PG - Breaking the Bodyguards - Chrissy Morgan

BSides Las Vegas · 22:13 · 34 views · Published 2019-10
About this talk
PG - Breaking the Bodyguards - Chrissy Morgan Proving Ground BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019
Transcript [en]

Hi guys, nice to see you. Can you hear me all okay? Yeah? Brilliant, awesome. Right, so I'm Chrissy Morgan, and today I have around 20 minutes to give you an overview of what frontline operatives need to consider when they're meeting their adversaries, because the adversaries now will be using tech against them. No longer is it a matter of catching bullets; you will have all these technical attacks coming forwards, and the problem is some of these guys don't even know about any of this stuff or what's out there.

So some of you may know me from Twitter. I do a lot of research in different areas, I take part in and have run some CTFs and some awards and stuff, and I also run the Collab, which is a hardware hacking based workshop where I teach people how to build their own hacking tools. Part of that is because I like exploring technical attacks, and then with that technical surface I like to use it in a physical realm, so it can turn into a physical attack.

Now, how many of you here have taken part in a physical penetration test? Can you put your hand up? Cool, oh wow, that's awesome. How many of you take part in social engineering gigs, that sort of thing? It's all tied in, right? Cool. All right, how many of you have hacked a bodyguard? Okay, cool.

Now the thing is, right, you may have done it and not even realized, because we're taught to blend in, we're taught to keep our heads down and look out for our client, and a lot of people kind of don't realize that they're there. Now, believe it or not, I used to be a bodyguard, and one of the things that we're taught is not to assume anything by what we see. So that's one takeaway I'd like you to take today: you know, you have something that is a threat, you're looking at it and you don't think it's a threat, and that's just because you're looking at it as well; it's just not soaking in. We're taught not to take for granted what we can see. But the problem is bodyguards are taught to look out for things that they can see. What about the stuff we can't see? What about the technical attacks, the hackers? They're not taught how to defend against that.

So I'd like to speak about operational security with you today: basically who is involved and what they do, and then I'll follow up with some example attacks.

So first up, in an operation, who do we have? Many operations will be different, but you'll always have a VIP. They can be called a client or a principal, and they will have protection because there's either an active threat against them or as a precautionary measure. You then have your bodyguard, who's also known as a close protection officer or a personal protection officer, and they will be with the client during the waking hours; it's a one-to-one protective relationship. You also then have the protective team, and their job is to provide backup to the bodyguard, and they may also have duties such as looking after friends, relatives, partners, in more of a backup sense. And in the outer core we then have residential security. Now residential security is to provide inner perimeter protection, and they will give backup to everyone else as well, but they can also take part in the household management and day-to-day running of an estate, for example, and they work in partnership with the perimeter security guys. Now they're your general security guards; they'll be looking at CCTV, access control systems, that kind of thing. And then you have security operations, which is the brains of everything, and that'll be run by a security company. Now traditionally what they'll be is the hub of communications, but with that they also carry out other tasks like recruitment, for example, and they'll work hand in hand with third parties that they bring in. Third parties could be security drivers, surveillance guys; there's a lot of different third parties who are involved in the whole process, but that's generally on an ad-hoc basis.

So what protections do we have in place? We have CCTV and fence, access control and alarms, and predominantly that is controlled by residential security, perimeter security and security operations. Then we have penetration tests, protective intelligence, surveillance and also technical counter-surveillance sweeps, so it's called TSCM, and they're looking for listening devices, bugs, that sort of thing, and that is predominantly carried out by the third parties that are involved. Then we have background and due diligence checks, training and awareness, and lastly information security protection, which is part of the area that I'm involved in.

So some of the research that I undertake and look into is asking questions like: what happens if you take away the protections? What happens if you change the target? No longer are you targeting the VIP; you're now targeting the bodyguard and the protection team.

So I have a case study: Security Kev. Now he is Ed Sheeran's bodyguard, and I have a lovely relationship online; it's bright, it's beautiful, it's a lot of comedy value. But what's happening with Security Kev is he's now actually become a public figure in his own right. He has now got over a million followers on Instagram. Unfortunately for Security Kev, what else he has online is his personal details, so I was able to, within 15 minutes, get his full name, address, all previous addresses, date of birth, things like that. Now that gives us an idea of what else to account for and start to build a picture around Kev, his work life and his personal life. And unfortunately for Kev, because he's a UK citizen, back in the day before the internet blew up we would all register companies, and it looks like what he's done is registered his company with his business address. Now that was fine back then, but 20 years later you've now got everything accessible to everyone, and the problem is, what you need to do with that, if you're an attacker, is look out for that kind of information and figure out how you can turn that into a physical attack.

A lot of things you can do: I've got mobile phones and mobile phone numbers; people give them out freely, and that's fine if it's someone normal, but if you're a security operative, what you can do is you can use app analytics. So there's an app called Agent for WhatsApp Messenger, and we all do it, so look at your online usage, to see when you're online and when you're offline. WhatsApp is very, very much used throughout the industry in the physical world, prolifically, but I can find out if someone's on shift or not on shift, their sleeping patterns or routines, from that. Then you also have stuff like Grabify, so you could send them a link and then you might be able to find out the general location of where they are. You've also got people who've claimed that they can figure out the location based on the mobile phone that you have, or the number.

So we've established that stuff online can be quite dangerous, and one of the things that I found was Ed Sheeran's house and his home address, and from that I could have a look on Google Maps, and I was able to see what kind of alarm system and CCTV cameras; I could see a nice high-level view there; I could see what vehicles were there, also fence and entry and exit points, also a little gap in the fence. So it's quite interesting, but these are old pictures and I would still need to go and survey the property to make sure that this all still stands. However, what actually happened is the Sun newspaper did the job for me. So what we can see here now is that we can actually see there's a security camera pointed at the gates; he's improved the gates and the fence all around the property, so that's good, but I can see a load of vehicles and different types of cars, and I've got a lovely 360 degree of the property. I mean, this sort has been taken by a drone, so I could probably carry out some form of drone attack. And also what I was able to find was the building schematics, and not only that, Ed has been quite vocal online about the actual building plans. So one of the things he did state with that is he has built an underground tunnel that goes through to his pub; he has his own pub and he would write. And the thing is, he has a tunnel that goes to the house, and he's made it so you can look down the tunnel. Now what I would be thinking with an attacker mindset is, what can I do with that? He has already stated online that his wife and him do not drink at the same time, so if he's in the pub, where's his wife? Could it be that he's in the pub, the doors are all locked, everyone's partying in the pub, she's in the house alone? You know, that makes her a target now. So thinking around what they've put out there, those are the sort of scenarios that are possible.

So technical vulnerabilities, and bringing them through to an actual physical attack; here are some examples. So if I was to leave the Pen Test Partners guys at his house for a little while, I'm pretty sure that they're going to end up finding something. Now cybergibbons, who is one of their researchers, he was able to find that he could attack alarm systems, and what he could do is malformed packets, and then that would take the alarm system offline, and then you'd have to go and physically reset it. Now what we're looking for here is just enough time, enough distraction on the team, so then you can carry out an attack, so stuff like this would work. He could block the signals on the remote for it, and he could also do a replay attack, so he could disarm it. Now you can mess around with the security guard all night doing this; I mean, finally at some point they're going to turn the thing off, aren't they, because their client is having a go at them [inaudible]. So it's good, you know, things like this could have a massive effect.

Car hacking: now car hacking has massive physical implications. We can buy a car fob jammer really cheaply online, and all I'd need to do is distract the team, the driver, whoever else who's around this vehicle, for a short period of time. Now embus and debus, which is entering and exiting the car, is one of the most vulnerable points in an operation, so you could distract them just for a split second. And this is the Ukrainian Prime Minister here getting attacked, and what we see is the assailant get hold of one of the bodyguards and end up spraying him in the face as well. Or you could just carry out embarrassment, you know, your security team couldn't get you in your car. It happened to Theresa May: the security operative couldn't open up the door, and the next thing we have is "Theresa May struggles with another exit". Little things, but it all adds up.

So what if you haven't got a target? What if you don't know a bodyguard team, or you don't have a high-profile VIP to attack? You can go out and find them, and how would you do this? Well, activists have put top 100 lists out online of top targets, who are companies, pharmaceuticals, banks, hedge funds. As you can see, I'm probably on a hit list now for just viewing this thing, but it gives you all the details and all the places, and this is like the West End of London, and this is all you would need to actually start a campaign. Next up, so you don't want to go and hit one of the harder targets like a bank or one of these organizations, because they're going to have a good stronghold of security; you could go and hit one of the hotels instead. Now here's a map of all the four-star and five-star hotels, and they would be considered a softer target to go and approach. So what would you do if you go to a hotel? What would you do? You could set up a Wi-Fi attack quite easily, get any uneducated guest to join your access point. The guys on the ground, they're doing RST duties, and it's not just in the home but it's also when they're away in the hotels; you'll find them parked outside or sat outside the rooms on the whole wing, and you know, sooner or later they could join your network; it's game over.

You can also carry out access control attacks. Now I created the purse pwnage here just so I could have a remote way of collecting data and details of cards, so then I could go ahead and clone them, because they're going to assume or suspect a big bag, but they're never going to suspect a purse, and I could leave that anywhere. Also you have the Proxmark3 RDV4, which has now had an upgrade with a battery pack, so you could have that in the palm of your hand, walk past any of the team or go into the elevator with them or anything, and then you'll have the card details once again. So you can identify, you could either mass identify targets or be very specific and get someone that way. And it's very easy to get into this: so I started with an Arduino and an RC522 board, and I teach, like, for $20 you can get a kit to do that, and I teach that sort of stuff in this area.

So car parks: why would a girl want to hang out in a car park? The reason being is because when I was doing my research, I realized that for Bluetooth devices you need to capture it from it connecting and disconnecting, and that's where you can pick up the details, and a car park, I thought, would be a brilliant place to be able to do that. If you're there for long enough, you'd be able to pick up the different devices that are used, and this is the same area of West London; we've got all the embassies and all the big businesses and stuff, and the car parks around it. You can pick up routines, perhaps the different devices used; if you've got enough time and, you know, a connection you can get to, you could get reversed back into the phone. You know, there's loads of different attack surface when it comes to Bluetooth. And one of the things that I was looking at was the Apple AirPods. Now if these headlines are anything to go by, they're not as secure as we think they are, and a lot of the guys who work on the ground, they can be materialistic, so they're going to want to have the best and the latest tech, and of course having a headset earpiece is going to be operationally good for them because it keeps their hands free. So looking at this stuff here, I was thinking, okay, so how can I attack this surface? What can I do? So maybe some of the guys can't afford the official Apple AirPods and they'll go ahead and get the cheaper headsets, so I went and bought one online and I started doing some stuff. We have the micro:bit; now unfortunately that only picks up the lower range with Bluetooth Low Energy, but with the ESP32s at the moment I'm working with the Bluetooth API to do some sniffing. I can do spoofing quite easily without a PIN needed as well, so I can sit there, just pretend it's their device that they want to connect to; it connects to me instead.

Okay, so operational weak spots: there are lots, but I've only got time to go over communications, because that's one of the main things that you could do to attack and interfere with an operation. So what do we have? We can use all sorts of stuff for evil, but for communications we have mobile applications, phone, email, social media and radio.

So first up, social media. Now if I was to attack a team, what would I do? I mean, everyone leaks information, but I would actually target the bodyguard, and it would be an intelligence gathering exercise, or I could send malicious links, and why? Because physical security guys do recruitment on social media, so it's an easy target. There's also communication, and people love to update their followers on what they're doing, so you could actually probably intercept and get in even before they're on a live operation. And this is an example: so here is a job that's been posted out, and what they've done is they've used a TinyURL link, and the guys are expected to click on that link to find out more information, or it takes you through to a website. Now luckily enough that's through to a legitimate website, but it has been shown that with some of these shortening services you could hijack the links. So there you go, you've just hacked a bodyguard. Also, some of these people, even if you have a low profile, their friends aren't that great: you've got people who are tagging other operatives in these posts, so now I know that they're a security officer who's, you know, good for PSD duty, but this guy here, he's actually just posted his WhatsApp number online: call me, tell me details.

Okay, so email. Everyone knows about phishing; it's an easy thing to do and it's a really effective way to do it, because if it was me I'd hit a third party. Say, for example, you pretend you're an electrician or a company or something like that; you could then get into a property. Or if you wanted to mess with the operations, you could pretend to be one of their partners or clients who are involved in an operation, and it's a really good way of doing it because then you actually establish a mid to long-term foothold and you just wait; you wait for the right time and then you can take action and do something. Even if it's just changing the details, it would be effective in, you know, attacking.

Perhaps phone: so if I was to attack a team, and I'm wanting to murder the client, I would go ahead and carry out a jamming attack; I would take out all communications around the area, because I don't want you calling for backup. And it's quite easy to do: for a thousand pounds I can buy one of these devices with 16 antennas that takes out everything; it's beautiful, but it's extremely dangerous.

Then we have mobile applications, so I'd actually probably be a little bit more sinister and a little bit more low-key on this. I'd specifically concentrate on perhaps targeting the live location, because the guys on the ground use live location to send back to operations, just to let them know where they are and what they're doing at all times. So what could we do with that? We could falsify the information and carry out a kidnap, and we can do this with hardware and software or malware. Lin Huang here, she has a GPS device that can mess with the GPS coordinates. We also have the ESP8266, and those guys, intentionally, they created an art studio, and in that you could go into the studio and you'd be like you were walking into Ecuador if you looked at your phone location, and that's because it messed with the Wi-Fi location on your phone. If you have Wi-Fi location details set to check for the nearest Wi-Fi point, then it will mess with your signal, and they had everyone looking like they were living in Ecuador.

So radio. Now a lot of people think about bodyguards and then they think about having the earpiece in the ear and that they all have their communication. Now that's kind of slowly phasing out; we're more going towards using phones, for example, but radios are still used permanently, especially in events. And what I would do is I would intercept the device, I would monitor communications and perhaps block them. And how could I, and how would I do that? I would use the tech that's out there already; we have loads of stuff that works with radio, as we know. But one of the other things I could do is look at Security Kev, for example: he has got loads of photos of him online with his radio. Yes, sure, I could have it and I could struggle in with it because it's wrapped around his neck; I'm not going to do that. What I did is I decided to reverse engineer it and look at the make and the model based on the photos. Then I was able to see what Wi-Fi connectivity it had, if it had any Bluetooth, if it had any other sort of technology included, and the encryption type. It's only a matter of time before I can then start reverse engineering it and intercepting these communications, if he does, if he is using all those sort of features. I mean, if he's not, there is stuff like mobile repeaters that help do the job for you, and also SDR radio. There are also people who have got programs that will go and crack encryption, and the confidentiality of your communications is down to your encryption at the end of the day.

So, final thoughts. It's a large attack surface, and the guys out there on the ground don't exactly appreciate or know about it, so a lot of what I do is go out there and teach them and tell them and show them, practically demonstrate with very low-tech stuff that I've showed today. You know, it's very 101. I mean, if I can do it, someone with a notebook for $20, guaranteed there's going to be a lot of guys out there with a lot more money than me who can do it a lot better as well. And lastly, please don't go out and hack the bodyguards. [Laughter] Thank you very much. [Applause]
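The talk describes using a contact's WhatsApp online/offline indicator to work out whether they are on shift and when they sleep. The script below is an added example of that analysis, written for this page; it is not the speaker's code and not the app she names. It assumes a collector that writes one line per presence change in the form `<ISO timestamp> online|offline`; the log embedded here is constructed, and the on-shift/off-shift rule is a heuristic of this example, not something the talk specifies.

```python
# Added example: routine profiling from a constructed WhatsApp-style presence log.
# Assumed input format: "<YYYY-MM-DDTHH:MM> online|offline", one event per line.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data for one hypothetical contact (not real observations).
PRESENCE_LOG = """\
2019-08-05T06:40 online
2019-08-05T06:55 offline
2019-08-05T12:05 online
2019-08-05T12:20 offline
2019-08-05T22:10 online
2019-08-05T23:30 offline
2019-08-06T06:35 online
2019-08-06T06:50 offline
2019-08-06T13:00 online
2019-08-06T13:10 offline
2019-08-06T22:00 online
2019-08-06T23:45 offline
2019-08-07T07:00 online
2019-08-07T07:20 offline
2019-08-07T12:10 online
2019-08-07T12:30 offline
2019-08-07T21:50 online
2019-08-07T23:20 offline
2019-08-08T09:00 online
2019-08-08T11:00 offline
2019-08-08T14:00 online
2019-08-08T16:30 offline
2019-08-08T20:00 online
2019-08-09T00:30 offline
"""


def parse_presence(text):
    """Parse the assumed log format into a time-sorted list of (datetime, state)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, state = line.split()
            events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"), state))
    return sorted(events)


def online_intervals(events):
    """Pair each 'online' with the next 'offline'; duplicate or dangling events are dropped."""
    intervals, start = [], None
    for when, state in events:
        if state == "online" and start is None:
            start = when
        elif state == "offline" and start is not None:
            intervals.append((start, when))
            start = None
    return intervals


def hourly_profile(intervals):
    """Minutes online per hour of day, summed over all days; splits sessions crossing midnight."""
    minutes = Counter()
    for start, end in intervals:
        cursor = start
        while cursor < end:
            slot_end = cursor.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
            chunk_end = min(slot_end, end)
            minutes[cursor.hour] += (chunk_end - cursor).total_seconds() / 60
            cursor = chunk_end
    return minutes


def quiet_window(profile):
    """Longest run of consecutive hours with no activity, wrapping past midnight.

    Returns (start_hour, length_in_hours); over several days this is the likely sleep window.
    """
    quiet = [profile.get(h, 0) == 0 for h in range(24)]
    best_start, best_len = 0, 0
    for start in range(24):
        length = 0
        while length < 24 and quiet[(start + length) % 24]:
            length += 1
        if length > best_len:
            best_start, best_len = start, length
    return best_start, best_len


def daily_online_minutes(intervals):
    """Total minutes online per calendar day, attributed to the day the session started."""
    per_day = defaultdict(float)
    for start, end in intervals:
        per_day[start.date().isoformat()] += (end - start).total_seconds() / 60
    return dict(per_day)


def classify_days(per_day, factor=2.0):
    """Heuristic assumed by this example: a day with far more phone time than the
    contact's median looks like a day off; the others look like working shifts."""
    typical = median(per_day.values())
    return {day: ("likely off-shift" if mins > factor * typical else "likely on-shift")
            for day, mins in per_day.items()}


if __name__ == "__main__":
    ivs = online_intervals(parse_presence(PRESENCE_LOG))
    start, length = quiet_window(hourly_profile(ivs))
    print(f"quiet window: {start:02d}:00 for {length} h")
    for day, label in classify_days(daily_online_minutes(ivs)).items():
        print(day, label)
```

The point of the split in `hourly_profile` is that a session running past midnight must be credited to both days' hour slots, otherwise the quiet window is computed wrongly; the defensive takeaway is that "last seen" and online indicators leak exactly this routine, so operatives should disable them for non-contacts.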