>> I am Chris Littlebury, and this is all about automating home defense. A little about me, I am a senior penetration tester with knowledge information group. We are hiring, if you have skills, let us know, and I like building stuff. Couple of pictures there, it's an Xbox Live Controller that ummm did a randomization thing on it, so you can do rapid fire and it won't be detected on Xbox Live 'cause it had a randomizing cadence to it, yeah, it's cheating, I used it once and it just sat on the shelf, but ‑ ‑ one of my first really your own ‑ ‑ and the other picture is swapping out the 5th gear on my car to get better mileage, anything I can do with my hands, on stuff, so ‑ ‑
>> A quick disclaimer. During this talk, providing ideas, codes that worked for me, things that haven't worked, pretty much just a trial and error thing, afterwards, definitely open to questions, suggestions. I like to hear what other folks have to say.
>> I am not getting paid to endorse anything, there's a bunch of products I will be talking about, they work well, some have strengths and weaknesses, we will go over that. Nobody is paying me to be here. And I am definitely not promising an end to burglaries especially if you live in high‑risk areas, sorry you're screwed ‑ ‑ but you can try to stack the odds in your favor. Definitely not advocating setting up booby traps in your house. This is a big federal no‑no. A lot of people approached me, yeah, I want to build a moat and have a spike pit ‑ ‑ and shit come flying down with spikes when you open the door when I am home alone ‑ ‑ you will go to prison. So please ‑ ‑ I am not advocating that. Please don't do it. Don't do anything that can result in hurting other people or property damage. It's something ‑ ‑ doing something to somebody's car that's on your property or something, just use your head, don't break shit.
>> Lastly, a live example from my place, stuff I have done, please don't come and test my home, again, I would love to talk with folks afterwards and have you thought about this and wow ‑ ‑ I haven't thought about this, thank you for ‑ ‑ let's open up a cool discussion about it instead of showing up at my place at 1:00 in the morning, standing over my bed freaking me out. Which somebody of y'all deviant bastards would do such a thing.
>> So, story starts out once upon a time in South Texas. I was living in San Antonio, below the poverty line and they like to have a great tourism, Riverwalk, nice place to visit, family affair and everything, and ‑ ‑ completely talking trash. Anybody here from San Antonio?
>> Thank you. Yes. So anybody else from San Antonio? I will talk shit so I apologize, I spent 10 years there, I feel adequately qualified to do so. The crime map in San Antonio is just terrible. Their local pastimes are DUIs and home invasions, just what they are known for. It's bad. So they ranked number 3, I forget what year this was, but they were like the third least safe city in America. So ‑ ‑ at the time I had this little Honda Civic, and again ‑ ‑ anybody have a Honda Civic, or had a Honda Civic ‑ ‑ keep your hands up if it was stolen. You are my people. Okay. At the time it was the most‑stolen car in America and I happened to have it. Air conditioning, good mileage, worth about $1500, that's all I needed, right? I came out one morning and the doors were unlocked, people had gone through my stuff but the car was still there and I was like yeah, this sucks, I would like to be able to do something. I should be able to out‑smart them. I like soldering stuff ‑ ‑ I should be able to out‑smart them. I had an idea.
>> They have a main fuel relay up near the kick panel. You unbolt it, it's like a 12-pin connector ‑ ‑ you take this with you and the car completely is immobilized. Sure, there's a chance somebody breaking in like oh gee, I happen to have one of those and I will look there, but I roll the dice. Pretty safe bet.
>> I also got cheap alarms that pages you, so I hooked it up without sirens, lights, anything, I removed the relays in it to trigger the lights and turn signals, so I removed everything. All it does is page you.
