G'day folks, my name's Ed, or Fuzz, and this is a talk on exploring the 802.15.4 attack surface. The talk I have for today is really more of an exploration: from knowing absolutely nothing to knowing enough to get a bit of familiarity and understanding with what's out there, and to start driving follow-on activities.

I run my own cybersecurity practice in Sydney, Australia, which I've been doing for the last few years, and I've been pentesting for a number of years as well, but I'm also now lecturing down at the Defence Force Academy in Canberra. This was a photo a friend of mine sent through a little bit earlier this morning, where we had the minister visit. That's kind of the guy that heads up stuff around cybersecurity in Australia from the government side of the house. Funnily enough we had our labs, and of course we had things going ping, so everyone that attended was very interested in some of the stuff that we were doing.

I took over the course for wireless and IoT security in 2017 and it's been evolving ever since. A couple of parts of that evolution have been: what do we really want to get out of the course, as well as some student contributions. I think we've found a bunch of 0-day in a number of our classes, in equipment that students have just purchased and brought in. Earlier this year we had a device from Costco that I decided to pick up, on which we found a couple of bugs in the HTTP interface. This was a home alarm system where the arm and disarm commands were sent by an app to an HTTP interface, and could be sent without authentication. Then a little late last year one of my students was like, "Hey look, it's awesome we're working in the 802.11 space, it's awesome we're working in 433 to 435 megahertz. Can we start doing ZigBee?" And it was, "Well yeah, okay... what's ZigBee?"
So as I was starting to go through a lot of my prep activity for this, it was: well, there's heaps of ZigBee stuff out there, but this really starts as part of the 802.15.4 standard, which deals with networks that are designed for low power, high interoperability and reliability. During the explorations, and you'll see a few of those a little bit later, there are different networks out there: LW measures is one I've seen a lot of, my way not so much, low pair not so much, but ZigBee all of a sudden started to become the common one, and the one that was fairly widely adopted.

So what are some characteristics about this? It does operate on the 900 megahertz and 2.4 gigahertz ISM bands. That being said, that doesn't mean your network cards will actually connect with it. It was funny, I was actually doing a heap of write-ups on some of the research I was doing, to which an observer had just said, "Well yeah, you can just do this with a Pineapple, right?" Yeah, okay.

Other facts as well: you'll typically find that there's a bridge to a control point or an internet connection, off the back of which you'll probably find somewhere on that bridge some sort of HTTP interface that's probably going to be vulnerable. You'll also note that there's actually limited user interaction on the hardware, so it could just be something as simple as a button push, or a couple of buttons, and that's it, with a lot of the other control features taking place in other parts. You also find that they're low power devices, low interaction, low traffic as well, which of course can lead to low security. The low traffic one I think was quite interesting from a discovery standpoint for the places I was researching around, in that actual capture and identification proved to be difficult as we were trying to do more drives and map out all sorts of networks. So yeah, as I noted, picking stuff up started to become quite difficult, but at the end of the day
it's a wireless network, and we will have the exact same issues in this environment as we've had for the last hundred and fifteen years, which will be: we can impersonate, we can monitor, we can replay, we can jam. All those same fundamental issues that we have with wireless security are still there.

This was a little map I drew up to get my head around: alright, what can we do, and how can we start doing any sort of targeted stuff on this network? Power consumption was one that came up as quite interesting, in that because a lot of these networks have independent power sources, either operated by battery and quite constrained by that, any sort of heavy interaction could drain power, and that could actually present a risk. The "fry" one was interesting, in that this came up in a discussion I had with someone who does research in electronic warfare: well, if you think about it, the nature of the devices means that they can only really receive so much power, and anything above that could actually damage the devices. Off the back of this we then still have our same consistent attacks, things such as jamming, monitoring, even locating networks as well, and these will stay quite consistent.

So whilst I was trying to prepare for this, hey, let's do ZigBee, let's actually start writing it into the course, I was struggling to find a lot of information out there. There's some really cool stuff by way of the KillerBee framework and some of the research Wright has done, but identifying products that we can research, outside of light bulbs, started to prove difficult, and then even getting an understanding of what these were was where I started to find things were falling short. I also had to start practising some of the tool sets that I wanted to introduce to a lot of my students. It was also another piece of getting my head around capture and analysis as well: what would that look like, and how could that be structured into a course? And also, at
the end of the day, I wanted to do something practical and relevant and fun that wasn't some sort of theoretical literature review or something that could be googled. So I kind of started resorting to: well, let's start actually exploring what is out there, so that we could actually start evolving something for students to train with.

In terms of software, you have the existing KillerBee platform, which is actually pretty cool, and then you also have a heap of software that you get from manufacturers; Texas Instruments have some pretty decent stuff out there. In terms of the hardware, you'll see the RZ Raven, which allows us to transmit and receive, which is pretty cool, but funnily enough the easiest piece of hardware I found to play with was this Texas Instruments receiver on the top left of the screen there. I've also procured another device from Europe, which is a Sewio Open Sniffer, so I'm going to be playing with that as things start to evolve. That will allow us to also work in the 900 megahertz ISM band, whereas the other two devices are really only focused on 2.4 gigahertz.

So what did this start to look like as I was doing research? My first setup was simply a Nexus 5 with the RZ Raven; all I was doing was walking around polling out for networks. Now the issue I have here, or one of the issues I did start to discover, was that only a handful of networks would actually respond to any sort of polling out that was actually getting done. The other problem you have as well is, if you think about it, your device is also having to do channel hopping, it's having to do it across up to 16 frequencies, so if you're walking along an urban environment where you mainly have a couple of metres to actually transmit and also receive on, you're probably not going to be able to capture everything. This was really cool from an
introductory standpoint: just walking up one of the main streets in Sydney, Australia, there was an air conditioning unit outside of a rather large financial institution, there was also a heap of shopping malls as well, so there were actually a fair few devices that responded to beaconing.

So what became evident off the back of that was: well, what if we did a proof of concept where we were able to set up with even just a couple of the Texas Instruments dongles and just receive off them? Also at this time I was playing with receiving off both the RZ Raven and the CC2531 dongles from Texas Instruments, and I was identifying that the TI kit was actually quite reliable for doing captures, and that at five dollars it's actually a far better... the five dollars I picked it up for from somewhere, it was far more reliable at receiving than the RZ Raven I purchased. So off the back of this I decided to put together a very simple proof of concept for capture. Now the software I was using, I was still using both software from TI as well as the KillerBee framework to start coming around and hunting for networks, and just off this setup alone a couple of the issues I was encountering were around power, so being able to power all the USB sticks proved quite difficult. Another issue I was having was just having the software remain stable and reliable on either the Nexus or on the Pis, which was also proving quite irritating relative to stuff I was doing off the back of a laptop. But off the back of this we were able to say, hey, well, we've been able to map out a few spaces just within the city around our office, so things actually worked quite well, and off the back of this we were able to start building things out a little bit more.

This is where I decided to get 16 dongles, one for each channel. There's also a really cool tool I discovered on GitHub that I'm also going through. However, I did notice that the outputs from the tool set
were starting to prove a little bit frustrating, so I had to actually start writing up a few scripts to convert that so that we could do some proper analysis. Also, the actual Pi and the Nexus were struggling to support all 16 dongles, so I decided to go back to my laptop to support all these dongles, which actually worked out quite well.

Off the back of this I started doing a whole heap of wardriving around Canberra and Sydney. This was the results for about 90 minutes in Canberra. I just popped up a QR code if you want to check it out; I'll leave that up there for a bit. But just to give you a bit of an explanation of Canberra and what's actually around Canberra: you'll see you've got the lake there, to the south of which you have the parliamentary triangle and a whole heap of federal government buildings, and to the north of it you kind of have the commercial centre of Canberra. What was quite interesting around this, and it was a consistent thing I was noticing across both Sydney and Canberra, was that a lot of hotels, and hotel locks, all were beaconing out, or all were transmitting, and transmitting quite a lot. This actually became a really interesting characteristic to track: a hotel lock would be communicating and just sending stuff out, and in this case you could actually see two different hotels. This one here is also a little bit interesting, and I'm getting someone shaking their head at me in the audience right now. One of those buildings is the Department of Foreign Affairs, which is also our Department of State. The problem is though, if you have a look, I also did a couple of loops around this building because I was seeing a lot of traffic on the southeast side of it, which I'm pretty sure is associated with the three or four hotels that are nearby, and then also somewhere around Parliament House I started picking up a few more of these.

So how did Sydney look? I thought it would be a fantastic date night
to go for a bit of a war drive, and Deb's laughing in the corner there. I thought it would be a fantastic date night to go for a bit of a war drive and introduce my girlfriend to what this is, wardriving. We managed to pick out 3,698 packets over three and a half hours before dinner. What was interesting here was Star City, which is the only casino in Sydney; there was a heap of traffic we saw around there. But there was also Harris Street. Harris Street is also where there's a whole heap of data centres in Sydney, I believe... say again? Global Switch, thank you. So Global Switch and two or three others are down there. This is also a brand new precinct that's also being built in Sydney recently, so we can see, with a new construction development, some new facilities being put up, and they've obviously got the latest and greatest tech, so there was a lot of traffic around here that we identified. Be mindful though, this is only after about a few minutes driving past each of these that we were able to at least just identify some of these networks.

So off the back of this, and saying yep, cool, we've found stuff, we can start saying well, this is what we understand is occurring in these buildings based on what we know about the premises. Off the back of this we can start doing things such as much larger collection and mapping out what is occurring, and then maybe notionally planning for any attack or exploitation, which at the end of the day, this is stuff that I don't actually own.

One of the things I have been doing a lot of off the back of this is building out what I call capture devices. This is a solar power plant in New South Wales, and this is a Raspberry Pi with a battery pack and a couple of dongles connected to it, and a note for anyone who decided to find it just saying, hey, call me if you see this. But yeah, we were able to just leave this sitting outside a solar power plant for about 24 to 36 hours to see what we could actually see.
So I managed to get about a 60 megabyte pcap off the back of this. Found some cool stuff, nothing major, but it's enough for us to start thinking through: alright, well, what can we identify here, and off the back of this what can we start doing?

So after all of this identification and large-scale capture, I've now started to identify as much tech as I can online to start purchasing and start building out labs and stuff. Simply typing ZigBee into Alibaba has brought up a whole heap of devices for subsequent research. I'm probably going to be doing a lot more of what I would call large-scale capture and analysis, throwing out a lot more Pis to actually collect information. Now that I have a bunch of devices that I purchased, I should actually start to do a few more targeted attacks on them. I'm also trying to work out: can I actually have students in an emulated environment off the back of Raspberry Pis, where we'd just be replaying traffic that we've either captured or simulated? And even probably building out a few more of the tools. I mean, at the end of the day there's a lot of existing tool sets out there; it's turning into how do you apply those to the environments that you're testing, and that I think really became one of the things I started doing over the last six months, to work out well, this is what we'll be doing for our students. So this is very much still an evolving piece for me, so hopefully I'll be having a lot more over the next six to twelve months. If you have any questions, if you have any thoughts or even any suggestions, feel free to email me. Also my business is available by the QR code as well if you want to touch base or chat. Guys, thanks for having me.

Are there any questions? Nope, everyone's tired. Thank you.
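Editor's added example, not code from the talk, from KillerBee or from the TI tooling: the speaker describes a 16-dongle setup (one per 2.4 GHz channel) and scripts that convert sniffer output into something analysable. The block below is one such converter, written for an audit of your own site: it decodes 802.15.4 beacon frames (MAC layout per IEEE 802.15.4, frames constructed inline), checks the FCS, and tallies which PANs were seen on which channel and whether they advertise association permit. The names `crc16_itu`, `channel_mhz`, `build_beacon`, `parse_beacon` and `inventory` are mine.

```python
import struct
from collections import defaultdict
# Added example, not code from the talk or from KillerBee/TI tooling: decode 802.15.4
# beacon frames captured per channel and tally the PANs seen, as a site audit would.

def crc16_itu(data: bytes) -> int:
    """802.15.4 FCS: CRC-16, poly x^16+x^12+x^5+1, init 0, LSB first (reflected poly 0x8408)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def channel_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.15.4 channel (11..26): 2405 + 5*(k-11) MHz."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz channels are 11..26")
    return 2405 + 5 * (channel - 11)

def build_beacon(pan_id: int, coord: int, seq: int, permit: bool) -> bytes:
    """Constructed test beacon: FCF, seq, src PAN, 16-bit src, superframe spec, GTS, pending, FCS."""
    fcf = 2 << 14                                   # frame type 0 (beacon), no dest, short src addr
    sfs = 0x40FF | (0x8000 if permit else 0)        # BO=SO=15 (beaconless), PAN coordinator, permit
    body = struct.pack("<HBHHHBB", fcf, seq, pan_id, coord, sfs, 0, 0)
    return body + struct.pack("<H", crc16_itu(body))

def parse_beacon(frame: bytes):
    """Decode a short-addressed beacon; None for other frame types, truncated or bad-FCS frames."""
    if len(frame) < 13 or crc16_itu(frame[:-2]) != struct.unpack("<H", frame[-2:])[0]:
        return None
    fcf = struct.unpack("<H", frame[:2])[0]
    if fcf & 0x7 != 0 or (fcf >> 10) & 0x3 != 0 or (fcf >> 14) & 0x3 != 2:
        return None                                 # not a beacon, or not a 16-bit source address
    pan_id, coord, sfs = struct.unpack("<HHH", frame[3:9])
    return {"pan_id": pan_id, "coordinator": coord, "security_enabled": bool(fcf & 0x8),
            "pan_coordinator": bool(sfs & 0x4000), "association_permit": bool(sfs & 0x8000)}

def inventory(captures) -> dict:
    """captures: (channel, frame) pairs, one dongle per channel -> {(channel, pan_id): summary}."""
    seen = defaultdict(lambda: {"count": 0, "association_permit": False, "mhz": 0})
    for ch, frame in captures:
        beacon = parse_beacon(frame)
        if beacon is None:                          # data/ack frames and corrupt captures are skipped
            continue
        entry = seen[(ch, beacon["pan_id"])]
        entry["count"] += 1
        entry["association_permit"] |= beacon["association_permit"]
        entry["mhz"] = channel_mhz(ch)
    return dict(seen)
```

Feeding it a real capture means first converting each sniffer's output to (channel, raw frame bytes) pairs; the per-PAN counts then make a beaconing hotel lock or an association-permit coordinator stand out from the background traffic.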