Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit, presented by IT Audit Labs.
Mandi Rae (00:14):
Hello and welcome to the Audit.
We are here for a Pwnagotchi party, and joining me today is Eric Brown, Kyle Rosendahl and our guest Jaden Truffler.
Hi everybody.
Eric Brown (00:32):
Hey Mandi.
Mandi Rae (00:34):
Hello! Well, thanks for joining the IT Audit Labs gang, Jaden.
We're excited to talk about Pwnagotchis.
Kyle, do you want to take us through our agenda?
Kyle Rosendahl (00:46):
Yeah, absolutely so.
Today we're just doing a quick episode on these little gadgets.
They're called Pwnagotchis.
I'll show it to the camera, but for those not watching, they're built on a Raspberry Pi Zero, which is a tiny little microcomputer.
It's like, I don't know, an inch and a half by three and a half inches, maybe an inch thick, and you can put a little screen on
(01:08):
them or not, and they're just little cheap gadgets.
I think you can throw them together for 50 bucks, and they're made for kind of Wi-Fi research and for cracking Wi-Fi passwords.
So they're kind of fun.
A lot of people in the DEF CON community and in kind of the hacking community in general all have one.
They can connect to each other, talk together, and we're just
(01:30):
kind of going over how they work, how they crack passwords, how they collect the information that you need to crack a Wi-Fi password, and then kind of the types of fun that you can have with them.
So that's kind of our agenda for the day.
Eric Brown (01:41):
I feel like these e-ink screens, or even the Pwnagotchi itself, would come in nicely for a DEF CON badge.
Kyle Rosendahl (01:49):
That would.
Yeah, they've always done like the LCD screens, but I bet an e-ink one would be pretty cool.
Anyway, Pwnagotchi is a combination of two different words.
We were talking about this before we started recording.
Pwn, I don't know, we talked about maybe it came from World
(02:12):
of Warcraft, but somewhere in the online world it's essentially just, you know, gamer-speak or hacker-speak.
Now, to, like, totally own something, right, you pwn it, you own it.
Slang on the internet that kind of evolved into a real word.
And then Tamagotchi, right, the cute little guys, the digital pets from the 1990s.
You can still buy them today.
I think they're making new ones.
Stick those two words together and it's a Pwnagotchi.
(02:34):
For people not watching, the little ink screens on the front have a little cute face on them, and the idea is that these guys like to eat Wi-Fi signals.
They like to eat Wi-Fi keys, and the whole point is that they'll collect the information necessary, use that for their food, and then give you something to crack so you can try and figure out what that Wi-Fi password is.
There's a little bit of AI going on in the background.
(02:57):
We'll talk about that.
They're super easy to set up, they're super easy to use once you get them going, and it's just kind of easy fun to figure out.
How does a Wi-Fi authentication protocol work?
What can you do to get in the middle of it, crack it, you know, take over an access point that you might not be supposed to,
(03:18):
and gives you a reason to get out, walk around your neighborhood and see what's out there.
Mandi Rae (03:22):
Did you guys have Tamagotchis?
Kyle Rosendahl (03:27):
I have two Tamagotchis at my house as of Christmas this year.
Mandi Rae (03:30):
I love it. Really.
I think one of the funnest aspects of this is what you guys name your Pwnagotchis.
Have we gotten into what the names of your little guys are that you shared with us?
Kyle Rosendahl (03:43):
We haven't.
I named mine Skajigachi after a tattoo that I got.
Mandi Rae (03:49):
How about you, Jaden?
Jayden Truffler (03:50):
Mine is Gloria.
I don't really have a reason for her name, I think it just came to me.
Mandi Rae (03:59):
Every time I hear it, I think of the song and I want to sing it to your Pwnagotchi.
And Eric, I think you have a unique name.
Eric Brown (04:09):
I do.
Mine is Pwn McPwnface, from the Boaty McBoatface.
Kyle Rosendahl (04:19):
So getting into kind of why it matters, right?
Again, it's for fun, it's to just do things with, to learn about Wi-Fi, to crack passwords, to learn.
But from an educational standpoint for users and for people who create Wi-Fi, it can expose that again.
(04:39):
Something that we like to preach in security is that the defaults are dangerous.
On the screen here, again, if you're not watching and you're just listening, I've got a whole set of different wireless router photos, of the backs of those routers, by, like, the barcodes and the MAC address and the serial address.
Pretty much every router you get from Comcast or CenturyLink
(05:01):
or Spectrum or whoever you go to for your internet connection, they have that router login page on there.
They have the default username and they have that default password.
There's a lot of people out there who snap a photo of the back of their router and they don't change it.
They just plug it in once to their device, they forget it and then they never use it again until a guest comes over.
(05:23):
They go get the router, get the photo and they bring it out and share it with them.
