Episode Transcript
Transcript was generated by AI and has errors, as you can see in the first line. The SCARY SERENGETI!
David: [00:00:00] Welcome to The Scary Serengeti. We're your hosts, David Swinger and Matthew Keener. Stop what you're doing and subscribe to our podcast and leave us an awesome star review and follow us at SerengetiSec on Twitter.
Matthew: We're here to talk about cybersecurity and technology news headlines, and hopefully provide some insight, analysis and practical applications that you can take to the office to help protect your organization.
David: And, as usual, the views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers.
Matthew: So there are connected adult toys. Given that we're talking about the ORB networks and Chinese adversaries that like to use IoT devices, what do you think the chances are of any given one being part of one of their networks?
David: Pretty high, because I think the CIA are starting to use those as honey [00:01:00] traps.
Matthew: They're bugged.
David: All right, first article: Chinese state hacking units increasingly use ORBs to obfuscate espionage, researchers say.
The, you know, researchers say or analysts say, do you really have to, I mean, is that really a, a stipulation you have to put in the headline anyway?
It's just one of those things that just annoys me.
Matthew: Well, how else would you know? They're appealing to authority.
David: Oh, yeah, because the researchers are obviously correct. Good point. And you need that in your headlines, because if they just said, if that wasn't there, I wouldn't have even read the article.
Matthew: That's right.
David: And this comes to us from CyberScoop. And, uh, what's going on is APTs that have been linked to China are shifting their infrastructure to Internet of Things devices and virtual private servers in order to make it harder to [00:02:00] track and block their infrastructure. So this is not new, but supposedly it is, according to the article, for these actors.
Matthew: Yeah. Which I did some research on, cause I was thinking about this. I was like, man, I feel like I've seen this before. I did find two other items on this. Previously, Russian linked actors have been documented using this type of infrastructure, specifically APT 28 from 2018. And it bugs me, the report said that it's new for these actors, but if you actually pivoted into the Mandiant report that this is based off of, the Mandiant report says that they have been using versions of this back to 2016.
So this isn't even new to this actor. You know, CyberScoop. I, you know, I thought this was a legitimate news source that you could believe.
David: it really depends on your definition of new. I mean, 2016 is less than a decade ago.
Matthew: That's fair. That's eight news.
David: Yeah. Maybe the name ORB is new. That's what they're [00:03:00] saying. So ORB is operational relay box. So they say that they're built and administered by independent entities, contractors, administrators within China, but used by government controlled hacking units. Hacking units, great name.
Matthew: Yeah. Yeah. Just hordes of people in dark hoodies.
David: Yeah. And they got rank patches on their hoodies.
Matthew: that's actually hilarious. Like the slabs caps the military has. Yeah, they, they've got there.
David: But each actor doesn't maintain their own infrastructure. These independent entities own and control the infrastructure that they act and actually just use it. You know, which is one of those things where, you know, according to the U. S., all computer users in China are Chinese, which makes them all an arm of the government. There are no independent people in China.
The article goes on to say that the VPS server, which is the [00:04:00] controller, is similar to a method used by Tor.
Matthew: Well, so they've got, what they have is the VPS controller is in China, and that is what is administered by the independent contractor. And it's weird. They called them independent contractors and they called them administrators. Like some Chinese citizen administrator just suddenly decides to stand up some infrastructure for attacking the capitalists out of the goodness of their heart. Although actually maybe that's a reference to criminal actors rather than contractors, maybe. But they set up a VPS server in China. And then that's where the network is administered, and then the attackers in China will then enter the network through a Tor node in at least one of the examples.
And looking at the way the networks are described, it actually does remind me a lot of TOR where there's a whole bunch of nodes that are controlled by a bunch of different people, [00:05:00] and, You just go to the one that you wanted to go to and and it's, it pops out the other end and you don't necessarily know where you're coming out
from,
David: Yeah. It's like a mix between Tor and VPN providers.
Matthew: Yeah, well, you know what? I misspoke there. I said you don't even know where you pop out from, but that's not true. You can select where you're going to pop out from. So they also have the ability to do that, which is helpful to them, I'm sure.
David: Yeah, I would assume so.
Matthew: is
David: But something that stood out to me in the summary was that Mandiant assesses with, and this is a quote from the article, Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise's network and shifts the advantage towards espionage operations by evading detection and complicating attribution.
So they're giving a confidence assessment on the motivation of the actor, not on the actions they're taking, and the motivation that they're talking about, that they only have [00:06:00] a moderate confidence in, is what is true of all hackers, which is evading detection. They should have supremely high confidence that that's true, because all hackers, or attackers, attempt to avoid detection.
Matthew: Maybe the attackers just found that it was cheaper to do it this way.
David: That's really possible, because really what we're talking about is something that's been done forever, which is compromising one box to leapfrog from that box into another box in order to obfuscate where you're coming from.
Matthew: Nobody, you know, no, you know, better than that. Nobody's ever done this before. This is completely new
David: Brand new,
Matthew: brand. Yeah,
David: Less than a decade old. So one of the things that they harp on a lot in the article, or in the paper, is the declining value of IP addresses as IOCs. You know, is it worth blocking IP addresses? And how long is that block worth?
