
Operational Wireless - Alex Sanders

BSides KC, 41:52, published 2025-06
About this talk
Discover the world of Wireless! From traditional Wi-Fi networks, wireless peripherals, and Bluetooth devices to the broader spectrum of sensors, IoT, and OT, we'll discuss understanding a full signal profile. Set your eyes and ears to RX, keep the TX down to the noise floor, and gain insights on crafting a signals intelligence profile to monitor, attack, or defend your invisible infrastructure. Operational Wireless is a talk for individuals of diverse technical backgrounds - whether you install access points, you've just purchased your first Alfa adapter, or you're a veteran RF engineer, this presentation will tune you to new frequencies. Accidentally receiving this interference? Don't worry, we'll throw in some basics - free of charge. For our most Offensive friends, join us and better understand your attack surface, elevate your methodology! Bored of Wi-Fi and want to try something new? Don't just stand by, this is the place for you! We'll talk about applications of wireless in the red and black team that are sure to make for the coolest story. But please, in the interest of safety, don't REX your way to the talk. Our dear defenders... By the end of this, you'll understand that just because you can't see these "waves" that are "totally there, I promise", doesn't mean you can't defend them. Whether you're an enterprise with enough RF to cook dinner or a mom-and-pop with a single router, you'll have your WIDS about you when we're done. To the OT shamans and the IoT wizards, the world may not know your name yet, but don't get your WirelessHART all Meshtastic, come join us on the wM-Bus. Just don't forget to feed the (ERT) meter.
Transcript [en]

Hello everyone. Morning. We ready to learn about some black magic? Yeah. Okay. We've got a few things to discuss. I'm going to try and run through it and not confuse everyone. If I need to stop anywhere and answer a question, something's not clear, you don't understand what I'm talking about, I don't explain an acronym, stop me. Is anybody in the room someone that was at KernelCon? And also, watch this. Oh, one. Cool. Got a fan. All right. About me, about us. I am Alex Sanders. I am a Marine Corps veteran, father. I do all the things. I have way too many animals, too many instruments, too many interests, too many things. I do work for Stack Titan as a security consultant doing all kinds of things offensive. If it can be broken, we probably break it. Some of the folks in here may be here to heckle me about wireless. I mentioned offensive stuff. When we talk about offensive engagements with wireless, you typically think of Wi-Fi. And a lot of people hate it. They hate it. Well, you probably hate it because you got no Wi-Fi.

Hi. Why me? Why are you listening to this? Well, I hate Wi-Fi pentests, too. They're awful. Hey, that's not supposed to happen. Get back there. All right. I hate Wi-Fi pentests, too. You go in, you deauth some clients, capture a handshake, wait for it to crack, and then you write a report on that. It's boring. If you're in this room, you probably understand that we have so much more going on at all times, so many other signals, and there is risk behind all of it, especially when you introduce it to any kind of sensitive environment that has something to protect, even the individual. So, I want you to see this invisible infrastructure. I want you to understand the attack surface, build better defenses against it, and hopefully I don't put you to sleep and help you achieve death by PowerPoint this morning.

So, little demo here. Audio is not important. What I'm doing here showed that the car is locked. Got a Flipper Zero down there, replaying a set of unlock presses on the key fob, and then I get into the car. Now, this is an older Honda. Honda is notorious for these issues. In modern vehicles, we have rolling codes from our key fobs. So, you press the unlock button and there is a unique code that is transmitted with that data that says yes, this is the correct signal. And that is why what I just demonstrated is not typically possible in modern vehicles. However, Honda, the solution in this particular vehicle was to have a static set of codes. The codes would change, but they were always the same. So, if I got enough button presses, I just replay all of them and eventually I'm in. And the same is true for a lot of models that are still being put out today. They aren't all this way. Some of them are. Some of them it's a matter of bit flipping in the signal. It's nothing crazy.

