00:00:00.901,00:00:04.605 >> Thanks for coming out. I'm Ash, ashmastaflash, and today we're going to cover inexpensive, coordinated GSM anomaly detection. More specifically, what that means by inexpensive: the whole goal of the project was to come up with something that was going to be far less expensive than the production of a malicious device. Coordinated means centrally configured: you don't have to pull SD cards on a whole bunch of remote sensors and then reconfigure them, re-burn them and get them back out into the field. So simple configuration and software management was really important. And by anomaly detection, specifically what we mean is picking up rogue BTSs and IMSI catchers. So let's jump in. A little about me: I started with actually getting paid for technology work around 2000, and I hopped disciplines every few years, kind of changed focus, and now I'm working in R&D for a cloud workload security company. And I don't like talking about me, so that's where we're going to end that. Let's talk about you. So the audience I was writing this for has a background in systems and network engineering, some interest in GSM threat detection, but probably not a huge depth.
I mean if you've got it, great, but it's not required. I'll give you a quick note so we can make it through. And tinfoil hats: certainly not required, but not unwelcome, so go ahead and put it on now and let's party. So I said that I'm working in R&D now. I really love my job, and as such, this has nothing to do with my day job. So if you do something with this and get in trouble, I completely disavow whatever it is that you do with this. So, yeah, and don't talk to my boss about this, just come talk to me if you don't like it. [Laughter] So here's what we're gonna cover: first off, why you should care, the current threat detection landscape, the original project goals, two iterations of the sensor, and the service architecture, because it's kind of a split architecture setup, future plans for the project, and that's where I kind of beg you for your help and for requests, a nod and a hat tip to prior art, and Q and A. Why should you care? Because invasions of privacy are bad even when they're unnoticed. Yeah, that's true, and this all is just kind of vague, so specifically what are we looking at? What's the worst that could happen with a compromised cell phone conversation in your CFO's office?
It could have a financial impact on the company. In the right CFO's office you could even be looking at something like insider trading or market manipulation with the right phone conversation. So these devices are so small and so easy to hide and so inexpensive, you know, can you really trust your ficus? Adjust your tinfoil hat. [Laughter] On the second side of this is, with an IMSI catcher you can also determine whether or not a specific person is within a domicile. So with one of these devices you could walk outside your house and you could get a listing of all IMSI numbers. Now IMSI numbers are the ones that are burned into your SIM in your phone that's attached to your account, so that identifies you as an individual. If you can take a listing of those from everybody inside the house, by a process of deductive reasoning you can determine who is home. So it's a little bit spooky, and it's not that expensive to carry that off. The terminology baseline for the talk: software defined radio. I had one of those in my pocket but I gave it away. It's using software to perform your signal analysis, using a typical USB dongle that has a software-controlled tuner, and in the case of this, we're using the RTL-SDR device. It's a super, super cheapo, like $24 units. ARFCN: absolute radio frequency channel number.
I may just refer to that as channel number from here on out, given that this is the GSM in-depth talk, just because it's easier to kind of wrap your head around. Think of it almost like a television channel. CGI, Cell Global ID, is a globally unique identifier for the BTS that's comprised of a mobile country code, a mobile network code, a location area code and a cell ID. All that comes from the BTS. And like I said earlier, the IMSI is what's burned into your SIM, and that's what identifies you as an individual. As a visual aid to kind of wrap your head around GSM addressing in regards to the global cell ID: every mobile country code has a number of subordinate mobile network codes, within that you have multiple location area codes, and within that you have multiple cell IDs. So let's talk about threat and detection. So we'll go over... first a drink of water. Malicious devices, how you know that these malicious devices are in place, and what's currently on the market to detect them. So a hacked femtocell is a trusted part of the provider's network. We saw some really good talks at DEF CON 21 about hacking femtocells for the purpose of honest ideas and also for some nefarious purposes. With a hacked femtocell you can gather IMSIs and you can also record phone calls and SMS traffic that are going across it.