Matthew: So, and this is interesting to me, because when I read this, like that [00:07:00] was my assumption. My assumption was like, oh, you know, they're only using these IPs for like an hour or a day, especially with all the harping, like you just said, on how the value is declining. But then when I read the report, the report said the shortest lifespan they've seen is 31 days.
That is way longer than I expected. They said some of these networks have 200,000 IP addresses in them. Why aren't you rotating them, like, on a daily basis?
David: Yeah, I think this might be, even though this has been happening for almost a decade, it might be a matter of maturity, because I'll tell you what, if I was running this project, it would be 31 days today, but I would be working towards dynamic construction and usage of ORBs, right? So you'd have an infrastructure set out where anybody who wants to use the infrastructure, they just type in the number of nodes that they need, the country where they want them to go from, and they hit go, and it builds the ORB network on the fly.
Scans for [00:08:00] victims, compromises victims, builds the ORB, you execute the attack, and then you clean up or abandon the ORB behind you, and that's it. It's a one time use, throwaway, you know, fire and forget type of system.
Matthew: You know, if they have 200,000 IPs in the network, that'd probably work. They probably don't need to reuse the IPs, honestly.
David: Yeah, and new vulnerable, vulnerable systems are coming online every day.
Matthew: Well, so true. Yeah, they could constantly be dumping old ones and bringing, like, after it's used in the attack, they dump it off the network, or they only use it as an intermediary node.
David: Now, a single use. Once you've used it,
consider it as compromised and dump it.
Matthew: Interesting.
That is
David: That's the way I would run it anyway.
Matthew: Huh. That would make it very difficult to track. It's fair.
David: Yeah, and if you can do it, why not?
Matthew: Yeah. I mean, you could just do it programmatically. So that makes a lot of sense. So my first thought on this was not quite so on the attacker side, building a more effective way to [00:09:00] do it. My thought was on the defense side. When do you stop blocking IPs? So, 31 days. At 31 days, I think it still provides value to block an IP address.
Especially if they're not rotating, you know, on a daily or even per attack basis like you're talking about. At what point in time do you think it does make sense to stop blocking IP addresses? Once it gets down to a day? Like, cause then, you know, maybe it comes in overnight, the analyst sees it, they go to block it, but it's already been, you know, 12 hours, 18 hours since it was used.
Yeah,
David: I don't know. I think, I mean, the standard place I've been is 30 to 90 days is what I've seen in the past. And, you know, if there's any kind of service or something you could subscribe to that will provide feedback on them, you could use that service to dynamically decide what you're gonna block.
Cause it could be that you set a default block for 90 days, and a service like Mandiant or whatever says, okay, well, that IP is no longer compromised. [00:10:00] Maybe you can forego blocking at the, you know, if you're at day 60, maybe forego blocking the last month. But I would say, as long as your system can support the length of the list that you create, and as long as you are eventually aging them out, I don't see any reason why you couldn't pick any date that you think is appropriate. I mean, that's the whole reason that TIPs have IOC age out stuff built into them anyway.
Matthew: That makes a lot of sense. I do think that one of the things that you definitely want to do, and this is, don't waste your analysts' time manually blocking these.
David: Mm hmm.
Matthew: Get this automated. Get this in the ticket, so that when you close the ticket, you know, if you close it as a true positive, it automatically pulls those malicious indicators out and sends them to someone to be blocked, or even better, goes directly via API and blocks them.
David: Right. And automate the aging out also, because you don't want to have to remember to go back and say, oh, wait, has it been 90 days? I need to go back
and clean up those IPs.
Matthew: That would be trouble.[00:11:00]
David: The way that I've done it programmatically at another office was, we had just a single IP list, and it was created new every day, and then the IPs that were over the age limit simply weren't added to the newly created list. And then we just updated that list constantly, and the IPs just fell off that list.
Yeah.
Matthew: So I've encountered at least one product that does not include aging. It was a proxy. It did not include aging of indicators when you block them. Domains, specifically. So you had to maintain some sort of external method to age your indicators, which was very frustrating.
David: Yeah. We kept a, it was A
Matthew: A
David: I think it was just a flat file. I'm not even sure. It may have been a SQL database, but it had the IOC and then the date the IOC was added. And then when the new list was created, it checked the date that the IOC was added. And if it was over 30 days, I think it was, [00:12:00] then that IP was just not added to the newly created list.
Matthew: Yeah.
David: And then it was also removed from the file.
Matthew: Makes a lot of sense. Sexual mind. And
David: Yeah, it is.
Matthew: Where are we?
David: The article
quoted. So this article had a quote from an analyst at Mandiant, Michael Raggi, and I wanted to add this whole paragraph because this was.
But he's the one that wrote the paper.
Matthew: Oh, he's the one that wrote the paper? Okay, so they just pulled this straight out of the paper then. Alright, so the quote is, quote, Rather than waiting to be reactive or responsive to block each IP as an indicator of compromise, you should be trying to look at the patterns of infrastructure that they're registering, what types of routers they're compromising, what ports and services do you know they're coming from.
This way, you have a profile of activity to look for, something to create behavioral based rules for now, rather than just relying on indicators of compromise or blocking in a one off. That is absolutely correct. And that is also absolutely out of reach of [00:13:00] 90 percent of companies out there doing security. So, I mean, I guess this is actually just a cloaked sales call for people to reach out to Mandiant and pay for them to do this.
