[Music]

[00:16] Hello all, welcome. I'm here to talk about ankle monitors, and just at the start of the talk I would like to say that I'm keeping this limited to ankle monitors used in other countries, because I sort of want to keep some friends here. Like, I might not want to go to a country where I've just hacked all their stuff, and you know, that might be a thing.

[00:44] So, first, introduction. I'm not a security researcher, I'm just a developer at a bank, at Rabobank. Nice place to work at. But yeah, I sort of stumbled into this by accident. I wouldn't exactly call it an accident, but basically my partner at the time really wanted to know where I was at the time, and I kept sending these WhatsApp GPS links, and you know, you can track someone for like eight hours and they know what you're doing. So eventually I got around to watching talks from DEF CON about ankle monitors, and there was this guy who hacked the ankle monitor, and I was like, maybe I can do this but better. So maybe I can actually make these things usable. And it turned out I was able to order one and I was able to make them useful, and a few years later I got the opportunity to apply for a talk here, and I did, so yeah, here I am.

[01:54] You can see on the screen the URL of my website. You can actually download the software you can use these trackers with. I'm not saying it's perfectly secure or the best code; it's a hobby project, so if there are any bugs in it, let me know.

[02:20] In this presentation I'll just be, you know, beginning with how it all started, basically looking at a CVE about GPS trackers, examining the different devices and the different protocols they use, and then maybe later on the security implications of all that stuff. But before I get started, let's get this thing off.

[02:59] So that should work. So it does actually give an alarm. I'm not sure how long this is going to last, but... So as you can see, these ankle monitors really do work for monitoring people and seeing generally where they are.

[03:24] So how this all got started: AliExpress. You can actually buy ankle monitors from the internet. [Laughter] That should work. So you can actually buy ankle monitors. This is not a very advanced model; it also doesn't have a great battery life. It's just generally not the best technological option if you want to monitor something, but it does work, and they're freely available. So these are just a great way to get started; this is just something that's available to the public. In this talk I won't be focusing on this one, mainly because technologically it's not that great, and the one I was just wearing is a lot more effective and a lot more interesting, because it's actually used, not just by private individuals.

[04:28] So yeah, but this is how it all got started, and this is how it's going. So this is a box of ankle monitors. I have a few with me in the speaker stand, so that's kind of how it goes. I have another one here. This one is actually the one I'm most proud of talking out of a company, because it has a metal cuff on it, and maybe some of you know that China had some issues with some complaints about how humanitarian their prisons were, and it became very difficult to, like, social engineer anything out of China for a while, especially metal restraints, for a reason. So it took quite some effort to get this sort of beta model of ankle monitor out of that company, but it worked. So I'm most proud of this one.

[05:27] So we have a CVE, and I'm sure you can all sort of laugh at this. This is for car GPS trackers, and the thing is, most of the companies that produce the chipsets for these things also make car GPS trackers. There's a giant overlap between the chipsets of an ankle monitor and what's used in a car tracker. So this CVE might sort of apply to these devices, but there's way more than just that going on. Way more, because this is also for ankle monitors, also for car trackers, and as you can see, you know, it's fairly easy to access their logging; you just have to type in the URL. These slides are available and the data is also freely available, apparently, so yeah.

[06:26] So how did I get this information, or how did I get this tracker? Well, just ask. Just talk to the company. Here's a conversation I'm having with a person from, I think this is my rope, where they produce the watch-type trackers. They're actually more modern, I would say, and more convenient. So here I'm explaining I have my own platform for using GPS trackers on, and they're way impressed with how I'm able to communicate with those things, and you know, easily impressed. It's nice to be able to talk to a company like that and just get the information from them. You can see here where they're sending a manual. This actually includes commands to set up a device to a server, so you might, yeah, you might be able to see how that can be abused to set a lot of those devices up against different servers. And that's exactly what I did with this one: I just proxied it via my own server, watched the data, looked at, like, how does it work, how does it communicate with their server, because I just proxied it, and I basically copied all the information and wrote a protocol driver for it.

[08:00] So yeah, and the trick with Chinese companies is basically you pretend to be a big company. You know, you're doing research, trying to find out which device is best to use, and there are different manufacturers, so you just kind of start a conversation, talk to them, ask if you can order samples, that kind of stuff, and yeah, you end up with a tracker. Sometimes it's way more difficult, in this case, and you have to kind of say, okay, we're worried about the longevity of it, you know, like the metal strap might be sturdier, that kind of stuff. So you're going to have to play innocent a bit. But yeah, that should work, and you should be able to acquire some of these. And it's actually cheaper to buy them off of Alibaba than it is to buy them off of AliExpress. So if you buy them directly off of the company, or you social engineer them, you're probably paying like half or a third of the price on AliExpress. So you know, it's worth trying if you want a whole bunch of GPS trackers.

[09:08] The first thing I showed was this one. This is actually a Jimi GPS tracker; it's an AM01. They're actually based on a chipset that's used in cars. If some of you maybe saw Amm0nRa's DEF CON talk, where he also talks about one that's based on car chipsets, this is a common theme: the people who produce GPS trackers produce GPS trackers for all sorts of things, including people. So this thing is decent as far as usability goes. It has fairly good battery life, like three to four days if you configure it right. I would say the waterproofing on it is rather poor, so I would not want to, like, use this day to day. The one I threw over there has much better waterproofing, which is going to be useful if you want to take showers frequently. But yeah, this is basically the brochure for this thing. You can see that it's meant for offender tracking; it's also actually used for that. It also has an attachment point where you can basically attach someone to a wall with it, with the metal version. So that's probably why it took a bit to social engineer this out of them.

[10:32] So your Jimi trackers, they get you weird friends. Like, when you post all the GPS trackers, right, people might be interested. And so when I wrote the server for these things I got contacted by this guy. So essentially I ended up turning, or letting, this guy use my server to monitor people, and he's using it for entirely different purposes than they were supposed to be used for. But I'm definitely not sorry for doing this to that company, and this guy ended up becoming a good friend, so you know, it's worth it. He's also the best beta tester you will ever have. Like, if I imagine running around town with basically a police siren going off on your leg, like, that's dedication.

[11:36] So here's the video they made themselves on the actual assembly of this device. So here you can see exactly how it's opened, and it has a few screws on the inside, so fairly hard to reach, I would say. It's a fairly standard device. On the top here you see the GPS antenna; there's a light sensor somewhere around here; I think there's a button switch somewhere for if you remove the PCB. What they're first going to do is disconnect the speaker, just so they can get the case off. Most versions, the newer versions, actually have a Bluetooth antenna on the outside of the case, so you can also do Bluetooth indoor location. So that's a nice thing to have with the fancier trackers; some even have RF tracking, not this brand or model, but yeah. So there's tamper detection here; there's basically a switch that goes off if you remove the PCB. There's actually a light sensor in this part, so if you open the case, it'll go off. And if you can see here, there are the attachment points for the strap, and these attachment points actually have wires going to them, so there's an inductive sensor. So it's not that there's constant current running through it, but it does detect if you take it off. I would say with this model it's too sensitive, so you get a few false positives. With that other model that's also not an issue, but there are false positives in this case. They do not happen too frequently, but they do happen. They do tend to happen with regular law enforcement models as well, I've heard. So...