Hackers know that these things are generated in a certain way.
I put a link on this.
We'll share these slides in the show notes afterwards.
But RedSquirrel7, out on GitHub, he's a GitHub user that makes some cracking, hacking tools, things like that out on GitHub.
(05:45):
He figured out kind of the structure by which Netgear was creating their default passwords.
So he wrote a Python script out there that takes, I think it's essentially like adjective verb number, and so he made the biggest list of adjectives, the biggest list of nouns, I think it
(06:06):
was adjective noun number, and then numbers, and then he just makes combinations of those while it does the cracking, and it's got a pretty high success rate of getting into these Netgears.
So again, if you've got a Pwnagotchi and you're collecting Wi-Fi signals and Wi-Fi keys, the first good place to start is with a tool like that, where the password is created using some
(06:31):
sort of method that's guessable or knowable.
That's going to give you the highest rate of actually getting into access points.
If you're not doing something illegal, it doesn't really get you anywhere.
But if you're trying to get into a business or you're doing something illegal or you're trying to break into a network that you're not supposed to be in, right, leaving those default credentials in place makes it possible for someone to just
(06:52):
grab it with a little $50 tool, crack it using just freeware out on the internet and get inside.
So, again, easily guessable or known password combinations, you can kind of expose that security flaw with one of these.
So in talking about that Wi-Fi security, right, there's a few different protocols that are used, and have been used
(07:13):
historically, to authenticate with an access point.
When I say an access point, I'm talking about a router, or I mean a wireless access point that's tied to some sort of central switch.
Most people's homes, as you're looking at those, are just going to have your modem and your router, or a device that's both in one, before you get on the internet and before you're able
(07:37):
to get an IP address and actually connect to the internet.
You need to authenticate to that router, right, and most people think of that as being a username or maybe just a password to authenticate to it.
But there's actually a lot of pieces that go on in the background that can be exploited by something like a Pwnagotchi or other tools that exist out there, and the way by
(08:00):
which devices authenticate with those wireless access points or with the routers determines, you know, how secure that password is as you input it.
So, WEP was kind of the first wireless authentication standard that existed.
It used an RC4 stream cipher to encrypt those keys.
It used that due to US export laws and not being able to
(08:24):
export anything of cryptographic importance. I think that was back in 1980s or 1990s US code, so you couldn't send any materials that explained or did cryptographic processes.
So in order to reach markets overseas, they put an intentionally weak cipher on them so that they could export
(08:44):
them, make money.
In 2001, a whole group of hackers used just default freeware that they got.
It's called Aircrack-ng, and they could crack any WEP key in minutes.
So this is known to be a bad security protocol.
If you see it, know that basically anyone can get in within minutes without the keys or anything.
Most people don't have it, most of it's not enabled.
(09:07):
But I think if you watch the Dennis Pelton episode about Wi-Fi security, he talks about WEP, and people have done scans on Shodan and there's still plenty of WEP sitting out there in the world.
So it's not totally gone, but it's definitely not secure.
Pwnagotchis look at WPA and WPA2.
These use a four-way handshake to authenticate with the
(09:46):
wireless access point, between the client and the access point.
That can be exploited by something like a Pwnagotchi or someone who's able to sniff that traffic over the wire.
Basically, the only difference between WPA and WPA2 is the use of AES-128.
So WPA2 uses an encryption method called AES-128.
It's a fairly solid encryption standard.
It just kind of improves upon WPA, and then WPA3, we can talk
(10:12):
about that more, uses a totally different authentication protocol.
These Pwnagotchis are not able to mess with WPA3.
There's some methods out there that deal with trying to crack WPA3, but in essence it's much more secure.
Nothing's really sent plain text with that protocol, so it's much more secure.
So, looking at WPA and WPA2 handshakes, this is essentially
(10:39):
the meat of what the Pwnagotchis are doing when they are trying to essentially brute force the key to get onto the access point.
Again, this is a pretty slide-heavy presentation, so if you're not watching I'd suggest going out, checking out the show notes, grabbing the slide, and I think it's six, but it shows
(11:02):
just a basic framework of how WPA, WPA2 four-way handshakes work and what the Pwnagotchi is looking for and able to crack that key.
So I'm going to use my mouse here to kind of point things out.
When a device is trying to connect to an access point or a wireless router or anything like that, there's four different
(11:23):
messages that go back and forth between the two devices, called that four-way handshake, and each message that gets sent back and forth in these little tiny blocks of data contains a different amount of data that's important to authenticate with one another.
So, essentially, what they're trying to build up to is called
(11:44):
the pairwise master key, this PMK, and that PMK is, once it's crafted and correct, the access point knows what it's supposed to look like.
And if they have the correct PMK, pairwise master key, then the device is able to then, you know, be a part of the network.
