DEF CON 23 - Van Albert and Banks - Looping Surveillance Cameras through Live Editing

165,985 views

DEFCONConference

8 years ago

This project consists of the hardware and software necessary to hijack wired network communications. The hardware allows an attacker to splice into live network cabling without ever breaking the physical connection. This allows the traffic on the line to be passively tapped and examined. Once the attacker has gained enough knowledge about the data being sent, the device switches to an active tap topology, where data in both directions can be modified on the fly. Through our custom implementation of the network stack, we can accurately mimic the two devices across almost all OSI layers.
We have developed several applications for this technology. Most notable is the editing of live video streams to produce a “camera loop,” that is, hijacking the feed from an Ethernet surveillance camera so that the same footage repeats over and over again. More advanced video transformations can be applied if necessary. This attack can be executed and activated with practically no interruption in service, and when deactivated, is completely transparent.
Speaker Bios:
Eric is a recent MIT graduate who spends his days building 3D printers for Formlabs and his nights crawling around places he probably shouldn’t. He has taught seminars on lockpicking and physical security vulnerabilities to various audiences at the Institute, and done a small bit of security consulting work. When he runs out of projects to hack on, he reads the leaked NSA ANT catalog for ideas.
Zach is also a recent MIT graduate with over 0 years of security experience. He’s particularly interested in the security of embedded devices and knots. In his free time, he enjoys putting household appliances on the internet and refactoring his old code.
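A defender's view of the camera loop described above, as an added example that is not from the talk or the speakers' code: a monitor on the recording side hashes each encoded frame and alarms when frames start recurring at a constant offset. It assumes a live encoder never emits byte-identical frames and that the replayed frames are unmodified; `LoopDetector`, `first_alarm` and the sample frames are constructed for illustration.

```python
import hashlib
from collections import deque


class LoopDetector:
    """Alarm when encoded frames start repeating byte-for-byte at a fixed lag."""

    def __init__(self, history=5000, min_run=25):
        self.history = history    # how many recent frame digests to remember
        self.min_run = min_run    # consecutive repeats required before alarming
        self.last_seen = {}       # digest -> index of its most recent occurrence
        self.order = deque()      # digests in arrival order, for eviction
        self.index = 0
        self.lag = None           # offset shared by the current run of repeats
        self.run = 0

    def feed(self, payload: bytes) -> bool:
        digest = hashlib.sha256(payload).digest()
        prev = self.last_seen.get(digest)
        if prev is None:
            self.lag, self.run = None, 0          # fresh frame: feed looks live
        elif self.index - prev == self.lag:
            self.run += 1                         # same offset as the last repeat
        else:
            self.lag, self.run = self.index - prev, 1
        self.last_seen[digest] = self.index
        self.order.append(digest)
        if len(self.order) > self.history:
            old = self.order.popleft()
            # Forget a digest only if it has not reappeared since it was queued.
            if self.last_seen.get(old) == self.index - self.history:
                del self.last_seen[old]
        self.index += 1
        return self.run >= self.min_run


def first_alarm(frames, **kwargs):
    """Index of the first frame at which the detector fires, or None."""
    detector = LoopDetector(**kwargs)
    for i, frame in enumerate(frames):
        if detector.feed(frame):
            return i
    return None


# Constructed sample data: 200 distinct "encoded frames", then a feed that
# is live for 100 frames and afterwards replays frames 60..99 three times.
LIVE = [hashlib.sha256(b"frame-%d" % i).digest() * 8 for i in range(200)]
LOOPED = LIVE[:100] + LIVE[60:100] * 3

if __name__ == "__main__":
    print("live feed alarm at:", first_alarm(LIVE))
    print("looped feed alarm at:", first_alarm(LOOPED))
```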

Comments: 113
@Dreadlockyx 8 years ago
"Zach is also a recent MIT graduate with over 0 years of security experience." laughed my ass off
@JonThomas92 7 years ago
"Everyone who cheered is a fed" that was the most I laughed at anyone's defcon intro ever.
@jimothyus 4 years ago
I love the description "Zach is also a recent MIT graduate with over 0 years of security experience". Look at all that experience.
@jodelboy 8 years ago
This is now one of my top Defcon-talks. THANKS!
@MrKinir 8 years ago
Yes it was amazing! Thanks guys!
@sirdouglashowel5thseat776 7 years ago
very good talk!~
@jenn5774 5 years ago
These guys may not be the best speakers, and while high level this seems pretty self-explanatory, these guys went all out and really committed to doing it properly. One of the best talks I've seen. I'm happy they explained the lower levels without just showing how "cool" it is like some other talks do.
@lilliansmith6996 7 years ago
10:03 His statement about them being invisible to cable analyzers. It depends. The generic $100 ones you'll see many self-employed contractors use wouldn't see a difference. The test kits we lug around on a cart at work get fussy if we untwist the wires before terminating them. So it's likely they'd throw an error of some sort. But most cables are only certified and tested when they are installed, or if the devices they are connected to are having issues. So it's unlikely that a system like this would be discovered unless it caused a significant drop in performance.
@scotshabalam2432 5 years ago
That's what I was thinking with oscilloscopes. 50 MHz might not spot it but a 1 GHz would see the cable moving when they touched it. I agree with the conclusion unless it starts saying "you are being haxed lol, gg" with a cartoon dog dancing around the vault, which by the way I would love to see played out in a movie with a guard trying to figure out what's going on.
@agumonkey 7 years ago
Forget looping, time to play Mission Impossible level video games now
@spacepirateivynova 7 years ago
I don't think it was mentioned (Or I might have missed it during the talk), but the twisting itself is also extremely important, and untwisting them too much can cause degradation in the signal. You can tell a good network engineer and a wiremonkey using punchdown by how long the leads are before they twist up. It's a good idea to untwist as LITTLE as possible. Also, same thing with those who crimp their own cables, try to untwist as little as possible. It not only works better, it looks professional :)
@hyperhektor7733 5 years ago
I learned that up to 1,5cm (13/25 of an inch) is the max to go without problems
@arbyyyyh 5 years ago
Yeah, they covered that in the talk.
@johnbrown1381 1 year ago
Ahhh yes, thanks to common-mode rejection, any interference introduced on one single wire also gets introduced on the other wire in a twisted pair. Then the interference gets canceled out. This only works if they are twisted due to the fact that if the interference is allowed into only one single wire and not the other in the twisted pair, it gets accepted as a valid signal.
@ultraviper1884 6 years ago
why does the con logo get more screen space than the actual presenters? wtf
@hyperhektor7733 5 years ago
it's a scam
@tissuepaper9962 5 years ago
Because they can't really change the aspect ratio of the video, so, with the way they arranged the two streams, there is inevitably going to be a bunch of wasted screen real estate, which they decided to use for the logo.
@DrTune 7 years ago
Excellent work, I really like the Python stack for hacking the various protocol layers. Nice!
@over00lordunknown12 7 years ago
This was an amazing topic to cover, and I think that they covered it very well! However, I do not support bagging on Riley from National Treasure, that was what sparked my interest in technology as a kid.
@constantincolac1993 5 years ago
Brilliant guys! Enjoyed the talk.
@ronanderson1023 7 years ago
*Public Butt *Private Butt *Hybrid Butt *??? *Profit!
@mikemikson2565 7 years ago
I never thought it's possible to connect to Ethernet without disturbing connection :D
@DrTune 7 years ago
It isn't, not Gig-E anyway. You can (passively) tap 100mbit ethernet (see Great Scott's "Throwing Star Lan Tap") but the point of this is to modify the data, not just sniff it. What their board is doing is the fancy equivalent of quickly unplugging a network cable then reconnecting it to a dual-port NIC that is passing/modifying the packets. If you do it quickly it's pretty unlikely that anyone would notice. You're right to some degree - they point out in the Q+A that it's possible to optimize the renegotiation of the intercepting NICs so that there's no obvious up/down transition on the PHYs on network being patched.
@davidthacher1397 4 years ago
Wild card L2 forward ports or force VLAN ports on switch. Granted the switch has to support it but it would do this pretty easily. No POE outage, link log entries, or wire cuts. Isn't software just grand.
@iDerekMC 5 years ago
the "cloud to butt" technique is awesome
@BierBart12 1 year ago
The Advantages of Public Butt
@gl_tonight 8 years ago
with access to two segments far enough apart I'm sure one could passively resolve individual bits streams from each end of a gigabit ethernet link with reasonable effectiveness
@moth.monster 5 years ago
What's next, they're gonna get Robert ')DROP TABLE Students;-- to present?
@Semperverus0 1 year ago
Little Bobby Tables we call him
@JBFromOZ 6 years ago
fantastic demo, love the giggling like a school girl!
@OlafurArons 7 years ago
Amazing stuff.
@yepee1 1 year ago
Incredible
@nicholasosczypko2248 5 years ago
These guys are great...don't get me wrong....but, this reminds me of early Beavis and Butthead episodes. "Hey Beavis....yeah?... I totally changed their website to butt...huh..hee hee...ugh huh hee...TP my bunghole!"
@zwei-p1993 2 years ago
best opening ever
@AgentOffice 7 years ago
incredible
@JoeArbiter 6 years ago
Is there a device that can do this without splicing the wires even if the connection is broken for a few seconds? (ex taking the cat 5e and plugging it into the device while it's connected into the system)
@NolePTR 7 years ago
With MITM on HDMI you should be able to fake HDCP authentication, and forward decrypted stream elsewhere. Could just use multiple cables tho :/
@LemonChieff 5 years ago
this is epic
@unixfreak 6 years ago
Awesome
@stocktonjoans 6 years ago
would be good to somehow connect 8, or at least 4 of the punch connector tools so you can make multiple connections at once
@Crucizer 4 years ago
Someone: What Do You Do? Me: I Do Shit.
@washboardman7435 7 years ago
But how do we know they didn't live edit the camera showing the video feed to look like they looped the feed, but didn't?
@amstorm8954 5 years ago
NSA like ''hold my beer''
@terraria0graus 4 years ago
10/10 good shit
@hackbitchhackingbaarbi3426 6 years ago
good
@alanstone3125 8 years ago
almost like beavis and butthead but for entertainment sheer brilliance
@jasonportnoy7866 8 years ago
love this shit
@Add12this 7 years ago
Guy asking question: "...ninth degree." ...you mean n'th degree?? lol.
@DerUnbekannte 5 years ago
a ninth degree of most things is also a lot
@famousamoso7 3 years ago
Freudian slip
@wagyourtai1 5 years ago
the vault looks like it's probably a ch751 anyway :P
@verymuchgoodgaming132 8 years ago
cool shit ;)
@TekkGnostic 7 years ago
Couldn't the signal be passively tapped (relative to the cable) with some opamps and a small battery? I'd think a simple voltage follower/unity-gain amp could feed off the lines and reproduce the signal with nearly zero current loss. (ed: nm I'm guessing that's what's being done with the usb supply.)
@ElectronicMarine 7 years ago
hmmm nice idea, the only problem I could think is the capacitance of the lines... but they took it to the next level with the live editing of the live stream
@DrTune 7 years ago
A passive tap isn't very useful is it - the point is to intercept and modify the video, not just copy it.
@lmaoroflcopter 7 years ago
Dr Tune I'd consider a passive tap useful. Being able to confirm viewing angles of camera feeds, occupation of rooms and movement of staff, etc.
@iDerekMC 5 years ago
23:09 and what about RTMP :D
@ZeroG84 7 years ago
hmm. Easy low level safety against this would be a clock on top of that safe that can't be manipulated and would be easy to detect if looped. Cool show still.
@SonOfNone 6 years ago
.... or just Gigabit infrastructure as he stated at the beginning... If you have a business which has a safe which is being monitored by camera on a 10[0]baseT network...
@ebouwman034 9 months ago
They basically covered that with the timestamp thing. Just merge that part of the stream.
@sadface 7 years ago
cool shit
@tokenlectronix5223 4 years ago
HAK5 now has man in the middle for hdmi
@delusionsama 7 years ago
You can run it on the new pi lol it's 64 bits now.
@damianhardouin1137 6 years ago
throw in a gsm sim for a remote connection
@timothyferrell245 6 years ago
@22:00 I was laughing along.
@bitgoblin8497 6 years ago
[CLAP] lol love it ! !
@jean-jacqueschirac8733 7 years ago
Anyone else think of payday ?
@netraft_4435 6 years ago
Jean-Jacques Chirac guys the thermal drill, go get it
@davemann6030 6 years ago
Most security guards don't give a shit what happens, you won't even need that. Most of the videos are very small and they don't even look at them; it is just when something happens they have to spend a lot of time rerunning the video to see what happened. By that time the bad guys are long gone.
@rkpetry 7 years ago
[00:00] Introducer does a good 'Trump' imitation before that became popular... [07:39] couldn't you tap in two places and combine differentially for direction... [12:29] "without ever interrupting"-but it is interrupting impedance-matching... gradual-transition might be done with a ferrite clamp and 'smart' terminators...
@rkpetry 7 years ago
[30:45] You could try Trojan-joke-ware to make it look like the camera fell off its mount and is dangling-about on its cable-distracting viewers a few seconds....
@paul123701 5 years ago
Guys has anyone seen bain, I have an idea to tell him
@opiniondiscarded6650 5 years ago
I'd tap that
@callumshotmail 8 years ago
The only other evidence is the punched/spliced wires :)
@eleftherios11 8 years ago
which won't have to be inspected if nothing breaks up
@SomeGuyFromCrowd 7 years ago
Solution: Lots of thermite
@lmaoroflcopter 7 years ago
Steven Haussmann go the route of "badboys 2" and when you're out the building, blow up the tap device.
@redd_cat 5 years ago
I think the wires are the least of a bank's problem if this were to happen to them.
@Symuality 7 years ago
2 people got caught trying to rob a bank without this method.
@noobvisual1588 4 years ago
Vigil players when they use erc-7
@mariarahelvarnhagen2729 10 months ago
Cool Down Down Date & Time For A Minute
@DoRC 6 years ago
Cool concept.... But man that delivery....
@izafas 7 years ago
kid in black laughs like a dweeb
@over00lordunknown12 7 years ago
I haven't seen anyone use that insult in a long time... But it is true. x)
@PeterVanHertum 6 years ago
it's called a nerdgasm
@alexoja2918 6 years ago
Cute girl though
@XDRosenheim 5 years ago
_inhales_ heee
@HylianOverlord 5 years ago
'tism laughing.
@radekwysocki7875 7 years ago
BEEF!!
@claudiahampton9946 8 years ago
If Anyone is looking to buy one of these tap boards "PCB Board Only" I've purchased 20 of them to get into programming. Just be aware that the project can get quite pricey. The Boards are cheap to produce, but some of the components to complete a working board can cost around 190 bucks all together. I'm selling the boards for 15 bucks each with shipping included. I bought them in bulk before I knew how much all the components to complete the board cost. If you'd like a picture of the boards I have just shoot me a message.
@claudiahampton9946 7 years ago
if you download REV 3 from their Github. From there you should see the DOM. That is a list of all the components. All you have to do is import the DOM into digikey. All the components cost around 212 USD.
@pierrekircher4383 7 years ago
github.com/ervanalb/lens/blob/master/hardware/release/bom.txt it's all in there, the expensive part are the relays, all other parts are cheap
@randall3981 7 years ago
Claudia Hampton do you have any additional boards available for purchase?
@Mastermodr94 7 years ago
Do you have any pcbs? I would be willing to buy one or two off you and pay for shipping.
@GhostsPlace 6 years ago
Can't you use cheaper relays?
@fredhauser7357 7 years ago
anyone hear that girly mouse laugh lol!!!
@vcMalice 7 years ago
intro from king cringe
@AholicKnight 6 years ago
he said a lot of cool shit
@jonascurry9996 7 years ago
that's a lot of shit lol haha
@Cray2TheZ 7 years ago
A brilliant presentation despite the ANNOYING PERSON GIGGLING IN HIS MIC. Amazing work anyway!
@Rising_Pho3nix_23 5 years ago
The easier solution is not to tap the ethernet traffic, but the video feed. Duplicate what goes into the glass lenses, and then feed that into the circuit directly. That's the same as the "low tech" that they said was "too easy"...Gotta love it when people pride themselves in making things harder and more risky than required.
@Mostlyharmless1985 5 years ago
brandon day the video feed IS the Ethernet traffic.
@over00lordunknown12 7 years ago
Am I the only one that gets annoyed by people with speech patterns like the guy in orange?
@maxmanwar 6 years ago
They've DEFINITELY never seen any decent cable diag machine. I've practiced with one this year in school and a tiny 1500€ monster knows every fucking twist in the cable in 30 km radius. They're monsters to detect any change in the cable. The Rtp&video part was boring af.