
Hack The Science Center

BSides Peru | 1:32:49 | 70 views | Published 2023-08
About this talk
Kevin Cody, Jon Zeolla, Michael Schroeder, and Christopher Tomei bring you Hack The Science Center 2023

00:00 Using lasers to 'see' and record sound Did you know that lasers can be utilized as a microphone? Sound waves can be picked up using inexpensive, off-the-shelf electrics, which can then be used like a spy recording device. We will discuss how this works, show off a quick demo, and even work together to build a laser microphone from scratch. Whether you're into physics, acoustics, electronics, or just always wanted to be as sneaky as an MI6 agent, this topic is for you!

15:22 Passwords for Humans Come learn why (and how) to set strong passwords, and how to make them all less difficult to remember! Also, ask any of your random questions on passwords or website logins

41:16 “How Not to Electrocute Oneself When Securing EV Charging Infrastructure” “When out in the world looking for things to mess with, obscurity, unfamiliarity and our lizard brain does a pretty good job keeping us out of trouble… but how might one go about (safely and completely) assessing or manipulating something such as a 300kW EV charging station? With this discussion, we will walk thru the various components of a charging station, how they interact with one another and where there may be potential for manipulation within EV Charging Infrastructure.”

01:02:03 Wifi Security Demo - Your trusty WiFi is only as secure as... the password? Why? Learn about wireless network security failures so you don't do the same!

just some Logistics stuff so there's going to be talks down here all night so uh 6 30 7 15 8 8 30 when you're not here when there's not talks there's also table set up throughout uh so there's one on on uh hacking power uh your your home power uh meter there's one on Wi-Fi um up upstairs there's lock picking and actually when I'm done here I'm gonna go up to three so if anyone would actually like to do a little bit of soldering actually make one of these and take it home we're going to be having a little bit of Hands-On time up on three so thank you all for coming out please have a seat

nothing too formal here I am going to go ahead and get started then so thank you all again my name is Kevin Cody uh I am a hacker by trade but I like to Tinker with uh engineering stuff and electronics they time that pretty well um so we're gonna be talking about using lasers to see and record sound or how to capture audio using a freaking laser so one thing to know right up front is when you're hearing me talk right now this is this is analog the sound waves are going into your ears through this kind of uh uh sine you know wave like this going up and down now the concept here is we're going to

take and capture those analog sound waves and we're going to turn them into a digital recording but one thing to note right up front is you don't get this nice pretty curve when you are capturing things things in digital digital is zeros and ones right it's either on or it's off so how do we turn that analog sound into something digital that can be recorded right well we only can make marks like this so it's either off it's all the way at the bottom or it's on it's all the way at the top well some really smart folks a long time ago figured out well what if we have that and we use half the power so now we

have on off and half right we have an extra bit of information well we can actually do that quite a lot and you can turn that analog sound wave into something that really resembles that same sound wave but in digital form now one thing to know if you're familiar with digital um uh digital video recording you might be familiar with frames per second right who can tell me how many frames per second can our eye see good 60 frames per second so again some very smart people a long time ago figured out if you take 10 or 15 or 30 or up to 60 still images that are just slightly different one by one and make them go by really quickly

your still images turn into moving photos right and that turns into movies so just to give you an idea this is 15 seconds versus 30 versus 60 versus 120 I'm sorry 15 frames per second right so when you look at the 15 it looks a little choppy right because our eyes are seeing 60 frames per second 30 looks a little smoother 60 looks pretty much perfect between 60 and 120 you can't even tell the difference because our eyes can only see 60 frames per second now you're saying Kevin why are you telling me about frames per second we're here talking about digital mics and audio what are you doing here well frames per second in audio

converts to bit rate folks heard of bitrate before maybe so the higher the bit rate the higher quality the sound is now if we go back to this digital sound wave the bits are represented by these little points so if you think about it if I had on or off or on or half and and off I could only have three tallies across this but the more bits that I break this up to it gets smoother and smoother and smoother until it turns into the 60 frame per second where your eyes can't differentiate that it's not a bunch of still pictures put together and the same thing with digital audio we can turn those bits into

something so smooth you can't tell the difference between analog and digital audio so I promise I'm going somewhere with this let's talk about ears for a second anyone here like an ENT or a doctor I'm gonna butcher this terribly and I apologize just uh internalize my awful uh medical stuff here for a second so we're gonna basically recreate the human ear using these parts here and we're going to capture the audio pretty much the same way the human ear does so this is a photo resistor it's a light sensor again it can sense light being on or off but then it can also change ever so slightly whether the light is brighter or darker and it can add resistance to

the current so you can get a lot of variations there turning lights into ones and zeros or 0.1.2.3.4.5 so this instrument here which is right here I'm going to put it up on the screen so you can see it but this instrument here is acting like our cochlea it's turning the the pressure waves the sound waves into something that's going to be processed by our brain the auxiliary cable which is going to be plugged into my computer this is uh it's going to go to our brain it's actually more of like the nervous system right the nerves send the signal to your brain to be um computated my cup here this is like the ear canal

and the eardrum the sound is going to come into the cup it's going to reverberate just like the sound comes into your ear and reverberates off of your eardrum and your eardrum then or your I'm sorry cochlea takes that uh um the reverberation and turns that into something that our brain computes and turns into sound and the laser pointer is essentially going to be the conduit it's going to be the sound waves going through the air and coming into the cochlea and the computer is the actual brain right the computer is going to take all that data and turn lights into sound just a quick uh run through I said all those things the total cost of

everything but the computer it's like five bucks here right these are very off-the-shelf parts and like I said come up to three when we're all done you can build one of these with me really really straightforward easy to do so without further ado

so what you see here up on the screen is a laser pointed at the cup the cup has a little sequin glued to it it's bouncing back into this photoresistor okay laser cup photoresistor behind the cup is a speaker thank you

it's gonna be hard for you to hear over the music but there's music playing right behind the cup

some recording from the external microphone which is this auxiliary cable going in here now I want you to see it's going to be a little hard to see on the screen but I'm going to shut off the laser and if you look this little thing is not moving it's still playing but this little thing is not moving there's no audio being picked up by anything over here I'm going to turn on the laser Maybe there we go the laser is on and you can see that little thing kind of pulsing so I'm going to hit the record button

the laser is pointed at the cup the cup is reflecting back I'm sorry the laser point of the cups reflecting back into the photo sensor the photo sensors being routed to the computer and the computer is recording this it just thinks it's audio this is a regular microphone an auxiliary cable like before Bluetooth we used to plug into our car before that we plugged into our computer speakers right so I'm going to stop it stop the music it's gonna be hard to hear but I'm gonna hold the microphone up to this I'm going to play back what this just recorded no trickery here

