June 2, 2025 • 35 mins
What happens when you cross a Tamagotchi with a Wi-Fi hacking tool? You get the Pwnagotchi—a pocket-sized device that "feeds" on Wi-Fi handshakes and learns from its environment. In this episode, Jayden Traufler and Cameron Birkland join the crew to demonstrate how this deceptively cute device can passively capture encrypted Wi-Fi credentials from any network in range, autonomously gather handshakes, share intelligence with other Pwnagotchis, and operate completely under the radar from conference floors to airplane cabins in ways that might surprise you.
- Key Topics Covered:
- How the Pwnagotchi captures Wi-Fi handshakes through deauthentication attacks
- Why WPA3 networks are immune (and why most networks still aren't using it)
- Building your own Pwnagotchi vs buying a Flipper Zero with Wi-Fi dev board
- Real defense strategies beyond "just turn off your Wi-Fi"
- The legal gray areas of passive Wi-Fi monitoring
- Conference horror stories and the 600-handshake airplane incident
Whether you're a security professional looking to understand emerging threats or someone curious about DIY hacking tools, this episode delivers practical insights you can use to protect your networks today. The Pwnagotchi proves that the most dangerous attacks often come in the most innocent packages.
Don't let your organization become the next victim of passive Wi-Fi attacks. Like, share, and subscribe for more hands-on cybersecurity content that keeps you ahead of emerging threats!
#Pwnagotchi #cybersecurity #wifihacking #ethicalhacking #infosec #flipper zero
Relevant Links:
Jayden Traufler
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
You're listening to the audit presented by IT
Audit Labs.
My name is Joshua Schmidt,co-host and producer.
Today we're joined by JaydenTroffler and Cameron Birkland.
They spent a little bit of timeworking at IT Audit Labs and
they've spent even more time,probably in the recent weeks,
working on Ponegachi for thisepisode today.
We did a Ponegachi episodemaybe two years back, but we
(00:26):
wanted to refresh it today andkind of give a fresh look, bring
some updates and kind of goover the whole thing from the
top to bottom again.
So welcome to the Audit Podcast.
Thanks for joining us.
How are you two doing today?
Jayden Traufler (00:38):
Doing well.
Joshua Schmidt (00:39):
Working from home today.
Jayden Traufler (00:41):
Yes, and we got Eric Brown and.
Joshua Schmidt (00:42):
Nick Mellum riding shotgun in the IT Audit
Lab studio today, and we gotEric Brown and Nick Mellum
riding shotgun in the IT AuditLab studio today.
It's getting wild over here.
We got cats, we got pinballmachines.
We got Tibetan lunch happeningtoday.
As we were getting ready forthe podcast.
You were talking about ourrecent experience at Secure360.
And I believe we had somecontention around the
(01:04):
preparation and the winner.
Do we need to rehash that?
Is there anything we want totalk about?
Eric Brown (01:08):
I don't know if we need to rehash it.
I mean, I think we've acceptedthat we were beaten by the next
team.
Nick Mellem (01:14):
You didn't even come in top five, so I don't
know.
I think the argument thatyou're bringing up is hold on.
Eric Brown (01:19):
We came in top five, Sam signed delivered, we came
in top five.
Nick Mellem (01:23):
We came in top five .
Sam signed delivered, we camein top five.
Oh, you were top five, you werenumber five.
But we do have to say and bringup how good of a job that Cam
did.
He led the whole thing, thewhole competition, the whole
competition.
For every player.
There was 14 teams, yeah 15.
, 15.
Eric Brown (01:41):
And two weeks prior, cam was on our team.
Nick Mellem (01:45):
Well, we're going to fact check that news.
That's fake.
Cameron Birkland (01:48):
I did do some moving around.
Nick Mellem (01:51):
You don't need a Cam at Com, just keep it to
yourself.
Joshua Schmidt (01:54):
I'm going to switch gears to today's topic.
We're talking about Ponegachi.
So is this like a Tamagotchi?
What do we got going on here?
What is it?
What does it do?
Is?
What do we got going on here?
What is it what?
Jayden Traufler (02:08):
does it do?
Can you explain it to me?
I don't really know a lot aboutit.
Yeah, I'll start here.
Um, tamagotchi, ponegotchi.
They're similar but not thesame.
The Ponegotchi is actually atiny little Wi-Fi hacking tool.
I actually have mine right hereyou can see, just a tiny little
(02:29):
guy, looks similar to aTamagotchi, but its job is to
passively listen to wi-fihandshakes and intercept those,
those encrypted keys that arebeing transferred, and you can
take those offline and crack.
It's quite the little device.
Joshua Schmidt (02:52):
And Cameron, I know you, you did a lot on our
Flipper Zero episodes but maybeyou could speak to like it's got
a little face on it.
Is that actually like showinganything of value or what's
behind the face?
Cameron Birkland (03:04):
Yes, so there's a number of faces on it
that can correspond to eitherwhat it's doing or what it isn't
doing, right Like.
It can be happy if it cracks orif it grabs a lot of handshakes
.
It can be sad If it doesn'tfind any.
It can be surprised.
I believe it can be angry.
It can sleep.
(03:24):
I can see if I can show mine.
Mine is sleeping right now.
It, they don't you know, affectthe functionality of it, but
it's something fun that itdoesn't.
It's it?
Uh, it almost, you know, ismeant to be like a like, like a
tamagotchi, right?
You can almost form anemotional attachment to this
(03:45):
thing.
Nick Mellem (03:47):
Do you have to feed it?
Because, merrill, we're.
Jayden Traufler (03:50):
You can get handshakes.
We all know when I was younger.
Nick Mellem (03:55):
Okay, see, that's good, because when I was younger
I had one.
It was a white one.
Obviously it looked like an egg.
This one looks like a box or asmall box, but you had to feed
it to keep the thing alive.
Looks like a box or a small box, but you had to, like, feed it
to keep the thing alive, right?
Eric Brown (04:06):
Okay so it's like the same thing, yep, you had to
feed it digitally to keep italive.
Nick Mellem (04:09):
This is the hard hitting evidence we're gathering
right now is if you have tofeed your on a gachi.
Joshua Schmidt (04:15):
Eric's pretending like he didn't have a
Tamagotchi Never had one Don'teven know what it is, just cats.
Nick Mellem (04:22):
Okay, so trying to get up here from Texas, brings
three cats with him.
I flew up here with three cats,first class Daddy Cathy over
here.
Yeah, maybe we'll get anappearance from Chatty Boy today
.
We're trying to.
He's ping-ponging off the wallsover here.
That's why we went mute asecond ago to try to get there's
(04:43):
Chatty Boy.
Joshua Schmidt (04:49):
Oh my gosh, we got tamagotchi and cats.
Nick Mellem (04:50):
Today we got chatty's little bat over here
just living the life.
He was engaged about thisepisode, or he still is so
jayden?
Joshua Schmidt (04:59):
um, I was reading on the ponagachi.
It claims to be like.
It claims to learn from itsenvironment.
Is it actually like machinelearning or is that just kind of
a branding thing that they cameup with?
Jayden Traufler (05:10):
Yeah, it's more so like reinforcement learning.
It learns based off of itsenvironment and how well it's
doing it.
Can, you know, determine ifit's you know what channels are
are the best to scope out?
Um, you know it prioritizes itsbattery life.
It knows when it needs to worka little less hard.
(05:32):
Um, and what's really cool is,with these devices, um, they can
actually detect each other andwhen they do, they can share
that, what they've learned inthe environment.
And, like I said, littledevices but very powerful.
Nick Mellem (05:49):
Do you have to approve the connection between
the two, or are they just, likeall, interlinked like an AirTag
is?
Jayden Traufler (05:56):
It's like a setting you can configure prior
like prior when you're making itto allow those connections, but
you can block it if it's notsomething you want to do.
Eric Brown (06:08):
Jayden, the output of it.
It's on an e-ink screen right.
Jayden Traufler (06:12):
Yep, yes, that is what these are, and it's not.
You don't need the screen, butit definitely makes it better
and the face makes.
Eric Brown (06:24):
the face changes a little bit when it gets a
handshake or you know it haslike when it's getting
handshakes and you can even seeon the screen, it'll tell you.
Jayden Traufler (06:33):
You know, in the process of getting a
handshake from SSID blank, um,so yeah, the screen is
definitely helpful in that sense.
