>>Good morning everyone. >>Good morning. Whoo hoo. >>I see most of DEF CON is not here today because, it is Saturday morning. I kinda expected that. So. Welcome to: "I Fight for the Users - Episode 1: Attacks Against Top Consumer Products". I'm Zack, >>I'm Erin >>this is Erin, she's SecBarbie and we always like to start with a slide of what our credentials are. We like to always say: don't trust a speaker just 'cause they are up here. Trust them 'cause you validate what they're saying. So, instead of having a long list of certifications, things we do, we like to say judge us for everything else. >>We're pretty smart though. >>So before we get started, uh, it's Erin's first time speaking at DEF CON [crowd cheers] and we've been informed that goons are no longer d- allowed to do shots with first time speakers >>Boo! [crowd boos] >>So this is Erin's way of, uh, celebrating, congratulations Erin >>I brought a shot. [applause] >>You want the other one?
>>Alright, alright, so, before we get started and in all seriousness this is our, our con speaker rule 101 so, both Zack and myself have been around this game a few, few years and what we see persistently, is companies go out and they, they love to use these conferences as great PR hooks so I want to start out apologizing to every single news media outlet that reached out to us but we learned really quickly, years ago, that as soon as you start dropping information - especially when you have things like "consumer product", "IoT" - your talk will get pulled right away. So, you've heard probably very little about what we're going to talk about but we hope to excite you with a few, uh, I don't know names… we're not being very vague today… >>No we're not. >>so, welcome to DEF CON [inaudible] >>So, we're kinda covering three different topics today. First is we're going to talk about, or I'll talk about Bluetooth, uh, some fun things with that for Bluetooth low energy. Uh, Erin's going to be talking about some wireless security products, um especially on the camera side ... >>Whoo hoo >>... and then I'll also talk about on uh, the Windows security side, some fun things we found on there. So, you may be like, this is a little ADD, this seems a little odd-ball to be jumping all over the place, uh, yeah. It is.
Uh, but having one talk that goes on for 45 minutes it kinda gets a lot of set-up, a lot of like, okay, well let's talk about ourselves, we spent five minutes now uh, let's talk about the background of this, so like we just want to get through it - we're ADD by nature about the stuff we want to look at so, we figured what better format than to just kinda jump through a bunch of fun topics and do it that way. So, first thing: Bluetooth: um, yes. We have another Bluetooth talk, we've had a few Bluetooth talks over the past four days including Black Hat um, Blue Hydra was released this week by, ah ZeroChaos and Granolocks over at, uh, DEF CON 101 earlier, um, we've got a talk coming up about pic-, actually it's today, isn't it? >>Mmm hm >>The Bluetooth lock picking from a mile away. That's really cool, I do want to go see it actually… >>It's the best track >>... um, and then over at the Black Hat side there was a gap proxy tool and a replay, um, tool and a kinda fun Bluetooth suite. So why don't we have another talk about Bluetooth low energy? Um so, a little backstory, uh, I like magic, I've always been fascinated with it. Um, I always had this dream as a kid to, start a magic bar, like a themed kind of magic bar. And yes they exist but I, it was kinda my little thing of like being able to have fun with that and there's always the basic rules of magic. One: never reveal a secret.
Two: never repeat the same trick twice. Three: practice over and over and over. Right? And so one and three we can get covered but how do you, in a restaurant or some other establishment track, if you've shown the same trick to someone over and over and over? So it kinda got my mind going as to how can you track who someone is in any kind of environment. So I kinda came up with this long list of ideas of how you could, huh, track someone. You know, can you get them out of the car on the way in with a licence plate reader, through their electronic toll collection RFID, through Bluetooth on their car. Ah, there was a great talk two or three years ago about how the toll systems are using Bluetooth to track cars, um, if they come by foot through, or you're in a major metropolitan area where people aren't coming by car, um, could you do it by facial recognition, voice recognition, different ways through their cell phone, what do they have on them, um credit cards - all these different fun things and always the not so fancy ways of just asking "what is your name?" Um, and so I kinda was thinking about like well, how do you tr-, uh, outside of like this from that application. How do you track someone, right?
And so, it kinda came down to these three areas of, or four areas of like well these are the key ways that if you could get positive data that isn't all garbage um, but wifi's a little bit of a problem uh, so, we've gone through the wifi tracking thing for years, we've talked about it, about how the phones are probing for wifi and I'm not going to dive too much into it but I hate to pick on Nordstrom because I love them, but they were the ones that got called out hard, Home Depot was doing it too, all of them kinda stopped this practice but, it was a way they were tracking user behaviour by looking for the Bluetooth, uh the wifi probes from your phone. Uh, but mobile device manufacturers caught on to this, they started doing randomised MAC addresses and, they decided that okay, only if you connect to a genuine SSID will I take and actually display my real MAC. So, we kinda take it as a data point but we don't trust it now for wifi as not all devices randomise but most kinda do on a mobile device front now. So that leaves us with Bluetooth, car keys, RFID loyalty card. That's kinda the key ideas I was like um, messing with in my head and well, yeah, we could do car keys. I'm not, great on my SDR skills, I'm getting better, but uh, and the RFID loyalty card is kinda lame so… let's talk about Bluetooth.
I'm not gonna spend too much time on Bluetooth 101, if you wanna learn more about Bluetooth and the stacks, there are plenty of talks about it but for those of you who are catching up with us today um, Bluetooth classic uses one meg, one megahertz channels, has 79 of them for data, one for broadcast, hops at 1600 times a second, the MAC address - effective MAC address, the address it uses - uses a, uh, upper address part and a lower address part to make up the address, you only get the lower address part in the packets, um and we all know about this and the only thing that's really using Bluetooth now is obviously audio devices um, head-, headphones, Bluetooth earpieces, that kind of stuff but we've kinda moved to the Bluetooth low energy or as Bluetooth likes to call it Bluetooth Smart [sigh] smart. Um, and we've talked a lot about the insecurity in the past in other talks. There's 36 channels, they are 2 megahertz wide for data, 3 announcement channels and then the increment of rotation of those channels and the interval, all that is dictated when it does the join to the master and what you get basically is you have a six byte address, effectively a MAC, we'll call it for sake of everyone. Um, that's used to do an, the advertisement and then what actually connects is a four byte access address that is actually used to communicate for that session. Everyone with me so far?
I know it's early but I don't want to waste too much time on Bluetooth, so Bluetooth does have security through, when we talk about the wifi randomisation um, the Bluetooth group actually started that randomisation also for its, its addresses in Bluetooth Smart uh, and actually this is the funny thing, they actually have an ad up on their site, or not an ad, a blog post on their site about protecting your privacy with Bluetooth, we've got good stuff, and they use this photo of this child walking alone, the biggest FUD I've seen in a long time of scaring you of like my kid's being tracked, oh my god. [theatrical sigh] So, like I said there's the access address, right, that's what's actually used in those data packets um but they change upon the disconnect and reconnect every time a device is connecting, except for in the advertisement which is static. Um, so long term tracking of these access addresses isn't so reliable uh, obviously with devices connecting for a long time you can track some behaviour, moving throughout for an hour, two hours but if there's any kind of disconnect out of activity they'll regenerate. So it'll give you good short term tracking but from a long term perspective you can't really track someone with those access addresses.