(12:05):
So, essentially, whenever an access point and a device are trying to communicate, that device reaches out and says, hey, you know, access point, I want to connect to you.
So that access point is going to start out by sending one message back using just a known public key, and it's going to send that.
And it sends an ANonce, and an ANonce is essentially just the
(12:28):
access point nonce, a nonce being just a randomly generated string of digits, and then it sends it via unicast, right.
So it sends that over to the device, and once the device receives that, it's going to generate a pairwise transit key, right, and that pairwise transit key includes the supplicant, or
(12:49):
the device, nonce, sent via unicast.
And then it adds the message integrity check to the end of that thing.
So as far as a Pwnagotchi is concerned, these first two steps are all it needs to see to begin cracking the pairwise master key that's eventually generated.
(13:10):
Because in essence, that PTK includes the SNonce and the MIC.
Message one includes the ANonce, and when you're creating a final PMK, the PMK is basically the ANonce, the SNonce, the two MAC addresses of the access point and the device, and then
(13:33):
that's all stuck together with that message integrity check.
So message one, it receives that ANonce.
Message two, you receive the SNonce.
You have those two pieces.
You get the two MAC addresses of the devices.
The only thing you need to solve for is that PMK, and just a little bit of basic algebra says, you know, whenever the message
(13:56):
integrity check for that PTK returns true, from this being in place, the PMK, ANonce, SNonce and the MAC addresses, then you know you're good.
So since you have all the pieces to make the PMK or guess the PMK, all you need to do is then crack the PMK.
So that's where the brute forcing comes in place.
(14:17):
Then, essentially, what you're doing when you're cracking is you're just putting in random values for the PMK, or educated guesses as the PMK, combining them with the A, the S, the MAC and seeing if they then match that message integrity check.
Once you get a match, you know that you've gotten the correct password for that PMK.
(14:38):
Does that make sense, or does anyone have any questions on that?
Mandi Rae (14:42):
There's a lot of algebra.
Kyle Rosendahl (14:45):
Yeah, it's a lot, and I'm trying to explain it in a way that, you know, our listeners can get an idea for it.
Mandi Rae (14:51):
You're doing a great job.
It's a bad word problem.
Kyle Rosendahl (14:54):
It is, and I wish there were better ways to describe, you know. I could have come up with some goofy analogy for all of these pieces, but if you listen to it, you go look at the slide.
I think it'll make a little more sense.
Eric Brown (15:08):
Mandi was smiling like she had walked into a Calc 3 class when she was expecting, like, an English lit.
Mandi Rae (15:14):
Totally.
You got to unicast and I was like, okay, I'm lost here, but I do think your visual and being able to see it is imperative to understanding.
So definitely check out the IT Audit Labs website and/or watch the YouTube.
Kyle Rosendahl (15:31):
So the Pwnagotchis come into play.
Right, again, if we're looking at the slides, the access point is sitting out there.
It's communicating with a cellular device, right?
Let's just say, here, we've got an iPhone, you've got it connected to your Wi-Fi channel.
Everything is good when you authenticate for the first time, that WPA, WPA2 four-way handshake takes place and then
(15:56):
you basically stay authenticated.
Now the only difference is most of our cell phones, most iPhones, most Androids, most every device that you can connect to the Wi-Fi, you can choose to save that password in the memory and say, you know, I've authenticated once, keep my session valid.
You know, if I drop the Wi-Fi when I go to work, when I come
(16:17):
home, I don't want to have to retype my password back in, right.
So it's not saving a plain text password, but it's saving that authenticated data and saying, oh yeah, you've got the correct PMK, you've got all these pieces.
So when you come back within range, yeah, just automatically reconnect, that's totally fine, no problem there.
Essentially, what the Pwnagotchi is doing here is it's sitting
(16:40):
in the middle listening for a device sending that signal to an access point and just kind of scooping up that information while it's in flight.
So it's looking for the first two halves, two parts of that four-way handshake.
You know, message one, message two, to get the nonces, the message integrity check, and then it's trying to guess that PMK.
The Pwnagotchi also has a little piece of software built into it
(17:02):
called BetterCap, and BetterCap can be used as kind of an attack framework to do deauthentication attacks.
This is where these guys get into the gray legal area, because what they can do is, if they're sitting on a network long enough, or they see a network long enough and nobody's authenticating to it, they can say, hey, you know who's authenticated to you.
(17:22):
I'm going to send a flood of deauth packets to the access point, which in turn disconnects all devices from the access point and then forces them to re-authenticate.
Then it can sit there and sniff those authentication handshakes and try and grab more information, if all that makes sense.
The last kind of fun piece about these Pwnagotchis is that
(17:45):
they also have a little bit of AI kind of built into the background, the AI on these.
