:07:26,999
the alerts pop up.

135
00:07:27,334 --> 00:07:31,125
And then we'll go

136
00:07:31,125 --> 00:07:37,125
and finally Scott and Randi Price did

137
00:07:37,125 --> 00:07:39,876
And she will show how it corroborated

138
00:07:39,876 --> 00:07:43,918
and Scott Fretheim will show how

139
00:07:43,918 --> 00:07:45,959
and controlled it.

140
00:07:45,959 --> 00:07:47,209
We have a lot to cram in here.

141
00:07:47,209 --> 00:07:49,918
There's also

142
00:07:49,918 --> 00:07:50,999
It's 77 pages.

143
00:07:50,999 --> 00:07:52,083
Lots of information

144
00:07:52,083 --> 00:07:55,709
afterwards, LMGsecurity.com/blog.

145
00:07:57,959 --> 00:07:59,459
So who are we?

146
00:07:59,459 --> 00:08:00,999
We are LMG Security.

147
00:08:00,999 --> 00:08:03,876
We are a security consulting

148
00:08:03,876 --> 00:08:06,501
We kind of support our research habit

149
00:08:06,501 --> 00:08:08,667
We do penetration testing,

150
00:08:08,667 --> 00:08:11,083
digital forensics and more.

151
00:08:11,167 --> 00:08:15,125
We also teach

152
00:08:15,125 --> 00:08:17,918
And that's where the idea

153
00:08:19,626 --> 00:08:23,125
Mobile network forensics, that's

154
00:08:23,125 --> 00:08:25,584
Let's grab some packet captures

155
00:08:25,584 --> 00:08:27,959
it and write a class about it.

156
00:08:27,959 --> 00:08:30,334
It turns out it was not so easy.

157
00:08:30,334 --> 00:08:33,209
It's really hard to get access

158
00:08:33,209 --> 00:08:34,999
If you have $300,000 to spend,

159
00:08:34,999 --> 00:08:37,999
telecommunications equipment,

160
00:08:37,999 --> 00:08:40,125
for most of us out there.
161
00:08:41,999 --> 00:08:45,125
Our core project team: myself, I'm

162
00:08:45,125 --> 00:08:47,584
consultant and the author

163
00:08:47,584 --> 00:08:50,334
Tracking Hackers through Cyberspace.

164
00:08:50,334 --> 00:08:52,209
David is our lead research scientist

165
00:08:52,209 --> 00:08:55,334
is our certified forensic examiner

166
00:08:55,334 --> 00:08:58,083
of our penetration tester team.

167
00:08:58,167 --> 00:09:01,667
I want to give a big shout

168
00:09:01,667 --> 00:09:04,167
to use some of your items.

169
00:09:08,125 --> 00:09:10,083
This is the parts list.

170
00:09:12,834 --> 00:09:14,999
First, you need a femtocell.

171
00:09:14,999 --> 00:09:15,999
You can get it used.

172
00:09:15,999 --> 00:09:19,999
The one that we used

173
00:09:19,999 --> 00:09:28,083
We had a Dell Optiplex GX260,

174
00:09:28,083 --> 00:09:29,999
Obviously if you want to,

175
00:09:29,999 --> 00:09:32,918
but that was totally fine

176
00:09:32,999 --> 00:09:34,083
We had a hub.

177
00:09:34,083 --> 00:09:35,626
A hub is really nice to have.

178
00:09:35,792 --> 00:09:37,626
It's a real hub, an old hub.

179
00:09:37,834 --> 00:09:40,209
More valuable than switches

180
00:09:40,209 --> 00:09:42,709
on the wire a lot easier.

181
00:09:42,918 --> 00:09:47,501
We have an FTDI Friend and that lets

182
00:09:47,501 --> 00:09:51,501
on the femtocell and a couple

183
00:09:51,501 --> 00:09:54,626
which we'll talk about today.

184
00:09:56,167 --> 00:09:58,999
So a little introduction

185
00:09:58,999 --> 00:10:01,125
is what we will focus on.

186
00:10:01,459 --> 00:10:04,999
It came to the public attention

187
00:10:04,999 --> 00:10:06,042
So just a few months ago.

188
00:10:06,125 --> 00:10:09,417
And it's distributed by spam email.

189
00:10:09,417 --> 00:10:10,626
People click on a link.

190
00:10:10,626 --> 00:10:14,999
The one that Dell wrote their paper

191
00:10:16,292 --> 00:10:18,999
So it's distributed

192
00:10:18,999 --> 00:10:20,999
as other malware.
193
00:10:20,999 --> 00:10:23,334
Normally they use

194
00:10:23,334 --> 00:10:27,125
but that doesn't work

195
00:10:27,125 --> 00:10:29,999
They are using

196
00:10:31,375 --> 00:10:34,417
You click on the link and it says, sorry,

197
00:10:34,417 --> 00:10:38,999
of Adobe Flash Player to read this file,

198
00:10:40,751 --> 00:10:44,584
And the user walks

199
00:10:44,667 --> 00:10:47,167
Stels is capable

200
00:10:47,167 --> 00:10:51,375
and also filtering and intercepting SMS

201
00:10:51,375 --> 00:10:53,125
This isn't surprising

202
00:10:53,125 --> 00:10:56,459
since banks started coming

203
00:10:56,459 --> 00:10:58,834
like you go to log

204
00:10:58,834 --> 00:11:02,876
and sometimes it will send you a PIN

205
00:11:03,167 --> 00:11:05,834
If an attacker has

206
00:11:05,834 --> 00:11:08,083
into that web page

207
00:11:08,083 --> 00:11:11,959
in the browser attack and ask you

208
00:11:14,125 --> 00:11:17,209
You type in your phone number

209
00:11:17,209 --> 00:11:19,709
from that point on,

210
00:11:19,709 --> 00:11:21,375
to your phone.

211
00:11:21,375 --> 00:11:24,167
So they can grab those PINs

212
00:11:27,125 --> 00:11:29,959
So they can link them

213
00:11:29,959 --> 00:11:32,459
they gain

214
00:11:32,459 --> 00:11:35,667
can't see some of them,

215
00:11:35,667 --> 00:11:38,417
to if someone is trying to get

216
00:11:38,417 --> 00:11:41,375
because it would be funny for you

217
00:11:41,375 --> 00:11:44,999
a text message with the PIN

218
00:11:44,999 --> 00:11:46,918
trying to log in.

219
00:11:46,918 --> 00:11:48,999
They filter that so you can't see it.

220
00:11:48,999 --> 00:11:51,209
It can make phone calls

221
00:11:51,209 --> 00:11:53,709
to premium numbers.

222
00:11:53,709 --> 00:11:56,834
Again, direct financial incentive.

223
00:11:56,999 --> 00:11:59,334
It can also update itself.

224
00:11:59,334 --> 00:12:01,334
Any behavior we don't see

225
00:12:01,334 --> 00:12:04,292
they could totally add tomorrow.
226
00:12:04,292 --> 00:12:05,542
The behavior

227
00:12:05,542 --> 00:12:08,375
change overnight

228
00:12:10,667 --> 00:12:13,584
This is our RF-shielded cage.

229
00:12:13,584 --> 00:12:15,250
As we were doing this,

230
00:12:15,250 --> 00:12:18,292
with legal counsel extensively

231
00:12:18,292 --> 00:12:23,167
to make sure that no one else's cell

232
00:12:23,167 --> 00:12:27,083
as they were taking these packet

233
00:12:27,083 --> 00:12:28,292
This device

234
00:12:28,292 --> 00:12:30,876
in our cell phone forensic lab.

235
00:12:30,876 --> 00:12:36,542
We have the only shielded case

236
00:12:36,542 --> 00:12:39,125
David, do you want to talk

237
00:12:42,209 --> 00:12:47,209
DAVID HARRISON: Let's talk

238
00:12:47,709 --> 00:12:50,542
So the RF-shielded cage here,

239
00:12:50,542 --> 00:12:53,542
out of an abundance

240
00:12:53,542 --> 00:12:56,999
up accidentally capturing your traffic.

241
00:12:57,250 --> 00:13:02,999
Now, these femtocells can be configured

242
00:13:03,542 --> 00:13:04,999
But in addition,

243
00:13:04,999 --> 00:13:08,626
an absolute guarantee that we wouldn't

244
00:13:08,626 --> 00:13:10,334
that wasn't ours.

245
00:13:10,334 --> 00:13:14,584
So on the side of this box here,

246
00:13:14,584 --> 00:13:17,209
of configurable ports.

247
00:13:17,375 --> 00:13:21,250
The first of which is currently set

248
00:13:21,250 --> 00:13:26,999
a filtered Ethernet jack

249
00:13:26,999 --> 00:13:28,999
We then have, sorry.

250
00:13:28,999 --> 00:13:30,999
We then have

251
00:13:30,999 --> 00:13:37,250
to the FTDI Friend that's inside that we

252
00:13:37,626 --> 00:13:42,999
We also added, on the instructions

253
00:13:42,999 --> 00:13:46,751
Ramsey, added

254
00:13:46,751 --> 00:13:48,209
GPS in.

255
00:13:48,209 --> 00:13:52,292
One of the requirements is, and one

256
00:13:52,292 --> 00:13:56,999
inside the middle of a hotel

257
00:13:56,999 --> 00:13:59,999
for the femtocell to boot up.
258
00:14:00,125 --> 00:14:03,999
So we had to run a GPS signal

259
00:14:04,083 --> 00:14:09,876
Let's see, so what's our setup look

260
00:14:09,876 --> 00:14:12,999
This is the other side

261
00:14:12,999 --> 00:14:14,999
of those ports.

262
00:14:14,999 --> 00:14:19,834
We have the GPS antenna,

263
00:14:19,834 --> 00:14:26,167
the USB cable running

264
00:14:26,167 --> 00:14:29,250
And then we have

265
00:14:29,250 --> 00:14:35,292
to an HDMI cable where Samsung put

266
00:14:35,292 --> 00:14:40,417
of an HDMI two pins

267
00:14:40,417 --> 00:14:42,626
of the thing.

268
00:14:42,999 --> 00:14:45,334
You can also see we have power

269
00:14:45,667 --> 00:14:47,667
Let's see.

270
00:14:47,999 --> 00:14:50,459
So cellular intrusion detection.

271
00:14:51,083 --> 00:14:55,459
This wasn't originally

272
00:14:55,459 --> 00:14:59,999
we were looking at network forensics,

273
00:14:59,999 --> 00:15:03,083
about the cellular network.

274
00:15:03,459 --> 00:15:09,250
And it quickly became this big project

275
00:15:09,250 --> 00:15:12,334
So as soon as we did get access,

276
00:15:12,334 --> 00:15:13,626
What can we do?

277
00:15:13,626 --> 00:15:18,542
And we thought, here's something cool,

278
00:15:18,918 --> 00:15:20,626
We can hook it up to Snort.

279
00:15:20,999 --> 00:15:24,083
This is just going

280
00:15:24,083 --> 00:15:28,792
at some level, we assumed at least,

281
00:15:29,083 --> 00:15:31,542
Let's hook it

282
00:15:31,542 --> 00:15:34,999
find, if we can see

283
00:15:34,999 --> 00:15:37,125
and control traffic.

284
00:15:38,834 --> 00:15:41,959
So when we first got root access

285
00:15:41,959 --> 00:15:45,292
will step through how we got root access

286
00:15:45,417 --> 00:15:47,999
We hooked up tcpdump to it.

287
00:15:47,999 --> 00:15:50,584
It has a copy of tcpdump.
288
00:15:50,999 --> 00:15:54,083
The box itself

289
00:15:54,083 --> 00:16:00,834
of Linux called MontaVista and so, like,

290
00:16:00,834 --> 00:16:05,417
It turns out, of course, everything

291
00:16:05,417 --> 00:16:10,083
an IPsec tunnel back

292
00:16:10,083 --> 00:16:16,918
and just running tcpdump gets us, you

293
00:16:16,918 --> 00:16:20,250
and not so useful to us.

