WUDS You Say SmartAssPhone?

Everybody awake after lunch? No. All right. I heard somebody's awake. All right. Let me start my presentation now. It's called Would You Say? Uh smartphone. strike out the uh ass there. That was just for a little bit of humor. Maybe wake you guys up, too. All right. Who am I? Uh my name is Frank. Some of you probably know uh me or don't know me from uh last year or previous events around the Charleston area. Charleston is uh spoke there a couple times. Live in the uh Columbia area. Uh currently work for Qualace. Qualus is a sponsor besides a lot of other security events. Do a lot of good um community support, hacker support, research support. So uh I encourage

everybody to uh check out the company and what we do. I'm currently the uh director of web app security. So basically my entire life lives breaking people's web apps uh or trying to protect them or both. Um, so for work, what I, you know, obviously I do some security research, mostly web- based, um, vulnerabilities and those kind of things. Um, I'm into basically all geeky, nerdy things. Uh, it um, and for fun, I do a lot of the same. Uh, I like, you know, hacking, breaking, fixing things. As a father and a husband, I have plenty of things to, uh, fix as well as break, uh, get, you know, away from my day job. uh like security

research of course I perform it almost all the time uh and as with anything else you're doing something you're love you love and that's your job it helps uh and helps you excel as well do like motorcycles fishing and anything that gets me outside so if you saw my talk from last year uh it was called social insecurity so I like to take a little bit of a privacy aspect as well as being able to do some things for good and evil um and trying to work that in. Now, it is coming soon. We have it on the archive list here. Um, we got a couple of of them up there. I think Andrew, Evan, and I are still waiting for our

talks to be posted, but we'll try to get that up there. But, uh, the talk I did last year centered around geoloccation of anything social. So it was using social media and things like that and then using geoloccation uh to aggregate those sources to be able to see uh you know highlight on a map a specific area um and be able to look at all tweets, Facebook posts, four square check-ins, anything like that from anywhere in a specific source. And again I I I demonstrated how to people can use that for things that are good as well as well as uh evil tactics. And I'll try to do the same with the system that I'm going

to discuss today. So, everybody's probably wondering or not wondering if you're familiar, uh, what what the hell is WDs? What is it? What's WDs? WDUs is an acronym for Wi-Fi user detection system. So, by a show of hands, is anybody familiar with WDs? Two, two people. Okay. Um, so what we'll do here is we'll start with a little bit of history. Um, first off, my slides are not as amazing and exciting and uh collage uh as Jason's or some other speakers. Uh, but uh I will do most of my talking. Uh, I have a short slot here, so I've cut my slides in half. Um, so I'm going to make a lot of assumptions about wireless and uh 802.11

knowledge. And if I make those assumptions incorrectly, feel free to catch up with me after the talk. So we'll start with some Woods history. um like basically I'm going to give you a little background of how this idea developed um and how it became you know from a conception to an idea uh to an actual program and what the best part about this is is it all started at Bsides. Um so it all started in an arena just like this and in a room just like this. Um of course it involved zombies, right? Zombies are cool. Was anybody here at Bides Augusta? Okay. So, does anyone recall Tim Fowler's talk when zombies attack the airwaves? All right. So basically

how this whole idea of woods was born was Tim gave a talk about a zombie apocalypse and being able to use the airwaves to track zombie populations to be able to send emergency messages to do a lot of different capabilities using wireless and cellular data. um that is publicly available that's out there broadsp spectrum anything um I think it was 2.4 four and above um that he was being able to use that stuff. Now, I encourage everybody to take a look at when zombies take to the airwaves. Um this was probably one of my most favorite besides talks in the last couple years. Uh this it is a long talk. Um it's going on uh it's you know

it's it's it's a pretty long talk, but the content's definitely worth it, so be patient. So what happened was it started with zombies and it evolved to a more descript zombie. So Ryan Wilson was sitting next to Tim Tomes. Um does anyone here familiar with Tim? All right, great. So Tim Tom lives up in the upstate uh Landmaster 53 as he's better better known. Um Ryan came up with the idea sitting next to Tim and said, "Hey, um why don't we come up with something using the same kind of technology that uh that the zombie airwaves talk was talking about, but let's try to use it for detection in perimeters." And uh Tim said, "But that's a great idea."