It's nothing super fancy, it's a pretty quick little method.
But since different Wi-Fi environments are different, right, if you're at a hotel, there's a lot more access points, there's a lot more people connecting, there might be a lot
(18:06):
more kind of varied authentication times and you'll see a lot more authentications without de-authenticating anybody.
The Pwnagotchi is sitting there and, as it's collecting handshakes and as it's de-authenticating people from access points, what it's also trying to do is it's trying to figure out how long do I sit there and try to deauthenticate.
How long do I sit here and wait for handshakes to appear?
(18:29):
You know, how long do I search for new access points?
And so it's taking those variables and, using what they call A2C or an advanced actor critic model, it essentially tries to balance out the length of time for which it sits there and scans for access points, deauthenticates people and grabs
(18:52):
handshakes to try and bring back the most valid sets of information that then you can take forward to crack.
So the longer you have it online in a certain environment, theoretically the better it's going to be at collecting more handshakes faster and in a more kind of constructive manner, rather than sitting there trying to deauthenticate someone.
(19:13):
For 30 minutes, doesn't work, you know, it's going to stop doing that and try something different, and its return value is basically just on, you know, if you got more handshakes doing this, keep doing that.
You know, if you got fewer handshakes trying something different, go back to what you were doing before.
So there's a whole write-up on pwnagotchi.ai about how the model
(19:34):
actually functions, but in essence it'll just kind of tune itself to whatever environment you happen to be in after, you know, being on for longer and longer.
And then finally you've figured out how do the handshakes work, how do we de-auth people from access points?
What are we trying to collect?
(19:54):
Once you have that, the Pwnagotchi keeps a little tally in the bottom left corner that says how many things have you pwned, meaning how many handshakes have you collected that have enough information in them for you to start brute forcing?
That's where you can start brute forcing some of these passwords and connect them back to those access points.
So there's a few ways to take these.
(20:15):
It'll dump those handshakes into a PCAP file on the local device and you can pull those off, and then it's up to you to choose how you want to crack those and decide whether you want to, you know, try and brute force the passwords for the access points that you saw.
Again, if you're doing some sort of pen test or red team assessment, you're trying to get into a business, you definitely
(20:36):
want to take those two handshake files and try and get the, you know, wireless password for the corporate wireless.
That's a pretty big target.
So a few ways you can do it.
Hashcat has a converter.
It's out on GitHub.
I think it's actually part of the Hashcat installation if you
(20:57):
get all the Hashcat utils off the Hashcat website.
So I think you can get it on GitHub or off the Hashcat utilities, and it essentially takes any PCAP file that has enough of that information and it'll create a Hashcat hash for version 22000.
So as you're doing your Hashcat with your GPUs, you can crack
(21:19):
those PCAP files as Hashcat files and speed it up with GPU processing.
So if you have a lot, it's a good way to do it.
Another method, if you don't want to screw around with Hashcat and converting and GPUs and all of that tuning stuff, Aircrack-ng also can do PCAPs natively.
You don't have to convert them to anything.
The only downside is I think it runs only on CPU.
(21:42):
If I'm correct, it'll crack WEP, WPA and WPA2 files.
So you can just sit there, feed it a word list.
If you want to do the combinator attack for the Netgear routers, you can throw whatever you want at it and it'll, one by one, try and crack that pairwise master key to get
(22:02):
you your Wi-Fi password and get on.
Eric Brown (22:05):
Question for you: when it's doing the deauths, is it doing it on every channel at the same time, or does it hop between channels?
Kyle Rosendahl (22:14):
For the most part it's just flooding the access point with the deauth packets.
So basically all channels, it depends on your Pwnagotchi.
So like the Pi Zeros, these little guys, they only have 2.4 gigahertz.
So if someone's connected on five, it's not going to deauth or even see those connections.
If you get like a five gigahertz antenna to plug into
(22:37):
this, you can get that five gigahertz channel and then it'll do it on that as well.
There's a tiny bit more setup to do.
Or if you build it on a bigger Pi board that has both channels, then you can do that as well.
But basically it's just dumping everyone off the Wi-Fi.
Jayden Truffler (22:54):
So it goes by access point.
Kyle Rosendahl (22:56):
So if you're in an environment where there's eight access points for one Wi-Fi signal, it's only gonna hit one of those and the clients connected to that.
So if you're in some sort of mesh network, it's only doing like one MAC address at a time.
Oh, I see.
Eric Brown (23:11):
That makes sense.
Yeah, well, like in Wi-Fi 2.4, there's 11 channels, I believe, so it would go channel by channel to get all 11.
Mandi Rae (23:24):
Before we dig into these resources, anybody have fun Pwnagotchi stories?
I'm living vicariously through you guys.
Eric Brown (23:35):
Jayden wants to say something.