[14:03] Here you can see them, I removed the battery connector, simple name, and the antenna to the GPS. This is all fairly sensitive hardware. Like, if you were to, you know, cut into it in the right place, you could probably mess with it, but you might trip the light sensor, so you've got to avoid tripping that. There are ways to do that. And most of the actual chips are on the back side, so what they're going to show you now is how to insert this in, but then you can also see the chips responsible for the GSM, the communications, everything. So that's basically the Jimi ankle monitor, and it's nice that they showed you an overview of the hardware, even the board information, everything.

[15:06] So these are fairly simple, and what you would see with, like, the ones used in the Netherlands, like the ones used by actual cops, is you would see a fiber optic strap instead of the metal one. I would say that the fiber optics both have fewer false positives, and there's a, you know, security aspect to it, where fiber optics are just generally harder to spoof. I'm not saying it's impossible; I'm saying it's more difficult to do.

[15:46] So we have the tracker protocol, and this is just taken from car trackers. So there is actually software, Traccar, which is used for GPS tracking cars, and they have an implementation of this protocol. It's a more complete implementation, but there are a few features surrounding this device and specific error cases that are not implemented there and that I have implemented. If you see the software on my website, all the manuals to this one are included; all the protocol documents are included. When I'm going to show you the protocol documents they might show you "confidential" on the slide; just forget about that for a while, you know, like, I don't think it's very confidential anymore. So that's basically what they do: they're car tracker manufacturers and they switched into producing GPS trackers, and there are a lot of companies like that.

[16:51] And there are a few interesting commands in the command manual there. I'm just hoping it'll show correctly. That's my bill. Yep, there we have it. So if you see the command list, you can actually query... These commands can all be sent by SMS command to this device, so if you have the cell phone number, you can already compromise it. And, is anyone here familiar with IMSI catchers? Yeah, so you guys know how to compromise these really quickly. [Laughter] So that's a thing, and these are also just 2G, so they're generally very easy to compromise. Like, it's a plain-text, plain-text protocol, sort of, over 2G. So, I sort of see you smiling. This might not be the most secure option for a people tracker.

[18:08] So you can query which server it's talking to, you can set which server it's talking to, so you can just configure your own server. This makes sending commands a lot easier, because you can send them via the server; you don't have to pay for each message. But you could also do a factory reset from the SMS commands. So if this thing is talking to someone's server or it has a password, you can just send it the SMS to do a factory reset, then yeah, security leaves something to be desired, I would say. This also goes for the car trackers this manufacturer makes, by the way. So if you contact one of those car trackers and you send a factory reset command, it will do a factory reset, and you can actually configure them to talk to your own server then. Yeah, you might see issues in that with car trackers. Some of their car trackers can actually cut off the fuel to a vehicle while it's moving. So people trackers: not much fun if they're talking to someone else's server and they're malicious. Car trackers: also not much fun in that way.

[19:23] So that's basically the protocol of these things, or the command manual. If you look at the protocol document, I'm pretty sure this says confidential. Yep. So it has a complete protocol documentation with the login packets, everything. A login packet is sort of a weird way to name it, because it just sends the IMEI number as identification, and this is a theme with all these trackers, including the car trackers: they use the IMEI number as the identification for this device. Can anyone see a problem with this? Yeah, exactly. You can look at it fairly easily, and if you have, like, an IMSI catcher, you already have the IMEI number, especially if it's a 2G device, where everyone can sort of look at the communications. So with the IMEI number you can actually contact the server and you can pretend to be sort of this device. So, I'm not saying that's a smart thing to do, but that's how it works. So the full protocol documentation, whatever, it's also on the website; it's included in the archive with the software, so you can design your own if you feel like it.

[20:54] So there are also Megastek trackers, and if you look at this one, this is an M2 200X, and they're actually used. This is a site from Brazil tracking the world, and the beam is slightly over the slide, but you can sort of guess that this is from advertising for these trackers. So this is where they're actually selling these to customers. These have sort of the same vulnerabilities, the same sort of technology, with one exception: the one on the top left, this one actually has a fiber optic strap. So if you guys want to experiment with how to break a fiber optic strap without tripping a device, you might want to order this one. And yeah, these ones just have a metal strap, better waterproofing, and a lot of nice features. They're just generally pretty decent trackers. They also manufacture patient trackers, so you see the wristband there; it can actually monitor SpO2, it monitors your location, it monitors your heart rate, everything. These are sold to hospitals and psychiatric clinics and they're used sort of all over the world. So yeah, these all sort of are based on the same car tracking chipsets, and Megastek is a more widely used brand, so you will see this used for tracking people for corrections in smaller countries, not in the West. You will see this used basically all over the world. I think you see the patient trackers within Europe, though, but the ankle monitors you will not see over here.

[22:49] So here we have an example of what SCRAM's now doing. This is from January 2022. They're claiming this is a very new, fancy idea; they have a watch like that. But if you saw the previous slide, that's an old, old patient monitor. It's a 2G chipset; it's probably a decade old by now. So SCRAM is not that fancy or unique in this market, basically.