David: Yeah, I wouldn't be surprised. But I don't know. I kind of see that statement as a bait and switch also. Because he's saying, you know, don't look for IPs, but look for ports and services. Well, that's just another type of IOC. And, you know, a port or service isn't necessarily bad. What he's saying is, don't look for these IOCs, look for these IOCs.
Matthew: And not only that, he's also saying, like, look for these patterns of, like, which routers. I mean, is there even a way to check, like, every IP that hits your network? Oh, this is from a small home router, we should block it. I don't know. I don't see that there's any reasonable way for a company to be able to identify that on an ad hoc basis as stuff hits your
network. But
David: No, I mean, if something becomes part of an incident, or maybe an alert, [00:14:00] then you send it off to DomainTools. And then maybe you have an automation that gives a deep dive on the register and domain
tools.
So dig that out.
Matthew: Yeah. And you can use, like, IPQualityScore or something like that. And it'll come back and say, like, oh, this is residential. And then you'd be like, oh yes, well, residential, it's a router of some sort, but then you've got to scan it and try and do some, like, nmap style identification, you know, grabbing the banner, trying to identify what it is. Yeah. This was very annoying. I do not like this.
David: So additionally, the article calls out that attribution can't be done by network infrastructure.
Matthew: I thought, honestly, I thought that was that a long time ago. I mean, that being said, I don't think I've ever gone up against an APT. So I don't know, maybe they're using, maybe they were using longer lasting networks.
David: I don't know, from, from a typical defender standpoint though, who cares? I don't care about attribution.
Matthew: Honestly. Yeah. Most companies should ignore. Yeah. It's never [00:15:00] been something where I felt like I had to know, Oh no, we're being hit by APT 28.
David: Right. You know, the cost benefit ratio is simply not there for attribution for most organizations. I mean, the government. I'm sure they feel the need to do it.
Um, but a civilian company is not going to have any real necessity for attribution. If it comes down to a court case, attribution is going to be figured out by the cops.
Matthew: Yeah. I mean, although for some reason, it really makes leadership really happy if they feel like they've got somebody to
David: Point the finger
Matthew: Blame. Yeah.
David: If you want to be able to defend the fact that you failed, to say that, oh, we were attacked by an APT, we couldn't possibly defend against it. Uh, maybe you want to do attribution in that case, like Sony.
Matthew: Makes sense. All right. They did mention that you can choose IP addresses that you can use that are geographically close to whoever you're targeting. I have seen that occasionally in the past using VPNs, [00:16:00] although I don't know if that was on purpose or not. It's entirely likely that even a criminal using a random output on a VPN is going to sometimes, you know, end up in a neighboring city.
But I can definitely see where having that true all the time would be very frustrating. Because when you're reviewing an account for malicious logins, you're looking for, you know, weird geolocated IP addresses. You're looking for different IP addresses than normal, although that one's tough because, you know, they go to a coffee shop or something, or they're in the office, they're out of the office, their own IP address cycles.
Can't rely on that. You look for different user agents. You look for weird hours of logging in, outside of working hours, although again, these days, where people are expected to answer email at all times of day, maybe that's not a great way. But I can see somebody building a better phishing kit, and I'm wondering if this already exists, because this does not seem like this is that much of a brilliant move on my part.
But I'm imagining a phishing kit that, you know, you set up a landing page, someone hits it, they sign in, it records the browser [00:17:00] agent, the time of login, the source IP address. Probably measures the type of the device that it's logging in from. And then when the attacker pivots, you choose your VPN or your orb network.
You find an exit IP as close as possible geographically, which again, with the internet of things, like Can you imagine if they own the router in your own home? They're like, there's like, Oh, wow, I can log in from the same IP address.
David: Right,
Matthew: we should do something about that. Maybe we should be like watching their traffic directly.
And then the attacker can, you know, choose to hit during normal working hours. They can automatically edit the browser agent so it matches the person. And now it's coming from the same geolocated area. Now it's very difficult to detect through behavior based rules unless you've got something like Intune on the devices or certificate based authentication.
David: And if they're good, do a little bit deeper dive than simply, you know, mimicking the browser, but actually coming up with the device fingerprinting would look
Matthew: Yeah. [00:18:00] Like the cookies and the other stuff that they, the various places used
to.
David: Right? You know, when you log into some sites, and this is actually typical for a lot of banking sites, where they'll say, you know, remember this device, or remember this system, you check that check box. So that's sending fingerprint information for your system back to the organization. So if they were to capture that same data and be able to mimic that back when they connect, also, that's another thing they could do.
In order to further obfuscate, you know, the fact that they aren't who you think they are, or that they're someone you should trust when the connection happens.
Matthew: Now that makes a lot of sense. I mean, they're already doing that, right, with the session stealing and the cookie stealing.
So just grab all the information from the browser. They can try to steal the cookie. If that fails and they try and log on, you know, trying to match it as closely as possible, hoping not to trigger MFA.
I actually don't know if MFA is smart enough. I don't know the workings of it. So I'm [00:19:00] not a hundred percent sure if this would trick MFA or not. I'd like to think the people that work on that are smarter than me and have already thought of that.
David: mm, sure.
Matthew: They probably have, hopefully. Ah, so this is, as I mentioned before, this is some criminal level separation, which is kind of a funny thing to say, but we've already seen the criminals get very specialized in specific ways. And now I'm wondering if we are going to see more of this on the APT side, although maybe the study has, I know that our government is very specialized and, you know, has dozens of different contractors that specialize in stuff.
