DEF CON 22 – Robert Rowley – Detecting and Defending Against a Surveillance State

May 20, 2019

We have Robert Rowley, who is a ‑‑ he works for what I understand is Trustwave in their SpiderLabs division, is that right? I don't want to get anybody in trouble here. He's going to talk about detecting and defending against State-Actor surveillance. As we all know, certainly in the past couple of years, we all know for sure that the state is as much a threat as a lot of the other threats that are out there. Let's give a big party track welcome to Robert! [ Cheers and applause ]

>> Thank you all for showing up at this 1:00, I'm sure you have just woken up. Turn on my notes. Definitely thank you for choosing the presentation. I'm going to talk about detecting the surveillance tools that State-Actor Surveillance groups are using, an extension of a series of blog posts that I posted earlier this year to the SpiderLabs blog. It details how to detect and defend against the State-Actor Surveillance tools that were released earlier, or uh, late last year, 2013.
Foremost is who is this guy. I'm Robert Rowley, my day job is working in security research for Trustwave. I work in the SpiderLabs division, SpiderLabs department. I specifically do vulnerability assessment, that is not really what… there's not a lot of crossover between what this talk is about and my actual day job. I pretty much write Ruby code. Not specific to the work that I do, but a great example of the organization that I work for and how they allow me to kind of ‑‑ basically run on my own, do my own independent research, let me have their name on these slides, which is really quite amazing. I'm part of the southern California hacker scene, I've been going to DEF CON since DEF CON 9. I've been part of the California hacker scene for ten‑plus years, I feel very old. But I really started doing this when I was 14 and 15 years old, choosing a Linux computer instead of a car. [ Applause ] Thank you. I was stuck at home a lot, I got a lot of walking in. You can hit me up on Twitter @Ianli, you can #harassme all you want, I don't care. You can during, after, whatever. Again, back to me: I was identified, security researcher is my former title; years and years ago it was somebody else who told me I was a security researcher, after fun shenanigans I had at DEF CON, where I am actually the guy who is responsible for that free cellphone charging kiosk at the Wall of Sheep. So if anybody's battery is dead, please feel free to go to the Wall of Sheep and charge your phone for free, I swear it's all on the up and up. On a good note, probably because of that charging station I'm probably the reason why the paid charging station that was also here at the Rio the first year, I'm probably the reason why that thing is gone. I don't think it lasted the weekend.

I've been giving a lot of presentations, from talks about cell phone stuff, some web stuff, a lot of crazy stuff; this is completely different, this is kind of a tie-in to some kind of pseudo-activism that I have been associated with. I've given talks to activist groups, like Restore the 4th, down in southern California. I like what they do, they do things that I can't do. But I can't do alone. I care a lot about privacy, it has always been one of my own personal concerns, and especially after what happened about a year or so ago that definitely escalated. I've been interested in privacy for four or five years. Goes back to about ten years, I'll get in to that story. But before ‑‑ always good. I should also take note, everybody here, I have a thing: I don't like hearsay. Hearsay is a story with no tangible evidence. Something that you've heard from a third party or heard from a second party or feel like happened, but you don't have any tangible evidence to back up your story. I really loathe how that is, I do appreciate somebody who can show me evidence as opposed to somebody who says, this is how it is, this is how I think it is. There is a lot going wrong, mostly not necessarily in this community so much, DEF CON, hacking, technically oriented people with the logical minds, that we know how things add up and how things work. But I see a lot in the activist groups, especially the L.A., southern California area, where there is a lot of "well, this is how I feel things happened." I really feel sad.

