DEF CON 23 - Van Albert and Banks - Looping Surveillance Cameras through Live Editing

165,786 views

DEFCONConference

8 years ago

This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
Speaker Bios:
Eric is a recent MIT graduate who spends his days building 3D printers for Formlabs and his nights crawling around places he probably shouldn’t. He has taught seminars on lockpicking and physical security vulnerabilities to various audiences at the Institute, and done a small bit of security consulting work. When he runs out of projects to hack on, he reads the leaked NSA ANT catalog for ideas.
Zach is also a recent MIT graduate with over 0 years of security experience. He’s particularly interested in the security of embedded devices and knots. In his free time, he enjoys putting household appliances on the internet and refactoring his old code.
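The abstract stresses that the tap mimics both endpoints across almost all OSI layers, which is the reason a defender cannot rely on packet-header checks alone to notice a looped feed. The Python below is an added example (not code from the talk or the authors' project): it contrasts a header-level RTP continuity check with a content-level loop detector, run over constructed sample streams. The fixed 30 fps frame rate, the 90 kHz RTP clock and the `(rtp_seq, rtp_timestamp, payload)` frame format are assumptions for the example.

```python
"""Defender-side loop detection for a camera stream.

Added example, not code from the talk or the authors' project. It assumes
(hypothetically) that frames have already been reassembled from RTP into
(rtp_seq, rtp_timestamp, payload) tuples and that the camera sends at a fixed
frame rate, so RTP timestamps advance by a constant tick per frame.
"""
import hashlib

RTP_CLOCK_HZ = 90_000                   # RTP video clock rate (assumed)
FPS = 30                                # assumed camera frame rate
TICKS_PER_FRAME = RTP_CLOCK_HZ // FPS   # 3000 ticks between consecutive frames


def frame_fingerprint(payload: bytes) -> str:
    """Exact-content fingerprint; a byte-for-byte replay collides with it."""
    return hashlib.sha256(payload).hexdigest()[:16]


def check_rtp_continuity(frames):
    """Header-level check: return (index, reason) for every frame whose RTP
    sequence number or timestamp does not follow its predecessor."""
    anomalies = []
    for i in range(1, len(frames)):
        prev_seq, prev_ts, _ = frames[i - 1]
        seq, ts, _ = frames[i]
        if (prev_seq + 1) & 0xFFFF != seq:            # 16-bit sequence wrap
            anomalies.append((i, f"seq jump {prev_seq}->{seq}"))
        delta = (ts - prev_ts) & 0xFFFFFFFF           # 32-bit timestamp wrap
        if delta != TICKS_PER_FRAME:
            anomalies.append((i, f"timestamp delta {delta} != {TICKS_PER_FRAME}"))
    return anomalies


def detect_loop(frames, window=4):
    """Content-level check: return (first_index, repeat_index) when a run of
    `window` consecutive frame fingerprints recurs later in the stream, else
    None. This survives a tap that rewrites headers seamlessly."""
    prints = [frame_fingerprint(payload) for _, _, payload in frames]
    seen = {}
    for i in range(len(prints) - window + 1):
        key = tuple(prints[i:i + window])
        if key in seen:
            return (seen[key], i)
        seen[key] = i
    return None


def make_frame_payload(n: int) -> bytes:
    """Constructed stand-in for one encoded video frame; content differs per frame."""
    return b"frame-%04d-" % n + bytes([(n * 7) % 256]) * 8


def build_streams():
    """Constructed sample streams: a clean feed, a loop with seamlessly
    rewritten headers, and a crude loop that replays old headers as well."""
    def frame(i, content_id):
        return (1000 + i, 50_000 + i * TICKS_PER_FRAME, make_frame_payload(content_id))

    clean = [frame(i, i) for i in range(12)]
    # Frames 0-7 pass, then the content of frames 2-7 is replayed twice with fresh headers.
    content_ids = list(range(8)) + list(range(2, 8)) * 2
    seamless = [frame(i, c) for i, c in enumerate(content_ids)]
    # Same replay, but the tap forwards the original seq/timestamp values unchanged.
    crude = clean[:8] + clean[2:8] * 2
    return clean, seamless, crude


if __name__ == "__main__":
    for name, stream in zip(("clean", "seamless", "crude"), build_streams()):
        print(name, "rtp:", check_rtp_continuity(stream), "loop:", detect_loop(stream))
```

The crude replay trips both checks, while the seamless one (the case the abstract describes) is only caught by the content-level detector. A visible clock in the camera's field of view, as one commenter suggests, gives a human reviewer the same content-level signal. Exact hashes are enough against a byte-for-byte replay; a tap that re-encodes the video would require a perceptual hash in `frame_fingerprint` instead.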

COMMENTS: 113
@Dreadlockyx 8 years ago
"Zach is also a recent MIT graduate with over 0 years of security experience." laughed my ass off
@JonThomas92 7 years ago
"Everyone who cheered is a fed" that was the most I laughed at anyone's defcon intro ever.
@jimothyus 4 years ago
i love the description "Zach is also a recent MIT graduate with over 0 years of security experience" look at all that experience
@jodelboy 8 years ago
This is now one of my top Defcon-talks. THANKS!
@MrKinir 7 years ago
Yes it was amazing! Thanks guys!
@sirdouglashowel5thseat776 7 years ago
very good talk!~
@jenn5774 5 years ago
these guys may not be the best speakers, and while high level this seems pretty self explanatory, these guys went all out and really committed to doing it properly, one of the best talks I've seen. I'm happy they explained the lower levels without just showing how "cool" it is like some other talks do.
@lilliansmith6996 7 years ago
10:03 His statement about them being invisible to cable analyzers. It depends. The generic $100 ones you'll see many self-employed contractors use wouldn't see a difference. The test kits we lug around on a cart at work get fussy if we untwist the wires before terminating them. So it's likely they'd throw an error of some sort. But most cables are only certified and tested when they are installed, or if the devices they are connected to are having issues. So it's unlikely that a system like this would be discovered unless it caused a significant drop in performance.
@scotshabalam2432 5 years ago
That's what I was thinking with oscilloscopes. 50 MHz might not spot it but a 1 GHz would see the cable moving when they touched it. I agree with the conclusion unless it starts saying "you are being haxed lol, gg" with a cartoon dog dancing around the vault, which by the way I would love to see played out in a movie with a guard trying to figure out what's going on.
@agumonkey 7 years ago
Forget looping, time to play Mission Impossible level video games now
@constantincolac1993 5 years ago
Brilliant guys! Enjoyed the talk.
@over00lordunknown12 7 years ago
This was an amazing topic to cover, and I think that they covered it very well! However, I do not support bagging on Riley from National Treasure, that was what sparked my interest in technology as a kid.
@OlafurArons 7 years ago
Amazing stuff.
@yepee1 1 year ago
Incredible
@DrTune 7 years ago
Excellent work, I really like the Python stack for hacking the various protocol layers. Nice!
@AgentOffice 7 years ago
incredible
@spacepirateivynova 7 years ago
I don't think it was mentioned (Or I might have missed it during the talk), but the twisting itself is also extremely important, and untwisting them too much can cause degradation in the signal. You can tell a good network engineer and a wiremonkey using punchdown by how long the leads are before they twist up. It's a good idea to untwist as LITTLE as possible. Also, same thing with those who crimp their own cables, try to untwist as little as possible. It not only works better, it looks professional :)
@hyperhektor7733 5 years ago
I learned that up to 1.5 cm (13/25 of an inch) is the max to go without problems
@arbyyyyh 5 years ago
Yeah, they covered that in the talk.
@johnbrown1381 1 year ago
Ahhh yes, thanks to common-mode rejection, any interference introduced on one single wire also gets introduced on the other wire in a twisted pair. Then the interference gets canceled out. This only works if they are twisted due to the fact that if the interference is allowed into only one single wire and not the other in the twisted pair, it gets accepted as a valid signal.
@zwei-p1993 2 years ago
best opening ever
@LemonChieff 5 years ago
this is epic
@unixfreak 6 years ago
Awesome
@ronanderson1023 7 years ago
*Public Butt *Private Butt *Hybrid Butt *??? *Profit!
@ultraviper1884 6 years ago
why does the con logo get more screen space than the actual presenters? wtf
@hyperhektor7733 5 years ago
it's a scam
@tissuepaper9962 5 years ago
Because they can't really change the aspect ratio of the video, so, with the way they arranged the two streams, there is inevitably going to be a bunch of wasted screen real estate, which they decided to use for the logo.
@mikemikson2565 7 years ago
I never thought it's possible to connect to Ethernet without disturbing the connection :D
@DrTune 7 years ago
It isn't, not Gig-E anyway. You can (passively) tap 100mbit ethernet (see Great Scott's "Throwing Star Lan Tap") but the point of this is to modify the data, not just sniff it. What their board is doing is the fancy equivalent of quickly unplugging a network cable then reconnecting it to a dual-port NIC that is passing/modifying the packets. If you do it quickly it's pretty unlikely that anyone would notice. You're right to some degree - they point out in the Q+A that it's possible to optimize the renegotiation of the intercepting NICs so that there's no obvious up/down transition on the PHYs on the network being patched.
@davidthacher1397 3 years ago
Wild card L2 forward ports or force VLAN ports on switch. Granted the switch has to support it but it would do this pretty easily. No POE outage, link log entries, or wire cuts. Isn't software just grand.
@gl_tonight 8 years ago
with access to two segments far enough apart I'm sure one could passively resolve individual bit streams from each end of a gigabit ethernet link with reasonable effectiveness
@JBFromOZ 6 years ago
fantastic demo, love the giggling like a school girl!
@terraria0graus 4 years ago
10/10 good shit
@iDerekMC 5 years ago
the "cloud to butt" technique is awesome
@BierBart12 1 year ago
The Advantages of Public Butt
@moth.monster 5 years ago
What's next, they're gonna get Robert ')DROP TABLE Students;-- to present?
@Semperverus0 1 year ago
Little Bobby Tables we call him
@hackbitchhackingbaarbi3426 6 years ago
good
@stocktonjoans 6 years ago
would be good to somehow connect 8, or at least 4 of the punch connector tools so you can make multiple connections at once
@jasonportnoy7866 8 years ago
love this shit
@NolePTR 7 years ago
With MITM on HDMI you should be able to fake HDCP authentication, and forward the decrypted stream elsewhere. Could just use multiple cables tho :/
@JoeArbiter 6 years ago
Is there a device that can do this without splicing the wires even if the connection is broken for a few seconds? (ex taking the cat 5e and plugging it into the device while it's connected into the system)
@nicholasosczypko2248 5 years ago
These guys are great...don't get me wrong....but, this reminds me of early Beavis and Butthead episodes. "Hey Beavis....yeah?... I totally changed their website to butt...huh..hee hee...ugh huh hee...TP my bunghole!"
@verymuchgoodgaming132 8 years ago
cool shit ;)
@sadface 7 years ago
cool shit
@wagyourtai1 5 years ago
the vault looks like it's probably a ch751 anyway :P
@iDerekMC 5 years ago
23:09 and what about RTMP :D
@timothyferrell245 6 years ago
@22:00 I was laughing along.
@Crucizer 4 years ago
Someone: What Do You Do? Me: I Do Shit.
@damianhardouin1137 6 years ago
throw in a GSM SIM for a remote connection
@amstorm8954 5 years ago
NSA like ''hold my beer''
@tokenlectronix5223 4 years ago
HAK5 now has man in the middle for HDMI
@bitgoblin8497 6 years ago
[CLAP] lol love it ! !
@TekkGnostic 7 years ago
Couldn't the signal be passively tapped (relative to the cable) with some opamps and a small battery? I'd think a simple voltage follower/unity-gain amp could feed off the lines and reproduce the signal with nearly zero current loss. (ed: nm I'm guessing that's what's being done with the usb supply.)
@ElectronicMarine 7 years ago
hmmm nice idea, the only problem I could think of is the capacitance of the lines... but they took it to the next level with the live editing of the live stream
@DrTune 7 years ago
A passive tap isn't very useful is it - the point is to intercept and modify the video, not just copy it.
@lmaoroflcopter 7 years ago
Dr Tune I'd consider a passive tap useful. Being able to confirm viewing angles of camera feeds, occupation of rooms and movement of staff, etc.
@washboardman7435 6 years ago
But how do we know they didn't live edit the camera showing the video feed to look like they looped the feed, but didn't?
@ZeroG84 7 years ago
hmm. Easy low level safety against this would be a clock on top of that safe that can't be manipulated and would be easy to detect if looped. Cool show still.
@SonOfNone 6 years ago
.... or just Gigabit infrastructure as he stated at the beginning... If you have a business which has a safe which is being monitored by camera on a 10[0]baseT network...
@ebouwman034 8 months ago
They basically covered that with the timestamp thing. Just merge that part of the stream.
@Add12this 7 years ago
Guy asking question: "...ninth degree." ...you mean n'th degree?? lol.
@DerUnbekannte 5 years ago
a ninth degree of most things is also a lot
@famousamoso7 3 years ago
Freudian slip
@delusionsama 7 years ago
You can run it on the new pi lol, it's 64 bits now.
@alanstone3125 8 years ago
almost like beavis and butthead but for entertainment sheer brilliance
@davemann6030 6 years ago
Most security guards don't give a shit what happens; you won't even need that. Most of the videos are very small and they don't even look at them. It is just when something happens that they have to spend a lot of time rerunning the video to see what happened, and by that time the bad guys are long gone.
@jean-jacqueschirac8733 7 years ago
Anyone else think of payday ?
@netraft_4435 6 years ago
Jean-Jacques Chirac guys the thermal drill, go get it
@rkpetry 7 years ago
[00:00] Introducer does a good 'Trump' imitation before that became popular... [07:39] couldn't you tap in two places and combine differentially for direction... [12:29] "without ever interrupting"-but it is interrupting impedance-matching... gradual-transition might be done with a ferrite clamp and 'smart' terminators...
@rkpetry 7 years ago
[30:45] You could try Trojan-joke-ware to make it look like the camera fell off its mount and is dangling-about on its cable-distracting viewers a few seconds....
@paul123701 5 years ago
Guys has anyone seen bain, I have an idea to tell him
@opiniondiscarded6650 5 years ago
I'd tap that
@radekwysocki7875 7 years ago
BEEF!!
@callumshotmail 8 years ago
The only other evidence is the punched/spliced wires :)
@eleftherios11 8 years ago
which won't have to be inspected if nothing breaks up
@SomeGuyFromCrowd 7 years ago
Solution: Lots of thermite
@lmaoroflcopter 7 years ago
Steven Haussmann go the route of "badboys 2" and when you're out the building, blow up the tap device.
@redd_cat 5 years ago
I think the wires are the least of a bank's problem if this were to happen to them.
@noobvisual1588 4 years ago
Vigil players when they use erc-7
@mariarahelvarnhagen2729 10 months ago
Cool Down Down Date & Time For A Minute
@Symuality 7 years ago
2 people got caught trying to rob a bank without this method.
@DoRC 6 years ago
Cool concept.... But man that delivery....
@claudiahampton9946 8 years ago
If Anyone is looking to buy one of these tap boards "PCB Board Only" I've purchased 20 of them to get into programming. Just be aware that the project can get quite pricey. The Boards are cheap to produce, but some of the components to complete a working board can cost around 190 bucks all together. I'm selling the boards for 15 bucks each with shipping included. I bought them in bulk before I knew how much all the components to complete the board cost. If you'd like a picture of the boards I have just shoot me a message.
@claudiahampton9946 7 years ago
If you download REV 3 from their GitHub. From there you should see the DOM. That is a list of all the components. All you have to do is import the DOM into digikey. All the components cost around 212 USD.
@pierrekircher4383 7 years ago
github.com/ervanalb/lens/blob/master/hardware/release/bom.txt it's all in there, the expensive parts are the relays, all other parts are cheap
@randall3981 7 years ago
Claudia Hampton do you have any additional boards available for purchase?
@Mastermodr94 7 years ago
Do you have any pcbs? I would be willing to buy one or two off you and pay for shipping.
@GhostsPlace 6 years ago
Can't you use cheaper relays?
@fredhauser7357 7 years ago
anyone here that girly mouse laugh lol!!!
@izafas 7 years ago
kid in black laughs like a dweeb
@over00lordunknown12 7 years ago
I haven't seen anyone use that insult in a long time... But it is true. x)
@PeterVanHertum 6 years ago
it's called a nerdgasm
@alexoja2918 6 years ago
Cute girl though
@XDRosenheim 5 years ago
_inhales_ heee
@HylianOverlord 5 years ago
'tism laughing.
@vcMalice 7 years ago
intro from king cringe
@AholicKnight 6 years ago
he said a lot of cool shit
@Cray2TheZ 6 years ago
A brilliant presentation despite the ANNOYING PERSON GIGGLING IN HIS MIC. Amazing work anyway !
@jonascurry9996 7 years ago
that's a lot of shit lol haha
@Rising_Pho3nix_23 5 years ago
The easier solution is not to tap the ethernet traffic, but the video feed. Duplicate what goes into the glass lenses, and then feed that into the circuit directly. That's the same as the "low tech" that they said was "too easy"...Gotta love it when people pride themselves in making things harder and more risky than required.
@Mostlyharmless1985 5 years ago
brandon day the video feed IS the Ethernet traffic.
@over00lordunknown12 7 years ago
Am I the only one that gets annoyed by people with speech patterns like the guy in orange?
@maxmanwar 6 years ago
They've DEFINITELY never seen any decent cable diag machine. I've practiced with one this year in school and a tiny 1500€ monster knows every fucking twist in the cable in 30 km radius. They're monsters to detect any change in the cable. The RTP & video part was boring af.