But I'm curious about how they choose which ORB infrastructure to use. Do they have, like, some of them that have more bandwidth, or some of them prioritize more towards reliability when you're bouncing between? I mean, I don't know if you've used Tor. I've tried to use Tor a couple times and it's a pain.
It's kind of slow. I imagine, especially since they're using compromised devices, the [00:20:00] reliability is probably not great.
David: Well, it could be that they rate each individual device, and then the quality, when you build the ORB, because you imagine that, at least this is the way I would think, when they compromise a device, that device compromise doesn't automatically tie it to a specific ORB. It's just a device that's available to be connected to an ORB.
So maybe they build the ORB based on the attributes of the devices that are compromised.
Matthew: is, each orb is slightly different because of the types of devices it
includes,
David: Right. So
Matthew: is used for a
David: that have higher bandwidth or more processing power may be shunted off to, or attached to, a very specific high value ORB, and ones that aren't are low value ones. Or, you know, they have different types of ORBs based on what they've got available.
Matthew: be interesting, you know, [00:21:00] like, like selecting arrows from a quiver in a Green Arrow movie or something. Like, this is the
one that does this.
Ha
David: Yeah, exactly.
Matthew: like Jerry, doesn't he?
David: And this is the one that does this and pops out in Gary in the end. Yeah,
Matthew: Ah, it's always Gary at the end. Alright, yeah, I have to imagine that these contractors probably would start selling this access to criminals as well. Or maybe they started off working with criminals. There's a couple pros to this. More money. There's more camouflage for the APT. Is it a criminal or an APT coming out of this exit node, if they start identifying these ORB networks?
Of course, there's also some cons. The more the network gets used, the more attention it draws. If there's a bunch of criminals coming out of it, then people might notice it and block it before the APT actually uses it. But I don't know, I guess it depends on how greedy they get.
David: But who's to say this is not happening already? It could be that these ORBs are already being [00:22:00] sold on the dark web. I don't know. Cause if you're dealing with, uh, and this is another quote from the paper, you're dealing with a dedicated entity whose sole job it is to maintain a vast array of different types of compromised routers, and just for the purpose of renting those out, so someone can try and access your environment with them. So I think the fact that he says, for the purpose of renting out, maybe he may already know, or assume, that these are actually part of criminal infrastructures that can be rented. And another quote from the paper is, these networks are not controlled by the APT actors using them, but rather are temporarily used by these APT actors. So who knows? You could search the dark web and see if you can find advertisements for it or not.
Matthew: Yeah. That makes a lot of sense, actually, with some of the way, like we talked about [00:23:00] this briefly before, some of the way they phrase some of the stuff earlier, where they said contractors and administrators.
That does seem to go with that, where they are renting from an actual criminal.
David: Right. And this is the other annoying part, like I mentioned earlier, is that we've started treating all actors in a country that's, you know, chosen by the United States government as an enemy, to be an arm of the government of that foreign country.
Matthew: Yeah.
David: Some may be tied to the government, some may be independent criminals.
Some might be part time government employees, part time criminals, or some may be like the mafia that, you know, generally acts in their own best interest, but occasionally will do stuff for the government when the government twists their arm. You know, kind of like the mob in the US during World War II and for a few decades afterwards was very much like that, where they were another part of the government, just about doing things on behalf of the government.
Matthew: Yeah, from the perspective of a company, like they're all trying to break in, [00:24:00] you can treat them all the same.
David: Right. The reason this is important is that this piles on the idea that threat intel really needs to do more than just throw IOCs around. You know, if threat intel was able to say, okay, where are the most attacked IoT devices? Who sells those? Who's using those? Does a certain ISP use a highly attacked modem?
And are we seeing attacks from those ISPs, or something like that? That
could be something useful from threat intel, versus just providing an IP address.
Matthew: Yeah, and it'd be really nice to have the context around them too. Like, this is something that drives me nuts all the time, working in the SOC. You've got your IOCs being fed into your TIP, and you get an alert that says this IP address was bad, and initially you don't get any context from the original source, and you've got to kind of go out and look yourself and, you know, troll through the list and try and find it.[00:25:00]
David: When it doesn't say IP bad botnet.
Matthew: Yeah. Well, IP bad ORB network would be useful. Like, you're like, all right, so this is probably an IoT device. You know, it may be a legitimate resident. It may be a bad guy. It may be a criminal. It was picked up, you know, 27 days ago. All right, it may be reaching the end of its lifetime. Stuff like IPQualityScore.
Second time I mentioned that this one, they do a good job of adding a fraud score. They specialize in watching for more commercial fraud, but they'll put, like, you know, recent abuse seen, and they'll put, you know, what their confidence level is, and whether it's a VPN or a Tor node. It'd be interesting if they added an ORB.
I feel like a lot of this stuff that you're talking about here, with the most attacked IoT devices and who sells them and who uses them, that's kind of out of scope of the average security team. The average security team needs to know this is part of an ORB network. You know, other folks have seen malicious traffic from it recently, you know, within these dates.
David: [00:26:00] Well, I think if you have a threat intel team, though, they could do this level of research in order to find the networks
Matthew: Yeah, that
David: the IPs that could be part of the ORB network, because, you know, this network has a lot of IoT devices that are typically attacked by the ORB network.
