
CubeSats. I don't know if you've ever played around with CubeSats. I have, and this is a really neat setup, I mean, if you have like 20K that you want to spend for your RF investigations. But if you don't, we're glad you're here for our presentation, because today we're going to go over what is RF hacking, some fun case studies (yes, because we have to see what trouble other people have caused), we're also going to tell you how you can build your own RF lab for $30 to, I think, $1,500, give or take, and then we're going to go into, if anyone has, I don't know what are they called, Flipper Zeros? Yeah, boys. I mean, I think you might have even had the chance and opportunity to win one, so we're going to go in depth on Flipper Zeros and some of the cool things that you can do with those.

So without further ado, what is RF? Now I know I don't have any of my slinkies with me, as I would for the K through 12 students, but RF is essentially one portion of the electromagnetic spectrum. In layman's terms, waves. RF are waves, and it's usually measured in hertz. So if you look at this gorgeous NASA image, we're dealing with the portion here on the left. But what can you do with RF? Well, thankfully a lot of our devices, for their convenience or ours, are now RF controlled. I have a lovely joke: what do pacemakers and satellites have in common? One, both are hard to operate once deployed, and two, both are vulnerable to RF. Haha, I don't know if that's such a great joke, but a lot of things are vulnerable to RF or controlled by RF. We have drones, we have SCADA systems, we have IoT devices. Oh, did I just use a bunch of buzzwords? Yes I did. All right, moving on: your car, your garage, your light bulbs in your house, all of these have RF involved, usually. Well, not mine, because I'm paranoid, but most people's do.

Now there have been a lot of cool case studies of things that have been hacked by RF. Now this is one of my favorite case studies, one because it involves a teenager who learned too much information, and two because of its devastating impact. Here's how the story goes, and yes, I'm dramatizing it for our audience members. Here we have a teenager who attends his local electronics class, thinking it'd be cool high school fun, right? Well, he gets out his universal remote, programs it, I think he spent like what, three months developing, I forget exactly, but you can read all about it on the MITRE website. He reprograms his local train tracks, you know, that switch out there that tells the train to go this way or that way. After he derails a couple of trains they investigate it and find out, oh man, maybe his mischief isn't that great. So first case study: hacking trains, how you can have fun too.

All right, now this is my focus area in love, cybersecurity of satellites, and I'm so glad that Ed mentioned DEF CON, because they had Hack-A-Sat, for, oh my gosh, there were these teams up there that are actually hacking a satellite that's in orbit. Okay, you probably don't know this, but remember how servers are like 1U, 2U? Well, satellites have a similar styling guide. We call them 1U, which is 10 cm x 10 cm x 10 cm. They launched a 3U satellite into orbit, and who is "they"? That's the Air Force Research Lab. Now we have prizes to give out, and for my first question for one of the prizes, and no, I'm not telling you what it is, does anyone know the name of the satellite that they launched? Yeah, the name of the CubeSat? I thought this was such a good question. All right, well, I guess I'll save that to the end then. It's called Moonlight. I thought it was a pretty name, but I have a thing for satellites. Well, if you go back to the slide, those three teams that you see featured there were not only able to access Moonlight, they were able to use the payload on Moonlight to take pictures of the earth and send it down. Now thankfully these are good guys doing good things, but imagine that in a malicious category.

Moving on, pacemakers. You knew I was going to throw in medical devices, didn't you? Of course I am. Pacemakers, just like satellites, have a lot of vulnerabilities, and they're controlled wirelessly. Fantastic. Now thankfully there's a lot more people looking out for medical devices than there are for satellites, makes me sad but it's true, and they actually had a recall of over 350,000 pacemakers that they had to update their firmware, because they were slightly vulnerable to a man-in-the-middle attack kind of a problem. Especially with the academic paper I was reading telling me how they don't really investigate pacemakers after the fact if someone dies from them, I'm like, oh, so you're telling people how to get away with murder? Oh my goodness. Moving on, before I get in trouble.

