Last year we presented the keynote presentation at Kids SecuriDay 2019 in Canberra on Privacy and Hacking Pokemon Go. Sorry it took us so long to put it up here. Here is the transcript, slides and videos from our keynote speech. Let us know in the comments what you think. Enjoy!
Mos: Good morning everyone and welcome to SecuriDay, we are so excited to be here this morning. My name is Mos and this is my little sister Boo.
Boo: Hello everyone.
Mos: The first thing you may have noticed apart from my sister being really short, is the title of our presentation, it has changed… Why you ask?
Boo: When we first started thinking about this talk, we made a decision to talk about security and hacking plus a little extra. But when we saw the conference had Pokémon for the CTF, we were so excited as our little something extra was on Pokémon – so we just had to change our title.
Mos: Today we are going to talk about privacy, security, hacking and Pokémon, and how they are all linked together. We live in an amazing world of technology. Our generation has grown up with the Internet, mobile devices and access to almost any information we want access to. But this access to information also has a dark side, and sometimes this dark side is called a hacker.
Boo: This isn’t actually an evil hacker. This is our friend Topy who runs a security conference in Melbourne and works with our dad. He is a hacker, but he is not evil. Which may lead you to ask, what actually is a hacker?
Back in the dark ages, like 40 years ago, a hacker was someone who had lots of computer skills and used their skills to solve problems. Now days most people think of a hacker as someone evil who breaks into computer systems. At our old school we had a few people say our dad was a criminal because he was a hacker, but he actually works in security doing good things. Luckily the use of the original term is coming back, that is someone who hacks away until they work out how to make technology do what they want – especially in the STEM or STEAM world where you have hack or maker days, where kids try and create things together, or hold competitions. There are tonnes of websites out there about hacking together solutions to problems or even hacking together crazy robots. Today we want to encourage you all to learn and become old school hackers, because hacking is all about wanting to know how everything works and learning everything you can.
Mos: Good hackers like Topy get paid to break into computers for people, so they can find problems and fix them before real criminals break in. Such a cool job! But Hackers aren’t always good and some do break into computers, and one of their prize finds is people’s personal information such as your full name, address and date of birth.
Boo: It is not just hackers that want our personal information, online everyone seems to want our full names, date of birth and location. Most of the time we don’t even know what they want it for. We also don’t know if they are keeping it safe from those evil hackers.
Mos: Privacy and security is a huge topic and pretty complex, it can be especially confusing to kids. We are told always to be polite, answer questions and don’t ask questions, but this is not always a good thing. We thought today we would talk about a couple of ways people collect your information and why this can be bad. Hopefully it will inspire you to do some Googling of your own and get interested in protecting yourself. It is important that our generation recognise that giving our personal information away online to everyone is not a good thing. We should also tell adults, especially our grandparents as they can do some pretty silly things with technology.
Mos: Who here has played Pokemon Go? (Wait for show of hands)
Boo: When you first start Pokemon Go for the first time, this is the first thing you see.
Boo: You see screens like this in lots of games you download from the App Store. Screens like this are there to try and stop kids playing games they shouldn’t cause they have violence or something else that isn’t good. The problem is, your date of birth is an important piece of personal information. Its not something you should give out to anyone. In Pokemon Go, they don’t want kids under 13 playing for safety reasons but they don’t really need to ask your date of birth. They could just ask for your age instead. Knowing your age isn’t as personal and can’t be used for identity theft or other uses if its stolen.
Mos: Next time you start a game and it asks for your date of birth, either don’t play the game or put in a fake date. If we keep using fake data at least all the info they collect on you won’t be real. If you are uncertain ask an adult like your mum or dad.
Boo: Who here has seen or used FaceApp… that app that makes you look old? (Wait for hands)
Mos: If you haven’t seen it, the app will take a picture of you and make you look really old. Have you read the terms of service? We haven’t either.. we made dad do it (laughs) but it says that basically they own your photos and any data they get from your phone. For it to work, you give the app access to your photos, but are they taking just the one photo you want to make old or are they taking all your photos? And what are they doing with them? It’s pretty scary. I have a lot of potato photos on my phone, and there are some really strange pictures of boo… but don’t tell her shhhhhh
Mos: While Boo contemplates this new conspiracy theory, let me tell you about Pokemon Go’s terms of service – There were 4 different policies and over 21,000 words to read.
Boo: Poor dad.
Mos: Boo is right, who is going to read that much every time they want to use a new App? Most adults won’t and no kid will. We just want to click yes and start catching Pokemon. Even after reading it dad said it isn’t very clear what they are doing with your information. So don’t click away your life when you start a new app. Again ask an adult to check what you are agreeing to.
