00:00:00.500 >>Well, good afternoon, how’s everybody doing? [applause] Good? Alright. So for those of you guys that came in a little late, perhaps you’re still expecting a talk about airplanes, something that probably would’ve been pretty controversial, right? Well, the airplane talk is not gonna happen, the speaker could not be with us, and so luckily though we have something that is going to be completely non-controversial given where we all are, and that’s a talk about cheating at poker. So we want to give these guys a big hand, because [applause] not only is this going to be an awesome talk, but they stepped in at obviously the very last minute and they’re gonna put on a great show for you guys, so let’s give Elie and Celine a big hand! [applause] Good luck!

00:00:50.284 >>Bonjour, my name is Elie and this is Celine, and today we’re going to tell you about our secret Defcon talk. For this reason we tried to keep it quiet before coming in, you can imagine why. So this is our work with our friend Jean-Michel during our spare time. So try to imagine if James Bond was cheating with a device at poker, and I’m not saying he is, but try to imagine for a second: he will go to the lab to Q and say, hey, do you have one of those insane crazy gadgets that can cheat and see all the cards? But well, that’s just a movie, right, and we only have like lame cheating devices.
00:01:41.201 Well, a few years back I was casually trolling on the black market forums, on the Chinese ones, and a post caught my attention. I don’t speak Chinese very well. It was about a win device, and a guy lost all his money and he was warning people, and [inaudible]. I didn’t quite understand it, and then when I tried to show it to one of my friends who speaks better Chinese, the post was gone, and I was like, okay, I must have hallucinated, it was like 2am, probably not going to happen. And then it’s sitting in the back of my mind, and a few months after I come across this post which basically says, I’m not going to read it out loud, blah blah blah, yes, those devices, it is real. I don’t know what it is at that point, but it is real, and people got ripped off in Texas, and a lot of people lost their money, one hundred k, and then a lot of people got ripped off, and then it killed all crucial gaming for poker in Texas.
00:02:37.024 And at that point I’m like, well, if someone has it in the United States then I probably can find it on the internet, and sure enough, as soon as I knew what to look for I was able to find a seller, and the seller started to use this for bargain, which was only four thousand euros, about five thousand dollars, with a forty percent discount, right? He tries to make you a good price for this win device, and that’s all you get is a picture. So this is a Romanian seller. Of course I knew this thing was from China because I read earlier the post on the forum, so we traced it back to China, and we were able to find the guy who built the real thing, who will hopefully sell it to us for a cheaper price. And so we identified the guy, got into contact, a friend of ours got into contact with him, and tried to get him to give us the device, and the guy’s like, sure, I give you a good deal, I give you the device and a bunch of gizmos, don’t worry, it’s only one thousand five hundred dollars, please wire me through Western Union. [laughter] Yeah, and we’re like, okay, that seems absolutely normal, I’m going to go to Western Union and just wire one hundred and five thousand dollars to China, what can go wrong? [laughter] Well, we did it, and then we waited. [laughter] A lot.
00:04:01.208 And when we were about to lose hope, a package arrived, and yeah, we have a talk for Defcon! We didn’t know it was working yet, but we feel pretty confident at this point. And so here’s a demo of what it looked like. I wish I could give you a better demo, but it’s super small, but so here is what it looks like. So I’m going to shuffle the cards, and this is a fair shuffle, no sleight of hand, I promise. And so I’m going to deal two cards, I’m going to put a card, and here it is.

00:04:34.641 >>Spade, ace, diamond, jack. [click]

00:04:45.619 >>So, wait, what? [laughter] Yeah, what the hell is going on? Right? Something is reading the cards out loud. So did anyone of you figure out what it is? No? Okay, let’s try again. As you can see, the phone is gone, so we’re going to try again. [cards shuffling] So I shuffle, and

00:05:11.378 >>Heart two, diamond five. [cards shuffling]

00:05:21.955 >>There, it works! Like it really works, and that’s really what you see, and that’s what a poker player at the table would see.

00:05:27.627 >>Diamond, spade.

