The Machines that Betrayed their Masters

Post on 02-Jul-2015

description

Your machine (mobile phone, Bluetooth device, router, etc.) may betray you and can be used to detect your position or even invade your privacy. They are watching you, stay alert.

transcript

The Machines That Betrayed Their Masters

ZeroNights 2013

@glennzw

Glenn Wilkinson, @glennzw

SensePost.com

•2-y Donskoy proyezd, 7/1, Moscow

•Leninskiy prospekt., 2А, Moscow

•Ulitsa Bakhrushina, 24 строение 1, Moscow

•Rublevskoye shosse, 44, Moscow

•Krylatskaya ulitsa, 23, Moscow

•Ulitsa Sushchevskiy Val, 46 строение, Moscow

•Ulitsa Krasina, 3, Moscow

•Bolshaya Sadovaya ulitsa, Moscow

•P132, Kaluzhskaya

•Nevsky Prospect, 114, Saint Petersburg

•Prospekt Medikov, St Petersburg

•Ulitsa 8 Marta, 41, Yekaterinburg

•North 16th Street, Philadelphia, USA

•Captain Cook Drive, Australia

•Trillerpark, 1210 Vienna, Austria

•3 Luvianpuistokatu, Satakunta, Finland

•Wingate by Wyndham, Dallas, Texas, USA

•Hotel Strata, California, USA

•Hotel Hacienda, Spain

•Sunrise Diamond Beach Resort, Egypt

•5Footway Inn, Singapore

•H2O Hostel Ljubljana, Slovenia

Machines? Betrayal?

Machines?

Betrayal?

A Device

A Unique Signature

A Link from Signature to a Human

Snoopy Framework

[Diagram: links labelled XBee, 3G and Ethernet]

A Unique Signature

98:03:ab:32:11:33

Linking the Signature

1. Passive Linking

BTHomeHub-AFV1, are you there?
Starbucks, are you there?
Virgin-AFVT, are you there?
Is anyone out there?

98:03:ab:32:11:33

BTBusinessHub-2DF1

Virgin-AFVT

Starbucks

Starbucks

SSID                 GPS Lat   GPS Long
Virgin-AFVT          50.507    -0.128
Starbucks            50.408    -0.041
BTBusinessHub-2DF1   50.601    -0.045
Starbucks            50.391    -0.050

Linking the Signature?

2. Active Linking

BTHomeHub-AFV1, are you there?
Starbucks, are you there?
Virgin-AFVT, are you there?
Is anyone out there?

98:03:ab:32:11:33

Hey iPhone! It’s me, Starbucks!

Intertubes

BTOpenzone

VirginMedia-AR45

BTHomeHub-BHA7

Starbucks

00:11:22:33:44:55

00:22:33:44:55:66

Drone001

Client001 00:11:22:33:44:55

Client002 00:22:33:44:55:66

Drone002

Client003 11:22:33:44:55:66

Client004 44:55:66:77:88:99

squid, sslstrip, mitmproxy

<script src=profiler.jsp>

IP= 10.2.0.45
Site= www.facebook.com
Cookie = supersecretcookie

IP= 10.2.0.45
Site= www.facebook.com
username: joe
password: secret

Traffic Inspector

Social Media APIs

SnoopyServer

Scenarios

Conference            Unique Devices   Number of Attendees   Device Per Person
BlackHat Vegas 2012   4778             6500                  0.74
ITWeb 2012            1106             400                   2.77
44CON 2012            969              350                   2.77
BlackHat EU 2013      681              607                   1.12
Securitay 2013        375              100                   3.75
BSides 2013           208              474                   0.44
Hackito 2013          309              400                   0.77
CERT Poland 2013      598              500                   1.2
ZeroNights 2013       507              ?

glenn@sensepost.com

jobs@sensepost.com

http://research.sensepost.com/