DefCon 22; Municipal Mesh, Social Engineering, Hackers, and Airplane Security Systems, Hak5 1701

this episode of Hak5 is brought to you by hello welcome to Hak5 my name is Darren Kitchen and I'm Shannon Morse you didn't change your shirt last week did you no okay it's dirty and it smells bad that's how you steward since last week either quiet I just we got perhaps back from DEF CON a week and a half ago mm-hmm in recording time and I just haven't had time to do my laundry yet obviously clothesline yes some fun hijinks from DEF CON that you probably aren't aware of if you didn't go is that they like to make the hotel keys actually like DEF CON themed and one of them was fantastic in it it was a reminder to bathe there was also another one that was for sleep it said like four plus hours nobody here got four hours of sleep I wish we've got four seriously before Sebastian in my talk like we were up until 5:30 working on crazy it was awesome if we have a totally burned out version of that actually we go to the WiFi Pineapple forums you'll find the embedded YouTube thing for the launch their first night that we were there it was the night that you guys were studying until 5 a.m. I actually got sleep I went to bed at like 11 o'clock and then I woke up for the vendor area like 8 a.m. 
it was amazing 9 hours asleep that never happens at Def Con I feel like I'm getting really old or something you are you're you can tell just by looking at your face it's it's part of the this is a service we provide here like five we've got a fantastic show coming up and before I get my ass kicked we're gonna just take a break and when we get back we got Brent with PAD with social engineering we got Jason or some stuff and then there's airplanes that can't be packed with filth whoa hey Ron I know where you live what yeah I don't make it on this side this is horrible how can you do the show like this alright we'll be right back I'm here with Dustin Hoffman from exigent systems and here's some pretty interesting information about mesh networks public mesh networks the ones that are watching you on the roads it's so it's kind of creepy to me because I'm all about like let's not do any Big Brother best thing I don't like being survey all the time either yeah it's not cool but I understand that when you're in public it can happen especially if a city is trying to keep itself safe right potentially I mean I think we've already given up our right to be what privacy in public okay I'm pretty sure someone's already decided that I'm not a lawyer so your talk that you gave what was it yesterday it's Friday Friday so that was all about some vulnerabilities that you were able to find in the loose mesh networks so tell me a little bit about the city that you are in and how you figured this out sure so the city we operate out of is a small municipality it's about 70,000 people so it's not a big city by any means since the mid-2000s like a lot of other cities they faced a shrinking budget right for police and on municipal services I've seen that happen sure right so they've been deploying many many committee meat cameras all over the city all over the city it makes sense because they won't have to suppose it it could make sense with a shrinking police force so beyond that in 
certain places we noticed a camera pods and directional antennas going up and then in certain other places you would actually see on you know your iPhone or your Android device you'd see hey open open wireless network available like than just coffee shop more than coffee shop Starbucks a lot and you would see things like police department your city's police department open and unsecured unencrypted and broadcasting seriously seriously so being a curious sort that we were and looking around and you can see the equipment from the ground so we took some pictures and we went on eBay and bought some similar equipment set up a lab for ourselves I mean it's common off-the-shelf parts actually really really great technology great great I really like the equipment they chose I've been a eBay and equipment they chose so in in in setting it up in the default manner we encountered a bunch of a bunch of vulnerabilities some of which are that could be concerning ought to be concerning I think especially as taxpayers people we came for this and you know I don't blame the city I don't blame the the technology itself I think was just a failure my human failure like a lot of IT projects that go awry right do they not IT's hard yeah I think of Obamacare where a government contract was awarded a product was delivered was it a great product I probably laugh or the website I would think a lot of people would say no we didn't get a great part we didn't get a great product so some of the things we discovered were I mean obviously like all wireless networks it's vulnerable to jamming and everything perhaps the two most concerning were that you could easily become a malicious node on the network and masquerade as as a trusted node all the nodes trust each other so you could join in and through various messages sent you could have all all the all the mesh's traffic routed through your malicious node presumably you could eavesdrop on all the traffic that's scary that's gonna scary I mean 
