Sunday, February 12, 2017
DEF CON 22 - Dr. Philip Polstra - Am I Being Spied On?
##########################################
>> I know many of you came here expecting to see the Dr. Phil from the Oprah Show. Talking about relationships, drug addiction, and eating too much. But, in fact, this guy's much better.
>> Alright, thanks for that intro, well, it's probably one of the better ones I've gotten. But ah, someone said to me once, you're not THE Dr. Phil. It's like, no, he's like the other guy. But anyway... So, today, just want to talk a bit about some cheap to free ways of detecting surveillance. So maybe you are a little paranoid and thinking, I wonder if someone is spying on me? We're going to talk about some simple ways you can find out if that's true or not. In particular we are going to talk a little about video surveillance and also we are going to talk about tailing, someone following you in your vehicle. Also, some eavesdropping, also some other physical surveillance. Also, some other surveillance that could be embedded into your technical devices and how you might find those.
Little bit about why should you care about this stuff? Our government's assault on our constitution is pretty much known. I don't know if you can read this cartoon very well, but it's like hey, I wonder what people think about us violating their rights.... Why don't we check their emails and see. [Audience Laughter]. And it's not just the national governments, it's the national governments, competitors, it's stalkers. Like this little lady in the corner here, she looks like a stalker. Some of you might remember her from some of her YouTube videos. And sometimes there are people that just don't like you. So they are following you, waiting for you to do something.
Okay, so first I want to talk about video surveillance. Now, when it comes to video surveillance, there are different kinds of surveillance today. Virtually everyone walks around with a video camera all the time. Most people have them in their smart phones. Even if you have a dumb phone, it probably has a video camera in it. So, I want to talk about some of these phones, such as IP cameras. You've probably seen things like this. Foscams are pretty popular, you just go to Best Buy or some similar store, buy a couple and plug them in. Maybe hide them, you get similar technology, a nanny cam and such. Now, if you have a night vision camera, there's a simple way to detect this night vision because there's a flaw that all these cameras share, and this kind of demonstrates this flaw. Which you are looking at, I have a digital camera and I'm directing it at a remote control. So you may know some of this already. But digital cameras of all forms, pick up infrared light. So, if I go back here to this slide, you see all those LEDs around these cameras. Those are infrared LEDs that are used to illuminate the subject of your camera during darkness.
So, if you have an infrared remote, for your TV, whatever and you're not sure if it's working or if your battery is working, batteries dead, you can just pull out your camera and point it at the remote, push some buttons and you should see lights flashing. The same thing can be done to detect a night vision camera that might be spying on you. So, here's what I've done, I've hidden a camera, can anyone see the camera? Yeah, so I hid a camera behind flowers in my workshop, and what you want to do, some of these cameras are motion activated, and so it's dark. Turn off the light, and so nobody's really going to see – unless they have a video camera and have been taping it the whole time. They've probably seen you do something more embarrassing than (speaker waving his arms) than this anyway. So, just grab your video camera, (someone got a picture of that), move around, wave your arms. And if you have a video camera that is presently a video camera, you will probably get something as showing up on this screen. Alright, it'll be very obvious, these lights showing up on the screen. Alright, there are some other ways to detect infrared, such as these little cards that you can get. They probably don't work as well as just using your video camera on your phone. But you could do it this way. But, in general, if you have some of these wireless cameras, they are nice, easy to set up things, which makes them easy to detect.
Okay, so I want to talk a little about detecting wireless cameras. And first off, the free way. If you have a wireless camera, these are set up different ways. Sometimes they are set up to existing wireless networks, sometimes themselves as an access point, sometimes ad hoc. In particular, if they are set up as an access point or ad hoc network a pretty easy way to find them is just to use your Android tablet or smartphone and download a couple of free apps. This one is just called WiFi Analyzer.
You download this app and you can look and see, oh, I see some suspicious networks. And you will say, hey what's this spying on Phil network? Sometimes it will be anonymous, unnamed network or an ad hoc network. But if there's another network that's pretty strong, that's another clue. You have a pretty strong network in your house, and you're not expecting to have that and it's not your home network, it's suspicious. By the way, thinking about being suspicious, I just bought a new laptop recently, and I was running Windows 8.1 and I was noticing, hey, don't hate me it came with it. I don't normally run Windows and I'm not running now. So, I thought it was running kind of slow, and I look at the task manager, and there's this video camera app, consuming 100% of my disk IO? And I'm not running my video camera app? Little suspicious.