Your phone has no idea if it's good or evil. Your phone is just going to attempt to attach to it. And evil BTS: evilsocket had a great blog post on how to build one for very, very cheap, and, ham hands for scale, this is the size of the SDR that's necessary to build one. You can kind of see how this could fit in your ficus, right? So, and that's the largest device in the system, so that coupled with the Raspberry Pi 3 you could build an evil BTS and record phone and SMS traffic. Again, this is the same case as with the femtocell: your phone doesn't know if it's good or evil, it's just going to try and talk to it. That's a GSM thing. So indicators of attack: how do you know when something weird is going on? ARFCN, and remember, think of it like a TV channel: all of a sudden if the channel goes loud, over threshold. This is something you determine by a short period of observation, so you can set up a threshold. Gets over that: ARFCN outside of forecast. You can use... here's a spoiler alert, I'm using Graphite, and as part of this, Graphite has the Holt-Winters algorithm built in.
So that you can have a confidence band over time, and so if something is typically low but all of a sudden gets a little bit louder, it may not be a threat to you, but maybe something nearby. A channel suddenly getting louder may indicate that someone nearby is trying to broadcast on the same channel. Unrecognizable global cell ID: there are databases you can download with the GPS coordinates and all the metadata for the cell global IDs, and it's useful for determining your location. If you don't have a GPS chip you can kind of make that determination based on where the tower is. Gratuitous BTS re-association: this is something that you would determine by observing the behavior of a cell radio, and if all of a sudden you have a stationary radio that starts associating to another BTS, or a bunch of other BTSs. Typically for a standard, stationary radio you're not going to see a lot of that behavior. If you're walking around, it's supposed to happen like that with your cell phone, but if it's sitting in one place you really shouldn't be popping towers a whole heck of a lot. And if you have the GPS location of the tower by the cell global ID, and a BTS is broadcasting a cell global ID of something that should be, let's say, in Orlando, if that cell shows up in Vegas, either someone's absolutely awful at their job of configuring BTSs or it may be something malicious.
So current detection methods: Pwnie Express and Bastille Networks have an offering, of which this is a subset. Open source options: FakeBTS is a really cool project. It served as the original inspiration for this. It's a collection of shell scripts that use Wireshark and airprobe and Kalibrate to make a determination as to whether or not you have malicious nearby cells. The Android IMSI Catcher Detector is software that you install on your phone itself, and it interacts with your cell phone's radio to determine if there's any sort of anomalous behavior. And FemtoCatcher is very close in function to the Android IMSI Catcher Detector, but it's specifically for catching femtocells, and it's really only effective for phones on Verizon Wireless' network. The original project goals: it's Vegas, I think it's okay to ask what you can get for a hundred dollars. [Laughter] >> Woohoo!
>> So that was the goal: see if I can get a target price under a hundred dollars for the first iteration. I wanted a low footprint for the raw materials; I wanted it to be at least as small as this. And functional targets: I want to be able to pretty much use the indicators of attack as metrics on whether or not it will be successful detecting rogue BTSs. And centrally managed software and configuration, that was really important to me, because I have really big hands and it is such a pain to actually get those microSD cards into the right slot in a Raspberry Pi. And I have lost so many and gotten so frustrated having to crack the case back open to get my... and I didn't even want to screw around with that. I want to be able to drop this thing under a desk, up behind a ceiling tile, pretty much wherever you might find a malicious device. I wanted to drop this thing so that you could get good local coverage inexpensively and not have to touch it again. In the process of this I collected a lot of hardware. I had a Raspberry Pi 2, a logarithmic antenna, a couple of logarithmic antennas, a couple of ODROIDs, a C1+, an XU4, a galas of red and blue and green and orange LEDs.
An Intel NUC, an Intel Edison, a GSM modem, a handful of RTL-SDR devices. I didn't really need all the stuff, but when you get locked into a serious hardware collection the tendency is to push it as far as you possibly can. [Laughter] [Clapping] So that brings us to SITCH: Situational Information from Telemetry and Correlated Heuristics. And I definitely started with the acronym side of that before I came up with the words to match. [Laughter] So this is the first iteration of the sensor. I had an RTL-SDR device, I wrote a wrapper in Python to get that into structured data using Kalibrate, and all of that feeds into the main process. Also running GPSD to pull accurate GPS readings from a GPS dongle, and using logstash-forwarder to forward scan logs. Since we have a structured format it's pretty easy to drop the file, and logstash-forwarder picks that up and shoots it off to Logstash, Elasticsearch, stuff in the cloud. And I was using a Python tool called graphitesend to send all the stuff over an OpenVPN channel up to a Graphite instance for tracking time series measurements, which was effective enough. I talked Verizon into sending me a femtocell, set it up in my apartment, and then we started it up. I mean, they never really consistently start up at the same speed.
