SECRET STRAP 2 UK EYES ONLY

EXTENDING User Guide
Issue 1.1
Date 28 02 2014

1 INTRODUCTION
2 KEY FEATURES
3 IMPLANT CONFIGURATION
4 INSTALLATION
5 PLATFORM COMPATIBILITY
6 SETTING UP THE WI-FI HOTSPOT
7 SETTING UP THE WEB SERVER
8 AUDIO EXFILTRATION
9 UNINSTALLING THE IMPLANT
10 TESTING TROUBLESHOOTING
11 KNOWN ISSUES AND LIMITATIONS
12 HISTORY
APPENDIX A – ENCRYPTSETTINGS ERROR CODES

1 Introduction

The EXTENDING tool is an implant designed for Samsung F Series Smart Televisions. The implant is designed to record audio from the built-in microphone and egress or store the data. The implant is configured on a Linux PC and then deployed onto the TV using a USB stick. Audio files can then be extracted using a USB stick or by setting up a Wi-Fi hotspot within range of the TV. It is also possible to listen to audio exfiltration live using the Live Listen Tool, designed for use on a Windows OS. The implant can be uninstalled by inserting a USB stick into the TV or configuring a Death Date. Known Issues can be found at the end of this Guide.

The EXTENDING system consists of the following components. These components can be found on, or generated from, the “EXTENDING Settings and Installer” CD:
• An Installation Application, which installs the implant to the target TV.
• An Implant Executable, which runs on the target TV and records audio. This is installed by the Installation Application.
• An Encrypted Settings File, which configures the implant.
• A Linux application called encryptSettings, which will encrypt an unencrypted Settings file and check that the XML contents are valid.
• A Linux application called rsakeygen, to generate RSA keys.

The EXTENDING application is shipped as two folders. The first folder, “Support”, contains the default unencrypted settings file, a tool to generate RSA keys and a tool to encrypt Settings files. The second folder, “TV”, contains the Application Installer. The application installer folder is called “Update”.
This should be loaded onto a USB stick that can then be used to deploy the implant onto a target TV. The only modification that should be made to the installer is to add the encrypted settings file for each deployment.

To support the EXTENDING deployment, the following tools can be used. These tools can be found on the “EXTENDING Tools” CD:
• A Windows audio decrypt application (ECDLive.exe) that can be used to decrypt audio files and Live Listen to an audio stream.
• A wifiConnect folder that should be placed in the root directory of a Web server intending to receive files from the EXTENDING implant.
• A Windows web server called XAMPP (offline installer included).
• An Android web server called PAW Server (apk and pre-configured EXTENDING folder “PAW2” included).
• A wlan.bat batch script that can be used to configure a Hosted Network Virtual Adapter on a Windows laptop.
• An Ubuntu 12.10 ISO file used to create a Linux VM for generating encrypted Settings files.
• Oracle VM VirtualBox Windows Installer that can be used to host the Ubuntu VM created from the 12.10 ISO file above.

2 Key Features

Close Access Installation
The EXTENDING implant can be installed using a Close Access method. The EXTENDING installer is loaded onto a USB stick. This USB stick is then inserted into the target SAMSUNG F Series TV and the installer is run. The installer deploys the implant and Settings file onto the TV. EXTENDING begins to run when the TV is next powered on.

Close Access Uninstall
The EXTENDING implant can be uninstalled either by Close Access installation or at a pre-configured time. To remove by Close Access, a USB stick must be loaded with a certain file containing a certain string, as set in the configuration file. When this USB is inserted into the TV, the implant uninstalls.

Close Access Audio File Retrieval
The EXTENDING implant can exfiltrate audio files to a USB stick. To exfiltrate files by Close Access, a USB stick must be
loaded with a certain file containing a certain string, as set in the configuration file. When this USB is inserted into the TV, files are copied onto it.

Remote Audio File Retrieval
The EXTENDING implant can exfiltrate audio files over a Wi-Fi hotspot. To exfiltrate files over a Wi-Fi hotspot, the hotspot must be set up within range of the TV with a preconfigured SSID set in the config file. Files are then exfiltrated over this Wi-Fi network to a server as configured in the configuration file.

Live Audio Listening
The EXTENDING implant also exfiltrates audio over a Wi-Fi hotspot to a Live Listening Tool running on a laptop. The Live Listening Tool can save files locally to disk as well as playing the received audio through the speakers.

Fake-off Recording
EXTENDING will continue to record audio even whilst the TV appears to be off. This is achieved by intercepting the command for the TV to switch off and turning off the TV screen, leaving the processor running.

3 Implant configuration

3.1 Configuration Environment
The Settings file should be configured on an Airgap or secure machine. Please ensure the unencrypted settings file, encryptSettings tool and rsakeygen tool are always stored securely.

