Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog

0
426

In his first-time Defcon presentation, Tenacity Solutions’ Gene Bransfield shares his hilarious experience of making a ‘volunteer’ cat and dog go technical.

Good morning Defcon! I can’t tell you what a pleasure it is to be here. I’d wanted to present here for a while. I’d like to start the speech with an impromptu announcement: I promise never to say “big data”, “APT”, “cloud” or “cyber”. So, I never said those.

Intro
Intro
Good morning! I’m weaponizing your pets, let’s get started. My name is Gene Bransfield. I am the Principle Security Engineer at Tenacity Solutions. If you spend enough time with me, you’ll figure out I love my job. It’s a fantastic thing to get a wakeup in the morning and say: “Let’s get to work and get paid to do cool stuff!” People that hang out with me are like: “Hey, tell me more about your job.” They want my job. But they can’t have my job. I’m going to be the guy that dies on, like, a Friday of a long weekend and I’ll come in Tuesday morning – and there I am in the corner, clean me up and don’t step on that stain over there, that’s the Gene Bransfield memorial stain on the carpet.

So, what’s this talk about? This is a talk about having a humorous idea, bringing that idea to fruition, stories of triumph and woe, and valuable lessons learned. I’ve got a lot of slides, so let me get started.

What’s the incentive?
What’s the incentive?
Weaponizing your pets – why in God’s name would you want to do that? The background is that 15% of the world’s Internet traffic is dedicated to Cats. That’s right, we have the whole world’s knowledgebase at our fingertips when we watch cats and other things online. I find most tech briefings boring, and I know lots of people find it boring, so I started including pictures of cats and humorous stories around cats. In fact, this (see middle image below) is the picture that started it all. Oh, shut up! That’s awesome and you know it!

Final stimulus
Final stimulus
You just can’t stay indifferent
You just can’t stay indifferent
Bare facts
Bare facts
 

I just finished one such presentation and somebody came up to me and said: “I’m going to give you my cat collar,” and they told me about it – it had a GPS chip in it, a cellular component, and it could track where the cat was. If you were nervous, you could send it a text message and it would text you back the GPS coordinates of the cat. And I said: “Well, add a WiFi sniffer and we’d have a WAR KITTEH!”

Origin of the Denial of Service Dog
Origin of the Denial of Service Dog
And the Denial of Service Dog (see right-hand image): I was at Outerz0ne, LadyMerlin walked in with a dog that had saddlebags on it reading “Denial of Service Dog”. And I’m like: “Oh, cool! Is there a Pineapple in there or something?” She’s like: “No! It’s just whenever you try to use the computer he jumps in your lap and you can’t do it.” But the Pineapple is a great idea.

So, working animals are nothing new, we’ve got military and law enforcement dogs (see leftmost image below) and we have bad ass dogs that jump out of the back of military aircraft into the water (see middle image below). Then we have badder ass dogs (see rightmost image below): see the guy who’s wearing a gas mask? The dog is wearing a gas mask too! This guy jumped out of an aircraft at 30,000 feet. That’s a bad ass dog!

Badder ass dogs
Badder ass dogs
Bad ass dogs
Bad ass dogs
Really helpful animals
Really helpful animals
 

Seals used by the NAVY
Seals used by the NAVY
Spy dolphins
Spy dolphins
And then we have a real NAVY seal (see opposite right-hand image). And this is the truth: the NAVY uses marine animals for harbor defense and finding mines and doing things like that. You think you’re all stealthy and you’re going to swim in and blow up a harbor – and all of a sudden a flipper jumps out with a GoPro (see image above).

'Genious' idea
‘Genious’ idea
There are other things that happen. Apparently, back in the 60s – this is Acoustic Kitty (see right-hand image), and there’s a lot of pot going around the CIA. So, imagine sitting around a table smoking: “We’re going to take a cat, we’re going to put a transmitter on his chest, a microphone in his ear and an antenna wire, and we’ll call this the Acoustic Kitty.” This actually got funded! I’m not kidding here. There were all kinds of science and experiments, and they did the first operational test, they had a couple of guys over there that put the cat down: “Go listen to those guys,” the cat ran right out in the traffic, and that was the end of Acoustic Kitty. And at that point they defunded this, not because it was a bad idea but because all the scientists quit, they’re like: “Screw this! Cats are too hard to work with!” That’s a very interesting thing they found; we’ll get back to that later.

