
Here's Kia with "Radio Frequencies All Around Us."

Thank you for coming to this last talk. This will be a talk about radio frequencies, as well as what data you are leaking and what is done with it. My name is Kia. I've been working in information security for about two years, working in various aspects of penetration testing, both web applications as well as infrastructure, looking at network monitoring, device configuration, as well as various types of assessments. Previously, however, I was a public school teacher as well as a digital filmmaker. I also made websites for people and gradually went further down into the stack and went back to school. In that process I played with Raspberry Pis and built different devices and learned
about the different sensors that can be plugged into them, as well as how easy it is to make these devices as well as collect various types of data.

What will be covered in this talk: a brief look at radio frequencies and how they transfer data; looking at the proliferation of IoT devices, because these are the devices that are really leveraging RF; and looking at the data that's being transferred from a security perspective. Three different IoT devices will be compared: a children's toy, an adult toy, and a medical device, a digital stethoscope. These are transferring data that really should be secured because it is our personal data.

How I got interested in this: I may have
participated in wardriving competitions associated with the DC719 folks, and in that process of passively listening, picking up information, data, wireless access points, and seeing how much information was transferred, learning about the encryption, potentially what you shouldn't do, but potentially cracking it if you have permission. So that got me in this sort of rabbit hole of RF and IoT devices.

So, radio frequencies, RF: it's data that's traveling through the air, and in a nutshell it's essentially using modulation to send digital bits, either ones or zeros. You can think of it almost like a frisbee or something that's being transported through the air, and a lot of it is done in plain text. So this
is the data that we're dealing with. For this talk we are looking at Wi-Fi and Bluetooth. This is part of the frequency allocation of the radio spectrum, and main IoT devices are using mainly Bluetooth in the 2.4 spectrum, or Wi-Fi, which is also in the 2.4 as well as 5. But understanding that with this proliferation of IoT devices, there's a lot of saturation within that 2.4 gigahertz range.

So there are millions of IoT devices. I was surprised in looking into this. At the recent CES a lot of these types of devices were revealed. So there's a Wi-Fi connected oven, light bulbs that you can control using a slightly vulnerable protocol, ZigBee. You can use them to a
mobile device to open up your garage, to access your home via camera, to look at what's in your refrigerator, potentially. There are also toys that are listening in on your environment. They range from dolls to spinners to things that you can put inside of your body. So IoT devices like toothbrushes are entering the market, where it's gathering how the child is brushing, for how long brushing is done, what temperature your mouth is, as well as St. Jude heart implants controlling somebody's heart, to other adult toys. Last year at DEF CON, goldfisk and follower did a great talk on We-Vibe and looked at the data that was being transferred. I looked for
recent statistics, because I've seen a broad range of different ones, and essentially the consumer market, if you look here, it's really a large portion of all of the IoT devices that are coming into our homes. Potentially right now we have five to seven million devices. Looking at a definition, they're essentially devices with sensors that connect, communicate with, and transmit information to other devices and send that data through the internet. This allows us to do really fantastical things. So, for example, the average person can get any sort of mobile device and, say, check if the house is being vacuumed via Wi-Fi. Very important. Smart tools, power tools, are being used to sync wirelessly and allow somebody to do
their record or bookkeeping online. Baby cameras allowing people to check on their babies. But potentially these are all internet-connected devices. Is this secure? What could possibly go wrong?

Another duality is, when you talk to manufacturers, there's a tremendous desire to push these products on into the market and capitalize from them, so they do want to give the guise that they are secure, and they make it very easy to set up. You may have heard of CloudPets. This is from their website two weeks ago. They still have "built-in security," and it says parents can choose who can send messages to their child and approve every message sent to the device. However, earlier this
year somebody said, "Hey @CloudPets, somebody named sa sending messages to my child, to my child's CloudPet, and the app won't let me block him. Please help." So somebody from the outside is reaching into the person's house and has taken that control.

However, security is important, and so here's another device. D-Link makes routers as well as other IP cameras, and so they also have "very easy to secure." However, also earlier this year, the FTC filed one of its first complaints. This is currently being settled; it's a lawsuit that is continuing.

So why are these security issues, why are these issues coming up? Very briefly, in getting into this, and I want to move
through this really quickly. Wi-Fi is plaintext data. So this is a scan of a coffee shop. I'm really amazed with what you can see when you scan a network, and so I do it quite frequently. People have their names of their laptops. Sometimes when you might be wardriving or just passively collecting information about wireless access points, people have named their access point their address or their last name. So this is something that you should really watch out for. This is data that's easily leaked. And you may have heard of Shodan, which is a search engine for the Internet of Things. So anything that is IP connected can be searched for on Shodan. So this can
include baby cameras or toys or even control devices that may be within the infrastructure of power plants, if they haven't segmented their network, or potentially hospitals.

