
BSidesATL 2015: Hacking 802.15.4 - Thermostats, Security, and More by Ryan Speers

BSides Atlanta | 46:08 | 814 views | Published 2015-04
About this talk
**Apologies for poor audio quality due to technical difficulties!** IEEE 802.15.4 is the base for popular protocols such as ZigBee and 6LoWPAN that are used for home automation, security, power control, medical monitoring, and more. After an introduction to the protocol and its uses, we'll show how to use open source tools (such as KillerBee) to find, capture, and inject packets into the protocol. In this talk, we'll share a few basic attacks that you can try, and dive into a "Packet-in-Packet" attack to show how to "jump" from higher layers to control layer 2.
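As an added example, not code from the talk, KillerBee or Scapy: a Python inspector for captured 802.15.4 frames that parses the MAC header and flags, from the defender's side, the frame-level conditions the talk covers (an ENC-only security header whose frame counter is already at its maximum, an FCS mismatch from a collision, and a second preamble/SFD/length sequence carried inside a payload, the packet-in-packet shape). The frame bytes are constructed here; field offsets follow the IEEE 802.15.4 MAC header layout.

```python
"""Added example, not code from the talk, KillerBee or Scapy: inspect raw
IEEE 802.15.4 MAC frames and flag a maxed frame counter behind an ENC-only
security header, an FCS mismatch, and an embedded PHY sync (packet-in-packet)."""
import struct

SFD = 0xA7                              # start-of-frame delimiter
PREAMBLE = b"\x00" * 4                  # 2.4 GHz O-QPSK PHY preamble: 32 zero bits
MAX_PHY_LEN = 127                       # PHY length byte is 7 bits (aMaxPHYPacketSize)
ADDR_LEN = {0: 0, 2: 2, 3: 8}           # addressing mode: none / short / extended
KEY_ID_LEN = {0: 0, 1: 1, 2: 5, 3: 9}   # key identifier field size per KeyIdMode


def crc16_ccitt(data: bytes) -> int:
    """802.15.4 FCS: CRC-16, poly 0x1021, init 0, LSB-first, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_mac_frame(frame: bytes) -> dict:
    """Parse FCF, addressing and the optional aux security header; verify FCS."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    fcf = struct.unpack_from("<H", frame, 0)[0]
    info = {
        "frame_type": fcf & 0x7,
        "security_enabled": bool(fcf & 0x08),
        "pan_compression": bool(fcf & 0x40),
        "dst_mode": (fcf >> 10) & 0x3,
        "src_mode": (fcf >> 14) & 0x3,
        "seq": frame[2],
    }
    if info["dst_mode"] not in ADDR_LEN or info["src_mode"] not in ADDR_LEN:
        raise ValueError("reserved addressing mode")
    pos = 3
    if info["dst_mode"]:
        pos += 2 + ADDR_LEN[info["dst_mode"]]            # dst PAN ID + dst address
    if info["src_mode"]:
        if not (info["pan_compression"] and info["dst_mode"]):
            pos += 2                                      # src PAN ID is present
        pos += ADDR_LEN[info["src_mode"]]
    if info["security_enabled"]:
        sec_ctrl = frame[pos]
        info["sec_level"] = sec_ctrl & 0x7                # 4 = ENC only (AES-CTR)
        key_id_mode = (sec_ctrl >> 3) & 0x3
        info["frame_counter"] = struct.unpack_from("<I", frame, pos + 1)[0]
        pos += 5 + KEY_ID_LEN[key_id_mode]
    if pos > len(frame) - 2:
        raise ValueError("header runs past end of frame")
    info["payload"] = frame[pos:-2]
    info["fcs_ok"] = crc16_ccitt(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]
    return info


def find_embedded_phy_sync(payload: bytes) -> list:
    """(offset, inner_len) wherever preamble + SFD + a length byte appear and
    the whole inner frame fits inside the payload: the packet-in-packet shape."""
    marker = PREAMBLE + bytes([SFD])
    hits = []
    for i in range(len(payload) - len(marker)):
        if payload[i:i + len(marker)] != marker:
            continue
        inner_len = payload[i + len(marker)]
        if inner_len <= MAX_PHY_LEN and i + len(marker) + 1 + inner_len <= len(payload):
            hits.append((i, inner_len))
    return hits


def inspect(frame: bytes) -> list:
    """Human-readable findings for one frame (empty list when nothing is flagged)."""
    info = parse_mac_frame(frame)
    findings = []
    if not info["fcs_ok"]:
        findings.append("FCS mismatch: frame damaged or collided; receivers will drop it")
    if info["security_enabled"]:
        if info["sec_level"] == 4:
            findings.append("ENC-only security level (AES-CTR): no MIC, payload and counter unauthenticated")
        if info["frame_counter"] == 0xFFFFFFFF:
            findings.append("frame counter 0xFFFFFFFF: storing it blindly rejects every later legitimate frame")
    for offset, inner_len in find_embedded_phy_sync(info["payload"]):
        findings.append(f"embedded PHY sync at payload offset {offset}, inner length {inner_len} (packet-in-packet)")
    return findings


def build_data_frame(seq, pan, dst, src, payload, aux_sec=b"") -> bytes:
    """Constructed data frame: short addressing, PAN ID compression, trailing FCS."""
    fcf = 0x8841 | (0x0008 if aux_sec else 0)
    body = struct.pack("<HBHHH", fcf, seq, pan, dst, src) + aux_sec + payload
    return body + struct.pack("<H", crc16_ccitt(body))


# Constructed sample 1: level 4 (ENC only), KeyIdMode 1, frame counter and key
# index both all-Fs: the one-frame denial-of-service frame the talk describes.
AUX_MAXED = bytes([0x04 | (1 << 3)]) + b"\xff" * 4 + b"\xff"
DOS_FRAME = build_data_frame(0x10, 0x1234, 0x0001, 0x0002, b"\x11\x22\x33", aux_sec=AUX_MAXED)

# Constructed sample 2: an ordinary frame whose payload carries a second
# preamble, SFD, length byte and a complete inner frame.
INNER = build_data_frame(0x01, 0x1234, 0x0001, 0x0002, b"\x01\x02\x03")
PIP_FRAME = build_data_frame(0x02, 0x1234, 0x0001, 0x0002, PREAMBLE + bytes([SFD, len(INNER)]) + INNER)
```

Running `inspect(DOS_FRAME)` and `inspect(PIP_FRAME)` yields the two findings and the packet-in-packet finding respectively, while `inspect(INNER)` on its own is clean.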
Transcript [en]

Can you hear me? Am I too loud? Yeah, let me know if any of those change. I'm happy I'm not the closing keynote, because I'd stop you from getting to an after party, so I'm very happy that somebody else will have that privilege. Thanks, dude. Anytime, throw you under the bus. I am the director of applied research at iic Security; however, you will see the disclaimer slide in a second, and it says this is not their fault. What I'm going to talk to you guys about today is 802.15.4. It's a protocol for low-power wireless, although sometimes it's known as ZigBee. That's actually slightly different, but same purpose, I'll put that out there. This is going to be very different than, I think, most of the talks today. It's not endpoint systems, it's not Windows, it's not any of those good network things that we all might work with in some of your day jobs, but I hope it's still useful, I hope it's still at least interesting to you guys. I'm going to go through this, but it's sort of a summary, it's a survey of this topic, because I thought not a ton of people might have deep experience with it. I wanted to sort of give you an overview, so as we go through sections, please feel free to raise your hand and stop me if you want to discuss more of those, instead of me going through the whole thing and leaving us all spinning.

So I'm going to talk about where this is used, what the protocol looks like, how you can interact with it as an individual researcher or as a user of it in your home or work, some really basic attacks, network mapping (everyone likes war driving), and then go a little deeper into some of my current research on this protocol, yada yada yada.

So why do we care about this? These 802.15.4 radios are used, and you see the sort of pitch deck on the right there, those are all the cool ways you can use it: building automation, smart energy. But some of the things that we have to take away from this is that all of these are things that interact with the physical world, some of them more than others, some in critical applications, some less so, and then proliferation, right? When they talk about their market share continually improving, that's great news for them; we just need to be concerned about the security at the same time. So what do we call all of those things on the right? Those are really attack surfaces for attackers that all are tied into this protocol. So some devices, right, if we look back at this screen, what are on there? Building controls, smart energy. Some of those things might be home security systems that are starting to be

rolled out, smart thermostats that allow electrical companies to set dynamic rates. A lot of these are really nice features to the consumer or the business world. But what does the protocol look like? What do you, as a user of these devices either at home or in business, maybe you want to understand what's happening here and not accept it all at face value. So a little bit of the difference right here: we have our little modified OSI stack, so we can see our different layers. I'm going to be talking mainly today, for the sake of building a basis, at the PHY and the MAC layer, so that's technically known as 802.15.4, and the higher layers that I didn't show there are called ZigBee. Other things that are built on 802.15.4 are things like 6LoWPAN, right? So if you guys have looked at IPv6 over low-power wireless, that's the protocol that does that. So in general you can have a bunch of topologies: star, mesh networks. These are really nice ways to build self-healing systems. Device classes: there's generally three. Full functionality, which is your coordinators, trust centers, and routers; think of things plugged into an outlet. And then reduced functionality, which are the little door sensors on your security system, your motion detector, your little door lock that for some reason you want to be able to unlock from a key fob that talks over this protocol and is Internet connected. All of those things are those reduced functionality devices.

And then, very interestingly, there is, I mean I don't want to skip over this, there is security baked into this system, right? You have the choice as an implementer of choosing confidentiality through encryption, authenticity through basically HMAC, or both. You have to be careful which one you choose, and you need to choose something, and that's sort of where we see a lot of the implementation weaknesses in this protocol come in. There's some that are very dangerous to choose together; in fact they'll allow a one-frame denial of service we'll show you how to do later. There's others that are great, but even if you read the developer documentation for some of these, they warn you that it takes, you know, 32 or 16 kilobytes of code to implement security, and on an embedded microprocessor that's a tradeoff to the company. So we just need to take a look at those when we're auditing these. Just because it uses ZigBee, which is a protocol that does support security, doesn't mean the developer chose to enable it or to handle the keys securely.

So all of us, I'm sure, or most of us, are used to looking at an IPv4 and

TCP frame, right? I throw this up here just to give you an idea of what these look like. They're not too different, right? You have your frame control field, this is like your headers, all your bit masks, what am I sending, sequence numbers, addresses, ooh, an optional security header, because it can be zero length, we wouldn't want to force you to use security here, your payload, and your checksum, which is a non-cryptographic checksum just for radio collisions. And you start to see those yellow arrows, which are showing the interrelationships between fields, and there's a lot of interesting interrelationships between fields in this protocol that you have to get right, both as a device implementer but also if you're trying to attack it. You have to be careful about forging frames that are valid; you can't just choose one of these, right, hex editing a frame, and be fine sending your attack. It may just fail the protocol spec.

So how many people in here have used Scapy before, or "scappy", whatever you want to call it? Familiar with it? What type of protocols have you done on it? IP, TCP? Okay, well, thanks for using the... did you write your own or did you download ours? Thank you. Did you push the code back? No? Please, not yet? I will, thank you. Yes, so I'm glad people are using it. So what I was getting at with that is we have published 802.15.4 and ZigBee bindings for Scapy, and we would welcome anyone improving them and sharing that back if you're able. And then that's just because all of those relationships are tough, right, and I'm not saying we got them all right in that first implementation, but trying to use those to explore and parse or to attack this protocol. I started off building these frames by hand in a hex editor, and that turned out to be a really dumb idea because of all these interrelationships.

Okay, this is a review slide, I assume, so let's go through this quickly. Who's done wireless attacks on 802.11? Yeah. So you want to be able to see the packets: sniffing. You want to be able to send your packets: injection. You want to be able to play with those: tampering. You start getting into some interesting stuff, and of course this is not endorsed and you should make sure that you can legally do any of this, right, interfering with other transmissions, so jamming. And we see, at least in my audits, I've seen more and more people put in jamming detection as a countermeasure. If you do this, the next one down comes into play: collision, sometimes called reflexive jamming. So you can do jamming where

you're constantly transmitting, right, I'm just flooding your channel with noise, the traditional, like, military way of interfering with adversarial radios, or, you know, your old 802.11 attacks, right, like good luck accessing that hotspot because I'm filling the air with noise. But people have started implementing things to notice that and report that, especially in security systems, that they want to know if somebody's flooding and going to break into the house. So then you get into only jamming when you want to collide with a specific frame that you want to stop from getting to the intended recipient. Then the last four is sort of routing attacks, almost at the higher level. I'm going to go through most of these fast because they play into ZigBee more than 802.15.4. Exhaustion: wearing out the battery is one way to do exhaustion when you talk on low-powered devices. This is somewhat practical; in about one to two days you can kill some devices depending on your attack. That may be okay, may not be. Another exhaustion is using up somebody's entire memory table because they don't check their bounds on their memory tables. Not saying people don't do that, but if they did, you know, you might want to fill up their limited memory on a small microprocessor. Unfairness, greed, homing, misdirection, black holes: this is messing with the routing protocols in these attacks. Flooding, desynchronization: this is again messing with the router's tables, basically their internal state; they don't do a lot of checks.

So let's start off by just saying you want to see the packets, you want to start. I am going to hope at this point I've given you some reason to either fall asleep or say that I'd like to at least learn how to play with this protocol, and I'm not offended by either. So seeing the packets and being able to send them: you don't have an Ethernet adapter you can just plug into your laptop and start doing this, so we need to get some fun things out. There's a variety of hardware options; there's positives and negatives to all of them. Some of them are hardware from companies like Atmel, sort of development boards, packet analyzers meant to work with sort of proprietary software for looking at these, Arduino clones, or go all the way to a software defined radio with a USRP, if you have the money and a stack of devices to do that. Old research boards that are spread around universities: go look for them in some halls if you're near a campus and you might find some that have been abandoned. Those are the ones in the middle here, so if you see those, they make great attack platforms if you can acquire them.

But, you know, when we went through all of these, and working for about three years of research on these platforms a while ago, I sort of grew to a point where there were limitations on each that we were running into in penetration testing, because none of these frankly were ever designed to be a hacking platform, right? There's many legitimate uses for them. So I'd like to say there's also a legitimate use to this; I'm sure there is. I didn't design it for that; I designed it for the legitimate use of people like yourselves understanding what's going on in their networks without relying on vendor tools, without relying on what somebody tells you in a piece of documentation is the case. So this is a board. It's a beta board. It's open source, because legitimate uses include: you could add expansion boards and use this as a development board. Less legitimate uses are, you can, you know, we optimized things to have onboard storage, right, so if you want to throw this over a fence and capture packets; having a pretty good microprocessor so you can do processing on the board; passing that directly to USB if you're lazy and like Python, like me; having a radio front end that has an extremely low-level radio chip there so that you can play with stuff like we'll talk about at the end of this talk that many of the other boards just don't allow you to do, because if you're staying within the protocol spec you should never need to do that, but that's no fun; having either an internal or an external radio so that, say you were legally allowed to do jamming, or we're doing it in a controlled space, you could do some antenna boosting and interfere with packets. So this goes through some of the architecture of that board. I'm not going to read it to you; you're all capable of reading, or I've already bored you. Anyone have any questions about that so far, what I've discussed, either the motivation or the fact that you can't plug in to the air with USB or Ethernet?

Okay, cool, I'm glad we're there. Is everyone still awake? There's beer in the back; you should grab some and drink it, it makes my presentation more exciting. Ran out? Oh well, that's your personal problem. Oh yeah, sorry, this is an ApiMote. This is the version four; this is a beta board. I refuse to release it as not beta, because sometimes you have to try to boot it up twice for it to work. I'm not a PCB designer; that's probably why. Little inside scoop: there's going to be a new version that's a lot smaller, a lot cheaper, and a little less flexible that may work better for some people, coming out soon. They're all sitting in

my lab waiting to be soldered to see if they even work. But this is an ApiMote. You can go, I'll give you a link at the end of the talk where you can find this, the documentation and source code and board designs on GitHub. If you need one you can come talk to me, because trust me, it's a pain to solder by hand, so I've stopped doing that and just have manufacturing houses make them. But the goal is to get this out into the hands of people at a relatively low cost to allow them to play with wireless on their own and see it. Does that answer? All right.

So now I have one of these things, I've chosen one of those boards, I plug it in, what do I do? What's the first thing? I'm sitting at home, I'm interested in seeing if I have ZigBee in my house. KillerBee is a framework that's also online. It's on Google Code, but I will soon be moving it; I guess that's no longer supported. Should have moved it a long time ago; I didn't have time to move it from last night until today, so it'll get done. But it's a Python library that interacts with a lot of different types of those boards. It was started off back in 2009 or so by Josh Wright, who then handed it off to me, and we've made a lot of changes to make it more interoperable between hardware interfaces and add some features. So let's just talk quickly about what these tools do. My goal here is to not teach you how to use each of them; I'm not going to read you help files from a command line. The -h flag is probably a good place to get started, and complain if it's not clear, because that's my fault. But zbid is "hey, tell me which hardware interfaces I have plugged into my computer", right, make sure they're there. zbdump is like, um, you know, tcpdump, right, except for ZigBee. zbwireshark is like Wireshark, except it just takes the ZigBee packets and feeds them in there. zbstumbler we're going to get to and take a deeper dive into in a few slides, but this is sort of like your Kismet in active mode, right: how do I go out and ping for networks and get a list of the networks that are out there in my environment? So I break those down because if I'm doing an attack on a new system and just getting started, right, the first thing, these are sort of the groupings of things I do, right: make sure I have devices plugged in and that I'm not, you know, being dumb; make sure that I can see frames and find the network; and then go into the other

tools. Don't skip right to the last ones, because you'll start emailing me and wondering, you know, why it's not working. You might need to know the channel of the network first, and that's what the other ones can help you with. So zbfind is sort of for war walking: I want to walk around with a laptop and find the node hidden in a ceiling tile. zbreplay is sort of like tcpreplay, right? The names are not supposed to be trick questions; the names are supposed to recreate what we're all used to for TCP and IP but deal with a different network stack. So those are some tools, but KillerBee really is not meant to be used from a list of tools at the command line. Those are there to get you started; really the idea is to give you the power to script up your own attacks.

So let's take a look at just how one of those works, right. So zbstumbler, what did I tell you it did? Yeah, find networks, right, NetStumbler type things. So, just like in 802.11, 802.15.4 needs to be able to find its beacon, find its routes, and so what it does is it has this network reconnaissance: it sends out a beacon request frame, it gets back a beacon. Fairly standard handshake, pretty diagrams out of their documentation, all great. It discloses things that are useful to us, like the network identification, the extended network identification, which is the MAC address of the coordinator, so you can now know, just like with traditional MAC addresses, what vendor made this, which might tell you what system you're looking at; information about the security modes; stuff that we probably aren't even interested in. So how do you do this? You use zbstumbler because you are lazy, but what is that actually doing? How would we do this by hand? And that's simply that we could come into the Scapy module, which is probably looking somewhat familiar to you, so it's called zbscapy at the command line, and let's go ahead and build... if you guys are familiar with Scapy, this is "make me... concatenate a and a together", basically make me a beacon frame, set its sequence number, say that you care about security, set the address. This is not how to send out the beacon request; this is how to forge a beacon coming back. You would change this to beacon request and then not set those, I apologize. Then you go and you say I want a hardware interface and I want to send that frame out. This is the sort of crafting the beacon manually. You'd actually send a beacon request and then you'd sniff to get back the beacon response and parse that out. Does that make sense? Everyone feel like, there's like two... if you wanted to go home and do this

and you plugged in your magical hardware interface, what's the first command you'd run, or that I'd suggest? You want... I can't control it. Yeah, zbid, right, to see what hardware interfaces, and then zbstumbler or zbdump or zbwireshark to see what's coming on the networks. Great. All right, I had to put this in. Everyone likes war driving, so...

I thank you all, to whoever is having fun with my computer right now. The security team is sitting in the audience; can you guys fix that? Yeah, thanks. Okay, forgive me for that. You can take my laptop back tonight and do post... all right, so let's try this again. Like an 802... who's done an 802.11 war drive? He's like, played with Kismet and some stuff. Great, awesome. This is fairly standard. My point here being it's not that different; it's a different protocol attack surface that just hasn't been exploited as much. It just hasn't caught on in the mainstream with tools and ability to go ahead and explore it from an attacker perspective. So war driving helps you understand prevalence; I recommend that administrators who use these systems understand their attack surface, right. That's all those nice defensive bullet points about why this is good. A few things to know, as opposed to Wi-Fi: you really have to monitor on multiple channels. This is a low-power wireless network, which means it's not spewing YouTube video packets all over like you're used to in Wi-Fi, and you do want to try to elicit a response from the nodes to see where they are, because they're trying not to talk, to save battery. So say you walk around, or this one is on road, so you go and you collect a lot of samples. Then we can make a pretty graph and do some ArcGIS interpolation on the signal strength values there, and so now all I've proved is you can make a purple and blue map, which means nothing, except if you overlay and

start to notice this dense blue area in the bottom, and I call it out here, is when you look at the utility diagrams for this area, for this town, there's actually underground tunnels that are used for steam, moving steam from building to building, and all of the steam pipes are controlled with 802.15.4 hardware and sensors. So, deeper blue, stronger signal interpolation, even though we didn't walk over those areas per se. You now start to see, when you do the math, that there's at least some semblance, I'm not saying it's perfect, of being able to find where things are, especially underground. This is tough to do. All right.

Some attacks. I told you you have to be careful about your security modes; got to not just choose them randomly. So one that they present is AES CTR mode. Great: AES, FIPS validated, good encryption, cool, probably great. This didn't have any authenticity on it, though, so it's just encryption. Fine, maybe I don't care about authenticity. If you're designing a crypto protocol, I suggest you do, but if you don't for some reason... some people chose this and then they shipped devices with it. But the issue was access control was just based on the sending address, which is two bytes, and you can just sniff those because they're not protected, and data protection was on a group level. And so they have a table in memory of who is the sender and who's the receiver and what key should be used, and then they had sequential freshness, because they didn't want replay attacks, but they just store that in that... that wasn't authenticated in the frame, right. So does anyone see an issue with this? Okay, so this, like, no surprise here, right. So this was an old attack, right, 2006 it was originally discussed publicly. If you don't validate your decrypted payload to see if it makes sense, then I can put anything in that, and then I can mess with your frame counter to be all Fs, and then you take that blindly and you put it, because of the flow in the protocol, and you store that off in your counter, and then the next legitimate frame comes and, guess what, it's going to be less than all Fs, and so you start rejecting things. Great, I now have a one-frame denial of service. So we want this to be possible to do, so let's take a look at some code that does this. This is the idea that you have a database. This is some old code, zbforge; I don't use this in my attacks anymore. I think it's still up in the source control. You want, basically through sniffing the network, you can build a model of it and the current state of the network so that you know different

devices you can pull off that current state. Why is this important? All you really need is a sequence number; you could guess that, it's only a one-byte field, but let's just try to do it nice and easy. We're then going to go ahead and create a frame using that information, set our addresses to the target that we want to attack, and then here's where the actual attack is, for weaponization, right: we say we want to use security, we set that frame counter to be the maximum integer (it is an unsigned), we say that we're using the key indexing mode. So, sorry, to explain this one more step: it has a key index, which is so that you can roll keys eventually when this frame counter does fill up, and then it has a frame counter. So the idea is you fill up the four bytes of frame counter and then you go to the next key, right, and so we just say both have been totally used up, because we're lazy and we don't want to have to deal with repeating our attack, and then we send it. And so this, luckily, is not being used in any devices that I know of, that I have personally held in my hands, on the market today. I'm sure it's being used somewhere, and I'm sure the old systems that used to be shipped haven't been replaced yet, because when you do critical infrastructure you don't replace your systems often. So that's one thing to look for; that's one way that you can use the KillerBee and Scapy tools to do that attack.

Another one is disassociation frames. Actually, if you read Daintree, which is a good company that explains a lot about how ZigBee works and helps people implement it, in their guide to ZigBee they have the nice note, I didn't have space to put it on this slide, but it just reads very nicely: "802.15.4 disassociation frames are not protected under authenticity." Okay, so that should be an issue, right, that either doing a targeted frame based on recon or just flooding the network with disassociation frames, going back to 802.11 attacks, these same things just repeat themselves today in this protocol.

Last attack I'm going to go through quickly is reflexive jamming. Doing constant jamming is boring because it takes no skill, in my opinion, and people are starting to look for it. So if you want to do covert operation of your jamming, if you want to not use up all of your battery power trying to kill somebody else's, and not be attaching car batteries to your attack platform, which takes a lot of power conversion to work with a 5-volt board, then you might want to do reflexive jamming. So say if you look at the protocol, you could mess

with acknowledgements, you could mess with the actual data frames, but what if you think about something like a protocol that sends a heartbeat frame to make sure it's still connected and the device hasn't been stolen and smashed with a hammer, and then another frame to communicate the really important data. So the heartbeat, let's say, happens every minute, and the really important data happens when you break into somebody's house or a business, or a power plant has an issue. Okay, now what would be an issue if those are two different lengths, specifically if they were vastly different lengths? Anyone have an idea? You can tell them apart, right. They can be encrypted all you want, they can be well protected under all of the AES that we're very happy with in the protocol, they can be signed with HMAC, but if they're different lengths and I experiment with this system, then you're going to start to see the differences there. So one attack I would suggest you turn your attention to, if you don't like playing with AES at a low level, is looking at something like this. So when I've implemented this before, and one of the reasons we use the radio chip on the ApiMote we do, is we have access to a hardware interrupt line the second a frame starts coming in. If my important data frame is longer than my heartbeat frame, then let's wait a certain number of milliseconds and then send out a blast of short energy. So we see a frame start coming in, we get a GPIO line high on the hardware, we start a timer that we accurately tune, and then we blast out some data. What's the idea here, right? Your short heartbeat frame skips by; your longer data frame gets a collision. So let's take a look at some frames. These frames are all 13 bytes; let's see, it's just a beacon frame, so this one's actually fairly standard. I didn't have any on-hand frames to show you if the attack that I described is possible. So beacon frames, yay. You'll see that when we activate the jammer we start to get frame check sequence errors, right, and this is just a Wireshark output of the packets. And so what happens if a device gets frame checksum errors, like a commercial device, not a sniffer we're using in promiscuous mode? What is likely... why do you think they even check the checksums? Do they check the checksums? Likely to discard the packet, right? Does that seem like a fair assumption? I will tell you that it is typically a fair assumption. If you guys don't believe me, I encourage you to go check it. So now they're dropping the frames because they look like it was radio noise, collided. You could do two things at this

point. You could forge an acknowledgement if you don't want the sender to keep doing it, or you could just keep jamming it if you're lazy. Either of those will probably have your desired effect. Any questions on that? "You said you tried it with an SDR? What SDR did you..." Complaining about it? Did I say I tried this one with an SDR? Yeah, I guess I did, huh. So this was on a USRP2, old research box. I have not tried it on, like, a BladeRF or HackRF. You know, you could do this, right; you could push it down into the FPGA. The issue we were having, with this being such a short time frame, if we were being lazy and piping it back to the host computer to make the determination and then send out the jam, the host interrupts on the computer just weren't working fast enough. So pushing it into the FPGA, you'll have absolutely no problems, right, and you'll have a lot better time than we are having on microcontrollers, probably. "What is the millisecond time difference that you have to...?" So it's based on the length of the frame. The tightest I've gotten on an ApiMote is 72 milliseconds, I think, and that's because of the turnaround time between TX and RX, or RX and TX, on the radio chip. We could put two radio chips and solve that, two ApiMotes, and solve it. So generally that works; as you saw with some 12-byte frames it is successful even at that length of a target frame. Any other questions? Okay.

I want to go a little bit down into the PHY level, because all of this MAC stuff is fun and I trust that with the foundation of the MAC level you guys can go up and play and research with the network level, but I want to give you some idea of some of the stuff myself and my other colleagues are looking at in the PHY right now, and sort of two attacks on this, or two at least areas of interest. So we showed you those protocol diagrams, sort of like what people tell you is what's actually on the wire. That's a total lie about what's actually on the wire, right? So that was all up here, that was this section, but to actually get your transmission and to have this be picked up by another radio, radios have to synchronize clock cycles so that they're in step and so forth, and they have to know to start listening. So you have this preamble, a start of frame delimiter, which is a fancy magic byte, and the length of the frame, so you know how long to listen for. And so what I... take my word for it,

these are all zeros, this is an A7, and that's the length, a one-byte length of the frame, in the 802.15.4 spec. What if we think about throwing another logical PHY frame inside the data payload of a PHY frame? And why I say this is, if you go to a USRP you can go ahead and control whatever you like, but if you're using a commodity radio you may not have, often won't have, control over every chip, every nibble of data being sent out on the radio waves. So this is sort of, we're looking for a poor man's way to inject on commodity hardware, and this was research we call packet-in-packet that Travis Goodspeed, Sergey Bratus, myself, and some other people did back in 2011 or something. But basically what you do is, because there's no noise whitening, because there's no complex radio encoding happening here, is we just take the outer frame and we shove it inside, right. And so now we have the outer frame that the radio transmits like it usually should, and then we start with a new preamble, a new start of frame delimiter, the length of the packet, and then our packet, and so that's packet inside a packet, right, not the most creative name. So should this work? What do you guys think? "Double encapsulation?" Yeah, yep, similar to that. This exact thing is a little different; VLAN hopping works, whereas this technique on Ethernet would not typically work, although an Italian research group took our paper and did make it work with special hardware on Ethernet. So yeah, packet-in-packet, as it's been applied, it's a little different than VLAN hopping, but same concept, right. And so typically that should just be the payload that is the payload of the frame, at least that's what the protocol tells us. But what if a radio doesn't hear that? Because that happens, right; in radio there's errors, or there's a collision, or there's noise introduced. And so with some amount of regularity, actually, you will see the inner frame be interpreted and captured by a device instead of the outer one, just as a matter of radio noise playing into it. And what's interesting here is when you combine this with another piece of research to make it more reliable. So packet-in-packet is nice; we can have fine-grained control inside the packet. We did some work, the research group I used to be a part of, and then myself and my company working with them, on how do we get individual radio chips, not at the firmware level, not at the software level, but at the actual chip level, how does its state machine work. And so we read through a lot of really boring state

machine diagrams and a lot of ones we couldn't get access to we postulated about and then you look at the fact that you let's just take my word for it if we can make a packet such that some radios receive it the outer packet and others don't then we have some control of doing a WI inas so think if your wi System is using one type of radio chip to listen right and your target system that you're trying to protect is using another type of radio chip uh then if we can find a way to have that the wiid systems radio chip not even process it as a valid packet not even think there was a packet there

but your actual Target system does we've now done a wids evasion and gone in against your target system only the the firmware on your wig system doesn't even know there was a frame there so there's a bunch of techniques I'm going to talk about one briefly 3 minutes left here uh and we'll take some some questions um is fonan Notch we gave names to mountains that we liked uh so here's again what I talked about uh all zeros and then A7 uh in the frame and so what we did is say what if like we actually put FS there instead of what we were supposed to and these should be building the other way I thought I fixed

the automation but I guess PowerPoints reboot changed it so fodi and Notch is actually try with all zeros try with two FS here try with two FS here with two you know and keep adding as you go through and what does this do to a radio what does it do to its ability to recover from this at the very State machine inside the hardware and so if we run a th and thousand iterations quite a few times because we were sort of surprised at this result we kept running it um is okay if I run all zeros first of all this this radio trip should have caught all of them ideally right so this just

shows you that radio chips aren't always picking up everything but if we start adding 1f this radio chip set in it standard mode on the configuration here is now not picking up any of those sort of surprising it's obviously very attentive to the spec and it State machine whereas this one's more permissive in fact we kept running this so many times because we couldn't believe this Tri right and this is off of one run but I think we've run this experiment in multiple different geographies like what is going on with the air here right this does not make sense so I'm acknowledging that and I would encourage anyone who wants to to help me run more iteration because this

is crazy but we've gotten these results time after time somewhere in this ball part two FS we're still doing well the fs is still somehow better than protocol compliant and then all FS okay thank goodness we acknowledge that that's not supposed to happen right so this is interesting what if this was my target device and this was my WID system and I was sending frames formatted in this way so some interesting uh stuff to play with more there and so let's take two packet captures right just to show this again so this is a ZB wire shark produced capture and I've overlaid one of the fields because wire shark just doesn't seem to show me the FI layer

when I turn that on um so overlaid what the Preamble we were sending on each of those frames that we correlated it back to and we see we're pretty reliably seeing a mix like like we talked about from the before slot uh previous slide now let's line that up and show you that same pcap up top and then at the same time the exact same frames being transmitted to two devices the same distance away in the same environment what the appy mode saw this is the cc2420 chip so at chip chipcon chip which Texas Instruments so now I see sequence number one and then six right so like this is where yeah six and 11 lining up and we see like you can see

here right I hope you believe me at this point there's frames that the other ones not seeing coming through that's all that I have for you guys today as part of this overview um what I want to point you to is because I didn't want to give you the Google code link given that's all going to move tonight tomorrow some the time uh there are links on the on the top page that will point to the rate uh code repositories for all of this um everything we can is released open source and then I thought you guys deserve something fun today so uh thanks to one of our guys who stayed up uh through the night and just finished it

about two hours ago we have a version of Ki Linux customized to be bootable off a drive pre-loaded with killerby and optimized for your use so if you want to get started on this don't have a Linux laptop uh I want to be able to play around with it right supposedly works crossplatform but if you email me that it doesn't work on Windows my my response might be that I'm not going to spend too much time looking into that and I apologize for that but that would require me booting into Windows um which is fine so uh I am not posting the link to the iso up here because it's going to kill my bandwidth but if uh you guys

want it if you guys would like to play with this I would like to make it available to you uh to do beta testing with that you're going to find issues so come see me I'd love to point you to it and get you access to that you can throw it on the thumb drive boot it up and you'll have all the tools pre-installed and if not then it's client's fault any questions we have about 8 minutes before I get run away so the

FRS that in because they reliably responds that way likees

the I wouldn't want to say that a vendor would do something like that but I don't know right what I will tell you is when we look through all of their documentation there was nothing that caused us to think this was intentional or this was published as how it would but I you know the the isotope fingerprinting research we have Franconia Notch and about four others that we've gone out and there's a technical paper published on the comparisons between them and when you start we looked across six different types of devices and using a combination of two of those techniques you can reliably B who you're talking to say if you do that not to slip something past a

WI is but just to see who sends you an acknowledgement frame saying they got your packet now you're doing active host fingerprinting right or the equivalent to that what we'd call that with nmap and so that's interesting um I think there's a lot more research that can be done at that level I want to thank uh ionic security and my applied research team for putting up with me helping on this as well as Travis Goodspeed Sergey brus and many other people who have worked with me over the years on uh the zig B and 8215 for research any other questions did any of those chipsets talk about their don't care conditions in the state machine because that will you can

get into some dangerous situations with having don't care conditions existing in a state machine that can put you out of an expected uh sequence like that yeah what was interesting is when we went back and looked at some of these State machines after looking at these results we're like okay we could see how this would happen right we see where in the state machine lines happening but there wasn't in any of the state machines that I can remember and please check me on this none that I can remember did I see like this will fail out in these conditions and that is expected right so there was a lot of empirical testing to figure out

which of these uh we came up with the ideas of what to try not based on a spec sheet or looking at those truth tables in those uh what truth tables in the in the state machines yeah so they didn't uh have any but we you know basically the table I showed you was sort of all resulting yeah and so we just were taking pieces of white paper and scribbling in what we could control and then ran iterations for a few nights and figured out what was actually useful a lot weren't yeah did you have a question over there I thought I saw a hand you okay all right Ryan thanks very much

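The PHY framing the talk walks through (four zero bytes of preamble, the 0xA7 start-of-frame delimiter, a one-byte length, then the MAC frame) and the receiver-synchronisation effect behind Packet-in-Packet, as an added example that is not code from the talk, from KillerBee, or from the ApiMote firmware. It models a receiver at byte level, shows how a receiver that begins listening late locks onto a PHY header carried inside the outer payload, and gives the check a monitoring system can run over captured MAC payloads to flag frames shaped that way. All sample bytes (`INNER_MAC`, `OUTER_PSDU`) are constructed for illustration, and the byte-level model is a simplification: real chips synchronise on symbols, not bytes, and may accept fewer preamble symbols than the spec's four bytes.

```python
# Added example (not from the talk, KillerBee or ApiMote): a byte-level model of
# 802.15.4 PHY framing, the late-sync behaviour that makes Packet-in-Packet
# possible, and a monitor-side check for PHY headers embedded in a payload.
# All sample bytes below are constructed for illustration.
from typing import List, Optional

PREAMBLE = b"\x00\x00\x00\x00"   # O-QPSK PHY preamble: four zero bytes
SFD = b"\xa7"                    # start-of-frame delimiter, the "magic byte"
MAX_PSDU = 127                   # length field is 7 bits, so at most 127 bytes


def phy_frame(psdu: bytes) -> bytes:
    """Wrap a MAC frame (PSDU) in the PHY header: preamble, SFD, length."""
    if not 0 < len(psdu) <= MAX_PSDU:
        raise ValueError("PSDU must be 1..127 bytes")
    return PREAMBLE + SFD + bytes([len(psdu)]) + psdu


def receive(air: bytes, start: int = 0) -> Optional[bytes]:
    """Model a receiver that only begins listening at byte offset `start`.

    From there it hunts for preamble+SFD, reads the length byte and returns
    the PSDU that follows. A receiver that synchronises late (noise, a
    collision, a chip still busy) never sees the outer header and locks onto
    the next header it finds, which may be one carried inside a payload.
    """
    i = air.find(PREAMBLE + SFD, start)
    if i < 0:
        return None
    len_pos = i + len(PREAMBLE) + len(SFD)
    if len_pos >= len(air):
        return None
    length = air[len_pos] & 0x7F
    psdu = air[len_pos + 1 : len_pos + 1 + length]
    return psdu if len(psdu) == length else None


def embedded_phy_headers(psdu: bytes) -> List[int]:
    """Detection check for a monitor: offsets in a captured PSDU at which a
    complete, plausible inner PHY header sits (preamble, SFD, and a length
    that fits in the remaining bytes). A hit is a strong hint that the frame
    is shaped for Packet-in-Packet and deserves an alert rather than silence.
    """
    hits = []
    pos = psdu.find(PREAMBLE + SFD)
    while pos >= 0:
        len_pos = pos + len(PREAMBLE) + len(SFD)
        if len_pos < len(psdu):
            inner_len = psdu[len_pos] & 0x7F
            if 0 < inner_len <= len(psdu) - len_pos - 1:
                hits.append(pos)
        pos = psdu.find(PREAMBLE + SFD, pos + 1)
    return hits


# Constructed sample: a short MAC-style frame meant for the inner packet
# (bytes are illustrative only, not any real device's traffic).
INNER_MAC = b"\x61\x88\x05\xcd\xab\x01\x00\x02\x00\x10\x11\x22\x33"

# The outer PSDU opens with a few ordinary-looking MAC bytes and then carries
# a whole PHY-framed inner packet as its "payload".
OUTER_PSDU = b"\x41\x88\x07" + phy_frame(INNER_MAC)

# What the transmitting radio actually puts on the air.
FRAME = phy_frame(OUTER_PSDU)


if __name__ == "__main__":
    print("in sync   ->", receive(FRAME, 0).hex())   # the outer PSDU
    print("late sync ->", receive(FRAME, 6).hex())   # the inner MAC frame
    print("embedded PHY headers at", embedded_phy_headers(OUTER_PSDU))
```

The check in `embedded_phy_headers` is deliberately conservative (it wants the full four-byte preamble and a length that fits); a monitor built on a permissive chip, or one that wants to catch the shortened-preamble variants the talk's Franconia Notch experiments play with, would lower the preamble requirement and accept more false positives in exchange.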