Now how do I break this down for you, how do you get involved or get information on RF hacking? Well, yes, this is a very, very oversimplified schematic, so people that are actually in this field, please forgive me; people that are not in this field, please let me break this down even further. You have really two parts: something that's hardware that allows you to detect, receive, or interpret radio waves, in this case typically it's an antenna, and then something that's software that allows you to analyze the information that you've detected or collected. Now what's really cool, even though it's been around since the '60s, are software defined radios, or SDRs. These devices allow us to simply, and in a way, detect or receive radio signals. Next slide.

Now I've promised you, for $30, right? For $30 you can buy one of these off of Amazon. This is an RTL-SDR. Now what's really great about them is they were made famous because, oh wait, another hacker was able to go in and, wow, this device made to actually interpret TV channels can be used and reprogrammed. That's super cool, and thus the RTL-SDR became even more popular than it is today. That small device can allow you to receive only signals, but what signals can you receive? NOAA weather satellites, information from your local airport, oh, other satellites, really anything. Like, I had a couple of guys that were on their radios, walkie-talkies, around me and I'm like, oh, I'm just listening in to their conversation, oh this is fun. This has the capability of amazing things and it's a great starter hardware device. If you buy the packet you get these cute little rabbit-eared antennas; I've seen them in movies, I think people used to use them to actually watch TV, whoa, so cool.

Other devices: we've got the HackRF. This is a little bit more expensive, but Great Scott Gadgets makes a lot of great things. It's about $350. But what really is important when you talk about these devices is what frequencies can you interact with. The two devices I just mentioned, I'm thinking more, you know, high-end FM radio, AM radio, I'm thinking in those spectrums, but if you look at our Wi-Fi Pineapple or your Pini, you'll notice that they have specialized frequencies that they are used to interact with. One thing when buying your antenna: buy the antenna to interact with the frequency that you want to collect or investigate. Very important. Next slide.

We have software. Now what's really great about these two software sets: they're free. I like the price, I think it works really, really well. I also like to recommend these two subsets of software because they have a lot of tutorials that will walk you through step by step on how to get started. So we have GNU Radio up here, and I actually have the tutorial page right here; it's great videos walking you through how to use it and how to set it up. But if you want to get kind of an idea, it's kind of like drag and drop: I want a signal processor, click click, oh I have one, I'm going to connect it to a receiver, wow. It's really fun and it's an easy way to get started, and with this you can actually build a device using your antenna to sniff radio signals. I actually had a coworker, his wife bought a car, and it's really interesting, it's a brand new car from the dealership. He was sniffing it with his little device, 'cause you know most of the people I work with are super cool and invent things all the time, and he found out they actually left a GPS locator device in his wife's car that he'd been driving around for the week. Of course they immediately went and took it back to the dealership and they had them remove the device, 'cause they paid for the car outright and he didn't like the fact that his wife was being tailed and trailed. Minor detail. But with this you can actually make signal processors that allow you to analyze the signals, detect the signals, repeat the signals, and other things. Universal Radio Hacker: for those of you that went to DEF CON this year, there's great information on how to hack restaurant pagers, make those go off. I don't know the point of it, but if it can get me in front of Olive Garden sooner, huh, maybe.

But now for the moment you've all been waiting for, I'm going to turn it over to Scott. We're going to go over the Flipper Zero.

All righty, so this is kind of like a little multi-tool for tons of cyber and a lot of RF. So it's capable of RFID, NFC, Bluetooth, sub-gigahertz transceiver stuff, and you can add more to it with the GPIO on top. These are running about $169, so that's kind of like your middle of the road, but the good thing is they've got open source firmware, so there's been tons of tools built for it. So these capabilities: the RFID, you can handle your basic low frequency, high frequency. NFC, you can read, you can write, you can emulate your own key cards, and it handles all the popular MIFARE protocols you use. And as far as sub-gigahertz goes, you've got three bands that the hardware's capable of. The lower 300-400 MHz, that's where all your access control is, so this is garage doors, car key fobs, and then like swing-arm gates, stuff like that. And then you've got a little bit of higher frequency, and that's where POCSAG, this is a pager message coming through, you can sniff those.