But going on to this talk, I'm going to cover a couple of categories on this surveillance talk in the introduction already. I am going to give a quick introduction of things, explain some things, kind of give a back story on some things, then I go into the talk about the detailed information and surveillance catalog leaks, which is what I'm calling it. It's the TAO release from alleged NSA top secret documents. For anybody here who has security clearance and may be worried about me leaking the security clearance information, I have it covered. I'll explain that, no worry, you will not have any risk of seeing any top secret documents released here. Basically the documents were released last year in 2013 by a researcher journalist who explained how everything was. I looked in to them and I'll get in to more specifics. After they were released I started writing up a blog post, that's how I felt, nobody was looking at it as "let's find evidence for this." I wanted to give people information on how you find that evidence, how you detect against them, so you know you are or are not being spied upon. The focus of the talk is to detect, how to find tangible evidence. This talk is not peddling snake oil, which is key. Not trying to sell you a service or anything like that, or buy you a safety net from evil aliens, Illuminati, or the owl farm, or any other controllers of the universe, anybody reading your minds, not trying to protect you from those guys. You need to seek out psychotherapy. Who is involved in this matter?
Surveillance: you're looking at what people are doing, people don't feel good, there are spies and those that are spied upon. Simple. Spies can spy on other spies. But there are two factors in this matter. Somebody is either listening in or somebody is being listened to. People gather intelligence, they spy on other agencies that are gathering intelligence, or how they use the intelligence and the information that they're gathering for good or evil. Remember, folks, it's he who wins that writes the history books. I've been spied upon in my life, this is where the core of my ideals and activism work, I believe it was… I like to call it scare and care, in 2001‑2002, right after certain events in this country that allowed the agency that was doing the spying to look in to everything that I was doing at the time, and I was aware of this because they weren't really good at what they were doing at that time. They came up to my house, they asked for the name on the DSL bill, which was my grandmother, I was living at my grandmother's house. They assumed that she was the individual who was responsible for all this activity on the network, so they sat down with her, in the living room, with their guns on their side, just nice, happy, well dressed agents. They had guns on them and they sat down with my grandmother and they talked with her for 15, 20 minutes, probably only five minutes. I wasn't around for that. But they saw a laptop on her dining room table, they just assumed it was her laptop, that I bought her to play Solitaire. So she didn't have to shuffle. Then I heard my grandma call. I came out, said, hello. They said, oh, it's you that we're looking for. 18‑year‑old me. Eventually those agents… I hope if he's here, I'd love to talk to you if you remember that story, you remember who I am.

It's all about who spies, where do spies spy, they can spy for good or evil. It's what they do with it. In reality they spy, it's a job. They justify their actions for the greater good or, for better words, it's what their duty is; if they don't spy right or enough, it is their job, they lose their money, house, family. Not necessarily good, just whether or not they have the morality of their own soul to say, this is wrong, and tell people how it's wrong, or refuse to do that work. Find other work. My previous slide, it's about he who wins wars writes the history books. Alan Turing is a good example, somebody who did a great thing and he was breaking encryption. He was spying on what was the Axis powers and using his knowledge to break their encryption protocols to be able to listen to their stuff. He did bad if you look at it from the Axis point of view, he did great if you look at it from the Allied point of view. Allies won World War II. Post war we all know how he was treated and we know how that works, again, when you're valuable you're invaluable, and when you're no longer valuable, they'll treat you just like you were originally. History is always being written though, we're at a very interesting time right now. There are a lot of current efforts going on, who all knows what's going on right now? Is surveillance state fear a new thing for anybody here? I highly recommend actually looking back to the '70s, most of the stuff that we see today is just a repeat of exactly… many similar things back in the 1970s, which is when there was a great overhaul in privacy laws in the United States. But look back, I'm not going to dwell too much on that.

Full disclosure. Again, both tin foil hat wearers. People come up to me with crazy whimsical stories after I've given similar talks and they talk about how the Illuminati came in and they black bagged their girlfriend, hint‑hint, she's just not returning your calls. (Laughter) I can't help you if you don't have physical evidence, in fact, frankly, I'm not really interested unless you have physical evidence. I'm very interested if you have physical evidence, you can show me something happening. To date nobody has come forward based on these leaks and actually shown physical evidence of one of these existing or having been found. There's a story here, in 2010, well before this information was released, there was an individual who did write up a story, they contacted one of the publishers, published a story, found a GPS tracking device in their car. This has happened. Not a leak that we're talking about. This information is out there, you can probably find it if you look. You just have to know if you see something that doesn't belong, unplug it, see if a black SUV shows up and some guys in suits try to talk to you. Only major story that I found, I'm familiar with it because it was from southern California, which is where I'm from. It's basically the only thing that has evidence that I was aware of, obviously nobody accepts or admits any involvement in it, that's what you can expect in the end. What happened was there was actually a Wired article, something tangible was presented and discussed in a public arena.
Getting to the beef now. What is the surveillance catalog? Something written up by a presenter, journalist, researcher, released at 30C3, it was released in Der Spiegel as well as during that conference at the same time, run around just like Christmas 2013. Surveillance catalog, lots of details on how they worked, kind of an idea. There's a lot of missing components, but what is most interesting was, a lot of people alluded to or assumed that the source was Snowden, but the source, the leaked information, actually the source was never credited. It's unknown if it was directly related to the Edward Snowden leaks, but I can tell you that from my knowledge of which reporters and news agencies have released information about Snowden first, Der Spiegel wasn't on that list. Possibly never had the actual copy of Snowden's leaks, nor would they be going forward with this information while others were ignoring it. You can consider that, there's been a lot of talk about this considering the second leaker, I don't know really what it is, either a second leaker, or there is information they had from perhaps a WikiLeaks type source, we know there is a connection with the researcher involved with it. And WikiLeaks, basically not necessarily Snowden, a lot of people like to say Snowden, it could be a second shooter or leaker, there on the grassy knoll, or through WikiLeaks. Let the conspiracy theories begin, please keep them away from me.