I don't think you're gonna hear it well if anyone if anyone would like to hear it you can come up uh it's just simply not loud enough because of the music being piped through here but essentially it is recording the audio from that here even though no audio is actually being recorded let me see if I can crank this up a different way

yeah it's just not loud enough let me try one other thing here

I could maybe uh

I'm gonna try one more thing here

all right let's try this

if you come up next to the speaker so that's using that's using a laser microphone a laser to intentionally pick up sound waves capture them and record them like a microphone so in reality where does this turn into hacker where how does this this go forward right well if you look at that glass that glass can do the same thing that cup is doing it's reflecting or gathering sound and even though you can't see it it is reverberating a little bit so if you take one of these and shine it at the glass if you look at my chest it's reflecting so I could literally stand over on the other side there take my laser pointer

hit it off that glass capture it with a photo sensor and I can record if there's a conversation going on in this room from across there now there is one catch does anyone know what the one catch is where this will not work good he said in case you didn't hear double pane windows so if I'm on the outside of this building and it is a double pane window and there's argon gas in between that pane of glass that will actually keep the outside from reverberating so much so if you do have good windows like a lot of the office buildings we have around here and whatnot it will keep the corporate espionage down to a minimum right it's just not

going to work but the interesting thing was I told you all my parts here was around five dollars other than the computer you could actually buy a laser microphone fully um ready to go off the shelf you point it it collects it it records internally for like 100 bucks on Amazon they sell them purpose made for this purpose I don't know what that purpose is maybe corporate Espionage I'm not sure but um yeah are there any questions yes

to repeat the question he asked um so this is a visible laser our eyes can see these uh if you have a security camera at home a ring a nest you might be familiar with those those lights that light up but they don't actually show anything they don't actually illuminate anything they just look red when you look at them in under certain circumstances those are infrared lights and um yes they do make infrared lights they can be picked up similar to this visible laser and as long as it's hitting off of something that's reverberating it will turn that reverberation into sound and if it's reverberating because of noise like voices it will then you could

capture it and play it back as audio so this um oh that's a good question I don't think this would actually pick up uh uh infrared light it is just a light sensor though it doesn't have to be a laser this will also light up if you know if I put my hand over it and then I take it over right it's just going to convert that that resistance into ones and zeros and if those ones and zeros add up to something that looks like a sound wave the computer plays back as a sound wave but that's a good question I'm not sure if infrared light could be captured by this particular photo sensor any other questions

well I thank you all there's lots to see here from our folks here of course the entire science center is open for your perusing so if you have any further questions or you want to get a little bit of Hands-On with this I'm going to be up on three and I thank you all very much

all right hello everybody hi uh my name is Jon Zeolla nice to meet you all uh welcome to my talk there's not going to be a lot of slides this is going to be a little bit more conversational we are going to be talking about password security for humans right passwords for humans so so again my name is Jon Zeolla I am a

local Pittsburgh native I have this company it's called CSO we do computer security stuff for tech companies I also teach classes for a living so if I can't handle this you know I don't know what I'm doing with my life uh and and I do some conferences and stuff all right so how many people have seen something like this before okay cool yeah audience participation we could do this um and of course when you do it it looks just like this right there's like all of these dots like 15 20 30 dots you just keep typing keep typing right and it definitely definitely doesn't look like that under the covers right not no right no we we use letters

uppercase lowercase symbols keep things complicated does anyone know why we do that like what's the point yeah

so so essentially you just don't want someone else to Guess that because if they guess that then they become you right and we don't want them to become you especially if it's your banking website or social media or something like that that would that would not be good so um that's something there's a lot of different terms that you might hear in this field there's like password stuffing so password stuffing means I found your password online somewhere because maybe some other website got broken into and I'm gonna try that password and that email on a bunch of other websites right your Forum some for some video game forum that you did once 10 years ago got

broken into great but if you use the same password there is in your bank guess what once that stuff goes on the internet I'm going to try all of the banks in the US all of the banks in the world with that information I'm gonna see if I can log in as you so that's that's the pitch as to why you don't want to reuse the same password but then like how many how many websites do you have passwords for like does anyone actually know like how many you have or other than just a lot so I I do I I've broken four digits like over a thousand different passwords um because I just log into a lot of

things and make a lot of passwords I don't know what's wrong with me um but how could you like it's very difficult if you try to think of like how would you actually remember all of those passwords so people come up with these like algorithms they're like all right I'm gonna do my dog's name and then the name of the website I'm on and then a number and then an exclamation point at the end so I can always remember what the password is but it's still different for each website not a horrible idea not the greatest idea I'll give you a better suggestion later um let's not let my computer go to sleep here we go

but you know those are the sorts of things that people will do now who who heard about this thing that happened recently oh wow that's awesome wow you guys are like tinfoil hat and everything I love it um so does anyone know what happened or how bad it was it was 10 times worse than how they made it seem essentially yeah yeah it was um there's this there's a tendency for companies to underplay security breaches or compromises this was a case of a breach breach is the worst all right if you want to just equate security thing happening breach worst compromise a little bit less bad breach is the worst thing that can happen that

means that not only were they broken into they were compromised but then something was stolen right it's like kind of two steps we broke in and we stole the passwords and we stole the credit card numbers and we stole you know whatever so what happened so first of all LastPass this is a company and their job is to store passwords that's what they do so if you want to log into a thousand different websites you can give all your passwords to LastPass have one really really strong password to unlock LastPass and then you can get access to all of your other passwords to log into all the sites that you go to so when they get broken into that's

really really bad right really really bad I spent like New Year's Eve and in the couple days before that all right which which passwords do I care about if they really broke into this thing what do I do okay I'm going to change my banking password I'm going to change my you know I'm not going to tell you any more than that other sensitive passwords but that's really really bad and this isn't the first time and I'm not necessarily Throwing Shade at LastPass lots of different companies that are tasked with holding on to really sensitive things get broken into I mean this is why I'm employed this is why I have a company right it's it's hard this

is a hard thing to do security is hard so but the point is these companies get broken into and it can be really bad how do we how do we prevent the worst case scenario but before we talk about that that's what we're going to end the talk with we're going to talk about how passwords are actually stored and this is when we're when we're doing things the right way you can do it the wrong way and you're going to say oh your passwords abc123 I'm going to store abc123 in a file right that's bad because someone could find that file and say oh this person's password is abc123 that's not actually how this typically works