All right. So, how does this all relate to you? Are you just some rando sitting here thinking I'm not interesting? Maybe you think you're very interesting. Are you a small business, some kind of startup? Are you a large enterprise? I know we've got Cisco in the building somewhere. Where you at? They're scared. Are you a manufacturer? Are you a celebrity of some kind or some other kind of high net worth individual? That's what HNWI is. High net worth individual. Somebody with like an executive protection team. It's all relevant to all of you.

All right, little bit more housekeeping before we get into the good stuff. Sorry, there are going to be some people in the room that don't know what I'm talking about with some of these terms. Two key terms you need to know if you're not familiar with wireless. First one is frequency. I try to relate this as the address of a signal when I'm talking to somebody new to wireless. So all of these transmissions are waves. This thing, somebody hijacked signal. Somebody's messing with me. It's why we're here. So it's really how often the transmission wave occurs. That's the frequency. So if I say something like 2.4 GHz, that is a measurement of frequency that occurs really, really fast. The waves pass a certain point in space really, really fast over a certain period of time. The modulation is how a signal changes in a pattern. We have something like frequency modulation where that frequency will actually change just a little bit while it's being sent out. So it's not a steady 2.4 GHz, it may change to 2.412, right? We also have amplitude modulation. So amplitude, I didn't throw it up there, but you can kind of think of that as how hard the signal is pushing out. And that can also change. There's all kinds of different modulation.

All right. Radio. Don't know why that's sideways. Whatever. So, when we're talking about wireless, there's all kinds of different technologies out there. It all falls within what's called the electromagnetic spectrum. And what you're probably familiar with is radio technology. That is kind of on the lower end of the electromagnetic spectrum. Has things like Wi-Fi, Bluetooth, Bluetooth Low Energy, RFID or NFC. You got your access control systems with a badge. You've got your tap to pay, NFC, cellular, or some IoT, OT stuff is typically radio as well. Then you have infrared. Again, this is still electromagnetic signals, slightly higher frequency than what radio is. These can be things like your passive infrared or your REX sensors, your request to exit. You ever walk to a locked door and you hear a click and it's unlocked? That's what that is. Your cameras. Well, when a camera is operating at night, there's no light to come into the lens. So, they have infrared that can measure ambient light. You've got things like door remotes, access controls, environmental controls, things like that. Ultrasonic. This is sound. Very, very, very high frequency sound that we typically cannot hear unless you're under the age of like 12. I don't see anybody that fits that description in here, but it is used in technology to do all kinds of things. We had a service called Google Nearby in some of your older or cheap Android phones. It would use Google Nearby for location services or to silently communicate with other devices. Android also had a thing where, when you get a new phone, you want to transfer all the data from your old phone to your new phone. You can do that with ultrasonic sound.

If you've ever seen a prompt that says to keep it near your other phone in a quiet area, that's why. You've got things like Alexa and Google where there have been a few attacks put out there using ultrasonic sound to initiate commands with those devices. You have proximity sensors that can measure how far away something is from something else.

All right. When I'm talking about risk with everything I'm about to show you, this is how I kind of categorize it all for each of the groups of people that I mentioned, or groups of entities that I mentioned. We have likelihood of exploitation and impact. Impact starts all the way at the bottom. Disruptive. Well, that's the top. Whatever. That can just be annoying. You got a Flipper Zero. You're changing channel in the bar, turn the TV off, you're popping a Tesla charge port open. Disruptive. It's whatever. It's not really a big deal. Then you've got all the way at the bottom, which is actually the worst. Non-recoverable. You exploit this and your mom and pop shop is out of business forever. They got to shut down. They go bankrupt. Likelihood of exploitation, from the least likely at the very top: they're the target of a nation state threat actor. A lot of people worry about their cell phones getting hacked. You're not that interesting. I'm sorry, but you're not. Then at the bottom, most likely: imminent, opportunistic. If you're a wireless nerd like me, you see something running WEP and you're going to crack it whether you should or not. Allegedly. Allegedly. We got a lawyer on retainer, right? Ah, yeah.