>>It doesn’t miss, it doesn’t misread, it’s actually extremely accurate.
00:05:36.503 So that’s the story of this talk. We’re going to tell you what the hell is going on, and we’re going to walk you through it. So it’s a device, of course, and the device is this: it’s a phone, or it looks like a phone, it’s here for those who can see it. It basically looks like a legitimate phone. We believe it’s actually inspired by the Samsung Core. If you compare the two back to back, it’s almost the same thing. On the left side you can see the Galaxy Core, on the right side you can see the modified device. So they have a bunch of built-in security features which make it hard to analyze. The first one is they send you the activation code separately, and there is no way to activate the device without it, so they’re extremely careful, which actually speaks a lot about how professional they are; price comes from a super as well. They have removed ADB and any debug mode, so it runs on Android, but you cannot run ADB, you can’t have it in debug mode, and they actually prevent you from taking any screenshot by simply removing this ability, to make sure you cannot extract screenshots of the poker player, or the poker video player analyzer as they call it.
00:06:44.838 So a few fun facts looking at it: it’s a custom ROM, Chinese four point two two. It’s also using cloned devices from Samsung. The cheating hardware is complicated, and from the UI it’s a complicated secret: you can’t see it, you can’t probe it, so if you don’t know what you’re looking for, it’s just a phone. And so it’s really, really resilient to someone telling you you’re cheating: you hand over your phone, there is absolutely nothing to see, it operates like a phone, it can make phone calls, it has however many apps you want, your Facebook, Snapchat all work perfectly, so it’s really hard to know if it exists. And the funny story is we also found a lot of code which actually phones home to China, not sure why he needs that, so we are on the side of the backdoor.

00:07:22.175 So how does it really work? Well, in a James Bond movie it would work like this: first [inaudible] man would put his glasses on and it would just work magically. I wish it would work that well, but no, that’s not how it works. The way it works is you have a pack of cards, and they’re going to give you multiple options to get any type of card, including Bicycle for the United States, also the ones popular in China, Macau, Hong Kong and so forth, so you could choose the type of card you want and it will mark them for you.
00:07:58.945 And the device itself has a bunch of interesting electronics embedded in it. The first thing they have is infrared LEDs, which go with a black and white camera. So the infrared LED will go, what should infrared light choose, the side of the device, because the side of the device is actually modified to allow infrared to go through. The infrared will illuminate the side of the poker player, and as a result what you will see is the ink is made to absorb the infrared, so it will see those black dot markings, and that’s what the camera is capturing. So basically what it does is they use infrared absorption to mark the side of the deck. That’s the basic underlying principle. Here is an exposed view, so as you can see here, you probably don’t realize it, but the device is on, and if you squint really hard you can see three purplish dots on the right side; this is also LED. And if you turn off the light you see the LEDs, because we took it with a camera with the UV filter off, sorry, the IR filter off, and you can see clearly the three LEDs which are embedded in the side of the poker player. And if you can get an idea, it’s very, very small, it’s here, impossible to know if you don’t know what it is. So again, it speaks a lot about the quality of the construction and the professionalism of this kind of device, which really clearly shows this is not homemade or like a low profess-, it’s probably very professionally made, and they probably make a lot of money out of those.

00:09:28.902 So here’s an exposed view, so I tore it apart, opened it, and what you can imagine here is you see probably an orange square; this is like custom hardware they actually baked into the phone. Here’s a better view: so you have the camera, as I mentioned, which is here, then you have a custom chip which handles the AV, both the audio and the video, which is separate from the phone and then bridged back to the phone. And then here’s the top view, you can see the three LEDs that I mentioned earlier, and you can see on the right side there are two dots which are basically the out for RF and Bluetooth, and we’ll see how else it can be used in a few seconds. And so all of those are connected to a simple antenna which goes around the back of the phone to export to a better reception. So now Celine is going to walk you through how the user experience looks like and how you use the app that they actually embed into the phone.

