
a lot of fun. If you are interested in that talk, that's actually someone else from my company, but he did that talk two years ago, so if you ping him maybe he'll share that information still. He's a pretty cool guy. So sorry to let you down. But are you okay with being streamed? Absolutely, yep, streaming is cool.

So thanks all for coming out. I know it's late today in B-Sides and you've already learned so much, and I'm sure your brain is already exploding with how much you've learned, but I hope you'll bear with me just a little bit more. This is a topic that's kind of near and dear to my heart: RF controls with software-defined radio, blending the two in an investigation. I found that software-defined radio is a topic a lot of people are curious about, but they don't always take the chance to go play with it. So I thought I'd cut out the middleman and give you a chance to see what it's like playing around with these controls, how affordable it can be, and how it's a great way to use the hacker mindset even if it doesn't directly apply to your work right away.

To get us started: has anyone (of course my clicker doesn't work, that's how it works, right? Oh, there we go) has anyone here used a software-defined radio before? Awesome, that's a lot of hands. And just for fun, who's been curious about software-defined radios but hasn't had a chance to play with them yet? Excellent, that's great. So if you're looking for new projects, if you're looking for fun things to do, if you've been curious about some of the radio research that's come out recently and it seems like a topic where you'd almost get it but you haven't gotten there yet, then this is definitely for you.

There are a lot of signals out there in the world around us. I do want to stress that: it's kind of silly to say the air is full of signals, but I like to think of it that way because it has this magic ring to it. Everything you use to communicate these days is over the airwaves, in colloquial terms, but we don't really investigate it all the time. Taking the chance to step back and see what's out there, there's this whole world. It's almost like there are signals of different types and flavors, with different categories and attributes; some are more difficult to understand than others, some are practically legendary, and sometimes I do wonder if we can catch them all. I apologize for the bad Pokémon joke, but not really: there's a lot of Pokémon stuff in the slide deck, so I hope you'll bear with any corniness to come. I enjoy it.

For a bit of an overview of what we're doing today: I'm going to give an overview of RF fundamentals, which some of you might already know and some might not, but I'll keep it pretty quick either way. Then we're going to look at how to tune around with a software-defined radio that's quite affordable. After that we're going to look into a few different signals with different tools that I really like, which are all free and available on Linux, so you can play around with them without much investment at all. We'll close by reflecting on the state of RF security: what makes it tricky, what makes it maybe something we want to look into more in the future, and what you should do if this has sparked an interest and you want to spend a little more time with this topic.

To get us started: RF all travels as electromagnetic waves, and electromagnetic waves by definition all go the speed of light, so they're all going the same speed. The length of the wave is what changes, and that's what we call the wavelength. If you have a shorter wavelength you have a higher frequency, and if you have a longer wavelength you have a lower frequency. So you're probably used to hearing terms like megahertz or kilohertz, and that's where those terms come in, for denoting frequency. A quick way to remember that relationship is that if you multiply the frequency by the wavelength you'll always get back to the speed, so the two are closely tied together.

These are the tools we're using in our investigation today. We've got what's called an RTL-SDR; it's about a $30 USB dongle that you can get online. It comes with a little antenna, you plug it into your computer, and that provides all the hardware you need to receive the signals. Your computer then provides all of the software elements, the software-defined radio part, for processing those signals and displaying them back to you. And of course when you get that combination (one would argue anything with open source) you get magic; software-defined radios plus those tools can lead to some pretty interesting times. There are good tools for Windows as well, but today is just Linux.

So let's take our first steps. We're starting out just knowing a little bit about radios and RF signals; we know they're around, but we don't really know what they look like, where they hide, or how they're different from each other. So let's get started with gqrx. I really love this tool. It's super simple: you just fire it up and tune your software-defined radio around like you would a normal radio, and you get this beautiful view called the waterfall, which shows you what amplitudes, so what signal strengths, are happening at different frequencies. You can see a big chunk of spectrum, which is what we call a range of frequencies, and what's happening across it.

I've got a little demo of that; it's just a video I've taken. Once you fire up gqrx you can immediately see what's going on. The frequency I've got it tuned to right now is 89.9 megahertz, so it's just an FM radio station, and you can see the rise and fall of the signal with someone's voice or the music. You've got different filters and a lot of little settings you can tweak in there. You can change the gain if you want to make it louder, though that can get a little weird since gain is slightly different from volume. You can change the color if you don't like a blue radio signal for whatever reason. And you can type in new frequencies to look at: maybe I want to listen to a different station, or maybe I want to tune around, so I pull the bar back and forth and see what else is at nearby frequencies, just looking around different parts of the spectrum.

Now I'm going to look at some AM signals. The RTL-SDR cannot reach traditional AM radio frequencies, but it can reach frequencies you might be familiar with if you've ever listened to, for instance, a scanner for police repeaters. Some non-critical traffic is communicated in the clear (critical signals will usually have a higher level of security), so you can find conversations people are having for business purposes, or someone on patrol, up around the 470 to 480 megahertz range. Here I've just tuned around, and you'll notice I'm not really seeing anything yet; sometimes you have to go back and forth, because people aren't always talking on the radio, they only talk when they have something to say. Here we finally picked up some signals: we've gone to this area of frequency that we're not familiar with and we've found something. If I were using audio, which I'm not today, you'd be able to hear maybe someone calling in a patrol situation, or just saying that it's a really boring night. I don't know; that's their business.

Going backwards for a second (whoop, there we go), here's more of an overview of the spectrum in general. This is generalized; it doesn't show everything, but it gives a sense of what lives where in the safari of signals. At the lower range we've got the AM radio signals you're familiar with. The next region of bands up: is anyone an amateur radio operator? Just curious. Got a couple. So 10 meters all the way through 80 meters is in that band I've outlined. If you're used to speaking with other people over long distances using your own radio equipment, that's why you'd be an amateur radio operator, and it's a pretty fun hobby too. Moving up from that we get into what's called the very high frequencies: we have television frequencies and we have FM radio, which is a bit more compact than AM radio because of how it's communicated. You'll also notice I've got some white boxes there, and those white boxes are where the control signals we're looking at today all hide. Everything we're looking at is within those little stripes. You might notice it's all around the ultra high frequency range, and that's because it's good for near-range communication since it's a higher frequency and a shorter wavelength. There are more details to that, but I won't get too in depth. I'm sure everybody is familiar with Wi-Fi, so we get up into 2.4 and 5 gigahertz, and a lot of cellular communication is around there as well.

Zooming in on those white boxes, these are the exact ranges those controls tend to live in. Why these ranges are significant: for the top four you'll notice I wrote ISM, that's industrial, scientific and medical. If you have equipment you want to develop and you need a place to let it operate, but you might not want to get it FCC licensed since that's a very long process, this is a slice of spectrum your device is allowed to operate in as long as it's within the rules for that section. Basically your device needs to accept interference, and if it gets interference it can't do anything nasty; if something sends it the wrong signal it can't start jamming everything by sending lots of weird signals. So those are the four ISM ranges: we've got 433 megahertz, 915 megahertz, 2.45 and 5.8 gigahertz. You'll notice I'm referring to them all by the center frequency, so there is a lower and an upper bound to each of these ranges. If someone says a device is at 433 megahertz it might not actually be right there; it might be a little above or a little below, it just means it's generally in that range. The last slice I've got is 315 megahertz, which is an unlicensed area of operation for various devices. Great, so we know where our controls are going to be.

Now a little bit about how they operate. We have amplitude shift keying and frequency shift keying, and these are just super simple ways of saying one and zero. If you're used to having a voltage change for one or zero, here we just have a signal difference. For amplitude shift keying it's just based on the length of a pulse; if you're familiar with Morse code it's kind of like that, but for bits. So you have a short pulse for a zero and a long pulse for a one. Below that it's the exact same data but with frequency shift keying, so we have a lower frequency for our zero and a higher frequency for our one.

This is our first mystery signal. Does anyone want to guess our mystery signal? Sure, go ahead. A power switch? That's pretty much it, yeah. I use it as a light switch. This is just a super simple RF controller. I'm lazy, I don't want to get out of bed every day to turn my lights on and off; maybe I just want the lights on and to stay in bed. I do that sometimes. They've got these controllers on Amazon that are super cheap, so I don't have to pay for fancy home automation or anything. But I'm kind of curious: how do these work? Are they actually secure? Can I trust that you guys aren't all going to come around my apartment and turn the lights on and off and on and off at 4 am? I don't know. Let's find out.

So I'm holding this controller in my hands and I'm like, well, I can see it, I know what it is, but I don't really know anything about it. How do I discover information on this? It's almost like I wish I had an encyclopedia, or a signal dex, that would be great, and I could just point it at the signal and say tell me what this is, tell me what it's saying, and it would translate it for you. It would be so cool if there was a tool like that, wouldn't it? So I looked around, and there actually is, it's amazing. There's a tool just like that: rtl_433. I'm a huge fan of this tool. It's a command line tool and it will scan around various frequencies, tell you what it finds, and decode them into ones and zeros. Sometimes it has little profiles as well that other people have made, so it can decode the signal a little bit more. In this case I just used it with -qa: the -a is to look around and the -q is just making it be quiet so it's an easier demo. You can see I've pressed the button there, and in that box I have the signal that I've gotten back. In video it looks a little more exciting: I've started up the tool, now I'm pushing the button, and you can see I've got the signal back. I've got something else in there which I'm going to disregard, because that's not when I pushed the button. Then, yep, it looks like when I push, you know, the "one on" or something like that, I get the same thing back; if I push a different button I get that one. Some of you might be noticing these signals look the same every time. Hmm, interesting. So since they look the same, I figured what the heck, let's map them out. Let's call this a very simple reversing exercise; it'll be fun.

So, just arbitrarily, I'm going to line up all of the commands for when I push the different buttons: we've got lights one through four, then turn everything on and turn everything off, and we've got an on and an off for each. Lining them up, I've inserted some spaces based on groupings that I think look significant. The first 10 bits are always the same, so that must be either "hey, I'm a remote" or "hey, I'm this remote, not somebody else's remote, listen to me". Then it seems like for all lights we've got one bit set, for one light we've got a certain thing, and then we've got almost like an ID for which switch should turn on, so which outlet I've got: is it outlet one, is it two, is it three. Then the on and the off change: we've got 0011 for on and 1100 for off. So now we can translate this into a sentence. When I push the button for, say, two on, I can see what the bits mean: it's saying "this is remote whatever-its-name-is in binary, turn switch 2 on". As simple as it might seem, this actually is signal reversing. So we made it: we've gone from something I was holding in my hand with no idea what it was, to saying when I push this button, this happens, in this way, and it's always the same signal every time. Again, those of you with a hacking or security mindset might have already noticed: this is definitely vulnerable to replay attacks. If someone wants to come by with the signal and just play it over and over again, yeah, I'm going to have a pretty bad night.

It's our second mystery signal, and I know it's so mysterious you can't even tell what buttons it has or what it does. Anyone want to guess? It's a fan? That's actually perfect, yeah, it's a fan. Amazing. So this is a fan remote. It's got more buttons and it's a little more complicated: you can turn the light on and up and down in different percentages, and you can make the fan go different speeds. Cool.
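As an added example (not code from the talk), here is a Python version of the two steps in the light-switch exercise above: measuring on/off pulse lengths to recover bits, which is the amplitude shift keying from earlier, and then splitting the bit string into the fields found by lining up the button presses. The pulse lengths and the field widths (a 10-bit remote ID, a 4-bit outlet selector, and the 4-bit command with 0011 = on and 1100 = off) are assumptions for illustration, not measurements of the real remote; the last function checks for the symptom that made the remote replayable, every press of a button producing the identical frame.

```python
# Added example, not code from the talk: OOK pulse-length demodulation and a
# field decoder for a fixed-code light-switch remote. Field widths and pulse
# lengths are assumptions for illustration, not measured from the real remote.

SHORT, LONG = 1, 3   # assumed "on" pulse lengths in samples: short = 0, long = 1
GAP = 2              # assumed "off" samples between pulses


def envelope_from_bits(bits: str) -> list[int]:
    """Construct an on/off amplitude envelope from a bit string (a stand-in
    for the magnitude of captured IQ samples; used here as test input)."""
    env = []
    for b in bits:
        env += [1] * (LONG if b == "1" else SHORT) + [0] * GAP
    return env


def demodulate_ook(envelope, threshold: float = 0.5) -> str:
    """Recover bits from pulse widths: measure each run of samples above the
    threshold and call it a 1 if it is nearer LONG than SHORT, else a 0."""
    split = (SHORT + LONG) / 2
    bits, width = [], 0
    for s in list(envelope) + [0]:          # trailing 0 flushes the last pulse
        if s > threshold:
            width += 1
        elif width:
            bits.append("1" if width > split else "0")
            width = 0
    return "".join(bits)


FRAME_BITS = 10 + 4 + 4   # assumed layout: remote id | outlet selector | command


def parse_frame(bits: str) -> dict:
    """Split a demodulated frame into the fields found by lining up presses."""
    if len(bits) != FRAME_BITS:
        raise ValueError(f"expected {FRAME_BITS} bits, got {len(bits)}")
    remote_id, outlet, command = bits[:10], bits[10:14], bits[14:]
    action = {"0011": "on", "1100": "off"}.get(command, "unknown")
    return {"remote_id": remote_id, "outlet": int(outlet, 2), "action": action}


def is_fixed_code(captures) -> bool:
    """Replay risk check: a remote with a rolling counter changes some bits on
    every press, so if repeated captures of one button are all identical the
    receiver has nothing to tell a recording apart from the real remote."""
    return len(captures) > 1 and len(set(captures)) == 1


if __name__ == "__main__":
    # Constructed captures of the "outlet 2 on" button, pressed three times.
    presses = [demodulate_ook(envelope_from_bits("1010110011" "0010" "0011"))
               for _ in range(3)]
    print(parse_frame(presses[0]), "fixed code:", is_fixed_code(presses))
```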
So I tried running rtl_433 on this. I'm like, all right, I've got this reversing thing figured out, pretty cool, just push a button and get the answer. Nah, didn't work for this one. rtl_433 with those options will only give you things at 433 megahertz, and we don't know what frequency this is at. We could tune around with gqrx, but it still has limited features. Maybe we want a different view; maybe, once we find the frequency, we want to see how the signal is changing over time without the waterfall, so we can see the ones and zeros a little more clearly. And maybe we're ready to step out and start using tools that let us make our own radios, almost our own software-defined radios to run, so that if we ever want to build something that can transmit, or give it different views, we're ready to do that. All kinds of exciting things.

To line them up next to each other: gqrx is a tool that runs using GNU Radio, which is the set of libraries and functions that support all of these tools, and GNU Radio Companion, which we're about to use, is a visual tool that lets you line up blocks and then create your own software-defined radio to run. I love it a lot. I think it simplifies a lot of what could be complicated about this, since there's a lot of math you have to abstract in decoding those signals.

So I've set up a simple GNU Radio Companion file for this. Way over on the left I've got what's called a GUI slider, and that's kind of like a variable: we've declared this variable for what frequency we want to look at, and since it's a slider, when we hit play and it builds the radio for us, we'll be able to pull the slider back and forth and look at different frequencies. You can't actually see it in the other blocks here, but wherever the 300 megahertz comes up for the frequency we've defined, I've actually typed into the settings for that block to use that freq GUI slider instead, so it's using that variable to know what frequency it should be looking at. We've got the RTL-SDR source, which is very important; this is basically just a chunk of code that says how to handle signals from the software-defined radio we're using. Then we've got the FFT (fast Fourier transform) sink, which is kind of like what we were seeing before in gqrx: it shows us the amplitude of different frequencies across a range of frequencies. And then this thing down below is new, the GUI scope. This shows us the change in amplitude over time for one frequency, whatever frequency we're looking at right now, and this might give us a better idea of what's going on than just looking at up and down for all the frequencies.

So I've got this set up, and when I press play I get something like this. In order to tune this I have to make the scaling a little more reasonable, so I'm going to zoom out a lot first of all, so we can see both a bigger range of time and a bigger range of amplitudes, where it doesn't look quite as jumpy. Once I've got that done, I'm going to turn on the peak hold, which is kind of nice: it shows you the peak point of a signal that's been seen at the frequencies you're scanning, so if something jumps up and we miss it, we might still see it down there. Now I can just pull along with the GUI slider and change the frequency to see what's happening, and where our fan thing is. In the background I'm mashing one of the buttons on the controller, and there we go, it seems like we've got an area where it's pretty strong. You'll notice on the bottom that that peak is coming closer and closer to the middle of the display as we shift the frequencies over, so that's pretty cool. Once we've got this centered, what I like doing is zooming out so we get a better view. Right now it's still pretty jumpy; honestly, all we know is that it's on and it's off, it looks pretty chaotic. So once we zoom out you can start seeing
that some actually look a