← All talks

BG - NSA Playset - Bridging the Airgap without Radios - Michael Leibowitz

BSides Las Vegas · 43:13 · 46 views · Published 2016-12
About this talk
BG - NSA Playset - Bridging the Airgap without Radios - Michael Leibowitz Breaking Ground BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

Welcome to the Breaking Ground track. If you are not here for the Breaking Ground track you are in the wrong place, or maybe you are just here because you work for the NSA and you are interested in what's going on. We have the NSA Playset being presented by Michael Leibowitz. Michael, who is known as r00tkillah on Twitter, has done hard time in real time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company that shall remain nameless. Previously he developed and tested embedded hardware and software, and clicked... that's got to be bad kerning... clicked around, no, he's clicked around with strap-on boot ROMs, mobile apps, office suites, and written some secure software, which is quite an accomplishment. On nights and weekends he hacks on electronics, writes BSides CFPs and contributes to the NSA Playset. So let's see what it's all about. Put your hands together for Michael Leibowitz.

Hello, hello. All right, so this is the NSA Playset: Bridging the Airgap without Radios, and as I think he just said, I'm Michael Leibowitz, and it's more or less what he said: my day job is in product security, and the rest of the time I futz around with electronics. I work for a large multinational corporation that I won't name but you can probably figure out, and of course what I say here is not the words of my employer or the views of my employer, don't be confused.

So let's talk about the ANT catalog. The ANT catalog is a literal catalog that the NSA makes from their Tailored Access Operations group, and basically it is a catalog that other government agencies can buy from, to purchase malicious implants or software to exploit bad people, or, you know, hackers, basically. And this was leaked in 2013, I think, something like that.

And so this is an example of one item. You can look at the whole catalog; there's a bunch of different things with funny names, each one has a funny name and a sort of description of what it is. In this case it is a listening device; if you haven't seen Mike Ossmann's retroreflector talk, you really should. This is an active retroreflector, and I think that what is most amusing about the ANT catalog is that, like any real catalog, there's a price at the bottom right there: it is 30 bucks, which is a pretty good deal, a lot of the catalog stuff is kind of expensive.

And so the NSA Playset is like, well, why should they have all the fun? So we're basically recreating and re-envisioning the tools of the catalog in an open way: whereas they do it in secret, we do it in the open, and we try to make things easy to use and easy to learn from, and hopefully this makes the world a more secure place, or at least lets hackers have more fun. And we have a website, and this one isn't updated, but this project is on the website, I just haven't updated the information yet.

So last year Josh Datko presented CHUCKWAGON, and CHUCKWAGON is an implementation, or a sort of parallel implementation, of the WAGONBED platform. The WAGONBED platform is not an ANT catalog entry, but several of the ANT catalog items say that they support WAGONBED hardware, and basically the WAGONBED hardware is a series of hardware implants that they put into a computer, and it talks over, in this case, I2C back to the infected computer and then forms some sort of out-of-band network for command and control purposes. And so in this case it uses a BeagleBone, and the I2C bridge is over VGA, and it uses a GSM modem for the out-of-band radio. And if you haven't seen Josh from last year's DEF CON you should, it's also pretty good.

So while I wasn't thinking about the ANT catalog, I was thinking about the Internet of Things and how funny the Internet of Things was, and how it's going to be really hilarious to have a whole bunch of small devices with tiny TCP/IP stacks in them that were written yesterday, and billions of them. And my company was also really interested in the Internet of Things, and so last year at CES, maybe it was the year before, he got on stage and he demoed a smart shirt. It was a shirt with electronics in it, and I don't know, I didn't really watch the demo, but I thought it said "smart shirt" and "Internet of Things" and I thought that's freaking hilarious.

And I thought, okay, well before we get into that let's talk about the Internet of Things and radios and radio technology. I know this talk is about without radios, but a lot of the Internet of Things is built upon 6LoWPAN, or 802.15.4, and I think that there's a lot of confusion about what that is and what that means, and I'll tie that back into this in a few moments. So there's LoWPAN and then there's 6LoWPAN, but the traditional radio topologies for these low-power networks don't really work, because these devices are supposed to be powered on with a watch battery for months or years, and so it turns out that the traditional network topology, or networking techniques, that we use for say Wi-Fi don't really work in that situation. So what they basically do is scheduled transmission, because it turns out that reception is more power expensive than transmission, and so they communicate in short bursts. But the radios aren't very powerful, so how does this work, how do you get a large group of nodes operating? So maybe this guy, maybe one can only reach a few, but the other can't be reached, so we need a mechanism to communicate node to node, we need mesh networking, where we can go from node to node to node to node and finally to node.

So this is sort of a BSides-to-BSides talk. For Portland BSides last year I saw this internet shirt that our CEO had made and I thought, well, that's silly, we should make internet hats, we could make thinking caps, and we should make them for BSides. I don't know if you can see it, but there's a tiny little BSides logo there. It turns out it's hard to make a circuit board that will fit on a hat and doesn't bend. And so, in collaboration with Joe Fitz, I made the badges, and we decided, what does it mean to have an internet hat? Obviously it should do some thinking for you, but I really wanted to turn this into a game for BSides, so it would be like a laser tag game: you push the button, you zap a hacker. But then that became sort of a question: each node would have an IPv6 address, and which hacker am I zapping? I don't know, is it that guy, is it that guy, I don't know your IPv6 address. So we thought, okay, we need to zap that very particular hacker.

And so I got some cheap infrared LEDs and the consumer infrared little phototransistors, just like they use in television remote controls, and put them on the board. And this is a hacker conference, so I couldn't just be like laser tag, boom boom, you're zapped; it had to be something a little more clever, otherwise someone would just come in and zap everybody. So I thought, okay, how are we going to do this? It'll send a zap with a nonce, and then the other guy will reply with another thing, and then it will all go together. And now I need to have data transfer, because with the remote control it just sprays; it's just like, okay, channel up, and then the TV says, okay, you probably didn't just hit it three times in 10 milliseconds, so I'll just take one of those. But that wasn't going to work for us, so what I did is I made a little tiny packet system: it sends a few bytes, it has a little packet in it with a message, you've been zapped, who zapped you, and the nonce.

And when I first tried this out, the thing that struck me was that the range was really spectacular. I wanted it to be from one seat to the next, like zap zap, but it was more like from one seat in the back zapping everyone in the room, and I was like, wow, that's amazing. And then I started thinking, maybe I don't need this IPv6 radio at all, maybe I can do this all with some fancy infrared, and I thought maybe this could be a really neat way to devise a hardware implant. This is pretty small, I could probably make it a little smaller, and then we can add this to the Playset. And so I dreamed up this idea.

So here's the way it works: I get the hacker and he delivers the hacks to the victim, but this time we want to deliver the hacks without radios. To some extent this may seem a little bit like a hat trick, but there are what I call radio-hostile places, or heavily monitored radio places, where new networks are detected and monitored. There are companies out there that make little SDR products which you can put in your server room and make sure that the radios that it sees are consistent with a pattern of normal use, presumably to detect things like a CHUCKWAGON implant or similar with an orthogonal radio. And then there are places, of course, where radio waves just don't go well, like there's no cell reception deep, deep underground, like Stuxnet or something like that, where the air gap was jumped. I didn't have any sort of imagery of an underground nuclear facility, but this was kind of as close as I could get; I think it conveys the same idea.

So basically what we want to do is, we don't want to be right there delivering the hacks, because that sounds scary, we could get caught. We want to deliver the hacks through the tubes to an implanted machine that then relays our hacks from node to node to node, much like mesh networking, to span a long distance with a mesh network. And obviously this requires each node to be implanted, but that might not actually be that difficult if you think about it.

So let's talk about VGA. This image I thought was absolutely hilarious, because, I don't know if you guys can see it, but the little arrows that tell you what wire is what just tell you what color it is, so this one really just says "blue" and this one says "small red". That was tremendously helpful. And if you look at VGA pinouts, if you just sort of randomly look for them, there are so many: okay, there's red, green and blue, and then there's HSYNC and VSYNC, which, basically, if you don't have those nothing works at all, and then there's this other stuff, and here they're like, okay, that's all ground, or these are reserved, or they're not connected, or they're not used, or they're deprecated, or whatever. But actually there's an I2C bus that goes through there, and this is something that happens in VGA, something that is present in DVI and in HDMI, and it just keeps going and going. Basically, when you plug your computer into a monitor, it knows, okay, this is a monitor, and what kind of resolutions and modes the monitor supports, and the size. There's a little PROM somewhere in your monitor, that's the DDC PROM, and basically you read this formatted information called EDID; the computer reads this information and then parses this block, and that's how it decides what to do. Usually it's the kernel or some pretty low-level component that does this parsing, which, you know, nothing could go wrong there. There were, I think, a few years ago, some good bugs found through fuzzing of EDID, and my favorite is, yeah, my size is negative one.

And so I2C: I talked about I2C before, but what is I2C? I2C, sometimes called a two-wire bus, is literally two wires, and I2C is underrated, I think, but it is a multi-master, multi-slave bus. So essentially you can have one master, in this case the VGA adapter is the master, and then there's the DDC PROM, which is the slave, and then you're free to hook up other things there, so maybe a malicious implant, and it can be either master or slave. Now this topology looks a little wonky, because if the host is the master and the implant is the master and the DDC is the only slave, then there's really no fun that can be had. But actually, if you just go poking around on the I2C bus of your display adapter you'll see a few different things there, inside the monitor, or if you have a display adapter you can see things inside there, and they will happily take commands from you. Oh, and I2C is also interesting in that I2C has destructive collision, or non-destructive collisions, so if you want to be the DDC PROM and say "my size is negative one" and there is a DDC PROM already, basically whoever says zero first when the other guy says one wins, and the other guy will shut up. So all you have to do is say zero earlier in the EDID struct than he does and you get to control what the EDID struct says.

So let's talk about CIR, consumer infrared. I alluded earlier to how consumer infrared works, how IR remote controls work: basically they have a modulated signal, and this signal is modulated usually at about 38 kHz, and you can see here there's the modulated signal, and then the receiver automatically demodulates that and turns it back into a normal wave. The graphic looks kind of weird because I ripped it off and inverted it and didn't clean it up well. And so one of the differences between consumer infrared and IrDA, the Infrared Data something-something: a while back, before Wi-Fi became popular, there was something called IrDA, there was an IrDA consortium, and people put little LEDs and receivers in laptops and calculators and crap, and it could go like four megabaud, and you could put the computers next to each other and send crap, and it was cool. One of the things that I first looked at when doing this was, why wouldn't you just do this with IrDA, because that's fast and good for data transfer? And one of the trade-offs for IrDA was that they made it such that range was not very good, so it's designed to hit something very specific at a short range; you don't want to be blasting bytes to everybody in the room. But TV remote controls do: they want to send off walls, off ceilings, and send to something that's far away, and so that's why I went with consumer infrared, although there was somewhat of a trade-off in terms of bandwidth, which we'll talk about later.

So then there's serial communication, and this is the UART format, and I don't know how many of you are familiar with this, so I'll just go through it real quick. The A is for asynchronous, the U is for universal; basically you can connect two different computers together and they don't have to share a clock. This is great because our two infrared devices also don't share a clock, and this allows us, by encoding a serial protocol, to synchronize the UARTs together. Basically there's a start bit, there are data bits, and there's optionally a stop bit; it's not too exciting. And then when you modulate it together with the 38 kHz signal, here it is from my logic analyzer, you can see basically the modulated data on the top, and then the received demodulated data, and the decoded data. So the sort of interesting thing about this, if you look at the previous slide, is that the idle state is up, and then in this slide the idle state is down, so you have to invert the transmit and the receiver will invert the reception. The reason you have to do that is, if you leave idle high and you're encoding all the time, you're just spraying nonsense everywhere and nothing else can communicate. But this leads to an interesting problem. So this is another picture of the UART encoding, and what you can see is there are the bits 1111 and then zero. What happens if you make all the data bits zero? Then you just have basically the start bit and then seven bits, or eight bits, of silence. So you have the start bit, seven bits of silence, start bit, seven bits of silence. It turns out, and this is a problem that radios sometimes share too, there's been a problem with radios that if you are transmitting with long delays you lose synchronization between them, and this is something that I have somewhat struggled with. There are a number of different techniques to avoid this: one is you can do bit stuffing, every n bits you stuff a one; or you can do byte stuffing, every n bytes you stuff a nonzero; or you can do flags like HDLC, where if you say this number of zeros in a row I actually give you all ones, but if you want that then there's an escape. And so I use byte stuffing, but it kind of works and kind of doesn't work, but then I discovered if you just compress all the data you have very few zeros.

So this is basically the underlying packet format. Basically this works like a MAC and then a higher level: you have the implant running the MAC, and then it transmits the packets and manages the communication channel, and then you have the software on the host that kind of processes that and does stuff. So there's a 128-byte packet, and we have a source, a destination, a type, and then hops, which I'll talk about in a moment, and then stuff and a CRC. It's a 16-bit CRC, so you kind of know that you've got something that probably wasn't corrupted, but the world is a kind of noisy place, and one of the things about this is you're constantly kind of receiving spurious garbage, and again radios have the same sort of trouble. So basically the receive apparatus has a sort of guard sequence, and if you don't output that it decides this is just random garbage, and then once you pass that it decides, okay, we're now receiving a packet, and there's a leader to establish synchronization.

But how do we do this meshing? In 6LoWPAN it's really complicated: there's neighbor discovery, and then there's the sort of optimal route calculation, and then there's choosing different kinds of routes to avoid congestion, and some radios have coordinator roles that coordinate this and some radios don't. And I didn't do any of that. Basically there's a flag for hops in the struct, there are four bits for that, and if this packet is not for me and it's less than 50 hops, okay, we just increment the hops and send it along. This is more or less the approach. There's actually a naive bug in this approach: if you have two things right next to each other they both reply at the same time and obliterate each other's transmissions, so you wait a random amount of time. This is kind of similar to Ethernet, actually: you wait a random amount of time and then you transmit, and if someone else has transmitted that hop before you, you basically give up and say, well, someone else did it.

So I wanted to make an easy-to-use, Playset-able... I made a word. I wanted to make an easy-to-use hardware and software platform that I could hand over to people such as yourselves to start hacking on it and playing with it. It had to be small, cheap, easy, fun, and I guess a corollary to cheap was widely available, and I chose an AVR platform, which may seem familiar to you from the Arduino platform. The Arduino platform is definitely easy; it's apparently so easy the kids can do it. A lot of people look down their nose at Arduino, and I kind of looked down my nose at Arduino for a long time, but actually Arduino is pretty great, because really it's GCC, C++, and a library that works pretty okay, and if you don't like it you can throw it out. So I think that when you look at how to use Arduino, this is kind of what you expect to see, but actually you can really just use make, make install, all these sort of tools, like a real hacker and a real editor; you don't have to do that.

So let's talk about the hardware. The hardware needs to be really small; in fact, this is a good time to show how small the hardware ought to be. Basically the idea is to put it inside a VGA connector, one like this, with a VGA cable hooked up to it, and in there... this one is closed up with wire sticking out instead of a VGA cable. And it's got to have room for the VGA guts plus a tiny little circuit board that's like this big, which you can't see, but that's kind of the point: it's little. So I needed something to be fairly simple so that I could make it small, and basically this is as simple as I could get it, and perhaps no simpler; in fact I made it a little too simple with the first iteration and that bit me in the ass, so I made a second iteration. So there's the microcontroller over here, you can see my mouse moving, oh good, there's the microcontroller over here, the ATmega328, the crystal, the receiver, a transmitter, and a big fat LED, and then a 2-megabit PROM so that you can stage downloads or uploads or exploits. And then I made a board. This isn't the first board I made; the first board I made was really, really tiny, and I discovered it was really hard to work with a really, really tiny board, so a friend of mine said, you're a dumbass, just make it bigger and then cut it in half when you're done. So I took his advice, and basically there's the microcontroller, there's a capacitor, the receiver, the LED, and some other garbage; this is where you hook it up to the VGA port, and then the debug connectors for making things nice and easy, and a bunch of blinking lights, and then the green part, that's the part where you cut it in half when you're ready to implant it. So the idea is that it's easy to play with, so there's one that's ready to be played with: you can hook it up to the in-circuit programmer, it has a little UART connector like Arduinos do, and you can talk to it, etc., and then there's a jumper here for I2C, and that's neat. They're like this big in reality, and then you cut off this part here and they become as big as that one I showed earlier, and basically this fits damn near exactly into the shell for the VGA connector, and then you plug it into your computer and then you have fun.

Before I get to that: when I say fun, sometimes it's fun, sometimes it's really frustrating. It turns out that when you goof around on the I2C bus, some VGA controllers are like, ah, I'm not going to talk to you anymore, I'm going to turn this bus off, and then you have to reboot the computer, and that kind of sucks.

So what is a Faraday cage? I wanted to show that this goes through without radio waves, goes through radio-denied areas.

So I made a Faraday cage, which blocks all of the radio communication in or out, and I thought this was a great idea, and then I realized that my connection to this is over Wi-Fi, which means I'm stupid. So I have my little tiny Faraday cage, which I built out of picture frames and copper sheets I got on Amazon, and at 1:00 a.m. last night everything was basically working, and then by 7:00 a.m. nothing freaking worked anymore. Oh, and also your TV, if you're in the Tuscany, the monitor, the TV in your hotel room, will respond to I2C, but you cannot get it to display, but you can still futz with the ROM on it. So I have a computer in here, I guess you can't see that, I have the WOPR, you know, some computer in a hardened radio place deep, deep underground controlling nuclear missiles or something, and then I have this, my breadboard version, because remember I told you before nothing worked, and it hooks up over the VGA port and you can talk to it. Of course I can't talk over that VGA port because I'm using it, but that's okay because I can talk to it over I2C, or over USB as well.

So this is the Faraday cage, and I expect some people in the back can't see that, so I took a picture of it in my hotel room. But what if you want to go... what if it's not going between two things that are kind of next to each other, or a string of things deep, deep underground in some secret facility? What if you just want to go from the parking lot to the victim? In that case you use lasers, and it turns out you can shine a dot on the ceiling through a window, and you can flash the laser pretty fast. You can flash, if you buy one that can flash; they basically sell this sort of laser in two ways, the 5 kHz one and the 100 kHz one, and you want the 100 kHz one. And then you flash it at 38 kHz and you can receive it; it projects an ever-widening dot on the ceiling at a fairly high intensity, and you can go a pretty long distance with it, and then you need a telescope on the other side. So yeah, with freaking lasers.

Okay, so this is the part where I attempt a demo to a computer in a Faraday cage connected over Wi-Fi, so let's see if that works. So I have two lids open, sure, I'm running screen... oh, I can't type. Tor's slow. Hey, okay. Or... Tor's slow. This is the time where people laugh at me and say, you should have had this set up beforehand, but those people are wrong. [Laughter] We'll just do it right here. Okay, so here we're communicating with this device, and this is some sort of ping-pong test code, so you can send packets, and there it sent a packet, and then on this side I can do... and so this is going to be a challenge, because the ceilings in here are a lot higher than they are in a normal office or in my hotel room or other places.

So... oh, that's really lame. All right, let's point it downward, and then back into relaying, and I sent it from this one to another one that isn't it, so basically they're ping-ponging it back and forth, and you can see there it got to hop 15, too many hops, and it eats it. Well, okay, so that was cool, so now let's see if we can do this through the Faraday cage. Indeed, and this is... okay, let's see if we can make the Faraday cage stay together, I may have to hold it in place. All right. Oh, oh, okay, just don't touch it, nobody touches it, it should be fine. And then with any luck nothing happens... oh my God, something happens. We've got a gap in the Faraday cage, the signals are leaking through, Tor can get through. Jesus, that's lame. But we can turn the Wi-Fi off, let's see... I can't turn the Wi-Fi off and switch to the other window. All right, well, okay, we're in a Faraday cage and pretend like radio waves don't go through. Oh wait, aha, I know how to do this: it's tethered to my phone, I can fix it. All right, you just turn the phone into airplane mode and then at least it's in a radio-denied place, airplane mode. Okay, so now, right, here we are over here, and then [unintelligible] bits, and so from here to here, let's see if it works... nope. But if I aim it downward, which is pretty lame, and I can't type... wow, yay, okay, everyone clap. [Applause] We're sending these datas through the Faraday cage, which isn't a good Faraday cage, but I turned off the radio so they can't talk anyway. And so that's sort of my test code, and I have a command-and-control console that, well, it works, but something else doesn't work and I'm not sure what that is, but basically... ah, what? Oh, it's saying it can't find the device. Well, anyway, that demo failed, but basically I have a utility and you could say run a remote command, and then the implant side waits for the remote command, and it sends back an acknowledgement and then streams all the data back, like a C&C console you think should work. And I'm working on the part where you send and receive files back and forth, but the cool part about this is it does do it over the mesh transport, so I can do it to multiple computers, which works in the lab. [Music]

I have a layer that I can build in there for reliable transmission. This transmission is not like TCP, it's not reliable: if a packet goes missing, a packet goes missing, which would really suck if you're grabbing their company confidential data and the first part that you desperately need is missing. It turns out that implementing reliable transmission is not that hard, because you can basically do the exact same thing that 6LoWPAN is doing: you can fragment the IPv6 packet up into 128-byte sub-packets, and then you can build a sequence number around that, and then you can build up an IPv6 interface through that. And so that's sort of... well, all this, and then that's sort of the next step: to build it such that it is an orthogonal IPv6 thing, so then I can have, you know, the internet of implanted things. So that's the show. If you have questions I'll do my best to answer them.

Yeah, will you unmute the mic? If you have questions we have a mic set up here in the middle. Then I can sleep and drink beer. It's the red one there, yeah, number four. Oh, come on, there was a Faraday cage, a beehive of death, and we have no questions? There are no bees in the Faraday cage anymore. All right, well, thank you very much. Thank you. All right, please pick up on your way out if you're leaving, and our next talk is not scheduled until, like...
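The packet format and the relay rule the talk describes (a 128-byte frame with source, destination, type, a hop counter and a 16-bit CRC; relay anything not addressed to you after a random back-off, give up if a neighbour relays it first, eat it at the hop limit) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not the speaker's firmware or anything from the NSA Playset project. The frame layout (a length byte, CRC-16/CCITT-FALSE, 0x55 padding, a 15-hop limit taken from the "hop 15" moment in the demo), the back-off window and the line topology are assumptions chosen to match the description, not the implant's actual code.

```python
import heapq
import random
import struct

# Frame layout assumed for this example, modelled on the talk's description
# (128-byte packet: source, destination, type, hops, payload, 16-bit CRC).
# The length byte is our addition so the receiver can strip padding.
PACKET_LEN = 128
HEADER = struct.Struct("<BBBBB")             # src, dst, type, hops, length
PAYLOAD_LEN = PACKET_LEN - HEADER.size - 2   # 121 payload bytes, then CRC-16
MAX_HOPS = 15                                # assumption: 4-bit hop field


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the talk only says '16-bit CRC'."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode(src: int, dst: int, ptype: int, payload: bytes, hops: int = 0) -> bytes:
    """Build one 128-byte frame."""
    if len(payload) > PAYLOAD_LEN or not 0 <= hops <= MAX_HOPS:
        raise ValueError("payload too long or hop count out of range")
    # Pad with 0x55 rather than 0x00: with the inverted-idle UART-over-CIR
    # scheme a run of zero bytes is pure silence and the receiver loses sync.
    body = HEADER.pack(src, dst, ptype, hops, len(payload)) + payload.ljust(PAYLOAD_LEN, b"\x55")
    return body + struct.pack("<H", crc16(body))


def decode(frame: bytes):
    """Return a dict for a well-formed frame, or None for noise or corruption."""
    if len(frame) != PACKET_LEN:
        return None
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16(body) != crc:
        return None
    src, dst, ptype, hops, length = HEADER.unpack(body[:HEADER.size])
    if length > PAYLOAD_LEN:
        return None
    return {"src": src, "dst": dst, "type": ptype, "hops": hops,
            "payload": body[HEADER.size:HEADER.size + length]}


def frame_id(pkt: dict) -> tuple:
    """Identity of a packet regardless of how many hops it has travelled."""
    return (pkt["src"], pkt["dst"], pkt["type"], pkt["payload"])


class Node:
    """One implant: deliver frames addressed to me, flood everything else."""

    def __init__(self, addr: int, seed: int = 0):
        self.addr = addr
        self.rng = random.Random(seed)
        self.seen = set()        # frame ids already delivered or queued for relay
        self.scheduled = {}      # frame id -> time of a pending relay transmission
        self.delivered = []

    def hear(self, frame: bytes, now: float):
        """React to a frame on the link: ('deliver'|'relay'|'cancel'|'drop', detail)."""
        pkt = decode(frame)
        if pkt is None:
            return ("drop", "bad length or CRC")       # spurious garbage on the link
        key = frame_id(pkt)
        if key in self.scheduled:                       # a neighbour relayed it first: give up
            del self.scheduled[key]
            return ("cancel", key)
        if key in self.seen or pkt["src"] == self.addr:
            return ("drop", "already seen")
        self.seen.add(key)
        if pkt["dst"] == self.addr:
            self.delivered.append(pkt)
            return ("deliver", pkt)
        if pkt["hops"] >= MAX_HOPS:
            return ("drop", "too many hops")            # the 'hop 15, eat it' case
        relay = encode(pkt["src"], pkt["dst"], pkt["type"], pkt["payload"], pkt["hops"] + 1)
        when = now + self.rng.uniform(0.001, 0.010)    # Ethernet-style random back-off
        self.scheduled[key] = when
        return ("relay", (when, relay))


def flood(nodes: list, reach: int, frame: bytes, origin: int) -> list:
    """Discrete-event flood on a line: node i hears node j iff 0 < |i - j| <= reach.
    Returns the transmissions that actually went out as (time, sender, hops)."""
    queue = [(0.0, 0, origin, frame, False)]           # time, tiebreak, sender, frame, is_relay
    seq, log = 0, []
    while queue:
        now, _, sender, tx, is_relay = heapq.heappop(queue)
        if is_relay and nodes[sender].scheduled.pop(frame_id(decode(tx)), None) is None:
            continue                                    # relay was cancelled before it went out
        log.append((now, sender, decode(tx)["hops"]))
        for i, node in enumerate(nodes):
            if i != sender and abs(i - sender) <= reach:
                action, detail = node.hear(tx, now)
                if action == "relay":
                    seq += 1
                    heapq.heappush(queue, (detail[0], seq, i, detail[1], True))
    return log


if __name__ == "__main__":
    chain = [Node(i, seed=i) for i in range(6)]
    for t, sender, hops in flood(chain, 1, encode(0, 5, 1, b"whoami"), 0):
        print(f"t={t:.4f}s node {sender} transmits, hops={hops}")
    print("node 5 received:", chain[5].delivered[0]["payload"])
```

Run as a script, it floods a six-node chain in which each node hears only its immediate neighbours: the frame reaches node 5 after four relays. Widen `reach` to 2 and two nodes hear the same frame at once; whichever back-off expires first transmits and the other hears that relay and cancels, which is the collision rule the talk borrows from Ethernet. Lengthen the chain past sixteen nodes and the frame dies at the hop limit instead of arriving. The `seen` set is what stops a flooded packet from circulating forever once it has been delivered; the talk's implant relies on the hop counter alone for that.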