DefCon 23: Presentation notes

Aug 20, 2015

Here and behind the cut are the notes I took at DefCon 23. They are necessarily incomplete because they're notes, and I refer you to the speakers' presentations and eventually video recordings for the whole story.

Applied Intelligence: Using Information That's Not There - Michael Schrenk

  • Knowing your operations and resources
  • More effective and efficient
  • Competitive intelligence
  • What's happening outside of your business
  • Know your competitors and markets
  • Collect, analyze, and apply external data
  • There is a professional association of people who do competitive intelligence
  • Applied intelligence is actionable and changes what you do
  • Most is useless unless you develop it
  • Overcollection is a big problem, and is done out of obligation ("Getting everything means you're doing it right.")
  • Analytics != intelligence
  • Data doesn't always change what you do
  • Aggregate data can be used to make projections about what might happen
  • Information that isn't there is metadata
  • Metadata describes data, provides context for information
  • Parametrics must be collated and created
  • Embedded is user created, like image and document headers
  • Example: Tony Blair's Iraq dossier was plagiarised from a UK grad student, discovered because the student's word processor left evidence in the document's metadata
  • Example: The existence of Google Drive was accidentally leaked in the presenter's notes in a Powerpoint presentation published by Google
  • How the NSA uses parametric metadata: Phone number, timestamp, duration, identity of who placed the call
  • Any Android app or Perl script can do this
  • Establishes call relationships, which can then be profiled
  • Anomalies and outliers are identified
  • Burner phones are identified as oddities
  • Phone call patterns can be correlated to other events
  • NSA goes three jumps out to find people of interest
  • Telephony metadata is more rich than actual recordings of phone calls
  • OPSEC - review day to day operations, see what intelligence an adversary can collect
  • Employment postings imply strategic plans (filling work roles to accomplish specific tasks)
  • Social media: People leak EVERYTHING
  • Order fulfillment: feedback from a vendor and tracking tells much
  • Online stores reveal pricing strategies, what you do and don't stock
  • Procurement patterns leak financial health; so do cheque numbers (the rate at which they increase shows how much you buy and how fast)
  • Regulatory: Financial, court filings, variances
  • Sequential numbers are a huge threat
  • Unique values are needed
  • Exposes a little bit of the database schema from its indices
  • How the US government almost let an entire generation fall prey to identity theft:
  • Social Security Numbers have the format area-group-serial
  • Between 1935 and 1972 SSNs really were sequential
  • If the Social Security Administration hadn't stopped issuing sequential SSNs in 1972, by 1986 (when all dependents had to be issued SSNs) families would have had runs of SSNs
  • Find a dependent, see if there were any siblings, guess their SSNs
  • When you die, your SSN gets published as D-tagged (meaning, the issuee is deceased)
  • Bubble or bad month?
  • Older numbers were sequential
  • Find the orders that were close together which had sequential values
  • Last order number in October - last order number in September == number of orders from competitors
  • What else can we learn?
  • What do you know?
  • Major privacy problems for sellers of unique items: Real estate, vehicles, original art, first editions, autographs
  • Automatically collect inventory of competitors by what they have for sale
  • diff their inventories a few days apart
  • Protection: search for something we sell
  • Look for stuff getting dumped, buy them to manipulate the market and protect our investment
  • Buying underpriced items to add to our inventory and then selling at our usual price

Cracking Cryptocurrency Brainwallets - Ryan Castellucci

  • Don't use them.
  • Start with eight (8) diceware words
  • Cryptocurrencies: Control of the private key == control of the linked funds
  • Brainwallets use a passphrase to deterministically generate the private keys and associated public addresses (the idea being, if it's really hard to guess the passphrase, it's really hard to recreate the private keys and gain access)
  • Encrypted wallets give better security, deniability under the Fifth Amendment
  • Weak passphrases are easily guessed
  • Guess and check against the blockchain
  • Naive brainwallet algorithm: sha256(passphrase) == private key
  • Generate ECDSA public key from private key
  • version byte + ripemd160(sha256(computed ECDSA public key)) == public address
  • Brainwallets turn the blockchain into a public password hash database
  • No salted passwords
  • The hashing algorithms are not slow enough to deter cracking
  • And, there's money at stake!
  • Hash passwords and passphrases, compare to known cryptocurrency addresses
  • 10,000 guesses/second easily
  • Feed the cracker wordlists, password leaks.... and holy shit.
  • One wallet was broken with 250 BTC in it
  • Sent a fraction of a Bitcoin (0.31337 BTC) to the broken address, then send them back to a vanity address
  • The TX output went somewhere else (change address)
  • Big and old outputs take priority over smaller or younger transactions
  • Sent all BTC back from the change address
  • The target just didn't notice
  • The target was a miner in the DeepBit mining pool before it went offline
  • The pool owner got in touch with the target
  • Hilarity ensued.
  • Smart people can pick bad passphrases, too
  • How many people understand how effective cracking tools are?
  • Brainflayer - An open source Bitcoin brainwallet cracker
  • Requires libsecp256k1
  • For 1,000 instances, costing about $175us you can check 9 trillion passphrases in one hour
  • Bad guys will use someone else's Amazon EC2 account so they don't have to pay for it
  • Approximately 80 million Bitcoin addresses are historically known
  • Bloom filter to check them all simultaneously (no match, probable match)
  • A slower check finds and weeds out false positives, of which there are approximately one in 380 million
  • Can crack multiple blockchains simultaneously
  • Brainflayer uses a 512 megabyte Bloom filter
  • Addresses are already hashed so they only need to be bitsliced
  • Leaked wordlists make it easy
  • Passphrases take a little work: Lyrics, Wikiquote, Project Gutenberg
  • Normalize raw data, clean everything up, algorithmically generate variations
  • Electrum seems to strongly generate a twelve (12) word passphrase that seeds deterministic generation of an encrypted Bitcoin wallet
  • Encrypted paper wallets
  • Passphrase strength
  • Computer generated random numbers - count the bits to determine strength
  • People are a lot harder to quantify the entropy of
  • Dropbox's zxcvbn seems to do pretty well
  • Microsoft determined that the average user's passphrase has about 40 bits of entropy
  • Key stretching with algorithms like scrypt, bcrypt, sha512crypt (which isn't SHA-512), pbkdf2, ...
  • Users don't care because they don't notice, crackers will cry
  • It's hard to get past something taking one second without running into UX problems
  • Another approach is to split the inputs, which would take hours for a user to recover their wallet. Crackers, on the other hand, would be fucked.
  • There appears to be roughly six active brainwallet crackers right now
  • They are employing sophisticated techniques and are competing with one another
  • Botnets appear to be in use
  • They are also looking for brainwallets that use multisignature addresses
  • They seem to have huge rainbow tables
  • To be effective they must be actively monitoring transactions on the Bitcoin network
  • 64 billion hashed passphrases can fit on a $120us 4 terabyte hard drive
  • There is evidence that suggests that there are 100 billion passphrase rainbow tables in the wild
  • Pretty much every wallet involving song lyrics and common wordlists is emptied immediately
  • Cryptomnemonics are the way to go

Do Export Controls on “Intrusion Software” Threaten Vulnerability Research? - Tom Cross and Collin Anderson

  • Dual-use technologies: Stuff that can be used for military purposes as well as civilian purposes, like very precise GPS and crypto
  • Multiple countries, bilateral agreements to prevent the exportation of stuff
  • 2013 - some controls on intrusion software
  • All signatories are compelled to implement these restrictions
  • BIS trying to implement (i.e., enforce)
  • Right now, it is open for comments
  • Member states dictate license policies as they see fit
  • There is a difference between Wassenaar language and the implementation controls
  • There are different classes of implementation controls
  • Export is controlled by the US Department of State with ITAR
  • Dual use technologies are export controlled by the US Department of Commerce
  • EAR - Export Administration Regulations
  • Intrusion software falls under these regulations
  • There are still export controls on crypto even though it seems like we won the Crypto Wars
  • Entities still get prosecuted, for example, a subsidiary of Intel in 2014
  • You still have to ask, but the answer is usually "yes"
  • Daniel J. Bernstein vs. the US Department of Justice
  • When publishing source code, you have to send the BIS a link to it. Most people don't.
  • License Exemption ENC: Linking to other people's crypto libraries is exempt (note: I can confirm this, Project Byzantium retained a lawyer who said the same thing)
  • In the corporate world, deals trump export controls and people who raise the issue get ignored
  • Businesses regularly ignore these regulatory landmines
  • In the late 1980's, India tested a nuke
  • They wound up on the Denied parties list which made them persona non grata for lots of potentially sensitive technologies
  • In 2007 India did something (I don't know what) which got them removed from the denied parties list and they immediately started contacting everybody that froze them out and started making overtures
  • IP network surveillance systems
  • Originally a French idea
  • Post-Qaddafi Libya, French companies sold Libya entire surveillance centers in toto
  • Deep packet inspection: There aren't many products at this time but that's going to change
  • The Wassenaar Arrangement rules have lots of Boolean operators which are critical to understanding its implementation correctly
  • If something is generally available it can't be controlled. For example, if you can buy it at your local computer store or check it out of Github.
  • Off the shelf stuff
  • Intrusion software: software designed or modified to evade detection or defeat protective countermeasures
  • Extraction or modification of user data
  • Modification of execution paths to allow the execution of externally provided instructions
  • Intrusion software itself is not export controlled
  • Technology for the development of intrusion software, like technical data, technical assistance, and blueprints
  • Full disclosure and open source are not subject to EAR
  • 15 CFR 734.3 - Stuff that's publicly disclosed
  • Vulnerability research - disclosure to a vendor?
  • BIS doesn't know, they keep waffling on this
  • They seem to assume that when a security researcher discloses to the vendor, the vendor will disclose everything publicly. This isn't usually the case. It's pretty rare, actually.
  • Coordinated disclosure and bug bounties do seem to count for the purposes of EAR
  • Training and classes count, with the exception of private training sessions.
  • OCONUS travel doesn't count as long as you're not planning a trip to give crypto software to whomever you'll be meeting
  • ICE breakers - weaponized exploits - definitely count
  • Disclosure of exploitation capability or research to cow-orkers that are foreign nationals is considered an ITAR and WA violation. It's a USian idiosyncrasy of their implementation of the Wassenaar Agreement.
  • Debuggers and exploit generators, if specifically designed for the purpose of exploit development are covered.

Machine vs. Machine: Inside DARPA’s Fully Automated CTF - Michael Walker & Jordan Wiens

  • http://ccdemo.cloudapp.net
  • Machine learning
  • DARPA's Open Grand Challenges (X prizes, basically)
  • Cyber Grand Challenge
  • InfoSec as adversarial contest of the mind, like checkers, chess, or go (on a 9x9 board)
  • 1970 - the ACM created an all-computer chess league
  • Cellular automata on a 19x19 board (10^76 possible configurations)... there are roughly 10^84 atoms in the universe...
  • Poker with multiple opponents
  • Model player vs. player interactions that don't involve the player
  • Operating with incomplete information
  • Non-zero sum game - lose once and you're done
  • Capture the Flag - Multiple opponents comprised of 15 large-ish teams
  • Defense - live detection and patching of vulnerabilities
  • Offense - Steal flags from everybody else
  • Referee of the competition randomizes network connections so you can't precisely target who you're running
  • Conversely, you don't know who's running your part of the CTF network
  • If you put your CTF network into autistic mode you lose
  • Move as fast as you can
  • All new protocols are developed, so using existing protocol dissectors doesn't work
  • Binary reverse engineering of everything
  • Write your own scanners
  • Figure out what the other side has...
  • The search space of CTF is virtually infinite
  • Synthesize logic to interact with unknown target software
  • https://github.com/cybergrandchallenge
  • http://repo.cybergrandchallenge.com/
  • DefCon CTF: 10 challenges, 48 hours around the clock
  • DARPA's CGC cluster was able to win 131 in 24 hours straight
  • Was able to synthesize proof of vulnerability in 73% of target software
  • Input and logic of exploit
  • Can synthesize fixes with some preconditions
  • Was able to patch 100% of 590 known bugs in the corpus
  • (dixie-flatline.darpa.gov)
  • Novel VR software to visualize the execution of software in memory
  • Hilbert curve to maintain temporality and locality of code path execution
  • Can display the execution of software over time without needing the source code or even looking at the assembly language
  • The code path shown in the demo was generated and submitted by the project
  • Probably the tightest binary patch it knows how to write

Remote exploitation of an unaltered passenger vehicle - Charlie Miller and Chris Valasek

  • The paper dropped the day after DefCon, with tools
  • Public Service Announcement: Stop saying "unhackable." You just look like an idiot.
  • Wi-fi vectors, cellular access...
  • Head unit payload
  • Flashing the CAN chipset remotely
  • Remote attack surface is amazing
  • Bluetooth, telematics over cellular, wi-fi, RFID chip in the key, TMPS, remote keyless entry, ...
  • Brace yourself, apps that run on your computer's head unit are coming.
  • Inject exploit, communicate with the CAN
  • The CAN protocol needed to be reverse engineered, so they wrote a sniffer to facilitate this
  • Sending arbitrary CAN messages
  • Used a 2014 Jeep Cherokee as their testbed
  • Ripped apart the Uconnect 8.4AN RA4 unit from Harman Kardon, found a cellular radio on board
  • 32-bit Texas Instruments ARM CPU running QNX
  • Didn't have to jailbreak anything to exploit, but it was for the basic research
  • Ultimately, the most straightforward means of exploitation is sticking a USB key into the head unit
  • The testbed in question has a wireless access point built into it for the passengers which costs $35us/month to enable
  • Protected with WPA2
  • Automatic WPA2 password generation seeded with the time the car was first started at the factory
  • Determine when the car was first started, which means between 7 and 15 million guesses (which takes about an hour)
  • Time is synched from the cellular net
  • Uses the Sprint PCS data network for connectivity
  • Requires a Sprint phone to get access
  • Defaults to 01-01-2013 at 00:00:00 hours GMT
  • There are only 10-20 possible passwords used. Ever.
  • Runs D-Bus on port 6667/tcp
  • Allows anonymous interaction
  • Used D-Feet to connect to and browse the services D-Bus offered
  • Nothing really exploitable here, but there didn't need to be.
  • Lots and lots and lots of remote interaction through car-side Lua scripts that were riddled with remote command line injection bugs. So many, in fact, they gave up looking for them.
  • D-Bus runs as root. You should be crying now.
  • There is even a method call named Execute that will run any shell command you give it. As root.
  • And they have netcat installed. Which you can run as root.
  • The currently active internal environment can be manipulated remotely.
  • They were able to remotely disable all physical controls inside the car
  • The services running on the car are bound to all of the network interfaces, including the IP address of device ppp0, which is the Sprint data network interface
  • They bought a cellular femtocell from Sprint
  • Contacted the RPC interface over cellular through it because it thought it was a 'real' Sprint cellular tower
  • They were able to jack the Jeep at a distance of 30m
  • (Jailbreaking the femtocell was necessary to get telnet access)
  • Nationwide access to all the cars. All of them.
  • They then masscan'd the entire Sprint cellular data network (21/8 and 25/8)
  • They were able to query the VIN of each IP address to see if it was a car... wait, what?
  • Query the GPS coordinates of the VIN and you know where the car is
  • 18 vulnerable models manufactured since 2013
  • Their analysis showed that there are approximately 1.4 million vulnerable vehicles on the road right now.
  • Figured out how to relay arbitrary CAN messages from the OMAP chip to the V850 chip through an undocumented serial line on the board
  • Nice airgap, Chrysler.
  • "You know CAN message #5? Send one."
  • Downloaded the V850 chip's firmware
  • No code signing, so you can write your own and the V850 will accept it just like it'll accept the manufacturer's
  • Reversed the firmware, wrote a backdoored one, and got the car to reflash the V850 chip
  • Patched the SPI parser to jump to their own code at the very end of the firmware which would let it accept arbitrary CAN messages across the serial line
  • The firmware also happens to be full of remotely exploitable memory corruption vulnerabilities that are exploitable
  • Oh, and you can reflash the v850 chip remotely, i.e. over a network connection
  • It took a couple of months to pull that off
  • The head unit goes dark for about 30 seconds, then comes back up
  • They can alter the dashboard's readouts to display arbitrary values (for example, you're driving 40 miles per hour but the speedometer says you're in park and going 0 miles per hour)
  • Jam the door locks open or shut, lock or unlock the doors, disable or jam the brakes...
  • Knock the engine control unit offline
  • Impersonate the ECE
  • Send messages!
  • Steer the car remotely
  • They were able to parallel park solely by exploiting the vehicle's onboard computer
  • This no longer works because Sprint blocked port 6667/tcp on their data network
  • Additionally, those 1.4 million cars have been recalled

Looping Surveillance Cameras through Live Editing of Network Streams - Eric Van Albert & Zach Banks

  • Prior art
  • Tape a picture over the camera lens
  • Read TVtropes
  • Display <- ethernet -> device <- ethernet -> camera
  • Ethernet cable: Four twisted pairs
  • 10 and 100 base T: Two pairs carrying data, one pair for negotiation, one unused
  • If you patch into the line, you add load and degrade the signal
  • Gigabit Ethernet uses all four pairs of wires for simultaneous bidirectional transfer
  • Active attack required to not mess up the traffic
  • Become a network node doing a man-in-the-middle
  • Strip the cable's sheath to expose the pairs
  • Developed their own tap board to make this possible
  • Eight double-pole-double-throw latching relays with a switching time of 1 gigahertz (fast enough to use on Gigabit Ethernet)
  • Punchdown connectors that don't cut the wires
  • Impedance matched traces
  • USB powered and controlled
  • SSH controllable(!)
  • Your attacking machine gets patched into the third side of the active tap
  • Punch the wires into the appropriate positions on the tap board
  • Cut the wires in the middle, so everything gets routed through the tap board (this is the default mode)
  • Failsafe - will fail closed, a big capacitor will provide enough power to cause the relays to cut back to "I'm not here" mode
  • Tamper evident - onboard accelerometer will detect the board moving and do something programmable
  • Switching to active mode will cause a short blip but TCP traffic streams won't even break
  • Complete control over the OSI stack
  • Software needs to suss out the video stream from the securicams
  • Ethernet -> IPv4 -> UDP -> RTP -> H.264
  • LENS - Live Editing of Network Streams
  • MITM stack written in Python
  • Forge packets in realtime to preserve traffic streams
  • Allows for adding additional layers to filter data, namely, turn a video stream into a loop
  • Looping video involves monkeying with the RTP stream
  • RTSP: stream session data - TCP
  • RTCP: CODEC info - UDP
  • RTP: video data - UDP
  • ffmpeg can edit video streams
  • Looping, masks, transforms
  • Record a few seconds of RTP
  • Use ffmpeg to make a video loop
  • Forge a network traffic stream that looks like it came from the camera
  • The timestamp will go in circles (00:00:01.. 00:00:02.. 00:00:03.. 00:00:01..) unless you generate your own to account for this
  • Use ffmpeg to merge the original stream's timestamp pixels with the looped video to hide the loop
  • Extend to HTTPS, USB, HDMI, ...?
  • Crypto would have to be MITM'd, which should be easier because SSL/TLS in embedded systems generally sucks
  • Use ImageMagick to run transforms on images
  • Live-edit TCP streams...
  • https://github.com/ervanalb/lens
  • The attack computer's specs don't need to be very much. They used a Chromebox.
  • The MAC addresses on either side are automagickally spoofed
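
An added detection-side example, not code from the talk or from the LENS project: a minimal RTP header parser plus a detector that flags the two ways a looped camera feed shows up in the stream. A naive replay makes the sequence number and timestamp jump backwards; a replay with rewritten headers (as described above) stays continuous, but the same run of payloads comes around again. The packet builder, SSRC and frame payloads are constructed for the demo.

```python
import hashlib
import struct
from collections import deque

# Fixed 12-byte RTP header: V/P/X/CC, M/PT, sequence, timestamp, SSRC
RTP_HEADER = struct.Struct("!BBHII")


def parse_rtp(packet: bytes) -> dict:
    """Split an RTP packet (no header extension) into its fields and payload."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F  # contributing sources, 4 bytes each, precede the payload
    payload_start = RTP_HEADER.size + 4 * csrc_count
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "marker": bool(b1 & 0x80),
            "payload_type": b1 & 0x7F, "payload": packet[payload_start:]}


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes,
              pt: int = 96, marker: bool = False) -> bytes:
    """Constructed RTP packet for the demo (PT 96 is a typical dynamic H.264 type)."""
    b1 = pt | (0x80 if marker else 0)
    return RTP_HEADER.pack(0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


class LoopDetector:
    """Per-packet checks on one RTP stream:
    - sequence number or timestamp moving backwards (naive replay of a capture)
    - a run of `window` consecutive payload digests seen before (replay with
      rewritten, continuous headers, which the header checks alone won't catch)
    Digest matching is defeated by re-encoding the loop (e.g. merging in the
    timestamp pixels) and can false-positive on byte-identical skip frames of a
    static scene, so treat it as a signal to investigate, not proof."""

    def __init__(self, window: int = 4):
        self.window = window
        self.last = None
        self.recent = deque(maxlen=window)
        self.seen_runs = set()

    def feed(self, packet: bytes) -> list:
        hdr = parse_rtp(packet)
        alerts = []
        if self.last is not None:
            # modular differences so legitimate 16-/32-bit wraparound is not an alert
            if (hdr["seq"] - self.last["seq"]) & 0xFFFF > 0x8000:
                alerts.append("sequence number went backwards")
            if (hdr["timestamp"] - self.last["timestamp"]) & 0xFFFFFFFF > 0x80000000:
                alerts.append("timestamp went backwards")
        self.last = hdr
        self.recent.append(hashlib.sha256(hdr["payload"]).hexdigest())
        if len(self.recent) == self.window:
            run = tuple(self.recent)
            if run in self.seen_runs:
                alerts.append("payload run repeated (possible loop)")
            self.seen_runs.add(run)
        return alerts


if __name__ == "__main__":
    det = LoopDetector(window=4)
    ssrc = 0x1234ABCD
    # six constructed "frames", then the same six replayed with continuous headers
    live = [build_rtp(i, 3000 * i, ssrc, b"frame-%d" % i) for i in range(1, 7)]
    replay = [build_rtp(6 + i, 3000 * (6 + i), ssrc, b"frame-%d" % i) for i in range(1, 7)]
    for pkt in live + replay:
        hdr = parse_rtp(pkt)
        print(hdr["seq"], hdr["timestamp"], det.feed(pkt))
```

In a real deployment the `seen_runs` set should be bounded to the loop lengths you care about (a few minutes of video), and the SSRC should be checked too, since a forged stream that changes SSRC mid-flight is its own anomaly.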

Hacking the Human Body/brain: Identity Shift, the Shape of a New Self, and Humanity 2.0 - Richard Thieme

  • Biotech is accelerating along with hardware
  • Frame the human condition differently
  • Humans as open systems of information and energy
  • The intersection of infosec space
  • "Humplings" - people who live in the middle (the "hump") of the bell curve
  • Memories as proteins... alterable
  • (Fascinating - I haven't heard of this! Also mentioned by Rudy Rucker in Saucer Wisdom back in 1994)
  • 3D printed heart valves, trachae, bladders
  • You can't grasp the totality of what's happening because there is too much to grasp
  • Projects in military and intelligence
  • Networked amateurs - biohacking is hacking
  • Advances don't help people, but confer advantages on the people who created them
  • "Bad intentions drive innovation and application."
  • Governments do not have the internal capacity to foresee and react to weaponized innovation
  • Identities are a function of boundaries and personal boundaries are fading
  • The Society of Mind by Marvin Minsky
  • Automatic integration of new agents and inputs
  • We don't refer to the Net today, we just use our interfaces to it and think nothing of doing so
  • We unconsciously filter out our infrastructure
  • No context, just content
  • The tricky part is processing the data
  • DARPA's cortical modem (and another) (obH+ Magazine article)
  • Argus II retinal prosthetic by Second Sight to replace damaged vision
  • (note: There was somebody walking around at DefCon with an Argus II implant!)
  • Gene therapy
  • Inducing tetrachromacy?
  • More receptors in the retina
  • No appreciable neurological differences between tetrachromats and trichromats
  • Practice using this ability!
  • There may be many out there but we just don't know it
  • (note: people with nonstandard sensory modalities often have no idea that other people "aren't like me" until it specifically comes up in conversation)
  • Biomimetic robots
  • Electric telecontrol of insects
  • Sheep whose livers are 80% human
  • New kinds of blood cells
  • Mice whose brains are 1% human (try 50% human!)
  • Genetic chimeras (including natural genetic chimeras)
  • DARPA RFIs and RFPs are great sources!
  • Brainnets
  • Could we use brainnets to augment ourselves? (spoiler alert: Yes!)
  • "We have no allies, we have no friends, only targets."
  • Biology is technology
  • Bioelectricity to manipulate the body
  • Regenerative medicine (also, this)
  • Internal microbiomes are as individual as fingerprints
  • Recording and uploading memories (proof of concept in rats)
  • Recovery of lost memories by restoring access
  • Guided memory formation
  • Selective memory targeting (and this)
  • Thync
  • (note: and Foc.us!)

REpsych: Psychological Warfare in Reverse Engineering - Chris Domas

  • Anti-reverse engineering techniques: Encryption, obfuscated code, anti-debugging, some combination of the above
  • `objdump -d -Mintel a.out` - disassemble base executable
  • The MOV instruction is Turing complete
  • mov destination_address source_address
  • That would be really hard to make sense out of, no?
  • Domas wrote a C compiler that only generates MOV instructions
  • How would an experienced reverse engineer approach such an executable?
  • "Nope."
  • Code doesn't have to be hard to reverse, you just have to make them give up
  • Psychological warfare
  • Influence the reverser as they read the code by sending messages, like strings hidden in the code
  • Manipulating the entropy of the binary
  • Manipulating the displays of visual reverse engineering tools
  • Unfortunately, most people won't see it and people reversing the binary won't care
  • Target the RE tools, like IDA Pro
  • Manipulate the control flow graphs algorithmically
  • After too many late nights the CFGs sometimes start looking like things...
  • Send a message through the CFG!
  • Draw pictures or text?
  • Draw regular horizontal rows using switch statements and orphan JMP instructions that go to the same place
  • Draw vertical lines with any non-branching code
  • Combine the two, make an Etch-A-Sketch in IDA Pro!
  • IDA tries to align blocks in neat rows while also minimizing branching distance
  • Hours of tinkering couldn't make it work
  • We have control over the rows, but IDA Pro controls the columns
  • Force IDA Pro to keep everything in place, i.e. a tightly woven CFG
  • Nodes in the CFG make pixels
  • Delete arbitrary nodes/pixels
  • Turn the CFG into a dot matrix display
  • The presenter was dead set on having a perfect CFG to draw upon
  • That idea ultimately didn't pan out, either, but it led to something that did
  • Nodes that are "on" have code in them, nodes that are "off" don't, but they're all still in the CFG
  • That seems to work
  • PoC: Draw a circle
  • "Off" still needs two lines of code/instructions
  • Reduce impact of these two lines, increase content
  • Vector multiplication instructions did the trick!
  • Add a junk code generator
  • Bitmap to %ASSIGN converter
  • We have pixel values!
  • Draw a smiley face!
  • To make this work we need to have a single column down the left-hand side that is always on
  • The REpsych toolchain
  • Generates assembly that forms images in control flow graphs
  • A bitmap-to-assembly converter
  • Skull and crossbones, fat kitteh, trollface, an upraised middle finger...
  • The reverser is forced to stare at your embedded message
  • Crush their souls.
  • "DESPAIR."
  • "SPOILER ALERT: YOU FAIL."
  • "THIS GETS WORSE AND WORSE UNTIL YOU DIE."
  • Go grayscale!
  • Embedded selfie!
  • Embedded QRcode!
  • Goatse!
  • PoC demonstration: Creepiest. Malware. Ever.
  • Scans the hard drive of the analyst for images.
  • Rewrites itself to embed one of the images chosen at random to mess with the analyst.
  • Load the malware, run it, it already has a breakpoint set, it doesn't look like it did anything, look at the call flow gra-... oh, fuck.
  • It pre-sets a breakpoint for reversers, just to call their attention to it.
  • When the malware rewrites itself based on your personal files, it might be time to find a new line of work.
  • Doing this required 14 lines of assembly language and 328 preprocessor macros

Knocking my neighbor’s kid’s cruddy drone offline - Michael Robinson

  • The neighbor's kid creeps on me with his drone at night, and it's really obvious what he's doing
  • Everybody is trying to regulate UAVs
  • Most restrict government or commercial use (the FAA)
  • Non-commercial hobbyist use is largely unrestricted
  • Some known no-fly zones: Washington, DC; five mile radii around airports; military bases; launches from the land of national parks (though flying over national parks is legal); temporary flight restrictions and disasters; stadiums; presidential visits
  • Maximum of 400 foot flight ceiling
  • No weapons
  • Must be within line-of-sight at all times
  • 16 states have their own laws
  • Can you force a drone down?
  • The Parrot Bebop Quadcopter is a flying wireless router!
  • GPS/GLONASS navigation system on board
  • If its altitude is above 10m it is supposed to automatically return home
  • If its altitude is 10m or less, it goes to 10m and returns home
  • (note: wait... so how does it fly? gotta see the latest revision of the slides, that doesn't make sense.)
  • If it has no command-and-control signal for 30 seconds, it goes home
  • Used a Wifi Pineapple to sniff the drone-iPad link
  • Deauthentication attack to disconnect the iProduct from the drone so it'll go home, and instead it landed and powered down
  • While connected to the drone, NMap it and it has FTP and telnet running
  • FTP in (no login required) and you are dropped to a directory on the SD card where the videos and thumbnails are kept
  • Replace the videos... what could possibly go wrong?
  • Telnet in, you'll find a three year old busybox and it drops you to a root shell. Again, no authentication required.
  • There are a few shell scripts in /
  • One of them is called "shut down"... and it crashes the drone! Literally. The motors shut down and it dropped like a rock.
  • What about simultaneous connections to the same drone?
  • Deauth one and you get into a race condition to be the next one to connect
  • The next to connect will have bad telemetry, in particular an incorrect altitude reading
  • The Sky Controller bundle is its own wireless access point, too, so now there are two deauth targets to pick from.
  • Disrupting GPS is highly illegal to do
  • The authorities will probably not catch you if you do it fast, and only once, because the amount of potential damage seems very small
  • (note: if you want to find out how to do this you can research it yourself. I don't need to get my lawyer to sign off on this blog post.)
  • If the drone can't get a GPS lock it'll just hover where it is, being blown around by air currents until it runs out of power
  • Its starting point does not update
  • Introducing a strong magnetic field in the vicinity of the drone did nothing
  • What about a bigger drone, like the DJI Phantom 3?
  • It's capable of geofencing, has a 2km range, uses GPS and GLONASS for navigation, and it's very sensitive to EMI and requires regular recalibration
  • You cannot issue updates to the drone
  • Doesn't use wifi
  • If you disrupt GPS, it goes into drift mode
  • The control app has a database of fly-safe and no-fly areas called .flysafeplaces.db
  • This database is very detailed and editable. Oops.
  • The video feed on board goes out when the on-board navigation system goes out
  • In a good wind, the drone could crash
  • In the presence of a strong magnetic field it can't get a compass lock and will refuse to launch
  • Seed hard drive magnets around your property?
  • Could probably spoof GPS coordinates with the right equipment