Initial requirements
Initial requirements
So, requirements… The CONOP is to put a collar or harness on a cat with stuff in it and have the cat do a walkabout and get data. Well, number 0 is I don’t want to harm the cat. I don’t like cats but I don’t want to wantonly harm an animal, that’s just not who I am. Rule number 1: the cat shall be able to wear stuff comfortably and should not be harmed by stuff, speaking of the form, fit and function; but also we don’t want any blinking lights. Rule number 2: the GPS is going to record waypoints. Rule 3: the WiFi sniffer is going to bring back all my stuff.

And there are actually other products out there (see leftmost image below) to deal with your cat here: Mr. Lee CatCam, where there’s a little camera that hangs on the bottom of the collar; there’s also Pet Tracker and stuff. None of these solutions do WiFi sniffing though, so I’m good there.

The tiny Cotton Candy
The tiny Cotton Candy
The GumStix solution
The GumStix solution
Products that could help
Products that could help
 

RockChip 3066
RockChip 3066
So I thought about all kinds of different ways to do this. Here’s the GumStix solution (see middle image above), really cool computer on a stick, small form factor, but kind of expensive. Cotton Candy – again, computer on a stick, very cool solution (see rightmost image above). The RockChip 3066 (see right-hand image) is an open source thing that you can attach to the back of your television and do HD streaming. There’s also a Linux image that you can put on this thing. And I was having trouble doing that.

Why not?
Why not?
Some contemplations
Some contemplations
I sat there, I had a beer and I thought about it. I need some small form factor, GPS, WiFi, and cellular. Any idea what that could possibly be? How about a phone? It was in my pocket the entire time. So, okay, cool, I got to do some Android coding, get to make an APK, right?

A great wardriving tool
A great wardriving tool
They already thought of that. It’s called WiGLE, and you can just download this from the Android store and do wardriving with your phone in your pocket anywhere anytime, that’s pretty cool (see right-hand image). So, now we need a volunteer cat. This is Skitzy (see leftmost image below), and this is the cat that belongs to my friend Reeves. There’s 22 inches from the base of neck to base of tail, 20 inches in the chest, and 12 inches on the neck. This is a big damn cat! So I’m not worried about putting crazy things on him and his friends making fun of him, because he’ll just smack them around a little bit.

Small dog coat should work
Small dog coat should work
Kinda sucks...
Kinda sucks…
Meet Skitzy
Meet Skitzy
 

Now we need a cat coat. And if you google “cat coat” on the Internet, you get pictures of girls wearing coats that have cats on them. And if you google “kitty coat” on the Internet, you get pictures of other things – don’t google “kitty coats”. But I finally figured out that if the cat was big enough I could get a dog coat in a smaller form factor so that it would fit (see rightmost image above). That’s what I did.

The War Kitteh plan
The War Kitteh plan
So, now the plan is: put the tech in the coat, coat on the cat, send the cat on a walkabout, recover data when the cat returns, and then – profit! So, step 1: put the tech in the coat (see leftmost image below). Step 2: put the coat on the cat, and you can see he’s thrilled (see middle image below). Send the cat on a walkabout, and then profit, right? No! That’s the backyard (see rightmost image below). What could have possibly gone wrong here? It’s obvious: we didn’t put the coat on tight enough.

Fail
Fail
Looking sort of thrilled
Looking sort of thrilled
Put the tech in the coat
Put the tech in the coat
 

So we put the tech in the coat, put the coat on the cat, slap it real tight this time, send him out on a walkabout, and we wait and we wait and we wait… It’s like 18 hours later, people are freaking out, and finally we hear “meow” somewhere by the backdoor, and we open the door – and there’s the cat (see leftmost image below). I’d like to draw your attention to the form factor of the cat going out the door, and then coming back in. So we failed on that, and the last known GPS location of it was right here (see middle image below). We went that way – and it’s not there.

Preliminary takeaways
Preliminary takeaways
Last known location
Last known location
The comeback
The comeback
 

So far we have learned (see rightmost image above) that cats are really hard to work with. You should always test your expensive stuff out before sending it on a cat someplace. I’m going to need an Amazon Prime account. And they were worried about the cat, so no more coat. And so I have to think about something different.

Benefits of Arduino
Benefits of Arduino
Friends are helpful
Friends are helpful
I was talking to my friend Bill about this, and he laughed. He said: “Why don’t you try Arduino? It’s a small form factor, low power consumption, does exactly what you need – no more no less, and there’re all kinds of chips and solutions out there.” My first question was: “What the hell is Arduino?” It turns out Arduino was a project by some researcher in Italy. It was his master’s thesis. The idea is, like, there’s open source software out there, so why not open source hardware? It’s really cool, it comes in a small chipset, they can stack them on top of each other (see rightmost image above).

