going to do some really, really cool shit. They have a big piece of wood up here with about $4,000 worth of shit on it. And I bet it's going to do really cool shit and you're going to take it home and do your old cool shit at home. All right, so we are going to have a Q&A mic if they finish early but they probably won't. At the end of the presentation we will take them out into the chaos that is the hallway and you guys can pester them there with questions. So with that, the floor is yours. Now working. Hello, hello. Check mic. There we go. Hey, good afternoon, everybody. All right, does anybody in the audience, anybody at all, do you like heist movies? How many people out there like surveillance cameras? Everybody who cheered is a fed. So my name is Eric Van Albert. My name is Zach Banks. And we will get this sorted out soon enough. During the day we work cushy software jobs, not doing much of anything. But by night we turn into hackers. And our most recent project was working on surveillance cameras. So hopefully you're here to see how to loop surveillance cameras like in the movies because that's what our talk is. And if you're not here to see that, you should probably stay anyway because you'll hurt my feelings if you leave. Today in this talk we're going to talk about a few different things. We're going to start out with an overview of prior art. See how other people have looped surveillance cameras in the past. Then we're going to move along to the anatomy of an ethernet cable. We're going to see how physically data goes from point A to point B. After that we're going to look at how we made a piece of hardware to splice into the middle of an ethernet cable and intercept that data. Once we have control of that data we can look at what network layers are built on top of ethernet. Then we're going to talk about the software stack we wrote to decode those extra layers.
Finally we're going to conclude with some demos unrelated to camera looping because hopefully throughout this entire talk we will be running a live demo where we are splicing into a camera feed and causing it to loop. Sound good? Cool. Prior art. So we did extensive research on this topic before embarking on this project using reputable journals such as TVTropes.com. And we found that there are basically two ways to loop cameras. One involves taking a picture of what the camera is seeing, printing it out and taping it over the security camera. This seemed a little bit too low tech for us. It didn't really pique our interest. So we looked on to the other type. This type involves taking your heist team's hacker guy, sending him into the network closet, telling him to find the ethernet cable that runs the camera feed, attach a small device to it and cause the camera to loop. We found numerous examples of this. On the left you can see a shot from Ocean's Eleven where they have about a one square inch device that appears to be sort of tacked on to the ethernet cable with some sort of adhesive. Not really interacting with the wires in any way. Honestly, we were a little bit skeptical that this one worked. On the right is a little bit of a more realistic example. This is from National Treasure. It appears that there's a Linksys router with the front cover removed and a 9 volt battery stuck inside and I think there's a circuit board taped on top. We remain skeptical. So we set out to create our own device as close to the movies as possible to see how practical this attack really is. So this is the system that we're trying to attack. It starts with a surveillance camera which is connected via ethernet to, well, we really don't care what it's connected to. It could be connected to a router, a switch, a firewall, directly to a computer. It doesn't matter as long as there's an ethernet cable somewhere in the mix.
And the entire length of that ethernet cable is our attack surface area. So up on stage let me show you a little bit of what we have here. Over here we have the vault that we're going to try to break into. Here we have the surveillance camera watching the vault. This surveillance camera is connected via ethernet through this long coil to the security guard computer, which has gone to sleep. And so, sorry, let me real quick make sure this is up to date. You can see the security guard computer showing the feed from the camera pretty much live. There's a little bit of a delay but I can't steal the money from the vault because it's being watched by a security guard and they'd come arrest me. All right. By the way, the rest of the demo, the rest of the things that we have set up on this board are strictly for us to aid in presenting this. The security guard computer isn't actually attached to these other computers in any way, which is why we're displaying the picture from it using another camera. It's a little bit silly, I know, but it helps to show that we really don't need network access. We just need one ethernet cable. All right, so what's inside an ethernet cable? Well, if you remove the jacket from an ethernet cable, pretty much any kind of cable, Cat 5, Cat 6, you're going to find yourself with four twisted pairs. Now these twisted pairs are what carry the actual data. There's a lot of various ethernet standards, for instance, 10BASE-T and 100BASE-T. These two ethernet standards are quite simple in the way they work. They only use two of the four pairs to send data. One of the pairs takes data this way, the other pair takes it that way, and beforehand they of course negotiate which one's going to talk in which direction. This is neat because you can just sort of tap into the middle of the cable, sort of phone tap alligator clip style, and pull the data off of the middle. This is called a passive tap.
Now the wires are twisted together, first of all to minimize interference they receive, second of all to minimize the interference that they emit, and third of all to maintain a very carefully controlled impedance of about 90 ohms. Now at either end of the ethernet cable is a network interface card or NIC. And these network interface cards have a termination resistor on them, which is also 90 ohms. This prevents reflections and loads the cable in a very nice way that makes it all happy. So if you just sort of blindly take another network interface card and attach it to the middle, you will be able to sniff the data off of it, but you're unintentionally adding another termination resistor to the middle of the cable, which is going to heavily degrade the signal and perhaps cause data loss. So it is possible to passively tap 10/100BASE-T ethernet with another network interface card, but you have to remove that termination resistor, which is a little bit of an invasive surgery for your NIC, not the best option. Now 10BASE-T and 100BASE-T are great, but they're a little bit outdated. They were introduced in 1995. We want to be a little bit more up to date. So in 1999 gigabit ethernet was introduced, so we want to be at least current with 1999, I think. Now gigabit ethernet is a whole other beast. Gigabit ethernet uses all four pairs to send data, and it's not this simple two this way, two that way scheme, no. They use all four pairs to send data in both directions at the same time. You might say, hey Eric, how is that possible? Doesn't the data get all mixed up, all jumbled together? And the answer is yes, it does, but here's how it works. Let's say I want to send data onto this line. I'm at one end of the cable. What I do is I write the data I want to send onto the line, and then I immediately read back what I see on the line, and then I subtract out what I know that I sent, and the result is what the other person sent.
It's pretty clever, but it means that if you're trying to tap the cable in the middle, you're going to see all that data going both directions. There's going to be no way to really disambiguate it, and it's basically impossible to passively tap gigabit ethernet. I certainly don't know of a way. The only way to read the data off of a gigabit ethernet line is to become one of the ends. That is, if you're in the middle of the cable, you need to cut that cable, add your own network interface cards or other devices into the center, and you've now basically become the ends of those ethernet cables, and you can accurately tell what data is being sent. The only kind of tap you can do on gigabit ethernet is an active tap topology. Now, there's a lot of different, you know, I mentioned 10BASE-T, 100BASE-T, gigabit ethernet. I really don't want to implement these protocols, mostly because there's a lot of people who have done it very well already, namely the people who make network interface cards. And so, in order to insert myself into the middle of this cable, I really don't need to learn how ethernet works or implement ethernet. I just need to implement a way to reroute where the signals are going, to take the cable and change the direction of the data to go to my NICs rather than straight through the cable. Now, I'm going to take a break for a second here to show what Zach has been doing here. He took this blue ethernet cable that was connecting the camera to the computer and he removed the sheath. And he's now exposed the four twisted pairs on the inside. You can see green, brown, orange, and blue. So, the device that we made to redirect the ethernet, to redirect the flow of the data, is called the tap board. And it looks approximately like this. I can show you it on the camera too. This is the tap board. Now, the tap board has a lot of cool features. It has eight latching relays, which are used to reroute the ethernet signals where we want them to go.
Now, these aren't standard relays. These are 1 gigahertz rated relays. These relays will pass things up to 1 gigahertz bandwidth without breaking a sweat. And that's good because 100BASE-T and gigabit ethernet only use 125 megahertz of bandwidth, so that will work great. It uses additionally 16 punch-down connectors. These punch-down connectors are really neat because they connect to the cable by displacing the insulation around it and connecting to the metal inside. You don't actually need to break the physical connection at any time to attach a cable to these punch-down connectors. On the board, there are several traces which the ethernet will flow through eventually. And these traces are designed to be 90 ohms impedance just like the ethernet cable. This is cool because if you attach our board to the ethernet cable and then use a cable network analyzer (we weren't able to get our hands on one of these because they're very expensive and nobody we knew had one), we strongly believe that this board would be basically invisible to a cable tester. It would show up as the same length and it would show up without very much distortion in the signal where the board is spliced in. Lastly, this board is completely powered and controlled over USB. And the nice thing about USB is that you can connect it to a computer and then you can connect that computer to the internet with SSH, which means you can control the routing of this ethernet cable from across the internet, way far away from where you might actually be interacting with your victim's network cables and stuff. So let's take a quick look at what Zach has been doing over here. What he's done is he's working diligently on splicing the cable into the tap board using this punch-down tool. And so what he's doing is he's displacing the insulation on the wires, making electrical connections to the board, but without interrupting the data that's being sent.
And as you can see, the camera feed is uninterrupted. You can see the time stamp up there still ticking away. Come on. Lights are annoying. There we go. So far we haven't interrupted the camera feed. Now by default, or let me start with, there are four ports on the tap board: device under test A, device under test B, tap A and tap B. In the default sort of passive configuration, device under test A is connected to device under test B. Now the way that you attach to this tap board is first of all by splicing your own man-in-the-middle NICs into tap A and tap B. Then you can lay the target ethernet cable across it, splicing it into both DUTA and DUTB. And if you remember, DUTA and DUTB are connected together by default. So what you've done is there are now two possible signal paths for the data to go through. You've added a redundant copper path by punching down the ethernet cable into the tap board. And because there are two redundant paths in the tap board, this means that you can then remove one of them. That is, you can cut the twisted pair, leaving the signal routed purely through the tap board. And you can do this without ever interrupting the signal at all. We can look over on the camera now. Zach has finished punching it down into both DUTA and DUTB. The camera feed is still going. It's a little hard to tell. Yeah, you can wave your hand in front of it. There we go. So far the camera feed is uninterrupted, but now we're going to start removing the middle of this ethernet cable, leaving the signal routed only through the tap board. Let's look at the video. You can see the time stamp still ticking away. No disturbance yet. Almost done, just two more twisted pairs. Again, video. And there we go. We've completely removed the middle of this ethernet cable. So what do we do now that we've spliced in the middle of the ethernet cable? Well, first let me talk a little bit more about how this tap board works. Just real quick.
This tap board has a couple of cool features. One is that it's basically fail safe. So right now it's in a completely passive configuration. The cable looks basically identical to how it was before. And we are going to want to change that eventually. But if the board suddenly loses power, or if your computer program running it freezes, you want it to revert back to that. Maybe. Maybe it's better that the camera feed go down than show what is actually going on. Who knows. But in any case, this board has a fail safe feature where if the board loses power, let's give it a second. So I'm going to pull out the board's power by pulling out this USB. What's going to happen is that blue light is going to blink indicating that power was lost. And this giant capacitor here stores enough energy to reset all of the relays back into the pass through configuration if that's what you want. Another cool feature of the tap board is that it is, this is my favorite feature personally, the tap board is tamper evident. What this means is that there is an accelerometer on the board. And this accelerometer will detect if the board is jostled or otherwise disturbed while in operation. And so we have a short little program running here where if I tap it, the blue light is going to blink to indicate that it's been tampered with. But of course you can actually connect this to something that phones home. Because sometimes I imagine you might be using this board in a sort of critical application where it's very important that it hasn't been disturbed. This circuit can give you peace of mind. Now we're of course in a passive tap configuration right now. The copper paths are as they were with the original cable. But that's not how we want it to be. We want it to eventually be an active tap. We want to connect device under test A to tap A and device under test B to tap B. This is the sort of critical step. This is where we first start to take control of the ethernet cable. 
And so this is going to cause a little bit of packet loss as the NICs renegotiate the various protocols they're using. But we found that it doesn't cause TCP connections to drop, for instance. And it causes very minimal interruption to UDP traffic and other lower level traffic. And so let's show that right now. We are about to run this command which is going to flip the relays and switch our box into an active tap configuration. So let's do that. Let's show this board. You can see the blue light is on, indicating that we are now actively tapping the traffic, and the guard computer went to sleep unfortunately again. But if we make sure that's up to date we can see that the camera feed is still ticking away. Sorry you can't see the time stamp there. But here, I have a thumbs up. Oh, okay. So Brian's giving a thumbs up on that camera showing that it's still completely uninterrupted. Yet the signal is now routed through our NICs and we now have complete control over the network cable. With that I'm going to hand the mic over to Zach here and he's going to talk a little bit about the software side of things. Hello? Great. I guess it's sort of a figurative mic handoff here. So now that we have basically complete control over the traffic going between the camera and our security guard's computer, we're really close to being able to loop the video that's being sent from the camera. But before we get into that, we need to think a little bit about how the video is transmitted. So the sort of like obvious thing to do would be kind of to record all the traffic that's going through this cable for like a minute or something. And then just play that same set of packets over and over and over again. The problem is this doesn't actually work. It turns out there's sequence numbers and things that are involved in the data stream that prevent this attack from just working as easily as you might have hoped.
There also might be some spurious traffic going on, or maybe the security guard's computer tries to access a website. Either way we need to actually examine how our video data is being sent across the network. So the video is encoded with the H.264 codec. But H.264 isn't just dumped over the network. It's actually wrapped up in, okay, is this better? Okay, so the H.264 packets aren't just dumped right over the network. They're wrapped up in a protocol called RTP, which itself is wrapped up in UDP, which is wrapped up in IPv4 if you're in the 90s, and which is then wrapped up in Ethernet. So in order to actually understand what is video data, we need to be able to decompose all these packets, or all these protocols. And so in order to do this, we built our own man-in-the-middle network stack called Lens. And Lens stands for live editing of network streams. So as I said, it's a, like, two-faced network stack that we wrote in Python, actually, and basically is able to decode all these protocols that we need to do video looping and a few others. And basically it's designed to be as transparent as possible. Basically we don't want to just remake a TCP stream using the standard Linux TCP stack, because the way that the embedded device, our camera, does TCP might look a little bit different from the way my laptop does TCP, and we want our attack to be as indistinguishable as possible. Also it's worth noting, because we've done this ethernet wire trick, we don't need to do any type of ARP spoofing or adding any additional traffic to the network that might be detectable and would let people know that someone's trying to perform a man-in-the-middle attack. Finally we also have the ability to implement in our system these extra layers that are sort of like very high level applications that we can use to just filter data or, say, run video streams through ffmpeg. This is really useful for us to just make cool applications using this stack.
So let's take a look at how we might use Lens in a different example from video. Let's look at how we might implement one of my favorite Chrome extensions, the Cloud to Butt extension. So the way this works is you're reading tech news and it's terribly boring, and so it'd be much better if we replaced every instance of the word cloud with my butt; maybe it would be worth reading. So normally this is done in your browser and it's all nice, but it would be cool if we could implement this at the network level. So everyone on your network sees, or gets to experience, the joy of Cloud to Butt. So let's take a look at our software. So first we're going to need to decode Ethernet. So we're going to add a layer to decode Ethernet, and from there we're also going to need to decode IPv4 and TCP and HTTP so that way we can extract out just the body of an HTTP request. From there, yeah, okay. From there we're going to just take the body of an HTTP request and run it through the layer which will replace every instance of cloud with butt. Pretty simple. Okay. Great. So now if we have this stack set up, when we, I'm almost there. Okay. When we have the stack up, if the security guard's laptop tries to open up a page on cloud computing, instead of what they saw before they'll see something a little different. Maybe. The internet here has been a little bit flaky all day. I definitely blame the internet and not what we're working on. Not our fault at all, probably. There we go. There's some really great headlines here. So we can do this to modify it. This just shows that we can modify TCP streams on the fly that are going through our Lens box. So now we can use this to make camera loops, right? So to loop video it's a little bit more complicated than just dealing with an HTTP request. Instead we have to deal with this protocol called RTP. RTP stands for real time protocol, and it's a bit more complicated because it also involves a few other things.
There's also this channel known as RTSP, which just handles sort of like session data like playing and pausing the video. RTCP, which is unrelated to TCP, just sort of tells you some codec information and quality of service statistics, things that we don't actually care about for looping video. And finally we have RTP, and this is the actual meat that we care about. Sorry about that. So with RTP, the data that's going through RTP is the H.264 data that we want to loop. So here you can see this is like a graph of all the layers that we have to decode everything in a video session, in an RTP session. So we have this UDP layer and this video port filter to just filter out the traffic on the specific RTP port that we care about, and we have an H.264 layer to unpack these UDP packets into an H.264 stream that we can pass off to, say, ffmpeg. And so ffmpeg is really great. We're going to use it a lot here because it lets us perform a bunch of transformations, some of which are more subtle than others, and basically with ffmpeg we can do looping, like cool color effects, or maybe something really subtle. Yeah, this is probably not what we actually want when it comes down to the live stream, but you can see this is live. But if we can do that we're really close to being able to loop video. So all we need to do is just record some of this H.264 data from the camera, maybe for like a few seconds or a minute, and then we're going to pipe this into ffmpeg and use ffmpeg to actually perform a looping command. Then we'll take the stream coming out of ffmpeg and forge packets to look like they're from the camera, but they were just entirely crafted via ffmpeg. The security guard's computer is just going to show our loop and we can do whatever we want afterwards in front of the safe, whatever that may be, probably very legal.
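The layer graph just described (Ethernet, IPv4, UDP, a video-port filter, RTP, then the H.264 payload) and the earlier remark that naively replaying recorded packets fails because of sequence numbers can both be made concrete with a small decoder. The following is an added example written for this transcript; it is not code from the talk or from the Lens project. It walks the headers the way a receiver would, reads the RTP sequence number and the H.264 NAL type (RFC 3550 and RFC 6184 field layouts), and keeps a receiver-side sequence monitor that flags a raw replay. The MAC addresses, IP addresses, RTP port 5004 and the sample frames are all constructed for the demonstration; the checksums in the constructed frames are left zero and are not verified.

```python
import struct

# Constructed sample addresses and port for the walk-through (not from the talk).
CAMERA_MAC = bytes.fromhex("020000000001")
GUARD_MAC = bytes.fromhex("020000000002")
CAMERA_IP = bytes([192, 0, 2, 10])
GUARD_IP = bytes([192, 0, 2, 20])
VIDEO_PORT = 5004  # assumed RTP port the receiver negotiated over RTSP


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II: 6-byte dst, 6-byte src, 2-byte EtherType, then payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(pkt: bytes) -> dict:
    """IPv4 header; IHL gives the real header length, total_len trims any frame padding."""
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def parse_udp(seg: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "payload": seg[8:length]}


def parse_rtp(data: bytes) -> dict:
    """RFC 3550 fixed header: V/P/X/CC, M/PT, 16-bit seq, 32-bit timestamp, 32-bit SSRC."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)           # skip the CSRC list, if any
    if b0 & 0x10:                             # X bit: extension header follows
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": data[hdr_len:]}


def h264_nal_type(payload: bytes):
    """RFC 6184: low 5 bits of byte 0 are the NAL type; an FU-A fragment (28)
    carries the real type in the low 5 bits of its second byte."""
    if not payload:
        return None
    nal = payload[0] & 0x1F
    if nal == 28 and len(payload) >= 2:
        return payload[1] & 0x1F
    return nal


class RtpSequenceMonitor:
    """Receiver-side view of one RTP stream; sequence numbers are 16-bit and wrap."""

    def __init__(self):
        self.ssrc = None
        self.last_seq = None

    def check(self, rtp: dict) -> str:
        if self.ssrc is None:
            self.ssrc, self.last_seq = rtp["ssrc"], rtp["seq"]
            return "ok"
        if rtp["ssrc"] != self.ssrc:
            return "ssrc-change"
        delta = (rtp["seq"] - self.last_seq) & 0xFFFF
        if delta == 0:
            return "duplicate"
        if delta < 0x8000:                    # moved forward, wrap-safe
            self.last_seq = rtp["seq"]
            return "ok" if delta == 1 else "gap"
        return "replay"                       # moved backward: an old packet again


def decode_video_packet(frame: bytes, video_port: int = VIDEO_PORT):
    """Walk Ethernet -> IPv4 -> UDP -> RTP; return None for anything that is not video."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:
        return None
    ip = parse_ipv4(eth["payload"])
    if ip["proto"] != 17:
        return None
    udp = parse_udp(ip["payload"])
    if udp["dport"] != video_port:
        return None
    rtp = parse_rtp(udp["payload"])
    rtp["nal_type"] = h264_nal_type(rtp["payload"])
    return rtp


def build_frame(seq: int, ts: int, payload: bytes, dport: int = VIDEO_PORT,
                ssrc: int = 0x12345678) -> bytes:
    """Constructed camera->guard frame for the demo (checksums zero, not verified above)."""
    rtp = struct.pack("!BBHII", 0x80, 96, seq, ts, ssrc) + payload
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     CAMERA_IP, GUARD_IP) + udp
    return struct.pack("!6s6sH", GUARD_MAC, CAMERA_MAC, 0x0800) + ip


def replay_verdicts(frames) -> list:
    """Run frames through the decoder and monitor; one verdict per video packet."""
    mon = RtpSequenceMonitor()
    return [mon.check(r) for r in map(decode_video_packet, frames) if r is not None]


if __name__ == "__main__":
    live = [build_frame(1000 + i, 3000 * i, b"\x65\x88" if i == 0 else b"\x41\x9a")
            for i in range(5)]
    print(replay_verdicts(live))            # all ok
    print(replay_verdicts(live + live[:2]))  # the replayed packets are flagged
```

Feeding the five constructed frames through `replay_verdicts` yields `ok` for each; appending the first two frames again, which is exactly the "record a minute and play it back" approach the talk says does not work, produces `replay` for both because their sequence numbers sit behind the last one seen. The same monitor, run on a SPAN port of the camera VLAN, is a cheap detector for crude replay, but it will not see a stream whose headers were rewritten to continue the sequence; for that case the link-down/link-up event the talk mentions at the moment of switching to the active tap is the signal worth alerting on at the switch.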
Okay, so we're going to just demonstrate that here. We're using that same setup that I just showed. We're going to first start recording some video, record some packets. Okay, so we've recorded our loop. Now we're going to actually loop this video, and we're using a slightly different setup here that just goes into ffmpeg, and we're using ffmpeg to loop. So now if we look at our security guard's camera, it's actually looping, or, yeah, it should be looping. You can see, by the way, my hand is not showing up, and if you pay careful attention to the time stamp (oh, you should put it back on the time stamp), if you look at the time stamp, the time stamp will actually go in circles. Yeah, so that's really great. We can do things in front of the camera and a lazy security guard probably won't notice that anything weird is going on. But we can do one better. That pesky time stamp, it'd be nice if we could generate that or something the easy way. The camera is still streaming data to our box; we're just kind of throwing that out. But if instead we use ffmpeg to merge it with our loop stream, we can just take that little rectangle that contains the time stamp, and we know nothing else important is in there, and just paste that over our video. And so when we put that loop together, the time stamp will still keep going up, but the rest of the video will just be completely static. And so Eric set this up now. Sorry, the time stamp is there, just a little off screen. Okay, so yeah, you can see the time stamp is ticking up. Okay, great. And yeah, if you notice, Eric is at work breaking into the vault and nothing is showing up, the time stamp is still going, and we have all the money. So where do we go from here, now that we have run away with our big pile of cash? What else can we do with this box? So one thing that we totally glossed over was that there was absolutely no encryption going on here. And so theoretically, if there was SSL or HTTPS going on, it would be a lot harder for us to perform this man-in-the-middle attack. However, I'm not particularly concerned about well-implemented SSL on an embedded system like this camera, which is incredibly hard to give firmware updates to. And yeah, it's a really hard problem, so we're glossing over that. Besides that, we'd also like to mention that this tap board that we've created could be used for a few other things besides Ethernet. It also might be useful for tapping USB, which uses a single twisted pair for sending data, or HDMI, which sends most of its data over a set of four twisted pairs. We just haven't come up with any good use of man-in-the-middling HDMI, but maybe you have something in mind. We also have a handful of other demos that are unrelated to camera looping, but we figured they were kind of fun applications, and so why not. Switch to the camera. So we've loaded up this webcomic, which may look a little familiar to some people. And so a fun thing that this webcomic recommends is, if you have some people using your Ethernet, why not just flip all their images over HTTP so that their experience is just really annoying. And having used the upside-down Ethernet, it's just really like you don't know what's going on; it's really hard to use. So we basically have some software just to take every image that's coming in over HTTP and flip it before sending it to the browser. This one's taking another second to work. We're having demo problems. This demo relies on the internet, which is a hard thing to rely on. Oh no. Try killing it. Does anybody know any jokes? Okay, we're going to try that one again because we had some internet issues. There we go. Okay, yeah, so here you can see the images are all flipped upside down. And so, you know, one of the things this comic talks about, for those of you who haven't seen it, is it has this quote. Oh, I have to write it. There we go. No, it's mirrored. Oh, it's mirrored. Oh my god. Don't stop being clever. But it's like, what, someone's live editing
the TCP stream? What, no one's that fast. So who wants to guess what we're going to try to do right now? So we have another layer, or we have another program set up, that basically lets us edit TCP streams live. So you just open up a real editor like vim, and you know, you can add extra things to the HTML. So you can just open up vim, and then once you write out the file, it gets sent to the computer. I'm pretty sure this doesn't have any practical purpose other than just making yourself look cooler, but that's irrelevant. Okay, so yeah, basically we have some more demos coming up. Just to remind everyone, we have all the source for our project up on GitHub right now. We have both the hardware for the tap board and the schematics, the firmware for the tap board, all the mechanical components, and most importantly the Lens software stack code. That's all available on GitHub, and you should definitely use GitHub if you want to reach out and contact us. But yeah, so we have some extra demos using the video again. So the thing about, oh, do you want to switch back?
Show the video. So yeah, you've robbed the safe, you've taken all the goods out, you're totally safe, and you want to just turn back and rub it in the security guard's face. So how might you go about doing that? Well, thankfully, when we were robbing the safe we recorded it so we could play it back later. And so now they go try to chase you down and stop the robbery while you're 100 miles away, and they're wondering what's going on. Yeah, that's the end of our talk. Let's get questions. Yeah, so that's the basis of all we wanted to talk about, so if anyone has any questions, it would be great.

How much processing power does the attack computer need? Could you run this on a Pi?

You should answer; I'm going to set this up real quick. Can you hear me? Can you hear me? Great. Okay, we haven't tried running this on a Pi. It's not very CPU intensive. We're using a Chromebox, which is nice because it's a 64-bit processor; it's a nice platform to work on. Basically, I can't answer your question specifically.

Hi, great work. How do you reconstruct the TCP streams? Do you use a Scapy framework, or did you build your own?

We built our own framework to reconstruct the TCP streams. Sorry about that. We built our own framework to do the TCP stream reconstruction because we wanted to be able to mimic how either end of the connection would handle the TCP stream, so we used our own.

First of all, kudos, this is brilliant, and I applaud you for having taken it to the ninth degree; you did an excellent job with that. My curious question was, it seems like the only piece in here that leaves any sort of evidence of you having monkeyed with the system is that renegotiation you talked about, and I'm sure you put some thought into this. So my question is, is it plausible to set the NICs on your tap side to already be appropriately configured?

Probably not. Tell me why.

Excellent, I'll take this question. If I go back a bunch of slides, I was actually going to talk about this, but Zach was too fast at punching down the cables. So in the sort of pass-through mode, what happens is that DUTA and DUTB are connected together, but also TAPA and TAPB are connected together. This is so that you can verify that the board is working, but also so that you can set up the negotiation. You can do all of the negotiation on the NICs before throwing the switch. And so you can learn, through using an oscilloscope or some other passive probing device, whether you're dealing with gigabit or 100BASE-T, and if 100BASE-T, which pair is being used to go in which direction. And you can configure that on the NICs that you're going to tap with beforehand and have them in fact talk to each other. That way, when you throw the switches, no renegotiation has to happen. Now, we sort of ran out of time in working on this talk to make that actually work, but we feel like the hardware support is there and we're very close to having no link-up, link-down effects as you throw the switches. It's also worth noting that you can also throw the switches in such a way that you passively tap the connection using just one network interface card, if that's what you're into.

All right, so when you're not injecting power through the pigtail, how well does it handle the PoE transition? Because there is a little handshake there for that.

I honestly don't know very much about PoE and that handshake. I know that if you're using PoE without any additional data, our board is capable of that if you add your own PoE on the proper side. And so again, you can figure out which side is giving power for Ethernet using a multimeter and an oscilloscope and then add your own PoE injector on one of the tap NICs, and that will, when the relays switch, continue to give power basically seamlessly, just a very small blip in power to the camera that you're trying to attack.

So normally, if it's 10/100, PoE should always be on the fourth pair. You should be able to just leave those clamped all the way through, but that would certainly work.

I've heard there's many different standards for PoE, and I don't pretend to know all of them, but if you're actually not sending data and power over the same lines, you can definitely leave the power lines still connected.

It's either 24 volts passive or 48 volts active.

Cool. So I guess you partly answered this before with the Daily General's question, but, not working? Sorry. This is partly answered by what the other people asked. Do you end up using the same MAC addresses in your NICs as the original hardware had? Is that happening in real time when you do that first packet?

Yeah, so basically we pretend to be the MAC addresses of the two devices under test. We're able to just spoof Ethernet packets that look like they're coming from those MAC addresses. So our two NICs effectively don't advertise any MAC addresses or anything like that. In that case, yes.

This is about as cool as it could get, so well done. Before we go to the next question, if you are leaving, please do not go out to that side of the room. Go out to the back or to this side. So your right is no, your left is yes, straight back yes, blah blah blah blah blah. So you guys have clearly rehearsed this and it was well presented. Thank you. Now one question, so well rehearsed: how many times have you done this and how fast can you do it? We need to know to tell the team.

Let me first say this is the fastest we've ever gotten through it. We expected to be pressed for time and we can take some adrenaline involved. Do you want to do the animals? No animals?
It's worth noting that no animals were harmed in the making of this talk, but several tens of Ethernet cables were completely destroyed.

So just like in the heist movie, would it be possible to re-solder the two ends of the wires and then put some electrical tape around there and leave it untouched?

Yeah, actually, they make little boxes that just have the same punch-down connectors, and you could basically, when you cut the wires, just leave enough tail so that you could re-punch them down and cut out our board. So it's totally possible to remove our board from the Ethernet cable without disturbing it.

I was wondering, is the tap board compatible with Power over Ethernet? A lot of cameras are powered that way.

Right, we just covered that a little bit. The short answer is yes, it is compatible if you add your own PoE injector on the proper side.

Oh, interesting. As it is now, we can't; it's powered over USB. And that sort of makes sense; the tap board doesn't work without a host computer to run it off of. But I can totally see being powered over PoE as a reasonable option.

Right, that's it. Thanks a lot for coming.