294
00:16:20,626 --> 00:16:26,501
To step backwards, how did we get root

295
00:16:26,501 --> 00:16:29,959
On the bottom, there's an HDMI port.

296
00:16:30,083 --> 00:16:38,375
It has 3.3-volt console access

297
00:16:39,959 --> 00:16:45,083
We hooked that up to an FTDI Friend,

298
00:16:45,918 --> 00:16:49,626
It was a $15 part or something.

299
00:16:51,209 --> 00:16:54,334
I got really antsy while we waited

300
00:16:54,334 --> 00:16:58,292
of this and it was right

301
00:16:58,542 --> 00:17:02,250
So I just grabbed my badge

302
00:17:02,250 --> 00:17:06,999
an FTDI connector on it, I ended

303
00:17:07,417 --> 00:17:09,459
It's a little bit

304
00:17:09,459 --> 00:17:11,999
but I thought you would enjoy that.

305
00:17:12,334 --> 00:17:20,083
So as soon as we got console access,

306
00:17:20,083 --> 00:17:25,083
of the stack is a U-Boot bootloader.

307
00:17:25,459 --> 00:17:28,709
Samsung has done a bit to modify

308
00:17:34,083 --> 00:17:36,999
You can go to their website

309
00:17:37,083 --> 00:17:43,999
And in the old versions, and old being

310
00:17:43,999 --> 00:17:49,709
January or February of this year,

311
00:17:49,709 --> 00:17:53,626
the boot process was

312
00:17:53,626 --> 00:17:56,999
you would type sys, return.

313
00:17:57,999 --> 00:18:07,083
The thing is, the code for that was

314
00:18:07,083 --> 00:18:09,083
And we actually didn't figure that out.
315
00:18:09,083 --> 00:18:12,209
That was another gentleman,

316
00:18:12,209 --> 00:18:16,959
in our white paper, linked

317
00:18:16,959 --> 00:18:20,542
So we took that and, okay,

318
00:18:23,083 --> 00:18:30,667
So then we just did init=/bin/sh

319
00:18:30,667 --> 00:18:39,250
through the boot-up process manually,

320
00:18:39,876 --> 00:18:45,667
We then started looking

321
00:18:45,667 --> 00:18:48,292
We saw there's DHCP going on,

322
00:18:48,292 --> 00:18:50,959
about a little bit ago.

323
00:18:51,999 --> 00:18:54,501
And it has iptables.

324
00:18:54,501 --> 00:18:57,999
It's using that to filter

325
00:18:57,999 --> 00:19:02,792
addresses can connect to some

326
00:19:02,792 --> 00:19:06,334
since we saw tcpdump wasn't

327
00:19:06,334 --> 00:19:10,334
Let's see if we can get access

328
00:19:10,918 --> 00:19:15,999
That was a good enough idea,

329
00:19:15,999 --> 00:19:19,626
on there

330
00:19:19,626 --> 00:19:21,999
of iptables 1.3.7.

331
00:19:22,083 --> 00:19:28,209
No NFQUEUE, no way to copy

332
00:19:28,209 --> 00:19:30,626
There's not even

333
00:19:30,626 --> 00:19:31,959
It's an embedded system.

334
00:19:31,959 --> 00:19:33,083
It's not that surprising.

335
00:19:33,083 --> 00:19:35,334
So he went back

336
00:19:35,334 --> 00:19:38,751
and we really wanted to use NFQUEUE.

337
00:19:38,751 --> 00:19:42,501
We grabbed the source code

338
00:19:42,751 --> 00:19:45,083
However, it doesn't want

339
00:19:45,083 --> 00:19:47,999
with modern versions of GCC.

340
00:19:49,999 --> 00:19:52,999
So it's really picky

341
00:19:52,999 --> 00:19:56,667
with MontaVista's ARM toolchain.

342
00:19:56,999 --> 00:19:59,083
Now, that encountered

343
00:19:59,083 --> 00:20:01,959
which was that MontaVista doesn't

344
00:20:01,959 --> 00:20:05,417
despite everything being GPL-licensed.

345
00:20:05,417 --> 00:20:07,999
They don't openly distribute that.
346
00:20:07,999 --> 00:20:12,999
They only distribute their toolchain

347
00:20:12,999 --> 00:20:17,918
however, one of the customers

348
00:20:17,918 --> 00:20:23,709
the OMAP series of boards,

349
00:20:23,709 --> 00:20:27,999
So the OMAP,

350
00:20:27,999 --> 00:20:34,709
uses the same version

351
00:20:34,709 --> 00:20:37,292
The chipset in here is actually

352
00:20:37,292 --> 00:20:41,417
is a very similar Texas Instruments

353
00:20:42,751 --> 00:20:49,042
You can grab the toolchain

354
00:20:49,042 --> 00:20:52,125
We used that to then build

355
00:20:52,125 --> 00:20:56,292
all of the dependencies

356
00:20:57,999 --> 00:21:01,999
And what NFQUEUE does,

357
00:21:01,999 --> 00:21:04,542
it pulls packets out.

358
00:21:04,542 --> 00:21:11,250
It routes them with the rule in iptables,

359
00:21:11,999 --> 00:21:17,083
Then you have a user-space program,

360
00:21:17,083 --> 00:21:21,167
mark it, do whatever you want

361
00:21:21,167 --> 00:21:22,999
You can modify it, send it back.

362
00:21:22,999 --> 00:21:26,083
In this case, we are just marking it

363
00:21:26,083 --> 00:21:30,292
Sending it back and then sending

364
00:21:30,292 --> 00:21:33,999
will then pipe

365
00:21:33,999 --> 00:21:35,959
in a minute.

366
00:21:36,834 --> 00:21:40,584
Oh, yes, here's

367
00:21:40,999 --> 00:21:42,999
Kernel modules.

368
00:21:44,542 --> 00:21:46,083
iptables.

369
00:21:46,083 --> 00:21:48,792
So we wrote

370
00:21:48,792 --> 00:21:52,083
compiled statically

371
00:21:52,083 --> 00:21:56,334
the packets out of the queue,

372
00:21:59,083 --> 00:22:03,501
This is an ARM926EJ processor, what

373
00:22:03,501 --> 00:22:10,999
rather than dealing with a cross-compiler,

374
00:22:13,125 --> 00:22:19,709
You don't want to cross-compile

375
00:22:21,083 --> 00:22:25,292
So the netcat, we wanted

376
00:22:25,292 --> 00:22:27,999
as quickly as possible.

377
00:22:27,999 --> 00:22:29,375
It doesn't have much power.
378
00:22:29,375 --> 00:22:30,626
It's a pain to work with.

379
00:22:30,626 --> 00:22:35,459
Word to the wise, if you do this, there

380
00:22:35,459 --> 00:22:37,375
to SIGTERM.

381
00:22:37,626 --> 00:22:44,083
Don't run ping without a count

382
00:22:44,125 --> 00:22:48,999
I was like, oh, my God, I really want

383
00:22:48,999 --> 00:22:52,459
as possible, send it to netcat

384
00:22:52,459 --> 00:22:55,918
of our processing

385
00:22:55,918 --> 00:22:58,250
that old Dell Optiplex.

386
00:22:58,250 --> 00:23:02,459
So we can see on the other end,

387
00:23:02,459 --> 00:23:08,999
a netcat listener which pipes

388
00:23:08,999 --> 00:23:14,375
program that leverages Scapy

389
00:23:14,375 --> 00:23:19,999
as a hexadecimal stream

390
00:23:19,999 --> 00:23:23,999
which we then write to a file.

391
00:23:23,999 --> 00:23:27,999
And hey, lo and behold,

392
00:23:28,167 --> 00:23:30,334
And then we looked at that traffic.

393
00:23:30,334 --> 00:23:31,334
(Laughter).

394
00:23:31,334 --> 00:23:33,167
And let's let Sherri talk about that.

395
00:23:33,167 --> 00:23:36,250
SHERRI DAVIDOFF: It took us

396
00:23:36,250 --> 00:23:39,876
to get to this point where we had traffic.

397
00:23:39,876 --> 00:23:41,417
We were a little bit slowed down.

398
00:23:41,417 --> 00:23:43,834
We started the project in August and

399
00:23:43,834 --> 00:23:46,542
all of this and we were just

400
00:23:46,542 --> 00:23:50,918
and start collecting packets when

401
00:23:51,125 --> 00:23:54,417
We had to break back into the system.

402
00:23:55,959 --> 00:23:59,999
We did figure out how to do that

403
00:23:59,999 --> 00:24:01,876
By the time we were able

404
00:24:01,876 --> 00:24:03,792
it was around May.

405
00:24:03,999 --> 00:24:07,542
When we finally got it, it was beautiful!

406
00:24:07,999 --> 00:24:11,167
So this is the first

407
00:24:11,167 --> 00:24:13,834
to show you

408
00:24:13,834 --> 00:24:16,083
hierarchy summary.
409
00:24:16,417 --> 00:24:20,709
You can see here, this is just

410
00:24:20,709 --> 00:24:23,751
There's 82.04%

411
00:24:23,751 --> 00:24:29,250
normal traffic that you might expect

412
00:24:29,250 --> 00:24:34,167
So NTP, SNMP, DNS, that kind of stuff.

413
00:24:34,167 --> 00:24:38,542
You scroll down, okay, you start

414
00:24:38,542 --> 00:24:39,709
That's 0.21%.

415
00:24:39,959 --> 00:24:42,999
I was pretty intrigued

416
00:24:42,999 --> 00:24:47,959
in there and then we start getting

417
00:24:47,999 --> 00:24:48,999
There's GRE.

418
00:24:48,999 --> 00:24:51,584
So that's used

419
00:24:51,584 --> 00:24:56,125
from the femtocell

420
00:24:56,542 --> 00:25:01,751
And then you see, I don't know,

421
00:25:01,751 --> 00:25:03,999
in PPP in GRE.

422
00:25:04,417 --> 00:25:05,417
Okay.

423
00:25:05,417 --> 00:25:06,417
I can handle that.

424
00:25:06,459 --> 00:25:07,999
Here's the next screen.

425
00:25:07,999 --> 00:25:08,999
(Laughter).

426
00:25:08,999 --> 00:25:12,167
All right.

427
00:25:12,167 --> 00:25:16,999
So we have TCP/IP within IPv4,

428
00:25:17,083 --> 00:25:21,292
So this is where your web traffic lives

429
00:25:22,375 --> 00:25:26,209
In some cases Wireshark can dissect

430
00:25:26,209 --> 00:25:30,542
of the higher-layer traffic

431
00:25:30,584 --> 00:25:37,584
You see TCP in IPv4 and PPP

432
00:25:40,999 --> 00:25:42,083
(Laughter).

433
00:25:47,834 --> 00:25:50,459
I don't know how far this rabbit hole

434
00:25:50,459 --> 00:25:52,709
Just kept going and going and going.

435
00:25:53,751 --> 00:25:57,209
So David didn't believe that this was

436
00:25:57,209 --> 00:25:59,417
DAVID HARRISON: I just figured it

437
00:25:59,417 --> 00:26:01,792
in Wireshark or something.

438
00:26:01,792 --> 00:26:02,918
SHERRI DAVIDOFF: So

439
00:26:02,918 --> 00:26:04,584
of these packets.

440
00:26:04,584 --> 00:26:05,584
This is an example.
441
00:26:05,667 --> 00:26:13,999
This is data in data in TCP in IPv4

442
00:26:13,999 --> 00:26:18,999
in PPP in GRE in IPv4 in a frame.

443
00:26:18,999 --> 00:26:21,999
DAVID HARRISON: Keep in mind,

444
00:26:21,999 --> 00:26:25,417
in an IPsec tunnel and goes back

445
00:26:25,417 --> 00:26:30,375
SHERRI DAVIDOFF: And I know

446
00:26:30,375 --> 00:26:32,999
on another phone.