[23:21] So what I want you to notice about the protocol with Megastek: so it has sort of the same features. You send the SMS command to the device to set it up and it talks to your server, and it maintains a heartbeat with the server, so if it disconnects, they know, and they can call you and, you know, figure out where you are, if you're still compliant, that kind of stuff. They also have a factory reset command somewhere in here in the instructions list. You can actually retrieve the location from this device with SMS commands. This one you can actually password protect, I think. So if you password protect it, SMS commands aren't going to work unless you have the password, which is a nice feature to have, but then you can just factory reset it, and it still uses the IMEI number as identification, so it still has the same sort of issues and the same sort of problems you would have with this one, except you have much less in the way of false positives. These are much more widely used, and just generally better testing, better waterproofing, better everything. As far as tracking goes, even better accuracy. Like, you can, you know, run around a building with thick concrete walls and these will pick up your GPS signal. So that's pretty nice to have. These also have Wi-Fi support, so they will collect all the Wi-Fi access points around you and send them to the server, which is very useful if you want to locate a person by that, but you can definitely have a great war driving
00:25:14,720 --> 00:25:16,960 device with this you know if you 614 00:25:16,960 --> 00:25:18,880 tag a bunch of people and have them run 615 00:25:18,880 --> 00:25:21,200 around 616 00:25:24,960 --> 00:25:25,760 so 617 00:25:25,760 --> 00:25:27,760 now back to 618 00:25:27,760 --> 00:25:29,520 not to another brand 619 00:25:29,520 --> 00:25:30,640 think race 620 00:25:30,640 --> 00:25:34,480 and think race is a brand 621 00:25:34,480 --> 00:25:36,960 which this talk actually got its title 622 00:25:36,960 --> 00:25:37,840 from 623 00:25:37,840 --> 00:25:40,840 this person actually lives in the arab 624 00:25:40,840 --> 00:25:44,399 emirates and 625 00:25:45,120 --> 00:25:47,760 she doesn't really strike me as the sort 626 00:25:47,760 --> 00:25:50,159 of person who would live in the emirates 627 00:25:50,159 --> 00:25:52,559 work in the emirates for a tech company 628 00:25:52,559 --> 00:25:55,360 and then contact someone who 629 00:25:55,360 --> 00:25:59,520 talks on gps trackers you know like 630 00:25:59,520 --> 00:26:01,360 sorta seems odd 631 00:26:01,360 --> 00:26:03,440 and 632 00:26:03,440 --> 00:26:06,159 she works for a government connected 633 00:26:06,159 --> 00:26:08,880 company so 634 00:26:08,880 --> 00:26:10,480 yeah that's 635 00:26:10,480 --> 00:26:12,640 sort of stalkerish i guess if they start 636 00:26:12,640 --> 00:26:15,679 adding you or like did 637 00:26:16,159 --> 00:26:17,919 so you can all look this person up if 638 00:26:17,919 --> 00:26:21,120 you feel like it yeah 639 00:26:21,120 --> 00:26:25,279 so this is their uh advertising 640 00:26:25,279 --> 00:26:27,679 and basically what you can see is how 641 00:26:27,679 --> 00:26:29,120 they 642 00:26:29,120 --> 00:26:31,679 track immigration in the united arab 643 00:26:31,679 --> 00:26:32,799 emirates 644 00:26:32,799 --> 00:26:35,279 fire these watch type trackers they also 645 00:26:35,279 --> 00:26:37,200 make ankle monitor versions i have some 646 00:26:37,200 --> 00:26:39,840 with 
me at the speaker desk 647 00:26:39,840 --> 00:26:42,000 those are also used in emirates 648 00:26:42,000 --> 00:26:44,080 and 649 00:26:44,080 --> 00:26:45,120 yeah 650 00:26:45,120 --> 00:26:47,200 basically this is what a watch like that 651 00:26:47,200 --> 00:26:48,880 looks like 652 00:26:48,880 --> 00:26:50,880 and they're used for covet monitoring 653 00:26:50,880 --> 00:26:53,840 they're used for immigration tracking 654 00:26:53,840 --> 00:26:57,678 here's how their platform works 655 00:26:58,799 --> 00:27:00,559 so here you can see all the happy 656 00:27:00,559 --> 00:27:03,440 customers with a new uh 657 00:27:03,440 --> 00:27:07,840 we want to track you watch you know 658 00:27:10,159 --> 00:27:12,480 this is sort of them explaining their 659 00:27:12,480 --> 00:27:15,120 immigration procedure and 660 00:27:15,120 --> 00:27:17,120 how it works 661 00:27:17,120 --> 00:27:19,120 you also see they used to email 662 00:27:19,120 --> 00:27:20,799 identification 663 00:27:20,799 --> 00:27:21,919 it's a 664 00:27:21,919 --> 00:27:25,039 strong trend in this 665 00:27:29,440 --> 00:27:31,600 i just really like how they made this ad 666 00:27:31,600 --> 00:27:33,520 and explained every procedure in the 667 00:27:33,520 --> 00:27:36,320 entire device 668 00:27:39,200 --> 00:27:41,679 somehow opsec just doesn't register with 669 00:27:41,679 --> 00:27:45,000 them i think 670 00:27:48,159 --> 00:27:50,640 these devices actually work and they do 671 00:27:50,640 --> 00:27:53,840 work as advertised and 672 00:27:57,279 --> 00:27:59,760 yeah you can set two offenses with them 673 00:27:59,760 --> 00:28:01,679 and the geofences are actually on the 674 00:28:01,679 --> 00:28:03,440 server not on the device so that's 675 00:28:03,440 --> 00:28:06,640 something to keep in mind 676 00:28:11,200 --> 00:28:12,960 so for immigration scope with 677 00:28:12,960 --> 00:28:14,559 quarantines whatever they want to keep 678 00:28:14,559 --> 00:28:16,399 here in your hotel 679 