Video game cheating
Video game cheating
Copied motions
Copied motions
Freezer stuff
Freezer stuff
 

Really tiny
Really tiny
There are lots of expansion shields. You can make robots, remote control cars, etc. This guy (see leftmost image above) used it to check the food in his freezer. This guy (see middle image above) puts the glove on, he moves the glove, and the robot hand moves. This guy (see rightmost image above) used it to cheat on his video games. It’s a really small form factor (see right-hand image).

The good news with Arduino is it’s open source and relatively inexpensive, until the cat starts losing it and you have to buy nine of them.

Hurdles
Hurdles
The bad news is it’s sometimes poorly documented, and it can take forever to get to you if it’s an expansion shield; and questionable performance sometimes.

Well, okay, cool, that’s great, but I’ve never done anything with Arduino. I’ve never worked with small firmware, chipsets or anything like that. I’m not a professional coder. And I’ve never soldered before. And my friend says: “Don’t worry, it’s easy!”

Things to do
Things to do
So the plan (see right-hand image) was to get some basic Arduino stuff, decide on the most accommodating form factor, put it all together in a collar, and then figure out something for the Denial of Service Dog. So I went out and I bought the how-to book on the Arduino stuff (see leftmost image below) that came with an Arduino Uno – a whole bunch of guides, a whole bunch of learning and reading up on engineering and electronics and stuff. I get the flashy things flashing when they’re supposed to flash, and the non-flashy things not flashing when they’re not supposed to flash.

Jeremy Blum helped a lot
Jeremy Blum helped a lot
More advanced stuff
More advanced stuff
Getting to know Arduino
Getting to know Arduino
 

So I started, okay, I’m ready to go get the more advanced stuff (see middle image above): I need libraries for WiFi – they got it; GPS – they got it; SD card stuff – they got it. Fantastic! Let’s get a little bit higher now. Jeremyblum.com has a lot of videos on making these things work (see rightmost image above). So now I did all my research and background investigation, and I’m now an expert!

The plan
The plan
GPS Shield
GPS Shield
WiFi Shield
WiFi Shield
 

So I went out and I got a WiFi Shield (see leftmost image above) and I got a GPS Shield (see middle image above). The plan I had now (see rightmost image above) was to get the WiFi collecting stuff and writing it to an SD card, get the GPS stuff writing to an SD card, combine the two – and then profit.

The WiFi Shield was really cool. It was easy to set up; drivers worked right away – it was even talked about on the Arduino website. Messing around with some parameters and variables, and I’ve got my solution right there for that. That was easy!

GPS issues
GPS issues
GPS – not so much easy (see right-hand image). The NMEA string is what satellites are broadcasting out there, stands for National Marine Electronics Association. This comma-separated value right there is what the satellite is actually sending out. The GPS boot process is it starts up and it doesn’t know where it is on the planet – it could be your back pocket, it could be in Timbuktu. So it has to listen to space, get at least three satellites listening to figure out the NMEA string. This whole process can take 2-15 minutes, and if somebody is looking over your shoulder it’s going to take 15 minutes.

Documentation shortage
Documentation shortage
The GPS Shield was rather poorly documented (see right-hand image); there were no docs, really, in the kit; and it took me a good several weeks of “What’s wrong with this? Why is it not working?” Finally, at the really long end of the research effort I found out that the baud rate is supposed to be 34800. And I wanted to get some demonstration of how it was poorly documented, but now I go online and I can’t NOT find that the baud rate is 34800, I don’t know why.

So I put all the components together (see leftmost image below). The WiFi Shield, as you see, is sitting on top of the Arduino. The GPS Shield is off to the side because I wanted to reuse some of the pins. And so, I put this all together and I combined the code strings, and I got this weird error about 80% memory utilization (see middle image below). And I’m like: “I see that on the news all the time; blow it off, go for it!” And after a little while I was like: “No, they were telling me the truth – with 80% memory utilization the chip can’t work anymore.” There’s only 32K of memory on an Arduino Uno. The Arduino Mega, however, has 256K of memory.

Another shot with the Mega
Another shot with the Mega
Memory error
Memory error
The assembled stuff
The assembled stuff
 

So I purchased the Mega, put that all together (see rightmost image above), played around with some variables, did some stuff – and woohoo! It works! Now I have a working prototype. So, the Arduino Mega 2560 is mo memory – mo betta; mo ports – mo betta; but mo size is not mo betta.

The Adafruit WiFi
The Adafruit WiFi
Never received it
Never received it
So I searched all over the Internet trying to find something that says “Tiny Arduino 2560”, “Tiny Duino 2560”, from JKDevices.com (see leftmost image to the right). JKDevices.com is a complete rebuff, and I told them I was going to mention that during my talk. They never sent me my stuff. So, Defcon now knows about that. But I didn’t know about that at the time, so now I need a WiFi chip, the Adafruit WiFi chip breakout board right there (see rightmost image above).