The encryptSettings Tool and rsakeygen Tool need to be run in a Linux environment. We suggest that this is performed in a Linux VM on a Windows machine. Oracle VM VirtualBox and an Ubuntu 12.10 Desktop ISO are provided on the “EXTENDING Tools” CD. Please refer to VirtualBox Documentation for guidance on setting up the Ubuntu VM from an ISO file. In VirtualBox, devices attached to the Physical machine can be attached to the VM through the “Devices” tab in the top left corner.

Once the Ubuntu VM has been created, copy the Support and TV folders from the “EXTENDING Settings and Installer” disk onto the Desktop of the VM. Then follow the instructions below to configure a deployment.

3.2 Settings file
With each deployment a Settings file must be deployed. This Settings file
configures the operation of EXTENDING. If the configuration file is missing or configured incorrectly, EXTENDING will not run. Correct configuration of the Settings is very important.

3.3 Settings file configuration
The Default Settings file can be configured on a Linux machine using a text editor. Navigate to the Build Folder provided. In the “Support” folder the unencrypted settings xml file, encryptSettings tool and rsakeygen generation tool can be found. To allow you to execute the encryptSettings tool and rsakeygen tool you may need to add the execute permission.

To edit the settings file use the “nano” or “gedit” text editors. For a list of Settings and what can be configured see the “Configuration Options” Section.

3.4 Public Key Generation
A different RSA key pair should be used with every deployment. The public RSA key is used to encrypt audio files on the TV. The private half of the RSA key should be stored securely and is used to decrypt audio files in a secure environment.

To generate the public key type the following

This will generate two files, private_key.pem and public_key.pem. The whole contents of public_key.pem should be copied into the “PublicKey” setting field. The private_key.pem will be required to decrypt the audio files generated by this deployment.

3.5 WPA Passphrase generation
To ensure the passphrase required to connect to our hotspot is not stored in plain text on the TV, it must be de-obfuscated in the settings file. This is performed using the wpa_passphrase command on Linux

Where SSID is the SSID of the Wi-Fi hotspot you wish the application to connect to and passphrase is the plain text passphrase for that SSID. The resulting psk output produced by this command should then be pasted into the “WPAPreSharedkey” setting.

3.6 Encrypting Settings File
Once the Settings have been configured the file needs to be encrypted. This is done using the encryptSettings tool provided. The settings encrypter tool will verify all the
Settings in the XML file before encrypting. The table in Appendix A gives a list of error codes and their meaning. The encryptSettings tool will place the encrypted settings file, called config.xml.cmk, in a folder numbered with the deployment ID.

If you try to encrypt a settings xml file with the same deployment ID as a file already encrypted, you will be warned and asked if you wish to overwrite the old file.

3.7 Setting File Location
Once the Settings file has been encrypted it needs to be added to files.zip in the Installer application. This is most easily performed on a Windows machine. Copy the config.xml.cmk file into the files.zip folder next to UEP d, UEP f and libt.so.

3.8 Configuration options
These options can be configured on a per-deployment basis if desired.

Option: deploymentID
Value Range: 0 – 65535
Default: 1
Explanation: This is the unique deployment ID to be deployed with each installation of EXTENDING.

Option: deathDate
Default: 15:23:59 28-07-2013
Explanation: This is the Death Date of EXTENDING. It should only be used in situations where an NTP server is to be used and available. The Death Date should be configured in the format hh:mm:ss DD-MM-YYYY, e.g. 15:23:50 17-07-2013.

Option: audioRecordingMode
Value Range: 0–3
Default: 1
Explanation: This setting specifies how audio will be exfiltrated by the EXTENDING application.
  0: No Audio Recording.
  1: Audio Stored to disk. Exfiltration by USB only.
  2: Audio Stored to disk. Exfiltration by USB or WiFi.
  3: Audio Stored to disk and streamed Live to Live Listening Application. Locally stored files can be retrieved by USB.

Option: fakeOffMode
Value Range: 0–2
Default: 1
Explanation: This Setting controls when EXTENDING records audio from the built-in microphone.
  0: Records at all times.
  1: Records when TV in Fake-Off mode only.
  2: Records when TV on only.

Option: PublicKey
Default: Dummy key
Explanation: The public RSA key associated with this EXTENDING Deployment. Generated during the set-up of the base end.

Option: usbDeletekeyFile
Default: delkey
Explanation: The name of the key file EXTENDING should look for on a USB stick when performing a manual uninstall. EXTENDING will only manually uninstall if the “usbDeleteKeyFileGUID” is contained in the “usbDeleteKeyFile” on the USB stick.

