Announcer: And so, right now we're going to open up track two, our 11:00 o'clock slot with Maggie speaking about GFCI's and girl fault interrupted. [Applause] Maggie: I'm glad I don't have to stand behind that. So, hello DEF CON. If you are here to see sparks and smoke, you've come to the right talk. I'm super excited to be here to talk to you guys about something that I tripped over, pun intended. [Inaudible.] But first, let me tell you a little bit about myself. My name is Maggie Jauregui and I have about three years of security experience. The first two at Intel in Mexico doing security validation for the graphics driver on the software side, specifically for DirectX 8, 10 and 11. For the past year, I've been working in the U.S. doing software security validation for wireless innovation applications. This is my fourth DEF CON, first time speaking, super excited. I come from the most incredible country in the world and if you haven't been there, you really should. Bucket list it at some point. The most amazing people, food, everything and I'm having a hard time figuring out why I ever left. I got an incredible education as well. I got to participate in math tournaments where I was named fourth best in the country two years in a row and first and second best in highly script date a couple times. When I'm not doing techy stuff, I do more artsy stuff. A couple of disclaimers: Everything I do, research, images, here is my own and in no way, shape or form does it represent anything on the side of my employers, past, present, or future. Like I said, my experience was mostly software so this business is something I've been looking at for a few months. I don't claim myself the GFCI queen of the world so if you have corrections, or suggestions or ideas, I'd be super happy to talk to you guys about them. There's a small part of me, or maybe not that small part of me, that loves that I can start my first DEF CON talk ever with: So I was doing my hair the other day . . . 
[Audience laughing] 'cause I was going to go out on a date and this guy thought we would save millions communicating through RF. So we bought a couple walkie-talkies and enough batteries until kingdom come and we hadn't really synced as to when to use them. So I was doing my hair to go out and I thought I heard something in the other room, someone speaking through the radio. So I ran over there and I talked through it. "Hello, hello, is anyone there?" Nothing. So I come back to the bathroom and I click the call button to make it buzz on the other side [makes buzz noise] and when I do that, the GFCI of my hair dryer on the wall vibrates viciously out of control -- horrible sound, then a spark and smoke. So, my jaw dropped. I was like, "Oh my god, you've got to see this." And, yeah, for some reason I thought my hair dryer was dead so I went and got another one and tried the same thing. And it worked as well. But devices keep working after you disable the GFCI. It's only the GFCI that I get to affect. So then we needed supplies. Where can we get a whole bunch of hair dryers and stuff? So thank Goodwill for all the materials for the presentation. We got a couple of GFCI sockets, an antenna, and more decent radios. I studied for my radio license. I got my call name and all. [Applause] And then I started thinking, why would this matter or how do these devices interact with us on a day-to-day basis? Because don't get me wrong, if someone can DOS even temporarily my hair blow drying ability in the morning, to me that is an extremely high severity vulnerability but I wasn't sure that the rest of the world would see it that way. So where are these things? One of the people that we worked with suggested I look into AFCI's as well. That kind of put the picture together. Because in your house, your outlets, your electricity is basically either protected by GFCIs, AFCIs, sometimes both. 
So, I really focused more on GFCIs and I'll tell you guys why in a second, but we do go over a little bit of AFCI vulnerability towards RF as well. Why are these things there? They serve two different purposes. GFCIs intend to protect you from electric shock. They have to do so in a really quick manner. I think they have between 25 and 40 milliseconds to stop because when the body comes in contact with from five to 30 million amps, then that's when your heart goes into metrical shock and that's when ventricles instead of contracting the way they normally do, they just spazz out. Whenever it senses that the electricity -- if you think of the circuit as water and what comes in has to go somewhere, so it has to return. If not the same amount of current that's coming in is coming out, it detects there's a problem. It has to be really specific and really quick. That's what GFCI's do. AFCI's on the other hand are trying to keep your house from catching fire. It's basically like worn out old cables, if there's a spark anywhere, AFCI's are the ones that are supposed to find it. They do so by analyzing the wave form of the alternating current. So it has to be smooth and it's a much more complex little piece of equipment than a GFCI. So, code requirement. Every year the National Electrical Code deliberates where we need what. GFCI's are needed anywhere where people can come into contact with both electric equipment and water. So, your bathroom, pools, hot tubs, kitchens, laundry areas, anything above grade level, unfinished basements or garages. Whole bunch of stuff. And AFCI's pretty much protect everything else. They do overlap in a couple things, I think the kitchen and laundry area. Other than that, the general living areas, the family rooms, dining rooms, living rooms, bedrooms, sunrooms, any other room. I live in Oregon. I need some. Okay. This is how GFCI's work. Their little diagram. And it's really quite simple. 
