Alright, so I'm going to try to talk as loud as I can, hopefully you can hear me or not. But thanks for coming. Real quick introduction, this is Rob Simon, also known as KickenChicken. He's got a really weird Twitter photo, so you can follow him on Twitter there. He's a penetration tester. He works for me at a Fortune 1000 company. He works in the application security group. And basically what we wanted to get out of this presentation was a lot of cool stuff around the home automation side as well as the broadband over power. So we'll be talking a little bit about that. About me, I'm the creator of the Social-Engineer Toolkit, Fast-Track, I'm on the BackTrack development team. I'm a CISO for a Fortune 1000 company and I give hugs. So if anybody wants to give a hug after my presentation, thought I did a good job, that's how I show it. Also one of the founders of DerbyCon. So before we start, I do want to give an introduction: there's a person in the audience that works with me that has an extreme fear of people that brush their teeth, and I'm no joke. Just the talk of it makes them start to dry heave and throw up. So I've slipped in some pictures of people brushing their teeth, so when that person gets up and walks out, you know exactly who it is and will point at him and laugh at him. So he told his wife he's going to try to get over it in a year. So we're going to try to expedite that a little bit today, okay? So a quick slight diversion, since we're talking a lot about hardware hacking, we're going to get into it. One of the devices that we used was called the Teensy device, which you can get from pjrc.com. And with the Teensy devices, if you're not familiar, Adrian Crenshaw, aka Irongeek, found these little guys about a year ago, and a guy named Josh Kelley and myself presented at Black Hat and DEF CON last year on it. And so we've kind of expanded our research a bit and I wanted to just do a quick hit on this before we dive down into the power line stuff.
And really what the Teensy device is, this little microcontroller here, it's about this big and we use it in some of the stuff that we're going to be showing you today in the broadband stuff. But essentially what this does is you can program it via the Arduino programming language and it can be anything you want it to be. In these cases, we basically program it to be a keyboard. And so when you insert it into a computer, it's got onboard memory and starts executing commands very fast and rapidly on the machine and you're able to basically attack the system via a fake keyboard. And why that's important is most companies disable autorun, assuming if you insert it, it's not going to automatically run. This circumvents and bypasses it because it's emulating an actual keyboard itself. Now last year we morphed it into a weapon and it was kind of a collage. What we did was you inserted it into the computer itself and it wrote out a VBScript or a PowerShell downloader, went and downloaded something and then executed it on the system. Well, we were really happy with that. And so you can see that's the device right there and how small it is. You can buy them for about 16 bucks. And here's some customized ones. You can see the one in the middle; the one on the left is the Teensy 2.0, the one in the middle is the Teensy++ which has more onboard memory storage. And then the one on the right is one of the ones weaponized by Irongeek that has different DIP switches, which you can program to do different things. So you can program DIP switch one to target a Windows machine, DIP switch two... So if you're on a penetration test, you pop it in, it does some cool stuff, right? And this is one of the ones that Garland did, who I know is in the audience as well, did the motion sensor one, which is also really cool, so you can actually detect if that person's there or not. So let's walk through some basics real quick of this.
What we wanted to do with the Teensy device, Josh and myself, was basically take this device and figure out a way to drop a binary onto it and do it all through keyboard emulation. Now there's one major problem and hurdle. The Teensy device only stores about 34K of storage space and on the Teensy++ about 128K. So your binaries would have to be awfully small or you'd have to use some sort of downloader or something like that. And so our choice to get a binary on there, what we wanted to start off with first, was taking a binary, converting it to hexadecimal, base64, and then writing it out via a keyboard, and then converting it back to a binary via PowerShell. So here's just some simple Python code that imports binascii, which is one of the Python modules for binary conversions to ASCII. And then we basically read in a binary, which is a Metasploit-based payload, and we convert it to a hexadecimal representation of that binary. Okay, so we've got some hex now, which is great. Now we need a way to actually convert it back to a binary on the system itself. So once you insert it, it's going to write out this blob of hex, and then you pop it back into the system. PowerShell basically then is going to take it, reverse it back to a binary, and then trigger on the system itself. So here's some more Python code. And all of this I'll talk about is available in the new version released today in the Social-Engineer Toolkit. But here's some of the code there. And so here's kind of what it looks like on the Teensy device itself. We have different byte arrays that we've broken down the hex into in order to get it to work. And so that's some more. Unfortunately, we didn't have enough size, right? A Metasploit-based module is probably going to be around 74K, even if it's packed. And so we started looking around and were like, well, hey, we could do some really cool stuff with shellcodeexec.
And if you're not familiar with shellcodeexec, it's a small 5K executable that reads in alphanumeric shellcode, injects it straight into memory, and actually executes on the system. So we're like, OK, this is pretty cool. Maybe we can get shellcodeexec as a binary, and then drop an alphanumeric shellcode-based Meterpreter onto that, inject it straight into memory, never touching disk. So circumventing antivirus and everything else out there and get that to work directly into memory with whatever we want to. So testing it out, we custom compiled shellcodeexec to make it as small as humanly possible, and converted it to hex. We created a Meterpreter reverse TCP stager that was alphanumeric shellcode, and then we converted that to hexadecimal and popped it into the system. And just real quick, sorry. It hates the froth. That's what gets them. So that's the best one I could find. You all right, buddy? All right, so here I want to show you an example. And this is in the new version of the Social-Engineer Toolkit. And so we're going to go ahead and run SET. If you're not familiar with the Social-Engineer Toolkit, it's a Python-driven, open source tool set aimed at social engineering and penetration testing. It's been out for about two years now and has a wide variety of different attack vectors in it. It's free, community-driven. Hopefully, Joey Furr is in here somewhere. Joey Furr is one of the development team. Prime is on the development team. And then Thomas Werth. So thanks to all those guys for making all this happen. But essentially, we're going to go on the Arduino-based attack vectors, which is number six. And we're going to do the binary Teensy attack, which is number seven. We're going to enter our interface IP address, which is going to be the reverse connect back. And then we're going to do a Meterpreter shell. We're going to have it connect back to us on 443.
And what SET will automatically do is take that binary, convert it to hex, pop it in, redo all the PowerShell encoded commands, convert that to Unicode, then base64, pop it in for you and create a listener. Took a while to code. And then all I'm going to do is I'm going to copy this onto my Mac drive here. And then I'm going to upload it to my new Teensy device. OK. So now here's the Arduino stuff right here. And this is all going to be a good precursor to what we're talking about, again, on the power line stuff. We're going to go ahead and compile it. I'm going to take a device right here, which is a Teensy device that's modified a bit, the Teensy 2.0, pop it in, upload it. It's all right. All right, so now we've got our new code running on it. And I've got a fully patched Windows XP or Windows 7 system here. We're going to insert it and see, hopefully, it works. So again, this is all through keyboard emulation. You guys are going to see some cooler stuff than this. Right now, obviously, this is typing on the screen for everybody to see. I can't type that fast. I'm a pretty fast typer. But actually, there was a 10-millisecond delay in there, so it can't go faster. But we'll talk about something here in a second that's just going to blow you guys' minds. This is basically the trivial stuff compared to what Josh was able to do here in a few minutes. Yeah, we need something. I'll dance. Do you want to write, buddy? So let's do this conversion back to binary for us. And then we should have our shell. Let's find out. All right, we've got a Meterpreter shell. Nice job, Josh. Nothing, nothing yet. So that's not all, guys. So that was doing it through shellcodeexec. We weren't happy there. We're like, OK, well, we can get shellcodeexec, we can get alphanumeric shellcode. But what about a binary that we want as large as we possibly want? So Josh started on an SD card mount onto the Teensy device.
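The conversion chain the speakers describe (binary to hex with binascii for the Teensy's limited storage, and the PowerShell side's encoded-command form of UTF-16LE text then base64) is easy to follow in a few lines. The block below is an added illustration written for this transcript, not code from SET or from the speakers; the 34K and 128K storage figures are the approximate numbers quoted on stage, the chunk size is an arbitrary choice, and the sample "binary" is a constructed byte pattern.

```python
import base64
import binascii

# Approximate storage quoted on stage for the two boards (bytes). These are the
# talk's rough figures, not datasheet values.
TEENSY_STORAGE = {"teensy2": 34 * 1024, "teensy++2": 128 * 1024}


def to_hex(blob: bytes) -> str:
    """Hex-encode a binary with binascii, as the talk's Python snippet does.
    Every input byte becomes two ASCII characters, so the text is twice the size."""
    return binascii.hexlify(blob).decode("ascii")


def from_hex(text: str) -> bytes:
    """Reverse of to_hex: the conversion the PowerShell side performs on the target."""
    return binascii.unhexlify(text)


def split_for_device(text: str, chunk: int = 64) -> list:
    """Break the hex text into fixed-size pieces, the byte-array layout the talk
    describes for the Teensy sketch. The last piece may be shorter."""
    return [text[i:i + chunk] for i in range(0, len(text), chunk)]


def fits_on(blob: bytes, board: str) -> bool:
    """True if the hex form of blob fits the quoted storage of the board.
    This is the hurdle the talk hits: hex doubling means a ~74 KB payload
    does not fit either board, hence the move to a tiny loader and an SD card."""
    return len(to_hex(blob)) <= TEENSY_STORAGE[board]


def ps_encode(script: str) -> str:
    """PowerShell's -EncodedCommand form: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ps_decode(encoded: str) -> str:
    """Inverse of ps_encode; the same two steps an analyst uses to read an
    encoded command found in a process-creation log."""
    return base64.b64decode(encoded).decode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample "binary": 16 KB of a repeating byte pattern.
    sample = bytes(range(256)) * 64
    hexed = to_hex(sample)
    assert from_hex(hexed) == sample
    print(len(sample), "bytes ->", len(hexed), "hex chars,",
          len(split_for_device(hexed)), "chunks")
    for board in TEENSY_STORAGE:
        print(board, "fits:", fits_on(sample, board))
    enc = ps_encode("Get-Date")
    print(enc, "->", ps_decode(enc))
```

The capacity check is the useful part for a practitioner: a 16 KB binary becomes 32 KB of hex and just squeezes onto the smaller board, while the 74 KB Metasploit module mentioned above becomes 148 KB of hex and fits neither, which is exactly why the talk moves on to shellcodeexec and the SD card.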
And basically, we can natively read in the SD card, so when you insert it into a computer, it doesn't recognize it as a flash storage device. It still recognizes it as a keyboard. The Arduino device then reads off of the SD card natively and starts writing that binary, that representation of hex, onto that system for as long as you want it to. So now we can basically put a 16 gig file onto that system all through a Teensy device and all through keyboard emulation. So that's really not all. So try to type out a 128K file or a 2 meg file all through keyboard emulation. It's going to take a long time, right? So Josh figured out a way to open up a serial COM adapter and copy it over serial, all through the native USB driver itself. So you plug it in. It rewrites itself as a COM serial port and then basically copies it over. And you have about a two second write out of a binary file versus about five minutes for the same size of binary file. So essentially, you can copy any binary over you want, in any way you want it to perform. And so you might be saying to yourself, this is kind of, because I mean, you can see the stuff writing out on this machine itself, right? So someone's going to notice that. So what we're doing right now, and unfortunately we weren't able to bring it in here, it's literally all wrapped around our table in the office, all soldered with different parts. But what we did was an inline repeater for the keyboard. So essentially what we were able to do is take a keyboard, remove all the connections from it, have the Arduino device be the inline input for the keyboard. So when you type a key, it goes to the Arduino device and then replays back onto the machine itself. But why is that important? It's that we can now detect when someone's not there. So if someone hasn't touched the computer in 20, 30 minutes or six hours, we can still move the mouse, because we can emulate a mouse, move it up and over so the screensaver doesn't kick in.
And then when they're not there, off hours, you just inject all your stuff into there, no one knows that it happened and it disables itself, you never know. And so that's all easily conceivable inside of the Teensy itself. And so that's us starting off with the basics. That's when we're trying to get the SD mount into place. And you can see, we just started soldering a whole bunch of them. And that didn't go very far, but that's a free one for somebody. And that was the finished product. That's what it looks like right there. All right, so back to what we were talking about before. That was a good introduction to what we're talking about. When we decided to do this talk, we wanted to talk about a couple of different technologies that are using it, but we focused heavily on home automation aspects. So what we're gonna be talking about a little bit is broadband over power. We're gonna be talking a little bit about the different types that are out there right now, like HomePlug, which is one of the more common ones. We'll talk a little bit about X10, Crestron, Lutron, Z-Wave, a few of the different home automation systems out there. And we're releasing some new tools and some new code out there for breaking them up a bit. And so a little bit about BPL. Broadband over power lines was really a standard that came out to transmit Ethernet-based signals over power lines, right? And you can get them at Best Buy. You can go to Best Buy and spend a hundred bucks and you have these two devices. One plugs into your power jack upstairs or downstairs, and you plug another one in somewhere else and it bridges the connection of Ethernet through those power lines. And so you can get pretty high speeds. I mean, I've seen anywhere from 35 to 40 megs per second to what they tout, anywhere up to 365 megs per second, all over power lines. It really depends on how much noise you have going through your power lines themselves.
And so one of the more popular ones right now is HomePlug, which is the standard that's essentially used for these new devices that are out right now. So normal wiring systems can transmit this and other standard powers. Now, the drawback is it's really hard to carry higher frequency ranges during these types of things. Most of the newer devices support 56-bit DES and they also support AES as well. So the newer ones that you can find in Best Buy do support AES. No problem, we're bouncing a bit. And it's also used a lot by the smart grid systems. There's a lot of foreign countries as well as third parties that like to use this because they don't have to invest in any type of existing infrastructure. So really they can communicate via Ethernet-based systems all through power lines. And so the home ones, which we did a lot of research on, but they're also being used a lot in corporate environments for bridging networks, which we're not even seeing a lot of, or we're not even pen testing as attackers. They generally support DES, like I said, or AES; the keys for those AES keys are generally Linksys or whatever the manufacturer of them was. So the default password key for the AES encryption is generally guessable. One cool one is the Netgear 500, which actually you can press a button that randomizes the AES security key between the two. Fortunately, they're not generally using FIPS-compliant-based encryption key exchange. So you can actually intercept those if you want to. But I mean, for the most part, they're pretty heavily decent and they're awesome for penetration testing. And so what we wanted to do was use it for a real world scenario. And so we did it for our own company. We did a penetration test and we used one of those badge cloners to clone someone's badge, going to the infrastructure, going to our organization.
And then we basically modified a power supply for a computer and used that as our method to transfer the Ethernet connection over the power lines and then back to a different room that we were hiding in. And so we were able to actually attack the network through the power lines itself, which was pretty neat. So, you know, a small example here. Now this is when we start getting into the cool stuff. Okay, so the next thing we're going to be talking about is some of the home automation stuff that we're looking at. All right. We're going to be talking about some of the home automation stuff that we were looking at. So, we looked at two of the main ones, which are X10 and then Z-Wave. How you doing, Adam? Doing all right? Can we go on? All right. So there's a number of other ones, including proprietary and commercial ones. There's Crestron, Lutron, ZigBee, and Insteon. You might have heard of some of those. Sorry, guys. So, home automation basics. Basically, the X10 devices, you plug those into the power line and you don't have to run additional wires throughout your house. You can use these for security devices. So they have motion sensors, door sensors, window sensors. You hook these up to your doors, your windows, and then when they sense the signal, whenever the doors and windows are open, it sends a burst through the power lines whenever the AC wave is hitting the zero crossing and it sends data through to a transceiver, and this is going to pick it up and it's going to notice whenever somebody is breaking into your house. It's going to send the signals to the security alarm and the security alarm is going to send the signals to the rest of your lights throughout the house, flash the lights on and off, and it's going to have an alarm signal that's going to go off too, an audible alarm that's going to alert your neighbors, and then it also calls out and it's going to alert the authorities or a number that you set up.
So some of the stuff that we were looking at is being able to maybe sniff that communication or jam the communications, and we'll be talking about that here in a second. So the basics of X10, equipment that you can also hook up on that: you can hook up your HVAC devices so you can have time signals whenever you want your air conditioning to kick on and off and set that up through the power lines so you don't have to run anything through it, and then again we covered the motion sensors, lights, there's cameras, security systems on your doors. Some of the drawbacks of X10 that we found is they don't have any encryption on them, so the data that goes through there, it's all documented online and on their website, it goes through in clear text, there's no encryption. Another drawback is that there's only 256 devices that you can have on a system with X10, and there is also heavy interference on that sometimes, so if you've got heavy appliances like your TVs, microwaves, large appliances like that, they're going to cause some interference and drop the signal that's going over the power lines. Some of the devices for X10 also communicate over RF; in the US they communicate over the 310 megahertz frequency. The devices that use the RF would be your motion sensors and your window and door sensors, and then there's also some of the other devices that you can get where you plug into the wall and use wireless remotes to turn your lights and stuff on, and that also transmits over RF. The RF transceiver is going to pick up that signal and it's going to replay the signal back through the power lines to communicate with the devices. So here's some of the X10 codes that we have. You can see the different binary strings that get sent across. Some of the commands for turning units on and off, turning lights off, some of the extended codes that they have out there too. Not all of the devices use the extended codes, but some of the security devices use the extended codes.
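The binary strings on the slide follow the publicly documented X10 power line code table: a start code, a 4-bit house code, then a 5-bit key code that is either a unit number (trailing 0) or a function (trailing 1), with every bit after the start code sent as the bit followed by its complement. The block below is an added example written for this transcript, not the speakers' sniffer code; it encodes and decodes single frames and turns a sequence of frames into readable events. The captured frames in the `__main__` section are constructed with the encoder, not real captures, and the complement check is what lets a monitor separate real commands from line noise.

```python
# House codes A..P and unit codes 1..16 share the same 4-bit patterns in the
# published X10 code table.
_CODE_BITS = ["0110", "1110", "0010", "1010", "0001", "1001", "0101", "1101",
              "0111", "1111", "0011", "1011", "0000", "1000", "0100", "1100"]
HOUSE_CODES = {chr(ord("A") + i): b for i, b in enumerate(_CODE_BITS)}
UNIT_CODES = {i + 1: b for i, b in enumerate(_CODE_BITS)}

# Function codes: 4 bits followed by a 1 (unit codes are followed by a 0).
FUNCTION_CODES = {
    "ALL UNITS OFF": "0000", "ALL LIGHTS ON": "0001", "ON": "0010", "OFF": "0011",
    "DIM": "0100", "BRIGHT": "0101", "ALL LIGHTS OFF": "0110", "EXTENDED CODE": "0111",
    "HAIL REQUEST": "1000", "HAIL ACK": "1001", "PRESET DIM 1": "1010", "PRESET DIM 2": "1011",
    "EXTENDED DATA": "1100", "STATUS ON": "1101", "STATUS OFF": "1110", "STATUS REQUEST": "1111",
}
START_CODE = "1110"  # the only part of a frame not sent as complement pairs
FRAME_LEN = 4 + 2 * 9  # start code plus nine payload bits as bit/complement pairs


def encode_frame(house, key):
    """Build one 22-half-cycle frame. key is a unit number (address frame) or a
    function name (command frame)."""
    if isinstance(key, int):
        payload = HOUSE_CODES[house] + UNIT_CODES[key] + "0"
    else:
        payload = HOUSE_CODES[house] + FUNCTION_CODES[key] + "1"
    return START_CODE + "".join(b + ("1" if b == "0" else "0") for b in payload)


def decode_frame(frame):
    """Parse one frame into (house, unit) or (house, function). Raises ValueError
    on a bad start code, wrong length or a complement mismatch: on a real line
    that is how noise or a deliberately flooded bus shows up in a monitor."""
    if len(frame) != FRAME_LEN or frame[:4] != START_CODE:
        raise ValueError("bad start code or length")
    bits = ""
    for i in range(4, FRAME_LEN, 2):
        if frame[i] == frame[i + 1]:
            raise ValueError("complement mismatch at half-cycle %d" % i)
        bits += frame[i]
    house = {v: k for k, v in HOUSE_CODES.items()}[bits[:4]]
    if bits[8] == "0":
        return house, {v: k for k, v in UNIT_CODES.items()}[bits[4:8]]
    return house, {v: k for k, v in FUNCTION_CODES.items()}[bits[4:8]]


def decode_stream(frames):
    """Turn a sequence of frames into events such as 'A1 ON'. Address frames are
    held until the function frame that applies to them; a function with no
    preceding address (e.g. ALL LIGHTS OFF) is reported against the house code."""
    events, pending = [], []
    for frame in frames:
        house, key = decode_frame(frame)
        if isinstance(key, int):
            pending.append("%s%d" % (house, key))
        else:
            label = ",".join(pending) if pending else house
            events.append("%s %s" % (label, key))
            pending = []
    return events


if __name__ == "__main__":
    # Constructed capture: unit A1 switched on, then every light on house code C off.
    capture = [encode_frame("A", 1), encode_frame("A", "ON"),
               encode_frame("C", "ALL LIGHTS OFF")]
    for f in capture:
        print(f, "->", decode_frame(f))
    print(decode_stream(capture))
```

Because the frames carry no authentication and no encryption, the decoder needs nothing but the code table, which is the point the speakers make about X10 being clear text; a defender can run the same decoder on a logging transceiver to see every command on the line.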
So this is the X10 kit that we got. On the left, we've got the transceiver that we use to send to the devices over the power lines, and then on the right is going to be one of our appliance modules, and this is going to be what you're going to control your lights with, your HVAC systems. So you're going to plug a device into here, you've got a dial on the top for a unit number, 1 to 15, and then you've got a dial on the bottom for a house code. So you can set different rooms on different house codes, control the devices on house code A, turn them all off, and that could be like one room or whatever. So that's how you can kind of communicate with the different devices. And the window and door sensors are the same way. They've got different codes that they'll send in. So when a door is open or when a window is open, it's going to send that device code over to the security console and it's going to let you know which device was opened. So we decided to try to make a jammer and a sniffer for X10. We thought it'd be kind of cool if you could walk up to someone's house and pop a plug-in on the outside of their house and kind of sniff the commands that go back and forth. So what we've got right here is we started doing an Arduino-based sensor. It's going to plug into your outlet and we can walk up to the outside of someone's house, which is the cool part, you don't even have to be inside. You plug it in and it's going to receive all the signals that are going through the house. So when people are turning their lights on, turning the lights off, any kind of sensors that are tripped or set off, we'll get a code for that. We're actually working on a sniffer that's going to be working over GSM. So we can plug a SIM card into that, plug it into someone's house and walk away, and it's going to send us a text notification every time someone comes in and out of the house, every time somebody turns on their devices.
So we can kind of case the place out, find out when they're home, when they're not home. Get an idea of when might be a good time to break into the house. Even better with that, you can send in commands too. So you send a command to it. Oh, that's different. Well, we'll show you here real quick what the sniffer looks like though. So we've got a demo set up that you can see on our screen to give you an idea of what kind of codes you'll be able to see. Oh, you got it right there. So what we have here is, this is one of the standard remotes that you can find for it. It plugs into the power line and then you push one of the buttons on the remote here and it's going to send the signal to turn the lights on and off. We need Christmas lights. Unfortunately it's not Christmas in July, so we missed it by a little bit, but the spirit's there. So you can imagine, you know, if somebody's tripping alarms or whatever, that's going to be sending these signals as well. So a good visible demonstration. We've got some Christmas lights for you guys to see. So someone comes home, they send the signal to turn their lights on and nothing happens, but the lights turn on. So that's good. So let's go double check this and make sure it's still running. Two seconds. The TSA was not kind to me when my devices went through and they knocked a couple of the wires out. So I just want to make sure everything's connected up right here. There we go. So you hit the off button and then you can see that the lights went off and the lights go back on. So we can sniff these commands and we can actually have these commands that are being sent to us through text messages, so we know when people are turning their lights on and off; it's kind of getting an idea of when they're going to bed. And then, so these aren't actually hooked up to any other devices, but there's other commands on here so we can sniff these as well. So any of the other devices that are being controlled, we'll be able to see them.
So think about it in a large scenario. A lot of corporations are leveraging home automation aspects. You can essentially sniff their entire infrastructure and find out everything that's going on there. And we'll talk about the jammer in a second, but the ability to actually send messages over, like, a Verizon network or something like that to that device and start jamming it, i.e. security systems or those, and walking into the infrastructure undetected is definitely a plausible situation. Get that back up. Okay, so just another screenshot of the device that we have set up here. So moving on, we're going to talk about the TW523. That's going to be the device that we had plugged in there with a phone jack, and that's hooked up to our Arduino. So that's what's going to be doing our sniffing and sending. This is one of the products you can buy. You can get it from smarthome.com and this is going to allow you to do the communications over the power line. So what we thought would be really cool is instead of having all this mess over here, you know, on the breadboard and all the wires, you know, it's going to be kind of noticeable, plugging that into an outlet outside of somebody's house. So we thought we could take one apart. We can put a Teensy inside of it and then we're going to put that all back together, kind of make it a little bit stealthier, and then we can walk up outside someone's house and plug that in and then we could start jamming signals. So we could turn off all the devices, and then whenever you're tripping these motion sensors, the window sensors, the door sensors, it's going to jam the signal. It's not going to be able to get through. It's not going to be able to alert the security console, and then the lights won't flash on and off and the alarm's not going to go on. So basically you just walk in the house, you trip all the sensors. They're not going to be able to do anything. So this is where we hooked it up and we're testing it out.
The first time we tried it, we actually sent a little bit too much voltage and current through our Teensy. So we got one here that we fried. So AC is kind of difficult to work with sometimes. So we tried it again. We got a working jammer. What we had to do was use a buck converter to step down that high voltage and current to get a stable five volts for that Teensy to work off of. So that was the most difficult part for us. But then once we got that all set up, it actually worked pretty cool. So we'll be showing you this device here real quick. So this is the jammer. So all you have to do is you walk up to someone's house, you go into one of the outside outlets, you plug this device in, and it's going to kill all the lights. It's going to kill the sensors and it's going to jam the signal. So now if I try to turn the lights back on, you can see that the light's blinking up here. Well, you probably can't see it from back there, but trust me, it's blinking and nothing is going through here. So as soon as we unplug this device again, now everything is working. So essentially what that means is all we have to do is walk up to your house. If you're using this security system, we're going to plug a device into your house and now all of your lights go out. None of your sensors work. Your alarm's not going to trip. It's not going to call the cops. We're going to walk right in, take whatever we want and be able to walk out. So we've got a new tool release. We're going to be releasing the code for the X10 sniffer in the Social-Engineer Toolkit, which sniffs all the traffic that you just saw. And then we've got what we call the X10 blackout device, where you plug it in and it kills all the lights. And then it's going to jam. Some of the other technology that we've been looking into was Z-Wave. It's a little bit more improved than the X10. It leverages mesh networking.
So it doesn't actually transfer any of the data over the power lines, but the way that it works is it sends signals over the 900, I think we got a mic. Oh, no, sorry. Okay, so it sends the signals over a 900 megahertz frequency range and it uses mesh networking. So it's got different devices in the network and you can kind of get a little bit of a better extended range on that. So what that means is you've got one device hooked up on the mesh network and you're trying to reach another one, but the distance is too far. They can leverage some of the existing nodes that the network can kind of hop the communication through to pass along. So you're going to get a little bit of a better range with these devices. And they also have support for AES. However, we haven't seen many devices that use it, unfortunately. So that's unfortunate. The jamming, you can do some jamming on the Z-Wave. Since it's running on the 900 megahertz frequency range, if you just try to build a device that's going to send some interference through that 900 megahertz frequency range, it's going to be able to block the communication. So it's not going to be able to get through. Which is somewhat illegal, by the way. Yeah, so the whole RF thing is illegal, so we didn't bring any of those devices. I don't think we would be able to get that through the TSA. So we were looking at the SDK for Z-Wave and it actually comes with a sniffer with it. So you can kind of sniff the protocol, but they're a little bit pricey. They run around $2,000, $3,000. So it's not going to be something that your average person is going to be able to afford to pick up. But they do have that with it. So the AES encryption, when we were looking into this, when you do AES, when you initialize the keys, we found out that it doesn't appear to be using a FIPS-compliant method for initializing those keys. So it's actually possible to sniff those keys as they're initializing devices.
So we can pick up those keys when a new device is being added to the network, and now we'll be able to sniff the communication that's going through the mesh network and then also be able to maybe inject packets or whatever else you want to do at that point. But again, we haven't seen many devices traditionally. We saw one that was a door handle, basically, that supported AES, but aside from that, for the most part, the majority of them do not. So again, all of the stuff that you just saw here, the stuff for the Teensy device, with the conversion to, I think I'm talking a lot of them. What's that? Oh, gotcha. So all of the stuff that you saw from the Teensy device, as far as the ability to take a binary, convert it to hex and then write it off onto the system, is in the new version of the Social-Engineer Toolkit. And you can get that from secmaniac.com, so that's S-E-C-M-A-N-I-A-C dot com. And it's got all the code for all of the X10-based attacks that you saw here, as well as the different types of attacks that we've got on there. Coming soon, we have a sniffer based on Z-Wave initialization keys, encryption keys. So basically you'll be able to run that off of the network itself and actually start to identify and spoof a Z-Wave-based controller. And then basically it'll send it to the system for you. And then also, if you're interested in how we actually built these devices, we'll have a blog post that has exactly what we did in order to start our devices, the parts used to do it, everything like that. And it's very easy. I mean, it's not significantly challenging to do. So, well, we ran a little fast in this one, but I just wanna say to anybody, free hugs after this, I'm all for that. And check out DerbyCon, it's in Louisville, Kentucky. And thank you very much. Anybody have any questions? Yes, sir, in the back. Now, the only issue that we've seen with the HomePlugs are the default keys that are being used by the actual vendors themselves.
The actual encryption standard for it is actually working really well. So, we haven't seen any exposure as far as that goes, minus the default keys. And like the Netgear 500 AVs, they randomize the shared keys per initialization, which is really good. Folks, great, appreciate you.