Horseless Carriage Exploits and Eavesdropping Defenses Boston 2009 Copyright 2009, James M. Atkinson.

Horseless CarriageHorseless CarriageExploits and Eavesdropping DefensesExploits and Eavesdropping Defenses

Boston 2009Boston 2009

Copyright 2009, James M. Atkinson

Speaker Contact

James M. AtkinsonJames M. Atkinsonwww.tscm.com

[email protected](978) 546-3803(978) 546-3803

www.linkedin.com/in/jamesmatkinsonwww.linkedin.com/in/jamesmatkinson

What Are We Looking For?What Are We Looking For?

Any Threat or Risk, PeriodAny Threat or Risk, Period• Tracking DevicesTracking Devices• Video DevicesVideo Devices• Audio DevicesAudio Devices• Telemetry DevicesTelemetry Devices• Exploitable HardwareExploitable Hardware• Other Hazards or RisksOther Hazards or Risks

Vehicle Sweep BasicsVehicle Sweep Basics

1.1. Make a PlanMake a Plan

2.2. Follow the PlanFollow the Plan

3.3. ““Show Your Work” - DocumentationShow Your Work” - Documentation

4.4. Work From Shop ManualsWork From Shop Manuals

5.5. Essential Tools and Test EquipmentEssential Tools and Test Equipment

6.6. Place to WorkPlace to Work

7.7. Knowledge of ThreatsKnowledge of Threats What is out there?What is out there?

Essential ResourcesEssential Resources

Shop ManualsShop Manuals• Original Hardcopy Shop ManualsOriginal Hardcopy Shop Manuals

Avoid “Chilton Style”, or Multi-Year BooksAvoid “Chilton Style”, or Multi-Year Books Avoid CD’s, or Hardcopy ThemAvoid CD’s, or Hardcopy Them

• Make, Model, Year, Trim?Make, Model, Year, Trim? Trim and Powertrain VariationsTrim and Powertrain Variations

• Electrical Diagrams are Critical Electrical Diagrams are Critical • These are VERY ExpensiveThese are VERY Expensive• NOTNOT the Owners Manual the Owners Manual

Essential ResourcesEssential Resources

FlashlightsFlashlights• Plus, lots of extra batteriesPlus, lots of extra batteries

Compact Mirror SystemCompact Mirror System Thin Nitrile GlovesThin Nitrile Gloves

• Keeps the grease out of the carKeeps the grease out of the car Protective Tarp or Covers for SeatsProtective Tarp or Covers for Seats Ground Tarp (if appropriate)Ground Tarp (if appropriate) Warm Weather is optionalWarm Weather is optional

Critical Test EquipmentCritical Test Equipment Broadband Signal DetectorBroadband Signal Detector

• One for each Mobile “Uplink” One for each Mobile “Uplink” Sharp Band Pass Filters AND Matching AntennaSharp Band Pass Filters AND Matching Antenna Most of the U.S. Requires 4 FiltersMost of the U.S. Requires 4 Filters

Spectrum AnalyzersSpectrum Analyzers Amplifiers and AntennasAmplifiers and Antennas

• DC Adapter/HP FilterDC Adapter/HP Filter Digital VoltmeterDigital Voltmeter PCM Tools PCM Tools (Power Train Control Module Interface)(Power Train Control Module Interface)

Bluetooth DongleBluetooth Dongle Cell Phone Service MonitorCell Phone Service Monitor

ImportantImportant

In a Perfect World:In a Perfect World:• Performed in a 4500+ sq ft GaragePerformed in a 4500+ sq ft Garage

Have a Hydraulic Lift, Four Mechanics, etc.Have a Hydraulic Lift, Four Mechanics, etc. Contain Every Known Mechanics ToolContain Every Known Mechanics Tool Sterile Clean Room, Epoxy Floors, Lab CoatsSterile Clean Room, Epoxy Floors, Lab Coats

In Reality?In Reality?• Work With What You HaveWork With What You Have

In the Amount of Time Are GivenIn the Amount of Time Are Given Always bring cleaning suppliesAlways bring cleaning supplies

……and a first aid kitand a first aid kit

PCM ScannersPCM Scanners

GenericGeneric• BnB, AutoTapBnB, AutoTap• ActronActron• One-Size-Fits-All MentalityOne-Size-Fits-All Mentality

