
Bluetooth, Bluetooth BLE, and Tracking with Sonar

BSides DC · 2018 · 51:18 · 390 views · Published 2018-11
Category: Technical
Team: Red
Style: Talk

About this talk
Rick Mellendick explores Bluetooth and Bluetooth Low Energy tracking techniques, demonstrating how to enumerate and locate non-discoverable devices using tools like Blue_Sonar. The talk covers RF hunting, operational use cases from penetration testing, and the importance of equipment testing and calibration for reliable signal measurements in real-world scenarios.
Original YouTube description
…l of our pockets and the only protection most use is not being in discoverable mode. This will be a talk on enumeration, tracking non-discoverable Bluetooth devices, as well as an operator's perspective on some awesome use cases for Blue_Sonar. Of course it is already in Pentoo. This talk is imperative for those in the WCTF, because you will need this tool to find many of the Bluetooth foxes, but as an operator and a penetration tester this will add a new level of attack to your toolbox. Rick Mellendick (PI Achievers): Rick Mellendick is the Chief Security Officer for PI Achievers, a process improvement and security firm in Baltimore, Maryland, and the developers of the Cyber Resiliency Assessment Methodology (CRAM). He specializes in designing and assessing networks using offensive techniques to assist in securing our clients' networks. He has extensive experience in computer network operations, including developing proof-of-concept attacks and performing demonstrations for many federal and corporate clients. He is a subject matter expert in computer network operations, RF offensive tactics, and building federal, DoD and corporate security programs. Rick has completed over 400 vulnerability assessments and penetration tests. He is also the designer of the Wireless Capture the Flag, and helped start the Wireless Village over 12 years ago. Since then they have had over 4000 participants in the WCTF and over 125 talks and presentations given… and counting.
Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success. So there's been a lot of changes over the last couple years. We gave this talk out at DEF CON, and after talking to some of the organizers we thought, you know, it would be good to bring this East Coast. So Wi-Fi, we run the Wireless Village, so we're kind of involved in this stuff on a pretty regular basis. Wow, that's way off the screen. Hey, so who cares about this slide anyway. So I do some stuff, I've been doing some stuff in wireless for quite a while. We

started the Wireless Village about 15 years ago at DEF CON and it's been going ever since. We've been here for four or five years now at this point. We do a lot of the conferences local. Half of what I say is probably gonna be a bunch of bullcrap, so you know, this is just some stuff that says that what I said is right. So thanks to the GDPR we created this slide, more so we created this sticker, so we had this sticker all over DEF CON this year: all your RF belong to us. We can hear just about anything. RF is so prevalent these days with Bluetooth, Bluetooth Low Energy, IoT, you know, Wi-Fi, Bluetooth, Bluetooth

Low Energy, it's literally everywhere. But because we've been working with this stuff for so long, we've been able to kind of keep up with the times. So you see the dongles up here. I think we were joking on the way over here, we had a Suburban full of stuff and I think I counted 87 radios in our car, and that was almost normal for a normal day at work. So between software-defined radios, Bluetooth radios, Wi-Fi radios, gosh, now ZigBee, and we're even dealing with some non-Bluetooth 2.4 gigahertz signals, it's just an insane amount of stuff that we have to carry. So what we wanted to do is kind of bring

this talk to you guys to show you some of the tools that are out there, some new tools that will allow some really, really cool capabilities, and also kind of just give you an idea of what's going on, what we're saying is out there. So Bluetooth and Bluetooth Low Energy, BLE. Does anybody understand the difference between the two? Because most people don't get the difference between the two. Bluetooth has been around forever, since version 1. I don't know if you guys remember those little Linksys dongles that they came out with originally; it has a little antenna on it. We figured out a long time ago that if you take that wire off, clip on an SMA cable,

solder it to the board, we can put a high gain antenna on it. We were getting almost a quarter mile with Bluetooth. Bluetooth by standard is about a hundred feet, so that was cool, that was fun. You know, we were kind of hacking Bluetooth. Was able to, early days, get my car to start. I had a Mini Cooper that had a Bluetooth radio in it and it actually was tied into the system; we were actually able to get it to start remotely with the Bluetooth radio. So early, early days of car hacking, before Charlie, you know, tried to crash the car into the Michigan Turnpike. So Bluetooth Low Energy, it's fairly recent and upcoming. Bluetooth Low

Energy kind of took where Bluetooth was, gives you similar range, but the power can go four months on a button battery. So Bluetooth Low Energy you're going to start finding in watches, you're going to start seeing in Fitbits. Marketing devices are actually the biggest thing. I don't know if you guys can see it, this little guy, it's about three quarters high and about the size of a quarter, is a Bluetooth Low Energy transmitter. Now we use these for the foxes, which I'll talk about in a little bit, but marketing companies use these to advertise their websites, to give information out. This will go directly to your phone, your phone will pair to it

and it will actually give you a message on your screen: hey, you're in Walmart, you know, you just recently bought toilet paper, so you know you might need some hand sanitizer too, you know, I don't know, some kind of marketing people will come up with something that'll work. But this will literally last for three months or four months off a little battery. They're low power, but they react a little bit differently than the way Bluetooth does. So the air is kind of crazy right now. You know, there's 2.45 gigahertz, 802.11ax is coming out and they're looking to go from 1 gigahertz to 7 gigahertz over Wi-Fi.

We then compare that with 2.4 gigahertz. We had to jump out at 2.4 for Wi-Fi and go to 5 gigahertz because the 2.4 space was so polluted. So now we're sitting here with Bluetooth, Bluetooth devices and Bluetooth Low Energy all polluting the same space. So we said, you know what, this would be really fun to mess with. Bluetooth is everywhere. So when we turn a couple things on, if you have a Bluetooth device on, we're not gonna do anything to it, but leave it on, because it'll be funny to see who we can pick out in the audience based on their names. There's a couple different radios. So up here on this I've got an internal

radio. The internal radio is just, you know, what came with my laptop. It's a Bluetooth 5, I think it's an Intel 8500 card. We've got a UD100, which is an industrial Bluetooth radio; this gives us, with the right antennas, about a half-mile at this point. We've got an Ubertooth, which gives you a little bit better job with some of the other tools that exist with some of the Low Energy, but what it does is it actually enumerates out that Bluetooth Low Energy device and gives us more data. Really, really cool, especially because of how prevalent it is. Gosh, these screens are horrible. Yeah, so I don't want to read this to you, but it's a technology that uses 2.4 to

2.485 gigahertz. It's again very, very prevalent. The problem we have is the Bluetooth Special Interest Group is what runs it, not the IEEE, so Bluetooth kind of goes off in all these weird tangents, which is great, but it's not standard across the board. So one radio may go, you know, thirty feet, another radio and another device might go a hundred. So the standard we have to actually play with a little bit to get some direction finding. What all of this is rolling up to is going to be how to track devices, so we're trying to figure out different ways of doing this based on weird standards that alter. So it's everywhere

and it's unmonitored. How many of you have Bluetooth IDSes with you? All right, oh really, who makes it? Okay, cool, we'd love to talk to you, because Bluetooth monitoring is really, really hard, and Bluetooth monitoring is hard because of the way Bluetooth pairs. So Bluetooth Low Energy, on the other hand, actually runs a little bit differently, but the radios are incorporated into the Bluetooth devices on the actual laptops, your, you know, your speakers, your headphones, your cars, those kinds of things, all running these different frequencies within the same space with different profiles. So a couple years ago, actually I think it's been two years now, Rick Farina, Zero_Chaos, one of our partners in the Wireless Village,

developed this little tool called Blue_Hydra. Who's used it? Who's used... okay, so this will be a new tool for you. It is on his GitHub page, Zero_Chaos, Blue_Hydra. It is incorporated into Pentoo, which is the operating system we use for our capture the flags. But what Blue_Hydra does is something really cool: it actually takes the airspace that it can see and puts, in fact, distance vectors based on power onto your screen, so you know how far a device is away from you. Now this is going to work with Bluetooth Low Energy and Bluetooth, and it's going to use either one of these radios and kind of bounces back and forth for you. When

you kick it off you kind of get a... you get the splash screen, and they did something earlier to make it a little bit easier to see. Wow, that's perfect, there we go. Can you roll it forward, or is it locked in?

Hey, there we go, awesome. Hacking the con, whoo. All right, so it's going to give you a whole bunch of labels, so it's going to give you whether it's Classic, whether it's Classic 4.0, Bluetooth Low Energy or Low Energy 4.1, which is a newer version of Bluetooth Low Energy. So instead of talking about it I'd much rather show you, so hopefully this one... there we go. So we kick off Blue_Hydra. [Music]

All right, so within the space that we're seeing right now, and the colors are a little off, not sure if the camera is going to see it, you've got a whole bunch of devices going off the screen. Let's say Slim, there we go, there's one. So Slim has a laptop; if Slim wants to raise their hand and let us know who that is, that would be kind of cool and maybe fun. But these devices are actually beaconing out based on your friendly name of your device. The fact that it's Bluetooth Classic is going to come into play a little bit later, so we'll keep an eye on that. Video camera is here, there's a Mevo, I think that's

this guy over here. Somebody's carrying a Tile around. If I unpause this we're gonna scan back again. Some EMA core devices, some of the marketing. Somebody's wearing a Charge. There's Anonymous going across on their smartphone. So you kind of get the idea. This is up in the air, this is data that's going across. And in testing this tool we were actually testing at a coffee shop, and I live up in Baltimore. One of the people that was actually running for Congress had their phone paired to their name, Tesla also paired to their iPhone, paired to their Bose headsets, very, very vain person, because every single device they had was in their name. So I walked up to him and I said,

hey sir, you know, just FYI, I do computer security, do a lot of stuff in the RF and wireless space, you know, I could track you like to your bedroom right now. He's like, what are you talking about? I showed him what I was doing. Well, he had no idea. Well, that kind of leads us to where this problem starts to exist. Tracking a human based on their digital persona is getting easier and easier and easier because of all these devices. When we take their Bluetooth persona and we take their Wi-Fi persona, their beacons that are coming out of their phones and their laptops and everything else, and then we use something like WiGLE online, where we can actually go on and say, hey,

you know what, WiGLE.net, I want to know what's in the 2164- zip code and I want to know what's on Main Street. Well, all of a sudden these names pop up. Or I want to search based on an SSID or a wireless friendly name for, you know, Governor Blah Blah's, you know... well, you can get addresses for people, you can do reconnaissance on people and places online before you've ever even seen that RF signal. So RF used to be you had to be in that space, and that's what we all loved about it, you had to be fairly close but didn't have to plug in. Now we can actually go online and track

some of this stuff. So with this tool, Blue_Hydra, you run it... when you try to stop it...

Live demos on stage always work, and it's always a V, that's the fun part. So in this case what I did was I put no info in. If I just run Blue_Hydra by itself it's going to scroll across the screen, it's gonna scroll in green across the screen and not be very visible to anybody, so that's not helpful whatsoever.

All right, so let me let that sit for a second. As they start to go out of green they'll start to come up onto the screen, so what we're seeing here isn't too helpful whatsoever. Here we go, now they're starting to pop up. So what it ended up doing is it comes up green. Green means it was just seen. It then goes to yellow; yellow means hey, it's been out for a couple seconds or more. And then it goes to white when it starts to time out. I have this in speed mode, so it's just rolling through them as quickly as it can. Now what I can also do with this is set filters up, set filters to

specific targets if I have them, and start tracking that way. This is all just Bluetooth that's in space of these radios right now. When we sit over in the village it's even crazier. What's interesting, though, is you'll see occasionally a range come up. See, this guy's on, there we go. So on the right hand side there's a range, 0.06 meters. That's this little guy here, that's this little device. It gives me the manufacturer name, the RSSI, or the power, and then tells me a range. Well, it actually takes the range of the device based on the power that it's transmitting from, based on the OUI, based on the MAC address, and it will

give you a distance vector away from that. Now this gets really cool, because now we can not only target something, hey, somebody's in this room, but somebody's in this room and they're 0.06 meters from me. Well, there's not much in there, so you can start tracking. We play a Bluetooth version of capture the flag and a wireless foxhunt with exactly these tools to get people to start saying, hey, by the way, if you've got devices on you they're not going to be as secure as you think, even if the device is completely locked down, because it's beaconing out and we have tools to start seeing this. This makes it fun for us, makes it really hard for the

contestants, because unfortunately when they're out in all this space they're running around, they're trying, you know, the fox is trying to run away from them, they're trying to chase it, and they're in between all these, you know, big bodies of water, which does horrible attenuation to radio, and you can't catch it as easily. So this is a game that we play. If you're interested in it, stop by the village, we can show you a little bit more how to do it, but this is one of the tools that we use. Zero did an amazing job setting this up and it works really well. Again, it's on Pentoo by default and it's on GitHub as well. Let's

see, oh, there we go. All right, so that's Blue_Hydra. Something new, though: layer 2 is an interesting beast. Layer 2 is interesting because it's dealing with the physical layer. Well, Bluetooth works at the physical layer too, just like wireless does, so we're always dealing with MAC addresses. So I was kind of thinking through this, it's like, hey, layer 2 is kind of cool. Who's heard of layer 2 ping, l2ping? Networking guys, telecom, okay. So l2ping goes across layer 2 on Bluetooth, using the physical layer to attach to a device that has an open socket. It was like, that's kind of neat, but what can we really do with this? So we got to talking

and I was like, hey Rick, what can we actually accomplish with this? I'd like to start tracking something. It's like, well, l2ping is actually used in Blue_Hydra to do some of the vector testing, but it's really just there as another check. It's like, hey, is it there? Yep, it's there, okay, cool. So this is just the man page from l2ping, but as we're reading through it, it's like, huh, so I can tell l2ping to go out of a specific radio. So if I have hci0, which is typically your internal Bluetooth, okay, that's neat, but what if I start sticking in external Bluetooth radios or

something that's gonna advertise itself as Bluetooth? Okay, cool, we can add this in. Packet size, packet count, and, not so big, ping flood, huh. If we use the -f in this we can now flood that device and start getting data back. Okay, this is kind of cool. So I'm driving down the road and I'm thinking, huh, we can track this, huh. Crap, oh that's right, so Bluetooth uses a master/slave connection. So you have your master device, which is the device connecting to the peripheral, then you've got the peripheral. Well, the peripheral actually takes the MAC address of the master device when they connect, which doesn't allow you to track the peripheral anymore. Huh, so it kind of disappears, but

we still have, you know, we still have some information. What we found was the only time these devices come into Blue_Hydra is when they're in pairing mode. So if you have your phone, and the use case we use and we absolutely love is, we were, you know, on a train, and everybody gets on the train. Who takes the Metro or the train some time? We're in DC, right, everybody does. They pop out, they sit down on the train, they grab their bag, they throw their headphones on, they pair their headphones and they start riding, and, you know, they fall asleep and nobody talks to anybody anymore. It's, you know, a really cold world. But they pair with their radio, so it's

like, cool, okay, so during that pairing we're able to see the device. Neat, that gives us a little bit of information, gives us the MAC address of the Bluetooth and/or the Bluetooth Low Energy or Bluetooth device that they're connecting to. This is cool, but it really doesn't solve our problem, because when Bluetooth isn't pairing it is dead silent, it does not talk whatsoever. In fact, when I unpause that, and it's huge, my Apple Watch uses the Bluetooth radio. I use an Apple Watch for a very specific reason: A, because my wife is an absolute Apple fanboy, and B, because it's actually a really comfortable, decent watch. What we found is they're also a heck of a lot

more secure than Android watches, and the reason behind it is the Apple Watch doesn't beacon out, ever. So you will not see my Apple Watch pop through this screen unless I do something to it to make it pair. Well, Apple Watches, Fitbits, all kinds of things like that are interesting to watch because in many cases they're named the same as the person using it. So this one says Rick's Apple Watch; I mean, there's very little places to change that. The Garmins and some of the others will either say they're a Garmin, or if they're paired to another type of phone and the phone has the right name, it's going to give up that person's name. So

it's like, huh, maybe we can figure out a way to get some information. So I was driving down the road taking my kids to a swim meet, because they swim, and it means I'm in the car literally all the time, and we had this idea. I was like, hey dude, listen, we need to come up with a way to track phones. I deal with some folks that need to track people on a relatively regular basis, and phones are the biggest problem, because happily or sadly everybody carries a phone. People use burners, people use repeat phones, people use phones that aren't as available as, you know, maybe another device that they might have.

They're not always carrying their laptop, they're not always carrying their tablet, those people have... does anybody not have a phone on them right now? We're doing this whole security conference thing, leave my phone at home and turn off all electronics. Okay, everybody probably has their phone with them, because that's how you're on Discord and Slack and terminal and work and everything else that you're doing. It's like, huh, a phone is a pretty standard thing on a person. Well, cars are now becoming a lot neater too, because cars have Bluetooth in them. Cars have Bluetooth in them because a lot of states regulated that you have to have some sort of hands-free device in order to drive and talk on the phone.

Everybody talks on the phone all the time. So we're like, okay, so we got a car, we got a phone, those are two really, really nice things to start adding to our dossier of tracking. So Blue_Sonar happened. We called it Submarine initially, because what it's doing is it's using a layer 2 ping to validate that a device exists. What we found that was really interesting is every device with a Bluetooth radio that's on will answer a ping if it is pinged. Think about that for a second: your computer has to be on a network. It always has a wireless radio, but it isn't always on the network; you can't ping your wireless radio externally, but

we can ping every single Bluetooth device that exists if we know the MAC address. And we get the MAC address a couple ways. We can get it when somebody is pairing, and that's, you know, part of the reason. We can also get it when we scan an area over time. When a device comes on, the Bluetooth radio beacons out. When something pairs it beacons out. They pair when people get in their cars, they pair when they get home and it connects to their smart home, their hub, their speakers, their Sonos, whatever it is. It pairs every time that screen comes up for Bluetooth, so if somebody goes to turn their Bluetooth off it

still pops up broadcasting out the Bluetooth, because the manufacturers of these devices want life to be easy for you. They want you to be able to say, I want to connect to this, and when I open up my Bluetooth I want it to connect, and it will do that for you. Well, that's kind of a problem, and it's a problem because now we have that bit of information. So as soon as it stops pairing it goes silent and you can't see it. Well, again, talking about my Apple Watch... jump, that's still flying, let's kill that guy.

Why not taping me, I'm not dating... there we go. All right, so what I did was I set up this demo with my watch, and I did my watch for a really interesting reason: for demo purposes it does a really good job. So Blue_Sonar is looking for my watch, and I'm wearing my watch. Now if you notice, the RSSI, or the power rating, is getting bigger as I'm moving away. It is sensitive enough that I can start moving my watch in any direction and it's going to alter the power rating almost immediately. So as I start to walk away it gets bigger, as I get closer it gets smaller. Put this visualization in with

the hash marks, or the pound sign, to kind of give you a better representation, but as you're tracking someone you're literally tracking them down to the "I'm up on top of you" with this device, and this is just off the internal radio. If I go to one of the other radios I can start tracking people from in this room. If I put a panel antenna on this I can track people within the hotel. Now a Bluetooth device that's on you all the time, that is now fully trackable. It gets a bit scary. So there's some use cases on this that we can talk about on stage, and there's some use cases that we can talk about in other

places, but let's just talk about it in terms of security of yourself. That device that you're carrying has a MAC address that is standard, that you can't alter. In most devices you can change your MAC address... it's got the ability to answer to a ping whether or not you want it to or not. So one defense against this: those of you that have Android devices, if you go into developer mode you have the ability with your Bluetooth radio to actually say I only want to make X connections at a time, and those X connections could be 1, 2, 20, whatever it is. Typically about 7 is where you start to degrade some signal, but you can

actually alter it so that if you know you have headphones and you have a car, I'm only going to allow that device to connect to two devices, and it won't answer the ping. Alternatively, if you are super, super scared of being tracked, take this tool and use it to your advantage. So what we found is if you have a Raspberry Pi with a battery pack and you run a script against yourself, running it on a continuous basis, you basically hold up all of the sockets that are available for pinging and your device isn't trackable. I don't necessarily love this as a solution, I think it's pretty dirty, I don't think it's extremely easy, and who's

gonna always remember to grab a Raspberry Pi, start a script, stick it in your bag and carry it with you? Turning Bluetooth off does fix this. The problem I have with that answer is we've been saying that for 10 years and nobody listens, so why is anybody gonna listen now? So if you have people that you work with that you're trying to protect, now let's forget about yourself, because, you know, we're all at a security conference, so we're all over-paranoid, and, you know, we patch all of our stuff and we turn our radios off when we're not using them and do all these things that we tell people to do. This gives you really no...

You don't at all? You sure? Oh, all right. [Laughter] Having the ability to give people an example of this is going to give you the ability to get some awareness out there. There's never been, that we've seen in the industry, a reason that people should absolutely turn things off. We tell people all the time, you have wired headphones, turn your Bluetooth off when you're on a plane. A plane is a big metal tube with signals bouncing around, and there's hackers on a plane, anybody heard of that before? Okay, right. So you have three hours, or if you're flying across country six hours, with a laptop and the internal radios, you get some hackers that know what

they're doing and get a little bored over that six hours, weird stuff starts to happen. I mean, Sidragon flew a plane sideways apparently and the FBI met him at the gate. You know, open Ethernet ports. By the way, that whole story is mostly fake, not completely fake, and he did try and disclose that. But what we're trying to do here is we're trying to disclose a vulnerability in an entire suite of tools that there really isn't a lot of mitigation on. Now, to that end, if you are... fantastic, anybody clicks their Bicks on a regular basis to test it, make sure it works? Yeah, still right with those things.

This is a really nice tool to add to your arsenal, having the ability to track someone to a place, if it's within your rules of engagement, that is less protected than where they work, if you can get approval to do it. We've gotten approval quite a few times in recent years on getting CEOs in play, CIO, CFO, CTOs, that kind of thing, heads of networking, heads of administration, to be able to say, hey, you know what, your vulnerabilities extend well beyond just the workplace; they extend back to those people's, you know, residences, houses. Again, everybody gets a little, you know, touchy-feely about that: I don't want them coming to my house. Well, do you think the bad guys

care if you want them coming to your house? I mean, I've always been a bit paranoid, and we were setting up the capture the flag about five or six years ago, actually Justin in the back of the room was sitting in my kitchen with me and we were testing the capture the flags. Well, next thing I know I find out there was a pizza car out front and we got pizza, and I looked outside at the pickup truck, I was like, eh, whatever, I live on a cul-de-sac. Turns out it was one of the contestants from the capture the flag sitting outside expecting us to be setting things up, and he got it and he did amazing. We

ended up having to flip the keys that morning so that they couldn't, you know, win based on just sitting there and collecting handshakes. So to think you may not get followed isn't exactly a viable solution these days, because all of us have something interesting to give up to someone else, and we're probably not as protected at home as we probably think we are. One of the use cases we use with this, and I'll let your imaginations kind of run, is there's a building or a compound or a fort or a set of fences, and inside of those fences are some people that we want to get access to. Well, we don't know who's in the building

because, you know, we don't have global surveillance all the time, and they've got underground entrances into the building, but we want to know who's inside. So what we do is we scan across and we look for Bluetooth devices, we look for Wi-Fi devices, we look for probes. Then we go up the road a little ways where one of those vehicles may leave, and we turn on Blue_Sonar based on those MAC addresses and we wait for that device to get close to us. We now can get a picture of and/or talk to and/or do whatever you guys, you know, can decide how that wants to work, without ever breaking a single law, because sniffing Bluetooth hasn't

been deemed illegal yet. Sniffing cell phones is, but I can still track you on your cell phone without breaking any laws. Sniffing Wi-Fi is sort of illegal, thanks to Google, but we're not breaking anything, we're literally just using layer 2 to find a device. So there's a lot of places where this could be really helpful. We do run this as one of the foxes. We've got a Samsung Galaxy that we run throughout the building that people need to look for, and that is a completely unmodified, fully patched, regular, fully working Samsung device that is on but nothing else, and they are able to track it pretty quick, almost faster than some of the other Bluetooth

devices. So again, we're going to write security down as an answer, but we're gonna actually talk about it in different terms. This is kind of creepy if somebody wants to find you. You know, everybody's got their own internal use cases. Some people don't want to be found by other people, whether it be, you know, an ex, you know, boyfriend, girlfriend, friend, you know, ex-customer, ex-something. You know, there's all kinds of reasons that you want to make sure that things are, you know, protected from your perspective. So that's Blue_Sonar. Blue_Sonar is really powerful. Like I said, it's in Pentoo, it's also available on GitHub. It is extremely

powerful and it will track anything you tell it to track within the tool. I just wanted to kind of show a couple things, because there are some options here, which is different from some of the other things we run. Just runs with blue... so you've got some options here. So you can specify a target, which obviously we're gonna want to. You tell it how much you want it to sleep. So let's say that you have a long-term thing that you're trying to find, letting it sleep for a second is okay. Letting it sleep for like a quarter of a second means it's probing constantly, it's ping flooding the air, which is how that part of the tool

works and it gives you as much information as you can get. You can tell it which device you want it to run off of within your system, whether you want to run hci0, hci1, 2, 3, 4 or 20. We had a contest that we ran down in North Carolina and somebody had one of these 10-port hubs full of USB devices sniffing multiple MAC addresses simultaneously. They ended up knocking it out of the park with like 6 devices in 15 or 20 minutes. We were working that outside on a 40-acre plot with houses and housing and buildings and all kinds of things, and they were able to just clear the place very, very quickly. You can tell it to sleep

between things, so let's say you want to be quieter for whatever reason you need to, it'll sleep for you. And then for both modes, which actually

taxi

so it's flying through, and the watch isn't even able to keep up with the amount of pings that it's throwing at it, and this is giving you all the information as you go. Now you can still see the bar, which is why we did the red and white, because as soon as it goes all red you can't really see it anymore. This can be helpful if you're doing any type of troubleshooting or you're really trying to get a good distance vector for yourself. At the end it tells you what the minimum and the max is on the rating: zero when I was literally right up on it, negative twenty-nine when I pulled it back. So very capable, very fast tool,

because all it's doing is using internal tools that most Linux distributions already have. So that's one thing. Now what I'm about to show you isn't brand new, and I apologize for that, but the implementation of it is absolutely amazing, and I don't think a lot of people know about it. Who has actually heard of MouseJack? Read about it? Okay. Who's done it? Okay, most people haven't, because flashing the firmware on these radios was a royal pain in the butt, getting the radios was even more difficult until recently, but on top of that it wasn't well known. Now what MouseJack does is it allows you to take over any device running a wireless mouse and

keyboard that's within a list of vulnerable devices. Those vulnerable devices are most Logitech (anybody ever use a Logitech mouse or keyboard? Yeah), Microsoft and Dell. Okay, hey, there's other wireless mice and keyboards out there, but not a ton. So what we found is, with this, it was a very difficult tool to use, but we love RF, we love doing radio frequency work, so I was like, let's figure it out. So Rick, and again Zero_Chaos, the guy that writes Pentoo, can't give him enough love or credit, and he would be here but he's at home at some sort of breakfast with Santa or something this week, I don't know. He was like, you know what,

let's make this easy. So he took MouseJack and he implemented it directly in Pentoo. Again, Pentoo is a live distribution; you can pull it down online, you can run it as a live CD, you don't have to install it. Gentoo's tough to use; anybody that was in the class yesterday, it took us a little while to get everybody up to speed. We talked about the learning curve being angled this way; most learning curves are this way. It's kind of a backwards learning curve: you've got to go backwards, forget everything you know, and then start moving forward. But for specific tools it does a great job. Typing mousejack from a root terminal tells you the firmwares that are

supported: the Nordic Semiconductor bootloader, the Crazyradio PA firmware, the RFStorm research firmware, and Logitech basic dongles. So the Unifying dongles that Logitech sells can now be flashed directly out of Pentoo with one click of a button. So basically you don't install it, you put it into your USB port, mousejack, logitech, install, and it will flash that device for you. So we don't have to go through any firmware, any crazy updates, anything outside of just running a command. Also implemented recently was JackIt. JackIt is a tool that will allow you to take over a mouse and keyboard while it's running, any mouse and keyboard. We run hardened Pentoo, updating the

kernel on a regular basis and making massive modifications to it regularly. We were testing it yesterday in class before the class started. Wasabi, he's in there with this stuff, and I was like, do me a favor, plug my mouse in for you. He's like, all right. He had the slides up that we were doing; I just ran, literally, an open-notebook, start-new-page with a Ducky Script. Ducky Scripts, for those that don't know: Hak5 wrote a Ducky language years ago that is basically kind of a combination of really ugly Perl and some BASIC and some, you know, some ways of interpreting commands in a pretty,

pretty Darren-friendly, usable language, and I love you, Darren. And it'll just take those scripts. So the Ducky Script I had was literally open up a notebook and say hello world. Well, I'm watching his screen, the slides that I was working on, he was working on too. New slide opened up, it typed hello world, hardened Gentoo with slides open, and it started running into it. Now that means that sudo su, open terminal, xterm, sudo su, SSH reverse shell back to whatever, and give me a port and a screen on that device would just be as easy as him using that mouse for me. So, completely implemented in Pentoo, fully functional, and jokingly tested. I was

carrying around a Windows machine just so that I could do the testing on this. Turns out I don't even need to do that; it works on Macs, Linux and Windows and anything that will run the mouse driver. Now that being said, this is what happens when you do it. So instead of actually talking about it, let's try it. You got a screen somewhere? That's just you. This one. cd

jackit, reset. So when you type reset, if you know how to type reset, what it does is it puts the radio back into a default mode. If you just run the script and you run it again and run it again, it's already in an injection mode, so if you reset every time it seems to work better. Ducky. All right, is this going to be green again? That would be really sad if it was. Okay, cool. So I have this plugged in, it's turned on, there we go. All right, so it's already picking up. Now this might be me, it might not be, I actually don't know, but it's going to scan out for anything running a wireless

mouse and keyboard. Now this is using the Crazyradio PA radio with a 2.4 gigahertz, like five and a half dBi antenna, so it's getting some decent range. So let's just hit control-C, and it's going to say, what you can't read here, select all or select... what happened? Oh, it stopped. That stinks. See, live demos never work.

What happened here?

Hence why we never do live demos.

It's falling out for some reason. Okay, so live demos fail, awesome. I didn't abort to the demo gods properly. But what it's going to do, and what it typically does, and I need to figure out why it's not working... oh, it's probably because it's on the same computer, that's why. Anybody have a computer? I won't do that to you, because I actually don't know what it's going to do on a device that's not one that's preset. On this one, it's going to go out and it's going to implement that command on that device. Like I said, with a Windows device on this separate system, it's going to actually pop it into a terminal,

open it up and go from there. So this is what the screen looks like when it works properly. It'll actually, and this may not actually be this device, it'll actually label it as a Logitech HID device. It gives you the packets that it's running, it gives you the information. Those packets can actually be replayed, which is another script you can run, basically replay. It's going to then send the attack to that address, which is the MAC address of the USB, and then it's going to run the attack. In this particular instance, that was the one we ran against Wasabi, and it did take. Well, it's a really, really cool implementation. It's not a new tool; I'm not in any way saying that

this is new or invented by us in any way, shape or form, but it was implemented in Pentoo very recently and it works really, really well. So if you don't want to go out and buy a new dongle and you already have a USB device on a Logitech device, you have the ability to use that right away, right out of the box. Now that being said, you will lose the ability to use that mouse and keyboard, but if you already know it's vulnerable, do you really want to keep it anyway? So, RF hunting and tracking. So we take all this information and we put it into a big package, and that big package is this

particular target. You know, if you get your documentation, you take your notes: this particular target has these radios, these wireless keyboards, these MAC addresses, and we put that into a script. So what you end up doing is you pull up to whatever your target is, you've got your laptop, your Raspberry Pi, whatever it is that you're using as your attack machine in your bag, you've got a phone SSH'd in to it, you've got all your stuff pre-staged, ready to go, you're clicking it off your phone. You could be sitting in the lobby of the place that you're working with or against and start running these attacks. But you need to make sure that you're using absolutely the right radios, the

right antennas and the right configuration and setup. The only way to do this is to test your equipment. This is my little soapbox, and you guys are here and not everybody's leaving, so I'm going to tell you about it. Testing your equipment is so vital, right, Osaka? Testing your equipment before you get to a conference. So what we find is people come into the conference, we set up the Wireless Capture the Flag to allow people to have a shooting range, to have a target, to have a target set to test all this stuff. What they end up doing, because everybody's always prepared for these kinds of things, they show up that day, they're still loading the operating system, they just bought

new radios, they just bought new antennas, they have no idea what they do, they're getting results and, like, I don't know if this is right or wrong. What we recommend people do is they actually test their equipment. The best way that we have found to test your equipment is outside in a known environment, typically like a football field or something that's labeled and marked. You stand at one end with your radios, with your antennas, with your configurations and setups, you put a router or something at the other end, a Bluetooth device or router, a keyboard and mouse, whatever it is you're testing, and you stand a hundred yards away, you get a reading, you walk up to 95

yards away, you get a reading. They're already marked for you, it's easy, and you take those readings and you write them down. Anybody ever do any shooting, like sniper shooting? You have a DOPE book, right, where you actually have all of your data: windage, time, angle, you know, whatever it is, humidity, wind, all of these things go into play. Well, if you're doing this and it's something that you enjoy and/or want to do professionally, it's really helpful to know how your equipment's going to react. So you get that information, and now all of a sudden you know, with this radio and this antenna combo and this laptop, I can get a quarter mile away from a target

and still get really good data, or I know with this setup I've got to be literally right on top of them, and sometimes that's better than having that distance and standoff. So you go through this, you get your power readings with whatever tool you're running with, you know, the example of airodump, and then you take really good notes and you hold on to those notes and you label your antennas. There's a guy that we had a talk on at DEF CON; it was an actual absolute abomination, but the talk itself brought out some really good information, one of which was there was a guy who actually names every one of his radios, he names every one of

his antennas. Now his names were kind of silly and pretty funny, and I don't know that they're, you know, good for public consumption, but he knew exactly what radio did what with what antenna and what setup and what configuration, down to what hub he was using, based on the power that was coming out of that hub and the measurements and everything else. That guy was able to target within feet of most of his targets. And again, when we're dealing with this type of stuff, you know, you don't want to necessarily... let's say you have a Ducky Script that's going to do a reverse shell back to you and you have a target, you know what you're looking

for. Well, you don't want to send it to the wrong person; you don't want to send it to, you know, the admin when you're going after the sysadmin. You don't want to send it to the wrong person because you're looking for specific data. So having this kind of information and the targeting distance is huge when you're doing direction finding. Again, I still believe it and I say it; anybody that's heard me speak has always heard me say this, so I apologize for those that have heard it: direction finding is the single most important tool and/or capability you can have in wireless, whether it is RF from a software-defined radio perspective, 2.4 gigahertz radios, 5 gigahertz, Bluetooth,

whatever have you. Having the ability to direction-find means, from a defensive perspective, you can find a rogue access point, you can find a loud talker, you can find somebody on your network. I was called up to a place in New York; it was like the size of all three of these rooms together, cubes, I'm sorry, tables, not even cubes, lined up. It was a code factory, literally; they were just building out code, 400,000 square feet of people just sitting, and there was a rogue device. They called me up like, we can't find it, we have no idea what to do. So I did some stuff, pulled out some data, found where roughly, you know, within this much space, where the

data was. Pulled out this little tiny log-periodic antenna that was, you know, highly directional, walked up to the seat where I thought it was. The guy who was with me is like, there's no way you did this. I tapped him on the shoulder, said, are you carrying a MiFi with you? Guy's like, oh yeah, yeah, the Wi-Fi here is horrible, I have to use it. It's like, here's your device. They walked out, they confiscated it, they walked out; apparently that guy was stealing code. So it worked out well, but it's not a skill that everybody can just do: walk into a space like this and, you know, find Sockos's radio, and keep picking on her

because we pick on her all the time, but find the device that she's using. Finding a rogue access point that's broadcasting out your SSID at work could be helpful; it could make you kind of important around there. So the best way to do it: two radios. It can be done with one; two radios is ideal, one with a directional antenna, one with an omni antenna. You stand in a space and you literally walk in a circle. As you're going in that circle, when the directional has the same power rating change as your omni, you're facing the right direction. Now the numbers are going to be off; you're going to have a stronger signal with your directional

than you are with your omni when you're on the right vector, but as soon as you have that, you now know, okay, I need to walk in this direction, and I'm about, I don't know, a hundred yards away based on my signal. So I put the omni down and start walking. Well, as soon as that signal changes, I know that I need to change my vector. It's very similar to following a compass; you tell people that are in the woods, trust your compass. Well, in this case, trust your radios, trust the output, but only when you know what the output's going to say and you know that it's predictable for you. So once the power setting gets into like

the negative 30s, and this is again with the tool called airodump, which I can show if we have time at the end, but once you get to about negative 30 from an RSSI, our power rating, you're within touching range. Now it might be, you know, this much space here, but you're able to get close enough that you can actually then really start to judge. Then you get the crappiest, absolute worst, craptastic antenna you can find. Told Wasabi this; he ended up taking a BNC connector, soldering or siliconing a paperclip, and putting it on his radio. Well, it takes the ohm weight, it takes the load off of your radio, but you've

got to be within feet of what you're looking for to find it. So the best stuff is nice initially, but then you get down to the crappiest stuff you have or the lowest power so that you can get close enough to actually start seeing things. Then once you're operationally close to the target: touch, destroy, gather information, do whatever it is you need to do. Your next steps are going to depend on what you're trying to do. Wireless targeting with a highly directional antenna is very similar to being a sniper, so you have somebody that's helping watch, you have your system, you have your vector and you have your target, and you start moving in from a

distance. Wireless and RF targeting is very difficult; you literally have to have lasers and/or GPSes to do it, but with the right team, with the right views, with the right scopes, you can actually get wireless to 3 miles. We did a line-of-sight contest at DEF CON, guys, it was like DEF CON 11 or 12, and the group that won rented a hot-air balloon, flew it over the horizon and made a wireless B shot and actually got pings across, I think it was like 25 miles. It was insane, but they understood wireless enough to know that they had to get above the horizon, they had to get outside of the fade and Fresnel zones,

and they made the shot, it worked. Again, I keep going back to it because it's important: go out, try it. If you've got radios with you, go do it. Pen, paper, radio, laptop, endpoint, target; see what you can find, have fun. These are our coins; we've been doing coins for a couple years. We are giving out coins to the winner of the Wireless Capture the Flag. We are also doing a black badge this year again for BSides, thank you, BSides. So if you win, black badge, lifetime admission. I think somebody in the audience may have won another... the same person I've been picking on, Misaka, take a bow. All right, sit back down. Oh, you already did.

And we've got some really cool sponsors that sell a lot of the really cool stuff that we show. They've got some amazing equipment: SimpleWiFi and some of the best antennas out there, Hak5, thank you, you know, Pentoo and all the others. So that's what I got. Any questions? Yes? Huh?
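The calibration and direction-finding procedure the talk describes (marked-field readings written into a DOPE book, then a directional-versus-omni sweep), as an added worked example that is not code from the talk, from Blue_Sonar or from Pentoo. It fits a log-distance path-loss model to RSSI readings taken at known distances, turns a later reading into a rough distance, and picks the bearing with the largest directional gain over the omni. The log-distance model, the setup name and every reading are constructed assumptions of mine; the only number taken from the talk is the roughly -30 dBm touching-range rule of thumb.

```python
"""Added example, not from the talk or from Blue_Sonar/Pentoo.

A minimal "DOPE book" for RF hunting, covering the two procedures the talk
describes:
  1. Calibration: stand on a marked field, record RSSI at known distances for
     one radio + antenna combination, fit a log-distance path-loss model, and
     later turn an RSSI reading into a rough distance.
  2. Direction finding: turn in a circle with a directional and an omni
     antenna; the bearing where the directional gains most over the omni is
     the vector to start walking.
The log-distance model and every reading below are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass
class Calibration:
    """One radio/antenna/hub setup, labelled the way the talk recommends."""
    name: str
    rssi_ref: float  # fitted RSSI (dBm) at the reference distance
    d_ref: float     # reference distance (yards): the closest marked point
    n: float         # path-loss exponent (2.0 = free space, larger with clutter)


def fit_path_loss(name, readings):
    """Least-squares fit of RSSI = rssi_ref - 10*n*log10(d / d_ref).

    readings: list of (distance_yards, rssi_dbm) as written down on the field.
    """
    if len({d for d, _ in readings}) < 2:
        raise ValueError("need readings at two or more distinct distances")
    d_ref = min(d for d, _ in readings)
    xs = [10.0 * math.log10(d / d_ref) for d, _ in readings]
    ys = [float(r) for _, r in readings]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx                  # equals -n in the model above
    intercept = mean_y - slope * mean_x
    return Calibration(name, intercept, d_ref, -slope)


def estimate_distance(cal, rssi_dbm):
    """Invert the fitted model: rough distance in yards for an observed RSSI."""
    return cal.d_ref * 10.0 ** ((cal.rssi_ref - rssi_dbm) / (10.0 * cal.n))


def find_bearing(sweep):
    """sweep: list of (bearing_deg, directional_rssi, omni_rssi) taken while
    turning in place. Returns the bearing with the largest directional gain
    over the omni, i.e. the direction to start walking."""
    return max(sweep, key=lambda s: s[1] - s[2])[0]


def within_touching_range(rssi_dbm, threshold_dbm=-30.0):
    """The talk's rule of thumb: at about -30 dBm you are within touching range."""
    return rssi_dbm >= threshold_dbm


# Constructed field readings for one labelled setup (not measured data):
# (distance in yards, RSSI in dBm) at the marked lines on the field.
FIELD_READINGS = [(5, -40), (10, -48), (20, -55), (40, -63), (80, -70), (100, -72)]

# Constructed sweep: directional vs omni RSSI every 45 degrees.
SWEEP = [(0, -70, -65), (45, -62, -65), (90, -55, -64), (135, -60, -65),
         (180, -72, -66), (225, -75, -65), (270, -73, -66), (315, -74, -65)]

if __name__ == "__main__":
    cal = fit_path_loss("radio A + omni, hub port 3", FIELD_READINGS)
    print(f"{cal.name}: n={cal.n:.2f}, {cal.rssi_ref:.1f} dBm at {cal.d_ref} yd")
    print(f"-55 dBm looks like about {estimate_distance(cal, -55):.0f} yd away")
    print(f"walk bearing {find_bearing(SWEEP)} degrees")
    print("touching range at -28 dBm:", within_touching_range(-28))
```

The fitted exponent is what the speaker's "this radio and this antenna combo" note captures numerically: a setup that measures a larger n in a cluttered office will put a target closer than the same RSSI read on an open field, which is why the readings have to be retaken per radio, antenna and hub rather than copied between them.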

It is only pinging. If there were a Bluetooth intrusion detection system that was functional and worked well, it would see the pings; it wouldn't look a whole lot different than the heartbeat threshold that a device would have if it's connecting to something else. Yes, you would be relatively vulnerable if the right instrumentation was in place. Somebody back there said they have an IDS for Bluetooth; I'd love to see it. But again, it'd be curious to see what it looks like in that place, but I have not seen one yet. Yes?
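The detection the answer above speculates about, as an added defender's example that is not from the talk and is not any real Bluetooth IDS: a sliding-window rate check over L2CAP echo requests per source address, flagging a source whose rate is far above a normal keep-alive heartbeat. The log format, the Bluetooth addresses and the threshold are my constructed assumptions; a real capture from a tool such as btmon would need its own parser.

```python
"""Added example, not from the talk and not any real IDS product.

A Bluetooth "ping flood" check of the kind the Q&A speculates about: count
L2CAP echo requests per source address in a sliding one-second window and
flag any source whose peak rate is well above a normal keep-alive heartbeat.
The log format below is constructed for this example.
"""
from collections import defaultdict, deque

# Constructed log, one event per line: "<seconds> <src bdaddr> <dst bdaddr> <event>".
# AA:BB:CC:DD:EE:01 probes every 200 ms (the quarter-second-or-faster sleep the
# talk describes); AA:BB:CC:DD:EE:02 sends a normal ~2 s heartbeat.
SAMPLE_LOG = """\
0.000 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
0.200 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
0.400 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
0.500 AA:BB:CC:DD:EE:02 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
0.600 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
0.800 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
1.000 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
1.100 AA:BB:CC:DD:EE:02 AA:BB:CC:DD:EE:10 ACL_DATA
1.200 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
1.400 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
1.600 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
1.800 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
2.000 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
2.500 AA:BB:CC:DD:EE:02 AA:BB:CC:DD:EE:10 L2CAP_ECHO_REQ
"""


def parse_events(text):
    """Yield (time_ms, src, dst, event) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            # integer milliseconds keep the window arithmetic free of float drift
            t_ms = int(round(float(parts[0]) * 1000))
        except ValueError:
            continue
        yield t_ms, parts[1], parts[2], parts[3]


def detect_echo_floods(text, window_ms=1000, threshold=5):
    """Return {src: peak echo requests seen in any window} for sources whose
    peak reaches the threshold. Lines are assumed to be in time order.

    Per source, keep a deque of recent request timestamps; on each request,
    drop entries that fell out of the window and record the remaining count.
    """
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for t_ms, src, _dst, event in parse_events(text):
        if event != "L2CAP_ECHO_REQ":
            continue  # only echo requests count toward the ping rate
        q = recent[src]
        q.append(t_ms)
        while q and q[0] <= t_ms - window_ms:
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: peak for src, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    for src, peak in detect_echo_floods(SAMPLE_LOG).items():
        print(f"{src}: peak {peak} echo requests per second, possible tracking probe")
```

The threshold is the part to tune per environment: the speaker's point is that a probe running with a long sleep looks like an ordinary heartbeat, so a rate rule only catches the aggressive quarter-second mode, and a quieter operator would need a longer window or a per-source count over minutes to stand out.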

I am a hundred percent not a lawyer. From the way that I've read the IEEE standard and the laws as they stand, you're not recording data, you're not intercepting data, and you're not doing anything encrypted or unencrypted. Huh?

So Google got in trouble for doing location with wireless and collection, correct. In that particular instance, again, I would talk to your local lawyers, because every state has their own laws. If you're passive it's hard to do anything wrong; I'm not saying it's legal, it's hard. Exactly. If you're doing this professionally, again, we always have very, very, very detailed rules of engagement with everything we're doing, and we get permission down to literally, I might pick up somebody's personal device if I'm doing something; we're not going to use it, but we might pick it up, and, you know, we have to. Absolutely, yeah, that get-out-of-jail-free card's important, especially when, you know, jail exists, the black helicopters do exist.

Now picking up passive signals is really hard to do by anything, so, you know, as long as you're not transmitting and you're not injecting and you're not trying to decrypt, usually you're okay. It depends on the jurisdiction. Did I skirt that question well enough? Any other questions that don't involve a lawyer? They might have to call one in a minute. Cool, thank you. [Applause]