This is what I promised earlier, I'm introducing a character called Surveillance Sam. This is helping me avoid showing secret documents during the talk. It's also because when I thought about how do I show the images, I don't have copyright for because they are top secret documents, I didn't know if I could call the NSA and say "Hey, can I use these in my slides?" I just kind of assumed what their answer would be, so, appropriate action, created my own character. I think more people should be doing this. Copyright free, everybody can have them, I have stickers up here as well and there's a vendor in the vendor area who also has stickers available. Come see me. Obviously comes with my special limited black helicopter and anti‑whistle blower karate chop action. Thanks for listening to my spiel. Let's get into some actual details. We're going to start with four sections, we'll start off with Hardware Bugs.
After each section feel free, if you have a question, raise your hand, come to the podium, hoot and whistle, try to figure me out, so I don't want to jump back if anybody has specific questions.

First, again, the first introduction is this is a series of hardware bugs, these are all retro reflectors. Ragemaster is a bug that attaches to your VGA cable, typically on the red data feed. It is used to transmit the data from your VGA red feed to a remote source to see what is on your screen. Loudauto is basically an embedded microphone system. These have existed since the '60s, well before the mention of other microphones; an RF signal starts transmitting what it hears in the room. Tawdryyard is a radio beacon, kind of think of this as RFID on crack, they can track down where a physical device is, maybe a laptop or phone, can use radio beacons to try to find out where you are. Surlyspawn, similar to the Ragemaster system, that is embedded in line with your keyboard now, and they transmit an RF signal to turn it on, it starts transmitting what you're typing on your keyboard. Basic ideas here, very simple, they all collect information, send it over the RF frequencies, radio frequencies. Obviously we know how to fix this by wearing a tin foil hat. You can go call EFF, get a limited edition hat. By the way, not sponsored, not real, that was a joke. It wouldn't detect anything, and again that is not the point of this talk, so please don't actually think tin foiling up your stuff will tell you if someone was spying on you. It's a good thing as a deterrent but it won't tell you if somebody was doing anything. You'll be running around with a non‑stylish hat. Unless somebody figures that out and makes it cool.

You can ‑‑ this tracks back to what I mentioned before with juice jacking. With malicious cell phone kiosks, something that I did a while ago, it's gained a lot of popularity, it's been back in the news recently. Just coincidentally people were releasing these items called USB condoms, where it removes the data lines from your USB port so that you can charge freely. Again, this is a problem that I feel prevents something, but it doesn't tell you that somebody was actually trying to get data off of your phone. Surprisingly enough there is a solution for that called plugging your phone in, it's kind of scary, but when you plug your phone in, most phones, Android phones, iPhones, will tell you if it's trying to negotiate with a computer and if you want to access it, and that is the point in time, perhaps plug in a burner phone you're not afraid to lose or plug in another device. Then that's the point in time where, the hell, is there a CPU on the other end of this charging station? That's far more valuable to know than running around with a little USB condom assuming every charging USB port is out to get you.

For these bugs, the correct answer would be using a radio, something like the HackRF board; software defined radio is a great thing in recent years, instead of buying a $10,000, $30,000, or $100,000 piece of gear to listen to radio spectrums you buy a small board, I don't know how much they go for, only a few hundred bucks if that. You write software for them, it will listen in to the spectrums that you're trying to listen in on. You sit there, you can figure out what the ambient radio noise in any room or office is, simply listen for spikes or changes. When you see spikes or changes, perhaps it was associated with when you were typing on the keyboard or when you had a computer on, and now you can start ruling out things, find out what the hell is going on. I was asked by a reporter if I had any, like, software that I was releasing for this or a tool to detect surveillance states. I have to clarify, because nobody has come forward with an actual tangible "here's what the NSA or CIA or any other group is actually using," it would be inappropriate to design a detection tool, because simply enough you wouldn't know what frequencies they're listening on and it's either going to be a false positive or never detected at all, and then I'd be selling snake oil, which is not what I want to do. Which I guess a shout out does go to the group who, in your DEF CON schedule, see the NSA talks, all those guys are designing what the open source alternative to the surveillance tools would be, it's very interesting. Go find those talks and perhaps then you can be the one that creates the detection tools just for the fun of it, it won't work in real life, you can assume or not using ‑‑ maybe not using open source ones, or maybe surveillance or NSA just doing them a favor. To be funny. Moving on.