Looking into another form factor, this is the Spark Core (see leftmost image below). I call it the “Arduino mullet” because it’s got WiFi in the front and Arduino in the back. And of course we need a GPS chip, the GP-635T (see middle image below), and SD card breakout board for writing all the stuff down (rightmost image below).

SD card breakout board
SD card breakout board
GP-635T
GP-635T
Another form factor
Another form factor
 

So, Arduino Mega worked, but the MegaMini says it’s going to be four weeks to ship, and other solutions are too big in size or too small in memory, so I went with the Spark Core, which is also having problems shipping. So I borrowed one from my friend Bill who got me started on this in the first place.

What's under the hood?
What’s under the hood?
The tech on the Spark (see right-hand image): the ARM is 32-bit M3 CPU – that’s cool; 128KB memory – more than I need; SPI and I2C compliant – those are connection protocols between chips and peripherals, it’s got, like, the intranet between microcontrollers; a TI CC3000 WiFi chip – it had that; Arduino compatible – no. People say: “Yes it is,” because they are chip heads and they know the difference. But me, I’m not a chip head yet, and when you say it’s Arduino compatible that means it will work with my external components, and I can just cut and paste the code from one thing to another. But that’s not how it works. Arduino is one thing, the Spark Core is another; and long story short – I’m going to have to start all over again from scratch. And that made me not happy.

Spark Core is cool
Spark Core is cool
But despite all this problem with the Spark, it’s very-very cool; it had a really dedicated core group of developers, and I’d be looking on the forums, and one guy came in and said: “You know, I’d really like to see it do ‘blaah’…”, and some developer would stay up all night, and then next morning – boom, there it is! Shout out to peekay123 who helped me a lot on my project. And so I figured all this stuff is getting updated, let’s see what happens.

So, libraries: somebody posted SD card libraries to the forums – they compiled for me, great! Somebody posted GPS libraries to the forums – they compiled and they worked with my GPS Shield, cool! WiFi libraries – not so much, because the Spark Core builds itself as an “Internet of Things” device. So WiFi is really in the background as a service: you’re supposed to do the coding upfront, and they’re just supposed to connect you to the Internet for your stuff; it’s not there to mess with.

Trying Adafruit board
Trying Adafruit board
Hurdles with WiFi libraries
Hurdles with WiFi libraries
SD card and GPS libraries
SD card and GPS libraries
 

But I want to mess with it. So, the Adafruit board that I bought (see rightmost image above) had the exact same chip on it, and Adafruit had their libraries available for download. So I figured, since it’s the same chip, I could download these libraries. And I’d messed with it before, because, you know how Thomas Edison said: “I found 100 ways not to make a light bulb before I finally found a way to make a light bulb,” – I found a lot of ways to not make a kitty collar. So I messed with these things and I made some SSID scanning stuff; I just copied and pasted, put it in there – and bang! It worked!

Soldering tip #1
Soldering tip #1
So, now I got the GPS working on the Spark; I got the SD compiled on the Spark, and I got SSID collection working on the Spark. Now I got to start working with those tiny components that I bought, and that means soldering. Who out there knows how to solder and likes it? Soldering is my new least favorite activity. For those of you who are getting ready to learn how to solder, I got some rules for you. Rule number one is: don’t touch the pointy end – that’s where the hotness is (see right-hand image). Rule number two is: always remember where you put the soldering iron down (see leftmost image below). If you violate rule number two, you are going to violate rule number one. Rule number three is: everything looks so easy on the Internet, and it’s not (see middle image below).

First attempts
First attempts
Soldering tip #3
Soldering tip #3
Soldering tip #2
Soldering tip #2
 

That notwithstanding, my first attempts at soldering went rather well (see rightmost image above). I got the SD card breakout board here, this is all my breadboard stuff. The chips on the left-hand side – there’s a cord of the SD breakout board, and I had to solder headers onto the end of the cords for the GPS antenna. So, that went pretty good.

Home vs. car ride testing
Home vs. car ride testing
In the home testing, everything went great: I was getting the sniffing, I was doing the stuff, I took it out to my yard, I watched my neighbors’ WiFi. Then I took it in a car ride – and there was massive failure, I didn’t collect anything. Why not? Well, again, Spark is an “Internet of Things” device. It’s never meant to be not connected to the Internet. So I was talking to the guys on the forums about how to do this. For example, speaking about power consumption, you always have to turn that chip on and off because it’s just going to suck power. But when you turn it on, make sure you encase all further code in a “If status = = WIFI_ON” clause. “If status = = WIFI_ON” only returns “true” if it’s connected to a known WiFi access point, and if I’m a half mile down the road, that’s not going to happen.