that's kind of where the name of the talk came from What the Watchers See yeah conceivably you could see what all the other cameras could see which were not probably intended for public consumption probably not and worse you could craft specific packet streams that you could actually inject your own video into the videos so like I'm sitting there watching the safe out of police place I always think Ocean's Eleven yeah right no I'm looking at the vault and everything nobody is it no one's in there and in the meantime some of these stealing and there's someone in there right yeah that's very scary so gonna be able to fix this well the thing is is all the equipment selected offers really great its I really like it after buying it and playing with it off eBay I would use it for our own projects yeah well they could they could encrypt it that would be a nice strong encryption with the exits right the products actually support each node but actually through PKI would actually authenticate themselves you could actually go this is a this is a node I should trust versus this is a node that I can't authenticate yeah there's probably some people here who could do it did you run into any problems with the city when you were doing all these different tests did they come to you and be like oh you can't talk about this no no no being aware and how sensitive things like this are you know we talked about it and really we limited ourselves strictly to to what we'd what we could do in the lab you know it's just like you see the guys here doing work on cell phones buzzing other GSM things yeah strictly doing it in a lab environment you don't want to disrupt public services you don't want to do that so I want to get a little bit of an opinion piece from you okay I'm saying you know we have some hackers down Francisco where I live and they find similar issues in their City how can they go to this and explain this without getting in trouble well that was that that's a thing right we looked 
around for like a hey if you find a security flaw within our products like Google or other other tech companies have there's a there's a published means for contacting them who didn't see anything like that honestly I think a safe bet for anyone in the community is to probably talk to the EFF or the experts operating in this area excellent well thank you so much is there anything else that you want to mention to our audience about these issues with open mesh networks you know I would say it's probably a failure of the government contracting process it's just it's just a blindside there in the end all security problems are really people problems they're not gonna be solved for more technology they're gonna be solved maybe through the community yeah being able to participate in our do a post install QA maybe we could look to we could have an uninterested party examine things after install our cities ought to get reasonably secure products from the vendors I absolutely agree thank you so much for chatting with us is there a place online where people can find more information about what you do know we don't really tweet or anything you know we have other day jobs exigent comm awesome thank you so much thanks enjoy the rest of you definitely she ate it Brett welcome to the hacker abduction van at DEF CON Thank You Def Con VIN man that's been pretty good you know busy as usual yeah I had a packed talk at the social engineering village yeah it was great we actually when I heard how to still had a line outside maximum capacity at people sitting in the floor right in front of us sitting in the aisles everything so it was it was great so what's the name of the talk it was corporate espionage gathering actionable intelligence via covert operations that just sounds all sorts of like yeah spying yeah totally he's got a very ominous military vibe to it yeah what kind of what kind well does social engineering have in a modern pen test oh it's it's I think well because I am a 
social engineer it's a huge part if you have a target you know they're they're pretty secure obviously their network is secure people are usually obviously the weakest link in the system so if you're able to sort of manipulate them enough to get into to get Hardware access without them knowing that's sort of what the point of the talk was about yeah would you believe me we've always said that as soon as you have physical access all bets are off yeah absolutely all you need is just a few minutes to you know to plug into USB or you know it run any sort of payload or just all sorts of things that you can do within a matter of minutes with physical access so what are some of your techniques for gaining physical access you know well besides social engineering you know obviously you want to do your open source intelligence gathering before so you can understand the target you want to be familiar enough based on what industry they're in you want to know that industry so you can you know have shop talk with whoever you might encounter throughout the buzzword yeah that way you want to be convincing that you want people to trust you you got to be able to build trust and once you've got a convincing story you know most people want to help you out by nature so once you sort of exploit them that way what do you mean by that most people want to help you out by nature well what I found out in my experience and then too through other research from others people naturally you know are good hearted so like say for example you're trying to get into a door that you clearly don't have access to but you have a fake badge you go to the door with a box that's heavy just you know the box is really full just you're stressed out you're trying to get into a room go to the door it's shut you were trying to piggyback it didn't work just set that up and so the door shuts in front of you you're trying to get it with a leg someone's gonna see you hey that guy is struggling he's got a heavy box you 
