1 00:00:00,000 --> 00:00:03,079 speaking of kakalaki 2 00:00:03,839 --> 00:00:07,160 con in its uh previous history also so 3 00:00:07,160 --> 00:00:08,559 Daryl Highland principal security 4 00:00:08,559 --> 00:00:11,320 researcher at rapid 7 uh there's no 5 00:00:11,320 --> 00:00:13,080 sense in wasting time on me that's 6 00:00:13,080 --> 00:00:15,200 boring so let's go ahead and move into 7 00:00:15,200 --> 00:00:17,720 the talk so we're here to talk 8 00:00:17,720 --> 00:00:21,760 about iot technology and cellular 9 00:00:21,760 --> 00:00:24,519 technology within iot specifically so 10 00:00:24,519 --> 00:00:27,480 this is a project that I started about a 11 00:00:27,480 --> 00:00:29,439 year or two ago it was like as we see 12 00:00:29,439 --> 00:00:32,320 this growth both in cellular technology 13 00:00:32,320 --> 00:00:34,840 and iot uh either used in like home 14 00:00:34,840 --> 00:00:36,680 security systems for back hul 15 00:00:36,680 --> 00:00:40,000 Communications we also see it in uh 16 00:00:40,000 --> 00:00:42,440 remote camera devices uh the device I'm 17 00:00:42,440 --> 00:00:44,920 actually going to be using in demo today 18 00:00:44,920 --> 00:00:47,280 is a trail camera battery operated trail 19 00:00:47,280 --> 00:00:50,600 camera as an example and as I've started 20 00:00:50,600 --> 00:00:53,239 looking at these devices and trying to 21 00:00:53,239 --> 00:00:55,480 observe them I'm going to try to 22 00:00:55,480 --> 00:00:58,239 share a lot of different topics in this 23 00:00:58,239 --> 00:00:59,960 area and I think it's kind of fun and 24 00:00:59,960 --> 00:01:01,280 exciting and I hopefully you enjoy it 25 00:01:01,280 --> 00:01:04,119 too uh if you have any questions uh it 26 00:01:04,119 --> 00:01:06,479 isn't like we got such a large a 27 00:01:06,479 --> 00:01:08,840 audience feel free to like raise your 28 00:01:08,840 --> 00:01:10,880 hand uh if you have something to say or 29 00:01:10,880 --> 00:01:14,119 a question to ask 
about it so so first I 30 00:01:14,119 --> 00:01:16,840 want to start off with intro to Cellular 31 00:01:16,840 --> 00:01:19,400 technology not all cellular technology 32 00:01:19,400 --> 00:01:21,799 but what we typically see utilized in 33 00:01:21,799 --> 00:01:25,680 iot isn't like cell phone cell modules 34 00:01:25,680 --> 00:01:29,280 which uh way more bandwidth you know 35 00:01:29,280 --> 00:01:30,880 you're you you're downloading in your 36 00:01:30,880 --> 00:01:32,759 internet you're taking pictures there's 37 00:01:32,759 --> 00:01:35,000 just all kinds of crazy things going on 38 00:01:35,000 --> 00:01:38,399 iot based technology usually uh is quite 39 00:01:38,399 --> 00:01:41,040 different when you talk to Cellular so 40 00:01:41,040 --> 00:01:43,200 uh the whole group is maintained by this 41 00:01:43,200 --> 00:01:45,880 uh uh this group called 3gpp I think 42 00:01:45,880 --> 00:01:48,360 tells what it is there uh that group 43 00:01:48,360 --> 00:01:50,320 actually doesn't run the standards but 44 00:01:50,320 --> 00:01:52,000 it runs all the organizations that run 45 00:01:52,000 --> 00:01:53,680 the standards so they kind of see 46 00:01:53,680 --> 00:01:56,600 oversee the whole picture uh and what 47 00:01:56,600 --> 00:01:59,560 you think about an iot based saor three 48 00:01:59,560 --> 00:02:00,920 General areas you're looking at things 49 00:02:00,920 --> 00:02:04,000 are size smaller has go into a smaller 50 00:02:04,000 --> 00:02:06,240 device in some cases we're also looking 51 00:02:06,240 --> 00:02:10,080 at Cost obviously if it cost $200 for a 52 00:02:10,080 --> 00:02:12,360 cellular module in some cheap crappy 53 00:02:12,360 --> 00:02:14,319 piece of iot it's never going to be 54 00:02:14,319 --> 00:02:16,360 there so it has to be cheap and then we 55 00:02:16,360 --> 00:02:18,560 get into power power consumption is 56 00:02:18,560 --> 00:02:20,160 always an issue because you're dealing 57 00:02:20,160 --> 00:02:22,560 with 
devices that may be battery 58 00:02:22,560 --> 00:02:24,480 operated so if you want to do 59 00:02:24,480 --> 00:02:26,760 transmission of data if you consume a 60 00:02:26,760 --> 00:02:28,239 lot of power you're going to drain the 61 00:02:28,239 --> 00:02:30,519 batteries quickly so these devices fall 62 00:02:30,519 --> 00:02:33,599 into those categories two general type 63 00:02:33,599 --> 00:02:38,120 of devices we call mbot and LTM there's 64 00:02:38,120 --> 00:02:39,560 couple different versions each one of 65 00:02:39,560 --> 00:02:42,280 those uh real quick on the 66 00:02:42,280 --> 00:02:45,840 nbiot this kind of functions in several 67 00:02:45,840 --> 00:02:48,560 different modes you have LTE and band 68 00:02:48,560 --> 00:02:50,400 which is communication goes in the 69 00:02:50,400 --> 00:02:54,280 actual LTE bands you have a guard band 70 00:02:54,280 --> 00:02:55,599 so when you start looking at the 71 00:02:55,599 --> 00:02:57,879 channels or the bands in the LTE signal 72 00:02:57,879 --> 00:03:00,599 range there's gaps between them those so 73 00:03:00,599 --> 00:03:02,480 a device can actually communicate out of 74 00:03:02,480 --> 00:03:04,840 those or in between those two bands it's 75 00:03:04,840 --> 00:03:07,239 known as gar band area and then you get 76 00:03:07,239 --> 00:03:10,040 Standalone Standalone they actually 77 00:03:10,040 --> 00:03:14,599 utilize like um G uh earlier standards 78 00:03:14,599 --> 00:03:16,000 for the most part and it's usually 79 00:03:16,000 --> 00:03:19,200 focused to specific functions and 80 00:03:19,200 --> 00:03:22,560 services uh they often have two types of 81 00:03:22,560 --> 00:03:24,440 power controls in them discontinu 82 00:03:24,440 --> 00:03:26,280 reception obviously you don't want to 83 00:03:26,280 --> 00:03:28,159 consume power so if you're not 84 00:03:28,159 --> 00:03:31,080 transmitting anything 85 00:03:31,080 --> 00:03:33,760 you don't keep signaling reduce the 86 00:03:33,760 --> 
00:03:35,599 power consumption the other is power 87 00:03:35,599 --> 00:03:37,159 saving mode and you'll actually see it 88 00:03:37,159 --> 00:03:39,159 happen on this device this device will 89 00:03:39,159 --> 00:03:41,040 come up running it'll do a bunch of 90 00:03:41,040 --> 00:03:43,040 Transmissions it'll turn around and 91 00:03:43,040 --> 00:03:45,280 it'll power the module down and you'll 92 00:03:45,280 --> 00:03:47,760 see that and that's done to actually 93 00:03:47,760 --> 00:03:49,920 improve power consumption on these 94 00:03:49,920 --> 00:03:52,720 devices so uh there's two main ones when 95 00:03:52,720 --> 00:03:56,280 you get into nbiot nbit one and two and 96 00:03:56,280 --> 00:03:58,599 you can see the download Peak speeds 97 00:03:58,599 --> 00:04:01,640 very low we also notice they're half 98 00:04:01,640 --> 00:04:04,000 duplex again these are just passing 99 00:04:04,000 --> 00:04:05,360 Telemetry data so you're not going to 100 00:04:05,360 --> 00:04:08,799 move Voice or SMS messages or anything 101 00:04:08,799 --> 00:04:10,920 like that it's pure Telemetry data it's 102 00:04:10,920 --> 00:04:13,159 a quick measurement hey you know this 103 00:04:13,159 --> 00:04:14,760 thing has this much pressure and off it 104 00:04:14,760 --> 00:04:16,079 goes or it's going to be this little 105 00:04:16,079 --> 00:04:18,478 piece of data and off it goes it's 106 00:04:18,478 --> 00:04:21,560 basically Telemetry data moved on 107 00:04:21,560 --> 00:04:26,000 these and then we get into LT LTE M M1 108 00:04:26,000 --> 00:04:29,160 M2 uh or cat one M1 M2 whatever how you 109 00:04:29,160 --> 00:04:31,600 want to call it different names are used 110 00:04:31,600 --> 00:04:33,960 it's higher complexity May more features 111 00:04:33,960 --> 00:04:37,800 functions capabilities we also see lower 112 00:04:37,800 --> 00:04:39,800 latencies obviously in this case you're 113 00:04:39,800 --> 00:04:42,440 moving more data so you don't want or 114 