Sometimes you'll be waiting for 40 minutes to get a GPS fix, but when it does go live it's pretty plain to see. Honestly, this graph is a little bit smoothed out; it's spikier than this. I went back in history in Graphite and Graphite had already kind of smoothed things out for me, but it's very clear, very apparent when the stuff goes live, because it gets very loud and your phone attaches to it, and then ta-dah, you're on part of Verizon's trusted network. So remember that slide earlier? Here it is in table form, so these are our functional targets. ARFCN over threshold is a big yes, as well as ARFCN outside forecast, but the tool we're using, called Kalibrate, what it does is it produces a list of nearby channels and gives you their power rating. It's typically used for determining clock offset, because your devices are notorious for being drifty, and the RTL-SDR devices are especially notorious depending on temperature. So those are the... since you actually can get away with running those things with the lid closed, they get way, way too hot. And the price was a hundred dollars, like it was right about a hundred dollars not counting the case. I mean the case was necessary for the trip out here, but just the raw components you can get for that hundred dollars, and it's pretty effective. The problem is you're looking at about seven minutes' worth of resolution.
So it takes seven minutes to scan 850 MHz GSM using a Raspberry Pi 2, and you can actually have kind of a pretty important conversation in less than seven minutes. So, good first iteration, I was thinking. I got this; this actually happened after I submitted my CFP, I was able to kind of prove what I was thinking. And so this is likely late April, and I was thinking, ah, I could kind of roll with this, just ride on this and everything would be fine and cool. And then I started looking at the source code and I was really, really not happy with it. [Laughter] It was pretty horrific, and that's just not me being self-conscious; there were a few problems with this. So what's wrong with Mark I? Mainly single-threaded, and when you're pulling data from two separate devices you can end up with some interesting situations. If you've got to wait on your GPS to get a fix and then you do your seven-minute scan of 850 MHz GSM, then it's this sort of additive problem. You can really end up with some ridiculously long scan times, especially if you're trying to get a GPS fix. Another thing I didn't like is that there were two secure channels for delivering information. That's inefficient; it's just more crap to manage, and I really wanted to reduce those two to one encrypted channel.
So I'm gonna start the demo, and I'm gonna start early in the presentation because it takes... this stuff is kind of bandwidth dependent, so I'll explain a little bit more about that. Check this out. Is this thing on? Alright, so this has got an RTL-SDR device, a GSM radio, it has a Raspberry Pi 2, and just some stuff to support it. And this thing's being provisioned from zero using the orchestration stuff I was talking about. Looking for lights. There we go. Alright, so while we're waiting on this thing, what it's doing is there's a... the service that I'm using to orchestrate what I'll loosely call firmware, although maybe we'll have a discussion on what firmware actually is later. I want to call it firmware; it's just a bunch of Python code. What actually sits on the device: there's a service called resin, and resin has built an image to put on your Raspberry Pi that runs Docker. I can't remember the Linux version that that's based on; I'm not gonna promise something up here. But what it does is it dials home to the service and it pulls Docker images of whatever you command. So basically, this is what your deployment pipeline looks like using SITCH and resin.
So what you have, your actual user effort, is you do a git commit of your code, you do a git push to resin's repository, and everything below the orange bar is all managed by resin. If your build completes... and I'd like to mention that if you do not do unit testing you are going to hate your life, you will pull your eyeballs out of your head, because it takes a few minutes and it's almost like, it's Python but now I have to compile it and wait and wait. So get good at unit testing and then make that part of your commit. The commit hook will run a docker build on your code, and if your build is successful, it will accept the commit and move the image into resin's registry. And then your device polls like every minute to the resin service, and if we have a new container image it just pulls down your container image and restarts, and you don't have to touch the thing to do software updates, which is really nice if you're sticking these things up in attics, all over the place. So as far as server-side software goes, we've talked a lot about what's actually running on the sensor, and what's running on the service side: most people in here, if you're a sysadmin, you're probably familiar with Logstash, Elasticsearch and Kibana.