Eric Brown (06:41):
So do you just kind of throw it in your backpack or
what do you?
How do you use it?
Jayden Traufler (06:47):
Um.
You know there's different waysto use it, different places to
use it.
Um.
I worked at a company thatallowed me to use it in
production, um and I had it runfor about a day and captured a
significant number of handshakesfrom all sorts of personal
(07:09):
devices, corporate devices,anything that is trying to
connect to Wi-Fi.
But yeah it's very portable.
You can put it anywhere.
Nick Mellem (07:20):
Jaden or Cam.
Both of you can jump in on this.
Is there places you shouldn't?
This is not an omission ofguilt if you have done anything
nefarious.
Cameron Birkland (07:32):
Well, for me I'd say, technically, you're not
really supposed to use itanywhere, but at home, right,
like you can set a whitelist onit to just do your home network,
which is what you're supposedto do, because there's, you know
, I don't the laws andeverything are kind of a gray
area there as far as, like youknow, is it legal?
(07:55):
You can, I think, things thatare traveling through the air
like this that are unencrypted,you know it's a.
I don't feel like it wouldnecessarily be illegal to
capture them.
But the Ponegachi also activelydeauthenticates devices so that
it can grab the handshake whenthe device reauthenticates.
So that's where it gets alittle more shaky.
Joshua Schmidt (08:17):
Could you expand on that, cameron?
So like, how is a hacker goingto use this or a threat actor
going to use this and maybe,jaden, you could fill in any
gaps but how are people going touse this in a nefarious way?
Cameron Birkland (08:28):
Yeah, I mean.
This is a device where ifthere's a particular Wi-Fi
network that you want to getinto, you have to get the hash
for the password right to beable to crack it.
So the Ponegachi goes out anddeauthenticates any devices that
it can find in an attempt tocapture the handshake when it
(08:50):
goes to reconnect.
And if there's a particularnetwork you're targeting, you
can set the Ponagachi to do that, or you can just turn it on in
range of the network and justlet it run until it captures a
handshake.
Eric Brown (09:01):
What's the difference between the Ponagachi
and the Flipper Zero?
Cameron Birkland (09:07):
Yeah, the Flipper Zero is more they call
sub-gigahertz, right, like thethings like garage door
transmitters and so on, like notwireless.
But there's a wirelessattachment for the Flipper Zero
that can give it all thecapabilities that the Ponegachi
has.
Nick Mellem (09:27):
So if you have a Flipper Zero, you're good
Essentially, and I did hear thatsomebody had some sticky
fingers at Secure360.
Eric Brown (09:34):
Really.
Nick Mellem (09:35):
We got an email yesterday or one of the last two
days that if you took a FlipperZero, you're supposed to return
it to booth.
Whatever number it was oh,somebody swiped it from the
booth.
It might have been Cam, but wecan't, we don't know.
We're not sure.
Joshua Schmidt (09:53):
I think it might have been one of Nick's cats.
Nick Mellem (09:55):
Mr Miyagi took it.
Joshua Schmidt (09:57):
I'm allergic to these things so yeah, can you
think of anything that we missedthere?
That like, or maybe you canexpand upon, like, how threat
actors could use this in avarious way, like once you get a
handshake, then what do you golike?
Try to crack, crack passwords,or, or after that what happens?
Jayden Traufler (10:14):
yeah, so you are just capturing any and every
handshake you can get yourhands on.
So I, even if you're justtrying to get into one network,
you have the potential to getinto tons.
And you're getting all of theseencrypted hashes that you can
take offline, go crack and thedoor's wide open after that.
Joshua Schmidt (10:37):
You mentioned that you got to use this at
another project.
How did you use it to make suresecurity was shored up, or how
did you use it to make suresecurity was shored up, or how
did you use it in a good way?
Jayden Traufler (10:48):
I think it was more so, just to show how easy
it was to do.
I mean, you can build one ofthese things with a few pieces
of hardware in an hour of sparetime and it I had it on for one
day and was able to get hashesfrom you know significant
(11:09):
numbers of SSIDs.
So I mean, although, yes, it'sgood to you know, defend
yourself against that.
And that's one way to look atit and that's how we took it was
.
How do we defend against that?
But it's also, you know, alsoshowing how simple of a device
(11:29):
this is and yet it can be sopowerful.
Eric Brown (11:33):
Was it true, Jaden, that on the plane to DEFCON that
maybe somebody had thePonegachi on?
Nick Mellem (11:41):
That's what I was trying to get into when I said
you shouldn't do that.
Jayden Traufler (11:44):
There was a rumor that somebody took one on
a plane.
I cannot confirm or deny.
Nick Mellem (11:53):
You don't know who that would be.
Jayden Traufler (11:55):
I don't know who it was, but I did hear that
they were very successful andhad 600 handshakes by the time
the plane landed.
Nick Mellem (12:07):
So for anybody listening out there, jadenden or
cam, can you guys comment onhow you would protect yourself
against an attack like this?
Are you just turning your wi-fioff, or what are we doing here?
Jayden Traufler (12:16):
yeah, I mean, obviously wi-fi off is priority,
um, but you can't always dothat, so I think turt or
deleting old ssids out of yourphone is always good.
Any SSID that your personaldevice or any device has
connected to, it's consistentlytrying to make that connection
(12:38):
all the time.
I mean, if you think about it,you go to work and all of your
devices automatically connect toWi-Fi.
It just knows it's alwaysattempting to make those
connections.
Cameron Birkland (12:47):
Yeah, yeah, don't use Wi-Fi is what it's
always, you know, attempting tomake those connections.
Yeah, yeah, don't, don't usewi-fi.
Is is what it comes down to.
But, um, but in actuality, thethe ponagachi.
I think the main concern iswith home and business networks
right, public networks.
You're already allowing anybodyand everybody to access it,
even if it has a password.
(13:08):
So in the Ponegachi's real goalis to get handshakes with
password hashes.
So public networks aren'treally of concern as much.
But for your home network andeven your business network,
there's a number of things thatyou can do to protect yourself
against a Ponegachi attack.
(13:30):
The biggest one is switching toWPA3.
Right now, a lot of ournetworks are still on WPA2.
I may support WPA3, but areusing both WPA2 and WPA3.
Wpa3 can't be touched by thePonegachi.
(13:50):
That's the latest Wi-Fiencryption security standard.
Nick Mellem (13:55):
Well, we were talking about this the other
night.
At that event, we were what wasthe mode?
It was called, was it?
Eric Brown (13:59):
listener or transition mode, transition mode
.
So after Secure360 on Wednesday, brian Johnson, who's been on
with us before from 7 MinutesSecurity, was having a gathering
and he was talking about goinginto an organization doing a pen
test and one of the things thathe's finding is that
(14:19):
organizations leave their ifthey're using Meraki.
Meraki has the ability to leavethe APs in transition mode and
transition mode then stillallows for those legacy
authentication methods.
So if you leave the APs withtransition mode enabled, the old
(14:41):
attacks still work.
So the advice or the guidancewas turn off transition mode.
But if you do that, then thelegacy or older devices may not
work.
So then you may hear from usersand I think the consensus at
that thing, nick, was the bestway to do it, or kind of the
only way to do it is just do it,pick a day and time and do it
(15:01):
and then have the screen test.
Nick Mellem (15:04):
All hands on deck for all the tickets that are
coming.
Cameron Birkland (15:07):
I mean we're at a point where almost every
device that we're using on Wi-Finow supports WPA3, right, we're
just the routers and you know,access points are just kind of
still holding on to that old,you know WPA2.
Just in case.
Eric Brown (15:24):
So what I was just going to share was, off of this
computer, the networks that ithad, quote unquote, known.
And if I took this computerinto a Starbucks or into another
location, turn it on, like whatJaden was saying was, it's
going to beacon out and it'sgoing to say you know IT audit
labs, are you there Becausethat's one of the known networks
(15:46):
and it's going to broadcastthat out.
Are you there Because that'sone of the known networks and
it's going to broadcast that out?
So if I was at a Starbucks andthen I see that the wireless is
connected to IT audit labs, Iwould know that there was
someone with a device that wasspoofing IT audit labs,
something like a Wi-Fi pineapple, for example, or, you know,
(16:06):
maybe even a flipper zero thatwas spoofing the network and
then trying to capture that,that handshake.