00:04:42,440 --> 00:04:45,000 more critical data in some cases there 115 00:04:45,000 --> 00:04:46,560 so you don't want to have the excessive 116 00:04:46,560 --> 00:04:49,720 latency associated with it it does only 117 00:04:49,720 --> 00:04:52,120 inband LTE Communications it doesn't do 118 00:04:52,120 --> 00:04:54,280 the other two weird things and then we 119 00:04:54,280 --> 00:04:56,280 get into Power you still had the same 120 00:04:56,280 --> 00:04:58,720 power consumption issues again these 121 00:04:58,720 --> 00:05:00,440 devices that are on this device I think 122 00:05:00,440 --> 00:05:04,639 it's an M2 uh communication type device 123 00:05:04,639 --> 00:05:06,759 so it actually does the same power 124 00:05:06,759 --> 00:05:08,320 things to keep the reduction because 125 00:05:08,320 --> 00:05:09,720 this device that we're actually looking 126 00:05:09,720 --> 00:05:13,080 at playing with is battery operated 127 00:05:13,080 --> 00:05:14,560 obviously I'm not running batteries on 128 00:05:14,560 --> 00:05:17,440 it because it'll take 12 volt input also 129 00:05:17,440 --> 00:05:18,880 but if you want to put it in the field 130 00:05:18,880 --> 00:05:21,280 it's going to be battery 131 00:05:21,280 --> 00:05:24,080 operated again main two standards on 132 00:05:24,080 --> 00:05:25,960 those and you see the different down 133 00:05:25,960 --> 00:05:28,759 Peak rates and Uplink rates much more 134 00:05:28,759 --> 00:05:31,000 data you you can actually make voice 135 00:05:31,000 --> 00:05:35,479 calls over these uh two devices so I've 136 00:05:35,479 --> 00:05:37,199 actually seen I've actually taken not 137 00:05:37,199 --> 00:05:39,240 this device but I've taken other 138 00:05:39,240 --> 00:05:42,199 devices uh that are iot devices that had 139 00:05:42,199 --> 00:05:44,000 one function and actually have made 140 00:05:44,000 --> 00:05:46,520 voice calls with them but hooking into 141 00:05:46,520 --> 00:05:48,000 it and connecting up and 
actually making 142 00:05:48,000 --> 00:05:50,039 voice calls with iot device to prove 143 00:05:50,039 --> 00:05:52,000 that it could be done having done that 144 00:05:52,000 --> 00:05:53,240 with this one we're going to do some 145 00:05:53,240 --> 00:05:55,400 other similar stuff so you can see how 146 00:05:55,400 --> 00:05:58,240 to control the device in an iot device 147 00:05:58,240 --> 00:06:00,880 to get it to do other things you may 148 00:06:00,880 --> 00:06:02,560 want it to 149 00:06:02,560 --> 00:06:05,639 do and again you look down here and uh 150 00:06:05,639 --> 00:06:08,039 as you can see the speeds full duplex it 151 00:06:08,039 --> 00:06:10,319 could do half or full duplex so he's 152 00:06:10,319 --> 00:06:12,160 signaling in both ways better 153 00:06:12,160 --> 00:06:13,919 performance 154 00:06:13,919 --> 00:06:16,840 for more bandwidth type data that you 155 00:06:16,840 --> 00:06:18,960 need to use camera you're moving images 156 00:06:18,960 --> 00:06:21,160 you're moving video things like that you 157 00:06:21,160 --> 00:06:23,919 have to be able to have that full duplex 158 00:06:23,919 --> 00:06:25,680 to be able to get commands into it to 159 00:06:25,680 --> 00:06:27,880 send data up all that type of 160 00:06:27,880 --> 00:06:30,440 stuff any questions 161 00:06:30,440 --> 00:06:32,280 so now you know everything there is to 162 00:06:32,280 --> 00:06:36,960 know about iot based cellular Tech also 163 00:06:36,960 --> 00:06:38,880 there's some new release 164 00:06:38,880 --> 00:06:41,240 versions so I spent some time looking at 165 00:06:41,240 --> 00:06:42,720 these going is there anything really 166 00:06:42,720 --> 00:06:44,440 seriously impactful that we need to 167 00:06:44,440 --> 00:06:47,000 address today not really so you get 168 00:06:47,000 --> 00:06:48,880 better efficiency in network operations 169 00:06:48,880 --> 00:06:50,960 they've improved in that uh Access 170 00:06:50,960 --> 00:06:54,680 Control small sales 
support basically 171 00:06:54,680 --> 00:06:57,840 small sale is a micro environment for 172 00:06:57,840 --> 00:07:00,160 cellular where you have a higher density 173 00:07:00,160 --> 00:07:03,319 of devices and be able to support higher 174 00:07:03,319 --> 00:07:06,039 densities within those areas uh let's 175 00:07:06,039 --> 00:07:07,560 say let's say you want to put in some 176 00:07:07,560 --> 00:07:10,000 kind of control systems within a large 177 00:07:10,000 --> 00:07:11,840 hotel where you actually have hundreds 178 00:07:11,840 --> 00:07:14,560 or several hundred devices you may want 179 00:07:14,560 --> 00:07:16,560 to set up a small cell type environment 180 00:07:16,560 --> 00:07:19,080 to be able to handle that density uh and 181 00:07:19,080 --> 00:07:21,400 bandwidth associated with again they 182 00:07:21,400 --> 00:07:23,160 actually made more power improvements I 183 00:07:23,160 --> 00:07:25,759 don't know what that means I just know 184 00:07:25,759 --> 00:07:27,599 without reading a lot of the standards 185 00:07:27,599 --> 00:07:30,080 and everyone knows reading standards is 186 00:07:30,080 --> 00:07:33,039 somewhat painful uh and of course 5G 187 00:07:33,039 --> 00:07:34,960 services and features were added into 188 00:07:34,960 --> 00:07:37,599 some of these uh releases I think in the 189 00:07:37,599 --> 00:07:40,560 later releases I think it came out in uh 190 00:07:40,560 --> 00:07:42,440 15 or 16 and then obviously more 191 00:07:42,440 --> 00:07:44,960 improvements that we moved to release 17 192 00:07:44,960 --> 00:07:48,000 of that so now we've covered all that so 193 00:07:48,000 --> 00:07:51,120 let's dig into the dirt now uh so let's 194 00:07:51,120 --> 00:07:52,319 look under the 195 00:07:52,319 --> 00:07:55,080 hood so when you start thinking about 196 00:07:55,080 --> 00:07:57,639 modules we've seen in devices these are 197 00:07:57,639 --> 00:07:59,639 the typical manufacturers quit tell 198 00:07:59,639 --> 
00:08:02,639 ublock Sierra whatever uh teite and 199 00:08:02,639 --> 00:08:05,680 Centon actually merged here last 200 00:08:05,680 --> 00:08:08,759 year I like the Centon devices and I 201 00:08:08,759 --> 00:08:11,560 I'll tell you why I like them often if 202 00:08:11,560 --> 00:08:13,560 you want to get a development kit for 203 00:08:13,560 --> 00:08:15,759 one of these devices for every one of 204 00:08:15,759 --> 00:08:17,080 their modules you have to have a 205 00:08:17,080 --> 00:08:20,280 development kit gets kind of expensive 206 00:08:20,280 --> 00:08:23,199 saton came out with one that had a 207 00:08:23,199 --> 00:08:25,759 socket you could buy two sockets for one 208 00:08:25,759 --> 00:08:28,240 development board cover every module 209 00:08:28,240 --> 00:08:30,000 produced 210 00:08:30,000 --> 00:08:31,840 big savings it costs a little more than 211 00:08:31,840 --> 00:08:34,719 most of the devices but again I can test 212 00:08:34,719 --> 00:08:37,799 and enact with all other devices using 213 00:08:37,799 --> 00:08:41,880 one $700 purchase versus you know a 300 214 00:08:41,880 --> 00:08:44,800 300 300 300 to get through their whole 215 00:08:44,800 --> 00:08:47,680 uh series of devices uh I was out at CES 216 00:08:47,680 --> 00:08:49,360 this year and I end up talking to 217 00:08:49,360 --> 00:08:52,120 quicktel and U blocks and I I actually 218 00:08:52,120 --> 00:08:54,399 spent most of the conversation scolding 219 00:08:54,399 --> 00:08:55,959 them on cheating me on development 220 00:08:55,959 --> 00:08:57,720 boards and why aren't they doing what 221 00:08:57,720 --> 00:09:00,120 canton's doing and they were they 222 00:09:00,120 --> 00:09:01,320 admitted man what they're doing is 223 00:09:01,320 --> 00:09:03,200 really cool we should do that so 224 00:09:03,200 --> 00:09:05,399 hopefully hopefully they took that back 225 00:09:05,399 --> 00:09:08,399 and do something with it uh if you look 226 00:09:08,399 --> 00:09:10,920 under the 