Jayden Truffler (23:50):
I'll touch a little bit on my story.
So we went to DEF CON two years ago and I was working with Kyle to set up my Pwnagotchi, and I was very, very excited to get going with it.
I think we set him up like a week before we left, so I had mine going all the time, but might have brought it to the
(24:10):
airport, might have kept it in my backpack and might have gotten, I think, 500-ish handshakes in that time.
Mandi Rae (24:23):
That's a pretty amazing coming-out party for Gloria.
Jayden Truffler (24:28):
Gloria was.
She was having a good time.
She was busy that first weekend.
Kyle Rosendahl (24:34):
I feel, because you flew into DEF CON like overnight on the red-eye flight, I feel like we all met up the next morning and you're like, yeah, I've already got 550 handshakes.
How did you get so many? Like four hours of sleep?
Jayden Truffler (24:49):
Nope, we just kept going.
Eric Brown (24:55):
Is that the same year, Kyle, that you were cloning the hotel room keys?
Kyle Rosendahl (24:59):
No, that was the year after.
Mandi Rae (25:00):
There's always fun DEF CON shenanigans.
Kyle Rosendahl (25:08):
There is, and another fun thing that you can do with them, and I've never gotten the chance to do it with just a random person.
But the Pwnagotchis actually have an encrypted message thing built into them, so it's called the PwnGrid.
So if you opt into it in your config files, you can see other little Pwnagotchis that live nearby, and if they're active and
(25:31):
they're within range, they can actually communicate, and so you can actually send peer-to-peer encrypted messages from one Pwnagotchi to another by using just an open API.
So if you're sitting there on your computer you see, oh, this guy's got his Pwnagotchi on nearby, there's Pwn McPwnface.
I could just pull up my API, go to a web address of my
(25:54):
Pwnagotchi, say, send message to this guy.
I could send an encrypted message directly from Pwnagotchi to Pwnagotchi, fully encrypted.
So there's goofy little things on them that you can do that I've never done with anybody else, but I know at DEF CON every year, I think, they have a Pwnagotchi party where people put
(26:14):
them together, they raffle off, you know, sets, and some people go all out and put like LEDs and shiny stuff on them and make them all fancy.
Jayden Truffler (26:23):
Yeah, we'll have to try that out next.
Jaden shared her fun Pwnagotchi story.
Eric Brown (26:31):
Do you have a fun Pwnagotchi story, Kyle?
Kyle Rosendahl (26:35):
I don't know if I have a fun one like that.
For the most part, you know, it's interesting to use them as kind of tools for crafting word lists, right.
So if you're just sniffing the wire and you're not de-authenticating people, they're not technically doing anything illegal, right, you can just scoop that stuff up as
(26:58):
it's in transit, and if you're not using the information you gather to break into somebody's Wi-Fi, there's no malicious interaction with that person's network, so you're not breaching anybody's networks.
But one thing that I've found them very useful for is just
(27:19):
collecting stuff, practicing cracking hashes, and then you get some really interesting context for how people create their passwords.
So I've been able to use it to, you know, make better crafted word lists and things to try and crack other stuff.
Because I think one of the things that you find, especially
(27:40):
if you're in kind of the red team side of things and you work on creating word lists, or if you work on cracking passwords or even AD password cracking, people think they're kind of creative with how they build their passwords, but a lot of times they're very similar and they're very not unique.
So finding ways that people do their Wi-Fi passwords, you
(28:02):
know, kind of gives us a better idea on how to craft passwords more effectively in the future.
So building those kind of crafted word lists is something that, you know, I think they're super handy to do, so not nearly as exciting as Jaden's story, but a fun use for him.
Mandi Rae (28:20):
Eric, do you have any stories of your Pwn McPwnface up to no good?
Eric Brown (28:29):
No, I don't.
I've just carried it around the office from place to place and gotten a couple handshakes, but nothing like Jaden's story.
Kyle Rosendahl (28:45):
Before we go too off topic, right, I think one of the things I didn't cover too much is common defenses, right, against these types of attacks.
So, for those people using WPA, WPA2 to protect their networks, you know, one thing that you can do to protect against something like this is to use a secure password that's
(29:06):
not easily guessable.
If you want to be super secure, make sure that you're not remembering your password with any device, so that if it gets disconnected it's not automatically resupplying that password to the access point.
Doing those two things with WPA, WPA2 makes it much more
(29:27):
difficult to breach.
But then, kind of the last piece, and I can try to jump to add some resources up to WPA3.
And talking about that handshake, you could implement WPA3.
It's not super widespread at this point in time, just because,
(29:51):
as it comes to WPA3 and WPA2 compatibility, essentially both the device and the access point have to be compliant with one another, and if one of them is using WPA3 and the other one doesn't support WPA3, it's going to default back to WPA2 if that's enabled.