447
00:26:32,999 --> 00:26:35,250
AUDIENCE MEMBER: It sounds

448
00:26:35,250 --> 00:26:36,999
DAVID HARRISON: Dr. Seuss, yep.

449
00:26:36,999 --> 00:26:42,999
SHERRI DAVIDOFF: Here's

450
00:26:43,876 --> 00:26:46,459
We will not dig into this stuff too much.

451
00:26:46,459 --> 00:26:47,876
It seems to be used

452
00:26:47,876 --> 00:26:50,292
between the femtocell and Verizon.

453
00:26:50,292 --> 00:26:52,999
So it will go out and this

454
00:26:52,999 --> 00:26:54,959
It will enter a password, it

455
00:26:54,959 --> 00:26:58,292
down some configuration files,

456
00:26:58,292 --> 00:26:59,250
So I just thought that was kind

457
00:26:59,250 --> 00:27:01,417
the reconstructed stream here.

458
00:27:04,626 --> 00:27:09,459
The phone does mobile handset

459
00:27:11,999 --> 00:27:15,083
We were able

460
00:27:15,083 --> 00:27:17,999
So that means that any time

461
00:27:17,999 --> 00:27:21,334
we have a little Snort alert that pops up.

462
00:27:21,999 --> 00:27:24,125
The string that

463
00:27:24,125 --> 00:27:25,999
with is "welcome

464
00:27:25,999 --> 00:27:28,083
something, something."

465
00:27:28,667 --> 00:27:30,542
So you can tell as soon as there's

466
00:27:30,542 --> 00:27:32,999
to your femtocell, which is kind

467
00:27:32,999 --> 00:27:35,501
if you deploy it on your home network.

468
00:27:35,999 --> 00:27:40,999
And it can only to specific phones,

469
00:27:40,999 --> 00:27:44,999
if you are inspecting traffic, of course.
470
00:27:45,459 --> 00:27:50,626
So we also wrote

471
00:27:53,751 --> 00:27:56,083
Our efforts

472
00:27:56,083 --> 00:27:59,959
by the fact that Verizon doesn't seem

473
00:27:59,959 --> 00:28:01,876
of the standard.

474
00:28:01,876 --> 00:28:02,876
So we had to go digging

475
00:28:02,876 --> 00:28:06,375
out exactly which version

476
00:28:06,959 --> 00:28:10,125
This is an example

477
00:28:10,125 --> 00:28:12,999
dissecting an A9 Setup.

478
00:28:12,999 --> 00:28:15,834
So that's used to set

479
00:28:15,834 --> 00:28:18,250
to transfer user data.

480
00:28:18,250 --> 00:28:20,417
And this is available on SourceForge.

481
00:28:20,417 --> 00:28:22,250
As soon as we get to a clean network,

482
00:28:22,250 --> 00:28:24,999
of us is home, we will upload this stuff.

483
00:28:28,667 --> 00:28:32,918
We ended up examining

484
00:28:32,918 --> 00:28:36,250
and that's

485
00:28:36,250 --> 00:28:42,292
Android.Stels actually transmits signals

486
00:28:42,292 --> 00:28:45,083
So we wanted to pull

487
00:28:45,083 --> 00:28:48,542
and figure out how

488
00:28:48,626 --> 00:28:50,999
There were two kinds

489
00:28:50,999 --> 00:28:54,709
and Wireshark was dissecting them

490
00:28:54,709 --> 00:28:56,751
This was a default version of Wireshark.

491
00:28:56,751 --> 00:29:01,083
There was GRE type 0x8881, which

492
00:29:05,083 --> 00:29:08,083
This was used

493
00:29:08,125 --> 00:29:11,999
Wireshark didn't dissect this

494
00:29:12,209 --> 00:29:17,083
However, there were also GRE 0x88D2

495
00:29:17,083 --> 00:29:20,292
and Wireshark did decode more.

496
00:29:20,292 --> 00:29:21,999
It could get all the way up to TCP.

497
00:29:22,501 --> 00:29:25,417
It didn't get the HTTP in most cases.

498
00:29:25,792 --> 00:29:30,834
When we looked at first in Wireshark,

499
00:29:30,834 --> 00:29:35,667
and there was no matching outgoing

500
00:29:35,667 --> 00:29:38,918
to dissect with our eyeballs.

501
00:29:38,918 --> 00:29:41,751
That was a bit of a pain.
502
00:29:41,751 --> 00:29:46,584
I think I have to step down to be able

503
00:29:46,584 --> 00:29:50,083
DAVID HARRISON: Sorry,

504
00:29:50,125 --> 00:29:59,959
SHERRI DAVIDOFF: Okay.

505
00:29:59,959 --> 00:30:01,709
So here you see, can everyone hear me?

506
00:30:01,876 --> 00:30:06,999
Here you see a GRE 0x8881 packet

507
00:30:06,999 --> 00:30:09,999
dissects as far as that PPP.

508
00:30:09,999 --> 00:30:12,250
It doesn't dissect the IP or the TCP.

509
00:30:12,250 --> 00:30:16,334
So we started looking a little further

510
00:30:16,834 --> 00:30:19,626
Anybody in our network class

511
00:30:19,626 --> 00:30:21,125
the 45 00 is?

512
00:30:21,999 --> 00:30:24,459
This should... AUDIENCE MEMBER:

513
00:30:24,459 --> 00:30:27,000
SHERRI DAVIDOFF: Yes, it's the start

514
00:30:27,751 --> 00:30:29,918
It's IPv4.

515
00:30:29,918 --> 00:30:31,792
You will probably only see 4 or 6 there.

516
00:30:31,792 --> 00:30:36,999
The five represents the length,

517
00:30:37,417 --> 00:30:41,209
In this case, that's a 20

518
00:30:41,209 --> 00:30:44,584
of service field which you see 00.

519
00:30:44,584 --> 00:30:46,999
Any time you start looking

520
00:30:46,999 --> 00:30:51,209
you think maybe that's an IP packet

521
00:30:51,542 --> 00:30:53,999
We saw indeed it was.

522
00:30:53,999 --> 00:30:54,584
You could see

523
00:30:54,584 --> 00:30:56,709
the destination IP address.

524
00:30:58,000 --> 00:31:01,876
For a ninja duck, what is hex 50?

525
00:31:03,501 --> 00:31:06,999
AUDIENCE MEMBER: 80.