ProprietaryProprietary• DealershipsDealerships• Snap On, MacTools, etcSnap On, MacTools, etc

Snap-On MODIS

Common Vehicle ExploitsCommon Vehicle Exploits

Cell PhoneCell Phone Concierge Services Concierge Services (more to follow)(more to follow)

• On-Star/GM, Ford, ToyotaOn-Star/GM, Ford, Toyota• Lethal To PrivacyLethal To Privacy• ““Listen-In” FeatureListen-In” Feature

Vulnerable >12-bit Security SystemsVulnerable >12-bit Security Systems Garage Door Openers >8 bitsGarage Door Openers >8 bits Similar “Conveniences”Similar “Conveniences” SpeedPass/RFIDSpeedPass/RFID

Vehicle Sweep BasicsVehicle Sweep Basics

It takes the spy less then 60 It takes the spy less then 60 seconds to install a bug or tracking seconds to install a bug or tracking

device in a car. device in a car. <60 seconds<60 seconds

But it only take 15 seconds or less But it only take 15 seconds or less to exploit something that you to exploit something that you

already have. already have. <15 seconds<15 seconds

Detection ModalitiesDetection Modalities

RF AnalysisRF Analysis• Signals on the AirwaysSignals on the Airways

Variety of EquipmentVariety of Equipment• ““Tickle the Sleeping Dragon”Tickle the Sleeping Dragon”• Make it wake up and make noiseMake it wake up and make noise

Voltage/Current AnalysisVoltage/Current Analysis• What Does the PCM and Radio Draw?What Does the PCM and Radio Draw?


Physical InspectionPhysical Inspection• Dismantle As NeededDismantle As Needed

Always Limited by TimeAlways Limited by Time


NLJ Ping on GPS and Cell/PCS BandsNLJ Ping on GPS and Cell/PCS Bands• Generic NLJD Good for 800/900 MHzGeneric NLJD Good for 800/900 MHz• GPS/PCS Needs a Different UnitGPS/PCS Needs a Different Unit

• Sweep Generators with Off-Set Non Sweep Generators with Off-Set Non Contiguous Sweep is Very ProductiveContiguous Sweep is Very Productive

Manual Under Vehicle InspectionManual Under Vehicle Inspection

Reality:Reality:• A Lot Of Crawling Under CarsA Lot Of Crawling Under Cars• Less Then Optimal SituationLess Then Optimal Situation• Takes Hours, and it is MessyTakes Hours, and it is Messy

TrackingTracking

Most Often a GPS Receiver, and Cell Most Often a GPS Receiver, and Cell Phone RepeaterPhone Repeater

Could Be an On-Star SystemCould Be an On-Star System• Sold Under Many Names/VariantsSold Under Many Names/Variants

Lo-Jack, Remote ActivationLo-Jack, Remote Activation Security System ElementsSecurity System Elements

SiRF State of the ArtSiRF State of the ArtSmaller Smaller than than your thumb, your thumb, and shrinking…and shrinking…

On-Star Surveillance ModuleOn-Star Surveillance Module

Almost All GM Vehicles, Lexus, etcAlmost All GM Vehicles, Lexus, etc Simple ModuleSimple Module GPS TrackingGPS Tracking TelemetryTelemetry Engine ControlEngine Control Audio SurveillanceAudio Surveillance

On-Star Surveillance ModuleOn-Star Surveillance Module Factory InstalledFactory Installed Highly ExploitableHighly Exploitable Hybrid DeviceHybrid Device Note Note the the Size…Size…


Easy to Find with Spectrum AnalyzerEasy to Find with Spectrum Analyzer


Easy to Find with ScrewdriverEasy to Find with Screwdriver

Similar European ModuleSimilar European Module

Easy to Find with ScrewdriverEasy to Find with Screwdriver

Vehicle Video SurveillanceVehicle Video Surveillance

Normally, it is Less Important to Know Normally, it is Less Important to Know What is Going on Inside a VehicleWhat is Going on Inside a Vehicle

Important to Know What is Being SaidImportant to Know What is Being Said

Most Important to Know Where the Vehicle Most Important to Know Where the Vehicle is Going, or Has Been in the Past.is Going, or Has Been in the Past.