>> It's a car, sure, but my car, I wanted to drive it to work. I kept it that way three months and sure enough, it worked. Early one morning the alarm goes off and I go running downstairs and there's two respectable gentlemen going to work on my steering column. I persuade them to exit the vehicle, one of them runs, the other tries to establish a kind dialogue with me. I was able to, through power of persuasion, maybe you should lay down on the ground and wait until the cops come. I was effective in doing so, they came out, arrested him and ‑ ‑ I was like you know what? I think it's time to move away from the shithole, because ‑ ‑ other neighbors, tons of anecdotal evidence that it was just a bad place. Case in point, I found this on Reddit a year or so ago, I said that looks a lot like my old apartment complex and sure as shit, it was my old apartment complex. So somebody got upset, set their ex's car on fire, burned down a few other things, it was terrible. So I moved up to a nicer area. Actually this picture is one of the three times in the history of mankind it snowed in San Antonio and I mean it just dusted a tiny bit, people were trying to sled on it.
>> Anyway, it was a nicer place. I moved up to the third floor, tried to get as high off the ground as possible, okay, that ‑ ‑ you make it more difficult to get into, lock exterior doors, even sliding doors, third floor on the balcony, that kind of thing, stacking the odds in your favor. You won't keep everybody out but, everywhere I looked, there were all these tips from cops, and the number one thing that kept popping up was "make your home look occupied." If people come by, knock on your door, make it look like somebody is home. Lights on timers, leave TVs on, just stuff that makes it look occupied. You see the other stuff, lock your doors, basic stuff.
>> That got me thinking. Everybody has seen the movie Home Alone, right? Yeah. So I steal off of that during this talk a little bit, so ‑‑ I thought okay, I work a weird schedule, at night, ‑‑ during the day sometimes, all over the place, but I wanted something that would make the place look normal all the time. At the time the cheapest automation stuff was the X10 hardware. I am waiting to hear groans. Anybody done that before? It's terrible, yeah. It's been around since the late 70s, and really cheap hardware, works off of sending data over your home power line. What it does, included on 120‑hertz carrier, transmits during the zero crossing, and it sucks so much that it sends the command three times every time it ‑ ‑ it knows it's not reliable, but if you are in a small apartment complex or older house where the wiring is not that complex, it worked.
>> They had this God‑awful GUI you can program, macros, certain things, none of it worked really well but some of the timers had a cool feature, security feature you can time, say, you want everything to turn on at 5:00, every day. They had a security feature where it would turn on anywhere between like 4:50 and ‑‑ and it would be raining every day. It's a cheapy company, the tech is terrible, but it's doing what I want it to do. So eventually I moved to a house. Excuse me.
>> I moved to a house, started doing it with exterior lighting ‑ ‑ So I had lights would come on at different times, some would use photovoltaic sensors, some using the X10, but it wasn't anything special, but ‑‑ is this wooden? So knock on wood, I never had issues. It seemed to be occupied all the time. The neighbors got broken into but mine ‑ ‑ I didn't have issues.
>> But, eventually, I moved away. So I moved back to Colorado after a 10‑year hiatus, crime is a lot better there, I will do it right this time. So, I will do it right.
>> Of course I have to advocate, do not set up booby traps in your house. It would be cool as shit, but, what are they going to do? My wish list was I wanted efficient lighting. Most of the stuff out there for doing wall switch and lighting and things are all incandescents, 60, 80, 100 watt bulbs per can, the equivalent of a microwave or something. That just wasn't cool. I wanted efficient lighting, granular control over it, do individual zones, turn things on and off whenever I choose, have some sort of centralized way to control it ‑ ‑ adaptive timing, not always the same schedule, randomization and things. Again, I wanted it to look like it was lived in as much as possible. Do some geofencing, anybody done the if-then stuff? No? Okay.
>> There's some if‑then geo fencing, I have read it's a 20% success rate. You establish a geo fence on your phone and leave, once you leave certain actions happen. Arms your security system or turns lights off, people leave their house and lights are just on until 10:00 at night.
>> I wanted to do my own that I had control over and, yes. I wanted to be able to do defenses against wireless home automation attacks. Everybody all around for last year's DEF CON? The Z‑Wave enabled door locks are encrypted. Instead of breaking the encryption you just did a replay attack ‑ ‑ replay the exact same thing over RF and the door was like "welcome home, buddy." Everybody was just ‑ ‑ holy shit. Funny anecdotes, a week after that I had a dude come to my door, trying to sell that, Comcast, other places, building out home security system and have that sort of thing where it's on your smart phone, gee, I can look at cameras, know when my kid's coming home ‑ ‑ I can spy on my baby at night with infrared cameras, straight up Skynet shit, but they love it. I can open my garage, unlock my front door. That seemed like a terrible thing to me. I wanted to be able to defend it.