526
00:31:08,709 --> 00:31:14,167
SHERRI DAVIDOFF: David,

527
00:31:14,167 --> 00:31:16,876
This was traffic that should be

528
00:31:16,876 --> 00:31:19,083
I'm not sure why Wireshark can't pick

529
00:31:19,083 --> 00:31:21,834
It can't get very far

530
00:31:21,834 --> 00:31:26,334
And then here's the 0x88D2 packets

531
00:31:28,083 --> 00:31:30,083
There's the IPv4.
532 00:31:30,083 --> 00:31:33,999 So it actually got it that time
533 00:31:33,999 --> 00:31:37,167 You can see inside,
534 00:31:37,167 --> 00:31:40,999 right here, HTTP, and higher layer stuff.
535 00:31:40,999 --> 00:31:42,209 It didn't get that far
536 00:31:42,209 --> 00:31:46,667 but it was useful that it could dissect
537 00:31:47,999 --> 00:31:52,999 So here's some threat indicators that
538 00:31:52,999 --> 00:31:55,999 for the Android Stels malware.
539 00:31:57,125 --> 00:32:03,167 You can see that it so Android.Stels has
540 00:32:03,167 --> 00:32:05,417 that are known.
541 00:32:05,667 --> 00:32:09,167 There's 31.170 something, something,
542 00:32:09,167 --> 00:32:13,999 actually and then the other one 95
543 00:32:13,999 --> 00:32:15,999 There's also
544 00:32:15,999 --> 00:32:19,375 is typically distributed, a Flash Player.
545 00:32:20,999 --> 00:32:24,584 And there's two domains that are
546 00:32:24,584 --> 00:32:29,083 the free IZ.com one and
547 00:32:29,083 --> 00:32:30,125 And those are
548 00:32:30,125 --> 00:32:32,083 into our Snort alerts.
549 00:32:32,999 --> 00:32:38,999 Here's some Snort alerts we used
550 00:32:41,626 --> 00:32:44,083 We put the IP addresses in here.
551 00:32:44,083 --> 00:32:46,751 You can't just look for an IP address
552 00:32:46,751 --> 00:32:50,250 like for an IP address in an IP packet
553 00:32:50,459 --> 00:32:53,083 Snort can't dissect
554 00:32:53,083 --> 00:32:56,292 You have to look at it
555 00:32:57,501 --> 00:33:01,167 Hopefully that will pop
556 00:33:01,334 --> 00:33:03,918 Sometimes this can be fragmented
557 00:33:03,918 --> 00:33:07,083 but we found this actually worked most
558 00:33:08,918 --> 00:33:11,459 Same thing here,
559 00:33:11,459 --> 00:33:14,209 we have to look for it as a string
560 00:33:14,209 --> 00:33:17,417 because these are longer,
561 00:33:17,417 --> 00:33:19,959 up across multiple packets.
562 00:33:20,250 --> 00:33:23,083 We saw, in particular,
563 00:33:23,083 --> 00:33:27,167 containing these domains,
564 00:33:27,167 --> 00:33:31,083 the domain was broken
565 00:33:31,083 --> 00:33:35,667 would show you there was I'm sorry,
566 00:33:35,667 --> 00:33:39,999 an alert on the response and not
567 00:33:41,918 --> 00:33:44,209 And then if you want to detect
568 00:33:44,209 --> 00:33:46,876 we can take a snippet of the binary
569 00:33:46,876 --> 00:33:49,501 on that and that worked really well.
570 00:33:49,999 --> 00:33:51,959 You can see
571 00:33:51,959 --> 00:33:54,792 themselves, you can see when
572 00:33:54,792 --> 00:33:56,375 Player update.
573 00:33:58,334 --> 00:34:01,250 So now we are going to do
574 00:34:01,626 --> 00:34:04,292 In our lab, I was the attacker.
575 00:34:04,834 --> 00:34:07,667 And the attacker can be any phone
576 00:34:07,667 --> 00:34:10,250 an AT&T smartphone that we used
577 00:34:10,250 --> 00:34:12,999 from our Verizon phone and
578 00:34:12,999 --> 00:34:15,667 we sent a nasty text message.
579 00:34:15,667 --> 00:34:17,501 And David was the victim.
580 00:34:17,501 --> 00:34:19,083 DAVID HARRISON: Sad day.
581 00:34:19,083 --> 00:34:19,999 SHERRI DAVIDOFF: So
582 00:34:19,999 --> 00:34:23,999 a Verizon Android smartphone
583 00:34:24,250 --> 00:34:27,501 So now, let's switch over to our box.
584 00:34:27,501 --> 00:34:31,083 DAVID HARRISON: This
585 00:34:31,083 --> 00:34:34,209 SHERRI DAVIDOFF: Yes, we
586 00:34:35,334 --> 00:34:37,542 We need our lab coats, hold on.
587 00:34:37,626 --> 00:34:40,334 DAVID HARRISON: Safety first.
588 00:34:40,709 --> 00:34:41,999 That's mine.
589 00:34:45,292 --> 00:34:47,417 Who buttoned this thing?
590 00:34:49,167 --> 00:34:51,626 Someone is trying to sabotage me!
591 00:34:58,999 --> 00:35:01,667 Sorry for switching, engineer.
592 00:35:01,667 --> 00:35:02,667 I know it's a pain.
593 00:35:02,667 --> 00:35:03,999 I used to do that for a living.
594 00:35:03,999 --> 00:35:05,459 SHERRI DAVIDOFF: Sorry.
595 00:35:10,709 --> 00:35:13,375 DAVID HARRISON: So all right.
596 00:35:13,375 --> 00:35:16,999 As soon as you okay.
597 00:35:16,999 --> 00:35:17,999 Yeah.
598 00:35:17,999 --> 00:35:19,626 We have this here up on the screen.
599 00:35:19,626 --> 00:35:21,083 I will restart this femtocell.
600 00:35:21,083 --> 00:35:24,125 Don't worry, we are not setting
601 00:35:24,125 --> 00:35:26,999 So if you have an Android phone
602 00:35:26,999 --> 00:35:31,834 As soon as we plug it in here, we
603 00:35:31,834 --> 00:35:35,999 if you could see it,
604 00:35:35,999 --> 00:35:40,542 modified by Samsung here
605 00:35:40,542 --> 00:35:43,459 into the command prompt.
606 00:35:44,959 --> 00:35:46,834 And let's see.
607 00:35:46,999 --> 00:35:48,542 So
608 00:35:48,542 --> 00:35:51,999 SHERRI DAVIDOFF: Going through our script.
609 00:35:51,999 --> 00:35:53,209 So onand boot.
610 00:35:53,209 --> 00:35:58,125 DAVID HARRISON: So onand boot
611 00:35:58,125 --> 00:36:04,501 because the chipset on there uses
612 00:36:04,501 --> 00:36:07,918 proprietary to Samsung.
613 00:36:09,999 --> 00:36:15,167 Here we see we now dropped
614 00:36:15,167 --> 00:36:20,375 up because we didn't actually run
615 00:36:20,375 --> 00:36:23,250 SHERRI DAVIDOFF: Now we are
616 00:36:23,459 --> 00:36:25,999 DAVID HARRISON: Most of this
617 00:36:26,417 --> 00:36:29,792 There's a couple
618 00:36:29,834 --> 00:36:35,083 There's one S70 app that actually starts
619 00:36:35,083 --> 00:36:38,334 for the cellular traffic.
620 00:36:39,292 --> 00:36:41,751 And so we're choosing
621 00:36:41,751 --> 00:36:43,834 to do before we run that.
622 00:36:44,584 --> 00:36:48,999 Another thing that's a quirk
623 00:36:48,999 --> 00:36:52,876 is accessible until you run some
624 00:36:52,876 --> 00:36:57,709 because of the way ONAND works,
625 00:36:57,709 --> 00:37:01,584 of different blocks and block devices.
626 00:37:01,584 --> 00:37:03,542 SHERRI DAVIDOFF: Extract rfs.sh.
627 00:37:03,584 --> 00:37:09,999 DAVID HARRISON: What we do
628 00:37:09,999 --> 00:37:15,209 and symlinking them in the file.
629 00:37:15,334 --> 00:37:20,834 So for instance, /ubin contains lots
630 00:37:20,834 --> 00:37:23,999 but that's not mounted
631 00:37:23,999 --> 00:37:27,250 of these init scripts, rfs.sh.
632 00:37:27,999 --> 00:37:31,375 So let's see, what are we seeing here?
633 00:37:31,918 --> 00:37:35,209 SHERRI DAVIDOFF: Now we are
634 00:37:35,209 --> 00:37:38,167 and then we'll set up networking.
635 00:37:39,083 --> 00:37:41,459 The reason we set up networking
636 00:37:41,459 --> 00:37:44,542 to download those extra binaries that
637 00:37:44,542 --> 00:37:46,792 and we need to copy over.
638 00:37:46,792 --> 00:37:50,125 DAVID HARRISON: Fortunately there
639 00:37:50,125 --> 00:37:51,125 FTP is there.
640 00:37:51,709 --> 00:37:55,083 We will use that to connect.
641 00:37:55,083 --> 00:37:57,626 That's the address
642 00:37:59,834 --> 00:38:05,876 Going to say CD
643 00:38:05,876 --> 00:38:10,999 The binaries we are downloading are
644 00:38:10,999 --> 00:38:16,375 the kernel modules,
645 00:38:16,375 --> 00:38:25,918 into NFqueue and a binary for Netcat,
646 00:38:27,999 --> 00:38:32,083 We won't keep copying
647 00:38:32,834 --> 00:38:35,083 So we will run that script.
648 00:38:35,083 --> 00:38:36,375 It is going to print
649 00:38:36,375 --> 00:38:37,999 can see them.
650 00:38:38,167 --> 00:38:41,417 SHERRI DAVIDOFF: We are inserting
651 00:38:41,417 --> 00:38:43,792 DAVID HARRISON: Order
652 00:38:43,999 --> 00:38:49,125 SHERRI DAVIDOFF: We will start
653 00:38:51,459 --> 00:38:53,999 DAVID HARRISON: These two
654 00:38:53,999 --> 00:38:57,417 they are something Samsung put
655 00:38:57,417 --> 00:39:00,999 They just automatically configure
656 00:39:00,999 --> 00:39:05,083 and this usually takes a couple
657 00:39:05,083 --> 00:39:06,999 It sets up and tears down.
658 00:39:07,083 --> 00:39:12,083 It grabs like NTP and tears
659 00:39:12,083 --> 00:39:15,999 up its final connection.
660 00:39:17,751 --> 00:39:19,999 So next.
661 00:39:19,999 --> 00:39:23,083 SHERRI DAVIDOFF: So then we kill
662 00:39:23,083 --> 00:39:28,792 the SSH and then we start
663 00:39:28,792 --> 00:39:32,999 So at this point we are waiting
664 00:39:33,083 --> 00:39:36,999 So as soon as I collect the traffic
665 00:39:36,999 --> 00:39:38,999 over to the SIDs.
666 00:39:39,125 --> 00:39:41,999 So press enter to input packets
667 00:39:44,334 --> 00:39:48,792 DAVID HARRISON: It's really
668 00:39:48,792 --> 00:39:51,292 for that netcat tunnel.
669 00:39:51,501 --> 00:39:55,125 Otherwise, you will have
670 00:39:58,918 --> 00:40:02,834 SHERRI DAVIDOFF: Then you hit
671 00:40:02,834 --> 00:40:04,999 the rule routing.
672 00:40:06,999 --> 00:40:11,459 We wouldn't always want to start
673 00:40:11,459 --> 00:40:12,999 Sometimes we were just working
674 00:40:12,999 --> 00:40:16,959 and it can take a few minutes
675 00:40:17,125 --> 00:40:20,584 Now, if you look at the size
676 00:40:20,584 --> 00:40:24,209 that's increasing and that's what you
677 00:40:24,209 --> 00:40:27,292 When you make a call, it
678 00:40:27,292 --> 00:40:30,375 DAVID HARRISON: It can take
679 00:40:30,375 --> 00:40:35,417 It requires a correct GPS lock
680 00:40:35,417 --> 00:40:37,125 it likes.
681 00:40:37,125 --> 00:40:39,501 So it can establish
682 00:40:39,501 --> 00:40:43,292 will sit and think, sometimes
683 00:40:43,292 --> 00:40:47,042 will actually have the connection
684 00:40:47,042 --> 00:40:50,459 SHERRI DAVIDOFF: So then,
685 00:40:50,459 --> 00:40:55,999 set up, you can use this tail command,
686 00:40:55,999 --> 00:40:58,834 So Snort is reading
687 00:40:59,125 --> 00:41:01,125 And we have uploaded
688 00:41:01,125 --> 00:41:03,918 on there and you can see it loading.
689 00:41:03,918 --> 00:41:06,999 Commencing packet processing
690 00:41:06,999 --> 00:41:08,083 DAVID HARRISON: Yep.
691 00:41:08,083 --> 00:41:09,876 SHERRI DAVIDOFF: Now we