00:10:27.460 >>Hi, can you hear me? Ah, can you hear me? Yes, so I’m Celine, and so I’m going to show you how the poker player application works. [inaudible] Okay, it’s back. So this is a screenshot of the device where you can see the Android app menu, and can you spot in this screenshot which app is used to control the device?
00:11:03.096 [inaudible] I can’t hear you. [inaudible audience response] No, so the app used to control the device is this one, the game app. [laughter] And so what you do is you click on the icon, start the app, and the first screen you’ll see is the login screen. So the user name is hardcoded and there’s only one, it’s the admin, and as mentioned earlier by Elie, the password was sent to us separately from the device. So you type in your password, click on the sign in button, and then you access the main app screen. But don’t worry if you forgot the password or you don’t have the password, there is a backdoor password that we found out. [laughter] So when you log in, the main app screen contains six options slash screens. So the first one is the game hall, it contains a list of all the game types supported by the device. The second one is purchased, it contains all the game types you already purchased, so that’s the one you can use. The upgrade screen is used to buy more game types. Common game is the list of game types you purchased, with a small explanation about how the app will behave depending on the game type. System info is not relevant, doesn’t contain any useful information, and the last one is settings, it allows you to configure how the device will work.
00:12:44.430 So this is a screenshot of the game hall, so as you can see there are hundreds of game types that cover a lot of use cases, so this is another indication that the people behind this device are running a real lucrative and professional business. So now if you want to use the device to cheat, you go to the first purchase screen. On this screen, on top, you can see that we have three credits, and we used two of them to buy two game types, and we have one remaining credit. Notice the poor spelling in English; that means this device is mainly targeting the Asian market and they didn’t spend a lot of time on English translation. So in our demo we use the second game type, the number two, read the card directly, so it’s going to read the card directly. So you click on it and then the app is going to show you the settings screen. You can configure the number of players, you can configure input and output methods, so Elie is going to detail those methods later in the talk. You can also configure the device to repeat continuously the reading of the cards or just do it once. So if you want now to use the device, you just hit this top button on this screen and then you get the main game screen. So what you can see on the top of the screen is a live capture of the hidden infrared camera here, and so when the cards are face down on the table, the back appears on the left part of the screen where the up symbol is. Below that you can see how many players are playing, you can see what is the game type used, so we used the ten sixteen, which is the read card directly. Just below you can see if you are using any haptic feedback devices and what its status is, and finally the important information is the result of the reading. So there are two players; the app is reading that the next two cards on the top of the deck will be a six of hearts and eight of diamonds.

00:15:12.378 So now just a few fun facts about the app. So we found out the backdoor password, so this password, when you have it, you can access any device. And by analyzing the game app we found out that the interesting part of the code that controls the input and output devices and does the card recognition is not in the app, it’s in a kernel module. So now Elie’s going to talk about how the card marking is done.
00:15:48.114 >>Oops, okay. So Celine just showed you that the app should read the marking, but the key question is how does the marking come onto the card in the first place, because obviously if you were to have a bad deck, or a deck which doesn’t fit legitimately in the hand, people will be suspicious, right? Again, this is for real cheating. So what they do is when you order the device they ask you which type of card you want. I ordered Bicycle because that’s the most common one we use in the United States, and that’s what you receive. As you can observe, it’s wrapped up, so if you were to actually hand it over in a poker game it will look like a normal, okay deck of cards that you would open, the peep sign is sealed on. So how do they get a card in? What happened is they resealed it and put a card in; they open the cards up, usually for marking, by opening the bottom of the deck, but when you open the deck, if you don’t remove the transparent sleeve then you won’t see that, so that’s very clever of them. And then you have the cards; if you manually inspect the cards, if you want to look at them up close you’re welcome to after the talk to do that, it’s really hard to even feel it or see it. It’s actually literally regular Bicycle cards that they probably bought and then marked. And so as Celine mentioned, the only difference is under infrared light you will see the marking. So the regular card appears like this on the right side, which is basically just blank, whereas the marked card has this absorption ink which will mark those dots. Each card name and number would have a different distinct pattern which repeats multiple times over the card for redundancy, and because it won’t know what the angle is exactly, right, they want to be angle-proof as much as possible. We then found more devices which are more expensive, and we ran out of money, which have two cameras, one on each side, to actually increase the angle of vision to make it more robust. And so you have something which, and then you have short black, long black, basically zero and one, and that’s how it will mark the cards. And then they have a bunch of functions; here’s one where basically the upper digit of the number is for the quarter and then the lower digit is for the number. This is why they always say diamond or heart six, club four, because it first reads the suit and then they read the value of the card.