Another way for hardware bugs to work, data exfiltration methods or embedded compromising devices. Cottonmouth, this is a USB bug, it embeds in your USB hub or USB device or cable and does USB injections over an air gap. It starts sending USB attacks onto a USB system. Ginsu, which is a PCI bus bug, those ‑‑ who here is familiar with IPMI? 10%. Basically IPMI is a control utility that plugs in to your control utility bus and lets you do anything to the box. Remotely administer the box by plugging in this PCI card. That's basically what Ginsu is. It's tailored for surveillance usage. Howlermonkey, which is a series of RF transmitters, basically simply explain what they do, Howlermonkey transmits RF or other utilities. Firewalk is an Ethernet bug, it can inject or monitor traffic, basically packets, if it were a packet injector. For these… or any of these devices which connect to JTAG, which is Godsurge, which is a BIOS attack system, compact flash cards, star montana systems. They all mean basically it's a method of persistent compromise following a device. Attack the BIOS, the peripherals, that is what all these devices are, they share one thing in common: they can be found if you look for them. If you look in the system and you see Surveillance Sam you know something is wrong, means your kid has gotten in to your computer. More importantly, if you look in to a system and you see a PCI card that perhaps you don't know what it does, why it's plugged in, you unplug it and a black SUV again shows up an hour later, then you know you have something going on. Or if nothing breaks, perhaps you just want to leave it unplugged, not try to worry.

Some of these systems plug in to JTAG headers, which Surveillance Sam is inspecting right below. JTAG headers are headers that… they are leads that go in to the CPU. Their intended usage is on mostly embedded systems. Also Godsurge, which was in the NSA, or the TAO catalog, which is targeting a server of a certain vendor which I probably shouldn't name to keep my job. But the idea is simply enough they have leads that lead… it left it exposed on the board which they shipped out, which is a very common thing for any vendor to do. It's used during debugging and development… during the debugging and development process. Allows you to get to the CPU to find out what was wrong, way easier to do it that way, especially for embedded devices that have no monitors or keyboard inputs. You just plug it into the JTAG port, it's like a serial interface directly to the CPU, pretty much is, it's … trying to think of the right expletive to use. Fill in the blank. The key to detecting anything like this, you assume perhaps I'll never be able to detect anything embedded in the system, but remember that every vendor who ships a board is going to have every single PCB trace on the board. They aren't going to run cables over the board to make connections because they didn't have enough layers. Pretty much everybody nowadays, with the technology of PCB creation, they can make as many layers as they want and pass the cost on to the consumer. This isn't the 1980s with the Apple II that you had to build yourself in the garage. Nobody has exposed leads, exposed wires; if you see one on a computer, perhaps you want to look up the manufacturer specs, what's connected to your CPU or to the JTAG or XTP or ITP header. That would be how you find them. Again, how you find them, simply looking for the thing that doesn't belong. If you… what I have here is two allergy pills and one laxative. Specifically they're children's medicine. If you can't tell what's wrong then perhaps you shouldn't be a parent, who may accidentally give your sick child the laxative pill, which doubles your problems.
(Laughter) Move on to some software compromises. The software exploits basically attack firmware or BIOS. They aren't an embedded device, you can't just open up a motherboard or your case and start looking inside, and creating the persistent compromise, which is what you would actually do… well, let me explain what they are. Iratemonk, Swap are basically master boot record or hard drive firmware attacks. Interestingly enough, in the last month, well, master boot record attacks existed for years, hard drive firmware attacks have been recently popularized at some other conferences. Motherboard BIOS attacks, they rewrite your BIOS, there has been some talk about malicious BIOS in the last year, simple ‑‑ what's interesting is that the way they were detecting, I didn't see many people showing examples of the BIOS, where that is basically what you want to start pulling off, the data from the chip, it's very time consuming, it's very tedious, the fast way to do it is just re-flash the devices. Unfortunately it's really not going to tell you if there was anything malicious on the device. Like I mentioned, the only way to do it is by pulling the firmware off of the device, from finding the way to pull the BIOS off the device, every device is different. But pull that data, get a copy of the firmware from the manufacturer, try to talk to them, see if it was what you expect to see, then do comparisons; if something comes up then now you know what is ‑‑ now you know something interesting is going on, you can start debugging it or decompiling it. Nobody came forward with any BIOS‑based malware found in the wild in the last year or so that actually explained in detail, said this is exactly where these attacks are. Another way that saves it, the problem with doing that is that it's really, really slow to pull firmware off of the device, about 900 baud or slower. It takes forever. In this day and age where the Internet is gigabits, something that is measured basically in bits, in baud rate, is very sad.

