Good morning everyone. I see most of DEF CON is not here today because it is Saturday morning. Can't expect that. So welcome to iFight for the Users, Episode 1: attacks against top consumer products. I'm Zach. This is Erin. She's tech Barbie. And we always like to start with a slide of what our credentials are. We like to always say don't trust the speaker just because they're up here. Trust them because you validate what they're saying. So instead of having a long list of certifications, things we do, we like to say judge us for everything else. So before we get started, it's Erin's first time speaking at DEF CON. And we've been informed that goons are no longer allowed to do shots with first time speakers. So this is Erin's way of celebrating. Congratulations Erin. I brought a shot. Alright, so before we get started, and in all seriousness, this is our con speaker rule 101. So both Zach and myself have been around this game a few years. And what we see persistently is companies go out and they love to use these conferences as great PR hooks. So I want to start off by apologizing to every single news media outlet that reached out to us. But we learned really quickly years ago that it's not always a good idea to use a PR hook. So we've learned that as soon as you start dropping information, especially when you have things like consumer products, IoT, your talk will get pulled right away. So you've heard probably very little about what we're going to talk about, but we hope to excite you with a few, I don't know, names. We're not being very vague today. We're not. So welcome to DEF CON. Okay, so we're kind of covering three different topics here today. First I'll talk about Bluetooth, some fun things with Bluetooth Low Energy. Erin's going to be talking about some wireless security products, especially on the camera side.
And then I'll also talk about, on the Windows security side, some fun things we found on there. So you might be like, this is a little ADD. This seems a little oddball to be jumping all over the place. Yeah, it is. But having one talk that goes on for 45 minutes, it kind of gets a lot of set up. A lot of like, okay, well let's talk about ourselves, we've spent five minutes now, let's talk about the background of this. So we just want to get through it, and we're kind of ADD by nature about the stuff we want to look at. So we figured what better format than to just kind of jump through a bunch of fun topics and do it that way. So first thing, Bluetooth. Yes, we have another Bluetooth talk. We've had a few Bluetooth talks over the last four days including Black Hat. Blue Hydra was released this week by Zero_Chaos and Granolocks over at DEF CON 101 earlier. We've got a talk coming up about picking, actually it's today isn't it? The Bluetooth lock picking from a mile away. That's really cool. I do want to go see it actually. And then over at the Black Hat side there was a gap proxy tool and a replay tool and a kind of fun Bluetooth suite. So why do we have another talk about Bluetooth Low Energy? So a little back story. I like magic. I've always been kind of fascinated with it, and I always had this dream as a kid to start a magic bar. Like a themed kind of magic bar. And yes they exist, but it was kind of my little thing of being able to have fun with that. And there's always the basic rules of magic. One, never reveal a secret. Two, never repeat the same trick twice. Three, practice over and over and over. Right? And so one and three we can get covered, but how do you, in a restaurant or some other establishment, track if you've shown the same trick to someone over and over and over? So I kind of got my mind going as to how can you track who someone is in any kind of environment?
So I kind of came up with this long list of ideas as to how you could track someone. You know, can you get the car on the way in through a license plate reader, through their electronic toll collection RFID, through Bluetooth on their car. And there was a great talk two or three years ago about how the toll systems are using Bluetooth to track cars. If they come in by foot though, or you're in a major metropolitan area where people aren't coming by car, could you do it by facial recognition, voice recognition, different ways of their cell phone, what do they have on them, credit card, all these different fun things. And then always the not so fancy way of just asking what is your name. And so I kind of was thinking about, outside of that kind of application, how do you track someone, right? And so it kind of came down to these three or four areas where, well, these are the key ways that you could get positive data that isn't all garbage. But WiFi is a little bit of a problem. So we've gone through the WiFi tracking thing for years. We've talked about how the phones are probing for WiFi. I'm not gonna dive too much into it, but I hate to pick on Nordstrom's because I love them, but they were the ones who got called out hard. Home Depot was doing it too. All of them kind of stopped this practice, but it was a way that they were tracking user behavior by looking for the Bluetooth or the WiFi probes from your phone. But the mobile device manufacturers caught on to this, they started doing randomized MAC addresses, and they decided that only if you connect to a genuine SSID will I actually display my real MAC. So we kind of take it as a data point, but we don't trust it now for WiFi, as not all devices randomize, but most kind of do on a mobile device right now. So that leaves us with Bluetooth, car keys, our mobile devices.
So we're kind of trying to figure out how we're gonna use the RFID loyalty card. Those are kind of the key ideas I was messing with in my head. And well, yeah, we could do car keys, but I'm not great on my SDR skills, I'm getting better, and the RFID loyalty card is kind of lame. So let's talk about Bluetooth. I'm not gonna spend too much time on Bluetooth 101. If you want to learn more about Bluetooth and its stacks there's plenty of talks about it, but for those of you who are catching up with us today: Bluetooth Classic uses 1 megahertz channels, has 79 of them for data, 1 for broadcast, hops 1600 times a second. The MAC address, effectively the address it uses, uses an upper address part and a lower address part to make up the address. You only get the lower address part in the packets. And we all know about this, and the only thing that's really using Bluetooth now is obviously audio devices, headphones, Bluetooth ear pieces, that kind of stuff. But we've moved a lot more to this Bluetooth Low Energy or, as Bluetooth likes to call it, Bluetooth Smart. Smart. And we've talked a lot about the insecurity in the past at other talks. It's 37 channels, they're 2 megahertz wide, for data, 3 announcement channels, and then the increment of rotation of those channels and the interval and all of that is dictated when it does the join to the master. And what you get basically is you have a 6 byte address, effectively a MAC we'll call it for the sake of everyone, that's used in the advertisement, and then when it actually connects, a 4 byte access address that is actually used to communicate for that session. Everyone with me so far? I know it's early, but I don't want to waste too much time on Bluetooth. So Bluetooth does have security though.
When we talked about the WiFi randomization, the Bluetooth group actually started a randomization also for its addresses in Bluetooth Smart. And actually, this is the funny thing, they actually have an ad on their site, or not an ad, a blog post on their site about protecting your privacy with Bluetooth. We've got good stuff. And they use this photo of this child walking alone. The biggest FUD I've seen in a long time, scaring you of like, my kid's being tracked, oh my god. So like I said there's the access address, right? That's what's actually used in those data packets. But they change upon the disconnect and reconnect every time a device is connecting, except for in the advertisements, in which it's static. So long-term tracking of these access addresses isn't so reliable. Obviously if a device is connected for a long time you can track some behavior moving throughout for an hour, two hours. But if there's any kind of disconnect activity it'll regenerate. So it gives you a chance to see if it's a good short-term tracking. But from a long-term perspective you can't really track someone with those access addresses. So it got me thinking. So we've got randomized addresses on that side. We've got randomized addresses around the advertisements and the access. So what else is there? So when it comes to Bluetooth there's two different kinds of profiles. There's the generic access profile, GAP, and the generic attribute profile, GATT. I'm not gonna dive too much into these because obviously this is not a 101 talk. But basically the GAP and GATT profiles provide the communication standard for communicating to the device, to basically set up the connection and actually communicate with the services that the device, the slave, has. So I started looking at these devices to see what could be tested. And obviously you go around, you play with the tools, you're like okay, nothing, nothing, nothing, nothing. I travel a lot.
A lot. So I've noticed when I was on planes that all of a sudden a lot of devices started showing up. It's odd. So normally walking around in the middle of the night you saw a few devices, and we didn't really know what the behavior of all these devices was. We saw certain Fitbits and that kind of stuff. But what's the deal? So it turns out that certain devices, when they are disconnected from their phones or whatever they're paired to, jump back into advertisement mode. So for your simple coding pleasure: if it's not paired, it goes into advertisement mode. And again, these are unique behaviors we started determining with some of these devices. So can we get devices to disconnect and actually start broadcasting again? The answer is yeah, we can. It's interesting that you can actually jam the 2.4 gigahertz range with some success, right? Basically using the USRP B210 you have about 56 megahertz of bandwidth. It's not reliable, especially as it takes a lot to drive it. But you can basically effectively create a 2.4 gigahertz jammer using an SDR by generating some random data and all. So we did this and we tested it, and we noticed, by jamming those frequency bands of 2428 megahertz to 2478 megahertz, so basically that 56 megahertz band, we can actually get the devices to fall off and jump back to their advertisement channels. But obviously this depends on the host. I have to give credit to iOS, they have great frequency hopping and detection. So basically the phone detects, okay, I see a lot of jamming, I'm gonna move to this frequency band and re-pair. So it does have some reliability, but it's a little odd. The other way to get them to disconnect is by blasting terminate connection packets.
This is basically, effectively, the Bluetooth version of a deauth: you look for the access address and then you just spit that disconnect and it terminates. Now, granted, again, in a limited window, and it gets wonky with some devices; we know some devices don't like to re-join after they've been told to disconnect. So it's one of those things that if you're trying to track someone it kind of gives you some good opportunity to get an ID from them and get the connection to the advertisement side. But not so much that it's not gonna be noticed. So, we've all talked about tracking before, right? So, why am I rambling about tracking, tracking, tracking? Well, a lot of the talk before has been about, well, it's possible. Okay, well, with who? With what? You know, this is really more of an implementation issue. This is when it comes down to individual devices implementing it, especially on the consumer side, what does what? Amazon and Best Buy probably love me by now because I just bought a crap ton of Bluetooth Low Energy devices that people use every day. And we're going to go through a few of them and see what we tested, and basically we did a consumer report style kind of testing against them to see what privacy information they are actually leaking. And we'll start with the worst. Sorry, I need water. These guys were on Shark Tank a while back and you may have heard of them because it's kind of a funny idea of shocking yourself every time you do something bad. It's also a fun thing to shock your friends when they do something bad and they're like, oh, I'm trying to learn good behavior. I'm trying to learn good behavior. Hey, what, what, stop it. But basically they use a static MAC address. The last four, sorry, 8 bits, 16 bits, sorry, math is hard. The last 16 bits of the MAC are actually in the SSID, er, in the name of the device. Correct me on my math.
And if you don't happen to have the MAC address from the static MAC address or from it in its name, send a GATT request to it and it gives it to you, as ASCII hex. Somebody wrote a bad converter on that. So this is super easy to track because we have a static address. Never rotates. But like I said, they've started implementing this rotation in Bluetooth Smart. Devices have started taking advantage of it. But then we have these devices that are meant to track you. TrackR and Tile. We'll talk about Tile next. But effectively these addresses show up in the broadcast as being random. And they do generate a random one, because the IDs rotate through it. But the ID actually never really rotates on it. The MAC address, we've noticed over a period of over 4 months, they never rotated. Said they did, but they never rotate. So it effectively seems that as the device powers on, it generates a new one. But it never powers off. It never rotates after that. As well, with these devices meant to track you, it's meant to, as a community, track you. So here, regardless of the MAC address, there's a static ID associated in the GATT profile that it will actually just display in the GATT profile. So, in the case of the TrackR, the raw MAC address of the device. And it constantly broadcasts when it's disconnected. Tile's the same way. The Tile identifier in GATT is one of the services in there. Again, static MAC address effectively, because it does randomize, but never rotates. It randomizes on boot. And it stays connected to a device, but only while the Tile app on a phone is open. Once you close the Tile app, it disconnects. Our friends over at Fitbit, the Fitbit One also uses a random MAC address, but after a while it automatically connects to a mobile device. It doesn't remain connected to a mobile device at all.
So, basically, to save energy, it only connects when you connect to it and say, hey, how many steps do I have? What's my time? All that stuff. But it doesn't remain connected, so it's constantly broadcasting as well. So things have started to get better after this. A little bit. With the Withings Active, another device we tested, the MAC address randomizes, but it still advertises the raw MAC address in the advertisement data which broadcasts out. So, we're trying to make sure that the MAC address is real. So while the MAC address is changing, it's advertising its real MAC address inside the manufacturer data. Okay. That's a security choice. Then the Pebble Steel. Another way we could track the devices is in their name. And we've talked about this before too, but it has in the name the last four digits, I'm done doing math, of the MAC address. And it's random, but still, after days of rebooting the device and turning it on and off and losing power, it still kept the same static address. But advertising it as random. Again, in the device info in the GAP profile, it's got the serial number of the device, and it goes to sleep every once in a while, so it's not really reliable. But as a cool choice, it also uses Classic, so we can track its lower address too. So, interesting choices in how it connects. The Fitbit Alta, the MAC address randomizes, but, again, like all the other ones, they stay static for four months, even after battery loss. Getting a little bit better. This one doesn't turn Bluetooth on until you actually turn it on to sync mode. This one has the name of, or the Microsoft Band has the address inside of the device name, and it does randomize the MAC. So we're halfway there. We got a name that's kind of static as to what you set it for, but the addresses are rotating.
So, and then on the better side of things, the people who actually implement security well. We gotta give credit to Apple, they rotate their MACs pretty well. Android Wear, this was on sale, thank you, Amazon Prime Day. Hey. But also notice that this is really cool on the Android Wear watch: once it's connected, it stops responding to broadcasts forever. Basically, it'll still randomize, it'll connect to the device it knows, but unless you go into the watch and say, let me reconnect, it doesn't respond to broadcasts anymore. So I have to give kudos to them, because that's actually the best we saw of all the things. iOS devices as well like to broadcast some Bluetooth Low Energy noise. They do randomize, though, and advertise that they're an iPhone, iPad, et cetera, but that MAC address randomizes constantly, so while it's being used in fun apps, including Safari, we noticed, take that one on for size and think about that. It does randomize quickly and randomly, so there's not really any trackability on the actual iOS devices, we noticed. So we have to give kudos to these three doing it right. The rest we kind of went through quick, because it's kind of the consumer report style, and what we were gonna do is we were gonna release a tool with this to kind of track all these things. Fuck you, Zero_Chaos. He kind of beat us to the punch and got a better tool. So I just said, nope, bravo, we'll do it on that side and point over there, because they did a great job on that. So the Pwnie Express crew released this, was it Thursday at 101? I think he posted it probably three days before then, four days before then, so this is definitely a great tool to look at for tracking those things. I don't think it supports GATT yet, but I'm sure it will soon if I have a few more minutes to tweak some code. So where do we go from here about all these devices?
We complain about them all, and I spent 15 minutes rambling about this. We really need to start testing more and more of these devices to determine what the implementation issues are with them, instead of just, well, it's a problem. With these new IoT things, it's obviously a problem across the space and we've all complained about IoT this, IoT that, so we're throwing up on GitHub, oh, I forgot to actually commit this this morning, basically a repository that everyone can submit pull requests to, so that as you test a device you can say, hey, I looked at this and it does this, this, this, this behavior. And we'll have a little checklist of things we're looking for, that we can all kind of source together as to, hey, here's how this specific device behaves, here's the trackability of this device. Not that it's possible, not filling people with FUD, but that it's actually possible for this device and this implementation. Long story short, when MAC addresses are random, look for things that aren't involved in the MAC addresses, which include not actually randomizing them, the GAP and GATT leaking serials, and the device names. You can knock a device off Bluetooth using either the deauth packets or actually broadcasting a lot of noise on certain frequencies in 2.4 gigahertz, which takes a lot of effort. And while the standard of Bluetooth is great and supports a lot of cool stuff, these devices aren't implementing it. All right, I'm gonna switch it over now to Erin, who's gonna talk more about the home security side.

All right, this is the squirrel part of our talk. Squirrel. Oh, he's not done, he has to get back up again. Don't you guys, don't do that to him, just give him a minute.
Right, yeah, right, you're gonna, yeah, don't feed the ego, not yet. Later, later. Alright, so we're gonna talk a little bit about consumer wireless camera and office security. So before we get into this, we've had lots of talks about wireless CCTV, all this kind of stuff, so let's chat about what we're not gonna talk about. We are not gonna talk about weak default passwords. You guys have Google, you can use it. Yes, everybody, with the exception of maybe 10% of people, still uses all of these, congratulations. We're also not gonna talk about IP weaknesses, but if you wanna make your network even more insecure, this guy on YouTube can actually help you out and tell you exactly how to route it to the external internet if you really want to. Good times. I mean it was helpful, it was his intent. We're also not gonna talk about deauthing 101. Everybody has Google, download Kali, use some Google-fu and you can figure out yourself how to buy the cards that'll work and deauth it yourself. Hints. Hints. Also, we're not gonna talk about Shodan. It's awesome, not this talk though. Go have fun with it. And I wanted to put a slide up and say we're also not gonna talk about Pokemon Go, cause it's almost as fun as Shodan, but. So who cares about these CCTV cameras and the security? Well, you know what? It grinds my gears. I care. Because these camera companies are selling them as security devices. So I don't care about the security, I care about the security. Because not all of them, but most of them, are selling security. So that got me to thinking, you know, what if these were used as security devices? Well, I want to be a bad guy, and anybody that knows me knows that I have a little problem when it comes to automobiles, I like them a lot. So step 1 in my little mental process when I was thinking about these cameras was kind of getting into the mood.
So I wanted to channel my inner Sway and think about, hmm, if I had this absolutely amazing warehouse full of Ferraris that was protected by these security cameras, what would I do? This also plays into homes and stuff, but I find Ferraris to be a lot more fun than thinking about the homes right now. So the first thing I would do: get into the mood. Second thing I would do: I'd get some information. Information is pretty easy to find. Especially, you know, we have this technology, or I'm gonna use that really loosely. Everyone in this conference, we've been talking about wardriving for freaking years, a decade, almost, wow, decades. Wow, that's old. Anyway, it's old. So some people call it wardriving; in this case we're gonna call it target identification. So with that you can drive around, because these devices are lovely and like to tell you what's going on. So you can drive around and they tell you who they are all the time, and from their MAC addresses you can actually tell who they're from. So you can go onto the nice little Googles, help us out again, and identify who exactly these cameras belong to. Or you can actually just look for the cute little stickers that come with the cameras that say hey, you're on camera, and some of them even have the brand name on them. Even easier. So with that I'm thinking about where the attack goes. So obviously we've had many talks that have talked about wireless deauthing and whatnot. So let's take that a little bit of a step further. This talk was kind of composed with the idea that let's find out what these cameras actually do. Let's find out what happens when they get deauthed. Let's find out, do they notify, do they recover. So in the attack we're gonna be thinking about how long it would take an intruder to get into a facility, a building, a house, whatnot. So we're gonna be thinking about what they would have to do ahead of it. How long they would have to deauth the cameras, and could they make it away clean, so to speak.
So that being said, you know, we're not gonna talk about point of entry and whatnot. Like Zach said earlier, there's a wonderful Bluetooth lock talk, and so I'm assuming some of these homes that have these lovely camera systems also have the Bluetooth locks, and we can do a whole bunch of fun things with that as well. So the attack. In the attack we're gonna talk about which cameras are weak. So in order to do that we had to, just like Zach, go and buy a whole bunch of cameras. But you know, since this is DEF CON and we're progressive these years, I wanted to make sure that we had diversity. So we have lots of different cameras that we tested. Lots and lots of them, from different manufacturers of different sizes. So we went from the big guys to the small guys. That's them. So which ones of them are not saying they're a security camera was my question. I showed you guys earlier all the articles and whatnot. So how many actually say they do security? All but two. So there are two really, I'll say forthcoming companies that don't claim to be security cameras. They're just like, hey, this is what we are. Good for them. So what was tested? We did a little bit of everything. So obviously we want to know what the offline time was. We want to know if it does any kind of notifications, so if you get bumped offline, network interference, whatnot, what's the threshold of notifications? Is there any type of cached video on the device? So if it's knocked off, what amount's gonna actually store locally before we have to recover? Are there any type of wired network options? Is there any type of SD option on the device itself for local storage? Type of power? I was kind of curious whether it was battery or wired; obviously there are points of failure there. Additional equipment needed for the function of the cameras? Not all of them are just stick-up. And any other performance observations?
So because we were actually being pretty pragmatic about how this was done, we actually had a test procedure. So, you know, at zero the stopwatch starts. At about a minute in we did a targeted deauth attack. About every 30 seconds we were waving our hands for motion recognition, because some of the cameras did require it. And at about 10 minutes into the attack we did the targeted deauth ending, so we terminated it, and we gave it about 5 minutes from there to see when it would come back online on the network. So this is my high tech setup. It's pretty impressive. So we have the timer, whatever camera was being tested at the time, the iPad with the camera app so we could actually visually see what was going on with the camera, when it was gonna recover, and obviously a whole bunch of other things. So that's kind of what we were doing. So we had a bunch of aireplay fun going on right there. So that being said, I like to always prove my work, like in my good old math classes. And live demos never work, so for you guys I want you to know I spent many a weekend with my GoPro taping these lovely things. But I fast forwarded them for you. So this is your drink break. Anyone who has coffee or anything, have a nice drink. Take a second. So I'm gonna take a sip. Yeah, there's about like 2 minutes, and I fast forwarded the crap out of these and split screened them. So yeah. You get the idea. So now the results. Kuna. I love this little Kuna device. It was a Kickstarter actually. As were a few of these. But the cute thing was the Kuna device, eh, it kind of did what it said it was gonna do. Not quite security. You know, it recovered after about a minute 30, a minute 40 after the deauth. It recovered about a minute and a half after it ended. The positives. It's a light. If the camera doesn't work you got a front light. Yay. Another positive. It's wired. There's no way around it. There's no battery powered. It's hard wired. The negatives.
Only if the app's open are we getting notifications. One of the other negatives, or positives, depends how you look at it. It had this really cool, pardon me, the clanking is killing me. It had these cool status lights at the bottom of the light. Which were super helpful, and I appreciate the developers that put them on there, because you know it's supposed to help out the consumers to let them know if it's paired and whatnot. Or if it's online. That's always a good one for an outside security light, to have it flash red. So one of the things we learned from the deauth attack is after 10 minutes of it being deauthed it kind of just doesn't recover. Before that, if you cut it a little bit early, it'll do the minute 40 recovery. But you let it go longer, it kind of falls over. So in the testing, you know, these are consumer products. We did a few rounds of testing and found these things out. Well, like I told you about these cute little status lights. I was googling, you know, for the point of this talk and trying to see if I could find you guys a pretty picture, because I actually didn't fly to Vegas with a picture of the bottom of the status lights. And I come across this. On their website. It's a picture of a deauth. They actually do tell you, good to them, that it will fall over and not recover and you have to re-set up the wireless camera after 10 minutes of deauth. So let's just say hypothetically you have one of these lights out in front of your house. You lose power for more than 10 minutes. You forget. Your light's useless. You know. So I would love to talk to someone who's doing the IoT monitoring of things. There's your start for your little project, because these are some of the things that we're going to be talking about in the future. Things you should be looking for. So because of timing I'm going to try to go through these a little faster. Immedia has this cute little Blink wireless HD monitoring and alarm system.
The Blink is totally cute. I will give it credit that with movement it will recover in about 9 seconds. It does have about 5 to 10 seconds of onboard video recording. It's clip based though. None of this is persistent recording. It's just clips. But the cute thing is it's easy to mount. It does continue doing the clips. Negative. It does require a base station. It is battery powered. There is no option for SD. There's no wired option. It is what it is. Amcrest, which I had never heard of until, look, again, let's look at Amazon and find out what the best selling wireless camera on Amazon is. It's this one. I don't know how. Anyway. It is cheap. It is cheap, but you would think that maybe Nest would. Anyway. So it recovers in 2 minutes. Not a bad little camera. It keeps about 10 seconds of onboard storage. It does have a wired option for wired network, not wired power. It does have wired power. And there is an on/off switch on the unit. Not overall a bad camera. Somebody like that? Yay Amcrest! Anyway. D-Link. We love D-Link just for the purpose that they don't actually claim to be a security camera. They're like, hey, we're a net cam. We're cool like that. I'm like, alright. So on the positive, it does have an SD option. Negative, there's no actual wired option for the camera itself. It recovers after about a minute after the deauth. No movement required for that one actually. So Netgear. Cute little Arlos. I love these Arlos. They recover after about 45 seconds. They're versatile, cause they have a cute little magnet. That's how they attach. And they have a sticker. So remember the wardriving. Please, yeah, put, no. No, let's not put the sticker up and say. It's not even bad that it's a sticker. It actually just tells you what it is. So you have a few options when it comes to my little putting on my sunglasses and being Sway and breaking into my little Ferrari warehouse. For these. These are great.
I could just deauth it. Go. Grab them all. Put them in my bag. Throw it in the Ferrari and drive out. So again, requires a base station. It is battery powered. There's no SD or onboard storage. Again, no actual wired option for the camera itself, because again it pops on a little magnet. Battery powered.

Here we're getting into the fun ones. So the Logitech. The Logi Circle. Oh sorry. Alright, we gotta run. I never thought that. Okay, anyway. Alright. ADD theater here. Logi Circle. Logi Circle recovers in about a minute 30. It does do some constant push notifications. Negatives: has an on/off switch on the unit. Again, magnet. Can grab it. Throw my bag in the Ferrari. Out of here. No SD or onboard storage. No wired option.

Belkin. My little buddy. I'm gonna give you like one more second. He recovers after, I call it, negative 10 seconds because it does have an onboard buffer. So the nice thing is it does come back pretty quick. So the onboard memory does recover it. I don't know if that was intentional or network interference based, because they don't actually tell you on their website and marketing that they do that at all. They also don't tell you that they're a security camera either. Yay Belkin. There is an on/off switch on the unit, and we did find inconsistent push notifications through the app. So it doesn't help you too much.

Samsung. I'm gonna give you a long... Recovers after 10 seconds if there's immediate movement. Downside to that one: not immediate movement. Eh. Until the cat walks through. So positive, SD option. There is a wired option to it. The kind of negative is they're kind of working on their cloud option. There isn't one. There wasn't one for our camera. There was for other cameras, and so that's forthcoming, and the SD storage is only downloadable through the app. Download the clip to the SD directly. It's not permanent. It's not running a constant cache.

So the Canary. All-in-one security device.
Canary's awesome on the recovery if there's immediate movement. Again, please have your cat running through after a burglary. So again, the deauth attack. There's a very quick recovery: 2 seconds. There is a wired option. There's notifications. The sad part to the notifications is it takes 30 minutes. So it has to be offline for 30 minutes, and that's kinda not enough. Because the other side of that: it has to be offline consistently for 30 minutes. We did try an attack where we deauthed it for about 10 minutes. Brought it back. Deauthed it 10 minutes. Brought it back. You can pretty much do that for a while. So the negatives: movement is required for recovery.

Nest. Nest. Not Dropcam. Nest. Anyway. Recovers after 20 seconds. Nest is actually pretty good. I'm not gonna beat them up too bad. I hope that we see better things coming from them in the future. It does take 30 seconds, and 4 minutes of cache. We were finding inconsistencies through the testing of that just because we did everything at 720p, but it seemed that lighting, any other ambient movements, were causing that to change and fluctuate. There are push notifications for activity. They're pretty consistent, so that's definitely a positive. No SD option. No wired option. So. Huh. I know. I'm going. I'm going. I'm going.

Okay, so very fast. Yeah. We have 10 minutes left. Oh shit. I'm going. I'm going. Shoot. Bad guys won't put in the effort. Yeah, right. Bad guys are putting in the effort to do some of these attacks. We're not talking about it to consumers, so then what should consumers actually do? Wired's better than wireless. Verify and understand the limitations of the products, like Zach said. We're trying to put together a database so that way everybody in this room can also contribute what they're finding on their own. Nobody's talking about this to consumers. This is our consumer disclosure.
Just tell consumers this is what you're putting in your house to protect yourself. Let's be smart and understand what we're doing. These cameras do have unintended great uses, like real estate. Anybody selling your house in here? I feel, put one of these cameras that has the voice. Listen to what the potential buyers are telling you. Anyway. I'm out. I went too long. Thank you.

I have 10 minutes to do a whole topic. One thing I want to reiterate about Erin's side that I don't think she really announced and made everyone really clear on, that I thought was great. So all these cameras basically do the Wi-Fi deauth and they're offline, and Erin, is there any cache recording for the majority of these cameras, or which ones have cache recordings? Very few. I don't have a mic on. Oh, her mic's not working. She said very few. Sorry. But yeah, so like I know that the Nest camera was 30 seconds, or 30 seconds to 4 minutes. No, absolutely 4 minutes is the max. 4 minutes is the max. So basically once you deauth these cameras they're offline. They're not seeing any movement. They're not seeing anything. So if you Wi-Fi deauth them, guess what, you have no recording, and there's no cache recording on most of the devices. The ones with SD card options do.

So I have to talk about Windows for its consumers. I'm going to go. I have 10 minutes. We're going to get through this fast and the teleprompter is going to try to keep up with me. Good luck, have fun. So a lot of people are buying Windows devices, especially with Windows 10. These are tablets. We have fun with them. And we're not going to be talking about OEM devices with all these custom configurations, because the Duo Security crew did a great job on that. But we tell users all these things: patch your device, install anti-virus, use HTTPS, use a password manager, watch out for suspicious downloads, don't use suspicious Wi-Fi, pick a strong password.
All of these are great things. Oh, it's going to get faster. Reading. I'm going to go ahead and keep going. Sorry. Gotta keep going. These are all great things we need to keep telling users, but these are things that are not going to stop this.

So back at DEF CON 20 I gave this talk about NTLM relaying. I don't have time to slow down. I have probably 20 slides to go. You can watch it on YouTube or all the other places that it's up there. The old focus was about relaying NTLM network authentication to corporate accounts. We were focusing on corporate, corporate, corporate and focusing on internal attacks. For those of you who are just joining us today, Windows uses NTLM for some network authentication. It does use Kerberos as well, but it uses NTLM for hashing. It's an MD4 of the password. But it's also used for network authentication and signing of network authentication at some points. NTLM network authentication has two flavors: version 1, version 2. Basically has a client say, hey, what's up? Do you support this? Yup, here's my challenge, and here's the hash of the hash. Have fun. Microsoft recommends to switch over to Kerberos. Indescribable. Love you. I hope that shows up in the video somehow.

And by the way, when I was talking about Windows auto-authenticates a thing. So how does Windows auto-authenticate? It uses, we've talked about WPAD; this is not another WPAD talk. There's been two other WPAD talks about all the fun things out with that. But with WPAD, Windows auto-authenticates with NTLM, and some things... Windows 10 does this less, but Chrome still does it. There's other ways to get users to auto-authenticate with things. It's not just WPAD; you can also use injection of UNC paths into HTTP traffic if you're on a rogue access point. Certain file formats support UNC paths, and third-party applications that don't use proper cores. Yeah. I won't name names.
But for a while we talked about this on the corporate side, the corporate side, the corporate side, on the internal attacks. But was it internal only? DEF CON 20 talked about how Exchange Web Services is also vulnerable. But this is still a huge issue. Now I've talked about corporate, corporate, corporate. We never really talked about cracking these hashes, which is possible, and we've always said it's possible to crack them. We never talked about the implications of them. So for corporate sides we can do VPN access, SharePoint, shared passwords, all that fun stuff. But what about personal users? We're talking about fighting for the users. Things that we're gonna go and defend against them. So well, what if they have a shared password to certain accounts? What if they're broadcasting these things? What about local file shares? What about those things? So we've talked about this for years for Windows XP, Windows 7. Then Windows 8 came along and Microsoft decided to introduce a thing called Microsoft Accounts. On Microsoft Accounts they included logging into your Windows device. Yay!

I have a one-minute demo video because demos rock. This is the point where I actually have to wait the full minute. So we launched a rogue HTTP and SMB server in a tool called ZackAttack. Yay! There's an update soon. We used NBNS broadcast. We set the options to broadcast to this device that has a rogue HTTP and SMB service. Exploit. We wait. This is real time, by the way. If you notice, there's a Microsoft account with an email at an outlook.com address. Yes, that's a fake email that we set up for this, and there goes the auth. We run oclHashcat, crack the password, we get the password of hunter2bang. Wow, no one got that. You guys are all noobs. I love you. We go ahead and go into Microsoft.com. This is the Microsoft account. This is the account used to log into the machine.
We log in with that Microsoft account and the password we just cracked from a network broadcast authentication request. We copy, we paste. Copy and paste. Come on. Real time. Sign in. Come on, get there. I have ten or five minutes left. We're logged in. Yay!

So what does that mean? I don't have time for applause. First off, Mubix said that I have to release an update. Yes, ZackAttack is getting an update for Zachs who can't code good and want to learn to do other stuff good too. Yes, I have to post that, but yeah, there are cool new things with webhooks and with the Microsoft accounts I've added in there. But yes, sure enough, your Microsoft account that you're using to log into those machines, to log into your Windows 10 devices, it's using your Outlook, Gmail, Hotmail, all those fun emails you use. It's actually broadcasting those across the network. So what? At a minimum it's information disclosure of the user's information. But this is the first time offline password attacks are valid over a network thing. Yes, it's worked on some bad services before, but never in this thing.

So what happens when you crack someone's password? You get in their Microsoft account. What do you actually get? You get their date of birth. You get their zip code. You get their billing information. You get the last four of their credit card numbers for all the billing things attached to their Microsoft account. And yes, these things are sensitive. This is a 2012 article from a reporter who got completely pwned. Basically someone got a hold of one of his accounts, got the last four of his credit card, and used that to pivot to all his things. You also get their search history, including things, well... This is a libertarian noob who wants to commit first degree murder. And if you're a heavy Microsoft user using your Microsoft account not just for all your things but for all the things: you've got your OneDrive. All your freaking files. Your emails.
You've got remote file access to systems if you have it enabled. You've got Wi-Fi Sense, that fun thing to share passwords, if it's enabled. You've got your phone. You've got your password, obviously. But yes, from a network broadcast thing, from sniffing someone on the same Wi-Fi access point. No, offline cracking is not original, but it's the original application of this. We've used it for offline passwords before, but we've never had it where it's harvestable from a LAN before.

So what we've told users: patch your devices. Yes, it's still important, but it doesn't matter for this. Install antivirus. Yes, some host intrusion detection systems detect the default challenge. Just change it. You're cracking it anyways. You're not using a rainbow table. By default it uses NTLMv2, so it doesn't matter. Use HTTPS only. Well, you're gonna hit an HTTP endpoint, and WPAD broadcasts don't care. Use a password manager. It helps, but doesn't actually help if you're cracking this. Helps with other accounts. Don't use suspicious downloads. Doesn't apply to this. Whoops. Don't use suspicious Wi-Fi. Seriously. We tell people this. Why don't we just protect them? Pick a strong password. That doesn't mean something. Well, we should never tell users just use a random VPN service, because that's a horrible freaking idea to trust traffic with someone else. But for some reason we think that's a good idea to tell people.

What we need to tell them: pick a strong password. Enable two-factor authentication. Yes, in this case it's not a good idea to Microsoft. It takes over ten steps to take and enable two-factor authentication, including adding device passwords to all your devices. Oh my god, it's painful. You need to use unique creds per site. Yes, that's important, so if someone gets one cred they're not gonna be public, and maybe avoid Hotmail and Outlook and all of OneDrive for a little bit until you can take and use a local account. How do we fix this? Disable NTLM auth.
Yeah, that kinda sucks, telling users how to disable NTLM auth, but that's one way to fix it. The other thing is just don't use a Microsoft login account to log into your system. Use a local account instead. So TL;DR: got a stock Windows laptop, attacker on the same network, use a Microsoft account to log in, you're pwned.

Alright, I have three minutes. Summary of the issues. Fitness tracking devices that we talked about with Bluetooth can be tracked and monitored for certain implementations. Wi-Fi security cameras: you deauth them, they're off the network, there's no recordings, and some don't give notifications. A few give notifications after thirty minutes, and there's very limited caching on most devices except for the two we pointed out. Consumer Windows laptops are constantly leaking creds for offline cracking. This is the first time we've seen that there's gonna actually be offline cracking against those kind of things. Wanna acknowledge these people for doing some cool things. Mubix, fuck you, and end of line.

Two minutes remaining. We're gonna go ahead and post the slides. I'll slow down. We'll post the slides up there. We're gonna go ahead and... I don't know where we can take Q and A because we're right up on the time. Can we do Q and A? Right to the side? Outside? We have two minutes, so we'll have to go outside. Yeah. We'll take it outside so the next track can get in here. Thanks everyone for coming. We appreciate you guys coming out. Make DEF CON great again. Thanks for coming out.
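Editor's note, appended after the transcript: the Windows section ends with two fixes, disable NTLM auth and sign in with a local account instead of a Microsoft account, and the demo itself rode on NBNS broadcast name resolution. The script below is an added defender's checklist for a consumer Windows 10 machine, not the speakers' tool and not anything they showed. It reports whether any enabled local user is backed by a Microsoft account, reads the documented NTLM policy values (LmCompatibilityLevel, RestrictSendingNTLMTraffic), and reads the LLMNR and per-adapter NetBIOS settings; with -Apply it writes the hardened values. The registry paths and value meanings are the standard Windows policy locations; the choice of audit mode before deny, and the `Show` helper, are this example's own assumptions.

```powershell
<#
  Added example (not from the talk). Audit/harden the three things the Windows
  section ties together: Microsoft-account sign-in, NTLM posture, and broadcast
  name resolution. Run from an elevated PowerShell. Without -Apply it only reports.
#>
[CmdletBinding()]
param([switch]$Apply)

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv   = "$Lsa\MSV1_0"
$Dns   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Show($Value) { if ($null -eq $Value) { '(not set)' } else { "$Value" } }   # helper, assumption of this example

# 1. Local sign-in accounts backed by a Microsoft account: these are the creds the demo harvested.
$msaUsers = Get-LocalUser | Where-Object { $_.Enabled -and $_.PrincipalSource -eq 'MicrosoftAccount' }
if ($msaUsers) {
    Write-Warning ("Microsoft-account sign-in enabled for: " + ($msaUsers.Name -join ', ') +
                   "  (the talk's advice: switch to a local account)")
} else {
    Write-Host 'OK: no enabled local user is backed by a Microsoft account'
}

# 2. NTLM posture.
#    LmCompatibilityLevel 5        = send NTLMv2 only, refuse LM and NTLMv1
#    RestrictSendingNTLMTraffic    = 0 allow all, 1 audit all, 2 deny all outgoing NTLM to remote servers
Write-Host "LmCompatibilityLevel      : $(Show (Get-RegValue $Lsa 'LmCompatibilityLevel'))"
Write-Host "RestrictSendingNTLMTraffic: $(Show (Get-RegValue $Msv 'RestrictSendingNTLMTraffic'))  (0 allow, 1 audit, 2 deny)"

# 3. Broadcast name resolution that lets a rogue host on the LAN answer for a name nobody owns.
#    EnableMulticast 0 disables LLMNR; NetbiosOptions 2 disables NetBIOS over TCP/IP (NBNS) per adapter.
Write-Host "LLMNR EnableMulticast     : $(Show (Get-RegValue $Dns 'EnableMulticast'))  (default on)"
Get-ChildItem $NetBT | ForEach-Object {
    [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = Show (Get-RegValue $_.PSPath 'NetbiosOptions') }
} | Format-Table -AutoSize

if ($Apply) {
    # Audit mode (1) first; move to 2 (deny) once the Microsoft-Windows-NTLM/Operational
    # event log shows nothing legitimate still using outgoing NTLM.
    New-Item -Path $Dns -Force | Out-Null
    Set-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel'       -Value 5 -Type DWord
    Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    Set-ItemProperty -Path $Dns -Name 'EnableMulticast'            -Value 0 -Type DWord
    Get-ChildItem $NetBT | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
    Write-Host 'Applied. Reboot so the NetBIOS change takes effect on every adapter.'
}
```

Usage: `.\Audit-NtlmExposure.ps1` to report, `.\Audit-NtlmExposure.ps1 -Apply` to harden (script name is a placeholder). Deny mode for outgoing NTLM can break access to older NAS boxes and printers on a home network, which is why the script starts in audit mode and leaves the move to `2` as a deliberate second step.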