All right, so these guys are going to do some really cool shit. They have a really big piece of wood in here that does a lot of cool shit. So we are going to do a Q and A mic. After, we are going to take them to the hallway if you have questions after that. So with that, the floor is yours.

>> Is not working. Hello. Good afternoon everybody. All right, does anybody in the audience, do you like heist movies? Yeah, cool. How many like surveillance cameras? Everybody who cheered is a fed. So my name is Eric. By night we turn into hackers, and our most recent project was working on surveillance. Hopefully -- if you are not here to see that you should probably stay anyway because you'll hurt my feels if you leave. Today in this talk we are going to talk about a few different view things. We are going to move along to -- my after that we are going to look how we made a piece of hardware. Once we have control of that data we conclude what network -- and then we are going to talk about the software stack. Decodes those layers. And then hopefully throughout this entire talk we're going to be running live demo. Cool, prior art. So we did extensive research before and after embarking on this project. Jus TV -- printing it out and taping the camera. This seemed a little too low tech for us. This type involved take your highest teem hacker guy, telling to find the Ethernet cable. We found number -- on the right is a little bit more realistic example. This is National Treasure. We create our own device as close to the movies to see how practical this attack really is. This is the system we are trying to attack. Start with a surveillance camera. We don't care what is connected there. As long there is an Ethernet cable. So up on stage let me show what we have here. Over here we have the vault that we are going to try to break into here. Here we have the surveillance camera. It's connected via Ethernet through this long coil through the security guard's computer.
Which has gone to sleep. And so let me real quick. This is up to date. You can see the security guard camera. Pretty much live, there is a little delay. I cannot steal the money from the vault because they'll come arrest me. By the way. The rest of the demo is to aid in presenting this. The picture from using another camera. A little bit silly, I know, but it helps to show we really don't need cable access. Just one Ethernet cable. All right, so what's inside the Ethernet cable? Any Cat 6. You're going to find 4 twisted pairs. There a lot various interest -- 100BASE-T. These two are quite simple in the way they work. They use only 2 of the 4 pairs to send data. They device which one is going to talk. This is neat because you can just sort of tap in the middle of the cable. Alligator -- now split tile. Now the wires are twisted together to minimize interfere -- receive. Now I is an these network have a termination resistor around them. This prevents reflection and loads the cable. A very nice way that makes all happy, so if you sort of blindly. You are -- which is going to heavily degrade the signal and cause data loss. So the possible to tap -- with another Ethernet card which is a little bit invasive -- we want to be a little bit more update. So in 1999 gigabit introduce, they have to be at least current gigabit Ethernet. They use all 4 pairs to send data, all at the same time. Doesn't it get mixed up? Yes it does. Here's how it works. What I do, I write the data I want to send into the line and read back what I see on the line, subtract out what I know what I sent, and the result is what the other person sent. It's pretty clever. I certainly don't know the way the only way to read the data is to become one of the ends, that is if you are in the middle of the cable you need to cut that cable, add your own network and now basically become the ends of e -- now there is a lot of different 10 base -- either -- I don't want to implement these protocols.
Namely the people who make network interface cards, and so in order to insert myself into the middle of this cable I really don't need to learn how Ethernet works, just a way to reroute where the signals are going. Take the cable is and change the of the data. He is known expose the 4 twisted pairs. Green, brown, and blue. So the device that we made to redirect the flow of the data is called the tap board. I can show you on the camera too. This is the tap board. Now the tap board has a lot of cool features. It has 8 latching relays, which are used to reroute the signal. These are 1 gig -- only use -- 125. 16 punch-down connectors. And to connecting to metal inside. You don't need to break the connection. On the board there are several traces where the flow -- just like these -- this is cool because if you attach our board and you're a cable network -- we were not able to get our hands on these. Nobody we knew had one, but we feel that we strongly believe that this board would be basically invisible to a cable tester. It will show up without very much dis -- lastly, USB, you can connect it to a come and -- you can control the routing from across the internet. With your victim's network cables and stuff. So let's take a quick look at what Zach has been doing over here. What he has done, he is working on splicing the cable into the tap board. Using the punch-down tool. What he is doing is displacing the wire, making electrical connections to the board without interrupting the data that is sent. You can see the time stamp up there still. So far we have not interrupted the camera feed. Now by default, or let me start. There are 4 parts. Device under test A and test B. Passive configuration. Now the way that you attach to this tap board is first of all is slicing your own man in the middle. Tap A and tap B. Then -- and you remember the UT be are connected together by default, so what you have done is two possible signal paths. By punching down the Ethernet.
This means you can remove one of them, cut the twisted pair, leaving the signal routed. You can do this without ever interrupting the signal. Zach is finished punching the DUT A and DUT B, the camera feed is still going. Can you wave your hand in front of it? Now we are going to start to remove this cable. Tap board, so let's look at the video. You can see the time stamp still ticking away. Almost done. No disturbance yet. Again, video. And there we go, we completely removed the middle of the Ethernet cable. [ APPLAUSE ]