So it got me thinking so we, we've got randomised addresses on that side, we've got randomised addresses on the access [inaudible] and or advertisements in the access. So, what else is there? So, when it comes to Bluetooth it's two different kind of profiles. There's the generic access profile, GAP, and the generic attribute profile, GATT. Um, I'm not going to dive too much into these because, obviously this is not a 101 talk. Um, but basically the GAP and GATT profile provide the communications standard for communicating to the device. They basically set up the connect and communicate with the services that the device-, the slave has. So, I started looking at these devices to see what could be tested and obviously you go around, you play with the tools, you're like "okay, nothin, nothin, nothin" - I travel a lot. Um, a- a lot! So [laugh] I noticed, when I was on planes, that all of a sudden, a lot of devices started showing up. That's odd. Umm, so normally walking around you saw a few devices and we generally didn't know what the behaviour of all these devices was. We saw certain Fitbits and that kind of stuff. But wha- what's the deal? It turns out that, certain devices, when they are disconnected from their phones - or whatever they are paired to - they jump back into advertisement mode. So, uh, for your simple coding pleasure. If it's not paired it goes into advertisement mode.
And again this is unique behaviour we started determining with some of these devices. So, can we get devices to disconnect and actually take and start broadcasting again? Uh, uh the answer is, uh yeah. We can. Uh, it's interesting that you can actually jam the 2.4 gigahertz range with, uuum, some success. Right? Uh, basically the- using the USRP B- U.S.R.P. B210, uh you have about 56 megabits of bandwidth. Uh, it's not reliable, especially it takes a lot to drive it, but you can basically effectively create a 2.4 gigahertz jammer using an SDR, uh by generating some random data noise. We did all this and we tested it and we noticed by jamming the 2 [laugh] those frequency bands of 200- 2428 megahertz to 2478 megahertz - so basically that's 56- 50 megahertz band… we can actually take and get the devices to fall off and jump back to their advertisement channels. Uh but obviously this depends on the host. I have to give credit to iOS. They have great frequency hopping and detection. So basically the phone detects "okay I see a lot of jamming, I'm going to move to this frequency band and re-pair". So it does have some reliability but it's a little odd. The other way to get a disconnect is by blasting terminate connection packets. This is basically, effectively the Bluetooth version of de-auth.
Is you look for the access address and then you spoof a disconnect and it terminates. Now, granted, again, limited window and it gets wonky with some devices ah, we noticed some devices don't like to rejoin after they've been told to disconnect. So it's one of those things that if you are trying to track someone it kinda gets you some good opportunity to get an ID from them and get the connection advertisement side but not so much that it's not going to be noticed. So we've all talked about tracking before, right? So why am I rambling about tracking, tracking, tracking? Well, a lot of the talk before has been to- about "well it's possible". Okay, well, s- with who, with what, you know? This is really more of an implementation issue. Um, this is- when it comes down to individual devices implementing it - especially in the consumer side - what does what? Amazon, Best Buy probably love me by now because I just bought a crap-ton of Bluetooth low-energy devices that people use every day. Um, and we're gonna go through th- a few of them and step: what we tested and basically we did a consumer-report style testing against them to see what privacy information they are actually leaking. And we'll start with the worst. Sorry - need water.
These guys were on Shark Tank a while back and you may have heard of them because it's kind of a funny idea of shocking yourself every time you do something bad. [laughter] It's also a fun thing to shock your friends when they do something bad and they're like "I'm trying to learn.. [inaudible] Stop it!". But basically they use a static MAC address. The MAC address- the last four, sorry, 8 bits? 8 bits. 16 bits? 16 bits! Sorry, math is hard. The last 16 bits of the MAC is in the SSI- or in the name of the device. Correct me on my math. Um, and if you don't happen to have the- the MAC address from the stack MAC address or uh, its name, send a GAP request to it and it gives it to you [laughter] in ASCII to hex. I do- du- ah. Somebody wrote a BAT converter on that. So, this is super easy to track because we have a static address, never rotates. But like I said, they've started implementing this rotation in Bluetooth uh Smart. That devices are starting to take eh, advantage of. But then we have these devices that are meant to track you: um, TrackR and Tile. We'll talk about Tile next but effectively these addresses they show up in the broadcast address as being random uh, and they do generate a random one because the IDs rotate through it. But. the ID actually never really rotates on it. Uh the MAC address we've noticed over a period of over four months they never rotate it.
They did, they did but they never rotate it, so effectively seems as if when the device powers on it generates a new one but if it never powers off it never rotates after that. As well as with these devices meant to track you - as community meant to track you so, irregardless of the MAC address they use a static ID associated in the GAP profile that will take and actually dis- display, in the case of the TrackR, the raw MAC address of the device. And it constantly broadcasts when it's disconnected… Tile's the same way, um, the Tile identifier in GATT is one of the services in there, uh again - static MAC addresses again because it does randomise but never rotates, randomises on boot and it stays connected to a device but only while the Tile app on a phone is open but once you close the Tile app it disconnects. [sigh] Our friends over at Fitbit, the Fitbit One also uses a random MAC address but after about four months we didn't re- notice it rotate at all. It doesn't rain- remain connected to a mobile device at all. So basically to save energy it only connects when you connect to it and say "hey, how many steps do I have? What's my, my time" all that stuff. But it doesn't remain connected so it's constantly broadcasting as well. So things have started to get better after this. A little bit. With the Withings Activité, another device we tested, the MAC address randomises.
But it still advertises the raw MAC address in the advertisement data which broadcasts out. So while the MAC address is changing it's advertising its real MAC address inside the manufacturer data. Um, okay? That's a security choice. >>[laughter] >>Then the Pebble Steel also uses a- another way we can track the devices is in their name and we've talked about this before too but has in the name, the last - four digits (I'm done doing math) um, of the ha, MAC address and it's random but still after days of rebooting the device and turning it on and off and losing power it still kept the same, static address. Uh, but advertising as random. Again in the device info and GAP profile it's got the serial number of the device and it goes to sleep every once in a while so it's not really reliable but it's a cool choice, it also used "classic" so we can track its lower address too. So, interesting choices on how it connects. The Fitbit Alta, the MAC address randomises but, again, like all the other ones they stay static for four months, even after battery loss. Um, getting a little bit better, this one doesn't turn Bluetooth on until you actually turn it on to sync mode. [sigh] This one has the the name- uh the Microsoft Band has the name of the address inside of the device name and it does randomise the MAC. So we're halfway there.