Okay, some other ways you might detect video cameras etc., you can use something inexpensive, something you know. I like the BeagleBones, done a lot of work with the BeagleBones. Developed my own Linux, The Deck on the BeagleBones. So, in this picture I have a couple systems. Up in the upper left, it's my picture of my famous Buzz Lightyear Hack you to infinity and beyond lunchbox computer. And down in the lower left corner, it is the same thing, a BeagleBone running The Deck with a 7 inch touchscreen. By the way, that touchscreen is from a company called 4D Systems and they just started making some stuff for the Beagles. Seems to have some good stuff and it's a little cheaper than some of the other stuff out there, just a little tip. And then on the right, I have a couple BeagleBone systems with touchscreens and a wireless antenna, simple wifi, Alfa adapter you've probably seen before, little keyboard. And in the lower right hand corner, I didn't do it, because it would make the picture less clear but you can do it, take all that stuff and tape it onto the wireless antenna and have a nice little bug detector. Kind of on the go. So, if you're feeling lazy, you can take that set up and you can run your standard Airodump and the Airodump at the bottom will show you the clients and also shows you the power. So you notice the top one shows powers was minus 28 and now it's gone to 30. Smaller negative numbers are better when it comes to power. You can use that and you can pan around your office, your house, wherever you are and look for wireless signals.
Alright, now with just a little bit more work, you can make this better. And everything's better with Python, right. So, just a little Python script that I wrote, yeah, I realize you probably aren't going to be able to read that and or copy it during this but the slides will be available later, so, feel free to get it later. But, I just wrote a simple Python script and what it was is Scapy, some of you are probably familiar with that. And it uses the radiotap headers which include the power or the signal strength.
So what I do is capture for about 2 seconds and I record the different devices that I have found and which were their strongest signals I displayed on the screen, wait a second, blank the screen, repeat. And basically if you do that and you run it, you get something kind of like this. You will see the strongest signals at the top and now it's a minus 5 so that's a good strong signal so that means I just went past something emitting a bunch of wireless traffic. In a little bit here you will see I swept back and pinpointed exactly where that device is. You don't see it in the screen capture but what I essentially did was, I had my Foscam and my big old yagi antenna and I just swept the room and got that minus 5, kept going – came back and was able to say, that's where the bug is. That's where that video camera is. That's pretty cheap. The BeagleBones, $45, maybe a little less if you get a deal.
If you want to spend a little bit more money. This talk is about how you can do this free or for very little money. Obviously, if you like to spend money, you can go buy the commercial detectors. If you've got thousands of dollars to spend, go for it. Ah, but another fairly cheap way you can detect these sorts of things is to use this little board from Linear Technology, RF meter chip, called LTC5582 and you can use this to detect a signal. Any kind of RF signal. And if you're only interested in frequencies, like say wireless frequencies or some other frequencies that you suspect some bugs might be working on. When we're talking about video cameras, we are talking mostly wireless ones. So probably the standard 2.4 GHz frequency would be fine. You can detect them with a very simple circuit. Alright, they make the raw chips, but they also make this little demonstration circuit. This board is about $100 so, it's not free but not terribly expensive. To the right is an example of a band pass filter, basically you just screw it onto the adapter.
It will go between this board and your antenna. And your circuit's going to look kind of like this. Oh, I forgot to warn you guys, there's a guy that's going to have a really good talk after me... so if my talk starts to suck, if you hang around you will get a good seat for the next guy. He won't suck so much – just letting you know. Little FYI there. So, it's a pretty simple circuit, you know you hook this up to your directional antenna you hook up some power to the 2 top leads. You get an output voltage and you also have to hook up the ground. You know, you can just hook up a meter to it. You can use a meter, you can use a BeagleBone, use whatever you want. Basically, you just need to measure the voltage coming off of that and that's another way to go.
Let's talk a little bit about physical surveillance. All right. Is somebody following you in your car or tailing you? We're going to talk a little bit about common vehicles that are used in tailing, some standard techniques and we'll talk a little bit about stake outs. Often those are also done from vehicles and what are some standard techniques you might find and then we'll kind of move on from there and talk about what could you possibly do in order to actively thwart attempts.
Alright, so tailing. If you have a non-government adversary they'll tend to use vehicles that are going to blend in. A Honda sedan, Toyota sedan. Things like that.