And if you don't have WPA2 enabled, then it won't get on
(30:13):
the Wi-Fi.
So there's a compliance issue there between having a device and the access point both compliant with the same authentication standards, and then making sure that, you know, you have widespread availability as well as a secure system.
Essentially, I could have looked it up, but WPA3 uses
(30:34):
like a simultaneous key exchange, and then it uses like a Diffie-Hellman key exchange as well, with an elliptic curve.
But essentially what that means in non-super-technical nerd speak is that both the access point and the client are creating a private and a public key invisibly from one another,
(30:55):
and similar to how, like, PGP encryption works for email, the only thing that the other side sees is that public key as they encrypt their messages, and then they're using the other side's public key to decrypt the messages and make sure they match the privates on the back end.
That stops this four-way handshake attack from working,
(31:15):
because there's no kind of plain text data that's getting sent in between.
That works for the authentication protocol.
Now there are some researchers who've tried to crack... What do they call it?
They don't call it AES.
There's SEO, maybe, the way in which these things occur at the same time, simultaneous encryption, something.
(31:41):
SEO, I think, is what they named it.
But some people have shown some security vulnerabilities.
But it's still way more secure than WPA, WPA2.
So if you can do WPA3, obviously do that.
Otherwise, strong passwords and not saving your password.
Mandi Rae (32:01):
Those are really good insights into how to protect you against other people with Pwnagotchis.
Let's dig into, for our listeners who are kind of jealous right now and want to take this next week to make their own, is the first resource you have "Build a Pwnagotchi"?
Kyle Rosendahl (32:21):
It is, yeah.
So pwnagotchi.ai is the website for the Pwnagotchi.
It basically has all your instructions.
It gives you a shopping list of what items you need to buy, as well as links to the recommended hardware, and then just basic installation configuration instructions on there.
(32:42):
So it's pretty straightforward.
Takes a little bit of technical knowledge, but they do a really good job of kind of spelling it out step by step.
So as long as you read carefully and just kind of choose the most easy stuff to put together, I'd say you could get it done in an afternoon.
Mandi Rae (32:59):
I was reading as you were scrolling down here, someone saying it's cute AF, and I agree, they are so stinking cute.
Jayden Truffler (33:08):
I like how they make different faces when they make a handshake, so you can hear.
It's like he's wearing glasses.
Mine looks like it's scared.
But, yeah, they make different faces when they make new connections or when they're around another Pwnagotchi.
Mandi Rae (33:27):
What other resources do we have?
Kyle Rosendahl (33:31):
Yeah, the other resources.
I don't know if we have to get into learning about BetterCap, that framework that the Pwnagotchi uses to do deauthentications.
I've got an explanation of the BetterCap attack and how it does that.
And then again GPU and CPU cracking, just some resources there for Hashcat usages, and then that Aircrack-ng website.
(33:55):
So if you're interested, obviously check out the slides, check out the pwnagotchi.ai website, and if you want to learn more about the attacks, I've got some good resources there as well.
Anything with IPv6 and how that might relate to this at
(34:15):
all, Kyle?
Yeah, I mean IPv6, it's post-authentication with the wireless access point, so probably not a ton to do with these access point attacks, but IPv6 is, I mean, we skipped IPv5.
IPv4 is a 32-bit address.
IPv6 is a 128-bit address.
(34:38):
128?
Yeah, because IPv5 would have been 64.
So, yeah, it's a 128-bit address and essentially will expand, you know, how many addresses can exist out on the internet.
IPv6 is going to be theoretically more secure from that standpoint, but I don't know.
(35:01):
I think it'll be the standard someday.
I'm not sure when that day is going to be, hopefully when WPA3 is fully standard.
What are your thoughts on IPv6?
Eric Brown (35:16):
I was at CES last week and CES, if you haven't been, it's huge.
It takes up multiple floors of multiple casinos, convention centers, and I was in one of the floors I don't remember which
(35:39):
one, but I was walking along and there was a sad little table off to the side where these companies like LG, for example, have they've spent millions on their booth.
It's hundreds of feet long and tall and wide and has all sorts of new technology in it.
So just walking over all around seeing all these new technology
(36:01):
things, and I see this sad little table off to the side and it's it's um, it was uh, there's a poster on it for IPv6, and it was the Wireless Foundation or whoever is advocating for IPv6.
And they had a couple stickers on the table and everything.
And I stopped and chatted with them and asked them how people's
(36:25):
reaction was to IPv6.
And they said most people said that while they understood the need for IPv6, they weren't looking forward to implementing it or hope to be retired by the time it was implemented, just because it's changing the paradigm of how networks connect
(36:47):
and talk to each other, with all addresses essentially being public.
So from an information security perspective, that does change quite a lot around how you set up your networks.
