DEF CON 31 - Snoop On To Them, As They Snoop On To Us - Alan Meekins

DEF CON 31 - Snoop On To Them, As They Snoop On To Us -  Alan Meekins

Show Video

Wonderful. Thank you.   All right. Thanks for having us. So today's  talk is snoop unto them as they snoop unto you.   I'm Alan Meekins. I go by nullagent on most  social media, Twitter, Musk on, all that good   stuff. You'll find me as sevenbitbyte on GitHub.  My personal website is actually kind of blank,   so I'll try to fix that this week. I've got  a co-speaker, rekchadam, who couldn't be here   today. He's stuck in Tokyo without a passport.  We've got 5@V@g3, our apprentice here today.  

So just quick background, big  robotics nerd, embedded systems,   been playing with Linux since I built my first  computer, really love digital communications,   which this talk is going to touch on a lot  today. I occasionally do, I guess, grownup work,   but these days I am recklessly unemployed and  founder of Dataparty. So we're basically a   hacker collective looking at the intersection of  just media and all the things that hackers love.   So today, the thing that got me started  thinking about this was actually a lot of   police interaction that my co-founder and I  had over the years. He grew up going through   high school getting pulled over by the cops  basically every day. Growing up we were hearing   a lot about no-knock raids. Coming from a hacker's  perspective and seeing things like no-knock raids,  

you kind of start wondering WWLND, what would  Lord Nikon do? So Lord Nikon would probably   take a closer look at the boys in blue and  maybe what they carry and how they operate.   To give you some idea of what the landscape  is like on the digital world of a cop,   they have on the left, the things that  they carry, typically tasers and body cams,   a smartphone, pistol. Things in the middle that  certain companies wish they might carry maybe,   flying drones with tasers on them. And then on the  right, we have all the things that are in their   vehicle, Wi-Fi hotspots, surveillance systems  that can actually do license plate reading. So   they actually do ALPR coming soon on their dash  cams. Of course, they've got a laptop and they   have these weird little boxes called Axon Signal. So if you remember the movie Hackers, one of the  

big things that they talk a lot about is reading  the manuals. So first step was just see what was   out in the open. And so, if you start reading  through the manuals for all of these types of   equipment, you'll see a whole bunch of terms  like Cradlepoint and NetCloud mentioned. You'll   see things like Bluetooth pairing and  you'll see brand names like Axon Signal,   and then occasionally you'll find some really cool  things like, "Hey, this is exactly what an error   state looks like, and here's an exact network  map of what a police car looks like inside."   You keep reading, and before you know it, you find  all sorts of URLs that look tasty and delicious   and could be interesting. So if you ever talk  to public defenders and those sorts of people,   they hear about this thing called,  and a lot of them don't realize that that's  

actually built by the same folks who make the  body cams themselves and all the digital tech.   It all just funnels up to this cloud. So they  typically access it through their agency name   or their city or state or something, and consume content.   And then if you keep reading, you'll start  seeing some interesting things that might   get a hacker's eyebrows open a little bit.  But at the end of the day, the thing that   really caught my eye is that the boys in blue are  actually... Or actually just kept a couple things,   so Wi-Fi access points and fleets and so on, but  the boys in blue are actually the boys in BLE.  

So there's a term that keeps happening a lot  called Axon Signal, and I keep seeing the word   BLE co-occurring with that in the documentation. So just a quick trip down memory lane from DEF CON   is when we're talking about hacking the planet  on the terms of BLE, there's been a great talk   by Freqy at DEF CON 29 where she explained a lot  of basic BLE, the basics of BLE, how BLE pairs,   how it interacts with the host and so on.  It's a great starting point to understand   what might be going on under the hood of some  of these products. If you keep reading further,   you might see some things like Handoff All Your  Privacy, which deals with how Apple has a BLE   protocol called Apple Continuity. You might  also see some things called You Better Secure   Your BLE Devices, which has a lot of parallels  to what we're seeing today. And then lastly,   Mike Spicer did a talk called I  Know What You Did Last Summer.  