It's a little transformer and there's a magnetic core, the toroid, and so you -- and there's an insulated copper wire that goes around them and that's just a general normal transformer. Through it go the wires, the hot wire on the way out and the neutral or the hot wire on the way in and the neutral on the way out. According to the right hand rule, if the currents are going opposite directions and they are the same magnitude, then they should cancel each other out. There should be no current in that wire. If it detects a small current in that wire, then it's calibrated specifically to 3 or 5 milliamps, then the solid state circuitry will inform the shunt trip to open the circuit and it will save you from electrocution. Pretty simple electro-mechanical. So, here it is. Right hand rule, going one way, going the other way, they should cancel each other out but there's also -- if you notice in the little toroid there's two, the hot and the neutral, and there's an extra one with a test button. So if you push the test button, it will enable that third line, which will imbalance it and trip it. It will cause a trip. That's what you're supposed to do to test if the GFCI mechanism is actually working. I recommend for people to test it often. How many of you test your GFCI's often? Very good. I'm super impressed. Cool. Okay. Inside there is something called a solenoid. Oops. This thing that says "shunt trip used to open circuit," that's what this solenoid is. And there's the coil that goes around the transformer then coils around this little thing and inside it is like a silver bullet that moves in and out and there's a spring. So as long as the power's connected, the spring keeps the bullet inside. If it notices -- if it gets the signal that there's a little current there that shouldn't be, then the bullet comes out and pops the reset button, opening the circuit. This is the thing that we cause trouble with with RF, so that's why I'm going into it. 
[Inaudible] Like I said, we're analyzing wave forms and making sure that they are smooth. It's a lot more complicated as it does thermal checking and it does, I think, also some of them do ground fault and the wave form analyzing and something else -- power surge. You're dealing with much higher voltages and it's a little more scary. So now, some demos. I start with the less impressive one. Just so you know. This is just a regular GFCI plugged into a wall where this is close range. So we're pointing at it, putting it nearby with either a radio or the antenna and this is what happens. [Loud Buzz.] You should be able to see some smoke. But it might not be too noticeable. You see some? [Chiming sound] There you go, a little bit of smoke. This is the first one. This one we get a spark. These are both closed. The little box is closed. Then I open it up so we can see what's actually going on inside. This one we can start to look through. [Buzzing] You saw? That blows it up. That's pretty much it. This is the socket, also close range. You should look at the lead in the corner. There you go. That's all. Do it from the side. Do it from the back. Now across the wall. Okay, confession time. We were testing these things. First thing I did after testing the 90-degree built into the plug GFCI was try to find them around the house. So I tested the bathroom ones, the kitchen ones and then other people's houses, friends of course, with their consent. [Audience laughing] Because I consider it like lock picking. It must be the same. You know, If you do your own, if you buy things to break them apart, then it's okay but you're not supposed to go messing around with people. That's not why you get a radio license, no. So, but yes, at some point testing one of the sockets on the wall, we heard a distant vibration somewhere else and we were like, "what's that?" It was something in the neighbor's house. So we stopped immediately but we realized we could do it across the walls, too. 
Radio on one side, GFCI on the other. Bad filming. Little delay. [Buzzing] Basically the same. Now remote. We got it up to about three or four yards depending on the device. Yeah, it really depended on the device. Some of them needed to be really close, some could be a little further. I did get recommendations from people to use a bilateral amplifier or you can use a huger, bigger antenna with a tripod, but you know you got a lot of wattage and it becomes scary and a little more terroristy. With this little thing, I was affecting my neighbors. You know, I didn't want to figure out, I don't know, that I could fry a chicken with it. It wasn't really the point. There. So doing different pulses. And actually it would burn up. You can kind of see the button move there. So this is the cool one. Try to see if you can notice the button flying out. [buzzing] [Laughter] [Applause] This is when you open the GFCI. When I got here for real, so yeah, first thing -- [Laughter] -- I swear everything works if you go check, everything works. I just had to check to see if they were vulnerable, everything is vulnerable here. The sockets, the hair dryer, everything. I just tested them. Then I wanted to show my dad, "Look, here's what I do." I said, "I'll film it, what the hell." With this one, you get the flying piece of component like flaming out of it, it almost caught my dad's shirt on fire. So, for the demos later, we have a prepared goon. [Buzzing] Male Voice: It's smoking. Wow. You're lucky it didn't get me. [Laughter] [Inaudible] [Applause] Maggie: So, this is what a fried GFCI looks like. The solenoid. The encapsulation of the wire on the solenoid melts out making it not a solenoid anymore, so it's not a GFCI anymore. That's why it stops working. The device keeps working because what we do is that -- let me go back to the diagram of the solenoid. Here. We get the bullet to move, because it's expecting -- okay. Maybe I should go back to where we were. Sorry about that. 