It's a great, fantastic open-source tool and it's super versatile. It's a part of this, as well as using Carbon/Graphite for the time series database and for statistical calculation, and I'm using Tessera because, as much as I love Graphite, Graphite's graphs are really not pretty; you need to have something to go on top of it. And graphite-beacon is probably the simplest tool I found for just measuring and looking for things outside of bounds on Graphite. It was so nice that somebody didn't over-engineer something. It's something simple: you configure it, set it up and fire it off. So that's what I chose. Vault is a really cool tool from HashiCorp, and what it does is secret management, so you can load certs, you can load credentials in there, and we have the keys for accessing those loaded up into environment variables in the device itself. So you can do your credential rotation against Vault and then you just bounce your whole application through the resin user interface, and everything comes back to get its credentials, and all those credentials are written on the sensor to a RAM disk. So if somebody does jerk the power, it's at least a little more difficult. I know, you know, with physical contact all of your security should be considered null, but at least it makes it a little bit more difficult to uncover your crypto material.
Resin is the service I used to manage the software, and Slack is where the notifications come out, because at least you can do it over IP and you're not relying on SMS when you may or may not be in, you know, a friendly area. So on the service architecture side, the first thing the information hits is the inbound information processor; what that is in this case is Logstash. Document retention: everything is stored as structured data in Elasticsearch, and the web-based portal is kind of a combination of Kibana and Tessera. The time series database is Graphite, and analysis and alert generation right now are shared by Graphite, I'm sorry, that other tool, graphite-beacon... [laughter] and some stuff that's coming directly out of the sensor. The sensor is actually smart enough to do some alerting on its own, and that stuff is caught by Logstash; it kicks it out straight to Slack. Like I said, the external alerting service is Slack, and there's a user. So the intelligence feed: if you're going to make a determination on the location of all of these GSM towers, you don't want to do your own site survey and then compile your own database; you really kind of want to look and see if somebody has already done that. The OpenCellID database is out there and it's super useful.
The only thing it didn't contain that I really wanted was the carrier name, because you can make that determination using the MCC and MNC parts of the cell global ID. So thank God for Twilio and their free pricing API, because you can just pull all of that stuff down; the API key is free. And the way that this works is it's all... because once you start using Docker for something, you'll want to use it for everything! [Laughter] And so I had this Docker container that I can run as a job, and it goes out, it pulls down the OpenCellID database, it merges that with information from the Twilio pricing API, and it throws this stuff out into files based on MCC. The reason that's sliced up is because that database file is so huge that you want to have this kind of broken up, and knowing the country that you're operating in, you should be able to determine the country codes that you need to be downloading for, so it reduces the download size. But, truth in advertising, as much as I want this live demo to work, it is a lot of information and maybe it won't be able to download everything in time. If it doesn't, I've got a video, and I'm sure this probably wouldn't be the first time a live demo fell over at DEF CON. [Laughter] So... >> Drink. >> Drink. >> Ah, if you insist. >> Oh, that's boring! Wait a minute, no no no. >> Keep going. >> Continue. We'll fix this.
>> So let's talk about the Mark II sensor and kind of the improvements I wanted to make before I showed anybody this... this ugly baby of mine. So there's a component, the SIM808 collector, that interacts with the GSM modem to actually function in a way that's somewhat similar to the way the Android IMSI Catcher Detector works, by interacting with your phone's GSM component. So everything that you see in green is its own thread off of the main process, so that way you can concurrently run collections against your GSM modem as well as your RTL-SDR device, so that you don't have to wait seven minutes and then do it, you know. It's just so... I decided to forgo all of that. Everything that you see in blue is a first-in, first-out buffer, so all of this scan information goes into the enrichment buffer, and the enricher thread picks it up, and the enricher thread compares that against the enrichment database that you pulled down based on the MCC file. Yes, the MCC file that comes down; all that stuff gets shoved up into AWS. It doesn't have to work like that; it'd be simple enough to tool around and work off of an HTTP server, but AWS was just easier, so that's what I did. And the emitter can emit straight to scan logs, which are picked up by logstash-forwarder, or you could point it off to the Logstash server itself.