hood of these devices every 227 00:09:10,920 --> 00:09:14,040 one of them have uh Qualcomm chipsets 228 00:09:14,040 --> 00:09:16,320 that is the standard throughout is there 229 00:09:16,320 --> 00:09:19,040 any exceptions to that I have not found 230 00:09:19,040 --> 00:09:22,839 it yet uh but I have come across devices 231 00:09:22,839 --> 00:09:25,200 that had cellular capability that did 232 00:09:25,200 --> 00:09:27,279 not use modules they cooked their own 233 00:09:27,279 --> 00:09:29,200 solution actually on the main control 234 00:09:29,200 --> 00:09:31,680 board boards uh in those cases I saw 235 00:09:31,680 --> 00:09:34,600 qualcom and some other devices also used 236 00:09:34,600 --> 00:09:36,120 within those 237 00:09:36,120 --> 00:09:38,279 environments so uh let's go through a 238 00:09:38,279 --> 00:09:41,920 tear down often when I pick up a new 239 00:09:41,920 --> 00:09:43,959 module or a device has a certain module 240 00:09:43,959 --> 00:09:46,440 I want to dig in a little deeper go a 241 00:09:46,440 --> 00:09:49,279 little further how's this thing work uh 242 00:09:49,279 --> 00:09:50,920 I've actually been paid to do this in 243 00:09:50,920 --> 00:09:54,040 the past uh by certain vendors and what 244 00:09:54,040 --> 00:09:57,680 I do is we start taking it apart so in 245 00:09:57,680 --> 00:09:59,640 this case we've actually unpacked it and 246 00:09:59,640 --> 00:10:01,720 these devices are packed in Tights so 247 00:10:01,720 --> 00:10:03,320 you're looking at a fairly small device 248 00:10:03,320 --> 00:10:05,160 and you can see how small these devices 249 00:10:05,160 --> 00:10:08,120 are here uh and you can see how T packed 250 00:10:08,120 --> 00:10:10,760 the components are so literally I go out 251 00:10:10,760 --> 00:10:13,240 and buy the cellular modules first thing 252 00:10:13,240 --> 00:10:15,800 I do is I throw it in an 253 00:10:15,800 --> 00:10:19,240 oven I heat it up and then I scrape all 254 00:10:19,240 --> 
00:10:21,519 the components off of it I want the 255 00:10:21,519 --> 00:10:22,959 circuit board I want to know what's 256 00:10:22,959 --> 00:10:25,040 going on with that circuit board so when 257 00:10:25,040 --> 00:10:26,880 you think about these these devices 258 00:10:26,880 --> 00:10:28,040 they're just they're just another 259 00:10:28,040 --> 00:10:30,040 circuit board and then those are 260 00:10:30,040 --> 00:10:32,360 attached to the the the board within the 261 00:10:32,360 --> 00:10:35,480 iot technology and the connections under 262 00:10:35,480 --> 00:10:37,279 the underside of it instead of being 263 00:10:37,279 --> 00:10:38,720 like ball grid array they're known as 264 00:10:38,720 --> 00:10:41,839 LGA land grid arrays uh they're larger 265 00:10:41,839 --> 00:10:43,920 Square pads 266 00:10:43,920 --> 00:10:47,959 typically so if a vendor certain 267 00:10:47,959 --> 00:10:49,600 services or functions on this if a 268 00:10:49,600 --> 00:10:51,839 vendor puts a device on their box on in 269 00:10:51,839 --> 00:10:53,720 their device there's certain things I 270 00:10:53,720 --> 00:10:55,320 may want to look at and they're not 271 00:10:55,320 --> 00:10:57,519 always easily accessible so I always 272 00:10:57,519 --> 00:10:59,760 want to say hey can I attack these from 273 00:10:59,760 --> 00:11:03,560 the surface and dig into them so that is 274 00:11:03,560 --> 00:11:05,399 like a land grid array for this which I 275 00:11:05,399 --> 00:11:06,680 think it is the 276 00:11:06,680 --> 00:11:09,480 91 and we start looking at the layout up 277 00:11:09,480 --> 00:11:10,880 here after it was clean that's where the 278 00:11:10,880 --> 00:11:14,519 flash memory sets um and that is a BGA 279 00:11:14,519 --> 00:11:16,000 multi-chip package which we're going to 280 00:11:16,000 --> 00:11:18,200 get into a little deeper here and the 281 00:11:18,200 --> 00:11:20,600 other part is the actual CPU so I'm 282 00:11:20,600 --> 00:11:22,720 always curious can 
I get J tag on there 283 00:11:22,720 --> 00:11:24,240 it's not always easily available on 284 00:11:24,240 --> 00:11:27,600 these devices so what we do is uh take 285 00:11:27,600 --> 00:11:29,320 the chip apart if I can get a data she 286 00:11:29,320 --> 00:11:32,480 sheet I try to identify all the JTAG 287 00:11:32,480 --> 00:11:34,519 connections and then I trace it out on 288 00:11:34,519 --> 00:11:37,079 the circuit board so the best way to do 289 00:11:37,079 --> 00:11:38,959 that as if there's no components on the 290 00:11:38,959 --> 00:11:41,160 circuit board so that's why I strip it 291 00:11:41,160 --> 00:11:43,200 clean and those are messy I if you went 292 00:11:43,200 --> 00:11:45,480 into my lab and you walked out and 293 00:11:45,480 --> 00:11:47,040 actually look at the bottom of your feet 294 00:11:47,040 --> 00:11:49,000 you probably find all kinds of micro 295 00:11:49,000 --> 00:11:50,600 resistors and components stuck to your 296 00:11:50,600 --> 00:11:52,839 feet uh it it's kind of it's kind of 297 00:11:52,839 --> 00:11:54,920 insane I always tell my wife don't bring 298 00:11:54,920 --> 00:11:56,360 the dog in here because I don't want 299 00:11:56,360 --> 00:11:59,360 these components all over the house uh 300 00:11:59,360 --> 00:12:02,160 so it can get really messy but we can 301 00:12:02,160 --> 00:12:04,240 dig into it so the next thing I want to 302 00:12:04,240 --> 00:12:06,519 look at is memory chip we saw the memory 303 00:12:06,519 --> 00:12:09,000 chip was on there these memory chips 304 00:12:09,000 --> 00:12:09,920 even 305 00:12:09,920 --> 00:12:12,920 though the ball grid array structure on 306 00:12:12,920 --> 00:12:16,240 this 162 balls it's about a qu 307 00:12:16,240 --> 00:12:18,480 millimeter approximately each one of the 308 00:12:18,480 --> 00:12:21,480 pads uh this is an mCP which is very 309 00:12:21,480 --> 00:12:24,160 different than an e mCP these are 310 00:12:24,160 --> 00:12:26,480 multi-chip package meaning 
they came 311 00:12:26,480 --> 00:12:28,519 contain flash memory usually an an flash 312 00:12:28,519 --> 00:12:31,920 memory and RAM on the same chip 313 00:12:31,920 --> 00:12:34,320 body so when I first saw one of these 314 00:12:34,320 --> 00:12:36,000 things and I didn't have a data sheet my 315 00:12:36,000 --> 00:12:38,399 first thing is this just an em you know 316 00:12:38,399 --> 00:12:42,160 emcp which is an embedded controller 317 00:12:42,160 --> 00:12:43,680 those have an embedded controller on 318 00:12:43,680 --> 00:12:46,399 them so if you find an emcp there's 319 00:12:46,399 --> 00:12:47,920 readers that you can buy for like a 320 00:12:47,920 --> 00:12:50,120 hundred bucks you just drop the chip in 321 00:12:50,120 --> 00:12:52,040 plug it in plug it into your box to the 322 00:12:52,040 --> 00:12:54,160 USB it'll Mount up the entire file 323 00:12:54,160 --> 00:12:55,639 system for you automatically because it 324 00:12:55,639 --> 00:12:58,040 has a build-in controller you're not 325 00:12:58,040 --> 00:13:00,199 lucky with that here 326 00:13:00,199 --> 00:13:02,680 also if you want to take it any further 327 00:13:02,680 --> 00:13:04,639 chip sockets for these are horribly 328 00:13:04,639 --> 00:13:06,839 expensive when they first started using 329 00:13:06,839 --> 00:13:08,440 them on a larger scale a couple years 330 00:13:08,440 --> 00:13:11,320 ago to buy a chip socket for a flash 331 00:13:11,320 --> 00:13:14,639 memory reader was upward over $2,000 for 332 00:13:14,639 --> 00:13:15,519 a 333 00:13:15,519 --> 00:13:18,000 socket uh and that happened to be a 334 00:13:18,000 --> 00:13:20,240 socket based on the dimensional size of 335 00:13:20,240 --> 00:13:23,240 the chip not all chip dimensions are 336 00:13:23,240 --> 00:13:25,720 going to be the same some of them be 11 337 00:13:25,720 --> 00:13:29,160 by 11 by1 I've seen them 10 by 10 338 00:13:29,160 --> 00:13:32,360 they'll be uh uh 9 by 11 all different 339 00:13:32,360 --> 
