
Hacking RF: Breaking What We Can't See

BSides Dublin · 2021 · 25:39 · 197 views · Published 2021-05
About this talk
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

I think that introduction covered it well, so I'm not going to spend too much time on this slide. If anyone wants to contact me, my Twitter is there (brains933), my email address is there, and also if you ping me on the Swapcard app I'll be about all day anyway, so feel free to ping me there. Let's get rid of this. And just for anyone who has OCD, my desk is an absolute mess, so I'm sorry, you're just going to have to deal with it, unfortunately. I'll make myself smaller. So this is where we're going to be working for the most part. I'm going to be going through and doing some demos of RF attacks. Usually I try and do these talks with the expectation of no prior knowledge required. I am still going to try and do this, but I don't have a lot of time to go through and do a preamble of "okay, what's RF, what's frequency", all that stuff, so hopefully I'll just try and explain things as and when I get to them, and again, hopefully you don't need to know anything to see how these attacks work. So hopefully we'll all be okay.

Quickly going through what I've got on the desk: this here is the circuit that we're going to be attacking, so this is our victim device effectively, and this is just a simple remote control circuit. Now, I'm using lights to demonstrate when a signal goes off and when it doesn't, so just in case anyone has any photosensitivity issues or any issues with flashing lights, I'm going to make sure not to strobe them or do anything like that, but I'm using flashing lights, just so you're aware. Whenever I press a key fob you can see that I've got red, blue, green and yellow, and each of them corresponds to a different signal. So that's the device that we're going to be abusing.

The kit that I'm actually using is things like this. This is an RTL-SDR. This is a software defined radio device, a little USB device you plug into your computer, and it lets you view signals and capture them. Something like this is what an attacker would typically use, because these are quite cheap, they're about 20 quid or so. To transmit our signals I'm using this, it's a HackRF One. An attacker typically won't use something like this, just because they're expensive, this is about 100 pounds or so for one of these, and generally an attacker is going to make these devices throwaway. So this type of device is good for us for testing and tinkering and breaking things; an attacker isn't really going to use something like this typically, and they're probably more likely to use something like this. This is a little device that I made on the BSides London badge from a few years ago, and it's cheap, it's throwaway. I mean, you can make about five or six of these devices for about 20 pounds. It's just an Arduino and a little transmit module. They preload these with their attacks, stick them near the device that they want to attack, and away they go. This I'm going to talk about later on, same with these.

So the first attack that we're going to look at is called a replay attack, and it works very much like it sounds:

You capture a signal and you replay it at a later date. So in this case I would hit that, and I want to capture that signal and repeat that action. A common defence that companies use whenever they are presented with "this device is vulnerable to such an attack" is that they usually give the excuse, or the argument, "no, that's not possible, because my device, the communication, is encrypted." That does not help you here, because of the way that these devices work, especially remote control devices: they have a physical effect in the real world. So me as the attacker, I don't need to see what's in the packet of information, I just need to see the effect. So I look, using an SDR or similar device, for the signal, and look and see what it does in the real world. So in this case, if I look for the signal and hit the button, I can see that it turns the red light on. That's all I need to know. I don't need to know what is inside that packet of information, I just need to be able to see its results.

So let's actually have a look at what this looks like, and for this I'm going to take away my face and we will go to here. Now hopefully you can still see the desk okay. Yeah, there we go. So this is a little tool called Universal Radio Hacker, and it's fantastic for people who are wanting to get into fiddling about with radios and stuff like that and attacking things, because this is almost like the equivalent of a script kiddie tool for radios. It's a really simple tool and it can be used by anyone. Believe me, if I can use this, anyone can. It allows you to capture signals and also replay them and also do some analysis, but I'm not going to cover analysis too much now, because that could be a whole talk in itself. For this we're going to assume that this is a simple signal, which it is, and we're going to take a look at what it looks like on the RF spectrum and then we're going to replay it.

But just before I go to the RF spectrum, you can see here I've got these labelled blue, green, yellow. These are all the signals that I've captured offline, because I'm trying to avoid falling victim to the live demo demons, so I know that these work and that they're all good. These are the ones I've saved earlier, but I'm going to show you what it looks like on the RF spectrum when I'm actually trying to capture a signal. So if I get rid of this, there we go, and I'll make you a little bit smaller there.

So this is what my SDR is seeing. This is what the radio waves around us look like. The fuzzy lines that you're seeing there at the minute, that's just background noise, that's just the ambient radiation. What I would do as an attacker, if I'm looking for a device, I would do a bit of research on the device to find out roughly what frequency it operates on, which is sort of like the address of it. This is all usually well documented, and for the device in question, this little key fob, I know that it is roughly in the 433 MHz range, which is quite a common one for remote control devices. And I would watch and wait for the signal, and if I press the button you can then see that signal, and you can see that's fairly easy to spot. You know, if you're looking for a signal and you're watching for something, you'll be able to find that quite quickly. Now what I can then do is, you can see down here a little button, hopefully it's visible, and basically it says "start recording", and I just start recording what I see in this grey column here. It'll start grabbing everything that's in there, and then I can take that signal, analyse it and do whatever I'm needing to do with it.

Now if we go back to this, you can also capture the signals in Universal Radio Hacker. The reason I'm not showing you that right now is simply for recording purposes: the screen is not the best for viewing, but it works in exactly the same way. But we want to now look at transmitting one of these signals. So we've got here blue, which is one I've captured earlier, and if I go to replay the signal, I need to choose window capture, hopefully this will... there we go. So this is the window that will appear. Here you get a more exploded view of the actual signal that you can see, and up here I select the device that I want to use to transmit, in this case I'm using the HackRF, and it asks for the frequency that you want to transmit on. So you can replay these signals on a different frequency to what you picked them up on; typically you're not going to want to, you're going to want to use the exact same frequency. And if I hit start it will then replay the signal. What I'm going to do is I'm just going to make the desk a little bit bigger, just so that you can see the light going off.

And if I hit run on that, the signal turns on. That's it. Hit it again and it'll turn it off. It's as simple as that, it really is. Now, I mean, I slowed that down for demonstration purposes, but if I was an actual attacker, that's one thing you could do in, you know, a couple of minutes. It really doesn't take a long time to do, and a lot of devices are vulnerable to this style of attack. The scariest that would be vulnerable are the likes of industrial equipment, so JCB diggers, the likes of them, cranes, so those, you know, construction cranes, and possibly most scary of all, I was talking to an Australian at another

conference and he mentioned to me that the demolition equipment that they use in quarries is also vulnerable to this style of attack. So an attacker could in theory detonate explosives while there are workers still in a mine, if they were that way inclined. Now, completely a dick move, and I don't see any way to get any monetary value from that, but you know, there could be industrial sabotage, or just, you know, a threat: "give us money or we're going to blow up your mines or destroy your building site", or things like that. So quite scary attacks, I think, and also very, very easy to do. They can be defended against.

And if I get rid of this: they can be defended against, and a lot of people are probably going to have a device that will defend against this in your home, and that is your car keys. Your car keys use a thing called a rolling code, and that can defeat, or at least help defeat, this style of attack. And if I turn myself back on, we're back to the screen. So a rolling code can defeat that, and it basically means that you're sending a different code within the signal each time. So whenever I press the key fob here on this and press it again, it's sending the exact same signal. There's no difference between the two, it's just the same code each time. With a rolling code there's a pre-shared list or a pseudo-random number generator between the car and the car key, and so each time you press it, it's a different signal. There is a way to defeat that as well. As with everything, there's always a way around it, and it's called a RollJam device. I'm not going to cover it much here, Google it, it's a very interesting device, and it's basically a way of getting around rolling codes.

So the next attack we're going to look at is a replay attack... sorry, wrong, a repeater attack. We just looked at replay attacks. A repeater attack is

as it sounds: you take a signal and you repeat it, and it's usually done in real time. It's not a case of you store it and then use it later. This type of attack is commonly used to steal keyless entry, keyless start cars. So you might have seen some of these things where, you know, they run a device near the start of the car and it then transmits the car key signal to the car, and the car opens. To show you how easy this is to do, I have a little demo here. Anyone who's in the amateur radio world, I apologise, but yes, I am using Baofengs, which are cheap Chinese radios, and most people in the amateur radio world hate them because they're cheap and a bit nasty. But I have two radios here and a little relay box in the middle, and what this is going to do is quite simply, one of these is going to receive the signal and the other one is going to transmit it. Now typically, whenever they're doing this, they're going to send and receive on the same frequency, so they're just trying to amplify the signal. For the purposes of demonstration I'm going to go back to the radio and the SDR spectrum that we were looking at earlier, and I've got them to transmit on slightly different frequencies, just so that you can see the actual replay effect taking place. So let's get back to the SDR.

There we go. Okay, oh, and you're in the screen, let's move you away. All right, this is up here. So we're back on the SDR spectrum, and as per usual, if I press the key fob you can see the signal coming through. Now if I turn these radios on, and hopefully don't upset any amateur radio people in the local area, and I press the key fob now, you can see the signal going. Also, when I'm hitting this, a fun thing with electromagnetic compatibility, which is devices interfering with each other: something is disconnecting from my computer when I press this key fob. Okay, good example of a jamming attack there, this is messing with my computer somewhat, so I won't press this too much. But you will see, whenever I press and hold this in and let go, you can see that the signal is actually being retransmitted here, which is where I've programmed it to. So the original signal happens on frequency 433.92, give or take, and I'm getting it to retransmit on 433.1. That's it. It's as simple as that: you're taking a signal and replaying it, and in some cases you're amplifying it to give it a bit more range. Again, predominantly used to steal keyless start, keyless entry cars, but there are other styles of attacks for this, and there are also legitimate uses for things like this. So your mobile phone effectively uses repeaters like this, and so does the likes of amateur radio and things like that. You use a repeater to get a signal to go somewhere that it typically wouldn't, so there are legitimate reasons for using things like this, but this is obviously a malicious way of doing it.

There are defences, and one of which, which I believe Tesla have done, is that they have put in a sort of two-factor authentication with the car key. There is a low frequency signal and a high frequency signal. So the frequency that we've been looking at at the minute is high frequency, actually it's UHF, ultra high frequency, and what they've done is it essentially waits for the low frequency signal to come through before it begins transmitting the high frequency, or the ultra high frequency, signal. Again, that makes it a bit more difficult, but all it means is that an attacker needs to have two transmitters and receivers, one for the low frequency signal, one for the UHF signal. So it makes it a bit more difficult, but it's still not, you know, it's not a perfect system, it just makes it that little bit more difficult. Now, how are we doing for time? Cool, we're good.

So the last attack that we're going to look at is a jamming attack, and a jamming attack I'm sure some of you might have heard of or know what

that is. You're basically jamming the signal, you're stopping the signal from working. Now, jammers are illegal almost everywhere, to either own or to use. The little device that I talked about, I said I would talk about it a little bit later on, which is this one here, let me just show my desk, this little one here: this is a commercially bought jammer. Okay, I do have permission to have this, by the way, before anyone starts calling the FCC, I do have permission to have this. I am not going to turn this on, because this sets off my house alarm, and this is a good example of why these devices are illegal, and it's because they're indiscriminate. If you've ever heard of mines or grenades being called equal opportunity killers, a jammer is the same thing. It doesn't care what signal is on there, it will jam it and interfere with it. Another issue, part of the reason why my alarm system gets set off, is because of phenomena called harmonics and direct pickup. Don't worry about what they mean; the basic gist of that is, whenever you use a transmitter that isn't well designed or well filtered, it will also transmit on other frequencies. So it won't just jam what you think it will, it'll also bleed over onto other ranges and other things, so you don't know what else you might be jamming. And the direct pickup is just electrical cables: any cable can be an antenna, and a device like this can cause interference on it, and in an alarm system it then triggers it. So that is what a jamming device, a commercial one, can look like. They can get a lot bigger or a lot smaller.

There are also discriminate jammers. So there is, get rid of this, the way to jam, like, mobile phone signals. Some of you may have heard of the American military around Area 51, when they were doing the Area 51 raids, or they were attempting to do the raids: a lot of people started losing signal and they noticed drones about, and what they were doing is, I believe it's called a Stingray attack, where they set up essentially a mobile phone tower and they have a predefined list of devices that they allow on that tower to communicate. So it's effectively jamming, it's stopping some devices communicating and letting others through, but it's discriminate, it's very targeted. Those kinds of jamming devices are legal under the right circumstances, but generally speaking most jamming devices are illegal.

So for our very last demonstration, just going to make that a little bit smaller. Ah, come on, live demos. So hopefully you can still see the light there, and as I said, jamming devices are illegal, so I can't really demonstrate one. But if, for the sake of argument, a signal magically appeared here, we could demonstrate what a jammer looked like. Now, what are the odds of that? That's handy. So this signal has appeared, and it is stronger than the signal of the key fob, so if I start hitting this and pressing the button, nothing happens, the signal's been interfered with. If the jamming signal went away, like it did, and I press the signal, it now goes on and goes off. That's it, simple as that. Jamming attacks like this, in a cyber security way, or in a cyber security mindset, generally speaking it's not that useful. A deauth attack, a Wi-Fi deauth attack, is probably a lot more usable or considered, but it can be used to actually interfere with wireless security cameras. So if you've got a Wi-Fi camera that is only sending a stream back to a dock or somewhere else where it's recording, and it's not recorded locally, you can actually interfere with that camera feed just by jamming the Wi-Fi, and then it's useless, you've just got a garbled image. So that is it, a little bit rushed, but I think we got there in the end and

no demons came in, so hopefully that's all good. And if I get back up this and move myself back over, hide the old picture of myself. Any questions from that?

Okay, let's see if there's any questions. None have come in yet.

That's good, I'm fine with that.

There was great discussion going on in the chat though.

Yeah, I saw the Spaceballs reference. Yes, just throw a thing of jam at it, that's it, that's all you need to do.

There's one question that actually came through: how would you go about analysing a signal captured in the wild, i.e. is it possible to figure out protocol type, payload, encryption enabled, etc.?

It is, and the little program that I was using, Universal Radio Hacker, can do a lot of that for you. It does have some automated things to work out, like, it's called modulation, and stuff like that, and you can analyse it. Check YouTube, there's plenty of people on there who have done it. To actually go through and show you analysing, that would be a good talk in and of itself, but yes, it can be done, certainly.

Okay, actually that question came in from somebody I met at the sound course, hi Pablo. So another question: Grant, just how good are key fob Faraday bags, the sort that you find on Amazon, for people like me who own a portable bus?

I've used a couple that are really not good. It really depends what one you go for, but to be honest, your best bet, in my opinion, for securing a device like that is keep it away from your front door and windows, because the receive devices that they use are fairly short range, and the frequencies struggle to get through solid objects like walls and stuff. So honestly, just keep the key upstairs, or, you know, not beside your front door; that'll help a lot. Other than that, something I made a Faraday cage out of recently is the metal tubs of formula, like baby formula. One of them, put it into a little ziplock bag and put it in there. They're entirely metal and they've got a foil cover. They work pretty well, so if you know anyone with kids...

We have two more questions. So one is: could relay attacks be coupled with the replay? Relay the signal on a different frequency than the one seen, at a known offset, and then replay it later, so it would not look suspicious?

You could do it, it depends. Yeah, I mean, you could do it, it depends on what it is you're trying to attack, because, as I said, the replay and relay attacks are sort of used for two different scenarios. One is in real time, to try and get around the likes of things that maybe have, like, time clocks or stuff like that to try and stop you from replaying a signal, whereas a replay signal, if it's the same signal each time, you can just save it and keep it until whenever. It'll never expire, as it were. But yeah, you could sort of do a combination of the two.

We have a few more questions. Loads of questions, that's good, people were listening then, that's good. The next one is: what resources would you recommend for learning more about this sort of thing?

YouTube, to be honest. There are plenty of channels, I can't remember what they are, I will look them up after the thing and I'll put them into the chat, but there are plenty of people who know way more than me who do some really great YouTube videos. Hack Spy, I believe they're called, is a blog website, they've got lots of stuff on there as well. Yeah, they're all pretty good.

Okay, I think we'll just have one final look in case there's any final questions. We asked this one, we asked this one, we asked this one, we asked this one. No. I guess we can give everybody maybe one more minute in case something comes up.

Sure. Oh, I've seen someone asking about the software for the waterfall. It's CubicSDR, but I think someone else put others in the chat that you can use. They're all the same for viewing the waterfall.

I think that was in the chat, not a question. Maybe that's my language. Yeah, I just looked in there, you're right, actually. I've got screens open everywhere, it loses different chats open for other things. Okay, there's no more questions coming through, so you get three minutes back. Grand, you can go and socialise. Yep, and, yeah, go get a cup of tea. Thank you very much for your talk, it was really interesting, and now I finally know what I can do with the SDR that I won in some competition. There you go. Yep, now you know. Brilliant, thanks very much. All right, thank you.
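The replay attack, the rolling code the talk says defeats it, and the RollJam idea it points to, worked through as an added Python model. This is example code written for this page; it is not part of the talk and not Universal Radio Hacker's code. The frame layout (4-byte counter plus 4-byte keyed tag), the 16-press acceptance window, the shared secret and the fixed fob code are all assumptions of the simulation, not any real key fob protocol. What it shows is why identical frames replay, why a counter plus keyed tag rejects a recorded frame once it has been used, and why jamming the receiver while recording still yields a frame that works later.

```python
"""Toy model of the remote-control schemes discussed in the talk (added example).

FixedCode* models the demo key fob: every press sends the same bits, so a
recording replays. RollingCode* models the car-key scheme the talk says
defeats that: a counter plus a keyed tag, so a recorded frame is rejected
once it has been consumed. rolljam() walks through the jam-and-capture
sequence the talk refers to by name. Purely a simulation; no real radio
protocol is modelled and every constant is a constructed placeholder.
"""
import hashlib
import hmac


class FixedCodeFob:
    """Constructed fob: the same 4-byte code on every press."""
    def __init__(self, code: bytes):
        self.code = code

    def press(self) -> bytes:
        return self.code


class FixedCodeReceiver:
    """Toggles its output whenever the expected code arrives, no matter when."""
    def __init__(self, code: bytes):
        self.code = code
        self.output = False

    def receive(self, frame: bytes) -> bool:
        if hmac.compare_digest(frame, self.code):
            self.output = not self.output
            return True
        return False


def keyed_code(secret: bytes, counter: int) -> bytes:
    """Stand-in for the shared PRNG the talk mentions: a keyed hash of the counter."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1          # a new counter value on every press
        return self.counter.to_bytes(4, "big") + keyed_code(self.secret, self.counter)


class RollingCodeReceiver:
    WINDOW = 16   # presses the receiver never heard are tolerated up to this far ahead

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last = 0
        self.output = False

    def receive(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        tag = frame[4:]
        if not (self.last < counter <= self.last + self.WINDOW):
            return False           # stale (already used, i.e. a replay) or too far ahead
        if not hmac.compare_digest(tag, keyed_code(self.secret, counter)):
            return False           # counter forged without knowing the secret
        self.last = counter
        self.output = not self.output
        return True


def replay_against_fixed_code() -> bool:
    """The talk's demo: the captured frame is accepted again on replay."""
    fob = FixedCodeFob(b"\xa5\x5a\x0f\xf0")
    rx = FixedCodeReceiver(fob.code)
    captured = fob.press()       # attacker records the press with an SDR
    rx.receive(captured)         # legitimate press: light on
    return rx.receive(captured)  # the same bytes replayed later: accepted, light off


def replay_against_rolling_code() -> bool:
    """Rolling code: the captured frame is rejected once it has been used."""
    secret = b"constructed-shared-secret"
    fob, rx = RollingCodeFob(secret), RollingCodeReceiver(secret)
    captured = fob.press()
    rx.receive(captured)         # legitimate press consumes counter 1
    return rx.receive(captured)  # replay: counter 1 is no longer above rx.last


def rolljam() -> tuple:
    """Jam-and-capture: returns (forwarded_ok, later_ok, replay_ok)."""
    secret = b"constructed-shared-secret"
    fob, rx = RollingCodeFob(secret), RollingCodeReceiver(secret)
    first = fob.press()     # jammed: receiver hears nothing, attacker records it
    second = fob.press()    # user presses again; jammed and recorded too
    forwarded_ok = rx.receive(first)   # attacker forwards the first so the user sees the car respond
    later_ok = rx.receive(second)      # the second, never seen by the receiver, still works later
    replay_ok = rx.receive(first)      # but a plain replay of a consumed frame does not
    return forwarded_ok, later_ok, replay_ok
```

The acceptance window is what the jam-and-capture exploits: the receiver cannot tell a press it missed because the fob was out of range from one it missed because it was jammed, so the held-back frame stays valid until a later counter is consumed.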
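For the question at the end about analysing a capture, an added example of the steps an automatic decoder takes on the amplitude envelope of a simple OOK remote like the one in the demo. This is example code written for this page, not from the talk and not Universal Radio Hacker's implementation. The capture is constructed inside the block: a PT2262-style pulse-width encoding ('0' = short high then long low, '1' = long high then short low), a 10-sample symbol unit, a 0.8 amplitude fade and Gaussian noise are all assumptions. Real captures from a 433.92 MHz fob differ in encoding, sample rate and noise, which is why the decoder estimates the symbol unit from the data rather than assuming it.

```python
"""OOK pulse-width decoder for a constructed remote-control capture (added example).

decode_pwm() does what an analysis tool automates for a simple signal:
smooth the envelope, threshold it with hysteresis so noise at the edges
cannot split a pulse, run-length encode the result, estimate the symbol
unit from the shortest high pulse, and classify each high pulse as a bit.
The capture is built by encode_pwm()/add_noise(); nothing here is recorded.
"""
import random

UNIT = 10                                            # samples per short pulse (constructed)
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1]   # constructed 12-bit address/data word


def encode_pwm(bits, unit=UNIT):
    """Constructed transmitter: '0' = short high, long low; '1' = long high, short low."""
    samples = [0.0] * (8 * unit)                     # leading silence before the frame
    for bit in bits:
        high, low = (3 * unit, unit) if bit else (unit, 3 * unit)
        samples += [1.0] * high + [0.0] * low
    return samples + [0.0] * (8 * unit)              # sync gap after the frame


def add_noise(samples, rng, fade=0.8, sigma=0.12):
    """Scale like a weak received signal and add Gaussian noise (constructed channel)."""
    return [s * fade + rng.gauss(0.0, sigma) for s in samples]


def constructed_capture(seed=1):
    """Deterministic stand-in for an SDR amplitude capture of the fob."""
    return add_noise(encode_pwm(SAMPLE_BITS), random.Random(seed))


def smooth(samples, window=5):
    """Moving average over full windows only; output is len(samples) - window + 1 long."""
    acc = sum(samples[:window])
    out = [acc / window]
    for i in range(window, len(samples)):
        acc += samples[i] - samples[i - window]
        out.append(acc / window)
    return out


def run_lengths(env, low, high):
    """Hysteresis threshold then run-length encode: [(is_high, length), ...]."""
    runs = []
    level = env[0] > (low + high) / 2
    count = 0
    for s in env:
        if level and s < low:            # fall only once clearly below the band
            runs.append((True, count))
            level, count = False, 0
        elif not level and s > high:     # rise only once clearly above the band
            runs.append((False, count))
            level, count = True, 0
        count += 1
    runs.append((level, count))
    return runs


def estimate_unit(runs):
    """Shortest high pulse approximates the symbol unit, whatever the sample rate."""
    return min(n for is_high, n in runs if is_high)


def decode_pwm(samples):
    env = smooth(samples)
    mid = (max(env) + min(env)) / 2
    band = 0.1 * (max(env) - min(env))
    runs = run_lengths(env, mid - band, mid + band)
    unit = estimate_unit(runs)
    # a long pulse is ~3 units, a short one ~1; split at 2 units
    return [1 if n > 2 * unit else 0 for is_high, n in runs if is_high]


if __name__ == "__main__":
    print("sent    ", SAMPLE_BITS)
    print("decoded ", decode_pwm(constructed_capture()))
```

Once the bits are out, the next questions from the Q&A (is there a counter, does the payload change between presses) are answered by decoding several presses and diffing the words; a fixed-code fob gives the same word every time, which is exactly the property the replay attack relies on.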