Matthew: So that would actually be really interesting. We've talked a lot about risk based alerting. I don't know if this is even reasonable to do, but that would be an interesting bit. If you get a communication that's flagged for some other reason, and then look at the, you know, maybe hit it back with a quick nmap scan or look at other enrichment sources, probably not an nmap scan, I think those are generally considered legal, or hit it against some of those other enrichment sources we're talking about, and then assign a risk score based on that. But again, like, if they get to the point where you're talking about, where they're flipping it daily or each attack, then all of a sudden all that becomes useless.
Yeah,
David: But anyway, if you tie this in, you know, cause what you do is you [00:27:00] get, you know, if you also have a subscription to Shodan, then you can get reports from Shodan on what that device might be, or you may know from a Shodan scan what that device is, or realize that it is a typically compromised IoT device.
Matthew: That would be interesting, that would be interesting, to assign risk scores to, like, every incoming IP address. It'd require some bandwidth and some processing power though.
David: Depends on your volume, obviously. Yeah.
Matthew: I mean, I know some of the big, the big internet companies with giant websites that have hundreds of servers behind them. They're doing that sort of thing. But yeah
David: But like I said, what you could do about it is, you know, have a Shodan subscription, have a DomainTools subscription, and start writing some automated scripts in order to do some of this analysis for you.
Matthew: Yeah.
You do not want to have your analysts be doing this manually. You don't want them doing it five years ago, and you definitely don't want to be doing it in a year or two when the bad guys listen to this [00:28:00] podcast and pick up on what David's putting down.
Start running it.
Start changing each
time.
David: You know, you might do it manually once or twice to get a feel for what the process looks like. But definitely, if you're going to scale this to make it useful, you're going to have to
automate,
Matthew: All right, second article for today. The Privacy Implications of Tracking Wireless Access Points, from Schneier. He linked to an article that was written based on a paper, which made it sound much worse than it actually is.
David: In our opinion.
Matthew: In our opinion, yeah. So I'm going to start with their own summary, since I didn't want to try and rewrite it to avoid plagiarism, so I'm just going to put quotes around it and copy and paste it here.
Quote, Wi-Fi based positioning systems are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks, end quote. This is all about the alternative to GPS, because GPS power consumption tends to be higher. So mobile [00:29:00] devices are relying on WPS instead more these days. GPS is still used occasionally, and when it's used, both Apple and Google scan for nearby Wi-Fi basic service set identifiers, and then report those to Apple or Google.
So when your phone uses GPS, you're feeding the Wi-Fi positioning system as well. So other devices that have GPS turned off can now receive those results. So these work by looking at detected BSSIDs. And then they query the database and say, hey, I'm seeing this BSSID. Tell me where you have seen this. And it will then return GPS coordinates that it's been seen at. That's why, frequently, if you're not using GPS and you look at your phone, there's a circle around it on the map that says, you know, you're somewhere within this area. That's because that is the area that that BSSID has been seen at.
David: Yeah, because it also gives up the power level
Matthew: Yeah.
David: so to give you an idea about your distance from [00:30:00] wherever that BSSID is.
Matthew: Yeah. I imagine some degree of triangulation with the multiple BSSIDs that it sees.
David: Yeah, I mean, that's probably why they can get it down to so close. If that power analysis is really good, because if you end up being in the center of, you know, 10 BSSIDs, they probably have a pretty good indication of where you're at.
Matthew: Yeah. I was at a restaurant yesterday and I got that little uncertainty circle, and I mean, it got the restaurant I was at, it did not get the seat I was sitting at. I was sitting by the window and I was a little bit outside of the circle, but,
David: Remember, and that's why I've sniper missed.
Matthew: close enough for a bomb strike. Yeah. So Apple likes to make things easier and more useful to the phone. When you send one of these queries up to the API for Apple, they will return up to 400 other BSSIDs that they have seen nearby, and their locations as well. This is, generally speaking, good for the user, because now [00:31:00] the user and the phone don't have to make multiple queries.
They only have to query once and they, you know, can keep walking before they have to query again. But it makes surveillance and discovery a lot easier. Because it turns out you only have to know one BSSID in an area to start with, and then Apple will helpfully feed you a whole bunch of other ones.
Well,
David: Yeah, well, if they don't get the distance between you and the BSSID, then it's still not gonna improve the accuracy a whole lot, is it?
Matthew: what they're talking about here now is, they're not talking about the accuracy of that. Yeah, I don't know how that all blends together. They're just talking about using this as a discovery mechanism to just try and find all the BSSIDs.
David: Right.
Matthew: Yeah.
So Google and Apple make these Wi-Fi positioning systems public, which makes sense. You know, they both make phones. They use this on their phones, but they allow other people to use it too, applications and other devices. [00:32:00] So they do it a little bit differently. I found out as I was reading the paper that the reason that they chose to use Apple for this is because Apple's API is free. They let anybody use it. You do not need an API key. There is apparently very little in the way of quality or content checking or any kind of rate limiting on this. So they did this because they could download millions and millions of BSSIDs very quickly. Google charges; it's not much, like 5 per 5,000 queries or something like that.
So it's not too expensive, but it is expensive enough to keep them from doing this. But as it turns out, you don't have to prove that you're seeing what you're seeing. You just ask the API for a BSSID and it will tell you the location. They focused on Apple because, as I mentioned, there's no auth, there's no controls.