But if you want more you can add Wi-Fi to it, spin up your own malicious access points with login pages on them, you can run deauth attacks, all kinds of fun stuff. The LoRa module, that's kind of a long range, low bit rate IoT protocol, you can sniff all the traffic there. The MagSpoof here, if you give it magnetic track data from a card, it's got a coil in it and it can replicate that. And then there's a lot of multi-purpose ones; this one's got Wi-Fi, it's got a camera on it, an nRF module for 2.4 GHz stuff, and then an external antenna for even greater range.

So what can we actually do with it? Right out of the box you can use the RollBack exploit. This was unveiled last year at Black Hat; it's kind of a clever replay attack for car key fobs. Only some manufacturers are vulnerable, but essentially you can capture a couple lock commands and an unlock, and if you replay it back right, you're in the car. Lots of gates and doors, lots of access control. A lot of these swing-arm gates, you can brute force the protocol they use pretty easy; there's built-in tools for that. Even brand new modern garage doors, a single capture and you've got the key, you can get in the house. And then kind of a fun one, the little handicap door buttons that you bump to open them up, they're all 433 MHz; capture that, replay it, mess with people, spook some people. And then you've got kind of an older one, OpenSesame, was about 10 years ago. Samy Kamkar found a way to brute force border garage doors. He actually implemented it on the IM-ME, uses kind of a similar radio to the Flipper, but it's just a kids' toy they modified.

But the fun stuff is when you get into Wi-Fi. You can pop an ESP32 on top of it, put the Wi-Fi Marauder firmware on it, and now you can run deauth attacks, knock people off of networks, create your malicious APs, fake login pages. You can even do packet captures and dump the pcaps later to check out what's going on, and if you throw a GPS module on it you can go wardriving with it. You can also put an nRF module on there, check out the 2.4 GHz spectrum. Someone's written a driver for it and a sniffer, and if you can find the address of a wireless mouse you can hijack that connection and appear as an HID device to whatever computer it's connected to. And there's also a really nice looking channel scanner for finding those devices.

But you're not going to get very far without a custom firmware for it. You got a couple good options here. The Unleashed firmware removes all the transmit restrictions, higher power, more bands, opens you up to a couple more sub-gigahertz protocols on top of the built-in, just AM and FM basic stuff, and gives you a separate pack of all the little programs and plugins that you need to run. But if you're lazy like me, you're going to want the RogueMaster, because all that's rolled into one and it's like a two-minute install and you're off to the races. And it's updated usually daily, sometimes twice daily; it's pulling from dozens of open source projects, so you're getting kind of the bleeding edge of what people are working on. And you also might want an asset pack. This is holding tons of little sub-gigahertz files you can replay, infrared, default NFC keys. He's got one that's paywalled for 10 bucks a month, but it's got tons of stuff to get you started playing with. And if you're working on something a little weird you might want to make your own assets, so Flipper Toolbox is a collection of Python scripts for analyzing, editing, and generating your own NFC cards, infrared packets, and sub-GHz files. And if you want something a little bit easier, Flipper Maker does pretty much the same thing, and it's all web based.

One of the questions lately has been the legality of the Flipper. Earlier in the year it got banned from the Amazon storefront because it was coming up as a card skimming device, kind of technically right, but it's still perfectly legal here. You can buy it from the Flipper store online. It's all governed by the FCC in the US. These are the bands that the hardware is capable of, and the FCC says you've got to stay in that little sliver in the middle.

Now speaking on that, and this is something I want to do very seriously, because the lawyers say I have to, and I don't want you to get arrested: please don't do illegal things. Yes, there are actually people who get paid to listen and monitor radio frequencies to see if there are people doing illegal things. I can't believe that's actually a job, but it is, and there are lots of problems if you do these things: fines, prison, and probably the worst of all, loss of RF operating permissions. That means no more computers, AKA millennial death.