The reason why I didn't try with bigger things is because of the wattage and because it was scary. But we did notice people who have done this before. There was a YouTube video. I thought that would be good enough instead of me trying to jump onto my house and install this huge thing. [Applause] Okay, cool. So, I didn't make this myself so I can't vouch for its validity but it's pretty cool. They have an antenna on the top of another house. They are pointing it at the circuit breaker, the AFCIs. Male Voice: [Inaudible] There's an antenna right there above the tree I think. Black pole, radio antenna. Maggie: It's this antenna on the top of a house and it's pointing to the circuit breaker of a different house. [Inaudible] Cool, that's good enough. So they pointed it at the circuit breaker of a different house. This is what happens. [Video -- Audio inaudible] Really slow video. Male Voice: You can stop packing the wireless for just 2 minutes please. [Laughter] Maggie: Okay, so you see, you see? So it bounced a whole bunch. AFCI's are also vulnerable to RF, you just need much lower frequencies and bigger antennas that are much more expensive and scarier so I didn't do that. Male Voice: Seems like a logical breaking point. You guys know the drill. A round of applause for our first time speaker. [Applause] Cheers. Maggie: Cheers. [Applause] Male Voice: To DEF CON. Maggie: To DEF CON. So I can't guarantee there wasn't someone back there sparking the wires making these things trippy. We're kind of trusting these YouTube people but there's also, you know, the national association -- Male Voice: This is really cool. Maggie: Thank you. [Laughter] So, I did find a letter from the National Association of Amateur Radio, kind of apologizing, because the amateur radio enthusiast's neighbors were complaining that their AFCI circuit breakers were being tripped. And they did work with Levatron to make a better breaker that would withstand that kind of frequency. So what's going on? 
Like I said, I only did the directional antenna, that's kind of where I stopped. The fundamental thing that I'm doing is extending the electromagnetic field that comes from the radio directionally and that is captured by the transformer which creates a current that flows through that wire. And then it makes it believe that there's a ground fault but it doesn't -- it thinks -- what? Yeah. Oh yeah, we weaponized it. Pepper laser. When I did this my antenna wouldn't work because there was so much metal in the hair dryer that it messed up my electromagnetic field. [Laughter] I can't say much about my antenna.[Applause] This is about as much as I can say about my antenna. [Inaudible voice in audience] But look at it now. Okay. So now, resonance. Wires or antennas. We are antennas and things resonate to a certain frequency. Like if you grab a tuning fork and you hit it against your leg and then put it up against a guitar, the string of the note that is tuned to the same note as the fork will vibrate. Only that one. Things are tuned to resonate to a certain frequency, that's how radios work too. You modify the metal inside, the amount of twists and the width of it determine what frequency it vibrates to. Things are made to work at a certain frequency. I think for 120 volts it's like 60 hertz all around. So we're talking about possibly a distant cousin harmonic that the devices are capturing. And I can do two things. I can either do what I showed you guys where, I should do both -- I can either trip it, meaning it was on and now it's off, but I can click the reset button and it will work again. I don't ruin the GFCI mechanism. Or, I can melt it and it will never work again. It's just hard wired. So, that leads me to believe that the different materials and the different designs are either capturing, like resonating exactly to a harmonic that it is expecting or just something annoying and not quite enough to move the bullet all the way through. 
So, yeah, this is what it looks like on the inside. These are the components that this one, the FCR, we'll talk about it a little bit more. That's the one, this one and probably the C4 are the ones that shoot out. This will be the transformer that's capturing and this is the solenoid that melts. I have to go back to the other picture to show you from before. This. So, the bullet usually gets the signal it's supposed to and goes all the way through. When I'm giving it kind of a weird frequency that it's not used to and it's way smaller than what it expects, instead of 60 hertz, it's a lot more, so it moves. Like a little bit forward then back, a little bit forward and back. It's alternating. So it does this and that's what causes the vibrating sound [buzzing sound] and things like this are only supposed to work for so long. Like when you buzz someone into a building, the thing is meant to just be a shunt trip, right, you click it and then it's opened and the person walks in. If you stand there and you push it, it will melt. It's not meant to withstand long periods of time. So, when we keep annoying it for long enough, it overheats and melts and it stops working. Okay. I was just admiring my GFCIs. The ones that are vulnerable and the ones that are not. The top ones are susceptible to my attack, the bottom ones aren't. Can anyone guess or see anything that is different between these two things? [Inaudible voice in audience.] Yes. The transformer on the bottom ones is definitely larger and has more turns. There's also a little chip in there, in the top ones. This is that chip. I couldn't find these, the actual ones that I had physically. I found a data sheet for one of the patents and I'll show the patents that I found that are vulnerable and ones that are not. That patent led me to a number piece and I went to go see that but the ones that I had in my hand were not that number. The data sheet that I found supposedly does protect against... 