So just a quick refresher on BLE, I'm not  going to go crazy deep on BLE fundamentals,   but A BLE device needs to allow the other devices  that it wants to pair with to know that it's   around. So they send out these broadcasts, these  beacons a lot like how Wi-Fi access points also   beacon out. Typically, you'll find these types  of parameters inside of there, at least a MAC   address. And then basically everything else is  kind of optional, so manufacturer data services,  

products, company, local name, RSSI, possibly  like URLs and additional what are called gap   fields, so additional fields just like this. Of course, you start thinking about if you were   to reverse-engineer or to fingerprint device that  you haven't seen before, say like a cop device,   there might be a whole spectrum of ways that you  might approach that problem. So for instance,   sometimes gap fields come in different orders.  So even two devices from different manufacturers  

might have identical data, but they might put  those fields in different orders. So that might   be a thing that fingerprints or you might go and  try to see if you can find things on   Wigle is a big network of war driving that a lot  of people who are participating in the worldwide   war drive right now, they're currently constantly  feeding Wi-Fi and BLE data into And  

then also I built an app called rfparty, which  is basically like Wigle in your pocket without   a cloud so that you can be entirely off grid, or  you could also go down the decompiled apps route.   So how can we figure out what these police  devices are actually doing? Just as a note,   most of the apps needed to manage these police  devices are actually currently in the Google Play   Store. So you can go download those and decompile  them right now. So without doing all of that crazy   stuff, how do I do this without violating  any kind of permissions or laws or anything?   Go back to reading the manual. So  I keep seeing this thing called  

Axon Signals. So what is  that and what does it do?   Well, it turns out that the devices highlighted in  blue here are actually all Bluetooth-enabled. So   body cams and tasers are designed to basically  interact with one another. When a taser is fired,   certain models can actually send out a Bluetooth  beacon that will notify the body cams and the   surveillance in cars to start recording or to  rather start retaining their recording. Body cams  

also have basically shot spotter technology built  into them after the third generation or the second   generation of those, and they can also detect a  gunfire and trigger a Bluetooth transmission.   And then third to all of this, the pistol holster  itself, there's attachments that can detect when   a pistol's unholstered and again, sends out a  Bluetooth beacon that is designed to trigger the   body cam. The same thing happens on the car  side as well. So again, the blue circles   here are things that are Bluetooth-enabled. So  the documentation indicates that the same Axon  

Signal technology is built into dash cams. How are  those dash cams triggered? They can be triggered,   of course, by everything on the left here,  but they can also be triggered by this little   tiny box at the bottom that detects when  your police lights are falling off of your   fan there, and that will actually detect when you  turn on your siren when you turn on your flashing   lights and send a signal to the recorder as well. And then finally, they have a laptop in the mix   that also takes a Bluetooth dongle. I actually  never fully figured out exactly why that is   because it doesn't seem to actually trigger  much on there. And then finally, things that I  

didn't even feel like digging into, but they have  Cradlepoint Wi-Fi hotspots in there that have all   kinds of interesting things in the documentation  that I don't even feel like touching today.   Yeah. So overall, that's the general architecture  of how Axon Signal works. We went through the list   of devices that's deployed on. Yeah. So where  is it used? Axon has basically their fingers   in every part of police life from how do you  charge these devices at home or in the office,   and also things like interrogation rooms,  all of the systems inside of there. Again,   that documentation was a little bit more locked  down so I don't have as much to share directly   on entry points under those systems. So again, with all of this in hand,  

how do you do analysis on this without having  to interact too closely? Turns out, go back to   reading the manual and there's this thing called  an OUI. There's an OUI for the company Axon,   which was initially Taser International, called  00:25:DF. That is the first three octets of most   MAC addresses in the Bluetooth spectrum. So if  you registered an OUI and you want other people  

to recognize your device over Bluetooth, you're  going to use these in places like potentially   in the MAC address itself or in the manufacturer  data. You can also have a fingerprint in there.   So for my app, rfparty, I actually built a  database of over 4,000 device identifiers simply   by looking at OUI databases and additionally  Wireshark and their database and of course   looking at manufacturer data and just from  analyzing my own devices discovered that   there's a lot of... I'm not sure if things are  always on spec as far as how manufactured data   gets formatted, but there's a lot of interesting  ways to fingerprint your devices just looking at   those. So looking at the Taser OUI, you find  out that they have a particular block size.  