00:28:16,399 --> 00:28:18,559 so they set a geofence around the hotel 680 00:28:18,559 --> 00:28:20,240 and then you can't leave the hotel 681 00:28:20,240 --> 00:28:22,559 otherwise they get an alarm and then the 682 00:28:22,559 --> 00:28:24,399 cops show up to bring you back to you 683 00:28:24,399 --> 00:28:26,320 wherever you're supposed to be kind of 684 00:28:26,320 --> 00:28:28,880 like a real ankle monitor except in the 685 00:28:28,880 --> 00:28:30,720 country where i wouldn't want to travel 686 00:28:30,720 --> 00:28:31,440 to 687 00:28:31,440 --> 00:28:35,679 and especially not now after this talk 688 00:28:38,080 --> 00:28:41,120 so that's sort of how it works tinkrace 689 00:28:41,120 --> 00:28:43,679 also produces devices that monitor 690 00:28:43,679 --> 00:28:45,440 people going on the hajj 691 00:28:45,440 --> 00:28:47,440 so there might be reasons why you'd want 692 00:28:47,440 --> 00:28:48,960 to 693 00:28:48,960 --> 00:28:50,399 tap one of these 694 00:28:50,399 --> 00:28:51,279 because 695 00:28:51,279 --> 00:28:52,880 you know 696 00:28:52,880 --> 00:28:55,440 if you want to monitor very religious 697 00:28:55,440 --> 00:28:56,640 people 698 00:28:56,640 --> 00:28:58,559 this is sort of the brand you'd want to 699 00:28:58,559 --> 00:29:01,039 go for 700 00:29:06,960 --> 00:29:08,640 so i could show you the protocol 701 00:29:08,640 --> 00:29:11,360 documents again 702 00:29:11,360 --> 00:29:13,120 but i have a question what would happen 703 00:29:13,120 --> 00:29:15,600 if we just send a bunch of sms commands 704 00:29:15,600 --> 00:29:18,320 to people in the uae trying to guess 705 00:29:18,320 --> 00:29:20,159 their cell phone numbers or maybe if we 706 00:29:20,159 --> 00:29:22,399 find a block of cell phone numbers you 707 00:29:22,399 --> 00:29:23,360 know 708 00:29:23,360 --> 00:29:26,399 that would belong to a provider they 709 00:29:26,399 --> 00:29:27,919 used to 710 00:29:27,919 --> 00:29:31,200 communicate with these watches 711 
00:29:31,200 --> 00:29:32,960 anyone have an idea do you think we 712 00:29:32,960 --> 00:29:33,919 could 713 00:29:33,919 --> 00:29:36,720 hack all of them 714 00:29:38,799 --> 00:29:42,080 so yeah it's definitely possible and 715 00:29:42,080 --> 00:29:44,159 um you can definitely 716 00:29:44,159 --> 00:29:46,640 find them in the emirates um and you can 717 00:29:46,640 --> 00:29:49,200 definitely get a response out of them 718 00:29:49,200 --> 00:29:51,520 so you could set them up against your 719 00:29:51,520 --> 00:29:52,960 own server 720 00:29:52,960 --> 00:29:55,900 and that's sort of a 721 00:29:55,900 --> 00:29:58,000 [Music] 722 00:29:58,000 --> 00:29:59,760 interesting thing to do 723 00:29:59,760 --> 00:30:02,399 avast actually looked into this and how 724 00:30:02,399 --> 00:30:03,520 they 725 00:30:03,520 --> 00:30:05,200 some of 726 00:30:05,200 --> 00:30:08,000 similar devices communicate to a server 727 00:30:08,000 --> 00:30:10,080 their kids trackers 728 00:30:10,080 --> 00:30:12,240 these protocols are not that different 729 00:30:12,240 --> 00:30:14,320 from the kids trackers protocols they 730 00:30:14,320 --> 00:30:16,799 have the same sort of vulnerabilities 731 00:30:16,799 --> 00:30:18,880 i would say the servers in the website 732 00:30:18,880 --> 00:30:20,720 part is better designed 733 00:30:20,720 --> 00:30:24,399 so you your chance of actually 734 00:30:24,399 --> 00:30:26,240 getting into their web servers is 735 00:30:26,240 --> 00:30:28,399 slightly lower except for the megastack 736 00:30:28,399 --> 00:30:30,960 devices they're the best at hardware 737 00:30:30,960 --> 00:30:33,440 but their websites just aren't really 738 00:30:33,440 --> 00:30:35,520 that great security wise like you have a 739 00:30:35,520 --> 00:30:38,080 default password so it's one two three 740 00:30:38,080 --> 00:30:39,919 four five six 741 00:30:39,919 --> 00:30:41,919 you just log in with your email number 742 00:30:41,919 --> 00:30:43,120 and your 743 
00:30:43,120 --> 00:30:45,679 default password and you're done you can 744 00:30:45,679 --> 00:30:47,840 monitor someone so 745 00:30:47,840 --> 00:30:48,720 yeah 746 00:30:48,720 --> 00:30:50,399 that's an issue 747 00:30:50,399 --> 00:30:52,640 with think race you actually have more 748 00:30:52,640 --> 00:30:55,360 specific uh sms commands and you have 749 00:30:55,360 --> 00:30:57,600 fewer of them 750 00:30:57,600 --> 00:31:00,000 that said they were friendly enough to 751 00:31:00,000 --> 00:31:02,399 ship me a jtag debugging cable for their 752 00:31:02,399 --> 00:31:03,519 watches 753 00:31:03,519 --> 00:31:06,159 so that's nice of them you know i really 754 00:31:06,159 --> 00:31:07,679 appreciate it 755 00:31:07,679 --> 00:31:10,000 they have two types they have a 2g watch 756 00:31:10,000 --> 00:31:12,080 which you can 757 00:31:12,080 --> 00:31:14,240 talk let let it talk to your server like 758 00:31:14,240 --> 00:31:16,799 this so you can configure your tracking 759 00:31:16,799 --> 00:31:18,640 server 760 00:31:18,640 --> 00:31:21,120 so if you want to proxy it or have it 761 00:31:21,120 --> 00:31:23,440 talk to your own server figure out where 762 00:31:23,440 --> 00:31:26,080 someone from the uae actually 763 00:31:26,080 --> 00:31:27,679 walks around 764 00:31:27,679 --> 00:31:30,720 this is what you can do 765 00:31:31,279 --> 00:31:34,000 and there's actually a 766 00:31:34,000 --> 00:31:36,080 protocol manual in here as well because 767 00:31:36,080 --> 00:31:38,480 they have a binary protocol and i would 768 00:31:38,480 --> 00:31:42,320 find it very difficult to 769 00:31:42,559 --> 00:31:45,279 reverse engineer this by hand 770 00:31:45,279 --> 00:31:49,279 from just proxied requests so 771 00:31:49,279 --> 00:31:50,799 you know if you want to roll your own 772 00:31:50,799 --> 00:31:53,279 this is definitely useful and i did roll 773 00:31:53,279 --> 00:31:55,760 my own but you know 774 00:31:55,760 --> 00:31:58,000 here it is so you can 