Option: usbDeleteKeyFileGUID
Default: 1234-09876asdf-wert
Explanation: The GUID that must be contained in the “usbDeleteKeyFile” for a manual uninstall to take place.

Option: usbDownloadKeyFile
Default: loadkey
Explanation: The name of the key file EXTENDING should look for on a USB stick when exfiltrating audio. EXTENDING will only copy files to the USB stick if the “usbDownloadKeyFileGUID” is contained in the “usbDownloadKeyFile”.

Option: usbDownloadKeyFileGUID
Default: 0987-poiu4567-vcxz
Explanation: The GUID that must be contained in the “usbDownloadKeyFile” for USB exfiltration to take place.

Option: NTPServer
Value Range: Valid IP address
Default: 127.0.0.1
Explanation: This should be set to the IP address of an NTP server that EXTENDING is to connect to. This should be used in conjunction with the “ignoreMissingNTPServer” setting. WARNING: If EXTENDING is configured to need an NTP server and it cannot connect to the NTP Server in this setting on TV boot, it will self-delete.

Option: ignoreMissingNTPServer
Value Range: 0-1
Default: 1
Explanation:
  0: NTP Server Required. EXTENDING will self-delete if it cannot connect/get NTP from the Server stated in the “NTPServer” setting.
  1: Run without NTP Server. EXTENDING will still try to get NTP from the Server set in “NTPServer”, however it will not self-delete if NTP is not available.

Option: baseURL
Value Range: Valid IP address
Default: 127.0.0.1
Explanation: This should be set to the IP address EXTENDING will send audio files to. When EXTENDING connects to the Wi-Fi hotspot configured in its settings, it will exfiltrate audio files to this IP address if “audioRecordingMode” = 2.

Option: basePort
Value Range: 1 - 65535
Default: 80
Explanation: This should be set to the Port that EXTENDING will send audio files to. When EXTENDING connects to the Wi-Fi hotspot configured in its settings, it will exfiltrate files to this Port at the “baseURL” if “audioRecordingMode” = 2.

Option: speexQuality
Value Range: 0–7
Default: 5
Explanation: The Quality of the audio recording to be performed. A higher quality will use more space but will record at a higher bit-rate, giving a better recording.

Option: storageFolderMaxStoreage
Value Range: 0 – 800
Default: 700
Explanation: The maximum size of the audio Storage Folder in MB. When this folder is filled up, EXTENDING will delete the oldest file or stop recording audio, depending on the “audioFolderDeleteOldestFiles” Setting. It is important to keep this folder a sensible size as it will affect the user’s experience if all the TV storage is clogged up with audio files.

Option: audioFolderDeleteOldestFiles
Value Range: 0–1
Default: 0
Explanation: This controls what EXTENDING does when the audio storage folder is filled up.
  0: Stop Recording Audio.
  1: Delete Oldest Files.

Option: wifiADHOC
Value Range: 0–1
Default: 1
Explanation: This controls the Wifi Connection method attempted by the TV.
  1 – Connection being made direct to device, e.g. Virtual Wi-Fi hotspot setup on phone or laptop.
  0 – Connection being made through Router.

Option: wifiSSIDname
Default: testwifissid
Explanation: The name of the Wi-Fi SSID EXTENDING will connect to for exfiltration of audio files or live audio packets. When this SSID comes into range, EXTENDING will connect and will start either sending audio files to the “baseURL” or sending audio packets to the “uploadServerIP”, depending on the “audioRecordingMode”.

Option: WPAPreSharedkey
Default: dcaf6e0856b50df984cefa48a9613aff9febdef66b783e1221a8c74bb6848a40
Explanation: The value entered in this setting is generated by running the Linux command
  wpa_passphrase SSID passphrase
where SSID is the wifiSSIDname variable and passphrase is the unencrypted passphrase the Wi-Fi hotspot is configured with.

Option: uploadServerIP
Default: 127.0.0.1
Explanation: This should be set to the IP address EXTENDING will send UDP audio packets to. When EXTENDING connects to the Wi-Fi hotspot configured in its settings, it will send UDP audio packets to this IP address if “audioRecordingMode” = 3.

Option: uploadServerPort
Default: 8080
Explanation: This should be set to the Port that EXTENDING will send UDP audio packets to. When EXTENDING connects to the Wi-Fi hotspot configured in its settings, it will exfiltrate UDP audio packets to this Port at the “uploadServerIP” if “audioRecordingMode” = 3.

There are also a number of “engineering” settings in the XML file. Under no circumstances should these be changed without consulting the Design Authority, as in most cases the effects of changing these values will not have been tested. The default settings provided with the implant should be suitable for most deployments.

