
[Music] Hi, my name is Farrell, and for those who haven't met me, I've been in cyber security now since about 2009 permanently. But no, it's great to be back here at UTS. For those of you unaware, this is where Ruxcon was held back in the day. Dan will never get to Ruxcon at all. Yeah, a couple of us did. So, great to be back here, and thanks to BSides Sydney for actually hosting it here. There's a QR code for the slides, just to save you from constantly taking photos throughout my talk. I like to keep all my talks and things open and free and accessible for everyone.

So look, today I'll just go through a bit of an overview of why, then kick through some of the more theoretical pieces and considerations when you're doing exploration of wireless technologies, and then a couple of projects I've done here in Sydney and elsewhere. That should take us through to 35 minutes. It's a very tight time frame to be talking about what is a very expansive topic. This is a setup I'm building out for a software-defined radio CTF as well, which I'm going back home tonight to work on. Before anyone asks: yes, I am injured. This was courtesy of a combination of e-scooters and magpies in Canberra. Everything in this country is trying to kill us. Yes, but I've also got a little demo on my shoulder as well, which I'll talk through a little bit later as we go through.

So this is me. I've been pen testing here for about 12 years. I started my own business seven and a bit years ago, which was an awesome idea, only because I don't know what I'm doing six weeks out, and I've been able to have a really good existence between when I started and now. You know, it's been a bit of a tough time, but we're in a great space, and it's let me do cool little research projects like this. Outside of that, I like just doing other little random cyber security consulting jobs as well. I also lecture at the Australian Defence Force Academy as an industry fellow, specifically in wireless technologies.

So why have I gone down this talk? The first one is, I don't think this is an area we play enough in, in our day-to-day lives or in a lot of our cyber security activities in this country. One of the points that I always find is we keep seeing a lot of our approaches to cyber security turning into big-four consulting: yeah, we'll just drive a spreadsheet and talk about crown jewels assessments and charge you fifty thousand dollars to tell you what you already know. Which is a really good lead-in to my first point. Some of the wireless topics I talk through have actually been really good for exploration and understanding the technologies and the systems that we have out there. For me, as a cyber security professional, I'm here because of my desire to learn and the approach I have for curiosity, so this is a domain that is awesome and rich for that sort of exploration, if this is something that you're really keen to look at.

It's also relevant to us because we do live in what David Kilcullen refers to as urban littorals, which have really sophisticated intersections of the digital, physical and social environment, and the fact that wireless is often at some close proximity does play into that, especially from a risk standpoint. There's also a lot of complexity in here as well, and hopefully that will become evident as I start talking through some of the projects and some of the things I work through. My intent here is that you leave here with "ah, here's some cool things that I need to start looking at", or some ideas or some projects I can start playing with. If you leave here with that as your exit, I have achieved my job today.

I've also just put on here two interesting images, courtesy of some quick Googling from last night. The top one is the layer 2 electronic warfare system that's currently employed by the Russian army in Ukraine, although its employment has been quite limited. The bottom one was a screenshot that was associated with some jamming that Ukrainian citizens were doing against the Russians as well. So I think it's interesting if you look at, say, Eric Hasselton's book: he talks about how the electromagnetic spectrum is actually well understood in Central Europe. I don't think it's something he highlighted that the Americans aren't pretty good at, and I think for us as Australians it's an area and a domain that we need to start breaking into a little bit more.

So I will start off with the legal piece. Now, firstly, I'm not a lawyer, but here is some broad guidance to actually have. Yes: don't jam and don't be an absolute nuisance, and even if it isn't legal, sometimes jamming or overwhelming a network just is an absolute pain. Also, if you have a look at the variation between the Radiocommunications Act and the Telecommunications Act, technically it's also illegal to do interception on telecommunications, so things like when I talk about POCSAG, that is technically kind of falling into a grey area. So I think my guidance really is come back to Wheaton's law and just common sense, and, you know, don't be a nuisance, and don't do this to ingratiate yourself because you have come here to cosplay as a hacker. That being said, if you do go through your standard, formed penetration testing process, you have your commissions, you have a signed agreement from an asset owner that has given you permission to attack, go for it. But be conscious of what I call fratricide, which is to say you are operating in a space where you don't have as much control over where your signals are necessarily going
unless you've got a Faraday cage. So be mindful that you could accidentally hit a neighbour whilst you're doing things; there's a lot of planning and thinking to go through on this. I would also suggest talking to lawyers before doing any sort of execution.

So why is this relevant to us as cyber security practitioners? Let's come back to the OSI model, for those of us that are studying undergraduate degrees, or have gone through undergraduate degrees, or at least got through the first year before we dropped out and decided to come into cyber security. The physical and data link layers are where wireless technologies operate for us. At the physical layer we're able to transmit, and at the data link layer we're able to organise, in some semblance, what we're transmitting in a way that can be encoded or decoded by a transmitter or receiver. Beyond that we have the rest of our models, such as routing and the application layer, and then beyond that all that fluffy stuff that involves spreadsheets and thought leadership. But the point forward for me is: what is cyber? I put cyber about here. We are an intersection between these environments, and our job is to actually understand what that intersection is. So this isn't just purely computer security or IT security or info security; we are looking at all these concepts merging together for us as I think through what it is we're talking about. But it's also just an avenue for us to explore and understand, and learning about this space makes us better as professionals.

So what is the spectrum? When we start talking about the spectrum, this was a really cool diagram that came from rodent Force, which I just ordered a couple of weeks ago, that actually highlights all of the communication standards that are relevant to some of the work that might come in as we're working through. But the spectrum is a part of the broader electromagnetic spectrum, which starts at zero hertz and goes to 300 gigahertz. For us, I'm interested in about 70 megahertz to three gigahertz when I'm trying to do any sort of interception or understand what's happening out there. But what the spectrum is: if you look at light, the spectrum you're able to see is what's coming on screen here. When we talk about the electromagnetic spectrum, it's things that we can't necessarily see with the eye, but because we're able to manipulate with, say, Nintendo or whatever, that just gets sent through there as well. When we talk about these bands, we also have some bands relevant to us, such as the ISM ones: 433 to 435 megahertz in Australia, 916 to 928, then you've got 802.11 Wi-Fi and also 802.11ac at about 100 gigahertz.

In terms of some of the tools that you may want to be looking at when you're exploring in this space: I see a lot of people get very obsessed and hot and bothered about Wi-Fi Pineapples. I push people away from them, not because they're bad or anything, but I come back to what I said before, where we're here to learn, and I think if you've got a clicky-clicky UI you're not learning. It's like calling yourself a pen tester when all you're doing is running Nessus. Good, I'm in the right crowd. But my point here is, actually go down and break through what it is you're actually working through. So if you have a look at the device I've ripped up here, it's simply a Raspberry Pi 3. On board I've got one of these little RTL-SDR cards that you can pick up out of Dick Smith; I've got an even smaller one. I've got an even cheaper USB adapter for wireless. Sometimes you may need a Bluetooth adapter, but in this case I'm just using the onboard Bluetooth. I've also got some other kit on here as well: an 802.15.4 adapter courtesy of Texas Instruments. But, you know, just to get started, a cheap RTL-SDR dongle, if you're just doing sort of standard exploration of the electromagnetic spectrum, is usually enough, but even just some simple Wi-Fi cards also help. If you are levelling up you can spend that extra money on a HackRF or an Alfa card, especially if you're doing things like injection or you're looking to transmit, but to get started you really don't need that much.

In terms of just some cool tools and things to play around with and do a bit of research on: there's tons of code that you can copy and execute as root from GitHub. Great idea. But no, seriously, a couple of cool little pieces of software that you can use to start on your journey. Kismet and the aircrack suite are pretty stock standard for 802.11. You've also got the RTL-SDR blog as well, which takes us through a few little projects for your software-defined radio. Another one: there's also a really cool app called my map that I came across, which really helps just visualise and understand what you're looking at. If you do need the QR code for the slide deck to get some of these references, hit me up. MapRad is an awesome database of every ACMA-registered device for someone that's actually gone out and purchased a licence to transmit over radio. Outside of that, there's heaps of other tools that you can go around and Google for.

I'm not going to talk about power, line of sight and antenna theory in much detail, only to say that if I have a simple antenna sticking up like that, what I can do is collect based on a circular propagation, whereas if I've got a directional antenna I can only look in one particular direction, which can also help us, when I start talking through the 802.11 stuff, to discover and pinpoint, say, where a particular device is. Line of sight: right now I've been doing captures on and off all day with my shoulder. If I go into the bathroom, it's pretty much all concrete in there, so I won't be able to identify or collect things outside here when I'm in the facilities. I think some of us have also had issues with getting mobile telephone reception in here as well. It's not China, it's just the fact that radio waves need to actually push through the environment here, and that's not going to necessarily be achievable. If you need any more guides around Bluetooth or 802.15.4, I'll have my contact details at the end of this talk; I can flick you in the right direction.

So what are some of the things that I've been going through and checking out in Sydney? So 802.11, stock-standard Wi-Fi, is
I think what we always look at when we start talking about wireless security or wireless cyber security. More often than not we'll go, "yep, it's WPA2, that's all we need to know, right?" The thing is that there's also what I said before about this intersection between wireless technology and our physical and our social environments. So things that I like to look for in the 802.11 space: can we start doing what we would call pattern of life analysis within an environment? Hypothetically, if you have an 802.11 system that is mission critical and has a high availability requirement, being able to do a walk-through and talk through what a denial of service condition would do to it is always interesting. But I'm also a big fan of doing discovery. So this is me in a room, sorry, in an office with a client of mine, where we were using a directional antenna to pull out and hunt for 802.11 access points that weren't authorised. This was one that was beaconing out of an audio-visual system that was completely unauthorised, that allowed us to break into the AV system, and there's other cool ones that were found as well. So we've identified on some of our wireless pen tests, for example, building management systems where engineers leave the BMS with an access point and a default password that we can just break into. Alternatively, you've also got just stuff that IT staff have spun up for their own use as well, to bypass any internal restrictions on the wireless network.

Client devices are also interesting, and I think this is something that, especially when you talk to network engineers about pen testing wireless networks, there is an obsession with focusing on the access point, when client security is still an important thing. So if a client is connecting to a rogue access point, in the case of WPA2 Enterprise with usernames and passwords, that does actually allow us to extract the username and a hash of that password. Anyone who used the eduroam network at all? Yeah, yeah, a couple. So this was actually a really big problem with eduroam back a couple of years ago. I think they've fixed it; if not, okay. But the big problem that you used to have, right, is if you just spun up a rogue access point called eduroam, people would just use it, and if you were just using an Android phone that hadn't been patched, it would automatically connect to that network without verifying the certificate of the access point, or you could at least fake that certificate, so people being tested for Wi-Fi would click through and just give you their username and password. Clear-text communications are also still a thing as well, so not only does that enable access, but it also allows you to do capture in that space as well.

802.11 has also got all these other weird standards coming up. 802.11ax is something I haven't had a look at. About this time last year I was having a look at 802.11ah, which is where they've gone from the stock-standard 2.4 gigahertz and 5.8 gigahertz frequencies into 916 to 928 megahertz, which means that suddenly you can punch out by about 400 to 500 metres. I did a wireless wardrive in Sydney and, to my disappointment, I couldn't find any 802.11ah access points or clients. However, it was really cool because we were able to build out just a simple C2 exfil with our Pis using this, and it would bypass all of the other detection mechanisms. But yeah, I think for me, when we do a lot of our wireless pen tests, a lot of the defaults aren't actually with the protocol itself; it's often with how it's actually configured and implemented. So, you know, guest networks that allow you to route to server subnets, clients that are horribly insecure, all the way through to... So I think the WPA2 Enterprise stuff I'm seeing out there now is starting to level up,
but even just things like wardriving the city and working out what is around is also just cool, which is a good lead-in to my next project, which was 802.15.4. So I think Zigbee and half a dozen other protocols use this. The intent with 802.15.4 is it's a low-power protocol that's focused on all OT-related activities. This was a project I did back in 2018; I presented at DEF CON on this one, where I had a USB hub with 16 of these Texas Instruments dongles monitoring each of the 2.4 gigahertz channels, trying to just capture every single packet. The problem with 802.15.4 is it's transmitting about once every five seconds or so. One of the concepts that's always existed with, say, standard Wi-Fi dongles is your channel hop, you know, once every couple of seconds, which means that there's a very good chance that you're actually going to miss what's happening. That's kind of why I come back and talk about, you know, don't rely purely on tools that you're buying off the internet. Going through that discovery process was really insightful for us in terms of understanding how the protocol works, because there's every chance that, had we skipped over that, we probably would have gone, "yeah, no, there's nothing here, and therefore it's secure", which, you know, no pen tester with a CEH has ever done before.

So, 802.15.4, a couple of cool things that we started seeing. If you have a look at the map that we've got here from our 2018 research and focus in on some of these areas, these are actually new buildings that had been built in 2018. So Barangaroo, and over on Pitt Street there was a new hotel that had just been constructed, so a lot of the deduction that we had around this was: okay, these are new buildings with new fancy OT. In the case of some of the hotels, it looked like they had hotel locks as well. And so this kind of comes back to, I think, a curious thing that I'm sure is all relevant for us in cyber security: it's often what we don't know that's going to cause us risk. So what is the system that we're not tracking? What is the technology that the marketing team decided to spin up because they had a wonderful idea and then decided not to secure properly? Being able to do this sort of discovery is great, because it says, okay, well, here's a whole heap of technology that we weren't thinking about that we now need to start tracking a little bit better. The other thing as well in this space is, if you also have a patch management policy that says these devices need to be patched within 48 hours, more often than not you will also find that the technology associated with this can't be patched hard and fast. So that's another curiosity you have as well, especially as you're introducing some of this technology into your organisation.

So what about Bluetooth? I've always found Bluetooth a little bit harder, and it's also usually quite specific to a project or a piece of research. So, for example, the scooter that I decided to go falling off a couple of weeks ago, that resulted in said injury: there is an interface from your phone to that scooter to have a couple of unlock mechanisms. There's also, say for example, the watch that I'm wearing, which has another Bluetooth interface on it that talks to my phone. So each of these devices is in fact beaconing out at various stages, and we're able to identify those beacons, but being able to capture actually requires us to capture the pairing mechanism, which is a little bit harder, and if you don't do that initial capture, then because of the frequency hopping it's a little bit hard to also discover, relative to, say, 802.11. Direction finding these devices: there's really not as much kit out there yet. It's something that I'd be really keen to work on if I've got some time. It's a little bit hard, but certainly not impossible. Then you have also, if you are interacting with these devices, what can you do? Things like Bluetooth locks, for example: can you lock or unlock? We've also done a site survey with one of our customers recently where they didn't realise that the Carver locks that they were using also had a Bluetooth interface that no one actually told them about. ESP32s are also cool for this. You'll see here, for the COVIDSafe app, one of the ways I did my research on the Bluetooth interfaces for this was I just took a rooted Nexus phone and just stuffed around with it to actually turn it into a wardriver, to see if we could actually do unique mapping and identification of people using the COVIDSafe app, amongst a few other really cool little discoveries I did. I've got a couple of write-ups on that as well if you're interested. I think the big one for me with that app was that it worked about 60% of the time, just because, you know, Bluetooth is hard. That being said, another cool piece of research in this space: Richard Healey and Bluetooth skateboards, and being able to fling hipsters off skateboards.

Trunked radio networks. So I will sort of urge caution on this one, just because we've done some active research (we're not active research, we've been actually researching the space) in Sydney, and I won't go into any detail on it. This is a Pi that we used to have in our office that we set up to do capture and dump of a bunch of trunked radio networks in the city. These are critical infrastructure networks, and we were all, "right, these are online, has anyone actually thought through the security risks associated with these?" So a trunked radio network, think: you've got your radio, you're now able to communicate data and voice over it. The problem you have there, though, is you've still got your layer one jamming attacks. So, for example, this is critical infrastructure associated with a bunch of mining sites up in Queensland and the rail networks to transport raw materials to the ports. What happens if we jam that network? Is that a safety system? Does management suddenly panic thinking, "oh my God, China"? How does that play out? That being said, heaps of these are also in Sydney. I won't go into the Sydney details, just because, as I said, we've looked at them, and I'm
really reluctant to break out of what I've just sort of highlighted there, which is that they exist. There might be a point of curiosity to go into cellular networks as well, which is another space. So this was using a bladeRF, where we decided to go and use a tool that got published by the Electronic Frontier Foundation for discovery of cell towers within Sydney, using a process called trilateration, where it would say, okay, we know that cell towers are beaconing out on these specific frequencies. So I had to rebuild a bunch of configurations based on data from MapRad to actually establish what were the known frequencies that the major telecommunications providers were using, and then work out what's actually out there. The reality is that with 4G and 5G we're not going to be in a place where we're going to be doing person-in-the-middle attacks, but we can at least discover cell towers and work out what's happening in the environment. What was really cool with this project was we then decided to correlate what we had known was true and accurate in MapRad, and what were the registered cell tower frequencies, with the data set that we'd collected, and it was curious to note that there were probably two or three cell towers that hadn't actually had their frequency registered. So, you know, I'm immediately thinking, is this someone setting up for an unauthorised capture with a rogue cell tower? You know, what's going on here? The other curious one was over at Wentworth Park: someone had a default config on a known package build, and it was just broadcasting in the same frequency space as all the other telco providers, and doing so from an unauthorised standpoint. So yeah, people were just creating their own cell towers for fun and profit. Probably not profit.

So what are some other cool projects you've got? There are a heap of gadgets that you have around your house, so think of temperature sensors, the blinds, you know, if you've got those electric blinds that you can get from IKEA, they also run on on-off keying. They use on-off keying at 433 to 435 megahertz. Your garage remotes as well, and home alarm systems also operate in this space. If you ever come to my postgrad course at the Australian Defence Force Academy, I take you through a risk with a static key getting transmitted by a home alarm system, as well as the sensors associated with that home alarm system, which would be great for a nuisance factor, or being able to arm or disarm said home alarm system. You can also capture aircraft flying overhead and transponder messages coming off those aircraft. The maritime environment around Sydney: ships have what's called AIS, which is automatic ship identification, so being able to pick out what's going on with those vessels and where they're navigating to is cool. POCSAG's another one. I do put an asterisk on POCSAG. This was a research project I did do in 2014, where we were able to identify change control numbers into data centres, which back then was usually the only way you got authenticated as "yes, you're allowed to enter this data centre", and there are also, you know, things like URLs and credentials getting communicated in clear text. I did that with this mindset of, cool, let's actually discover and actually help people. I'm not sure if anyone was tracking, but I think about 2020 some kid over in Perth decided to publish it out to the internet, because, as I said, he was cosplaying in cyber security, and you know, a 15-year-old elite person downloading code off the internet. That's nice to you. So yeah, that was kind of a bit of a frustrating thing, because hey, here's a place where we can actually do some good; instead, someone's just decided to make it quite difficult for all of us.

LoRa is another place I'm now starting to play with as well, both in terms of things like just being able to create secure messaging via little ESP32s, and satellite is another place I'm going to start exploring once my arms are functioning again. And restaurant pages, they're there, it's nice, but yeah, they're another place where you can be a nuisance. You can also see on the bottom right here, that's a Starlink satellite terminal, just as an example. DECT: so these are the old cordless phones that transmit at about 1.9 gigahertz. Being able to intercept off those, or even the old baby monitors, is another place. Drones is another area that you might be able to play with as well, both in terms of drones having control functions getting transmitted over radio, but also the inputs and the sensors for drones, so things such as GPS: can you throw a GPS, can you throw a drone? There's this really cool research done out of the University of Texas around that. But even look around the city, right? This was a photo I took probably a few days ago. Can anyone see the antenna here? All right, that is probably a really terrible image, but there is an antenna on this traffic light system. What does that look like, and has someone actually thought through the attack vectors around: all right, if I sent through a "go green" signal to all of the lights, could I create havoc, because hey, I'm just here for the kicks? There's also, you know, I talked about at the start the cities we are living in are these really complex urban littorals. What happens if we start throwing things off, like airports or railway lines or traffic control systems? How does that play out? Cranes and other maritime vessels as well could also play into this. So yeah, a couple of cool little areas for us to be thinking about.

So folks, that's it. We've got about five minutes to spare. I'm happy to open up to questions, but thanks for attending, and yeah, enjoy the rest of the slides.
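The 802.15.4 capture problem described in the talk (a device beaconing about once every five seconds, a single sniffer dongle hopping channels every couple of seconds, and sixteen dongles on a USB hub to cover every channel) can be modelled directly, which makes the "it looked empty, therefore secure" trap concrete. The following is an added example written for this transcript, not code from the speaker's project; the lockstep hopping schedule, the 5-second beacon interval and the 160-second observation window are assumptions chosen so that the simulated fractions come out exactly.

```python
"""Why a single channel-hopping sniffer misses 802.15.4 traffic, and why
sixteen fixed dongles do not.  Added example for this transcript; the hopping
schedule and timings are assumptions, not the speaker's actual setup."""
from fractions import Fraction

CHANNELS = list(range(11, 27))   # IEEE 802.15.4 channels 11..26 in the 2.4 GHz band
N_CHANNELS = len(CHANNELS)       # 16


def channel_at(dongle_index: int, n_dongles: int, dwell_s: int, t_s: int) -> int:
    """Channel that dongle `dongle_index` (of `n_dongles`) is tuned to at second t_s.

    Assumed schedule: dongle i starts at channel offset i*16//n, and every dongle
    moves one channel forward each dwell_s seconds, in lockstep.  With 16 dongles
    the offsets are 0..15, so every channel is covered at all times, which is the
    effect of the 16-dongle USB hub the talk describes.
    """
    offset = dongle_index * N_CHANNELS // n_dongles
    hop = t_s // dwell_s
    return CHANNELS[(offset + hop) % N_CHANNELS]


def capture_fraction(n_dongles: int, dwell_s: int, beacon_interval_s: int,
                     beacon_channel: int, duration_s: int) -> float:
    """Fraction of a device's beacons (sent on one fixed channel every
    beacon_interval_s seconds) that at least one dongle is tuned to receive."""
    if beacon_channel not in CHANNELS:
        raise ValueError(f"channel {beacon_channel} is not a 2.4 GHz 802.15.4 channel")
    beacon_times = range(0, duration_s, beacon_interval_s)
    seen = sum(
        1 for t in beacon_times
        if any(channel_at(i, n_dongles, dwell_s, t) == beacon_channel
               for i in range(n_dongles))
    )
    return seen / len(beacon_times)


def expected_fraction(n_dongles: int) -> Fraction:
    """Long-run expectation: n lockstep dongles cover n of the 16 channels at any
    instant, so a beacon on a fixed channel is heard n/16 of the time, whatever
    the dwell time is."""
    return Fraction(n_dongles, N_CHANNELS)


if __name__ == "__main__":
    # Constructed scenario: beacon every 5 s on channel 15, dongles hop every 2 s.
    for n in (1, 4, 16):
        got = capture_fraction(n, dwell_s=2, beacon_interval_s=5,
                               beacon_channel=15, duration_s=160)
        print(f"{n:2d} dongle(s): captured {got:.4f} of beacons "
              f"(expected {float(expected_fraction(n)):.4f})")
```

The takeaway for a survey is the one the talk draws: with one hopping dongle a device that beacons every five seconds is heard roughly one time in sixteen, so a short walk past a building can show nothing at all; a dongle per channel turns that into every beacon.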
Question zero: does everyone want to go to lunch? Say again? Interesting. You've still got to establish line of sight, and if you also remember, if you've got your two antennas right, you know, can they at least isolate that point-to-point link? I mean, TETRA as well is also meant to have point-to-point links, but the one that we did research on here in Sydney was just emanating everywhere, so we were still able to capture it. So, you know, still come back to encrypting your links. But yeah, it's a thing. Yeah, thank you. Anyone for any more? Yeah, back there. Say again? What do the Pis do? So the Pi is running Kismet. I have an RTL-SDR that's looking for devices communicating on 433 to 435 megahertz. I also have the Texas Instruments CC2531 that's trying to see if there's any networks in range. I've also got just a simple USB dongle collecting on 2.4 gigahertz, so funny MAC addresses popping up there, plus there's also Bluetooth as well on board the Pi itself. So cool, thank you. All right, everyone's going. Thanks guys and girls.
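The cell-tower correlation described in the talk (observed towers checked against the frequency register, turning up two or three with no registration, plus the Wentworth Park transmitter running a default config inside the carriers' frequency space) is the kind of check a defender can script once a survey and a register export are in hand. The following is an added example written for this transcript, not the speaker's tool or the EFF tool the talk mentions; the register rows, observations, carrier names and PLMN codes are constructed placeholders rather than ACMA or MapRad data (the 001-01 PLMN is the standard test-network identity that default configurations of open-source base-station software broadcast).

```python
"""Triage observed cell-tower signals against a licence register.
Added example for this transcript; every record below is constructed, not a
real ACMA or MapRad entry, and the carrier names and PLMNs are placeholders."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Assignment:
    """One row of a frequency register: a licensed band and who holds it."""
    licensee: str
    lower_mhz: float
    upper_mhz: float
    plmn: str          # MCC-MNC the licensee's cells are expected to broadcast


@dataclass(frozen=True)
class Observation:
    """One downlink signal seen during a survey."""
    site: str
    centre_mhz: float
    bandwidth_mhz: float
    plmn: str          # MCC-MNC decoded from the cell's own broadcast


# Constructed register (placeholder licensees and PLMNs, not real allocations).
REGISTER: List[Assignment] = [
    Assignment("Carrier A", 935.0, 945.0, "505-98"),
    Assignment("Carrier B", 1855.0, 1865.0, "505-99"),
]

# Constructed survey results.
OBSERVED: List[Observation] = [
    Observation("site-1",          940.0,  5.0, "505-98"),  # inside Carrier A, right PLMN
    Observation("site-2",         1860.0, 10.0, "505-99"),  # inside Carrier B, right PLMN
    Observation("unregistered-1", 2140.0,  5.0, "505-98"),  # no register row covers it
    Observation("wentworth-park",  942.5,  5.0, "001-01"),  # test PLMN inside Carrier A's band
    Observation("edge-case",       945.0,  5.0, "505-98"),  # straddles the top of Carrier A's band
]


def classify(obs: Observation, register: List[Assignment]) -> str:
    """Decide whether an observed signal is explained by the register."""
    lo = obs.centre_mhz - obs.bandwidth_mhz / 2
    hi = obs.centre_mhz + obs.bandwidth_mhz / 2
    overlapping = [a for a in register if a.lower_mhz < hi and lo < a.upper_mhz]
    if not overlapping:
        return "UNREGISTERED"            # nobody holds a licence covering this signal
    contained = [a for a in overlapping if a.lower_mhz <= lo and hi <= a.upper_mhz]
    if not contained:
        return "STRADDLES_ALLOCATION"    # partly outside every overlapping licence
    if any(a.plmn == obs.plmn for a in contained):
        return "OK"
    return "PLMN_MISMATCH"               # licensed band, but not the licensee's network identity


def triage(observed: List[Observation], register: List[Assignment]) -> Dict[str, str]:
    """Map each survey site to its verdict, for a report or a follow-up list."""
    return {obs.site: classify(obs, register) for obs in observed}


if __name__ == "__main__":
    for site, verdict in triage(OBSERVED, REGISTER).items():
        print(f"{site:16s} {verdict}")
```

Anything other than `OK` is a follow-up item rather than a conclusion: an unregistered signal may be a register lag, a survey error, or the rogue tower the talk speculates about, and the PLMN check is what separates a licensee's own cell from a default-config build sitting in the same band.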