>> Not only that, if somebody really wants to get in it's just smash and grab. If you have a great alarm system you have a big giant ADP sign, prominently displayed, it's like please, please, don't screw with this house. If they really want to, they will do it anyway. I am sure everybody in the room has friends that during the day people kick in the front door, alarm goes off, they grab stuff and take off. That's how it is. I wanted to be able to do something that would immediately react to that and try to mitigate what they can carry. If they kick in the door, alarm goes off, they are freaking out and something that they have never seen before happens inside the house that might be like, you know what maybe we should GTF out.
>> That was my wish list. One of the first things I did was Wi‑Fi enabled lightbulbs ‑ ‑ did anybody get in on the LIFX Kickstarter? No? Awesome. So they did, started a while back, took a while to ship the bulbs, had a bunch of regulator ‑ ‑ regulation things to do, but in the grand scheme of things they're Wi‑Fi enabled LED bulbs, big claim to fame is they will do 1000 lumens ‑ ‑ they are bright as shit. They will always do full color, their full color representation is fantastic if you are into that, the picture with the blue is my living room, two of them in the ceiling, it's, yeah, cool. Side note to that, I will talk about later, if the alarm goes off one thing it can do is the whole house can start flashing red. So ‑ ‑ [laughter] upstairs, downstairs, entry way, chandelier, everything, the whole damn house will just light straight out of Aliens sort of thing. Everything ‑ ‑ if I can rig up a fog machine too ‑ ‑ leave her alone, you bitch. So they are great bulbs, at full power draw 17 watts, fits into their ‑ ‑ I'm not drawing a ton of power. And you can dim them down, do it all through software. They recently released an API, so any Ruby fans out here? Good. Good.
>> No. Anybody from Python? You are my people. All right. And I will get to that with the open source, but several different libraries to work with. The official API is in Ruby, not that bad to work with, you can port over to Python, but yeah. The downside to these bulbs is they are large. They have some heft to them. You can't put them in normal fixtures that sit sideways. They will start sagging down when they come in contact with the globe ‑ ‑ look terrible and heat up a bit. You can't enclose them.
>> The other option is the Philips Hues ‑ ‑ really easy to work with, great API, has Python, so ‑ ‑ Python people. Even lower power consumption 8.5 watts at full brightness, a little cheaper. Their power output is not the same. You put three in a fixture, it will be like three 60‑watt light bulbs, but it's a good option. The color representation isn't as good, but if you are looking at lighting up a side room, dining room, if you want to be able to control that remotely, still have the thing flash red, freak the hell out of people, it's a fantastic choice.
>> Couple pictures. Fourth of July at my place, the camera didn't do it justice. The purple are actually blue and red ones are red, that was LIFX and Hue bulbs. My living room just, messing around and ‑ ‑ during my perfect ‑ ‑
>> Audience question/comment. [Laughter]
>> We're hiring.
>> So yeah. Other devices out there, WeMo devices, they had vulnerabilities last year that are really not good. Fair enough? They had them come out last year where there was a vulnerability where if they rapidly cycled them there's a hack where you can recycle, hook up for a load, like motor or something like that, initially a really large amperage and then settles down.
>> Are we distracting you?
>> No just concerning me ‑
>> To our first time speaker ‑ [applause]
>> Thank you.
>> We have been doing this four days. Three talks, every hour, I have lost track.
>> I really want to get me one of those little rascals. So, the WeMo devices, you can rapidly cycle and depending on where the device is hooked up, they can catch fire and burn the place down. It's bad. So they have since pushed out a firmware update for them, but still not that secure ‑ ‑ what I have read, lock down IPv6 on the routers, don't have anything else and just lock down everything you have. With that said, they are extremely useful for if you have exterior lighting where you have CFL bulbs, like all around your house, hook up one of these, talking about 20 watts worth of draw all night, then you can switch it with one of these switches. The problem being they have timers built in, their own app and own timers built in, both of which completely suck. Their app is not reliable and their timers, well they work, sometimes, if you have, like say your external lights you want to turn on at 8:00 at night and keep them on until 6:00 in the morning, when it comes up on midnight they will shut off a few seconds, midnight five seconds later they will come back on and there's no rhyme or reason for it so if somebody is casing your house or whatever, it's a pretty good indicator ‑‑ and again, yes, terrible security. There's a link to that exploit on there too ‑ ‑ and the slides will be available and everything.