But it kind of makes sense from the perspective of, you know, an engineering team. The engineering team wants to make this as simple and as easy as possible so that all of their customers can easily perform these lookups. So to prove their point, they have [00:33:00] three different use cases. Actually they have four different use cases, sorry. First one was estimating damage from the Maui wildfires. They took a look at the BSSIDs. They were doing this experiment during the Maui wildfires because they did find that the information that Apple has is updated after about a week.
They put up a new BSSID and they waited to see how long before it would appear in the dataset. And it took about a week to be added to the dataset. It also takes about a week to be removed from the dataset after it's no longer seen. So, they were able to go in and check the BSSIDs available in Maui.
Both before and after the wildfires, and then they mapped those locations onto a map and then matched it against the damage estimates, the maps showing where the most damage was, and they found that it worked out pretty quickly. They were able to get a pretty accurate idea of the [00:34:00] most damaged parts of Maui, because the most damaged parts of Maui were the same parts that had the BSSIDs disappear.
Therefore, the wireless networks disappeared and probably the houses as well.
David: Could be.
Matthew: Yeah, or people moved out too, that could not necessarily mean the house disappeared. Might be people left, you know,
so,
David: my router's in my go bag.
Matthew: they suggested that this might be useful to estimate damage from, I was thinking, a military strike, but they were talking about disasters and other things as well. You can assume that if an SSID goes away, then the people may not be dead, but they might be injured or they might've just left.
That's just not a very accurate method of assessing
damage.
David: Well, I mean, also, you don't know the people count for an SSID. You just know that you got one SSID in the house, or maybe you've got three or four in that same house and, you know, one guy, or maybe you've got one and you've got a [00:35:00] half a dozen people in the house.
Matthew: I've got four in my household right now, probably more, actually. I mean, cause they talk about later, some IoT things create their own Wi-Fi spots. There's four that I know about, but might be more.
David: yes. And the Chinese have asked you to put up a couple more
Matthew: They just sent me this laptop and they told me to just lock it in a drawer and don't pay any attention to it. I figure it's harmless.
David: That, yeah. Did you hear about the, was it the North Koreans that were using people to get jobs?
Matthew: It wasn't actually that. This was somebody was reading an article, and I don't remember which magazine it was, one of the political ones I get. You know, we've talked about this before, I get a conservative and a liberal and a libertarian political magazine, and one of them was talking about a book review of some guy.
Who was a publicist for the worst people in the world. Like he represented Libya and the Saudi [00:36:00] government and folks like that. And it mentioned that he had been arrested because one of the people that he worked with from one of these countries had asked him and given him a bunch of money and given him a laptop and told him to just, you know, turn on the laptop and lock it in a drawer and just let it run. And he did. And the FBI came knocking on his door.
David: I don't know, there's something else that came out that North Koreans were applying for jobs in the United States,
Matthew: Yeah. That's
David: to make it look like they were in the U.S., so they'd use a cutout.
Matthew: that woman in Arizona.
David: Yeah.
Matthew: Yeah.
David: use that cutout in order to get the job. And then when the company sent the laptop out for that remote worker, who they thought was in Arizona, they would send it to the address in Arizona and she would plug it in and turn it on.
And then they'd VPN into it from North Korea and then connect into the corporate networks from the laptop in Arizona,
Matthew: Yeah. I saw that the other day. I tried to get in on that.
But
David: very enterprising [00:37:00] because the deal was that whoever they hooked up with, they would get a percentage of the salary that they were making.
Matthew: yeah, I'll take an extra thousand a month,
David: yeah, no.
Matthew: let that thing heat up my house a little bit. I, you know, I needed a thousand a month because of the extra air conditioning bills.
Yeah.
David: that, you've got five or six of those that you're getting a thousand a month from, pretty good business,
Matthew: I'm surprised, given how many people act as cutouts already for criminals, that they didn't have just a whole bunch of people across the US that were just happy to let folks do that. Of course, my second call then would be to the FBI, and I would go ahead and be like, hey guys, for a thousand dollars, I'll let you put a bug on my, on my,
David: I'll let you eavesdrop on this laptop,
Matthew: we'll just put a SPAN port here on the thing, and you guys can just get all their transmissions and, you know, how did I get paid twice?
David: double
Matthew: sell it to MI6 too.
David: Well, you might have to sell it to [00:38:00] MI6 first. So then they can say they weren't getting it from the U.S. citizens directly.
Matthew: Hmm. I'd probably get paid double that way. Alright, second use case. They tracked users in Russia based on BSSIDs seen, but they looked at both the Russian and Ukrainian side. On the Russian side, they were watching for BSSIDs that started somewhere other than Ukraine and then ended up in Ukraine. And they saw what they thought were aid workers moving into Ukraine that were coming from European countries.
They saw a lot of folks from St. Petersburg and Moscow and a couple other places going to Ukraine. What I find really interesting about this, I'm surprised that they saw so much. David and I were talking before we started recording and we were kind of laughing about how, like, people don't pick up and take their routers with them, but apparently a lot of people do in European countries.
David: Yeah, it could be a thing overseas. [00:39:00] It's just not something that happens in the United States.
Matthew: Yeah, I don't know. I'll talk more about this later. I just realized that I have a note about this several lines down, so I'm jumping the gun, so we'll get back to that in a minute. I know, I know. So Ukraine apparently does use Starlink extensively. There's been a lot of talk, you know, earlier in the war about Elon Musk providing Starlink for them.