Option: silenceLevel
Default: 1200
Explanation: This is a number between 0 - 32767. Higher values require louder sound to activate recordings.

Option: silencePeriod
Default: 1000
Explanation: This is a number between 0 – 2147483647. Lower values stop recording sooner after a silence level is encountered.

Option: usbFolder
Default: dtv usb
Explanation: The folder the TV mounts the USB devices into.

Option: wifiDeviceName
Default: wlan0
Explanation: The name of the internal Wi-Fi Device.

Option: audioDevicename
Default: hw 0
Explanation: The name of the internal Microphone.

Option: storageFolder
Default: mtd_rwcommon tempS
Explanation: The folder that audio files are stored to.

Option: audioMaxFileSizeKb
Default: 100
Explanation: The size of an individual audio file stored to the TV’s storage area.

Option: audioBuffSizeKb
Default: 100
Explanation: The size of the audio buffer on the TV in Kb.

Option: wifiConnectionPollSecs
Default: 10
Explanation: The period in seconds which the TV collects the names of all Wi-Fi SSIDs in range.

Option: usbConnectionPollSecs
Default: 10
Explanation: The period in seconds which EXTENDING checks for the “usbDeleteKeyFile” or “usbDownloadKeyFile”.

Option: wifiServerUploadScript
Default: wifiConnect/upload.php
Explanation: The php script used to control upload of audio to the Server.

4 Installation

4.1 Installing the Implant
For each deployment an Installer folder should be created. This installer can be found inside the TV folder provided in the “Build” directory. Copy the whole “Update” folder onto a USB stick. Make sure that the encrypted settings file (config.xml.cmk file) for the deployment has been added to the files.zip.
The Implant is installed onto the TV using the USB stick. Follow the steps below to install:
1. Check that the “Update” folder is present on the USB stick, with the config.xml.cmk file in the Update\data\files.zip\files folder with UEP d, UEP f and libt.so.
2. Turn on the Target TV.
3. For EXTENDING to run, Voice Recognition must be turned off. This can be done by pressing the Menu button on the remote, then Smart Features - Voice Control.
4. Press the Smart Hub menu icon.
5. Our application can’t be installed until the Smart HUB has been set up. The TV must be supplied with an internet connection the first time the Smart HUB is used, to allow a license agreement to be accepted.
6. Use the remote control to open the “More Apps” section of the Smart Hub at the bottom of the Apps page.
7. Once you are in the “More Apps” Section, insert the USB stick into the TV.
8. If a pop-up appears, press the “RETURN” button.
9. A new application called “Update” will pop up on the screen.
10. Select the “Update” application.
11. Watch the progress bar.
12. When the progress bar has reached the end, the installation is fully complete.
13. Press the power button on the remote to restart the TV.
14. The implant is now installed and will operate using the provided settings.
15. If the target’s TV remote has a History button, press this and clear the history of installed applications.

5 Platform compatibility

5.1 Operating systems

5.1.1 Implant
The EXTENDING implant supports the following Samsung Smart TVs:
• Samsung F Series

5.1.2 Live Listen Tool
The EXTENDING Live Listen Tool works on the following Windows Operating Systems:
• Windows 7 32/64 bit
• Windows 8 32/64 bit

6 Setting up the Wi-Fi Hotspot

A Wi-Fi hotspot is required for Remote Access Audio Retrieval and Live Audio Exfiltrating. The section below details the method to create a WiFi hotspot on a Windows laptop and Android phone. These
devices should be configured to use the values configured in the Settings file for “wifiSSIDname” and the plain text passphrase used to generate “WPAPreSharedKey” in the WPA Passphrase generation section.

6.1 Windows - Configuration of a Wi-Fi hotspot
A Wi-Fi hotspot can be set up on a Windows laptop in the following ways:

1. By running the wlan.bat script provided on the “EXTENDING Tools” CD with Administrator rights. Use the Enter key to step through the script. Read all output to ensure the hosted network is stopped, configured and then started again.
PLEASE NOTE THIS SCRIPT WILL NOT WORK WHEN:
  a) Airplane Mode is ON
  b) It is run without Administrator rights
  c) The Virtual Wireless Appliance is Disabled in Device Manager

2. Alternatively, run the commands individually with admin rights:
  netsh wlan set hostednetwork mode=allow ssid=YOURSSIDNAMEHERE key=YOURKEYHERE
  netsh wlan start hostednetwork

If you look in the “Network Sharing Centre” a new Adapter should have appeared.

To control the IP address that is served by this hotspot you can change the following registry setting:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\Standalone DhcpAddres

By default the laptop will give itself 192.168.173.1 as an IP address, and any device that connects an IP address in the 192.168.173.0/24 address range. 192.168.173.1 (or the alternative value set in the registry settings) should be set as the baseURL or UploadServerIP in the settings, depending on the mode the implant is being deployed in.