Joshua Schmidt (16:17):
So, cameron, I know you you're really
proficient at the flipper zeroand you're kind of our go to
tech guy when it comes to thesekinds of episodes.
When it comes to these kinds ofepisodes, are there any other
like tools you can pair with thePonegachi to like up its
abilities or anything like that?
Or is that just kind of astandalone device?
Cameron Birkland (16:35):
Yeah, I mean, there's, you know, more complex
devices out there that you canuse, and I think the Flipper
Zero is actually one of them,just by a bit.
But the Ponegachi is just sodead simple is is why it?
You know, I don't know ifthere's something that can
compare to it because this is aseasy as getting a, you know,
(16:59):
raspberry pi and a screen andyou know, in my case, a battery,
um, flash the firmware onto ansd card and you're running,
maybe some minor settings,adjustments, but it just goes
and does what it does and youdon't have to do anything to it.
Joshua Schmidt (17:16):
So it's kind of a one-trick pony for hackers.
Then the tool does specificallyone job.
Cameron Birkland (17:23):
Yes, it does one thing, but it does it well.
Nick Mellem (17:26):
I guess either of you, if you were going to buy
one of them right now flipperzero or a panagachi would you
buy one versus the other, orwould you just want them both?
Jayden Traufler (17:34):
I think I would want both of them personally,
yeah, yeah, I think the thepanagachi is so easy to just
build yourself too, like it'snot, you know, hard to have both
.
Reclipper Zero has so manydifferent parts to it and it can
do so much more.
It's probably a cooler device.
Cameron Birkland (17:53):
but I mean just for one example.
Like you know, the Flipper Zeroon its own has no wireless
capabilities.
So you get the Wi-Fi dev boardclips on the top and this gives
it similar capabilities to thePonegachi.
(18:14):
I'm pretty sure that I don'tknow if you can run the
Ponegachi firmware on here, butyou might be able to.
I mean, this can essentially doall the same things, right, but
you have to get the FlipperZero, which comes at a little
bit of a cost, and then thisboard is extra, whereas this is
probably less than half theprice.
Nick Mellem (18:33):
Unless you stole that Flipper Zero from the
conference this week.
Did that happen?
Hey, I can't say so.
What I'm curious about is if Iwanted to get a panagachi right
now, where am I going to go tobuy one?
Cameron Birkland (18:49):
so you, you know you can.
I believe you can buy thempre-built at a cost, you know,
because somebody else builds itfor you.
But essentially this, this is aproject right?
You buy the parts and build ityourself.
You can go out to a fewdifferent places, buy each
component and build it.
The case in my case is 3Dprinted and I think that goes
for a lot of people.
(19:09):
You can buy all kinds ofdifferent 3D printed cases.
Print it yourself.
You know you can do differentconfigurations Like mine is
extra tall because I've got aparticularly large battery in it
so it can run for at least afew hours on its own without
having to charge it that's itonly a few hours with that big
battery it's it.
(19:29):
Um, it actually runs a littlewarm, you know, once, once it
starts going, and I think mybattery is also a few years old,
so it's not as good as it was.
Joshua Schmidt (19:40):
So doubles as a hand warmer here in Minnesota.
Have you taken this out intothe wild at all?
I mean, I know you said you'resupposed to use it at home, but
what are some of the ethicallike implications, Like can you
just have this on you and is italways looking for a handshake
or?
Cameron Birkland (19:56):
Well, I think that's how people generally use
it.
And for myself, I would kind ofsay yeah, I've captured a
number of handshakes with mine.
I recently, you know, reset itand put new firmware on it, so
the count isn't there, but Ithink I'm up to like 80
different handshakes.
Eric Brown (20:16):
What's your number at Jaden?
Joshua Schmidt (20:22):
I deleted mine off, I'm back at zero.
Say, you're doing a blue teamkind of a deal and there's a
Ponegachi on the premises, likeat Secure360, someone snuck one
in.
What would tip you off?
Is there a way that you cantell if there is one looking for
handshakes?
Are there any any other devicesthat could help guard against
that sort of a thing?
Cameron Birkland (20:43):
I think that there's a um there is.
There's not really a great wayto, but I know of a um sort of.
It's an enterprise sort ofprogram, I believe called enzyme
, where it it uses uh, you use,I think you can use Raspberry
Pis, wireless ones and use themas like sort of access points,
(21:05):
put them around.
It keeps tabs on the airspacefor wireless and if it can see a
bunch of you know DIA packetsbeing sent out, it can send you
an alert.
You know, because that would becoming from a Ponegachi.
But overall there's not alwaysa great way to tell when
(21:26):
something is happeningespecially if you're not
specifically set up to detectthat.
Eric Brown (21:32):
So, josh, if you're going to a security conference,
you're pretty much guaranteed torun into it.
You're pretty much guaranteedto run into it.
At DEF CON, they used to havethis thing called the Wall of
Sheep, and they would publiclypost whose device they were able
to compromise.
A little public shaming in thetown square, then at the
(21:59):
conference.
If you're going to the probablythe, you know, the premier
hacking event in the world,probably pretty safe to assume
that there's some charactersthere that are not doing all
white hat work.
Nick Mellem (22:11):
So nefarious activity for sure.
Cameron Birkland (22:14):
Yeah, I wouldn't even want to use a
mobile hotspot there.
Joshua Schmidt (22:17):
Right, so is this something a VPN would guard
against?
I guess, speaking aboutconferences and then more
specifically Ponegachi, ifyou're running on Wi-Fi and you
have a VPN, does that make yousafe, or is that just?
Eric Brown (22:31):
Well, this is going to work at a lower level than
the VPN right, a lower levelthan the VPN right.
This is going to operate at thenetworking layer, where it's
going to work to grab thesession token, if you will, that
(22:52):
handshake, when the device isconnecting to the wireless
access point.
So it doesn't necessarilymatter if you are using a VPN or
not, because the session hasn'tnecessarily been established.
So once the session isestablished and you have that
(23:13):
wireless connection, and thenthat wireless connection is
allowing you to the internet,that's where you could build the
VPN tunnel and everything thatflows in that tunnel is then
encrypted.
But if these handshakes arebeing acquired during the setup
phase, so the VPN tunnel doesn'tcome into play yet.
(23:33):
Does that make sense?
Joshua Schmidt (23:35):
Yeah, absolutely , that's a good tip.
So, eric, we all know that youlike to travel like four laptops
deep.
When you're going on vacation,are you taking any precautions?
Yeah, or when you're going to aconference, I'm sure you're
fully loaded as well.
Maybe, Nick, you can speak tothis, since you're taking a
flight tomorrow.
Are there any things that youguys do before going to a
(23:58):
conference or going on anairplane?
We mentioned a few things, butI wanted to dig a little deeper.
Nick Mellem (24:05):
I think we've talked about it before just a
few different things but I thinknotably is we talked about the
VPNs.
I don't connect to a publicWi-Fi without it.
No Starbucks or anything likethat.
When I did fly up here with thethree cats, I did use the Delta
Wi-Fi.
Without it, you know, noStarbucks or anything like that.
When I did fly up here with thethree cats, I did use the Delta
Wi-Fi.
Did you get it working?
Joshua Schmidt (24:26):
I got it working .
Nick Mellem (24:27):
It never worked for me.
Joshua Schmidt (24:29):
I've paid for it and it sits there like with the
pinwheel of death spinning andlike the loading sign.
Nick Mellem (24:34):
I got it to work.
First shot, first shot.
But I think, like one otherthing we talked about before too
was checking the country you'regoing to see what restrictions
they have Because, like Ericsaid, mexico you probably don't
want to go to Mexico with fiveor six devices.
Two is the limit, two is thelimit.
So this is the kind of thingswe want to look at.
Joshua Schmidt (24:57):
People obviously want to get on the internet,
but the VPN you've got to usethe VPN.
How about you, jayden?
Are there any precautions youtake before getting on an
airplane or going to publicspaces with your gear to work?
Jayden Traufler (25:04):
Yeah, I mean I'm going to turn my Wi-Fi off
whenever possible, especiallyknowing how this device works.
But, yeah, always using a VPNfor everything and, honestly,
just powering down machines whenyou're not using them.
Even if they're just locked,they can still be transmitting
lots of handshakes or, you know,reaching out to other things.
(25:27):
So turning off completely willmitigate that.