00:18:14.360 But short of that, I mean no James Bond device would be complete if it doesn’t have a bunch of bells and whistles, right? So let’s look at how you actually interact with the thing, right, because even if you have it, it’s really hard to use by itself, so they bring you a few things. The first thing they have is a remote, and the remote will do two things for you. A, it will allow you to change dynamically and silently the number of players at the table, because people can come and go, as I see people leaving the room, bye bye. And then the other one is we have the sound on and off, so assuming that people are talking to you, you don’t want to get caught, you can turn off the poker player. We looked into it with Jean-Michel and it’s basically a standard 2FSK modulation, so there are three commands: one for the sound on/off, one for incrementing the players, one for decrementing. It’s on the eight hundred mega frequency, so it’s under RF, easy to jam, easy also to impersonate, so you can probably change the volume at will if you know there is one in the room. And then in the app configuration you can always usually choose between the speaker and the headset. So the headset is composed of two parts, the first part is this thing which is a remote, and so the remote has the volume button, which is to increase or decrease the sound of the earpiece, and then an on and off button. Can any one of you guess what the lanyard is for? Come on, be creative. Nope, it’s just to hang onto your neck, sorry.
00:19:58.464 [laughter] So yeah, that’s the necklace, and so what it does actually is this is connected to the phone in Bluetooth, but the earpiece you have in your ear is so tiny they couldn’t fit the Bluetooth emitter, so this thing would basically be a bridge which will do Bluetooth to the phone and transfer it into RF, so you have analog RF into your ear. So again, very easy to eavesdrop with any SDR if you know what to look for. And it’s very, very tiny, it has a tiny battery, and when you have it on you it’s very, very impossible to tell. They also have another very cool device which is a haptic feedback, so the idea here is again a Bluetooth P4, they call it a P4 one, and you saw on the screen before that it’s disconnected or connected, and what it does is it has a bunch of vibrators that you would put either on the arm or on your leg, and each of them will vibrate to tell you who is going to win, who is the second one, who is the third one and so forth, so it will bring in sequence, and so you can have this haptic feedback if you don’t like to have an earpiece.
00:21:04.930 Hey, I think they have a lot of customers, so you know, they try to accommodate everyone’s needs. For those who don’t really look, they even have a sneaky display here, so basically what happens is when you read the cards it switches the minutes and the seconds to the first winner and second winner, so you can just look at the time on your phone and be like, ah yeah, all in. [laughter] The most funny part of the device was the wireless camera, and so you can activate the wireless camera again from the UI, and it comes packaged as a car key. There are many, many other options for you, they also offer watches, belts, shirts, and a bunch of others; we got the car key one because it was easier to tear apart. And so the car key looks like this, it will look almost like a real key. Again, here’s an exposed view on how it works. So now that you know how it works, here’s an exposed view on when you use the car key: you put the deck in front and then you can see on the app

00:22:02.888 >>Diamond five, diamond queen.

00:22:07.793 >>So you see it, and you see the deck going back and forth on the screen of the phone, and so you can do it again. An interesting quirk that we found is, as you can hear

00:22:14.800 >>Plum 6, diamond king.