So not that it would be better or worse, just different.
So it was cool to see them there and glad that they're
(37:07):
advocating for it.
But I've heard the same thing when I've talked to others about how much IPv6 they've put in their networks.
I know when we go into client sites we don't see it a whole lot.
Obviously it's already out there in some of the public space with Comcast and other ISPs.
(37:28):
Your modem or your gateway will have an IPv6 address and your cell phone has an IPv6 address.
But we don't see it a lot in corporate networks yet.
Kyle Rosendahl (37:42):
And I know from like an analyst perspective and maybe Jaden can speak to this too, the one thing that doesn't exist for IPv6 very well right now is like a standard lookup table.
So it doesn't apply to, you know, access point security.
But when we see an IPv6 address come in as part of like an
(38:03):
attack or as part of a you know threat framework or inside a piece of malware or something like that, there isn't necessarily like a public database right now.
That's super accessible.
We can do like a reverse IPv6 lookup and say you know, this address belongs to, you know, this group of Facebook data
(38:23):
centers and here's the administrator for it.
You know you can put in 111.
You name it for your 32-bit address and basically find who owns it.
IPv6, there just isn't like a good curated database right now, so it feels more anonymous and weird.
But I can see why people would be not wanting to do the work to
(38:45):
get it implemented.
That makes perfect sense.
Jayden Truffler (38:48):
Yeah, I agree, Kyle.
There's just not a lot of info out there on analyzing these IP addresses, the IPv6, but I'm sure over time, once people start migrating that direction, they'll become more available.
Mandi Rae (39:04):
And I've heard a lot of acronyms today.
So CES, I want to try to guess, is that the Consumer Electronics Show?
Eric Brown (39:13):
It is.
Yes, it's held once a year in Vegas, usually in the, I think it's first convention of the year, so it's usually first or second week of January, which is a great time to be in Vegas.
Um, quite opposite of DEF CON, where it's like 120 degrees in
(39:36):
Vegas it was a nice comfortable 40 and 50 degrees during CES, and this year there were, I think I saw, 160,000 people.
They said that were there this year.
In past years I think it's approached 200,000.
Can you?
Mandi Rae (39:57):
state tech.
You want to brag that you gotto see.
Eric Brown (40:00):
Let's see.
I was impressed with a couple of things.
One of them is a 3D monitor.
So where in the past, in order to see something in 3D, we've had to put on the glasses right, like you're going to the movies?
This year there were a couple of companies that had monitors
(40:23):
that had cameras built into them and if you stood a certain distance away from the monitor, like three or four feet, it would capture where you were looking.
So the built-in cameras would recognize your eyes and from that point on it would track where your eyes were looking.
So if you moved a couple of feet to the left or right, it
(40:44):
would track your eyes and the way the frame refresh rate was built.
It was showing essentially two stereo images and what it looked like when you were standing in the right field of view was an actual 3D image in that monitor.
(41:05):
So that was pretty cool and if you were behind somebody that was looking at it you could kind of see that it was 3D.
But when you were right in front of that monitor it really looked 3D, which was pretty cool.
And then I saw some other technology where there's a company that had a camera off to the side of the keyboard that
(41:26):
was paired with a pen and that pen then was moving in 3D space so you could manipulate the 3D objects on the screen with the pen.
I don't know a lot of practical uses for it yet, but maybe in doing some engineering or bioscience you might want to
(41:48):
manipulate models in three-dimensional space on a computer screen.
Seems like it'll be pretty cool and I I would think in the next three years we're gonna see that mainstream, like we saw the curved monitors and I think before that, um, wasn't it like around 2010 you could go to Best Buy and get a 3D TV, but you
(42:10):
had to wear the glasses, so that was cool.
There's a lot in the robotics around home automation and yard automation with robotics, vacuum machines and things like that.
We've seen those for a while.
Mandi Rae (42:31):
A few different companies had lawnmower machines that I was gonna say my neighbor has one where it's like DJ Roomba but for your grass and I.
I thought that was crazy.
So you're seeing more of that in the marketplace yes, uh, there's one company.
Eric Brown (42:50):
There's one company maybe it's called Yardbird they have.
It's essentially the engine piece and then there are three different attachments at this time.
One is the lawnmower, another one is a leaf blower and then another one was a
(43:11):
snowblower.
So it essentially would would go out, and if you had the snowblower attachment on there, it's just going to continue to clear the driveway or the sidewalk throughout the snowstorm, because it it could only do maybe six inches at once, but the the thought was you would just have it continually running.
Mandi Rae (43:31):
Unless you lived in
Minnesota with a good snowstorm.
Eric Brown (43:38):
Yeah, so there were some pretty cool things.
I don't know that I would go every year.
I might go every five years or every 10 years, just because I don't think the stuff is going to turn over.