We got a name that's kind of static, that's what you set it for but the addresses are rotating so… And then on the better side of things of people who actually implement security well, we gotta give credit to Apple, they rotate their MACs pretty well. Android Wear um, this was on sale, thank you Amazon Prime Day yeah… um but also noticed that this is really cool on the uh Android Wear watches. Once it's connected it stops responding to broadcasts forever… uh basically it'll still randomise, it'll connect to the device it knows but unless you go into the watch to say "let me reconnect" it doesn't respond to broadcasts anymore. So wha- I have to give kudos to them because that's the best we saw of all the things. iOS devices as well like to broadcast Bluetooth low-energy noise uh, they do randomise through and advertise they are an iPhone, iPad etc, but that MAC address randomises consistently so while it's being used in [laugh] fun apps, including Safari, we noticed, um… take that one on for size and think about that… it does randomise quickly and randomly so there's not any trackability on the actual iOS devices, we noticed. So we have to give kudos to these three for doing it right, the rest we kinda went through quick because we're doing it consumer report style and what we were gonna do is we were gonna release a tool with this to kinda track all these things.
Fuck you ZeroChaos, he kinda beat us to the punch and got a better tool out so I just said: "No, bravo, we- we'll just do it on that side and point over there because…" [sigh] they did a great job on that. So the Pwnie Express crew released this ouh… was it Thursday at 101? >>Yes >>I think they probably posted it three days before then, four days before then so, um this is definitely a great tool to look at for tracking those things. It doesn't, I don't think it supports GATT yet, but I'm sure it will soon, if I have a few more minutes to tweak some code. So where do we go from here with all these devices? We complain about them all and I spend 15 minutes rambling about this. Um, we really need to start testing more of these devices to determine what's the implementation issues with them instead of just like "well it's a problem".
With these new IoT things it's obviously a problem across the space and we all can complain about IoT this and IoT that, um so we're throwing up, oh, I forgot to actually commit this this morning ah [laugh] throwing up on GitHub uh, basically a repository that everyone can submit pull requests to, that as you test a device and say "hey I looked at this and it does this, this, this behavior" and we'll have a little checklist of things that we are looking for. We can all kinda source together as to: "hey, here's how this specific device behaves, here's the trackability of this device", not that it's possible, not tha- to fool people with FUD, FUD, FUD, but that it's actually possible or uh, that it's possible for this device, this implementation. Long story short, when MAC addresses are random look for things that aren't involved in the MAC, which include; not actually randomising them, the, uh GATTs leaking serials and the device names, you can knock a device off Bluetooth, uh, by using either the deauth packets or by actually broadcasting on the 2.4 gigahertz a lot of noise. Um, certain frequencies. And when the standard, while the standard of Bluetooth is great, supports a lot of cool stuff, uh, these devices aren't implementing it. Alright I'm going to switch it on to Erin who's going to talk more about the home security side. >>Alright this is the squirrel part of our talk.
[applause] Squirrel [applause] Oh he's not done, he has to get back up again, don't you guys, don't do that to him. [laughter] Just give him a minute. [inaudible talking] right ya right you're gonna ya don't, don't feed the ego. Not yet. Later, later. [laughs] Alright so we're gonna talk a little bit about consumer wireless camera and office security. So before we get into this, we've had lots of talks about uh wireless CCTV, all this kind of stuff, so let's uh chat about what we're not gonna talk about. We are not gonna talk about weak default passwords. You guys have Google, you can use it, yes everybody with the exception of maybe 10 percent of people still use all of these, congratulations. We're also not gonna talk about IP weaknesses but if you wanna make your uh network even more insecure, this guy on YouTube can actually help ya out and tell you exactly how to route it to the external internet if you really want to. Good times. I mean it was helpful, it was his intent. We're also not gonna talk about deauthing 101 um everybody has Google, download Kali, use some Google-fu and you can figure out yourself how to buy the cards that'll work and deauth it yourself so. >>Hint! >>Hint. [laughter] Also we're not gonna talk about Shodan. It's awesome, not this talk though.
Go have fun with it and I wanted to put a slide up and say we're also not gonna talk about Pokemon Go cause it's almost as fun as Shodan but [inhales deeply] So uh so who cares about the CCTV cameras and the security. Well ya know what? It grinds my gears, I care because these camera companies are selling it as security devices. Not all of em, most of em are selling security. [clears throat] So that got me to thinking, ya know, what if? What if these were used as security devices. Well I wanna be a bad guy and for anybody that knows me, knows that I have a little problem when it comes to automobiles. I like them a lot. >>[laughs] >>So uh so step 1 in my little mental process when I was thinking about these cameras was, was kinda getting into the mood. So I wanted to channel my inner Sway and think about hmm, if I had this, this absolutely amazing warehouse full of Ferraris that was protected by these security cameras, what would I do? This also plays into homes and stuff but I find Ferraris to be a lot more fun than thinking about the homes right now. So the first thing I would do, get into the mood. Second thing I would do, I'd get some information. Information is pretty easy to find.
Especially you know we 00:21:15.441,00:21:18.611 have this technology here I’m gonna use that really loosely 00:21:18.611,00:21:20.212 everyone in this conference we’ve been talking about war 00:21:20.212,00:21:25.684 driving for freakin years decade almo wow decades wow that’s old 00:21:25.684,00:21:28.721 anyway. >>That’s old >>It’s old. So some people call it war 00:21:28.721,00:21:30.756 driving, in this case we’re gonna call it target 00:21:30.756,00:21:35.427 identification. So with that you can drive around because these 00:21:35.427,00:21:38.130 devices are lovely and like to tell you who they are all the 00:21:38.130,00:21:41.267 time and in their MAC addresses you can actually tell who 00:21:41.267,00:21:44.236 they’re from. So you can go on to the ni the nice little 00:21:44.236,00:21:47.773 Google’s help us out again and identify who exactly these 00:21:47.773,00:21:51.043 cameras belong to or you can actually just look for the cu 00:21:51.043,00:21:53.145 cute little stickers that come with the cameras that say hey 00:21:53.145,00:21:56.715 you’re on camera and some of em even have the brand name on em 00:21:56.715,00:22:02.254 even easier. So with that I’m thinking about where the attack 00:22:02.254,00:22:06.292 goes. So obviously we’ve had many talks that have talked 00:22:06.292,00:22:10.462 about um wireless deauthing and what not. So let’s take that a 00:22:10.462,00:22:14.500 little bit of a step further. This talk was kind of composed 00:22:14.500,00:22:17.670 with the idea that let’s find out what these cameras actually 00:22:17.670,00:22:22.007 do. Let’s find out what happens when they get deauthed. Let’s 00:22:22.007,00:22:27.012 find out do they notify? Do they recover? 