So they've basically allocated 16 million MAC  addresses that will be prefixed by this OUI.   So since we're talking about broadcast protocols  in Bluetooth, a lot of people are very accustomed   to when devices are paired. When devices are  paired, the broadcast will stop. But there's   a growing number of protocols being released  lately, which rely entirely on the broadcast   capability and basically none at all on the  direct connection. So some examples are COVID   exposure tracking has a fairly cryptographically  secure approach to fingerprinting a person and   then fingerprinting or, sorry, having a secure  database of exposures that's managed by your   local authorities, and then you go and prove it. And then eventually the other people who basically   have been around you are essentially war driving  when it comes to COVID exposure tracking. They're   slurping up all these BLE broadcasts and they're  saving the ones that have the correct fingerprint   for this protocol, and they're remembering  all the public keys of the people around them.  

So COVID exposure tracking is another  great example. It's one of the most   pervasive Bluetooth broadcast protocols, but  now it's kind of winding down. So if you look   at Wigle data and if you do your own stumbling  and whatnot, you'll see that the COVID broadcast   have reduced substantially over time. But Apple Continuity on the other hand is  

basically second, this is my personal ranking, as  far as total traffic that I see. Apple Continuity   has a lot of interesting things that it does.  Again, the app that we built called rfparty,   we parse all the sorts of things that  hand off all your privacy discovered,   so things like AirPlay IP addresses. Yeah. Your  iPhones are currently beaconing your IP address   in BLE constantly. You can get information  like whether or not the person's on the phone,  

whether or not they're looking at a video, if it's  their primary iCloud device. So these broadcast   protocols have a pretty pervasive impact on your  personal privacy and how trackable you are in   public and public spaces and governmental spaces. And then finally, we have a really new broadcast   protocol that's coming online next month called  DroneID. So DroneID will also operate primarily  

in Wi-Fi, but there's capabilities to do it in  BLE, as well in Bluetooth. I suspect part of   the reason is that the BLE hardware might be more  lightweight, more ready to be embedded than some   of the Wi-Fi equipment to put on smaller drones.  And so, again, on rfparty, we're expecting to   be able to parse that type of data. So finally,  Axon Signal. Axon Signal fits into this patchwork   of prevailing and existing broadcast protocols. So taking our understanding of broadcast protocols   and everything we found in the manual, let's see  what we can find. So if you go to Wigle right now   and type in 00:25:DF, you'll find on the left  we have the locations of police departments,   say, in the San Francisco region. On the right,  we have the Wigle map of where 00:25:DF returns  

have been heard, and it corresponds pretty  closely and of course it's clustered along   highways that cops probably patrol. So  there's a decade or more data in Wigle.   If you run these queries, you're going to  see that there's a worldwide footprint that   you guys in this audience have been collecting  and putting on Wigle. So that's pretty dope.   So what can we do with this and what are  the other ways that we can detect this? So   rfparty could hypothetically, allegedly detect  these sorts of things. I can't demo that sort of   thing. Unfortunately, I haven't been contracted  by any police departments to actually do any   pen testing on them. So if you know any, let us  know. We'd be happy to help you figure out how to   improve this. But for a demonstration purposes,  it also turns out that GoPro video cameras have  

a broadcast protocol that they implement. So  I took my GoPro and essentially assumed, "Hey,   let's treat the GoPro like a body cam and  see what that might look like in rfparty."   So here we have rfparty of public space. I  verified that my wireless connections are   enabled on the GoPro. At this point forward, the  GoPro will actually beacon so that my phone can  

manage it. The other interesting thing to know  about GoPros and their broadcast protocol is that   the protocol does not stop when the GoPro has been  turned off. The screen is off, but the packets   continue to be emitted, and that MAC address,  as I've observed on my GoPro, never changes   over the course of years. So when I put out my  GoPro into Wigle, I didn't see anything lately,   but that's probably changed this weekend if I  accidentally turned on my wireless connections.   And so, if you had a continuous monitor running  and when you searched, if you search for the   right parameters, so in rfparty where you're  looking for the name of a GoPro, what we'll   find is the first ping that we receive will show  up on the map as a dot. If you click on that dot,   you can see all of these packet information,  all the service information. I've blurred out  

because of course, this is all my actual personal  MAC addresses here. We're able to then see where   we've crossed paths with that particular device. And so, here I am walking through a park. These   are my GPS pings in this ghostly white. And then  at the end, I'm going to run the query again   and boom, I've discovered that, hey, I initially  saw the GoPro somewhere around here, and then its   final location was somewhere over here. There's  a number of queries that we support like duration  

