
Hi. I'm Steve Lord, and some of you may have seen me on Twitter. I'll apologize in advance for not looking like my Twitter avatar, but most people are grateful that I wear more clothes than my Twitter avatar. In case you don't know me, which is probably most of the people in this room, I'd like to just tell you a bit about myself. The obligatory one slide about me. So, I test pens at a small but perfectly formed pen testing company and I co-organize a small event called 44CON that a few people turn up to now and again. And I also run a little blog, which is a blog that teaches people how to pentest.

But this talk isn't about any of those things. Instead this talk is about some of the things that affect us all and will affect us all going forward. Basically I like to think about IoT as a solution in search of a problem. But one of the most important things about IoT is its ability to change lives for good with meaningful things that really matter, that can really affect people. So we have over here the smart plate, which is backed by science. How does it work? It's backed by science. Smart socks, because I don't know about you, like many priests... I'm not a priest. They wouldn't let me in. They said I was too corrupt. But like many priests, I always feel that you like the really black socks. Not the dark blue ones, but the really dark black ones. And then of course there's the Egg Minder, the smart egg tray, which is my favorite IoT device. A device so smart that the people who made it couldn't come up with a use case for it, but they still managed to sell it to another company who also couldn't come up with a use case for it.

And there's something very similar to IoT and it's in this industry, and it's a thing that I like to call the cider industrial complex, which is a lot like two guys fighting each other trying to argue the loudest over whose solution is the best. And the reality is that there are actual real threats that are facing us in cyberspace. For example, I'm defending cyberspace now. I have two cans for redundancy purposes. But there are many threats to cyberspace. Cheers. For example, there are bad things in cyberspace, which is good for me because I like bad things. But some of these bad things that we're looking at now are cider weapons that could seriously affect the quality of our cider. But what if we were to mix the cider weapons of tomorrow with the quality assurance processes of the Internet of Things, with literally no budget? What could we achieve? It's an intersection of the two I like to call the Internet of Wrongs, which are devices that are incredibly petty, but still constitute cider weapons.

Now, everything I'm going to do in this talk is crap, in some cases almost literally. But all of the things that I'm going to show you today use frameworks that are pretty easy to pick up and you could easily build your own things: hardware implants, things to change stuff. And I'm just going to go through some different technologies and talk about some things that have happened in my quest for discovering the journey into junk hacking for bad stuff, or the Internet of Wrongs.

So, I'd like to take you back to a happier time for some. A couple of years ago, I tried to move to Berlin and failed. Very clearly I'm not Apple bowmy enough. But this is Mark. Well, he's not really Mark. I've changed names to protect the innocent here. So, let's pretend this is Mark. Now, Mark lives with my friend Vinnie in Berlin. Also not his real name. I was staying at Vinnie's because I was bouncing back and forth between Berlin. And one day Mark comes back from Paris with a brand new shiny MacBook and he says, "You know, I really like this MacBook. I had a Lenovo. There's something wrong with it. You know, all I had was like a zillion different variants of Candy Crush and the thing was as slow as a dog and I'd get an hour of battery life out of it. But the MacBook, what I can do is I can leave it on charge overnight. I can wake up in the morning, go into the living room, have my breakfast, nothing plugged in, go home, sorry, go back to my bedroom, close the lid, go off to work, come back from work in the evening, open the lid, and it's got 95% of its battery left. That's why Macs are superior."

So, after Vinnie and I realized that Mark doesn't understand the concept of power management, we thought, could we educate him with a practical joke? A practical joke that would go horribly, horribly wrong. Now, I took it as an opportunity to engage what I like to call the cider krill chain. Any resemblance to anything that's been put out by anybody else is purely and totally coincidental. But the cider krill chain consists of sitting on a bench drinking cider watching the thing that you're going to go at. In this case, we didn't need to sit on a bench and we'd already drunk a load of cider, me and Vinnie, and we decided that what we were going to do was go and do something to his laptop to make the power savings fail in a way that would cause hilarity. Weaponization: so, we need to develop a cider weapon, which is hard when you're drunk. If you've ever tried cooking when you're drunk, you try writing code when you're drunk, and you try building hardware when you're drunk. Delivery, which was relatively easy because we were already in Vinnie and Mark's flat, and we already had access to Vinnie and Mark's Wi-Fi network, and we already had physical access to Mark's laptop for most of the day. But exploitation was potentially quite difficult because we didn't know Mark's password and he's the kind of fastidious person who would have chosen a good one, mainly because I went and pwned him a few weeks beforehand when he said, "I bet you can't hack into my email account." Installation, the deployment of the package onto the device. Well, that's going to be potentially shaky. And this is where we were too drunk to carry on with the cider krill chain: C2, command and control. Yeah, grossly went wrong there. This was the fatal flaw. And actions on objectives, which in layman's speak is a way of saying did we get the effect that we wanted to achieve.

So we thought about some different ways that we could do some stuff to play with Mark's laptop. We thought maybe we could hack into his laptop itself, do some extra cool, elite stuff on OS X. No one ever hacks OS X. It's got to be secure. And then we thought, maybe he might notice that. Maybe he might find something like Caffeine installed and remove it. So what if we took apart his laptop and then disconnected different bits responsible for power saving? And then we're like, well, that could cause some permanent damage. If you've ever tried opening a MacBook without the right tools, you can also make it very difficult to reassemble. And I didn't want to pay for a MacBook. So in the end, we went for Wake-on-LAN.

Now, every Mac has support for Wake-on-LAN. Not every wireless network has support for Wake-on-LAN. And the reason for this is the way that Wake-on-LAN works. It's a very simple protocol. And in Mac world, all you do is you just send a datagram, that's UDP with a destination port of nine. You send it to the broadcast IP and MAC address. There's a sync stream in the payload at the start, and then the target MAC address 16 times. Quite why it's 16 times, I don't know. It's just something to do with the spec. But realistically, if you look at Apple Remote Desktop, which is the Apple admin utility (it's not just remote desktop), this is the type of packet that it would send out. And you'll be able to see up here, you can see the sync stream. You can see the MAC address repeated. It's just a single datagram. It's really easy. It's really lame. It's really weak. So, this is going to be a great practical joke. The plan in simple terms is that we just go and send Wake-on-LAN packets to his laptop and it will just stay awake. The battery will run down. What could possibly go wrong? And you will be surprised.

Now, because I was bouncing between London and Berlin a lot, I didn't want to take a lot of stuff. So, I had with me a MacBook and I didn't feel it was appropriate to take out a MacBook with a MacBook. But I also had an Arduino and a TI CC3000 Wi-Fi shield. So, if you want to build one of these things, you need an Arduino Uno R3, which is about £8.50 off Amazon. You can buy them for cheaper from AliExpress. And you'll need a TI CC3000 shield, which is about 30 quid. But realistically, if I was to do it again, I would use a completely different set of microcontrollers, probably an ESP8266, which is a much lower cost package that has Wi-Fi built in. And this is what it looks like. I actually fished it out this morning. That's what it looks like. And the software that we use is the Arduino IDE, which you get from arduino.cc. There are multiple versions, but the .cc version is the genuine one. Plus the Adafruit CC3000 library, and you're good to go. Of course, if you were to build your own wireless device, you'd probably use an ESP8266, or wire it onto an Arduino now because it's cheaper, and you wouldn't need that CC3000 library. Instead, you need to communicate with the ESP.

So, if you've never used Arduino before... hands up everybody who's used Arduino. Quite a mix. Yeah, that's good. Cool. A fair old amount of you. Arduino uses a simplified superset of C. So, it's C all the way down. And then there are extra things to handle things like string handling and stuff that's generally considered quite hard for beginners. And there are two main functions in what's called an Arduino sketch, that is, an Arduino program. The first one is called setup, which is where you set all the bits up. You set your pins to be input or output and then how they're going to communicate with the other bits like this Wi-Fi module. And then you pass over to a loop function, which is just something that loops around continuously. So the code is relatively simple. All it is is... in fact, I may have even nicked this from a sample thing and bastardized it for my own means. I don't know. It's quite a while ago, but you just define various security settings for the network you're going to connect to. And then you tell the CC3000 to delete any saved profiles so it doesn't connect to the wrong network. And then tell it to connect to yours, get an IP address. It's all fairly simple. And then in the loop, all I did was I had a little Wi-Fi status thing that would feed me an update over serial because the connection kept dropping, a problem that was easily solved by moving the Arduino from the top of Vinnie's bed to the bottom of Vinnie's bed. And then you're pretty much good to go. The actual code itself is tiny. It's really easy to build something like this. Realistically, you could probably do this in a lunch break, but because Vinnie and I were drunk, it took us most of a day. And then the next day, actually, a load of stuff didn't work. So, by the time I'd got it finished, Mark had already gone to work. His laptop was there, but I had to go and get a flight.

The resulting packets looked like this. And Vinnie and I looked at it, and we thought, well, there's no real way to tell other than the fact that Mark's MacBook's on, but we've pushed a button on there to switch it on, so we can't tell. I've got to go to the airport. Packets look okay. I'll be back in 2 weeks. That'll be fine. It should be great. And the kind of reaction we were hoping to get from Mark was something like this. It's a great, great practical joke. Nothing could ever go wrong.

The problem with this is I'm a douchebag. So you remember that cyber krill chain bit, that C2 bit? I had no way to shut this thing off, because I thought the obvious way to shut it off would be to unplug it. After all, I'll be back in two weeks. So that first week, Mark went to the Apple store, saying that the power management on his Apple sucks. The Apple store had a look. They couldn't find the problem.
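The Wake-on-LAN magic packet the talk describes (UDP to the broadcast address, port 9, a sync stream and then the target MAC 16 times), as an added example that is not the speaker's Arduino sketch: it builds the packet, recognises one inside captured UDP payloads, and flags the failure mode the story turns on, a sender that is never switched off. All MAC and IP addresses, timestamps and thresholds are constructed.

```python
"""Wake-on-LAN magic packets: build one, recognise one in captured traffic,
and flag a sender that never stops (the Berlin device had no off switch).

Added example, not the speaker's Arduino sketch. Packet layout as the talk
describes it: a sync stream of six 0xFF bytes, then the target MAC repeated
16 times, sent as UDP to the broadcast address on port 9. Every MAC address,
IP address, timestamp and threshold below is constructed for the demo.
"""
import re
from collections import defaultdict

WOL_PORTS = {0, 7, 9}       # ports WoL senders commonly use; the talk uses 9
SYNC = b"\xff" * 6          # the sync stream at the start of the payload
MAC_REPEATS = 16            # the spec's "MAC address 16 times"
MAC_LEN = 6


def parse_mac(text):
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 2 * MAC_LEN:
        raise ValueError("MAC must contain exactly 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def format_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_magic_packet(mac):
    """Sync stream + MAC * 16 = 6 + 96 = 102 bytes, the whole UDP payload."""
    return SYNC + parse_mac(mac) * MAC_REPEATS


def extract_wol_target(payload):
    """Return the target MAC if the payload carries a magic packet, else None.

    The sync stream may sit anywhere in the payload (some senders add a
    SecureOn password or padding), so scan for it and require all 16 copies
    of the MAC to be identical before accepting the packet.
    """
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + len(SYNC): idx + len(SYNC) + MAC_LEN * MAC_REPEATS]
        if len(body) == MAC_LEN * MAC_REPEATS:
            mac = body[:MAC_LEN]
            if mac != SYNC and body == mac * MAC_REPEATS:
                return format_mac(mac)
        idx = payload.find(SYNC, idx + 1)
    return None


def find_wol_floods(packets, window_seconds=60.0, threshold=5):
    """Flag targets hit by more than `threshold` magic packets in any
    `window_seconds` window.

    packets: iterable of (timestamp_seconds, src_ip, dst_port, udp_payload).
    Returns {target_mac: {"count": total, "senders": sorted src_ips}}.
    An admin wakes a host once or twice; a magic packet every few seconds,
    around the clock, is the prank in the talk and keeps the battery draining.
    """
    seen = defaultdict(list)
    for ts, src_ip, dst_port, payload in packets:
        if dst_port not in WOL_PORTS:
            continue
        mac = extract_wol_target(payload)
        if mac is not None:
            seen[mac].append((ts, src_ip))
    flagged = {}
    for mac, hits in seen.items():
        stamps = sorted(ts for ts, _ in hits)
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[mac] = {
                    "count": len(stamps),
                    "senders": sorted({src for _, src in hits}),
                }
                break
    return flagged


# Constructed sample capture: one legitimate wake of a workstation, then the
# talk's "never switched off" pattern against another host, one magic packet
# every ten seconds for two minutes, plus an unrelated port-9 datagram.
ADMIN_MAC = "02:00:00:11:22:33"     # constructed, locally administered
MARK_MAC = "02:00:00:aa:bb:cc"      # constructed, locally administered

SAMPLE_PACKETS = [(0.0, "192.0.2.10", 9, build_magic_packet(ADMIN_MAC))]
SAMPLE_PACKETS += [
    (10.0 * i, "192.0.2.77", 9, build_magic_packet(MARK_MAC)) for i in range(12)
]
SAMPLE_PACKETS.append((15.0, "192.0.2.5", 9, b"not a magic packet"))

if __name__ == "__main__":
    pkt = build_magic_packet(MARK_MAC)
    print(len(pkt), "bytes ->", extract_wol_target(pkt))
    print(find_wol_floods(SAMPLE_PACKETS))
```

Run against a real capture, the tuples would come from the UDP layer of each packet; the flood check is what would have caught the Arduino, since nothing legitimate wakes the same MAC every ten seconds.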
So Mark went home and his MacBook was still messed up. Mission accomplished, right? Our cider weapon is successful. Then Vinnie had a family emergency and he had to go back to England for the family emergency. So two weeks later, I go back to Berlin and I stay somewhere else, and Vinnie and I forget about this device. In the interim, Mark went to the Apple store. He said, "My MacBook is kaput." The Apple store kept the MacBook overnight. It was 100% charged when he left. The next day he comes back. It's about 95% charged. It's all working. He's like, "Great. This is fantastic. I'm going to head home." So he went home, got the MacBook, came back home.

The following week, Vinnie's still in England. He goes back and he says, "My MacBook is kaput." And they said, "Well, we've actually taken a look at it twice. There's nothing wrong with it. We can't really do anything about it." And there was a back and forth, and apparently Mark was getting further and further exasperated with this. And in the end, Mark went to the Apple store and they said, "Because we've had it overnight and found nothing wrong, we can't swap it out. We can't give you a refund because it's all working. But if you were to go to the Apple store that you bought it from, then you'll be able to go and possibly convince them, because they won't know that we've kept it overnight." So Mark went to the Apple store in Paris, and he said, "Excusez-moi, excuse me, my MacBook doesn't work." And they said, "No problem. We'll keep it overnight." So, he got a hotel and they kept it overnight. Sure enough, it was fine. Mark went home.

Six months later, I went to Berlin and I stayed at Vinnie's. And I walked into the living room and Mark's there and he doesn't have a MacBook. And I said, "What happened?" And he said, "Well, you know, Steve, ever since you came last time, my MacBook's been totally on the fritz. It just doesn't work. The battery life is terrible. So, I had to sell the MacBook to some other unsuspecting chump and I bought a [ __ ] Dell."

And there are some important takeaways from this. Firstly, CC3000 shields are expensive. I think there's a moral question somewhere in there. I have trouble distinguishing it. But realistically, we should only use cider for good, not for evil. And we should always remember the cider krill chain. Cuz ultimately, if there was a way to remotely switch this off, if it was pinging a box I own, there was a chance I could have remembered and gone, "Oh shit." But I couldn't. And consequently, someone got a very, very good price on a MacBook. And poor old Mark, yeah, got a lot of suffering for it. But I learned some important moral lessons about not doing bad things from that exercise, which helped me a few months later when tragedy struck in Cape Town.

I went off to Cape Town to go and see some friends. And as I left to board the flight, everything was great. They were just chilling out in the garden. By the time I arrived, there had been some weird passive-aggressive stuff going on and nearly a full-scale fight requiring the cops to turn up. So, these are my friends Nikki and Eddie. Of course, it's not really Nikki and Eddie. It's actually stock footage. And this is their neighbors, who I'm going to call Jeff and Grags. Again, not their real names. So Nikki and Eddie and their friends were just chilling out in their garden in their apartment. And they were just chatting away. It's about 8:00 p.m. It's not particularly late. They're not chatting particularly loud. They were planning on having a braai, but they never actually got round to it. And then their neighbors, their upstairs neighbors, started saying something strange, in that strange kind of weaselly way. And rather than just saying, "Hey guys, you're a bit loud. Could you turn it down?" what they came out with was, well, Grags apparently said, "Ed's the dude. Ed's the guy. Ed's the man," in a kind of rhythmic chant, and then a few minutes later they did it again. "Ed's the dude. Ed is the guy. Ed is the man."

Now, I don't feel my life often resembles The League of Gentlemen, but in this case, it did. And I arrived the next day, and there had nearly been a full-blown fight and what have you. So, I said to Eddie, "All right, realistically, how can we mess with the neighbors? I learned an important life lesson earlier in Berlin, and I think we can operate here." And then I remembered I'd come back from a conference in New Zealand, Kiwicon, where I'd shown a thing about how to go and deauth people, particularly hipsters, from coffee shops. It's a problem that massively affects Wellington and Melbourne. There's an absolute hipster plague there. But I thought, why don't we just take the code that I did before and modify it? Rather than doing selective deauthing based on keyword, we just deauth everyone on the neighbor's Wi-Fi network. And I called it Thunderblade, although The Register called it a selfie slayer. And that's basically all there is to it.

And realistically, to build one of these, you just need a Raspberry Pi, such as an A, B, Zero or 2, or an equivalent, a micro SD card. You did require a USB hub for configuring because, you know, you need a keyboard and mouse and what have you, until recently when with the Zero you can actually just connect over serial via USB. And I use this TP-Link TL-WN722N wireless card because they're bloody good and they do decent injection, and a USB power bank.

So I'll just show you the code for this, because originally I wrote the code using Scapy. Hands up anybody who's ever used Scapy. Excellent. Hands up anyone who's ever used Scapy for something at production speed on low-powered hardware. Nope. It doesn't work. It's really, really great for analysis, but because of the layering and the splicing, there's huge amounts of objects flying around in memory and it involves huge amounts of context switching to get the stuff out of it. So, it slows down. So, I found the dpkt Python library, which was massively quick and just converts pretty much packets into Python objects and that's it. So, I would suggest that if you're looking at doing something, it's worth checking out and having a look. The one thing that didn't work with this in dpkt was actually disassociating clients. And that wasn't because dpkt is no good. That's because my Python sucks. So you can see here, for the original code for Kiwicon, we have a series of target keywords and we're filtering on UDP port 53 for DNS. So we just ripped that out. But we have a thing about doing some sniffing, seeing what's going on. We're going to parse any packets that come in, see if they match our targets, and kill. So, we just replace that parse packet section and say if our BSSID of interest is in there, then kill the packet. And then because my dpkt code was terrible, I basically just shell out to aireplay. What could go wrong, right?

But there was one small problem with this which Eddie pointed out, and I'm glad to have a moral guide in my friend Eddie. South African jails are not fun places to be. So I decided that maybe the thing was a step too far. But what wasn't a step too far was a project I like to call Poephol. Now, if anybody here speaks Afrikaans, they may know what that means, but I'd just like to talk about what goes into a Poephol. First, what you're going to need is an ESP8266. So, this is a MacBook keyboard at the top. That's a NodeMCU on a mini breadboard. At the bottom, there's a, what is it? It's an ESP-01. So this is the NodeMCU on the breadboard. It's pretty small. This is actually the ESP-01. They cost about a pound, these ones, or the ESP-12. The NodeMCU is about 5 quid. And basically it's a programmable MCU with an IP stack and Wi-Fi built in. And you just need one of those, the Arduino IDE, the extensions installed to be able to program for the ESP8266, and a big battery pack to power it off.

So now we know what goes into a Poephol, what comes out of a Poephol? Now, I know what you're thinking. And if you're thinking what I'm thinking, you're one sick puppy. But if you're not thinking what I'm thinking, then maybe you are. The answer is crap over 802.11, because the ESP8266 has a fantastic function in earlier versions of the SDK that allows us to go and send raw frames. Now, I don't know about you, but something that costs £1 and lets me send raw 802.11 frames has my interest. And the Poephol is pretty simple. We're going to algorithmically generate SSIDs saying that Jeff is one of the man, the dude, or the guy, with an ID, and we're going to broadcast them at a reasonable rate. You can't broadcast them too quickly because you'll take up the whole channel and then nothing else on that channel could transmit, but that's not what this is about. I mean, you could create something that did that very easily, but that's not what I'm demonstrating here. But effectively the reason we have the extra ID on the end is that if you just have Jeff's the man, Jeff's the dude, Jeff's the guy, it doesn't matter if you channel hop or if you change BSSID or SSID or anything like that. Some of the operating systems that you will encounter will have this appear once. So, you'll get a total of three networks. By putting an ID on the end that's randomly generated, each one of these can generate up to 256 different SSIDs that will all show up in the list, giving us a grand total of 768 reasons why you should not call Eddie the man, the dude, or the guy.

So, I'm going to show you the code, which unlike the other stuff I've actually got with me. So, let me see. Oh, I don't want to pop that there, that will spill everywhere. Let me see if I can bring this up. There we go. I'll pop this over here. So, I'll just do you a bit of a walkthrough of what the code's about. It's not very hard. Actually, most of this stuff came from elsewhere. So, see if I can embiggen that. No. Okay. So, what we've got over the top is we have a basic header that says we're looking at the ESP stuff. Then we have a random generator, usual bits and pieces. That's the structure of the wireless beacon frame for broadcast that we're going to put out. That's the setup part for it. And then down below here, we construct the packet and then we construct the insult and then we send it all out and then we wait a bit and that's all it is. It's really, really, really, very, very simple.

Now, assuming that this doesn't cause my MacBook to reset when I plug it in. Okay, there we go. And I'll just fire up... Oh, no, wait. Have we got that? No. There we are. I'll just fire up inSSIDer, which of course is an essential tool for saving cider space. Go away.
There we go. See what we can pick up. There we go. So, Jeff's the dude. Jeff's the dude. Jeff's the guy. If I go over here, it's a bit lame and it's a bit weak, but the thing that I probably wouldn't want to show you, for risk of censure over something like W was or anything, would be that all of the code here is just as easy to integrate into the ESP8266 to do deauth attacks. And if you were particularly malicious, one of the things that you'd be able to do would be to have one ESP8266 listen and then another one do the transmit. So you have one that just scans for things that are connected and then you send the deauths the other way. So I've done this because I've slowed it down. Although the original device that I built wasn't slow and it had the side effect of causing minor problems with network stability. But I'd learned from Berlin. Always have a way to switch it off.

So why is this a wicked toy? It's a bit of a lame thing. Oh [ __ ], I better unplug that. But we have the wifi_send_pkt_freedom command and we have raw injection for a pound. You can implement deauth with two devices. And we can also implement a Michael failure. So the WPA TKIP process has a countermeasure called Michael where, if it receives too many authentications, it will shut down the wireless part of the AP, which was for some reason a security feature. But it has the added side effect on some routers, or some APs, of resetting the WPS timeout lock so that you can brute force WPS.

So, some lessons learned from this device. ESP8266 is good and cheap, but not exactly what we'd call reliable. It has a tendency to leak memory. It's not particularly... well, if you find yourself coding on one, you'll find yourself coding functions to handle resets fairly often. It's a fiddly platform because it runs at 3.3 volts and has a limited input current. So you end up inevitably, if you want to hook it up to USB, having to go and do something either with voltage dividers or with a low-dropout regulator. And finally, Eddie's neighbors are [ __ ].

So the next toy I'm going to show you is a toy that's over at my house. So, has anybody here ever used SDRs? Hands up. RTL-SDRs. Quite a few people. Okay. So, basically, you can get these very cheap USB TV sticks that you can use to go and listen to radio signals way outside of the scope of the frequencies they were originally designed for. And there are a lot of tools that will allow you to use these for various purposes, some of which are more legal than others. So, one of the big problems that people who use radio equipment face is attenuation loss. Well, loss due to attenuation, basically, from having an aerial go to a cable going to a receiver. Because we can use an SDR, which is not necessarily as good as a normal radio that's tuned to a specific set of frequencies, we can actually go and cut the cable out, stick the SDR on something portable, Wi-Fi powered, connect it directly up to the antenna, or through some boost circuitry or something like that for whatever signals we're getting, and then access it over Wi-Fi. The SDRs aren't exactly perfect. They have clock drift. They have lots of problems because they're very cheaply designed and we're using them outside of the scope of the thing that they're designed for. So, what can we do?

And the answer is this, which for roughly 25 to 30 gets you an SDR that you can just plug in, connect to your wireless network, plug in somewhere, and off you go. Mine's plugged into my TV aerial at home because I don't have a TV. And basically what it's made of is anything that will work with OpenWRT. So if you have a home broadband router and it's not far from your TV aerial, for example, you can do exactly the same thing with that using OpenWRT. My personal thing of choice at the moment is the GL-iNet 6416A or the AR150, which is a clone of a device called the TP-Link WR703N, which is a very, very hackable device. The GL-iNet's more hackable. It has lots of GPIO pins on it for you to play around with, but also there's quite a few devices. This is the HooToo TripMate Mini, which uses an MT5350 chipset, and that basically lets you go and do all the same stuff, but it's low power. The wireless technology on the board is not as good as the GL-iNet's. But because we're not worried about that, we're worried about USB, it's fine.

So, we install the OpenWRT firmware on our device. There are two ways to do this. One is to build the firmware, so everything's baked in. And I'm going to go into a lot more depth about that at BSides Athens. So, if you're coming along to BSides Athens and you look for my talk, then we'll go into it in extreme detail, step by step. But you install the OpenWRT firmware. If you just want to build this while you're messing around, run a command called opkg update, opkg install rtl-sdr, set up a program called rtl_tcp to listen on a socket, and then you connect your relevant SDR analysis tools over Wi-Fi to the device.

So I'm going to do a demo which may or may not go as intended, because I'm going to do this over 4G. It's not that I don't trust the Wi-Fi here, but... yeah, I don't trust the Wi-Fi here. All right, let me see if I can get this working. Ah, hang on. I need to go to my bag. No, wait. I'm reaching into my pocket for a cable, I promise. There we go. All right.
Okay. Okay, there we go. Let me just pull this off here. Cool. Okay, so yada yada yada. Okay, so there we go. And I just pull this back over here. Oh, wait. That's not right. Nope. There we go. So, if you can see that. Okay, there we go. So, this is what the OpenWRT prompt looks like. Let me just do RTL grap dump. Yeah. Okay. rtl_tcp -a 0.0.0.0 -s. Okay. So, what I've done is I've started the rtl_tcp program and that will allow me to go and connect to it. Obviously, because I'm using 4G, it's nowhere near as good in terms of speed and in terms of latency. So, I'm going to try and see if I can pick up some radio, but I'll be picking up radio from my home in Hampshire, not here.

Okay. All right. And now I'll pop over to Gqrx. And if we pop this down to 27.5 there should be something popping up in a minute. Nope. Okay. All right. My demo sucks. But basically what you can do is, if this was my home wireless network, it would all run perfectly smoothly. And the advantage of this is that you can run your radio tools and just use something like netcat to pipe the audio into a FIFO and pull it out. And meanwhile, you've got your actual radio and you've not got the attenuation loss. Now, you might wonder why this is useful. But if you're ever doing any large-scale signals analysis, that would be why. Okay, let me just bring this over here a moment.

Now, obviously the reason that that didn't work was because it was 4G and the bandwidth that we've got isn't so great. My upstream bandwidth isn't so great either. So, I'm just going to go over onto the radio, and there we go, restart and bring up a Firefox session. And I'll show you something else that you can do. Now, another package that is standard in OpenWRT for some reason is a thing called dump1090, which is an ADS-B receiver tool, which all sounds very boring until you realize that you can actually do some interesting stuff on it. That there, -n. Ah, it's because I'm an idiot. Okay. Ah, right. Sorry, I had some stray RTL processes running.
Okay. Okay. So, that should come up now. There we go. Right. So, I'll just bring this over. Um, okay. There we go. Right. So if we zoom in on here, we can actually track aircraft flying over quite a distance all the way up from Milton Kees pretty much all the way down the south coast and around Heathrow. And although this doesn't look very clear, what this is is you have the actual flight reference, a squawk code which tells you a bit about what sort of flight it is and what it's doing, the altitude, the speed, the track, and then what happens is with this tool, it's got a very nice little web interface. If you
click on a flight, you can then go and look the flight up on a tool like Flight Aware or in this case possibly not for that flight. Let's try this one. There we go. EasyJet. That'll do. Cuz some flights Flight Aware won't have the info for because it's private. But we can see here that this is an easyJet flight going from uh somewhere to somewhere. I can't really see the screen very well but um the reason I wanted to do this at Bides Athens is because they get some really interesting flights coming in. It turns out that European bureaucrats um all use various different types of chartered jets for official troa business. And it's the sort of thing
that you could run in Greece to go and track those flights and then you could see where else those flights have gone because all the flights have to log their flight history. So you could see for example that perhaps when a distinguished member of the troer is visiting to go and ask Greece if it wouldn't mind bending over that that person or at least that plane had come from Germany but had also flown to Portugal. So, it had flown from Portugal to Germany to Greece and that if you check the news, you'll see that there was a negotiation in Portugal a few days earlier. So, I'm quite interested in correlating some of that information and just having a look and
seeing how our great European democracy works. So, that's um that's that. Now, that's kind of the boundary of what I would legally be able to show you. Not sure which side entirely. Let me take that out there. And then there we go. And why is this a wicked toy? Well, first of all, you could go and fit something like a DS1307 RTC module via GPIO, especially if you add something like a 6416A. Um, does anybody know what happens when you give uh a software-defined radio a real-time clock? Okay, you're able to start sniffing frequencies within the range that are very time-sensitive, and you can then start looking at time slots and start analyzing when those things occur
down to fractions of milliseconds, which is the sort of thing that you would need if you were going to do any work on GSM. And because GSM broadcasts very loudly, you would be able to put one of those devices in, say, a friend's flat in Berlin and have it listen to and stream data back. Of course, I chose instead to use an Arduino and basically make somebody's MacBook fail, which shows what kind of skills I've got, i.e. none. Um, so software expansions: dump1090 for ADS-B logging, which I've already shown. And then there's a thing called multimon-ng, and I've put "other" in air quotes because I'm fairly certain that if I showed a demo of that then that
would pretty much definitely be illegal. Um, it allows you to do things like POCSAG, which is pagers, which you would be surprised by if you were ever to go and actually go and look at other people's recordings of these messages, um and any AFSK 1200 signal and various other types of encoding and keying. So I'm going to say no to any other demos because of the Wireless Telegraphy Act. So you could also put a 4G dongle in for streaming over the USB port. Um, I wouldn't recommend streaming the RTL data, the raw IQ, but if you can analyze the stuff on the box itself and send useful data up, then you could hypothetically have something like a
multimon-ng node that sits in a friend's house and looks at POCSAG traffic and then relays the results over Tor to a web service on the dark web. I'm not aware of such a service existing, so it's a hypothetical thing. You could also use a micro SD card for data logging if, for example, one of these things were to turn up at an airport in Athens. So, to have a bit of a recap, these toys are cider weapons. They are crap, but they're still technically cider weapons. They can still do damage in the wrong hands. And the thing about it is none of these things are difficult. And rather than show you, hey, I did something really
cool and elite, uh, that's quite complicated, I wanted to try and encourage people to start experimenting with this type of hardware. Because just because you're no good at something doesn't mean you can't do great things. I'd say I'm living proof, but I'm not. But it's called garbage can, and not garbage cannot. So drink up your cider and build naughty toys for cider security, because the implant of tomorrow could come from you. But build an exploit responsibly. Don't make people screw up their lives with MacBooks. Now, before I go, I've just got one final thing that I'd like to show you. Um, over at 44CON over the past few years we started doing badges that have had
circuits on them and there are two complaints that we commonly get. The first one that we commonly get is these badges don't work. Can I have a refund? The second complaint we often have is that these badges are quite hard to assemble. Sometimes requiring custom cable adapters sometimes requiring uh circuits in pack sorry uh chips in packages that are really hard to actually put together. So, we started looking at this and we started bouncing some ideas around. We're hoping to have it ready for this year. If not, we'll have something else that is equally easy to put together. But I want to talk to you about what I call the minimalist electronic learner. And that is
basically seven bits of equipment, but it's seven things that, when put together, you can do all manner of stuff with. And the design of this thing is designed specifically to enable you, the user, to modify the IoT hardware that you have to make it do the things that you want it to do. So let's say, for example, that you had um a smart fan, but the smart fan requires you to use an app and sign up to a whole load of T's and C's and costs £100, but instead you went to a shop and you bought a dumb fan for 20 quid, and all you really wanted it to do is to come on when it's warm. Well,
using one of these devices and a relay, you could prototype up a circuit very easily to go and switch the fan on with a TMP36 sensor, or any number of other temperature sensors, to say when the temperature goes above this level, switch the fan on. Another example of a thing that we've actually done is build a Raspberry Pi off switch, which is using one of these to go and connect to a Raspberry Pi over the GPIO port, uh connect over serial, issue, you know, login, issue sudo shutdown -h now, and then when the serial connection goes down, flash a light so you know it's safe to unplug. So the principle behind this is modifying stuff and also enabling
cool research in hardware buses and things like that. So although it doesn't look like much on a breadboard, we'll have a PCB hopefully by 44CON. If not, then we're going to do a different circuit that we've already got. But it supports a thing called Universal Serial Interface, which is amazing. It basically means that anything that you can send down it, you can write a library for, and then go, it will emulate any type of bus or signal uh interaction communication type thing you want, and because of that it supports USB. Now we can use these devices to do USB HID attacks. We can use these devices to impersonate mice, various other things. We can even
impersonate USB 1.1 mass storage. Uh, can also use I2C and SPI, either as slaves or masters, and start messing around with chips. So if you wanted to go and build a device to pull the flash off a specific chip, then this would be a really, really interesting thing to use to do it. It's got a whopping 8 kilobytes of flash memory. So we're talking 1983's finest technology here. 512 bytes of RAM and 512 bytes of EEPROM. But in the in the embedded hardware world, it's actually quite a lot to work with um for very simple bus type projects. And there are six pins including analog digital controllers, a breakout board area, and the badge is
going to be all through-hole soldered. And I'll be doing a demo of building the badge from scratch at BSides Manchester on the 18th of August. So, in conclusion, I'd just like to thank Adafruit for the CC3000 library, Cryptorthorne for his Wi-Fi jamming code, uh the BSides crew, and um also Host Unknown and all the 44CON crew. So, thanks very much, guys. [Applause]
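The ADS-B demo in the talk reads dump1090's output and shows, per aircraft, the flight reference, squawk, altitude, speed and track. The block below is an added example written for this transcript; it is not the speaker's code and not part of dump1090. It assumes only the 22-field comma-separated SBS ("BaseStation") line format that dump1090 serves on TCP port 30003, and the sample messages embedded in it are constructed for the example, not a real capture. It merges successive partial messages into one record per ICAO hex address, which is what the web table does, and it also flags the standard emergency squawk codes, the kind of check a receiver operator would want to have wired in.

```python
"""Turn dump1090 SBS ("BaseStation", TCP port 30003) lines into a per-aircraft table.

Added example for this transcript, not the speaker's code and not dump1090's.
It relies only on the SBS field order; the sample lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 0-based positions of the SBS fields we keep (22 fields per line in total).
F_TYPE, F_HEX, F_CALLSIGN, F_ALT, F_SPEED, F_TRACK, F_LAT, F_LON, F_SQUAWK = (
    1, 4, 10, 11, 12, 13, 14, 15, 17)
SBS_FIELD_COUNT = 22

# Squawk codes with a fixed, internationally agreed meaning.
EMERGENCY_SQUAWKS = {"7500": "unlawful interference",
                     "7600": "radio failure",
                     "7700": "general emergency"}


@dataclass
class Aircraft:
    icao: str
    callsign: Optional[str] = None
    altitude: Optional[int] = None
    speed: Optional[int] = None
    track: Optional[int] = None
    lat: Optional[float] = None
    lon: Optional[float] = None
    squawk: Optional[str] = None
    msg_count: int = 0


def parse_sbs_line(line: str) -> Optional[List[str]]:
    """Split one SBS line into its 22 fields; return None for anything malformed."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != SBS_FIELD_COUNT or parts[0] != "MSG" or not parts[F_HEX].strip():
        return None
    return parts


def _num(value: str, cast):
    """Convert a numeric field; None when it is empty or not a number."""
    value = value.strip()
    if not value:
        return None
    try:
        return cast(float(value))
    except ValueError:
        return None


def update_table(table: Dict[str, Aircraft], line: str) -> bool:
    """Merge one SBS line into `table` (keyed by ICAO hex). True if the line was used."""
    parts = parse_sbs_line(line)
    if parts is None:
        return False
    icao = parts[F_HEX].strip().upper()
    ac = table.setdefault(icao, Aircraft(icao=icao))
    ac.msg_count += 1
    # Each transmission type fills a different subset of fields, so only
    # overwrite with non-empty values: a partial message must not erase state.
    if parts[F_CALLSIGN].strip():
        ac.callsign = parts[F_CALLSIGN].strip()
    for attr, idx, cast in (("altitude", F_ALT, int), ("speed", F_SPEED, int),
                            ("track", F_TRACK, int), ("lat", F_LAT, float),
                            ("lon", F_LON, float)):
        val = _num(parts[idx], cast)
        if val is not None:
            setattr(ac, attr, val)
    if parts[F_SQUAWK].strip():
        ac.squawk = parts[F_SQUAWK].strip()
    return True


def build_table(lines: Iterable[str]) -> Dict[str, Aircraft]:
    table: Dict[str, Aircraft] = {}
    for line in lines:
        update_table(table, line)
    return table


def emergency_aircraft(table: Dict[str, Aircraft]) -> Dict[str, str]:
    """ICAO hex -> meaning for every aircraft currently squawking an emergency code."""
    return {icao: EMERGENCY_SQUAWKS[ac.squawk]
            for icao, ac in table.items() if ac.squawk in EMERGENCY_SQUAWKS}


def summarize(table: Dict[str, Aircraft]) -> List[str]:
    """One line per aircraft with the columns the dump1090 web table shows."""
    def fmt(v):
        return "-" if v is None else str(v)
    return [f"{ac.icao:6} {fmt(ac.callsign):8} alt={fmt(ac.altitude):>6} "
            f"spd={fmt(ac.speed):>4} trk={fmt(ac.track):>3} sqk={fmt(ac.squawk)}"
            for ac in sorted(table.values(), key=lambda a: a.icao)]


# Constructed sample input (not a real capture): aircraft 400ABC seen in an
# identification (type 1), velocity (type 4) and position (type 3) message,
# aircraft 3C4B1D squawking 7700 in a surveillance (type 6) message, plus junk.
SAMPLE_LINES = [
    "MSG,1,1,1,400ABC,1,2015/06/27,12:00:00.000,2015/06/27,12:00:00.000,EZY123  ,,,,,,,,,,,",
    "MSG,4,1,1,400ABC,1,2015/06/27,12:00:01.000,2015/06/27,12:00:01.000,,,245,187,,,-64,,,,,",
    "MSG,3,1,1,400ABC,1,2015/06/27,12:00:02.000,2015/06/27,12:00:02.000,,37000,,,51.47000,-0.45000,,,0,0,0,0",
    "MSG,6,1,1,3C4B1D,1,2015/06/27,12:00:03.000,2015/06/27,12:00:03.000,,8000,,,,,,7700,1,1,0,0",
    "MSG,1,1,1,3C4B1D,1,2015/06/27,12:00:04.000,2015/06/27,12:00:04.000,DLH4XY  ,,,,,,,,,,,",
    "garbage,not,an,sbs,line",
]

if __name__ == "__main__":
    tbl = build_table(SAMPLE_LINES)
    for row in summarize(tbl):
        print(row)
    for hex_id, why in emergency_aircraft(tbl).items():
        print(f"ALERT {hex_id}: {why}")
```

To use it against a live receiver, feed `update_table` the lines read from a socket connected to dump1090's port 30003 instead of `SAMPLE_LINES`; the merge-only-non-empty rule is what keeps a record intact when, say, a velocity message arrives with no callsign field.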