6.2 Android – Configuration of a Wi-Fi hotspot
A Wi-Fi hotspot can also be configured on an Android phone in the following way:
  Settings - More - Tethering portable hotspot - Portable Wi-Fi hotspot settings

When the Portable Wi-Fi hotspot is turned on, the phone will give itself 192.168.43.1 as an IP address, and any device that connects an IP address in the 192.168.43.0/24 range. 192.168.43.1 should be set as the
baseURL in the settings, as the Android phone can only be used to receive file transfer from the implant (audioRecordingMode 2).

6.3 Router – Configuration of a Wi-Fi hotspot
Finally, a Wi-Fi hotspot can be configured on a HUB or Router, and the receiving laptop/phone can also be connected to the device. When deploying through this method please test the setup before deployment to ensure IP addresses are configured correctly in the settings file. The set-up of Wi-Fi routers is beyond the scope of this project.

7 Setting up the Web Server

A Web Server is required to receive files from the EXTENDING implant in audioRecordingMode 2. This Web Server can be set up on a Windows laptop, an Android phone or any other device that can run an Apache Web Server that supports PHP.

7.1 Windows – Configuring XAMPP Server
To set up XAMPP server, double click the Installer provided on the “EXTENDING Tools” disk. Follow the on-screen instructions to install XAMPP. When prompted for the location to place XAMPP files, select an area you have permissions to read/write to, e.g. your user’s Workspace.

Once XAMPP has been configured through the installer, open the area XAMPP files have been stored on your laptop. Navigate to xampp\htdocs. Copy the wifiConnect folder from the “EXTENDING Tools” CD into this folder location.

Open the wifiConnect folder. Right-click the “audio” folder and create a shortcut to it on the Desktop. This is the location audio files will be transferred to by the implant.

Open the XAMPP Control panel.

The port that the XAMPP apache server will listen on can be configured by pressing the “Config - Apache (httpd.conf)” button in the Apache section of the Control Panel. Scroll down to the “Listen 80” line of the config. The number after Listen is the port number the server will listen on. Make sure this matches with the “basePort” setting.

When you start the Apache
web server, allow it access through the firewall.

Received files can be decrypted by the ECDLIVE.exe tool’s usb mode. See the Live Listener Section for more details.

7.2 Android – Configuring PAW Server
To set up PAW server, move the de.fun2code.android.pawserver-1.apk file onto an SD card with the PAW2 directory. Insert the SD card into the Android phone to act as the web server. On the phone, navigate to Settings - Security - and tick “Unknown Sources” to allow you to install the apk from the SD card.

Using a File Manager, navigate to the SD card. Click on the de.fun2code.android.pawserver-1.apk to install it and accept the permissions. When the app has been installed, copy the PAW2 directory from the SD card to the root directory of the phone.

Next, open the PAW application and open the Options by selecting the ⁞ in the top right of the screen. Change the PAW root directory to the PAW2 folder you have just copied. You can also change the port the server is running on.

Start the PAW server. Open the phone Web browser. Navigate to 127.0.0.1:8080. This should open the web server home page. Log in as “admin”/“paw”. Close the Warning message. Select Plugins from the Left-hand Menu. Install the php plugin (5.4.2) and restart paw. The web server is now ready to receive files from the EXTENDING implant.

Audio files received by the phone will be stored in the PAW2/html/wifiConnect/audio folder. They can then be copied onto an SD card and decrypted on a Windows laptop with the ECDLIVE.exe tool installed.

8 Audio Exfiltration

8.1 Close Access Audio File Retrieval
Audio Files are recorded by the implant when the “audioRecordingMode” Setting is set 1-3. These files are stored locally on the TV hard drive. They can be retrieved by inserting
a USB stick into the TV. The USB stick inserted into the TV will be authenticated by the presence of a filename on the stick and a unique string held within the file. These values are set in the “usbDownloadKeyFile” and “usbDownloadKeyFileGUID” Settings.

To Retrieve Files from the TV:
1. Create a file with the same name as the “usbDownloadKeyFile” Setting in the configuration file.
2. Edit this file with a text editor and enter the “usbDownloadKeyFileGUID” Setting unique string.
3. Save the file onto a USB stick. Preferably the stick should have an LED that flashes.
4. Turn on the target TV.
5. Insert the USB stick into the TV. A pop-up may appear asking what you want to do with the TV. IGNORE this.
6. Watch the USB stick LED flashing. Once the LED stops flashing, all files should have been transferred. Transferred files are deleted from the TV storage area.
7. To ensure that files have been copied you can open the USB stick to look at files using the remote.
8. Remove the USB stick from the TV.
9. The files on the USB stick can now be decrypted using the ECDLIVE tool.

