Wireless wardriving: discovering Vivid

tl;dr: there's a heap of Arduino-class devices (mostly Espressif ESP32/ESP8266 boards) and an opportunity for more discovery.

I enjoy Vivid, not so much for the flashy lights and music (I have TV, Las Vegas and the Coca-Cola billboard for that) but for the engineering, creativity and thought that goes into the creations on show. I work in cyber security for similar reasons: I hack to learn, I don’t learn to hack, and the environment Vivid creates makes for a wonderful place to discover ideas, inspire the mind and stimulate intellectually. Beneath the hours of work is a rich tapestry of technological awesomeness I wanted to explore.

OH ZOMG you can haxx Vivid!

Yes, I work in cyber security. Before some muppet goes on an unqualified rant about how China is hacking our chakras because a cyber company has run an app through an automated scanning tool (can we haz 50 million dollar company valuation?), we need to get our appreciation of the environment straight, so that we keep an objective view, aren’t disappointed when we find nothing and, worse yet, don’t make things up to get on Sky News or A Current Affair:

  1. Most of Vivid is actually wired or standalone. This is not due to security considerations but out of practicality; there's no need for data exchange in most of the exhibits. Where data is required, the throughput is high and availability matters, so wireless is not always going to be a valid option.
  2. The risk profile isn’t really there: with the exception of the drone light show, there are no major risks in the environments present. Most of the program is static displays; there's no personal data, credit cards, critical functions or safety systems that would warrant compliance with the ASD's Essential Eight.
  3. Control measures are important during our exploration. In the same way we wouldn’t leave trash strewn around a campsite or turn up to a picnic spot blasting bad music to the detriment of those enjoying it, we’re not going to spin up Wi-Fi Pineapples or create denial of service conditions. Everything here is passive observation of what the devices already broadcast.

Unfortunately, the cyber security industry has inherited management consultants who couldn’t perform in their original industry, Israeli military veterans who conflate their conscripted service as tyre changers with membership of a secretive intelligence agency, and spray-tanned real estate agents turned cyber security thought leaders who get easily excited. If you are one of these folks, settle down, stop inciting panic and just enjoy the exploration for what it is.

Approach/Method

I employed two methods of discovery:

  1. Physical identification of antennas and known systems. This simply involves looking at the exhibits for antennas and recognisable hardware.
  2. Bluetooth/802.11 discovery with my iPhone, followed by a wireless wardriving kit where appropriate. I had a directional antenna, Kismet and the aircrack-ng suite, as well as a pair of Alfa cards (2.4 GHz/5 GHz) and an Ubertooth One.

This kept the process unencumbered, ensured I wasn’t sticking out and attracting attention from the excited individuals mentioned above, and meant I could enjoy my evening without getting technologically caught up. I was also joined by Gabi Espensen, who provided an extra set of eyes. She made our first discovery, spotting some of the APs beaconing.

Spirograph

It was around Spirograph, between piers 8 and 9 at Walsh Bay, that we’d been observing a consistent naming convention shared by a bunch of Espressif ESP devices, “CDFN_**”, which I’m guessing are ESP32s or ESP8266s (note: the devices may be any mix of Arduino-programmed boards; for brevity I will refer to them as ESP32s). At Spirograph itself, the uptime implied by the beacon timestamps (the TSF field counts microseconds since the radio came up) was consistent with a 6pm boot time. The network used a WPA2 pre-shared key and had a single client connected. A temperature sensor was detected in range of the exhibit. Whilst I could not fully qualify it, the weather sensor on Spirograph appears to communicate with the ESP32 over 433 MHz, relaying inputs from a sensor mounted above the exhibit.

Dune

Dune was 12 moving dunes which appeared to be controlled by 24 ESP32s, each hosting an open network called FaryLink_XXXXXX. This is consistent with either the lights or the control function moving the devices: 24 devices on tracks moving around. The FaryLink prefix is a factory default SoftAP SSID on ESP8266/ESP32 modules, which suggests the access point was simply left at its defaults. No data was observed entering these networks, so they appear a little superfluous, which reinforces the conclusion that they probably aren’t doing anything: an open SoftAP with no clients and no traffic is a fingerprint of the hardware, not a control channel.

Murmuration

The coolest installation from a wireless standpoint was Murmuration. This had some 500-odd ESP32s suspended overhead providing audio and video, all connected to a wireless network called _bloom that was addressing them with IPv6 multicast (the 33:33:xx:xx:xx:xx destination MAC that IPv6 multicast uses sits in the 802.11 header, which stays visible even when the frame body is WPA2-encrypted). Because the network uses a pre-shared key we can’t see what it is actually sending, but the exhibit was pretty awesome. It is likely the multicast triggers the devices to emit audio or light, but that would need a bit more observation.

Other observations and moving forward

CDFN_57, CDFN_17b and similar ESP32 devices were present as well and were sending some data. Best guess is that these were controlling the lights attached to the lamps along the 8.5 km Vivid walk; keeping those synchronised as a meshed network, possibly without wired connectivity, would be a challenge for which an ESP32 makes sense.
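As an added example, not part of the original post or of any Vivid exhibit's own code, the following Python does by script what the walk above does by eye over an airodump-ng CSV dump (aircrack-ng suite): it collapses CDFN_*/FaryLink_* style SSIDs into families, flags open networks and factory-default prefixes, and counts associated clients per network. It also carries two small helpers for the inferences made above: classifying a frame's destination MAC (how IPv6 multicast is recognisable under WPA2 without the key) and deriving a boot time from a beacon's TSF timestamp. The CSV rows, MAC addresses and timestamps are constructed, and DEFAULT_SSID_PREFIXES is my own list, not something the page or Espressif publishes.

```python
"""Triage of an airodump-ng CSV dump (aircrack-ng suite): group access points
by SSID prefix, flag open networks and factory-default SSIDs, count associated
clients, and two helpers for inferences made in the write-up (destination-MAC
class from the 802.11 header, boot time from the beacon TSF timestamp)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the airodump-ng CSV layout; not a real Vivid capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
24:6F:28:AA:00:01, 2023-06-02 18:41:10, 2023-06-02 19:02:33, 1, 65, WPA2, CCMP, PSK, -48, 812, 0, 0. 0. 0. 0, 7, CDFN_57,
24:6F:28:AA:00:02, 2023-06-02 18:42:01, 2023-06-02 19:02:30, 6, 65, WPA2, CCMP, PSK, -61, 640, 0, 0. 0. 0. 0, 8, CDFN_17b,
5C:CF:7F:BB:11:01, 2023-06-02 18:50:12, 2023-06-02 19:01:58, 11, 65, OPN, , , -55, 300, 0, 0. 0. 0. 0, 15, FaryLink_1A2B3C,
5C:CF:7F:BB:11:02, 2023-06-02 18:50:14, 2023-06-02 19:01:59, 11, 65, OPN, , , -57, 298, 0, 0. 0. 0. 0, 15, FaryLink_4D5E6F,
30:AE:A4:CC:22:01, 2023-06-02 18:45:00, 2023-06-02 19:02:40, 3, 65, WPA2, CCMP, PSK, -40, 900, 0, 0. 0. 0. 0, 6, _bloom,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A4:CF:12:DD:33:01, 2023-06-02 18:46:00, 2023-06-02 19:02:40, -50, 1400, 30:AE:A4:CC:22:01,
A4:CF:12:DD:33:02, 2023-06-02 18:46:02, 2023-06-02 19:02:41, -52, 1390, 30:AE:A4:CC:22:01,
B8:27:EB:EE:44:01, 2023-06-02 18:47:00, 2023-06-02 19:02:30, -58, 120, 24:6F:28:AA:00:01,
"""

# SSID prefixes treated here as factory defaults (my own list, an assumption).
# ESP_xxxxxx is the ESP8266 SDK SoftAP default; FaryLink_xxxxxx is the prefix
# seen on Dune and treated in the write-up as a left-on default.
DEFAULT_SSID_PREFIXES = {"ESP_", "FaryLink_"}

# Trailing hex suffix after an underscore or dash, e.g. CDFN_17b, FaryLink_1A2B3C.
SUFFIX_RE = re.compile(r"^(.*?[_-])[0-9A-Fa-f]+$")


def parse_airodump_csv(text):
    """Split the dump into its access-point and station tables (airodump
    separates them with a blank line); each row becomes a dict keyed by the
    stripped column name."""
    ap_part, _, sta_part = text.partition("\n\n")

    def table(part):
        rows = list(csv.reader(io.StringIO(part), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        return [dict(zip(header, (c.strip() for c in row)))
                for row in rows[1:] if any(c.strip() for c in row)]

    return table(ap_part), table(sta_part)


def ssid_family(essid):
    """Collapse per-device SSIDs to their shared prefix so a fleet of boards
    shows up as one line; SSIDs without a hex suffix are kept whole."""
    m = SUFFIX_RE.match(essid)
    return m.group(1) if m else essid


def summarise(aps, stations):
    """Per SSID family: device count, how many are open (no encryption),
    associated client count, and whether the prefix is a known factory default."""
    clients = defaultdict(int)
    for sta in stations:
        if sta["BSSID"] != "(not associated)":  # airodump's marker for probe-only clients
            clients[sta["BSSID"]] += 1
    families = {}
    for ap in aps:
        fam = ssid_family(ap["ESSID"])
        entry = families.setdefault(fam, {"count": 0, "open": 0, "clients": 0,
                                          "default_ssid": fam in DEFAULT_SSID_PREFIXES})
        entry["count"] += 1
        entry["open"] += int(ap["Privacy"] == "OPN")
        entry["clients"] += clients[ap["BSSID"]]
    return families


def classify_dest_mac(mac):
    """Layer-2 destination class. The 802.11 header is never encrypted, so this
    is all you can say about a WPA2 frame's recipient without the PSK."""
    m = mac.lower()
    if m == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if m.startswith("33:33:"):
        return "ipv6-multicast"
    if m.startswith("01:00:5e:"):
        return "ipv4-multicast"
    return "other-multicast" if int(m[:2], 16) & 1 else "unicast"


def boot_time_from_tsf(seen_at, tsf_us):
    """Estimate when an AP came up from a beacon's TSF timestamp, which counts
    microseconds since the radio's timer started. A radio restart without a
    reboot resets it, so the implied uptime is a lower bound."""
    seen = datetime.strptime(seen_at, "%Y-%m-%d %H:%M:%S")
    return (seen - timedelta(microseconds=tsf_us)).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for fam, e in sorted(summarise(aps, stations).items()):
        print(f"{fam:<12} devices={e['count']} open={e['open']} "
              f"clients={e['clients']} default_ssid={e['default_ssid']}")
```

For a real walk, `airodump-ng -w vivid --output-format csv wlan0mon` writes `vivid-01.csv` in exactly this layout, and `parse_airodump_csv(open("vivid-01.csv").read())` feeds it in; the TSF value comes from the beacon frames in the accompanying pcap rather than the CSV.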

I’m yet to discover the zoo, “Our Connected City”, Lightscape or Dark Spectrum, but will probably look to dive into these in coming days.

Ryan Williams

"Cybersecurity Consultant & Threat Informed Defender | Editor of HVCK Magazine | OSINT & Privacy Advocate"

1 year

It's so refreshing to see someone at your level still driven by what got most of us started. Curiosity. Kudos sir, kudos.

Tony Vizza

Digital Risk and Governance Executive | Cybersecurity, AI and Privacy Practitioner | Digital Law | Board Director | Independent Expert

1 year

Brilliant Ed. Just brilliant

Jakub Kaluzny

Product & AI Security | Leading innovative AppSec initiatives at Snowflake

1 year

Have you heard about https://www.sydneyopen.com.au/? I've always wondered what internal security teams think about letting tons of strangers into office buildings.

David N.

Engineering/Logistics Officer at Australian Army | RAEME

1 year

Hi Ed, I love reading about the vulnerabilities (normally inadvertent) of networks, but unfortunately I know next to nothing about how to protect myself. I’d love to sit down with you to learn more, or do I just need to study cyber-security…? lol, I read this article hearing your voice. Cheers, Dave.

“Unfortunately, as the cyber security industry has inherited management consultants who couldn’t perform in their original industry, israeli military veterans who conflate their conscripted service as tire changers as being members of a secretive intelligence agencies, or spray tanned real estate agents come cyber security thought leaders who get easily excited.” Tell us how you really feel, Edward!

More articles from Edward Farrell