And apparently with the Starlink terminals, the way that Starlink works is it's a router that connects to Starlink and you connect your computer to the router. Your computer does not connect directly to the Starlink satellite. So they were able to track these Starlink terminals. And they were able to see that they were geographically limited to the territory that Ukraine currently controls, which is part of the deal.
I actually think that this would be a really interesting case where you could really kind of screw with the Ukrainians if you, you know, had an in with Elon or some other provider and you would get them to actually be like, you know what? No, you can use them wherever you want to, and then track where they were moving to. Like all of a sudden [00:40:00] now you see Starlink terminals popping up behind your lines and you're like, Oh, Ukraine uses this pretty extensively.
I wonder if this is a, someone trying to, you know, upload their data from a mission or
something.
David: Yeah, because I was thinking that, since it's geographically linked to what Ukraine controls, they're going to have to keep moving that line west.
Matthew: Yeah, probably are. Third one was the Hamas war. This one was interesting, but it was not terribly surprising. They tracked the number of BSSIDs in Gaza both before and after Israel started bombing and turned off the electricity. And they said they saw something like a 72 percent drop in BSSIDs. Which is surprising in two ways. Like number one, that's a lot of BSSIDs that are gone, but it's surprising also that there's that many left. There's still 28 percent of the BSSIDs in Gaza still running. Are these people with solar panels or
David: And have not been hit with a bomb?
Matthew: that have not yet been hit with a [00:41:00] bomb?
Yeah, I don't know. Final item that they mentioned as a use is not a use case, but a kind of thing here: China has a law that you can't store BSSIDs. So Apple's database and Google's database, they don't upload Chinese BSSIDs. So that's just a giant blank spot in this database.
David: Well, that seems like a simple fix then, doesn't it? Ha,
Matthew: More laws. I knew that's what you would come up with,
David: ha, ha, ha, ha, ha. ha. You know I always like more laws. That's what I think, anytime someone pisses me off, it's like, there ought to be a law.
Matthew: Yeah, exactly. So discussion points for here. Number one, this tracks Wi-Fi access points. This does not track your phone. Your phone does have a hotspot, but your phone's hotspot creates a random BSSID. Well, I looked into this a little bit. It turns out they started this in the mid 2010s or so. So they were concerned about being able to track people based on the BSSID of their phone
with a hotspot. So they've already implemented a remediation for this. So I was really [00:42:00] confused by this. I was surprised at how many people were moving. In the U.S. at least, frequently your Wi-Fi router comes with your subscription in your house. You don't take your router with you when you leave. It stays with the house.
If you have only one internet vendor, or if you have multiple internet vendors, you return it to the vendor when you leave. So I may not be sure in other countries, maybe you take your router with you wherever you
David: I mean, I've moved a couple of times, so in Virginia, that's what you do. You go drop it off at the ISP or you mail it back to them, one of the two.
Matthew: yeah. I mean, I actually in recent years have started to buy my own routers, but yeah, for probably 20 years I just used the one. But wait, there's more. Apparently Rokus create their own Wi-Fi networks. They did specifically comment that Rokus were the number one and the number two BSSID manufacturers.
Because the BSSID's just a MAC. So those were the top two manufacturers they saw. So, I don't know why a Roku creates a Wi-Fi network. Maybe to connect it with [00:43:00] the remote?
David: So the Roku doesn't connect to an AP?
Matthew: I mean, it's still, I mean, sure it still connects to an AP. But it apparently also creates its own as well.
David: Interesting.
Matthew: Yeah, that is very, very interesting. But you know, actually I'm looking at my networks in the area right now. So there's a bunch of them that say Fios, that's the provider, but there's a couple of them, there's an NG hub. I don't know what an NG hub is. There's HP setup. I don't know what that is.
David: NG is
Matthew: there are, Oh, Nick here, there are a couple of things around. I've seen some other smart home devices pop up there before. Travel routers, they found a number of Wi-Fi APs that are designed to move and they could track them around the world, people that use these travel routers, which is something that's new to me.
I've never heard of these before. I looked them up and they're actually kind of cool. They are a box you plug into an ethernet. And then you connect your [00:44:00] laptop to the travel router, your phone to the travel router, and the travel routers have a built-in VPN endpoint. Some of them have Tor, some of them have other, like, certificate-based security.
So everything that you communicate to the travel router is then encrypted over the ethernet, which is really interesting. And that's a trade-off. You have better comm security to prevent somebody from listening in on you if you, you know, connect to a hotel Wi-Fi and you accept their certificate and now they man-in-the-middle you.
But now you can potentially be tracked with those travel routers, although only at a delay, since it takes seven days to update those.
David: All right, and you're typically not going to be someplace for seven days. So it'd be seven days up, and by the time it's relevant, you're no longer there
Matthew: yeah, this only matters if there's some importance that could be ascribed to you being at a specific location. Like if
David: than two weeks.
Matthew: secretary of state, well, no, even after the fact. Like there's actually just a discussion around somebody high up [00:45:00] on operations from Apple going over to Taiwan to talk to somebody from the chip manufacturer there.
And I saw an article speculating that they were taking over the full two nanometer chip. Like you could potentially do some business espionage style stuff by, like, watching who goes where,
David: I see.