normally what happens is they use what's called a hash function that's this blender in the middle here so when you log into a password you type your big long thing in you hit enter it's going to encrypt that information send it to a server and then it's going to perform this hashing function I always think of hashing as like as a blender and I always think of the password as like a sandwich right you've got all your different meats and cheeses and condiments and you put that sandwich into a blender and you blend it now you've got this end result this delicious delicious uh drink here your Blended sandwich um and that's good so if you gave me

another exact same sandwich and I blended it again and I compared the two things they would be that same mixture right but does anyone here think they can make the sandwich from the Blended like output like can you go backwards no you you can't really go backwards you can't reconstruct the sandwich from the drink that's how this works so you give them your password they blend it up and store it and then you give them the password to log in a second time they re-blend it up and compare it and if they're the same they let you in so that's what an attacker has to do right if they compromise if they break into this company and steal what they

have what LastPass has they're not done right if the company followed the right practices they're not done they don't just have your password they have to crack your password and that is where you get into this brute forcing approach where you say I'm going to try a then B then C then D and I'm going to try ASDF or QWERTY or one two three four five they're you're gonna try all of those things and they try them with software on the scale of hundreds of billions of times per second which is why you need to have a strong one because if it's only eight characters long I can guess all of the combinations of uppercase

lowercase numbers and symbols for a characters in a given time period it depends on the hashing or algorithm but you could do it you can do it if you if your password's 48 characters it's not happening it's just not happening so the length is really really important and that's kind of what we illustrate with this comic here so in the top we're talking about yes XKCD I know a lot of a few fans in the so Troubadour and three so this is what we've trained people to think they need to write as their password capital T lowercase R zero lowercase U um that is actually kind of easy for a computer to guess and pretty much

impossible for a human to remember so that's that's the opposite of what we want we don't want things that are hard for humans and easy for computers we want to flip that so let's go down to the bottom correct horse battery staple now this is a little tongue-in-cheek this is not technically accurate but it s brute force attack you did A B C D E you know Etc it's going to take you a long time to get correct horse battery staple um so against certain types of attacks it's better so but it's also much easier to remember like how many people have already memorized correct horse battery staple right like you didn't even try and you just memorized it so

the idea is to replace passwords with passphrases start to create a sentence create combinations of words and then another key thing to do I know this is going to come as a big surprise to much of you most people end their passwords with symbols and numbers don't don't do that just do what other people don't do right so say correct horse 45 battery staple capitalize the H in horse do do things in the middle that's the that's the key um if you if you put number symbols capitals towards the middle of your password it's statistically going to be more difficult to crack and then just have it to be long enough um focus on it being longer than it being

complicated and these are only for passwords that you need to remember but again if you use a system like LastPass or this other 1Password Dashlane NordPass whatever there's a bunch of them there are options out there KeePass and you can have one really strong password which is what I do I have a password that's about that long takes me forever to type in it is literally I just made a password like the top combined it with a password at the bottom and then mix it up a little bit so it's like you know long but that's the only password I remember every other password I go in and I copy and I paste

it I copy and I paste it and it's it's even longer and it's even more complicated but it doesn't matter I have no clue what it is so if an attacker breaks into a system they got to do this whole blender thing for my passwords that are this long because I made them with a machine but I don't need to remember them anymore now I've got a little audience participation section does anyone want this is local Carnegie Mellon website and we can type in a password here and we can see how strong it is so don't tell me your password or I mean you can tell me my your password oh don't tell me your password but what

would be an example of a strong password something that you could actually remember correct towards battery staple

one five five nine therapy your password appears strong good job yeah exactly so that is and then we can show I think I got it mostly right um this is overly secure is that what you were going for something along those lines um oh okay I thought you meant like not like zero um um but yeah so that's a great example we essentially wrote a sentence and we put some characters in there let's try something else

pretty strong not as strong as what we just had before but notice the difference in complexity we don't have uppercase um we only have lowercase there's no numbers there's no symbols and then you can you can kind of play around let's put something in the middle that makes a nice big jump that's turned us to a capital H that's another nice big jump um but what's really cool about this website is you can see it actually gives you feedback your password's pretty good um if you want to make it better do this do this do this right so I really like websites like this um more to get an idea of what a good password

looks like and to have this intuition about good strong passwords don't actually put your password into it I mean they don't save it but like don't trust them either right just don't put your passwords in there and all right so this is the last slide I have no idea where I am on time oh I'm like perfect great so number one recommendation find a password manager that you like and use it some are some are free and a bit painful to use some cost a little bit of money some cost a lot of money I think uh 1Password is like the most expensive generally considered the strongest um Dashlane LastPass NordPass whatever you can Google password manager and you

know find something interesting use those tools to randomly generate passwords so you just remember the one to unlock the safe and inside the safe you store all your other passwords make sure you have unique passwords per site and you can see if you weren't doing number one like number two and number three would be really hard to do like if you're actually going to randomly generate a password and have a unique one per site good luck remembering it just they're not gonna happen the last two are a little bit different so use multi-factor does anyone know what multi-factor is yeah does anyone want to explain what multifactor is yeah

right perfect nice yeah exactly so it's it's two different factors and so the factors are something that you know something that you know is your password right something that you have it might be I've got a little device in my pocket this is one of my multi-factor devices I've got another one plugged in here I've got tons of tons of them is this something I have I don't know what's in this thing but I know it's a secret and I know if someone else has it they have my second factor and then the third thing is something you are something you are as I'm you know fingerprint Iris retina Etc some sort of biometric face ID whatever and so

multi-factor means two or more of those three so something you have I might have a phone and I can press a button on it and something I know like a password or something I am like a picture of my face so it's really important to use multi-factor because that means that the website that you have multi-factor set up for even if you have the right username and password they won't let you in unless you have the other thing the other Factor so someone steals your password online but they don't have your phone they don't have your phone number you can't get the number from your that they texted you okay they're done they don't actually get in to steal anything right

so that that's pretty that's a pretty big deal um you can go a little too far with this as a security person I probably shouldn't say this but like I don't multi-factor everything I multi-factor what matters right because you should see how many I have like four different multi-factor apps that's a multi-factor device I have a multi-factor device here I've got I've got tons of them so there's a limit right things that are valuable and what's valuable is up to you use multi-factor on them and then finally know what your crown jewels are so in the case of LastPass when that was compromised guess why I know I have over a thousand passwords because I had a