need some help I'm gonna help him out regardless of the security awareness training that's been given you have that intuition of hey someone's in trouble I'm gonna do something about this interesting because in that scenario then that person who may not be an InfoSec person may not be you know on the IT department never have any idea of you know kind of the dangers of this doesn't may not want to then become like the police absolutely the company and there's even cases to where let's say someone is you know they actually do remember their security awareness training and whatever role you're doing you do set off an intuition alarm and they ask well who are you let me see your badge and they actually get suspicious there are several ways to counteract that where you can still maintain your guys for you know your engagement without giving up the operation if you call it that and a simple way of doing that is hey I'm in a hurry I don't know who you are but I have a meeting with so-and-so I've got to get there right now you've got to let me just make it very uncomfortable you just you know you you bring that comfort level where it's just something someone doesn't want to be around and they're gonna say oh it's their problem now and now it's their problem and hey this is weird I don't know this guy I'm uncomfortable I'm gonna help him out just so the problem can be over and that's and that's a pretty common thing so so what are some of the other techniques that you found to be successful well some of the things that we use you know we we talked about the Wi-Fi pineapple quite a bit that's great for a drop device in a Dropbox also for gathering information at if you're not inside of the target you know just being around the target using that even as an external drop to gather those you know Wi-Fi or the luggage place across the street from the joint exactly if you're able to get roof access dropped on the roof just there's so many things you can do and then as I mentioned 
earlier as long as you have just a minute for physical access you know run a payload with the rubber ducky so getting physical access what is it what has been successful for you most of the time it's just trying to be charming you know getting your story straight and being convincing we've had people actually vouch for us that worked in the company just because we built a rapport with them hey I'm new I'm supposed to meet so-and-so today and they say well his office is in the other building but you probably need to get into this room first for the rest of your paperwork that room happened this is actual some of something that happened and we actually mentioned this in our talk the room was part of the server room they actually had armed guards and everything in the facility and a co-worker was able to get them to vouch the lady to vouch back to the guard hey he's new he probably doesn't have access yet can you try it he scans this fake badge of course it doesn't work here let me it wouldn't let you in the armed guard then export you know escorts him into the thing the the guy that was aware of the test going on his office was in there so the co-worker was actually able to walk up to his desk and lay his business card essentially saying you know hey we got you so and that's all just from the trust building a rapport and just knowing people targets yeah it's not solutely security it's nothing door alarms it's not the security cameras no yeah you could you know a lot of people who have ways of bypassing those things and that's sort of a last resort but there are so many ways that you don't even have to actually touch the the technical side of things because of you know people will do it for you basically so yeah cool drop them Oh days on people yeah exactly all the time can people follow you on twitter at brent w design is the twitter handle awesome pitch down go and check out yeah I really appreciate it right yeah and also wanna mention I on the co-worker Tim Roberts 
who gave the talk with me you can find him it's zanshin hats and h4x is how you spell hacks so of course make sure to follow him great great guy I'd only appreciate what you're doing thank you good deal thanks Aaron it doesn't matter if you're a fan of free candy or free mustaches when you've got a great idea you need to get your website online very quickly and you know where you can do that at because they have this awesome domain name registry domain discovery system checkout process it makes it super easy so your website boom up and running before you even thought about it like it's probably up and running right now you just gotta go and pay for it and then you go future in time and then they have already been there to know where because they're affordable and reliable and easy to use and as I've told you guys before they're super fun to tweet at and ask them about their special time machine of great domain goodness and it really just makes it a fun place to do business and the guys over at there are huge fans of hack 5 and so they want to hook you up whether it's in the past or now or in the future so use the coupon code hak5 at checkout and that'll get you an extra 15% off so when you think domain names think of them last week's trivia question was Apple's firewire cable design was influenced by what and the answer is surprise surprise the Gameboy link cables that's so weird now this trivia question is for this week what object takes the longest orbital path around the Sun in our solar system you can answer that question over at haq5 org slash trivia for your chance to win some awesome PAC 5 goodies there's a lot of information out there about hackers but what is right and what is wrong and how people feel about hackers well everyone feels a little bit different and it kind of depends on needs or – so I'm talking to Jason E Street from stratagem 1 solutions Jason thank you so much for joining me you're giving a talk on Sunday about right it's a really weird 