Nick Mellem (25:30):
That's a good one, that's a good one.
Joshua Schmidt (25:33):
I got a tinfoil hat moment for everyone here.
Let's see, I wanted to see ifyou guys followed this rule.
So here we go, folks.
Cell phones emit RF radiation.
Are you all putting this inyour pockets, in your laps, by
your head at night, or are youfollowing some of the emerging
recommendations to safelydistance yourself from your
(25:55):
phone, from your head at nightand things like that?
I like to turn mine on theairplane mode when I'm thrown in
my pocket on a walk or whatever.
It also helps kind of justcreate a little space and a
little quiet, which is great.
But are you guys hip to that atall, or are you not concerned?
Nick Mellem (26:12):
You should get a Faraday cage throw it in there.
You know so you can't betracked.
But no, no, you know, josh, Ican't say I have that there.
You know so you can't betracked.
But no, no, I.
You know, josh, I can't say Ican't say I have that luxury.
You know, we're alwaysavailable for our clients here
at IT Auto Labs.
Joshua Schmidt (26:23):
Nice, well, you can still be working on your
laptop, but just when yourphone's in your pocket, or more
more so at night um you you'reon a nap at lunch.
Nick Mellem (26:32):
Yeah, I kept to keep the ringer on.
Joshua Schmidt (26:34):
How about you, Cameron?
Are you concerned about RFradiation?
Yeah, I've heard about this.
Cameron Birkland (26:43):
I've been hearing somewhere between like
this is real and you need totake it seriously, or this is
hocus pocus and you reallyshouldn't worry about it.
I don't sleep with my phonenext to my head, but it's on the
nightstand next to my bed, so Idon't know how what that means
for me, but it's there.
Nick Mellem (27:04):
You know, josh, do you?
Do you think, like the the bitof it, radiation or whatever
you're concerned with your phoneis a factor compared to what's
going around, going on aroundyou on a daily basis?
Joshua Schmidt (27:15):
I I mean I think there's a certain amount that's
unavoidable.
But I'm with Cameron.
I've heard the same rangespectrum of advice from.
This is not a problem to don'thave it anywhere near your head
while you're sleeping or makesure it's on airplane mode in
your pocket.
You know I'm always a littleskeptical of like expert advice.
(27:38):
I mean there was a point whereyou know your physician or
doctor would recommend you smokea pack of cigarettes a day to
help your anxiety, or yourdepression.
Those doctors you know, and youknow that goes to alcohol and
pregnancy and all sorts ofterrible advice that they used
(27:58):
to give us right about ourhealth.
So I'm always a bit skepticalwhen there's a so-called expert
weighing in.
And I'm sure there's a lot oflobbyists and there's a lot of
money wrapped up in the cellphone business, right.
But we haven't heard from Jaden.
I want to know what Jaden does.
Maybe you can help me out hereand make me sound a little less
conspiratorial.
Jayden Traufler (28:21):
So what's funny is I actually did a project on
that in college and gave apresentation about the radiation
aspect of our phones.
And it's what I mean honestlynot a ton of successful research
being how new all of thesedevices are and their impacts
are probably not even being seenyet, but what's known is there
definitely is radiation, butit's just a so minuscule amount
(28:47):
that you know it's tough to seeor tough to know what that
impact is.
I specifically did like aproject on who sleeps with their
phones like next to their heads, and for college students it
for when I was testing, um, itwas 75 percent of the college
(29:07):
students actually slept likewith it on their pillows.
Um, so I mean, that was kind ofeye-opening and I don't do that
.
I, I keep mine on a bed, sitthere across the room for me,
but, um, yeah, I think therethere maybe is an impact.
I, I don't have a full like yes, you're on to something.
Nick Mellem (29:28):
I think, yeah, it's just too early to know but so,
josh, do you do anythingdifferent when you rub up your
microwave a couple times a day?
I don't't have a microwave.
Yeah right, it's fake news,don't.
Joshua Schmidt (29:41):
I switched out my microwave for a toaster oven
about a year and a half ago.
Yeah, not because I was afraidof micro radiation or anything
like that.
I just I don't use it and Ithink food tastes better in the
oven.
Eric Brown (29:57):
Quite frankly, and Josh, food tastes better in the
oven quite frankly and, Josh, Iused to have because I hear you
on the radiation and back in theday when cell phones kind of
first came out and we weregetting into the smartphones, I
did have a case or two of thephone cases that purportedly
(30:18):
blocked the radiation.
Don't know how true it was ornot, it's probably more of a
gimmick, like half of a Faradaycage, but it, I mean, it is a
concern.
It's, you know, probably notgreat to be in your pocket all
day long.
But you know, I don't know.
It's one of those things whereI can avoid living underneath
(30:41):
power lines.
But it would be very difficultto avoid operating without a
cell phone because that's myprimary communication device.
Joshua Schmidt (30:56):
Yeah, I'm with you, Eric.
I guess I just keep my ear tothe ground, so to speak, about
any kind of news that's comingout about that and take it with
a healthy dose of skepticism.
But yeah, you can buy stickersthat you can put on your phone
that have some kind ofgeometrical symbol on them that
are supposed to negate anynegative radiation.
Nick Mellem (31:14):
Where are you getting this information from,
Josh?
What subreddit pages are you on?
Eric Brown (31:20):
I mean from a physics perspective.
A little sticker is not goingto get the job done.
That's not possible.
Joshua Schmidt (31:27):
I agree.
I agree.
These are things being sold onInstagram.
You start going down theserabbit holes and, all of a
sudden, these things startpopping up on your….
Nick Mellem (31:37):
I mean, hey, good on the people that are making
money off that wait, I meanthat's a scam no I know but hey,
you can make money off thatgood on you just going circling
back on the ponagachi to wrapthings up here.
Joshua Schmidt (31:50):
Um, how do you build?
How do you build it out?
Uh, cameron, like what you said, you had a 3D printed case and
you can source the parts online,I'm assuming.
So is this to kind of give abetter understanding about how
these types of things work?
It's kind of a nerd gadget.
It's kind of part of the fun isputting it together.
Cameron Birkland (32:10):
Yeah yeah.
It's a good project for someonewho wants to build a fun little
tool.
You know that that can teachyou a lot about how Wi-Fi works
and how Wi-Fi attacks work.
And it's easy to do too.
This is mostly just.
The hardest part is flashingthe firmware.
With this thing, everything'skind of just plug and play.
(32:31):
They build it so that you canbuy the Raspberry Pi with the
header pins on it and thedisplay just slides right on.
My battery goes on the bottomand then four screws and that's
it, and it's built.
Nick Mellem (32:45):
So, cameron, if somebody wanted to get into this
, is there a place you woulddirect them to?
Is there a bunch of traction onReddit?
Is there a bunch of what'sgoing on there?
Facebook groups when do youguys go to geek out about this?
Cameron Birkland (32:59):
There's a lot of resources out there.
I think the place to start isthe Ponegachi website.
I think it's ponegachiai.
That's the get started guide.
You know, like, here's theparts you can use, here's how to
build it, here's the firmwareand everything.
It's probably the best way toget into it.
(33:20):
And then for me, I think itjust was a little extra research
to figure out what battery Iwanted and then what kind of
case I needed for it.
And you know, there's I don'tthink we touched on this, but
there's other firmware out therefor the Ponegachi as well.
Currently I'm running a customfirmware on mine that's more
(33:42):
actively maintained than thestock firmware.
Joshua Schmidt (33:46):
Let me ask you what do you think makes I mean
Ponegachi continues to get hitson our videos, like on our
analytics?
Cameron Birkland (34:03):
What do you think makes this such a popular
tool that creates a community ofpeople that are excited to
learn and know about it.
I think it's fun becausethere's not a high barrier to
entry with this.
If you're just starting out andwanting to learn about how
these sorts of things work, thisis know most people will have
the money to be able to buy.
It's less than a hundred bucksto build one of these and that's
everything.
(34:23):
You know that I have here thebattery, the screen, the and it.
You know, essentially, once youinstall the firmware, you just
flip the switch and you're goingright and you can go from there
.
It's a great platform to jumpoff and start learning about
Wi-Fi.
Joshua Schmidt (34:41):
Thanks so much for your time today.
We've been joined by Jaden andCameron and we have Eric and
Nick the usual suspects here.