So in the attack we’re 00:22:29.315,00:22:32.551 gonna be thinking about the fact of how long it would take an 00:22:32.551,00:22:37.656 intruder to get into a facility, a building, a house, what not, 00:22:37.656,00:22:40.759 what they would have to do ahead of it, how long they would have 00:22:40.759,00:22:44.129 to deauth the cameras and, could they make it away clean so to 00:22:44.129,00:22:48.133 speak. So that being said ya know we’re not gonna talk about 00:22:48.133,00:22:50.736 point a entry and what not like Zack said earlier there’s a 00:22:50.736,00:22:54.106 wonderful uh Bluetooth lock talk and so I’m assuming some of 00:22:54.106,00:22:56.208 these homes that have these lovely uh camera systems also 00:22:56.208,00:22:58.210 have the Bluetooth locks and we can do a whole bunch of fun 00:22:58.210,00:23:03.148 things with that as well. So, the attack. So in the attack 00:23:06.352,00:23:09.622 we’re gonna talk about which cameras are weak. So in order to 00:23:09.622,00:23:11.991 do that, we had to just like Zack, go and buy a whole bunch a 00:23:11.991,00:23:16.395 cameras but ya know since we this is DEF CON and ya know we’re 00:23:16.395,00:23:19.932 progressive these years, I wanted to make sure that we had 00:23:19.932,00:23:25.204 diversity. >>[laughs] >>So we have lots of different cameras 00:23:25.204,00:23:29.742 that we tested. Lots and lots of them from different manufacturers 00:23:29.742,00:23:35.547 of different sizes. So we went from the big guys to small guys 00:23:35.547,00:23:39.318 that's them so which one of them are not saying they’re a 00:23:39.318,00:23:42.254 security camera was my question I showed you guys earlier all 00:23:42.254,00:23:47.626 the articles and what not. So how many actually uh say they do 00:23:47.626,00:23:52.631 security? All but 2. 
>>[laughs] >>So there are 2 really, really 00:23:55.634,00:23:58.137 I’ll say forthcoming companies that don’t claim to be security 00:23:58.137,00:24:01.373 cameras they’re just like hey were this, this is what we are 00:24:01.373,00:24:06.779 good for them. So what was tested? So we did a little bit 00:24:06.779,00:24:08.781 of everything. So obviously we wanted to know what the offline 00:24:08.781,00:24:10.716 time was, we wanted to know if it does any kind of 00:24:10.716,00:24:13.185 notifications. So if you get bumped offline, network 00:24:13.185,00:24:16.655 interference what not what’s the threshold of notifications. Is 00:24:16.655,00:24:19.792 there any type of cache video on the device? So if it’s knocked 00:24:19.792,00:24:22.261 off how you know what what amounts gonna actually store 00:24:22.261,00:24:25.731 locally before we have to recover? What if there’s any 00:24:25.731,00:24:29.935 type of wired network options, if there’s any type of SD 00:24:29.935,00:24:33.939 options on the device itself for local storage? Type of power 00:24:33.939,00:24:36.608 kinda was curious whether it was battery or wired obviously its 00:24:36.608,00:24:39.511 points of failure there. Additional equipment needed for 00:24:39.511,00:24:42.448 the function of cameras, it’s not all of them are just stick 00:24:42.448,00:24:46.685 up and any other performance observations. So because we 00:24:46.685,00:24:48.754 were actually being pretty pragmatic about how this was 00:24:48.754,00:24:52.257 done we actually had a test procedure. So ya know at 0 00:24:52.257,00:24:55.227 stopwatch starts at about a minute in we did a targeted 00:24:55.227,00:24:58.464 deauth attack. About every 30 seconds we were waving our hands 00:24:58.464,00:25:00.532 for motion recognition cause some of the cameras did we 00:25:00.532,00:25:04.770 required it and about 10 minutes into the attack we did the 00:25:04.770,00:25:07.306 targeted deauth ending. 
So we terminated it and we gave it 00:25:07.306,00:25:10.309 about 5 minutes from there to see when it would come back 00:25:10.309,00:25:15.748 online on the network. So this is my high tech setup. It’s 00:25:15.748,00:25:20.386 pretty impressive. So we have the uh the timer, whatever 00:25:20.386,00:25:23.889 cameras being tested at the time, the iPad with the camera 00:25:23.889,00:25:26.425 app so we could vis actually visually see what was going on 00:25:26.425,00:25:29.228 with the camera. When it was gonna recover and obviously a 00:25:29.228,00:25:34.099 whole bunch of uh area play fun going on right there. So that 00:25:34.099,00:25:37.002 being said, I like to always prove my work like in my good 00:25:37.002,00:25:41.607 ol’ math classes. >>And live demos never work so. >>And live 00:25:41.607,00:25:44.476 demos never work so for you guys, I want you to know I spent 00:25:44.476,00:25:48.080 many a weekends with my GoPro taping these lovely things but I 00:25:48.080,00:25:50.516 fast forwarded em for you. So this is your drink break, anyone 00:25:50.516,00:25:53.819 who has coffee or anything have a nice drink, take a second. 00:25:53.819,00:25:58.824 >>Aaah >>Ya there’s about like 2 minutes and I fast forwarded the 00:26:03.762,00:26:09.701 crap outta these in split screen and so uh ya. You get the idea. 00:26:09.701,00:26:15.641 So now the results. Kuna >>[laughing] >>I love this 00:26:15.641,00:26:19.144 little Kuna device it was a Kickstarter actually um as were 00:26:19.144,00:26:23.348 a few of these but the cute thing was the Kuna device eh it 00:26:23.348,00:26:25.984 kinda did what it said it was gonna do not quite security. Ya 00:26:25.984,00:26:29.788 know it recovered after about a minute 30 a minute 40 after the 00:26:29.788,00:26:34.193 deauth ended. The positives, it’s a light. [laughter] If the 00:26:34.193,00:26:37.796 camera doesn’t work you gotta front light yay! 
[laughter] 00:26:37.796,00:26:39.698 Another positive it’s wired there’s no way around it, 00:26:39.698,00:26:43.569 there’s no battery powered it’s it’s hard wired. Um the 00:26:43.569,00:26:47.973 negatives only if the app’s open are we getting notifications. Uh 00:26:47.973,00:26:51.043 one of the other negatives or positives, depends how you look 00:26:51.043,00:26:55.514 at it. It had this really cool uh pardon me, [clanking] the 00:26:55.514,00:26:59.384 clanking is killing me. [laughter] [thud] It had these 00:26:59.384,00:27:02.988 cool status lights at the bottom of the light. Which were super 00:27:02.988,00:27:05.958 helpful and I appreciate the developers that put em on there 00:27:05.958,00:27:08.360 because you know it’s supposed to help out the consumers to let 00:27:08.360,00:27:13.565 em know if it’s paired and what not or if it’s online. That’s 00:27:13.565,00:27:16.068 always a good one for an outside security light to have it flash 00:27:16.068,00:27:19.671 red. [laughter] So one of the things we learned from the 00:27:19.671,00:27:23.509 deauth attack is after uh 10 minutes of it being online uh 00:27:23.509,00:27:28.680 deauthed, it kinda just doesn’t recover. Uh before that if you 00:27:28.680,00:27:31.850 cut it a little bit early it’ll do the the minute 40 recovery 00:27:31.850,00:27:35.787 but you let it go longer it kinda falls over. So in the 00:27:35.787,00:27:37.689 testing you know these are consumer products we did a few 00:27:37.689,00:27:41.059 rounds of testing and found these things out. Well like I 00:27:41.059,00:27:44.730 told you about these cute little status lights I was Googling ya 00:27:44.730,00:27:46.899 know for the point of this talk and trying to see if I could 00:27:46.899,00:27:49.535 find you guys a pretty picture because I actually didn’t fly to 00:27:49.535,00:27:54.239 Vegas with the picture of the bottom of the the status lights 00:27:54.239,00:28:01.013 and I come across this. 