talk this is one of the weirdest ones I've ever done I started off about to the 2012 it's like I was actually the next time with dark tangent except you know it was far more like how the hacking cultures are different around the worlds like how it like in Kuala Lumpur they've got a really good makerspace and then like in Germany they're very big on privacy ride and cryptography Brazilians are like Carter's and bankers activities and like America's got a whole conglomeration available to everything and so it just shows that there's different variations and it's and I was thinking that would be a great talk to explain to people hey this is what it's like somewhere else and so that was what my talk was supposed to be about and that's what I wanted it to be about I really did and then I started doing the research and then I started sending out questionnaires to hackers all over the world tell me about your culture don't just get it from my perception do it from your perception what you perceive it to be because because in the whole thing it's basically I talk about perception and so they started sending these in and I started reading them and I was like there was one underlying theme and it was that hackers or criminals we're not I know and that's it you know it I mean I'm serving a villa it enraged me it's like a nice still getting that thing about it cuz it's like we are not criminals we come from Tesla from the Vinci from Turing we are creators we are artists we are inventors we are the ones that go and say we're told that it's supposed to go from here to here to here what after we do this wide if we look at it and look at the world differently that's what we are and it's like and to see something that I love it's something that I'm a part of just be maligned like that I was just so upsetting so I started changing the talk I started doing the research and on this and why this is like this and it just and yes and that's what I went into my talk the McDonald's lady 
the hot coffee lady she's limits four to twenty nine million dollars yes they said that she was driving and she spilled her coffee and their Jay Leno make jokes about her there was comic strips meetings whenever she's a sweet blue old lady who burned 15% of her body third-degree burns required skin grafts to fix it McDonald's was serving the coffee at a hundred and eighty to one hundred and ninety degrees so it would stay warm during the transit there's also and I got a picture my slide of all these people highlighted in pink over fifty of them that were admitted to the emergency room for the same thing for scalding because of the coffee and I tell people it's like it's like I have seen the McDonald's coffee lady and she is us it's like because I was a hypocrite I made fun of her I thought that was hilarious because I didn't bother to find out what the truth was and and that media is telling people hackers or criminals hackers the ones that are getting in and stealing your credit cards and taking down your planes and doing cyber pearl harbors going through your tubes if we don't stop and change that voice it's not the the populace is fault if that's what they believe because that's what they're being told it's it's like mind washing exactly it's like it's propaganda anything so in that we've got people Dave Kennedy Evan fort booth evan booth tree fort 1c Dan Kaminsky Brian Krebs as a reporter and stuff you know it's like your show it's like we're getting that message out there it's getting better and that's the part that I talk about I talk about what we've done wrong what's gone wrong in the media and then I talk about what there's always I never end on just the negative is there's always got to be something positive well how can we make it better how can we make people think that hackers are the good guys we're trying to help you we're not trying to scare you by talking it's like by going to the InfraGard meetings that it's the meetings the local meetings and not 
just talking within our community because that's just the echo chamber when heartbleed came out when there's a thing about open SSL when people are talking about android hacking go and contact your local press go and tell your local TV station hey I'm familiar with this topic I'm willing to talk to you everybody thinks is like well I can't talk to the press I'm not Dan Kaminsky I'm not dead candy it doesn't matter they're looking for factual information don't go in there if you don't know what you're talking about stuff you know but go in there if it's something that you're familiar with if you were able to say hey I can talk on that then do it stop just looking and screaming at the TV angry and stuff you know like they got that wrong that's so stupid change it call them up and say I know what this is let me inform you and tell you what it is and let them know that you're a hacker trying to do it is there any other way that people can help out Icom I think basically just getting together and starting to spread the voice Josh Corman has got something called I am the Calvary where he's trying to get more people involved in it exactly and I think the way I look at it is they don't mean just chrome have been like little antique because like I'm not waiting for the Calvary it's like I think everybody should be that roaming night and stuff you know the Danka who do that tips of the windows cuz I'm gonna still be that dong Cody I think it can get better I believe this community I believe and I have seen the awesomeness that is our community and I'm going to keep fighting that and I'm gonna keep showing that and I'm gonna keep taking that out there thank you thank you so much it's so good to see somebody else out there who is as passionate about this as I am there's so many that are in there yeah and being part of a hacker is having that passion is that you have to have that passion to keep battling your head saying this isn't working okay nine hundred times this isn't 