Thus, Video is of Less Value to Most SpyThus, Video is of Less Value to Most Spy

Video CaseVideo Case

Reverse Police Dash CamsReverse Police Dash Cams• Officers Didn’t Know the Chief Did ItOfficers Didn’t Know the Chief Did It• Officers Sleeping In CruisersOfficers Sleeping In Cruisers• Chief Re-Aimed the Dash CamsChief Re-Aimed the Dash Cams• Result: Three Suspended OfficersResult: Three Suspended Officers


Parental SupervisionParental Supervision• Old Owners Never Removed ItOld Owners Never Removed It• Video Cameras and Recording Sys.Video Cameras and Recording Sys.• Old Owners Honestly Forgot to RemoveOld Owners Honestly Forgot to Remove• Originally Installed to Supervise KidsOriginally Installed to Supervise Kids


Car Rental CompaniesCar Rental Companies• ““Liability Recorders”Liability Recorders”• High Risk RentersHigh Risk Renters• Customers Not AmusedCustomers Not Amused• Records a Video of the CrashRecords a Video of the Crash


Suspicious SpouseSuspicious Spouse• ““That’s not my brand of lipstick…”That’s not my brand of lipstick…”• Very Common SituationVery Common Situation• Marital InfidelityMarital Infidelity• Results: Divorce Results: Divorce (device found too late)(device found too late)

Multi-Billion Dollar DivorceMulti-Billion Dollar Divorce

Typical GPS TrackerTypical GPS Tracker Passive Tracker/RecorderPassive Tracker/Recorder Computes LocationComputes Location Stores FixesStores Fixes Later RetrievedLater Retrieved Spy DownloadsSpy Downloads Very, Very CheapVery, Very Cheap Millions SoldMillions Sold

Typical GPS TrackerTypical GPS Tracker

Drop In and RecordDrop In and Record Easy User InterfaceEasy User Interface


Active GPS TrackerActive GPS Tracker Cellular Data LinkCellular Data Link

• AT+CTK CommandsAT+CTK Commands• Default PasswordDefault Password

““00000000”

• Default Unit ID “00000000”

• Spies Rarely Set the Unit ID or Password off of the Factory Default


• 98% Detected with: AT+CTKP=“00000000”,””,””,”00000000” AT+CTKC=10,10,10,3600,0,1,1,1,0,0,0

• ““Screams Itself to Sleep”Screams Itself to Sleep” Kills the Battery in MinutesKills the Battery in Minutes

• Max Out Spies AccountMax Out Spies Account• Easy To Find Easy To Find – just DF– just DF

• Change PasswordChange Password Seize ControlSeize Control

• Smoke Out the SpySmoke Out the Spy• Burn the SpyBurn the Spy

Active GPS TrackerActive GPS Tracker

Typical “Classified” TrackerTypical “Classified” Tracker

Active GPS TrackerActive GPS Tracker

Detection of “Classified” TrackerDetection of “Classified” Tracker

GPS Tracker Current DrawGPS Tracker Current Draw

Audio RisksAudio Risks Microphones, Microphones,

• Easy enough to findEasy enough to find• Usually on mirror, A-Pillars, Head LinersUsually on mirror, A-Pillars, Head Liners

SpeakersSpeakers• All speakers are a issueAll speakers are a issue• Follow those wires closelyFollow those wires closely• Be Suspicious of “Dead” SpeakersBe Suspicious of “Dead” Speakers

Audio RecordersAudio Recorders• Often under seats or inside upholsteryOften under seats or inside upholstery

TransmittersTransmitters• Mind your vehicle beltlinesMind your vehicle beltlines

Vehicle Audio BugVehicle Audio Bug

Vehicle Audio BugVehicle Audio Bug

Truck Telemetry SystemTruck Telemetry System

1600 - 1645 MHz Sat Uplink

Truck GPS + Telemetry SystemTruck GPS + Telemetry System

TelemetryTelemetry

Primarily for Trucks and Service Veh.Primarily for Trucks and Service Veh.• Little Black BoxesLittle Black Boxes

PCM InterfacePCM Interface Airbag ControllersAirbag Controllers Accident Recorders, Remembers EverythingAccident Recorders, Remembers Everything Attorneys and DOT Love TheseAttorneys and DOT Love These

• Who Did What, When, and WhyWho Did What, When, and Why• May Be Interfaced To:May Be Interfaced To:

Tracking SystemTracking System Video, or ImagingVideo, or Imaging Voice RecordingVoice Recording