There's a platform module in the system called TPM, trusted platform module, if you're familiar with how they work. Not many. Who here is familiar with how to hack them? Even less. One guy over there. Thank you. Somebody. I had somebody yell at me last time I gave something, last time I mentioned TPM, sat there shaking his head, disappointed as to what I was talking about. Reality is, let me explain: trusted platform module is a chip that holds a crypto key, a private key, and securely holds that key so it can not be pulled off. There are attacks against it, tear apart the chip, start pulling the data off the chip. Be able to get the key, but that requires physical and destructive actions. You'll know when your chips are being desoldered using acids and other gizmos. Somebody needs to borrow your laptop, is handing it back to you wearing a haz‑mat suit, you have something to be concerned about. Gotten a lot of flak from the security community, mostly because manufacturers enjoy using TPM to lock down hardware, be able to detect changes in hardware and your device, and hackers don't like that because they want to change things. We want to modify stuff, want to not be punished for doing that. What's funny is the inverse of this they want to use: we can use TPM to detect changes in devices, to detect changes in firmware, it's the secured key that the ‑‑ any time something changes or weakens that, something changed, look in to this. It doesn't do it automatically, does it much faster than physically pulling the device. Problem with it, it's only ever as good as it's been implemented. Most manufacturers do not implement TPM correctly, there are attacks against it, and you can see in this picture, which I took when I was out in the desert, sometimes people don't understand security, they think putting a lock on it works. In this case it didn't work for shit, I had to see what was inside that shed, a lot of rat poop. Think some paint cans.

Let's talk a little bit about Wi‑Fi. There are two devices, who here has a Wi‑Fi Pineapple? You have exactly what this TAO playset was explaining, except for one of them is attached to a UAV. Or in this case special edition Surveillance Sam black helicopter. The Nightstand is effectively a Wi‑Fi Pineapple, nothing special.
Looked like it was a laptop in a case that looked like it opened up, probably just has a series of Wi‑Fi based attacks that you can use. Sparrow was a simple small form factor Wi‑Fi device attached to a drone, you would use all your same common sense with Wi‑Fi attacks that existed for the last 10, 15 years to be able to detect these devices listening in on you or detecting devices in your area. If you have a Wi‑Fi Pineapple it's a good thing, if you don't know what a Wi‑Fi Pineapple is you are probably going to be compromised by these types of attacks, so just turn Wi‑Fi off unless you need it. There's not much more I can say here, not to get in to too much detail or about to spin off an entire talk about Wi‑Fi based attacks, I'm just going to skip over it.

Cellular networks is the final section, I think I'm going at a pretty good pace, a little bit fast, if anybody has any questions again feel free to let me know. I worked in the final group where now making a large jump from the basic cargo‑based attacks. Cell phone bugs, easy to say we all rely on cell phones and are very familiar with people who rely on cell phones, especially with the work that I did before. Going to push to detect and monitor for the cell phones and cell phone networks, just what they do. I should say that I found out, a sense of pride, when the research that I did with malicious stuff on a cell phone kiosk actually ended up in a government document on how to protect yourself while traveling abroad. Apparently helped save the state by letting them know to let their top operatives and government agents not charge cell phones when they're flying in to China or Russia. Perhaps that free cell phone charging kiosk at the embassy wasn't such a nice present. But none of the information catalog included malicious cell phone kiosk attacks. None of that information got leaked. I will be adding, because I talked to Michael Ossmann a little while ago, I will be adding the tracking device and some software for it to the NSA Playset, which is what he's releasing here at DEF CON, a series of tools that are all open source.
Some of you may think it looks fun to look at, you can explain… you can understand a little bit more exactly how these juice jacking malicious kiosks were working, what was used to pull data from the phones and push data to the phones. Going back to the cell phone bugs, they're basically a group of two sections: there's malicious base stations, like Cyclone, Crossbeam, EBSR, Entourage, Nebula, Typhon, and then there's intelligence gathering tools. Gathering tools are more like hardware, like a physical cell phone, basically like their hack of some phones so they can use it for software radio, listen to RF frequencies while on the ground, just look like they're looking at their cell phone. That's basically the majority of what they are. They can track cell phones using their cell phone signals, or again one of them, very popular, was Candygram, which was a cell phone tracker, basically so they can follow you around, allegedly, if they get your cell phone. Again, if you're traveling and somebody from a government agency hands you a cell phone and says, use this while you're abroad, perhaps if you don't want to be tracked you won't use it.