692 00:41:09,876 --> 00:41:12,667 we show you us actually infecting
693 00:41:14,584 --> 00:41:17,999 We were hoping to do this here,
694 00:41:17,999 --> 00:41:19,375 So we will talk you through it.
695 00:41:21,292 --> 00:41:24,459 So you just watched us start up Snort.
696 00:41:24,999 --> 00:41:27,459 And here's what our screen looks like.
697 00:41:27,459 --> 00:41:29,250 DAVID HARRISON: KVM button.
698 00:41:29,250 --> 00:41:33,083 SHERRI DAVIDOFF: Good.
699 00:41:33,083 --> 00:41:34,083 Okay.
700 00:41:34,083 --> 00:41:35,083 So you just watched us start
701 00:41:35,083 --> 00:41:37,083 the full screen looks like.
702 00:41:37,083 --> 00:41:39,834 In the top left,
703 00:41:39,999 --> 00:41:43,209 That second window down there
704 00:41:43,209 --> 00:41:46,999 to the console point on the femtocell.
705 00:41:47,709 --> 00:41:51,834 Here, if I hit play you will see you
706 00:41:51,834 --> 00:41:55,667 of that increase over time,
707 00:41:55,667 --> 00:41:57,209 down there.
708 00:41:57,209 --> 00:42:00,999 Now this is a phone starting
709 00:42:00,999 --> 00:42:03,999 This is recorded using that audio
710 00:42:03,999 --> 00:42:04,999 And this is David.
711 00:42:04,999 --> 00:42:07,083 DAVID HARRISON: Compressed
712 00:42:07,083 --> 00:42:12,417 SHERRI DAVIDOFF: This is David,
713 00:42:12,751 --> 00:42:15,959 We are watching for Snort alerts
714 00:42:15,999 --> 00:42:21,083 As the phone starts up, boom,
715 00:42:21,083 --> 00:42:25,125 welcome to the network,
716 00:42:25,125 --> 00:42:27,626 We know that there's a new phone
717 00:42:29,083 --> 00:42:32,751 So jumping ahead a little bit,
718 00:42:32,751 --> 00:42:34,292 David, you got a text message.
719 00:42:34,375 --> 00:42:37,083 Someone says, hey, check this out.
720 00:42:37,167 --> 00:42:39,083 It was sneakynet.com.
721 00:42:39,459 --> 00:42:44,918 And we will go poor David
722 00:42:44,918 --> 00:42:46,667 Now usually you will see this be
723 00:42:46,667 --> 00:42:48,834 with the Stels malware.
724 00:42:50,959 --> 00:42:53,999 That actually said we
725 00:42:55,334 --> 00:42:57,834 So this attacker was more creative.
726 00:42:57,834 --> 00:43:01,501 It said, you would like some candy
727 00:43:01,626 --> 00:43:03,375 DAVID HARRISON: I love candy.
728 00:43:03,375 --> 00:43:04,334 SHERRI DAVIDOFF: And as soon
729 00:43:04,334 --> 00:43:06,667 the malware started to download it.
730 00:43:10,250 --> 00:43:14,501 Detected that binary just based
731 00:43:16,459 --> 00:43:18,999 So now the user installs it.
732 00:43:19,834 --> 00:43:22,999 It always boggles my mind that this
733 00:43:22,999 --> 00:43:26,792 users know they have to download
734 00:43:26,999 --> 00:43:28,209 We try to train them.
735 00:43:31,083 --> 00:43:33,999 And here's David installing the update.
736 00:43:33,999 --> 00:43:37,167 Now it warns you that this malware
737 00:43:37,167 --> 00:43:40,167 permissions to make phone calls.
738 00:43:40,209 --> 00:43:41,999 DAVID HARRISON: Whatever.
739 00:43:44,083 --> 00:43:46,459 Who actually reads all of that stuff?
740 00:43:46,584 --> 00:43:49,501 SHERRI DAVIDOFF: Yeah.
741 00:43:49,626 --> 00:43:51,626 Now the application is installed.
742 00:43:52,667 --> 00:43:54,751 And funny,
743 00:43:54,751 --> 00:43:57,999 your Android version does not support
744 00:43:57,999 --> 00:43:59,542 Setup is canceled.
745 00:43:59,542 --> 00:44:01,125 So the user will say, damn it.
746 00:44:01,709 --> 00:44:02,999 Sorry, darn it!
747 00:44:04,083 --> 00:44:07,626 And I guess Flash Player hasn't been
748 00:44:07,626 --> 00:44:10,501 So the application which appeared
749 00:44:10,501 --> 00:44:15,918 but it is still running as we will see
750 00:44:15,918 --> 00:44:18,375 I believe it takes, was it 60 seconds?
751 00:44:18,375 --> 00:44:18,999 DAVID HARRISON: Yes,
752 00:44:18,999 --> 00:44:20,999 to the first connection of CNC.
753 00:44:22,834 --> 00:44:26,876 There you go,
754 00:44:26,999 --> 00:44:29,209 To the user, I zoomed in here.
755 00:44:29,250 --> 00:44:31,626 It doesn't look
756 00:44:32,626 --> 00:44:37,999 But here you see possible CNC server
757 00:44:37,999 --> 00:44:42,667 in the United States, 31.170.161.216,
758 00:44:42,667 --> 00:44:45,375 from the infected client.
759 00:44:45,375 --> 00:44:47,542 That's
760 00:44:47,542 --> 00:44:51,999 using HTTP POST messages
761 00:44:51,999 --> 00:44:57,167 allow us to tell specifically when it's
762 00:44:57,167 --> 00:44:59,209 We will show those here
763 00:45:00,626 --> 00:45:02,999 And I believe we are seeing multiple
764 00:45:02,999 --> 00:45:05,667 because of the way that we are sniffing.
765 00:45:05,667 --> 00:45:07,375 So that's something that we might want
766 00:45:07,375 --> 00:45:10,417 so that we are only seeing one copy.
767 00:45:10,667 --> 00:45:13,584 We are sniffing on all the interfaces
768 00:45:17,999 --> 00:45:19,292 Okay.
769 00:45:19,834 --> 00:45:22,417 So here, again, that phone
770 00:45:22,417 --> 00:45:26,667 And every 15 minutes it sends
771 00:45:26,667 --> 00:45:30,709 First time it happens it sends
772 00:45:30,751 --> 00:45:34,876 That system in the United States,
773 00:45:34,876 --> 00:45:37,918 change the CNC server address.
774 00:45:37,918 --> 00:45:41,999 So next you see it start talking
775 00:45:41,999 --> 00:45:45,918 right here, that's based
776 00:45:46,167 --> 00:45:49,999 That 95 IP address said remove SMS
777 00:45:49,999 --> 00:45:53,375 So whatever SMS traffic was being
778 00:45:53,375 --> 00:45:58,417 it's removing those filters and now
779 00:45:58,417 --> 00:45:59,417 That's nice.
780 00:45:59,417 --> 00:46:00,834 And then you saw a wait 900.
781 00:46:00,834 --> 00:46:02,167 Let me back up here.
782 00:46:03,584 --> 00:46:08,083 We saw a wait 900 command
783 00:46:08,083 --> 00:46:11,751 that's 900 seconds or 15 minutes.
784 00:46:11,959 --> 00:46:15,334 So then we look this run
785 00:46:15,334 --> 00:46:18,083 every 15 minutes
786 00:46:18,083 --> 00:46:20,375 the POST command
787 00:46:20,375 --> 00:46:25,542 the server would respond back and say,
788 00:46:25,542 --> 00:46:28,125 So not a whole lot was happening right
789 00:46:28,125 --> 00:46:30,999 over and actually intercepting things.
790 00:46:32,083 --> 00:46:34,584 Any questions on the demo so far?
791 00:46:36,584 --> 00:46:38,083 Anything you wanted to add?
792 00:46:38,083 --> 00:46:39,667 DAVID HARRISON: A question?
793 00:46:39,667 --> 00:46:40,999 AUDIENCE MEMBER: Good.
794 00:46:40,999 --> 00:46:41,999 AUDIENCE MEMBER: If you are not
795 00:46:41,999 --> 00:46:44,626 and you have an Android device that
796 00:46:44,626 --> 00:46:48,417 through Wi-Fi, let's say,
797 00:46:56,334 --> 00:46:59,751 DAVID HARRISON: Some
798 00:46:59,751 --> 00:47:05,792 It uses also some SMS messages that
799 00:47:05,792 --> 00:47:07,918 That's true of a couple of different bots.
800 00:47:07,918 --> 00:47:10,501 There's some that use exclusively SMS
801 00:47:10,584 --> 00:47:13,459 This one you would still see
802 00:47:13,459 --> 00:47:16,999 would you still see that over Wi-Fi.
803 00:47:17,125 --> 00:47:19,626 SHERRI DAVIDOFF: Yep.
804 00:47:19,626 --> 00:47:21,792 So let's dig into Stels
805 00:47:21,792 --> 00:47:24,667 through this a little more slowly.
806 00:47:26,375 --> 00:47:28,083 All right.
807 00:47:29,999 --> 00:47:32,709 So here you see
808 00:47:32,709 --> 00:47:33,834 Hey, check this out!
809 00:47:33,999 --> 00:47:36,083 Sneakynet.com and here's welcome
810 00:47:36,083 --> 00:47:37,959 like some candy?
811 00:47:38,292 --> 00:47:43,709 And unfortunately David clicked
812 00:47:43,834 --> 00:47:48,209 We saw this first alert in there,
813 00:47:48,417 --> 00:47:49,083 There was an alert
814 00:47:49,083 --> 00:47:51,334 name, flashplayer.Android.update.apk.
815 00:47:56,083 --> 00:47:58,250 If you yourself were
816 00:47:58,250 --> 00:48:02,125 could you see this alert pop
817 00:48:03,209 --> 00:48:04,999 And here's the I think I will have
818 00:48:04,999 --> 00:48:07,667 down there again so I can see this.
819 00:48:07,999 --> 00:48:08,999 Sorry.
820 00:48:08,999 --> 00:48:09,999 Sorry, sound guys.
821 00:48:19,584 --> 00:48:20,999 All right.
822 00:48:20,999 --> 00:48:22,999 So here you see the Android file name.
823 00:48:22,999 --> 00:48:25,459 It's actually part
824 00:48:25,542 --> 00:48:26,999 The HTTP GET.
825 00:48:26,999 --> 00:48:29,834 So it's buried
826 00:48:29,834 --> 00:48:32,999 did not dissect this
827 00:48:32,999 --> 00:48:36,083 of the 8881 GRE packets
828 00:48:36,083 --> 00:48:38,999 and that correlates
829 00:48:38,999 --> 00:48:42,083 flashplayer.Android.update.apk.
830 00:48:49,584 --> 00:48:53,584 The second Snort alert was first 42
831 00:48:53,584 --> 00:48:56,083 we saw the first 42 bytes come
832 00:48:56,083 --> 00:48:58,584 up multiple times actually.
833 00:48:58,999 --> 00:49:01,250 Here it is in Wireshark.
834 00:49:01,999 --> 00:49:05,542 Now, because this was coming
835 00:49:05,542 --> 00:49:08,834 an inbound instead of an outbound,
836 00:49:08,834 --> 00:49:13,167 Wireshark actually dissected it
837 00:49:13,584 --> 00:49:17,542 We saw the TCP and it didn't get
838 00:49:17,542 --> 00:49:21,083 of the Android Stels malware,
839 00:49:21,083 --> 00:49:23,709 a Windows executable file.
840 00:49:26,083 --> 00:49:30,167 So then you saw the Flash Player
841 00:49:30,167 --> 00:49:32,667 It means it's safe and really
842 00:49:32,667 --> 00:49:37,999 on to the phone, and David used
843 00:49:37,999 --> 00:49:41,083 Here's a clearer version
844 00:49:41,542 --> 00:49:44,167 Do we want to allow this application
845 00:49:44,167 --> 00:49:47,834 read your contact information,
846 00:49:47,834 --> 00:49:50,876 to send out the contact information.
847 00:49:50,999 --> 00:49:53,959 It had full Internet access
848 00:49:53,959 --> 00:49:57,999 on the smartphone and services that
849 00:49:57,999 --> 00:50:00,999 So it can call premium numbers
850 00:50:00,999 --> 00:50:05,751 to premium numbers and it can read
851 00:50:05,792 --> 00:50:08,209 Do you want to install this application?
852 00:50:08,209 --> 00:50:09,209 Why, yes, we do.
853 00:50:09,292 --> 00:50:11,334 Application installed.
854 00:50:12,209 --> 00:50:14,709 Here's what it looked