So, what I did is I noticed that I could turn on the chip and then do my SSID scan real quick before it actually made a connection. And that worked perfectly. So I removed that code from live stuff, and that’s all I needed anyway. Now I’m back on track.

Wrong GPS libraries
Wrong GPS libraries
I took it for a drive and I got data back. I started looking at the GPS coords and popping them into Google Earth, and I was driving on the highway – and they had me off in a lake. I was sitting at my house, and they had me halfway down the block. And I’m like: “What’s going wrong?” Well, whoever posted the GPS libraries they did the media conversion incorrectly. So, now I’m back to having no GPS libraries (see right-hand image).

A workaround with TinyGPS++
A workaround with TinyGPS++
So, when I was working with the Arduino stuff I had the TinyGPS++ stuff that I’d really liked to use. I loved to use TinyGPS++ because it was very easy to interact with and it had everything I need. So I need to find someone to put this GPS++ into the Spark stuff. I talked to my friend Bill and he said: “Well, why don’t you just port the libraries?” I’m like: “How do you port libraries?”

And he explained it to me in a way similar to my rocket science story, which is having drinks in a bar with somebody and this guy joins our conversation and he is a pretty cool guy. So eventually a question comes up: “What do you do for a living?” He’s like: “I’m a rocket scientist.” And I go: “No, seriously, what do you do for a living?” He’s like: “No, seriously, I’m a rocket scientist.” And so, that’s cool. “What do you think about the phrase ‘It’s not rocket science’?” And he’s like: “Well, I laugh at that, because, you know, there’s some science and engineering that goes into building the rockets and putting the fuel in them, but at the end of the day you just put the rocket on the launch pad, hit the red button and hope for the best.” Sometimes it blows up, sometimes it falls over and blows up, sometimes it gets all the way to space and then blows up. The hard part is not getting new rockets – the hard part is getting more monkeys to put in the rockets.

Anyway, that’s how you port libraries, as it turns out. You change the Arduino stuff out with the Spark stuff, you hit Compile, listen to it scream actually, then you go fix what it’s screaming about, and you keep doing that until it doesn’t scream at you anymore. And if the compiler screams at you and you scream back, you’ll only really succeed in scaring your wife. So I did that for a couple of hours – and bam! It works! I have now ported libraries!

Taking care of the power consumption hurdle
Taking care of the power consumption hurdle
The next problem is power consumption (see right-hand image), and my buddy Ricky Hill hooked me up with the E-flite batteries that are used for model airplane stuff: 3.7v, 500mAh batteries – enough to get the kitty thing going. So, now I’m testing for the optimal power consumption, and the first thing you think of is: “Oh, I’ll just turn everything on, get the stuff and then turn everything off.” But remember I told you before that it can sometimes take 2-15 minutes to get the GPS lock, and if you turn off the GPS antenna it loses the satellites. And the cat runs under a bush, and then you burn through your power without getting any data. So I found the best solution for me was to turn the main microcontroller on and off, keep the GPS chip powered, and that worked much better: collections every 30 seconds, the whole solution lasted 4 hours. Every 10 minutes – it lasted 8 hours (see leftmost image below).

Lots of help from Nova Labs
Lots of help from Nova Labs
The desoldering pain
The desoldering pain
Some testing
Some testing
 

So, now I have to make a collar. And if you thought soldering was fun, desoldering is twice as much fun as soldering ever was (see middle image above). Oh my God, I destroyed so much crap trying to desolder things. The Internet, again, is not helpful, and YouTube makes everything look too easy. So I talked to my friend Joey, and he said: “Yeah, head out to your local MakerShop and Nova Labs and they will help you out.” So, shout out to Nova Labs in Western Virginia! Ted – mad scientist/evil genius, helped me learn how to do EAGLE; and Brian was my soldering tutor, he showed me the right iron and the right solder and made my life a whole hell of a lot easier (see rightmost image above).

Need to sew ribbons together
Need to sew ribbons together
Now I actually have to make the collar itself. That’s hard stuff. I don’t know how to make a collar. I can go code things and learn how to solder, but this is, like, ribbons… So I talked to my friend Joe, and he’s like: “Why don’t you just get a couple of ribbons and you sew them together, and then you can put your stuff inside of it.” I’m like: “Cool!” So I went down to my gals and I got myself ribbon: “It’s leopard skin print, it’s so in this year for all the cats” (see leftmost image below).