guys can sort of 775 00:31:58,000 --> 00:31:59,519 see how this communicates with the 776 00:31:59,519 --> 00:32:01,360 server 777 00:32:01,360 --> 00:32:03,200 yeah they have a few 778 00:32:03,200 --> 00:32:05,600 packets i would say the protocol is less 779 00:32:05,600 --> 00:32:08,159 complex than the jimmy version 780 00:32:08,159 --> 00:32:10,000 but 781 00:32:10,000 --> 00:32:11,200 it works 782 00:32:11,200 --> 00:32:12,080 it's 783 00:32:12,080 --> 00:32:13,919 decent enough so here's the type of 784 00:32:13,919 --> 00:32:15,519 packets they have and so login 785 00:32:15,519 --> 00:32:17,840 information again the email number as 786 00:32:17,840 --> 00:32:20,399 they showed in the video 787 00:32:20,399 --> 00:32:24,320 they have a gps information package lbs 788 00:32:24,320 --> 00:32:25,919 information package 789 00:32:25,919 --> 00:32:29,919 they also transmit wi-fi data so 790 00:32:29,919 --> 00:32:31,919 they basically offer the entire package 791 00:32:31,919 --> 00:32:34,399 of like 792 00:32:35,039 --> 00:32:37,200 methods to track someone 793 00:32:37,200 --> 00:32:40,880 and they also transmit information about 794 00:32:40,880 --> 00:32:42,720 your 795 00:32:42,720 --> 00:32:45,440 blood pressure if you have the 2g watch 796 00:32:45,440 --> 00:32:48,399 your heart rate your spo2 797 00:32:48,399 --> 00:32:49,840 those you can all monitor and your 798 00:32:49,840 --> 00:32:51,760 temperature which is useful if you're 799 00:32:51,760 --> 00:32:55,600 using it for covet monitoring 800 00:32:55,600 --> 00:32:57,120 so think race 801 00:32:57,120 --> 00:33:00,000 watch tracker-wise hardware-wise it's 802 00:33:00,000 --> 00:33:01,120 great 803 00:33:01,120 --> 00:33:04,240 the protocol has the same sort of 804 00:33:04,240 --> 00:33:09,399 pitfalls as all the other ones do so 805 00:33:10,640 --> 00:33:13,919 that's stink race um 806 00:33:13,919 --> 00:33:16,159 yeah i i would say this is a very 807 00:33:16,159 --> 00:33:18,159 interesting 
one to 808 00:33:18,159 --> 00:33:20,399 monitor people in foreign countries if 809 00:33:20,399 --> 00:33:22,840 you want to monitor someone but there's 810 00:33:22,840 --> 00:33:24,720 more 811 00:33:24,720 --> 00:33:27,279 so we have the sigson type trackers 812 00:33:27,279 --> 00:33:29,440 they're used mainly in china here you 813 00:33:29,440 --> 00:33:32,880 can see where they're used 814 00:33:33,440 --> 00:33:35,200 i also have an implementation for this 815 00:33:35,200 --> 00:33:37,279 one on the website so in case you want 816 00:33:37,279 --> 00:33:39,840 to like buy your own from that company 817 00:33:39,840 --> 00:33:42,799 or social engineer your own um 818 00:33:42,799 --> 00:33:44,559 you know they're used for the power grid 819 00:33:44,559 --> 00:33:46,559 they're used for prisons 820 00:33:46,559 --> 00:33:48,480 i i don't know any of these prisons i 821 00:33:48,480 --> 00:33:50,399 haven't contacted them before holding 822 00:33:50,399 --> 00:33:52,720 the stock to see if i could you know 823 00:33:52,720 --> 00:33:54,960 i didn't think that was a good idea to 824 00:33:54,960 --> 00:33:56,480 do so 825 00:33:56,480 --> 00:33:58,799 here you can sort of see where 826 00:33:58,799 --> 00:34:00,080 these are used 827 00:34:00,080 --> 00:34:02,080 it's actually a binary protocol and this 828 00:34:02,080 --> 00:34:04,880 one does not use sms commands to set up 829 00:34:04,880 --> 00:34:07,120 the device so it's slightly harder to 830 00:34:07,120 --> 00:34:08,480 hack 831 00:34:08,480 --> 00:34:10,879 but they also gave me jtag cables for 832 00:34:10,879 --> 00:34:12,560 the device so 833 00:34:12,560 --> 00:34:14,800 you know jtag is 834 00:34:14,800 --> 00:34:17,918 fairly nice to debug or just configure 835 00:34:17,918 --> 00:34:19,280 the server 836 00:34:19,280 --> 00:34:21,760 it is talking to and that's exactly what 837 00:34:21,760 --> 00:34:24,079 you can do if you buy one you could use 838 00:34:24,079 --> 00:34:26,639 their 
platform or their website to set 839 00:34:26,639 --> 00:34:28,800 it up against your own server also but 840 00:34:28,800 --> 00:34:29,679 you know 841 00:34:29,679 --> 00:34:30,960 jtag 842 00:34:30,960 --> 00:34:31,839 if you 843 00:34:31,839 --> 00:34:33,760 pretend to be a big enough company you 844 00:34:33,760 --> 00:34:36,000 will get a jtag 845 00:34:36,000 --> 00:34:38,639 cable for these for free 846 00:34:38,639 --> 00:34:40,079 and they will 847 00:34:40,079 --> 00:34:42,000 they obviously want you as their 848 00:34:42,000 --> 00:34:43,839 customer you can also upgrade the 849 00:34:43,839 --> 00:34:46,079 firmware with it you can download the 850 00:34:46,079 --> 00:34:48,480 firmware with it you can modify your gps 851 00:34:48,480 --> 00:34:49,760 tracker with it 852 00:34:49,760 --> 00:34:52,560 so if you ever end up in one of these 853 00:34:52,560 --> 00:34:53,918 prisons 854 00:34:53,918 --> 00:34:55,918 you might just want to you know 855 00:34:55,918 --> 00:34:58,160 have friends who can find you one of 856 00:34:58,160 --> 00:35:00,000 these jtag cables 857 00:35:00,000 --> 00:35:01,599 since you have the full protocol 858 00:35:01,599 --> 00:35:03,920 documentation i'm sure you all can 859 00:35:03,920 --> 00:35:07,200 figure out how to talk to the server and 860 00:35:07,200 --> 00:35:09,040 tell it that you're in the location 861 00:35:09,040 --> 00:35:10,880 you're supposed to you know within a few 862 00:35:10,880 --> 00:35:15,800 yards with some random error margin 863 00:35:16,240 --> 00:35:18,000 yeah these are actually used the 864 00:35:18,000 --> 00:35:20,240 execution type trackers i've brought a 865 00:35:20,240 --> 00:35:22,160 few also um 866 00:35:22,160 --> 00:35:24,160 in the speaker stance so that's why the 867 00:35:24,160 --> 00:35:27,200 giant bucket of gps trackers i do tend 868 00:35:27,200 --> 00:35:29,680 to actually test them and use them with 869 00:35:29,680 --> 00:35:32,879 the server i've developed 870 
00:35:33,520 --> 00:35:35,359 so it has 871 00:35:35,359 --> 00:35:37,040 all of these devices have multiple 872 00:35:37,040 --> 00:35:38,400 tracking methods 873 00:35:38,400 --> 00:35:40,640 so you have lbs which is local base 874 00:35:40,640 --> 00:35:42,240 station 875 00:35:42,240 --> 00:35:43,119 so 876 00:35:43,119 --> 00:35:45,599 your cell phone tower some of them just 877 00:35:45,599 --> 00:35:47,599 send the one cell phone tower they are 878 00:35:47,599 --> 00:35:48,880 connected to 879 00:35:48,880 --> 00:35:50,320 and 880 00:35:50,320 --> 00:35:53,599 i would say most of them i think the 881 00:35:53,599 --> 00:35:56,160 jimmy ones the 882 00:35:56,160 --> 00:35:57,680 seeks um 883 00:35:57,680 --> 00:36:00,560 the think race and 884 00:36:00,560 --> 00:36:03,200 my rope some of their versions 885 00:36:03,200 --> 00:36:04,480 send 886 00:36:04,480 --> 00:36:06,400 multiple base stations so that makes 887 00:36:06,400 --> 00:36:09,119 location easier but lbs is not 888 00:36:09,119 --> 00:36:11,359 the best way to locate someone some of 889 00:36:11,359 --> 00:36:13,520 them have bluetooth like jimmy 890 00:36:13,520 --> 00:36:15,440 where you have bluetooth beacons they 891 00:36:15,440 --> 00:36:16,960 place in your house it's sort of like 892 00:36:16,960 --> 00:36:20,320 the rf location you have with 893 00:36:20,320 --> 00:36:23,040 the more western devices the 894 00:36:23,040 --> 00:36:24,960 older versions of the ankle monitors 895 00:36:24,960 --> 00:36:28,320 they have over here you would have a rf 896 00:36:28,320 --> 00:36:30,800 transmitter in your house somewhere and 897 00:36:30,800 --> 00:36:33,119 they would be able to see over your 898 00:36:33,119 --> 00:36:35,599 phone line back then 899 00:36:35,599 --> 00:36:38,640 where you are located 900 00:36:38,640 --> 00:36:41,760 around that transmitter based on that rf 901 00:36:41,760 --> 00:36:43,520 signal you can do the sort of the same 902 00:36:43,520 --> 00:36:45,680 thing with 