On their website they actually do tell 00:28:01.013,00:28:04.917 you, good to them, that it will fall over and not recover and 00:28:04.917,00:28:07.753 you have to re-setup the wireless camera after 10 minutes 00:28:07.753,00:28:12.357 of deauth. So let’s just say hypothetically you have one of 00:28:12.357,00:28:15.827 these lights out in front of your house, you lose power for 00:28:15.827,00:28:20.933 more than 10 minutes, ya forget, your your light’s useless ya 00:28:20.933,00:28:23.702 know so. I would love to talk to someone who’s doing the IoT 00:28:23.702,00:28:27.105 monitoring of things there’s your uh your start for your 00:28:27.105,00:28:29.274 little project because these are some of the things you should be 00:28:29.274,00:28:32.678 looking for. So because of timing I’m gonna try to go 00:28:32.678,00:28:35.480 through these a little faster. The uh media has this cute 00:28:35.480,00:28:39.985 little Blink wireless HD monitoring and alarm system. The 00:28:39.985,00:28:42.154 Blink is totally cute I will give it credit that with 00:28:42.154,00:28:45.591 movement it will recover in about about 9 seconds. It does 00:28:45.591,00:28:50.228 have an onboard about 10, 5 to 10 second video recording. Um it’s 00:28:50.228,00:28:52.464 clip based though none of this is persistent recording it’s 00:28:52.464,00:28:56.268 just clips. Uh the cute thing is it’s easy to mount, it does 00:28:56.268,00:28:59.738 continue doing the clips. Negative ya know it does require 00:28:59.738,00:29:02.641 a base station, it is battery powered, there is no option for 00:29:02.641,00:29:08.714 uh SD, there’s no wired option, it is what it is. Amcrest which 00:29:08.714,00:29:11.350 I had never heard of this until lu again let’s look at Amazon 00:29:11.350,00:29:13.118 and find out what the best selling wireless camera on 00:29:13.118,00:29:18.223 Amazon is, it’s this one I don’t know how. 
Anyway >>It’s cheap 00:29:18.223,00:29:22.194 >>It is cheap, it is cheap but, you would think that maybe Nest 00:29:22.194,00:29:25.397 would >>[inaudible words] >>Anyway uh so recovery’s in 2 00:29:25.397,00:29:28.166 minutes not a bad little camera. It keeps about 10 seconds 00:29:28.166,00:29:31.269 onboard storage that does have a wired option for wirele for 00:29:31.269,00:29:36.675 wired network not wired power um it does have wired power and 00:29:36.675,00:29:39.177 there is an on off switch on the unit. Not overall a bad camera 00:29:41.747,00:29:44.282 [inaudible crowd voice] [clap] Somebody like that? [laughter] 00:29:44.282,00:29:47.853 Yay Amcrest! Anyway D-Link [sigh] we love D-Link just for 00:29:47.853,00:29:49.688 the purpose that they don’t actually claim to be a security 00:29:49.688,00:29:53.358 camera. They’re like hey we’re a netcam we’re cool like that. I’m 00:29:53.358,00:29:56.795 like alright so on the positive it does have an SD option. 00:29:56.795,00:29:59.431 Negative there’s uh there’s no actual wired option for the 00:29:59.431,00:30:03.835 camera itself. It recovers after about a minute after the deauth. 00:30:03.835,00:30:07.372 No movement’s required for that one actually. So Netgear cute 00:30:07.372,00:30:11.309 little Arlos. I love these Arlos. They recover after about 00:30:11.309,00:30:14.279 45 seconds, they’re versatile cause they have a cute little 00:30:14.279,00:30:19.317 magnet that’s how they attach and they have a sticker. So 00:30:19.317,00:30:23.555 remember to the war driving [laughs] plea ya put no no let’s 00:30:23.555,00:30:26.124 not put the sticker up and say it’s not even bad that it’s a 00:30:26.124,00:30:28.994 sticker it actually just tells you what it is. So you have a 00:30:28.994,00:30:31.730 few options when it comes to my little putting on my sunglasses 00:30:31.730,00:30:35.600 and being sway and breaking into my little Ferrari warehouse for 00:30:35.600,00:30:40.138 these. 
These are great I can just gr deauth it, go grab em 00:30:40.138,00:30:44.643 all put em in my bag, throw it in the Ferrari and drive out. So 00:30:44.643,00:30:46.978 so again it requires a base station, it is battery powered, 00:30:46.978,00:30:50.582 there’s no SD or onboard storage, again no actual wired 00:30:50.582,00:30:52.918 option for the camera itself because again pops on a little 00:30:52.918,00:30:57.322 magnet battery powered. Here we’re getting into the fun ones. 00:30:57.322,00:31:01.460 So the Logitech the Logi Circle oh sorry. >>No no we’ve got 00:31:01.460,00:31:05.097 we’ve got >>Alright we gotta run >>15 minutes >>I never thought 00:31:05.097,00:31:06.898 that okay well anyway >>[inaudible words] [laughs] 00:31:06.898,00:31:09.601 >>Alright ADD theatre here. Logi Circle, Logi Circle recovers in 00:31:09.601,00:31:14.272 about a minute 30 um it does do some uh constant push 00:31:14.272,00:31:17.309 notifications. Negatives has on off switch on the unit again 00:31:17.309,00:31:20.512 magnet, can grab it throw in my bag in the Ferrari outta here. 00:31:20.512,00:31:24.916 No SD or onboard storage, no wired option. Belkin, my little 00:31:24.916,00:31:28.620 buddy I’m gonna give you like one more second he recovers 00:31:28.620,00:31:32.157 after I call it the negative 10 seconds cause it does have an 00:31:32.157,00:31:34.326 onboard buffer. So the nice thing is it does come back 00:31:34.326,00:31:37.062 pretty quick so the onboard memory does recover it I dunno 00:31:37.062,00:31:39.131 if that was intentionally or network inter interference based 00:31:39.131,00:31:41.500 because they don’t actually tell you on their website in 00:31:41.500,00:31:44.503 marketing that they do that at all. They also don’t tell you 00:31:44.503,00:31:47.839 that they’re a security camera either yay Belkin. 
