radBIOS: Bsides LV

radBIOS Yolo audio networking

This guy •richo (rich-oh!) •rust warrior •duck enthusiast •security jerk
for Stripe •many past lives

#radBIOS

#radBIOS “A rollicking adventure in building on top of components
you don’t understand”

badBIOS

#radBIOS

badBIOS

Recap •Nation state malware • exﬁltrates data via audio •
infects via audio • platform agnostic; doesn’t care about your • os • hardware • Runs in ueﬁ/bios

Demo Time! •If you’re not good at high pitched noises
speak now •This part once gave someone a nose bleed • But I’m mostly convinced it wasn’t actually my fault

groundstation •https://github.com/richo/groundstation •Distributed graph database •Content addressable •Eagerly distributed

groundstation •Originally mostly a toy •Wrote it to avoid interacting
with JIRA (srsly)

Architecture •object graph •protocol drivers •transport drivers

Data Structures •Immutable graphs are neat •Only operation is insert

Graphs

Graphs ?????

D’you like dags? Dags DAG Source of truth is here
Root of the graph is here

Protocol Drivers Architecture •Protocol Drivers • Encapsulate data • Handle
presentation • Handle ingestion

Protocol Drivers Architecture •Protocol Drivers

• TCP/UDP Hybrid Transport Driver Homogenousish link layer network

Transport Driver • Shriek UDP Broadcast to ﬁnd new friends
Homogenousish link layer network

Transport Driver • Then communicate with them Homogenousish link layer
network

Why didn’t you just.. •Use soundmodem? •Use gnuradio? •Use $thing?

Quietnet • Cool project from Kate Murphy • Easy enough
for a non radio person to understand • Not hugely fault tolerant • Easy to hack on and embed!

Quietnet

Encoding •Quietnet uses PSK31

PSK 31 •Geared toward encoding natural language •Symbols optimised for
english •Doesn’t need syncwords or the like

How even to audio? •Audio driver gives you a stream
of frames •FFT your frames into points •Walk along your points with a sliding window, looking for tones •Transform your tones into bits •Ham the bitstream into symbols •Unpack the symbols into bytes

SO SIMPLE right?

Fourier Transforms •Transform signal from its original domain • In
our case time •To the frequency domain •Tl;dr let’s us answer the question “How strong was this frequency in this sample” •Programmatically, you can treat it as an array of ﬂoats

Fourier Transforms

Walking our points 0 1.25 2.5 3.75 5 1.266

Tones -> Bits •Naively: • Tone Present => 1 •
Tone Absent => 0

Unambiguous Encapsulation •Ossman & Spill at Shmoocon ’14 •Linearly isolated
hamming codes

Unambiguous Encapsulation 000000 101001 110110 011111

Unambiguous Encapsulation 000000 101001 110110 011111 000001 -> 000000 100001
-> 101001

I don’t actually know DSP •Decided that I could solve
all my problems with this hammer

First steps •My ﬁrst attempt was awful •Gigantic sigils, binary
encoding slapped onto PSK31

ihavenoideawhatimdoing.jpg

Actual Airgap Hopping •By this point I have a thing
that Sort Of Works In The Lab •Figured it’s probably done •Slap a BSD socket interface on it, call it a day

Actual Airgap Hopping •Audio is hard •Duplex is harder •Doing
this in a room full of jerks while I’m speaking is really damn hard

FAIL: Duplex •Hacked at this for ages •Concocted a bunch
of exciting schemes

Handshaking Tone Match Tone Match

Handshaking: 2 Announce Random tone Duplex comms, retransmit failure

Reexamining •Duplex actually wasn’t really what I wanted •Didn’t allow
for 1:many exﬁl •Complex •Error prone •Monstrosity to debug

Root of the graph is here

D’you like dags? Content Addressable Dags { name: sha1(body), data:
body } Naming

D’you like dags? Content Addressable Dags { name: sha1(body), data:
body } Naming { parents: [parents], payload: [bytes] } Encoding

Root of the graph is here ??????

(Sometimes) Dumber is better •Cranked back the hamming a little
to make the messages smaller •Just keep yelling all the data all the time •Eventual consistency ftw •This got me remarkably far

DSP redux •I decided to actually do some research •Originally
mostly didn’t out of: • Hubris • Desire to actually know how the damn thing works

DSP redux •UE insulates us from bitﬂips •Doesn’t help us
at all working out where we are in the stream

Keying •What I’ve done so far is FSK •Read a
lot about PSK •Lots of math, hard to scrutinize

Keying •Separate the sigil bit from the signal bits •Ham
the snot out of everything afterward

Tones -> Bits •nFSK: • 19000hz => 1 • 17000hz
=> Sigil • 18000hz => 0

Keying

-> 101001

-> 101001 0000_0 -> 000000

How’s that demo going?

Conclusions •You probably shouldn’t use this to steal docs from
journalists •You maybe should use this for a research project! •Audio isn’t super inscrutable •Hillclimbing totally works •You will get really used to coding with a splitting headache

gr33tz y0 •snare for tooting about #radBIOS •mossmann for schooling
me about DSP •mike and dom for repeatedly telling me that my SUPER NOVEL INVENTION was created forever ago •Kate Murphy for quietnet •dragos for not killing me that time I went to cansec

Resources: •github.com/richo/groundstation •github.com/katee/quietnet •soundmodem •gnuradio •Me: @rich0H [email protected] •I’ll tweet
the link to these slides

radBIOS: Bsides LV

radBIOS: Bsides LV

More Decks by Richo Healey

Other Decks in Technology

Featured

Transcript