Um, I'm gonna look into that and kind of Woods is born. Uh, Woods was born but reborn from a great idea. Uh, awaken from the dead of course using zombies and zombies is going to be my theme for a little bit here. So, essentially what I'm going to show you is how to just use a normal w uh Raspberry Pi, a wireless card, and any smartphone. And from there, you're going to be able to be able to easily build uh anything from a burglar alarm for your home or proximity anywhere you want want it. uh you can make it into intrusion detection and not like an a standard IDS signature that you'd think of from an

IDS box, but more of a physical proximity detection. Um we're going to be able to do automatic notification right out of the box and that will be sending you SMS, emails, however you want to receive these alerts. And you can also automate things with this. So you can automate anything from machine guns to cameras to anything that you could think of um in order to use the detection. And with my talks I try to stay on the theme of good and bad. So last year uh again I talked uh about how to use geoloccation and social media for good and bad. And this year we're going to do the same for this. So, we're going to get into a

couple texty slides for a little bit and then we'll get back into some pictures and then back some more text. So, we'll try to break it up for you. So, let's look at the approach. So, the approach basically is Wi-Fi probe requests, right? So, it's a great source of information again um that you can read from personal electronic devices. Everybody that I know uh carries some kind of mobile def phone that has Wi-Fi on it. um you know anything from your generic uh phone that you get from Walmart uh you know even a lot of prepaid phones and those kind of things will have Wi-Fi capabilities when a uh a Wi-Fi this is a very important thing to to mention here

when a Wi-Fi connected device travels out of a range of a connected AP the device automatically sends probe requests looking for APs that it was uh previously connected to. So what does what does that give us? Right? So the minute you walk away from your home and say that you know maybe you named your home network your last name uh family network or whatever as soon as you leave there and you go into a public place you're automatically sending probes out from your Wi-Fi device looking for those APs that you were previously connected to. Now that information is public. There's companies out there that are commercially selling systems like this. So, if anyone's familiar with Uklid, um

there are they are a system out there and they publicly sell solutions that monitor people walking in and out of any environment, office environment, retail environment, etc. Tells you how many times these people have returned, their frequency of visitation, and they're aggregating that data on you. you are giving the them that data publicly. This is all legal. That it's exactly what they're doing. So they're telling you, hey, customer A comes in here once a week. I know because I have their MAC address. I have their networks. I can it's a unique identifier for their device that they're coming in and out of your establishment or or your work or your home. So the application of this

technology basically from a physical context uh is fairly simple. using a white list. So we have imagine a text file or a config file with uh whitel lists of MAC addresses that should be within near proximity. So um I know that in my house I have five or 10 uh MAC addresses that I trust that are okay to be in my house. Now if I if anything does not fall within that white list and falls within my range that I'm detecting with my wireless card, it's going to automatically send me alert. And again with tuning, this creates a circular barrier and anytime anyone crosses that barrier, it's going to send me an alert or shoot them dead

on my door or whatever I feel like doing. Okay, so possibilities to this are kind of endless. So after the presentation, think about what I'm going to show you and after I'm done, I'm going to ask a question and whoever could come up with a best use case uh that I like the best that is totally non-scientific method. I'm going to give away a um an Amazon Fire TV. And this is courtesy of Wallace, but I'm going to give it away to the person who comes up the most creative use for the uh test case that I'm going to show you. So, how to go about this? How to approach this? Well, Python, of course,

we'll use Python. Why will we use Python? Because it's probably one of the only languages that I can write. And so, I didn't write this. Tim wrote almost all of this. Um, I will come straight out and give Tim all of the credit. Uh, but when it comes down to editing the core or or doing anything in Python, it's one of the only languages that I can use um that's not web- based or, you know, I'm not a really good developer, so that's what I use. I'm not saying that good developers don't use Python. I'm just saying I I use it for automation and I use it frequently, so it's easy for me to understand. So, I'm glad that Tim

decided to do that. Anyone wants the source code to this? Tim wrote it. You can get it here. I'll make my presentation available. Everyone will have it. Um, you can see I don't or you can't. It's kind of small. Uh, but basically you're you have his repository here. You get the prerequisites. It's a fairly easy install if anybody's halfway proficient um with any Linux environment or familiar with using any Raspberry Pi device. Um, it does not require a webcam, so on Linux it probably will work. Um, so that's the go. And again, Tim writes some great stuff. All the credit to Tim. I tried to get Tim here today. He told me he could come and then

he had some real uh hectic travel schedule and he has a family as well, so he couldn't make it. Um, so it's me. Uh, Tim's projects, check them out. Uh we have the reconng framework everyone's probably the most familiar with. We have peeping tom honey badger um which is another kind of like a push pin type of thing which we we can use for geoloccation. It's not as gooey friendly as the solutions that I've uh demoed last year but these are all some great things. Okay so enough crushing on Tim. Um we do have Jason here so we have enough man crushing going on here. We got uh Drama Sack Llama there. And uh instead of Dave's wife, we use Dave's