8.2 Remote Access Audio File Retrieval
Audio files that are stored locally on the disk can also be retrieved over a Wi-Fi hotspot. Remote File Retrieval is enabled when the “audioRecordingMode” setting is set to 2. The hotspot that EXTENDING will use for exfiltration is configured in the Settings file and controlled by the “wifiSSIDname” and “WPAPreSharedKey” Settings. The IP address and port that the files will be transmitted to is configured by the “baseURL” and “basePort”. Make sure a Web Server has been configured to receive the files. See Setting up the Web Server.

To exfiltrate the audio files:
1. Set up a Wi-Fi hotspot with the SSID and password as set in the configuration file. See Setting up the Wi-Fi Hotspot Section.
2. The Wi-Fi hotspot can be set up on a laptop, phone or a Wi-Fi router.
3. When the Wi-Fi hotspot is turned on within range of the TV, EXTENDING will connect to it and begin to exfiltrate files to the IP address
(“baseURL”) and port (“basePort”) as configured in the Settings file.
4. To receive the files, the device with the “baseURL” must be running a Web Server on the “basePort” port number. See Setting up the Web Server.
5. Audio files will be transferred to WebServer/wifiConnect/audio on the receiving device.
6. Files can be decrypted using the ECDLIVE tool. The files should be placed in the “store” directory and the command ECDLIVE.exe -usb run.
7. When the WiFi hotspot or web server is turned off, EXTENDING will stop transferring files.

8.3 Live Audio Exfiltration and Listening

8.3.1 Introduction
Audio can also be streamed “Live” to a listening application over a Wi-Fi hotspot. Live Listen Streaming is enabled when the “audioRecordingMode” setting is set to 3. The hotspot that EXTENDING will use for exfiltration is configured in the Settings file and controlled by the “uploadServerIP” and “uploadServerPort” Settings.

The Live Listener runs as a Windows Command Line application on the platform presenting itself as WiFi Hotspot. For information on the EXTENDING Wi-Fi Hotspot see section “Setting up the Wi-Fi Hotspot”.

The Live Listener’s primary function is to receive and decode incoming packets from the EXTENDING TV application and play the decrypted audio through the platform’s sound card/headphones. Received data is also saved to file in a “store” folder to allow playback at a later date. The data files are stored in the same encrypted format as the data is received over Wi-Fi.

A Public RSA key is stored within the TV application configuration file. In order to decode the received data, the corresponding Private RSA key must be present in the same folder as the Live Listener application. This is the private_key.pem generated in the Public Key Generation section. The Private key file must be stored as ‘key.prv’. The presence of the private key and storage of the data files upon the same platform requires that the necessary
security protocols be followed.

8.3.2 Live Listener Command Line Options
  ECDLIVE.exe -p port no -d -r -f -l -usb -b

Options:
-p - port number; set this to the same value as stored in the TV application configuration file ‘uploadServerPort’ (typically 8080)
-d - do not store live play data to file
-r - replay audio stored in files from previous live listen session
-f - save live listener data to file without playing through the sound card
-l - set audio latency (1 - 10). Depending upon the quality of the wifi connection, higher latency may improve the listening experience by reducing the ‘stuttering’ effect of dropped packets. By default the latency is set to ‘3’
-usb - playback files downloaded either via USB during close access to the TV or by connection to a mobile webserver. The files must be stored in the ‘store’ folder of the Live Listener platform
-b - set the playback bitrate. By default the Speex decoder produces an audio stream of 32 000bps. By changing this value playback may be sped up/slowed down. However this is without any pitch correction

Example Commands
Listen to live incoming audio and save data to file…
  ECDLIVE.exe -p 8080
Replay stored audio from previous live listen session…
  ECDLIVE.exe -r
Replay audio from USB or files downloaded via the webserver…
  ECDLIVE.exe -usb

8.3.3 Live Listener Output
Whilst running, the Live Listener generates text output to provide the user with feedback as to the level of success of the data transfer. The first text line displays the ‘mode’ in which the Live Listener is operating, i.e. ‘replay mode’, ‘replay usb files’, ‘live mode storage on…’ etc.

If listening to the Wifi port or reading packets from previously saved files, the application reports the running total of the packets decoded together with the actual packet sequence number from data embedded within the packet. The difference between these two numbers gives an indication of the number of dropped packets.

At
the start of each Speex frame being received, the application reports the size of the new frame being constructed (‘new frame size 4248’) followed by the packet sequence no(s) used to create that frame. Once the whole frame has been constructed, the amount of data stored is reported, i.e. ‘buffering 4248’.