look at all of them to know if I cared if it got stolen and I wanted to go log into that website to change it right so like I said I made a list I spent a few hours and I did the most important things and I'm pretty sure that they won't get any of my passwords because they have to break that first password still they're still your passwords didn't get stolen if they were in LastPass the encrypted safe that your passwords are in got stolen and if they crack the safe they get all your passwords but they have to crack the safe right and so if you have a really strong password then you're in pretty good shape I have

a pretty strong password but I also have a tinfoil hat at home so I decided to rotate anything that had to do with money or my reputation all right that's pretty much it but now it's it's open season does anyone have any questions no questions everybody's sleeping yeah

here together

so so the the question statement was you saw something that said four words in a row like correct horse battery staple has become easier to crack why so yes that is true that's why I said that technically it's not as strong as that XKCD shows because that's assuming a brute force and you'd be stupid if you attacked passwords with a brute force nowadays instead what what you really do so I do this for a living I get I steal troves of hashed passwords from tech companies and then I try to crack as many as I can and then I try to steal everything I can from all of those accounts that's my job right when I have a pile of hashes these

passwords I'm not going to try a b c d e what I do do is I guess every single character that's seven digits so if it's seven digits or less I'm gonna crack it period because I'm going to literally just try all of them but then once you get to eight and up I change my tactics entirely I'm I look there's actually algorithms for keyboard patterns because I know humans are human right and we've got hands so I'm looking for things that are easy to type on a keyboard so going across QWERTY asdfgh you know etc those are things that I that I program into a computer to try extremely quickly same thing with with going vertically on

the keyboard one q a z Etc I'm gonna try those two I'm gonna do the same thing but with shift held down right I'm thinking about things that your hands can actually type and then I'm going to think about things that are easy for you to remember that's my next stage so I'm going to do a dictionary attack I'm going to take one word and I'm gonna have a modifier at the end so I'm going to say every word in the English dictionary and then I'm going to do um all the numbers one through 999 and I'm going to add some special characters in there at the end and if that doesn't work I don't keep guessing things I'm

not you didn't put 50 numbers at the end of a word right you put another word or you get two words and then a number so I move on I move on to two words and then a numbers three words and then some numbers and then I start getting and then I'll start thinking like okay maybe this is a really Savvy person word number word number word pass you know whatever word you know I'm trying to get rid of the completely randomly generated thing so if you randomly generate your passwords I'm never gonna crack that if it's more than eight characters I'm just never gonna get there that's it's a it's a waste of money because it cost me

forty dollars an hour per server to crack these things so I'll spend 100 bucks 200 bucks but I'm not spending a hundred thousand dollars you know who will spend a hundred thousand dollars nation states other countries so that's that's another that's all we care about but that's a whole other level of concern but yes to answer your question the way that I'm actually going to crack your password I'm going to think like you did and I'm going to turn that into an algorithm and I'm going to have a password do it 400 billion times a second yes

yeah that's a great question so why don't vendors uh limit the amount of attempts so many of them do not all of them do even if they did that only comes into play if I'm trying to log into the website as you so if I try to log in as you gotta try one two three I'm locked out I have to wait five minutes but what actually happened was I didn't go in through the login field I connected to your server over here and I dumped a file with all of these secret things in it and now I've got it on my server I don't have to wait for anything I could do it 800 billion times a second

and like it's it's just a file it's just it's just data it's just a hash that I'm trying to turn back into I'm trying to figure out what information turns into this using a hashing algorithm so yes that's a great idea but it just it just doesn't always apply if I if I did what's called SQL injection I can inject a command into a server and have it give me all of the passwords it stores and then I take that on my server and I walk away nothing you can you have no control anymore that's why they use hashes because they're assuming you're going to steal the information now I want to make it hard after you've stolen

it because there's nothing else you can do other than make it hard to decrypt but that but that's an awesome point yes

yes so how has AI and machine learning affected this world so my world is generally software so it's completely disrupted everything and it's crazy um specifically to passwords though um there are becoming um the algorithms that we make to figure out what's normal for a human yeah thanks guys um used to be thought up by people and now they're just being followed up by AI so there is a competition at the like World Series of hacking called DEF CON out in Las Vegas every summer and over the last I'd say three years the winners of that are starting to use like AI these generative models to create the algorithm and then they're running the algorithm to hack to break

the the passwords so it is getting better at finding the right way to get the highest percentage of cracks on the other side of the fence like it's a whole nother talk I've actually given talks before about like machine learning and AI and like I also I actually mostly help people defend I don't break into places all the time I break into people I break into companies to inform them what their gaps were and then we try to fix them like the point is not to break in and say haha I stole your thing like it's to say like great I figured this out someone else could too let's fix this here's the ways that you could have stopped me

let's pick the easiest one do that first and then let's do the second one and then the third one then the fourth one right and that's where machine learning AI is becoming really useful it's taking in all this information logs about activity and things that are happening and it's saying um this looks bad it's kind of like fraud detection except it's with different bits of information and you can say this person they're they're acting kind of weird I'm just gonna stop that right but in reality like like a human if a human was on the other side looking at the logs it's just scrolling and scrolling it's too fast you can't possibly decipher what's going on but AI

machine learning can and they can identify patterns and they can put things into clusters good cluster bad cluster bad clusters we stop good clusters we allow and then they make mistakes they stop good people they allow bad people through so you fall through other mechanisms but it's definitely interesting to see one of the things I like about AI machine learning is explainability you can sometimes ask a model why it made a decision and why it made a decision can be very surprising um one of my favorite examples is if you're using machine learning to just to identify what a picture is and the picture has a um like a husky looking dog kind of wolf-like and it's outdoors

and it says that it's a wolf you'd say I bet you it's because it looks like a wolf and if you tell the machine learning to say why you think it's a wolf it actually says because there's snow on the ground and it's cold and it's an outdoor picture like and then there's a little bit of like feet right it's not like the face it's not these other characteristics all kinds of weird things it's like oh obviously yeah I did it right it looked at the wolf and it was a wolf like no it looked at snow and feet what that is so weird I don't understand you like overlords please don't yeah but yeah it's disrupting everything as

well awesome any other questions great well thank you everybody if you have more questions I'm going to be up on two doing like card skimming stuff too so if you want to come talk about that happy to talk about that or anything else security so thank you all hey evening everyone how are you doing today evening whatever it is cool uh so I'm doing can everyone hear me okay I can't I can hear myself and I talk loud or is it better with the microphone sorry about that this is a microphone um that's the other poor guy he's over here he's like stop doing that [ __ ] man knock it off hold it at one spot knock