855 00:50:14,709 --> 00:50:16,334 on the desktop.
856 00:50:16,334 --> 00:50:18,999 Then we get this message saying your
857 00:50:18,999 --> 00:50:22,334 update, setup is canceled and then,
858 00:50:22,334 --> 00:50:25,125 it was still running in the background.
859 00:50:28,584 --> 00:50:30,459 Your mic is not on, David.
860 00:50:30,459 --> 00:50:33,999 DAVID HARRISON: Honestly,
861 00:50:33,999 --> 00:50:38,999 the malware authors, oh,
862 00:50:38,999 --> 00:50:40,834 We don't have to make it look pretty.
863 00:50:40,834 --> 00:50:43,417 They just put a white screen with text
864 00:50:43,417 --> 00:50:46,167 SHERRI DAVIDOFF: Yeah.
865 00:50:46,167 --> 00:50:50,125 So, again, the user cannot tell that
866 00:50:50,125 --> 00:50:52,375 This is invisible to the end user.
867 00:50:53,042 --> 00:50:57,501 And while this is going on, we saw
868 00:50:57,501 --> 00:51:02,292 and we were alerting on that IP address,
869 00:51:02,292 --> 00:51:04,501 inside the packet.
870 00:51:04,751 --> 00:51:09,501 Here you can see
871 00:51:09,501 --> 00:51:12,083 So before it starts talking
872 00:51:12,083 --> 00:51:15,209 it has to do a DNS request
873 00:51:15,209 --> 00:51:16,999 a DNS request.
874 00:51:16,999 --> 00:51:22,083 And in the request it was broken
875 00:51:22,417 --> 00:51:26,709 It's interesting that Wireshark actually
876 00:51:26,709 --> 00:51:29,292 We see PPP and IP and then UDP
877 00:51:29,292 --> 00:51:32,292 the highest layer protocol, DNS.
878 00:51:32,999 --> 00:51:35,876 So a challenge to the audience, I
879 00:51:35,876 --> 00:51:38,626 if you fix those protocol dissectors.
880 00:51:39,459 --> 00:51:45,209 It's totally worth it and we saw
881 00:51:46,667 --> 00:51:49,667 Here's fragmentation,
882 00:51:49,667 --> 00:51:52,959 something, the rest
883 00:51:54,999 --> 00:51:56,125 Okay.
884 00:51:56,125 --> 00:51:58,125 So here is an HTTP POST.
885 00:51:58,417 --> 00:52:01,999 This HTTP POST message
886 00:52:01,999 --> 00:52:04,709 and control traffic.
887 00:52:04,709 --> 00:52:05,999 This is what
888 00:52:05,999 --> 00:52:08,250 like when it's talking
889 00:52:08,250 --> 00:52:10,292 in the Netherlands.
890 00:52:10,584 --> 00:52:13,709 So you can see here PPP Wireshark
891 00:52:13,709 --> 00:52:16,459 but you can see post/data/php.
892 00:52:17,501 --> 00:52:19,999 This was broken
893 00:52:19,999 --> 00:52:24,167 and I had to reassemble them manually,
894 00:52:25,083 --> 00:52:27,459 Here's the first half of it.
895 00:52:27,459 --> 00:52:28,459 It's pretty long.
896 00:52:28,584 --> 00:52:31,792 It has that unique multipart boundary
897 00:52:31,792 --> 00:52:35,959 aabo3x and that's pretty easy
898 00:52:35,959 --> 00:52:37,083 You can see that to Snort.
899 00:52:39,417 --> 00:52:42,083 And you can tell
900 00:52:42,083 --> 00:52:45,834 to the attacker, and
901 00:52:45,999 --> 00:52:49,792 Information about the phone,
902 00:52:52,375 --> 00:52:55,999 Also the name bot ID and some other
903 00:52:55,999 --> 00:52:57,999 the manufacturer.
904 00:52:57,999 --> 00:52:59,959 So it sends a bunch
905 00:52:59,959 --> 00:53:02,209 the bot sends a bunch
906 00:53:02,209 --> 00:53:06,834 to the attacker every 15 minutes
907 00:53:06,834 --> 00:53:10,292 And we can see that happening here,
908 00:53:10,292 --> 00:53:14,999 I alerted on the string bot ID and
909 00:53:14,999 --> 00:53:17,334 in an HTTP POST.
910 00:53:19,751 --> 00:53:22,250 Here's the server's response.
911 00:53:22,250 --> 00:53:24,083 So the server is going
912 00:53:24,083 --> 00:53:27,375 and start sending commands
913 00:53:27,375 --> 00:53:29,167 It's just a very simple thing.
914 00:53:29,167 --> 00:53:32,250 We actually there's no authentication
915 00:53:32,250 --> 00:53:34,083 and the server.
916 00:53:34,083 --> 00:53:37,167 We have seen malware more complex
917 00:53:37,167 --> 00:53:40,083 when I think it was
918 00:53:40,083 --> 00:53:42,459 we had authentication.
919 00:53:42,834 --> 00:53:46,792 So here, IP, TCP, HTTP,
920 00:53:46,792 --> 00:53:49,334 the HTTP this time.
921 00:53:49,334 --> 00:53:51,667 This is an incoming message
922 00:53:51,667 --> 00:53:53,876 in the Netherlands.
923 00:53:54,125 --> 00:53:57,667 And here's if you reassemble it,
924 00:53:57,667 --> 00:54:01,417 Remove all SMS filters true, okay.
925 00:54:01,417 --> 00:54:02,417 Wait 60.
926 00:54:02,417 --> 00:54:05,709 So it's telling it only wait 60 seconds
927 00:54:05,918 --> 00:54:08,999 And then it changed the server address.
928 00:54:08,999 --> 00:54:10,584 So that's kind of cool.
929 00:54:10,584 --> 00:54:12,999 Scott will talk to you
930 00:54:12,999 --> 00:54:15,083 It can send lots of other commands
931 00:54:15,083 --> 00:54:18,083 Pretty much anything in this let's see,
932 00:54:18,083 --> 00:54:19,999 Pretty much anything
933 00:54:19,999 --> 00:54:23,626 the server can tell to send
934 00:54:23,626 --> 00:54:28,626 It can tell it to delete an SMS,
935 00:54:28,626 --> 00:54:35,792 out to the attacker, or update itself,
936 00:54:35,792 --> 00:54:38,417 It can make phone calls
937 00:54:38,709 --> 00:54:40,999 Where were we?
938 00:54:40,999 --> 00:54:41,999 Okay.
939 00:54:41,999 --> 00:54:43,250 So remove all SMS filters.
940 00:54:43,250 --> 00:54:44,417 We put some of those commands
941 00:54:44,417 --> 00:54:47,626 will alert individually on each
942 00:54:47,626 --> 00:54:49,417 You will have a log
943 00:54:49,417 --> 00:54:51,584 if you set it up this way.
944 00:54:53,584 --> 00:54:56,834 And then again,
945 00:54:56,834 --> 00:54:58,959 we then saw
946 00:54:58,959 --> 00:55:02,083 for the new server name
947 00:55:02,083 --> 00:55:04,167 to go along with it.
948 00:55:05,876 --> 00:55:08,834 So the bot sent a POST
949 00:55:08,834 --> 00:55:13,167 over the Netherlands and it received
950 00:55:13,167 --> 00:55:17,459 This time, that second server said,
951 00:55:17,459 --> 00:55:20,999 So instead of telling it wait 60 seconds,
952 00:55:20,999 --> 00:55:23,751 every 15 minutes this would still be
953 00:55:23,751 --> 00:55:27,292 if you were watching your traffic
954 00:55:27,626 --> 00:55:30,584 Every 15 minutes is still pretty noisy
955 00:55:30,584 --> 00:55:33,999 But the attacker could tell it wait
956 00:55:33,999 --> 00:55:35,792 for a month.
957 00:55:35,792 --> 00:55:37,834 And that would be a lot harder
958 00:55:38,999 --> 00:55:40,999 So here's a screenshot.
959 00:55:41,626 --> 00:55:46,667 Our cellular intrusion detection system,
960 00:55:46,792 --> 00:55:48,999 We alerted on the initial infection.
961 00:55:48,999 --> 00:55:50,334 We alerted
962 00:55:50,334 --> 00:55:52,999 the bot made to the attacker.
963 00:55:53,167 --> 00:55:56,083 And you can use this same method
964 00:55:56,083 --> 00:56:00,999 in your environment, whether you are
965 00:56:02,999 --> 00:56:04,999 So now Randi Price is going
966 00:56:04,999 --> 00:56:07,834 about the device forensic analysis.
967 00:56:19,209 --> 00:56:20,999 (Inaudible question).
968 00:56:32,459 --> 00:56:37,751 Were you able to see SMS going
969 00:56:37,751 --> 00:56:40,501 Were you able to inspect it
970 00:56:40,501 --> 00:56:40,501 Did you set maybe
971 00:56:40,501 --> 00:56:41,834 or DAVID HARRISON: Ah.
972 00:56:41,834 --> 00:56:41,834 SHERRI DAVIDOFF: So
973 00:56:41,834 --> 00:56:44,083 to see SMS messages and set
974 00:56:44,083 --> 00:56:46,792 We do have SMS I'm sorry,
975 00:56:46,876 --> 00:56:48,876 We do have SMS traffic.
976 00:56:48,876 --> 00:56:50,751 We haven't really had too much time
977 00:56:50,751 --> 00:56:52,334 the next step that we are going
978 00:56:52,334 --> 00:56:54,501 around with when we get home.
979 00:56:54,709 --> 00:56:57,999 I'm hoping Tom Ritter
980 00:56:57,999 --> 00:57:00,999 DAVID HARRISON: The thing
981 00:57:00,999 --> 00:57:06,792 but it's reverse 7 or something like that,
982 00:57:06,792 --> 00:57:11,999 As far as the C & C, we will get to that
983 00:57:11,999 --> 00:57:15,250 RANDI PRICE: After capturing traffic
984 00:57:15,250 --> 00:57:17,626 device forensic analysis.
985 00:57:17,999 --> 00:57:21,999 The forensic analysis corroborated
986 00:57:22,209 --> 00:57:25,999 We took a physical extraction
987 00:57:25,999 --> 00:57:28,834 with the UFED
988 00:57:28,834 --> 00:57:30,999 AUDIENCE MEMBER: Can't hear.
989 00:57:30,999 --> 00:57:32,083 RANDI PRICE: Okay.
990 00:57:32,083 --> 00:57:33,083 Sorry.
991 00:57:33,083 --> 00:57:37,334 Please note, is that better?
992 00:57:37,334 --> 00:57:38,334 Okay.
993 00:57:39,999 --> 00:57:45,083 Please note that the infecting and
994 00:57:45,083 --> 00:57:50,709 with an RF-shielded test enclosure,
995 00:57:52,959 --> 00:57:54,167 Okay?
996 00:57:56,417 --> 00:58:01,375 The Cellebrite Physical Analyzer was
997 00:58:01,375 --> 00:58:07,209 The malware scanner identified four
998 00:58:08,375 --> 00:58:11,834 The Cellebrite looked
999 00:58:11,834 --> 00:58:14,999 as Android Trojan fakeapp.k.
1000 00:58:17,167 --> 00:58:20,417 And we should the SHA1,
1001 00:58:20,417 --> 00:58:22,999 the SHA1 matched
1002 00:58:22,999 --> 00:58:26,999 for the Android Stels malware recorded
1003 00:58:26,999 --> 00:58:30,999 in the Trojan malware analysis report.
1004 00:58:34,125 --> 00:58:37,999 We found a file called Stels settings
1005 00:58:37,999 --> 00:58:41,709 to contain malware configuration
1006 00:58:41,751 --> 00:58:43,959 As you can see
1007 00:58:43,959 --> 00:58:45,999 is assigned a bot ID.
1008 00:58:46,083 --> 00:58:49,959 This allows the bot herder
1009 00:58:49,999 --> 00:58:54,167 The server listed is the command
1010 00:58:54,167 --> 00:58:57,459 the bot where to phone home to.
1011 00:58:58,125 --> 00:59:00,999 The period value of 300 seconds
1012 00:59:00,999 --> 00:59:04,083 is the initial phone home interval.
1013 00:59:04,083 --> 00:59:06,834 This tells the bot
1014 00:59:06,834 --> 00:59:17,709 SCOTT FRETHEIM: Thank you.
1015 00:59:17,709 --> 00:59:18,709 All right.
1016 00:59:18,709 --> 00:59:19,876 Good morning, DEF CON!
1017 00:59:19,876 --> 00:59:21,626 AUDIENCE MEMBER: Good
1018 00:59:21,626 --> 00:59:21,999 SCOTT FRETHEIM: I'm super stoked
1019 00:59:21,999 --> 00:59:23,417 at 10 a.m.
1020 00:59:23,417 --> 00:59:24,417 on a Saturday.
1021 00:59:24,417 --> 00:59:27,626 I'm going to happen down here