00:13:34,560 measurements well the sockets have come 340 00:13:34,560 --> 00:13:37,320 down now they're only like6 or 341 00:13:37,320 --> 00:13:40,199 $700 uh unfortunately most of the 342 00:13:40,199 --> 00:13:42,120 reasonably priced chip 343 00:13:42,120 --> 00:13:46,519 readers can't read these okay they don't 344 00:13:46,519 --> 00:13:49,360 have this particular devices in it you 345 00:13:49,360 --> 00:13:51,399 can buy chip readers that do you're 346 00:13:51,399 --> 00:13:54,199 paying into the thousands three four 347 00:13:54,199 --> 00:13:56,440 five 6,000 for a high-end chip reader to 348 00:13:56,440 --> 00:13:57,839 be able to do that and then you're 349 00:13:57,839 --> 00:13:59,880 dropping another 350 00:13:59,880 --> 00:14:02,720 two to4 th000 for sockets to be able to 351 00:14:02,720 --> 00:14:06,920 read these well I'm cheap but I'm not 352 00:14:06,920 --> 00:14:11,320 lazy so what we do is we find out that 353 00:14:11,320 --> 00:14:14,920 the 162 ball grid array of these devices 354 00:14:14,920 --> 00:14:16,680 is identical doesn't matter who the 355 00:14:16,680 --> 00:14:18,440 manufacturer is so if you can get a pin 356 00:14:18,440 --> 00:14:20,880 out design for any one of these you can 357 00:14:20,880 --> 00:14:22,880 identify key components so if you look 358 00:14:22,880 --> 00:14:25,199 up the top where the the upper green or 359 00:14:25,199 --> 00:14:28,000 or turquoise looking one RS that's the 360 00:14:28,000 --> 00:14:30,720 flash memory location 361 00:14:30,720 --> 00:14:32,639 there's a paper that I put out or 362 00:14:32,639 --> 00:14:34,560 actually a Blog I put out where I detail 363 00:14:34,560 --> 00:14:38,480 the process here of actually deadbugging 364 00:14:38,480 --> 00:14:41,759 these so the way we dead buug these and 365 00:14:41,759 --> 00:14:42,759 make it 366 00:14:42,759 --> 00:14:46,240 easy well I think it's easy I think 367 00:14:46,240 --> 00:14:47,639 everyone should think it's easy so go 368 
00:14:47,639 --> 00:14:49,959 look at my block so what we do is we 369 00:14:49,959 --> 00:14:52,160 identify these map it out on the Chip 370 00:14:52,160 --> 00:14:54,360 And then I ball the thigh I actually add 371 00:14:54,360 --> 00:14:57,600 .25 mm balls or3 mm balls based on the 372 00:14:57,600 --> 00:14:59,959 size of the pad and I flow them onto 373 00:14:59,959 --> 00:15:02,639 there as a landing point and then what 374 00:15:02,639 --> 00:15:06,480 we do is we hand wire them up 375 00:15:06,480 --> 00:15:10,120 so so uh so if you looked at my badge 376 00:15:10,120 --> 00:15:11,800 soldering you 377 00:15:11,800 --> 00:15:15,839 go he's not capable of doing that I do 378 00:15:15,839 --> 00:15:17,399 that under a 379 00:15:17,399 --> 00:15:19,880 microscope when I was doing the when I 380 00:15:19,880 --> 00:15:22,480 was doing the uh B badge in the other 381 00:15:22,480 --> 00:15:25,639 room the lighting uh these typical type 382 00:15:25,639 --> 00:15:27,880 of lighting makes it nearly impossible 383 00:15:27,880 --> 00:15:29,600 to do good soldering and then you take 384 00:15:29,600 --> 00:15:32,360 into the fact I'm an old man um it 385 00:15:32,360 --> 00:15:34,959 deteriorates quite rapidly uh I still 386 00:15:34,959 --> 00:15:36,600 soldered it and I looked at it real 387 00:15:36,600 --> 00:15:38,000 close and it came out pretty good for 388 00:15:38,000 --> 00:15:40,839 somebody who couldn't see 389 00:15:40,839 --> 00:15:43,000 anything I usually want to patch this 390 00:15:43,000 --> 00:15:45,199 around so you can get a closer look at 391 00:15:45,199 --> 00:15:49,639 it thing is here so what we do with that 392 00:15:49,639 --> 00:15:53,560 then is I build basically a zip socket 393 00:15:53,560 --> 00:15:54,720 breakout 394 00:15:54,720 --> 00:15:57,279 board and I use these for dead bugging 395 00:15:57,279 --> 00:15:58,800 so I'm pass this around so you can see 396 00:15:58,800 --> 00:16:02,120 the the chip and the wires this was one 
397 00:16:02,120 --> 00:16:05,399 off the eg9100 398 00:16:29,160 --> 00:16:32,319 of chips don't create new chip silicon 399 00:16:32,319 --> 00:16:34,759 for everything underneath the Sun what 400 00:16:34,759 --> 00:16:36,319 they do is they just put it in a 401 00:16:36,319 --> 00:16:39,720 different package no different from this 402 00:16:39,720 --> 00:16:42,759 so then you have to figure out what of 403 00:16:42,759 --> 00:16:45,360 all the chips that they produced is most 404 00:16:45,360 --> 00:16:46,880 likely to be what's underneath the hood 405 00:16:46,880 --> 00:16:51,000 of this one and you do that with no data 406 00:16:51,000 --> 00:16:52,880 sheets because most of these don't have 407 00:16:52,880 --> 00:16:56,519 data sheets uh but it's fairly easy you 408 00:16:56,519 --> 00:16:59,120 can you have uh cell slicks on these 409 00:16:59,120 --> 00:17:01,319 things it tell you things like hey it's 410 00:17:01,319 --> 00:17:04,720 8bit so many bytes it's a uh you know 411 00:17:04,720 --> 00:17:07,119 it's a a different structure size and 412 00:17:07,119 --> 00:17:09,000 you get that information and you just 413 00:17:09,000 --> 00:17:11,039 search to that manufacturer's list of 414 00:17:11,039 --> 00:17:13,559 chips I typically like to look for ones 415 00:17:13,559 --> 00:17:17,039 that are t-a 48 or 48 pin chips that 416 00:17:17,039 --> 00:17:18,919 would potentially have that same silicon 417 00:17:18,919 --> 00:17:22,520 underneath them and then what I do is I 418 00:17:22,520 --> 00:17:26,039 wire this thing up like it's a t-t 48 419 00:17:26,039 --> 00:17:28,000 plug it into my socket and pick one of 420 00:17:28,000 --> 00:17:30,919 their things and this particular case uh 421 00:17:30,919 --> 00:17:33,600 when you read when you read this in a 422 00:17:33,600 --> 00:17:36,240 Flash Reader two things will happen 423 00:17:36,240 --> 00:17:38,520 either It'll recognize the chip ID 424 00:17:38,520 --> 00:17:40,000 because the first thing 
it does is it checks for the chip ID. If the chip ID matches, it'll read it out to you. Turned out this one actually matched the chip ID, so my first pick was right on the first time, and that's amazing considering these places produce hundreds of different types of flash memory chips. If it is wrong, and you know the data of this flash memory matches the data of what you're looking at, like the voltage and all that type of stuff, just tell the chip reader to ignore the actual chip ID and it'll still read all the data out of it clean. And I've done this with dozens of different chips many times. On these particular chips I haven't run into this, but I've run into certain weird BGA chips where I was able to do the same attack on those. Recently, about a year ago, one of the guys on the team goes, "I got this chip, I don't have a socket for it, I don't know what it is." They just drop it in an envelope and ship it to me. I get the chip, I analyze it, I do this type of attack to it, and it turned out I did find a data sheet of the pin-outs on the back side of it, enough for that information, and was able to match it up to a TSOP for the silicon. One thing kept throwing me: it wouldn't read, it wouldn't read, wouldn't read. So I went back to, not the data sheet, but the pin-out, the structure it showed, and it actually lists VCC1, VCC2, VDD1, VDD2. Turned out even though the voltages and the grounds were typically acceptable as common, they were not common inside the chip body. So that's where those jumpers are on that particular one; I just jumped it out on my chip reader to lie to it and added two new wires for each side of that to make that happen. So, interacting with hardware.