70-80’s Era Bumper Beeper70-80’s Era Bumper Beeper

“Bumper Beeper” Transmitter

Direction towards Car

Direction Finder Receiver

Victims CarSpies Car

Early 90’s Era Bumper BeeperEarly 90’s Era Bumper Beeper

Note the Big MagnetsNote the Big Magnets

2004 Era Bumper Beeper2004 Era Bumper Beeper

Range is Blocks to MilesRange is Blocks to Miles Batteries Last Hours to WeeksBatteries Last Hours to Weeks Does Not Use GPS as AllDoes Not Use GPS as All Attached with MagnetsAttached with Magnets

2005 Typical DHS Tracker2005 Typical DHS Tracker

1.6"x1.1"x.85“ (with 9 days of battery life)

2006 Era Bumper Beeper2006 Era Bumper Beeper

Smaller Then a QuarterSmaller Then a Quarter

LoJack Tracking System

173.075 MHzEffective radiated power (ERP) of approximately 200-300 mw.

LoJack Tracking System

What It Looks LikeWhat It Looks Like Nothing SpecialNothing Special

LoJack Schematic

LoJack Detected

LoJack Period “Covert Burst”Every 16 or 360 Seconds

Other Hazards or RisksOther Hazards or Risks

Safety IssuesSafety Issues• Damaged WiresDamaged Wires• Battery LoadsBattery Loads• Bad BulbsBad Bulbs

SecuritySecurity• Bad Locks or Bypassed AlarmBad Locks or Bypassed Alarm• Missing Grease, or Scraped Area under CarMissing Grease, or Scraped Area under Car

ObservationsObservations• Leaking Fluids, Bad Things Under SeatsLeaking Fluids, Bad Things Under Seats• Missing Jewelry, etcMissing Jewelry, etc

Use The TSCM ProfessionalsUse The TSCM Professionals

Highly Specialized SkillsHighly Specialized Skills Laboratory Test GearLaboratory Test Gear Long, Tedious TestsLong, Tedious Tests Hundreds of Test FormsHundreds of Test Forms Takes HoursTakes Hours

• A Full ExamA Full Exam 12-36 Hours Per Vehicle12-36 Hours Per Vehicle

• Cursory Testing Cursory Testing Four HoursFour Hours

TSCMTSCMTechnical Surveillance Counter MeasuresTechnical Surveillance Counter Measures

Inspection by a technician or Inspection by a technician or engineer of a physical item or placeengineer of a physical item or place

Highly Technically TrainedHighly Technically Trained Vast Equipment RequiredVast Equipment Required Specialized ProtocolsSpecialized Protocols

Scientific Voice of ReasonScientific Voice of Reason

Illicit EavesdroppingIllicit Eavesdropping

In the United States over In the United States over six million six million dollarsdollars worth of surveillance devices worth of surveillance devices

are sold are sold each dayeach day - This number is very conservative

Lay PersonLay Person

Defenses Against the Dark ArtsDefenses Against the Dark Arts

Defenses Against the Dark ArtsDefenses Against the Dark Arts

Install Vehicle Security SystemInstall Vehicle Security System Consider Removal of On-Star, etcConsider Removal of On-Star, etc Minimize Cell Phone UsageMinimize Cell Phone Usage Minimize Bluetooth UsageMinimize Bluetooth Usage Buy Foil Bag for Speed-PassBuy Foil Bag for Speed-Pass

Parking CountermeasuresParking Countermeasures

Always Lock Vehicles in Attached Always Lock Vehicles in Attached Garage (with LOCKING doors)Garage (with LOCKING doors)

Do Not Use Wireless Door OpenersDo Not Use Wireless Door Openers

Always Park in Well Lit LotAlways Park in Well Lit Lot

Tampering CountermeasuresTampering Countermeasures

Watch for “Scuffed” InteriorsWatch for “Scuffed” Interiors Watch for Missing Screws, and Wires.Watch for Missing Screws, and Wires. Be Wary of Panels being AjarBe Wary of Panels being Ajar Seats Moved?Seats Moved?

