Mobile Mesh RF Network Exploitation: Getting the Tea from goTenna

Presented at DEF CON 32 (2024), Aug. 9, 2024, 10 a.m. (45 minutes).

A false sense of security in devices that promise security is worse than no security at all. One device used by personnel who require communication security is the goTenna Pro radio, which creates an "off-the-grid" encrypted mobile mesh network. This network requires no traditional cellular or satellite infrastructure, and such networks may be found locally in your community. The datasheet says it uses AES-256 encryption. Has anyone bothered to verify that it is implemented in the most secure manner? We examined this device and found that it was possible to fingerprint and track every off-the-grid message regardless of encryption. We also identified vulnerabilities that result in interception and decryption of the most secure encryption algorithm, AES-256, as well as injection of messages into the existing mesh network. We don't just trust what datasheets say; we verify it for you. We will explain our testing methodologies and demonstrate exploitation in a live demo. We will discuss the operational implications of these vulnerabilities and safe ways of using these devices that decrease the chance of a compromise. The tools developed as part of this research will be released open-source to show what was possible and to inspire future research against similar devices. We will discuss how we worked with goTenna to remedy these issues.

Presenters:

  • Woody
    Woody thinks Linux is a member of the Charlie Brown gang who can lift heavy things but not always spell them. He has had some success with RF exploits in the past with the first ever goTenna exploit talk in the RF wireless village as well as the first attack against Ford Raptor key fobs with RaptorCaptor exploit. Woody’s unique background, familiar to some, gives him a creative aspect to the impact of goTenna Pro research in the physical and RF world. Woody is also a staff member in the RFHacker Sanctuary, a member of Security Tribe, and has appeared on a few episodes of Hak5 describing novel device attacks.
  • Erwin Karincic
    Erwin is an experienced security researcher specializing in both hardware and software reverse engineering, binary analysis, and exploit development across a range of processor architectures. He has notable experience in implementing complex Radio Frequency (RF) waveforms using Software Defined Radios (SDRs) for cybersecurity applications, complemented by his proficiency in designing, simulating, and fabricating antennas tailored for such applications. His past work includes extensive TCP/IP networking experience, designing worldwide secure communication systems. Erwin holds a number of prestigious certifications, including OSCP, OSCE, OSWE, OSEE, and CCIE Enterprise Infrastructure.