it off uh all right so I'm here to give a little talk about uh electric vehicle charging infrastructure work um and it's a kind of a fun little title avoiding electrocution I mean that's sort of like lizard brainy most of us won't roll up to a charging thing open up the cabinet and open and then start playing around and I would but I've electrocuted myself many many a time so I want to break this down this particular discussion is really going to focus on the thing that you pull your car up to you know we have three major components to it you have the cloud infrastructure you have the network transport all the ones and zeros and

bits and Bobs move through and then you have the actual thing that it uh that it attaches to um all right so safety um I mean glad I got at least four five laughs maybe maybe six you guys need to have more drinks I thought it was more entertaining than this wait do you see these like tired ass memes that I put up here it's gonna it's gonna be brutal so but no joke safety is third as Illustrated this by the way when I was Googling these images I saw that I almost peed my pants laughing it was like look at the dude he's hanging a sign that says safety thinks safety and he's straddling thing but anyways with

this if I can't say one thing if you're going to go and open some of these things up anything with electrical voltage in it just be careful look for big fat wires that have big screws on them and plastic shielding and don't touch that because the the power you think about you have a car you plug something up to something for what 30 minutes 20 minutes an hour maybe these these high capacity ones and you can now project this giant piece of metal for hours at a time you can imagine the amount of power that exists in there so if you do start playing with it please be careful because you can get you can actually get really hurt

all right so the specifics of this and while you're probably all sitting here is how can we screw with this what can we do to steal electricity steal gas or do we want to like what are the different attack surfaces and things that we can do so that shiny box that you go and you plug your car into has a bunch of components in it in each component will have a certain thing that you can do with it so in my world the operational technologies or ICS world we call that an HMI that's that screen that you tap on that you know the gas stations now are selling ads to you those things oh by the way those if it

has buttons the bottom two buttons touch them at the same time then go up another it'll enter the maintenance mode so if you don't want to listen to the advertisement there just start doing different two button combinations and it'll it'll do off you may be able to get to the point where you can change the gas prices with a one two three pin number or four one two three four pin I'm not saying do it or don't do it I'm just saying if one was to do it you might be able to change to zero dollars yeah they don't exactly so here people don't like changing the defaults people are lazy so we're taking advantage of

that so you have that HMI you have that interface screen something you can do with that you know hackers everywhere are going to do something you have your commodity compute so sadly that ad thing isn't going anywhere it's going to get more prevalent so because it generates money so people are going to need that commodity compute device in order to um display Those ads get the ads downloaded show them whatever it is if there's some way you can interface with it that kind of thing so probably something we can screw with there the next is the actual controllers oh that just changed um the actual control in itself that might be known as a PLC to some people

programmable logic controller we're going to have the electric meter itself so that is the device that measures the amount of energy going past so it knows how much to bill you or how much gas you're putting into your electric car um the charging cable itself there's protocols and information that fly around on there you probably all ordered like Tesla you know it's super famous you just go up you plug into it the car ride talks to the controller it identifies what car it is it says hey you got the free plan here's all the electricity you want or no it's time for you to start paying for this so there's an opportunity on the cable and the

final kind of area is the actual payment mechanism itself um so here audience participation where do you want to start which one of these do we want to hack first down the list I like this do you all do you alphabetize your OCD to CDO no I'm just kidding I'm just playing man all right so what do you think how can you you got the touch screen there so think you're at your gas station normal gas station or any kind of kiosk kind of thing What mechanisms do you think you can use to manipulate any ideas any guesses maintenance yep yep so what I would encourage you to do is get up to that screen and start

touching places so a programmer is going to be I don't want to say lazy because they're not lazy they're smart people they work hard but they're going they're on it I I this is being potentially recorded I have to behave myself they are going to focus on the things that to be operational to do their job so if you're doing EV charging somebody's going to show up they're going to do some kind of selections around their car or something like that they're going to need to pay for it that's where all that energy is going to be so they will hide obscure things to make their life easy even even easier or for technicians so that's security by

obscurity if you've heard that before that's that maintenance mode so I've rolled off to that HMI that interface screen and just start tapping it do swipes this and just start doing things eventually something will happen that was unexpected and when that does happen put it on the take a picture put it on Twitter and go from four followers like I have to seven followers um and then you do that enough and maybe I'll get to 10. so I'm not on together I am on Twitter but I'm not on Twitter anyways so that's probably the most thing there's not really a whole lot more I think you could do because that's going to be reasonably locked down or

you would expect it to be where outside of maybe deliberately entering maintenance mode you can vandalize it I guess maybe you could put another capacitive that's kind of fun another capacitive touch screen on top of it to do sooner like a pseudo credit card skimmer type thing so you know as people are tapping maybe you get them to enter their email or something like that or a PIN number to something I guess maybe I don't know anyone have any other ideas that's all I've come up with there you go yeah display your own ads political messaging I mean it was pretty divisive Community right now so you could piss people off or not or whatever

you want to do exactly so I'm going to skip commodity compute because I think that for are there a lot of security people or computer people kind of in the audience or is this yes no mixed bag do we want to do a kind of like a how about this if you're a computer nerd awkwardly stare at your own shoes and if you're not then continue to make eye contact with me all right we're good we're good have you guys heard the joke about an extroverted um computer person versus an introverted one in the difference an extroverted one stares at your shoes so so I'm going to skip over the commodity compute because that's that's exactly

what you would expect you're going to be running some kind of operating system you're going to have a whole bunch of googleable metasploitable whatever's going on in that commodity compute device the PLC so this is the ICS world anyone here ICS-ish OT I think one of you guys are I got the feeling from that all right we have one ish person so these are this is the controller so it uses something called ladder logic where it's a series of steps that make things happen so it'll be like um you connect your cable in and when a voltage is detected on a certain pin then do some other action and when that does that then do another action and it

runs down through and it is the interface between it's a cyber physical interface between our world our physical world and the computer world if you will so that PLC that programmable logic controller that's the device that does that interfacing for us so if you have something that receives physical inputs does something with code and then does something else with it what do you think you could manipulate there you can change your inputs you can change the code or you can change the outputs so inputs I mean if anyone stopped by My Little Hardware hacking demo over here that's kind of where we were talking about changing what that controller is expecting or doing something so if it

says hey I'm expecting a a voltage signal from a whatever and if it's greater than 12 volts do this and if it's less than 12 volts do something different well what if you hook up like 400 or send a signal of like 450 volts maybe there's a math thing in there it says if it's 12 volts then or if it's over 12 subtract the number from 12 and then use that output well if you put 450 in and you subtract 12 from 450 you now have a negative number it's going to confuse that output so you can manipulate those inputs you can also manipulate the code that's what the hardware hacking demo is about pulling

