Hey everybody. Welcome to DEF CON. I know you guys are already here. For me this is my first time speaking in front of everybody here, so this is pretty much an honor slash dream come true. I'm kind of a fanboy. So I'm not that hard technical, I'm just a programmer. But anyways, today my talk is about Wi-Fi beacons. We'll give you up. And the Beaconator here. So the Beaconator is pretty fun. I just put it together. It's basically ESP8266s, but instead of just one or two it's about 57 of them. I'll get to more about that later on in the talk. But basically I'm a programmer, and I've done a bunch of things. You could say sometimes they're potato and sometimes potato things. But you know, we're not talking about low-level stuff here at all. I'm much more working at higher-level languages, still getting into more security stuff. I know enough to get myself into a lot of trouble. Try not to do that.

So this is the basic agenda. I'm going to go over ESP8266s in general. Then I'm going to Rickroll everybody and show you how to roll your own real quick. Then I'll show you a survey of a bunch of stuff you can do with ESP8266s, and show off the Beaconator towards the end. The Beaconator I've been working on for a while. It germinated last year, but it took me a while to actually bring it to fruition. So basically ESP8266s are a bit like a gateway drug to microcontrollers. Chances are for some of you your first one is free with a badge.

So, Rickroll. Okay, one sec. Right now I'm firing it up. So if you have a Wi-Fi device, nothing I'm doing here is going to do anything bad to you guys, because I'm more afraid of generic you than I am an asshole. So overall, right now, pretty soon, this is going to pop up on your Wi-Fi. And throughout the talk I'll turn on some more stuff in a little bit. I may not turn on the whole top range because it's a little bit powerful. But if you want a quick thing for just Rickrolls, you know.
And this is basically the impetus of me getting into the ESP8266s, because it's just fun. So basically to roll your own is pretty simple. I mean, this is like really broken down here, but you just need an ESP8266 unit, which is a Wi-Fi module, and the code for the Rickroll, which I'll have posted Wednesday, but there are a bunch of them on GitHub. If you just search for GitHub ESP8266 Rickroll, a bunch of people have Rickrolls up there. So feel free to use mine, somebody else's, whatever. And to basically run it, you've got to have something that programs ESP8266s, for which I tend to use the Arduino IDE. A, because I don't have experience with the other ones; they may be better. So you know, your mileage may vary. If you want it portable, not just stuck underneath somebody's desk so that whenever their computer is on they have all these access points, you've got to have a little battery, cable, all that stuff. But once you get that set up, it's not too bad. If you've never set up the Arduino IDE before, you may have to Google a few steps regarding ESP8266s, because you've got to add libraries to it, to preferences, in order to actually pull it up and build and compile and push it on there. I'm just giving that out for the new people. If you're totally familiar with it, you know, it's for the new people. I was new too, not that long ago.

So this is the part where I have a villain exposition part, because I've got a lot of stuff to get through and I didn't make enough slides here for this part. But so the ESP8266 is basically a physical manifestation of a minimally viable Wi-Fi controller board. I was first exposed to it back at CactusCon two years ago in Phoenix. I was fascinated that a programmable Wi-Fi microcontroller system could be made so small and affordable. And like all good con goers, I got home and I promptly put it in a bag in a box and forgot about it. But I did do one cool thing after the convention.
I got online and I ordered a few of them because I wanted to do something with RGB LEDs. I do light box photography on the side, so I wanted to have these light boxes set up and control them with a laptop, which is awesome. But unfortunately, it turned out that life, everything, kind of got in the way. So I never really had a chance to do that. So last year before DEF CON, I was looking at all the stuff I had from the previous conventions and I saw the ESP8266 and I was like, dude, I wonder what I can do with this. So I looked up online projects on GitHub, and within the top 20 projects at the time was Rickroll. So I looked up Rickrolls and found it. And the guy I used was Mark Szabo, M-A-R-K S-Z-A-B-O. He has a thing called fake beacon ESP8266. He's a security student over in Europe and I used his GitHub as a reference point for a lot of the stuff I was doing with this thing. So, you know, I had the GitHub downloaded and everything and in short order I got it working. Yay, Rickrolls. But honestly, it took me longer than I'd like to admit professionally to get Arduino up and running, because it was my first time with Arduino by myself. So, you know, Google, YouTube, it wasn't too bad. It was just your basic Google-fu of hey, I've got an error message, what do I do? It's not too bad. And part of it too is I never really did any experimenting with these things until I was really tired late at night, after doing all the other stuff, so I was, you know, not always in the right mind when I did some of these things.

So the ESP8266s themselves, they're made by a company called Espressif. I mean, they make the IP, the intellectual property, and license it out to different companies to make it. So overall, there are multiple different companies that produce different versions of this. And with those different versions, some of them are optimized for cost, memory size. Some have more pinouts, like NodeMCU ones have 30 pins and WeMos boards have like 16 pins.
And some are USB development boards; some boards have a USB port on them. The one up here on the screen, that doesn't have a USB microcontroller part. So you've got to get a USB to serial programmer to actually code that. Now the flip side is, once you have that done, this is smaller and lower power, et cetera. So you know, there's always kind of a yin and yang. Now there's also a really neat thing with these ESP8266s, which is that there are a lot of things called shields. If you're not familiar with a shield, because I assume someone somewhere watching this isn't, it's basically a little board that sits on top of it, or underneath depending, and with that you can actually break out and do other stuff and attach cool things to it. So there are relay boards, there are micro SD boards, there are soil temperature sensors, there are humidity sensors. The list kind of goes on. There's a lot of stuff out there and this is a pretty common device. So if you look up a project with ESP8266s, chances are somebody's done something and you can learn from their mistakes or just riff off of what they did, which is not rip, but riff. So that's pretty cool. So with these pinouts, sorry, a few of the pins are reserved for programming, so you can't use all the pins if you want to be able to use it later. And most of them have an analog IO pin, which basically means it can read voltages between zero and one volt. So you can have like a rheostat or a trim pot hooked up to a voltage step-down so you can actually read a dial, which is kind of cool. But you have to write the code for that, which, you know, is always that. Now I haven't done too much with the relays and stuff yet, but you can do some pretty neat stuff with them. So if you've gone to enough conventions, you probably have ESP8266s hanging around in your badge bag, on the badge. Alternatively, you can buy them on Amazon Prime for cheap; not too cheap, but, you know, under 10 bucks delivered.
And on eBay you can get them on a slow boat from China for under four or five bucks, depending on what you want to do. Now in quantity, like what I'm doing, having something cheap adds up when you're doing a bunch of it. So depending on what you want to do with them, I don't have empirical proof, but the NodeMCU boards tend to be less power hungry than the WeMos chips. And later on I can show you what they look like up here in the device. But so what I got hooked on was that last year I Rickrolled a bunch of people at the con and I broadcasted some SSIDs, which was pretty fun. So with SSIDs, it's basically when you open up your phone and look at the available Wi-Fi networks; that's just the access points. So what these are doing is just broadcasting the beacon frame of the Wi-Fi access point, not actually responding to any other requests. So you see all these access points, but you can't actually connect to them or do anything with them. So that's pretty fun, because there's nothing like having something that looks malicious that you can't connect to. But that's just me. And what I did is I basically had it in a little Ziploc bag, put it together, and just USB powered. And I kept that in my backpack the whole convention. And it was fun. People were like, hey, check the Wi-Fi. And I was like, yeah, I have. But that's me kind of bragging on myself there.

But so, technicality. So one thing I found with these ESP8266s, if you want to advertise a persistent set of Wi-Fi SSIDs with randomized MACs, I had to stick between 13 and 17 total access points per board to have it stable when you pull up your phone. Because you have to broadcast the beacon frames often enough for a computer to pick it up. And my code's not perfectly optimized because I've borrowed other people's and honestly, I'm just like a little gorilla with the code sometimes, just going poke, poke, poke, what happens?
So that was pretty funny, which led me to just an idea I had, which is, well, if you have a couple of these things, what happens if you have a bunch of them in your broadcast? So if you haven't heard of it, this Wi-Fi mapper, Ekahau's Wi-Fi mapper, it's a laptop-based product. It's free. You can download it, install it. And it generates really beautiful pretty picture graphs and charts, which is pretty much the most important thing when you're talking to business to say, hey, I need three more access points over here. You can do the work with this mapper and show them that, yeah, this red part here, that's bad, we need to have more access points or change the channels, that type of thing. But, you know, for personal use, it's free. So that's pretty cool. So what I did is, this is a baseline scan of my house. And some of it's been redacted for obvious reasons. I mean, you know. But so basically the line in the middle near the top, that's where I set the scanner as I was walking around my house. So each of those is a point in my house. And that's just what the scanner looks like. It actually was run on this laptop at the time, which is pretty cool. But I found out something fun. When I did it with 14 early Beaconators, a previous version of this, the ones on the top here, I had those running. I ran the Wi-Fi scanner. And something fun happened. Ta-da! Windows slowed to a crawl and the program crashed. It just didn't want to do anything. So after that I basically decided not to be a complete tool and I restarted the computer fresh so I wouldn't have any memory issues. It's not a super fast computer here. So going again, I was like, huh, well, I did the restart here. And then, boom! So what happened was, you can't really see much here, but that little thing in the middle was all the data I was able to collect, because it just slowed to a crawl. There are so many little things happening.
As I was walking along, you can barely see it, but that green line has little striations. I know each of those striations is an access point. So in theory, you could use a bunch of beacons like this to mask other attacks, or to be a red team and just kind of make a squawk and see if anybody notices on the blue team that, hey, there are 24 access points where there used to be two, and goes to investigate. And you can do that based off of one little thing that fits in the palm of your hand with a battery. It's pretty cool. So a close-up. You know, it took a long time. It literally took about 10 minutes from the time I turned off the Beaconator before the results were actually able to show up in here and the application caught up to it. And it's Java-based, which isn't bad, but you know, Java memory, but it's multi-platform. So I zoomed in and enhanced it, but enhancing doesn't work because it's not the best resolution. But each of those striations is basically an access point, which is pretty cool. And that's just with basically a third of what's here on the top. If I had it fully running, which I haven't had a chance to test yet, that would be pretty fun.

So with ESP8266s, you can do things like a deauth. Spacehuhn developed the ESP8266 Wi-Fi deauther, which is neat, but I just don't really feel like it; it's kind of a dick move and it's not really something I want to do. But really cool stuff that you can build in terms of just craziness is you can build, like, IoT relay devices. You can use these devices to hook up to, like, your garage door, so you get close to your house, connect to your Wi-Fi, hit a button and pop your garage. You can put them up to power strips, lawn and garden sprinkler systems. One guy did a tea kettle, so he's sitting in bed, has the tea kettle ready to go, pops open his phone and just logs into his tea kettle and hits a button and it starts up the tea kettle. So he can get his tea started without being out of bed.
You can do the same thing with coffee, and with a soil sample or soil sensors in there, you can also, like, hook up your own grow house for, you know, vegetables, that type of thing. You wouldn't want to use these to control it because they don't have a ton of power, but you could use it to monitor every plant, or every pot, for probably under 15 bucks total if you didn't buy things in bulk, which, you know, that's a pretty reasonable price for tomatoes. But it's amazing the stuff you can do with it. Like, if you wanted to build your own Christmas light display, you could have it Wi-Fi powered with these guys, with the mains power running the ESP8266, so you don't have to worry about a battery, just doing a little relay. I've got a relay board I can show you guys. Well, actually, I'm sorry, I have a relay board at home I can show you guys, but basically you see what a relay looks like. It just fits on a little shield that goes on it, or you can wire it up yourself. It's pretty cool.

So the limitations of the ESP8266 are, well, it's single-threaded. So it's limited to about a meg of program space. And then on top of that you have some flash memory you can access, but it's not stupid easy. You have to actually do a little bit of work. And then the other thing with these is the reading and writing from the micro SD cards is a bit slow. It's probably me, but I had the pinout, I had the text coming from serving, like I had a webpage serving from the micro SD card and I was watching the text scroll and refresh, and it was just painful to watch the text show up on the screen. So that was kind of funny. Now it could totally be me and there may be ways to serve it quickly from micro SD cards, but I think they're better suited for logging. So you could use it like for a logging system. But one thing I noticed which is kind of interesting is that something was missing.
So when I was working on this I could see things show up on my phone, right? But I couldn't find anything in Wireshark. So basically what I had to do right here, well it's kind of small to see, but I had to set the time. When you turn the ESP8266 on, it has an internal timer from the time it turns on. I'm not familiar with how to actually change that timer. So you probably have to mod it, like add a value to that, to actually adjust the time. But with that timer, it gives you a timestamp, which is awesome, because in the beacon frame, which is pretty long, one of those slots is for the time, and without that timestamp being populated you're going to end up with it basically not showing up in Wireshark, at least the way I had it configured.

So this is the Beaconator lit up, and with the Beaconator it's two sections, the biggest section and the smaller section. So in the smaller section, it's got a Rickroll unit. It's got a couple of Project Trevor units. So in about 10, 15 seconds, you can look at your Wi-Fi. You should see some interesting Wi-Fi access points available. When I say available, they're not really available. They're just there. But one cool thing about them is I do have four book servers on there where they're connected to DEF CON open right now, and because of that you can find them and actually download Little Brother and some other books on there. But the reason I was able to do that, even though there's a meg program limitation space and the files are bigger than a meg, is that there's a thing called SPIFFS. Now not spliffs, but SPIFFS. It's called Serial Peripheral Interface Flash File System, which is a mouthful, but it basically allows you to put the files in the leftover memory after you've programmed the device. You have to download a tool from GitHub to do this, but it's pretty cool. So you're limited to about three megs of space on it, which is pretty neat. But overall, on this thing too, it's got an aluminum frame.
The battery in here is AGM, gel lead acid, which is 110. And because of time and skill, I just have it running at 110, dropping down to 12 volts through some Anker adapters. In a perfect world, I would put lithium-ion batteries in here because this thing's heavy, but I did add wheels, which is pretty cool. And overall, with this thing, the hardware is pretty nice, but I got the hardware at the hardware store, so the frame is just some aluminum stock and different things here. And it's ungainly, but I can wear it if I have to. And the software for the Beaconator is pretty basic. So what I did is I basically tinkered with a sample Arduino IDE program that could do exactly what I wanted to do. And I use Python to go through and basically tack on to the body of the program, and just tack on like 2800 lines of beacons per sample, to go through and create an Arduino sketch for every 2800 samples that it's running, which is pretty neat. And I'll be posting that here after the convention.

And so with the mobile book library, it's basically just electronic only. There are just four of them running right now. And thanks to the Gutenberg library for basically supplying free books for me to use. So the first book I put on there was Frankenstein, because, I mean, why not? And I also have to give a shout-out to Foon on Twitter, because he wrote the Sierra Death Generator, which I used to generate these images. And the second one I put on there was Alice in Wonderland. And because, you know, Alice and Bob, I had to. And for the fun of it, I put on Sherlock Holmes, you know. Now, if I had enough time, I could have done some steganography and messed with people a little bit, but I didn't have enough time. And of course, I put on Little Brother because, I mean, why not? So overall here on the top part, I'm about to plug it all in here for a second. This hasn't been running at all.
Every six seconds it pumps out 130,000 beacon IDs. And back-of-the-napkin math, it works out to be about a million beacons, wireless access points, getting advertised every minute. And because each beacon consists of two frames, it's actually pumping about two million frames a minute, which is fun. And the reason I know this is because every six seconds or so these suckers will light up. And let me just double check. The demo gods are not smiling, one second, sorry. Okay, so now we're rocking and rolling. So pretty soon you're going to see a few Wi-Fi access points on your phone. It's probably going to take 30 seconds to a minute for all of them to spin up. Right now, if you're running just 802.11b, you may have problems with the internet; it may be getting a little bit slow. It's not deauthing anything; it's basically a bunch of people in a room shouting really loud, going, hey, I've got a Wi-Fi access point, I've got a Wi-Fi access point, 130,000 times every six seconds. Just for the fun of it. Now, I don't run that thing everywhere because I don't want to be a complete, complete dick on it. But so the way I know how many it's running is because I have a list of about 2,900 on each one of these 44 units on the top here. And from that list, I turn the LED on at the start, and every time it hits the start of it, it toggles the LED light. So if you're running, like, Wireshark right now, you might be seeing a few beacon frames if you have your beacons enabled. And what shows up on your phone isn't actually all the beacons available, it's just what your phone can actually capture at the moment. And there's also a bunch of RFID collision, or radio collision, because of that. So this is much more of, like, a cool toy than it is actually something you could use overall, like in the package it is in. It's just more like a fun experiment.
But for possible future uses, you know, I thought of maybe making this thing into a big open library where I have it broadcast all these access points, and each access point is a book that you can connect to, and have a whole bunch of books. Like you just have a mobile electronic book library, which, you know, I thought was kind of fun. I thought maybe of doing, like, a route map Beaconator, so you have a load of route maps if you want to share with some friends that are just within Wi-Fi range, so they can connect to it and see what's going on. And also I thought maybe a survival Beaconator, where you can hook up a solar cell to it and actually run a bunch of stuff with, like, survival manuals and that type of thing. But it's a little impractical; it's kind of stretching there. But another fun thing I thought of is basically what happens if you go to the Yankees game broadcasting a whole bunch of times that the Red Sox are going to win or Yankees suck. I mean, you know, take your pick, or saying that Vim's better than Emacs. But anyways, you know, there are lots of ways to start stuff. And unfortunately, with something like this, eventually people are going to use it to basically broadcast spam. So this is maybe not right away, but eventually. So basically ESP8266s are a gateway drug to microcontrollers and possibly some pretty bad decisions, depending on what you want to do. But right here is the GitHub. If you want to write it down, it'll be available Wednesday. And if anybody has any questions, I'll be happy to answer them and go over the code if you want to see any specific spots ahead of time. And I really thank you guys for sticking through it, and enjoy the rest of the convention, guys.
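As an added example, not from the talk or the speaker's code, here is a Python script that parses the beacon frames discussed in the talk and flags the situation the speaker describes, 24 access points where there used to be two, the way a blue team scanner would. The frame builder, BSSIDs and SSIDs are constructed sample input, and the zero-timestamp check is a heuristic keyed to the Wireshark observation earlier in the talk.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def build_beacon(bssid, ssid, channel, timestamp, seq=0):
    """Serialise one 802.11 beacon (no FCS): MAC header, fixed fields, tagged IEs."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, BROADCAST, bssid, bssid, seq << 4)
    fixed = struct.pack("<QHH", timestamp, 100, 0x0431)  # TSF timestamp, 100 TU interval, capabilities
    ies = (bytes([0, len(ssid)]) + ssid.encode()        # tag 0: SSID
           + bytes([1, 8, 0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C])  # tag 1: supported rates
           + bytes([3, 1, channel]))                     # tag 3: DS parameter set (channel)
    return header + fixed + ies

def parse_beacon(frame):
    """Return the fields a scanner cares about, or None if the bytes are not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:             # frame control: management, subtype beacon
        return None
    timestamp, interval, _caps = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": frame[16:22].hex(":"), "timestamp": timestamp,
            "interval": interval, "ssid": "", "channel": None}
    pos = 36
    while pos + 2 <= len(frame):                         # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                        # truncated element: keep what we have
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

def beacon_flood_report(frames, baseline_bssids, ratio=3.0):
    """Compare the BSSIDs heard in a capture against the site's known baseline."""
    seen, zero_ts = Counter(), 0
    for frame in frames:
        b = parse_beacon(frame)
        if b is None:
            continue
        seen[b["bssid"]] += 1
        if b["timestamp"] == 0:   # heuristic: a running AP's TSF counter is never still zero
            zero_ts += 1
    new = sorted(set(seen) - set(baseline_bssids))
    return {"distinct": len(seen), "new": new, "zero_timestamp": zero_ts,
            "flood": len(seen) >= ratio * max(1, len(baseline_bssids))}

def sample_report():
    """Constructed capture: two real APs heard five times each, plus 24 crafted beacons."""
    baseline = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
    frames = []
    for i, mac in enumerate(baseline):
        for n in range(5):   # real APs: TSF advances one beacon interval (102400 us) per frame
            frames.append(build_beacon(bytes.fromhex(mac.replace(":", "")), f"home-{i}", 6, (n + 1) * 102400, n))
    for i in range(24):      # crafted beacons: fresh BSSID each, timestamp left at zero
        frames.append(build_beacon(bytes([0x02, 0xBE, 0xAC, 0x00, 0x00, i]), f"fake-ap-{i}", 6, 0))
    return beacon_flood_report(frames, baseline)

if __name__ == "__main__":
    print(sample_report())
```

On a real capture you would feed `beacon_flood_report` the 802.11 management frames from a monitor-mode pcap and the BSSID list from a baseline walk like the one in the talk.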