Um there’s an 00:31:47.839,00:31:50.709 on off switch on the unit and we did find inconsistent push 00:31:50.709,00:31:53.779 notifications through the app so that doesn’t help you too much. 00:31:53.779,00:31:58.049 Samsung recovers up to 10 seconds if there’s immediate 00:31:58.049,00:32:02.053 movement. Downside to that one not immediate movement eh until 00:32:02.053,00:32:05.857 the cat walks through. So positive SD option there is a 00:32:05.857,00:32:08.693 wired option to it. Uh the kinda negative is they’re kinda 00:32:08.693,00:32:12.197 working out their cloud option. There isn’t one at there wasn’t 00:32:12.197,00:32:15.267 one for our camera there was for other cameras and so that’s 00:32:15.267,00:32:18.570 that’s forthcoming and the SD storage only is on downloadable 00:32:18.570,00:32:21.907 through the app download the clip to the SD directly it’s not 00:32:21.907,00:32:25.844 permanently it’s not running a constant cache. [inhales] So the 00:32:25.844,00:32:29.981 Canary all in one security device. Canary’s awesome on 00:32:29.981,00:32:32.083 their recovery if there’s immediate movement again please 00:32:32.083,00:32:34.920 have your cat running through after a burglary. [laughter] So 00:32:34.920,00:32:39.324 uh again the deauth attack there’s a qu very quick recovery 00:32:39.324,00:32:42.894 2 seconds. There is a wired option there’s notifications the 00:32:42.894,00:32:46.998 sad part to the notifications is it takes 30 minutes so it has to 00:32:46.998,00:32:51.203 be offline for 30 minutes and that’s kinda not enough uh 00:32:51.203,00:32:54.639 because the other side a that it has to be offline consistently 00:32:54.639,00:32:58.376 for 30 minutes we did try an attack where we deauthed it for 00:32:58.376,00:33:00.712 about 10 minutes brought it back deauthed it 10 minutes brought 00:33:00.712,00:33:03.448 it back you can pretty much do that for awhile. So the 00:33:03.448,00:33:08.987 negatives uh movement is re required for recovery. 
Nest, 00:33:08.987,00:33:14.192 nest. [laughter] not dropcam nest anyway recovers after 20 00:33:14.192,00:33:16.928 seconds uh Nest is actually pretty good I’m not gonna I’m 00:33:16.928,00:33:20.365 not gonna beat them up too bad. I I hope that we see better 00:33:20.365,00:33:25.136 things coming from them in the future. It does keep between 30, 00:33:25.136,00:33:27.706 30 seconds and 4 minutes of cache. We were finding 00:33:27.706,00:33:30.508 inconsistencies through the testing of that just because we 00:33:30.508,00:33:34.980 did everything at uh 720p but it seemed that lighting, any other 00:33:34.980,00:33:37.749 um ambient movements were causing that to change and 00:33:37.749,00:33:41.553 fluctuate. There are push notifications for activity uh 00:33:41.553,00:33:44.022 they’re pretty consistent so that’s definitely a positive. No 00:33:44.022,00:33:48.894 SD option, no wired option. So [sighs] >>[exhales] >>I know 00:33:48.894,00:33:52.564 >>[laughs] >>I’m going I’m going away so very fast >>Ya we have 00:33:52.564,00:33:56.101 10 minutes left >>Oh shoot. Uh bad guys won’t put in the effort 00:33:56.101,00:33:57.936 ya right. Bad guys are putting in the effort to do some of 00:33:57.936,00:34:00.405 these attacks. We’re not talking about it to consumers so then 00:34:00.405,00:34:03.174 what cou should consumers actually do? Uh wired’s better 00:34:03.174,00:34:05.644 than wireless, uh verify and understand the limitation of the 00:34:05.644,00:34:08.413 products like Zack said we’re trying to put together a 00:34:08.413,00:34:11.016 database so that way everybody in this room can also contribute 00:34:11.016,00:34:13.752 to what they’re finding on their own. Nobody’s talking about this 00:34:13.752,00:34:17.122 to consumers. This is our consumer disclosure to sa tell 00:34:17.122,00:34:19.491 consumers this is what you’re putting in your house to protect 00:34:19.491,00:34:22.093 yourself. 
Let’s be let’s be smart and understand what we’re 00:34:22.093,00:34:24.996 doing. These cameras do have unintended great uses like real 00:34:24.996,00:34:27.999 estate ye anybody selling your house in here? I feel put one a 00:34:27.999,00:34:30.502 these cameras that has the voice listen to what the potential 00:34:30.502,00:34:34.306 buyers are telling you. Anyway, I’m out I went too long. Thank 00:34:34.306,00:34:39.311 you >>Woo! [laughter] [applause] >>I have 10 minutes to do a 00:34:44.282,00:34:46.217 whole topic. Uh one thing I wanted to reiterate about Erin’s 00:34:46.217,00:34:48.253 side that I don’t think she uh really announced and made 00:34:48.253,00:34:50.655 everyone truly clear on that I thought was great. Um so all 00:34:50.655,00:34:52.991 these cameras basically you do the Wifi deauth on and they’re 00:34:52.991,00:34:55.427 offline and Erin is there any cache recordings for the 00:34:55.427,00:34:57.095 majority of these cameras or which ones have cache 00:34:57.095,00:34:58.430 recordings? >>[laughs] Very few I don’t have a mic on >>Oh her 00:34:58.430,00:34:59.764 mic’s not working she said very few sorry. Um >>Very few like 00:34:59.764,00:35:03.435 >>But Ya so like I I know that the nest camera was 30 seconds 00:35:03.435,00:35:08.673 or thir 30 seconds to 4 minutes. >>No actually 4 minutes was the 00:35:08.673,00:35:10.675 most >>4 minutes was the max so basically once you deauth these 00:35:10.675,00:35:12.677 cameras they’re offline they’re not seeing any movement they’re 00:35:12.677,00:35:15.347 not seeing anything so if you wifi deauth them guess what? You 00:35:15.347,00:35:17.482 have no recording and there’s no cache recording on most the 00:35:17.482,00:35:20.385 devices the one’s with SD card options do. 