Base stations though are an entirely different thing, because it's not something that you physically had access to. Pretty much never know that a malicious cell phone base station may exist unless you take specific action. Here is a basic idea of what you would do. There are a lot of ‑‑ listening out on cell phone networks, your cell phone may be able to pair with, and having your cell phone let you know if something is new or something is changing. Obviously everybody, when you move around, your cell phone towers would change, so the point of this type of system is keep one cell phone at your office in basically a static location, and I assume that cell phone towers just pop up and go down, pop up and go down, unless somebody is doing something funky with a cell or a rogue network. That would be a reason for you to be concerned: what is happening in my area? Perhaps you may find that the cell phone tower that was available at your office is now available at your home, then it followed me to the hotel down the street and another state. Maybe you want to see what is going on, you want to think a little bit. Now the difference is that you know that there is a cell phone tower for some reason that is following you. I don't have any software to release with this. There would be ‑‑ I built some test code, some proof of concepts, it's a lot of false positives. Especially whenever you start moving cell phones, cell phone towers turn off and on. I don't want to release something that freaks everybody out. You have to make sure that the phone stays in the same location, things don't change too much around you; also I don't think anybody really needs that, because a lot of people keep their one cell phone in a static location, maybe if you're stuck in an embassy trying to avoid extradition. I don't know how many there are in the world right now that might fit that; if that guy wants to buy this program I'll sell it to him.

But again, back on ‑‑ cell phones, main problem, you do not control the network. You control your device to a degree but you do not control your network. You have to remember that once information leaves your hands, leaves your control, you have no control over this. This doesn't cover just cell phones but servers, cloud, anything, star cloud, anything cloud relayed. You have to remember, honestly, a hat tip, say, remember OPSEC at all times, operational security; without it you really will just be toiling in the dark, playing in a playground and failing to detect or know anything, but you will be detected and people will know what you're doing. If you remember to do OPSEC it's the best solution here for people ‑‑ the best solution for people who are concerned about these sorts of things, especially if you use some of these methods to detect surveillance states you want to be sure to apply operational security. Obviously detecting will let you know if your operational security has failed or not. In conclusion here, I don't know if there were any other questions.
Nope. Please feel free to come up to one of the microphones that are available out there. Find one of the speaker Goons. The majority of this was mostly about an experiment, it's not ‑‑ it is really to invoke discussion. Bugs are detectable, meaning the information out there has been out there, it's been discussed at hacker conferences over the years. There's hard evidence, which is best, more so than hearsay. Tin foil hats are never stylish. Here are the slides for information on further reading, read the exact specific blog posts about the specific types of things that I was saying. I'll leave this on while I get through some questions over here on the right.

>> I have a question. Some of the major Internet service providers are deploying a pilot where your home Wi‑Fi basically becomes public Wi‑Fi. How does this change things?

>> Well, now you're offering service… you're becoming an ISP at your home, how would it change things for the ISP or for yourself, or for your home, or the places of liability are being monitored.

>> I'm thinking more from liability of now you're kind of an access point to people you don't know.

>> Yeah. That gives you not liability but that gives you plausible deniability. I don't know if I was that person or not, this is why I'm not endorsing this necessarily, this is do at your own risk, but opening up your Wi‑Fi, having open Wi‑Fi access allows you to say plausible deniability. Absolutely, yeah, very risky to do that. Anything can happen once you do that. You'll have to fight it off in court but you'll have some consideration of plausible deniability, especially so if your ISP is turning it on for the people. Mind you, remember if the ISP is controlling ‑‑ if the ISP network or other people on the same ISP or other people as a Wi‑Fi hot spot, they probably have embedded something on that to do remote monitoring and caching, that makes that hardware not your hardware but their hardware. So you don't own the hardware, you would be able to make changes or be worried or control what's going on. I'll get the guy behind you.

