Welcome back to the Wireless Village. Like most of you ever left. Contestants, I'm sure you remember by now, but please be quiet. We're all very glad you're here, and quiet. Really quiet, because I don't want to have to take points away or drop this mic. So it is my distinct pleasure to introduce two people that, well, if you were playing the dog collar game, you already know. These are two of our newer friends of the village. They've managed to ingratiate themselves in a short time. Tim was one of very few people who said the dog collar challenge sounds like fun when Russ first introduced it. No one else would play, and then after Tim played for about 45 minutes, nobody wanted to play against him. So, yeah, it's been a lot of fun. He had no idea how software-defined radios worked right up until then, and he's been ruined ever since, and I'm sure he does nothing else from the look of it. And what he sent me, I cannot even imagine, the most entertaining email I have ever read for the CFP. Something to the effect of, "I'd like to give this talk, but I need to bring my dog. Is that okay?" Like, just bringing your dog, is there any particular reason? "Well, it's a hearing-ear dog." Okay, sure. So it's actually a service animal. It's not like a service pony, it's a dog. Yeah, okay, you can bring your dog, no problem. So these are some of our newest friends, and they have done something that the entire Wireless Village team wanted to do, which is reverse engineer the bloody goTenna. So I present goTenna reverse engineering with our new friends, Woody and Tim.

So we're glad to be here, actually. We want to thank the Wireless Village. They also gave us a chance last year at DEF CON; we presented IRIS, for any of you that have heard of infrared and how that might be a way to track cell phones. We did that, they gave us a chance to do that, and they brought us back again.
So I'm pretty happy to be here. A little bit about me: I go by Woody, and I play with software-defined radios and RF. And now Tim.

Yeah, I'm Tim. I came here to DEF CON for the first time about three years back and got really excited when Russ was like, "Playing with dog collars." It's like, man, this is gonna be fun. Not only can we shock people with dog collars, we can set this thing up on the internet, like Japan's gonna get really excited about it. Anyways, so we're gonna be working on the goTenna here. This is something that came out a couple of years back, out of Hurricane Sandy in New Jersey. There are two people, Daniela and Jorge Perdomo, they're siblings. They thought, you know, it'd be kind of neat if we could have some way of communicating when cell networks go down. And so they made these things. Do you got one on hand, Woody? They're about the size of a pack of six pencils kind of taped together. They're really small, and you pair your phone to it over Bluetooth. And so once you've got your Bluetooth link up... We got one over there, pretty sick. Anybody else in the audience got one? Anybody else? All right. Well, we actually have a discount code from them at the end. We don't work for them, but we ended up having to contact them about something, which we'll talk about later. So anyways, you pair it with your phone over Bluetooth, you send a little text message to your buddy, and it goes out over MURS, which is sort of similar to push-to-talk radio networks, like Family Radio Service, things like that. And so some expectation management for the talk: we're not doing anything with Bluetooth. We're not doing anything with mobile applications. It's just not our skill set. We're gonna be focusing on the MURS link and how it communicates. Also, goTenna is coming out with new hardware.
This is not the new hardware that we're studying. We're studying the older, Classic hardware, if you will. So now we have ordered the new hardware, and hopefully it'll be arriving within the next few weeks, but goTenna is a fun-to-me thing, so we're waiting for the new stuff to come out. So, a couple things we're going to talk about. We've all heard of this OSI model. What became interesting as we did this: a lot of things we do with software-defined radios, key fobs entering vehicles, bypassing your home alarm system, being able to open your garage door, I don't need to worry about the OSI model as much. Pretty much I have the hardware, I'm able to collect some stuff, I can replay, make a couple changes, make things happen. That wasn't the way that this worked. This actually has networking. This actually has the physical model. This actually has presentation, session and application. So I had to read, but fortunately I had Tim, and he reads much better than I do. Screen's blank. Okay, so here's how we got started, as he pulls up the presentation. So this is what we did as we first started out. I got excited because I'm a big fan of using software-defined radios. And let me caveat what I'm saying: if you broadcast on the MURS network without permission, that is an FCC violation. So I'm making sure to tell you, don't ever do it, and if you do it, only do it in the casino with a yogi. But with that being said, in my own home, on my own large piece of property, inside of an RF-free Faraday environment, I might have played with this. So as I did that, one thing I noticed is I could replay a message from a goTenna device hours later and have another goTenna device still accept the message. So I was like, oh, that's kind of interesting. That would be something that could be of use, if I had done that, in a perfectly fair Faraday cage with no RF environment or anything else.
Yeah, my ferret cage was good to go, so I was fine. So the first thing I did was I started looking at a spectrum analyzer, because I called Tim and I said, hey, this is pretty cool, we need some really high-end expensive equipment to be able to move further with this. So we used osmocom_fft. You're gonna find out throughout this talk, we want to promote you to use basic tools, and be able to use simple tools to do complex tasks. osmocom_fft. So I invite Tim over and I'm like, hey, I know that you can do some rebroadcasting with this, so let's figure out how this thing works. And Tim is really good at software-defined radios, and he can write some really cool code. So he said, okay, well, let's start playing, and then boom, things start hitting. So can anyone tell me what's happening right here, the biggest thing you take out of the scene here? Exactly, there's a command channel, obviously. So you see where it spikes right here? Someone say command channel. Yeah. So here's what happens. We saw about that many packets, and I go, hey Tim, look, they got a command channel, and he's like, no, we're gonna have to take some more time. I said no, no, that's a command channel. So Tim can write really well, and I can kind of look at weird things, and sometimes they pick up. So I was like, I think there's a command channel at the highest end, because we knew there were five channels. Why? Because the FCC's our friend, and we knew there were five channels in the MURS band. You're gonna find out more about that later. So Tim doesn't believe me. You'll find out, if you were here for our IRIS talk, Tim's a firm believer that I hunt unicorns. I will tell you, unicorns are real. So what happened is, after we start testing this out, we realize that they're bouncing around, but one thing stayed consistent. So, being a little bit more of a scientific man, I thought, hey, how can we test this and actually prove somehow that there's a command channel? So if there's a command channel, what would that mean?
That means there's some sort of trunked radio network. And I said, well, let's do something that I think will help Woody and I understand this problem. So I said, Woody, let's start role-playing. And so I put on my robe and wizard hat. All right, Woody's gonna be one goTenna, I'm gonna be... yeah. He's really into this, by the way. He made a character, maxed out his strength, and I maxed out my wiz, so it's just kind of, yeah, there you go. Lightning bolt! Anyways, so I'm gonna pretend like I'm trying to talk to Woody. I'm one goTenna, he's the other. I'm gonna start on channel four, that's the control channel. I'm gonna say, hey Woody, I want to talk to you, let's meet on channel two. Now, Tim didn't do this to try to prove that I was right. Tim was like, well, I'm gonna show you why this doesn't work. So Tim said, we're gonna do this, and you'll find out: if it still bounces around, Woody, you're wrong, because it's freq-hop and I don't think there's a command channel. I was fortunate enough to be able to say, well, I think there is. So we did it. Yeah, so what happens if we start sending it to where one channel, one radio is off, and we send, and that radio doesn't authenticate? If there's truly a command channel, it should only send from one channel over and over and over. So let's reset our peak holds, and we're gonna shut down all other radios except the one we want to accept, the one who's sending. And if what we're saying... Oh, by the way, we're doing this live demo because if we're not willing to go live, should we really be here? We have backups, but I think there should be some principles. We're all the way off. We've only got, I've got my phone on and I've got my goTenna on, and I'm gonna try and transmit to a goTenna that's currently turned off. If Woody was right and I was wrong, what we should see is on channel four.
That's the one all the way on the right. We should see it talking and never hopping over to channel two to finish off the conversation. What was supposed to happen is, hey Woody, let's meet on channel two, and Woody was supposed to go, okay Tim, I'm ready to receive a message, but he never did that. So if it doesn't have a command channel on channel four, it'll bounce all over the screen. So... huh, huh? Huh? God dang it. I'm sorry, Tim, I'm right. So now I might be right, but he can script, so he wins, but still. So as we start to look at this, we were like, dang it, this could be something to look at, because remember, if I know where you start, what are you probably going to tell me when you start? Who you want to talk to, and where we're going. So we start working. So let's go ahead and tell us why the FCC is our good friend. We were able to find the actual board on the FCC. Why? Because they have to be there. Now as we look at this, remember I told, Tim told you, we're not doing Bluetooth exploits. Not even going to attempt it. However, in the lower left-hand corner, that is the Wi-Fi antenna... I'm sorry, Bluetooth. We're not using Wi-Fi. Please. Okay, case beer, got it, understood. Now as we move up on that whole side, we look at the protocol, and we realize that, if we move over all the way to the right, that is going to the MURS antenna, and if we come just between everything else, that is the actual radio antenna for the goTenna. Now this is the antenna, which for MURS is fairly small, but that's one of those things they're working on. So at this point we're like, okay, we're looking at this board, we're able to find some information. So what kind of modulation do you think we're going to use, Tim? So this is going to be on the MURS channel. So if you're familiar with push-to-talk radios, and that whole plethora of frequencies that the FCC allocated for unlicensed people to use, everyone's using frequency modulation. So pretty sure about that.
It's frequency modulation, and also on top of that, it's probably going to be within a 12.5 kilohertz channel, because with each of the little push-to-talk radios, every time you go to the next channel, it's 12.5 kilohertz. So we should probably go to a live demo at this point. So while we talk about this a little bit and we wait for this to pop up... there we go, wait's over. We looked at this and we're like, okay, it's probably... well, Tim's like, hey, you know what, I bet they're using FM. We've seen a few things that made us feel that way. Then we looked at the FCC stuff, and he said, hey, let's really sketch this out and see how it works. So let's go ahead and send something and see what it looks like. Now... there we are. So we have a good amount of data here. For those of you that are familiar with FM, or frequency modulation stuff, you realize it's a little different than on-off keying, and it can be a little more difficult to demodulate and see what's going on. So we need to figure out where all the packets start. There's questions coming at the end, sir, but I appreciate your enthusiasm. That is a great question, and please remember at the end that we're willing to answer those. It's okay. Yep. One of the interesting things about this one is, if you look at these bits that are being transmitted, they're not square. If you're looking at a doorbell or you're looking at a wireless fan remote, they're going to be square, because they're pure FM. They're hopping right between two frequencies. As soon as that bit changes, boom, it just hops right over to the other bit. The problem with that is it makes your frequency content really wide, and if you were here for Balint's excellent talk, when you start increasing your bit rate, you start increasing your bandwidth, and this is something that we're under a constraint from the FCC. So what you do is, instead of hopping instantaneously between frequencies, you slide between frequencies. That lowers your spectral content, as you can see in the bottom. That's only about nine kilohertz wide, easily fits within 12 kilohertz. So as you look at this, and remember, Tim's the person who taught me software-defined radio, so anything I say incorrectly falls on him, but Guzman modulation is what we're looking at... Is that, oh, I'm sorry, Gaussian. But the way this works is it helps us know that it's a something else that we need. We need that because we need clock recovery. We need to be able to figure out the timing, the sequence of these bits, to be able to turn them into ones and zeros, and then from those ones and zeros we need to be able to make real information. This part of the packet is called the preamble, and it's something that most radios like to do to start out. It kind of gets everybody's attention, but it also lets the clock recovery algorithm sync to each bit. So what you're looking at here, if I'm going to try, I'm getting a little fancy here, let's see if this is going to break everything. All right, those are the actual samples. So if you had an array inside your programming language, each of those would be a sample. The problem is we've got to figure out which one is the one, which one's the zero. So this is where something really handy came in from Andy Walls, the stuff that he did. Oh, by the way, this is all GNU Radio based, which means everybody has a chance to play with this. You don't have to be high-end or anything else, you don't have to be some guru. Everybody has an opportunity to play with every piece of this, and it will be released, so everyone will be able to do exactly what we do up here, even noobs. Now we got bad clock recovery. So Tim, tell us what that means. So if we have bad clock recovery, it means we're not going to know what bits are correct inside our packet. So you can see here we had one zero one zero one zero one zero in the preamble. We shouldn't see that sloping.
This was the stock clock recovery block in GNU Radio. Don't make me say that again. So it didn't do a very good job. The one that Andy Walls wrote was much better. You see how each of those points are pretty much perfectly on plus or minus one? That's great clock recovery, and for these longer packets, these variable-length packets, we really needed to have something that would be good on that. So thank you to Andy Walls, if you're hearing this. Now one of the other things that needed to be done was a way to actually look at this and spit it out into something that was readable, where you could actually start and stop where you wanted to. So Tim came up with this really cool module for GNU Radio called gr-reveng. Now, let me give you a caveat. You're gonna have to use that when we release this; you're gonna have to add that to your repositories and everything from GitHub. When you look up "gr revenge", what's gonna pop up is "girlfriend revenge" over and over, because that's apparently the number one search on Google under GR. That is not what he wrote. It is gr-reveng, without an E. So please find that on GitHub. It will be an issue, I promise you, when you search it, that's what's gonna pop up. Now what we're able to do here is take the information, start with a radio, move it over, and as we set it up, because we know there's five channels in MURS, right? We break it into five channels. Not we, him, okay. Now we break it into that, and we make virtual sinks. The virtual sinks give us the ability now to continue working as our progress goes and see what each channel does
individually. So if we can look at all five channels individually, we can start figuring out how they work together. And because we've already started to figure out there's a command channel, the command channel tells me where the next place I need to look at is anyway, and once that happens I can ignore the other channels altogether. So just to run through this really quickly: it looks really complicated until you start doing FM demodulation enough, and all of a sudden, once you do it enough, this becomes like this design pattern that you do over and over and over again. On the far left, demodulate it from a radio signal into something that you can plot out on an oscilloscope. After that, you do a low-pass filter on it to make sure there's less noise. Clock recovery: turn it into a bit, one or zero. And then after that, look for the packet. So we had to figure out what the sync word is. This is a stream of information coming through; there's no way to slice it up easily. So as far as radios are concerned, they have to know when a packet begins, so what they do is they shift every bit they think they're receiving into a shift register, and they look to see when the shift register equals a magic value, in this case it was 0x2DD4. And when we found that, we weren't actually sure if we found that correctly, so we Googled it, and we found the data sheet for the Silicon Labs radio, which turned out to be really good. Now one thing, as you look at this and realize, spitting the data out and being able to see it, one of the interesting things that really came out that Tim found, which should really go on his counter but he didn't put it on here, is the fact that as he comes through and he's able to spit this data out and be able to see what's going on, he does a great job, because initially we didn't know the full length. Remember,
we've got a lot of information. We got back and forth, back and forth, like a Wi-Fi handshake. Initially we didn't realize we actually have to be able to segregate the length of the packets for every step of that communication. So now we start looking at this, and initially, like, oh, 11, we're good to go, we know how long this packet is, right? Yeah, so we had some issues with that. That may not have been correct. So then we come down here, like, oh, well, things are looking a little bit better now. If I want to start figuring something out, I know that I have a protocol that uses encryption, but I also know that the same protocol can be used without using encryption. What's the first thing we do to start checking ourselves? We send information unencrypted, and can we find it inside the packet? Oh, shite's a biscuit! So there's 41, which would be a capital A, 62, which is actually a lowercase b, and then 63, which is c, and we had just sent that exact same message. And right next to it, in red, it actually gave us the length of the message. So if we can transfer this over to the encrypted side, we can start developing how long the packets they're sending are. Now we start looking at everything else and we start realizing we can count how far it goes, to start figuring out a little bit more information. Yep, eat the elephant one bite at a time. Now you see the 1e up there. So as we looked at 1e, what we realized, when we upped the size of the packet by one, it now became 1f, and Tim informed me that means it went up by one size. So I was pretty happy, because we had now done a, b, c and d. I also watched Sesame Street a lot, so I was like, this is probably the system we should use, because that's what I watch every day. So I had to tell Woody, though, that the next thing after 1f was not 1g, it was actually 20. All right. All right, this is another one of Woody's wins. I'll have him run the slides for a little bit here. So one of the things, he called me up on the phone, he was really saying, Tim, Tim, I just found the next channel they're transmitting on. It's this bit right here. It says two, and then the next channel it transmits on is two. And I'm like, they could have put those bits anywhere. This could have been anywhere inside the packet, and he was just so dang sure of it. And I'm starting to try and learn from my mistakes of telling Woody he's wrong every time he's actually right. So that's how I remember it going, anyways. If you look at that one that's highlighted right there in green, the two tells you that the next packet is going to go on channel two, and on the second one down here, the three says it's gonna be on channel three. It turns out we didn't need to know that. In a single-receiver system that can only look at one channel at a time, it's really important for it to tell the next radio, hey, I'm gonna be talking to you over here, you need to go there. But we're looking at all five channels simultaneously, so although we found that, hmm, it's just a, you know, interesting thing to know. So yeah, I'll give Woody another point for that one. And so once we found the length of the packet, right, this is starting to tread into layer two territory. So an Ethernet frame a lot of times has: this is who it's going to, it's got a length, it's got a payload, and then the checksum. So we're starting to step into layer two territory. We found... pardon me.
We found the synchronization. We found the length byte, where it's located in the packet, and we found out just about enough to start trying to find checksums. This was really hard, and without a checksum we're just gonna be looking at a bunch of bits on the screen. And this is really hard to look at and figure out who's talking to who. I don't even know which radio it is. We have no checksum. If there's any noise, we're screwed. So that was kind of me, and I came in one day and I found Woody just sitting there with a screen with packets scrolling across it. And I'm like, oh, hey, did you Dremel the thing apart and solder down onto the debug wires and write some thing to analyze the packets? And he's like, no, I just plugged into the USB port and it showed up as ttyUSB. I mean, I don't even know why I wrote this whole radio thing. Yeah, so he also introduced me to Dumb and Dumber. I'm a nerd, I don't get out, I don't watch movies a lot, so this movie is actually really funny. Yeah, so one point for Woody. So we actually got full packets here coming through, which meant we didn't have to worry about the checksum yet. That was just something we pushed off onto the back burner, while I worked on it later. So what was interesting about that is Tim had been working this clock recovery piece and he's like, man, I think I really got this, but I can't confirm it. Well, now we were able to actually, from the radio, see what it said, and then compare his radio to it, and pretty good, right? And guess what, he was right. We're gonna keep that low, though, because then he'll put it on his column. So as we start looking at this, we start figuring more things out, and we keep getting this goTenna ID when we start getting into the serial port.
They call it a GID, which would basically be the equivalent of a unique identifier, think of anything else. So as we start looking at unique identifiers, we keep having these numbers pop up. Now as we look at these numbers up here, where it says TX and you see 0DB9, we kept seeing that, and we're like, hey, every time I send to somebody, it says that first, where it says, hey, you on this channel, I want to talk to you. Okay, well, that works. And we start realizing that we start seeing these packets. Oh, and now let me tell you, you know how you start figuring this out when you just have a whole bunch of numbers and letters on the screen? Anyone in here ever heard of a little program called Vim? Yeah, well, I don't know how to use it, so we used gedit. So gedit, Control-F. So if you're reverse engineering something, you really want to have a quick, easy way to do it, and I'm not insulting anyone on Vim, because I can't spell Vim. What I use is gedit. I take gedit, I use Control-F, I highlight what I'm looking for. Because part of this talk is we want to help you learn how to use the basic tools to be able to do this, for the basic person to be able to do it, and for the advanced person to then be able to add it to their advanced systems. But by doing that, we start searching and seeing where this pops up in all the packets, and man, we keep seeing this 58 57 0D FE CD B... We keep seeing the hash 16 equals 0DB9, and I keep looking at that and I'm like, Tim, I think I know what that is. So we found some other stuff. There's cryptography. So it's public key... Yeah, public key cryptography as well. So at some point I'm gonna have to exchange my key with each other. So I found this in a message, public key, and it told me what it is, and then I Control-F for it, and lo and behold, it's sitting somewhere down here in a transmission message. So we know they're transmitting the goTenna ID.
We know they're transmitting public keys, and that actually helped us even understand the format of the protocol, because this is a 49-byte-long public key. This is a 49... anyways, if you turn 49 into hexadecimal, it turns into 31, and so we're understanding even more of this. A pretty common paradigm for sending variable-length packets is: you say this is what it is, that's the first byte, the next byte's the length, then you have your data, and maybe a checksum. If you go back to this previous slide, you see where it says 01 09 and then the goTenna ID. 01 means goTenna ID, there's nine bytes to it, and you keep going on to find the end of the packet there. So this helped us really understand, having this debug port, like the... what's it called? What was that rock that they found in the desert that helped them understand Greek? Thank you. All right, so I'm also bad with history. All right. So I wrote a script that would let you plug two goTennas into the same computer, and it would interleave the serial port streams. And what this meant is, beforehand, in the wireless domain, I didn't know which radio was transmitting what. I just got all these packets, I didn't know who was talking. But now I know this radio started the transmission and the next radio responded to it. So sitting up here, that's what he's... that's what he's really excited about. And this is kind of a little obtuse to look at, so I translated it into English, right? So it starts out, the first radio is transmitting, it says, hey, I'm looking to talk to a guy, 0DB9. That's like the short name for the whole goTenna ID. It lets them get away with not transmitting so much on the control channel. The next thing that happens, just like what Woody and I sort of hypothesized in the beginning, it meets over on the message channel and says, yep, this is me, what do you want to say? Well, here's the problem. If I say I'm looking to talk to W...
How many people in this room have a name that starts with W? All right, we got a couple of people, Woody included. Everyone's got to meet. I actually have to disambiguate that and say, okay, I actually wanted to talk to this guy. Is that you? And also, I might need your public key. Further, the radio goes and responds, here's your key. Then you end up transmitting the data, which, here's the data from this user, and then finally an acknowledgement. So this is a pretty stereotypical paradigm for transmitting stuff over a lossy medium, where you're gonna lose a packet somewhere or get a byte corrupted, and it's like, I need you to send this again. Fortunately, we're working really close to each other, so we didn't have to worry about that. So now we start looking at this and we start going, wow. So we can see, using the serial port, when each person talks, when they want to send something. We start realizing it was almost like a golden egg given by the person that designed the protocol, that it goes one, zero... hold on a second, even I can figure this one out. Remember Sesame Street: two, three, four, five, four, five, six, seven. They start falling into a sequential order as they start working the packets out. And that was pretty nice, to be able to figure out what's going on. And as we move to the end of it, we're actually able to see they start designing out the packets they're going to use, how big they're going to be, and what sequence they're going to fall into. And yeah, header versus payload. So we're like, wow, we can work with that. And then we come up to one of the funner nights of the entire project. This is called the GID, which we've already said is the goTenna identifier. Who in this room's ever used a goTenna? Anybody? Anyone tell me what the default protocol is for using a goTenna, for the name that you want to be, for your unique identifier? It starts with phone, ends with number.
That's right. So here's the thing, but Tim and I aren't those guys, like we don't use our phone numbers for stuff, because we both have high levels of paranoia, so we always use randomized. So this actually was a setback for us at first. So we start looking at this and we're like, man, we're never finding this 972210 in any of the data. I don't know how they're sending it. Then we're like, well, wait a minute, maybe we look into the hex, maybe it's some kind of MAC address formula, because obviously whoever wrote this is going to make sure it's very secure in a very high-end protocol. Nah, that ain't working. Well, let's look at it again. Maybe there's some kind of sequential ordering that goes back and forth, and we start kind of pulling our hair out a little bit, and we start going, hey, what is that? Anyone here ever use a thing called GNOME Calculator? Well, hold on, before we get to that... well, no, we're about there, so let's just talk about GNOME Calculator. So GNOME Calculator, which is on almost all Linux systems, it allows you to take, like, hexadecimal and transfer it into other formats. But we figured there had to be some high-end things being used, so this is what we did. We just jumped out of presentation mode and said, let's just get it on and just throw things on the screen. Yep. Oh yeah, so what Tim was just saying, because again, remember, he's the guy that helps teach me, so any mistakes I make are his. So we started noticing, you know, that whole 9597 sequence, so that's a fairly high number. But then we decided, you know what we're gonna do, we're gonna use one of the cell phone numbers, just like the default protocol is in goTenna. And when we did, we were like, wow, that's a really little number, that's a little odd. So we busted out GNOME Calculator again. Please always use basic tools first, because then you can talk to me and I can understand it. So we throw the information in there: 0 1 0 0 0 1 C 3 8 9 B... Does there... wait a minute, what? Oh, shite's a biscuit. That's a phone number! Your two, and from the blocks we know it's been identified, and what we realized is they broadcast, if you use your phone number for goTenna... So if any of you do open-source information or technologies, we can talk on the side, but I'm pretty good with phone numbers and Facebook, to be able to figure out who you are. But that's another conversation. How dangerous could it be? Oh, well, and then we're sitting there, and I was like, man, I'm bored. And Tim was working on the presentation, and he's an engineer, so he works on things really intensely. So I get bored really easy, and I got tired of shaking my keys because they weren't shiny enough. So I said, huh, I took a couple phones and I just started saying, well... Now, there is a fix for this. If you use the goTenna GID random identifier, you know what's gonna happen? You get a random identifier, and you don't have to compromise your phone. So goTenna has put this in there. I want to add, this is not a slam on goTenna, this whole talk. I still like goTenna, I will use goTenna, and I think for what it's designed to do, I think it's great, and I want to make sure I add that in there. But I was like, man, hey Tim, do you think I could make two goTenna IDs that are exactly the same? If they're random, at some point they'll cross-contaminate and they'd have to be identical. And he's like, what? Stuff doesn't happen like that. So I said... Tim's poking me again, remember, he beats me all the time. So what I did was I took two phones and, at the exact same time,
I pressed "New random identifier" on both of them, and we realized this is a time sequence. And then I was like, well, what if we go back to, what, 19... maybe 1970, a certain month, a certain day, a certain time, and see what happens? Couldn't do it. We could go back to a certain date, and that's the furthest it let us go back. So we could go back to a certain date and try to set it at the exact same time, but it actually goes all the way to the millisecond, so we couldn't get the same one. I was a little bummed, but that's okay. But what we did realize is the year doesn't matter. That's what the nine does: it stops the year from being important. But the month, the day, the time, all the way down to the millisecond, that's how you set these identifiers. So from someone's identifier you can at least know some rough information. So even if I don't have your phone number, I can still pull some rough information out of this, and I can still do link analysis. Tim, those are your words, not mine.

So if you've ever seen a movie where there's some guy sitting up with this wall with all this stuff and little red lines going there, it's called a crazy wall, and we made our own crazy wall. I'm gonna... sorry, if you just give me a second to get it open, pulling open my favorite tool here. I'm gonna actually need to move this to my monitor so I can see what I'm doing. So what we ended up doing is... one of our primary tools, like we mentioned earlier. We're sorry about the disjointedness of this presentation; that's kind of the way we worked.
You don't find things in a linear manner. That would be really nice, but we didn't. So this is our crazy wall, and I'll just show you a couple of things. This is a lot to process and I don't want to spend a lot of time here, but what we did first is we started by organizing our packets by the way they happen. So each one of these little blocks of text is a communication, and what we started doing is we just started spacing things out in the way that made sense to us. So remember we had that 0DB9; this is what he was talking about. We Control-F for it and we found it in another part of the packet, and so we used that to create divisions within the packet structure, and that helped us break the fields out inside the packet.

Moving on down, so these are communications. So again, 10 was the "hello, I'd like to talk to you." 62 was "I'm there." 23 was "this is the person I actually wanted to talk to." Remember, this was the GID coming along here, followed by "yep, that's me," "here's the packet," and "I got it, thank you very much." When you have it in this structure, you can see some interesting things, but not everything. One of the neat ones, if I can find it... yeah, here it is. This was a long message that got sent, and so if you have a very long message, it gives you a high probability of a bit error, which means your packets kind of get dropped. So you chop your messages up into smaller packets so that you have a better chance of getting through. So this is part one and this was part two of the passage.

But what really helped was when we looked at it from a different perspective: let's gather all the transmit announcements on the control channel, let's gather all those together and look at them again. And that helped us see more things down here in the packet. Ha ha, all right. So once we started finding that type-length-data paradigm again, we saw, okay, FB, 0F, da da da da da.
Oh, hey, look, there's a goTenna ID that we found. We Control-F and that popped out. So within the message, FB means "this is the goTenna ID." There's lots of little other things that we didn't particularly understand. Here's your message: 41 62 63, that's "abc." And then at the beginning, this one here, the type 3 wraps the entirety of the packet. And so this is my crazy wall. You got to be careful with crazy walls. Enough said.

So, to break the packet apart: we showed you all these bytes, and your eyes are probably blurry, so are ours, so to make it simple, you've got a packet header at the start of every packet. Optionally, there's a frame that shows up at the end of the packet, which is again the type, the length, and then some checksum at the end of it. Each frame you can stick together to form a message, and the message has the type, length, whatever. So if I type a message to you, there are several frames that build together to form some sort of message. Which brings us to this part here.

So as we look at this, what we would like to see versus what we did see versus how things work. Your broadcast messages are meant for everyone. Let's say there's an emergency; you want someone to know where you are. You just send it out. It's not encrypted. Everyone can see it. You can also send your lat/long. There's quite a bit to it. It's a great protocol, again.
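The packet structure the speakers describe above (an outer frame wrapping the packet, type/length/data frames inside it, a trailing checksum, and fragments that are stitched back into a message) can be illustrated with a small parser. This is an added example written for this page, not the speakers' tool and not goTenna's wire format: the byte layout, the tag numbers (only 0xFB and 0x45 echo values heard in the talk), the 8-byte GID width and the XOR checksum are all constructed assumptions, and the sample message and GIDs are made up. It also shows the point the talk goes on to make: a passive listener reads sender, recipient and size from the frames without ever decoding the body.

```python
import struct
from typing import Dict, List, Tuple

# Tag numbers constructed for this example. 0xFB and 0x45 echo values heard in
# the talk, but nothing here is claimed to match goTenna's real wire format.
TAG_PACKET = 0x03    # outer frame wrapping the whole packet ("type 3")
TAG_SENDER = 0xFB    # sender GID, 8-byte big-endian integer (width assumed)
TAG_RECIP = 0xFC     # recipient GID (assumption)
TAG_FRAGMENT = 0x45  # fragment: index byte, total byte, then body (assumption)

# Constructed sample input: fake GIDs (not phone numbers) and a short message.
SAMPLE_SENDER = 1001
SAMPLE_RECIP = 2002
SAMPLE_MESSAGE = b"meet at the north gate at 0900"
FRAGMENT_BYTES = 16  # split long messages so one bit error drops less


def xor_checksum(data: bytes) -> int:
    """Placeholder 1-byte checksum; the real one was still unknown to the speakers."""
    c = 0
    for b in data:
        c ^= b
    return c


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one type-length-value frame with a 1-byte tag and 1-byte length."""
    if len(value) > 255:
        raise ValueError("value too long for a 1-byte length")
    return bytes([tag, len(value)]) + value


def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk TLV frames, refusing to read past the end on a truncated or lying length."""
    frames, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError(f"truncated TLV header at offset {i}")
        tag, length = buf[i], buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise ValueError(f"TLV length {length} overruns buffer at offset {i}")
        frames.append((tag, buf[i + 2:end]))
        i = end
    return frames


def build_packet(sender: int, recipient: int, index: int, total: int, body: bytes) -> bytes:
    """Outer type-3 frame around sender, recipient and fragment frames, plus checksum."""
    inner = (tlv(TAG_SENDER, struct.pack(">Q", sender))
             + tlv(TAG_RECIP, struct.pack(">Q", recipient))
             + tlv(TAG_FRAGMENT, bytes([index, total]) + body))
    frame = tlv(TAG_PACKET, inner)
    return frame + bytes([xor_checksum(frame)])


def parse_packet(pkt: bytes) -> Dict:
    """Verify the trailing checksum, then pull the known fields out of the packet."""
    frame, check = pkt[:-1], pkt[-1]
    if xor_checksum(frame) != check:
        raise ValueError("checksum mismatch")
    outer = parse_tlvs(frame)
    if len(outer) != 1 or outer[0][0] != TAG_PACKET:
        raise ValueError("expected exactly one outer packet frame")
    fields: Dict = {"size": len(pkt), "unknown": []}
    for tag, val in parse_tlvs(outer[0][1]):
        if tag == TAG_SENDER:
            fields["sender"] = struct.unpack(">Q", val)[0]
        elif tag == TAG_RECIP:
            fields["recipient"] = struct.unpack(">Q", val)[0]
        elif tag == TAG_FRAGMENT:
            fields["index"], fields["total"], fields["body"] = val[0], val[1], val[2:]
        else:
            fields["unknown"].append(tag)  # keep unexplained tags visible, crazy-wall style
    return fields


def fragment(message: bytes, sender: int, recipient: int) -> List[bytes]:
    """Split a message into numbered fragments, one packet each."""
    chunks = [message[i:i + FRAGMENT_BYTES] for i in range(0, len(message), FRAGMENT_BYTES)]
    return [build_packet(sender, recipient, n, len(chunks), c) for n, c in enumerate(chunks)]


def reassemble(packets: List[bytes]) -> bytes:
    """Rebuild the message; fail loudly if any fragment is missing."""
    parts, total = {}, None
    for p in packets:
        f = parse_packet(p)
        total = f["total"]
        parts[f["index"]] = f["body"]
    if total is None or len(parts) != total:
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))


def metadata_view(packets: List[bytes]) -> Dict:
    """What a passive listener learns with no key: endpoints, fragment count, volume.
    The body is never touched here; encryption hides content, not these fields."""
    senders, recips = set(), set()
    for p in packets:
        f = parse_packet(p)
        senders.add(f["sender"])
        recips.add(f["recipient"])
    return {"senders": sorted(senders), "recipients": sorted(recips),
            "fragments": len(packets), "bytes": sum(len(p) for p in packets)}


def sample_packets() -> List[bytes]:
    return fragment(SAMPLE_MESSAGE, SAMPLE_SENDER, SAMPLE_RECIP)


if __name__ == "__main__":
    pkts = sample_packets()
    for p in pkts:
        print(p.hex())
    print(metadata_view(pkts))
    print(reassemble(pkts))
```

The length check in parse_tlvs is the part worth copying into a real dissector: a frame whose declared length runs past the buffer is the classic way a hand-written TLV walker ends up reading garbage or crashing, and a sniffer that listens to whatever is on the air has to assume some frames will be truncated by bit errors.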
I'm not slamming goTenna, and I think it's a great thing, and I don't discourage anyone from using them. I just want you to understand the difference between anonymity and privacy and security. They're different elements. Now, in the broadcast you can see everything, from who's sending it to... it goes out to everyone. You can see the initials of who's sending the message, you can see GPS coordinates, the message, all that. Now, on the private side, I can still see the sender, but there's actually a little bit more I can see too. Not just the sender, but I can also see who it's going to. Yeah, so early in the conversation I can see who it's going to and who it's from. How does this bother us? Well, because maybe some of that could be protected a little bit better. You don't have to necessarily give away both ends of the conversation. I want you to think about Tor. Do we want everyone to know where we're starting and where we're going? Could be dangerous.

So as we move forward and we start looking at this, we start thinking, what would our goals be? What would we like to see? We'd like to see a little less information come out of that. And with that, initially the name of the program was Godump, kind of like airodump. But then we started realizing, wow, this is a little bit all-seeing: it sees everything going on, who's sending something, who's receiving something, what channel they're going to go to next; it lets us know how big the packet is. So if I know how much information you sent, where it started from and where it's going to, would that be of any value to anybody? If it is, it is; if it isn't, it isn't. I'm gonna leave it at that. So now what we're going to show you is a little bit about how Scapy plays into this, so you can see what it looks like. So what we're going to release?
Sauron. We want to kind of show you a little bit about what it looks like and how we put this into place, going from what we were initially using to Scapy. I'm sure all of you guys in here are familiar with Scapy, but to explain it a little bit better, just in case anyone doesn't know, it's a Python framework for understanding packets. So you give it a block of data; I've got this here, I called this variable M, and you feed that into an object, and Scapy will pull apart the fields as you've told it, and it will let you access them in a really easy programmatic way. So one of the things you can do here is packet.show(), and what you're looking at right here was a type 45 packet, which, if you guys remember, was the "here's the data I'm sending to you." So it automatically understands that it's a message fragment. It pulled apart the payload down here and separated that out for us. However, the payload, remember, it's a multiple-step thing, and so you might need more sequences or more fragments to make the complete payload. I know for a fact that this one was short, so I'm going to pull it out really quickly. I'm going to do packet.fragment... or, you know what, I can't even remember my own code, so we're not going to do this. We're just going to show you Sauron.

So we're moving to Sauron. All right. So you're going to see something similar to this, because what happened was, in the beautiful mind, he put all this together and he actually has it spit it out, so you have to do zero work. So do you see where it says "press enter to quit"? That's because right now we're live, and we're going to go ahead and just go live with this. Okay, because again, you probably want to see it. What's that? That's right. Let's just go live. Then we don't have to remember the code. So... oh, wait a minute. What is that? So Tim just sent a broadcast message over goTenna.
So this would go out... So if you had a goTenna, you'd be able to read and decrypt this too. But the simple fact is we now have a listener, a packet sniffer, that can listen to all of this and make it happen. Now, on top of that... Can't see it? You got it? They can't see it. There's nothing up there. Okay? Oh, shit's a biscuit. Okay, spelling errors are okay. Yeah, you're not in any of it. Okay. So while he's putting that back up: does anyone in here have a goTenna? If you do, send a message. Go ahead. What's the worst that happens? Let's go live. Everyone with a goTenna, launch it as fast as you can. Let's go. Tim does not want this to happen, but I do. Let's see it. Oh, if you're using your phone number, don't do it, unless you really want some things to happen. So, Tim, you're not paired with anything? I told you, kids these days. So hold on, let me get my goTenna up.

All right. So here's what we're gonna do. We're gonna go ahead and look at a couple of things. We're gonna launch some goTennas, we're gonna make some things talk, and go live with it. Okay, there we go. Now, so again, if you have a goTenna up, please feel free to send whatever messages you want and we'll just see what happens, randomly. Oh, you're paired, that one right there? Okay, we'll send it. All right, so now he's gonna send a message. Jared, is yours up? All right, so we got Jay Boone in the room, which, by the way, if any of you do software-defined radio, just amazing work. He's just incredible. So, yeah, what radio are you using? That's not it. Is anyone jamming any of the MURS channels? Go again. We don't know. Try it again. Okay. So what winds up happening is... We should switch HDMI. Go ahead, push it. Here we go. So we're gonna run off the other radio.
So when this is working, which typically it was up until earlier... that's why, if anyone is jamming MURS, please don't. So what'll happen is it'll actually spit out your message. So let me tell you what you're gonna be able to see: who sent the message, who the message is going to, and how large the message is. Oh, wait a minute. Oh, shoot. Can you go ahead and pull that up a little bit? It pulled up, there we go. So now we're up again. So wait, what is seven five seven five one two... oh, a phone number. So we're using a burner phone up here, and the burner phone's phone number is... although it's not quad zeros at the end, we've modified that out. You get to see where it came from, who it's going to, and what it means. And you see where it says "DEFCON"? That's the name of the individual who has listed that as their name. So if you said Jeff Wilson, it would say "JW." What we did is made a very long name so that the first initial of each name spelled out "DEFCON." But that's a live demo right there. You're actually able to see it. So sorry that didn't quite work out the way we hoped it would, but it's a live environment.

So, the metadata circle. This is like a lame thing that I came up with to try and explain metadata. So there's like five different things that are being sent out whenever you transmit packets: who, when, where, how much, and then the actual content. With cryptography you can kind of get rid of the content. You can hide that and make it so that people can't see what you're saying. The "who," that's a little tricky to hide, because at some point my goTenna has to say to someone else's goTenna, "I'm talking to you." Cryptographic protocols can compensate for that, but it makes it really tough to program, and it makes what's supposed to be a simple device really complicated.
But that being said, who it's going to, we understand why they have that. Who it's coming from, we definitely think that should be encrypted. As far as when, where, and how much: you're not going to get away from transmitting energy. You have to use energy to send a signal; there's no getting out of it. And especially since we're constrained in frequency, we've only got a particular... yeah, we got it. We've only got a particular bandwidth. We have to put all of our energy in that tiny, narrow channel so we can get a long range, and that just shows up like a thumbtack on the waterfall. So everyone's going to know when you transmitted. They're going to know where you transmitted, because they were with you when they caught that waveform. And they're also going to know how much got transmitted, just by the length. So it's understandable that you can't get away from those things there. Also, it's on a mobile device. I'm not particularly sure that mobile devices are the most secure things ever. I'm not convinced; that's just me.

So we did contact goTenna, and we said, "Hey, look, we'd like to talk to you guys about this. We think this was maybe perhaps a mistake in your design." And they did come back very... they were very responsive to us. They were very welcoming of our analysis and our report, and they were thankful for it. And they said, "Right now what we're promising our users is encryption. We're not promising them anonymity," right? So they said it's kind of like an envelope. You can look at the inside of the envelope, or you can look at the outside of the envelope and get the to and from, but the inside is encrypted. We didn't really study their cryptography protocol very much, because we're not cryptographers, but as far as we can tell, they are encrypting it.

Just to wrap up. So as we wrap this up, we're gonna go ahead and just talk a little bit more about this, and we're only gonna have a couple of questions. Ha ha, nice.
I love seeing the goTenna traffic that's kicking through here right now. So what we want to be able to tell people is, hey, as you go through and do this, there's a couple of key features that are going to be safe that we want you to think about. Do not use your phone number. Why? Well, that is just gonna be a bad day. There we go. Now we've got it kicking up, so see the to and from. Now, the couple of things that I want you to realize: goTenna, I think, is still a great product. If I send an encrypted message to somebody, a couple of things that are gonna wind up happening is that you're gonna have issues. Those issues are: if you use your phone number, I'm gonna see your phone number. If you send... hold on, pull down. Do you see that? Do you see right there where it says "location"? What's that? That just came across. Somebody just broadcast their actual lat and long. We can see that if they're using broadcast. Even if they're using encrypted, we can see who it came from, who it's going to, and the size of the packet. Anyone in here that does targeting? I think you understand what that means.

They were very receptive. They gave us a code that we can use if anyone wants to buy goTennas. They gave us a discount for DEF CON. We do not work for goTenna. We are not salesmen for anything else, but part of the responsible disclosure was to tell them. So they said, "Hey," they said, "Thank you. If anyone wants 15% off, use this code and you can buy our product." I'm a big fan of it.
Okay. But as you can see, we did go live. We had some recorded video, but we figured live was better, because you guys are a pretty impressive crew. Anytime, if you're a person that designs a protocol and you're using command channels, be careful with exposing where you're going to be next, who you're talking to, who you are, where it's gonna go, and the size of the packet. Because if you're a protester, if you're a government person, if you're anyone that uses this, realize: if I'm a celebrity and I walk down the street with a protective detail, I have security. If I'm that same celebrity and I disguise myself and I sit on the corner of the street like a homeless person that no one looks at, I now have anonymity, but I no longer have security. Just like the celebrity surrounded by a bodyguard detail doesn't have anonymity. The two are not always the same, and that's one of the biggest things we want you to take away from this talk. Security is not anonymity, and anonymity is not security, but each can be used to protect in certain and individual ways.

Yeah, further work. So we have a lot of work that's still not done. We haven't found the checksum yet; that's kind of embarrassing. We don't know how the cryptography works; if you're a cryptographer, we're gonna be putting this online in a couple of days, so we'd love your input. We haven't done anything with group chat or emergency broadcasts or any of these, like, millions of unknown fields. So we've got a lot of work to do still.

So I guess we've got about five minutes left. Some things that we wanted to talk about is just what worked in this project, if you're new to the security research field and you're coming into this.
There are some basic skills that are helpful. The first is: know your tools. cut, grep, sort, uniq, gnome-calculator, gedit. We can have the fancy tools with the hundred-dollar equipment, but if you can't use these basic tools, what use is your equipment? Just like Zero was saying earlier on. Also, know your formats: integers, chars, shorts, floats, hexadecimal, binary, strings. Know how to convert between them and move them around. Yep, we're finishing up. We're nearly done. Automation: you can do this with some of the tools. Woody, what's the name? Yeah, like D-Spectrum, but it's not gonna get you too far. You need automation.

So again, in conclusion, we appreciate your time. Understand how people communicate; know human patterns. Try before you pry: sometimes you might get that serial port before you have to solder into something. Change one thing at a time. And if nothing else, if you're a new person out there who's never had a chance to speak or be in front of a crowd, submit to the Wireless Village, because these guys are amazing. They'll put you out there, and they'll let you do it, and they're just good people. Thank you so much for everything you've done. These are Twitter handles.