>> So what do we do now that we slice the middle? Well, first let me talk a little bit more how it works. This tap board has cool features. It has fail safer. The cable looks identical how it was before. But the board suddenly loses -- this board has a fail feature. What's going to happen is that blue light to blink. If that's what you want. Another cool feature of the tap board. The tap board is tamper evident, there is an accelerometer. This will detect if the board is jostled or otherwise disturbed. So with we have a short little program here. But of course you can actually connect this to something that phones home, because sometimes I imagine you may be using this board in a critical application where it's very important that you have not disturbed it. This gives you peace of mind. The copper as they were the original cable. We want it to be to connect -- tap A and tap B. This is the sort of critical step. This is where; take control of the Ethernet cable, so this is going to cause a little bit of packet loss. But we found it doesn't cause TCP connections to drop and it causes very minimal interrupt to lower level traffic. So let's show that right now. We are going to run this command. Flip the relays and switch the boxes. So let's do that. Let's show this board. You will see -- actively tapping the traffic and the guard computer went to sleep. But if we that's up to date. You can see that camera feed is still ticking away. So Brian is giving thumbs up.
Now we have complete control over the network cable. [ APPLAUSE ]

>> With that I'm going to hand the mic to Zach here.

>> Great. I guess -- now we have basically complete control. Wait. Great. Now we have complete control over the traffic going between the camera and our security guard computer. We are really close to being to -- before we get into that. How the video is transmitted. So sort of like obvious things do, to record all the traffic that is going through the cable and same set of hack over and over. That doesn't work, it turns out there is sequence number and things that involved in the data. Also there is might be traffic going on and or security guards can access -- either way we need to examine our video data. So the video is encoded with -- code, just dump over the network is wrapped up -- is this better? Great. Okay. So the video is not just the H.264 packet is not dumped over the network. Which is wrapped IPv4 if you are in 90 and then wrapped in Ethernet, so in order to understand what it is we need to decompose all these packets. We build our own man-in-the-middle stack. Like two-faced network stack and able to decode all these protocols that we need to do video looping and a few other, and designed to be as transparent as possible. TCP stuff because the way that embedded device might look a little bit different and we want our attack to be as indistinguishable as possible. Because we have done this wire trick. We do not need additional traffic to the network and letting them someone is trying to do put a man in the middle attack. That we can use to filter data or run things through FFmpeg or make loops that are video streams. This is really useful to just make cool applications using this stack. So let's take a look how we might use lens in a different example from video. Let's look how we might implement extension. So the way that it works, you're reading tech news and are terribly boring.
Cloud with my butt -- it will be worth reading. So normally this is done in your browser and is all nice but. So let's take a look at our software. We are going to need to decode Ethernet and TCP and HTTP so we can extract just the body of an HTTP request. From there, yeah, okay. From there we are going to take the body of an HTTP request and run it through the layer that replaces everything with cloud with butt. Pretty simple. So now if we have this stack set up when we --

>> I'm almost there.

>> When we have this stack up. If the security guard laptop trying to open up -- we'll see something a little bit different.

>> Maybe, the internet here has been a little bit flaky all day, I blame the internet.

>> Not our fault at all.

>> There we go. [ APPLAUSE ]

>> Some really great headlines here. Okay. So we can do this to modify. This just shows we can modify TCP streams on the fly. Now we can use this to make camera loops. So to loop video is a little bit more complicated than HTTP request. RTP, real-time protocol. It involved a few other things. Session data and playing -- unrelatetive and just sort of tells you some encode information, things we don't actually care about. And finally we have RTP and this is the meat we care about. RTP is the H.264 data we want to loop. So here you can see this is like a graph of all the layers that we have to decode everything in a video session. In RTP session. So we have the UDP layer which in this video filters out the traffic -- and H.264 stream that we can pass out. FFmpeg is really great, we're going to use it a lot because it lets us perform a lot of transformations. We can do looping, like cool color effects or you know maybe something really -- when it comes down to live stream. This is live. But if we can do that we really can loop video. So all we need to do is just record some of this H.264 data. And then we're going to -- use FFmpeg and then we'll take the stream.
And forge packets to look like they're from the camera. And then when we have that the security is just going to show our loop and we can do whatever we want afterwards in front of the states. Whatever that would be. Probably very legal. Okay, so we are just going to demonstrate that here. We are using that same setup I just showed. We are going to start recording some video. Of course some packets. So we recorded our loop. Now we are going to actually loop this video and we're using a slightly different setup here. It's actually looping if we look at our security guard camera.

>> You can see.

>> So if you put your hand in here it's not showing here, and if you paid careful attention time stamp. The time stamp will go in circle. Yup. [ APPLAUSE ]

>> So yeah, that's pretty great. But we can do one better. So that pesky time stamp, it would be nice if we could generate that. Where she data the camera is still streaming data to our box, we are just throwing that out. But if we use FFmpeg -- like nothing else important in there. Paste that over our video and so when we put that loop together the time stamp will still be going up. And so Eric set this up now.

>> It's a little off screen but it's there.