>> Are there ‑‑ most of these tools sort of made by hand by NSA, CIA or ‑‑

>> Catalog, basically are
they made by hand. Catalogs has
items available for sale, I don't know if this was the
documents were released by a
third party that was trying to sell it kind of like a skymall
for all the surveillance
hackers, but the information on it explicitly stated that the
hardware that they're using is
things that are available off the shelf. Again to reference
the NSA play set talks, they're
using items that are all off the shelf and you can make
effectively the same things by
just going to the store or ordering things from Amazon.
Over here. >> Is there a reason
you're not saying Jake Applebaum's name >> I don't
know. I blacked out there. Who,
who are you talking about? (Laughter) >> I guess that did
answer the question. [ laughter
] >> Yes, Jacob Applebaum was researcher journalist who
released the information for Der
Spiegel . You can talk to me later about it especially after
a few drinks I'll be very, very
tended. Doing it for his protection not mine. Yes. >>
Your comments about TPM chips ‑‑
>> Oh No. Are you from Trusted Platform (Laughter) >> No. But I
am interested in TPM chips now
starting to see similar devices that are being embedded into
mainstream processors, from free
scale renaissance those devices are typically trust anchors; Do
you see that as something that
is going to continue to expand in various hardware fields? >>
Expand or continue to be trusted
platform modules or trust anchors, I don't know. I can't
say. What I do know is that the
people who are making these ‑‑ who choose to pay to install
them are organizations, they're
businesses, more likely for a business purpose, if it's
business viable for them to put
it in they will put it in to the hardware. If it's not, I'll just
be frank, they're probably not
going to do it. There's some awesome thing that made
surveillance state- actors in
basically ‑‑ makes your hardware impervious to surveillance more
likely [inaudible] is going to
get behind that make that available on the shelf. But
again it's a two‑sided thing.
While trusting platform modules and trust anchors can be used
from the manufacturer to protect
their investments, so they can tell people that this is exactly
how it works hopefully everybody
here would know how to break in to them, change them to make it
so that we can protect
ourselves. Going to be a weird give‑take going to be between
whether or not they have a
financial reason to install these chips. Or help their
bottom line. >> I've been told
that the TPM chips are in many commercial devices today like
iPads, is that true? >> I do
not ‑‑ I'm not aware. You can ask somebody from Apple but I
think their answer… I can give
it to you… >> They won't answer. >> They won't answer.
Get them drunk enough perhaps
they will answer. That's very difficult. All right. I don't
see any more questions.
Afterwards, great. One more question. >> You mentioned the
software radios for finding RF
signals that ultimately you don't know. >> Yeah. >> Is there
any ‑‑ any good at open source
tools for triangulating them figure out where they're coming
from? >> There's tons of stuff
for that. Look up software radio types, I think it's,
or search Google for software
radio. Tons of stuff, they all release their information,
talked how to triangulations the
series of based atenae based, things like that. All that data
is all online I would really
enjoy to look at more in to it myself give cool talks about it.
There are plenty of resources
out there that's easily well in to the hour‑long talk just to
get over the basics of the
triangulation. It is key to note that software defined radio, I
skipped over this, your hardware
will have a limit typically you'll see between two to five
gigahertz on the high end,
hacker f is about three gigahertz, I apologize if I'm
wrong but it's high. There is a
huge spectrum beyond the three gigahertz range that ‑‑
gigahertz range if any sort of
surveillance tools happen to work in those spectrums, good
luck. I apologize. Tens of
thousands of dollars to acquire the hardware to do that
protection. Fair warning. >>
There is actually one last question. Great presentation.
You keep making references
lately of course having a few drinks getting them drunk. I'm
assuming this is something that
you have had experience in the past of getting information? >>
I don't know if I was
successful. I think I got too drunk in the process. >> The
tower concept you were talking
about. Does that cover like LTE , SYP handovers. 4G, 3G
handovers or is it specific to
one type of tower. >> Specific to the type of tower. >> You can
do a SYP handover and track
that. >> Yeah. That goes in to… yeah, you don't own that
hardware. You don't know what is
going on also one of the major reasons why I didn't want to
release anything that says this
is the solution because some networks can get way more
convoluted and complicated than
a simple app on your phone to tell you what is happening. >>
Need to know the S1 and
interface and [inaudible] >> Thank you. >> All right. Thank
you all for sticking around. [
Applause ] "This text is being provided in a rough draft
format.  Communication Access
Realtime Translation (CART) is provided in order to facilitate
communication accessibility and
may not be a totally verbatim record of the proceedings."


18 Replies to “DEF CON 22 – Robert Rowley – Detecting and Defending Against a Surveillance State”

  1. The Kaiser says:

    The spider of Roswell … he is alive.