The reason why I think it's vulnerable is because sometimes cheap Chinese electronics will count both positive and negative current, so it's adding up slowly but it measures that there's more and more current coming through there. If it's only measuring the positives, like it should, then it will never get to the threshold that it needs. Right? So, what I think is that this little chip is -- we couldn't find the data sheet for it anywhere -- is counting both the positive and the negative impulses of the frequency that I'm sending and therefore conducting the current. If it just looked at the positive, then it wouldn't happen. In the case of the FDR's, one of the ones that jumped up in flames, and it was very, very simple and I've calculated when the gate gets a little signal. It's really low. I forget what it was, but a tiny amount of amps, then it will connect them. So, if it notices a little current there, it will activate the shunt trip. So, it connects to the solenoid and the little ceramic capacitor also had a chunk of it jumped out. And these explode from overheating, overcurrent or short circuit, in this case, I'm thinking overheating as we saw. It melts. The GFCI power outlets -- really the most I could get out of them, the ones built in the wall. The house where I live is 17 years old and the bad patents that I found are about 15 years old, so it makes sense. But the newer ones that I got at the store, I could trip them but I couldn't melt them. And these have a centric transformer coil which was a different thing that I didn't see anywhere else. The patents, the bad and the good, it seems like there's kind of an equal amount of yeses and nos but if you look at the count that I found, there is a really popular bad GFCI out there. 1999 patent, so it's fifteen years old and I found in it a whole bunch of things and across-the-board in a lot of different brands. I'm not naming brands but pretty much all of them. They are all Chinese, pretty much. 
Yeah, this was my bag coming in. I was worried that TSA would -- [Laughter] -- ruin my presentation but they didn't. Other cases in which it might be a bad idea, some people don't even know that their stuff is connected to a GFCI. I saw people online saying, "For some reason if I trip this button the lamp outside will shut off." It's like, what? So, if you get a GFCI outlet, the top two screws are to plug into the wall, the hot and neutral and the bottom two you can connect to other plugs or appliances and it will make them part of the circuit so they're also GFCI protected or vulnerable. Relevance, why could this matter? Well RFI could be just accidental, that you live near a radio station or an amateur radio enthusiast or it could be intentional. It's wireless and fingerprint free. Although I did read that devices have very specific frequency so they could do forensics and match the signal, the bad signal to the device but I didn't get into that. And that was one of the things that kind of annoyed me from my talk. I found it was either just annoying, trolling, where someone is making their guacamole and I'm like, "ha, now you can't," or potentially super serious things where it would matter, like someone who lives alone and is elderly and depends on a breathing machine or overnight hemodialysis or depends on a machine somehow. That would be bad if they could trip the switches somehow. Male Voice: Hospitals. Maggie: Yeah, hospitals. I tried not to get into that because this is my first talk and I don't want to anger the wrong people. There are medical grade GFCI's but I didn't look into them. Also hospitals should have a whole bunch of other things to protect them, right? So, if someone attacked their AFCIs for blackouts, they're prepared for that, they're staffed and there's manual overrides. So they should be good but, yes, in public places, it could matter. 
Just recently there was a GFI news article about an eight year old boy in Lake Carrow in Texas who died, electrocuted, because of a GFI malfunction and it was hard wired. I mean, it was burnt, it didn't work but it was on. It burnt on. And he was in the water for a total of 15 seconds I think before he was pulled out. And the city said that the city limits changed and that's why they hadn't originally checked for everything to be up to code standards. So, that's an example of when it could matter and for the most part, it won't matter. It's kind of like a life insurance. I mean -- well I guess we're all gonna die someday -- but you might never need it. I don't know that my life has been saved by my hair dryer countless times but it's nice to know maybe I did need it and then it was there for me. You know? It's one of those things that when you need it, you really need it. So, yes, our solutions are testing often. Make sure that button pops up the reset and just reset it again. Updating to newer patents, the newer devices should be better. They would all kind of be vulnerable but to different frequencies. The newer ones are vulnerable to lower frequencies like they are supposed to, the 60 hertz. The thing that kind of shocks me is that we've known about this for a long time. And it's been fixed for a long time. So why is it that everything I buy and everywhere I go I can do this? We should know better, right? Male Voice: Could we get a recall for some of these products? Maggie: Yeah and I will be talking to some of these and saying, "Hey." I'm guessing older patents mean cheaper in mass production. Maybe in hair dryers, maybe it doesn't matter but what if, you know? Also if you have a loved one who's home alone or yourself who depends on an electrical appliance being on, just make sure you have other options like a power generator, batteries, or a manual override so you have wiggle time to react. 