You will probably not use a red Ferrari. If you're in Texas the most common vehicle might be an F150 pick up truck. If you're smart and are going to follow somebody you will pick a vehicle that kind of blends in. Not something that's super bright, really flashy, you know. Something that everyone you drive by and they're like I always wanted one of those. Nothing like that. So a nice bland colored vehicles, SUVs are popular in certain areas and you might expect to see that. You know, government spies on people. Traditionally what's the stereotype? Black SUV. Right? Sometimes there's a little truth to things like that. Of course Crown Victorias are popular. That doesn't mean that you should only look for those kinds of vehicles. Depending on how interested people are in you, you know, they'll get all kinds of different vehicles. They'll get women and children, old people, you know, all kinds of people you don't suspect are working for the FBI but they are.
All right. So some general techniques. If you're following somebody the follow distance is going to vary. Generally from about 2 cars behind you, you know, typically it's kind of frowned on to be right behind somebody that you're following because they might notice to a couple of blocks. And a lot depends on things such as, you know, is it just one car? Is it the stalker that we saw earlier? Or is it a government? All right. So if it's one car or even if it's multiple cars they might extend that range using a bumper beeper. Now there are different kinds of bumper beepers. Simple ones like literally something that just makes a tone on a certain frequency to it's a GPS tracker. All right. Generally speaking a tail is considered to be blown if you've had 3 suspicious impressions.
Like if you're following somebody, not that any of you have ever followed anybody because that would be bad but if you're following somebody and they look right at you 3 times or do something similar like act strangely because they think they're being followed, typically most people say, all right, we're done.
All right. So single car tailing generally speaking as I said you will be a little closer than with multicar tails. You can't afford to lose somebody if it's this. You're more likely to follow traffic laws, running a couple lights. A little suspicious. And again you might use something like a bumper beeper in order to help extend your range. This picture down in the corner is an example of a bumper beeper. If you look at the long tube it has a couple of magnets on it and there's electronics you can cram in there with good batteries and you just slap it on someone's car. It doesn't have to be the bumper but some metal part. And track away.
All right. Multicar tailing. Typically if you got multicar tailing it's probably not a stalker. It's probably somebody else. In most cases everyone is behind you. Again, most cases. Not a hard and fast rule. Sometimes you might have cars on parallel streets not just all behind you in a big caravan. If you're in an urban area, if you're in the country they're probably just behind you. Also, you might see cars taking relative positions and having that change. So that you're not always seeing the same car behind you. Now here's a big giveaway. If you see vehicles that appear to go a different direction. They turn off somewhere then they magically reappear later either they're lost or they're following you. So decide if you're paranoid or not.
Okay. So how can you combat tailing? The number one thing you can do to combat tailing... Look. Have a little situational awareness. Look around you. You know, when you're going places don't just look ahead. Look around. When you're getting in your vehicle check your car. Look for trackers.
Look for vehicles that seem to be behind you for a long distance. You know, maybe they're just going the same way. Maybe not. And again watch for those vehicles that go away then suddenly come back. That's a little bit suspicious. You know, if you see that happen I would say that's one impression. You have two more things happen, they're probably done.
Other things you can do. Detect electronic devices. I'm sure many of you know what this scene is from. He finds the GPS tracker on his car. How can you detect these electronic devices? You can use the RF detection system previously described. Typically if you use that don't use the band filters. Some really simple ways, if someone has a simplistic bumper beeper you might be able to detect that just by tuning in your AM radio. I know nobody uses AM radio in their car. Nobody uses the radio in their car. Right? It's all Bluetooth connection to iPad or iPod and things like that. So... Anyway... Some of these home made and cheaply available trackers operate on the AM band so if you scan through that band and you hear this nice strong tone and it's always nice and strong and it's just a tone guess what? It's probably you. All right. It's probably something on your car.
Other things you can do, some active techniques. You can drag at the traffic light. If you don't know what that means basically you can try to time it so you're the last person that gets through a traffic light and if someone tries to run the light or whatever then you can be suspicious. Take unusual routes. Don't take the normal route that somebody would to go to whenever your destination is or switch up your route. Don't take the same route every day. You can also try driving through some residential neighborhoods. You might look suspicious. I just moved and I live in a neighborhood ‑‑ there's only a couple entrances and they all let out on the exact same street. So if you follow me through my neighborhood it looks very suspicious.
Like why would anyone drive in there? Unless you're going there, there would be no reason. Don't be afraid to take a few alleys or deserted side streets. Occasionally you might even just park your car. No reason. Sit on the side for a couple minutes. If you're real paranoid, get out of your car. Only in a good neighborhood. Right? Phil told me to get out of my car. I was afraid someone was following me and guess what? I got mugged. I am not responsible for anything you do from what you hear in my talk.