1022 00:59:29,083 --> 00:59:32,459 AUDIENCE MEMBER: (Inaudible).
1023 00:59:32,459 --> 00:59:34,125 SCOTT FRETHEIM: Stronger ones.
1024 00:59:34,125 --> 00:59:35,125 All right.
1025 00:59:35,209 --> 00:59:38,876 So because of the research that Randi
1026 00:59:38,876 --> 00:59:42,999 to determine the way that Stels
1027 00:59:44,709 --> 00:59:47,501 We knew the address
1028 00:59:47,501 --> 00:59:50,083 We also knew kind
1029 00:59:50,626 --> 00:59:53,083 So let's be a man in the middle.
1030 00:59:53,459 --> 00:59:55,083 When you want to do man
1031 00:59:55,083 --> 00:59:56,876 I had to set
1032 00:59:56,876 --> 00:59:58,999 the traffic back through there.
1033 00:59:59,709 --> 01:00:02,834 So enter Burp Suite Professional.
1034 01:00:04,125 --> 01:00:07,083 To set this up, we had to tunnel
1035 01:00:07,083 --> 01:00:11,417 through Burp Suite and we were looking
1036 01:00:12,999 --> 01:00:16,626 Just to be sure that I was getting
1037 01:00:16,626 --> 01:00:18,667 the Android device.
1038 01:00:19,209 --> 01:00:22,292 When I do mobile Android testing.
1039 01:00:22,292 --> 01:00:27,999 I take a rooted device in order to get
1040 01:00:28,125 --> 01:00:30,999 Perhaps Stels is using two forms
1041 01:00:30,999 --> 01:00:33,584 seeing that encrypted portion of that.
1042 01:00:33,959 --> 01:00:36,834 Doing that on an Android phone
1043 01:00:36,834 --> 01:00:37,999 You have
1044 01:00:37,999 --> 01:00:40,209 packet to the device itself.
1045 01:00:40,584 --> 01:00:43,125 But to do that, you have
1046 01:00:43,626 --> 01:00:46,834 You have to use an outdated version
1047 01:00:46,834 --> 01:00:48,999 I think I was using 0.98.
1048 01:00:49,375 --> 01:00:51,292 I think that shifted
1049 01:00:51,292 --> 01:00:54,751 is the virtual machine I set
1050 01:00:54,999 --> 01:00:57,751 You have to create
1051 01:00:57,751 --> 01:01:01,250 of the subject line of the certificate,
1052 01:01:01,250 --> 01:01:03,999 to that and install that
1053 01:01:03,999 --> 01:01:08,375 down into the system directory
1054 01:01:08,999 --> 01:01:11,167 To do that, you have to have root
1055 01:01:11,667 --> 01:01:13,999 Once I had root, I launched it.
1056 01:01:16,417 --> 01:01:18,459 And now we can see
1057 01:01:18,459 --> 01:01:21,751 through that phone, if it's
1058 01:01:21,751 --> 01:01:24,667 just a mobile banking app, I can see
1059 01:01:24,667 --> 01:01:28,083 through and actually intercept that
1060 01:01:28,626 --> 01:01:31,375 In this case, I didn't have to end
1061 01:01:31,584 --> 01:01:34,999 All the traffic was going over port 80,
1062 01:01:34,999 --> 01:01:37,501 and let's take a look here.
1063 01:01:37,501 --> 01:01:39,083 We turn on intercept, of course.
1064 01:01:39,501 --> 01:01:44,999 So what I saw was, I will show you,
1065 01:01:45,250 --> 01:01:48,167 So it's not listening on that,
1066 01:01:48,501 --> 01:01:49,999 It's saying wait 60.
1067 01:01:49,999 --> 01:01:52,334 It is telling it to wait 60 seconds
1068 01:01:52,334 --> 01:01:54,999 set the command and control filter.
1069 01:01:55,999 --> 01:01:58,209 I wonder if it's going to be this easy.
1070 01:01:58,209 --> 01:02:00,417 All I had to do was replace
1071 01:02:00,417 --> 01:02:02,709 with a server that my own
1072 01:02:02,709 --> 01:02:05,083 will be calling back to me.
1073 01:02:05,501 --> 01:02:06,999 I did that.
1074 01:02:06,999 --> 01:02:08,834 I told it to wait 60.
1075 01:02:08,834 --> 01:02:14,125 I set the remove all SMS filters true
1076 01:02:14,167 --> 01:02:16,667 Sure enough it worked
1077 01:02:16,667 --> 01:02:19,375 instead of the all C & C server.
1078 01:02:19,501 --> 01:02:23,751 The server I set
1079 01:02:23,751 --> 01:02:25,083 It would get a 404 error.
1080 01:02:25,125 --> 01:02:27,834 When the bot actually received that 404
1081 01:02:27,834 --> 01:02:29,584 out and then you have
1082 01:02:29,584 --> 01:02:32,999 until you can actually start
1083 01:02:33,083 --> 01:02:34,999 I thought this is kind of troublesome.
1084 01:02:34,999 --> 01:02:35,999 It.
1085 01:02:35,999 --> 01:02:37,999 Take me way more time
1086 01:02:37,999 --> 01:02:39,667 I continued to keep intercepting
1087 01:02:39,667 --> 01:02:43,999 to wait 60 or wait 5 or 30, depending
1088 01:02:44,083 --> 01:02:47,125 I found out when I tried to wait 2
1089 01:02:47,125 --> 01:02:49,375 fast, it would eventually time
1090 01:02:49,375 --> 01:02:51,334 between 5 and 15 minutes
1091 01:02:51,334 --> 01:02:54,417 out again and that was even less
1092 01:02:56,417 --> 01:02:59,334 You can also adjust it for, you know,
1093 01:02:59,334 --> 01:03:03,375 if you want to take a break and go
1094 01:03:03,375 --> 01:03:04,918 I found that pretty helpful.
1095 01:03:05,999 --> 01:03:07,999 So controlling Stels.
1096 01:03:07,999 --> 01:03:09,626 I wanted to see
1097 01:03:09,626 --> 01:03:13,083 to export that contact list
1098 01:03:13,334 --> 01:03:14,876 And sure enough, you can.
1099 01:03:15,083 --> 01:03:18,999 I just had to set send contact list true,
1100 01:03:19,459 --> 01:03:21,083 And 60 seconds later,
1101 01:03:21,083 --> 01:03:23,792 out that contact information
1102 01:03:23,792 --> 01:03:26,125 of the page here, I actually got
1103 01:03:26,125 --> 01:03:29,083 off of that device and you can read that.
1104 01:03:29,083 --> 01:03:31,834 It sent it right back to the attacker
1105 01:03:31,834 --> 01:03:34,876 command and control server,
1106 01:03:34,876 --> 01:03:37,250 in my device and
1107 01:03:37,250 --> 01:03:39,751 servers to infect more phones.
1108 01:03:40,083 --> 01:03:43,626 I find this really helpful if you are
1109 01:03:43,626 --> 01:03:43,792 I don't know how many of you have
1110 01:03:43,792 --> 01:03:45,667 to manage IT where you are from.
1111 01:03:46,334 --> 01:03:50,626 If you have a device on your network,
1112 01:03:50,626 --> 01:03:54,417 because we have
1113 01:03:54,417 --> 01:03:57,584 to find that device,
1114 01:03:57,584 --> 01:04:02,626 and you can't gain access to it
1115 01:04:02,709 --> 01:04:04,501 Using this method.
1116 01:04:04,501 --> 01:04:06,375 We never even touched the device
1117 01:04:06,375 --> 01:04:08,999 off the head of the snake, so to speak.
1118 01:04:09,167 --> 01:04:10,999 If the attacker
1119 01:04:10,999 --> 01:04:12,751 with that device, the attacker
1120 01:04:12,751 --> 01:04:15,667 to steal that data this buys us a lot
1121 01:04:15,667 --> 01:04:16,999 down, get
1122 01:04:16,999 --> 01:04:19,626 and get that virus cleaned off of there.
1123 01:04:21,167 --> 01:04:23,709 SHERRI DAVIDOFF: Nice.
1124 01:04:25,250 --> 01:04:27,334 Thank you, Scott!
1125 01:04:28,999 --> 01:04:32,417 So that pretty much concludes our
1126 01:04:32,417 --> 01:04:35,083 As you saw, we were able to infect
1127 01:04:35,083 --> 01:04:37,083 as a demonstration.
1128 01:04:37,083 --> 01:04:40,709 We detected the infection
1129 01:04:40,709 --> 01:04:46,083 and no agent was actually needed
1130 01:04:46,083 --> 01:04:49,918 We could have shut this down remotely,
1131 01:04:49,918 --> 01:04:54,999 This was all for $285 and a little bit
1132 01:04:55,999 --> 01:04:58,375 And, of course, if you wanted
1133 01:04:58,375 --> 01:05:00,250 you certainly could.
1134 01:05:00,250 --> 01:05:01,959 Again, here's the parts list.
1135 01:05:01,959 --> 01:05:04,083 All you need is a femtocell,
1136 01:05:04,083 --> 01:05:07,999 whether it's a laptop or
1137 01:05:07,999 --> 01:05:11,375 is, a hub or
1138 01:05:12,375 --> 01:05:14,542 Thank you all so much.
1139 01:05:14,542 --> 01:05:16,375 We will take questions,
1140 01:05:16,375 --> 01:05:18,667 a little bit closer up,
1141 01:05:18,667 --> 01:05:20,626 to be in afterwards?
1142 01:05:20,626 --> 01:05:22,999 We will tear
1143 01:05:22,999 --> 01:05:24,417 So feel free to come visit us.
1144 01:05:24,417 --> 01:05:25,751 LMGsecurity.com/blog.
1145 01:05:25,751 --> 01:05:26,751 (Applause).
1146 01:05:26,751 --> 01:05:27,751 Questions?
1147 01:05:27,751 --> 01:05:30,083 DAVID HARRISON: Anyone have any
1148 01:05:30,083 --> 01:05:33,459 AUDIENCE MEMBER: Can you put
1149 01:05:33,459 --> 01:05:33,459 SHERRI DAVIDOFF: It's
1150 01:05:33,459 --> 01:05:34,459 for the paper.
1151 01:05:34,459 --> 01:05:35,709 It's up there right now.
1152 01:05:35,709 --> 01:05:35,709 AUDIENCE MEMBER: (Inaudible
1153 01:05:35,709 --> 01:05:35,709 the malware defect it it's actual
1154 01:05:35,709 --> 01:05:35,709 DAVIDOFF: Can you make phones
1155 01:05:35,709 --> 01:05:36,709 instead of a tower?
1156 01:05:36,709 --> 01:05:37,876 DAVID HARRISON: No.
1157 01:05:37,876 --> 01:05:38,876 No.
1158 01:05:38,876 --> 01:05:38,876 No if I'm right, can you can could
1159 01:05:38,876 --> 01:05:39,876 on a CIDS system?
1160 01:05:39,876 --> 01:05:40,999 At this point, probably.
1161 01:05:40,999 --> 01:05:40,999 You could certainly design one
1162 01:05:40,999 --> 01:05:44,709 or someone or maybe even just modify
1163 01:05:44,709 --> 01:05:44,709 Right now, you can see if you have
1164 01:05:44,709 --> 01:05:44,709 you will see it pops
1165 01:05:44,709 --> 01:05:45,999 connected to a femtocell.
1166 01:05:45,999 --> 01:05:47,083 It's in our white paper.
1167 01:05:47,083 --> 01:05:50,709 And if you download our paper, you
1168 01:05:50,709 --> 01:05:50,709 (Inaudible question) DAVID
1169 01:05:50,709 --> 01:05:52,667 SHERRI DAVIDOFF: Which phone
1170 01:05:52,667 --> 01:05:52,667 AUDIENCE MEMBER: The 50 phones
1171 01:05:52,667 --> 01:05:55,501 DAVIDOFF: For Android Stels, it was
1172 01:05:55,501 --> 01:05:55,501 When it communicates
1173 01:05:55,501 --> 01:05:56,751 here's my phone number.
1174 01:05:56,751 --> 01:05:59,751 DAVID HARRISON: We can see
1175 01:05:59,751 --> 01:06:02,375 And I want to say that we can see
1176 01:06:02,375 --> 01:06:02,375 SHERRI DAVIDOFF: We can see
1177 01:06:02,375 --> 01:06:05,999 number out to Verizon to register
1178 01:06:05,999 --> 01:06:05,999 I'm not sure how programmatically, like,
1179 01:06:05,999 --> 01:06:06,999 is to find that out.
1180 01:06:06,999 --> 01:06:08,292 But theoretically, sure.
1181 01:06:08,292 --> 01:06:10,999 You could also figure out a way
1182 01:06:10,999 --> 01:06:11,999 Yep?
1183 01:06:11,999 --> 01:06:14,250 AUDIENCE MEMBER: You said you
1184 01:06:14,250 --> 01:06:14,250 Can it spoof saying it's