You've been listening to theAudit presented by IT Audit Labs
.
My name is Josh, your co-hostand producer.
Thanks so much for tuning in.
Please like, share andsubscribe and we'll see you in
the next one.
Thanks so much for tuning in.
Please like, share andsubscribe and we'll see you in
(35:02):
the next one.
Thanks so much for tuning in.
Don't forget to like, share andsubscribe.
If you have a moment, leave usa comment on the youtube channel
or give us a review on applepodcasts.
It really helps others find theshow.
Thanks so much for joining usand we'll see you in the next
one.
You're listening to the audit presented by IT
Audit Labs.
My name is Joshua Schmidt,co-host and producer.
Today we're joined by JaydenTroffler and Cameron Birkland.
They spent a little bit of timeworking at IT Audit Labs and
they've spent even more time,probably in the recent weeks,
working on Ponegachi for thisepisode today.
We did a Ponegachi episodemaybe two years back, but we
(00:26):
wanted to refresh it today andkind of give a fresh look, bring
some updates and kind of goover the whole thing from the
top to bottom again.
So welcome to the Audit Podcast.
Thanks for joining us.
How are you two doing today?
Jayden Traufler (00:38):
Doing well.
Joshua Schmidt (00:39):
Working from home today.
Jayden Traufler (00:41):
Yes, and we got Eric Brown and.
Joshua Schmidt (00:42):
Nick Mellum riding shotgun in the IT Audit
Lab studio today, and we gotEric Brown and Nick Mellum
riding shotgun in the IT AuditLab studio today.
It's getting wild over here.
We got cats, we got pinballmachines.
We got Tibetan lunch happeningtoday.
As we were getting ready forthe podcast.
You were talking about ourrecent experience at Secure360.
And I believe we had somecontention around the
(01:04):
preparation and the winner.
Do we need to rehash that?
Is there anything we want totalk about?
Eric Brown (01:08):
I don't know if we need to rehash it.
I mean, I think we've acceptedthat we were beaten by the next
team.
Nick Mellem (01:14):
You didn't even come in top five, so I don't
know.
I think the argument thatyou're bringing up is hold on.
Eric Brown (01:19):
We came in top five, Sam signed delivered, we came
in top five.
Nick Mellem (01:23):
We came in top five .
Sam signed delivered, we camein top five.
Oh, you were top five, you werenumber five.
But we do have to say and bringup how good of a job that Cam
did.
He led the whole thing, thewhole competition, the whole
competition.
For every player.
There was 14 teams, yeah 15.
, 15.
Eric Brown (01:41):
And two weeks prior, cam was on our team.
Nick Mellem (01:45):
Well, we're going to fact check that news.
That's fake.
Cameron Birkland (01:48):
I did do some moving around.
Nick Mellem (01:51):
You don't need a Cam at Com, just keep it to
yourself.
Joshua Schmidt (01:54):
I'm going to switch gears to today's topic.
We're talking about Ponegachi.
So is this like a Tamagotchi?
What do we got going on here?
What is it?
What does it do?
Is?
What do we got going on here?
What is it what?
Jayden Traufler (02:08):
does it do?
Can you explain it to me?
I don't really know a lot aboutit.
Yeah, I'll start here.
Um, tamagotchi, ponegotchi.
They're similar but not thesame.
The Ponegotchi is actually atiny little Wi-Fi hacking tool.
I actually have mine right hereyou can see, just a tiny little
(02:29):
guy, looks similar to aTamagotchi, but its job is to
passively listen to wi-fihandshakes and intercept those,
those encrypted keys that arebeing transferred, and you can
take those offline and crack.
It's quite the little device.
Joshua Schmidt (02:52):
And Cameron, I know you, you did a lot on our
Flipper Zero episodes but maybeyou could speak to like it's got
a little face on it.
Is that actually like showinganything of value or what's
behind the face?
Cameron Birkland (03:04):
Yes, so there's a number of faces on it
that can correspond to eitherwhat it's doing or what it isn't
doing, right Like.
It can be happy if it cracks orif it grabs a lot of handshakes
.
It can be sad If it doesn'tfind any.
It can be surprised.
I believe it can be angry.
It can sleep.
(03:24):
I can see if I can show mine.
Mine is sleeping right now.
It, they don't you know, affectthe functionality of it, but
it's something fun that itdoesn't.
It's it?
Uh, it almost, you know, ismeant to be like a like, like a
tamagotchi, right?
You can almost form anemotional attachment to this
(03:45):
thing.
Nick Mellem (03:47):
Do you have to feed it?
Because, merrill, we're.
Jayden Traufler (03:50):
You can get handshakes.
We all know when I was younger.
Nick Mellem (03:55):
Okay, see, that's good, because when I was younger
I had one.
It was a white one.
Obviously it looked like an egg.
This one looks like a box or asmall box, but you had to feed
it to keep the thing alive.
Looks like a box or a small box, but you had to, like, feed it
to keep the thing alive, right?
Eric Brown (04:06):
Okay so it's like the same thing, yep, you had to
feed it digitally to keep italive.
Nick Mellem (04:09):
This is the hard hitting evidence we're gathering
right now is if you have tofeed your on a gachi.
Joshua Schmidt (04:15):
Eric's pretending like he didn't have a
Tamagotchi Never had one Don'teven know what it is, just cats.
Nick Mellem (04:22):
Okay, so trying to get up here from Texas, brings
three cats with him.
I flew up here with three cats,first class Daddy Cathy over
here.
Yeah, maybe we'll get anappearance from Chatty Boy today
.
We're trying to.
He's ping-ponging off the wallsover here.
That's why we went mute asecond ago to try to get there's
(04:43):
Chatty Boy.
Joshua Schmidt (04:49):
Oh my gosh, we got tamagotchi and cats.
Nick Mellem (04:50):
Today we got chatty's little bat over here
just living the life.
He was engaged about thisepisode, or he still is so
jayden?
Joshua Schmidt (04:59):
um, I was reading on the ponagachi.
It claims to be like.
It claims to learn from itsenvironment.
Is it actually like machinelearning or is that just kind of
a branding thing that they cameup with?
Jayden Traufler (05:10):
Yeah, it's more so like reinforcement learning.
It learns based off of itsenvironment and how well it's
doing it.
Can, you know, determine ifit's you know what channels are
are the best to scope out?
Um, you know it prioritizes itsbattery life.
It knows when it needs to worka little less hard.
(05:32):
Um, and what's really cool is,with these devices, um, they can
actually detect each other andwhen they do, they can share
that, what they've learned inthe environment.
And, like I said, littledevices but very powerful.
Nick Mellem (05:49):
Do you have to approve the connection between
the two, or are they just, likeall, interlinked like an AirTag
is?
Jayden Traufler (05:56):
It's like a setting you can configure prior
like prior when you're making itto allow those connections, but
you can block it if it's notsomething you want to do.
Eric Brown (06:08):
Jayden, the output of it.
It's on an e-ink screen right.
Jayden Traufler (06:12):
Yep, yes, that is what these are, and it's not.
You don't need the screen, butit definitely makes it better
and the face makes.
Eric Brown (06:24):
the face changes a little bit when it gets a
handshake or you know it haslike when it's getting
handshakes and you can even seeon the screen, it'll tell you.
Jayden Traufler (06:33):
You know, in the process of getting a
handshake from SSID blank, um,so yeah, the screen is
definitely helpful in that sense.
Eric Brown (06:41):
So do you just kind of throw it in your backpack or
what do you?
How do you use it?
Jayden Traufler (06:47):
Um.
You know there's different waysto use it, different places to
use it.
Um.
I worked at a company thatallowed me to use it in
production, um and I had it runfor about a day and captured a
significant number of handshakesfrom all sorts of personal
(07:09):
devices, corporate devices,anything that is trying to
connect to Wi-Fi.
But yeah it's very portable.
You can put it anywhere.
Nick Mellem (07:20):
Jaden or Cam.
Both of you can jump in on this.
Is there places you shouldn't?
This is not an omission ofguilt if you have done anything
nefarious.
Cameron Birkland (07:32):
Well, for me I'd say, technically, you're not
really supposed to use itanywhere, but at home, right,
like you can set a whitelist onit to just do your home network,
which is what you're supposedto do, because there's, you know
, I don't the laws andeverything are kind of a gray
area there as far as, like youknow, is it legal?
