>>Um [laughs] So yeah Def Con has a long standing tradition and uh ya know if uh- it’s a speaker’s first time on stage, then um they do a shot. So it’s not about uh alcohol although you know [applause] yeah, it’s a- it’s a tradition that’s intended just to honor our speakers and uh Def Con you know from from times of yore so anyway this is Matt Wixey and uh he’s gonna do a shot with us
>>Cheers! [applause] [laughter]
>>Alright so please welcome Matt Wixey. [applause] [computer start up noise]
>>Hello Def Con. Uh. So this is, um, “See no evil, hear no evil- Hacking invisibly and silently with light and sound.” Um. My name is Matt Wixey. I lead the vulnerability research function on, uh, the pentesting team at PwC UK. I also run something called The Dark Art Lab which is a research blog looking at the more esoteric aspects of security research. Uh. I’ve been at PwC for about a year. Uh. Prior to that I worked in, uh, law enforcement in the UK for about eight years, uh, leading a technical and research development team. So today’s talk is split into four parts. Um. First I’m going to show you three custom tools I’ve developed to, uh, use light and sound to jump air-gaps. I’m then going to talk about, uh, laser microphones, two different kinds of, uh, infrared motion detectors, and different ways you can disrupt and disarm them. Part three: Bantz. Um. I’m not sure if that term’s made it out of the UK. Um. But it roughly translates to lulz so it’s kind of stuff I’ve found during the course of research- the term, um, has made me, um, laugh more than anything else. Um. Rather than being kind of practical use. Um. And as you’ll see throughout this talk, that’s quite a l-low bar. Um. But hopefully you guys will enjoy it as well. And then I’m just going to sum up and give some ideas for- for future research. So a couple of disclaimers. The views and opinions in this talk aren’t necessarily those of PwC. Um. All the content is for educational purposes only.
So please check legislation. Get permission. So on. Uh. This presentation isn’t about, uh, exploiting vulnerabilities per se. It’s about manipulating, uh, the inputs and outputs of a system in order to have a desired effect. Uh. And lastly, I am definitely not an electronics expert or a physics expert at all. Uh. In fact I’ve only been in security for about six or seven years. Uh. My bachelor’s degree was in, uh, English Language and Literature, uh, which has been really helpful. Um. [laughter] So, um. Yeah. So just to give you an idea, um, I kind of regularly still poke myself over resistors and drill myself with soldering irons and, uh, I see magic smoke so much it’s not even magical to me anymore. [laughter] It’s just, uh- it’s just I call it routine smoke. Um. [laughter] So this is where I am on the- on the Dunning-Kruger Curve. If you guys are familiar with this. [laughter] Um. So I don’t want you guys to think that I’m kind of presenting myself as an expert on this stuff. Um. But what I’m going to do at the end of the talk is, uh, put my Twitter handle up and email address. And please do get in touch if you- if you think I’ve got something wrong or there’s something that could be improved or you’ve got any ideas or suggestions. That’d be great ‘cause, um, that’s what Def Con is about at the end of the day. Right? Um. So let’s jump straight into it. So the first thing I want to show you is this. This is an example of Li-Fi. Data transmission through light. Uh. In this case, the data is music. And this is, uh, adapted off of, uh, a schematic on GitHub. And the, uh, the link to that will be in the, uh, references part at the end of the deck. Um. But it’s basically, uh, what we’ve got here is, uh, a phone that’s playing music. The headphone output goes through a breadboard of LEDs which are going to modulate the music data that is going through. And then you have a photodiode hooked up to a speaker, uh, that’s going to play the music.
[music plays] [laughter] Um. Yeah. So that was my impression when that actually worked for the first time. Uh. And then I did the same thing, uh, with infrared LEDs as well. So exactly the same setup. Even the same song. It’s just infrared LEDs instead of white LEDs that are modulating. [music] So that got me kind of thinking about air-gaps and different ways you can jump air-gaps. And, uh, I’m going to assume that everyone here is kind of familiar with the concept of an air-gap. Um. There’s been a lot of research on how to jump them. And they all come with caveats. So, um, the first caveat is we assume the attackers have managed to infect at least one host, uh, with a bit- a bit of malware. Um. That the attacker has physical or near-physical access to that infected host because we’re talking about quite primitive inputs and outputs to a system. So we’re talking about like heat, sound, light, um, uh, EM radiation, that kind of thing. And then linked to that, um, the exfiltration of air-gap systems is going to be really slow. Uh. And it’s going to deal with quite small pieces of data because typically we’re talking about two-bit channels, um, so high or low states. So this is some of the research that has been done in this area. You guys would be familiar with a lot of this already probably. Um. All the way from Van Eck phreaking back in the 70’s which is EM radiation from, uh, CRT monitors. Um. There’s been some great work done by guys at Ben-Gurion University in Israel, uh, on jumping air-gaps. Um. Particularly, uh, using heat. Um. VisiSploit which, um, encoded data as a kind of QR code. Flashed it up on the screen. Um. The attacker would then film the screen, um, and be able to decode it. And Hasan and others in 2013 gave a really good overview of some of these techniques. Um. And one I think that they proposed was using ambient light sensors from mobile devices to be able to control smartphones, um, by flickering overhead lighting. That kind of thing.
So the first technique I want to show you is using ambient light sensors. Um. So ambient light sensors are, um, essentially hardware components. They’re found in the frames of laptops, smartphones, monitors, that kind of thing. And they’re normally, um, uh, photoresistors, photodiodes, something like that, that increase or decrease resistance according to the amount of light that hits them. Uh. And the idea there is you just adjust screen brightness according to the amount of ambient light. So it’s quite, uh, um, um, a benign, uh, thing to have. Um. And you can interact with it programmatically, um, through the Windows API. So, um, my plan was to create malware that could read in light intensity values from, uh, an ambient light sensor on a Windows workstation, um, and then execute different commands according to the amount of light that was hitting the ALS and the kind of changes in, uh, frequency- oh, sorry- in changes in intensity. So a couple of problems is that, um, you have to try to make this like a covert activity because you can’t just shine a massive flashlight, um, uh, at a laptop. And you need some kind of exfiltration capability as well. Right? Because, um, being able to control malware is fine, but for an air-gap system ideally you want to concentrate on, uh, exfiltration. So, uh, I’m going to be brave and try to show you a live demo of this. Ok. So I’ve got a laptop here, um, that’s got an ambient light sensor. The ambient light sensor is just here. And what I’ve got here is an infrared torch. So if I just turn this on, you shouldn’t be able to see anything besides like a red glow. But for unfiltered cameras, um, they’ll be able to see it. So I’m going to run the malware on this laptop and then introduce high values through the ambient light sensor. And that then, uh, pops up a calc on the screen. [laughter] [applause] Ok. So, yeah, in terms of exfiltration, um, optical channels, um, for air-gaps are quite difficult, um, optically. Um.
There have been some things suggested so VisiSploit like I mentioned earlier, that relies on the, uh, attacker having a camera, uh, inside what is probably a secure area. So I came up with this instead. Um. So the idea here is that the malware when it wants to exfiltrate data, it will read in a file, uh, convert it to bits, uh, and it will then make very subtle changes in the screen brightness, um, to represent that which then can be picked up by an external sensor. Um. So the easiest way to, um, make screen brightness changes is with WMI. Um. Unfortunately that requires, uh, admin privileges. However changing gamma values on displays doesn’t. So you can use SetDeviceGammaRamp via the Windows API, um, and you can make very, very small changes, uh, in the gamma value of a display. So the- the device I’ve got here, um, is a light-to-frequency converter. And this is much more sensitive than a typical photodiode or photo sensor. Um. It can actually pick up changes in the bioluminescence of bacteria. Um. It can read light intensity changes through- through your hand. Um. And it’s connected to an Arduino Nano here. So what I’ve got here is a, um, the circuit connected with a micro SD reader/writer module. And I’m just going to do a test of this exfiltration function. So the malware is going to read in a file. And it’s going to make very small changes to the- the gamma value of the display. Uh. What the malware actually does- it takes like a baseline before exfiltration. Then it makes changes, um, uh, increases or decreases according to whatever. So one or zero. And then after exfiltration’s finished, it will return it back. So you might be able to see that, um, the very kind of slight changes there. Um. But from the attacker’s point of view, it’s actually quite obvious whether it’s, uh, a one or a zero being transmitted. And then what you can then do is demodulate the data and retrieve the original bits. And, uh, that’s not particularly covert.
Kind of just plunking a breadboard down in front of a screen so this is a more, uh, covert application. Um. So what we have here is the same, uh, light sensor, light-to-frequency converter, an Adafruit Flora board, so an Arduino with conductive thread. And then you have, uh, the same SD writer as well. Um. So the idea is you can exfiltrate data or an attacker can exfiltrate data just sitting in front of a screen and wearing that tie. So the second thing I want to show you is Dreadphone. Uh. So Dreadphone is command and control using near-ultrasonic sounds. So by near-ultrasonic, uh, what I mean is sounds that are, uh, typically not able to be heard by most adults. Um. So the theoretical range of human hearing is 20 hertz to 20 kilohertz. In practice, most adult humans can only hear, um, up to about 16 kilohertz. So 16 kilohertz to 20 kilohertz is like near-ultrasonic. Most adults can’t hear that. It’s perfectly within the capabilities of a normal, uh, laptop soundcard, uh, speaker or microphone to transmit and receive audio, uh, in that range. So there’s been previous research on this. Uh. Toftsed and others and Hanspach and Goetz did something similar. Uh. One problem they’ve come across, uh, is this. So this is, uh, a recording of near-ultrasonic sounds being played. [computer audio] So while you can’t hear the tones there, what’s actually happening is that there’s electrical discharge on the soundcard, uh, which makes those kinds of clicks and pops. So, um, what I did with Dreadphone was I pre-prepared 16 wav files. Uh. Each one represents a different ultrasonic tone, uh, in increments from 18.5 kilohertz up to 20 kilohertz. So 16 in total. Each one representing a hex, uh, character. Um. I applied multiple fade-ins and fade-outs to those. Um. So it kind of smooths the, uh, the input into the sound card. And then amplified it. You end up with this. So this is Dreadphone running on two laptops. Um. This is the victim. And the attacker is here on the left.
So, uh, this is monitoring the- the microphone input. So what the attacker is going to do here is just tell the victim to pop calc, um, which means it’s going to send a sequence of those pre-prepared wav files and the victim then, um, executes that. [laughter] [applause] Ok. So the- the next thing, um, is exfiltration. So this is, uh, a txt file. [laughter] It, uh… So Batman would be a really good movie if Bruce Wayne was actually true to the type and communicated with people at 45 kilohertz. Um. [laughter] The attacker’s going to exfiltrate this, uh, this txt file. So it’s just going to send the exfiltration message. And I’ll stay with the attacker here. And what you’ll see is a different tone start to come back. Now there is a case study of this technique being used in the wild. Um. I haven’t gotten a copy of the malware so I haven’t been able to verify it. But BadBIOS. You guys heard of that? Um. So that, um, whilst it infected the BIOS, um, of machines it also communicated with other infected hosts… uh, there you go um using near-ultrasonic tones. [applause] So, um, Dreadphone is fine for like small bits of data and small strings and stuff like that. But if you want to exfiltrate, um, uh, more content, say images for instance, you’re a bit more limited. But you can actually use a technique that’s been used in popular music before. Um. And it involves spectrograms. Uh. So a spectrogram is a visual representation of the frequencies in a piece of audio. Um. And, what the, uh, what these musicians have done is they’ve read in an image file. They’ve iterated through the pixels, got the pixel values, and then they’ve written out, uh, frequencies, uh, to a wav file that correspond with those pixel values. And when you view the audio as a spectrogram, uh, you end up with, uh, an approximation of that original image. Uh. So in this case you have a face on the left and a cat on the right. So these are both, um, uh, examples from popular music. Uh.
So… Let me try another demo. So let’s say I have an image like this that I want to exfiltrate. This is a spectrogram tool that does that. So it reads in the image and then you can specify a minimum and a maximum frequency. So I’m staying with, um, near-ultrasonic again. If I generate that, it writes out a wav file. If I try and play that wav file, you shouldn’t really be able to hear anything unless you’ve got really good hearing or are younger than I am. So some of you might be able to hear it. Um. But if I view that in a spectrogram, you can recover, uh, the original image. [laughter] [applause] Now the- the, um… There are tools out there already that will let you do this. So Coagula, Spectrology, that kind of thing. Uh. What spectrogram also does is it lets you merge your secret file with a legitimate audio file. So, um, in case you’ve got younger people in your working environment who are able to hear that. Um. So I’ve got a normal, uh, wav file here. [music plays] So it just plays kind of ordinary music. And I can merge my secret file with that. And that writes me out a new wav file. So if I play that, um, you just hear the ordinary music. You can open that merged file and still recover, uh, the original image. [applause] Ok. So in terms of mitigation for this kind of stuff and jumping air-gaps in general. You’re looking at things like TEMPEST standards, um, removing and disabling ambient light sensors if they’re not required or covering them up. Um. Privacy filters for laptops do a really good job of muting, uh, screen brightness changes. Um. And in terms of the ultrasonic stuff, um, you can look at things like white noise or ultrasonic detectors. Um. But ultimately, uh, if you’ve got any kind of input and output to a system that’s not necessary or not integral to the operation of that particular piece of equipment, um, you’re probably better off just disabling it. So part two. Uh. Surveillance and counter-surveillance. Um.
So first thing is a laser microphone. Um. Just a quick hands up, who’s heard of a laser microphone before? Ok. Quite a few people. Um. So, uh, for those of you who haven’t, I’ll just quickly explain what it does. So imagine that you’re doing, uh, surveillance on a group of people across the street from you. And those people are behind a window. Um. Let’s say the- the glass is soundproof so you can’t hear anything. Um. Let’s say they’ve drawn the curtains so you can’t video them and do lipreading. And assume you don’t have any bugs or anything in the room. What you can do is use a laser microphone. So you shine a laser at the window and you capture the reflected beam with a photodiode or a photosensor. So what’s happening is as those people in that room are talking, the air is vibrating. It makes the glass in the window vibrate. Which makes your reflected laser beam shift slightly. And as that moves across the surface of your photodiode, it of course shifts in voltage which can then be converted back into sound. Uh. So on the right here I’ve got a really cheap laser module, um, that’s hooked up to an 8 volt battery. And on the left I have a photodiode. Um. This is actually adapted from a circuit that did something else. Um. The output goes through a 3.5 millimeter audio jack. So, uh, to demonstrate this… So I have the laser. I’ve got the listener hooked up to a speaker. Uh. The laser is firing at a, uh, phone that’s playing music very, very quietly. Taped to the back of the speaker is a bit of reflective material. And at the moment, there’s a bit of obstruction between the reflected laser beam and the listener. If I remove that… [music begins to play] So um… [laughter] [applause] So that’s obviously like a really cheap, a really simple sort of model. And, uh, that only cost like 25 pounds, the whole kind of setup. Um. If you obviously had a bit more of a budget, you could use like interferometry. Um.
You could experiment with using infrared lasers to make it more covert. Um. ‘Cause nothing says “I’m using a laser microphone” like shining a really highly visible laser. Um. [laughter] You can kind of filter interference use [mic crackles] kind of stuff as well. Ok. Um. So moving onto sniffing, analysing, cloning infrared. So, um, I imagine a lot of people here will have done, um, or will have experimented with, like, clone and replay attacks using a, uh, SDR with RF signals. And infrared’s very similar. Um. So with infrared signals, assuming that they use fixed codes- they, uh, will use things like biphase mark coding, Manchester coding, that kind of thing as well. Uh. They use a carrier wave. Um. Normally 38 kilohertz but it can be other frequencies as well. So we need a way to listen to the signal. Uh. Then a way to analyze it and then a way to replay it. Uh. And if you guys are interested in infrared, there’s a really great talk, um, from Def Con in 2005 by Major Malfunction. He found a way to compromise hotel payment systems by messing around with infrared, uh, TV remotes, uh, in hotel rooms. So the first thing you could do is just use an RTL-SDR. So these things still have an infrared sensor in them, um, that you can actually use to sniff infrared signals. Um. It just returns you like the raw pulse data so it’s completely undecoded. Uh. But you could do that. You could use a dedicated infrared receiver component with an Arduino and then you can use the IRLib library. And the nice thing about this library is if it’s one of, um, kind of eight or nine popular consumer protocols, it will actually tell you what protocol it is and decode it for you. So then this is the standby signal for my, uh, TV remote. So it tells me it’s using the NEC protocol and then tells me what the value, um, of that code is. And then you can also use the listener, um, from that laser microphone. So that will do it as well.
[computer noises] And then you can expect the- the- the- inspect the signal visually which is quite nice. In terms of replaying it, if it’s a known protocol like NEC or something like that, you can just play it back. Um. So in this case I’ve used the IRremote library. Uh. You can just play it back with a normal consumer protocol. Uh. Like RF, however, if it’s unknown, um, then you have to replay the raw array, um, that you’ve managed to sniff. So applying this practically, um, to, um, motion detectors. So the testing I’m going to talk about is a passive infrared motion detector. So these have a passive infrared sensor in them that responds to changes in infrared radiation, i.e. uh, body heat. So there was a talk, um, at Black Hat USA 2013 by Porter and Smith where they talked about different methods to defeat physical security and they mentioned passive infrared sensors. Uh. And you can do things like move really slowly so the changes in body heat aren’t registered by the sensor. You can, um, coat yourself in a reflective material. Not the most practical approach but, uh, it works. Um. Or you could overwhelm the sensor with heat so like a flame. Um. So I think in their talk, they used a lighter to do it. So here’s an example of a passive infrared motion detector. Um. So the gray sphere on it, that’s the actual sensor itself. Uh. The red window to the top, that’s actually the receiver for that remote control. So the remote control is used to arm or disarm the main unit. Um. Quite why they’ve used infrared to do that, I don’t know, um, as opposed to RF. Um. And then on the right is a circuit board I can use to do a simple clone and replay attack. Uh. I just clone the disarm signal, uh, from that remote. [alarm noises] So it’s now on. There, just tested it works. And then I can use my evil device to just clone the disarm signal. And that’s now disarmed. So there’s nothing kind of particularly innovative or interesting about that. It’s just the normal clone and replay attack.
I suppose the one thing that is interesting is it’s infrared. Um. But there’s two big flaws in this approach. And the first is how do you get the disarm signal in the first place? Assuming it’s- because, you know, it’s infrared. You have to be quite close to it. Um. So you’re stuck with having to like, um, have a device in the vicinity or steal a remote somehow and capture the signal. And the second problem is how do you get close enough to disarm it once you’ve got the disarm signal, um, without setting off the main unit. So I bought nine of these. Um. They’re manufactured by the same manufacturer but sold under, um, different brand names. And I captured the signals from the remotes. And here are the signals from the first six. [laughter] Ok. So straight out of the box, um, regardless of what main unit the remote was first used with, it will arm and disarm any main unit. So here’s all nine. [laughter] So I just picked the remote up. [video playing] [laughter] And then pick another one up and I can disarm all of them. [laughter] [applause] So I’m almost like embarrassed to present that at Def Con. [laughter] Now, so that’s the first problem taken care of. How do we get the disarm signal. Second problem: how do we get close enough to the main unit to disarm it without setting it off. Here’s the first solution. [laughter] Um. So this is Drone to Clone to Pwn. This is, um, the disarming circuit powered by the drone’s internal USB port. The reason you can use a drone is ‘cause the lithium battery in it doesn’t get hot enough to set off, um, a motion detector until it’s been in the air for about 45 seconds. [laughter] So here’s the alarm in the foreground. You can see I’ve dressed up for this video. So if I arm this and then try to walk up to it, it detects me. So you’ll shortly see that my drone piloting skills are about on a par with my fashion sense. [laughter] Ok. So we’re going to fly the drone over and it won’t set it off, but it will disarm it.
[laughter] [applause] Ok. Second solution: Phone to Clone to Pwn. So. Um. This is using an Adafruit GSM breakout board. Um. This is heavily based on, uh, Samy Kamkar’s ding dong ditch or digital ding dong ditch if you’ve seen that. Um. Some slight modifications. So obviously it uses infrared rather than RF. Um. It also doesn’t use interrupts. It just uses a timed loop and it deletes text messages off the SIM card, uh, once they’ve been read. So the idea here is you would hide this or pay someone to hide this near an alarm, um, during the day when it’s deactivated. Then after hours when the system is on, you can just send a text to a number containing a certain string, and it will then disarm it. Ok. So as usual the first thing I’ll do is arm the, uh, main unit and then just test it. [alarm beeps] Ok. And I’ll just look quickly at the Arduino sketch, um, which is just checking for new messages every five seconds on that SIM card. So I’m now going to send a text to the number that’s on that SIM card. And in this case, the string, uh, the sketch is looking for is “new phone who dis.” [laughter] [alarm beeps] [applause] And then just looking at the sketch just to make sure it reads the, uh, text message and sends a signal and then deletes the message from the SIM card. Now you could combine both of those together and do Phone to Drone to Clone to Pwn. Um. [laughter] But that would just be absurd so I haven’t done that. Ok. Um. The next kind of motion detector is this. So this is an active infrared motion detector. So the idea here is you have two components: a transmitter and a receiver. And the transmitter is constantly sending a pulse of infrared signals, uh, to the receiver. And if the beam’s broken… [alarm beeps] then the alarm sounds. And if you continually move the transmitter away… [alarm beeps] …then the alarm would just continually sound until you clone the signal from the transmitter and just put it right next to the receiver. [laughter] Ok. Uh.
So in terms of mitigation for these kinds of attacks. So for laser microphones, um, you can get devices that vibrate the glass on windows, um, to try and disrupt laser mics. I’m not sure how effective they are. But things like wire screens and coverings on windows. Um. As you’ve seen with the, um, infrared torchlight, you can detect the infrared light if you’re using an unfiltered camera. So you can use that to detect infrared lasers. Um. Double-glazing or curved glass can cause issues with laser mics. Um. As can other environmental conditions like, uh, rain and snow and that kind of a thing. Um. In terms of alarms, ideally you want to try and use physical keypads. Um. Not that that’s perfect, but it’s better than remotes because the signals could be sniffed. Um. And if you do have to use remotes, you want to go for ones that use, like, a tried and tested, encrypted rolling code algorithm. Um. And that are paired uniquely to a device. You wouldn’t think you’d have to say that explicitly, um, but yeah. Ok. So, uh, last part is bantz. Um. So the first thing I want to show you is speech jamming or delayed auditory feedback. Um. So this is a technique that’s been around since the 50’s. It was actually, um, originally used to help people who stutter. Um. The idea is you introduce a latency between someone, um, speaking and them hearing themselves speak. And when, uh, used with people who stutter, it, um, enables them to speak more clearly. If you use it on people who don’t have a stutter, it dramatically inhibits their capability to speak. Um. And it causes, like, mental stress. Safe to assume. Um. Researchers in 2012 came up with, like, a hardware version. Um. I built a software version called doubleSpeak. And I tested it out some- on some colleagues because I didn’t want to look stupid myself. So.
[laughter] So what these guys are doing is they’re reading a paragraph, uh, from a website about delayed auditory feedback, uh, while my tool is running on the laptop and they’re wearing a pair of headphones.
>>Delayed auditory feed-feedback, also called delayed side tone, is a type of audi- auditory feedback -back that consists of extending the time between speech and auditory s- perception.
>>Delayed auditory feedback, also called delayed sidetone, is a type of audi- aud- auditory fee- feedback -back that consists of extending the time between the speech and the auditory per- perception. [laughter]
>>Delayed aud… itory feed.. back, also called delayed sidetone, is a type of alted- alteuditory feedback that consists of extending the time between speech and auditory percep… tion. [laughter]
>>when hear his.. voice in headphones a fract- come of a sec ond later. Some DAF devices are hardware. DAF computer software is also available. Most delays produce a noticeable effect are between 50 to 200 milliseconds. DAF usage with a 175 millisecond delay has been shown to induce mental stress. Surely this is stressful. [laughter]
>>So, um, on the face of it, that doesn’t seem to have much practical application to security. Um. One way that we came up with that you might be able to use it is, um, say you’re on a network and your goal is to kind of sow disruption and discord but in a very subtle way. You could find out when a very important conference call is taking place and use this. And kind of affect the decision outcome of that conference call, um, without kind of having to do anything, um, too blatant. Ok. Uh. Next thing: demotivating malware analysts. So, um, this is inspired by Christopher Domas who’s speaking, uh, tomorrow I think. Um. And he came up with this awesome thing in, uh, 2015, um, which was he created fully functioning malware which when looked at in a disassembler in the flow graph, represents an image, um, under his control.
So he can basically choose the image that a malware analyst has to stare at all day long. Um. Which is awesome. So I used my, um, spectrogram tool to come up with something, uh, similar, albeit a lot cruder. So let’s say you’ve got malware and when you run it, it plays really weird music like this. [screeching computer noise] So the first thing you do is disassemble it. In this case it’s .NET so it’s very easy. And you look at what’s causing that sound. So in this case, it’s a wav file, um, that you can then extract from the, um, main binary. And you’re playing that wav file and trying to think what is this? Is this some kind of encrypted communication? Is it trying to exploit something? What is it? And you spend ages and ages looking at it. Until eventually it occurs to you to look at it as a spectrogram. And then you see something like that. [laughter] [applause] Ok. Uh. Do we have any Gilmore Girls fans in the room? [Cheers] Ok. So, um, to give you a bit of background on this, my wife is a huge Gilmore Girls fan. Uh. She watched it all when it first came out. Um. They streamed it like two years ago and she’s watched- since then, she’s watched season one to season eight… I- I’ve lost count. In that time, I’ve gone from passive indifference thinking, you know, “this is ok but I can’t really see the appeal” to kind of active loathing of this program. [laughter] So I came up with, um, Kill More Gilmore which I think on reflection is probably the best thing I’ve ever done. Um. So Kill More Gilmore is, uh- it comes in two parts. It’s a Python script and an Arduino device. Now the Python script uses, uh, an open source music recognition library called Dejavu, um, which is on GitHub. Again, the- the link will be, uh, at the end of the talk. Um. And what Dejavu does is it lets you write mp3 files to a database and it fingerprints them, um, I believe using a fast Fourier transform. And it then compares audio coming into the microphone to what’s in the database.
So my Python script here is comparing audio coming into the microphone, uh, to the database. And if it gets a match for the Gilmore Girls theme tune, it sends a serial byte, um, it sends a byte, sorry, over the serial port to the connected Arduino device, which clones the power off signal for my TV. [laughter] [applause] So, um, I have a video of this. Unfortunately because of possible copyright issues, I’ve had to mute it. Um. But after the talk if you, um, look at my Twitter feed, I’ll upload it somewhere, um, with the full audio so you can see it. Ok. So this is like the pre-credit sequence so there’s no music yet. Um. So what the script’s going to do, it just listens for ten seconds and it will conclude that the- the Gilmore Girls isn’t playing at the moment. [laughter] Ok. And then the theme tune starts. [laughter] [applause] Ok. And, uh, the last thing I want to show you is this. So this is AstroDrone. So this is using, uh, echolocation jamming against ultrasonic altimeters in drones. Um. So I’ve demonstrated it with a Parrot, um, just ‘cause I had one handy. Um. It’s not picking on Parrots specifically. Other drones with ultrasonic altimeters will be vulnerable to this as well. So the idea with an ultrasonic sensor is it uses echolocation. Alright? So you have a transmitter that sends out ultrasonic pulses at a particular frequency, they hit an obstacle, get reflected back to the receiver. And based on the width of the pulse that comes back, um, the navigation board can infer how far away it is from the obstacle. So when you do this with drones with ultrasonic altimeters, ‘cause it’s used on the bottom of the drone to figure out how close it is to the ground. Eight times out of ten it launches it upwards at quite a frightening pace. Um. Two times out of ten it tries to sink through the floor because you’re making the drone think it’s either at maximum or minimum altitude.
So, um, there’s a talk last year at Def Con by Liu and others about ultrasonic attacks against autonomous cars, against Teslas. Um. So this is a similar technique albeit, um, a lot cruder. Um. So first thing I used was this. So this is an animal repellent alarm. So, um, you put this in your garden. Um. The idea is that you have a passive infrared sensor. When it goes high, it sends out an ultrasonic tone to scare away dogs and cats, that kind of stuff. When you fly a drone over it… [drone noises] So you noticed that the drone became like completely unresponsive to commands. It just refused to land. And in that case, uh, with a broken drone. [laughter] So, um, that was kind of the first part of this. And then I thought, well, let’s try to expand that. So rather than having the drone fly directly overhead, can we come up with something that detects, um, drones in multiple directions and sends out a more powerful signal. [laughter] So, um, that’s a colander, um, ‘cause I- I ran out of money. Um. And you have, uh, four passive infrared sensors. There’s two Arduino Unos, um, underneath. Uh. And eighteen ultrasonic transducers connected to it. So, um, infrared’s one option and then I also used acoustic signatures with the Deja Vu library again. So I recorded the sound of a drone flying, um, and then compared the microphone to it. Um. And that works just as well. I just don’t have time to show it. But, uh. Let me show you this one. So. [drone noises] Ok. Um. So. We are not doing further research on that at the moment and trying to, um, test it against different drones, different, um, kinds of, um, environmental conditions, different kinds of echolocation, that kind of a thing. Um. So. Um. You could use this as essentially like as a drone repellent. If you wanted to, uh, you could use it as a personal drone repellent as well. [laughter] [applause]

Ok. So I think I have about five minutes left so I’m just going to do a really quick summary. Um.
If I don’t have time for questions, um, then I’ll take them in the hall afterwards. And you can email me or whatever. So this is an overview of the research I’ve done on light and sound. Um. And you can, um, interpret this in two ways. You can either look at it and think, uh, “Yes. He had a really careful and comprehensive research plan.” Uh. Or “it’s something he cobbled together this morning to give his talk the illusion of structure.” Um. Either one of those is good with me. Um. But they all kind of do fit into each other. So as an attacker, um, using light and sound for attacks, um, pros are they’re great for any, uh, environment that uses physical security devices. Particularly infrared stuff. Uh. Any environment where there’s air-gapped systems. They’re really difficult to detect and to defend against. Um. And they leave very little trace. And you can, uh, as you’ve seen, uh, do this stuff on the cheap, um, a lot of the time kind of at home. And test it out. Cons are you need proximity, um, to the systems you’re attacking obviously. Um. Subject to environmental interference, particularly things like laser microphones. Um. And the range and power of your solutions are very much going to depend on the resources that are available to you.

So in terms of mitigation, um, definitely the first step is knowing these techniques exist and knowing they’re out there. Um. And the inputs and outputs can be manipulated. Um. So ideally if it’s possible or feasible, you’d look to block those inputs/outputs completely. Um. If you can’t, you’d have like a reliable failover. Um. And lastly, yeah, clone-and-replay attacks and, you know, jamming, that kind of thing are as much applicable to light and sound as they are to, um, any other kind of technology. So ideas for future research, um, exfiltration via infrared, uh, is something I’ve wanted to explore. Acoustic keylogging which has been empirically proven to work. Um. But I’ve yet to see like an automated practical solution for it.
Um. More work on LiFi and some more work on drone repellents as well. So hopefully, in terms of how you feel about this talk, uh, you’re more on the left, uh, than on the right. [laughter] Um. So, um. Um. So just to wrap up. Um. The music credits that were used in this presentation were royalty-free or Creative Commons so thanks very much to those people for putting that music out there. Uh. References. Um. I’ll let you guys go through that on your own time. Uh. So yeah. So that’s my email address and my- sorry. That’s my email address, my Twitter handle. Um. So please do get in touch if you have any suggestions, comments, um, feedback, generally criticisms, anything like that. If I’ve got anything wrong during the talk or presentation, you can just keep that to yourself. Um. Um. [laughter] Yup. So that’s it from me. Thank you very much. [applause]
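The talk explains that an ultrasonic altimeter infers height from the echo of its own pulse, that a stray pulse arriving at the wrong time makes the drone believe it is at minimum or maximum altitude, and that a "reliable failover" is the mitigation when the input cannot be blocked. The following is an added illustration of that reasoning, not code from the talk or from the AstroDrone tool: a toy altimeter model that converts echo timing into distance (assuming a time-of-flight model, distance = speed of sound x round-trip time / 2, rather than the pulse-width wording used on stage), plus a rate-of-change plausibility check that falls back to a second, assumed-trustworthy sensor such as a barometer when the ultrasonic reading jumps faster than the airframe could physically move. The echo timings, thresholds, and the fallback sensor are constructed assumptions.

```python
"""Toy ultrasonic altimeter with a plausibility-based failover.

Added example (not the talk's code).  Assumptions: time-of-flight model,
speed of sound 343 m/s, a receiver that latches on the earliest pulse
above threshold, and a hypothetical fallback altitude source (barometer).
"""

SPEED_OF_SOUND_M_S = 343.0  # assumed value for air at about 20 C


def echo_distance(round_trip_s):
    """Distance to the reflector for a given round-trip echo time."""
    return SPEED_OF_SOUND_M_S * round_trip_s / 2.0


def first_echo_time(echo_times):
    """Model of a simple receiver: it keeps the earliest pulse it hears.

    This is why a foreign pulse matters: one arriving before the genuine
    echo is taken as the echo and shortens the computed distance.
    """
    return min(echo_times) if echo_times else None


class AltitudeEstimator:
    """Fuses the ultrasonic reading with a fallback source.

    A reading is rejected when it implies a vertical speed above
    max_rate_m_s, or when no echo came back at all (ranging timeout).
    """

    def __init__(self, max_rate_m_s=5.0, dt_s=0.05):
        self.max_rate_m_s = max_rate_m_s  # assumed physical climb/descent limit
        self.dt_s = dt_s                  # assumed sensor update interval
        self.last_alt = None

    def update(self, echo_times, fallback_alt):
        """Return (altitude_used, used_fallback).

        echo_times: round-trip times (s) of every pulse the receiver heard
        in this ranging window; fallback_alt: the other sensor's altitude.
        """
        t = first_echo_time(echo_times)
        if t is None:
            # No echo: the controller would otherwise assume max altitude.
            self.last_alt = fallback_alt
            return fallback_alt, True

        ultrasonic_alt = echo_distance(t)
        if self.last_alt is not None:
            implied_rate = abs(ultrasonic_alt - self.last_alt) / self.dt_s
            if implied_rate > self.max_rate_m_s:
                # Jump is physically implausible for the airframe: distrust
                # the ultrasonic input and hold on the fallback sensor.
                self.last_alt = fallback_alt
                return fallback_alt, True

        self.last_alt = ultrasonic_alt
        return ultrasonic_alt, False


def demo():
    """Constructed scenario: hover at ~1.2 m, then a foreign pulse, then silence."""
    est = AltitudeEstimator(max_rate_m_s=5.0, dt_s=0.05)
    # Genuine echo from the floor 1.2 m below: 2 * 1.2 / 343 ~= 0.007 s.
    a1 = est.update([0.007], fallback_alt=1.2)
    # A foreign pulse heard 1 ms into the window alongside the real echo.
    a2 = est.update([0.001, 0.007], fallback_alt=1.19)
    # Receiver saturated: nothing recognisable came back this window.
    a3 = est.update([], fallback_alt=1.18)
    return a1, a2, a3


if __name__ == "__main__":
    for alt, fell_back in demo():
        print(f"altitude used: {alt:.3f} m  fallback: {fell_back}")
```

Without the check, the second window would have been reported as about 0.17 m (343 x 0.001 / 2), which is the "minimum altitude" reading the talk describes as sending the drone upward; the third window, with no echo at all, is the "maximum altitude" case. The estimator instead flags both windows and holds on the other sensor, which is the failover idea from the summary expressed in code.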