Due to the nature of the Speex decoder there is a certain amount of internal buffering within the Live Listener which is outside the control of the Live Listener application; thus it is quite normal for 30 to 50 packets of data to be received before the audio is heard. This will equate to approx 10 – 15 seconds of latency.

Dropped Packets
The transport protocol used for the audio data transfer over Wifi is UDP. Unlike the TCP/IP protocol, packets are not guaranteed to reach the destination; this can result in some frames of Speex data being incomplete. This is further compounded by the fact that it takes approx 2 to 4 packets of data to make up a complete Speex audio frame (depending upon the Speex quality configuration setting), so a single dropped packet will result in a whole frame of data being discarded. The Live Listener monitors the incoming data and can identify missing headers or headers arrived before their expected time; in these cases the application will attempt to retrain against the new data and build a complete Speex frame. Each Speex frame will contain about 0.25 seconds of real time audio.

8.3.4 Troubleshooting
Silence at the Listening end could be caused by the following:
  a) The TV is not in range
  b) There is nothing being recorded by the implant due to silence
  c) The implant is incorrectly configured
  d) The Live Listen tool is not running

9 Uninstalling the Implant

9.1 Close Access Uninstall
The implant can be uninstalled by inserting a USB stick into the TV. The USB stick inserted into the TV will be authenticated by the presence of a filename on the stick and a unique string held within the file. These
values are set in the “usbDeleteKeyFile” and “usbDeleteKeyFileGUID” Settings.

To uninstall EXTENDING:
1. Create a file with the same name as the “usbDeleteKeyFile” Setting in the configuration file.
2. Edit this file with a text editor and enter the “usbDeleteKeyFileGUID” Setting unique string.
3. Save the file onto a USB stick.
4. Turn on the target TV.
5. Insert the USB stick into the TV. A pop-up may appear asking what you want to do with the TV. IGNORE this.
6. Wait for 1 minute.
7. Remove the USB stick.
8. EXTENDING is now uninstalled.

9.2 Time-based Uninstall
EXTENDING can be configured to automatically uninstall itself after a set period of time. In order to achieve this, a reliable clock must be available for the implant. This means that the target TV must be connected to the internet so the implant can get a reliable NTP based time from a server. If a reliable time source is not available, this removal method should not be used to uninstall EXTENDING. Instead the Manual Uninstall method should be used.

To set the time at which EXTENDING should be uninstalled, set the “DeathDate” setting to the desired time. Also set the “NTPServer” setting to a valid IP address and the “ignoreMissingNTPServer” setting to 0. This means that if an NTP server is not available to EXTENDING when it starts up then it will automatically uninstall itself. This negates the danger of an application missing its Death Date if the TV is disconnected from the internet. It also means that EXTENDING will never run if it cannot reach the NTP server when it is first installed.

10 Testing Troubleshooting

10.1 Incorrectly Configured Settings
The most common reason for EXTENDING to not be running is a misconfigured Settings file. All Settings must be configured within their valid ranges or EXTENDING will self-delete when it is installed. This should be checked by the encryptSettings tool.