that memory image off and then putting on your own any way you really want and then the final thing is manipulating the outputs don't really know how you do that but you probably figure out a way electric meter so if you're really trying to steal your gas this is probably one of the areas you're going to want to hit on because if that electrical meter isn't metering what it's getting then okay well I get free electricity so you could open up the box cut the wires twist them together what's up Dan oh is it that bad well now I feel like it's too loud down here up here can I do this okay I'm sorry

before yeah hold on there we go thank you thank you thank you um so that electrical meter there's going to be some kind of data signal probably or something like that so that's a good opportunity right there to go into this big silver shiny box we know nothing is going to be encrypted because it's 2023 and why the hell would we encrypt stuff because that's I mean it's lizard brain I mean honestly how many people here would walk up to a box open it up while it's energized and start [ __ ] around with it I mean honestly huh we got one two but you do it professionally like you know how not to electrocute yourself

I've never blown fingernails off or anything like that but I've gotten a good shock before so opening that up you know it's not encrypted you're able to sniff signals off of the different components and you could say hey I want to tell the the PLC that the amount of energy that the meter read was one kilowatt but instead I pulled you know I have all my friends lined up and we're just we're looting scooting this thing man I mean everybody's charging off of this all for free um I'll skip the charging cable right now honestly because I have no idea what those things are about like I'm getting into it a little bit but it's so wild

Westy um I know there's data connections and I'm sure you can spoof it and stuff like that but whatever the final one is the payment mechanism so let's be real most people that would do something like this not as a hobby or probably trying to steal something let's just be honest so if you get into that same Silver Box we know that the commands are unencrypted you're going to have a PCI DSS payment card infrastructure data security standard um you're going to have a device there that is rigorous and there's no way that you're going to be able to cheat the bank I mean you can try if you want but that's way over my pay grade however

between that PLC it's getting the the reading from the meter saying hey individuals used 197 kilowatts of power energy has been transferred that PLC is going to receive that value it's going to process that and then it's probably going to do an API call at that payment device and say hey um 179 kilowatts cost I don't know 12 bucks it will then send the signal over to the API saying hey is this individual cool for 12 bucks worth of whatever it reaches out to the bank the bank says well if it's my account it says it depends on what day it is but it'll reach back and probably say yep you're good for 12. and then that payment card

API is going to give a thumbs up signal unencrypted in clear text back to the PLC to say yep you are good to give that person 12 worth of electricity so the there's an attack mechanism there where you could just connect some wires to that sniff that traffic so legitimately charge a couple of things see what packets are going back and forth and then replay that so maybe you charge it for one dollar simple attack charge you for one dollar and then on the return API call back to the PLC you send that packet back and say yeah this guy's good for one dollar well now you got one free dollar worth of stuff or if it's a

simpler thing it just says yes it's good to go it sends a one then you know well all I have to do is steal all the electricity I want is to cut that wire connect my device to it so that when that the signal goes this way you pick that up and then you send the one back regardless of whether it's approved or denied make sense how am I doing on time all right I have six minutes so I kind of got through the very very high level of what I wanted to do where do you all want to go more jokes because I'm out I'm out I am I have two cats uh two

espressos before I got here because they said I had like five minutes on that and 20 here so I just talked really really fast and move around but what do you want to know I'm sorry both teams it's gonna say so what's after the end time what's actually The Next Step so does it work here there we go uh so what's after the endpoint then is the network infrastructure to move to the cloud service change there we go so you got to talk see as I use some pretty old tired jokes I only got two laughs this time I failed um exactly old man yells at the cloud so to answer your question from the end point

there's going to be a network layer so it's either going to be cellular over Verizon or Vodafone or something like that that is then going to talk to probably a cloud infrastructure so EVgo or Tesla or whomever it happens to be that's where all the brains are occurring that's so they can push updates they can distribute those advertisements they can do telemetry on the health of the the charging stations themselves all kinds of things like that and in that cloud how many people here are like kind of application hackers or cloud infrastructure hackers yeah so what do you do with the cloud what do you do with the cloud when you want to manipulate stuff

uh probably the best way you can do the best thing you can do is to break the networking connection first yeah and get it on your own network because then you can just run your own small little Cloud on your own Hardware so if you can get it connected through your own secured virtual Network then you can run it straight back to a computer you have even on it like at home or something like that run your own cloud yeah so you create your own private cloud and put up obscene pictures or politically divisive messages or whatever you want to do with it I guess anybody else want me to hand the microphone to them I'm trying to find a

way to get people to not look at me I'm doing a pretty good job buy shoes these are new my wife got these for me she's like oh you're doing this nice little talk do you want new shoes I'm like well I guess and uh the first thing I did was step in a giant puddle of Mud and she's like kind of fashioned like about fashion and stuff like that it's just like you're a [ __ ] numbskull like why how did you how did you make a 20 feet without ruining your shoes okay any other questions so I would say go out there have some fun with it you can do this at gas

stations start going into those maintenance interfaces be semi mindful of like laws and getting in trouble like I mean let's be real the dude that's or the whoever's working behind the counter probably if you're in the maintenance interface isn't going to come running out and like fly tackle you and like call the police because you can just say I look oh this is that from my perspective stupidity people are so cool with dumb people so if you just go up and you're doing something and like they come over like what are you doing be like I it was talking to me and I just started pushing things and I got here and and then I saw this and I kept

touching it I'm so sorry they probably won't arrest you yeah but if you keep going to the same gas station and doing it over and over and over again then they will arrest you and in Pittsburgh you'll probably make the local news because we don't have a lot going on all right yeah

that's exactly right and not get in trouble yes yeah that's the difference I mean for me at least so I do this professionally but the difference between like somebody who is 13 years old in their mom's basement that kind of profile and somebody who works like with the military or some of the higher end stuff it really is just about being quiet you know it's the techniques are very similar but when you have somebody that's been doing it for 20 years you just don't you don't do an nmap capital A and then run like you know uh slash 16 or something you don't really do that anymore it's more it's slower it's more dedicated um but with like this kind of stuff EVCI

and all the whole operational Technologies ICS be as loud as you want no one is watching they'll tell you they're watching but they're the cameras that don't even look like cameras that they're no one's watching just don't get electrocuted please that was the title of my talk don't get electrocuted I'm sorry yes or the cameras are on they are recording it but the dude is stoned and doesn't care yeah all right so joke aside does anyone want me to pick anything apart with uh the minus one minute that I have cool that's all I have thank you for attending [Applause] and well I uh you know I I mentioned the gentleman over there about alphabetizing