1185 01:06:14,250 --> 01:06:14,250 in airplane mode
1186 01:06:14,250 --> 01:06:14,250 DAVIDOFF: That's a great question,
1187 01:06:14,250 --> 01:06:14,250 in airplane mode this particular
1188 01:06:14,250 --> 01:06:16,167 with root access to your device could.
1189 01:06:16,167 --> 01:06:16,167 DAVID HARRISON: It would be
1190 01:06:16,167 --> 01:06:16,167 for the malware authors
1191 01:06:16,167 --> 01:06:17,876 a theoretical barrier to that.
1192 01:06:17,876 --> 01:06:17,876 AUDIENCE MEMBER: How did you
1193 01:06:17,876 --> 01:06:20,250 through SHERRI DAVIDOFF: That
1194 01:06:20,250 --> 01:06:21,584 DAVID HARRISON: Yeah.
1195 01:06:21,584 --> 01:06:24,292 SHERRI DAVIDOFF: I think
1196 01:06:24,292 --> 01:06:24,292 AUDIENCE MEMBER: So what was
1197 01:06:24,292 --> 01:06:25,918 since the first one got fixed?
1198 01:06:25,918 --> 01:06:28,918 And how much does the shielding
1199 01:06:28,918 --> 01:06:28,918 SHERRI DAVIDOFF: The shield
1200 01:06:28,918 --> 01:06:32,125 depending whether or not you want
1201 01:06:32,125 --> 01:06:33,459 Yeah, they are real nice.
1202 01:06:33,459 --> 01:06:35,125 Tell them that you saw it over here.
1203 01:06:35,125 --> 01:06:38,584 AUDIENCE MEMBER: And what
1204 01:06:38,584 --> 01:06:41,584 DAVID HARRISON: That
1205 01:06:41,584 --> 01:06:43,167 Other people published that one.
1206 01:06:43,167 --> 01:06:44,709 You should be able to find it.
1207 01:06:44,709 --> 01:06:44,709 (Inaudible question) AUDIENCE
1208 01:06:44,709 --> 01:06:45,709 in iptables.
1209 01:06:45,709 --> 01:06:45,709 Do you have any plans to, I don't know,
1210 01:06:45,709 --> 01:06:45,709 instead of running through Netcat
1211 01:06:45,709 --> 01:06:46,709 HARRISON: Right.
1212 01:06:46,709 --> 01:06:47,999 SHERRI DAVIDOFF: Yes.
1213 01:06:47,999 --> 01:06:50,876 AUDIENCE MEMBER: I hear Snort
1214 01:06:50,876 --> 01:06:52,999 DAVID HARRISON: That would be
1215 01:06:52,999 --> 01:06:52,999 We are running
1216 01:06:52,999 --> 01:06:52,999 is the exact AUDIENCE MEMBER: So
1217 01:06:52,999 --> 01:06:54,751 we can probably help you with that.
1218 01:06:54,751 --> 01:06:56,125 DAVID HARRISON: I figured.
1219 01:06:56,125 --> 01:06:57,751 SHERRI DAVIDOFF: Awesome!
1220 01:06:57,751 --> 01:06:57,751 DAVID HARRISON: We would
1221 01:06:57,751 --> 01:06:59,999 to run it more smoothly
1222 01:06:59,999 --> 01:06:59,999 AUDIENCE MEMBER: About
1223 01:06:59,999 --> 01:06:59,999 through your devices, the devices
1224 01:06:59,999 --> 01:07:01,209 in the network traffic?
1225 01:07:01,209 --> 01:07:04,626 SHERRI DAVIDOFF: There
1226 01:07:04,626 --> 01:07:04,626 I believe that Tom Ritter got his traffic
1227 01:07:04,626 --> 01:07:04,626 like to sit down and compare
1228 01:07:04,626 --> 01:07:05,626 to do it.
1229 01:07:05,626 --> 01:07:07,167 We have just done it this one way.
1230 01:07:07,167 --> 01:07:07,167 DAVID HARRISON: Like we said,
1231 01:07:07,167 --> 01:07:07,167 you are seeing it after it passes
1232 01:07:07,167 --> 01:07:07,167 all encrypted, and if you pull it
1233 01:07:07,167 --> 01:07:07,167 before it gets passed
1234 01:07:07,167 --> 01:07:07,167 all unencrypted and it doesn't have
1235 01:07:07,167 --> 01:07:09,667 The magic was bypassing
1236 01:07:09,667 --> 01:07:13,083 AUDIENCE MEMBER: I'm saying it
1237 01:07:13,083 --> 01:07:13,083 If you have device saying so basically
1238 01:07:13,083 --> 01:07:14,959 to you don't need to (Inaudible).
1239 01:07:14,959 --> 01:07:14,959 captured here, versus the traffic
1240 01:07:14,959 --> 01:07:14,959 up to say AUDIENCE MEMBER:
1241 01:07:14,959 --> 01:07:14,959 DAVID HARRISON: So
1242 01:07:14,959 --> 01:07:14,959 are we seeing a difference
1243 01:07:17,417 --> 01:07:20,083 DAVID HARRISON: A wireless
1244 01:07:20,083 --> 01:07:21,876 AUDIENCE MEMBER: No, a device.
1245 01:07:21,876 --> 01:07:21,876 DAVID HARRISON: Oh, oh, so
1246 01:07:21,876 --> 01:07:22,999 on the Android device.
1247 01:07:22,999 --> 01:07:24,459 SHERRI DAVIDOFF: Oh, yeah.
1248 01:07:24,459 --> 01:07:26,083 DAVID HARRISON: We tried that.
1249 01:07:26,083 --> 01:07:28,459 We just wanted access
1250 01:07:28,459 --> 01:07:30,083 So we were like, oh, that's easy.
1251 01:07:30,083 --> 01:07:31,083 Tried that.
1252 01:07:31,083 --> 01:07:31,083 Didn't work
1253 01:07:31,083 --> 01:07:31,083 of the network traffic back out,
1254 01:07:31,083 --> 01:07:34,584 all of that SHERRI DAVIDOFF: We
1255 01:07:34,584 --> 01:07:34,584 DAVID HARRISON: It goes straight
1256 01:07:34,584 --> 01:07:37,209 captured by software you put
1257 01:07:37,209 --> 01:07:37,209 So SHERRI DAVIDOFF: Also,
1258 01:07:37,209 --> 01:07:38,709 up your IDS that way anyway.
1259 01:07:38,709 --> 01:07:38,709 If you have an infected system,
1260 01:07:38,709 --> 01:07:39,709 traffic you see.
1261 01:07:39,709 --> 01:07:39,709 So really, you want it
1262 01:07:39,709 --> 01:07:40,792 that's not infected.
1263 01:07:40,792 --> 01:07:40,792 AUDIENCE MEMBER: Is the list
1264 01:07:40,792 --> 01:07:43,999 to the femtocell, is that controlled
1265 01:07:43,999 --> 01:07:43,999 DAVID HARRISON: I want
1266 01:07:43,999 --> 01:07:43,999 it's managed through, like,
1267 01:07:43,999 --> 01:07:43,999 so you register the femtocell, go
1268 01:07:43,999 --> 01:07:47,667 I want these devices that I own that are
1269 01:07:47,667 --> 01:07:50,501 So and then it passes that
1270 01:07:50,501 --> 01:07:50,501 It would be really great
1271 01:07:50,501 --> 01:07:50,501 core network so that they so that
1272 01:07:50,501 --> 01:07:52,250 about who connected to femtocells.
1273 01:07:52,250 --> 01:07:55,584 Because these things have been
1274 01:07:55,584 --> 01:07:57,834 The original malware came
1275 01:07:57,834 --> 01:07:57,834 It would be great
1276 01:07:57,834 --> 01:07:57,834 about what when you were
1277 01:07:57,834 --> 01:07:57,834 and so
1278 01:07:57,834 --> 01:08:00,375 whether or not they hooked
1279 01:08:00,375 --> 01:08:03,167 So SHERRI DAVIDOFF: Can we get
1280 01:08:03,167 --> 01:08:05,751 DAVID HARRISON: This sounds
1281 01:08:05,751 --> 01:08:06,751 Okay.
1282 01:08:06,751 --> 01:08:07,751 Other questions?
1283 01:08:07,751 --> 01:08:08,751 Yeah?
1284 01:08:08,751 --> 01:08:11,292 AUDIENCE MEMBER: What
1285 01:08:11,292 --> 01:08:13,501 SHERRI DAVIDOFF: We have not
1286 01:08:13,501 --> 01:08:13,501 Honestly, we are not
1287 01:08:13,501 --> 01:08:14,501 a consulting firm.
1288 01:08:14,501 --> 01:08:14,501 And yeah, we wanted to put this
1289 01:08:14,501 --> 01:08:14,501 to make a ton
1290 01:08:14,501 --> 01:08:15,667 is Verizon here today?
1291 01:08:15,667 --> 01:08:17,709 Is anyone here from Verizon
1292 01:08:17,709 --> 01:08:18,709 Just curious.
1293 01:08:18,709 --> 01:08:19,709 Yes?
1294 01:08:19,709 --> 01:08:22,792 AUDIENCE MEMBER: I wonder what
1295 01:08:22,792 --> 01:08:24,626 SHERRI DAVIDOFF: Great question.
1296 01:08:24,626 --> 01:08:24,626 I think the first thing that comes
1297 01:08:24,626 --> 01:08:24,626 will be giving people the ability
1298 01:08:24,626 --> 01:08:24,626 right or text messages,
1299 01:08:24,626 --> 01:08:24,626 people are already using the Internet,
1300 01:08:24,626 --> 01:08:25,626 and Google Voice.
1301 01:08:25,626 --> 01:08:25,626 So your phone calls are already going
1302 01:08:25,626 --> 01:08:25,626 to be no issue
1303 01:08:25,626 --> 01:08:26,626 in that traffic.
1304 01:08:26,626 --> 01:08:27,999 I think it's pretty similar.
1305 01:08:27,999 --> 01:08:29,999 We have been DAVID HARRISON:
1306 01:08:29,999 --> 01:08:30,999 This one is now on.
1307 01:08:30,999 --> 01:08:32,209 SHERRI DAVIDOFF: Okay.
1308 01:08:32,209 --> 01:08:35,584 We have been represented
1309 01:08:35,584 --> 01:08:35,584 If you are careful to restrict access
1310 01:08:35,584 --> 01:08:35,584 capturing packets and call content
1311 01:08:35,584 --> 01:08:38,999 then they didn't see any issue with it,
1312 01:08:38,999 --> 01:08:38,999 DAVID HARRISON: Also keep
1313 01:08:38,999 --> 01:08:38,999 I would be way more concerned
1314 01:08:38,999 --> 01:08:38,999 to get malware on my device
1315 01:08:38,999 --> 01:08:42,083 to my phone calls that way than there's
1316 01:08:42,083 --> 01:08:46,125 That's a concern but between the two,
1317 01:08:46,125 --> 01:08:46,125 SHERRI DAVIDOFF: And in terms
1318 01:08:46,125 --> 01:08:46,125 modifying the open source piece
1319 01:08:46,125 --> 01:08:46,125 modifying standard open source Linux
1320 01:08:46,125 --> 01:08:47,584 the proprietary software.
1321 01:08:47,584 --> 01:08:47,584 DAVID HARRISON: That's
1322 01:08:47,584 --> 01:08:49,792 in the GPL-licensed stuff that's
1323 01:08:49,792 --> 01:08:49,792 That was
1324 01:08:49,792 --> 01:08:50,792 and thought about.
1325 01:08:50,792 --> 01:08:54,083 SHERRI DAVIDOFF: And we also
1326 01:08:54,083 --> 01:08:56,709 We chose to take another route
1327 01:08:56,709 --> 01:08:58,083 DAVID HARRISON: Question?
1328 01:08:58,083 --> 01:08:58,083 (Inaudible question) DAVID
1329 01:08:58,083 --> 01:09:01,334 like legitimate apps,
1330 01:09:01,334 --> 01:09:03,751 I haven't looked at a wide variety
1331 01:09:03,751 --> 01:09:03,751 But some probably would
1332 01:09:03,751 --> 01:09:04,751 like, there's.
1333 01:09:04,751 --> 01:09:04,751 AUDIENCE MEMBER: (Inaudible
1334 01:09:04,751 --> 01:09:04,751 would love
1335 01:09:04,751 --> 01:09:05,751 sending back.
1336 01:09:05,751 --> 01:09:08,501 SHERRI DAVIDOFF: We looked
1337 01:09:08,501 --> 01:09:08,501 If you play
1338 01:09:08,501 --> 01:09:09,918 we have some of that stuff.
1339 01:09:09,918 --> 01:09:09,918 AUDIENCE MEMBER: (Inaudible
1340 01:09:09,918 --> 01:09:09,918 was a great article
1341 01:09:09,918 --> 01:09:12,918 they are looking at 20 or 30 apps
1342 01:09:12,918 --> 01:09:15,459 Carrier IQ, you would be able
1343 01:09:15,459 --> 01:09:15,459 You would really be able
1344 01:09:15,459 --> 01:09:17,667 to send information
1345 01:09:17,667 --> 01:09:17,667 I think we have to wrap
1346 01:09:17,667 --> 01:09:18,999 for questions after this.
1347 01:09:18,999 --> 01:09:20,375 We have business cards here.
1348 01:09:20,375 --> 01:09:22,083 We have some other swag by the door.
1349 01:09:22,083 --> 01:09:22,083 So feel free to talk to us after the talk
1350 01:09:22,083 --> 01:09:23,751 if you have any more questions.