If an NTP Server is required to provide time for Time-based death
date and the implant cannot connect to one on start-up then EXTENDING will Self-delete 10 2 Testing the Configuration Before deploying the implant to a target TV it is recommended that EXTENDING is installed to a test TV This ensures that the configuration file is correct before attempting to deploy it PAGE 25 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY 11 Known issues and Limitations 11 1 Known Issues Microphone Sharing The current implant cannot share the microphone with other applications Therefore if Voice Recognition is turned on or if an application such as Skype is started our application will close its access to the microphone When the other application stops using the microphone again EXTENDING will start recording again In future releases of the implant we will be able to record from the microphone simultaneously with other applications Fake-off – TV Communications When the TV is in Fake-off mode the processor functionality has not been limited Practically this means that the TV will still flash the LEDs on USB drives when they are inserted and continue to send packets on the network Many Smart TVs do this as part of their functionality however Samsung TVs do not normally As an improvement for the next release of the implant we hope to reduce the processor functionality when the implant enters Fake-off mode This will involve just recording from the TV and only connecting to the SSIDs set in the implant Settings file Fake-off – LED When the TV is in Fake-off mode the “Samsung” LED at the front and centre of the TV remains on Wi-Fi Interference The EXTENDING implant will interrupt a user’s use of the wireless card on the TV If a target is connected to their home wireless network then EXTENDING will break this connection when it detects the presence of the SSID it wishes to connect to audioRecordingMode 0 When operating in audioRecordingMode 0 not recording any audio the implant will stop running when fake-off mode is entered The source of 
this problem has been located and will be fixed in the next release 11 2 Limitations Lag before application starts The implant is started by the TV when the TV powers on It can take up to 30 seconds from the user turning the TV on for EXTENDING to start running As the exploit relies on being started by the TV then there is no way to avoid this A Side-effect of this is that if the user turns the TV on and then off quickly and before EXTENDING has started up then the TV does not enter Fake-off mode The next time the TV is turned on the implant will still start as normal however we will have missed a period of Fake-off recording Smart HUB setup To install our application the Smart HUB needs to be setup and the license agreements accepted It is only possible to do this with an internet connection Smart HUB Storage Available When on the Smart Hub “More Apps” page the available storage space is shown in the bottom right hand corner If the implant is configured to record audio to the “mtd_rwcommon” folder area then this storage PAGE 26 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY area will appear fuller as the implant records audio However it is impossible to discover what is using this storage without exploiting the TV to gain command line access Limiting the “storageFoldermaxStorage” setting has reduced the potential impact of this PAGE 27 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY 12 History Draft 28 02 2014 EXTENDING 2 0 RC 20 1 0 29 04 2014 EXTENDING 2 0 Release PAGE 28 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY Appendix A – encryptSettings Error Codes This table provides a list of Error Codes that can be reported by the encryptSettings tool Each error code relates to the presence of a setting or the validation of a setting Error Code Code Meaning 0 deploymentID setting is missing or has incorrect format OR whole Settings file is misconfigured 1 deploymentID setting is outside allowed range 2 deathDate setting is 
missing 3 deathDate setting is not formatted correctly 4 NTPServer setting is missing 5 NTPServer setting is not formatted correctly 6 ignoreMissingNTPServer setting is missing or has incorrect format 7 ignoreMissingNTPServer setting is outside allowed range 8 silenceLevel setting is missing or has incorrect format 9 silenceLevel setting is outside allowed range 10 silencePeriod setting is missing or has incorrect format 11 silencePeriod setting is outside allowed range 12 baseURL setting is missing 13 baseURL setting is not formatted correctly 14 basePort setting is missing or has incorrect format 15 basePort setting is outside allowed range 16 speexQuality setting is missing or has incorrect format 17 speexQuality setting is outside allowed range 18 audioRecordingMode setting is missing or has incorrect format Or no Storage Folder Specified 19 audioRecordingMode setting is outside allowed range 20 fakeOffMode setting is missing or has incorrect format 21 fakeOffMode setting is outside allowed range PAGE 29 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY 22 audioBuffSizeKb setting is missing or has incorrect format 23 audioBuffSizeKb setting is outside allowed range 24 audioMaxFileSizeKb setting is missing or has incorrect format 25 audioMaxFileSizeKb setting is outside allowed range 26 audioMaxFileSizeKb is smaller than audioBuffSizeKb 27 storageFolderMaxStoreageMb setting is missing or has incorrect format 28 storageFolderMaxStoreageMb setting is outside allowed range 29 storageFolderMaxStoreageMb is smaller than audioMaxFileSizeKb 30 storageFolder setting is missing or has incorrect format 31 usbFolder setting is missing or has incorrect format 32 usbDownloadKeyFile setting is missing or has incorrect format 33 usbDownloadKeyFileGUID setting is missing or has incorrect format 34 usbDeleteKeyFile setting is missing or has incorrect format 35 usbDeleteKeyFileGUID setting is missing or has incorrect format 36 INDEX FILE 37 audioDeviceName setting is 
missing or has incorrect format 38 wifiDeviceName setting is missing or has incorrect format 39 wifiSSIDName setting is missing or has incorrect format 39 WPAPreSharedKey setting is missing or has incorrect format 40 PublicKey setting is missing 41 PublicKey is not a valid public rsa key 42 uploadServerIP setting is missing 43 uploadServerIP setting is not formatted correctly 44 uploadServerPort setting is missing or has incorrect format 45 uploadServerPort setting is outside allowed range 46 wifiConnectionPollSecs setting is missing or has incorrect format PAGE 30 OF 31 SECRET STRAP 2 UK EYES ONLY SECRET STRAP 2 UK EYES ONLY 47 wifiConnectionPollSecs setting is outside allowed range 48 usbConnectionPollSecs setting is missing or has incorrect format 49 usbConnectionPollSecs setting is outside allowed range 50 wifiServerUploadScript setting is missing or has incorrect format 51 audioFolderDeleteOldestFiles setting is missing or has incorrect format 52 audioFolderDeleteOldestFiles setting is outside allowed range 53 wifiADHOC setting is missing or has incorrect format 54 wifiADHOC setting is outside allowed range PAGE 31 OF 31 SECRET STRAP 2 UK EYES ONLY