bluetooth and a lot of these 903 00:36:45,680 --> 00:36:49,759 devices actually have bluetooth for that 904 00:36:50,800 --> 00:36:53,760 they also have wi-fi and thanks to arch 905 00:36:53,760 --> 00:36:57,359 linux i'll get back to later 906 00:36:57,359 --> 00:36:59,760 and gps of course 907 00:36:59,760 --> 00:37:01,040 gps is 908 00:37:01,040 --> 00:37:03,280 by far the most accurate tracking option 909 00:37:03,280 --> 00:37:05,359 you have it's within a few yards so if 910 00:37:05,359 --> 00:37:07,440 you really want to know where someone is 911 00:37:07,440 --> 00:37:11,359 you prefer gps but wi-fi is sort of a 912 00:37:11,359 --> 00:37:14,400 good fallback because wi-fi geolocation 913 00:37:14,400 --> 00:37:17,440 is also usually within 5-10 yards of 914 00:37:17,440 --> 00:37:20,880 where someone actually is 915 00:37:21,839 --> 00:37:24,079 yeah there are a few security details 916 00:37:24,079 --> 00:37:26,800 just as far as 917 00:37:26,800 --> 00:37:29,920 location goes um i have not implemented 918 00:37:29,920 --> 00:37:32,079 this but since they implement multiple 919 00:37:32,079 --> 00:37:34,240 tracking methods you can cross-reference 920 00:37:34,240 --> 00:37:36,880 them and here i'm sort of talking about 921 00:37:36,880 --> 00:37:39,040 how western devices work but if you 922 00:37:39,040 --> 00:37:42,160 block your gps signal 923 00:37:42,160 --> 00:37:46,960 a proper server would then look at 924 00:37:47,359 --> 00:37:50,800 your lbs and that's sort of what i do 925 00:37:50,800 --> 00:37:53,920 here but if you spoof your gps signal 926 00:37:53,920 --> 00:37:57,280 you can still look at your lbs and see 927 00:37:57,280 --> 00:37:58,880 is he somewhere 928 00:37:58,880 --> 00:38:01,119 within the 929 00:38:01,119 --> 00:38:03,200 area he's supposed to be in 930 00:38:03,200 --> 00:38:04,480 so 931 00:38:04,480 --> 00:38:07,280 if the gps does not match with the lbs 932 00:38:07,280 --> 00:38:10,000 or the wi-fi geo location you can 
send 933 00:38:10,000 --> 00:38:12,000 the alert and you can show okay 934 00:38:12,000 --> 00:38:14,560 someone's tampering with the device 935 00:38:14,560 --> 00:38:17,040 and this is a security measure you will 936 00:38:17,040 --> 00:38:20,480 generally not see in the 937 00:38:20,480 --> 00:38:22,000 chinese 938 00:38:22,000 --> 00:38:25,040 servers or 939 00:38:25,599 --> 00:38:28,400 chinese devices i have not implemented 940 00:38:28,400 --> 00:38:30,320 this it's very possible to do because 941 00:38:30,320 --> 00:38:31,440 you can 942 00:38:31,440 --> 00:38:33,119 the code is already there to do the 943 00:38:33,119 --> 00:38:34,960 geolocation all you need is a sort of 944 00:38:34,960 --> 00:38:38,079 temporal earth with that 945 00:38:38,400 --> 00:38:40,079 there are multiple attacks on this you 946 00:38:40,079 --> 00:38:42,960 can downgrade one of these 4g devices to 947 00:38:42,960 --> 00:38:46,000 2g so you can jam all the 4g signals 948 00:38:46,000 --> 00:38:48,560 this is fairly illegal to do 949 00:38:48,560 --> 00:38:50,560 but you can do it and then it'll 950 00:38:50,560 --> 00:38:53,040 communicate over a 2g signal 951 00:38:53,040 --> 00:38:55,920 and the 2g signal you can intercept and 952 00:38:55,920 --> 00:38:58,079 you can spoof and you can mess about 953 00:38:58,079 --> 00:39:00,880 with 954 00:39:00,880 --> 00:39:03,440 jamming is possible because their server 955 00:39:03,440 --> 00:39:05,359 does not match 956 00:39:05,359 --> 00:39:06,240 the 957 00:39:06,240 --> 00:39:08,880 lbs for the wi-fi location to the gps 958 00:39:08,880 --> 00:39:11,040 signal so you can 959 00:39:11,040 --> 00:39:13,040 mess about with it 960 00:39:13,040 --> 00:39:14,720 some of them actually 961 00:39:14,720 --> 00:39:17,200 shut down the gps 962 00:39:17,200 --> 00:39:18,960 receiver 963 00:39:18,960 --> 00:39:22,079 when there's a wi-fi signal present 964 00:39:22,079 --> 00:39:24,160 that's a bug because 965 00:39:24,160 --> 00:39:26,240 if 
you shut down your gps receiver when 966 00:39:26,240 --> 00:39:28,240 there's a wi-fi signal present well my 967 00:39:28,240 --> 00:39:30,160 phone can send the wi-fi network just 968 00:39:30,160 --> 00:39:33,920 fine i can broadcast the ssid 969 00:39:33,920 --> 00:39:36,560 from my phone i can broadcast multiple 970 00:39:36,560 --> 00:39:40,079 ssids while i'm driving in my car and if 971 00:39:40,079 --> 00:39:42,400 it's not getting a gps location 972 00:39:42,400 --> 00:39:44,320 but it's just doing wi-fi location you 973 00:39:44,320 --> 00:39:46,000 would never be able to tell i'm just 974 00:39:46,000 --> 00:39:48,960 walking out with my router you know 975 00:39:48,960 --> 00:39:50,880 it's not that difficult to add like a 976 00:39:50,880 --> 00:39:52,720 backup power supply to your router and 977 00:39:52,720 --> 00:39:54,720 just walk out the house 978 00:39:54,720 --> 00:39:59,040 so there's a few bugs in there um 979 00:39:59,040 --> 00:40:01,119 that's with xeekson 980 00:40:01,119 --> 00:40:03,280 with think race you can actually force 981 00:40:03,280 --> 00:40:05,680 it to gps locate and that's what i'm 982 00:40:05,680 --> 00:40:07,920 doing in the software so it's harder to 983 00:40:07,920 --> 00:40:09,040 fool 984 00:40:09,040 --> 00:40:11,599 the server if properly implemented and i 985 00:40:11,599 --> 00:40:12,640 don't think 986 00:40:12,640 --> 00:40:13,359 the 987 00:40:13,359 --> 00:40:15,839 actual chinese server pulls the same 988 00:40:15,839 --> 00:40:17,119 trick 989 00:40:17,119 --> 00:40:19,359 but mine does so you won't be able to 990 00:40:19,359 --> 00:40:21,760 run away with your wi-fi router in hand 991 00:40:21,760 --> 00:40:22,839 with this 992 00:40:22,839 --> 00:40:26,640 one but yeah that's sort of the trick 993 00:40:26,640 --> 00:40:27,760 between 994 00:40:27,760 --> 00:40:29,839 these sort of devices now if you have 995 00:40:29,839 --> 00:40:32,800 the lbs tracking 996 00:40:32,800 --> 00:40:34,960 you 997 