Matthew: maybe, I don't know
David: insider trading, maybe.
Matthew: Ooh, insider trading with seven days.
Could be enough time to get in on that stock. I don't know. So WiGLE has been doing this for years. I don't even know if that's how you pronounce it. W I G L E. Is it wiggle? It only has one G though.
Uh, which stands, yeah, that's fair. It stands for something. I don't know what it stands for.
David: Yeah, so it's definitely Wiggle then.
Matthew: Definitely wiggle then. All right. They've been doing this for years, keeping track of these, but this is a little bit different. It's crowdsourced by people war driving. Apple is way more ubiquitous. There's not very many people war driving these days. Although I'm curious, actually, now how many folks [00:46:00] are. That would be interesting. Stumblers. They have 543,000 people, I'm guessing stumblers. They have updated 535,000 of these today. That's really fascinating. There's still people going around trying to do this just for fun?
David: But maybe that these people just keep it running in their car.
Matthew: Yeah, I have seen some people do that, yeah.
David: And they don't even really think about it anymore. It's just a thing that they do and then they download it when they get home or whatever.
Matthew: but Apple's way more ubiquitous. It said there's 543,000 stumblers. There's millions and millions and millions of people with Apple phones and Android phones. Millions.
Yeah, you're right. It's more than a million. They did do some cross-checking and they found that WiGLE did have some APs that were not in Apple, which was really a surprise.
It was about 10 percent of their query. They didn't provide the opposite. They didn't see if there were any in Apple that weren't in WiGLE. Because I imagine that number would be a lot higher than 10%. In terms of remediation, they proposed the following three things. Apple should rate limit queries. AP manufacturers should [00:47:00] randomize the BSSID each time it's rebooted. That's already implemented in phones, so it's totally doable. And users, if you think someone would track you, don't move your Wi-Fi devices.
Abandon them and purchase a new one. Ha, ha, ha, ha, ha, ha.
David: on the side of the road when you do the abandonment.
Matthew: yeah. If your AP allows it, set it to randomize the BSSID. It's probably really the, like, I'm thinking about getting one of these travel routers now. These look kind of cool. Not that anybody's looking at me or watching anything, but it'd be a cool
David: you think.
Matthew: That's what I think. All right. So why does this matter? Well, it mostly doesn't. It turns out this is a lot less than it seemed to me when I initially read it. But if you are using something like travel routers or anything like this for your executives, you should probably take a look at protecting them from being followed seven days later.
David: And do you know, does anybody use classified communications?
Matthew: I don't think you can, can you? [00:48:00]
David: I don't know. I was just thinking about, you know, putting something on a drone and flying around and seeing if there's any ad hoc wireless networks in the middle of nowhere that's coming from an olive green tent or something.
Matthew: Oh, interesting. Using it for intelligence collection, instead of for tracking people, looking for stuff like, Oh, the government, you know, buys this type of modem and here's a cluster of BSSIDs that are all from this type of modem in this nondescript building in the middle of Minneapolis or something.
David: Yeah, kinda.
Matthew: Kind of like the orb network, where certain types of devices are being compromised, but that doesn't mean all those devices are compromised. They're just more likely to be. You could do, like, some behavioral style detections.
David: it's a percentage, or a confidence score, however you want to put it.
Matthew: You know what? You probably could, because there's probably a bunch of tells, cause they would all be configured in the same way in that area, indicating some type of [00:49:00] organization. They might use standard DoD naming conventions as well or something like that. I don't know if these things get just the BSSIDs, or if they get the full network name. So, maybe interesting. Or if you detect it, you know, on a military base and then suddenly it pops up
David: Right.
Matthew: Oh, cause I would bet that war drivers probably circle military bases pretty happily.
David: It said you could use a drone.
Matthew: Yeah. Yeah. That'd be faster.
David: And typically, you know, if this were a thing, it would be Duke conducting military exercises, right? So you could collect them, knowing that they're going to leverage them on the installation whenever they're doing an exercise, and then just keep track of those, so when they show up somewhere else, you know exactly where it came from.
Matthew: This is wild. I'm looking at this WiGLE. There are [00:50:00] Wi-Fi things detected in the middle of Yosemite National Park, like off the road, like not even anywhere close to, like, lodges or anything.
David: Like nature cam kind of stuff, maybe?
Matthew: Maybe. Yeah, I don't know. I don't know. Do those animal cams, like, do they set up a network so you can connect to your phone? Because, oh my gosh. All right. This is wild. My kids bought me a little, like, microscope for your phone, and the way that it works is this microscope, it's like the size of your palm.
It has a built-in Wi-Fi chip, and to connect to it, you turn it on and it turns on the Wi-Fi and then you connect your phone to the Wi-Fi. And then you can use your camera to see what this little microscope thing sees. So, yeah. It makes me wonder about how many, I just hit my daily limit on my golf.
Ooh.
David: That was fast.
Matthew: how it [00:51:00] was fast. I wonder how much this thing costs to get. Anyways, it just makes me wonder how many things there are that use Wi-Fi networks for communication that we're probably not even thinking of, because this is like a cheap piece of something from, you know, like Alibaba.net or something.
David: All right. Well, it looks like that's all the articles we have for today. Thank you for joining us, and follow us at SerengetiSec on Twitter and subscribe on your favorite podcast app.