
Hacking Wireless Home Security Systems

BSides Manchester · 2017 · 42:21 · 23K views · Published 2017-08
About this talk
Eric Escobar demonstrates replay attacks against consumer wireless home security systems, including door sensors, garage openers, doorbells, and shock collars. Using software-defined radio and cheap off-the-shelf hardware, he shows how attackers can capture and retransmit RF signals to disable alarms, unlock doors, or control devices remotely—and explains why most consumer systems lack the rolling codes and acknowledgment mechanisms that would prevent such attacks.
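The three base-station behaviours the talk contrasts (a fixed code accepted every time it is heard, a rolling code that rejects a recorded frame, and sensor supervision that notices a sensor has gone quiet), as an added Python simulation that is not code from the talk or the speaker. The rolling-code scheme (an HMAC tag over serial and counter with a resync window) is an assumed illustration, not any product's algorithm, and every code, key and timestamp is constructed.

```python
# Added illustration (not the speaker's code). Every code, key and timestamp
# below is constructed; nothing here touches a radio.
import hashlib
import hmac


class FixedCodeReceiver:
    """Cheap-sensor base station: one fixed code per sensor, accepted whenever heard."""

    def __init__(self, learned):
        self.learned = dict(learned)   # {fixed code -> sensor name}

    def receive(self, code):
        # Sensor that "fired", or None for an unknown code; no freshness check at all.
        return self.learned.get(code)


def _tag(key, serial, counter):
    # Short keyed tag over serial||counter (assumed illustrative scheme, not a product's).
    msg = f"{serial}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class RollingCodeTransmitter:
    """Illustrative clicker: every press sends a fresh counter plus its tag."""

    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self):
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    """Accepts a frame only if the tag verifies and the counter moved forward."""

    def __init__(self, keys, window=16):
        self.keys = dict(keys)         # {serial -> shared key}
        self.window = window           # resync window for missed presses
        self.last = {}                 # {serial -> last accepted counter}

    def receive(self, frame):
        serial, counter, tag = frame
        key = self.keys.get(serial)
        if key is None:
            return False
        if not hmac.compare_digest(_tag(key, serial, counter), tag):
            return False               # forged or corrupted frame
        last = self.last.get(serial, 0)
        if counter <= last or counter > last + self.window:
            return False               # stale (a replayed recording) or too far ahead
        self.last[serial] = counter
        return True


class SupervisionMonitor:
    """Keep-alive bookkeeping the talk says cheap base stations lack."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.last_seen = {}            # {sensor name -> last time heard}

    def heard(self, sensor, now):
        self.last_seen[sensor] = now

    def missing(self, now):
        # Sensors silent longer than the timeout: dead battery, removed, or jammed.
        return sorted(s for s, t in self.last_seen.items() if now - t > self.timeout)


def demo():
    # 1. Fixed code: the same recorded code is accepted every single time.
    fixed = FixedCodeReceiver({"1011001010110010": "front door"})
    fixed_results = [fixed.receive("1011001010110010") for _ in range(3)]

    # 2. Rolling code: the recorded first frame is rejected when heard again.
    key = b"constructed-demo-key"
    clicker = RollingCodeTransmitter("gate-42", key)
    gate = RollingCodeReceiver({"gate-42": key})
    first = clicker.press()
    rolling_results = {
        "first_press": gate.receive(first),
        "replay_of_first": gate.receive(first),
        "next_press": gate.receive(clicker.press()),
        "forged_tag": gate.receive((first[0], first[1] + 5, "00000000")),
    }

    # 3. Supervision: the garage sensor went quiet for longer than the timeout.
    mon = SupervisionMonitor(timeout=3600)
    mon.heard("front door", now=0)
    mon.heard("garage", now=0)
    mon.heard("front door", now=1800)
    missing = mon.missing(now=3700)

    return fixed_results, rolling_results, missing
```

Running `demo()` returns the fixed receiver accepting the recorded code three times, the rolling receiver accepting only the first and next presses, and `["garage"]` as the sensor that went silent.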
Transcript [en]

Awesome. So my name is Eric Escobar, I work for SecureWorks, and today I'm going to talk to you about software-defined radio replay attacks and how they affect home security systems. So first of all, I didn't go to school for literally any of this. I went to school to get a degree in civil engineering, which is like building bridges, dams and big earthworks structures, and I ended up hating it. I was out in the field too much, so I said, you know, I'm out of it, and then I had an opportunity to join the InfoSec community. And, you know, I kind of started coming to conferences like this, sort of meeting people, started talking, you know, about different things that I've learned, and just started googling around, and now I'm a consultant at SecureWorks. It's one of those things that definitely people say, like, oh, where'd you learn how to do all this super cool stuff? Literally just Google. You know, people will say, oh, we need free education, free university, free all this stuff, but really Google is one of those powerful tools out there. That's how I've learned almost 90% of what I know, that and coming to conferences like these and meeting people like you guys, because everybody knows something, so it's always good to talk to people and see what everybody else knows. So me and my coworker Ray, we have won the past three DEF CON Wireless Capture the Flags, and we got a black badge along the way, so it's been one of those things: we love wireless and it's something that we really like to do a lot.

Okay, so we're talking about replay attacks and specifically how they work in home security systems. So what is a replay attack? Well, it's exactly what it sounds like: an attacker captures a signal and then plays it back at a later point in time. So it's just like if you're, you know, outside of a fancy club and they ask, hey, what's the password, and you overhear somebody say the password. Hey, you can just go walk up right behind that person, say the password, and it'll let you in just the same as that person did. So it's literally just repeating a radio frequency that you heard broadcast, again and again and again, to get the same output. And so people often wonder, like, well, that seems really stupid, you know, there's no encryption, there's no security, there's not even a rolling code, how can this be a thing? Well, with cheap Chinese electronics that you can go buy for like ten cents on the dollar, you know, and get shipped in like a one-hundred-count bulk straight from China, these things are really easy to code, they're really easy to interact with other things, there's not a lot of, you know, stack that you have to deal with when programming them. It's one of those things that just spits out a code and then it goes from there, and that's pretty much all there is to it.

And so to kind of illustrate this example we have, there we go. So the way that these sensors work typically is you have someone like Steve Carell here and they're yelling out a value, and somebody's listening on the other end: that's your base station, that's your receiver, that's your, you know, your home alarm system. The problem with this is that Steve Carell, he can yell as much as he wants, the same code over and over and over again, and if nobody's on the other end to hear it, there's nothing that happens. The person on this other end, they could never hear him yelling the code and they're going to be none the wiser. So if you, you know, happen to take the batteries out of a motion detector or out of a door alarm before it triggered, there'd be no way of knowing that that sensor was offline, which is a part of the problem. They have better security systems now, but they cost a lot more and they're in a lot more industrial situations, and basically what they do is they have kind of like an ACK, an acknowledgment response. So a code will get sent and someone will say, yep, heard you loud and clear, you know, I got the message, you're good to go. And so this way if a sensor goes offline, if something happens, you know, then there's some information there to say, hey, that sensor's gone, or hey, that sensor's low on battery, as opposed to the way that almost all home security systems work now, in which they don't listen back at all to their sensors, they don't keep tabs on any of their sensors, they just sit there and wonder, hey, I haven't heard from that sensor in a long time, I wonder what happened to it, you know, I guess nobody's opened that front door in a really long time. And so that's just kind of how these things work.

And so kind of going off of that last illustrating example: they use the same code over and over and over again. Now if you have, like, a new garage door opener or, you know, a car that has a wireless clicker on it, these typically have what are called rolling codes, and the way the rolling code works is that there will be one code that will get transmitted, and then the next code will be a completely different code that gets transmitted, and it rolls in a sequence that's really hard to brute force because the next number is random in that sequence. And so this prevents somebody from just replaying the attack. Now these still have some other vulnerabilities; there's something called RollJam that Samy Kamkar came out with, and that takes advantage of another piece of how rolling code works, but essentially these aren't vulnerable to what we're talking about, they're not vulnerable to a replay attack directly.

So the way that we exploit these is using something called software-defined radio. So software-defined radio is like, you know, a normal hardware radio, like a normal piece of equipment that you would buy, except a software-defined radio is much more malleable. It has a range of frequencies that it can go off of, you know, it can go somewhere in the sub-megahertz level all the way up into the gigahertz level, you could have multiple samples, you know, per second that you can do, and so there's tons of different things that you can tune to with this. And the reason that you get something like this is to prototype, and so I could test, say, something on 434 megahertz and then something on 277 megahertz and then something on 900 megahertz all with one device, as opposed to what would happen about a decade ago, where I would need to go buy some purpose-built radio software to tune to something in order to do the testing, which made things a lot more expensive. So let's see, so this is another example
of how signals are encoded. So there's typically AM and FM modulation, so if you listen to the radio, right, you know, that's where AM and FM get their name. And then the type that these cheap electronics have is called on-off keying, which is a type of frequency modulation, and so you can see that it has zeros and ones indicating, you know, where it goes high and low, and then our amplitude modulation. And so when it goes high and low, that's when you'll notice, okay, that's how they're encoding the data in the stream. And so once you decode the signal you're basically just getting, you know, beeps and boops that go in one zero one zero one zero one, and if you replay that signal exactly, it's going to work exactly like it does for a sensor or for an attacker.

So now there's one really easy way to do this. So a lot of times you can get a software-defined radio, you can look at a plot, you can see all the data, you know, that's coming in, you can try and see, okay, what kind of modulation is this, you know, what the frequency is and all the different aspects that this radio transmitter will have. Or you could turn your device over, and on the back of it every country requires some sort of ID; in the United States they require what's called an FCC ID. If you look on the back you can just go look this up, go online, and you can just see all the characteristics that radio has, because by law it has to be available. And so the hard way would be actually analyzing the signals, looking at the FFT plot, looking at the waterfall display and seeing, okay, what's the modulation, what's the frequency, what's the bandwidth, whereas if you just go look at the FCC ID, that's all you need. And so if you go to fccid.io you can just type in whatever the FCC ID is on the back of your device and then you can download all the test reports, the user manuals, you know, the chips that they're using, so it takes all of the guesswork out of it. Now it's kind of cheating from the standpoint of, you know, you're not actually black-boxing it, you can see what's going on because they provide it to you. And so a lot of times if you're, you know, driving by and you see on the pole that, hey, there's a box with an antenna on it, if you look underneath it typically there's gonna be some sort of ID; you can just Google that ID and find information like this. So it takes a lot of the guesswork out of trying to figure out what's that doing, instead of sitting there for days and days with the software-defined radio trying to, you know, key on when the frequency gets released, or what intervals and what frequency and, you know, what kind of modulation is there. You can just look at this and then boom, you have all of that information at your fingertips.

And so here's some of the software that I use to do these attacks, and I'll go over, you know, step by step how I do them with a couple of these. So hackrf tools: Michael Ossmann, he makes the HackRF, I don't know if you guys have ever seen it, if you haven't it's an awesome software-defined radio, it has a huge wide range of frequencies, it's half duplex, and it's one of these things that for $300 you can do pretty much any challenge, or, you know, you can break into pretty much anything you want to with some three-hundred-dollar piece of equipment, which in the past would be something that, you know, would be reserved for only multiple thousands of dollars. And so he has these hackrf tools, which are built in, and so it allows you to use that. Then there's also, if you are running Windows, SDR#. It has a lot of built-in tools where you can, like, see the radio codes that are coming off of airplanes, so you can see as an airplane goes by, they beacon out their radio frequencies, their radio signals, and it's one of those things that you can say, oh hey, this plane is coming in from, you know, Las Vegas, it's coming in from the UK, and here's its altitude, its wind speed, and all this stuff, and that's all, you can just see it all in SDR#. So that's one of those really cool things. There's RfCat and ooktools. So we're talking about cheap electronics and how they use on-off keying; that's what I use ooktools for, it's perfectly suited to do that. And then there's RfCat; RfCat's another thing that works for the dongle that I'll discuss later. And then the huge Swiss Army knife of all of them is GNU Radio. It's the biggest beast that you have to master, in terms of how difficult it is and all the different plots that it can generate, and there's just so many options that it's one of those things that there's a ton to it, but once you master it you can do pretty much anything you can imagine with it.

So this is what I was mentioning before: the HackRF goes around 300 dollars, it has a huge range of bandwidth that it can go from, it's half duplex, and what half duplex means is it's kind of like a walkie-talkie: you can either talk or you can listen, you can't do both. A cell phone is a good example of full duplex, and there are software-defined radios that can do full duplex, but they are multiple thousands of dollars, whereas the HackRF is a great entry level and you can still perform many of the attacks that you could with anything that's multiple thousands of dollars. And Michael Ossmann has a free series, I'll show the links later on, and it's a free, hey, this is how I use this, going from I don't know anything about software-defined radio to where I can perform these attacks, in probably about two days. And if you've ever gone to Black Hat, you know it's a multiple-thousand-dollar-a-year conference to get into; he does a two-day class at Black Hat, and that's exactly what's online, so it's a really good resource just to get started, and something that people spend up to 10 grand to go take. And then you have the YARD Stick One. It's cheaper, it's around one hundred forty-five dollars, but it has a narrower range of frequencies that it can do. But if you're looking just to get your feet wet, $145 is extremely cheap to get started in it. So before I mentioned ooktools, and this is using this YARD Stick One. So if you have this YARD Stick One you can pair it with your laptop, a Raspberry Pi, pretty much any
Linux-based computer, and you can install ooktools, and again there's links at the end of the slides so you can see where to download it and how to go from there. But this is literally all you have to do in order to perform one of these attacks: you do ooktools signal record, and this is multiple lines but this would normally just be in one line, in a Linux command prompt kind of a deal. So you record the signal, and the frequency, that's in megahertz, the frame count, that's just how long, like how many seconds it's going to record, and then the destination, that's the file that it's gonna go out to. And so basically you say, okay, I'm gonna start recording, you hit whatever button that you want to record, kind of like you're programming a universal TV remote, and then all you do is, when it's done, you can play back that file as many times as you want. And so that's all that is required for one of these attacks. And so you're talking $445, you can break into a lot of security systems, you can break into a lot of things that you normally wouldn't really think of, and I have a lot of videos that I'll show you here in a little bit that kind of illustrate how terrifying it is that some things still use really, really cheap and terrible programming.

So now if you have the HackRF, this is the same way to do it, just a different command line. So this is using the hackrf tools, and basically what you're doing is you're recording on whatever frequency in megahertz, or this is a frequency in megahertz, and that's the file, and then the -r is to receive, -t is to transmit, and that's the frequency. And so that's all it is: you just catch the signal and play it back. And you can get way fancier with this if you use something like GNU Radio and mess with all those blocks, but to get started this is honestly the easiest way to do it, and it doesn't really require any knowledge past, you know, you're receiving a signal on a certain frequency and you just want to transmit the same signal on the same frequency. So if you were to throw the output of something that you recorded into an audio player, it would kind of look like this, and this kind of goes back to what I was showing you before with the on-off keying: as you can see, you know, highs and lows, and the beeps and the boops as they go through. And so this is just kind of what it would look like if you were to plot it up, just to give you a visual representation of it.

So okay, so what you can also do with this too is, because you can transmit, you can also do jamming attacks. And so what happens is, we go back to the example of the sensor just yelling at the base station to say, hey, someone opened the door, hey, motion was detected. Well, if you play a sound, or if you just play anything on that frequency louder than that door is transmitting, then that base station has no idea that someone's yelling, hey, the door opened, or hey, the motion went off, or hey, your smoke alarm's going off. It has no idea that anything happened. And so it's one of those things that if you realize, hey, somebody has a vulnerable alarm system, you could just play, yeah, you know, you could just play a jamming frequency, or play music, or just create noise on the same frequency that those transmitters go off of, and your base station will never hear the door open and will never hear a motion alarm go off, it'll never know that your smoke alarm went off. It basically just disrupts the communication between the base station and the sensor, which is kind of terrifying when you think that for $145 you could essentially break into somebody's, you know, house and they would have no idea. And then you also have replay attacks. So what I was saying before is, you know, with replay attacks I can make somebody think that, hey, all of the doors opened at once, all of their doors closed, all of their windows got opened, you know, if I can just sit there for a while and know this is what each sensor does, I can just program those and drive somebody crazy, so much so that they don't trust their alarm system, you know, they just think it's being buggy. And so when you actually go to open a door, then they'll think, I don't trust it, like, this thing's been going on the fritz for a long time. And so yeah, if you replay that same string over and over again, the base station thinks that the sensor went off. And what I showed you before in the earlier examples, if we go back to it, let's see, we're just recording these two files, so you can script this up however you want and you can replay the files back at any time you want. You can create a bash script, a Python script, whatever you want, you can create it and script it up to work however you want it to, and because these things work on a Raspberry Pi, this is something you can just deploy and just program it to go off at any point in time you want it to. So it's one of those things that you can use it for pranks, and, you know, people could use it for some real harm, and they have. Let's go back to where we were.

So let's talk about some of the sensors that are vulnerable to this. So this is a cheap sensor that you can get online; a lot of people have them to interface with their alarm system. Say you already have an existing alarm system and you want to add some cheap unit, this is typically one of the cheapest ones that people buy. Why? Because it's wireless and it comes with a full 12 volt battery in there, and you just mount it up either with tape or you screw it into your wall, and it just says, hey, the door is open. You program them into your alarm to say, anytime, you know, alarm, that you see this signal, know that this door opened. And so that's all the programming that happens, and again this kind of comes back to why they're programmed the way that they are, because they're such cheap electronics that they need to be able to interface as easily as possible with an existing alarm system that's already there. This is not the top of the, you know, top-of-the-line market; even things that are on the top end still suffer from some of these vulnerabilities. So here for example is, like, an Augmented motion sensor, and so I'll play this video, hopefully demo demos work. So this is, you'll notice that motion sensor went off with the battery completely unplugged, and so that's me just performing the replay attack, of, hey,
look, there's not even a battery in there, how is that even happening? So it's one of those things, like, okay, you could drive somebody crazy. Now on the inverse, this is it jamming. So you can see, okay, the first time it works, and you'll notice there's a little red light right here that'll go on here in a second, come on. So you'll notice that light comes on, meaning that motion got triggered, but you'll notice it's sitting right next to it and nothing is happening there, and it's plugged in, having power. So that's kind of the transmission power you're talking about: clearly, you know, the antenna that I have is somewhere back off here, and they're as close to each other as they could possibly get, and still nothing's happening, still they can't communicate back to one another.

And so okay, you think a door open-or-closed sensor, who cares; motion sensor, all right, I guess that's kind of troublesome at some points, but hey, whatever. But then you look at, like, some nice residential community that has one of these gates. Well, the problem is everybody has a clicker to these gates, so all I need to do is just sit and wait for somebody to, you know, open a gate. Well, there's audio to this, and you can see, oh okay, this is just using a Raspberry Pi and that YARD Stick One, I can open a security gate. And so I can come back at any time during the day, any month, whatever, and that code is always gonna work because it has to work for everybody that lives in that community, in that subdivision. So now effectively I can open any one of these gates that are out on the market, and I mean this is not a neighborhood that, you know, you would expect to have, you know, riffraff coming into. So if somebody just bought, you know, less than $200 worth of equipment, they could let themselves into these kinds of security gates, and this goes into things like covered parking, you know, if you're in a large suburban area where, you know, maybe there's a metal gate that lets you in and out of parking. Pretty much anything that's automated that uses a gate, where there's some kind of security system like this with multiple people going in and out, is vulnerable to some attack like this.

So something else that's vulnerable is smoke alarms, or smoke detectors, and people think, like, okay, why does a smoke detector need to be wireless? And it's so that it can turn on all the other alarms. So basically this is designed for, like, say, a large house or a large office building, and when one, you know, one corner of the office, you know, say somebody burns popcorn in the kitchen, and it wants to alert all the other, you know, smoke alarms in the vicinity, they all communicate via radio saying, like, hey, I'm shouting that there's a fire, so all of you guys should just shout that there's a fire. And so you could essentially evacuate a building and cause panic in a building. Now you think about, hey, this could be that terrible; now if you're a burglar, or somebody who wanted to get in, maybe you're on a red team, you want to perform a pen test, what better way to get everybody out of a building, or have somebody not pay attention to you, than turn off all of their alarms wirelessly? And you can do this from, you know, from the car; if you have a big enough transmitter you can do this from blocks and blocks away, and no one would be the wiser, especially because if you know what model they have, you know, say you just go in there and you look and say, hey, I know what model this is, you know, you go back, do some research, go find the FCC ID, and, you know, you say, okay, I already know this can transmit on, you can pretty much just know exactly how this is gonna work.

Now this is one of my favorite ones, and now, this is a doorbell, it's not really a security device, sure, somebody comes and opens their door, but this makes for a hilarious prank when you can doorbell ditch someone and they have no idea that they're being doorbell ditched. And you can just sit, you know, a couple hundred yards away and just mercilessly ring somebody's doorbell, and they can stand out there by their doorbell and you can still ring it, and they will have no idea how this is happening. And again, for $200, I mean you can make it even cheaper, for, you know, less than $200, but I mean just as a general base setup, or you just buy the transmitter and keep it with you in your laptop, I mean that's almost worth it just for the prank alone, I'm just saying. So again, the next thing is shock collars. Okay, this is not necessarily a security device, except I would disagree, in that your dog is a security device, and if you can mute the dog, you know, there's bigger problems there. Now this actually stemmed out of a challenge that was at DEF CON's Wireless CTF, and the way that it worked is two contestants would do kind of like a duel, so two people would go back-to-back and they'd have a shock collar strapped to them, and they'd have to go to their laptops and they would have to try and shock the other person first, which sounds terrifying, but it gets even worse. And really, so we're going, let's see if I have it in the slides. I don't have it in the slides, but basically you see how, right here, how it shows that there is a 100 there; that's actually a 255 bit key space, so even though the transmitter only goes up to 100, you can technically transmit 255, so 2.5 times what could put a German Shepherd on this. But, and that's what you're dealing with when you go with it. And to make matters even worse, since this is a replay attack, the person who was in charge of setting up the challenge, they basically set it up in such a way that they didn't know, or you didn't know, what buttons were being pressed. So essentially what happened is you could be shocking yourself or you could be shocking the other person, which added to it. So those are one of those things that you think, okay, this is really funny in the context of, like, okay, we're at DEF CON and, like, somebody's gonna get shocked, somebody's gonna hurt them, there's gonna be a hilarious YouTube video that's gonna be posted somewhere later on. But in all honesty, if you think about this, if you know that somebody's dog uses this and you want to go try and break into their house, what better way to make that dog submit to you than to have a portable, you know, shock collar on them already that you can control and you can wield? So in all seriousness this is a security issue: if you can make somebody's dog stop or leave you alone, and they think, hey, this dog is gonna protect my backyard, that's actually not the case, you can make the dog submit. And I mean, these are, like, I think the number one dog shock collar on Amazon, you know, and so you think, like, okay, well, you know, what's out there.

So if you go to this GitHub right here, this is one of the guys that has a great tutorial and a great write-up. So if this is something you're interested in, in doing these replay attacks, he goes through it, you know, from explaining what literally every one and every zero means, from, you know, identifying what collar it is, to identifying, hey, this is, you know, what vibrates it, this is what makes it make a sound, to, you know, what makes it actually do the shocking. And he goes through step by step, piece by piece, from how the modulation works, you know, he goes in way deep. So this is Tim, he's a great guy, and I really recommend that you guys check this out, because he was definitely a mentor to me during this event, even though I eventually had to compete against him in
it so I don't I don't just like to break things I also like to build things and so that's why you know if you know the weaknesses associated with how some of this stuff works you can build your own stuff pretty cheap so basically what you see here is this is if you wanted to make your own super cheap alarm system knowing what you know now so you have a receiver so this is just a high-powered receiver so you can receive something from a couple hundred yards away and Arduino and a Raspberry Pi and with that that's your entire base station that you need for an alarm system so you could totally just buy this like there are

things on the market you buy this for but again I like to build things the hardware is really cheap and you can adapt this to any number of projects so maybe maybe you just don't want to see when a door opens or a door closes maybe you just don't want to know when you know there's motion detected outside maybe you want to detect how many times your neighbor is shocking their dog this could do that this could detect any of these you know transmissions going you could use it as an intrusion detection device to where hey maybe somebody is is trying to do a jamming attack you could use this to also discover hey somebody's

performing a minute a cuz I can't receive my own signal so it's one of these things that you know you can use things that you've learned that you've broken to be constructive and they're easy integrate with other projects so basically in a nutshell this is how it works is you have you know you have your your door alarm let's say signal goes off just like we talked about before where it'll just you know scream out one signal you receive that goes to Raspberry Pi dumps it into a cheap little sequel light dead database when I say cheap like light on resources totally free and then you can have it you know SMS email you whatever you want

totally programmable you know it's it's super easy to do and there's like if you're not like a hardware guy there's like four wires and actually one of those wires is a USB so it's it's as simple as it gets this is literally the wiring diagram of it and so kind of talking about these sensors and other ones that are also vulnerable so we talked about you know the smoke alarm going off we talked about the motion alarms we talked about the doorbell and the door sensor there's tons of other sensors that are out there on the market like this this is like a leak detection so you know maybe somebody thinks that they have a sump

pump in their basement and they have a leak this will detect that and that alarm will go off think if somebody had a remote property out in the middle of nowhere and you triggered their leak detection now all of a sudden that person's gonna have to go like to say their you know their family cabin because this leak was detected and so these just this insecurity is one of these things where people don't necessarily associate it with with what the damage could actually be and people think like hey it's cheap electronics I know what I'm getting myself into but really you know the whole spectrum of the implications that can happen really aren't addressed that well so if you

ever want to look at you know this is that 4:34 alarm system that I made so it's just a real quick and dirty you know this is how you make your own little Raspberry Pi so that I can receive a signal so that you can you know pretty much do whatever you want it's online if you want to meso that by all means my emails on there if you want to email me with questions about it again this is a fun project for me but it also under lit underlies how something that's weak if you use in the proper way you can make into something that's a little bit better and you know you surf your own

devices right like maybe you already have one of these broken alarm systems right so so say this alarm system doesn't work or you know that you're worried about it now being jammed that you're worried about it being a replay attacked well if you build this now you can have your own intrusion detection system saying like hey I can monitor when you know any alarms go off if I didn't do it I can I can know if somebody's performing a jamming attack because this is basically a listener that's smarter because you configured it and again they totally sell things that are on the market like this but this is cheap and it's kind of fun so now let's

talk about some of the features that would make this more secure and and some things that you want to look for if you're gonna go buy a new alarm system or a new home security system so pretty much what you're looking for is you're looking for communication between the sensors so before what would happen again we talked about it is that that sensor it's just yelling it's just saying hey this door is open if nobody's there to receive it it doesn't know but there are some sensors now that what they do is they talk back and forth so if you look at something like d-wave or ZigBee these types of protocols they know if a sensor is gone

if a sensor is missing, they keep track of where that sensor is. So it's one of those things, it might be a little bit more money, but it's a lot better to know that, hey, this sensor dropped off, and you get a notification saying, hey, maybe that sensor's battery died or maybe somebody smashed that sensor, and knowing that piece of information is more powerful than just assuming that, well, maybe it's there, nobody's opened that door in a long time. The other thing that's coming out, or that I guess is out now, are mesh networks, and the way a mesh network works is, so if you can think of this, there's a base

station and then all your sensors around it. So typically your base station is centered in the middle of your house and all of your sensors are spread out around the yard and around the house and the perimeter, and it works more like a central point and a bunch of devices out in the perimeter that all talk to a single device. Well, with mesh networks you can have multiple devices all talking to each other, all relaying information to each other. The benefit to this is that there's no device that can get taken out or destroyed or damaged, because the mesh network will then talk to multiple

devices, and so if one device, say, loses a connection, gets broken or something like that, all the communication channels basically form around it. And so you'll notice that they've been using these in a lot of larger cities that have to have interconnected devices, like say there's all the smart meters, they have something similar to this. And then one thing that we really didn't talk about at all is encryption, or just any encryption at all. You know, it's one of those things that, with a replay attack, if there was any encryption at all, any kind of randomized encryption, there's absolutely no way that I would be able to perform a

replay attack, because any good encryption would randomize every time, so that even if there was a replayed string that went over and over, to me it wouldn't appear that anything had happened; it would appear to be random data going across the wire and I couldn't replay it at all. So I mean, good encryption is definitely something that you want, but that's one of those things that it's kind of hard to know, right? How do you know what's good encryption and what's bad encryption? Because you look at the box of anything or you look at any security vendor and they say government-level encryption, and a lot of times those are junk. So there's

one of those things, that one of the best things you can do is just, hey, if you were gonna try and break it, pentest it yourself: search "vulnerabilities in X security system", right, and just do ten minutes of googling and see if there are any known exploits against it. But typically if there's some encryption, that's gonna be way better than something that you could just normally perform a replay attack against. And next is intrusion detection. This is something that you really don't see in the wireless space, but there are some higher-end devices that have this, and typically they're used in government. And really, with intrusion detection, what you get is, if somebody does perform a

jamming attack, if somebody does try and do a replay attack, if somebody does try and add a node into your mesh network, if somebody does try and brute force an encryption key, intrusion detection will prevent that. And that's something that's not really out, but you have the tools. If you go back and look at these slides, hey, with this, no, not with that, with this repository, this is something that you can roll your own in a matter of hours, right? I mean, you have all the tools at your disposal. This is something that you want to do, and that's something that really isn't out on the

market, is intrusion detection for all these wireless sensors. Because you think about, just in your life in general, if it's not wired and it's some device, think of all these IoT devices that are on the market now. I mean, people have Fitbits, you know, those are Bluetooth; I can identify a Fitbit from maybe 50 meters away. You look at stuff like, I've seen the insulin pump that's Bluetooth; that's kind of terrifying when you think of some of the vulnerabilities that are associated with Bluetooth. And so it's not just security devices in general, it's all devices that use wireless, and this is one of the most basic

attacks that you can perform against it. But you'd think that in the year 2017 we would have a way around it, or that this would just be some laughable thing that happened in the past, but you can literally go to any major department store today and buy a security system off the shelf that's vulnerable to literally all of this. And so this is one of those things, as a consumer, to be worried about; as a hacker, to be interested in; and just as a more informed citizen, to just know what you're getting into. So now, talking about learning a little bit more and how all this stuff

works: you can go to greatscottgadgets.com/sdr, and this is that full course that I was talking about with Michael Ossmann. This class, you'd pay thousands of dollars for, but he offers it for free; it comes with homework, comes with lectures, it comes with basically how to set up your HackRF from the ground up. Then rtl-sdr: this is a great website because they deal with almost anything that's a radio. If you want to send a signal to the moon and reflect a signal off the moon back to you, they'll show you how to do it on this website, using just normal hardware.

There's some crazy things that you can do on here that people just find fun, right? I find it fun, and people love to share what they found, love to share, like, hey, do you know how this works? There's been a lot of specifications that have come out that were closed, and people didn't know really how they worked or what it was, but in a community like this, people can crowdsource and reverse engineer some protocol and how it works, and open up some of this locked-down proprietary signaling and software that's out there. And again, that's my

GitHub repo. I'm not a programmer, I'm a hacker, so if you want to look at it, by all means; I'd love any comments, but it's also just fun. So that's it. Now, does anybody have any questions?

It's not hard at all, actually. One of the features, if you look into those tools, you can set a higher limit, or an upper limit and a lower limit, and just have it scan all through there, just back and forth, just waving back and forth till eventually you pick something up, and basically what it'll show you is frames caught, so data caught, and they'll show a number, and so

you can say, okay, because it's over a bandwidth, right, so you have signaling that's over a certain band, and maybe you got a signal on the upper band. So say it's one megahertz wide, just as an example, and you're on the upper bound of it; that may not be a great signal. But the way that it works is, since it scans all the way through, it can say, okay, you got one frame here, three frames here, seven frames here, three, and then one, so you can see kind of the peak and where the center line of that frequency is. So just

setting something up to scan on something cheap like a Raspberry Pi or Arduino is super easy, and it's just one of those things, just read the documentation and it's all right there. It's pretty easy.

Absolutely, and in fact one of the projects that I'm working on is, so I have a bunch of family that lives in, like, gated communities: they have X, or they have Y, they have C. So I'm looking to put a GPS module in there, so when I just drive up it knows, hey, you're within the vicinity, I'm just gonna start spraying that code somewhere, so I don't even need to do anything; I just drive up and it just lets me in, and it just knows based upon my GPS. I haven't done it yet, but that's something I'm working on. But yeah, you

can, I mean, and you figure one of those transmitters, if you know exactly what the frequency is, you can typically get a transmitter really cheap. So for 434 megahertz they sell those transmitters for like two dollars on eBay, so if you know this is the frequency that I want to use it for, you can buy an Arduino and that deal and a battery for like four dollars and make your own, no problem at all, and now you just have one that's programmable, right? So if you ever lose one, or if you ever just want to mess around, you have a literally $5 deal

that's programmable that you can make yourself. Well, so yes, I could use the GPIO pins. The reason that the Arduino is there, so, Raspberry Pi, this gets into a little bit more advanced of a talk about whatever, a Raspberry Pi is what's called 3.3 volt logic, meaning the processor can handle a voltage of 3.3 volts across the pins, and an Arduino on the other hand can handle 5 volts on its pins, and I have multiple receivers, multiple transmitters, and they can use anywhere from 5 volts to 3 volts. And so typically the Arduino is there if whatever transmitter I'm using has 5 volts, or if it has 3 volts I'll just take it out

and go directly to the GPIO pins. I could also use a logic level shifter, but it's just one of those things that for a lot of people it's easier for them to get an Arduino and the transmitter, because then they can do a project just with that, or have them all three in a line. So it's one of those things that is more of a modular system and less a purpose-built system for what it is. Uh-huh, yeah, mm-hmm, yeah. And that's one of the things too, is that the Arduino goes over serial and so it's easy to process real data, right? It's super easy to do that, and in this

way I can just swap it out; it's modular, so if I'm developing something or messing around with something I just pop it in right there. Well, if I were gonna build something purpose-built, I would do exactly what you did, right, have it just interface directly with the GPIO pins, put it in a nice little box and then call it a day, and not have to worry about the modularity of it. Yeah, absolutely, you could do a Pi Zero Wireless. The only reason that I like the Pi 3 for doing this kind of development is because the four USBs are on board, and that's really the only reason. Once you have

whatever you're gonna make all set up and good to go, you could absolutely use a Pi Zero to do pretty much anything that you want for it. Again, I just like the four USBs just because it makes it nice and convenient and I'm not worried that I'm gonna snap, twist or break something right when it happens. So, legally or illegally? Because, I mean, so if you wanted to receive, you get a dish antenna and get it from like a mile away, or more than a mile away, so it's kind of stupid how far you can get.

Really, the limitation there, it's not the HackRF, it's the antenna that you're using, and transmission-wise you could dump as much power into an antenna as you want, and I mean you could cover an entire city if you really wanted to. I mean, you'd get caught pretty quickly, I'm sure, by some three-letter agency and get put into a dark prison cell that doesn't exist, but it's one of those things that you're limited really by legality and the power level that you want to transmit and the hardware that you want to use to receive. But it is one of those things, I've seen people that have used four hundred

thirty four megahertz in the United States with specially crafted antennas, transmitting at legal frequencies, that can get over ten kilometres, like no problem, in open air; they're using like butterfly antennas and dish antennas to send and receive, and it's line-of-sight, on a clear day kind of a thing. But one of the things, I mean, we're talking just normal-level transmissions of like a couple milliwatts; we're not even talking in the watt range yet. So it's one of those things that it's really the limitation of your equipment, but typically if you're gonna just mess with a general sensor and one of my general receivers, you get

probably about a hundred feet, 200 feet, depending on, really what it depends on is the thickness of your walls and what your walls are made out of. If your walls are made of like chicken wire and RF shielding material you're not gonna get very far, but if it's just generic home construction that has plaster or brick or something like that, that radio can transmit pretty well; you'll get farther. So it's one of the things, it depends, but you can get far enough, right? That's what they're designed for. You absolutely could. So I mentioned Samy Kamkar before here, and he figured out, so you

have those garage door openers, right, and they have a rolling code; he figured out a way to basically brute force that. And so there were, I think, 4096 possible codes, and he figured out a way to squish it all into the, gnome bytes, basically, space, whatever, to basically do it in like 10 seconds, to open up any garage door ever, and so he tested it, and there's a great video on it if you want to go google that. But yeah, that's something you can absolutely do; like with the dog collar, for example, there are I think 4 bits that are the unique identifier of it, and so you could

basically brute force those bits and the shocking frequency to just shock any dog collar on that frequency without having to know its ID. So yeah, the answer is yes, you can absolutely do it.

So, yes and no. Those get weird, especially in the United States, because that's what a lot of our phones run off of, and so if you start straying into those phone bands, people are gonna know, and they're gonna know fast. So the reason that I haven't really done as much work as I'd probably like to on that is because if you stray, if you're like, oh, accidentally hit a five instead of a four, you're into a band that you should not be in, and people are gonna know right away. So no, really, I haven't messed nearly as much with that as I

have with the 433. Plus the hardware's cheaper for the 433, so that's one of the other reasons, and there's a plethora of those devices, whereas here in the UK I think you guys are on 868 as one of your international bands too, and so that's something else to look at if you're looking for a transmitter or some frequency or something like that. The shock collar was really weird; I mean, that's one of those things that you're like, I think that there should be a little bit more, you know, because that can cause actual real harm, right? The other weird things that I found, there's a lot,

there's a lot of control systems out there that should not be using this. A lot of, like, oh, we're gonna failover to this, and by failover I mean we're gonna use it constantly, to control infrastructure stuff that shouldn't be controlled. And so it's one of those things that, when you think you find something that you're like, oh, this could be really bad, you never want to be like, well, I'm just gonna poke it, right? Like, there's a lot of receiving you can do because it's on 434, so hey, you can absolutely receive

it, but when you're like, I think I know what this is, I'm not going to touch it. So I think the one that I've messed with the most and played with the most is probably a dog collar, and that's probably the one from the standpoint of, oh, this could actually directly cause harm. But there's other stuff too, like they have control mechanisms to turn on smart light switches and stuff like that, and people will have crazy things hooked up to those; they're like, oh, I have the heat lamp for my turtle hooked up to one of those things,

and it's like, okay, I get that you can control it remotely, but you could also fry your turtle, you know, take whatever. I mean, there are things like that, but I would say the dog collar's probably the weirdest. All right, awesome, thank you guys. [Applause]
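As an added example that is not code from the talk or from the speaker's repository, here is a small Python monitor for the "roll your own intrusion detection" idea the talk describes: it tracks sensor heartbeats to tell one dropped sensor (dead battery or tamper) from every sensor going quiet at once (what a jamming attack looks like to a listener), and, for sensors that carry a rolling counter, flags a frame whose counter fails to advance, which is what a replay looks like on the wire. The frame layout, the 60 second heartbeat interval, the sensor names and the frames fed in are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEARTBEAT_S = 60.0   # assumed supervisory interval: each sensor checks in once a minute
MISSING_AFTER = 2.5  # intervals a sensor may miss before it counts as silent


@dataclass
class Frame:  # decoded frame; the layout is an assumption, not a real protocol
    t: float                # seconds since the monitor started
    sensor: str             # sensor identifier carried in the frame
    counter: Optional[int]  # rolling counter, or None for a fixed-code sensor
    event: str              # "heartbeat" or "open"


@dataclass
class Monitor:
    last_seen: Dict[str, float] = field(default_factory=dict)
    last_counter: Dict[str, int] = field(default_factory=dict)
    alerts: List[Tuple[float, str, str]] = field(default_factory=list)

    def ingest(self, f: Frame) -> None:
        if f.counter is not None:
            prev = self.last_counter.get(f.sensor)
            if prev is not None and f.counter <= prev:
                # A counter that does not advance is a stale frame: the replay case.
                self.alerts.append((f.t, f.sensor, "replayed frame"))
                return  # a replay must not refresh the sensor's liveness
            self.last_counter[f.sensor] = f.counter
        # A fixed-code sensor (counter None) sends byte-identical frames every
        # time, so a genuine event and a replayed one cannot be told apart here.
        self.last_seen[f.sensor] = f.t

    def check(self, now: float) -> List[str]:
        """Return sensors not heard from within the limit and record why that matters."""
        limit = MISSING_AFTER * HEARTBEAT_S
        silent = sorted(s for s, t in self.last_seen.items() if now - t > limit)
        if silent and len(silent) == len(self.last_seen):
            # Every sensor vanishing at once is what jamming looks like.
            self.alerts.append((now, "*", "all sensors silent: possible jamming"))
        else:
            for s in silent:  # one sensor alone: dead battery or a smashed sensor
                self.alerts.append((now, s, "sensor silent: battery or tamper"))
        return silent


def run_demo() -> Monitor:
    """Feed constructed frames: 'door' is fixed-code, 'window' carries a counter."""
    m = Monitor()
    for f in [
        Frame(0, "door", None, "heartbeat"), Frame(0, "window", 10, "heartbeat"),
        Frame(60, "door", None, "heartbeat"), Frame(60, "window", 11, "heartbeat"),
        Frame(120, "door", None, "heartbeat"), Frame(120, "window", 12, "heartbeat"),
        Frame(150, "window", 11, "heartbeat"),  # stale counter: a replayed frame
        Frame(200, "door", None, "open"),       # fixed code: real or replay, unknowable
    ]:
        m.ingest(f)
    m.check(300.0)  # window quiet for 180 s, door heard 100 s ago
    m.check(400.0)  # both quiet: looks like jamming
    return m
```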