I also want to go into one other thing, and this was only if we had time. Oh yeah, yes, these are all our references, 'cause yes, we referenced everything. There are also a lot of things out there right now that might not have happened, so you have to be careful. There are things you can do and there are things you cannot do. For example, in this case a gentleman said he used a Flipper Zero to hack a smart meter. Now it was really cool, because like you actually saw the puff of magic smoke come out of the smart meter, I mean that's pretty awesome, but it probably didn't actually happen. I think Hackaday was the one person that popped up there that they're like, hey, he bought a really, really old smart meter, he rigged it like this, and this is how he made his video. Still, he probably got a lot of views, so maybe it worked, maybe it didn't. But when you're using it, please investigate what frequencies you are allowed to operate in for the device. You can find that usually by looking at the Federal Communications Commission, the FCC. Please do this. All right, I think that'll get us covered by the lawyers. Yeah, hopefully.

Now with that, here are our sources. We used a lot of them. Yes, on this source I'd like to also point out there's really a lot of great free learning tools and opportunities; please take advantage of them. They are not made for fun, they are made to help you. All right, with that, questions? Pick someone. You in the front.

Yes, yes it does. If I take my credit card out and scan it I can see my number on the screen. The upside is if you're using like Apple Pay or something, it goes through a proxy, so it gives it kind of a fake number, so that's kind of the way to get around that risk. I guess you could just, like, interesting, yeah.

Yeah, now we need to repeat the question when they ask us, just because they can't hear us on the mic. So, yes, do you have any experience? I do not. Yeah, I can't say I have experience with Amazon Sidewalk like you ask, but I can say that in the art and science of RF investigation you will often find that not everything has standardized protocols. For example, satellites. Satellites are a fantastic example of this, because if you have a really expensive satellite, they're going to use standardized protocols; if it's really cheap, made by a bunch of students, they're usually probably going to make up their own protocols. So when you investigate new devices, new things, don't expect any standardization. Look at everything like it's a unique magical unicorn, because it likely is. Back there, hello, yep.

On board it's just a microcontroller running a little operating system, but it can communicate with a computer. I've used it as like a USB-to-UART before, and there's some NFC cards where you have to pull the keys with the Flipper, dump it to a computer, crack it, and then send it back. So there's a lot of that.

And we also have some prizes we have to hand out, if you want to ask your question. Okay, so she alluded to the origin of software defined radio earlier. It was way back in the day, it was a US military project. Does anyone know the name of that? I don't think so. I think we picked two harder questions. We did. No, try again, because this is for something super cool. Nope. Nope. You might. There it is. So you're getting a CatSniffer, which is kind of cool.

Now for my question, for those that are under 18, is there anyone here that would like to ask me a question? Someone under 18, because I like helping youth learn, and this is the coolest thing to learn with. All right, what do you got? You said, back corner, of the Flipper? Of the Flipper, I believe it runs from about 300 megahertz up to 982, I believe, so you get a lot of stuff in the three to four; that's where most of your stuff lives in. Sorry, for youth starting their own lab, you know, I'm going to help out. All right, are there any other questions? I think we have five minutes.

All right, her question was on pacemakers and if other medical devices such as hearing aids were also vulnerable to this. I'm not going to speak conclusively, because I haven't done the research, but I believe it could be feasible that many medical devices are vulnerable to RF attacks, and could be one of the, I guess, the most challenging things that most people haven't been able to overcome is your classic jamming attack. So most things, if I jam it, that means creating so much noise that it just pollutes all the other waves around it, it's going to stop it no matter what, kind of like a DoS. Yes, actually I do have a, I can, there's a great paper I can recommend you. I do have some cards and some pens and I can get you that article of what a pacemaker looks like; it's pretty cool. Hey, let's keep it down please, there's still question and answer going on. Thankfully I think the recall was already handled; from the news article that I was reading it said do not panic, explicitly. It was in the UK, so I think they've taken care of it, hopefully. Probably not a fun process. The videos are being recorded and I'm pretty sure they post them online. All right, if there's no further questions, thank you so much, we really appreciate you being there, and please reach out if you have any questions on setting up your own RF lab.