Mos: This is the last example we will use or we could go on forever. Who has used the touch screen directory at a shopping centre? (Wait for hands)
Boo: Did you know that some of them have cameras at the top that record information about the person at the screen? They use software to identify if you are a boy or girl, roughly how old you are, and even whether you are happy or sad. Companies say they don’t save any pictures but how do we know this is true?
Mos: It is another conspiracy theory!!!!!!!
Boo: An evil company could be tracking and recording everything we do. (Holds pinky up to mouth like Dr Evil).
Boo: We don’t want to scare you, just make you aware of a very important security topic, your privacy!
Mos: There is also not a lot we can do about apps asking as for our personal information, except be aware of the risks and let other people we care about know as well, so they can become more security aware by asking the question, what are you accessing on my phone and what are you doing with my personal information. And if you are not sure you need to ask an adult!!!!! If enough people know and start to question what apps and companies are doing, hopefully we can start to keep our personal information safe.
Boo: If we have made you think about security today, then our job here is done (Mos and Boo pretend to walk offstage)
Nah… just kidding
Mos: How did we start learning about all this stuff I hear someone ask? Was it you? (Points to Boo)
Boo: (Boo shaking head) About 3 years ago our parents took us to BSides here in Canberra. 3 years later we are back here presenting at a conference for kids. This is so awesome.
Back in 2017 we didn’t really watch any talks but we were amazed at the lock picking and tamper evident bypassing stuff. We learnt to pick our first locks and we entered our first ever tamper evident bypassing competition and came about 5th. We loved it so much that we have been to lots of conferences now including BSides Canberra, OzSecCon in Melbourne, Platypus Camp, Kiwicon in New Zealand and even LockCon over in The Netherlands.
Mos: Doing all of this has encouraged us to learn more about technology and security. Physical stuff like lock picking and tamper evident bypassing is awesome and a great way to start to learn about security, cause its fun to physically get past a device. When you hear your first lock click open, its the best. Definitely try it out at this conference. Its not as hard as you think it might be. Just ask Boo, some how she managed to win the lock picking comp over at KiwiCon, against all the adults – I think its because adults over think everything, or Boo could be good at lock picking…. It could go either way! Since 2017 we have also got into basic coding, and coding Minecraft Mods.
Boo: Who here plays Minecraft? (Wait for hands)
Who here knows that you can easily make your own mods and install them in your own games? (Wait for hands)
It’s the best fun and pretty easy to do, even for kids.
So that leads into our latest adventures!
Mos: Our most recent project has been around researching and playing Pokémon Go – yeah I know, it sounds like hard work doesn’t it (in sarcastic voice). A few months back we were having Betty’s Burgers, these awesome burgers you really need to try, with some friends in Melbourne and one of our friends told us how people had hacked Pokémon Go to travel around anywhere they wanted. They even caught Pokemon and collected items automatically while they were “walking around”. We thought this sounded awesome, so we started researching.
Boo: Big Warning with flashing lights and neon sign here – what we are about to talk about, everything we did was all for learning and research purposes, with our parents, who I guess you can call adults, supervising us to make sure we didn’t do anything bad. This project is also not an original idea of ours and it is not new. Other people have done this, we just wanted to learn how, which if you haven’t figured out yet, is what hacking is all about, it is about learning new things, trying them out, breaking things and starting all over again.
Mos: Hacking Pokemon Go, also goes against the rules you agree to when you sign up to the game, as you can use it to cheat, which isn’t fair on other people playing the game. If caught, you can get your account deleted, so we created a test account for the project, with the intention of seeing if we can get the hack to work and catch only a few Pokemon for this presentation.
Boo: Our plan was to be able to do the following while sitting at home:
- Walk around our neighbourhood, catch Pokemon and collect items from Pokestops
- Walk 10 kms to try and hatch an egg
- Have our avatar catch Pokemon and pickup items by itself
Mos: Our bonus plan is to:
4. Be able to control where we walk using our mouse or arrow keys on our laptop.
So far, we have achieved 1 and 2 which we will tell you about now. We will be working on 3 and then 4 after this conference. We expect it will take a lot of work, especially number 4, if it is even possible. We couldn’t find any info on someone doing this, so it means we will have to rely on a little bit of help from dad to figure out how to do it, well maybe a little bit more than a little help, most likely a whole lot of help!
