Notes from Thotcon 0x0a.

May 15 2019

My notes from Thotcon 0x0a:

Hacking Con Badges for Fun and Profit

  • Given by an EE
  • Badge hacking started with DC23, HHV.
  • Turned his DC23 record-badge into an analog clock.
  • AND!XOR's DC24 independent badge.
  • Maple Mini STM32.
  • Live spectrum analysis of 20-20KHz as an add-on.
  • Mic, pre-amp, FFT running on the uc.
  • Wired into the badge, rock-and-roll.
  • Inspiration and OSINT - look at the badge when it's announced, think about it
  • Get ideas
  • PoC - if you don't have this, you're not going to have anything
  • dev & debug
  • DC25 - NRF52 - 503.party
  • Blow up any images you can and start thinking.
  • BMD-300 module
  • OxVox - synthesizer and firmware for the badge.
  • Thotcon 0x09 badge - Thotcoin miner
  • Arduino to toggle the pin to mine as many coins as possible
  • Spoiler alert: 0 coins
  • ESP8266, similar to the Sparkfun devkit.  Picaxe x4.
  • Rewrote the EEPROM location that holds the coin count and changed the value.  :)
  • Added a speaker and amp, built a CW repeater for morse code.
  • It's not a badge, it's a development board.  Changes how you think about it.
  • Addons - badges for your badges.
  • DC26 Shitty Add-On (SAO) connector: four-pin I2C interface, VCC is marked.  Male pins.  0.1" pin pitch.
  • Master badges have female headers.
  • SAO Genie, based on TPM Genie, PoC for I2C sniffing.
  • Badge -> SAO Genie -> Addon to monitor traffic, serial interface to hook to a computer.
  • Destination address, packet contents.  Passthrough, inject, modify, block packets.
  • DCZIA badge - 4x4 keyboard
  • Crappy audio processing unit to make a sequencer or a synth.
  • https://github.com/mediumrehr
  • @mediumrehr
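
Added example (mine, not code from the talk or from the SAO Genie project): what an I2C interposer like SAO Genie has to do on the wire.  It decodes a sampled SDA/SCL capture into transactions (address, R/W bit, data bytes, ACK/NACK), then applies a pass/modify/block policy per target address.  The capture here is constructed by a small encoder standing in for a logic analyzer; the four-samples-per-clock timing, the transaction contents and the policy are all assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class I2CTransaction:
    address: int                 # 7-bit target address
    read: bool                   # R/W bit: True = master reads from the target
    data: List[int] = field(default_factory=list)
    acks: List[bool] = field(default_factory=list)   # one entry for the address byte, then one per data byte


def encode_i2c(txns: List[I2CTransaction]) -> Tuple[List[int], List[int]]:
    """Synthesize SDA/SCL sample streams (four samples per clock) for the given transactions.
    Constructed stimulus standing in for a logic-analyzer capture; an ACK is SDA pulled low."""
    sda, scl = [1], [1]                          # bus idle: both lines high

    def emit(s: int, c: int) -> None:
        sda.append(s)
        scl.append(c)

    for t in txns:
        emit(1, 1); emit(0, 1); emit(0, 0)       # START: SDA falls while SCL is high
        frame = [(t.address << 1) | int(t.read)] + list(t.data)
        for i, byte in enumerate(frame):
            bits = [(byte >> (7 - k)) & 1 for k in range(8)] + [0 if t.acks[i] else 1]
            for bit in bits:                     # data only changes while SCL is low
                emit(bit, 0); emit(bit, 1); emit(bit, 1); emit(bit, 0)
        emit(0, 0); emit(0, 1); emit(1, 1)       # STOP: SDA rises while SCL is high
    return sda, scl


def decode_i2c(sda: List[int], scl: List[int]) -> List[I2CTransaction]:
    """Recover transactions from sampled SDA/SCL: detect START/STOP from SDA edges while SCL is high,
    sample SDA on every SCL rising edge, group 8 data bits + 1 ACK bit, and treat the first byte
    after START as address + R/W."""
    txns, cur, bits, byte_index = [], None, [], 0
    for i in range(1, len(sda)):
        prev_sda, prev_scl, s, c = sda[i - 1], scl[i - 1], sda[i], scl[i]
        if prev_scl == 1 and c == 1 and prev_sda == 1 and s == 0:      # START / repeated START
            if cur is not None:
                txns.append(cur)
            cur, bits, byte_index = I2CTransaction(address=0, read=False), [], 0
        elif prev_scl == 1 and c == 1 and prev_sda == 0 and s == 1:    # STOP
            if cur is not None:
                txns.append(cur)
            cur, bits = None, []
        elif cur is not None and prev_scl == 0 and c == 1:             # SCL rising edge: sample SDA
            bits.append(s)
            if len(bits) == 9:
                value = int("".join(map(str, bits[:8])), 2)
                if byte_index == 0:
                    cur.address, cur.read = value >> 1, bool(value & 1)
                else:
                    cur.data.append(value)
                cur.acks.append(bits[8] == 0)
                bits, byte_index = [], byte_index + 1
    return txns


def summarize(t: I2CTransaction) -> str:
    acks = "".join("A" if a else "N" for a in t.acks)
    payload = " ".join(f"{b:02x}" for b in t.data)
    return f"{'R' if t.read else 'W'} 0x{t.address:02x} [{payload}] {acks}"


def genie_filter(txns, blocked=frozenset(), rewrite=None):
    """Interposer policy: drop transactions aimed at blocked addresses, optionally rewrite the rest,
    and pass everything else through unchanged."""
    out = []
    for t in txns:
        if t.address in blocked:
            continue
        out.append(rewrite(t) if rewrite else t)
    return out


if __name__ == "__main__":
    # Constructed traffic: a write of two bytes to 0x50, then a one-byte read from 0x3c (NACKed by the master).
    captured = [I2CTransaction(0x50, False, [0x00, 0x1A], [True, True, True]),
                I2CTransaction(0x3C, True, [0xFF], [True, False])]
    sda, scl = encode_i2c(captured)
    for t in decode_i2c(sda, scl):
        print("seen:", summarize(t))
    print("forwarded:", [summarize(t) for t in genie_filter(decode_i2c(sda, scl), blocked={0x3C})])
```

The decoder only looks at SDA edges while SCL is high and SDA level on SCL rising edges, which is exactly why an interposer can sit between badge and add-on without understanding the add-on's register map: address and direction fall out of the first byte, everything else is opaque payload it can log, alter or drop.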

From Dev to Security

  • LilBitEvil
  • Modern webdev is a holy-shit field, with a fucking broken ecosystem.
  • Security isn't really a priority for webdev.
  • Getting features out the door takes priority.
  • Infosec as the Department of NO.
  • Webapps are the new endpoint.
  • Infrastructure's getting harder, so the applications are the target now.
  • From the moment you have requirements, you have to think about security.
  • Dependencies dependencies dependencies...
  • I don't know which Defcon he went to, but that doesn't sound like Defcon.
  • Personal mission for getting into security.  Good luck, man.
  • Try to find a personal niche.
  • You have to have an understanding of how things work for the tools to make sense.
  • Hiding From the Internet
  • Open Source Intelligence Techniques
  • Coming into security from another field can lead to being typecast.
  • Figure out where you can go when you get into the field.  Just because you built webapps doesn't mean you want to do webapp security.  What if you like IR?
  • "Practice makes permanent."
  • Networking is crucial.  And it's hard because many of us are introverts.
  • If you carry yourself with respect, people will respond to you the same way.
  • They're all people.
  • Look for non-trad talent.
  • "Fortis fortuna adiuvat."  "Fortune favors the bold/brave."
  • Every company has a gap.  Figure out what it is and how you can fill it.
  • It's easy to get mixed up in bad stuff.  Do the right thing.  People are depending on you.
  • At the very least, you value your bank account.  Advocate for the people who can't protect themselves.

Adversary Based Risk Analysis

  • CISOs and defense teams making ineffective decisions.
  • Vendors make bad products.
  • Apply more critical thinking.  Use the scientific method, rigorous analysis.
  • Appetite for new theories and perspectives.
  • Understand your org, because that's what you're defending.
  • How it looks to the attackers is what matters.  What do they think about when planning.
  • What kind of IP, what industry, how big a fish are you, public or private, countries you operate in, how valuable the information is (if the value can be known externally).
  • Which adversaries are most likely?
  • Threat intel
  • No data feeds, indicators of compromise, sigs... actionable information about tactics, methods, processes, mechanisms used.
  • Motivation, resources, strategies.
  • It's hard to find because threat intel vendors don't get this stuff.
  • Dossiers about adversaries.  Diamond model: Adversary, infrastructure, victims, capabilities.
  • You want to look at the sociopolitical axis (who, why, located) and technical axis (infra, resources, tools, methods).
  • "All attackers are budget constrained."  -Dino Dai Zovi
  • "All attackers have a boss and a budget."  -Phil Venables
  • repeatability - capability to change the target and have the attack still work with the same success rate.
  • scalability - capability to launch similar attacks against multiple targets with minimal additional cost per target.
  • Attackers determine least costly and most valuable attacks based upon complexity of targets, number of targets, required success rate, speed of conversion.
  • Pro attackers work within organizations, with all that entails.  (Exploit their org to bog them down somehow?)
  • No adversary builds a custom playbook for your specific org.  They come up with general playbooks to deploy in the general case.  (Flexible enough for the specific case?)
  • Cyber count: 1
  • Grab the slides for the example dossiers.
  • 6D - detect/deny/disrupt/degrade/deceive/destroy
  • adversary economics - cost == minimum of (cost * success rate)
  • cost factors: expertise, time, money, politics
  • success factors: target commonality, probability, reliability, access
  • What can you do that will maximize the cost for the adversary?
  • "Kill whitehats"???
  • Use common and off-the-shelf stuff?  Their dev cost is too high.
  • Lowest cost for the defenders to implement?
  • Adversary evolution - attackers change tactics in response to what they find.
  • New techniques are developed as the success rate drops.
  • Predict new behavior.
  • "Based upon what they're going to find, this is what we think they'll do."
  • Mail gateways?  New phishing templates.
  • Endpoint protection appears?  Malware gets repacked, customized.
  • Probably won't see honeypots.
  • Rational adversaries will use the most cost-effective playbook to meet operational requirements.
  • (It's the irrational ones that you have to worry about.)
  • Do they change tactics by target to avoid attribution?  Prior knowledge of target?  Are they routinely bypassing COTS defenses?
  • Risk analysis.
  • Common threats vs. costly/unscalable/unrepeatable threats
  • Likelihood vs impact
  • CVSSv3 scores
  • Very few adversaries look for vulns in specific apps because they don't scale.
  • Scalable, repeatable attacks are more likely.
  • In most cases, issues should be scored on likelihood alone.  Treat everything as high impact.
  • Pro attackers often have political constraints.
  • Adversaries don't teach each other.
  • Analyze existing distilled intel.  Analyze research.  Collect raw intel.  Use expertise to build theories.
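
Added example (mine, not from the talk): the adversary-economics argument above as a small model you can actually run.  A playbook has a one-time development cost, a marginal cost per target (scalability) and a success rate (repeatability); the rational attacker picks whichever playbook yields the cheapest expected cost per successful compromise, and re-picks after every control you deploy (the "adversary evolution" point).  Controls are scored by how much they raise that cheapest option per defender dollar, and a brute-force search finds the control set within a budget that maximizes it.  The playbooks, controls, prices and rates are invented for the illustration, and "cost per success = total cost / expected successes" is my reading of the slide's cost formula, not the speaker's exact formulation.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Playbook:
    name: str
    dev_cost: float         # one-time: expertise, time, money to build or adapt the playbook
    per_target_cost: float  # marginal cost per additional target (scalability)
    success_rate: float     # fraction of attempts that convert (reliability, target commonality)


@dataclass(frozen=True)
class Control:
    name: str
    defender_cost: float
    success_multiplier: Dict[str, float]   # playbook name -> factor applied to its success rate


def cost_per_success(pb: Playbook, targets: int) -> float:
    """Expected attacker spend per successful compromise over a campaign of `targets` attempts."""
    total_cost = pb.dev_cost + pb.per_target_cost * targets
    expected_successes = pb.success_rate * targets
    return float("inf") if expected_successes == 0 else total_cost / expected_successes


def apply_controls(playbooks: Sequence[Playbook], controls: Sequence[Control]) -> List[Playbook]:
    out = []
    for pb in playbooks:
        rate = pb.success_rate
        for c in controls:
            rate *= c.success_multiplier.get(pb.name, 1.0)
        out.append(Playbook(pb.name, pb.dev_cost, pb.per_target_cost, rate))
    return out


def attacker_best(playbooks: Sequence[Playbook], targets: int) -> Tuple[str, float]:
    """The rational adversary runs the cheapest playbook that still meets its operational requirement."""
    pb = min(playbooks, key=lambda p: cost_per_success(p, targets))
    return pb.name, cost_per_success(pb, targets)


def rank_controls(playbooks, controls, targets):
    """Attacker cost raised per defender dollar, one control at a time; the attacker re-chooses its playbook,
    so a control that only hurts a playbook nobody was going to use scores zero."""
    _, baseline = attacker_best(playbooks, targets)
    rows = []
    for c in controls:
        _, after = attacker_best(apply_controls(playbooks, [c]), targets)
        rows.append((c.name, (after - baseline) / c.defender_cost))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def best_portfolio(playbooks, controls, budget, targets):
    """Brute-force the control set within budget that maximizes the adversary's cheapest remaining option."""
    best, best_cost = (), attacker_best(playbooks, targets)[1]
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            if sum(c.defender_cost for c in subset) > budget:
                continue
            _, cost = attacker_best(apply_controls(playbooks, subset), targets)
            if cost > best_cost:
                best, best_cost = tuple(sorted(c.name for c in subset)), cost
    return best, best_cost


# Constructed figures for the illustration only.
PLAYBOOKS = [
    Playbook("phishing", 5_000, 50, 0.30),
    Playbook("commodity_malware", 20_000, 20, 0.20),
    Playbook("custom_appsec", 200_000, 50_000, 0.80),   # per-app vuln hunting: reliable but does not scale
]
CONTROLS = [
    Control("mail_gateway", 30_000, {"phishing": 0.5}),
    Control("edr", 100_000, {"commodity_malware": 0.3, "custom_appsec": 0.9}),
    Control("appsec_program", 150_000, {"custom_appsec": 0.5}),
]
TARGETS = 1_000   # the attacker's campaign is aimed at many orgs like yours, not just you

if __name__ == "__main__":
    print("attacker's cheapest option today:", attacker_best(PLAYBOOKS, TARGETS))
    print("controls ranked by attacker cost raised per defender dollar:", rank_controls(PLAYBOOKS, CONTROLS, TARGETS))
    print("best portfolio under $150k:", best_portfolio(PLAYBOOKS, CONTROLS, 150_000, TARGETS))
```

With these numbers the mail gateway alone only pushes the attacker from phishing to commodity malware (a tiny cost increase), EDR alone scores zero because phishing was already the cheaper option, but the two together lift the cheapest playbook's cost by roughly 2x for $130k.  That interaction is the point of scoring controls against the adversary's next move rather than in isolation.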

Hacking While Stressed

  • Dr. Celeste Lyn Paul
  • Human factors of infosec, mostly on the expert side and not the end-user side.
  • Mental health, stress, burnout.
  • What her employer does, required boilerplate, why I didn't present this year...
  • stress - physical and emotional reaction to adverse events
  • acute - temporary
  • episodic - repeated, little time to recover - start of adverse health events
  • chronic - enduring events, no sense of control
  • work-related stress - demanding job, little control, effort/reward imbalance
  • fatigue, frustration (anxiety), cognitive work (effort to use memory)
  • hacking is a set of complex problems that require creativity and planning.
  • unpredictable environments, things never go as planned.
  • high risk/high reward environments
  • Cyber count: 2
  • average tactical op length: 5 hours
  • Formal analysis and study overview...
  • Measure biometrics to gauge stress.
  • When you're under polygraph, you get more stress than you intend...
  • Fatigue and frustration, before and after.  Physical and mental demand.  Time pressure.
  • Operator fatigue increased 16%, frustration increased 12%.  (from baseline)
  • Is that a lot?  Depends on the circumstances.
  • Can't eliminate stress.
  • jinfowar.com
  • Self assessments of performance were independent of physical or mental stress.  They did as well as they did regardless of the effort required.
  • The only factor performance was linked to was frustration.
  • locus of control - the extent to which you feel you have control over outcomes
  • Frustration correlated with inverse of control over situation.
  • mistakes are taken as personal failures because they care about the mission
  • stress is self-induced due to buy-in
  • This makes it hard to manage.
  • Cyber is hard.
  • Maslow's hierarchy of needs.
  • if you can't survive, nothing else really matters
  • deficiency needs - if you don't have enough, you are focused on gaining them - everything but esteem (dignity, freedom, acknowledgement, status) and self-actualization (personal growth, peak experience, ambition).
  • Maslow's hierarchy of hacker needs:
    • self-actualization -> mission, personal achievement
    • esteem -> reputation, recognition, respect
    • love and belonging -> camaraderie, teamwork, solidarity
    • safety -> authority, policy, support
    • physiological -> equipment, tools, access
  • Stress cannot be eliminated (short of eliminating stressors) but it can be managed.
  • mindfulness.  if you're running hot, have a spotter.  remember that it will be all right.
  • Creature comforts matter.  If you hurt, you can't think straight.  You don't want to be focused on physical problems.
  • Keep an eye on time.  You run down around five hours, give or take.  Take breaks.
  • As a manager, remember who you hired and why.

IMSI Catchers Demystified

  • cell site simulators/fake base stations
  • used by LEOs, military, PMCs
  • extreme secrecy - federal cases have been scuttled rather than divulging information
  • sometimes called Stingrays - this is one brand name made by Harris
  • IMSI - International Mobile Subscriber Identity
  • unique ID for a SIM
  • IMEI - International Mobile Equipment Identity - unique ID for the handset
  • GSM to LTE based
  • lots of speculation
  • collect IMSIs of people in an area (at protests)
  • localize phones, figure out locations
  • content interception(?) (can certainly be done, Kraken is OSS)
  • remote exploitation of baseband bugs?
  • used in highly adversarial environments
  • for about a decade, DHS/FBI have been giving them to local LEOs for domestic use
  • foreign (counter)intel?
  • abuse and mass surveillance
  • criminal use
  • network interference
  • RCMP acknowledged that they use them, and confirmed that they interfere with e911 (five minutes at a time, two minute cooldown)
  • US Senate wrote to the FCC about them, the FCC said they're used "in coordination" with the FBI, which doesn't have to comply with FCC regs, so fuck off and it's up to the FBI to do NDA stuff.
  • DHS was asked about foreign IMSI catchers in DC metroplex, and was it reported.  they confirmed "anomalous activity" but did not attribute it to IMSI catchers or entities.  DHS claimed that they have no technical ability to detect them, please give us more money to do it.
  • year-long pilot to look for IMSI catchers
  • anomalous activity was detected near "sensitive facilities" but can't attribute it and a few were actually real cell towers
  • legal framework is claimed to be the same as pen registers, trap-and-traces
  • pen registers don't count as 4th Amendment searches
  • no warrant required - third party doctrine
  • ECPA requires a court order - relevant to an ongoing criminal investigation
  • trap-and-trace records origins of incoming calls
  • usually lumped together with pen registers
  • wiretaps intercept content, not signalling traffic or metadata
  • is a search, does require a warrant
  • "Triggerfish"
  • capable of intercepting signalling and comms traffic, requires a warrant legally, so configure Triggerfish so it doesn't record comms content
  • some jurisdictions require warrants
  • even with a warrant, can you interfere with cellular?
  • Communications Act of 1934 (47 USC) - not really
  • section 2.807... US government is exempt
  • manufacturers got state governments to send form letters to the FCC that authorize sale to local governments.  FCC listened.
  • many of the documents you have to submit are public, so they wind up on the FCC website.  manufacturers got them to keep those docs secret, citing that they'd only be sold to LEOs and FBI coordination would be required.
  • FBI coordination letters may as well be more boilerplate.
  • NDA with FBI, FBI authorizes purchase, lots of interesting stipulations...
  • stipulations boil down to "STFU," including "Did you even use this at all?"
  • the FBI can ask you to drop the case rather than turn over evidence garnered from stingray use.  and this has happened multiple times.
  • Florida - ACLU sued Sarasota PD over public records requests - ACLU won - US Marshals seized all of the records they were supposed to get - "federal property, not subject to public records laws, fuck your court order"
  • probably not collecting identifiers of all users in an area because they can subpoena tower dumps from cell providers (Carpenter vs. US)
  • probably not intercepting content, CALEA
  • easier, cheaper, more reliable
  • content interception requires a warrant, anyway
  • carriers can (ab)use e911 for localization
  • GSM - RRLP
  • UMTS - RRC
  • LTE - LPP and SUPL
  • can LEO demand active application rather than handing over records?  unknown.
  • Roximity, now something else, can query network providers for cellular locations.
  • LEOs use and abuse this (LOVEINT, stalking)
  • IMSI catchers cannot be used for precise location.  cellular coverage is cell-based (duh).
  • direction finding works for finding the right front door to kick in
  • all cell sites are connected to a central switch, calls are handed off when moving between areas.  phones have to tell cells when they transfer, but not every time.
  • GSM fundamentals..
  • fun fact: GSM has to account for the speed of light (Timing Advance).
  • mobile stations (phones) scan channels, lock on and sync to Base Transceiver Stations, and receive System Information messages
  • Random Access Requests
  • Harris is the most prominent vendor - the actual Stingray
  • Some data has been leaked, but not much.
  • Triggerfish is an analog device, probably does content interception.
  • Triggerfish had a jack for direction finding output.
  • Gossamer - portable, hand-held IMSI (and TMSI, temporary IMSI) catcher; can do a DoS against phones to block calls, can DF.
  • There is a TDMA Stingray, too.
  • Kingfish - man-portable, Bluetooth palmtop with a gargoyle rig.
  • Amberjack DF antenna ($38k?!?)
  • Harpoon - power amps
  • Hailstorm - Stingray + LTE
  • Wire the modules together, start sniffing.
  • Only one publicly known photo of everything wired together.
  • Leaked price sheet states some of the capabilities
  • "collection"
  • Software manuals leaked and published by the Intercept in 2016
  • iDEN
  • "gemini mode" - DF and localization?
  • "GSM Interceptor"
  • survey mode - passive collection
  • logging - passive logging (paging, too?)
  • registration - IMSI, TMSI, IMEI collection
  • MSDF - Mobile Station DF - the phone continually transmits
  • RayFish...
  • LTE requires redirection/downgrade to GSM or UMTS (and Hailstorm)
  • Gun Max - company that asked them for a price quote
  • gave price specs for what they wanted the IMSI catcher to do... hfs.
  • Similar concepts apply to CDMA, UMTS, and LTE
  • Find the strongest cell, parse neighbor list, find weakest neighbor
  • You want your cell to be the strongest cell
  • Wireshark has dissectors for the protocols
  • Broken call setup.  Silent call.  Keep engaging on control channels.
  • Accidentally building IMSI catchers in the 900MHz band
  • Finding IMSI catchers is a matter of broadcast channel anomaly detection
  • Warsharing == Wardriving + Ridesharing
  • USCIS building in Seattle
  • SeaTac Airport
  • Asking phones to transmit at an unusual power level, unusual cell reselection history
  • SeaGlass app - ported OsmocomBB to Android, in the Play store, need a Motorola C139 phone
  • seaglass.cs.washington.edu
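
Added example (mine; not code from the talk or from SeaGlass): both sides of the "strongest cell / weakest neighbour" idea above, over a constructed GSM scan.  The catcher-side function takes the strongest cell's broadcast neighbour list and picks the weakest neighbour's ARFCN as the channel to impersonate, together with the signal level it must beat.  The detector-side function compares a fresh scan against cells previously seen in the same area and flags the broadcast-channel anomalies the talk lists (never-seen cell, new LAC that forces a location update, empty neighbour list, unusually high requested MS transmit power, a big signal-level jump on a known ARFCN).  The Timing Advance helper is the speed-of-light fun fact in numbers.  Cell IDs, ARFCNs, levels and the power field are made up; the "ms_txpwr_max_dbm" name is my simplification of the SI3/SI4 field, not a real parser.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

C_M_PER_S = 299_792_458
GSM_BIT_PERIOD_S = 48 / 13 * 1e-6          # one GSM bit period, about 3.69 microseconds


def ta_to_distance_m(ta: int) -> float:
    """Timing Advance is the round-trip delay in bit periods, so one TA step is roughly 553 m one-way."""
    return ta * GSM_BIT_PERIOD_S * C_M_PER_S / 2


@dataclass(frozen=True)
class CellObs:
    arfcn: int
    cell_id: int
    lac: int
    rxlev_dbm: int
    ms_txpwr_max_dbm: int        # max transmit power the cell tells phones to use (simplified from SI3/SI4)
    neighbors: Tuple[int, ...]   # neighbour ARFCNs from the broadcast neighbour list


def pick_channel_to_impersonate(scan: Sequence[CellObs]) -> Tuple[int, int]:
    """Catcher-side heuristic from the talk: take the strongest cell's neighbour list, choose the weakest
    neighbour's ARFCN, and plan to transmit there loudly enough to out-rank the strongest real cell.
    Returns (arfcn to take over, rxlev in dBm that the fake cell must exceed)."""
    by_arfcn = {c.arfcn: c for c in scan}
    serving = max(scan, key=lambda c: c.rxlev_dbm)
    candidates = [by_arfcn[a] for a in serving.neighbors if a in by_arfcn]
    if not candidates:
        raise ValueError("strongest cell advertises no neighbours we can hear")
    weakest = min(candidates, key=lambda c: c.rxlev_dbm)
    return weakest.arfcn, serving.rxlev_dbm


def flag_anomalies(baseline: Sequence[CellObs], observed: Sequence[CellObs],
                   rxlev_jump_db: int = 20) -> Dict[int, List[str]]:
    """Detector side: compare a fresh scan against the cells previously seen in this area and return
    {arfcn: [reasons]} for anything that looks like a fake base station."""
    known_ids = {c.cell_id for c in baseline}
    known_lacs = {c.lac for c in baseline}
    base_rx = {c.arfcn: c.rxlev_dbm for c in baseline}
    base_pwr = max(c.ms_txpwr_max_dbm for c in baseline)
    flags: Dict[int, List[str]] = {}
    for c in observed:
        reasons = []
        if c.cell_id not in known_ids:
            reasons.append("unknown cell id")
        if c.lac not in known_lacs:
            reasons.append("new LAC (forces a location update)")
        if not c.neighbors:
            reasons.append("empty neighbour list")
        if c.ms_txpwr_max_dbm > base_pwr:
            reasons.append("asks phones for unusually high TX power")
        if c.arfcn in base_rx and c.rxlev_dbm - base_rx[c.arfcn] >= rxlev_jump_db:
            reasons.append("signal level jumped on a known ARFCN")
        if reasons:
            flags[c.arfcn] = reasons
    return flags


# Constructed scan of one area: three real cells in one location area.
BASELINE = [
    CellObs(arfcn=51, cell_id=0x1A01, lac=0x1234, rxlev_dbm=-60, ms_txpwr_max_dbm=33, neighbors=(63, 75)),
    CellObs(arfcn=63, cell_id=0x1A02, lac=0x1234, rxlev_dbm=-95, ms_txpwr_max_dbm=33, neighbors=(51, 75)),
    CellObs(arfcn=75, cell_id=0x1A03, lac=0x1234, rxlev_dbm=-80, ms_txpwr_max_dbm=33, neighbors=(51, 63)),
]
# Later scan: something loud has appeared on the weakest neighbour's ARFCN with a new LAC and no neighbours.
SUSPECT = CellObs(arfcn=63, cell_id=0xBEEF, lac=0x0042, rxlev_dbm=-45, ms_txpwr_max_dbm=39, neighbors=())
OBSERVED = [BASELINE[0], BASELINE[2], SUSPECT]

if __name__ == "__main__":
    print("catcher would take ARFCN / must beat dBm:", pick_channel_to_impersonate(BASELINE))
    print("detector flags:", flag_anomalies(BASELINE, OBSERVED))
    print("TA=3 puts the phone about %.0f m out" % ta_to_distance_m(3))
```

Each heuristic on its own has benign explanations (carriers add cells, re-plan LACs, and signal levels swing), which is why a SeaGlass-style deployment collects baselines over time and flags on the combination rather than any single indicator.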

Hacking Non-Connected Cars

  • connected cars are hackable.  this is not news.
  • 4g, 5g, wifi, Bluetooth, GPS
  • critical car systems (like steering) are hooked to accessible networks.
  • but what about unconnected cars?
  • physical port into the CANbus network - OBD2 port
  • some cars, when you plug in even a passive sniffer, freak out.  dashboard locks up.
  • uh-oh.
  • have to disconnect the car battery to cycle power on the softlocked CPU.
  • 2006 to today
  • obd2 diagnostic port used by mechanics
  • inside the cabin, usually near the steering wheel
  • pinouts are googlable
  • other protocols than CANbus are used and found
  • internal network is based on bus topology
  • L1 protocol designed specifically for use in very EM noisy environments
  • CAN-H and CAN-L signals.  as long as the two signals are equal and opposite, it's a clean bit.  seems easy to filter noise out of, too.
  • CAN frame layout...
  • CANbus network protocol analyzer software... Wireshark probably has a dissector.
  • CANspy - platform for auditing CAN devices
  • there are several tools for doing this
  • just don't use ELM327 - it's a diagnostic tool not a sniffer, it's cheap, it sucks
  • while sniffing, do something in the car (turn on the headlights) and watch all the traffic that results.  very chatty - who knew it was so busy?
  • dashboards today are much closer to demos than actual displays anymore... sheesh.
  • CAN frames can be injected as well as passively monitored
  • invented a physical hardware implant for backdooring cars
  • PIC uc programmed for CAN, transceiver
  • GSM modem for remote control via SMS commands
  • "The Bicho" (Spanish - little insect)
  • https://github.com/UnaPibaGeek/thebicho
  • visual CAN frame builder and transmitter, C++
  • builds raw CAN frames - hex values get serialized
  • doesn't seem to support commands of the form "turn on the headlights"
  • can spoof SMS origin :)
  • "STOP" command can be remotely disabled :)
  • "Kill ECU" command does what it says on the tin - holy fuck
  • opencandb.net
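
Added example (mine; not code from the talk, The Bicho or any of the tools named above): the "sniff, poke something, see what changes" workflow from the notes, done offline on two constructed captures in the log format can-utils' candump writes.  It parses the frames, then for every CAN ID compares a baseline capture (car at rest) against a capture taken while the headlights were switched on: byte positions that were constant at rest but took a new value during the action are reported, byte positions that already varied at rest (counters, sensors) are ignored, and IDs that only appear during the action are reported as new.  It also packs a frame into the SocketCAN struct can_frame layout for injection; the send function is there for completeness but is not called.  The IDs and payloads are invented and correspond to no real vehicle.

```python
import re
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

# candump -l log format: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")
CAN_EFF_FLAG = 0x80000000       # extended (29-bit) identifier bit in SocketCAN's can_id
CAN_ID_MASK = 0x1FFFFFFF

Frame = Tuple[float, str, int, bytes]


def parse_candump(lines) -> List[Frame]:
    frames = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable candump line: {line!r}")
        frames.append((float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def payloads_by_id(frames: List[Frame]) -> Dict[int, List[bytes]]:
    per_id: Dict[int, List[bytes]] = defaultdict(list)
    for _, _, can_id, data in frames:
        per_id[can_id].append(data)
    return per_id


def diff_captures(baseline_frames: List[Frame], action_frames: List[Frame]) -> Dict[int, dict]:
    """For each ID seen during the action, report bytes that were constant at rest but changed,
    plus IDs that never appeared at rest.  Bytes that already vary at rest are not attributable."""
    base, act = payloads_by_id(baseline_frames), payloads_by_id(action_frames)
    findings: Dict[int, dict] = {}
    for can_id, payloads in act.items():
        if can_id not in base:
            findings[can_id] = {"new_id": True, "changed_bytes": {}}
            continue
        changed = {}
        width = min(len(p) for p in base[can_id] + payloads)
        for pos in range(width):
            rest_values = {p[pos] for p in base[can_id]}
            if len(rest_values) != 1:
                continue
            new_values = {p[pos] for p in payloads} - rest_values
            if new_values:
                changed[pos] = (rest_values.pop(), sorted(new_values))
        if changed:
            findings[can_id] = {"new_id": False, "changed_bytes": changed}
    return findings


def pack_can_frame(can_id: int, data: bytes) -> bytes:
    """struct can_frame as SocketCAN expects it: u32 can_id, u8 dlc, 3 pad bytes, 8 data bytes (host order)."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if can_id > 0x7FF:
        can_id |= CAN_EFF_FLAG
    return struct.pack("=IB3x8s", can_id, len(data), data.ljust(8, b"\0"))


def unpack_can_frame(buf: bytes) -> Tuple[int, bytes]:
    can_id, dlc, data = struct.unpack("=IB3x8s", buf)
    return can_id & CAN_ID_MASK, data[:dlc]


def send_frame(iface: str, can_id: int, data: bytes) -> None:
    """Inject on a real SocketCAN interface (Linux only; deliberately not called in this example)."""
    import socket
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as s:
        s.bind((iface,))
        s.send(pack_can_frame(can_id, data))


# Constructed captures: 0x1A5 is static, 0x2C0 carries a counter, 0x3E8 byte 0 flips when the lights go on,
# 0x4F0 only shows up during the action.
BASELINE_LOG = """\
(1557936000.000100) can0 1A5#0000
(1557936000.000200) can0 2C0#0A00
(1557936000.000300) can0 3E8#00FF
(1557936000.010100) can0 1A5#0000
(1557936000.010200) can0 2C0#0B00
(1557936000.010300) can0 3E8#00FF
"""
ACTION_LOG = """\
(1557936001.000100) can0 1A5#0000
(1557936001.000200) can0 2C0#1C00
(1557936001.000300) can0 3E8#01FF
(1557936001.000400) can0 4F0#7F
(1557936001.010300) can0 3E8#01FF
"""

if __name__ == "__main__":
    findings = diff_captures(parse_candump(BASELINE_LOG.splitlines()), parse_candump(ACTION_LOG.splitlines()))
    for can_id, info in sorted(findings.items()):
        print(f"0x{can_id:03X}: {info}")
    print("replay candidate:", pack_can_frame(0x3E8, bytes([0x01, 0xFF])).hex())
```

The usual next step is to replay the candidate frame with the same period the bus uses and watch whether the lights follow; if nothing happens, the ID is likely a status report rather than a command, which is exactly the ambiguity the note about dashboards being "closer to demos than displays" is pointing at.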