00:40:35,359 --> 00:40:38,560 want to know where the user is 998 00:40:38,560 --> 00:40:40,799 so 999 00:40:41,200 --> 00:40:43,440 if if we're gonna 1000 00:40:43,440 --> 00:40:45,359 if we have no other options 1001 00:40:45,359 --> 00:40:48,560 so no gps no wi-fi we want to use lbs 1002 00:40:48,560 --> 00:40:50,720 lbs is accurate within 1003 00:40:50,720 --> 00:40:52,480 a mile ish 1004 00:40:52,480 --> 00:40:54,880 um if you have multiple local base 1005 00:40:54,880 --> 00:40:56,319 stations 1006 00:40:56,319 --> 00:40:58,800 you can be more accurate to within a few 1007 00:40:58,800 --> 00:41:01,680 hundred yards of where a person is 1008 00:41:01,680 --> 00:41:03,760 this is kind of how you do a 1009 00:41:03,760 --> 00:41:06,400 lookup for where a cell tower is 1010 00:41:06,400 --> 00:41:09,839 that's kind of all there is to it 1011 00:41:10,000 --> 00:41:12,720 the software on my website contains a 1012 00:41:12,720 --> 00:41:15,680 huge database 1013 00:41:16,319 --> 00:41:18,640 halfway from open cell id halfway from 1014 00:41:18,640 --> 00:41:21,280 other sources with all these tower 1015 00:41:21,280 --> 00:41:22,560 locations 1016 00:41:22,560 --> 00:41:24,400 so you can 1017 00:41:24,400 --> 00:41:26,480 look them up really quickly it's also 1018 00:41:26,480 --> 00:41:28,640 really easy to radix sort them because 1019 00:41:28,640 --> 00:41:30,879 they're 1020 00:41:31,440 --> 00:41:32,480 just 1021 00:41:32,480 --> 00:41:34,480 binary data it's really 1022 00:41:34,480 --> 00:41:37,119 efficient to look them up locally 1023 00:41:37,119 --> 00:41:38,720 so it takes 1024 00:41:38,720 --> 00:41:41,599 less than a millisecond to do lbs lookup 1025 00:41:41,599 --> 00:41:43,520 if we can't find it in our own database 1026 00:41:43,520 --> 00:41:45,920 we fall back to google 1027 00:41:45,920 --> 00:41:47,680 and we ask google hey where's the cell 1028 00:41:47,680 --> 00:41:49,440 tower located and google knows 1029 00:41:49,440 --> 00:41:52,480 
everything so
1030 00:41:54,880 --> 00:41:57,599 in order to figure out where someone is
1031 00:41:57,599 --> 00:41:59,680 having these locations we need to
1032 00:41:59,680 --> 00:42:01,119 interpolate
1033 00:42:01,119 --> 00:42:03,119 I used the quick and dirty method I just
1034 00:42:03,119 --> 00:42:06,720 did a grid square optimization just
1035 00:42:06,720 --> 00:42:08,880 walk through the grid squares between
1036 00:42:08,880 --> 00:42:10,880 these cell towers and figure out where
1037 00:42:10,880 --> 00:42:13,200 the strength is sort of optimal I know
1038 00:42:13,200 --> 00:42:15,359 it's not a linear relationship per se
1039 00:42:15,359 --> 00:42:17,520 but
1040 00:42:17,520 --> 00:42:18,640 works
1041 00:42:18,640 --> 00:42:21,359 well enough
1042 00:42:21,920 --> 00:42:23,040 so
1043 00:42:23,040 --> 00:42:24,960 the next tracking option and the next
1044 00:42:24,960 --> 00:42:28,160 best tracking option is Wi-Fi tracking
1045 00:42:28,160 --> 00:42:31,359 the sort of the only provider you have
1046 00:42:31,359 --> 00:42:34,160 nowadays for good Wi-Fi tracking is
1047 00:42:34,160 --> 00:42:37,760 Google and what Google does is
1048 00:42:37,760 --> 00:42:39,520 basically whenever you walk around with
1049 00:42:39,520 --> 00:42:41,680 your Android phone they collect all the
1050 00:42:41,680 --> 00:42:44,480 Wi-Fi networks and your GPS data
1051 00:42:44,480 --> 00:42:45,920 and they store it
1052 00:42:45,920 --> 00:42:48,319 and then we can just query it the
1053 00:42:48,319 --> 00:42:50,960 downside is these location API calls are
1054 00:42:50,960 --> 00:42:52,640 fairly expensive
1055 00:42:52,640 --> 00:42:56,160 so it's 28 000 map loads
1056 00:42:56,160 --> 00:42:58,720 for 200 bucks you can see here
1057 00:42:58,720 --> 00:43:01,119 and how often do you think a GPS tracker
1058 00:43:01,119 --> 00:43:04,000 connects with the server to notify them
1059 00:43:04,000 --> 00:43:04,960 okay
1060 00:43:04,960 --> 00:43:08,640 I'm seeing these Wi-Fi networks
1061 00:43:09,760 --> 00:43:13,400 anyone have an idea
1062 00:43:16,560 --> 00:43:19,520 not once a second
1063 00:43:20,400 --> 00:43:23,200 yeah usually once a minute once uh 30
1064 00:43:23,200 --> 00:43:25,119 seconds it depends on how you set it up
1065 00:43:25,119 --> 00:43:27,599 if you want to save power or you want to
1066 00:43:27,599 --> 00:43:29,200 track someone for a long time you might
1067 00:43:29,200 --> 00:43:32,480 set it to three or five minutes
1068 00:43:32,480 --> 00:43:34,960 but there's a lot of minutes in a day
1069 00:43:34,960 --> 00:43:36,960 and this would get expensive fairly
1070 00:43:36,960 --> 00:43:38,839 quickly
1071 00:43:38,839 --> 00:43:43,040 so I've implemented caching in my server
1072 00:43:43,040 --> 00:43:44,800 usually people are stationary and they
1073 00:43:44,800 --> 00:43:46,800 stay in the same house caching only
1074 00:43:46,800 --> 00:43:49,520 works if you do not send the
1075 00:43:49,520 --> 00:43:51,599 signal strength because
1076 00:43:51,599 --> 00:43:54,319 signal strength will vary a lot in
1077 00:43:54,319 --> 00:43:55,839 the same area
1078 00:43:55,839 --> 00:43:58,640 so what I've done with the
1079 00:43:58,640 --> 00:44:01,839 caching is
1080 00:44:01,920 --> 00:44:04,160 I have just
1081 00:44:04,160 --> 00:44:06,000 stripped all of that data sent Google
1082 00:44:06,000 --> 00:44:08,240 the plain Wi-Fi networks and got back
1083 00:44:08,240 --> 00:44:10,400 the location
