Sunday, 10 August 2014 18:58

The unlikely story of the War Kitteh and a Service Dog that is not a Service Dog At all

Written by

Reading time is around minutes.

DEF CON 22, Las Vegas, NV 2014 – On the last day of DEF CON 22, in oddly empty halls and with very subdued (hung over) conversations going on, I walked into what was probably the most entertaining security talks I have ever seen. To start with the premise of the talk was absurdly enticing. How and, of course, why would anyone want to put a sniffer on a cat or turn a dog into a denial of service station? Even though I had briefly covered the concept I still needed to hear how it all happened and then the real why behind it.

The talk kicked off with the why behind the concept and some of them were interesting to say the least. Tenacity Principle Security Engineer, Gene Bransfield explained that he came up with for a few different reasons. The first is that about 15% of internet traffic is all about cats, despite having a wealth of information at our fingertips we chose to send pictures of cats back and forth to each other. The second was that security talks are generally boring. He had noted this in his own work and had started putting funny pictures of cats in his presentations. At once security convention someone had given him a cat collar with a GPS and Cellular radio, he noted that all it needed was a WiFi Sniffer and it would be perfect for war driving.

For the DOS Dog he noted that there are many bad ass dogs in the world and showed us a few images to prove his point (including a dog jumping out of the back of a helicopter). He also went back to the collar concept and the possibility of putting a WiFi Pineapple in it. In general he showed that the use of animals in the military and as high-performance service animals was not unheard of, so he wondered why no one had thought about this before.

That was before he found out that cats had been the subject of specialized listening. He found a concept that showed a cat with a microphone attached that was dubbed acoustikitty. Apparently this project was actually funded (along with the weed to keep the great ideas going). But that the researchers had discovered something that he would soon find out: Cats are a pain to work with.

To kick off his research he had several goals. First he did not want to hurt or cause discomfort to the cat in anyway. So the technology had to be comfortable. He thought the concept of a coat would be a good idea (you can tell he does not know cats). He needed something to use to collect data an also to keep track of where the cat was. After looking at a number of choices he settled on the obvious choice of a cell phone for the coat.

So he put the tech (the cell phone) on the coat, put the coat on the cat and let the cat go out…. And manage to get out of the coat when going through the back fence. First lesson learned, coat not tight enough. So once again, tech on coat, coat on cat and… wait. After a few hours the cat came back without the coat again. When the checked on its last location the coat was not there. Now we had a lost cellphone. A new idea was needed.

After mucking about with a couple of hardware choices Bransfield settled on a company called Spark. The device was small, low power and seemed perfect for what he needed. There was just one problem, well more than one really. None of the stuff he had really worked with one and he could not actually get one in. There was also the issue of not knowing how to solder and not being terrible proficient at porting code or coding of this type. He also found that most of the devices that he was working with were intended to be put in IoT (Internet of Things) products so they would not properly work if there was no internet connection. He had to make a few adjustments to the code to make sure that it would work without needing to connect to the internet first. Battery life was a problem until he settled on using a power management scheme that turned off the main CPU, but left the WiFi. He would set the polling for every 10 minute which ended up getting him about eight hours of battery life.

He worked with several other people to finally get a device that would work for his purposed. He had a product that would write GPS information to SD and also WiFi information to the same SD. So now he had a device, but what to put it in? He decided to use ribbon to make a collar and put the sniffer into it. As he did not know how to sew he had to enlist someone to help. In his words, he needed a Grandma and he found one.

So, tech in the collar, collar on the cat and set it loose. For the first run, the cat sat under a bush licking himself for 20 minute and they never got any data. The reason for this is that the GPS had not been able to find any satellites (three are needed) so nothing was gained. A new method had to be found. Eventually Bransfield came up with this: Get GPS Lock, take collar to cat, put collar on cat and let cat go for a walk. This worked and he was able to gather data on WiFi in use in the area the cat waked. The sad part of this is that people are still using WEP and have open WiFi.

Now for the concept of the DOS dog things are even more interesting. Bransfield built a harness complete with a patch that said “Denial of Service Dog” granted the words denial of were much smaller than service dog, but who is going to quibble over that? Bransfield also wanted to be a little more active with this one so he dropped in a WiFi Pineapple and also a TV-B Gone that would work from a switch in the leash. He would also use Karma to change DNS and push out a number of returns for any web page someone went to. The TV-B Gone would do what its name implies. It would turn off TVs in the area.

So he put the tech in a vest, and the vest on what might be the world’s most social Doberman Pincer. Besides the fact that Dobermans are almost never used as service dogs, the extremely social behavior should have been a dead giveaway. However, despite the denial of service label and the actual dog itself only one person questioned that the dog in use was actually a service dog at all. According to Bransfield they never actually answered him, so he went away. They took the DOS Dog to restaurants, a sports bar, and even to a big box store. I wish we had the graphics he used in the presentation as they were hilarious when you see them. He made use of the TV-B Gone at each location to great effect and much humor. During this part of the talk the audience was laughing almost uncontrollably.

Both the War Kitteh and the DOS Dog worked as expected and pointed out some very interesting things. The first is that this type of hack can be done by almost anyone. While it did take time to get it all together, most of the information was found on the internet and was not that hard to learn. He also noted the dangers of continued use of WEP and Open networks (he said there is no “Patch for Stupid”). It was extremely entertaining and informative and without a doubt the best security presentation I have ever been to. We will certainly be keeping an eye on Gene Bransfield and see what else his delightfully twisted mind can come up with. For now we will all have to take an extra look at that cat or dog as it cruises by, it just might have been weaponized…

Tell us what you think in our Forum

Read 4276 times Last modified on Sunday, 10 August 2014 19:02

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.