  2. DeepPastry says:

    People with an agenda to write history books are the ones who write history books. Sometimes it's the "winners", sometimes it's the "losers" trying to cover up their own culpability and various made-up stories to paint themselves as the tragic heroes they never ever were. At best the agenda is, I really like history.

  3. SeoKungFu says:

    Good Ole DefCon !

  4. urbex2007 says:

    At 18:00 he shows himself as such a fraud, and idiot. He will not build a detector because no one has told him what or how to build it. This proves he doesn't have a clue and is copying other talks.

  5. Jonas Steinberg says:

    This is a primitive and concerning talk.

  6. Set Ekh says:

    How come a DUMBASS is allowed to speak on DefCon ?!? Thanks for reading Krebs .. where is your input on something like we DONT KNOW or is remotely interesting !!!

  7. Jeff Arant says:

    Nobody ever talks about cell phones; they literally have cameras, microphones, GPS, all that. They don't plant bugs any more, they just tap into your phone. They can turn on your camera and watch you through your phone, duhhhhh.

  8. Concerned Zittizen says:

    Go to 14:19 if you wish to skip the cringey preamble.

  9. frknnutz says:

    If I were China, I would sell network equipment real cheap to a target nation. Within that equipment would be firmware that remains dormant until awoken and then could actively collect data from critical network infrastructure on targets of interest. Huawei is just that kind of vendor. They have been kicked out of India for embedded surveillance in their RNC platforms that, as stated before, are dormant until activated. Currently, foreign network equipment vendors are not vetted by the NSA, yet their equipment is deployed throughout our critical network infrastructure. If you only knew how vulnerable these networks are. Example: I personally could access a wireless provider's core RAN network by gaining access to a rooftop Node B and telnet through a SIAD device to their core network elements. How? They NEVER change the passwords on their edge and core devices due to the sheer number of devices within their network. It is through this IP transport network that I could telnet to CDR collectors. As a consultant, I informed this wireless client of their vulnerability and demonstrated how easy it actually was. These wireless providers have a huge contingent of contract engineers, many of them H1B visa engineers. These engineers are in and out of these networks on a regular basis and have access to the sensitive infrastructure of these wireless networks. The passwords are common to every network element!! It was true three years ago and is still true to this day. If you are reading this, you know who you are.

    Remember that the Office of Personnel Management was hacked. A third party vendor that performed database management services allowed an engineer from China to have remote access to the servers. I found that very interesting. For me to work in federal government networks, I am required to have a TS clearance. How in the hell does a third party vendor slip in a remote engineer with no clearance?

    The biggest vulnerability within networks is the human factor.

  10. HiveMind1984 says:

    Seems like a true Euphoric Gentleman.

  11. Fraser G says:

    Says he doesn't like hearsay. Proceeds to give speculative talk with 0 physical evidence…

  12. THX1138A100 says:

    Nuke America, Russia and China too.

  13. Gr illa says:

    He doesn't exaggerate, says 15-20, then probably 5. Plays down. Wants you to know you can take his word for "truth". Says a lot about a person.

  14. Ye4rZero says:

    I like this guy, it's important to have someone who only recognizes anything with actual physical proof. I'm not saying everyone should be so strict, but he's one end of the spectrum, and it's good to have a wide range of views, especially when the views are given by experts

  15. Da A says:

    What a Luddite.

    Three years ago most guys like this hipster were licking .gov boots, but since Snowden they get to act surprised and are forced to even admit that government might be doing something wrong. It doesn't matter what is revealed in official documents; to people suffering from cognitive dissonance like this guy they will always be conspiracy theories. Wonder who created that little meme? CIA Document 1035-960 to combat anyone questioning the findings of the Warren report. Feel so pious using that pejorative now?

    It took an entire generation of doctors dying for germ theory to be accepted; it too was once a kooky conspiracy theory. Once a younger generation with intellectual acumen took the reins, the emotion and the dissonance no longer ruled the discussion, and they were able to recognize that the science supported germ theory. I will bet my life that this guy has been enriched in some way by the intelligence industrial complex; his refusal to see any malcontent is hardcore dissonance manifesting in the form of circular reasoning.

    What more do you people need to see before you stop trusting the government, and stop using a term created by the hardcore racist LBJ to marginalize journos who so much as questioned the findings of the Warren report to describe anyone who dares question the actions of government?

  16. Jay Erjavec says:

    Ignorant man for sure.

  17. SnapcrackerzTeam says:


  18. SnapcrackerzTeam says:

    Spoofing the macaddy then connecting to the WiFi they are compromising always makes it look like it came from their machine. Can be done on any device.