Audience: Yes, is that separate power and ground because it's a multi-chip package?

Speaker: No, no, no. The one I've seen it on wasn't multi-chip, it was purely a NAND flash. I just bring that up because it bit me in the ass on something else, and more than likely if you're doing this type of stuff you're going to come across that eventually. So it was different power, different power, different ground; they were split on the chip. I don't know why, absolutely no idea why, but it turned out as soon as I corrected that, the chip read instantly. In that case I did not have a match for the TSOP-style silicon, but I just totally ignored that and it dumped everything fine. And again, that paper, that blog I put out, goes through the whole process.

Audience: Is this the firmware for the whole device or just the cellular modem itself?

Speaker: Just the cellular modem. So today we're not actually going to look at anything on the device other than the cellular data, and look at that. The actual getting into the CPU and that flash memory, if you're doing an overall assessment of a device you're going to pull that too and look at it, but in this case I want to talk purely cellular: how does that impact these devices, what can you look at, how do you interact with it. So, extracted firmware; interacting with hardware, we're going to dig into this a little bit. So this is not this particular device, but I wanted to share
this kind of approach. This approach will work on any kind of hardware you're messing with, and the way it works is: so we have this device; they're multi-layer boards, but we have at least two layers that have visible components on them. How do we figure out and track things down? So what we do is we transpose. As you can see, we can transpose both sides onto each other, and from there we can identify relationships between one side of the board and the next side of the board to help us figure out where the possible communication lines are coming from the cellular module. And then we overlay a grid of the cellular module on top of that, because often, not always, often, if you're looking at something you go, hey, here's UART, you know, or hey, here's USB, where do you think that could come to the surface? It's probably not going to do it on this side, it's not going to do it on that side; more than likely it's going to do it on the side that that data's at. One of the things you think about, I don't even know if I have a picture, when you're looking at these devices, is that in every one of the cellular modules I've looked at, talking about IoT devices, the NB-IoT and the Cat-M1/M2, most of the important stuff is always going to be along the outer edge of the chip. And I want to talk about something, but we'll get through this right now. So we knew where the communication lines were potentially at, and so you can see, if we even go back further, we see on this side the wires I've attached to it. That's actually attached to the UART communication on this particular device. This device wasn't using USB for communication, it was doing it all with UART with this particular chip, but we wanted to map that out, so we get around to doing that. And we need to wire up to it, and if you saw my talk last year where we were talking about inter-chip analysis, inter-chip communication analysis on IoT devices, one of the things I like to do, especially when we're dealing with UART (can't do this with USB, but with UART), is we can actually cut the runs. So what I do is I cut all the runs between the main processor and the other communication devices it's communicating with, and then, let's come back here, then I bring it out to a breakout board, and the breakout board has an on/off switch; you'll see one later on in here from that device there. That gives me the ability, so if I want to inject data into the UART communication on a device: if it's fully in circuit you're not going to be able to do that, it's just going to ignore that. The way to do it is break the connections, you let the device come up to full operation, you throw the switches, you have your devices hooked to it, now I can inject data in and control components or send other communication through or to the device. So, circuit board communications, let's kind of break that down. So when we're dealing with cellular, the IoT cellular devices, now this may be different on higher-end devices, but on these devices you have two typical communications: you have USB, you
have UART. They almost always have two UARTs; I want to mention that one of them is a debug UART. So you can plug into the debug UART, it's mostly available, and you can watch the chip boot up. It has some kind of embedded operating system and you can actually see it boot up. The device I have on the board over there, an EG91, comes up with an actual logon prompt, so if you can get a password you can literally log onto the cellular module. When you get into USB inter-chip comms, there's three standard types of USB communications. There's what's known as high-speed inter-chip; you have eUSB. I've encountered eUSB on devices that may communicate USB from one board to another board, because obviously sometimes when you get into lower-power USB communications, length is an issue. eUSB gives you the ability to do that: you can go from a standard board USB to an actual real USB over a regular cable, back into inter-chip USB or high-speed inter-chip; it's usually called eUSB. I've seen this actually used on communications and solid state drives on certain embedded-type devices where the solid state drive was on another board or another system, and that was the first time I came across eUSB. And then you have standard, which is low speed, full speed and high speed. The super speeds, I have yet to see these on an IoT device; there's rarely a reason for it. Also, the one thing to think about: USB inter-chip could easily be a sub-standard, so high-speed inter-chip will be a sub-standard of 2.0. So when USB comes up, it basically queries out and says how many devices are out there, because you can have multiple devices on USB 2.0. We're looking at an embedded device; you will not have multiple devices on USB, so sometimes that functionality will not even be executed, because it already knows the identifier is one, because there's only one device on the bus.

Any questions? Is this all making sense? You know, I do live in a dark room, so I don't communicate with humans all the time. So let's get into USB communications. So the device I'm using is a Beagle. This is not cheap, it's about a $1,300 device. I'm looking for somebody producing an open-source one; the problem is if you go out and look at USB sniffers, they're all inline USB sniffers. That means data in, data out the back side of it. If you're doing inter-chip communication, which travels 3 cm, you can't stick a device in between; plus it's usually a lower power level, so you'll instantly drain the circuit down and it quits working altogether. This particular vendor, and I hunted for a while, this vendor claimed in one of their data sheets, or from a question from somebody else, that you could do this. So I'm like, okay, I'm willing to gamble $1,300 on that; it's my company's money anyway. So I bought one of these only like a month, about two months ago, and I finally got to look at it like three weeks ago. So about three weeks ago I was looking at this final phase of this, and in this particular case you see these devices, sorry, I'm going to get in here, so you see this hooked up right here. It turns out, for the USB sniffer
to work, it has to detect, basically it has to detect VBUS. So normally on USB cables you have ground, you have VBUS, 5 volts, and then you have D- and D+, which are the data lines. When you look on the chips, VBUS is never brought to the surface; it's underneath the chip, so you can't even tap into it most of the time, not easily. I may mention another method here in a little bit to potentially get access to it. So you just lie to the Beagle: I set up a 5-volt power supply; in this case I just used a 5-volt power supply, the little one you plug in, and I just hooked five volts to it, so it says yeah, there's a device there. Of course, it works pretty good. So, but to connect to it, you can't connect right to the USB lines, you'll instantly overwhelm it, so the vendor says you need to put a 20 to 40 ohm resistor in there. So the best way to do that was, let's just wire it onto the board. So I went ahead and I soldered in, so this is the bus here, and it had two resistors inline, which was interesting. So I'm looking at that, I'm like, hey, there's two resistors inline, I've seen that before. Those resistors measure at zero ohms, so I'm not sure what their purpose is in this particular case; maybe it was to just disconnect the circuit altogether at one time and they were just being used as jumpers. So I added two 33 ohm resistors in there and I wired the device up to it, hooked the device up to it, hooked it into my device. Now let's go ahead and do a demo so we can see this thing working. So this is a live demo, no chickens lost their life in this process, so I'm not sure if it's going to work, but we'll see.

Looks like I'm going to have to end the show. Okay, okay, what we got here? This will be small, but I'll blow it up as we start getting real data. So we're actually connected to it right now and you'll see some stuff take place. So this is the rig I have right here, and it happens to be one of these, it's a cellular field camera that we got hooked up, and let's see if I turn it on whether it'll come on. Oh yes, it did come on, so we're starting to see things happen here. Got to wait up; the USB is actually doing this game as it powers up and the CPU powers up and it starts communicating with the device, and boom, we're actually communicating with the device. So if we come over here and I select "filter only on data", now we get to communication data. So we can see there's a lot going on here. We can see it pass this data right here. So we can see it sending bill mode information, upgrade information, it's checking all this stuff out to the actual device. Now this device will actually connect out to Amazon S3 cloud. This may take a minute; it's set up to detect motion but it's kind of odd and slow at it. Hey, you know, it is a field camera, it isn't the smartest thing in the world, but we can see the data continue flowing, billing, and you see a lot of commands here, data being passed, different commands and status. Let me find one that's more interesting. Here we go, this is actually the modem validating connections to the actual
services out there. So we got that, and interesting; some of it's boring, but there's a lot of data in here and you get to see the entire functionality of this device communicating between the primary CPU. Let me see if we can find something else that makes sense. Okay, here we go, we can see this, this is actually, and you'll know this, this is the actual service, MCM i. us, like you would call Verizon, this is calling out to this service here. So there's a bunch of data in here, and we're going to get into some interesting things in a minute. Let's see if this thing, I'm hoping it'll actually take an image, but it never does it when I want it to, so we're going to move on with the presentation and then we're going to come back.

Audience: Yes, so I have several questions. Number one, what tool is that that you're using?

Speaker: This tool is the one put out by the, what's the name of the company, Total Phase. It's for their products; multiple products will actually work in this.

Audience: Does it see, like, handshakes right now, and can you save it up?

Speaker: Yes, so you can save all this data out in comma-delimited format for parsing later. You can also, I read a reference where one of the guys had, he didn't share it, but he wrote a script to convert this data into pcap structure and then import it into Wireshark, so it would be possible to do that and potentially pull the graphic images or the videos or things out of the actual communications, so you have that data. So we're going to talk about some attack vectors that I have not done, that are potentially there, as we kind of move on, but let me see if I can get the slide deck back up, if I can figure out where it's at, and we can slideshow, play from current slide, and we're going to let this run and kind of move on and come back to this. I'll be back over in a second doing something else. So the next thing I want to talk to you about is how do you control, as you've seen, you saw in that picture, how do you control a cellular modem? You control it with modem commands, AT commands. They're very customized, so they're not the old Hayes modem ones, at least not all of them; there may be some like that in there, and it varies based on the product and the vendor and stuff like that. You could do file services, you could do firewall and socket services on these, FTP services, MQTT, HTTP. We're actually going to take this field camera and we're actually going to download a web page with it here in a few minutes by passing commands.