>> So, creating a home defense server, available 24/7, low power consumption, hook up to a UPS, integrate with sensors, be able to pull your own sensor network, and integrate with your existing home security system. It would be more of a supplement. Can you build one on your own, and have it respond, do stuff, but I am of the mindset I like someone monitoring. If they call the cops, the cops come out. Whereas if I see something in a text message, hi, I am Chris, I built this Rube Goldberg system at my house, can you go check it out. Sir, this is 911, don't ever call back. If it supplements your home security system you at least have a little bit of clout.
>> Couple of slides integrated in, but the Raspberry Pi is a good choice. And again, how many people mess with Raspberry Pi? They're fantastic, they're wonderful.
>> I had a little experience with Pis before. I built a Wi‑Fi enabled barbecue smoker just because, shit, I didn't know if I could. I got some meat probes, a probe for a GE oven that I found, all the other therma probes I could find were worthless after 240 degrees. I found one good to 400, put a Rails server on there ‑ ‑ what's that? Sorry, ADD. I put a Rails server on the front end, I had Rails experience at the time and just didn't know any better. Any Rails coders here?
>> Good. But it worked and it was one of those proof of concepts where I could build not only the sensor portion, but have a front‑end riding on the same hardware, all self‑contained, on wireless and do fun stuff with it.
>> So, creating a home defense server, anybody familiar with wiring in just regular home systems where you have a long line of sensors and everything has to be ‑ ‑ for it to be okay ‑ ‑ yeah. There's two different ways of doing it. You can have a closed loop or open, and either way most of the newer ones you can program them through ‑ ‑ to do either way. Stick the Pi online with that and put it in the mix and put relay ‑ ‑ the power you want to wire in and have it connected to its own network, say you have your own PIR sensor, or your own what‑have‑you. You can then send a signal to that Pi, it can trip it and fire off the security system. Another thing you can do, they have a panic button, wireless panic buttons, take one of those apart and solder on, run transistor over that, something happens you hit that, when it goes to the alarm company it will go in as silent alarm instead of oh a motion or door alarm. Straight across. Silent alarm, old Betsy fell down or old Betsy is being robbed by hoodlums, whatever.
>> A lot of ways to graft it in and I highly recommend grafting it into the alarm system. There are a lot of different open source out there for ‑ ‑ Magic Monkey did the original version ‑ ‑ the big giant LED bulbs, and great, great tool, only thing is it wouldn't do multiple bulbs, if you want to flash your entire down stairs red it would be one bulb, one bulb, kind of sucked.
>> And then ‑ ‑ sorry, he was the job scripter on that and Sharp did the LIFX Python which was built off of that, later on, LIFX came out with the official API, written in Ruby, we have all been over this. You can make it work. It's a good API, I just have this thing against, and there is ‑ ‑ I can't pronounce this guy’s name or project name, but they have an API for the WeMo devices and it works fantastic. Code support and command line support. It's great stuff. You can control all these things just from command line or different scripts. So from there I created a front‑end service where I wanted something like weights to control the stuff, front end. You can do Rails, Rails sucks. It's heavy. Python has Flask ‑‑ Ruby has Sinatra ‑‑ back end services for each of the tech screen readers, their own services and on their own ports. So if one of them fails, then just that service fails, so I don't lose everything in my house sort of thing.
>> Also, I wanted to have a database keep track of it all ‑ I ended up putting it up on a separate Pi, really lightweight, fast, and not that complicated. I wasn't looking for giant enterprise‑level stuff, just wanted something quick. On a separate Pi, separate room. If you go that route I highly recommend you put external swap on, get a powered USB hub, hard drive on it and set up swap, even if you have a great SD card, you look at the log, just swapping out all the time and all those read/writes, are hell on those cards, so ‑ ‑ finally creating a monitoring service with alerts and one of the services goes down, be nice to know about it.
