Hello, my name is Vlad Gostomelsky. The presentation I have for you today is attacking goTenna networks. Quick disclaimer: you should definitely try to not violate federal laws, FCC regulations, applicable laws in your state and country, all the good stuff. Anything I say is my personal opinion and not the opinion of my employer, so don't blame them. A little bit of background: I've been doing this professionally for 18 years, doing vulnerability research, attacking various wireless systems, medical devices, life-critical devices, and infrastructure. For those of you not familiar with goTenna Mesh, this is what we're talking about. We're not talking about the first-generation goTennas, we're talking about the second-generation goTenna Mesh. This is what's inside of the lovely little plastic case. For those of you in the Wireless Hacking Village, something should jump right out at you. First of all is that really amazing antenna that you could swap out, which actually doesn't exist, because it's a regulated device. It does not require licensing, so it's severely limited by its power output. You're not supposed to be able to add on an auxiliary antenna. Of course, some folks have been modifying them. The second thing you should notice is that amazing tiny little battery, which is supposed to last 24 hours, but from the testing we've done here at DEF CON, we're getting about three and a half hours, especially with the people that have been spamming the network. This is built as a device that you could use when networks go down, when everything else fails. So something you should notice is the waterproof seal on this case, which also doesn't exist. It's basically ultrasonically welded together, which means if there's pouring rain and flooding, again, these devices don't seem to survive very well.
So why are we doing a talk about attacking something that's supposed to be the backup network when everything fails? Well, first of all, the only way to see if something really has any business being an emergency communication device is to see whether or not their claims are true. And they're touted as emergency infrastructure. They've received quite a bit of FEMA funding. They're being deployed at some of the large ski resorts, to help people find their families on the mountain, but also to be used during emergency communications. New York City actually is giving away quite a few of these to businesses that were previously impacted by Sandy. So again, a large metropolitan area, 8-plus million people who are going to be relying on it as critical infrastructure when there is no cell phone service. goTenna has had an opportunity to become emergency infrastructure in Puerto Rico. We have not had a lot of good data coming back about how well it's working. It's kind of been scattered because, well, right now things are still mostly down. But from what I've been able to find online, it has not been very encouraging. We're going to go through some of those things. Quick specs. Interesting things of note: you'll see the amazing output of one watt. Not exactly what you want to see in emergency infrastructure. ISM radio band, 900 megahertz, roughly; ISM covers both Region 1 and 2. It can work with a cellular interlink if you pay for the premium subscription. We're going to get into that. Again, if this is emergency infrastructure and the cellular goes down, then so does your cellular interlink. So again, not very helpful. Compare that with a typical handheld walkie-talkie that covers the VHF and UHF bands, somewhere in the five-watt range.
In some cases a lot more, if you buy from certain shady Chinese manufacturers. You're able to have APRS, which is an automatic position reporting system. It makes the radio quite a bit more expensive, but again, it gives you an actual digital radio that you can connect to your computer; you can send messages, you can send positioning data, you actually have a GPS that's built into the radio. It's an open standard, so you're not locked into a dinky little plastic device. It's an open standard, so you have interoperability; you can use multiple manufacturers, multiple different components that you can kludge together, even just doing plain radios and open-source software and a Raspberry Pi. And of course again, if you buy radios from certain shady manufacturers, you could do other band operations, covering MURS bands, ISM bands, in some cases even police frequencies, which you should definitely not transmit on, but receiving is obviously fine, depending on where you are. Cost of entry: this morning, the goTenna Mesh was 179 bucks; Baofeng radios were still 22 dollars on Amazon Prime, delivered to your door. Okay, sorry, yes, so it's 179 for two goTennas, correct, but you need two of them to work. If I have one goTenna, then I can't call this gentleman because he may not have a goTenna. So, correct, yes, you have a wide community of ham radio users as opposed to people who just bought into this closed ecosystem. And of course all the police officers who are not linked to the repeater at the moment. Looking at Kenwood radios, you have an actual digital modem, again built-in GPS, something that you could use without a cell phone being connected.
Basic operations. First thing, you need to install the goTenna application on the phone, which becomes rather difficult if the internet is down. So even if you were to airdrop goTennas somewhere, the instructions start out with "fully charge your goTenna." Well, power's down. Then you download the application from where? Internet is down. You connect your phone to the goTenna, and you turn on the goTenna, essentially, and then you could connect with other users and your message is going to travel hop to hop. The reason I put down "X number of hops" is that up until a few weeks ago, it was three hops. In the last update, they pushed it out to six hops. Again, because of propagation issues, because you're only getting a few city blocks, if you're really lucky, with these radios. Looking at the FEMA website, this is what they demand from emergency infrastructure. It needs to be resilient, meaning it'll stay up even if there's flooding, if there's monsoon rains, earthquakes. It needs to be robust. It needs to be secure, reliable, and that last one, open standard. I haven't seen any other radios that work with goTenna Mesh, so again, it fails on that point alone before we even examine the secure portion a little bit deeper. Encryption. Encryption is handled in the cell phone application, not on the device. That means it opens up the iPhone and Android devices to attacks. You know, there have been two major updates to the goTenna application, so we had to scramble to do kind of a source code review while we were here at the conference. So we were going to be publishing updated slides with the actual issues that we found in there. What I can tell you is that we have initialization vector issues in an open-source script that they're using. There are key storage issues.
Once the key is actually generated, it's stored in a way that's essentially accessible to many other applications on the device. So if you have a malicious application, or if you don't fully trust the government in the area where you're running the application, the key could be extracted and moved to another device. And we have implementation issues. The algorithms that they're using are sound and peer-reviewed. However, their implementation is flawed. One of the big features that they tout for connectivity, again, is goTenna Plus SMS Relay. So if somebody is paying for a premium subscription, they're using somebody else's device for backhaul and using cellular connectivity. Which is really great if you're in the middle of a city and everything's working fine. Not so useful if cell phone towers are down. When somebody's doing a default install, the GID, which is the global unique identifier, by default is set to be your cell phone number. Again, not really great for anonymity. It is possible to set the GID manually, but it's not very straightforward. You essentially have to know that you want to do this and go back and do it. So if you're in a large network such as here at DEF CON, we've been harvesting quite a few phone numbers. So even the audience here has been using phone numbers. We haven't called up those people to verify if they're indeed the goTenna users, but in large cities they typically are. Public shouts: again, the phone numbers go out in clear text. And emergency broadcasts include the GID as well as somebody's GPS location or somebody's last known GPS location. So your cell phone application is leaking data. There's been a really fun application released in the iOS store, which is the Mesh Developer Toolkit.
So we've been able to do open-source recon on developers who are working on the goTenna Mesh devices and essentially locate them physically on the map, them and their goTennas. So we have a nice comprehensive map of where they are located in New York City, where they go out to lunch with their phones still running the application. We're going to see if we want to release the full list or not. So we took the default screenshots from California, but I think we're going to release the New York map. We mentioned the GID briefly. By default it's the phone number. It's totally non-alphanumeric. It is user-configurable, so you can decrease the attack surface if you want to. Either way, throw away all the cell phone numbers. The goTenna Mesh application, the official one, does limit how many direct messages you could send. But since it's an open SDK, you can go out there and grab 500 API keys and just start spamming the whole network for hours and hours, and there's absolutely nothing that anybody can do to stop you. And of course there's no authentication, so it's not like you can kick me off the network. One of the most fun GID attacks to be implemented (by the way, if you're in this room you may have noticed that your goTenna connectivity has kind of dropped significantly) is the GID attack. The way it works is it bases the hop count on the GID of the device, which is supposed to be a unique identifier. However, you can program multiple goTennas to have the same GID. So for example, I have a device with a GID of one, two, three, four, five, six, seven, eight, nine, and I'm a good citizen, I'm helping you broadcast on the network. But wait, this device has the same GID, and this device, and possibly his device. Now all of a sudden you have messages essentially round-robining in the same network.
The packet count is dropping. So I receive a message and repeat it; the hop count is six. When I broadcast it, it drops the packet count to five; then this radio gets it and repeats it with the same GID, dropping the packet count to four. This radio receives it, drops the packet count to three. So now the distance your message can propagate has been dropped to essentially half of what it would have been, with what's in my cargo pocket. Again, not resilient infrastructure. And just to re-emphasize, in emergency situations, it could be a nation-state level attack, it could be a bunch of Saudi citizens that got in a plane and intentionally caused a grid-down situation. So if you can implement an attack that drops your emergency infrastructure for the cost of under two hundred dollars, that is not robust. If you want to play with this attack, what you need to do is set up one goTenna with your friend's GID. So essentially find out somebody who's using goTenna, set up their phone number, pair the goTenna, turn off the goTenna you've been using and pair a new goTenna. So essentially you're telling the app that you dropped off the old goTenna without deleting the GID from the actual radio. So this lets you bypass the controls within the application that prevent the GID attack. If they ever do fix the application, what you do is you stop by and pick up a few burner phones, twenty, thirty dollar phones, and you set up the application with the custom GID being exactly the same. Another really funny thing is, if you program your friend's GID, because these devices are meant to work offline, it doesn't do proper certificate validation.
So if you know that your friend is supposed to do a secret rendezvous with somebody else, and you set up their GID and you go there in their place, you will receive the direct messages that are meant for them, that are supposed to be encrypted, and your device will successfully decrypt them because, as I mentioned, there's an initialization vector issue with how goTenna does encryption. There's been a major firmware update on August 7th. They finally pushed the fix for version one. The last time you heard, vulnerabilities for version one were released over a year ago, right here in the Wireless Hacking Village last year. So if you're talking about robust infrastructure, over a year to fix serious security vulnerabilities is not really what you want to see from critical infrastructure. They pushed both an app and a firmware update. The new firmware has been over 32 megabytes, so we have not had a chance to fully sink our teeth into it, which is why we're going to be pushing the updated version of the slides in the forums. As I mentioned, they are using known good ciphers. The ciphers themselves have been peer-reviewed. However, the implementation goTenna uses has not been peer-reviewed. I've let them know about this as far back as October 17th, so I don't feel too bad about releasing information here or publishing exploits. The response basically has been, "Well, if you don't like it, why don't you write something better?" And my response is, you're the guys who are pushing out robust architecture and saying that this is secure and this is what people should be using. The attack vectors that we have are the phone application itself. If you have other malicious applications on the phone, they can actually interact with the application.
We have not found any malicious application on third-party app stores yet, but that doesn't mean there won't be by the time this talk is done. We have Bluetooth attacks. There's been a really cool Bluetooth rebinding attack, which means if somebody's sitting here and has a goTenna with them, you can force their phone to unbind the Bluetooth connection and essentially take over their goTenna. You have USB attacks. USB debug is actually still turned on on these goTennas. So if you have physical access and you find somebody's repeater node that's been placed in a strategic high location, you can actually reprogram it and leave it there and nobody will be the wiser. You actually can mess with other goTenna nodes. We've been playing with fuzzing over the goTenna protocol, and the goTenna Meshes have not been robust at all. We've had numerous goTennas lock up, and we've been able to save them with a firmware update over the air. But you could certainly go around and crash other goTennas over the goTenna Mesh protocol. You can also push malicious firmware updates over the air, because these devices are not doing proper certificate validation. Who here has seen zombies? I'm talking about real-life zombies. This is what zombies look like when the power goes down. People just mindlessly stare at their screen, hoping the bars will show up, even if they see that the cell phone tower is folded over in half. When you see zombies, you tell your dog to get your gun, and then you start building infrastructure. This is what keeps communications up. This is what helps hospitals communicate. This is what helps emergency services actually respond even in a grid-down situation. This is a toy. This does not. Again, backup infrastructure; toy.
In an emergency situation, I can hand you a radio, even though you may not have a ham radio license, and now all of a sudden you can connect to emergency services. You can communicate with other ham radio users, with police officers. If I were to hand you a goTenna, if you do not previously have the application installed on your phone and don't have all the firmware updates, the goTenna is completely useless. Any questions? We have not found an Android one; so, they've pushed a number of updates recently. So the goTenna app for version one is up on Android, but not the latest updates. The Android store is about three versions behind right now. They're very significant. So they use different frequencies. Version one did not include any kind of meshing. They had a more robust antenna, physically speaking; however, the antenna was less efficient. So the new devices, even though they're using less power, actually do have better range. As I mentioned, they have meshing. Right now, if everything works correctly, they can do six hops, versus the old version, which was direct point-to-point communication. They've updated their API twice since then. So yes, they're able to push more data between them. That's how they were able to add the cell phone backhaul. So because they changed the protocol, it's been both a change in the application and the firmware. I still have not had a chance to dig into what they're doing with the version one that they pushed four days ago, because we've been too busy updating slides for version two. Any other questions? Essentially use the GID for the private key, correct. But neither does the other user. So essentially when you're operating offline, if I walk up to you and it looks like I have the correct GID, since your phone doesn't already have my certificate, it will just automatically trust it.
Correct. Yes. Thank you everyone for coming.
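Two of the failure modes the talk describes, several radios sharing one GID burning the hop budget of every message they touch, and GIDs that are simply the owner's phone number, both leave a footprint that a passive listener on the mesh could spot. The script below is an added example written for this page, not code from the talk or from goTenna, showing what a defender-side monitor for those two conditions could look like. It assumes a constructed log format (`t=… gid=… msg=… hops=…`, one line per relayed frame a monitoring node hears); goTenna's real frame layout is not on the page and is not modelled.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of what a passive monitoring node might log for each
# relayed frame it hears: capture time in seconds, the relaying device's GID,
# a message id, and the remaining hop budget carried in the frame. The field
# layout is an assumption made for this example, not goTenna's frame format.
# Message m1 is relayed three times by GID 8005550100 with a decreasing hop
# budget, which is the pattern several radios sharing one GID would produce.
SAMPLE_LOG = """\
t=0.00 gid=5551234567 msg=m1 hops=6
t=0.40 gid=8005550100 msg=m1 hops=5
t=0.55 gid=8005550100 msg=m1 hops=4
t=0.70 gid=8005550100 msg=m1 hops=3
t=3.10 gid=424242 msg=m2 hops=6
t=3.80 gid=77777 msg=m2 hops=5
"""

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) gid=(?P<gid>\d+) msg=(?P<msg>\w+) hops=(?P<hops>\d+)"
)


@dataclass(frozen=True)
class Relay:
    t: float      # capture time, seconds
    gid: str      # GID of the device that transmitted this copy
    msg: str      # message identifier
    hops: int     # remaining hop budget carried in the frame


def parse_log(text):
    """Parse the constructed log format into Relay records, skipping junk lines."""
    relays = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            relays.append(Relay(float(m["t"]), m["gid"], m["msg"], int(m["hops"])))
    return relays


def looks_like_phone_number(gid):
    """Heuristic for the default-GID problem: a 10-digit number with a
    NANP-style leading digit, or 11 digits with a leading country code 1."""
    digits = gid[1:] if len(gid) == 11 and gid.startswith("1") else gid
    return len(digits) == 10 and digits[0] in "23456789"


def suspected_duplicate_gids(relays):
    """A single honest device relays a given message once, so the same GID
    re-relaying the same message points to several radios sharing that GID.
    Returns {(gid, msg): number of relays heard}, i.e. hops burned locally."""
    seen = defaultdict(list)
    for r in relays:
        seen[(r.gid, r.msg)].append(r.hops)
    return {key: len(hops) for key, hops in seen.items() if len(hops) > 1}


def analyze(text):
    """Run both checks over a log and return the findings."""
    relays = parse_log(text)
    return {
        "duplicate_gid_relays": suspected_duplicate_gids(relays),
        "phone_number_gids": sorted(
            {r.gid for r in relays if looks_like_phone_number(r.gid)}
        ),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for (gid, msg), n in findings["duplicate_gid_relays"].items():
        print(f"GID {gid} relayed {msg} {n} times: possible shared GID, {n} hops burned")
    for gid in findings["phone_number_gids"]:
        print(f"GID {gid} looks like a phone number: advise the owner to set a custom GID")
```

Run as-is, the script flags `8005550100` as a probable shared GID that consumed three of message `m1`'s six hops without moving it anywhere, and lists the two phone-number-shaped GIDs as candidates for the "set a custom GID" advice the talk gives. The hop-budget check deliberately keys on `(gid, msg)` rather than on hop count alone, because several distinct honest radios in one place each relaying once is normal flooding behaviour; only the same GID doing it repeatedly is the anomaly.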