So this looks at what these three devices have in common. As IoT devices become more and more commonplace, I wanted to know how they treated personal information as well as more about how they worked. So, Barbie. Barbie on Amazon: it's a toy for children. She listens to a child's conversation, sends it to a server, and then that server processes it and responds to the child. I mean, this is all happening very quickly, and it's very interesting in that she does use the home access point, the
wireless access point. This has been tested by other people and those results are available online, but I wanted to try it out, so do check it out if you're interested in this. As you're signing up for it, the parent potentially is asked to enter in personal information, so it does ask for the child's birthday. You can choose different holidays. You see that she does get a MAC address, because she's getting an IP; she's on a network. And I was fascinated, in working in InfoSec, you look and you've identified the vulnerabilities and then you create a report, and it's often assumed that the client is going to move on all of those suggestions. So one of the
things that was found was that Barbie is an open access point with a very predictable name, and I was surprised to see that this was still a vulnerability. She is, I shouldn't say she, it's really it, so it is transferring data using TLS encryption, and previously she was using just regular unencrypted HTTP, so that was an improvement.

Looking at the privacy policies and what happens to the data: along with recording a child's voice and sending it to a server, they have the rights to keep it, do analytics on it, make their product better, and it's really ToyTalk that's supplying, going through, the recordings that Barbie is
saying back to the child. I was fascinated to see that they can keep, store, process your personal information in the United States, but that they have the right to also take it, transfer it to other countries.

So we're going to move on to the next device. Vibease is an adult toy. It's geared toward women. It uses Bluetooth Low Energy to pair the peripheral device to the central device, which is the iPhone. I was fascinated with this because it's a mobile app that is a social network, so it allows people to, you invite them to this network and let them control it from wherever they are in the world.
So as you're signing up for the app, she's sitting on the couch and it says "distance doesn't matter." Working in InfoSec, this is a little bit concerning, because it's anybody on the internet who can get to this. So I thought I'd sign up for it. But this is essentially how it works: the partner, whoever, wherever they are in the world, you can see that there's chatting going on, so they're exchanging pictures, they're chatting, and then it will go through the internet, and they could be like sorely making like finger patterns, and that is sent to the vibrator at the other location. So they're using the open network, and then once they're
inside of, within close proximity to the device, it then sends that command via Bluetooth. What could go wrong?

So privacy is important. This is something where very personal information is being transferred, and so when I got this app I was like, do I want to sign into Facebook? No, you don't. So I went through the signup process and it wanted access to all of my contacts, which I was like, no, and then it wouldn't work. So let me back up a little bit. I wanted to see what this traffic was like, so I set up a Bluetooth sniffer and simultaneously set up man-in-the-middle proxy so I could see the Bluetooth
traffic as well as the traffic that the iPhone, or the personal device, was sending. So none of it would actually connect to create an account with the proxy, so I had to take it all apart, go back, and it still wanted to access all of my contacts. When it does that, it overlays itself over, like, starting from the alphabet, like there are kids in there and there are co-workers in there, and it's like, who do you want to invite? And it's really scary because you might touch the wrong part of the screen. So I was like, okay, let's try it out, be really careful. This next screen is the privacy settings. So you can change the
password. The password, there wasn't any need for it to have any sort of password complexity. You could turn on security, which essentially allowed you to set a four-digit code for the pairing process. And this last one, it says "enable analytics," and so analytics was on by default. I really didn't want that, and so I turned it off. The Bluetooth connection, that was actually sending encrypted commands, so that was good. I went through the process. Part of it is plaintext communication, so it is broadcasting its name, because you want to find it and pair with it. However, in the man-in-the-middle proxy, even while analytics was off, every time something happened, an action occurred or your partner sent you a chat request,
a flurry of information was sent from the device, and so in looking at it I was like, that, I turned it off. So these are in addition to the regular analytics that the device is taking and sending to its own servers. Because, oh, I didn't tell you about this: this app also allows you to download books from their site, and so it reads the audio, and as you're listening to it, it sends out vibrations according to the story. So I was like, this is a really fascinating application. In looking at these, there was a lot of information that was being sent. Times were being logged. Some of it is like,
okay, this person is using this device. Implicit logging was on. Here's Google Analytics, and it was tracking everything, similar to when you put any sort of application within any sort of web application that's being browsed. So I thought that if I turn it off then all of my actions were not being sent. However, that was definitely not the case. And so looking at their privacy policy, it said, you know, we use information for analytics to help us deliver and improve our products and services and manage our business; if you do not wish to participate in improving the app, you may opt out by disabling the analytic function from the settings screen. So they had a page on their
website about privacy, and that security is important to them, and please let them know if you find any vulnerabilities. So two days ago, on July 24th, I wrote them a letter saying... oh, and I also slightly took a look at their website and sort of scanned it, but just on a very superficial level, and even though they say that they're using SSL to encrypt all of your traffic, they were not making all of their website calls for their assets, their images, and so those were loading via regular HTTP. So if anybody's looking at that traffic, you know exactly what the person is looking at. So I sent that information along with, oh hey, and by the
way, your analytics, if you turn it off, it's actually tracking the whole time, like it makes no difference on your application. So he responded very early this morning, at about three o'clock, and said, oh, thank you for sending it, we are taking a look at it.

