Slide 1

Slide 1 text

radBIOS Yolo audio networking

Slide 2

Slide 2 text

This guy
• richo (rich-oh!)
• rust warrior
• duck enthusiast
• security jerk for Stripe
• many past lives

Slide 3

Slide 3 text

#radBIOS

Slide 4

Slide 4 text

#radBIOS “A rollicking adventure in building on top of components you don’t understand”

Slide 5

Slide 5 text

badBIOS

Slide 6

Slide 6 text

#radBIOS

Slide 7

Slide 7 text

badBIOS

Slide 8

Slide 8 text

Recap
• Nation state malware
  • exfiltrates data via audio
  • infects via audio
  • platform agnostic; doesn’t care about your
    • OS
    • hardware
  • Runs in UEFI/BIOS

Slide 9

Slide 9 text

Recap
• Nation state malware
  • exfiltrates data via audio
  • infects via audio
  • platform agnostic; doesn’t care about your
    • OS
    • hardware
  • Runs in UEFI/BIOS

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

Demo Time!
• If you’re not good at high pitched noises speak now
• This part once gave someone a nose bleed
  • But I’m mostly convinced it wasn’t actually my fault

Slide 12

Slide 12 text

groundstation
• https://github.com/richo/groundstation
• Distributed graph database
• Content addressable
• Eagerly distributed

Slide 13

Slide 13 text

groundstation
• Originally mostly a toy
• Wrote it to avoid interacting with JIRA (srsly)

Slide 14

Slide 14 text

Architecture
• object graph
• protocol drivers
• transport drivers

Slide 15

Slide 15 text

Data Structures
• Immutable graphs are neat
• Only operation is insert

Slide 16

Slide 16 text

Graphs

Slide 17

Slide 17 text

Graphs

Slide 18

Slide 18 text

Graphs

Slide 19

Slide 19 text

Graphs

Slide 20

Slide 20 text

Graphs ?????

Slide 21

Slide 21 text

D’you like dags? Dags
(diagram: DAG; labels “Source of truth is here”, “Root of the graph is here”)

Slide 22

Slide 22 text

Protocol Drivers Architecture
• Protocol Drivers
  • Encapsulate data
  • Handle presentation
  • Handle ingestion

Slide 23

Slide 23 text

Protocol Drivers Architecture
• Protocol Drivers

Slide 24

Slide 24 text

Transport Driver
• TCP/UDP Hybrid
(diagram label: Homogeneous-ish link layer network)

Slide 25

Slide 25 text

Transport Driver
• Shriek UDP Broadcast to find new friends
(diagram label: Homogeneous-ish link layer network)

Slide 26

Slide 26 text

Transport Driver
• Then communicate with them
(diagram label: Homogeneous-ish link layer network)

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

Why didn’t you just…
• Use soundmodem?
• Use gnuradio?
• Use $thing?

Slide 29

Slide 29 text

Quietnet
• Cool project from Kate Murphy
• Easy enough for a non radio person to understand
• Not hugely fault tolerant
• Easy to hack on and embed!

Slide 30

Slide 30 text

Quietnet

Slide 31

Slide 31 text

Encoding
• Quietnet uses PSK31

Slide 32

Slide 32 text

PSK31
• Geared toward encoding natural language
• Symbols optimised for English
• Doesn’t need syncwords or the like

Slide 33

Slide 33 text

How even to audio?
• Audio driver gives you a stream of frames
• FFT your frames into points
• Walk along your points with a sliding window, looking for tones
• Transform your tones into bits
• Ham the bitstream into symbols
• Unpack the symbols into bytes

Slide 34

Slide 34 text

SO SIMPLE right?

Slide 35

Slide 35 text

Fourier Transforms
• Transform signal from its original domain
  • In our case time
• To the frequency domain
• Tl;dr: lets us answer the question “How strong was this frequency in this sample”
• Programmatically, you can treat it as an array of floats

Slide 36

Slide 36 text

Fourier Transforms

Slide 37

Slide 37 text

Walking our points
(plot: x axis 0 to 5; window value 1.266)

Slide 38

Slide 38 text

Walking our points
(plot: x axis 0 to 5; window value 2.466)

Slide 39

Slide 39 text

Walking our points
(plot: x axis 0 to 5; window value 4.0)

Slide 40

Slide 40 text

Walking our points
(plot: x axis 0 to 5; window value 3.03)

Slide 41

Slide 41 text

Walking our points
(plot: x axis 0 to 5; window value 1.83)

Slide 42

Slide 42 text

Tones -> Bits
• Naively:
  • Tone Present => 1
  • Tone Absent => 0

Slide 43

Slide 43 text

Unambiguous Encapsulation
• Ossmann & Spill at Shmoocon ’14
• Linearly isolated Hamming codes

Slide 44

Slide 44 text

Unambiguous Encapsulation
000000
101001
110110
011111

Slide 45

Slide 45 text

Unambiguous Encapsulation
000000
101001
110110
011111

Slide 46

Slide 46 text

Unambiguous Encapsulation
000000
101001
110110
011111
000001 -> 000000
100001 -> 101001

Slide 47

Slide 47 text

I don’t actually know DSP
• Decided that I could solve all my problems with this hammer

Slide 48

Slide 48 text

First steps
• My first attempt was awful
• Gigantic sigils, binary encoding slapped onto PSK31

Slide 49

Slide 49 text

ihavenoideawhatimdoing.jpg

Slide 50

Slide 50 text

ihavenoideawhatimdoing.jpg

Slide 51

Slide 51 text

Actual Airgap Hopping
• By this point I have a thing that Sort Of Works In The Lab
• Figured it’s probably done
• Slap a BSD socket interface on it, call it a day

Slide 52

Slide 52 text

Actual Airgap Hopping
• Audio is hard
• Duplex is harder
• Doing this in a room full of jerks while I’m speaking is really damn hard

Slide 53

Slide 53 text

FAIL: Duplex
• Hacked at this for ages
• Concocted a bunch of exciting schemes

Slide 54

Slide 54 text

Handshaking
(diagram: Tone, Match, Tone, Match)

Slide 55

Slide 55 text

Handshaking: 2
(diagram: Announce, Random tone, Duplex comms, retransmit failure)

Slide 56

Slide 56 text

Reexamining
• Duplex actually wasn’t really what I wanted
• Didn’t allow for 1:many exfil
• Complex
• Error prone
• Monstrosity to debug

Slide 57

Slide 57 text

D’you like dags? Dags
(diagram: DAG; labels “Source of truth is here”, “Root of the graph is here”)

Slide 58

Slide 58 text

D’you like dags? Content Addressable Dags
Naming: { name: sha1(body), data: body }

Slide 59

Slide 59 text

D’you like dags? Content Addressable Dags
Naming: { name: sha1(body), data: body }
Encoding: { parents: [parents], payload: [bytes] }
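The naming and encoding on slides 58 and 59 as a small insert-only DAG, written here as an added example (not groundstation’s own code); canonical JSON as the body serialisation and the `receive` check for peer-supplied nodes are assumptions.

```python
import hashlib
import json


class Dag:
    """Content-addressable, insert-only DAG: a node's name is the SHA-1 of its encoded body."""

    def __init__(self):
        self.nodes = {}  # name -> encoded body (bytes)

    @staticmethod
    def encode(parents, payload):
        # Body is {parents: [...], payload: [bytes]}; canonical JSON is an assumed serialisation
        return json.dumps({"parents": sorted(parents), "payload": list(payload)},
                          sort_keys=True, separators=(",", ":")).encode()

    @staticmethod
    def name(body):
        # Naming: sha1(body), so the name commits to both parents and payload
        return hashlib.sha1(body).hexdigest()

    def insert(self, payload, parents=()):
        """The only mutating operation. Parents must already exist, which keeps the graph acyclic."""
        missing = [p for p in parents if p not in self.nodes]
        if missing:
            raise KeyError(f"unknown parents {missing}")
        body = self.encode(parents, payload)
        name = self.name(body)
        self.nodes.setdefault(name, body)  # same content, same name: re-insert is a no-op
        return name

    def receive(self, name, body):
        """Ingest a node a peer yelled at us; drop it unless the body really hashes to the claimed name."""
        if self.name(body) != name:
            return False
        self.nodes.setdefault(name, body)
        return True

    def parents(self, name):
        return json.loads(self.nodes[name])["parents"]

    def payload(self, name):
        return bytes(json.loads(self.nodes[name])["payload"])

    def roots(self):
        """Root(s) of the graph: nodes with no parents."""
        return sorted(n for n in self.nodes if not self.parents(n))

    def ancestors(self, name):
        """Walk back toward the source of truth; unknown names are skipped (they may arrive later)."""
        seen, todo = set(), [name]
        while todo:
            n = todo.pop()
            if n in seen or n not in self.nodes:
                continue
            seen.add(n)
            todo.extend(self.parents(n))
        return seen
```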

Slide 60

Slide 60 text

D’you like dags? Dags
(diagram: DAG; labels “Source of truth is here”, “Root of the graph is here”, “??????”)

Slide 61

Slide 61 text

(Sometimes) Dumber is better
• Cranked back the hamming a little to make the messages smaller
• Just keep yelling all the data all the time
• Eventual consistency ftw
• This got me remarkably far

Slide 62

Slide 62 text

DSP redux
• I decided to actually do some research
• Originally mostly didn’t out of:
  • Hubris
  • Desire to actually know how the damn thing works

Slide 63

Slide 63 text

DSP redux
• UE insulates us from bitflips
• Doesn’t help us at all working out where we are in the stream

Slide 64

Slide 64 text

Keying
• What I’ve done so far is FSK
• Read a lot about PSK
• Lots of math, hard to scrutinize

Slide 65

Slide 65 text

Keying
• Separate the sigil bit from the signal bits
• Ham the snot out of everything afterward

Slide 66

Slide 66 text

Tones -> Bits
• nFSK:
  • 19000 Hz => 1
  • 17000 Hz => Sigil
  • 18000 Hz => 0
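The receive pipeline from slide 33 (frames, frequency bins, sliding window, tones to bits) with the three-tone nFSK map above, as an added example that is not quietnet’s or groundstation’s code. The 48 kHz sample rate, 10 ms frame, presence threshold and the constructed test stream are assumptions; it computes just the three bins it needs rather than a full FFT.

```python
import cmath
import math

SAMPLE_RATE = 48000  # assumed sample rate (Hz)
FRAME = 480          # 10 ms frames: bins are 100 Hz apart, so each tone lands on an exact bin
TONES = {19000: "1", 18000: "0", 17000: "S"}  # nFSK map from the slide; "S" is the sigil
THRESHOLD = 0.2      # assumed normalised magnitude below which a tone counts as absent


def bin_magnitude(frame, freq):
    """One DFT bin: 'how strong was this frequency in this frame?' (about 1.0 for a full-scale sine)."""
    n = len(frame)
    k = round(freq * n / SAMPLE_RATE)
    acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame))
    return 2 * abs(acc) / n


def classify_frame(frame):
    """Loudest of the three tones if it clears the threshold, else None for silence or noise."""
    strengths = {tone: bin_magnitude(frame, tone) for tone in TONES}
    loudest = max(strengths, key=strengths.get)
    return TONES[loudest] if strengths[loudest] >= THRESHOLD else None


def walk_points(samples, step=FRAME):
    """Slide a FRAME-sized window along the stream, emitting one symbol per window."""
    return [classify_frame(samples[i:i + FRAME])
            for i in range(0, len(samples) - FRAME + 1, step)]


def symbols_to_bits(symbols):
    """Drop sigils and silence; what is left is the raw bitstream handed to the Hamming layer."""
    return "".join(s for s in symbols if s in ("0", "1"))


def tone(freq, amplitude=1.0):
    """Constructed test signal: one frame of a pure sine at freq."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(FRAME)]


# Constructed stream: sigil, 1, 0, a too-quiet 1 (read as absent), then silence
SAMPLE_STREAM = tone(17000) + tone(19000) + tone(18000) + tone(19000, 0.05) + [0.0] * FRAME
```

A real microphone frame is noisy and off-bin, so the threshold and the window step need tuning against captured audio rather than the clean sines constructed here.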

Slide 67

Slide 67 text

Keying

Slide 68

Slide 68 text

Keying

Slide 69

Slide 69 text

Unambiguous Encapsulation
000000
101001
110110
011111
000001 -> 000000
100001 -> 101001

Slide 70

Slide 70 text

Unambiguous Encapsulation
000000
101001
110110
011111
000001 -> 000000
100001 -> 101001
0000_0 -> 000000
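Nearest-codeword decoding over the four codewords from slides 44 to 46 and 69 to 70, including the unknown-bit (`_`) case on this slide, as an added example that is neither Ossmann & Spill’s nor groundstation’s code. The 2-bit value assigned to each codeword and the refusal on ties are assumptions.

```python
# The four 6-bit codewords from the slides. Which 2-bit value each carries is an assumption.
CODEWORDS = {"000000": "00", "101001": "01", "110110": "10", "011111": "11"}


def distance(received, codeword):
    """Hamming distance; a '_' in the received word is an erasure and is not counted."""
    return sum(1 for r, c in zip(received, codeword) if r != "_" and r != c)


def min_distance():
    """Smallest distance between two distinct codewords (3 here, so one flipped bit is correctable)."""
    words = list(CODEWORDS)
    return min(distance(a, b) for a in words for b in words if a != b)


def decode_word(received):
    """Nearest-codeword decode. Returns the codeword, or None if two codewords are equally close."""
    ranked = sorted((distance(received, cw), cw) for cw in CODEWORDS)
    if ranked[0][0] == ranked[1][0]:
        return None
    return ranked[0][1]


def decode_stream(bits):
    """Chop a received bitstream into 6-bit words and recover the 2-bit symbols ('??' when ambiguous)."""
    out = []
    for i in range(0, len(bits) - 5, 6):
        cw = decode_word(bits[i:i + 6])
        out.append(CODEWORDS[cw] if cw else "??")
    return "".join(out)
```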

Slide 71

Slide 71 text

How’s that demo going?

Slide 72

Slide 72 text

Conclusions
• You probably shouldn’t use this to steal docs from journalists
• You maybe should use this for a research project!
• Audio isn’t super inscrutable
• Hillclimbing totally works
• You will get really used to coding with a splitting headache

Slide 73

Slide 73 text

gr33tz y0
• snare for tooting about #radBIOS
• mossmann for schooling me about DSP
• mike and dom for repeatedly telling me that my SUPER NOVEL INVENTION was created forever ago
• Kate Murphy for quietnet
• dragos for not killing me that time I went to cansec

Slide 74

Slide 74 text

Resources:
• github.com/richo/groundstation
• github.com/katee/quietnet
• soundmodem
• gnuradio
• Me: @rich0H [email protected]
• I’ll tweet the link to these slides