Hi everyone and welcome to track one, the 3 p.m. talk. Today our speaker is AmmonRa and he is going to speak about how to hack your way out of home detention. Ladies and gentlemen, AmmonRa?

>> Can you guys hear me? Okay.

>> Louder.

>> Can you hear me now? Cool. So you know who we are and you know what this talk is. Standard introduction slides. Some of you know me, some of you don't. I work for a security consulting company. I should probably go over disclaimers, but you're all big kids and what you do is your responsibility. I'm legitimately on the system and not just a hacker. Blah, blah, blah, academic use only. Don't be evil. On a more serious note, authorities are very upset when people tamper with their systems. If you do try to use this in the wild, you might be sent to jail for it. So I recommend only doing it in a lab.

-- tracking systems. People - reasonably regulate. A couple of examples of crimes that have been -- home detention is someone last year in LA received -- for an integration scam. More recently someone hacked someone's email and got some home detention. They tend to be nonviolent, relatively low-risk crimes. If you're a murderer you probably won't get home detention.

How do these systems work? How do they operate? The goal is to restrict the movement of a person who has been sentenced. Instead of being sent to jail they are given some amount of time where they're not (audio blipped). There are two general categories of tracking systems. The older generation would have a clip that could transmit a signal to a physical unit that was in the home. It was not movable, and it would communicate with the monitoring station over a standard telephone wire. Most of these systems are considered legacy. The new systems don't work like this. Because they're legacy systems, they're still widely used. All of the modern ones are phasing into new tracker systems. That system uses GPS. So it doesn't have to be -- uses cell networks.
So it's not restricted to wired telephone lines, but it still may use a local beacon, which we'll look at later in the talk. Is this relevant? Yes. I haven't found recent statistics, but from 2012 I found statistics that there are hundreds of thousands of people at home on detention. It costs a lot of money to put someone in prison. It's cheaper for the government if they can monitor you within your own home.

Obviously I have a device. Now how would I get one? I guess somewhat reasonably the people that build and operate these systems are reluctant to release any information (audio blipped). There is a simple way to get hold of one, can you guess? You can commit a minor crime. I decided to go a more legitimate route. I found a company that builds these units in Taiwan, and I managed to talk them into giving me a sample unit under the pretext that I was going to evaluate it for my company. I don't care. I paid quite a bit of money. If you have done business in southeast Asia, there is a fine line between the cost of products and bribery, but I have the system, so that's all I care about. Because I bought it from the manufacturer, they're not going to tell me who the customer base is, and law enforcement is secretive about it. So I don't know where it's used. It could be here. Maybe not anywhere in the States. Someone somewhere is using the system because there is a market for it. I don't know who. Some of the vulnerabilities are relevant to this system and probably not others. Some are reasonably general issues and probably relevant to other systems as well.

I got my hands on it. It's a sample and it didn't come with documentation. I wasn't able to operate it properly. I did a bunch of -- and it used the same code used for tracking cars, and I have a manual for that. It's vulnerable to the same flaws.

How does this particular system operate? It uses GPS.
It has a base unit with -- low frequency or lower frequency beacon, and it has a large amount of tamper detection features, which we'll look at once we open the case. Battery life is around a week, but you can recharge it on your ankle so someone doesn't have to come and recharge the battery. It communicates in two different modes, both -- and G --; you can get hit with text messages or a server on the internet. You can remotely reconfigure the device. You can see the commands change; you can, for example, change the position where the person has to remain remotely. You don't necessarily have to go and update this.

Here I have the base unit. We're going to spend a lot of time looking at this. There is not very much in it really. It's a pretty simple system, tamper detection. If you try to open up the case it will send a message, which is mediated by the anklet, to the authorities. Most of the interesting stuff is in the anklet itself. It's not that much of interest. The anklet, the bit that goes on the leg, is more interesting.

This is what it looks like if we take off the strap. This is the inside. We have a switch and a magnet in the strap. If you remove it, it can detect that and it sends a tamper warning to the people monitoring it. Same with the push pin. There is an infrared LED and sensor. This is for tamper detection. How this works is there's a piece of fiber-optic cable that runs around the strand. If we take bolt cutters and try to cut it, it will disrupt the signal and the signal will be interrupted. The battery, the SIM card and some kind of [indiscernible]. I haven't tried reprogramming it.

We open up the circuitry and we can see what is in it. We have an off-the-shelf -- cell network module. We have a standard -- image which is used to store settings and locations when logging is turned on. There is a vibration mode, so you can automatically trigger alerts; if someone is not somewhere they're supposed to be or leaves an area, you can make the anklet vibrate.
We have a microprocessor. This is off the shelf. I'm not sure if you noticed, but you will see this module on the base unit as well. There is no identifying information on it, so I don't know if it's custom built or off the shelf. But it's obviously used for the local low frequency radio transmissions. I don't know any more about it than that. We have a GPS module that is pretty standard.

When the device is operating there is a large range of settings and stuff you can change. These are the most interesting ones, but it's not an exhaustive list. I won't go over them in detail, but you can change the user name and password or the coordinates where it must remain, and all other kinds of features.

So that's enough for now about the security of this system. As we know it communicates over the cell network. In this case [indiscernible]. It has been investigated a lot by other people in the past. It's encrypted, so you can't just view traffic sent over the air. There is a secret key in the SIM card. It's a well-known issue that the reverse is not true. A SIM card for a cell phone does not usually verify the communication with the network. That means it's possible to [indiscernible] a cell phone network. You can -- on the fly once the SIM card is --. The SIM card does not know its own phone number. This is relevant to what we'll be talking about.

I have an RF, this is a -- radio. I'm not going to go into that. Suffice it to say it allows me to receive and transmit within the cell network frequencies. The FAVGS (ph.) is an open source -- it allows JavaScript and can change how the network operates. If you -- this is publicly available information, the country number of the network, you can spoof that network. It's illegal to do this, but from a technical point of view it's not hard. I have a DIY cage here. One reason is that I need to block some of the signal because my transmitter is not very powerful. If I block some cell phone signals, the devices might switch to my fake network.
And it's illegal to transmit without a license, and I don't want to go to jail. As I said, there are two different modes that this anklet operates in. It's not encrypted, so you can interfere with this. I haven't been able to do this because I -- GPIs on the RF, but there is nothing to stop you from doing it. If it's in [indiscernible] mode it's more difficult, but it's not impossible.

So let's assume that we have a fake network and the device is authenticated to it. When it receives a status update about where the person is, we can see that message. Let's look at what the contents of the status updates are. The user name. This obviously (audio blipped) update. This is a major issue because now we can just capture the user name and replay it. We only need to get the PIN before we have full control of the system. (audio blipped) GPS coordinates; that is quite easy. The last part is the -- but it's not a signature. So we can recalculate the --; we don't need a key for that. The final part of the message appears to be [indiscernible]. I haven't found documentation about what it is. I can guess some of it or derive some of it. But we don't have to. This is a message relayed to the base station; the charging status is here. Things it might include, but I'm not sure, are how much battery is left. [indiscernible]

It's possible to -- information from a text message. Everything is a single --. I'm sure you have received messages from a company name. The sender information is just a string. It's not forced to be a cell phone number. People have set up fake cell phone networks without much regulation -- local cell phone and pass it to the local carrier, and it has to transmit this information. So they can send anything they want. You can fake a single number. They cost a small amount of money, but it's easy to do. If you want to spoof a number you have to know what number you want to spoof. The SIM card only has a unique identifier, not the cell phone number.
It's possible to get the cell phone number. You can pull out the SIM card and place it under our control and send ourselves a text message. If we open it, it's going to send a warning, right, so we can't do that. A naïve solution is to wrap it in aluminum foil and block out the signal so it can't see the tamper detection. The designers thought of this, and if it can't see the signal it writes it to memory and sends the message as soon as it can. The trouble is it -- [indiscernible] the network, message delivered. It doesn't do an end-to-end trip. If you have a fake network, it can say the message is delivered fine (audio blipped) (lost audio connection).

-- take control of the device. Is it possible? So the PIN must be four characters. It cannot be longer or shorter. It's only letters and numbers. No special characters. We have a bit over a million and a half possible PINs. I haven't been able to get these - but you can get 30 messages a minute. That's just about 40 days. So that's a really long time. But you're sitting at home on home detention, so what else are you going to do?

Option No. 3. A tool for tracking -- communication. A guy much smarter than me has done research in this and he released this tool. Basically it allows you to capture -- off the air and in certain circumstances decrypt that. You can -- messages and the cell network will believe it came from the device because it has the same key. You can fool it -- control and it will appear to come from that SIM, so you can get the number that way. The downside to this is you can't intercept or block, when there are status updates, because it's not on your network. I haven't done this because I have one SDR, but I think it's possible to place the device with one SDR in a cage and have another SDR outside the cage, and decrypt the traffic on the fly as it flows through and filter out messages that you want to block. The key to use -- quite often, every 15 minutes.
If you can snoop an incoming message, then you can get the PIN number and have control of the device. You will probably have to wait a long time because it won't be updated frequently. So you and the judge may have different definitions of Alcoholics Anonymous.

What we're going to be doing is, you have the number. You have a -- cage and we're going to spoof. We get the status messages that the device is sending. Replace the location information. Re-encode the message. Send it to a spoofing service and you see that the message has been changed. Because it's encoded it's difficult to see that it's changed. So I put together a Google map that will show us which points were received by my cell phone, which in this case is pretending to be the monitoring station run by the authorities, and which sections are caught on the spoof network.

Here is the map. So if we look at, I have a phone here, here is the message, it has three messages that I sent earlier today. I have a script which will pull the messages off the phone and just lay them on a map. These green points are messages that were delivered to the monitoring station in this case. We're going to start running -- this is the telephone network basically. And we have a script which will search through all the messages that it sees and then also display them on the map. They will be displayed in red. Because I have this case open, it's going to beep because it thinks I'm tampering with it. Now we're going to place this inside the cage with the transmitter. And -- this might take a minute or so to start. But we should start seeing network information. So that's bringing up the radio; it wants us to wait for the device to authenticate to it. So it can take a few minutes. Not a few minutes, but it's configured to receive a status update around 3 times a minute. So we don't have to wait too long. As you can see it's information about the low level network events.
We should see here soon the capture of one of the status updates. Yep. So -- well, let me see if we can scroll up. Just here. This is the content of one of the messages that it's seeing. Let's look at the map. So as you can see we have some red points. The green points are what's showing up on the phone. The red points are faked. We should see all of these. Let's see ... We're going to have a point there. Let's just kill the screen. Thanks. As you can see ... Basically we're faking points. Normally what you want to do is fake points that show you being at home when really you're at the pub or somewhere. But in this case we are not doing that. We're just going to fake that we are next door. Because I can't leave and fake me being here. Okay. No thank you. Sorry. Sorry. I'd rather not drink. So the base unit.

>> You don't get out of this.

>> Yes, I do.

>> You're going to force me to drink?

>> It's water.

>> Welcome to DEFCON.

>> Thank you. Okay. So the base unit. Why would it have this unit? It has a GPS locator. The reason is that GPS is quite expensive in terms of battery power and it's not particularly accurate indoors. Most of the time you're going to be at home near a base unit. So it can save a lot of power by transmitting a local signal. When it takes that signal, it doesn't need a GPS fix. This transmits around 344 megahertz. You can see on the right-hand side of the screen that, it's an actual sample I captured from this device. It transmits every 10 seconds. This is interesting. It transmits a static message. It doesn't change, well, it does change if you power on or off the device. It doesn't change during operation. So you can just retransmit it. I don't know if it's unique to the device. Record it. Retransmit it.

So this has been kind of cool from an academic point of view, but let's look at how we can actually use this in the real world.
I mentioned earlier, if you tamper with a system and are caught by the police, they will be very upset and you can be sent to jail. If you tamper with a system that is not yours, someone else may go to jail and they might come and get you in retaliation. So don't use it.

So what you can do is -- transmits a signal. We can look for that. But it's obviously not a -- [indiscernible] in the range of someone's house. So you need special equipment to find it. It might be easier to find where someone lives. If you find them you can easily jam all of the signals from this device. It's cheap to buy this equipment from China. You could maybe -- this is very maybe, I think it would be hard but not necessarily impossible to perform the attacks remotely. If you sat outside the house in a van you might be able to do it.

Can you make money from the system? That's the obvious question. To our advantage, if someone tampers with the system or breaks the terms of the home detention, they are usually sent to jail. The sentence is usually an alternative to a short time in jail. Could we blackmail them and make it look like they're tampering with their system and get them sent to jail? Maybe, but I think it would be difficult. A viable option would be to build a device or service that can - alongside the tracker and perform these attacks automatically once they leave their home. That is feasible. I haven't done this obviously because that would be [indiscernible]. The final option is maybe you would be able to find someone who hates the person on home detention and get them to give you money to tamper with the system and get that person sent to jail.

So finally, there are issues with these systems. We like to think they're secure because they're part of the justice system, but they're not perfect by a long shot. Some of the things that I found with this system can be easily fixed. There is no reason not to fix these issues. Authenticate the, like, tracker and the monitoring station.
Not just one way. Encryption. People rely on encryption, but it's been well known for a long time that it's not safe. So people shouldn't rely on that. They shouldn't retransmit the user names. Those are easily fixed. No excuse for that. Some of this stuff is very hard, if not impossible, to fix with this design. Jamming of the system and finding out where the users are. It's impossible to fix them. [indiscernible]. Yes. Given how poor the system is, it might be possible to -- [indiscernible] packets. I don't know, I haven't tried that, but it would be cool to look at. The flash memory is a standard chip. You can dump the code from that. You can potentially reverse engineer it and look for bugs or vectors in the system. It would be difficult to write any simulator that you put in the phone that would pretend to be the input. You can spoof the GPS location and it would think it's in a different location. Someone is talking about that now in another room. There is a better talk happening, why are you here?

Questions? I don't know how much time we have. Do you have any questions? Yes?

So this particular unit or home detention systems in general? It was just a thing where I said I wonder how secure the systems are and I thought that would be a cool project, so I bought one. Anything else? I spent a thousand dollars on hardware. Yes?

I don't know for sure. When I was researching manufacturers I found a half dozen, each with a few different models of tracker. So I estimate on the order of a dozen. But I don't think it's that many. Anybody else? Yes?

Like I said, people are cagey about the information on these systems. They won't tell me who the customers are or which system they use. So I can't find out where things are used.

So the question is, if we can replay -- from the base station, why don't we do that? It's easier than trying to attack the cell network communications. The reason is it's only sometimes useful.
So the device can be configured to always check the GPS location or configured to only check when it's not in the home, and you don't really know without testing it whether it's in one of those two modes. If it is, this is easier, but you don't know that. Anybody else?

You're asking is anyone interested in building better systems? No. None of the manufacturers or anyone have talked to me about it. I don't really care, that's their problem. Yes?

The IR detection device? Sorry? So it's just an LED as far as I know and it transmits a signal of some kind. Originally a detector fed through a fiber optic through the band. If you cut that, the light is disrupted and it won't reach the receiver, so it will receive an alert. That is how tamper detection works. Possibly. With my skill level, I could. But there are people who tamper with -- cables, so I think that is plausible. Is that everybody?

Yes, I did read about that. I know for G Ss used in a number of countries. This is not one of their devices, but I wanted to try to get the device but I couldn't get them to give me one. Is that everybody? Cool. Well, thanks for coming. ...(applause)...
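The fixes the speaker lists near the end (authenticate the tracker and the monitoring station to each other, don't lean on the cell network's encryption, stop resending the user name in every update) come down to authenticating each status message with a per-device key and rejecting replays. The block below is an added Python example written for this page; it is not code from the talk, from the tracker's vendor, or from any real monitoring product. The message layout, field names, device id, key and coordinates are all constructed for illustration. It contrasts a message protected only by a keyless checksum, which any relay can alter and re-checksum, with an HMAC-tagged message carrying a monotonic counter, which the station rejects when it is modified or replayed.

```python
"""Constructed example: authenticating tracker status updates (not the vendor's format)."""
import hashlib
import hmac
import zlib
from typing import Dict, Optional, Tuple

# Hypothetical per-device secret, provisioned when the anklet is fitted and
# never transmitted. A real deployment would keep this in secure storage.
DEVICE_KEY = b"example-device-key-not-a-real-secret"


def _checksum(payload: str) -> str:
    """Keyless CRC32 standing in for the checksum-style tail the talk describes."""
    return f"{zlib.crc32(payload.encode()) & 0xFFFFFFFF:08x}"


def build_legacy_update(user: str, lat: float, lon: float) -> str:
    """Constructed legacy layout: login name in the clear plus a keyless checksum."""
    body = f"{user},{lat:.5f},{lon:.5f}"
    return f"{body}*{_checksum(body)}"


def verify_legacy_update(msg: str) -> Optional[Dict]:
    """Accepts any message whose checksum matches; no key, so no integrity."""
    body, _, tail = msg.rpartition("*")
    if tail != _checksum(body):
        return None
    user, lat, lon = body.split(",")
    return {"user": user, "lat": float(lat), "lon": float(lon)}


def build_secure_update(device_id: str, counter: int, lat: float, lon: float,
                        key: bytes = DEVICE_KEY) -> str:
    """Hardened layout: device id (not a login), monotonic counter, HMAC-SHA256 tag."""
    body = f"{device_id},{counter},{lat:.5f},{lon:.5f}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}*{tag}"


class MonitoringStation:
    """Verifier side: check the tag first, then enforce a strictly increasing counter."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                      # device id -> provisioned key
        self.last_counter: Dict[str, int] = {}

    def accept(self, msg: str) -> Tuple[bool, str]:
        body, _, tag = msg.rpartition("*")
        device_id, counter, lat, lon = body.split(",")
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"       # coordinates or counter were altered
        n = int(counter)
        if n <= self.last_counter.get(device_id, -1):
            return False, "replay"        # seen this (or a later) counter already
        self.last_counter[device_id] = n
        return True, f"{device_id} at {lat},{lon}"


def demo() -> Dict:
    """Run both formats against the same relay-side modification and a replay."""
    # Legacy: a relay rewrites the longitude and recomputes the keyless checksum.
    real = build_legacy_update("user01", -33.86800, 151.20930)
    altered_body = real.split("*")[0].replace("151.20930", "151.30000")
    forged = f"{altered_body}*{_checksum(altered_body)}"
    legacy_accepts_forgery = verify_legacy_update(forged) is not None

    # Hardened: same edit fails the tag, and resending a valid message fails the counter.
    station = MonitoringStation({"dev-42": DEVICE_KEY})
    good = build_secure_update("dev-42", 7, -33.86800, 151.20930)
    first = station.accept(good)
    replay = station.accept(good)
    tampered = station.accept(good.replace("151.20930", "151.30000"))
    return {
        "legacy_accepts_forgery": legacy_accepts_forgery,
        "secure_first": first,
        "secure_replay": replay,
        "secure_tampered": tampered,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The counter does the work the speaker's "capture the user name and replay it" observation calls for: a stored-and-resent message carries a counter the station has already consumed. Authenticating the station to the tracker (the other direction the talk asks for) would use the same key to tag commands going the other way, which this block does not show.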