So I have to talk 00:35:20.385,00:35:22.287 about Windows for consumers I have 10 minutes >>go go go 00:35:22.287,00:35:24.489 >>We’re gonna get through this fast and the teleprompter’s 00:35:24.489,00:35:26.891 gonna try to keep up with me good luck have fun. Um 00:35:26.891,00:35:28.660 [laughter] so lotta people are buying Windows devices 00:35:28.660,00:35:30.829 especially with Windows 10 these are tablets we have fun with 00:35:30.829,00:35:33.832 them. Um and we’re not gonna be talking about OEM devices with 00:35:33.832,00:35:35.900 all these custom configurations cause the duo security crew they 00:35:35.900,00:35:38.770 did a great job on that. Uh but we tell users all these things, 00:35:38.770,00:35:41.039 patch your device, install anti virus, use HTTPS, use a password 00:35:41.039,00:35:43.141 manager, watch out for suspicious downloads, uh don’t 00:35:43.141,00:35:45.276 use suspicious wifi, pick a strong password [sniff] all of 00:35:45.276,00:35:49.147 these are great things. Oh it’s gonna get faster uh >>[laughs] 00:35:49.147,00:35:52.317 [crowd laughter] >>Reading [laughs] >>[laughs] >>Sorry 00:35:52.317,00:35:55.787 gotta keep going. These are all great things we need to keep 00:35:55.787,00:35:57.422 telling users but these are things that are not gonna stop 00:35:57.422,00:35:59.624 this so back at Defcon 20 I gave this talk about anti >>slow down 00:35:59.624,00:36:01.659 >>arm relaying >>[laughs] >> I don’t have time to slow down 00:36:01.659,00:36:04.829 >>[laughs] >>I have probably 20 slides to go um back at Defcon 00:36:04.829,00:36:06.665 20 I gave this talk about anti arm relaying. You can watch it 00:36:06.665,00:36:08.466 on Youtube or all the other places that it’s up there. The 00:36:08.466,00:36:11.269 old focus was about relaying NTLM network authentication to 00:36:11.269,00:36:13.471 corporate accounts. We were focusing on corporate corporate 00:36:13.471,00:36:16.207 corporate and focusing on internal attacks. 
For those of 00:36:16.207,00:36:19.077 you who are just joining us today Windows uses NTLM for some 00:36:19.077,00:36:20.979 network authentication it does use Kerbusch as well but it uses 00:36:20.979,00:36:23.948 NTLM for hashings and MD4 of the password. Uh but it’s also used 00:36:23.948,00:36:25.617 for network authentication and signing of network 00:36:25.617,00:36:28.887 authentication at some points. NTLM network authentication is 2 00:36:28.887,00:36:31.690 flavors version 1, version 2 uh basically it has a client say 00:36:31.690,00:36:34.292 hey what's up do you support this? Yup here’s my challenge 00:36:34.292,00:36:38.997 and here’s the uh the hash of the hash have fun. Um [crowd 00:36:38.997,00:36:42.534 laughter] Microsoft recommends uh to switch over to Kerberos an 00:36:42.534,00:36:47.539 and describe [laughs] Love you [clapping] [crowd laughter] I I 00:36:47.539,00:36:51.342 hope that shows up in the video some how. Um and by the way 00:36:51.342,00:36:53.178 Windows auto authenticates the thing so how does Windows auto 00:36:53.178,00:36:56.448 authenticate? It [laughs] uses uh we’ve talked about Wpad 00:36:56.448,00:36:59.017 there’s now W another Wpad talk there’s been 2 other Wpad talks 00:36:59.017,00:37:01.352 about all the fun things that were there but with Wpad Windows 00:37:01.352,00:37:03.455 auto authenticates with NTLM in some things Windows 10 does this 00:37:03.455,00:37:06.191 last but Chrome still does it. Um there’s other ways to get 00:37:06.191,00:37:09.260 users to auto authenticate with things um it’s not just Wpad you 00:37:09.260,00:37:12.797 can also use injection of UNC pass into HTTP traffic if your 00:37:12.797,00:37:15.667 on out rogue access point uh certain file formats support UNC 00:37:15.667,00:37:17.936 pass and third party applications that don’t use uh 00:37:17.936,00:37:22.574 proper cores uh ya. I won’t name names. 
Um but for a while we 00:37:22.574,00:37:23.942 talked about this on the corporate side the corporate 00:37:23.942,00:37:25.977 side the corporate side on the internal attacks but was it 00:37:25.977,00:37:28.913 internal only? Defcon 20 talked about how to exchange web 00:37:28.913,00:37:30.515 services while also [incomprehensible words] But 00:37:30.515,00:37:32.117 this is still a huge issue. Now I’ve talked about corporate 00:37:32.117,00:37:34.419 corporate corporate we never really talk about cracking these 00:37:34.419,00:37:36.121 hashes which are possible and we’ve always said it’s possible 00:37:36.121,00:37:38.556 to crack em. We’ve never talked about the implications of em. Um 00:37:38.556,00:37:40.658 so for corporate sides we can to VPN access shared point shared 00:37:40.658,00:37:42.894 passwords all that fun stuff but what about personal users? We’re 00:37:42.894,00:37:44.696 talking about fighting for the users. Things that were gonna go 00:37:44.696,00:37:48.032 and defend against them. Um so what what if they have a shared 00:37:48.032,00:37:49.801 password for certain accounts? What if they’re broadcasting 00:37:49.801,00:37:51.669 these things? What about local file sharers? What about those 00:37:51.669,00:37:54.072 things? So we’ve talked about this for years for Windows XP, 00:37:54.072,00:37:57.275 Windows 7, then Windows 8 came along and Microsoft decided to 00:37:57.275,00:37:58.810 introduce a thing called Microsoft accounts. On my 00:37:58.810,00:38:02.046 Microsoft accounts they included logging into your Windows device 00:38:02.046,00:38:06.718 yay. I have a 1 minute demo video because demos rock. 00:38:06.718,00:38:08.720 [sighs] This is the point where I actually have to wait the full 00:38:08.720,00:38:11.956 minute. >>Zack attack >>So we launch a rogue HTTPNSMB server 00:38:11.956,00:38:15.426 in a tool called Zack attack yay. There’s [inaudible voice] 00:38:15.426,00:38:19.597 an update soon. 
[laughter] Um use MBN as broadcast we set the 00:38:19.597,00:38:23.134 options to broadcast to this device that has a rogue HTTPNSMB 00:38:23.134,00:38:28.139 service. Exploit we wait. This is real time by the way. Bleep! 00:38:31.943,00:38:36.214 [laughter] If you notice this is a Microsoft account with an 00:38:36.214,00:38:38.316 email at Outlook dot com address yes it’s a fake email that we 00:38:38.316,00:38:42.053 set up for this and [laughs] There goes the auth we run an 00:38:42.053,00:38:44.189 OCL hash crack crack the password we get the password of 00:38:44.189,00:38:50.128 hunter tubing. Wow no one got that. You guys are all noobs. 00:38:50.128,00:38:52.397 [crowd laughter] I love you I love you. We go ahead and go 00:38:52.397,00:38:56.701 into Microsoft dot com. This is the Microsoft account. This is 00:38:56.701,00:38:58.770 the account used to login to the machine. We log in with that 00:38:58.770,00:39:00.638 Microsoft account the password we just cracked from a network 00:39:00.638,00:39:07.612 broadcast authentication request. We copy we paste copy 00:39:07.612,00:39:11.282 and paste come on real time >>You can’t have a video demo 00:39:11.282,00:39:13.952 fail >>sign in. Come on get there I have 10 er 5 minutes 00:39:13.952,00:39:18.957 left. We’re logged in yay! So what does that mean? [laughter] 00:39:22.026,00:39:23.661 [applause] I don’t have time for applause. First off Mooby said 00:39:23.661,00:39:25.864 that I have to release an update. Uh yes Zack Attack’s 00:39:25.864,00:39:27.699 getting an update for Zacks who can’t code good and wanna learn 00:39:27.699,00:39:30.468 to do other stuff good too. 