1084 00:44:10,400 --> 00:44:12,880 I am unfortunately not that rich and I'm
1085 00:44:12,880 --> 00:44:15,200 not going to be able to afford 200 bucks
1086 00:44:15,200 --> 00:44:17,200 a month just to track one person let
1087 00:44:17,200 --> 00:44:20,560 alone like 10 people using my server
1088 00:44:20,560 --> 00:44:22,960 luckily each open source distribution
1089 00:44:22,960 --> 00:44:24,960 has Chrome
1090 00:44:24,960 --> 00:44:27,839 and anyone know if Chrome also has a
1091 00:44:27,839 --> 00:44:31,040 location API call in the API key in the
1092 00:44:31,040 --> 00:44:33,680 source code
1093 00:44:34,560 --> 00:44:35,760 yeah
1094 00:44:35,760 --> 00:44:38,640 you're correct um they have a location
1095 00:44:38,640 --> 00:44:40,560 API
1096 00:44:40,560 --> 00:44:42,560 code
1097 00:44:42,560 --> 00:44:43,760 in
1098 00:44:43,760 --> 00:44:45,680 the source code for the for instance
1099 00:44:45,680 --> 00:44:47,920 Arch repositories so I'm using the Arch
1100 00:44:47,920 --> 00:44:50,480 keys for myself but in case anyone wants
1101 00:44:50,480 --> 00:44:51,599 to
1102 00:44:51,599 --> 00:44:53,280 set this up you know if you want to do
1103 00:44:53,280 --> 00:44:55,760 it cheaply there's ways please don't
1104 00:44:55,760 --> 00:44:57,200 block me
1105 00:44:57,200 --> 00:44:59,440 I enjoy doing this far too much and I'm
1106 00:44:59,440 --> 00:45:03,359 far too cheap to stop doing that
1107 00:45:03,359 --> 00:45:05,839 um if that doesn't work we fall back to
1108 00:45:05,839 --> 00:45:08,880 the HERE geolocation API it's
1109 00:45:08,880 --> 00:45:11,680 what used to be TomTom it's cheaper
1110 00:45:11,680 --> 00:45:15,359 it's a lot cheaper per API
1111 00:45:15,880 --> 00:45:20,640 call um so yeah Wi-Fi geolocation is
1112 00:45:20,640 --> 00:45:23,680 efficient GPS we all know
1113 00:45:23,680 --> 00:45:25,440 and we know the security implementations
1114 00:45:25,440 --> 00:45:27,520 of this now I said I wouldn't talk about
1115 00:45:27,520 --> 00:45:29,680 Western devices and I have very little
1116 00:45:29,680 --> 00:45:31,119 time
1117 00:45:31,119 --> 00:45:33,680 but I'm just gonna give you guys a small
1118 00:45:33,680 --> 00:45:34,800 hint
1119 00:45:34,800 --> 00:45:37,119 most of these devices in the West have a
1120 00:45:37,119 --> 00:45:39,839 fiber cable
1121 00:45:40,560 --> 00:45:45,078 anyone remember the right picture
1122 00:45:46,640 --> 00:45:49,839 so this strap is bent right
1123 00:45:49,839 --> 00:45:52,079 and it's flexible you can sort of bend
1124 00:45:52,079 --> 00:45:53,280 it
1125 00:45:53,280 --> 00:45:54,480 you know
1126 00:45:54,480 --> 00:45:56,079 so there's a
1127 00:45:56,079 --> 00:45:58,800 ways to inject and extract light from a
1128 00:45:58,800 --> 00:46:01,119 cable like that it's fairly difficult
1129 00:46:01,119 --> 00:46:03,200 and expensive but
1130 00:46:03,200 --> 00:46:05,839 it's doable
1131 00:46:06,880 --> 00:46:08,640 and then there's still the open servers
1132 00:46:08,640 --> 00:46:11,200 you can use
1133 00:46:11,280 --> 00:46:13,040 which I've shown you before and I'm
1134 00:46:13,040 --> 00:46:16,560 gonna skip for now I think because I
1135 00:46:16,560 --> 00:46:19,440 don't have that much time left
1136 00:46:19,440 --> 00:46:22,000 but basically this is the
1137 00:46:22,000 --> 00:46:24,160 live gateway log you can all experiment
1138 00:46:24,160 --> 00:46:24,750 with
1139 00:46:24,750 --> 00:46:26,560 [Music]
1140 00:46:26,560 --> 00:46:30,240 which contains some information on
1141 00:46:30,240 --> 00:46:32,480 the myroap type devices
1142 00:46:32,480 --> 00:46:35,200 including full locations everything so
1143 00:46:35,200 --> 00:46:37,119 remember that URL
1144 00:46:37,119 --> 00:46:39,280 you can ask me for it later if you want
1145 00:46:39,280 --> 00:46:41,200 this is a server where they've just you
1146 00:46:41,200 --> 00:46:42,880 know been kind enough to publish their
1147 00:46:42,880 --> 00:46:45,599 logging data
1148 00:46:46,079 --> 00:46:48,720 nice to have
1149 00:46:48,800 --> 00:46:50,720 now let's get back to the actual
1150 00:46:50,720 --> 00:46:52,079 software
1151 00:46:52,079 --> 00:46:53,920 so this is the end product you can sort
1152 00:46:53,920 --> 00:46:56,079 of see where I came from and travel to
1153 00:46:56,079 --> 00:46:57,200 MCH
1154 00:46:57,200 --> 00:47:02,399 you can sort of see how fast I was going
1155 00:47:02,960 --> 00:47:04,800 and the battery level of course and
1156 00:47:04,800 --> 00:47:06,960 everything
1157 00:47:06,960 --> 00:47:08,640 you can see the status of the device
1158 00:47:08,640 --> 00:47:10,880 here you can see how many satellites it
1159 00:47:10,880 --> 00:47:12,720 has what kind of connection it has so
1160 00:47:12,720 --> 00:47:15,440 there's a fully working implementation
1161 00:47:15,440 --> 00:47:17,040 of this thing
1162 00:47:17,040 --> 00:47:18,720 here and you can sort of
1163 00:47:18,720 --> 00:47:21,119 see where I'm standing
1164 00:47:21,119 --> 00:47:23,280 at this point right now
1165 00:47:23,280 --> 00:47:25,440 and you can see an event
1166 00:47:25,440 --> 00:47:26,480 which is
1167 00:47:26,480 --> 00:47:27,440 where I've
1168 00:47:27,440 --> 00:47:29,760 taken this device off and then closed it
1169 00:47:29,760 --> 00:47:31,440 again
1170 00:47:31,440 --> 00:47:33,920 so it has the full functionality you
1171 00:47:33,920 --> 00:47:36,000 would expect of a law enforcement device
1172 00:47:36,000 --> 00:47:37,280 including
1173 00:47:37,280 --> 00:47:40,800 all the geofences whatever
1174 00:47:40,880 --> 00:47:43,680 so that's sort of
1175 00:47:44,160 --> 00:47:48,400 it for what I can demonstrate in
1176 00:47:48,400 --> 00:47:50,800 the 50 short minutes I have the software
1177 00:47:50,800 --> 00:47:52,559 is on my website if you have any
1178 00:47:52,559 --> 00:47:55,599 questions you can talk to me later or
1179 00:47:55,599 --> 00:47:58,079 outside this tent or at the speaker tent
1180 00:47:58,079 --> 00:47:59,599 I would like to thank you all for your
1181 00:47:59,599 --> 00:48:02,120 attention
1182 00:48:02,120 --> 00:48:05,540 [Applause]
1183 00:48:14,160 --> 00:48:16,240 you