(07:55):
You can, I think, things thatare traveling through the air
like this that are unencrypted,you know it's a.
I don't feel like it wouldnecessarily be illegal to
capture them.
But the Ponegachi also activelydeauthenticates devices so that
it can grab the handshake whenthe device reauthenticates.
So that's where it gets alittle more shaky.
Joshua Schmidt (08:17):
Could you expand on that, cameron?
So like, how is a hacker goingto use this or a threat actor
going to use this and maybe,jaden, you could fill in any
gaps but how are people going touse this in a nefarious way?
Cameron Birkland (08:28):
Yeah, I mean.
This is a device where ifthere's a particular Wi-Fi
network that you want to getinto, you have to get the hash
for the password right to beable to crack it.
So the Ponegachi goes out anddeauthenticates any devices that
it can find in an attempt tocapture the handshake when it
(08:50):
goes to reconnect.
And if there's a particularnetwork you're targeting, you
can set the Ponagachi to do that, or you can just turn it on in
range of the network and justlet it run until it captures a
handshake.
Eric Brown (09:01):
What's the difference between the Ponagachi
and the Flipper Zero?
Cameron Birkland (09:07):
Yeah, the Flipper Zero is more they call
sub-gigahertz, right, like thethings like garage door
transmitters and so on, like notwireless.
But there's a wirelessattachment for the Flipper Zero
that can give it all thecapabilities that the Ponegachi
has.
Nick Mellem (09:27):
So if you have a Flipper Zero, you're good
Essentially, and I did hear thatsomebody had some sticky
fingers at Secure360.
Eric Brown (09:34):
Really.
Nick Mellem (09:35):
We got an email yesterday or one of the last two
days that if you took a FlipperZero, you're supposed to return
it to booth.
Whatever number it was oh,somebody swiped it from the
booth.
It might have been Cam, but wecan't, we don't know.
We're not sure.
Joshua Schmidt (09:53):
I think it might have been one of Nick's cats.
Nick Mellem (09:55):
Mr Miyagi took it.
Joshua Schmidt (09:57):
I'm allergic to these things so yeah, can you
think of anything that we missedthere?
That like, or maybe you canexpand upon, like, how threat
actors could use this in avarious way, like once you get a
handshake, then what do you golike?
Try to crack, crack passwords,or, or after that what happens?
Jayden Traufler (10:14):
yeah, so you are just capturing any and every
handshake you can get yourhands on.
So I, even if you're justtrying to get into one network,
you have the potential to getinto tons.
And you're getting all of theseencrypted hashes that you can
take offline, go crack and thedoor's wide open after that.
Joshua Schmidt (10:37):
You mentioned that you got to use this at
another project.
How did you use it to make suresecurity was shored up, or how
did you use it to make suresecurity was shored up, or how
did you use it in a good way?
Jayden Traufler (10:48):
I think it was more so, just to show how easy
it was to do.
I mean, you can build one ofthese things with a few pieces
of hardware in an hour of sparetime and it I had it on for one
day and was able to get hashesfrom you know significant
(11:09):
numbers of SSIDs.
So I mean, although, yes, it'sgood to you know, defend
yourself against that.
And that's one way to look atit and that's how we took it was
.
How do we defend against that?
But it's also, you know, alsoshowing how simple of a device
(11:29):
this is and yet it can be sopowerful.
Eric Brown (11:33):
Was it true, Jaden, that on the plane to DEFCON that
maybe somebody had thePonegachi on?
Nick Mellem (11:41):
That's what I was trying to get into when I said
you shouldn't do that.
Jayden Traufler (11:44):
There was a rumor that somebody took one on
a plane.
I cannot confirm or deny.
Nick Mellem (11:53):
You don't know who that would be.
Jayden Traufler (11:55):
I don't know who it was, but I did hear that
they were very successful andhad 600 handshakes by the time
the plane landed.
Nick Mellem (12:07):
So for anybody listening out there, jadenden or
cam, can you guys comment onhow you would protect yourself
against an attack like this?
Are you just turning your wi-fioff, or what are we doing here?
Jayden Traufler (12:16):
yeah, I mean, obviously wi-fi off is priority,
um, but you can't always dothat, so I think turt or
deleting old ssids out of yourphone is always good.
Any SSID that your personaldevice or any device has
connected to, it's consistentlytrying to make that connection
(12:38):
all the time.
I mean, if you think about it,you go to work and all of your
devices automatically connect toWi-Fi.
It just knows it's alwaysattempting to make those
connections.
Cameron Birkland (12:47):
Yeah, yeah, don't use Wi-Fi is what it's
always, you know, attempting tomake those connections.
Yeah, yeah, don't, don't usewi-fi.
Is is what it comes down to.
But, um, but in actuality, thethe ponagachi.
I think the main concern iswith home and business networks
right, public networks.
You're already allowing anybodyand everybody to access it,
even if it has a password.
(13:08):
So in the Ponegachi's real goalis to get handshakes with
password hashes.
So public networks aren'treally of concern as much.
But for your home network andeven your business network,
there's a number of things thatyou can do to protect yourself
against a Ponegachi attack.
(13:30):
The biggest one is switching toWPA3.
Right now, a lot of ournetworks are still on WPA2.
I may support WPA3, but areusing both WPA2 and WPA3.
Wpa3 can't be touched by thePonegachi.
(13:50):
That's the latest Wi-Fiencryption security standard.
Nick Mellem (13:55):
Well, we were talking about this the other
night.
At that event, we were what wasthe mode?
It was called, was it?
Eric Brown (13:59):
listener or transition mode, transition mode
.
So after Secure360 on Wednesday, brian Johnson, who's been on
with us before from 7 MinutesSecurity, was having a gathering
and he was talking about goinginto an organization doing a pen
test and one of the things thathe's finding is that
(14:19):
organizations leave their ifthey're using Meraki.
Meraki has the ability to leavethe APs in transition mode and
transition mode then stillallows for those legacy
authentication methods.
So if you leave the APs withtransition mode enabled, the old
(14:41):
attacks still work.
So the advice or the guidancewas turn off transition mode.
But if you do that, then thelegacy or older devices may not
work.
So then you may hear from usersand I think the consensus at
that thing, nick, was the bestway to do it, or kind of the
only way to do it is just do it,pick a day and time and do it
(15:01):
and then have the screen test.
Nick Mellem (15:04):
All hands on deck for all the tickets that are
coming.
Cameron Birkland (15:07):
I mean we're at a point where almost every
device that we're using on Wi-Finow supports WPA3, right, we're
just the routers and you know,access points are just kind of
still holding on to that old,you know WPA2.
Just in case.
Eric Brown (15:24):
So what I was just going to share was, off of this
computer, the networks that ithad, quote unquote, known.
And if I took this computerinto a Starbucks or into another
location, turn it on, like whatJaden was saying was, it's
going to beacon out and it'sgoing to say you know IT audit
labs, are you there Becausethat's one of the known networks
(15:46):
and it's going to broadcastthat out.
Are you there Because that'sone of the known networks and
it's going to broadcast that out?
So if I was at a Starbucks andthen I see that the wireless is
connected to IT audit labs, Iwould know that there was
someone with a device that wasspoofing IT audit labs,
something like a Wi-Fi pineapple, for example, or, you know,
(16:06):
maybe even a flipper zero thatwas spoofing the network and
then trying to capture that,that handshake.
Joshua Schmidt (16:17):
So, cameron, I know you you're really
proficient at the flipper zeroand you're kind of our go to
tech guy when it comes to thesekinds of episodes.
When it comes to these kinds ofepisodes, are there any other
like tools you can pair with thePonegachi to like up its
abilities or anything like that?
Or is that just kind of astandalone device?
Cameron Birkland (16:35):
Yeah, I mean, there's, you know, more complex
devices out there that you canuse, and I think the Flipper
Zero is actually one of them,just by a bit.
But the Ponegachi is just sodead simple is is why it?
You know, I don't know ifthere's something that can
compare to it because this is aseasy as getting a, you know,
(16:59):
raspberry pi and a screen andyou know, in my case, a battery,
um, flash the firmware onto ansd card and you're running,
maybe some minor settings,adjustments, but it just goes
and does what it does and youdon't have to do anything to it.
Joshua Schmidt (17:16):
So it's kind of a one-trick pony for hackers.