and triggers that are coming soon and alerts and  that sort of thing, but you could imagine that if   this were, say, a body cam, so this is more of  a simulation of if I were wearing a body cam...   We actually have more data points along the  way, it just doesn't render it on this screen.   But you could imagine that you yourself could  monitor for your own devices or in the case of   cop detectors, or as far as in the terms of Axon  Signal, this essentially demonstrates an idea that   there might be a way to detect cops. And so, if we switch back,   cool, what does this enable? So specifically at  Axon Signal, apps like rfparty and Wigle enable us   to potentially do things like proof of body cam.  So what's proof of body cam? If you read back on   some of those no-knocks that I mentioned, and if  you read the news in the last couple of years,   you'll find out that sometimes police departments  can be cagey to release potentially damaging body   cam footage, right? It's kind of hard to compel  them because they kind of like to beat around   the bush of like, "Hey, we're not sure if anyone  was there with a body cam. We got to check our  

records." They can really slow-walk things.  So if you had a way to say, "Hey, I know this   MAC address was in the vicinity. I know this MAC  address was at a particular event or a particular   occurrence of a potential police misconduct,"  you can more directly light of fire under their   butts and more legally be able to specifically  inquire about that information in court, right?   Other things that hackers probably think  about. There was a competition, I think,   at Black Hat and DEF CON many years  ago, it was like over a decade ago,   where people were competing to make kill switches,  computer kill switches. So you hit a button and   termites your hard drive, or hit a button, the  hard drive catches on fire or various things,   right? So you can imagine if you're a very  enterprising hacker, you might have a cop   alert in the Bluetooth spectrum that could  trigger those sorts of things. Of course,   knowing things like RSSI and receive signal  strength that correlated with these devices,   you can very tightly detect the distance that  a cop is to your computer and the computer   could self-destruct automatically, poof. You could do things like identifying specific  

cops. So a lot of cities activists will file cases  that will eventually put cops on something called   the Brady List, so basically a list of unknown  police misconduct and bad behavior, bad apples,   if you will. You might want to get an alert if  you're dealing with a bad apple, or you might   want to know, "Hey, I didn't catch that guy's  badge number, but turns out I had Wigle running."  

Now you can go dig through that  database, dig through your own logs,   and now you know their MAC address, and you  might be able to subpoena for the rest of the   information. And then the other interesting  thing that organizations like ACLU and EFF   currently monitor are things like surveillance. So where does Axon Signal factor into all of this?   If all of these body cams start doing facial  recognition, for instance, so these body cams   actually have 4G LTE connections and they actually  can live stream video at any moment and that's...   I'm not even talking about the cloud this year,  but there's a huge question about what's the   prevalence of this technology, especially as we  understand more and more about these features,   especially like the license plate reader being  embedded directly into the dash cam. What if that   license plate reader technology gets embedded  into body cams? There's not even a slippery   slope. It is a Homer Simpson falling down a ski  mountain worth of interesting problems here that   we might want to understand as civilians or civil  liberties how prevalent these technologies are.  

So finally, tools like rfparty, we are  absolutely inspired by these types of questions,   and we really want to enable other people to  be able to experiment and learn about these   devices. Of course, if cops are trackable,  we're very trackable as well with things like   our GoPros and our Apple Continuity. How do we  verify that any of those devices are actually   in airplane mode? If you read the instructions for  iPhone, it says turn off the Bluetooth connection,   turn off airplane mode. There's not really  a great way for an ordinary person to  

verify that. What we're also pointing out  here is that every device, not just AirTags,   every device is an AirTag, right? So we actually  need a way to detect all Bluetooth devices. We   don't need one-off solutions that only work on  iPhones and then take three years for Android   to catch up and then leaves everyone who  runs Linux completely in the lurch. We   actually need a solution for everyone and for  every possible device. So that's the talk.   Here's some tools. So the biggest tools  are used here were the PDF viewer.  

The second most used tool was an OUI  database, and then finally   And then some other super handy tool is nRF  Connect. nRF Connect is the only multi-platform   Bluetooth scanner right now that's allowed,  because they're actually allowed on the Apple   Store. Apple doesn't really allow hacker  tools in their App Store, however, they do   use the Nordic semiconductor Bluetooth chips.  So somehow Nordic got an app in their store.   Yeah. So we're building this thing called rfparty.  It runs on Android and then it's on Mac, Linux,  

and Windows coming soon. And then finally, we have  some open hardware as well. And then all of this   is open source. You can get it on the App Store  and help us get home. Party on, everybody.

2023-09-23 01:55

Show Video

Other news