Good morning everyone. I see most of DEF CON is not here today because it is Saturday morning. I can't expect that. So welcome to iFight for the Users, Episode One: Attacks Against Top Consumer Products. I'm Zach. This is Erin. She's Tech Barbie. We always like to start with a slide of what our credentials are. We like to say: don't trust the speaker just because they're up here. Trust them because you validate what they're saying. So instead of having a long list of certifications and things we do, we like to say judge us for everything else. Before we get started, it's Erin's first time speaking at DEF CON, and we've been informed that goons are no longer allowed to do shots with first-time speakers. So this is Erin's way of celebrating. Congratulations, Erin.

All right, so before we get started, in all seriousness, this is our con speaker rule 101. Both Zach and myself have been around this game a few years, and what we see persistently is companies go out and love to use these conferences as great PR hooks. So I want to start off by apologizing to every single news media outlet that reached out to us, but we learned really quickly years ago that as soon as you start dropping information, especially when you have things like consumer products and IoT, your talk will get pulled right away. So you've probably heard very little about what we're going to talk about, but we hope to excite you with a few, I don't know, names. We're not being very vague today. So welcome to DEF CON.

We're covering three different topics here today. First, I'll talk about Bluetooth, some fun things with Bluetooth Low Energy. Erin's going to be talking about some of the security products, especially on the camera side. And then I'll also talk about the Windows security side, some fun things we found there. So you might be like, this is a little ADD, this seems a little oddball to be jumping all over the place.
Yeah, it is. But having one talk that goes on for 45 minutes gets a lot of setup, a lot of, okay, well, let's talk about ourselves, we've spent five minutes now, let's talk about the background of this. So we just want to get through it, and we're kind of ADD by nature about the stuff we want to look at. So we figured, what better format than to just jump through a bunch of fun topics and do it that way.

So first thing, Bluetooth. Yes, we have another Bluetooth talk. We've had a few Bluetooth talks over the last four days, including Black Hat. Blue Hydra was released this week by Zero_Chaos and Granolocks over at DEF CON 101 earlier. We've got a talk coming up about picking, actually it's today, isn't it? The Bluetooth lock picking from a mile away. That's really cool. I do want to go see it, actually. And then over on the Black Hat side, there's a GAP proxy tool and a replay tool and a kind of fun Bluetooth suite. So why do we have another talk about Bluetooth Low Energy?

A little backstory. I like magic. I've always been kind of fascinated with it, and I always had this dream as a kid to start a magic bar, like a theme kind of magic bar. And yes, they exist, but it was kind of my little thing of being able to have fun with that. And there are always the basic rules of magic. One, never reveal a secret. Two, never repeat the same trick twice. Three, practice over and over and over. Right? So one and three we can get covered. But how do you, in a restaurant or some other establishment, track if you've shown the same trick to someone over and over and over? So it got my mind going as to how you can track who someone is in any kind of environment. So I came up with this long list of ideas as to how you could track someone. You know, can you get them in the car on the way in through a license plate reader, through their electronic toll collection RFID, through Bluetooth on their car?
And there was a great talk two or three years ago about how the toll systems are using Bluetooth to track cars. If they come by foot, though, or you're in a major metropolitan area where people aren't coming by car, could you do it by facial recognition, voice recognition, different ways via their cell phone, what do they have on them? Credit card, all these different fun things. And then always the not-so-fancy way of just asking, what is your name? So I was thinking about, well, outside of that kind of application, how do you track someone, right? And it came down to these three areas, or four areas, of, well, these are the key ways that you could get positive data that isn't all garbage.

But Wi-Fi is a little bit of a problem. We've gone through the Wi-Fi tracking thing for years. We've talked about how the phones are probing for Wi-Fi. I'm not going to dive too much into it, but I hate to pick on Nordstrom because I love them, but they were the ones who got called out hard; Home Depot was doing it too. All of them kind of stopped this practice, but it was a way that we were tracking user behavior by looking for the Bluetooth or the Wi-Fi probes from your phone. But the mobile device manufacturers caught on to this; they started doing randomized MAC addresses, and they decided that, okay, only if you connect to a genuine SSID will I actually display my real MAC. So we take it as a data point, but we don't trust it now for Wi-Fi, as not all devices randomize, but most kind of do on a mobile device right now. So that leaves us with Bluetooth, car keys, RFID loyalty cards. Those are the key ideas I was messing with in my head. And, well, yeah, we could do car keys. I'm not great on my SDR skills. I'm getting better, but. And the RFID loyalty card is kind of lame. So let's talk about Bluetooth. I'm not going to spend too much time on Bluetooth 101.
If you want to learn more about Bluetooth and its stacks, there are plenty of talks about it, but for those of you who are catching up with us today: Bluetooth Classic uses 1 MHz channels, has 79 of them for data, one for broadcast, and hops 1600 times a second. The MAC address, the effective MAC address, the address it uses, uses an upper address part and a lower address part to make up the address. You only get the lower address part in the packets. And we all know about this. And the only thing that's really using Bluetooth now is obviously audio devices, headphones, Bluetooth earpieces, that kind of stuff. But we've moved a lot more to this Bluetooth Low Energy, or as Bluetooth likes to call it, Bluetooth Smart. Smart. And we talked about a lot of the insecurity in the past at other talks. It's 37 channels, they're 2 MHz wide for data, 3 announcement channels, and then the increment of rotation of those channels and the interval and all of that is dictated when it does the joining to the master. And what you get basically is a 6-byte address, effectively a MAC, we'll call it, for the sake of everyone that's used to that, in the advertisement. And then when it actually connects, a 4-byte access address that is actually used to communicate for that session. Everyone with me so far? I know it's early, but I don't want to waste too much time on Bluetooth.

So Bluetooth does have security, though. When we talked about the Wi-Fi randomization, the Bluetooth group actually started randomization also for its addresses, in Bluetooth Smart. And actually, this is the funny thing, they have an ad on their site, or not an ad, a blog post on their site about protecting your privacy with Bluetooth. We've got good stuff. And they use this photo of this child walking alone. The biggest FUD I've seen in a long time, scaring you, like, my kid's being tracked, oh my god. So, like I said, there's the access address, right?
That's what's actually used in those data packets. But they change upon the disconnect and reconnect every time a device is connecting, except in the advertisements, in which it's static. So long-term tracking of these access addresses isn't so reliable. Obviously, if a device is connected for a long time, you can track some behavior moving throughout for an hour or two hours. But if there's any kind of disconnect activity, it will regenerate. So it gives you good short-term tracking. But from a long-term perspective, you can't really track someone with those access addresses. So it got me thinking. We've got randomized addresses on that side. We've got randomized addresses around the advertisements and the access. So what else is there?

When it comes to Bluetooth, there are two different kinds of profiles. There's the Generic Access Profile, GAP, and the Generic Attribute Profile, GATT. I'm not going to dive too much into these, because obviously this is not a 101 talk. But basically the GAP and GATT profiles provide the communication standard for communicating to the device, to basically set up the connection and actually communicate with the services that the device, the slave, has. So I started looking at these devices to see what we can test. And obviously you go around, you play with the tools, you're like, okay, nothing, nothing, nothing, nothing. I travel a lot. A lot. So I noticed when I was on planes that all of a sudden a lot of devices started showing up. Normally, walking around, you saw a few devices, and we didn't really know what the behavior of all these devices was. We saw certain bits and that kind of stuff. But what's the deal? So it turns out that certain devices, when they are disconnected from their phones or whatever they're paired to, jump back into advertisement mode. So for your simple coding pleasure: if it's not paired, it goes into advertisement mode.
And again, these are unique behaviors we started determining with some of these devices. So can we get devices to disconnect and actually start broadcasting again? The answer is yeah, we can. It's interesting that you can actually jam the 2.4 GHz range with some success, right? Basically, using the USRP B210, you have about 56 MHz of bandwidth. It's not reliable, and it takes a lot to drive it. But you can effectively create a 2.4 GHz jammer using an SDR by generating some random data and all. So we did this and we tested it, and we noticed that by jamming those frequency bands of 2,428 MHz to 2,478 MHz, so basically that 15 MHz band, we can actually get the devices to fall off and jump back to their advertisement channels. But obviously this depends on the host. I have to give credit to iOS. They have great frequency hopping and detection. So basically the phone detects, okay, I see a lot of jamming, I'm going to move to this frequency band and re-pair. So it does have some reliability, but it's a little odd.

The other way to get them to disconnect is by blasting terminate-connection packets. This is effectively the Bluetooth version of deauth. You look for the access address and then you just send a disconnect and it terminates. Now granted, again, limited window, and it gets wonky with some devices. We know some devices don't like to rejoin after they've been told to disconnect. So it's one of those things that, if you're trying to track someone, gives you some good opportunity to get an ID from them and get a connection to the advertisement side, but not so much that it's not going to be noticed.

So we've all talked about tracking before, right? So why am I rambling about tracking, tracking, tracking? Well, a lot of the talks before have been about, well, it's possible. Okay, well, with who, with what? You know, this is really more of an implementation issue.
This is when it comes down to individual devices implementing it, especially on the consumer side. What does what? Amazon and Best Buy probably love me by now, because I just bought a crap ton of Bluetooth Low Energy devices that people use every day. And we're going to go through a few of them and say what we tested; basically, we did consumer-report-style testing against them to see what privacy information they are actually leaking. And we'll start with the worst. Sorry, I need water.

These guys were on Shark Tank a while back, and you may have heard of them because it's kind of a funny idea of shocking yourself every time you do something bad. It's also a fun thing to shock your friends when they do something bad, and they're like, oh, I'm trying to learn, what, you hit, what, stop it. But basically they use a static MAC address. The MAC address, last four, sorry, 8 bits? 8 bits. 16 bits. 16 bits. Sorry, math is hard. The last 16 bits of the MAC is actually in the name of the device. Correct me on my math. And if you don't happen to have the MAC address from the static MAC address or from it in its name, send a GAP request to it and it gives it to you, and it asks you in hex. I dodged it. Somebody wrote a bad converter on that. So this is super easy to track, because we have a static address. Never rotates.

But like I said, they've started implementing this rotation in Bluetooth Smart that devices are starting to take advantage of. But then we have these devices that are meant to track you: TrackR and Tile. We'll talk about Tile next. Effectively, these addresses show up in the broadcast as being random. And they do generate a random one, because the IDs rotate through it. But the ID actually never really rotates on it. The MAC address, we've noticed over a period of over four months, they never rotated. Said they did. But they never rotate. So it effectively seems that as the device powers on, it generates a new one.
But it never powers off and never rotates after that. As well, these devices are meant to track you; it's meant that, as a community, they can track you. So regardless of the MAC address, there's a static ID associated in the GAP profile that will actually display, in the case of the TrackR, the raw MAC address of the device. And it constantly broadcasts when it's disconnected.

Tile is the same way. The Tile identifier in GATT is one of the services in there. Again, a static MAC address, effectively, because it does randomize but never rotates. It randomizes on boot. And it stays connected to a device, but only while the Tile app on a phone is open; once you close the Tile app, it disconnects.

Our friends over at Fitbit: the Fitbit One also uses a random MAC address, but after about four months we didn't notice it rotated at all. It doesn't remain connected to a mobile device at all. So basically, to save energy, it only connects when you connect to it and say, hey, how many steps do I have? What's my time? All that stuff. But it doesn't remain connected, so it's constantly broadcasting as well.

So things have started to get better after this. A little bit. With the Withings Activité, another device we tested, the MAC address randomizes. But it still advertises the raw MAC address in the advertisement data, which broadcasts out. So while the MAC address is changing, it's advertising its real MAC address inside the manufacturer data. Okay. That's a security choice.

Then the Pebble Steel. Another way we can track the devices is in their name, and we've talked about this before too. But it has in the name the last four digits, I'm done doing math, of the MAC address. And it's random, but still, after days of rebooting the device and turning it on and off and losing power, it still kept the same static address. But advertising is random.
Again, in the device info in the GAP profile, it's got the serial number of the device, and it goes to sleep every once in a while, so it's not really reliable. But it's a cool choice; it also uses Classic, so we can track its lower address too. So, interesting choices on how it connects.

The Fitbit Alta. The MAC address randomizes, but again, like all the other ones, they stay static for four months, even after battery loss. Getting a little bit better: this one doesn't turn Bluetooth on until you actually turn it on to sync mode.

The Microsoft Band has the name of the address inside of the device name, and it does randomize the MAC. So we're halfway there. We've got a name that's kind of static as to what you set it for. But the addresses are rotating, so.

And then on the better side of things, the people who actually implement security well. We've got to give credit to Apple; they rotate their MACs pretty well. Android Wear, this was on sale, thank you, Amazon Prime Day. But also notice that this is really cool on the Android Wear watch: once it's connected, it stops responding to broadcasts forever. Basically, it'll still randomize, it'll connect to the device it knows, but unless you go into the watch and say let me reconnect, it doesn't respond to broadcasts anymore. So I have to give kudos to them, because that's actually the best: we solved all the things. iOS devices, well, like to broadcast some Bluetooth Low Energy noise. They do randomize, though, and advertise that they're an iPhone, iPad, etc. But that MAC address randomizes constantly, so while it's being used in fun apps, including Safari, we noticed, take that one on for size and think about that. It does randomize quickly and randomly, so there's not really any trackability on the actual iOS devices we noticed. So we have to give kudos to these three doing it right; the rest we went through quick, as it's kind of the consumer-report style.
And what we were going to do is release a tool with this to track all these things. Fuck you, Zero_Chaos. He kind of beat us to the punch and got a better tool out, so I just said, nope, bravo, we'll do it on that side and point over there, because they did a great job on that. So the Pwnie Express crew released this, was it Thursday at 11? I think he posted it probably three days before then, four days before then. So this is definitely a great tool to look at for tracking those things. I don't think it supports GATT yet, but I'm sure it will soon if I have a few more minutes to tweak some code.

So where do we go from here about all these devices? To complain about them all? And I spent 15 minutes rambling about this. We really need to start testing more and more of these devices to determine what the implementation issues are with them, instead of just, well, it's a problem. With these new IoT things, it's obviously a problem across the space, and we've all complained about IoT this, IoT that. So we're throwing up on, oh, I forgot to actually commit this this morning, throwing up on GitHub basically a repository that everyone can submit pull requests to, so that as you test a device, you say, hey, I looked at this and it does this, this, this, this behavior, and we'll have a little checklist of things we're looking for. Then we can all kind of source together as to, hey, here's how this specific device behaves, here's the trackability of this device; not that it's possible, not filling people with FUD, FUD, FUD, FUD, but that it's actually possible, or that it's possible for this device and this implementation.

Long story short: when MAC addresses are random, look for things that aren't involved in the MAC addresses, which include not actually randomizing them, the GAP and GATT leaking serials, and the device names.
You can knock a device off Bluetooth using either the deauth packets or actually broadcasting a lot of noise on 2.4 GHz on certain frequencies. And while the standard of Bluetooth is great and supports a lot of cool stuff, these devices aren't implementing it. All right, I'm going to switch it over to Erin, who's going to talk more about the home security side.

All right, this is the squirrel part of our talk. Squirrel. Oh, he's not done, he has to get back up again. Don't you guys do that to him, just give him a minute. Right, yeah, right, you're going to, yeah, don't, don't feed the ego. Not yet. Later. Later.

All right, so we're going to talk a little bit about consumer wireless cameras and home security. Before we get into this, we've had lots of talks about wireless CCTV, all this kind of stuff, so let's chat about what we're not going to talk about. We are not going to talk about weak default passwords. You guys have Google; you can use it. Yes, everybody, with the exception of maybe 10% of people, still uses all of these. Congratulations. We're also not going to talk about IP weaknesses, but if you want to make your network even more insecure, this guy on YouTube could actually help you out and tell you exactly how to route it to the external internet, if you really want to. Good times. I mean, it was helpful; it was his intent. We're also not going to talk about deauthing 101. Everybody has Google; download Kali, use some Google-fu, and you can figure out yourself how to buy the cards that'll work and deauth it yourself. So. Hint. Hint. Also, we're not going to talk about Shodan. It's awesome, not this talk, though. Go have fun with it. And I wanted to put a slide up and say we're also not going to talk about Pokémon Go, because it's almost as fun to show it in, but.

So who cares about these CCTV cameras and the security? Well, you know what? It grinds my gears. I care, because these camera companies are selling them as security devices. Not all of them. Most of them are selling security.
So that got me to thinking. You know, what if? What if these were used as security devices? Well, I want to be a bad guy, and anybody that knows me knows that I have a little problem when it comes to automobiles: I like them a lot. So step one in my little mental process, when I was thinking about these cameras, was kind of getting into the mood. So I wanted to channel my inner suave and think about, hmm, if I had this absolutely amazing warehouse full of Ferraris that was protected by these security cameras, what would I do? This also plays into homes and stuff, but I find Ferraris to be a lot more fun than thinking about the homes right now. So the first thing I would do: get into the mood. Second thing I would do: get some information. Information is pretty easy to find, especially, you know, we have this technology, or I'm going to use that really loosely. Everyone in this conference, we've been talking about wardriving for freaking years, a decade. Wow, decades. Wow, that's old. Anyway, okay, it's old. So some people call it wardriving; in this case we're going to call it target identification. With that, you can drive around, because these devices are lovely and like to tell you who they are all the time, and in their MAC addresses you can actually tell who they're from. So you can go on, tonight, the nice little Googles help us out again and identify exactly who these cameras belong to. Or you can actually just look for the cute little stickers that come with the cameras and say, hey, you're on camera, and some of them even have the brand name on them. Even easier.

So with that, I'm thinking about where the attack goes. Obviously we've had many talks that have talked about wireless jamming and whatnot. So let's take that a little bit of a step further. This talk was kind of composed with the idea of, let's find out what these cameras actually do. Let's find out what happens when they get deauthed. Let's find out, do they notify, do they recover.
So in the attack, we're going to be thinking about how long it would take an intruder to get into a facility, a building, a house, whatnot. What they would have to do ahead of it. How long they would have to deauth the cameras, and could they make it away clean, so to speak. That being said, we're not going to talk about point of entry and whatnot. Like Zach said earlier, there's a wonderful Bluetooth lock talk, and assuming some of these homes that have these lovely camera systems also have the Bluetooth locks, we can do a whole bunch of fun things with that as well.

So the attack. In the attack, we're going to talk about which cameras are weak. In order to do that, we had to, just like Zach, go and buy a whole bunch of cameras. But, you know, since this is DEF CON and we're progressive these years, I wanted to make sure that we had diversity. So we have lots of different cameras that we tested. Lots and lots of them, from different manufacturers, of different sizes. So we went from the big guys to the small guys. That's them. So which ones are not saying they're a security camera, was my question. I showed you guys earlier all the articles and whatnot. So how many actually say they do security? All but two. So there are two really, really, I'll say forthcoming, companies that don't claim to be security cameras. They're just like, hey, we're this. This is what we are. Good for them.

So what was tested? We did a little bit of everything. Obviously, we want to know what the offline time was. We want to know if it does any kind of notifications. So if you get bumped offline, network interference, whatnot, what's the threshold of notifications? Is there any type of cached video on the device? So if it's knocked off, what amount is it going to actually store locally before we have to recover? Whether there are any type of wired network options. Whether there are any type of SD options on the device itself for local storage.
Type of power: we were curious whether it was battery or wired; obviously, there are points of failure there. Additional equipment needed for the function of the cameras; not all of them just stick up. And any other performance options for surveillance. So because we were actually being pretty pragmatic about how this was done, we actually had a test procedure. At zero, the stopwatch starts. At about a minute in, we did a targeted deauth attack. About every 30 seconds, we were waving our hands for motion recognition, because some of the cameras did require it. And at about 10 minutes into the attack, we did the targeted deauth ending, so we terminated it, and we gave it about five minutes from there to see when it would come back online on the network.

So this is my high-tech setup. It's pretty impressive. We have the timer, whatever camera was being tested at the time, the iPad with the camera app so we could actually visually see what was going on with the camera when it was going to recover, and obviously a whole bunch of AirPlay fun going on right there. That being said, I like to always prove my work, like in my good old math classes. And live demos never work. And live demos never work. So for you guys, I want you to know I spent many weekends with my GoPro taping these lovely things. But I fast-forwarded them for you. This is your drink break. Anyone who has coffee or anything, have a nice drink. Take a second. Yeah, there's about two minutes, and I fast-forwarded the crap out of these and split-screened them, so yeah. You get the idea.

So now the results. Kuna. I love this little Kuna device. It was a Kickstarter, actually, as were a few of these. But the cute thing was the Kuna device kind of did what it said it was going to do. Not quite security. You know, it recovered after about a minute 30, a minute 40, after the deauth ended. The positives: it's a light. If the camera doesn't work, you've got a front light. Yay. Another positive: it's wired.
There's no way around it. There's no battery power. It's hardwired. The negatives: only if the app's open are we getting notifications. One of the other negatives, or positives, depending how you look at it: it had this really cool, pardon me, the clanking is killing me, it had these cool status lights at the bottom of the light, which were super helpful, and I appreciate the developers that put them on there, because, you know, it's supposed to help out the consumers to let them know if it's paired and whatnot, or if it's online. That's always a good one for an outside security light, to have it flash red. So one of the things we learned from the deauth attack is, after ten minutes of it being deauthed, it kind of just doesn't recover. Before that, if you cut it a little bit early, it will do the minute-40 recovery. But if you let it go longer, it kind of falls over. So in the testing, you know, these are consumer products; we did a few rounds of testing and found these things out. Well, like I told you about these cute little status lights, I was googling, you know, for the point of this talk, trying to see if I could find you guys a pretty picture, because I actually didn't fly to Vegas with a picture of the bottom of the status lights. And I came across this. On their website. They actually do tell you, good for them, that it will fall over and not recover, and you have to set up the wireless camera again after ten minutes of deauth. So let's just say, hypothetically, you have one of these lights out in front of your house. You lose power for more than ten minutes. You forget. Your light's useless, you know. So I would love to talk to someone who's doing the IoT monitoring of things. There's your start for your little project, because these are some of the things you should be looking for.

Because of timing, I'm going to try to go through these a little faster. Immedia has this cute little Blink wireless HD monitoring and alarm system. The Blink is totally cute.
I will give it credit that with movement it will recover in about nine seconds. It does have an onboard about five to ten second video recording. It's clip-based, though. None of this is persistent recording; it's just clips. But the cute thing is it's easy to mount. It does continue doing the clips. Negative: you know, it does require a base station. It is battery powered. There is no option for SD. There's no wired option. It is what it is.

Amcrest. Which I had never heard of until, again, let's look at Amazon and find out what the best-selling wireless camera on Amazon is. It's this one. I don't know how. Anyway. It is cheap. It is cheap. But you would think that maybe Nest would. Anyway. So it recovers in two minutes. Not a bad little camera. It keeps about ten seconds onboard storage. It does have a wired option for wired network. Not wired power. It does have wired power. And there is an on-off switch on the unit. Not overall a bad camera. Somebody like that? Yay, Amcrest. Anyway.

D-Link. D-Link. We love D-Link just for the purpose that they don't actually claim to be a security camera. They're like, hey, we're a net cam. We're cool like that. I'm like, all right. So on the positive, it does have an SD option. Negative: there's no actual wired option for the camera itself. It recovers after about a minute after the deauth. No movement required for that one, actually. So.

Netgear. Cute little Arlos. I love these Arlos. They recover after about 45 seconds. They're versatile, because they have a cute little magnet. That's how they attach. And they have a sticker. So remember the wardriving. Yeah, put, no, no, let's not put the sticker up and say, it's not even bad that it's a sticker, it actually just tells you what it is. So you have a few options when it comes to my little putting on my sunglasses and being suave and breaking into my little Ferrari warehouse. For these, these are great. I could just deauth it. Go. Grab them all. Put them in my bag.
Throw it in the Ferrari and drive out. So. So again, it requires a base station. It is battery powered. There's no SD or onboard storage. Again, no actual wired option for the camera itself, because, again, it pops on a little magnet. Battery powered.

Here we're getting into the fun ones. So the Logitech, the Logi Circle. Oh, sorry. All right, we've got to run. I never thought that. Okay, anyway. All right, ADD theater here. Logi Circle. Logi Circle recovers in about a minute 30. It does do some constant push notifications. Negatives: it has an on switch on the unit. Again, magnet. Can grab it, throw it in my bag, in the Ferrari, out of here. No SD or onboard storage. No wired option.

Belkin, my little buddy. I'm going to give you like one more second. It recovers after, I call it, negative 10 seconds, because it does have an onboard buffer. So the nice thing is it does come back pretty quick. So the onboard memory does recover it. I don't know if that was intentional or for network interference, because they don't actually tell you on their website and marketing that they do that at all. They also don't tell you that they're a security camera, either. Yay, Belkin. There is an on-off switch on the unit, and we did find inconsistent push notifications through the app. So it doesn't help you too much.

Samsung recovers in up to 10 seconds if there's immediate movement. Downside to that one: no immediate movement until the cat walks through. So, positive: SD option. There is a wired option to it. The kind-of negative is they're kind of working out their cloud option. There wasn't one for our camera. There was for other cameras, and so that's forthcoming. And the SD storage is only downloadable through the app; you download the clip to the SD directly; it's not running a constant cache.

So the Canary all-in-one security device. Canary is awesome on the recovery if there's immediate movement. Again, please have your cat running through after a burglary. So again, the deauth attack.
There's a very quick recovery, two seconds. There is a wired option. There's notifications. The sad part to the notifications is it takes 30 minutes. So it has to be offline for 30 minutes, and that's kind of not enough, because the other side of that, it has to be offline consistently for 30 minutes. We did try an attack where we deauthed it for about 10 minutes, brought it back, deauthed it 10 minutes, brought it back. You can pretty much do that for a while. So the negatives: movement is required for recovery.

Nest. Nest, not Dropcam, Nest. Anyway, recovers after 20 seconds. Nest is actually pretty good. I'm not going to, I'm not going to beat them up too bad. I hope that we see better things coming through them in the future. It does keep between 30 seconds and four minutes of cache. We were finding inconsistencies through the testing of that just because we did everything at 720p, but it seemed that lighting and any other ambient movements were causing that to change and fluctuate. There are push notifications for activity. They're pretty consistent. So that's definitely a positive. No SD option. No wired option. So.

I know I'm going, I'm going, going, okay, so very fast. Oh shoot. "Bad guys won't put in the effort." Yeah, right, bad guys are putting in the effort to do some of these attacks. We're not talking about it to consumers, so then what should consumers actually do? Wired is better than wireless. Verify and understand the limitations of the products, like Zach said. We're trying to put together a database so that way everybody in this room can also contribute what they're finding on their own. Nobody's talking about this to consumers. This is our consumer disclosure. Just tell consumers this is what you're putting in your house to protect yourself. Let's be, let's be smart and understand what we're doing. These cameras do have unintended great uses, like real estate. Anybody selling your house in here? I'd put in one of these cameras that has the voice.
Listen to what the potential buyers are telling you. Anyway, I'm out. I went too long. Thank you.

I have ten minutes to do a whole topic. One thing I want to reiterate about Erin's side that I don't think she really announced and made everyone really clear on. That was great. So all these cameras, basically you do the Wi-Fi deauth on them and they're offline, and Erin, is there any cache recording for the majority of these cameras, or which ones have cache recordings? Oh, her mic's not working. She said very few. Sorry. But yeah, so like I know that the Nest camera was 30 seconds, or 30 seconds to four minutes. Four minutes is the max. So basically once you deauth these cameras they're offline, they're not seeing any movement, they're not seeing anything. So if you Wi-Fi deauth them, guess what, you have no recording, and there's no cache recording on most of the devices; the ones with SD card options do.

So I have to talk about Windows 10. I have 10 minutes; we're going to get through this fast and the teleprompter is going to try to keep up with me. Good luck. Have fun. So a lot of people are buying Windows devices, especially with Windows 10. These are tablets; we have fun with them. And we're not going to be talking about OEM devices with all these custom configurations because the Duo Security crew, they did a great job on that. But we tell users all these things: patch your device, install antivirus, use HTTPS, use a password manager, watch out for suspicious downloads, don't use this Wi-Fi, pick a strong password. All these are great things. Oh, it's going to get faster. Reading. Sorry. Gotta keep going. These are all great things we need to keep telling users, but these are things that are not going to stop this. So back at DEF CON 20 I gave this talk about NTLM relaying. I don't have time to slow down. I have probably 20 slides to go. Back at DEF CON 20 I gave this talk about NTLM relaying. You can watch it on YouTube or all the other places that it's up there.
The old focus was about relaying NTLM network authentication to corporate accounts. We were focusing on corporate, corporate, corporate, and focusing on internal attacks. For those of you who are just joining us today: Windows uses NTLM for some network authentication. It does use Kerberos as well, but uses NTLM for hashing. It's an MD4 of the password. But it's also used for network authentication and signing of network authentication at some points. NTLM network authentication has two flavors, version 1 and version 2. Basically the client says, hey, what's up, do you support this? Yup, here's my challenge, and here's the hash of the hash. Have fun. Microsoft recommends switching over to Kerberos. It is crackable. Love you. I hope that shows up in the video somehow.

And by the way, Windows auto-authenticates things. So how does Windows auto-authenticate? It uses, we've talked about WPAD; this is not another WPAD talk. There have been two other WPAD talks about all the fun things with that. But with WPAD, Windows auto-authenticates with NTLM in some things. Windows 10 does this less, but Chrome still does it. There's other ways to get users to auto-authenticate with things. It's not just WPAD. You can also use injection of UNC paths into HTTP traffic if you're on a rogue access point. Certain file formats support UNC paths, and third-party applications that don't use proper cores, uh, yeah. I won't name names. But for a while we talked about this on the corporate side, the corporate side, the corporate side, on internal attacks. But was it internally only? DEF CON 20 had talked about how Exchange Web Services as well as Sylvone and Burl. But this is still a huge issue. Now I've talked about corporate, corporate, corporate. We never really talked about cracking these hashes, which is possible, and we've always said it's possible to crack them. We never talked about the implications of them.
So for the corporate side we can do VPN access, SharePoint, shared passwords, all that fun stuff. But what about personal users? We're talking about fighting for the users. Things that we're going to go and defend against for them. So, well, what if they have a shared password with certain accounts, whether they're broadcasting these things? What about local file shares? What about those things? So we've talked about this for years for Windows XP, Windows 7. Then Windows 8 came along and Microsoft decided to introduce a thing called Microsoft accounts. With Microsoft accounts they included logging into your Windows device. Yay!

I have a demo video because demos rock. This is the point where I actually have to wait the full minute. So we launched a rogue HTTP and SMB server in a tool called Zach Attack. Yay! There's an update soon. We used the NBNS broadcast. We set the options to broadcast to this device that has a rogue HTTP and SMB service. Exploit! We wait! This is real time, by the way. If you know this, it's a Microsoft account with an email at an outlook.com address. Yes, it's a fake email that we set up for this. And there goes the yaw. We run it in oclHashcat. Crack the password. We get the password of Hunter2Bang. Wow, no one got that. You guys are all noobs. I love you, I love you. We go ahead and go into Microsoft.com. This is the Microsoft account. This is the account used to log into the machine. We log in with that Microsoft account, the password we just cracked from a network broadcast authentication request. We copy, we paste. Copy and paste. Come on. Real time. Sign in. Come on. Get there. I have 10 or five minutes left. We're logged in. Yay!

So what does that mean? I don't have time for applause. First off, Mubix said that I have to release an update. Yes, Zach Attack is getting an update for Zachs who can't code good and want to learn to do other stuff good too.
Yes, I have to post that, but yeah, there are cool new things with webhooks and with the Microsoft accounts I've added in there. But yes, sure enough, your Microsoft account that you're using to log into those machines, to log into your Windows 10 devices: it's using your Outlook, Gmail, Hotmail, all those front emails you use; it's actually broadcasting those across the network. So what? At a minimum it's disclosure of the user's information. But this is the first time offline password attacks are valid over a network thing. Yes, it's worked on some bad services before, but never in this thing.

So what happens when you crack someone's password? You get into their Microsoft account. What do you actually get? You get their date of birth. You get their zip code. You get their billing information. You get the last four of their credit card numbers for all the billing things attached to their Microsoft account. And yes, these things are sensitive. This is a 2012 article from a reporter who got completely pwned. But basically someone got a hold of one of his accounts, got the last four of his credit card, and used that to pivot to all his things. You also get their search history, including things. Well, this is a libertarian noob who wants to commit first degree murder. And if you're a heavy Microsoft user using your Microsoft account not just for all your things but for all the things: you've got your OneDrive. All your freaking files. Your emails. You've got remote file access to systems if you have it enabled. You've got Wi-Fi Sense, that fun thing to share passwords, if it's enabled obviously. But yes, from a network broadcast thing. From sniffing someone on the same Wi-Fi access point. No, offline cracking is not original, but it's the original application of this. We've used offline password attacks before, but we've never had it where it's harvestable from a LAN before. So what we've told users.
Patching devices: yes, it's still important, but it doesn't matter for this. Install antivirus: yes, some host intrusion detection systems detect the default challenge. Just change it. You're cracking it anyways; you're not using a rainbow table. By default it uses NTLMv2, so it doesn't matter. Use HTTPS only: well, you're gonna hit the HTTPS endpoint, and WPAD broadcasts don't care. Use a password manager: it helps, but it doesn't actually help if you're cracking this. It helps with other accounts. Watch out for suspicious downloads: doesn't apply to this. Whoops. Don't use this Wi-Fi: seriously? We tell people this; why don't we just protect them. And pick a strong password that doesn't mean something. Well, we should never tell users just use a random VPN service, cause that's a horrible friggin' idea to trust your traffic with someone else. But for some reason we think that's a good idea to tell people.

What we need to tell them: pick a strong password, enable two-factor authentication. Yes, in Microsoft it takes over ten steps to enable two-factor authentication, including adding device passwords to all your devices. Oh my god, it's painful. You need to use unique creds per site. Yes, that's important, so if someone gets one cred they're not gonna be public, and maybe avoid Hotmail and Outlook and all of OneDrive for a little bit until you can use a local account. How do we fix this? Disable NTLM auth. Yeah, that kind of sucks, telling users how to disable NTLM auth, but that's one of the ways to fix it. The other thing is just don't use a Microsoft account to log into your system; use a local account instead. So TL;DR: get a stock Windows laptop, attacker on the same network, use a Microsoft account to log in, you're pwned.

Alright, I have three minutes. Summary of the issues. Fitness tracking devices that we talked about with Bluetooth can be tracked and monitored for certain implementations.
Wi-Fi security cameras: you deauth them, they're off the network, there's no recordings, and some don't give notifications. A few give notifications after 30 minutes, and there's very limited caching on most devices except for the two we pointed out. Consumer Windows laptops are constantly leaking creds for offline cracking. This is the first time we've seen that there's gonna actually be offline cracking against those kind of things. Want to acknowledge these people for doing some cool things. Mubix, fuck you. And end of line. Two minutes remaining; we're gonna go ahead and post this slide. I'll slow down. We'll post the slides up there. We're gonna go ahead and, I don't know where we can take Q&A because we're right up on the time. We'll, we'll, we'll do Q&A right to the side, outside. We have two minutes so we'll have to go outside, yeah. We'll take it outside to the next track and get in here. Thanks everyone for coming. We appreciate you guys coming out. Make DEF CON great again. Thanks for coming out.
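A defender-side check for the Windows 10 issue the talk describes (a Microsoft account used for login, plus NTLM auto-authentication answered by a spoofed NBNS name), added here as an example and not part of the talk or of the speakers' Zach Attack tool. It reads the standard Lsa, MSV1_0 and NetBT registry values and the PrincipalSource field of Get-LocalUser; the function name is my own.

```powershell
# Added example: report whether a Windows 10 machine is exposed to the broadcast
# NTLM credential capture described in the talk. Run from an elevated prompt.
# Registry locations and value meanings are the documented Windows policy settings.
function Get-NtlmExposureReport {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv   = Join-Path $lsa 'MSV1_0'
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

    # 1. Local accounts backed by a Microsoft account: the leaked NTLMv2 response is
    #    then for an outlook.com / hotmail.com style identity, not just a local user.
    $msAccounts = @(Get-LocalUser |
        Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' } |
        Select-Object -ExpandProperty Name)

    # 2. LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLMv1.
    #    NTLMv2 is still crackable offline, so this is a floor, not a fix.
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # 3. RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit, 2 = deny all outgoing
    #    NTLM. 2 is the "disable NTLM auth" fix from the talk; it can break legitimate
    #    access to older SMB servers, so audit (1) first and read the MSV1_0 event log.
    $restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic `
                 -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

    # 4. NetbiosOptions per interface: 2 = NetBIOS over TCP/IP disabled, so the host
    #    sends no NBNS broadcasts for a rogue responder to answer.
    $nbtOn = @(Get-ChildItem $netbt | ForEach-Object {
        $opt = (Get-ItemProperty $_.PSPath -Name NetbiosOptions `
                -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $_.PSChildName }
    })

    [pscustomobject]@{
        MicrosoftAccountUsers     = $msAccounts
        LmCompatibilityLevel      = $lmLevel
        RestrictSendingNTLM       = $restrict
        InterfacesWithNetBiosOn   = $nbtOn
        # Exposed when a Microsoft account logs in, outgoing NTLM is not denied,
        # and at least one interface still answers/sends NBNS.
        ExposedToBroadcastCapture = ($msAccounts.Count -gt 0) -and
                                    ($restrict -ne 2) -and ($nbtOn.Count -gt 0)
    }
}

Get-NtlmExposureReport | Format-List
```

Switching the login to a local account (the talk's other recommendation) clears the first finding without touching NTLM policy; disabling NetBIOS removes the NBNS path but not WPAD or injected UNC paths, so treat the four fields together.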