Then the tool does specificallyone job.
Cameron Birkland (17:23):
Yes, it does one thing, but it does it well.
Nick Mellem (17:26):
I guess either of you, if you were going to buy
one of them right now flipperzero or a panagachi would you
buy one versus the other, orwould you just want them both?
Jayden Traufler (17:34):
I think I would want both of them personally,
yeah, yeah, I think the thepanagachi is so easy to just
build yourself too, like it'snot, you know, hard to have both
.
Reclipper Zero has so manydifferent parts to it and it can
do so much more.
It's probably a cooler device.
Cameron Birkland (17:53):
but I mean just for one example.
Like you know, the Flipper Zeroon its own has no wireless
capabilities.
So you get the Wi-Fi dev boardclips on the top and this gives
it similar capabilities to thePonegachi.
(18:14):
I'm pretty sure that I don'tknow if you can run the
Ponegachi firmware on here, butyou might be able to.
I mean, this can essentially doall the same things, right, but
you have to get the FlipperZero, which comes at a little
bit of a cost, and then thisboard is extra, whereas this is
probably less than half theprice.
Nick Mellem (18:33):
Unless you stole that Flipper Zero from the
conference this week.
Did that happen?
Hey, I can't say so.
What I'm curious about is if Iwanted to get a panagachi right
now, where am I going to go tobuy one?
Cameron Birkland (18:49):
so you, you know you can.
I believe you can buy thempre-built at a cost, you know,
because somebody else builds itfor you.
But essentially this, this is aproject right?
You buy the parts and build ityourself.
You can go out to a fewdifferent places, buy each
component and build it.
The case in my case is 3Dprinted and I think that goes
for a lot of people.
(19:09):
You can buy all kinds ofdifferent 3D printed cases.
Print it yourself.
You know you can do differentconfigurations Like mine is
extra tall because I've got aparticularly large battery in it
so it can run for at least afew hours on its own without
having to charge it that's itonly a few hours with that big
battery it's it.
(19:29):
Um, it actually runs a littlewarm, you know, once, once it
starts going, and I think mybattery is also a few years old,
so it's not as good as it was.
Joshua Schmidt (19:40):
So doubles as a hand warmer here in Minnesota.
Have you taken this out intothe wild at all?
I mean, I know you said you'resupposed to use it at home, but
what are some of the ethicallike implications, Like can you
just have this on you and is italways looking for a handshake
or?
Cameron Birkland (19:56):
Well, I think that's how people generally use
it.
And for myself, I would kind ofsay yeah, I've captured a
number of handshakes with mine.
I recently, you know, reset itand put new firmware on it, so
the count isn't there, but Ithink I'm up to like 80
different handshakes.
Eric Brown (20:16):
What's your number at Jaden?
Joshua Schmidt (20:22):
I deleted mine off, I'm back at zero.
Say, you're doing a blue teamkind of a deal and there's a
Ponegachi on the premises, likeat Secure360, someone snuck one
in.
What would tip you off?
Is there a way that you cantell if there is one looking for
handshakes?
Are there any any other devicesthat could help guard against
that sort of a thing?
Cameron Birkland (20:43):
I think that there's a um there is.
There's not really a great wayto, but I know of a um sort of.
It's an enterprise sort ofprogram, I believe called enzyme
, where it it uses uh, you use,I think you can use Raspberry
Pis, wireless ones and use themas like sort of access points,
(21:05):
put them around.
It keeps tabs on the airspacefor wireless and if it can see a
bunch of you know DIA packetsbeing sent out, it can send you
an alert.
You know, because that would becoming from a Ponegachi.
But overall there's not alwaysa great way to tell when
(21:26):
something is happeningespecially if you're not
specifically set up to detectthat.
Eric Brown (21:32):
So, josh, if you're going to a security conference,
you're pretty much guaranteed torun into it.
You're pretty much guaranteedto run into it.
At DEF CON, they used to havethis thing called the Wall of
Sheep, and they would publiclypost whose device they were able
to compromise.
A little public shaming in thetown square, then at the
(21:59):
conference.
If you're going to the probablythe, you know, the premier
hacking event in the world,probably pretty safe to assume
that there's some charactersthere that are not doing all
white hat work.
Nick Mellem (22:11):
So nefarious activity for sure.
Cameron Birkland (22:14):
Yeah, I wouldn't even want to use a
mobile hotspot there.
Joshua Schmidt (22:17):
Right, so is this something a VPN would guard
against?
I guess, speaking aboutconferences and then more
specifically Ponegachi, ifyou're running on Wi-Fi and you
have a VPN, does that make yousafe, or is that just?
Eric Brown (22:31):
Well, this is going to work at a lower level than
the VPN right, a lower levelthan the VPN right.
This is going to operate at thenetworking layer, where it's
going to work to grab thesession token, if you will, that
(22:52):
handshake, when the device isconnecting to the wireless
access point.
So it doesn't necessarilymatter if you are using a VPN or
not, because the session hasn'tnecessarily been established.
So once the session isestablished and you have that
(23:13):
wireless connection, and thenthat wireless connection is
allowing you to the internet,that's where you could build the
VPN tunnel and everything thatflows in that tunnel is then
encrypted.
But if these handshakes arebeing acquired during the setup
phase, so the VPN tunnel doesn'tcome into play yet.
(23:33):
Does that make sense?
Joshua Schmidt (23:35):
Yeah, absolutely , that's a good tip.
So, eric, we all know that youlike to travel like four laptops
deep.
When you're going on vacation,are you taking any precautions?
Yeah, or when you're going to aconference, I'm sure you're
fully loaded as well.
Maybe, Nick, you can speak tothis, since you're taking a
flight tomorrow.
Are there any things that youguys do before going to a
(23:58):
conference or going on anairplane?
We mentioned a few things, butI wanted to dig a little deeper.
Nick Mellem (24:05):
I think we've talked about it before just a
few different things but I thinknotably is we talked about the
VPNs.
I don't connect to a publicWi-Fi without it.
No Starbucks or anything likethat.
When I did fly up here with thethree cats, I did use the Delta
Wi-Fi.
Without it, you know, noStarbucks or anything like that.
When I did fly up here with thethree cats, I did use the Delta
Wi-Fi.
Did you get it working?
Joshua Schmidt (24:26):
I got it working .
Nick Mellem (24:27):
It never worked for me.
Joshua Schmidt (24:29):
I've paid for it and it sits there like with the
pinwheel of death spinning andlike the loading sign.
Nick Mellem (24:34):
I got it to work.
First shot, first shot.
But I think, like one otherthing we talked about before too
was checking the country you'regoing to see what restrictions
they have Because, like Ericsaid, mexico you probably don't
want to go to Mexico with fiveor six devices.
Two is the limit, two is thelimit.
So this is the kind of thingswe want to look at.
Joshua Schmidt (24:57):
People obviously want to get on the internet,
but the VPN you've got to usethe VPN.
How about you, jayden?
Are there any precautions youtake before getting on an
airplane or going to publicspaces with your gear to work?
Jayden Traufler (25:04):
Yeah, I mean I'm going to turn my Wi-Fi off
whenever possible, especiallyknowing how this device works.
But, yeah, always using a VPNfor everything and, honestly,
just powering down machines whenyou're not using them.
Even if they're just locked,they can still be transmitting
lots of handshakes or, you know,reaching out to other things.
(25:27):
So turning off completely willmitigate that.
Nick Mellem (25:30):
That's a good one, that's a good one.
Joshua Schmidt (25:33):
I got a tinfoil hat moment for everyone here.
Let's see, I wanted to see ifyou guys followed this rule.
So here we go, folks.
Cell phones emit RF radiation.
Are you all putting this inyour pockets, in your laps, by
your head at night, or are youfollowing some of the emerging
recommendations to safelydistance yourself from your
(25:55):
phone, from your head at nightand things like that?
I like to turn mine on theairplane mode when I'm thrown in
my pocket on a walk or whatever.
It also helps kind of justcreate a little space and a
little quiet, which is great.
But are you guys hip to that atall, or are you not concerned?
Nick Mellem (26:12):
You should get a Faraday cage throw it in there.
You know so you can't betracked.
But no, no, you know, josh, Ican't say I have that there.
You know so you can't betracked.
But no, no, I.
You know, josh, I can't say Ican't say I have that luxury.