And another thing that we thought was to do a little Faraday cage grounded encasing covering the thing that should also be a solution. Now I need my lovely assistant so we can do some of these things. Okay. For my first trick -- [Laughter] [Inaudible voice in the audience.] What? Computer Voice: Frequency Closed. Maggie: So, the power outlets we only found that we could do from really close by but then we thought wires are antennas too and they will conduct an electromagnetic field. If you do it through the wire, like maybe thinking across the wall, you could potentially get to it. There we go. That's one. [Applause] And now. These two. Now hair dryer, live from track 2. Alright. I opened these up so we could see something interesting. Male Voice: Why are you standing back there? Buzzz. Maggie: Get a camera. Male Voice: Are those electronics I've got on me? [Laughter.] Maggie: Should we... [Inaudible voice in audience.] If the device is on while you're interfering with it, it will turn off but then you just unplug it, re-plug it and the device works. Should I plug this in? Male Voice: Yeah, hold on. [Random Noise] [Inaudible] Maggie: I have to reset it. These have not been tampered with, I just opened them up. I'm trying to get a camera so you can see it. I don't know if it will be big enough. We have someone ready with a cup of water just in case. Nothing has ever happened, although it was a close call. Male Voice: Something has to break. Maggie: We sacrificed the PCB and countless hair dryers for the demo gods. You know how it is. Male Voice: Plugging in the camera does help. Male Voice: It is plugged in. I swear. Maggie: Nope. We can just do it here. Male Voice: Here you go. Maggie: Oh cool. No. Okay. Male Voice: I think we're doing it live. Maggie: Doing it live. Male Voice: Hold it up to the mic, then they can hear it. Male Voice: Don't point it at me. Maggie: I need another mic that's not on my face. 
[Laughter] And you can -- this is one of the more sensible ones. You could probably do it from a bit. Do the laser, there's a purple laser. Male Voice: How many hands do you think he has? Maggie: Sorry. [Clicking Noise.] If we do it from closer, maybe we'll get it faster. Male Voice: I swear to god this is not a hold my gear moment. [Laughter] Male Voice: There you go, it's smoking! Male Voice: We have magic smoke. [Applause] Male Voice: Wanna do the other one? [Inaudible] Maggie: And yeah, I could show, maybe... [Hair dryer noise] Still works. We could do another one. You guys want to do another one? [Applause] Last one. I swear. We have like 6 more. By the way, I thought to make it interesting whoever tweets me the coolest or most bizarre thing that you could think of that would be bad that could be done with this by like 4:00 p.m., I'll get you just off the plane from Mexico Also Anjo tequila and I'll give it to you later at the Rio somewhere for your Saturday night partying needs. [Applause] So tweet me maybe. [Laughter] Male Voice: There you go. You all ready? [Buzzing] Maggie: Better. [Applause] Thanks to awesome co-workers and friends who've helped me, given me ideas. We've got a cute little blooper. Where'd the antenna go? Oh no! [Laughter] Yeah. Proxy is famous now. That's about it. If you guys have questions or something, I think I have a couple seconds. Male Voice: If you have any questions, there is a Q & A mic right here. Come to the mic. Male Voice: KD5QLN. Have you tried other frequencies besides UHF like 2 meters? Maggie: Oops, I didn't hear that. Male Voice: Have you tried other frequencies besides UHF like 2 meters? Maggie: 2 meters? Male Voice: Like 120 megahertz? Male Voice: Anything besides 2 meters? Male Voice: She's doing UHF. That's 420. Maggie: No. Male Voice: 120 megahertz I could probably do it. Maggie: We tried the range of the radio. Not much more. Male Voice: Okay. Male Voice: More questions, come up to the mic. 
Male Voice: This is sort of a shameless plug. You have your technician's license? Maggie: Yes. Male Voice: You should show up tomorrow at noon and get your general or your extra. We're doing amateur radio exams across the hall at the Crypto Privacy Village. Maggie: Awesome. Male Voice: Yeah, if you guys want to do this. [Applause] Male Voice: Any more questions? Maggie: If not, you can catch me later. I hope to meet you guys at a party or hallway near you. Thank you. [Applause]