Hi, everyone, and welcome to track one, the 3 p.m. talk. Tonight our speaker is Amin Ra, and he is going to be speaking about how to hack your way out of home detention. Ladies and gentlemen, Amin Ra.

Hey, can you guys all hear me? Yeah? Louder. Louder? Can you hear me now? Cool. Okay. So you all know where you are. You know what this talk is. Introduction slides. I am Amin Ra. Some of you know me. Most of you don't. I work for a consultancy company doing pen testing. I should probably run over some disclaimers, but you're all big kids. What you do is your own responsibility. I legitimately own the system and don't just hack it, blah, blah, blah, academic use only. Don't be evil. On a more serious note, authorities are very upset when people tamper with home detention systems. If you do try and use this in the wild, you might be sent to jail for it, so I recommend only doing it in a lab.

I'm sure we've all heard of home detention tracking systems. They're in the news. People are sentenced to this reasonably regularly. A couple of examples of crimes that have been given home detention sentences: someone last year in LA was sentenced to home detention for an immigration scam, and more recently someone hacked someone's email and got some home detention. So they tend to be nonviolent, relatively low-risk crimes. If you're a murderer, you probably won't get home detention. How do these systems actually work? It's all very well to talk about them, but how do they operate? The goal is to restrict the movement of a person who's been sentenced. So instead of being sent to jail, they'll be given some amount of time where they're not allowed to leave their home. And this is quite attractive for enforcement agencies because it's much cheaper. They have to pay for their own accommodation and food. It's a lot cheaper for the taxpayers. There are two general categories of tracking systems.
The older generation would have a bracelet or anklet that would transmit a signal to a physical unit in the home that was not movable, and that would communicate with a monitoring station over a standard wired telephone network. Most of these systems are now considered legacy. None of the new systems work like this. But because they're legacy systems, they're obviously still widely used. All of the modern ones are moving to a new type of system. That system uses GPS, so it can track you anywhere in the world. It doesn't have to be near your home. It uses a cell network, so it's not restricted to wired telephone lines. But it still may use a local beacon, which we'll look at later in the talk.

Is this relevant here? The simple answer is yes. I haven't been able to find recent statistics, but an article I found from 2012 suggests that there are hundreds of thousands of people at any time on home detention. And we can see why that is, because it costs a lot of money to keep someone in prison. It's a lot cheaper for the government if they can monitor you within your own home. So obviously I have a device. Now, how would you get one? I guess somewhat reasonably, the people who build and operate these systems are very reluctant to release any information. They're quite sensitive about it. So it's quite difficult to find information about them. If you Google for this, you're not likely to find much. There is a simple way to get hold of one. Can you guess? Yeah. You could commit a minor crime, but I decided to go the more legitimate route. So I found a company that builds these units in Taiwan. I managed to talk them into giving me a sample unit under the pretense that I was going to evaluate it for my company. I don't really care. I had to pay quite a bit of money, which, if you have done business in South Asia, you will know that there's a fine line between the cost of products and bribery, but I have the system. That's all I care about.
Because I bought it from a manufacturer, they're obviously not going to tell me who their customer base is. And like I said, enforcement agencies are quite secretive about what technology they use. So I don't actually know where this unit is used. It could be, you know, right here; it may not be anywhere in the States. Someone somewhere is using this vulnerable system, because there's a market for it. I don't know who. Some of the vulnerabilities I'll be talking about are quite specific to the implementation of this system, and so they probably won't be relevant to other systems. Some of them are reasonably general issues, and so they'll probably be relevant to other systems as well. Even once I got my hands on it, because it was a sample unit, it didn't come with documentation, so I wasn't able to operate it properly. I did a bunch of Googling and was quite lucky to find another system that used the same code. It's used for tracking cars, and I got a manual for that, so I know how to use it. Obviously, because it's the same system, it's also vulnerable to the same flaws.

How does this particular system operate? It uses GPS, as one of the new systems. It also has a base unit which transmits a low frequency, or lower frequency, beacon, and it has a large amount of tamper detection features, which we will look at once we open the case. Battery life is around a week, but you can recharge it while it's on your ankle, so you don't have to have someone come and change the battery. The base unit also has a battery. It communicates in two different modes, both SMS and GPRS, so you can either communicate with text messages or to a server on the internet through a socket. You can remotely reconfigure the device. So you can send it commands, change the settings, for example change the position where the person has to remain, remotely. You don't have to go and physically update the settings. So here I have the base unit.
We won't spend a lot of time looking at this, because there's not very much in it, really. It's a pretty simple system. There's some tamper detection so that if you try and open up the case, it will send a message, which will be relayed by the anklet to the authorities. But there's not a great deal of technology in there. Most of the interesting stuff is in the anklet itself. This is like a close-up picture of what it is, but it's not that much of interest. The anklet, the bit that goes on your leg, is far more interesting. So this is what it looks like if we take off the strap. This is what the inside of it is. Some features that are interesting: we've got a reed switch. So there's a magnet in the strap. If you remove it, it can detect that and will send a warning, a tamper warning, to the people monitoring it. Same thing with the push pin. Remove the strap, there's a warning. There's an infrared LED and an infrared sensor. So this is also for tamper detection. How this works is there's a piece of fiber optic cable that runs around the band, around the strap. If you take bolt cutters and try and cut through it, that'll disrupt the infrared signal and the system will again send an alert. Other features: obviously there's where the battery is plugged in. There's a SIM card and some kind of programming header. I don't really know; I haven't tried reprogramming it. So when we actually open up the circuitry so we can see exactly what's in it, we have an off-the-shelf GSM cell network module that takes care of all of the network communications. We have a standard NAND flash memory chip which is used for storing settings and storing locations when logging is turned on. There's a vibration motor so you can automatically trigger alerts, so that if someone moves into an area where they're not supposed to be or leaves an area, you can make the anklet vibrate so that the person is immediately warned that they're somewhere they're not supposed to be.
If we flip over the circuit board, we've got a standard Texas Instruments microprocessor. It's just off-the-shelf. That'll take care of all of the processing on the system. I'm not sure if you noticed, but you will have seen this module on the base unit as well. There's no identifying information on it, so I don't know if it's custom built or if it's off-the-shelf. But it's obviously used for the local low-frequency radio transmissions. I don't know anything more about it than that. Obviously, we have a GPS module that's pretty standard. So when this device is operating, there's a large range of different features and settings and stuff you can change. These are the most interesting ones, but it's not an exhaustive list. I won't go over them in detail, but you can change things like the user and their password, or the coordinates where the user must remain, and what happens when they tamper with it, all these sorts of features.

Right. So that's enough about the system for now. On to the security of this system. As we know, it communicates over the cell network. So in this case, GSM. GSM security has been investigated a lot by other people in the past. It's encrypted, so you can't just view traffic that's sent over the air. There's a secret key that's embedded in the SIM card that's used to authenticate the SIM card on a network. But it's a well-known feature that the reverse is not true. A SIM card or a cell phone does not usually verify the authentication of the network. So this means it's possible to spoof a cell phone network. There's a temporary key which is used to encrypt traffic on the fly that's generated once the SIM card is authenticated. The SIM card does not know its own cell phone number. It has a unique ID which is then mapped within the telco to a number. This is relevant to the SIM card. This is relevant to what we'll be talking about. I have a bladeRF. This is a software-defined radio. I'm not going to go into details about it.
Suffice to say that it allows me to receive and transmit within the cell network frequencies. YateBTS is an open-source GSM stack. It allows high-level scripting in JavaScript, so you can easily change how the network operates. If you know the network number and country number of a cell phone network, which are publicly available information, you can spoof that network. It's obviously illegal to do this, but from a technical point of view it's not hard. I have a DIY Faraday cage here. Two reasons for that. One is that I need to block some of the signal because my transmitter is not very powerful. So if I block some of the legitimate cell phone signals, it means the device is more likely to switch to my fake network. Another reason is that it's illegal to transmit in the cell phone network without a license. And so I don't want to go to jail. As I said, there are two different modes this anklet operates in. If it's in TCP mode it uses a socket. It's not encrypted, so you can interfere with that. You can tamper with it. I haven't been able to do this because I haven't been able to get GPRS working on my bladeRF, but there's nothing to stop you doing that. If it's in SMS mode, it's a lot more difficult, but as we'll see it's still possible.

So let's assume that we have a fake network and the device is now authenticated to it. When it sends a status update about where the person is, we can now see that message. So let's have a look at what the content of the status updates is. The username. So that's obviously what is sent when we're authenticating messages. So when you change settings, you send it a username and a pin. When it sends an update, it sends back the username. This is a major issue because now we can just capture the username and replay it. So we only need to get the pin before we have full control of the system. The next part of the message is a standard GPS coordinate. That's quite easy.
The last part of that is a checksum, but it's not a signature, so we can recalculate the checksum. We don't need a key for that. The message is... Oh, it appears to be custom. I haven't found any documentation about what it is. I can guess some of it or derive some of it. But we don't have to. So there's the message relayed from the base station. There's the charging status. Those things are pretty certainly there. Things that it might include, but I'm not 100% sure on: how much battery is left, how many local cell towers there are.

It's possible to spoof the sender information from a text message. Normally when you receive a text, it obviously has a sender number, but I'm sure you've all received messages from a company name. That's because the sender information is just a string. It's not forced to be a cell phone number. That's just enforced by the local network. But people have set up restrictions without much regulation. When they send a message to a local cell phone, they pass the message to the local carrier, who has to trust the sender information. They have no way of verifying that. So you can send anything you want. You can use it to fake the sender number. They cost a small amount of money, but it's quite easy to do. I'm using a serious game, but there's a range of different providers. If you want to spoof a number, you have to know what number you want to spoof, because, as I said, the SIM card only has a unique identifier, not the cell phone number. But it's possible to get the cell phone number. We can pull out the SIM card, place it in a phone we control, and send ourselves a text message. That would obviously get the information, but if we open it, it's going to send a warning, right? So we can't do that. Well, a naive solution to that would be to wrap it in aluminum foil and block out the signal so it can't send that tamper detection.
That doesn't work because the designers thought of this, and if it can't send a message, it writes it to memory and retransmits it as soon as it can. The trouble is that it only checks that it's been sent from the network. The network acknowledges, yes, message delivered. It doesn't do an end-to-end check. So if it's connected to a fake network, we can just say, your message was delivered fine. You don't need to worry about it, and then it doesn't retransmit it. And we have it connected to a fake network. So we can do that. We can just put it on a fake network, pull out the SIM card, put it in our own phone, send ourselves a message, and we have the number. We could replace the SIM card and forward messages to our own phone, but if the authorities come and check the device, they're going to know that it's been tampered with. So maybe not a good idea.

Option number two. As I mentioned, because it transmits the username, we only have to get the pin number before we can control the device. So we could possibly brute force it, maybe. The default pin is just four zeros. If it's set by a human, it's probably not random. We might be able to dictionary attack that. The problem is that because it's going to be on a fake network, any status updates that are sent will not be delivered. So we need to stop the fake network, tell it that the message was not delivered, stop the network, and then have it retransmit on the legitimate network, and then start up our fake network again. That's an option. If it's configured to transmit very frequently, this won't work, because it's going to spend most of its time switching networks and very little time brute forcing the pin. But if it's transmitting reasonably infrequently, say once every second, brute forcing the pin works. The advantage of this way is we're not just faking the messages. Once we have the pin number, we can take complete control of the device. Is it possible? So the pin must be four characters. It cannot be longer or shorter.
It is only letters and numbers, no special characters. With these constraints, we have a bit over a million and a half possible pins. I've got not-great hardware, so I haven't been able to get these speeds, but on the internet it says it's possible to get around 30 messages a minute. That's just about 40 days, so that's a really long time. But you're sitting at home on home detention, so what else are you going to do?

Okay, option number three. So there's a tool called Kraken and some rainbow tables for attacking GSM communication. A guy much smarter than me has done research on this and he released this tool. Basically it allows you to capture GSM traffic off the air and, in certain circumstances, decrypt that to get the plain text. You can potentially forge messages, and the cell network will believe it came from the device because it has the same key. You could forge a message to a phone you control and it will appear to come from that SIM, so you can get the number that way. A downside to this is you can't intercept and block legitimate status updates, which you can with the other two methods, because it's not on your network. I haven't done this because I only have one SDR, but I think it's probably possible to place the device with one SDR in a Faraday cage and have another SDR outside the cage, and then decrypt the traffic on the fly as it flows through a laptop and therefore filter out messages. Although the key changes quite often, like every 10 minutes, so you need to sit there with the laptop; you won't be able to go elsewhere. If you can snoop an incoming message, so a message that is changing a setting, then you can get the pin number and have control of the device, but you're probably going to have to wait a long time because it won't be updated frequently. Okay, so you and the judge may have different definitions of Alcoholics Anonymous, but let's say he sent a message to go to them.
Alright, so we're going to do a demo. What we're going to be doing is we're going to assume we already have the number, because that takes some time to get, so we don't have time for that in the demo. We're going to assume we got it from one of those methods. We have a Faraday cage and an SDR. We're going to spoof a cell network. We're then going to get the messages, the status messages that the device is sending, replace the location information, recalculate the checksum, re-encode the message, send it to an SMS spoofing service, and then we'll see that the message has been changed. Because it's encoded, it's a little difficult to obviously see that it's changed, so I've put together a Google map which will show us which points were received by my cell phone, in this case it's pretending to be the monitoring station, the authorities, and which points were captured on the spoof network. Here's the map. So if we look at, I have the phone here, here are the messages. It has three messages that I sent earlier today. So I have a script which will check for messages on the phone and display them on a map. So these green points are messages that were delivered to the end system, the monitoring station in this case. We're going to start running. So this is the cell phone network, basically, and we have a script which will search through all the messages that it sees and then also display them on the map. They're going to be displayed in red. So because I've got this case open, it's going to beep, because it thinks I'm tampering with it. So now we're going to place this in the Faraday cage with the transmitter and we'll run our network. So this may take a minute or so to start, but we should start seeing network information. So that's bringing up the radio. Radio ready. So the network is all up and running. Now we just have to wait for the device to authenticate to it instead of the real network. So it can take a few minutes, but it's configured to send a status update around three times a minute, so we shouldn't have to wait too long. As you can see, it's just information about the low-level network events. So it's authenticated to the network. It's talking to the network. We should see here soon the content of one of the status updates. Yep. So, oops, well, I don't know if you saw that, but let's see if we can scroll up just here. This is the content of one of the messages it sent. So let's look at the map. So as you can see, we've got some red points. So the green points are what's showing up on the phone. The red points are faked. Now we should see more of these. Let's see if we've got more points. Yep, we've got another point there. Let's just kill this green. Thanks. Okay, so as we can see, basically we're faking points. Now normally what you'd want to do is fake points that showed you being at home while really you were at the pub or somewhere, but in this case we are not doing that. We're just going to fake them so that we're next door, because I can't leave and fake me being here. Alright. Okay, so, sorry, I'd rather not drink. Alright, so the base unit. Yes, I do. You gonna force me to drink? What's wrong with hacker cons? It's water. It's a death car. Okay.

So the base unit. Why would it have this unit when it has a GPS locator? The reason is that GPS is quite expensive in terms of battery power, and it's not particularly accurate indoors. So most of the time you're going to be at home near a base unit, so it can save a lot of power transmitting a local signal. When it detects a signal, it doesn't need to get a GPS fix. This transmits at around 434 megahertz. It's using FSK, so you can see on the right-hand side of the screen, that's an actual sample that I captured from this device. It transmits every 10 seconds. Is this interesting? It transmits a static message. It doesn't change. Well, it does change if you power on and off the device, but it doesn't change during operation, so you can just retransmit it. I don't know if it's unique to the device, but yeah, record it, retransmit it.

Um, yeah, so this has been kind of cool from an academic point of view, but let's look at how it works in the real world. Often, like I mentioned earlier, if you tamper with a system in operation by the police, they will probably be very upset and try and send you to jail. If you tamper with a system that's not yours, someone else may go to jail. They might come and get you in retaliation. So don't use it. So what you can do is, as I mentioned, it transmits a signal, a known signal. We can look for that. It's obviously not a very powerful signal. It's meant to only cover the range of someone's house, so you're going to need special equipment to find it, and it might be easier to just find out where someone lives by figuring out who's on home detention. If you do find them, you can easily jam all of the signals from this device. It's quite cheap to buy this equipment from China, but it's obviously illegal, so you wouldn't do that. You could maybe, like, this is very maybe, quite hard but not necessarily impossible, perform the attacks we did remotely. So if you sat outside their house in a van you might be able to do them, but I think it's going to be pretty difficult. Can we make money from the system? That's the obvious question. To our advantage, if someone tampers with their system or breaks the terms of their home detention, they're usually sent to jail, because the sentence of home detention is usually an alternative to a short time in jail. Could we blackmail the user? Maybe we can make it look like they're tampering with their system and get them sent to jail. Maybe, but I think it would be kind of difficult. A more viable option would be to build a device or a service which you just strap to your leg alongside the tracker, and that performs these attacks automatically and lets them leave their home. Now that's actually sort of feasible. I haven't done this, obviously, because that would be really illegal. Our final option is maybe you'll be able to find someone who hates the person on home detention and get them to give you money to tamper with the system and get that person sent to jail.

So finally, there are issues with these systems. Like, we like to think they're secure because they're part of the justice system, but they are not perfect by a long shot. Some of the things that I found with the system can be easily fixed. There's no reason not to fix these issues, like mutual authentication, so authenticate the tracker and the monitoring station, not just one way. And encryption: people rely on the encryption of the cell network, but it's been well known for a long time that it's not very safe, so people shouldn't rely on that. They shouldn't retransmit the username. They should use better pins; there's no excuse for that. Some stuff is very hard to fix with this design, and that's jamming of the system and finding out where the users are. It's basically impossible to fix them. Are there things in the future we could do with this? Yes. Given how poor the rest of the system is, it might be possible to get code exec or DoS or something through sending it... I don't know, I haven't tried that, but it would be cool to look at. The flash memory is a standard chip. There are tools out there that let you dump the code from that. You can potentially reverse engineer it and look for bugs or backdoors in the system. It would not be difficult to write an Android simulator so that you can pull out the SIM card, put it in your phone, and that will pretend to be the anklet. You can also spoof the GPS location, and that will cause it to think it's in a different location. Actually, someone is talking about that right now in a different room. Why are you here? There's a better talk happening.

Questions. I don't know how much time we have. Does someone have any questions? Yes. So, this particular unit, or home detention systems in general? It was just a friend of mine said, hey, I wonder how secure these systems are, and I was like, hey, that would be a cool project. So I bought one. Anything else?
Sorry? No, it's all of my work. He just said it in passing and I spent a thousand dollars on hardware to get it. I don't know for sure. When I was searching for manufacturers I found a half dozen different manufacturers, each with a few different models of trackers, so I'd estimate it on the order of a few dozen, but I don't think there's that many. Anybody else? Yeah. No, like I said, people are very cagey about information with these systems. No one will tell me who their customers are, or jurisdictions won't tell me which system they use, so I really have not been able to find out where things are used. So the question is, if we can replay the signal from the base station, why don't we do that? It's a lot easier than trying to attack the cell network communications. The reason is that it's only sometimes useful. So the device can be configured to always check the GPS location, or it can be configured to only check when it's not in the home, and you don't really know whether it's in one of those two modes. So if it is, then it's definitely the easier attack, but you don't really know that. Anybody else? No? Oh, yes. So you're asking, is anyone interested in building better systems? Oh, no. As far as I, I mean, no, none of the manufacturers or anyone have talked to me about it, so I don't really care. So the IR tamper detection device, sorry? Yeah, so it's just an infrared LED as far as I know, and it transmits a signal of some kind. It's an emitter and a detector that is fed through a piece of fiber optic that runs around the band. If you cut the fiber optic, the light is going to be disrupted, it won't reach the receiver, and so then it will send an alert. So that's how the IR tamper detection works. Yeah, so possibly. That's beyond my skill level, I couldn't do that, but there are definitely people who are able to tamper with and tap into fiber optic cables, and so yeah, I think that's plausible. Yep. Is that everybody?
I did read about that. I know 4GS is used in a number of countries. This is not one of their devices, but yeah, I wanted to try and get their device but I couldn't get them to give me one. Yeah. Is that everybody? Cool. Well, thanks for coming.
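Added example, not code from the talk or from the device's vendor: the status update described above carries a plain checksum rather than a signature, and the talk's closing fixes are mutual authentication, not retransmitting the username, and an end-to-end check instead of trusting the network's delivery report. The message layout, the XOR checksum, the HMAC scheme, the key and the coordinates below are all constructed stand-ins for the tracker's undocumented protocol.

```python
import hashlib
import hmac

# --- Message as the talk describes it: username, GPS coordinate, payload, checksum.
# The XOR checksum is a constructed stand-in for the tracker's undocumented one;
# the point is only that it carries no secret, so anyone can recompute it.

def xor_checksum(body: str) -> str:
    """NMEA-style 8-bit XOR over the message body, as two hex digits."""
    acc = 0
    for byte in body.encode():
        acc ^= byte
    return f"{acc:02X}"

def build_checksum_update(user: str, lat: float, lon: float, status: str) -> str:
    body = f"{user},{lat:.5f},{lon:.5f},{status}"
    return f"{body}*{xor_checksum(body)}"

def checksum_update_valid(msg: str) -> bool:
    """All a monitoring station can check without a key: the checksum matches."""
    body, _, tag = msg.rpartition("*")
    return tag == xor_checksum(body)

# --- Hardened design (constructed, not the vendor's): a per-device secret key,
# an HMAC tag instead of a checksum, a counter so a captured update is single-use,
# and an ack that is itself tagged so the device gets an end-to-end receipt
# rather than trusting the network's "delivered".

def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]

def build_auth_update(key: bytes, counter: int, lat: float, lon: float, status: str) -> str:
    # No username on the wire: the key that produced the tag identifies the device.
    body = f"U,{counter},{lat:.5f},{lon:.5f},{status}"
    return f"{body}*{_tag(key, body)}"

class MonitoringStation:
    """Receiver: verifies the tag, rejects replays, answers with a tagged ack."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def receive(self, msg: str):
        body, _, tag = msg.rpartition("*")
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return "bad_tag", None          # wrong key, or fields altered after tagging
        counter = int(body.split(",")[1])
        if counter <= self.last_counter:
            return "replay", None           # this update was already accepted once
        self.last_counter = counter
        ack_body = f"A,{counter}"
        return "ok", f"{ack_body}*{_tag(self.key, ack_body)}"

class Tracker:
    """Device: keeps each update queued until a tag-valid ack for its counter
    arrives, so a network-level delivery report alone never clears it."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0
        self.pending = {}

    def send(self, lat: float, lon: float, status: str) -> str:
        self.counter += 1
        msg = build_auth_update(self.key, self.counter, lat, lon, status)
        self.pending[self.counter] = msg
        return msg

    def handle_ack(self, ack) -> bool:
        if ack is None:
            return False
        body, _, tag = ack.rpartition("*")
        if not body.startswith("A,") or not hmac.compare_digest(tag, _tag(self.key, body)):
            return False
        return self.pending.pop(int(body.split(",")[1]), None) is not None

if __name__ == "__main__":
    key = b"constructed-per-device-key"   # would be provisioned per anklet
    station, tracker = MonitoringStation(key), Tracker(key)
    update = tracker.send(-36.84846, 174.76333, "HOME")
    print(station.receive(update)[0])      # ok
    print(station.receive(update)[0])      # replay
    print(station.receive(build_auth_update(b"guess", 5, -36.85, 174.77, "HOME"))[0])  # bad_tag
```

With the checksum design, a message built for any coordinate validates; with the tagged design, a message with a changed coordinate, a message built under a guessed key, and a re-sent message are each rejected, and the device's queue only clears on an ack the station could actually have produced.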