Done!
Done!
Grandma did the trick
Grandma did the trick
There's the ribbon
There’s the ribbon
 

But now I need to sew it together. Who knows how to sew? It’s, like, 2014, we don’t sew stuff, we just go buy new stuff. It’s a grandma skill, right? So, what do you do? You get a grandma (see middle image above). This is my wife’s grandmother, her name is Nancy, she’s “really nice to meet you”, and she was very happy to help me out, and here’s the final collar assembly (see rightmost image above). We have a dollar bill followed by the E-flite battery, the actual collar, and then the components all wrapped up not only to get protected from weather, but the Spark has a lot of flashy bits – I didn’t want to put that on the cat.

Back to Skitzy
Back to Skitzy
So, now we’re back to our volunteer cat (see right-hand image). This bastard still owes me a cell phone. We’re going to send him out with some practice stuff first to see that he comes back with it, and then I might let him play with my tech. So we put the collar on to see if he tolerated it, and he tolerated it marvelously. Reminding you of what it looked like before (see leftmost image below), and what it looks like now (middle image below). It’s all cool, except – you see that little bit behind his head, that little metal bit – that’s the name collar, it’s supposed to go on the bottom because the GPS is directly opposite. So we have to put a weight on it, so I went down to Ranger Supply. It’s a War Kitteh, it gets a bullet (see rightmost image below).

Bullet for the weight
Bullet for the weight
Now
Now
Before...
Before…
 

Something went wrong
Something went wrong
Now the new plan is the tech goes on the collar, the collar goes on the cat, the cat goes for a walkabout – and profit. So, initial deployments were … nothing (see right-hand image). I’m like: “No, no, no! I know this works!” So I grabbed all my stuff and I went out to my buddy Reeves’ house, did all the diagnostic, and everything is working fine, and I’m like: “What’s going on?” So we put the collar on the cat, we had a couple of beers, the cat walked under a bush and he hung out under that bush and licked himself for 20 minutes. People are like: “He’s cleaning himself.” Yeah, with his tongue, he’s licking himself! So I said: “Hey, Reeves, is that the cat under the bush?” He’s like: “No.” And he walked up, walked over the bush and said: “Yes,” and he grabs the bush and he shakes the bush, and the cat goes running out.

Results
Results
Woohoo!
Woohoo!
Another try
Another try
 

But we figured out a better deployment process (see leftmost image above) would be to let the collar sit outside for 5-10 minutes to get that GPS locked, bring the cat to the collar, put it on the cat, and then let the cat go for a walkabout, and this might work, maybe…Success, bitches! Here are the initial results (see rightmost image above), obfuscated for obvious reasons. And I’ve got somebody contacting me off the Internet, and he said: “Hey, I can help you out with visualizing this.” And check this out, somebody did this for me (watch video below). That’s awesome! I’d like to point out that I’d been working on this for a good number of months, and the damn cat never left the front yard.

Visualization of Skitzy’s results
Results for Coco
Results for Coco
New volunteer
New volunteer
Then we went to my grandmother and she said: “Oh, I’d love to know where Coco goes,” so we strapped it up to Coco (see right-hand image). We’ve got some results here. I’d like to point out we still have WAP and we still have open WiFi hotspots in 2014. Oh my God!

Results for Coco
Done with the War Kitteh
Done with the War Kitteh
Coco went a lot further, as you’ll see (watch video above). There he goes. He wandered all over the neighborhood. Yeah, he’s going to take a while. He actually caught a mouse during this deployment; that was very-very cool. You see we got really cool results, the cat has tolerated it brilliantly, and it was the fruition of a long work, and I can’t tell you how happy I was to get the initial results back. So, that’s the War Kitteh, ladies and gentlemen!

Unleashing the V-dog
Unleashing the V-dog
Now I’ll move on to the Denial of Service Dog. So, the Denial of Service Dog, admittedly, is just trolling. There’s nothing socially redeeming about it all. I got a WiFi Pineapple that I bought at ShmooCon. I got a TV-B-Gone that I bought at RadioShack; it’s the Adafruit kit. I also got a doggie backpack with “Denial of Service Dog” patches on it. There’s the WiFi Pineapple – you know what that is (see leftmost image below). I had Karma up answering probes (see middle image below); DNS Spoof to redirect everything to the Pineapple; and then there’s a package that you can download on the Pineapple called RandomRoll, and it just has, like, 5 or 6 RickRolls that it just cycles through as people connect to it – it’s awesome!