There's not going to be anything next year that probably was there this year.
Maybe there'll be one or two things that came out, but it's the slow progression of tech.
(44:01):
Lots of electrical vehicles, electric boats were a thing, electric hydrofoils.
Not a lot of drones this year, it didn't seem.
There was a dental device.
I think it was a company out of Korea.
It looks like a water pick but just the handle part and you
(44:27):
could scan your teeth with it.
It had a laser on the end.
You could scan your teeth with it and it would measure the depth of any cavities that you had and then over a certain number they say you should go to your dentist.
So it would kind of measure.
The scale was between 1 and 99.
So I thought that was interesting and they were
(44:48):
selling that on the spot for $200.
Mandi Rae (44:52):
Crazy.
People are going to be triaging their own dental care needs now from home.
Eric Brown (44:57):
That's frontier
medicine yeah.
Mandi Rae (45:00):
See what you see there and predict how soon in the future it will be readily available for us to buy markets.
Eric Brown (45:07):
Yes, and a lot of companies there were trying to get their products picked up by a distributor or a manufacturer, so it could be a company of like 10 people.
Like a low-key Shark Tank.
(45:27):
Exactly um, um, bloodless, uh, or or sorry, um, yeah, I guess bloodless, you could say where you didn't have to prick your skin to test your glucose levels, so it was using a laser to to
(45:48):
get that information.
So there there was a laser lance where it it burned.
I think they said like at a thousand degrees, something like that.
But it would.
It would actually prick your skin with the laser, but you wouldn't feel it because it was such a small hole, and then you
(46:10):
could put that on a piece of paper and stick it in the machine to get the glucose reading.
I thought that was interesting.
Mandi Rae (46:18):
That's really cool as we strive to look for cures for things such as diabetes.
Hopefully, technology can advance so it's not so uncomfortable to be able to manage your health.
That's really cool.
Eric Brown (46:32):
And the last one I guess I could talk about was in that home medical device.
There is a company and I don't remember the name of the company, but they had these almost like tongue depressor size sticks and the idea is you put that stick in a urine stream and then
(46:57):
take a picture with their app.
So you take a picture with your camera, with your phone camera.
Jayden Truffler (47:05):
You're starting
to sound dirty.
Okay, keep going.
Mandi Rae (47:08):
PMA stick.
Take a picture of it.
Eric Brown (47:11):
And then it would tell you what was going on with you and all of your maladies, associated with what it could pick up, so glucose or other vitamin deficiencies, anything that could be essentially, I guess, detected that way.
(47:33):
So I thought that was kind of interesting.
Mandi Rae (47:38):
Kind of brings new thoughts to using a stick and urine to find things.
Notoriously it would be.
Am I pregnant?
And now we're finding out, oh, I'm vitamin D deficient.
It's pretty cool how they're evolving on things.
Kyle Rosendahl (47:55):
It's just about
gender equality with being on
sticks.
Eric Brown (47:58):
I think there was a couple other things that were there, but we could talk about those in an After Dark episode.
Okay yeah, that sounds good.
Well thank you for sharing with us.
Mandi Rae (48:10):
That's so interesting to talk more about the Consumer Electronics Show.
Pivoting back to Ponegachis.
Anything else, team, before we wrap up for today?
Eric Brown (48:28):
Not for me, that we've got both Kyle and Jaden on with us here and we may have to have them come back for a future episode, because right now there's a little contest going on between Kyle and Jaden where Jaden's got a project that she's working on essentially replacing the physical security,
(48:51):
the door badges and the door locks for a company, and Jayden's got some pretty cool tech there and she did a pretty cool design on that security and Kyle thinks that he can bypass Jayden's security.
So this could be a pretty good future episode.
Kyle Rosendahl (49:15):
Good luck, Kyle.
I tried to put a case of High Noon on the line and she didn't respond, so I think she's afraid.
Mandi Rae (49:22):
I think a case of High Noon is exactly what the bet needs to be, and I'm going to ask our loyal listeners to stay tuned because we will visit once Jaden has her security structure in play.
If Kyle was able to penetrate it, this is going to be interesting.
Competition's on, man.
(49:42):
Well, thank you to Jaden for joining the podcast team here on this episode of the Audit, and many thanks to you, Eric and Kyle, for bringing this valuable insight.
As our listeners know, you can stream the Audit anywhere that you stream podcasts.
If you want to check out the presentation material, get to
(50:05):
see the video.
Please check us out on YouTube or our website, itauditlabs.com.
Hope everybody has a great rest of your day.
Talk to you guys later, bye, bye.
Eric Brown (50:21):
A well-designed framework will reduce organizational risk and improve overall security posture.
Contact IT Audit Labs and have us lead your team in outlining a strategic approach to remediate organizational risk.