I felt a lot more comfortable having it work with logstash-forwarder, because logstash-forwarder can run its own buffer if you end up with loss of communication. It just seemed like the smarter thing to do, to just not have everything pipelined up in memory on one of these small little devices. And everything goes up to Logstash over that single channel, no longer using OpenVPN, and Logstash has some great output plugins that you can use to take that structured information that's coming in and spit it right out to Graphite. So coalescing as you pass was super, super... that just makes things seem simpler to me. So this is kind of a block diagram of what goes on inside the sensor. For a Kalibrate scan, everything goes into the enricher thread, or the enricher thread picks it up from the queue, and it can fire alerts on its own based on the threshold that you set in the environment variables in resin. Resin is the service that manages it; it pushes out environment variables for running your program, so you can set the device-specific threshold depending on where in the building it is, because you don't want to set the same, I mean, that wouldn't work. And it also sends individual events, or individual structures, for ARFCN metadata and the original scan document containing your timestamp and all that other good stuff.
It gets a little more interesting when you start pulling from the SIM808 module, which is your GSM modem. The enricher thread does a comparison against the enrichment database, which is kind of sizable, but it does do a little in-memory caching for a little while just so you don't have to keep hitting this for everything that comes through. And it can do alerts on changes in the primary Cell Global ID. It can do alerts on the Cell Global ID not being in a database, and it can also do alerts on the Cell Global ID not being in range based on the geolocation coming down through the feed. What I kind of want to draw your attention to: this calculation is actually happening on the Raspberry Pi, so the idea is that you should be able to stand this stuff up and have a fairly small compute overhead compared to some other services, because a lot of the compute is happening on the device itself. So doing stuff like geospatial calculations, stuff like that, you don't have to do all that stuff because the... something I failed to mention earlier.
Remember I said that there's about a seven-minute delay on getting results with an RTL-SDR device? When you throw one of those little GSM devices into engineering mode, every few seconds you get a list of all of your nearby cells by preference according to the GSM. So the RTL-SDR device is more of an objective observation: I see these channels, here's the power. But when you're interrogating the GSM modem, it actually tells you what it prefers, so the stuff that's a little more GSM-heavy, of why do I prefer this tower over another, it takes care of all of that. And you can just query the GSM modem and ask it, what do you prefer the most? And you can tell when your primary changes, and you cut the resolution from around seven minutes down to just a few seconds. Woo! [Cheers] So this is what you see in Slack after the thing gets started and gets warmed up. These alerts are for things like not being in the feed database, other stuff like that, and you also get alerts from graphite-beacon when you have anomalies being detected, when things fall outside of the forecasted expectation for your time series measurements. So here's where we return to the demo and see if these things are actually going to behave for us. I don't think I get a drumroll up here, but I hope you can... the anxiety is palpable. Woohoo!
I just trucked this over there, sorry, this is... Somebody told me not to do it like this. If I had had enough sense to listen. [Laughter] What? Alright. >> It's just Jack Daniels. >> Yeah? Thanks. [Laughter] >> [Indiscernible comment from audience.] >> Where did you go? Alright so. >> Keep going... [Indiscernible comment from audience.] [Laughter] >> Here in a minute I'm gonna have me some Jack Daniels, and then I know I just need to walk off stage. [Laughter] Let's try mirroring. For the win. Alright, can you see that? >> Yeah! >> Woo! >> Okay! So it actually was able to download all of the feed database and everything... I'm gonna take a drink. [Cheering] Live demo, y'all. [Laughter] >> No Patron for you. >> No, no, we don't want that. [Laughter] Alright so. This is what it looks like in Resin. And with Resin you can... actually, okay, truth in advertising: one of these [laughter] I plugged in in the speakers' green room, just because I was afraid it wouldn't have enough time to download all of the things, and the one that I plugged up a few minutes ago, let's see how far along it is. This one's called Misty Mountain. Isn't that beautiful? Okay so, yup, still downloading.