TV-B-Gone taken apart
TV-B-Gone taken apart
The plan
The plan
WiFi Pineapple as it is
WiFi Pineapple as it is
 

So, here’s the TV-B-Gone as it comes with my newfound soldering skills (see rightmost image above). It was supposed to be this (see leftmost image below), and I turned it into this (middle image below), the idea being I was going to get the saddlebag, put the TV-B-Gone in the saddlebag and connect the wires and run them up through so that the LEDs are on the outside of the saddlebag.

Wasn't easy
Wasn’t easy
The transformed version
The transformed version
What it's supposed to look like
What it’s supposed to look like
 

The patch
The patch
So, now I need some patches (see rightmost image above). And wholly crap! How hard it is to get somebody making patches these days – nobody does it anymore except on the Internet. So I beat the streaks for quite a while, and thank God I found Irina & Friends at JoAnn’s Fabrics in Sterling, Virginia, and they made me a Denial of Service Dog patch (see right-hand image). I like the little WiFi thing right there.

I have a video demonstration to prove that it works (watch video below). You see there’s the Denial of Service Dog stuff, and the Adafruit stuff all wired up, and there’s the LED sticking outside of the saddlebags. I ran the wire up the leash, and I have that button in my hand right there. I used a lacrosse tape to tie the wire on the leash. The idea is you hit the button right there, you see the little green light start flashing on the Adafruit kit, and then the TV will just turn off.

Turning off the TV using tech on the Denial of Service Dog

Here’s the demonstration video of this stuff working (watch demo below). I’m outside somewhere, and you will see that the Denial of Service Dog SSID is up, because that was another thing that I did. I’m going to add a WiFi hotspot, it’s going to be called “defcon”. I’m filming with one hand and typing with the other; forgive me how long it took to do this. Trying to connect, and Karma is going to go: “Oh, that’s me over here,” so it’s going to pop up, I’m going to connect, and then I’m going to go out to the Internet. I’m now going to go to CNN. So, that’s how that thing works.

Some cool DNS spoofing
The anti-Doberman Doberman
The anti-Doberman Doberman
Now I need a volunteer dog to be our Denial of Service Dog. And you notice that this volunteer dog (see right-hand image) is a Doberman pinscher. Have you ever seen a Doberman pinscher service dog? No? Well, now you have. So, our volunteer dog is quite possibly the most anti-Doberman Doberman. When I got there, he just loves everybody, and he ran around the yard for 10 minutes: “Oh my God, so happy – new people, new people, new people!” So we dragged him inside the house and put the backpack on him, and he stood like this for 10 minutes (see leftmost image below). And that’s good because it let me take pictures; there are all the service dog patches on here (see middle image below), and he got that good on there too (see rightmost image below).

LEDs in the right place
LEDs in the right place
The patch on the top
The patch on the top
Ready to go
Ready to go
 

The side effect of shaking
The side effect of shaking
So, the first thing that the V-dog did when he stopped being comatose is he shook the gear. And we discovered two things. One – there’re now two ways to deploy the TV-B-Gone once you hit the button; the other is the dog shakes. The other thing I discovered is that I failed to properly secure the TV-B-Gone into the patch, and every time he did that it went flying all over the place, and in the process of doing so completely destroyed my TV-B-Gone to the point that even with my newfound soldering prowess I was not able to bring it back.

The funny thing is, if it says “service dog” on your dog’s backpack, they will let you in. Mine very clearly said “Denial of Service Dog”, and they went: “Service dog? Oh yeah, sure!” Here’s the part where I tell you that one man’s video proof to Defcon is another man’s evidence in court. But the truth of the matter is I was so focused on what was going on with the Denial of Service Dog that I hit the wrong button on the GoPro. It’s got two buttons, I hit the wrong one. So, now I’ll have to go all xkcd on you here.

Scenario #1: restaurant
Scenario #1: restaurant
So, there we are with the V-dog, he’s like: “Oh, I love you, play with me,” I say: “Do you mind if we come in?” Everywhere we went we asked if it was okay to come in, and the guy is like: “Sure! Want something to drink?” And then off in the corner you hear: “Peanut buttah jelly time! Peanut buttah jelly time!” (see right-hand image) I’m taking some artistic license here, but still… So, about the third or fourth time the guy came back to our table, he’s like: “Hey, why does it say Denial of Service Dog?” Props to this guy because he’s the only one all day long that ever asked. But we didn’t answer him and he just went away.