Audience: Yes sir, is there a relationship between the AT commands and the, like, three-digit numeric commands that go with a star or pound sign that maybe can get various data out of your cell phone's controller?

Speaker: I'm not familiar with that, no, sorry, I haven't seen that whole list of commands. So I will be releasing, so I'm working on a paper right now where we document some of these processes and thought patterns and stuff like that, hopefully before DEF CON. At the same time I'm going to be releasing some Python scripts that you can use on these devices. So one of the things we found out, and like on this device, what we did was we took all the AT manuals that were available
online, I need to double check we got them all. We downloaded those and parsed all the AT commands out of those and put it in an automated Python script. So you can actually, if you want to know what the command structures are, you can read the manuals or go online and search, but if you want to know what's available you can actually make requests with basically this Python script to the device and it'll test every one of the commands and give you the command structure back. So you can ask what the structure of the command should be and it'll give you that data, and you can also run it to actually pull the data that's actually stored on the cellular modem off, and we've kind of automated all that to give you everything. And then we also created some weird fuzzing script, so basically you can go, you can type in the name of the command and it'll actually query the device, tell you what the command structure is. You can say, oh, that's four variables, you say I want to fuzz four variables, or I want to fuzz, and it'll go, which ones do you want to fuzz, and you go, I just want to fuzz one and three, and then it'll let you fill in everything with the data you want, and then you can feed a fuzz file into it to just start dumping data into a particular command structure. We haven't found anything interesting doing that, but we haven't really sent any real fuzz, any really workable fuzz data; it was just proof of concept, let's see if we can even do this. Usually I just overwhelm the modem and crash it, so you have to put timing in there and figure out what the timing is to make it work better. We're going to talk about some other stuff, so let's, so, UART injection. So to be able to do this, what we did was, as I mentioned before...

Audience: Yes, so about the fuzzing, what kind of fuzzing do you do? Do you just use more already existing messages?

Speaker: Yeah, it would be the command structure. This fuzzing here we're talking about is using the command structure that's available, the AT command structure that's available in the modem. Yeah, we can set it up to automate, so we've automated all that and say, hey, this particular variable or value for this command, we want you to feed all this data into it one after another and record the response back. So we record all the responses back and put it out into a file. Again, the data we were sending into it was not interesting fuzz data, it was just a test file with junk in it, just to make sure we get the process working. So, UART injection commands. So in this particular case we traced out the runs from the module, we went ahead and we cut the runs, cut the actual runs here, routed it out to a breakout board where we actually have the circuit turned off. The cool thing with this device: now when you encounter these devices there's two ways for it to take data or comms and commands. You'll never have them do them both; it's either USB or it's UART. The weird thing with this is, it's the first device I've seen that had USB but the UART was still connected even though it wasn't using it. So since the CPU really wasn't communicating anything, we just
break the circuit, but the modem would still respond back over the UART and tell us when it's ready, or any commands we send to it and all that stuff. By cutting the runs it gives us the ability to get in there. If by chance it isn't connected, which is common, if it's all USB the UART may not be connected, so getting commands in is more problematic. So how would you do that, if underneath the chip body those connections were not connected? Well, turns out, like I mentioned, all of those exist around the outer edge, and we found out through testing, and it'll be in the paper where I show this, on smaller devices, like we looked at a BG95 as an example, those land runs were closer to the edge and we were able to insert acupuncture needles underneath the chip body to gain access to those circuits that weren't available to us, and it worked. Now we tried it on the larger EG91s; it's more problematic because it was about 3 mm in before the land grid started, and the chip, the way it was, slightly bowed, so it was closed and we couldn't get to it. Now I did attempt a method of actually side drilling right where the two meet, but I couldn't get any kind of real precision with that, and all I did was just maim a bunch of boards and chips and wasn't successful. I wasn't about to try plugging stuff up to this because I did way too much damage to it, using a pin vise with drill bits that were really small, and no matter what, they still tore things up too much. I need a finer hole to be able to make this successful. Because we also tested taking the needles and actually coating them with solder mask and UV curing them so that they wouldn't short out, as an example too; total fail.

Audience: Yes sir, I wonder if a high-power laser might work to ablate away, a laser right in the right spot, blast.

Speaker: Yeah, so the big thing is you got a multi-layer board, so you got to be careful about hitting one of the layers in there, and then you have typically the ground planes sitting there, also on the main board, and you got to worry about that. Now for the ones where we were just able to enter the needle, we used Kapton tape, covered the board with Kapton tape and then slid the needle across that, and were able to put it in without shorting out the components. So let's go ahead and look at this. Oh, we're running out of time, this is getting close to finishing up, but I want to talk about some of the stuff.