All right. Other things, all right. So that's tailing or mobile surveillance. What about stationary surveillance or stake out? Again a lot of this occurs in a vehicle. Not always. But sometimes. You might expect the same vehicles to be used as in tailing. Additionally sometimes people like a little bit more room so they might have an SUV, commercial van, pick up truck with a nice Topper, things like that. This picture down in the corner is actually from an article I found on‑line and make your own surveillance van. All right. Now I got a question for you guys. If you make your own surveillance van should you put Tony's pizza on the side of it? What's wrong with that? There's no phone number. Okay. What else is wrong with it?
>> [Off mic]
>> Who delivers pizza in a van and when you deliver pizza what do you do? You deliver the pizza and leave. If you make your own surveillance van pick a plumber, electrician, sewage guy, septic. Put mud on the side. All right. How can you combat stationary surveillance? Again the best thing you can do, look. You know, look for people. Sometimes people stop for a little bit. Maybe they're waiting for somebody. But if you're sitting in your car for more than 5 minutes, yeah, I'm suspicious. Especially if you're eating donuts and wearing a cop uniform. But other things to look for. Now this one is a little rough. Construction, utility workers who appear not to be doing anything. [Laughing].
Yeah sometimes they don't ever look like they're doing anything. You know? You know, it's the old joke. Slow, men working. Okay. The slow men are working. Or is it slow, because the men are working? All right. So I have to get a grammar Nazi on that. So yeah, especially I know this is a stereotype but if you've got some guy on a pole if you know anything about people that do like cable and phone work they don't like to go up and sit on that pole all day long. They go up and do what they have to do and come down. So if you have somebody parked up there and eating a sandwich it's probably not a cable guy. Right? And again even if it's not Tony's pizza you get commercial vehicles that seem to be parked for a long time, um... Another big clue. If there's anyone that has a view of all of your exits. All right. Someone that has conveniently placed themselves in a spot where they can see every exit to your house or to your office, that's probably not a coincidence. All right?
Some active techniques. Get out your binoculars. Spy back. Why not? All right. Do you think that would be an impression? They would be like hey he's spying back at me. I'm pretty sure that this one is blown. All right. So don't be afraid to do that. Do strange things. You know, run outside. Jump in your car. Run back inside the house. See if anybody suddenly started their car. Maybe your neighbors are like it's just Phil. Drive around the block. See if anybody follows you. It might sound stupid but simple things like that, you know, you drive around the block and someone thinks you're going to go somewhere. Maybe they'll move towards your house, maybe they'll follow you.
All right. Audio bugging. You can get various kinds of audio bugs. You can go on the internet and buy these things. I really like this one in the upper right hand corner. Nice Apple logo on it. Nobody suspects anything with an Apple logo on it. Right? Slap it on the back of someone's iPhone or iPod and bug away.
You do have some different kinds of bugs. Some of them are radio transmitters. Some of them use GSM phone networks. The GSM phone networks a little bit harder to detect. Not a lot but a little bit. Also a little bit more expensive to use because you have to have a phone account and all these things. Some free ways you can do it, you can get your AM/FM radio. You can use the software defined radio such as the little dongle I have in this picture connected to a BeagleBone. You can use an SDR by the way. If you're going to use the cheap little TV dongle you should know they work usually 50 megahertz. They will not necessarily detect all the bugs but if you have one laying around anyway it doesn't cost you anything. Moderately expensive way you can use that circuit I described earlier with the Linear Technology RF power meter or you can drop 500 bucks for this thing down in the corner. If you got the money and you want to buy a new toy maybe it's for your office. Right? Mr. President we need this. 500 bucks. What's our safety worth?
How could you use an AM/FM radio? Basically you have to have an analogue radio. You can buy these probably at the dollar store. Scan for the AM/FM range. If you hear yourself, if you hear the audio you're generating be it your voice or radio or whatever then it's probably you being retransmitted. So... This is only going to work with some of the simplest bugs but again it's worth a shot.
All right. Now what about passive bugs? Bugs that aren't always on. You can try to excite them. Basically you can have some passive bugs that get irradiated. You don't have to be on the exact frequency to make it work. If you blast a lot of power at these devices they will probably generate some sort of signal that you can detect. I remember many years ago I had a friend who was really into CB radios and he also liked to buy illegal amplifiers.
So this guy had a thousand watt amp he bought from some guy and hooked it up to the CB and he was in the parking lot and we dropped off a buddy and we were in the store and guess what was coming over the intercom in the store? This guy. He was way off the frequency but the signal was so powerful it was bleeding over. It's kind of a similar thing with exciting these RF bugs where, you know, if you're close to the frequency and you shoot them with enough power you can probably get them to at least turn on, generate some sort of signal you can then detect. All right? So what are you going to use? You know, again the free way you probably have an Alfa card and nice directional antenna. Just crank that sucker up. By the way if you don't know this with those Alfa cards you have to tell it it's visiting another country if you want to crank up the power. Bulgaria is nice by the way. I've never been there. I'm not going to say my Alfa card has been there. It might have been there. I'm not going to commit. Anyway FCC doesn't like it. No it's never been there. Scratch that. Mine has never been there. But you can change that and give it a little bit of a signal boost.