Scenario #2: sports bar
Scenario #2: sports bar
So, if you want to go into a sports bar and you hit the button (see right-hand image), the dog says: “Oh, ball! Play!” And it just happens to be the World Cup game, the Argentina semifinal, and you hit the button and it goes away. And the people in the bar are like: “QUE?!” And you hear: “Never gonna give you up…” So, if you go into a restaurant that has 50 TVs on the wall, they are all remotely controlled from some dude in the back, but if you go into a restaurant where there’s one or two TVs on the wall – they are not. Just sayin’…

Scenario #3: box store
Scenario #3: box store
Then we go into a ‘J. Random’ box store somewhere (see right-hand image). And the V-dog is like: “Oh, I love you, I love you!” As we’re walking around, the owner’s got the leash in one hand and he’s got his hand on the backpack: “Stop! Sit!” This is not a service dog… We say: “Hey, do you mind if we come in?” He’s like: “Sure! Make sure he doesn’t poop on anything.” This actually happened. And then we go back to the TV section, and of course the V-dog is like: “Squirrel!” And then we hit the button, the thing goes up – and the television goes away. Yeah! We did wonderful things! And then you hear: “Circus Afro, Circus Afro.”

Denial of Service Dog - results
Denial of Service Dog – results
So, according to the results, several hapless victims connected to the Karma/Denial of Service Dog – logging failed as I cannot definitively prove that anybody connected to it. While we were out I took some artistic license, however when I was just showing this presentation to my company a couple of weeks ago, people were getting owned right and left. Only one person asked about the Denial of Service Dog, most people just said: “Nice doggy!”

Basic takeaways
Basic takeaways
So, what have we learned overall? A tech hobbyist with no prior firmware experience can create a functional War Kitteh Collar in a relatively short amount of time. You can do this too. I didn’t know a damn thing about this stuff when I got started, and I got frustrated but I kept at it – and bam, I got some really cool stuff. In 2014 there are still unsecured WiFi hotspots around. Lots of devices still probe for stuff. There’s still no patch for human stupidity. And cats – and dogs – are really hard to work with.

The 'thanks' list
The ‘thanks’ list
I’ve got to give a shout out to all these guys (see right-hand image). JK Devices – don’t go there, they are terrible. Thanks to Reeves, Bill, Joe, Joey, Nancy, Ricky, V-dog.owners, the Spark.io guys, the Nova Labs guys, V-dog, Skitzy, Coco, Tenacity, and of course Defcon. I’m so proud to be here! Everywhere I go with this community, you guys are willing to help. If you’re not a jerk you’ll be very accommodating and all that good stuff. You should be proud of this hacker community, and I’m proud to be associated with you guys. And because of that, I went out and did some extracurricular activities for Defcon with regard to the Denial of Service Dog and the War Kitteh.

More girls
More girls
A couple of girls
A couple of girls
BadKitty in all her glory
BadKitty in all her glory
 

Defcon 22’s volunteer War Kitteh is the host of Hacker Jeopardy, Bad Kitty (see leftmost image above). She’s wearing the collar, folks! Look at her! We went up and down walking the Strip. There we are with a couple of girls (see middle image above); there we are with a couple more street performers (see rightmost image above); Zach Galifianakis guy showed up; we hit a couple of monuments and did all stuff (see leftmost image below); and we had a couple of really willing participants (middle image below); and a couple of not-so-willing participants (rightmost image below).

Not-so-willing participants
Not-so-willing participants
Willing participants
Willing participants
Cool monuments
Cool monuments
 

But here are the results from walking up and down Defcon, of walking up and down the Vegas Strip (see leftmost image below). And I couldn’t get the Kitty to work because of probably the demo fail, but that’s what we did just for you guys over the past couple of days.

Defcon Denial of Service Dog
Defcon Denial of Service Dog
Video demo fail
Video demo fail
Vegas Strip results
Vegas Strip results
 

Volunteer DoS Dog
Volunteer DoS Dog
And of course, we’ve had the War Kitteh, and we need the Denial of Service Dog (see rightmost image above). So we found a volunteer Denial of Service Dog, everybody’s favorite goon SkyDog (see right-hand image). I was explaining to him what I’d like him to do and all this good stuff, he would listen to me and say: “Gene, Gene, Gene… I don’t need a backpack to denial-of-service somebody. If I want them to sing Circus Afro, they will sing Circus Afro.”

CNN's try
CNN’s try
I got so much attention paid to me. I never expected all this. A lot of cool stuff, this is my best Defcon ever! But I got to leave you guys with this really hilarious funny thing that happened to me. CNN did this to the War Kitteh (see right-hand image). They strapped a GoPro to his back, with tape. Yeah, exactly, and then they’re like: “Okay cat, get up and walk around, do this.” And the cat’s like: “No, I’m not going anywhere, screw you people!” So CNN found out what I had also desperately found out over this whole thing: cats are just damn hard to work with.

Thank you guys very much!

LEAVE A REPLY

Please enter your comment!
Please enter your name here