Depending on bandwidth, I mean, it could take a little while with the initial download, so you've got a couple of minutes at the beginning when you pop in the SD card: it reformats it to work right for Resin's operating system, and then it dials home to Resin's service and it starts pulling your Docker image down. This is actually a lot smaller. Originally I tried doing this with GNU Radio and, oh my god, that thing is a monster, so you start dealing with image sizes over two gigs, and Raspberry Pis struggle with it. It is my hope that someday I can get GNU Radio trimmed down enough, because I think that especially the GNU Radio GSM project, Piotr Krysik put that together, so if you're looking for something fun to play around with, I highly recommend that. I was hoping to get that originally worked into this, but I think ARM is gonna have to get a little more powerful with the stuff that you can buy off the shelf before we'll actually be able to get GNU Radio working, at least the way that I need for this project. But check out gr-gsm if you have a minute; it's some awesome stuff. Now let's go back to the working sensor. Alright, so the startup process: you see download the application, installing the application, pulls everything down from the feed. You get your secrets from Vault. Yeah, this was started up just fine.
Ah man, that's great. [chuckle] >> [Woo!] >> It's not that I thought that it would really not work, but superstition. [Laughter] You know, the same reason you don't do a change window on a Friday afternoon. [Laughter] So Tessera, we'll see what that looks like; let's see if we have anything for DEF CON yet. And we do have a little bit. So these are time series measurements, and it honestly looks a little ugly; this is probably due to my configuration of Graphite. Let's find a resolution that looks decent. There we go. That's a little bit better, and you can see the channels that are being tracked by ARFCN, and this is kind of the RX level. This is the measurement that's produced by the cell radio itself. Here's the... yeah, this is the Holt-Winters anomaly stuff. This stuff doesn't get really interesting until you actually have a measurement period by which you can start to look at... because Holt-Winters is super cool. You can probably do this with standard deviation, but I like Holt-Winters; that's a bigger word, right? [Laughter] And it's free. It's already baked. There's another buzzword if anybody's playing bingo. So Holt-Winters is super cool, in that it takes seasonality into it. So, not that you ever see this in the real world, but if you have, like, if Monday afternoon is really hot,
it will accommodate for that; you just have to let it see a Monday afternoon, or else you get that. So we're even tracking the affinity, which looks like it may have made a change. That's interesting, isn't it? So the cell made an affinity change shortly after coming online, which is pretty cool, from ARFCN 182 to something higher than that. Oh, 238. Ah, that's cool. Anyway, we're all kind of discovering this. I was honestly pretty afraid of turning this on at DEF CON and blowing up the service by throwing so much information into it, but it's behaved surprisingly well. So let's see, and here is my Kibana server. So no results yet, and that's because my time range is crap. Alright. There's that. Let's trim that down a little bit to two hours, and there you can see we started getting stuff coming through, and scans of all types. And this is all structured data, so if you want to build something on top of it, just interrogate Elasticsearch, pull these results out, go nuts. All this stuff is gonna be released open source after the talk, so I hope that somebody out there enjoys this thing after how much time I spent doing it. [Laughter] [Cheering, clapping] >> Yes. >> Yeah. >> So let's return to the demo, see if I can figure out this mirroring thing again. Alright, so, summary of Mark I and Mark II functionality.
So like we discussed earlier, ARFCN over threshold, outside of forecast, worked great with the first one; it was just really slow to return results. Seven minutes: you've already told him your stock trading tips, and somebody else has them too. With the Mark II we hit all of our objectives. ARFCN over threshold, knows how to forecast, of course, because we were still using Kalibrate. Unrecognized Cell Global ID, able to pick that up, and gratuitous BTS re-association, able to pick that up as well. BTS detected outside the range, it can do that as well, and the price was 150 bucks. So considering that, if you buy this at list price [indiscernible] they've got a great deal in the vendor booth, you should all go and buy one of these, they are so expensive and they've got a great deal running in the vendor... but they didn't say that. [Laughter] But with one of these... yeah, I think you're looking at maybe around $600, $650. With this, a Raspberry Pi, a GSM radio, you can build an evil BTS. For about 150 bucks you can build a sensor to detect one of these things. So the original goal of having something that was easy to deploy, you know, something where I mean you just pop the SD card in and make sure everything's plugged up, you ship it out, plug it up wherever and leave it alone. Let it collect its stuff.
