Sunday, August 04, 2019

Securing devices for DEFCON

There's been much debate over whether you should get burner devices (phones or laptops) for hacking conventions like DEF CON. A more useful discussion is to list the things you should do to secure yourself before going, just in case.

These are the things I worry about:
  • backup before you go
  • update before you go
  • correctly locking your devices with full disk encryption
  • correctly configuring WiFi
  • Bluetooth devices
  • Mobile phone vs. Stingrays
  • USB

Backup

Traveling means a higher chance of losing your device. In my review of crime statistics, theft in Las Vegas seems less of a threat than in whatever city you are coming from. My guess is that while thieves may want to target tourists, the police want even more to target the gangs of thieves, to protect the cash cow that is the tourist industry. But you are still more likely to accidentally leave a phone in a taxi or have your laptop crushed in the overhead bin. If you haven't recently backed up your device, now would be an extra useful time to do this.

Anything I want backed up on my laptop is already in Microsoft's OneDrive, so I don't pay attention to this. However, I have a lot of pictures on my iPhone that I don't have in iCloud, so I copy those off before I go.


Update

Like most of you, I put off updates unless they are really important, updating every few months rather than every month. Now is a great time to make sure you have the latest updates.

Backup before you update, but then, I already mentioned that above.


Full disk encryption

This is enabled by default on phones, but not the default for laptops. It means that if you lose your device, whoever ends up with it can't read the data off the drive without your unlock secret (or the key that a TPM or secure enclave releases only to a correctly booted system).

You are at risk if you have a simple unlock code, like a predictable pattern or a 4-digit code. The longer and less predictable your unlock code, the more secure you are.

I use the iPhone's Face ID on my phone so that people looking over my shoulder can't figure out my passcode when I need to unlock the phone. However, because this enables the police to easily unlock my phone by putting it in front of my face, I also remember how to quickly disable Face ID (by holding the buttons on both sides for 2 seconds, which forces the passcode on the next unlock).

As for laptops, it's usually easy to enable full disk encryption. However there are some gotchas. By default, Microsoft's BitLocker requires a TPM, which your laptop might not have. I don't know why all laptops don't just have TPMs, but they don't. The usual workaround is the Group Policy setting "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" checked, which lets BitLocker protect the key with a startup password or USB key instead. There are also third party full disk encryption products that simply derive the key from a password.

If you don't have a TPM (or Apple's equivalent), the password is the only thing protecting the key, and an attacker who images the disk can brute-force that password offline with as much hardware as they like, with nothing to rate-limit them. The key-derivation function slows each guess down, but a short password still falls quickly. This applies to my MacBook Air, which is the 2017 model from before Apple started adding their "T2" chip to all their laptops. Therefore, I need a strong login password.

I deal with this on my MacBook by having two accounts. When I power on the device, I log into an account using a long/complicated password. I then switch to an account with a simpler password for going in/out of sleep mode. This second account can't be used to decrypt the drive. On macOS, `fdesetup list` shows which accounts are enabled to unlock FileVault, and `fdesetup remove -user NAME` takes an account off that list.

On Linux, my password to decrypt the drive is similarly long, while the user account password is pretty short.

I ignore the "evil maid" threat, because my devices are always with me rather than in the hotel room.


Configuring WiFi

Now would be a good time to clear out your saved WiFi lists, on both your laptop and phone. You should do this regularly anyway. Anything that doesn't authenticate the network with a certificate should be removed; that includes open networks and the ordinary pre-shared-key networks whose passphrase is printed on a card at the front desk. Your device will try to connect automatically to known access points, and hackers will set up access points with those names trying to entrap you.

If you want to use the official DEF CON WiFi, they provide a certificate which you can grab and install on your device. It wasn't posted when this was first written, but it's available now. The network uses 802.1X (WPA2-Enterprise), and the certificate lets your device verify the authentication server, so you won't be tricked into connecting to fake/evil-twin access points broadcasting the same name. Configure the profile to require that certificate rather than trusting whatever the network presents.

You shouldn't connect via WiFi to anything for which you don't have a certificate while in Vegas. There will be fake access points all over the place. I monitor the WiFi spectrum every DEF CON and there's always shenanigans going on. I'm not sure exactly what attacks they are attempting, I just know there's a lot of nonsense going on.

I also change the WiFi MAC address in my laptop. When you connect to WiFi (and even when you merely probe for known networks), your MAC address is exposed. This can reveal your identity to anybody tracking you, so it's good to change it. Doing so on notebooks is easy, though I don't know how to do this on phones (so I don't bother).
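The two chores above (pruning saved networks that don't authenticate the access point, and picking a fresh MAC address) as an added POSIX shell example for a Linux laptop running NetworkManager. This is not code from the post; the `nmcli` and `ip` commands are real, but the profile names fed to `select_to_forget` below are constructed for illustration, and the script assumes the wireless interface is called `wlan0` unless told otherwise.

```shell
#!/bin/sh
# Added example: forget WiFi profiles that don't validate a server
# certificate, and randomize the WiFi MAC before joining anything.

# select_to_forget: reads "NAME:KEY-MGMT" lines on stdin and prints the names
# of profiles to delete. Only 802.1X/EAP profiles (key-mgmt "wpa-eap" or
# "wpa-eap-suite-b-192") check a server certificate. Open networks (empty
# key-mgmt), WPA-PSK, SAE and OWE profiles do not, so an evil twin with the
# same SSID (and, for PSK, the same well-known passphrase) is joined silently.
# Assumes profile names contain no ':' (nmcli escapes them; we don't unescape).
select_to_forget() {
    while IFS=: read -r name keymgmt; do
        [ -n "$name" ] || continue
        case "$keymgmt" in
            wpa-eap|wpa-eap-suite-b-192) ;;     # keep: certificate-backed
            *) printf '%s\n' "$name" ;;         # forget everything else
        esac
    done
}

# forget_unauthenticated_wifi: live version driven by nmcli. Lists saved WiFi
# profiles, looks up each one's key-mgmt, and deletes the ones selected.
forget_unauthenticated_wifi() {
    nmcli -t -f NAME,TYPE connection show </dev/null \
    | awk -F: '$2 == "802-11-wireless" { print $1 }' \
    | while read -r name; do
        km=$(nmcli -t -f 802-11-wireless-security.key-mgmt connection show "$name" \
                </dev/null | cut -d: -f2-)
        printf '%s:%s\n' "$name" "$km"
      done \
    | select_to_forget \
    | while read -r name; do
        nmcli connection delete "$name" </dev/null
      done
}

# random_laa_mac: print a random unicast, locally-administered MAC address
# (bit 1 of the first octet set, bit 0 clear). That marks it as synthetic and
# guarantees it never collides with a vendor-assigned address.
random_laa_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    o=$(printf '%s' "$hex" | cut -c1-2)
    first=$(printf '%02x' $(( (0x$o | 0x02) & 0xfe )))
    printf '%s%s\n' "$first" "$(printf '%s' "$hex" | cut -c3-12)" \
        | sed 's/../&:/g; s/:$//'
}

# is_laa_mac MAC: true if MAC is 17 chars and its first octet is unicast +
# locally administered (low two bits == 10).
is_laa_mac() {
    o=$(printf '%s' "$1" | cut -c1-2)
    [ ${#1} -eq 17 ] && [ $(( 0x$o & 0x03 )) -eq 2 ]
}

# set_wifi_mac [IFACE] [MAC]: apply a MAC (random by default) with iproute2.
# Needs root, and the interface must be down while its address changes.
set_wifi_mac() {
    iface=${1:-wlan0}
    mac=${2:-$(random_laa_mac)}
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$mac"
    ip link set dev "$iface" up
    printf '%s\n' "$mac"
}
```

Usage on the laptop is `forget_unauthenticated_wifi` followed by `set_wifi_mac wlan0` before the first connection in Vegas. NetworkManager can also do the randomization itself, per profile, with `nmcli connection modify NAME 802-11-wireless.cloned-mac-address random`. On macOS the equivalents are `networksetup -removepreferredwirelessnetwork en0 NAME` and `sudo ifconfig en0 ether MAC`.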


Bluetooth trackers

Like with WiFi MAC addresses, people can track you with your Bluetooth devices. The problem is chronic with devices like headphones, fitness trackers, and those "Tile" devices that are designed to be easily tracked.

Your phone itself probably randomizes its MAC address to avoid easy tracking, so that's less of a concern. According to my measurements, though, my MacBook exposes its MAC address pretty readily via Bluetooth.
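To make the "randomizes its MAC address" distinction concrete, here is an added POSIX shell example (not from the post) that classifies Bluetooth LE addresses by how trackable they are, following the Bluetooth Core Specification's address types: a public address, or a random *static* address (top two bits of the first octet `11`), identifies the device for a long time, while a resolvable private address (`01`) rotates and can only be linked back to the device by someone holding the IRK exchanged at pairing, and a non-resolvable one (`00`) carries no identity. The address type and value come from whatever scanner you use (`btmon` prints both in its advertising reports); the sample list fed to `trackable_addrs` is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify BLE advertising addresses by trackability.

# ble_addr_kind TYPE ADDR -> prints one of: public-identity, random-static,
# random-resolvable, random-nonresolvable, random-reserved (or "unknown").
ble_addr_kind() {
    atype=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    msb=$(printf '%s' "$2" | cut -c1-2)      # first octet is the most significant
    case "$atype" in
        public) echo public-identity; return 0 ;;
        random) ;;
        *) echo unknown; return 1 ;;
    esac
    # Random address sub-type lives in the top two bits of the MSB.
    case "$(( (0x$msb >> 6) & 3 ))" in
        3) echo random-static ;;
        1) echo random-resolvable ;;
        0) echo random-nonresolvable ;;
        *) echo random-reserved ;;
    esac
}

# trackable_addrs: reads "TYPE ADDR" lines on stdin and prints only the
# addresses that can be used to follow a device around.
trackable_addrs() {
    while read -r atype addr; do
        [ -n "$addr" ] || continue
        case "$(ble_addr_kind "$atype" "$addr")" in
            public-identity|random-static) printf '%s %s\n' "$addr" "$atype" ;;
        esac
    done
}
```

A phone that shows up as `random-resolvable` with a different address every few minutes is doing the right thing; a laptop or fitness tracker that keeps advertising the same `public-identity` or `random-static` address is the one that can be followed across the conference floor.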

Instead of merely tracking you, hackers may hack into the devices. While phones and laptops are pretty secure against this threat (with the latest updates applied), all the other Bluetooth devices I play with seem to have gaping holes just waiting to be hacked. Your fitness tracker is likely safe walking around your neighborhood, but people at DEFCON may be playing tricks on it.

Personally, I'm bringing my fitness tracker on the hope that somebody will hack it. The biggest threat is loss of the device, or being tracked. It's not that they'll be able to hack into my bank account or something.


Mobile phone vs. Stingrays

Unlike the DEF CON WiFi, which its certificate protects against impersonation, the mobile network can't be protected: anybody can set up an evil-twin cell tower and intercept your phone's traffic. The insecurity of the mobile phone network is pretty astonishing. Beyond keeping your actual traffic inside end-to-end encryption (TLS, a VPN, encrypted messaging apps), there's little you can do about it; your phone's identity and location are exposed to the fake tower regardless.

But at least there's no reason to believe you are under any worse threat at DEF CON. Any attempt to setup interception devices by attendees will quickly bring down the Feds (unless, of course, they do it in the 900 MHz range).

I install apps on my phone designed to track these things. I'm not diligent at it, but I've never seen such devices ("Stingrays" or "IMSI catchers") at DEF CON, operated either by attendees or the Feds.


USB

MouseJack is still a threat: the proprietary 2.4 GHz dongles used by many non-Bluetooth wireless mice and keyboards accept unencrypted or forged radio packets, so someone nearby can inject keystrokes into your computer. So don't bring those.

Malicious USB devices that people connect to your computer are a threat. A good example is the "USB Rubber Ducky", which presents itself as a keyboard and types a scripted payload the moment it's plugged in. Some people disable USB entirely. Others use software to "whitelist" which devices can be plugged in (USBGuard on Linux, for example). I largely ignore this threat.

Note that a quick google of "disable USB" leads to advice aimed at the wrong threat. It's focused on controlling thumb drives, and that's not really the problem. The threat is things like USB network adapters: a malicious adapter shows up as a new wired interface, hands your machine a DHCP lease, and can make itself your default gateway or DNS server, redirecting network traffic to/from the device. That enables attacks you think you are immune to because you aren't connected to a network.
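As an added example (not code from the post), here is a POSIX shell script for Linux that walks the USB interface entries in sysfs and flags the ones that present a network interface (CDC-Control class `02`, CDC-Data class `0a`, or either of the two RNDIS encodings `e0/01/03` and `ef/04/01`) or a keyboard-style HID interface (class `03`, what a Rubber Ducky pretends to be). It can also deauthorize the network ones by writing `0` to the interface's `authorized` attribute, which makes the kernel unbind the driver so no netdev appears. The real tree is `/sys/bus/usb/devices`; the `SYSFS_USB` variable and the fake tree used when testing are assumptions, and interface-level `authorized` needs Linux 4.4 or newer (on older kernels, write to the parent device's `authorized` file instead).

```shell
#!/bin/sh
# Added example: audit, and optionally block, USB interfaces that look like
# network adapters or keyboards. Point SYSFS_USB at a different tree to test.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# classify_iface CLASS SUBCLASS PROTOCOL -> prints "network" or "hid";
# prints nothing and returns 1 for anything else (storage, audio, hubs...).
# Codes are the USB-IF interface class codes, hex, as sysfs reports them.
classify_iface() {
    cls=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    sub=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    proto=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    case "$cls/$sub/$proto" in
        02/*|0a/*)          echo network ;;   # CDC-Control / CDC-Data (ECM, NCM)
        e0/01/03|ef/04/01)  echo network ;;   # the two RNDIS encodings
        03/*)               echo hid ;;       # keyboard/mouse class
        *)                  return 1 ;;
    esac
}

# audit_usb [TREE] -> one "<interface> <label>" line per suspicious interface.
# Interface directories look like "1-2:1.0" and carry bInterfaceClass etc.
audit_usb() {
    tree="${1:-$SYSFS_USB}"
    for d in "$tree"/*; do
        [ -f "$d/bInterfaceClass" ] || continue
        label=$(classify_iface "$(cat "$d/bInterfaceClass")" \
                               "$(cat "$d/bInterfaceSubClass" 2>/dev/null)" \
                               "$(cat "$d/bInterfaceProtocol" 2>/dev/null)") || continue
        printf '%s %s\n' "$(basename "$d")" "$label"
    done
}

# block_network_ifaces [TREE] -> deauthorizes every network-class interface
# that has a writable "authorized" attribute (needs root on a real system)
# and prints how many were blocked. HID interfaces are reported but left
# alone, since blocking them would also kill your own keyboard.
block_network_ifaces() {
    tree="${1:-$SYSFS_USB}"
    n=0
    for d in "$tree"/*; do
        [ -f "$d/bInterfaceClass" ] || continue
        label=$(classify_iface "$(cat "$d/bInterfaceClass")" \
                               "$(cat "$d/bInterfaceSubClass" 2>/dev/null)" \
                               "$(cat "$d/bInterfaceProtocol" 2>/dev/null)") || continue
        [ "$label" = network ] || continue
        [ -w "$d/authorized" ] || continue
        echo 0 > "$d/authorized"
        n=$((n + 1))
    done
    echo "$n"
}
```

Run `audit_usb` before you leave to see what your own hardware looks like, so that a new `network` line appearing on the conference floor stands out. For a default-deny posture, writing `0` to each root hub's `interface_authorized_default` makes the kernel refuse every new interface until you explicitly authorize it.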


Summary

I've probably forgotten things on this list. Maybe I'll update this later when people point out the things I missed.

If you pay attention to WiFi, Bluetooth, and full disk encryption, you are likely fine.

You are still in danger from other minor shenanigans, like people tracking you.

There are still some chronic problems, like mobile network or USB security, but at the same time, they aren't big enough threats for me to worry about.

1 comment:

Fazal Majid said...

I’d use a burner device like a Chromebook and an always-on VPN myself, but then again I work with guys who compromised baseband and WiFi processors for a living when they were part of the Israeli Military Intelligence unit 8200. Those things are poorly secured by obscurity and I wouldn’t trust them not to have remote exploits.