Okay, let's end this show again. So we should be hooked up. Okay, so I'm hooked to the UART, so you've seen the thing go "ready", "power down". Power down is the power management system kicking in, powering it down on its own, but I can bring this back up. Oh, it's back up already, there it goes, starting back up. And I just wanted to run a couple commands to show that we're able to do that. Don't do that to me. Okay, so it's ready, so now we can just enter AT commands on this device. It comes back OK; we can actually send data there, we can get information about the band that it's connected to on the device. Let me see if I get this smaller, there we go. Let's come over
00:42:11,000 these commands get what's that is are 1019 00:42:11,000 --> 00:42:12,839 these commands going through the UR yes 1020 00:42:12,839 --> 00:42:14,760 they are these commands are going into 1021 00:42:14,760 --> 00:42:17,200 the art we're able to attach to the art 1022 00:42:17,200 --> 00:42:19,000 let me shrink this thing down because 1023 00:42:19,000 --> 00:42:21,599 I'm not typing these commands um what 1024 00:42:21,599 --> 00:42:23,640 speeds are typical for the 1025 00:42:23,640 --> 00:42:27,359 UR uh I you know I've seen I've seen 9 1026 00:42:27,359 --> 00:42:29,960 600 uh actually used remember a lot of 1027 00:42:29,960 --> 00:42:31,880 these devices that just use the uart 1028 00:42:31,880 --> 00:42:33,640 aren't moving massive amounts of data 1029 00:42:33,640 --> 00:42:35,160 it's just cimin data so they'll do it 1030 00:42:35,160 --> 00:42:37,240 low but almost always 1031 00:42:37,240 --> 00:42:39,920 115200 1032 00:42:39,920 --> 00:42:42,640 um and let's let's let's look at another 1033 00:42:42,640 --> 00:42:44,839 one 1034 00:42:44,839 --> 00:42:48,040 so another command see if it hasn't shut 1035 00:42:48,040 --> 00:42:50,280 down yet hasn't shut down that one gave 1036 00:42:50,280 --> 00:42:52,040 me an error because I copied a t in 1037 00:42:52,040 --> 00:42:53,200 there so 1038 00:42:53,200 --> 00:42:58,160 at plus uh c g d 1039 00:42:58,160 --> 00:43:01,960 c o n and this basically I don't know 1040 00:43:01,960 --> 00:43:03,400 why it's turning back in air on that one 1041 00:43:03,400 --> 00:43:05,520 that's kind of odd uh let's go ahead and 1042 00:43:05,520 --> 00:43:06,920 try it it's possibility something ain't 1043 00:43:06,920 --> 00:43:10,400 working on it but we'll check so um so 1044 00:43:10,400 --> 00:43:12,000 uh with that we can send all the AT 1045 00:43:12,000 --> 00:43:14,440 commands available this device had a 1046 00:43:14,440 --> 00:43:15,880 bunch of commands that weren't in the 1047 00:43:15,880 --> 
00:43:16,880 actual 1048 00:43:16,880 --> 00:43:19,880 manual um so what we're going to do is 1049 00:43:19,880 --> 00:43:21,119 uh let's see if this will work if we can 1050 00:43:21,119 --> 00:43:25,319 get it before it shuts down on us 1051 00:43:28,599 --> 00:43:32,200 so we're going to actually connect it 1052 00:43:34,200 --> 00:43:36,800 out we're actually going to point it to 1053 00:43:36,800 --> 00:43:39,040 a 1054 00:43:39,319 --> 00:43:42,520 website okay and 1055 00:43:42,520 --> 00:43:45,000 then now we can do this before it goes 1056 00:43:45,000 --> 00:43:47,240 to power 1057 00:43:47,240 --> 00:43:51,919 down U there we go HTTP 1058 00:43:54,400 --> 00:43:57,440 get there we go so we're actually able 1059 00:43:57,440 --> 00:43:58,770 to take this 1060 00:43:58,770 --> 00:44:02,160 [Applause] 1061 00:44:02,160 --> 00:44:05,480 device so we can do we can do FTP 1062 00:44:05,480 --> 00:44:09,319 connections with this um let's uh real 1063 00:44:09,319 --> 00:44:14,319 quick let's jump back over to the actual 1064 00:44:14,319 --> 00:44:18,880 um this device here 1065 00:44:19,000 --> 00:44:23,359 and asky data and I want to look 1066 00:44:23,359 --> 00:44:25,480 at 1067 00:44:25,480 --> 00:44:27,920 bucket I'm hoping actually move some 1068 00:44:27,920 --> 00:44:30,920 data yes it did so now we move some data 1069 00:44:30,920 --> 00:44:35,319 so now if we come down here look at this 1070 00:44:35,319 --> 00:44:37,040 is that one it is that it here we go 1071 00:44:37,040 --> 00:44:38,079 let's look at this one I'm not going to 1072 00:44:38,079 --> 00:44:39,720 look at all the data because that would 1073 00:44:39,720 --> 00:44:43,079 like give you all my freaking Keys um so 1074 00:44:43,079 --> 00:44:44,599 you can see we're actually connecting 1075 00:44:44,599 --> 00:44:47,599 out we have a client ID so now we know I 1076 00:44:47,599 --> 00:44:51,760 my client ID secret access 1077 00:44:53,160 --> 00:44:56,040 keys that we have there well 
let's uh 1078 00:44:56,040 --> 00:44:58,280 kind of go up to the other one one let's 1079 00:44:58,280 --> 00:44:59,800 see if this one will give it to me no 1080 00:44:59,800 --> 00:45:02,200 that won't one of 1081 00:45:02,200 --> 00:45:04,000 these well I don't want to give you all 1082 00:45:04,000 --> 00:45:06,480 my keys but as you can see we actually 1083 00:45:06,480 --> 00:45:08,200 connected out I thought this would show 1084 00:45:08,200 --> 00:45:09,800 me the 1085 00:45:09,800 --> 00:45:12,480 uh hold up a 1086 00:45:12,480 --> 00:45:16,400 second no let's come over here but it 1087 00:45:16,400 --> 00:45:18,880 should show U you can get more of my 1088 00:45:18,880 --> 00:45:21,800 keys you got it all yet so we can get 1089 00:45:21,800 --> 00:45:23,640 all the keys but it actually connects 1090 00:45:23,640 --> 00:45:27,680 out to the S3 bucket um and it 1091 00:45:27,680 --> 00:45:30,599 it's all the data so that gives us a lot 1092 00:45:30,599 --> 00:45:33,359 of information from a security 1093 00:45:33,359 --> 00:45:37,200 standpoint if we want to be able to test 1094 00:45:37,200 --> 00:45:38,960 uh actual 1095 00:45:38,960 --> 00:45:41,160 devices and we're going talk about that 1096 00:45:41,160 --> 00:45:42,800 before I get shut down here in 10 1097 00:45:42,800 --> 00:45:45,359 minutes play from current slide because 1098 00:45:45,359 --> 00:45:47,559 this so we have some things so we know 1099 00:45:47,559 --> 00:45:50,480 we can get this device to connect out uh 1100 00:45:50,480 --> 00:45:53,960 and do some stuff there but the truth is 1101 00:45:53,960 --> 00:45:55,520 and I haven't done this yet because I 1102 00:45:55,520 --> 00:45:57,760 haven't had time 1103 00:45:57,760 --> 00:45:59,200 one of the things in this particular 1104 00:45:59,200 --> 00:46:00,599 guys I could get to anywhere on the 1105 00:46:00,599 --> 00:46:03,440 internet okay often what we run into 1106 00:46:03,440 --> 00:46:04,960 with some of these devices or some 
of 1107 00:46:04,960 --> 00:46:06,839 these Services they actually have 1108 00:46:06,839 --> 00:46:09,599 private vlam connections on the cell 1109 00:46:09,599 --> 00:46:12,599 okay that means the backend data cloud 1110 00:46:12,599 --> 00:46:16,040 data or or private clouds are not 1111 00:46:16,040 --> 00:46:17,720 accessible from the Internet only from 1112 00:46:17,720 --> 00:46:20,119 these devices I've seen devices doing 1113 00:46:20,119 --> 00:46:22,520 that it's not uncommon that's this is 1114 00:46:22,520 --> 00:46:26,400 cheap Chinese stuff so they don't care 1115 00:46:26,400 --> 00:46:28,119 so what can can we do so from an 1116 00:46:28,119 --> 00:46:30,480 attacker perspective or a security 1117 00:46:30,480 --> 00:46:32,040 tester perspective because that's the 1118 00:46:32,040 --> 00:46:34,480 direction I come from if I'm testing a 1119 00:46:34,480 --> 00:46:36,680 product's overall 1120 00:46:36,680 --> 00:46:39,079 ecosystem how do I get to those backend 1121 00:46:39,079 --> 00:46:41,880 systems by doing what we did now we're 1122 00:46:41,880 --> 00:46:44,359 on that modem I can send commands to it 1123 00:46:44,359 --> 00:46:46,720 and potentially gain access into that 1124 00:46:46,720 --> 00:46:49,040 private VLAN through the device its 1125 00:46:49,040 --> 00:46:51,680 actual self and one of the things I 1126 00:46:51,680 --> 00:46:54,599 haven't tested yet completely is this 1127 00:46:54,599 --> 00:46:57,800 particular device also has this qio open 1128 00:46:57,800 --> 00:47:00,000 where I can set up 1129 00:47:00,000 --> 00:47:02,960 sockets so when I get back home I 1130 00:47:02,960 --> 00:47:04,720 already started the Python program for 1131 00:47:04,720 --> 00:47:06,640 this we're actually going to turn this 1132 00:47:06,640 --> 00:47:09,640 into a port scanner where we tack into 1133 00:47:09,640 --> 00:47:12,480 the uart and we can port scan the 1134 00:47:12,480 --> 00:47:13,960 backend virtual 1135 00:47:13,960 --> 
