
put this all together, really nice to see, besides spreading all across Europe, even in the country. I'm Steve. I'm from the UK, the formerly sixth largest economy in the world. And by the time I get back, if I've got euros left over, I'll be... Most people who know of me know of me on Twitter or from talks. So, normally my avatar is naked. Thankfully, I am not. Other than that, I kind of do pen testing for a living. I've been doing it for 16 years. It's getting, to be honest, but I still find stuff, so it still keeps me busy. I co-organise a little conference called 44CON. It's been running since 2011, and I run a pentesting mailing list to try and help people learn how to pentest well, because there are a lot of people coming into the market who say, "I want to be a pentester," and they go off and do it and join large companies that effectively treat them like a sausage factory, just putting people through, grinding them up and spitting them out. So I try to encourage people to learn to pentest properly. But this talk isn't anything to do with pentesting. This talk is about something that my friends and I do.

So a couple of years ago I started looking at the Internet of Things. And I like to think of the Internet of Things as a series of solutions to problems. And if you've ever seen the Internet of Things, you might have seen problems related to the Internet of Things. So this, for example, is SmartPlate. What is SmartPlate? SmartPlate is backed by science. What does SmartPlate do? It's backed by science. That's all you need to know. SmartPlate will tell you what you eat. I have another tool to tell you what I eat. It's called my eyes. These are smart socks. The smart socks themselves come with a widget that you plug into your phone, and there's an app, and the socks that you buy from them have got these little chips that tell them how many times they've been washed. So they can measure black levels to make sure that you've got properly black socks. They'll tell you when your socks need to be washed and when your socks need to be replaced. Again, eyes. My rule for socks is that if I throw it against the wall and it sticks, it's probably good for another week. If I throw it against the wall and it screams and tries to run away, wash time. And then the final thing I want to show you is the Egg Minder, whose company name I forget. The people who designed the Egg Minder got funding for it and they couldn't find the use case for it. So they didn't actually know why you would want to have something that tells you how fresh your eggs are in your fridge via an app and sends you alerts to say eggs going off. And I think it was actually LG that ended up buying them, and they made millions out of it. So if you look at the IoT market, it's kind of a lot like this. A lot of people selling snake oil, all arguing that their stuff is great without really knowing what value it adds to humanity. But if we take IoT aside and look at what's under the hood, most of the time you have a widget, and that widget is the
device that's built on a system-on-chip module, and what we can do is some pretty evil things with system-on-chip modules. So we can take off-the-shelf kit and we can take maker kit and we can do some bad things. And this talk isn't really about doing bad things, because in my country, aside from having no economy, we also have a set of really bad laws about hacking. And I don't really know about you, but I know I'm the prettiest guy in the world. His face is too pretty for prison. But what if we were to mix hacking and the quality control of the Internet of Things? What we could do is we could create the Internet of Wrongs. And this is something I've been exploring over the past couple of years, looking at IoT devices. And I brought some things today that I've built, some out of household objects that you can reuse and some stuff that is built using maker kit from scratch. I'll walk you through some of these devices, and later on we'll do a workshop where we'll go through one class of sort of hardware-ish type stuff you can do without actually having to know any electronics. So none of the things that I'm going to talk about today are actually very good. In fact, you may well feel a bit cheated by the end of this talk, but they are all things that you can pick up without prior knowledge. And if you read between the lines, what I'm not telling you about is the stuff that's actually quite cool that you can do with these things.

So I'm going to start with my failed attempt to move to Germany. Now, I imagine there's probably not necessarily going to be a huge amount of Germans in this room. But I tried to move to Berlin a couple of years ago and failed miserably, mainly on the grounds that my German is not very good. But while I was flipping between the UK and Berlin, I stayed with my friend D. Now, this isn't D. This is a stock photo that's meant to represent D's flatmate. And D's flatmate, let's call him Mark, was a very special kind of pearl of hipster. You see, when I met Mark, Mark had just bought a MacBook, and he insisted that Macs were the best thing ever. They were the ultimate personal computer. And you might think, okay, smart fanboy, fair enough. Why? And the answer will surprise you. Because it wasn't the operating system. It wasn't the hardware. It was the fact that he could wake up in the morning, bring his laptop to the breakfast table, have his breakfast, check the internet, read Facebook, shut the lid, go to work, come back home, open the lid, and he would be at 95%. And the reason for this is that he had a Lenovo that just had a ton of crap on it and drained his battery. So D and I tried convincing him that power management is actually a thing, and he was having none of it. So we kind of thought, if he doesn't understand power management, can we educate him through the means of a polite practical joke? So as I was flipping between the UK and Berlin quite a bit, I came back over to D's place and I brought with me some toys, and I said, "All right, okay. Well, there are lots of things we can do. We can go and take his MacBook apart. We can go and try and do something to some of the chips on there and do something cool. Or we can install a UEFI binary that will have a keylogger on it, and we can reconfigure it so that whenever we enter certain keystrokes it shuts the computer down, or it will turn off power saving, or it'll do something cool." And we kind of thought, if we open up a MacBook and it breaks, it's not a very good practical joke. So then we thought, why don't we go and put some malware on the device, and then that way, wherever he goes, what we can do is we can just have it
randomly do stuff to switch off. And again, if we kind of screw that up, that's not really a nice thing to do to him. So in the end we decided to go and look at Wake-on-LAN. So Wake-on-LAN is a very simple protocol, and somehow, despite there being a standard for it, most people don't adhere to it. So what you have is the concept of something called a magic packet, and there's Wake-on-LAN and Wake-on-Wireless-LAN and various forms of wake-on-this-and-that, but OS X in particular requires that packet to be on UDP 49. It's a very simple datagram. You send it to a broadcast IP and MAC address with a stream of FFs at the start and then the target MAC address you want, and the actual Wi-Fi card on the device at the other end picks this up, not the operating system, because the operating system's turned off, or the main core's turned off. And this is what the packet looks like in Wireshark. So you can see there's actually nothing particularly spectacular to it, but I just thought, well, I had an Arduino with me and I had this little CC3000 Texas Instruments Wi-Fi breakout, and I thought it would just be a good excuse to use that. I kind of thought if we go and start sending wake requests to Mark's laptop after he's gone to work, then obviously it will die before he gets home.

So to make something like this, you're going to need an Arduino Uno. You can use a Nano, you can just use an Atmel chip if you prefer, but probably if you're going to do something like this from scratch, you want to use an Arduino Uno if you're going to do it using an Arduino. If I was going to redo this, I would use an ESP8266 chip and put Wi-Fi on it. But you can get an Arduino Uno for about €10, and the TI CC3000 shield, because when it comes to Arduino, every device that you add onto it has its own set of libraries and its own way of doing things, and it's not always the same. But that's about €35, which is why, if I was going to do this again from scratch, I'd use an ESP, because it's about 5. And that's what the device looks like when it's powered on. And if you want to go and produce the software, then all you need is the Arduino IDE and the Adafruit CC3000 library. Again, different devices, different hardware add-ons, different Arduino shields and all those things come in at different libraries. If you've never used Arduino before, it basically uses a superset of C to kind of make it a bit more friendly. And there are two main functions. There's the setup function, which is where you generally configure your hardware, your pins and what you're doing in there. And then there's a loop function, which unsurprisingly loops. So this is the code, and the code's available on my GitHub, which I probably should have put a link to. I'll just walk through some of this stuff. So what we have here is we have our C headers at the top and all the uses. We set up the pins for the shield, and then we have the basic Wi-Fi network password and the security type. In the setup part, what we do, because the CC3000 is designed for building IoT devices, is: it expects to have an access point set up with an app on it. You connect to its Wi-Fi network, put in the details, it saves a profile, restarts the device, connects to the network, which is a common IoT pattern. So we don't want to do that. We're going to get rid of all connection profiles that are there, and then connect to the Wi-Fi network. And then in the loop function, because I'm a pretty terrible programmer, I branch everything out of those functions. The Wi-Fi function just prints some details and values for debugging, and the wake function is the full thing in effect. So you've got your sync stream and target MAC addresses. The CC3000 library has some really weird stuff in terms of the format that it expects, so you can't just use straightforward static socket functions or anything like that. And then we connect, we put the packet together, we send it, that's it. So far so good, right? So a very simple Wake-on-LAN sender that sends Wake-on-LAN every few seconds. Mark goes to work. Mac stays awake. He comes home. Mac's dead. Me and D have a little chuckle. And then we tell him that thing. And the reaction we kind of expected from him was something like that, because he really hated that and he really loves his Mac. Unfortunately, life has a habit of getting in the way of things. So I didn't get this working until the day before I was heading back to the UK, and
I was supposed to come back two weeks later and stay over at D's again. The week after I left, D had a family emergency and had to go back to the UK. And D and I sort of didn't really see each other for about 6 months. In the meantime, this thing was going off in D's flat, keeping that MacBook awake. So, what happened? Well, Mark went to the Apple Store and he said, "I have a problem. My laptop keeps dying on me." So the Apple Store took a look and they said, "We can't find a problem with it. Seems fine here." So Mark went home and his MacBook died. A couple of weeks later, he goes to the Apple Store and says, "I have a problem. My MacBook keeps dying." So they're like, "Okay, all right. We'll keep it overnight. See how it does." Right? So they keep it overnight. Sure enough, power saving kicks in. Mark comes back the next day. There's nothing wrong with your MacBook. Mark goes home. MacBook dies.
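The magic packet the talk describes (a sync stream of six 0xFF bytes, then the target MAC, which the standard repeats sixteen times), as an added example that is not the speaker's Arduino sketch: a builder, a strict parser, and a small check that flags which hosts keep sending wake packets to which MAC, which is the view a defender would want of the prank above. The MAC, IPs and ports in the constructed capture are assumptions.

```python
"""Wake-on-LAN magic packet: builder, strict parser and a small sender detector."""
import re
from typing import Dict, List, Optional, Tuple

SYNC_STREAM = b"\xff" * 6                       # the "stream of FFs" that opens every magic packet
MAC_REPEATS = 16                                # the target MAC follows, repeated 16 times
MAGIC_LEN = len(SYNC_STREAM) + 6 * MAC_REPEATS  # 102 bytes for the bare packet


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff'; return 6 raw bytes."""
    digits = re.sub(r"[-:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the UDP payload: FF*6 + MAC*16, plus an optional 4- or 6-byte SecureOn password."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS + password


def extract_wol_target(payload: bytes) -> Optional[str]:
    """Return the MAC a payload would wake, or None if it is not a well-formed magic packet.

    Accepts the bare 102-byte form and the 106/108-byte SecureOn forms. The 16 copies of
    the MAC must all agree; that is what separates a magic packet from any other datagram
    that merely happens to start with six 0xFF bytes.
    """
    if len(payload) not in (MAGIC_LEN, MAGIC_LEN + 4, MAGIC_LEN + 6):
        return None
    if payload[:6] != SYNC_STREAM:
        return None
    body = payload[6:MAGIC_LEN]
    mac = body[:6]
    if body != mac * MAC_REPEATS:
        return None
    return format_mac(mac)


# Constructed sample of "captured" UDP datagrams as (src_ip, dst_port, payload).
# Addresses are made up; 9 and 7 are the ports WoL senders conventionally use.
SAMPLE_CAPTURE: List[Tuple[str, int, bytes]] = [
    ("192.0.2.10", 9, build_magic_packet("a4:5e:60:01:02:03")),
    ("192.0.2.10", 9, b"\xff" * 6 + bytes(range(96))),   # FF prefix, but not a magic packet
    ("192.0.2.11", 53, b"\x12\x34\x01\x00"),              # unrelated traffic
    ("192.0.2.10", 7, build_magic_packet("A4-5E-60-01-02-03", b"\x01\x02\x03\x04")),
]


def find_wol_senders(capture: List[Tuple[str, int, bytes]]) -> Dict[str, List[str]]:
    """Map each target MAC to the sorted list of source IPs that sent it magic packets."""
    seen: Dict[str, set] = {}
    for src, _port, payload in capture:
        target = extract_wol_target(payload)
        if target is not None:
            seen.setdefault(target, set()).add(src)
    return {mac: sorted(srcs) for mac, srcs in seen.items()}


if __name__ == "__main__":
    for mac, senders in find_wol_senders(SAMPLE_CAPTURE).items():
        print(f"{mac} is being woken by {', '.join(senders)}")
```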
Apparently in the first sort of month he went back and forth a few times and pissed off the Apple Store quite a lot. So he went back and he said, "Look, I'm really serious about this. This keeps dying on me. What are you going to do about it?" And they're like, "We've had it overnight. Nothing's gone wrong. Where did you buy it from?" He said, "I bought it in Paris." They're like, "Well, go to the Mac store in Paris and get them to look at it." Now, I don't know if you guys have spent any time in Berlin, but it's a long trip to Paris by train, and it's quite expensive, and it involves two of the worst rail networks in Europe. So Mark went to the Apple Store in Paris and he said, "Uh, excuse me, my MacBook doesn't work." And they went, "Sure, sure. Okay, let's have a look. All right, it doesn't look like there's anything wrong. I tell you what, we'll keep it in overnight." Mark stayed at a youth hostel that night, not expecting to stay overnight, went back the next day and it was fine. So, 6 months after we put that in there, I go back and stay at D's. Mark had sold the MacBook. I noticed he had a Dell. So I'm like, "You got a Dell?" And he's like, "No, no, I got a Dell." I'm like, "What happened?" He's like, "Oh, the battery was really shit." And I'm like, "Yeah." And then I went and promptly unplugged it from D's. So, some lessons learned from this whole thing. First of all, the CC3000 series modules are really expensive. It's not worth leaving them somewhere for 6 months. Secondly, there's some sort of moral kind of thing, I guess, we could learn from all of this, which is that we should only use sort of, you know, malicious stuff for good. And if only I'd actually implemented some sort of command and control, I could have shut this off from back in the UK. So that's the story of the first device. I'm going to talk to you a bit about something that happened to me in
Cape Town. Well, not even to me in Cape Town. It happened to my friend. I was flying out to Cape Town to go and see some friends, and they're really, really cool guys, Nikki and Eddie. Really good friends of mine. This obviously is not Nikki and Eddie, but two people from a stock photo. So they're pretty chill guys, and they live in this apartment block in a Cape Town area called Newlands, and they have really, really crappy upstairs neighbours. And while I was on the flight over, they were out in the garden with my girlfriend, chatting away. All that happened was they were chatting at about 8:00 in the evening. They weren't being particularly loud or anything, just chilling out. And the upstairs neighbours started shouting from the balcony, from inside their apartment with the windows open: "Eddie is the dude. Eddie's the guy. Eddie is the man," and repeating this in kind of a really weird and sinister way. So when I got on the plane to fly out there, I thought everything was fine. By the time I'd landed, there had been a fight. There had been all kinds of stuff going on. So, you know, these are the takeaways of what we can learn from Eddie's neighbours about Eddie: that he is the dude, the guy, and the man. And that they kept repeating this over and over. So I said to Eddie, "All right, okay. So how can we [ __ ] with these guys?" One option would be, because I had a Pi Zero on me, to go and write some code to deauth anyone connecting to the neighbours' Wi-Fi. That would work. And then I remembered that I'd come back from New Zealand, where I did a talk at Kiwicon about a thing called the Thunderblade that I built. So a Thunderblade is basically just a Raspberry Pi with a bit of Python code that will automatically deauth based on DNS keywords. There's nothing particularly special to it, but it's a nice little thing to put together in an afternoon. And the whole thing was, when you see DNS packets with particular hipster-esque words going along, go and deauth people. So we parse DNS packets. This is the dpkt library rather than Scapy. Anyone here use Scapy? Anyone here find it rather big and rather slow? Yeah, on a low-powered device it's really tough to use Scapy for anything practical. dpkt, on the other hand, is super duper quick, but obviously not as good for packet analysis as Scapy, as evidenced by the fact that I did write some packet parsing, but it didn't really work very well. So I just used shout out to play. So I kind of thought I could build a Thunderblade and just have it so that instead of listening for requests, it just looks at whoever's on Jeff's network upstairs and deauths anyone who's on it. But then, as Eddie reminded me, I have a face that's too pretty for jail. So instead I said, why don't we build a device which I'm going to call Purple, mainly because at least the neighbours are. And what I used was this, which is a NodeMCU device, an ESP8266 chipset on there, costing about a euro, €2 for the chip, or this is a very basic breakout board called the SP15 for a NodeMCU. Just get it programmed in the Arduino IDE and stick a battery pack on it. So what comes out of the box quite clearly cracks open 802.11, and the process that I decided to use was to abuse some of the functionality in the ESP to algorithmically generate SSIDs consisting of "Jeff's the man", "dude" or "guy" plus an ID that's chosen at random, a two-digit ID, and broadcast them every 250 milliseconds. Because while obviously doing something malicious would be bad, just insulting people over Wi-Fi SSIDs doesn't really break the law, does it? So I'm going to go and switch this thing on. And if you go on Wi-Fi, with the demo gods smiling on us...
All right. So, the demo gods are smiling. You should start to see SSIDs popping up. Now, a funny thing about the way Wi-Fi SSID broadcasts work: I had to put a delay in, because only one device can talk on one channel at a time. And if you don't put a delay in, it floods that entire channel, thus blocking anybody from using it.

So why is this particularly better? So the ESP8266 uses a thing called the Espressif SDK, which is integrated into Arduino if you set it up correctly, and for about a euro we can do all kinds of naughty packet injection with the wifi_send_pkt_freedom function. The people who invented the toolset realised that some people were starting to abuse this and took it out. But the answer is just to use an old version of the SDK. And what I'm not going to show you today is something I did with two ESPs, partly because it's a bit unstable and flaky and partly because it would probably be illegal, which is two of these things. So for two euros, you have one ESP8266 device that scans for Wi-Fi connections and you have another one that sends deauths. But what you can also do is use deauths to reset the WPS lockdown on some routers. There's a thing in WPA called Michael which says if there are loads of authentication and association failures kicking in, then just basically shut down. So some lessons learned: the ESP8266 platform is certainly cheap, but it's not necessarily reliable. The SDK has a lot of memory leaks. You generally have to write code for a reset situation. It's a 3.3-volt platform, when a lot of the stuff that I use is 5 volts. So I end up always having to do stuff either on a Raspberry Pi or having to do stuff where I have to use Zeners to drop voltage, and Zeners are [ __ ]. So, meanwhile in the UK, anybody here ever played with SDRs? RTL-SDRs. Yeah. So if you've ever done any radio stuff, you'll find that normally what you do is you have a giant antenna out in the garden, and then you'll have a piece of coax cable running all the way into your house, and you'll have what's called a shack, which is basically a man cave for radio, and using a series of connectors you plug it into the radio and you do radio stuff. The problem with
this is that the cable attenuates the signal. So you end up with signal loss because of the cable going from the antenna to your device. So a while ago I thought, well, okay, why don't we use a cheap TV stick with a cheap pocket router and stick that right by the antenna, and then stream stuff over wireless instead. And thus I built this. This is a device that I have in my living room, just plugged in by the TV, because TV is terrible. And I've got a plane flying over there. So, what's it made of? It's made of a pocket router called a GL-iNet 6416A. This is a GL-iNet AR150, which is the device that replaces it. And it's about 20, and oh, there's also an SDR at the other end, which is just a straight TV stick, which is about 5 to €10. The GL-iNet comes from a family of routers that use the AR933x chipset, which is really, really handy for doing things like Wi-Fi and stuff, but it's also a very well documented chipset that a lot of OpenWrt support has been created for. There's also another chipset that's becoming popular. So for example this device, which is about 20, the HooToo range of devices, they use the Ralink RT5350F chipset, which is slightly odd compared to the AR933x but starting to become more prevalent; not very good for Wi-Fi, but very good for battery life.

So, if you want to build a Wi-Fi SDR, and in the workshop that's what I'm going to show you how to do and walk you through: you install some OpenWrt firmware, you install some extra packages, and then you set up a command called rtl_tcp to listen on a socket, and then you connect to it over Wi-Fi. I was going to do an SDR demo. Actually, I will do that. That's good. You'll get to see it when I do the workshop later. But what I can do is go into my home system.

Hallelujah.
All right. So what I've got on here is the device itself, from the other side of Europe. I'm not going to be able to do the straight RTL stream over this connection, but I'll show you what it looks like in the workshop. What I can show you, if I come over here, is the planes that are flying over my house at the moment.

So this in itself is probably not incredibly interesting, but when you combine it with something like this, what you have is a portable device that you stick a cheap TV stick on, and you can use it to monitor planes within a range of around 150 km. So this is London, this is Dorset, which is about, say, 150 km away, that's Oxford, which is maybe around something like 80 to 100 km from Portal, maybe a bit more. So all of this area of the south of England is stuff that you can currently see, that is far away. That's a jump, but we can see quite a large range of planes. And what we can do, because we can get the identifiers for these planes, is see where these planes have been before and what they've done. So if you were an enterprising person, perhaps talking to journalists, perhaps about flights by certain people within the European Union who've come to negotiate perhaps a particularly bad deal for Greece, you could, hypothetically speaking, build one of these devices and then go and leave it anywhere within 150 kilometres of the airport, and then pick it up when the battery runs out and start tracking where these flights have come from and which flights travel has been taking. Because the European Union does use its own set of planes. But that's an exercise left for you, because I'm too pretty for jail.

So why is it a wicked toy? Well, that's the obvious reason, but also there are things that we can do. We have the full power of the SDR with us, which is not that great a radio, but it's cheap. So, other expansions you could do: you could take a DS1307 real-time clock, for example, and plug that into the GPIOs, probably not on the HooToo because it's all surface mount, but certainly on something like the AR150. Having a real clock source on the device allows you to do interesting things with GSM. So you could use this to stream GSM decodes over to a more powerful system to go and maybe do something like cracking A5/1, if one was so inclined. There's also a package called multimon. Well, it's not a package itself, but multimon is a tool that decodes lots of different frequencies and lots of different ranges. So you can pick up things like shipping. You can track ships that are going through, the same way you can track stuff in the sky. You can also do things like, has anybody here ever heard of POCSAG? Okay. So POCSAG is the packet protocol that's used for pagers. If any of you guys have seen the little chunky things from the '90s where they have a little LCD display, and you ring a number and leave a message, and the
message goes out to the device and it vibrates. That's how IT support calls used to be done. People still actually use them all across Europe. In the UK, decoding POCSAG is a criminal offence. I am not in the UK. I don't know about the laws in Greece, but that law doesn't apply everywhere. And in places where it hasn't applied, you get to see some really interesting pages, because a lot of automated systems use them. You get everything from printer messages to, I think the best one was, I saw a series of pages once about a woman; this appeared to be some sort of call-out thing for the doctor, and it was like this woman's panicking and all the rest of it because her cat's not well, and all this panic and drama, and it's like, yeah, you know, need to get an ambulance, defibrillator needed, all this sort of stuff, and then it's like, oh, it's a cat. But you also get a lot more mainstream systems putting stuff out as well. You could use a 4G dongle on a device as well. So for something like the HooToo that only has one USB port, that's no good. But on other devices where you've got two USB ports, go and use a 4G dongle to go and stream the upload, for NTP sync. So if you have some processing and demodulation and decode on the device itself and then stream the content up, you're going to have a much better time than trying to stream the raw signals up. And you could use a micro SD card for data logging. So that HooToo that I showed you isn't any good for that sort of stuff. But this one is a HooToo TripMate Mini that's also running OpenWrt. I think I've got a camera firmware on here or something like that. But basically this has a smaller battery and it has a little micro SD card slot on the side. So again, you can have it write to a micro SD card and just do your modelling and pick it up later on after it's done and replace it with something else.

So to recap, these toys are all technically cyber weapons. They are all technically governed by the Wassenaar Arrangement. You might be surprised, but they are, even though they're crap. And the reason for that is they can still cause damage to things. And if you read between the lines of what I've been showing you, there are obviously cool things you can do with these bits of hardware. But hacking cheap hardware is a lot of fun. And just because it's cheap doesn't mean that it's useless. So I was going to show a final toy, but I'm not. I haven't actually got the kit with me, so there's no point showing things. But I'd like to thank Adafruit, without whom I would not be doing horrible things with electronics. And Kryptor Thor, who's a guy who wrote some similar code for Wi-Fi, which is where I got the idea from, and I stole some of this code as well. I'd like to thank Greg and Olga for having me, Yoda, and also Costa and all the crew as well. So, thanks very much for having me. Any questions at all?

Yeah, so I did a similar talk to this at BSides London, and then I pushed the code out, and then I wrote a blog post about it, and then my former friend Mark went and pointed at it and said, "You remember that time with your MacBook? It wasn't me, it was him all along." I was like, "Holy shit." But yeah, so he found out last week, and apparently he's not very happy, but I'm unlikely to see him again. Probably not if I'm around. Any other questions? Any questions about any of the technologies that I showed you? All right. Well, if you do have any questions, come and have a chat with me. I don't bite hard. And I'll be doing a workshop later on where I will actually show you how to compile your own firmware and push it onto the device to do so. And I'll just walk you through the process that I go through. So, thanks very much for having me, guys.