your OCD but uh yeah yeah the alphabetizing your OCD I'm kind of like that sometimes so I feel you man I feel you all right cool well if you have any questions I'm going to be doing I think the Little Hardware hacking thing over here for probably another uh maybe about another 45 minutes or an hour so if you have any questions I'll hang up here for a minute or two until everyone funnels out thanks all

hi everyone thank you for waiting for me I think I just have to find a little control to play um to start my recording and then I'll I'll we'll get we'll get started

you great uh so thank you I'm gonna talk about wireless security my name is Chris I'm a Pittsburgh native Chris Tomei I um spent some time in the area excuse me I'm a Pittsburgh native uh left for New York I went to college and said too good for Pennsylvania and here I am coming back right uh so uh here I am uh kind of uh back from engineering and and back from uh you know my uh attempts at uh going out of the area security and Pittsburgh have uh gum banded me back and so uh all of these things have kind of congealed into all of the uh wireless security and uh security information security elements

um that that I use every day it's a microphone quality good enough should I go for a handheld uh okay so we have a lot of uh do's and do Nots and I didn't want to go into that I wanted to go into why and why do we want to uh do our Wi-Fi with a particularly strong password and I'm gonna conduct a really um straightforward and simple attack because the point here is to show how how easy it is to attack so my Wi-Fi is out there at my table I am not attacking anyone else's Wi-Fi I uh specifically am going to kind of go into kind of what is what is Wi-Fi and I I know a lot of

this is really hard to read but the words are not important they are to distract you while I do my demo so I the the government calls Wireless emanations and in the 1990s it was a big problem and and now now Wi-Fi is here and it's everywhere so if we if we adopt their language and we looked at but look at what our uncontrolled emanations are um we we might want to have a look at um a tangible waveform of Wireless so let's pull up a visualization

and we have a a bunch of Wi-Fi in the area uh here's a really straightforward um uh visualization of of what Wi-Fi do we have in the area anyone see any Wi-Fi uh that is what Wi-Fi looks like I picked this random channel out of you know a pretty strong assumption that I would see something and here is a target I could attack that that's 316 megahertz and uh I can I can decode it and I can replay it but I can't do all the fancy things that I can do on Wi-Fi this is a more challenging signal and so Wi-Fi as public and as well known as it is we can do a lot more

um off-the-shelf stuff and um off the shelf to the point that we call it a script kiddie like a child could run this script and uh sure enough just a couple of keystrokes uh will show um an attack on these these waveforms

I love my little poem by the way

all right uh was supposed to tell you why you came uh so here I am I'm going to show you the RF uh that was it uh we just looked at a standing radio frequency um electromagnetic uh energy um and I want to get into our our basic uh wireless network this is your home Wi-Fi this is wireless access point uh we're going to go through two uh types of attacks they are trivial they're they're very easy and should be done in about five minutes each so uh please bear with me while we go through those uh examples and then I'm going to go right in the grad school I know I promised on LinkedIn this would not be

grad school I lied we're going to see why and um it all comes down uh to some some mechanisms that we prefer not to really think about um so our Network diagram as I mentioned it's just going to be a home Wi-Fi setup just like I have at the table and I would like to um say that this is all well and good for kind of general purpose Communications um hard to see my example there but I have a little gift card so we can eavesdrop on valuable information like your gift card so that that is the point that I wanted to really bring home that I can use automated tools to capture your password and with that then

decrypt your valuable data pretty clear wrong

a couple of little tools allow us to use cheap Hardware not just any hardware but not special not expensive maybe fifty dollars

okay so we're we're going into mode where I can see your Wi-Fi um we looked at a a waveform and that's fun to know that they they exist Among Us the waveforms um and why is security the way it is and um apologies for the small text but again just to kind of distract you uh all of these acronyms of fail I'm calling them are are all the ways that we tried to implement security and had an unfortunate uh outcome and I can mention that this was um the the industry trying to do better than what the national government the federal government wanted to do they wanted to have an NSA prescribed encryption mechanism uh they didn't quite get that

um and so instead we have this um just waiting waiting for my VM to deal with its uh USB uh I/O problems uh there we are um so Wi-Fi came out in 1997 uh this is what's called Wireless and equivalency protection uh WEP right so this is where you can um just gather a bunch of data and and get to the key and so super easy uh script kiddie attack over here I thought it was in monitor mode

the attack has started so a little bit of text there a couple of little commands this is not hacking right I am not I'm not hacking uh the most challenging thing in the world here

um so this VM is going to need a reboot um so we will get back to um what what happened since 1997 and and why did it go the way that it did and wireless devices weren't as powerful as they you know are now uh resource constraints are a big problem uh now we have the same thing coming back with IoT devices getting back on the on our networks when we thought that all of our devices could be uh powerful enough to exchange a strong key we do have mechanisms out there that are that are safe um Diffie-Hellman key exchange that we use to exchange keys on the internet comes to mind but not all devices can do

that and in 1997 they were not doing that so we had to put in the WEP key ahead of time and the key wasn't the problem it was trying to avoid the problem so they were trying to avoid the problem of a long lasting bitstream and the weak crypto behind it and in that attempt and the they implemented uh the vulnerability and we're going to use that now it's it's the leakage of the initialization vectors into the crypto algorithm and and they tried to fix it uh by changing a bunch of keys and it the you know the story gets worse from there um the the second crack we're going to do is going to be a WPA a modern

Wi-Fi and that is still um the the race to the bottom that is the denominator that all networks are weakened by is that this 2004 vulnerability it's still a problem I can still get your password by eavesdropping it over the air

okay let me get my USB device ready for a tackage good

okay see if this works this time a little bit of uh hacking involved right it doesn't always go as smoothly as we want but uh if it were perfectly um straightforward it just wouldn't be any fun at all another question

and um the WPS mechanism that I have over here uh push button for a PIN number to join your network um see how it just keeps getting worse as we go down and what's that that bottom line uh something really recent with eight zeros the password was eight zeros um these These are actual vulnerabilities that were implemented and um for this reason I I only recently recommended WPA3 okay so now we can

okay so 1997 network is there as WEP uh number three I'm not hacking here people this is script I'm not doing anything I'm going to press number three right oh man