>> Again, all the code we are talking about here will be available on a GitHub after the conference. I am going to do a disclaimer right now that my code is terrible. I am not a developer. I am a pen tester, so my code works, not pretty, for the ones that are professional devs, like nice polished code, it may be offensive to you. So just ‑ ‑ but it works.
>> Moving on. I wanted to be able to determine if I am walking into a room and things happen. I want my place to know if I am there or not. Originally I wanted to do Bluetooth, pair to my phone and know if I am walking into a room, it will see my phone, okay, he's here, and then whatever else happens, update it in the database I am there, certain other things. So I played around with it, it was kind of a pain in the ass. You have to create a connection, open the device after it's been paired ‑ ‑ while being pulled, you have to do the request for the RS ‑ ‑ the signal strength identifier. You do that, pull it, while being pulled say oh by the way what's the signal strength, come back with a number and from there you say oh the phone is within this amount of distance. You put a couple of those in different rooms and you can determine where something is but if you get too aggressive with that it will break your wireless interface on your phone. Not just Bluetooth but regular 802.11 as well. That was a fun one to find out when I ‑ ‑ but it worked, for a bit.
>> From there I went to do it with 802.11, your phones will ‑ ‑ beacon every 60 seconds if you are not doing anything but as soon as you turn them on, start doing stuff your MAC address will be all over the place.
>> There's a command line utility where you can go through and parse out what MAC is being seen and what signal strength it is. If you have neighbors and stuff that you don't care about, I will be lower signal strength and you can grit that out. But if you have a certain set you want to keep track of, significant other, kids, whatever, a list of things that it will look for.
>> If you are really curious about it, the tshark command on the very bottom will bust out just way more information than you will ever want to know about wireless packets and you can do all sorts of magic with it. I did a Python way with Scapy and it's ugly, it's very, very ugly, but it works and so what I have been doing, I have a flat file of MACs I want to keep track of. It fires up, starts looking for those, when it sees it, it updates the database that okay, it's been seen, what time it's been seen and a separate process goes through the database to look at time stamps, outside of certain time, okay, it hasn't been seen in this amount of time so I am not there, other rules now apply. Lights will be turning off, at pre‑determined times, still random, that way it knows if I am home so I am not sitting watching TV and the whole living room goes dark.
>> Again, proximity monitoring looks for a ‑ ‑ signal strength actually, I just went over all that. Adaptive scheduling. I created a SmartCron system ‑ ‑ everybody familiar with weather integral ‑ ‑ they have a fantastic API free for developers. Every day at 1:00 my ‑ ‑ will pull down the source schedule for the day, sunrise, sunset, that sort of thing and from there block off randomized times of, okay, I want to turn off my outside lights sometimes around sunrise, turn them on somewhere around sunset, bunch of other stuff. It shifts every day, and things are built in, cloud cover, UV index, moves interior lights if ‑ ‑ again ‑ ‑
>> So, for the fun stuff. Defenses against wireless based attack. You saw this last year. Does anybody go to the fox hunting thing on Thursday? Really early on Thursday, I went to the Rapid7 party before and was not able to get there. No? So the fox hunting is RF direction finding, really cool stuff. The only way I can think of to defend against these sort of Z‑Wave attacks, a replay attack or somebody trying to jam 345 Meg sensor data ‑ ‑ newer alarm systems that use those, should be able to determine if somebody is transmitting on the band and where from. Anybody familiar with the Doppler effect?