Boo: The first thing we did was Google about GPS and GPS spoofing, and that lead to more and more things to look up and learn about. The great thing about researching and hacking is you learn a whole lot of things along the way which give you more ideas for more projects. While learning to hack Pokemon Go we learnt:
- How GPS works
- The law and why its bad to mess with satellites
- How to spoof GPS
- How to spoof GPS safely so you don’t break the law
- How to use Google Earth and find awesome places to visit, in real life or in Pokemon Go
- How to create walking paths in Google Earth
- That NASA lets you download files of where all the satellites are each day, which is pretty awesome
- There are 4987 satellites orbiting the Earth right now!!!
- How to turn Google paths into satellite paths
- And finally send a signal so our iPad thinks its moving when it isn’t
Mos: We also learnt a lot about how Pokemon Go works, with lots of testing and things not working. One thing we have learnt is things never work first time. And that’s fine cause that’s how we learn. You will learn more from making mistakes than if it all just worked first go.
Boo: WARNING: Before we talk about anything we have to mention that messing with satellite signals is against the law. We did a lot of research and checked with parents before we ever tried doing any testing so we wouldn’t cause any problems. Its illegal cause GPS is used for a lot of important things, like locating people for medical emergencies. Messing with signals could end up with someone badly hurt. We will talk about how we made sure this wasn’t a problem.
Mos: GPS uses a thing called tri-lat-er-ation, which is REALLY hard to say. It basically uses a whole lot of maths we don’t understand to work out the distance between satellites and where you are. If you look at this picture, where the three circles all meet is where you are. If you spoof GPS signals you pretend to be the satellite and send different distances. This moves the circles to another place so you can pretend to be anywhere. Don’t worry if you don’t understand it (whispers) I dont think we really do either. It just works.
Boo: Next we learnt about Google Earth. We have used this at school before but just to look up places. This time we learnt that you can create paths. This can be used to plan out walks or other trips you might go on with your family, but we wanted to make our Pokemon avatar walk from our house to the park down the road where there was a Pokestop and back. We made the path and then saved it to a file.
Mos: We found some free software online called SatGen which we downloaded and installed. It lets you use the file we created in Google Earth to create a new type of file. The Google Earth file just has locations for our walking path. This program adds the time that it would take us to walk to each position. For example, if we leave our house and walk in a straight line at 3 kilometres per hour, what time would we get to the park. We then saved that file. It was about this time that we started to realise how important maths is, so make sure you stay in school!
Boo: It is also important to note, Mos, that it is ok to rely on code and programs that other people have written and made available for use online when you are researching – especially when you are first starting out. No one is expected to know everything, and the hacking community is all for helping each other out.
Mos: NASA provides files of where all the satellites will be each day. Each day you have to download a new file of where the satellites will be for that day. If you create a walking path one day you need to make it again the next day. We did actually forget once and we used the same file 2 days later and it worked. Not sure why. We need to do some more Googling to find out.
Mos: We use the file from SatGen with the NASA file and run another program to work out where the satellites should be as we walk to the park. The guy that wrote this is amazing. There must be so much maths used in it, it blows our minds. (Blown mind hand gesture)
Boo: Finally you have a file that has all the signals that will pretend to be satellites around you. If you run this it should work.
Mos: To spoof the satellite signals we used a software defined radio that our friend Topy leant us, called a HackRF One, we also had to buy some parts to modify it. The most important thing we had to buy is something called an attenuator, along with (the most cutest) special antenna. This makes the signal much smaller meaning it won’t go very far, only about 2 metres, which means it might affect things in our house but no one near by.
Boo: So… it works, but not always. This video is our first night we got it working. This is our iPad walking around the park in Apple Maps. We are sitting at home in our pyjamas at the dining room table and the park is 175 metres away
Mos: Next night we tested in Pokemon go. We took a virtual walk down to the park, went to the pokestop and grabbed some items and then came back. There was a big problem we ran into. It can take a couple of minutes for the iPad to pickup the signal which means it misses the first part of your walk. This happened the first time we tried. When it picked up we were already walking back from the park so missed the pokestop. So sad.
Boo: We fixed this by making our avatar walk around in circles for a minute or two at the beginning so it wastes time while the signal gets picked up. Here you can see Mos picking up items and trying to catch a wild Houndour, all while sitting at home.
It was fun walking around our neighbourhood but then we started to wonder if we could go to other places. So began the Mos and Boo Pokemon Go World Tour!!!
Mos: We generated a bunch of files for different places around the world and then we were off. In the next hour we traveled around the world… Circular Quay in Sydney, Paris, London, Las Vegas, Japan… we went to Hobbiton in New Zealand and found out there were no Pokemon on Mount Everest, well… not when we were there.
Boo: Going back to what we were saying at the beginning of our talk about companies tracking your information. According to Pokemon Go and anyone they share our data with, we spent the last week traveling the world. Good luck with that information!!
Mos & Boo: Thank you!!!