The other device, I'm going to go through it really quickly. Sorry, I think I'm running out of time. This is the Eko device. It digitizes the heart rate and it sends it via Bluetooth to a smart device. It says on their website that it is HIPAA-compliant sharing. This device is currently used in hospitals. If you go to their website, you'll see a list of the people who endorse this device, and it
says right underneath it, bring in a second opinion by texting or emailing a quick recording to somebody. And if you look at anything having to do with HIPAA, there are about 18 PHI identifiers, and so I was really interested in this. I got the app, set up an account. You need to create a PIN; it's a four-digit PIN that pairs with a device. And in loading my app, I didn't purchase this device, because it's about $200, but I wanted to see how this worked. For a brief moment as we're signing up it says something like, "Thanks for your patience, getting your patients' data," so it seems
as if it's reaching back to a database, getting ready to present me with something, and I'm not a doctor. It turns out that the information that they get, this is taken from their privacy policy, the different types of information that they get, they can store it on your mobile device as well as in their secure database, which we don't know, maybe it is secure, I hope it's secure, and payment processor database, so it's also PCI that you're concerned. They get the name, address, email, phone, other demographics like record ID of the patient, date of birth, gender, payment card information, associated billing address, heart rate, along with other personal biometrics like mobile device accelerometer data,
average heart rate, location of the body where the heart sound is taken, local time, time zone, and geographic location of the heart sound. So in looking at the types of patient data that's collected, out of the 18 PHI, personal health information, indicators, they are collecting everything except social security number and driver's license information. Who is responsible for this? According to their policy, the user, whoever is using it, is fully responsible for following all laws that regulate storage, transmission, and disclosure of any patient data through use of the software. If the user becomes unable to comply, then they just shouldn't use it. So essentially they've transferred all of that risk to either the doctor or
institution that is using it, and they tend to get very excited because it does improve the level of care that they can give to patients. Looking at data transfer and what they can do with the data, I found it really fascinating in that they could also transfer this data that they get in whatever country to any other country for processing, because they're getting tremendous analytics about people, so it could be transferred to a country that may not have the same data protections.

So what do all these devices have in common? Hello Barbie, a female vibrator, and a medical device: they're all IoT devices. They all take different types of personal data depending on the sensors
that are on the device. They all have web sharing apps, so either the parent can send the voice of their child, Barbie, to other people, the person using the adult toy can invite other people, or the doctor, whoever is using the digital stethoscope, can send it to other people to take a look at it or get a second opinion. Barbie and Eko can potentially transfer the data outside of this country. Don't know about the vibrator. So the data that's being leaked, well, it depends on a lot of things, and a lot of things need to be secured as there's a proliferation of IoT devices: the security of the IoT device itself, the security of the home and the networks
that are used with the mobile device, the security of the mobile or web application, how it's designed, security of the actual mobile device that's the controller for the peripheral IoT device, the privacy policy of the devices, and the overall security of a network or the cloud where it's being hosted, or potentially hosted in another country.

I want to thank you all for coming to this talk, because it is one of the last talks of the day. I want to say thank you to my mentor, Jay Radcliffe, for providing his mentoring services. Thanks for your patience. Do you guys have any questions? Raise your hand if you have a question.

What hardware did you use?

I'm
sorry, what hardware did...

What hardware did you use in your analysis?

So when I was... for which part? For wardriving, or for proxying, or for sniffing the device? I played with Ubertooth, as well as in trying to set it up with the plugins with Kismet and Wireshark, and ended up using Bluefruit from Adafruit and using Nordic RF and the integration in with Wireshark, an early version of Wireshark. Man-in-the-middle proxy was used, as well as just other web tools to look at their website. Any other questions?

So I'm guessing you've heard about the CloudPets breach earlier. What are your thoughts on some of the other information that might be leaked like
this, how they might be storing, say, Vibease or any other kind of device that might be rather personal? How do you think this is going to be handled in the future? Like, what do you think is the right way to deal with this?

So do I need to repeat the question, or is it cool, did everybody hear? Yeah. So with CloudPets, their database was totally exposed, like it was internet accessible, there was no authentication that was needed, their whole database was just out there. I mean, those types of... I hope that it doesn't happen, but I suspect that there's a lot of information that is, simply from working with different
products within their development cycle, and so you get access to networks, and as you're doing your exploratory work, sometimes you do come across those databases that are exposed, so then you can quickly talk to the client and say, hey, we need to talk right now, we need to figure out what we need to do to fix this. But that's not always the case, because there's this big push to get all of these devices to the market, but there's nobody watching, really. The FTC is doing work, and good work, but there's nobody there. There are different industry groups that have come together, like for example there's the Bluetooth SIG, but those are just small aspects of a very
large, of a much larger thing, for lack of other words, for the IoT world. I hope that we can come together to figure out something, some bodies that can look over this. I mean, I hope that more devices are pen tested before they get to the market.
Yeah, and sometimes their website isn't even up, like something, so these consumer devices are hitting the market and... thank you for coming. I've been given that.

Yeah, sorry, I let you go over with questions, but thank you. Today we're gonna get started in just a few minutes.