Um yes I have to post that but ya 00:39:30.468,00:39:34.172 there is cool new things with web hooks and with um uh the 00:39:34.172,00:39:35.807 Microsoft accounts that we’ve added in there but yes sure 00:39:35.807,00:39:37.609 enough your Microsoft account that your losing using to login 00:39:37.609,00:39:40.011 into those machines, to log into your Windows 10 devices it’s 00:39:40.011,00:39:42.680 using your Outlook, Gmail, Hotmail all those fun emails you 00:39:42.680,00:39:45.083 use it’s actually broadcasting those across the network. So 00:39:45.083,00:39:47.118 what at a minimum it’s information disclosure of the 00:39:47.118,00:39:50.555 user information but we this is the first time offline password 00:39:50.555,00:39:53.524 attacks are valid over a network thing. Yes it’s worked on some 00:39:53.524,00:39:55.827 bad services before but never in this thing. So what happens when 00:39:55.827,00:39:57.495 you crack someone’s password? You get in their Microsoft 00:39:57.495,00:40:00.498 account what’d you actually get? You get their uh date of birth, 00:40:00.498,00:40:03.134 you get there zipcode, you get their billing information, you 00:40:03.134,00:40:05.203 get the last 4 of their credit card numbers for all the billing 00:40:05.203,00:40:07.805 things attached to their Microsoft account and yes these 00:40:07.805,00:40:10.408 things are sensitive. This is a 2012 article from this a 00:40:10.408,00:40:14.479 reporter who got completely poned um but basically someone 00:40:14.479,00:40:15.813 got ahold of one of his accounts, got the last 4 of his 00:40:15.813,00:40:18.383 credit card and used that to pay to do all his things. You also 00:40:18.383,00:40:25.223 get their search history including things well [crowd 00:40:25.223,00:40:27.225 laughter] [applause] >>[giggles] >>This is a libertarian noob who 00:40:27.225,00:40:30.161 wants to commit first degree murder. 
[laughter] Um [laughter] 00:40:30.161,00:40:31.863 and if you’re a heavy Microsoft user using your Microsoft 00:40:31.863,00:40:33.631 account not just on your thing but for all the things. You’ve 00:40:33.631,00:40:36.701 got your onedrive all your freakin files, your emails, 00:40:36.701,00:40:38.803 you’ve got remote file access to the systems if you have it 00:40:38.803,00:40:41.639 enabled. You’ve got wifi sense that fun thing to share 00:40:41.639,00:40:44.442 passwords if it’s enabled obviously but yes from a network 00:40:44.442,00:40:47.045 broadcast thing, from sniffing someone on the same wifi access 00:40:47.045,00:40:50.181 point. No! offline crackings not original but it’s the original 00:40:50.181,00:40:53.351 application of this. [sigh] We’ve used our offline passwords 00:40:53.351,00:40:55.420 before and but we’ve never had it to where it’s harvestable 00:40:55.420,00:40:58.856 from a LAN before. So what we’ve told users, patch your devices. 00:40:58.856,00:41:00.792 Yes it’s still important but it doesn’t matter for this. Install 00:41:00.792,00:41:03.261 anti virus yes some ha uh host intrusion detection is ubs 00:41:03.261,00:41:06.597 detect de default challenge just change it. You’re cracking it 00:41:06.597,00:41:09.000 anyways you’re not using a rainbow table. Um by default 00:41:09.000,00:41:11.869 uses NTLMV2 so it doesn’t matter. Use HTTPS only well 00:41:11.869,00:41:13.671 [inaudible word] you’re gonna hit HTP man point and Wpad 00:41:13.671,00:41:16.808 broadcast don’t care. Um user password manager helps but 00:41:16.808,00:41:19.243 doesn’t actually help if you’re cracking this helps with other 00:41:19.243,00:41:22.080 accounts. Don’t use er suspicious downloads doesn’t 00:41:22.080,00:41:24.649 apply to this whoops. Um don’t use suspicious wifi. Seriously, 00:41:24.649,00:41:28.786 we tell people this why don’t we just protect em. Pick a strong 00:41:28.786,00:41:31.222 password that doesn’t mean something. 
00:41:31.222,00:42:24.809 [burps] What we should, we should never tell users, just use a random VPN service, 'cause that's a horrible freakin' idea to trust traffic with someone else, but for some reason we think that's a good idea to tell people. Um, what we need to tell 'em: pick a strong password, enable 2-factor authentication. Yes, in Microsoft it takes over 10 steps to take and enable 2-factor authentication, including adding device passwords to all your devices. Oh my God, it's painful. Um >>Mm hmm >>You need to use unique creds per site. Yes, it's important, so if someone gets one cred they're not in above it, and maybe avoid Hotmail and Outlook and all of OneDrive for a little bit until you can take and use a local account. How do we fix this? Disable NTLM auth, uh, yeah, that kinda sucks, telling users how to disable NTLM auth, but that's one way to fix it. The other thing is just don't use a Microsoft account to log in to your system; use a local account instead. So TL;DR: got a stock Windows laptop, attacker on the same network, uses a Microsoft account to log in, you're pwned. Alright, I have 3 minutes, starting with the issues. Uh, fixing distracted devices, what we talk about with Bluetooth. Can we track and monitor for certain implementations. Wi-Fi security cameras: you deauth 'em, they're off the network, there's no recordings, and some don't give notifications.
00:42:24.809,00:43:18.629 A few give notifications after 30 minutes, and there's very limited caching on most devices except for the 2 we pointed out. Considering Windows laptops are constantly giving creds for offline cracking, this is the first time we've seen that there can actually be offline cracking as those kinda things. I wanna acknowledge these people for doing some cool things: Moobix, fuck you, and end of line. [laughter] [applause] [cheering] [laughter] 2 minutes remaining, we're gonna go ahead and post the slide [laughs] I'll slow down. We'll post the slides up there, um, we're gonna go ahead and, I dunno where we could take Q and A because we're right up on the time. Uh, we'll, we'll see, where can we do Q and A? Right to the side, outside? >>[inaudible talking] >>We'll go outside >>We have 2 minutes, so we'll have to go outside. Yeah, uh, we'll take it outside, uh, so the next track can get in here. Thanks everyone for coming, we appreciate you guys coming out to make DEF CON great again. Thanks for coming out. [applause] [whistling] >>Wooh! [applause] >>Excellent.