Supervise Vehicle While In ShopSupervise Vehicle While In Shop

Bugged Vehicle Counter MeasuresBugged Vehicle Counter Measures

Use a Flashlight and GlovesUse a Flashlight and Gloves Inspect Every Square cm outsideInspect Every Square cm outside Pay attention to lights and undersidePay attention to lights and underside


Remove EVERYTHING from CarRemove EVERYTHING from Car Remove Boot/Trunk LinersRemove Boot/Trunk Liners Remove Rear SeatsRemove Rear Seats Remove Spare TireRemove Spare Tire Identify all wires and traceIdentify all wires and trace


Inspect UpholsteryInspect Upholstery Inspect Consoles Inspect Consoles Inspect Glove Boxes Inspect Glove Boxes Inspect DashInspect Dash Inspect Balance of Every Thing ElseInspect Balance of Every Thing Else

Essential Vehicle DataEssential Vehicle DataVehicle LocationVehicle LocationPlate and VIN #Plate and VIN #Make and ModelMake and ModelTrim CodeTrim CodeEngine SizeEngine SizeColorColorModificationsModifications

Date Manuf.Date Manuf.Service Records, list of all prior workService Records, list of all prior work

Type of Audio Video Entertainment EquipmentType of Audio Video Entertainment EquipmentSIRIUS/XM?SIRIUS/XM?On-Star, or Similar ServiceOn-Star, or Similar ServiceSecurity System ModelSecurity System ModelLo-Jack or SimilarLo-Jack or Similar

Vehicle Tasking ProtocolVehicle Tasking Protocol

Results = Average of Results = Average of 324+324+ Pages Pages on Any Vehicle for a Full Inspectionon Any Vehicle for a Full Inspection

This Analysis is Usually Manually Intensive, but is This Analysis is Usually Manually Intensive, but is always based on what is found in the shop manual always based on what is found in the shop manual

for your specific vehicle.for your specific vehicle.

Search MethodologySearch Methodology

1.1. Stand Off RFStand Off RF2.2. Exterior SearchExterior Search3.3. Trunk/LinerTrunk/Liner4.4. Fast Access to InteriorFast Access to Interior5.5. Engine CompartmentEngine Compartment6.6. Electrical Tie InsElectrical Tie Ins7.7. UpholsteryUpholstery8.8. Dash and ConsolesDash and Consoles9.9. Everything ElseEverything Else10.10. Repeat, and ReverseRepeat, and Reverse11.11. ““Shake and Tickle”Shake and Tickle”

CautionCaution

We have barely touched on:We have barely touched on:1.1. How a vehicles can be buggedHow a vehicles can be bugged

2.2. How vehicle bugs are foundHow vehicle bugs are found

There are many other methodsThere are many other methods

You Must Pay Close Attention to DetailYou Must Pay Close Attention to Detail

Think about how Think about how YOUYOU can find bugs can find bugs

TSCM MantraTSCM Mantra

Always Assume that the Always Assume that the Vehicle is Bugged Until Vehicle is Bugged Until You Can Scientifically You Can Scientifically

Prove Otherwise.Prove Otherwise.

Detection ToolsDetection Tools

Premium Handheld Premium Handheld

Digital Volt MeterDigital Volt Meter

Fluke 289Fluke 289


Premium Handheld Premium Handheld

OscilloscopeOscilloscope

Fluke 199CSFluke 199CS

FFT Spectrum FFT Spectrum

Analyzer ModeAnalyzer Mode


Spectrum AnalyzerSpectrum Analyzer


Broadband RF DetectorBroadband RF Detector Use these in sets, with filtersUse these in sets, with filters

Vehicle Detection ToolsVehicle Detection Tools

Audio Amp with DC Bias CircuitAudio Amp with DC Bias Circuit Look for Hidden MicrophonesLook for Hidden Microphones

Bug/Wiretap Detection ToolsBug/Wiretap Detection Tools

Totally Avoid Spy Shop ToysTotally Avoid Spy Shop Toys

Use Only Laboratory Grade Test Use Only Laboratory Grade Test Equipment and ProceduresEquipment and Procedures

Take All the Time You NeedTake All the Time You Need

Never Miss the Details, EverNever Miss the Details, Ever

Cardinal RuleCardinal Rule

Convenience and Convenience and Privacy are Privacy are InverselyInversely

Proportional™Proportional™

www.tscm.comwww.tscm.com

Please Keep In TouchPlease Keep In Touch

Questions?Questions?

Thank YouThank You

????????

????

Horseless Carriage Exploits and Eavesdropping Defenses Boston 2009 Copyright 2009, James M. Atkinson.

Documents

optional slide

atkinson slide

owners manual slide

essential tools

appropriate ground tarp

seats ground tarp

seats protective tarp

powertrain variations