face because I didn't have permission on that one. So, all right. So, the first thing we do is we we download the config on the Pi. Um we download the files and we get the setup. So, you can see here we have the prerequisites. Prerequisites are really easy to install. Everything should work um kind of out of the box. Um, there are some caveats that I will get to and some things that I ran into when I was building this um, for my own devices that I will hopefully help you um, not run into the same hurdles or speed bumps that I ran into. So, everything on this page fairly straightforward. However, uh, we look at the

configuration files. Now, the configuration files for this are extremely important. The most important thing to look at here is the white list. The white list for your MAC addresses. If you live in a city um where you have tons of neighbors in a very close proximity, it's not the best solution. If you live out in the sticks or you live uh you know even with a decent amount of space between your neighbors houses, it works really well. But at the same time, MAC addresses and whitelists um are need to be configured there. Uh obviously, this is just your standard configuration file. Um but everything on nothing in this file should be pretty much default, right? So

you're going to have to go through these options. You're going to have to make changes. I guarantee you. Um I tried not to and it never worked. So you're going through here. Definitely need your interfaces, need your whitelists, of course. Um most important part is your whitel lists, your signal strength and alerts. So alerts. So do we want to send M SMS alerts? Do we want to send email alerts? How do we want to configure alerts? Everything in alerts is configurable. If you don't like this, tweak the code. The code's there. It's in Python. You can fix it. anything that you want to say, if you want it to show up differently, if you want it to

automatically generate something different, if you don't want an SMS, if you want additional information, all of that stuff is there. You can put in an SMTP gateway, you can put in your username and password. Obviously, there's a Gmail one in there. Um, most people probably have a Gmail address. Uh, Pushover. So, Pushover is an app that you can get for your smartphone. It has an API. You can automatically use this to configure your alert system and get your a and get your flows directly into uh your smartphone to be able to pull that information in as well. There's probably a whole lot more um API uh value with push with um with pushover. I just didn't get that

far, so I'll be honest. So, here's a picture of my setup. It's fairly basic. Um my desk is a little bit messy. So, you'll see two things here of interest. One thing of interest to note is that you see a USB hub connected to the Raspberry Pi. Um, using this system, I highly recommend not using two different wireless cards, one to get out to your gateway and one for your proximity. Um, it can be done. Uh, it it proves difficult. Um, I recommend using a hard code hardcd Ethernet connection. uh and then obviously maybe an alpha card or something similar uh for your for your monitoring signal. Now, one other thing to note here is you'll see two antennas

there. So, the first antenna is the the the shorter stock antenna that comes with the Alpha, and that antenna actually works quite well and and is plenty strong. If you live somewhere uh pretty remote, you can use the additional antenna setup. If you live in a city uh where you where you need to pull in that band from additional distance, it's it can work. If you live in a city, obviously don't use it. Um I live in a suburb area and this smaller uh was just fine actually for this setup. So what it looks like, again, if you're familiar with Tim, some of this content is his and he knows I'm doing this, so we're good. But we have a real

quick, right? We set our our circle limit. We set how far we want the signal to go. Whitel listed devices within your house, your driveway. Uh your neighbors, if they're close enough, you can whitelist them. If not, you maybe know when they crossed the perimeter. Getting that circle there correct is very important because if anyone crosses that circle, that's the threshold that's going to send it off. Again, 50 cal machine gun, just a trail cam or just a text message. Really up to you what you do with it. Is everybody thinking because they want the Amazon Fire TV? No. But we'll try. All right. How can you use this for good? How can you use this for bad? Well,

let's start with the good. Everyone carries a mobile phone, including criminals. Criminals will probably not turn off their Wi-Fi if they're breaking into your house. Um, they may, but they probably won't. same thing that was assumed by zombie attacks. And from the zombie airwaves talk, you you saw that the the assumption was that the zombies were dead people and therefore their phones were still on them. And so the zombie apocalypse, uh I read a good tweet the other day, totally off topic here, uh from a mortician who said he just ties all dead people's uh shoelaces together before he puts them in the ground so that way if there is ever a zombie apocalypse, it'll be fairly hilarious.

Uh, so if you don't if you don't have a mortician that ties the dead people's shoelaces together before they're buried, maybe you need something like this. But so alerts fairly self-explanatory. Okay. In addition to alerting the presence there, uh, WDs logs timestamps and probe packet request data. Do you remember what I said was included in that pro probe uh, packet request data? Yeah. So we can take the MAC address. We can we can look at these SSIDs. We can say, "Hey, this person committing this crime was was uh connected to this Wi-Fi at this time. Here's their MAC address." Okay, we use something like Wiggle. Oh, look where this SSID is. There's no saying you weren't there. You will get

prosecuted. You will lose. The cops will win. Okay, that's how we can use it for good. Notifications. Maybe somebody is babysitting home alone at your house. You tell the babysitter, "No having your boyfriend over." Well, all of a sudden, you know, your kid's bedtime's at 9:00. Well, 9:25 rolls around and the babysitter's boyfriend happens to walk through your property line or the circle that you sent uh that you set for your proximity, automatically alerting you uh via text, hey, this person's MAC address has crossed over. This is the name of the device. This is the APS they were connected to. You know the guy's name or last name or you may not. You may say,

