All right, thanks for having us. So today's talk is Snoop Unto Them as They Snoop Unto You. I'm Alan Meekins. I go by NullAgent on most social media, Twitter, Mastodon, all that good stuff. You'll find me as 7-bit byte on GitHub. And my personal website is actually kind of blank, so I'll try to fix that this week. And I've got a co-speaker, Rekadam, who couldn't be here today. He's stuck in Tokyo without a passport. And we've got Savage, our apprentice, here today.

So just a quick background: big robotics nerd, embedded systems, been playing with Linux since I built my first computer. I really love digital communications, which this talk is going to touch on a lot today. And I occasionally do, I guess, grown-up work, but these days I am recklessly unemployed and founder of Data Party. So we're basically a hacker collective looking at the intersection of media and all the things that hackers love.

So today, the thing that got me started thinking about this was actually a lot of police interaction that my co-founder and I had over the years. He grew up going through high school getting pulled over by the cops basically every day. And growing up, we were hearing a lot about no-knock raids. And coming from a hacker's perspective and seeing things like no-knock raids, you kind of start wondering, WWLND: what would Lord Nikon do? So Lord Nikon would probably take a closer look at the boys in blue, and maybe at what they carry and how they operate.

To give you some idea of what the landscape is like in the digital world of a cop: on the left are the things that they carry, typically tasers and body cams, a smartphone, a pistol; in the middle are things that certain companies wish they might carry, maybe flying drones with tasers on them; and on the right we have all the things that are in their vehicle: Wi-Fi hotspots, surveillance systems that can actually do license plate reading. So they actually do ALPR, coming soon on their dash cams.
And of course, they've got a laptop. And they have these weird little boxes called Axon Signal. So if you remember the movie Hackers, one of the big things that they talk a lot about is reading the manuals. So the first step was just to see what was out in the open. And so if you start reading through the manuals for all of these types of equipment, you'll see a whole bunch of terms like Cradlepoint and NetCloud mentioned. You'll see things like Bluetooth pairing, and you'll see brand names like Axon Signal. Occasionally you'll find some really cool things like, hey, this is exactly what an error state looks like, and here's an exact network map of what a police car looks like inside. And you know, you keep reading, and before you know it, you find all sorts of URLs that look tasty and delicious and could be interesting.

So if you ever talk to public defenders and those sorts of people, they hear about this thing called evidence.com. And a lot of them don't realize that that's actually built by the same folks who make the body cams themselves and all the digital tech. It all just funnels up to this cloud. So they typically access it through their agency name or their city or state or something, .evidence.com, and consume content. And then if you keep reading, you'll start seeing some interesting things that might raise a hacker's eyebrows a little bit. But at the end of the day, the thing that really caught my eye is that the boys in blue are actually... actually, there's a couple of things, so Wi-Fi access points and fleets and so on. But the boys in blue are actually the boys in BLE. So there's a term that keeps showing up a lot called Axon Signal. And I keep seeing the word BLE co-occurring with that in the documentation.
So just a quick trip down memory lane from DEF CON: when we're talking about hacking the planet in terms of BLE, there was a great talk by Freaky at DEF CON 29 where she explained a lot of the basics of BLE: how BLE pairs, how it interacts with the host, and so on. And it's a great starting point to understand what might be going on under the hood of some of these products. And if you keep reading further, you might see some things like Handoff All Your Privacy, which deals with how Apple has a BLE protocol called Apple Continuity. And you might also see something called You Better Secure Your BLE Devices, which has a lot of parallels to what we're seeing today. And then lastly, Mike Spicer did a talk called I Know What You Did Last Summer.

So just a quick refresher on BLE. I'm not going to go crazy deep on BLE fundamentals. But a BLE device needs to let the other devices that it wants to pair with know that it's around. So they send out these broadcasts, these beacons, a lot like how Wi-Fi access points also beacon out. And typically you'll find these types of parameters inside of there: at least a MAC address. And then basically everything else is kind of optional: manufacturer data, services, product, company, local name, RSSI, possibly URLs, and additional what are called GAP fields. So additional fields just like this.

And of course, you start thinking about, if you were to reverse engineer or fingerprint devices that you haven't seen before, say a cop device, there might be a whole spectrum of ways that you might approach that problem. So for instance, sometimes GAP fields come in different orders. So even two devices from different manufacturers might have identical data, but they might put those fields in different orders. So that might be a thing that fingerprints. Or you might go and try to see if you can find things on wigle.net.
WiGLE's a big network of wardriving; a lot of people who are participating in the worldwide wardrive right now are constantly feeding Wi-Fi and BLE data into wigle.net. And then also, I built an app called RFParty, which is basically like WiGLE in your pocket without a cloud, so that you can be entirely off-grid. You could also go down the decompiled-apps route. So how can we figure out what these police devices are actually doing? And just as a note, most of the apps needed to manage these police devices are actually currently in the Google Play Store. So you can go download those and decompile them right now.

So without doing all of that crazy stuff, how do I do this without violating any kind of permissions or laws or anything? Go back to reading the manual. So I keep seeing this thing called Axon Signal. So what is that, and what does it do? Well, it turns out that the devices highlighted in blue here are actually all Bluetooth enabled. So body cams and tasers are designed to basically interact with one another. And when a taser is fired, certain models can actually send out a Bluetooth beacon that will notify the body cams and the surveillance in cars to start recording, or rather to start retaining their recording. Body cams also have basically ShotSpotter technology built into them after the third generation, or the second generation, of those. And they can also detect gunfire and trigger a Bluetooth transmission. And then third to all of this, the pistol holster itself: there are attachments that can detect when a pistol's unholstered and again send out a Bluetooth beacon that is designed to trigger the body cam. And the same thing happens on the car side as well. So again, the blue circles here are things that are Bluetooth enabled. So the documentation indicates that the same Axon Signal technology is built into dash cams. And how are those dash cams triggered?
They can be triggered of course by everything on the left here, but they can also be triggered by this little tiny box at the bottom that detects when your police lights are falling off of your van there. And that will actually detect when you turn on your siren, when you turn on your flashing lights, and send a signal to the recorder as well. And then finally, they have a laptop in the mix that also takes a Bluetooth dongle. I actually never fully figured out exactly why that is, because it doesn't seem to actually trigger much on there. And then finally, things that I didn't even feel like digging into, but they have Cradlepoint Wi-Fi hotspots in there that have all kinds of interesting things in the documentation that I don't even feel like touching today.

So yeah, so overall, that's the general architecture of how Axon Signal works. And we went through the list of devices it's deployed on. And so yeah, so where is it used? Axon has basically their fingers in every part of police life, from how you charge these devices at home or in the office, and also things like interrogation rooms, all of the systems inside of there. And again, that documentation was a little bit more locked down, so I don't have as much to share directly on entry points under those systems.

So again, with all of this in hand, how do you do analysis on this without having to interact too closely? And it turns out, go back to reading the manual, and there's this thing called an OUI. And there's an OUI for the company Axon, which was initially Taser International, called 0025DF. And that is the first three octets of most MAC addresses in the Bluetooth spectrum. So if you register an OUI and you want other people to recognize your device over Bluetooth, you're going to use these in places like potentially in the MAC address itself or in the manufacturer data. You can also have a fingerprint in there.
So for my app RFParty, I actually built a database of over 4,000 device identifiers simply by looking at OUI databases and additionally Wireshark and their database. And of course, looking at manufacturer data and just kind of analyzing my own devices, I discovered that there's a lot of... I'm not sure if things are always on spec as far as how manufacturer data gets formatted. But there's a lot of interesting ways to fingerprint your devices just looking at those. So looking at the Taser OUI, you find out that they have a particular block size. So they've basically allocated 16 million MAC addresses that will be prefixed by this OUI.

Since we're talking about broadcast protocols in Bluetooth: a lot of people are very accustomed to devices being paired. And when devices are paired, the broadcast will stop. But there's a growing number of protocols being released lately which rely entirely on the broadcast capability and basically not at all on the direct connection. So some examples: COVID exposure tracking has a fairly cryptographically secure approach to fingerprinting a person, and then having a secure database of exposures that's managed by your local authorities, and then you go and prove it, and eventually the other people who have basically been around you are essentially wardriving when it comes to COVID exposure tracking. They're slurping up all these BLE broadcasts, and they're saving the ones that have the correct fingerprint for this protocol, and they're remembering all the public keys of the people around them. So COVID exposure tracking is another great example. It's one of the most pervasive Bluetooth broadcast protocols, but now it's kind of winding down. So if you look at WiGLE data, and if you do your own stumbling and whatnot, you'll see that the COVID broadcasts have reduced substantially over time.
But Apple Continuity, on the other hand, is basically second as far as, you know, from my... this is my personal ranking as far as total traffic that I see. And Apple Continuity has a lot of interesting things that it does. Again, in the app that we built called RFParty, we parse all the sorts of things that Handoff All Your Privacy discovered. So things like AirPlay IP addresses. Your iPhones are currently beaconing your IP address in BLE constantly. You can get information like whether or not the person's on the phone, whether or not they're looking at a video, if it's their primary iCloud device. So these broadcast protocols have a pretty pervasive impact on your personal privacy and how trackable you are in public, in public spaces and governmental spaces.

And then finally, we have a really new broadcast protocol that's coming online next month called DroneID. So DroneID will also operate primarily in Wi-Fi, but there's capability to do it in BLE as well, Bluetooth. And I suspect part of the reason is that the BLE hardware might be more lightweight, more ready to be embedded, than some of the Wi-Fi equipment to put on smaller drones. And so again, on RFParty we're expecting to be able to parse that type of data. And so finally, Axon Signal. So Axon Signal kind of fits into this patchwork of prevailing and existing broadcast protocols.

So kind of taking our understanding of broadcast protocols and everything we found in the manual, let's see what we can find. So if you go to WiGLE right now and type in 0025DF, you will find on the left we have the locations of police departments, say, in the San Francisco region. And on the right we have the WiGLE map of where 0025DF returns have been heard. And it corresponds pretty closely, and of course is clustered along highways that cops probably patrol. So there's a decade or more of data in WiGLE.
If you run these queries, you're going to see that there's a worldwide footprint that you guys in this audience have been collecting and putting on WiGLE. So that's pretty dope. So what can we do with this? And what are the other ways that we can detect this? So RFParty could hypothetically, allegedly detect these sorts of things. I can't demo that sort of thing. Unfortunately, I haven't been contracted by any police departments to actually do any pentesting on them. So if you know any, let us know. We'd be happy to help you figure out how to improve this.

But for demonstration purposes, it also turns out that GoPro video cameras have a broadcast protocol that they implement. So I took my GoPro and essentially assumed, hey, let's treat the GoPro like a body cam and see what that might look like in RFParty. So here we have RFParty in a public space. I verified that my wireless connections are enabled on the GoPro. And from this point forward, the GoPro will actually beacon so that my phone can manage it. The other interesting thing to know about GoPros and their broadcast protocol is that the protocol does not stop when the GoPro has been turned off. The screen is off, but the packets continue to be emitted. And that MAC address, as I've observed on my GoPro, never changes over the course of years. So when I put my GoPro into WiGLE, I didn't see anything lately, but that's probably changed this weekend if I accidentally turned on my wireless connections. And so if you had a continuous monitor running, and when you search for the right parameter, so in RFParty we're looking for the name of a GoPro, what we will find is the first ping that we receive will show up on the map as a dot. And if you click on that dot, you can see all of the packet information, all of the service information. I've blurred it out because these are all my actual personal MAC addresses here.
And we're able to then see where we've crossed paths with that particular device. And so here I am walking through a park. These are my GPS pings in this ghostly white. And then at the end, I'm going to run the query again. And boom, I've discovered that, hey, I initially saw the GoPro somewhere around here, and then its final location was somewhere over here. And there's a number of queries that we support, like duration, and triggers that are coming soon, and alerts and that sort of thing. But you could imagine that if this were, say, a body cam... so this is more of a simulation of if I were wearing a body cam. And we actually have more data points along the way; it just doesn't render them on this screen. But you could imagine that you yourself could monitor for your own devices, or in the case of cop detectors, you know, or in terms of Axon Signal, this essentially demonstrates an idea that there might be a way to detect cops.

And so if we switch back, what does this enable? So specifically for Axon Signal, apps like RFParty and WiGLE enable us to potentially do things like proof of body cam. So what's proof of body cam? If you read back on some of those no-knocks that I mentioned, and if you read the news in the last couple of years, you'll find out that sometimes police departments can be cagey about releasing potentially damaging body cam footage, right? And it's kind of hard to compel them, because they kind of like to beat around the bush of, like, hey, we're not sure if anyone was there with a body cam, we've got to check our records, and they can really slow-walk things. So if you had a way to say, hey, I know this MAC address was in the vicinity, I know this MAC address was at a particular event or a particular occurrence of potential police misconduct, you can more directly kind of light a fire under their butts and more legally be able to specifically, you know, inquire about that information in court, right?
Other things that hackers probably think about: there was a competition, I think at Black Hat and DEF CON many years ago, like over a decade ago, where people were competing to make kill switches, computer kill switches. So you hit a button and it thermites your hard drive, or you hit a button and the hard drive catches on fire, or various things, right? So you can imagine if you're a very enterprising hacker, you might have a cop alert in the Bluetooth spectrum that could trigger those sorts of things. And of course, knowing things like RSSI, the received signal strength correlated with these devices, you can very tightly detect the distance that a cop is from your computer, and the computer could self-destruct automatically.

You could do things like identifying specific cops. So in a lot of cities, activists will file cases that will eventually put cops on something called the Brady list, basically a list of known police misconduct and bad behavior, bad apples, if you will. And you might want to get an alert if you're dealing with a bad apple, or you might want to know, hey, I didn't catch that guy's badge number, but it turns out I had WiGLE running. And now you can go dig through that database, dig through your own logs, and now you know their MAC address, and you might be able to subpoena for the rest of the information.

And then the other interesting thing that organizations like the ACLU and EFF currently monitor are things like surveillance. So where does Axon Signal factor into all of this? If all of these body cams start doing facial recognition, for instance; so these body cams actually have 4G LTE connections, and they actually can live stream video at any moment, and that's not even talking about the cloud this year. But there's a huge question about what's the prevalence of this technology, especially as we understand more and more about these features, especially like the license plate reader being embedded directly into the dash cam.
What if that license plate reader technology gets embedded into body cams? There's kind of a... not even a slippery slope. It is a Homer Simpson falling down a ski mountain's worth of interesting problems here that we might want to understand as civilians, and for civil liberties, how prevalent these technologies are. So finally, tools like RFParty: we were absolutely inspired by these types of questions, and we really want to enable other people to be able to experiment and learn about these devices. And of course, if cops are trackable, we're very trackable as well, with things like our GoPros or our Apple Continuity. How do we verify that any of those devices are actually in airplane mode? If you read the instructions for iPhone, it says turn off the Bluetooth connection, turn off airplane mode; there's not really a great way for an ordinary person to verify that. And what we're also pointing out here is that every device, not just AirTags, every device is an AirTag, right? So we actually need a way to detect all Bluetooth devices. We don't need one-off solutions that only work on iPhones and then take three years for Android to catch up and then leave everyone who runs Linux completely in the lurch. We actually need a solution for everyone, right? And for every possible device.

So that's kind of, that's the talk. And here are some tools. So the biggest tool used here was the PDF viewer. The second most used tool was an OUI database. And then finally, wigle.net. And then another super handy tool is nRF Connect. nRF Connect is kind of the only multi-platform Bluetooth scanner right now that's allowed, because they're actually allowed on the Apple App Store. Apple doesn't really allow hacker tools in their App Store. However, they do use the Nordic Semiconductor Bluetooth chips. So somehow Nordic got an app in their store. And then so, yeah, so we're building this thing called RFParty. It runs on Android.
And then it's on Mac, Linux, and Windows coming soon. And then finally we have some open hardware as well. And then all of this is open source. You can get it on the app store and help us get home. And part of y'all and everybody.
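The fingerprinting the talk describes (MAC OUI prefix, local name, manufacturer data and the order of the GAP fields), as an added example that is not part of the transcript or of RFParty's own code. The AD type codes are the Bluetooth GAP assigned numbers, the 0025DF prefix is from the talk, and the sample payload, MAC address, second OUI entry and company ID are constructed placeholders.

```python
# Added example (not from the talk or from RFParty): parse a BLE advertising
# payload into GAP AD structures and build the fingerprint the talk describes:
# OUI of the MAC, local name, company ID, and the order of the AD types.
from dataclasses import dataclass, field
from typing import List, Optional

# GAP AD type codes (Bluetooth assigned numbers)
AD_UUID16_COMPLETE = 0x03
AD_COMPLETE_LOCAL_NAME = 0x09
AD_TX_POWER = 0x0A
AD_MANUFACTURER_DATA = 0xFF

# 0025DF is the Taser/Axon prefix from the talk; AABBCC is a constructed placeholder.
OUI_TABLE = {
    "0025DF": "Taser International / Axon",
    "AABBCC": "example vendor (constructed placeholder)",
}

@dataclass
class Advertisement:
    mac: str
    ad_types: List[int] = field(default_factory=list)  # order as transmitted
    local_name: Optional[str] = None
    services: List[int] = field(default_factory=list)
    company_id: Optional[int] = None
    manufacturer_payload: bytes = b""
    tx_power: Optional[int] = None

def parse_adv(mac: str, payload: bytes) -> Advertisement:
    """Walk the length/type/data AD structures of an advertising payload."""
    adv = Advertisement(mac=mac.upper())
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero-length structure is padding; stop
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + length]
        adv.ad_types.append(ad_type)
        if ad_type == AD_COMPLETE_LOCAL_NAME:
            adv.local_name = data.decode("utf-8", errors="replace")
        elif ad_type == AD_UUID16_COMPLETE:
            adv.services = [int.from_bytes(data[j:j + 2], "little")
                            for j in range(0, len(data) - 1, 2)]
        elif ad_type == AD_MANUFACTURER_DATA and len(data) >= 2:
            adv.company_id = int.from_bytes(data[:2], "little")  # SIG company ID
            adv.manufacturer_payload = bytes(data[2:])
        elif ad_type == AD_TX_POWER and len(data) == 1:
            adv.tx_power = int.from_bytes(data, "big", signed=True)
        i += 1 + length
    return adv

def oui_of(mac: str) -> str:
    """First three octets of a MAC as an upper-case hex OUI."""
    return mac.upper().replace(":", "").replace("-", "")[:6]

def fingerprint(adv: Advertisement) -> dict:
    return {"vendor": OUI_TABLE.get(oui_of(adv.mac), "unknown"),
            "name": adv.local_name, "company_id": adv.company_id,
            "ad_order": "-".join("%02X" % t for t in adv.ad_types)}

# Constructed sample: flags, name "DEMO-CAM", TX power -10 dBm, manufacturer
# data (constructed company ID 0x1234, payload 01 02), MAC under the talk's OUI.
SAMPLE_MAC = "00:25:DF:00:00:01"
SAMPLE_ADV = bytes.fromhex("020106" "090944454D4F2D43414D" "020AF6" "05FF34120102")
```

Feed `parse_adv` the address and raw advertising bytes from any scanner (nRF Connect exports them), and compare the `ad_order` string across devices to see the field-order fingerprint the talk mentions.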