I didn't set the channel Okay small amounts of hacking but once I set the channel then the attack should be successful

when the script goes wrong

this one should do it

physical Channel 40. okay so here's the magic and now here's this magic and I don't see the warning that I had before and I'm gonna start the attack

okay here we are network three

so I do need a client to connect over there and I am so here here's the um the leakage um starting to leak uh so in order to get uh adequate activity on the network I'm going to go ahead and download a big file of stolen passwords from a tiny server that I have on my table

exactly

okay so our numbers are finally starting to go up we're trying to get 10 000 of these thingies and how do we get them um so hacking uh is some of the thing that we're doing and uh that was it so um we just gathered uh all of the initialization vectors necessary for a 1997 style attack um okay so you see the password sorry the text is a little bit difficult to view uh but it's just my tiny awesome company um I planted this password this wasn't a compromised password but um you can see it and um this was with 1997 security that actually that that password is more secure than the WPS pin that followed it

in the 2006 line over here where you where you press a button um and and that that is really not recommended um so your emanations are uncontrolled your wireless is out there I have a big dish antenna over there uh to exemplify that the wireless is you know uh from a very long distance and that's like a 30 mile dish um that that I can carry in one hand um so a little bit of alignment and you could um get to the signal um you could do what I you could do what I just did from miles away um but you know that was weak encryption so let's try stronger encryption we have changed it the computers have figured

this out and they they have uh changed things and so we're going to have to encrypt our data and we're going to have to lock it up and in security we talk about locks as keys we don't really talk about the lock the encryption algorithm that should be well known that should have a lot of eyes on it so that the vulnerabilities are picked out before it goes live um so we're not actually talking about in the encryption algorithm that will do fancy stuff to come up with a key and I just wanted to exemplify what is the key and it is this comparison operation of taking the data and mixing it with a key

you need a one for one you can't encrypt data without going through this XOR operation very very close to the end whether uh it's a chained cipher or some other you know you'd use the leftover data and call that the data modulus this left over that chain it to an initialization vector on another block whatever at the very end you're running through an XOR operation so you need key you need lots of key and you need to create key all the time with every single bit of Wi-Fi that is being made and so the key's expanded over and over and over and over to meet this criterion so we have locked it the lock is high high quality right we

got rid of that one from 1997 we're now using like Advanced Encryption Standard federal government made it it's pretty good quality and um we need key data we need key material to encrypt your data and so so that's the problem so we're not breaking encryption here we are telling humans the the computer is telling you to make a key because the computer is a machine and it can't it knows that right um let me let me switch my Wi-Fi uh security for a new attack

okay uh fast forward to 2018 let's say uh 2018 security is now being broadcast for my table over there and um uh this is the modern attack where we can steal your password out of the air because that's how they implemented it they had to do it that way or so they thought um so your computer is a machine and it can't generate a password so it puts it on you and how's that going um so I I joke that the only thing more terrifying than a central key management authority is having everyone in charge of their own keys and so here's where we have uh that that going on um there's my attack network I'm going

to go ahead and select attack number two um the point is that this is easy and anyone can run the same attack have to join thank you

okay so once we have a client then we can

then then we can attack it um so there are definite requirements for every type of attack um usually a Wi-Fi network has someone using it um and it connects you to something my little example doesn't have all of those things so stand up stand by

okay running that one more time I I joke that machines are harvesting us for our chaos but uh it is true that uh they can't do it so them shifting it onto US is kind of part of the problem here um

I rushed that real quickly um if this doesn't need any love and attention then we'll be able to get to the the final attack which I think is fun and cute

uh well switching modes sometimes messes with uh the hardware and tell it to get into the right mode again

okay channel 40 and then we can attack channel 40.

but going back to the slide I I hope to make the example that the predictability of this string of key data is really going to make your encryption or break your encryption if anyone can predict your key then the key is not not uh resistant to attack okay well we'll run through one more little reboot of this little device because it is not finding it

uh so I wanted to show the example of what is valuable over here which is um some communications are not that valuable and what we talk about in security a lot of times is knowing your family jewels or your crown jewels what is sensitive to you what is valuable to you um this is right after the holidays so if any of us were using gift cards um shopping at the last minute ADHD using gift cards this stuff is kind of relevant and so during those times when your other sensitive data is being transmitted over over a sensitive over a hostile network this is where we need to apply cry cryptographic controls and so now you

have a hostile network before your internet or let's say you know one that is vulnerable to to being attacked so if you had an attacker on your in your vicinity or within you know the radius of your antenna you you could be attacked and if anyone remembers the the cantenna days you could take a Pringles can and you can take tin foil my my little um I I play about uh foil is a thing that I definitely use back in you know 2000s and uh thankfully I have better equipment now but it doesn't take that much if you wanted to all you need is a length of wire cut to a fraction of the wavelength and that's an antenna it's

you know very straightforward um again physics uh plays into it okay so this is a fun attack where it goes through a bunch of passwords

for the demo I made the password at the very end of the list so I'm going to change that so bear with me with me for a second but does anyone want to see a list of passwords that is very easy to submit to Wi-Fi it is really fun

tomorrow

um so real quick uh passwords this is one super small list of of things that I might have you know used as a password back in 1997 or might have derived my current password from from that um

I broke my neck on a Kawasaki motorcycle anyone have uh motorcycle in their lives um this is not my password but wow that might straight that might uh yeah be close to home for for some of us so let me feed my password

and run a run an attack

okay set the channel um channel hopping sounds like a great idea but it messes everything up and hardware sometimes doesn't like to be switched frequently

so I was really hoping that in 2023 we were not going to have to have such long passwords but the problem exists still that the password is easily captured okay uh so let's do a modern attack um okay this is the password guessing so we can't crack the the crypto the way that we did with the old attack we're going to attack the humans and that is the password that you created when you were late for a Zoom meeting so you were late you made a password you didn't want to forget now it's out there and and let's see what happens uh need a client

I just stole the password and so this is the attack now uh so the the the fancy part um happens very quickly the password was captured in a fraction of a second as an encrypted hashed value and this is a known ciphertext cipher attack because we know what the hash algorithm is and having stolen that key um as a hash I then tried every hash password in that list and it found it and it's highlighted and so this is why you still need a secure password in 2023 even if you have web 3 or excuse me WPA3 the current latest iteration of the latest Wi-Fi I could still name my Wi-Fi your same name and the phone will your

phone the client device will attempt to connect to it so an impersonation attack still will take the password out of the air and I can use this with this and I can decrypt your data I can decrypt it and uh that's it I'm running this running the demo over and over at the table but uh that that's wireless security uh in my demo questions