00:47:16,720 environment it'll be slow as hell trust 1136 00:47:16,720 --> 00:47:20,319 me but the goal is is if I'm being paid 1137 00:47:20,319 --> 00:47:22,760 to assess your security of your overall 1138 00:47:22,760 --> 00:47:25,480 products ecosystem I want to look at the 1139 00:47:25,480 --> 00:47:28,240 whole ecosystem and I want to make sure 1140 00:47:28,240 --> 00:47:29,720 certain things so what would I be 1141 00:47:29,720 --> 00:47:33,040 thinking about to look for one those 1142 00:47:33,040 --> 00:47:36,200 keys that were being set up to gain that 1143 00:47:36,200 --> 00:47:39,960 access are they unique or is the same 1144 00:47:39,960 --> 00:47:43,079 key and authentication into that service 1145 00:47:43,079 --> 00:47:45,680 identical across multiple products and 1146 00:47:45,680 --> 00:47:48,800 then the only identifier is you know the 1147 00:47:48,800 --> 00:47:52,760 individual device number or if the 1148 00:47:52,760 --> 00:47:54,480 device can connect out even with 1149 00:47:54,480 --> 00:47:56,960 different Keys how much that virtual 1150 00:47:56,960 --> 00:47:59,119 environment 1151 00:47:59,119 --> 00:48:02,000 shared you know because is it a real 1152 00:48:02,000 --> 00:48:04,640 private VLAN per device some 1153 00:48:04,640 --> 00:48:06,680 manufacturers do that I've seen I know a 1154 00:48:06,680 --> 00:48:08,000 couple of them that actually do that and 1155 00:48:08,000 --> 00:48:10,680 do it right but if they AR doing it 1156 00:48:10,680 --> 00:48:12,119 right and it's a shared back in 1157 00:48:12,119 --> 00:48:15,119 environment instantly it's a risk 1158 00:48:15,119 --> 00:48:17,440 because now I could purchase your device 1159 00:48:17,440 --> 00:48:20,000 use that as a tunnel and then this is 1160 00:48:20,000 --> 00:48:21,680 nothing but a cell 1161 00:48:21,680 --> 00:48:24,079 modem okay on a device there's nothing 1162 00:48:24,079 --> 00:48:25,880 saying I can't pull the SIM card off 1163 00:48:25,880 --> 
00:48:28,839 that pull the data we just seen go out 1164 00:48:28,839 --> 00:48:32,119 plug all that information basically into 1165 00:48:32,119 --> 00:48:37,160 a development board set up uh USB net 1166 00:48:37,160 --> 00:48:39,960 this device actually uses USB net to set 1167 00:48:39,960 --> 00:48:41,680 up a connection for the underlying 1168 00:48:41,680 --> 00:48:44,079 operating system to be able to pass data 1169 00:48:44,079 --> 00:48:45,880 it's just not none of it's encrypted so 1170 00:48:45,880 --> 00:48:48,200 we're able to see it all but it's 1171 00:48:48,200 --> 00:48:51,319 Network actual data um so you could 1172 00:48:51,319 --> 00:48:54,480 easily do that basically turn a 1173 00:48:54,480 --> 00:48:56,319 development board into a network 1174 00:48:56,319 --> 00:48:59,079 interface card using all this data and 1175 00:48:59,079 --> 00:49:02,359 then I have full access via the network 1176 00:49:02,359 --> 00:49:04,200 that is for devices that pass large 1177 00:49:04,200 --> 00:49:07,040 amounts of data and follow the USB net 1178 00:49:07,040 --> 00:49:09,359 setup function if they don't do that and 1179 00:49:09,359 --> 00:49:11,760 just move Telemetry data the attack 1180 00:49:11,760 --> 00:49:13,680 Vector becomes more complex smaller 1181 00:49:13,680 --> 00:49:16,280 devices may not have all these functions 1182 00:49:16,280 --> 00:49:17,839 but if there's any functions that you 1183 00:49:17,839 --> 00:49:21,319 can control to set up on that modem you 1184 00:49:21,319 --> 00:49:23,480 can turn that into a port scanner the 1185 00:49:23,480 --> 00:49:26,520 FTP can be turned into a port scanner 1186 00:49:26,520 --> 00:49:28,040 cuz because all we want to know is go 1187 00:49:28,040 --> 00:49:30,760 hey am I getting a live connection 1188 00:49:30,760 --> 00:49:32,319 doesn't matter if it gives me any useful 1189 00:49:32,319 --> 00:49:34,480 data if it times out and gives me no 1190 00:49:34,480 --> 00:49:36,599 connection we know 
there's nothing there 1191 00:49:36,599 --> 00:49:39,599 so it's all based on back error messages 1192 00:49:39,599 --> 00:49:42,160 and timeouts I can literally port scan 1193 00:49:42,160 --> 00:49:44,799 an entire environment doing this no 1194 00:49:44,799 --> 00:49:46,720 matter what features are available if 1195 00:49:46,720 --> 00:49:48,559 there any communication features that I 1196 00:49:48,559 --> 00:49:49,920 can 1197 00:49:49,920 --> 00:49:54,119 control so here's some references um the 1198 00:49:54,119 --> 00:49:56,040 paper on intership Communications I 1199 00:49:56,040 --> 00:49:57,240 released last 1200 00:49:57,240 --> 00:49:58,920 couple years ago I spoke here last year 1201 00:49:58,920 --> 00:50:01,440 on that check out the paper I think it's 1202 00:50:01,440 --> 00:50:03,839 a great write up on how that all works 1203 00:50:03,839 --> 00:50:06,200 and we were released a proof of concept 1204 00:50:06,200 --> 00:50:08,559 called a care and proxy which basically 1205 00:50:08,559 --> 00:50:10,960 gives us the ability to cut art 1206 00:50:10,960 --> 00:50:12,720 connections route them out to a breakout 1207 00:50:12,720 --> 00:50:15,760 board and turn and set a proxy on top of 1208 00:50:15,760 --> 00:50:18,440 it we can control all the flow capture 1209 00:50:18,440 --> 00:50:21,480 data replay it and inject your own data 1210 00:50:21,480 --> 00:50:24,000 automatically or actually replay data 1211 00:50:24,000 --> 00:50:25,920 and have it say you see this bit 1212 00:50:25,920 --> 00:50:28,200 sequence replace it with this be bit 1213 00:50:28,200 --> 00:50:30,400 sequence um and again it's still a proof 1214 00:50:30,400 --> 00:50:32,720 of concept so any questions because 1215 00:50:32,720 --> 00:50:36,119 we're kind of like at the 1216 00:50:36,119 --> 00:50:39,480 end yes have you looked 1217 00:50:39,480 --> 00:50:41,280 Ates 1218 00:50:41,280 --> 00:50:45,200 usell this no I have not you know anyone 1219 00:50:45,200 --> 00:50:47,400 
will give me 1220 00:50:47,400 --> 00:50:50,359 some in five years I will give you one 1221 00:50:50,359 --> 00:50:54,400 okay okay yes sir so maybe I didn't 1222 00:50:54,400 --> 00:50:56,960 catch it so apologies in advance if and 1223 00:50:56,960 --> 00:50:59,920 I'm asking again I saw your board and 1224 00:50:59,920 --> 00:51:03,359 how you have very tiny wires and how you 1225 00:51:03,359 --> 00:51:05,799 did the soldering with Precision under 1226 00:51:05,799 --> 00:51:09,079 microscope uh how fin tip did the 1227 00:51:09,079 --> 00:51:12,040 soldering iron have to be to be able to 1228 00:51:12,040 --> 00:51:15,559 work at such a small scale mine's 0. 2 1229 00:51:15,559 --> 00:51:18,240 millimeters 2 millime 2 millimeters I 1230 00:51:18,240 --> 00:51:21,440 have a I have a my rig's like $1200 rig 1231 00:51:21,440 --> 00:51:23,280 so it has a micro iron for doing that 1232 00:51:23,280 --> 00:51:25,440 stuff the the Saving Grace I've done it 1233 00:51:25,440 --> 00:51:28,480 with a hackos it'll work the balls that 1234 00:51:28,480 --> 00:51:31,559 I put on there is the winning part so 1235 00:51:31,559 --> 00:51:34,040 what I do is I take the wires I put 1236 00:51:34,040 --> 00:51:35,880 solder on it and I run the wire in those 1237 00:51:35,880 --> 00:51:37,520 wires are covered with lacquer I burn 1238 00:51:37,520 --> 00:51:39,760 the lacquer off and Tin them then I clip 1239 00:51:39,760 --> 00:51:41,480 it under a microscope so I'm left with 1240 00:51:41,480 --> 00:51:44,400 just like a0 mill1 millimet on there and 1241 00:51:44,400 --> 00:51:47,040 I stick it against the ball and then 1242 00:51:47,040 --> 00:51:48,640 just tap it with an iron and it 1243 00:51:48,640 --> 00:51:50,839 instantly sets up and then I hold it in 1244 00:51:50,839 --> 00:51:54,240 place with uh E6000 flexible glue plb 1245 00:51:54,240 --> 00:51:55,839 the soer on the wire and then you kind 1246 00:51:55,839 --> 00:51:58,440 of he up the you don't have to do that 
I 1247 00:51:58,440 --> 00:52:01,160 do that just to avoid some issues 1248 00:52:01,160 --> 00:52:03,200 because I want to make it quick so when 1249 00:52:03,200 --> 00:52:04,480 you're when you're working you've seen 1250 00:52:04,480 --> 00:52:05,440 the chip when you're working with 1251 00:52:05,440 --> 00:52:07,559 something that small and you hold an 1252 00:52:07,559 --> 00:52:10,200 iron on there for more than a couple 1253 00:52:10,200 --> 00:52:12,280 milliseconds who knows what damage and 1254 00:52:12,280 --> 00:52:13,520 if you want to get good at it I always 1255 00:52:13,520 --> 00:52:15,760 tell people do what I do drink like 1256 00:52:15,760 --> 00:52:18,000 three or four big things of coffee 1257 00:52:18,000 --> 00:52:20,240 before you start and when you learn to 1258 00:52:20,240 --> 00:52:23,319 control your hands in that condition you 1259 00:52:23,319 --> 00:52:26,680 got it mastered 1260 00:52:27,040 --> 00:52:29,359 well I'm almost out of time uh also I 1261 00:52:29,359 --> 00:52:32,319 want to point out what we demoed today 1262 00:52:32,319 --> 00:52:34,720 is not a disc against this product 1263 00:52:34,720 --> 00:52:36,400 manufacturer now I haven't put the 1264 00:52:36,400 --> 00:52:37,880 product out there told you what the 1265 00:52:37,880 --> 00:52:40,040 product is but they have really I have 1266 00:52:40,040 --> 00:52:41,520 not looked at them from a security 1267 00:52:41,520 --> 00:52:43,240 standpoint nor tested their product from 1268 00:52:43,240 --> 00:52:45,680 the security standpoint this is p purely 1269 00:52:45,680 --> 00:52:47,599 a functional demonstration of how 1270 00:52:47,599 --> 00:52:49,680 technology works and how you can 1271 00:52:49,680 --> 00:52:51,640 leverage the normal functionality of 1272 00:52:51,640 --> 00:52:54,160 technology for a potential method for 1273 00:52:54,160 --> 00:52:57,599 attacks or security testing so uh don't 1274 00:52:57,599 --> 00:52:58,599 go out there and say oh these 
1275 00:52:58,599 --> 00:53:01,280 manufacturers are doing it wrong you 1276 00:53:01,280 --> 00:53:02,880 know most of them are not they're doing 1277 00:53:02,880 --> 00:53:05,599 it based on how the technology works and 1278 00:53:05,599 --> 00:53:09,160 us as hackers what's our job to take 1279 00:53:09,160 --> 00:53:12,440 that technology and use it to our 1280 00:53:12,440 --> 00:53:14,480 advantage so thank you very much I 1281 00:53:14,480 --> 00:53:17,480 appreciate