working and like Thomas Edison said oh you know you was a jerk it's like he actually said it's like he tried thousands of ways to make the filament work for the light bulb until he got it right so so I mean that's what happens he said I don't start at Tesla Edison Gordon here but but exactly but but yeah it's like that's what happens is that you've got to have that passion to keep knocking at something until it works alright thank you so much no problem where can we find information about you and you can go to Dyson it's in the hack comm it's a actually online community for people that are getting interested in information security if you don't have a place to write your blog if you don't have a place to actually get involved it's like it's a community that doesn't allow flames it's just for people to provide information and get out there also oh that's all I'm on it's like it's like I like tweet my life so at jys o NS TR ET on Twitter and I try to respond to every single person that replies to me stuff you know and it's just get out there and it's not just about me so just get out there and be part of the community and stuff you'll go to these kind of conferences go to these situations it's an awesome blast but I'm a speaker here right so it's like I'm supposed to be speaking to the audience I'm learning from the audience it's up you know I am meeting people in the hallway and talking and learning something new and that's what it is it's not about just giving to accept another it's getting something back from it and you I get so much from this community and stuff you know and I don't give enough back from what I've been receiving I think you give a lot back and thank you so much for being on that fight today thanks for having me oh my god awkward handshake there we go I got the super super exciting chance to talk to you dr. 
Phil Polstra Bloomsburg University you got some fun airplane stuff going on huh so I'm a little scared because I think that I might die on my way home to San Francisco am I gonna die well it's pretty short flight probably okay but whole hour and a half the short answer is no but I'm flying with like all my hacker friends and are they gonna be able to like you know hack the plane and through the Gogo in-flight sand and just take it down and turn off all the lights and make all the oxygen masks come out again the short answer would be no and the slightly longer answer is that if you look at how that in-flight system is connected or not connected to ever the other interesting things in the plane it's really not possible to go from that in-flight network over to the avionics network even if it were possible you still have some challenges because anything that came in like let's say a new flight plan or something like that has to be validated by the pilots and entered into the flight computers and executed by the pilots interesting ok so let's go down this path of all the systems that are in an airplane and why this is not going to work for me when can I take sample plane all right well you can't take down a plane using the in-flight Wi-Fi because of what we just said yeah because it's not really connected plus there are tests and some other things that people have talked about in the past we've talked about ADS-B yeah ADS-B hacking various raki is something you can really do you can send out bogus ADS-B messages it's unsecured that's you know a totally legit thing to do you can buy boards probably here at Def Con yep and things like that and the only issue is that you send those messages out and those messages are not directly used by any aircraft really so are they just sent to the traffic control they're sent to air traffic control now air traffic control has a service called TIS-B traffic information service B that small aircraft use where 
they will get information on traffic in their area but that information comes from ATC now ATC if they receive a bogus transmission that doesn't have a corresponding radar blip will likely just ignore that okay so they're gonna recognize it as being fake yes okay so it's not gonna appear on your screen and when it comes to the big guys they have what's called a TCAS system a traffic collision avoidance system and it doesn't use that system at all it actually uses the old-school transponders and so what it does is those systems will send out active interrogations of other transponders in the area and then based on where those signals come back from they have an antenna array so they can see distance directions set etc they will have a display that shows other airplanes so those fake messages will just go completely by you they just pass through nobody's even gonna pay attention to him so basically the entire time that a pilot is working with air traffic control and everything they have humans behind everything verifying that what the technology is telling them is actually in legit that's correct okay so what about what other technology is in an airplane that I can't hack into there's been a lot of talk about SATCOM satellite communications recently a couple days ago there is a talk here in Las Vegas about hacking vulnerable comm systems it's scary it's a little scary and it's certainly true that you could send out bogus information again you could send things like a bogus flight plan you can get hey why don't you you know we had a nice little video in our talking we did here at Def Con where there was a message that comes out says emergency reroute to Cuba and so any of those kinds of messages reroutes etc are going to get validated by the pilots and how do they validate it they will call their airline ok call them on his radio and they will validate anything especially suspicious yeah and then once that's been validated they have to input that information 