To have it less expensive than the evil devices, I'd call it a win. >> Yup. >> So. There's that. Going forward, this is what I'd kind of like to do with it. Automatic device detection. Something I shielded you guys from was all the environment variables you have to configure; some of them you want to have to configure, you know, like what is the key to retrieve all my information from Vault, right? You don't want your secrets just hanging out there, so there's that. I'd like to do device and service heartbeats, because right now that's something that you just have to infer, because you'll start getting Graphite alarms. But it's really something you have to infer; I'd like to get more specific with that. GNU Radio, like I said earlier, I would love for GNU Radio to be the core of this if I can figure out a way to make it run quickly, and honestly to run at all on a Raspberry Pi, because running that sample rate and doing GSM processing is pretty intense. But if you do go through with SDR, then not only gr-gsm, but you can start playing around with ADS-B broadcasts from aircraft, looking up FPV...
FPV drones, all sorts of fun stuff, and maybe running connectors for Ubertooth One and YARD Stick One, because those are some kind of fun things to play around with, and if you never have to touch nothing except installing hardware, hmm, why not, right? So here's a hat tip and thanks to our prior art. "DIY Cellular IDS" and "Traffic Interception and Remote Mobile Cloning with a Compromised Femtocell" served as the original inspiration that kind of got me thinking in this direction, because you can get a femtocell for 250 bucks, or you can social engineer one out of Verizon for... "I've been with you guys for so long." If that argument has never worked before, it worked for me. "I've been your customer for so many years and I have crap reception in my little apartment." So 250 bucks or 600 bucks, it's pretty cheap to be able to do some positively evil things. And last year, DaKahuna and Satanklawz put on a great intro to SDR in the Wireless Village. It was a 101 track that I really enjoyed, and it kind of sent me down the road of trying to figure this problem out. FakeBTS served as the original functional inspiration for this, kind of the interaction between Wireshark and Airprobe, and unfortunately it's a little too intense to run on ARM, so that's why I kind of had to write my own little hacked-together thing.
And "How to Build Your Own Rogue GSM BTS for Fun and Profit", Simone Margaritelli, thank you. If evilsocket is here, I want to buy you a beer; if you're not, I owe you one. It was a really well-written blog post on how to simply set up an evil BTS using one of these and a Raspberry Pi 3 and a battery pack and a GSM radio, and that helped me to kind of quantify the price and the footprint and ease of access for parts. So thank you, evilsocket, that was a huge help for this talk and getting me a really solid target to shoot for. Thanks. GNU Radio, you know, as much as I wish it could have made it in here, it actually worked pretty well on the Intel NUC, but those things are kind of pricey. You are not gonna beat anybody on price using an Intel NUC. But GNU Radio runs pretty well on that for this purpose, and Krysik was really helpful in helping me get up to speed on the GSM stuff. And Kalibrate: Kalibrate is the core of this, and without Kalibrate it really probably wouldn't work very well. So hat tip and thanks for all the prior art, and thanks to all these fools. John Menerick made a not-small investment in test hardware; he was one of my first beta testers, so John, if you're out there, thanks a bunch. Maybe not. Gillis Jones, super helpful, great advice. Christian Wright and Dave Doolin suffered through this thing...
[Laughter] And there were a lot of silent contributors who didn't necessarily want to be associated with the DEF CON talk, but I don't know why. [Laughter] I have no problem with it, but I got really useful information on GSM networks from some really helpful people in the background. Anyway, we can do Q&A now or we can take it off stage. >> Are you gonna release the open source? >> Yup, I'm gonna release it as soon as I get to a reasonably secure network... [Laughter] And the... >> [Indiscernible comment from audience.] >> On your DEF CON CD there's a white paper with the link in it. Alternatively, my handle is Ash Mastaa Flash; check me out on Twitter, and I'll post there, and I may see if I can squeeze an email through on Full Disclosure as well. [Indiscernible comment from audience.] Ash Mastaa Flash. [Laughter] >> Two A's. Alright, thanks a whole bunch, everybody. [Applause]