Other things. There have been some other folks that have talked about these. Some of you might notice these pictures as some of the NSA bugs. Jacob Appelbaum described some of these bugs recently in Germany and they can be installed when shipments are intercepted. You buy something through Amazon and it comes with your NSA bug. Service professionals, your own IT people, people just don't like you. If you're going to piss somebody off make sure they have no skills. All right.
All right. How do you detect these bugs? Again the free way. Look. If you know what the bugs look like, look for them. If you didn't know what they looked like and you open up your computer you probably wouldn't find them. You know, some of these are pretty clever and they just look like regular stuff.
You know, some of them are attached to debugging ports that Dell conveniently left there just for that purpose, for their own internal debugging. Other things you can do. You can look ‑‑ you might have some drop boxes. I've talked about drop boxes before a little bit last year at DEF CON. And some of those drop boxes are pretty easily hidden and stuff on your desk. I'll show you some examples. So really you need to check every device especially those that are connected to your network or USB. USB is great if you want to hack somebody. All right. I love USB.
So here are a couple hiding places. I stole these from my book so I guess it's okay to steal pictures out of your own book. In the upper left it's an access panel in the floor in a classroom. So I have power, I have networking and I have enough space for the drop box. Lower left is one of my favorites. Desktop defender from ThinkGeek. Anyone heard of these before? Maybe some of you have them. They're nice toys. You put them on your desk. People come by and yell at you. It's USB powered which is awesome. Because I can put a drop box in there. USB power it. I got power forever. I got a hand sanitizer dispenser not completely full. Space on the top. Again drop box. And the little talking TARDIS toy. So plenty of space for a drop box. So look. Again look. Pictures have been released.
You can also look for current leaks. Unless a bug is battery powered it needs power from you. So it will leech power somehow. Turned off devices kind of like a video camera shouldn't be consuming resources. So one way that you can detect this is you can use a modified universal laptop power supply and what you do is you modify it so you can read out some current that's flowing and if you have a laptop or phone and you can remove the battery just pull the battery, turn it off and then hook it up. If there's current flowing something's wrong. Right?
Now sometimes there might be a little bit of current like your laptop to run LEDs and things like that but, you know, if there's much current at all could be something to investigate. Now if you have a tablet or can't remove the battery it's harder. You want to fully charge it then see if there's much current that's flowing when it's turned off. If you have a bad charging circuit you might have some current flowing so you have to be careful with this method. If you have another device and you can measure its current flow to get kind of a baseline that would be the best.
Okay. So here's the basic idea. You have your laptop adapter which has a series of plugs and you hack a little cable and you break one of the lines so that you can put a meter on it and detect how much current is flowing. All right? It's kind of like this. In the upper left hand corner is my little adapted wire. Basically had an extension cord for this connector. I just hacked the ends off it and I soldered it up on a board and you can plug it in line to this adapter I got for $13 on Amazon, something like that. All right? And then get the right adapter tip, set the voltage, connect it to your device, measure the current.
Desktop computers same idea. I recommend physical inspection because it's easier. Sometimes the power supplies will leak a little bit of current. So if you see a little bit of current flowing don't be suspicious. Always be suspicious but... Other things about desktop bugs they might only work when the desktop is on. So you have to be aware of that. This method might not detect everything. Some passive bugs, same thing. Excited just like the audio bugs we talked about. Uses the same kind of techniques in order to try and detect it. Now you're not going to detect everything. You know, like the NSA bugs probably not. But again what can you do for cheap to free?
All right. So in summary I would say choose your level of paranoia.
You know, even if you're not paranoid though you can still detect a lot of these spying attempts at no cost or little cost and if you're truly paranoid but you're not rich you can still test some of these things without financial ruin. A couple of references. A little bit more about the BeagleBone stuff. You can find that in my book and here's a reference to Jake Appelbaum's NSA talk that he gave and if you have questions you can talk to me later. Again don't leave though because the next guy is really good. He doesn't suck so much. All right? @ppolstra on Twitter or you can go to one of my websites and, you know, again for the BeagleBone stuff there's more in my book, website, and all that. So thanks. [Applause]
##########################################