>> For the ones that aren't, ambulance goes by, high‑pitched coming and regular pitch as it goes by, lower pitch as it ‑ ‑ same with RF. You have the signal, switch through it fast enough you can get a good idea of where it's coming from. I have a setup that works against 345 and 900 mess ‑ ‑ so if anything does key up, outside of a certain parameter for where it's located, I haven't actually stepped past my front door but anything outside my house will pick up ‑‑ it uses the Agrelo DF message format, whereas it's signal quality, the system I use called the PicoDopp ‑‑ fixed at 7 for signal quality but I don't care, I just want to know where it is. The text there you see is an actual output from a test I was doing ‑ ‑ and the numbers 327, 316, 312, 319, those are all numerical bearings off the antenna array of where the signal is coming from. I was able to sit outside with one of the sensors, one of the 345 sensors, and key it off, the system says hey, there's something coming from outside and ‑ ‑ you can pipe that into a database as well, have that do time stamps, if it's a bunch you know somebody is jamming, it's from outside, you know somebody is trying to do a Z‑Wave attack. The possibilities are endless. If you put two together, correlate the two and have real‑time triangulation. It's fun.
>> Lastly, again, a lot of folks want to just kick in the front door. Alarm goes off, they don't care. They want to steal things. The best thing you can do is try to make it an inhospitable environment for them. They want to be quiet, anonymous, just get in and out and nothing happen, right? So I talked about earlier on the whole house will flash red, that's a good way to do it, especially if it's at night, the whole suburban house is horrible, you can flash exterior lights as well. Do something that is going to be electronically activated and do something in a safe way. Again, safe way, nobody wants to be sued. One thing you can do is hook up a 12-volt solenoid or ‑ ‑ for door lock, people who ‑ ‑ car handles, these real high‑powered solenoids you can push/pull with. Have it set up somewhere to knock over something. Alarm goes off, people come in, all of a sudden they ‑ ‑ something upstairs. What the hell was that? It will buy you a few seconds, and don't create anything that can do harm.
>> With that said, so this is purely theoretical. I don't want anybody to ever do anything like this, especially with doors ‑ ‑ everybody knows, don't do this. Don't build your own fireworks either. You can go buy firecrackers, around the fourth of July they are very cheap. Do not break these open or combine them into something, again, this is Chris Littlebury at DEF CON 2014 saying do not create your own fireworks.
>> So they make these things for model rockets, I have a good friend, figuring out a way to light these, dude, they are rocket igniters. I said dude, tell me more about this. This is the middle thing with the black ‑ ‑ wires that come in, really thin wire at the end and spark plug material on top of it. What happens, you put power in, shorts out, ignites the spark plug and it creates fire.
>> If you have it taped up to a bunch of firecrackers like that, it will go boom. For the sake of argument, if I were going to do something like this I would do them one‑on‑one, separate channel for each one, fire one off individually, it would be like a bang, bang bang, bang, not something that sounds like the kid from Home Alone put something in the thing and lit it all on fire have it sound something realistic. But inside a closed space it will be super loud. Your mileage may vary, may be completely illegal, do it somewhere nothing will catch on fire. These things fly off in the air. I have found them on the roof of my car testing them out. It's a lot of shit. To give you an idea ‑ ‑ [firecracker sounds]
>> That was just 12‑volts with just that one strand that you saw before. Again, you can do that with Pi, just drive a relay and apply four volt and boom it goes. So from here, I don't have any Z‑Wave integration yet, it's not open‑source, shit's expensive. I would like to be able to do that. I would like to integrate SDR scanning into the 345 band for the wireless sensors, that sort of thing, to be able to read those on the fly, not just the hard line. If there's any SDR guys that know how to pull information out of 345 meg AM ‑ ‑ signal, and actually use it, talk to me afterwards. That would be awesome.
>> There's the 345 900 Meg receiver, transmitter that ‑ ‑ wanted to spend time in the hacking village, see how that works out. That came out a day before I got on the plane to come here. I want to hear ideas from you guys. If you have awesome stories that don't include giant pits with spikes at the bottom ‑ ‑ no, no. Question?
>> Shut the door after the ‑ ‑ no, that may be a good idea but that also could be some sort of booby trap, that theoretic firework thing if somebody implemented such a thing, not that I would, but if it did and the door was shut, they were not able to have a timely egress outside the establishment, were to be maybe burned alive, that would be bad.
>> Anyway, I am running out of time, I apologize, any questions, there's my Twitter, e‑mail, all that. Come find me afterwards. Yes. [Applause]