You know, we're alwaysavailable for our clients here
at IT Auto Labs.
Joshua Schmidt (26:23):
Nice, well, you can still be working on your
laptop, but just when yourphone's in your pocket, or more
more so at night um you you'reon a nap at lunch.
Nick Mellem (26:32):
Yeah, I kept to keep the ringer on.
Joshua Schmidt (26:34):
How about you, Cameron?
Are you concerned about RFradiation?
Yeah, I've heard about this.
Cameron Birkland (26:43):
I've been hearing somewhere between like
this is real and you need totake it seriously, or this is
hocus pocus and you reallyshouldn't worry about it.
I don't sleep with my phonenext to my head, but it's on the
nightstand next to my bed, so Idon't know how what that means
for me, but it's there.
Nick Mellem (27:04):
You know, josh, do you?
Do you think, like the the bitof it, radiation or whatever
you're concerned with your phoneis a factor compared to what's
going around, going on aroundyou on a daily basis?
Joshua Schmidt (27:15):
I I mean I think there's a certain amount that's
unavoidable.
But I'm with Cameron.
I've heard the same rangespectrum of advice from.
This is not a problem to don'thave it anywhere near your head
while you're sleeping or makesure it's on airplane mode in
your pocket.
You know I'm always a littleskeptical of like expert advice.
(27:38):
I mean there was a point whereyou know your physician or
doctor would recommend you smokea pack of cigarettes a day to
help your anxiety, or yourdepression.
Those doctors you know, and youknow that goes to alcohol and
pregnancy and all sorts ofterrible advice that they used
(27:58):
to give us right about ourhealth.
So I'm always a bit skepticalwhen there's a so-called expert
weighing in.
And I'm sure there's a lot oflobbyists and there's a lot of
money wrapped up in the cellphone business, right.
But we haven't heard from Jaden.
I want to know what Jaden does.
Maybe you can help me out hereand make me sound a little less
conspiratorial.
Jayden Traufler (28:21):
So what's funny is I actually did a project on
that in college and gave apresentation about the radiation
aspect of our phones.
And it's what I mean honestlynot a ton of successful research
being how new all of thesedevices are and their impacts
are probably not even being seenyet, but what's known is there
definitely is radiation, butit's just a so minuscule amount
(28:47):
that you know it's tough to seeor tough to know what that
impact is.
I specifically did like aproject on who sleeps with their
phones like next to their heads, and for college students it
for when I was testing, um, itwas 75 percent of the college
(29:07):
students actually slept likewith it on their pillows.
Um, so I mean, that was kind ofeye-opening and I don't do that
.
I, I keep mine on a bed, sitthere across the room for me,
but, um, yeah, I think therethere maybe is an impact.
I, I don't have a full like yes, you're on to something.
Nick Mellem (29:28):
I think, yeah, it's just too early to know but so,
josh, do you do anythingdifferent when you rub up your
microwave a couple times a day?
I don't't have a microwave.
Yeah right, it's fake news,don't.
Joshua Schmidt (29:41):
I switched out my microwave for a toaster oven
about a year and a half ago.
Yeah, not because I was afraidof micro radiation or anything
like that.
I just I don't use it and Ithink food tastes better in the
oven.
Eric Brown (29:57):
Quite frankly, and Josh, food tastes better in the
oven quite frankly and, Josh, Iused to have because I hear you
on the radiation and back in theday when cell phones kind of
first came out and we weregetting into the smartphones, I
did have a case or two of thephone cases that purportedly
(30:18):
blocked the radiation.
Don't know how true it was ornot, it's probably more of a
gimmick, like half of a Faradaycage, but it, I mean, it is a
concern.
It's, you know, probably notgreat to be in your pocket all
day long.
But you know, I don't know.
It's one of those things whereI can avoid living underneath
(30:41):
power lines.
But it would be very difficultto avoid operating without a
cell phone because that's myprimary communication device.
Joshua Schmidt (30:56):
Yeah, I'm with you, Eric.
I guess I just keep my ear tothe ground, so to speak, about
any kind of news that's comingout about that and take it with
a healthy dose of skepticism.
But yeah, you can buy stickersthat you can put on your phone
that have some kind ofgeometrical symbol on them that
are supposed to negate anynegative radiation.
Nick Mellem (31:14):
Where are you getting this information from,
Josh?
What subreddit pages are you on?
Eric Brown (31:20):
I mean from a physics perspective.
A little sticker is not goingto get the job done.
That's not possible.
Joshua Schmidt (31:27):
I agree.
I agree.
These are things being sold onInstagram.
You start going down theserabbit holes and, all of a
sudden, these things startpopping up on your….
Nick Mellem (31:37):
I mean, hey, good on the people that are making
money off that wait, I meanthat's a scam no I know but hey,
you can make money off thatgood on you just going circling
back on the ponagachi to wrapthings up here.
Joshua Schmidt (31:50):
Um, how do you build?
How do you build it out?
Uh, cameron, like what you said, you had a 3D printed case and
you can source the parts online,I'm assuming.
So is this to kind of give abetter understanding about how
these types of things work?
It's kind of a nerd gadget.
It's kind of part of the fun isputting it together.
Cameron Birkland (32:10):
Yeah yeah.
It's a good project for someonewho wants to build a fun little
tool.
You know that that can teachyou a lot about how Wi-Fi works
and how Wi-Fi attacks work.
And it's easy to do too.
This is mostly just.
The hardest part is flashingthe firmware.
With this thing, everything'skind of just plug and play.
(32:31):
They build it so that you canbuy the Raspberry Pi with the
header pins on it and thedisplay just slides right on.
My battery goes on the bottomand then four screws and that's
it, and it's built.
Nick Mellem (32:45):
So, cameron, if somebody wanted to get into this
, is there a place you woulddirect them to?
Is there a bunch of traction onReddit?
Is there a bunch of what'sgoing on there?
Facebook groups when do youguys go to geek out about this?
Cameron Birkland (32:59):
There's a lot of resources out there.
I think the place to start isthe Ponegachi website.
I think it's ponegachiai.
That's the get started guide.
You know, like, here's theparts you can use, here's how to
build it, here's the firmwareand everything.
It's probably the best way toget into it.
(33:20):
And then for me, I think itjust was a little extra research
to figure out what battery Iwanted and then what kind of
case I needed for it.
And you know, there's I don'tthink we touched on this, but
there's other firmware out therefor the Ponegachi as well.
Currently I'm running a customfirmware on mine that's more
(33:42):
actively maintained than thestock firmware.
Joshua Schmidt (33:46):
Let me ask you what do you think makes I mean
Ponegachi continues to get hitson our videos, like on our
analytics?
Cameron Birkland (34:03):
What do you think makes this such a popular
tool that creates a community ofpeople that are excited to
learn and know about it.
I think it's fun becausethere's not a high barrier to
entry with this.
If you're just starting out andwanting to learn about how
these sorts of things work, thisis know most people will have
the money to be able to buy.
It's less than a hundred bucksto build one of these and that's
everything.
(34:23):
You know that I have here thebattery, the screen, the and it.
You know, essentially, once youinstall the firmware, you just
flip the switch and you're goingright and you can go from there
.
It's a great platform to jumpoff and start learning about
Wi-Fi.
Joshua Schmidt (34:41):
Thanks so much for your time today.
We've been joined by Jaden andCameron and we have Eric and
Nick the usual suspects here.
You've been listening to theAudit presented by IT Audit Labs
.
My name is Josh, your co-hostand producer.
Thanks so much for tuning in.
Please like, share andsubscribe and we'll see you in
the next one.
Thanks so much for tuning in.
Please like, share andsubscribe and we'll see you in
(35:02):
the next one.
Thanks so much for tuning in.
Don't forget to like, share andsubscribe.
If you have a moment, leave usa comment on the youtube channel
or give us a review on applepodcasts.
It really helps others find theshow.
Thanks so much for joining usand we'll see you in the next
one.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Cold Case Files: Miami
Joyce Sapp, 76; Bryan Herrera, 16; and Laurance Webb, 32—three Miami residents whose lives were stolen in brutal, unsolved homicides. Cold Case Files: Miami follows award‑winning radio host and City of Miami Police reserve officer Enrique Santos as he partners with the department’s Cold Case Homicide Unit, determined family members, and the advocates who spend their lives fighting for justice for the victims who can no longer fight for themselves.