>> The time stamp is ticking up. Great. And if you notice Eric is at work, you know, breaking into the -- and nothing is showing up. [ APPLAUSE ]

>> The time stamp is still going and we have all the money. So great, yeah. So where do we go from here? Now that we run away with our cash. What else can we do with our box? One thing, there is no encryption going on in here. However I'm not particular concerned about well implement SSL. Is a really hard problem so we are glossing over that. Besides that, this tap board we -- for sending data HDMI. We just have not come up with any good use with man in the middle at HDMI but maybe you have something in mind. We also have a cool, handful of other demos that are unrelated but we figure they were fun applications so why not make them.
All right, so we loaded up this web comic which may look a little familiar to some people, and so a fun thing with this web comic, you have some people using your internet, why not just flip all our images over HTTP so their experience is really flowing, and trust me, having used the upside down internet. You don't know what's going on. It's really hard to use. So we basically have some clockwork -- HTT approximate and flip it and before sending it to the browser.

>> This one is taking another second to work.

>> We are having demo problems. Blame it on the internet, which is a hard thing to rely on.

>> Does anybody know any jokes?

>> Okay, we are going to try that one again because we had internet issues.

>> There we go.

>> Okay, yeah, so here. The images are flipped upside down. And so, you know -- one of these things -- there we go. Is near.

>> Oh my god. Stop being clever.

>> But somebody is live editing the TCP stream. So we have another layer, we have another program set up but basically lets us edit save TCP streams live. So.

>> There you go.

>> Open up the real editor like -- and you can add expert thing to the HTML. Yup. So you can just open up them and once you write out the file. It sends to the computer. This doesn't have any practical purpose other than making yourself cooler but that's -- basically we have some more demos coming up. We have all the source for our project up on GitHub, the hardware. And GitHub and you should GitHub if you want to reach us and contact us. But yeah. So we have some extra demo using the video again. So the thing about -- you want to switch back? So yeah. You rob the safe, taken all the goods out. Gone on the clean getaway. And you just want to go back and rub it in. Well, when we were robbing the safe we were recorded so we can play it back later. And so now they go try to chase you now and stop the robbery while you are 100 miles away and they're wondering what's going on. [ APPLAUSE ]

>> That's the end of our talk.
That's the basis of what we wanted to talk about. So if anybody has any questions it will be great. How much processing power that is the attack computer --

>> You want to answer that?

>> You should answer that -- I'm going to set this up.

>> Can you hear me? We have not tried running this on a Pi, is not very -- which is not 64 bit. Is nice a platform to work on fiscally --

>> How framework or --

>> We built our own. Sorry ab. We built our own framework. Because we wanted to be able to mimic how either end of the connector would handle the TCP stream.

>> The only piece in here that leaves any sort of evidence is that re -- so my question is, is it possible to set the NICs on your type site to be appropriately configured? Probably not, tell me why.

>> If I go back a bunch of slides, I was going to talk about this but Zach goes too fast as punch down the cable. But what happens, tap A and tap B are connected together. This is to -- some other pathway what sort of the protocol you're dealing with. Pairs and -- you can configure that on the NICs that you are going -- that way -- we sort of ran out of time. But we feel like the hardware support is there and we are very -- as you throw the switches. [ APPLAUSE ]

>> It's always worth knowing that you can throw the switches in such a way that you can -- pass the connections if that's what you are into.

>> All right, so when you are not injected power to pigtail, how well does it handle -- there is a little handshake.

>> I honestly don't know about PoE and that handshake. I know if you are using without any additional data. If you -- can you figure out which side is giving power connect using -- and then add your PoE injector on within of the tap NIC and when the relay switch gives powers just a very small --

>> So -- you should be able to leave those clams all the way through.

>> Definitely, that will certainly work.
I have heard there are a lot of standards --

>> Is either 4 -- so I guess you kind of but --

>> Sorry. This is -- the other gentleman asked. As is currently running -- is that happening in real-time?

>> We pretend to be the MAC addresses of the 2 devices. We are able to spoof Ethernet packets that look like they're coming from those MAC addresses.

>> That is so well done. Really cool.

>> Thank you.

>> If you are leaving, please do not go out that side of the room, go out through the back. Your right is no, your left is yes. Blah blah.

>> So you guys clearly rehearsed this and it was well presented. Now one question, having it so well rehearsed, how many times have you done this and how fast can you do it? We need to know so you can tell the team.

>> This is the fastest we have ever gotten to it.

>> There was some adrenaline involved.

>> It's worth noting that no animals were harmed in the making of this talk but many Ethernet cables were.

>> -- leave it untouched.

>> Actually make little boxes that just have the same punch-down connections and when you cut the wire, leave enough that you can repunch them down and you then cut out our board. So it's totally possible to remove from our Ethernet cable without disturbing it.

>> I was wondering, is the tap board compatible with the Ethernet?

>> The short answer is yes. If you add your own PoE injector on the proper side. Interesting. As it is now, we can't is power over USB because the tap board doesn't work without a host computer to feed it off from.

>> Great, that's it.

>> Thanks a lot for coming.

>> Thank you.