00:22:20.472 >>They call clubs plum because there’s a literal translation in English, so we bet it’s just like something with any bad translation software, and it’s like, well, it’s plum when [laughter] it’s actually club, but oh well, that’s one of the funny quirks about it. And so the key again has the same principle: they have LEDs behind the plastic which will let the infrared go through. Here’s an exposed view, this time you have two LEDs and the camera is just next to it. So here’s when I tore it apart, what you see is the hidden camera on the left side, the battery, they give you two. This thing sucks so much power that I was really surprised when I looked at the device, there was a ton of background services, I’m like, what the hell is that, it’s called MKT hit, and I’m like, what the hell, thermal, sorry, I’m like what the hell is that. And then I looked it up, and basically they have a kernel module which checks the temperature of the phone and will shut it down before it explodes, so you know, it doesn’t want you to die, but this thing basically is so power hungry that they had to put this system in place. And the same thing happened for the key: the key got really hot, and a battery which is eight hundred milliampere will last you probably thirty minutes, so you have another one, so you go to the bathroom, open your key, plug the battery in, you go back to the poker game, right, every thirty-five minutes, that’s basically what you have to do. Here’s the exposed view, you see again the camera, the two LEDs, and they all attach. This is, you have a small antenna and you have an MCU 8051 which controls it. We were able to find it online, except there is no datasheet, so we basically had to do guesswork when we were looking at the transmission. And so we were using a software-defined radio to actually try to understand how this thing was transmitting images, in the idea of, can we jam it? Can we replace it? The answer is yes to both. Actually, it was really hard for us because we realized this is not digital. It is literally an image, and so we were looking at that raw image in the two thousand four hundred gigahertz band, like wifi, and we think it’s PAL or NTSC, but we’re really bad at it, I mean [indiscernible] Jean-Michel and me are really accustomed to dealing with analog with more like a digital kit, so it was really a surprise, really hard for us to figure out how to do it. But yes, with no more than an SDR you are able to jam the thing and to replay images at will, so you can clearly defend yourself against this thing if you play poker against more cheating by just jamming their poker player. If you don’t like Volkswagen, they actually offer you nice options to customize. [laughter] Attention to detail again.
Um so that leave us with a few open 00:25:16.648,00:25:19.685 question that we don’t have a good answer uh the first thing 00:25:19.685,00:25:23.856 is this is a most sophisticated che- cheating device we’ve ever 00:25:23.856,00:25:27.593 seen and we’ve ever heard of and it begs the question of how they 00:25:27.593,00:25:31.697 created it and it’s a lot of work right you have to rehouse a 00:25:31.697,00:25:33.866 normal phone add the log that it’s running to do a lot of 00:25:33.866,00:25:36.802 progroma- uh programming I mean they have a kernel module in C 00:25:36.802,00:25:41.707 who do e measure condition, manage multiple perfects and we 00:25:41.707,00:25:44.576 don’t know if it it’s either attack which has been used 00:25:44.576,00:25:48.847 before by casino we heard uh if you look it up uh some casino 00:25:48.847,00:25:54.219 have this technique in the 1980s 1990s of having some 00:25:54.219,00:25:57.456 sort of camera to catch people doing card counting so maybe 00:25:57.456,00:25:59.725 that come from there or they actually build it and in that 00:25:59.725,00:26:02.761 case there’s a large honorable market that we don’t know of but 00:26:02.761,00:26:04.930 it’s really interesting to know who might be on such a device. 00:26:04.930,00:26:09.234 Uh the second thing i- is we don’t believe it’s actively used 00:26:09.234,00:26:11.603 in casino because casino have professional deters so it’s 00:26:11.603,00:26:13.906 really hard to use those kind of deck we believe it’s more for 00:26:13.906,00:26:17.810 background- background playing or among friend so it begs the 00:26:17.810,00:26:22.714 question of who is buying it and who is basically ripping who? 00:26:22.714,00:26:26.785 And finally in terms of enough it’s not like you can’t really 00:26:26.785,00:26:30.756 go buy at Office Depot uh infrared ink you’re like oh can 00:26:30.756,00:26:33.392 I get some infrared absorption ink? 
And they will look at you 00:26:33.392,00:26:36.662 very funny there is only very few places who actually sol- 00:26:36.662,00:26:39.731 sell those so how they get their hand on it and how they create 00:26:39.731,00:26:43.368 the marking process is there something we haven’t much enter 00:26:43.368,00:26:48.006 about so a few takeaways um yes just one device exists, it’s 00:26:48.006,00:26:50.809 really hard to find but actually you can get lucky and get one 00:26:50.809,00:26:54.012 it’s not ex- ver- it’s pretty expensive but you can get one uh 00:26:54.012,00:26:56.215 crimeware can be super sophisticated you know we have 00:26:56.215,00:26:59.318 heard at Defcon again and again about the NSA Playset but 00:26:59.318,00:27:03.322 apparently the mob boss have well the equivalent and it just 00:27:03.322,00:27:08.060 we haven’t looked at it just yet and finally uh it did require a 00:27:08.060,00:27:10.362 lot of skillset to be able to actually prepare this 00:27:10.362,00:27:13.632 presentation and we had to go from hardware analysis to 00:27:13.632,00:27:17.636 software analysis to re- RF analysis so we want to se- 00:27:17.636,00:27:20.906 basically acknowledge and thank our co-conspirator who only just 00:27:20.906,00:27:24.376 want to be named by this name uh Pixel helped us with the 00:27:24.376,00:27:27.513 hardware analysis and Vivi was the person who was able to get 00:27:27.513,00:27:33.252 it out of China um so big thanks to them um so thank you very 00:27:33.252,00:27:36.889 much for attending, I know that was not a talk you expected but 00:27:36.889,00:27:41.894 thank you [applause] we will happily take questions if you 00:27:44.696,00:27:49.501 have any and uh if you want to know more we’re going to put the 00:27:49.501,00:27:52.271 slides online just follow us on Twitter and we’ll make them 00:27:52.271,00:27:56.575 available, thank you. >>Very cool >>Thanks man >>Very cool, 00:27:56.575,00:28:01.046 congratulations that was wonderful >>Woo! 
>>If everybody 00:28:01.046,00:28:05.017 could please not, if you’re walking out the back door stop 00:28:05.017,00:28:08.654 that. Please exit out these doors towards where I am 00:28:08.654,00:28:12.591 pointing. To your left.