into the flight computer and depending on the airplane sometimes manually sometimes they can automatically move it but in all cases they have to authorize it and execute it so there are a lot of checks and balances there so you can't just send a bogus flight plan and have a plane just why of course so why do you feel like people have been so paranoid about this recently you know I think every time there's a major tragedy like the Malaysian flight 370 and of course more recent shooting down the plane which it's not just hacking but is horrible you know in general you know aviation accidents are rare so when they do happen you know there's a lot of attention there's a lot of people get scared but you know if you look at the safety of flying because flying is just so safe you're getting bitten by a shark you know I don't know about you but a lot of times people are like oh you're flying somewhere call me come with you get there but if I drove there I'd be much more likely to die yeah that's very very truth well thank you so much what is there is there anything else of importance in your talk that you would like to mention to our audience as far as airplanes and your security I would say that there's no need to be afraid you know there's a lot of fear-mongering out there and a lot of people going oh well be afraid be afraid and I would say today I don't think there's reason to be afraid I do think that we need to be mindful as we go toward more and more automation going forward and certainly we need to consider these kinds of issues you know some people have said we should have a switch in the cockpit that you can say okay hijackers I can't control this plane anymore it's remotely controlled which in my mind would be the worst possible thing yeah this is a day you cannot remotely hack into a plane and that's exactly what that would allow no no who are making these plans hopefully no one may call you dr. 
Phil you may call me doctor where can people find you online doctor soon they can find me on Twitter at people sprout just pee pee oh well Stra they can also find me at Phil Paul's that's probably the best place and here you have a book coming out I do have a book coming out should be out really soon it's all about building your own hacking hardware on the cheap it's called packing and penetration testing with low-power devices should be out here very soon and syngress congratulations thank you so much again to you for speaking with me about airplanes and how we can stop worrying about everything involving those I hope you enjoyed the race to go deaf on YouTube that just about wraps up this week's episode of hack 5 before we get going I am excited to make a little tiny announcement what and that is if you are in Vienna in November Sebastien Robin wood and myself will be doing an awesome workshop at deep SEC you can find the info at deep SEC net and that is it's in Austria oh my gosh Austria yeah we're doing it today plentiful course it'll be awesome I know right so I'm gonna have to bone up on my Austrian there's a joke there somewhere so I don't we continue on with feedback at hack 5 dot org is a fantastic place to email you can let us know all sorts of things that you would and would not like to see on the show and also make sure to check out a check a shop comm that's where you can find all of the things and buy all the things to help support us directly which is fantastic because you guys are our viewer shareholders that make the show happen with your no bears pairs and the dolls as well as hak5 dot org such follow it's a fantastic place where you can find the links to follow us on all of the social media places and you know what while you're at hack 5 dorg go ahead and head over to slash Brunton you'll get all the details on their upcoming Bay Area that's the San Francisco Bay Area hacker brunch where I believe the next time we're getting together at a missile 
silo I should be really fun we're gonna blow up mm-hmm so with all of that I'm Darren Kitchen I'm Shannon Morse trust your technolust

  1. Have mailed, called and even talked face to face with 3 different TV news reporters about the hacker name being used wrongly.
    Still it continues.

  2. I am surprised that no one has talked about ACARS (Aircraft Communications Addressing and Reporting System)?

  3. How can I see the "Corporate Espionage – Gathering Actionable Intelligence Via Covert Operations" DefCon talk?

    Tried looking around but nothing.

  4. "People are inherently good hearted and will try to help you". It's a shame that because of bullshit arguments we have to teach those good people to ignore this nature so that everyone can protect their filthy money…

  5. The problem with the open mesh network from the first segment is likely because the contract was given based on some favor rather than any measure of competence.

  6. I wonder how the NSA (and Homeland) feel about hackers and airplane security being so close together in a title… #redflags