"Hey, who's this strange person on my property 20 minutes after my kids are in bed?" Babysitters being naughty. You can snap pictures automatically. You can have the guy shot on your step. However you want to use it. So, machine guns, alerts while committing crimes, privacy invasion, yes. Is it legal? Yes. that information you're giving out to everybody every time that you walk anywhere with your wireless device. I'd really like to do a follow-up talk to this. Um, time is running a little bit short. So, I will just give you a preview of uh what I did last year again with the social media and geoloccation. I will take this to the next level uh when we talk about

wireless and the amount of information that you are publicly providing so that you don't think people or the NSA are stealing things from you even though they probably are but it's data that you're freely giving out and as long as you know that and what you can do with it the bad people can do that with that as well. So, trail cams, IP cams, surveillance, machine guns, trip wires, bad babysitters, delivery men, I don't know. Um, good, bad, indifferent. So, somebody give me a good idea or something that they they thought of that is able to use a system like this in the most creative way possible. Does anybody have any ideas? Okay, go ahead.

a bunch of systems are address what they're shopping for us. Yep. And Uklid actually sells technology to do that which is scary. Next automatic doors

Okay, that's good. So the thing with

detour put it in an app that people can download updates and then you walk around and broadcast. So system basically has the same person and every time somebody downloads the app and gets all that data from Now you're basically flooding the system with false information and the data makes no sense. So hacking the company that's hacking your Wi-Fi. Got it. And so I have a system that okay I want if anybody has access to something like that. Cool. I like that. Mother-in-law detector. Yes. All right. We're getting good. That's a good one. That goes along toward the lines of the bad babysitter, right? So, mother-in-law detector. Yeah. You could automatically foot in the ass on the front doorstep.

That'd be

great. Another good idea back there. Sure.

That way I get a little text message on my phone. Yeah. How about employers monitoring bathroom time for employees? Right. That's another thing to go. Jason

I like that. Yeah, I have uh I have three daughters. So, yeah, I like that a lot. All right, one more. Parking explain

parking. Okay. All right. So, I have to give away the Amazon fire and it's probably going to go to the mother-in-law detector. Everyone had really good ideas. I told you that this was non-scientific and I might or might not be going from personal experience. My wife's sitting up there in the right, so sorry, but uh that's going to be the winner. Come on down. [Applause] Hey, last connected at Staples hotspot. Well, who is this? Well, this just happened to be a delivery person. Good to know. What I wanted to get to was beyond text alerts here. So, I wanted to basically tell you what the challenges were that I ran into. Biggest challenge, densely populated areas, RSSI threshold

and whitelist. Tune them. Do it. Um, rural areas. Great. Okay. Who's ever worked with a Raspberry Pi? Has probably I I don't know why. This is probably the third project that I did. However, set the keyboard. Has anyone have their ass kicked by this the first time they touch the Raspberry Pi? Nobody. Okay. All right. So, essentially, if you have your keyboard layout as the Raspberry Pi Pi comes to you, basically all of your function keys will not work. your shift shift keys above your numbers. Uh-uh. Try to type an at sign. You're going to get a per uh a quote. Setting the keyboard map layout. I wasted a good hour of my time until I remembered, holy cow, this

thing's not from the US. I probably need to set the keyboard to US. Config and tweaks and alert setups take a little bit of time. Um, I had to mess around with some of the SMTP settings before I got this to work successfully. So, in conclusion, probably the best presentation ever, but thank you for your time. And if anybody has any questions, even geniuses do ask questions. And I did assume a lot on the 80211 in the wireless. Um, but does anyone have any specific questions? I have like two minutes. There you go. Yes. Yes. Scap is not used because it pegs the processor of uh on the Raspberry Pi. Now, is there a way to use Scapey

without pegging the processor at 100% on the Raspberry Pi? Probably, but I'm lazy and Tim found the best way to do it. So, uh PCappy Yep. Anybody else? Okay. My information's here. My email address, Twitter. You probably see my tweets from Bides. I don't use my real name on Twitter. There it is. IRC, Free Node, ISSA, LinkedIn, pretty easy to find. If anyone has any comments, questions, or qual web app talking OASP, I do a lot with, so come chat or not. Um, and without further ado, we're going to have a great keynote by Kismanthia. All right. Thanks, guys.