High net worth individual. I mentioned these earlier. Celebs, again, people with executive protection teams. They are likely to have just as much, if not more, technology than each of us do. They may be running a business from their home. They may have any myriad interest that we would as a regular person, but they've got the money to fund it all. So, they have all the things. I don't know if you've ever been in one of their houses or been in one of their compounds, but they have all the things. But because of the nature of these people, just like the average person, they don't always understand the technical vulnerabilities. And these executive protection teams often are only focused on their physical security and privacy. They're not worried about a lot of digital aspects. That is catching up to an extent, just like everything else, but they're still behind the curve. Fortunately for them, again, they have less financial restrictions. So, with these people, this is just a subset of things that could be going on. We are concerned with privacy. You've got a celebrity going to see Hollyy in May.

I guarantee you one of her big things is privacy. She does not want some weirdo hiding out in the bushes waiting to snatch her. Right? Then you've got your assets, right? Everything in your house. You want to keep that safe. You may have a business. Like I mentioned, some of these people run their core business operations from in their compound. Physical security kind of ties in with all of it. I did a talk last year, wireless for teams. Wireless heavily augments physical security. You can keep an eye on every aspect of physical security with wireless technology. So I don't have any kind of ratings or anything associated with this group because it's so disparate. There's so many different factors. But in general, it's all the same stuff that we carry around in our pocket every day. You've got Wi-Fi, you've got infrared, TPMS, tire pressure monitoring system, Bluetooth, Bluetooth Low Energy, Amazon Sidewalk, Thread, NFC, ANT+ for fitness tracking. A lot of these people are big into fitness and they're so busy, they got to have something to keep track of it. So, they have ANT+ watches and Nike sneakers with ANT+ chips in them. All kinds of stuff going on there. So, look at something a little more technical. I don't know how well you can all see this.

I'll try to outline it for you. Tire pressure monitoring system. So, there are two types that you have in your vehicles, indirect and direct. Your indirect TPMS is, if your tire's low, you might have a light pop up on your dash. You got a nail in there. You got a light that pops up in the morning. You get out, you're like, "Crap, I do have a flat." Or you've got direct. You can actually see exactly how much pressure you have in the tire. Direct TPMS is what we're worried about here. Now, for the average person, this is not a big deal. People with a high net worth, absolutely. So, this was all captured in my hotel room yesterday. I was being real sketchy. We have the model of the vehicle. So, like right here, I've got a Toyota or a Ford or whatever PMV-107J is. Then we have an ID, a unique ID associated with each sensor in the wheel. That's how your vehicle knows which wheel is low on pressure, right? And let's see. I didn't. Yes, I did. Okay. So, ID, moving. You can tell when the vehicle's in motion on some of these. Yeah, exactly. It's crazy. You can track all of this. Now, this operates at 433 MHz or 315 MHz and it is not very powerful. But since it's a lower frequency, I know some of you ultra RF nerds are going to correct me and say, "No, it's HF or whatever." I don't remember which one it is. Sorry. But it's kind of a low frequency in terms of other technologies that we're typically used to seeing, compared to like 2.4, 5 GHz, right? So it will travel quite a ways. All this data I captured from the fourth floor, the very top of my hotel room, probably 100 yards from the parking lot, through a glass window with lots of things that can obstruct the signal. I'm still getting it. And you can take a little hardware, CC1101. It's a little chip that you can program, get like 10 of them that all communicate back to a central device, place them in strategic locations, and triangulate where a vehicle is at all times. If you're trying to watch someone, even on like a community college campus or a large university, we can do that.

I mentioned I was being sketchy. That's what that looked like. I've got it unplugged. I took that picture this morning. Without running too much into my talk, I want to point out, so with signals, it's important to know the properties of the element that's measuring the signal, which is why I have it laid out perpendicular to the road here and at a certain length. I think here I had it set up for 315 MHz. I didn't have a ruler, but essentially each element needs to be about the size of two Monster cans. Convenient. I've got a Monster can sitting there. And it needs to be elevated. The wire needs to be away from the antenna as much as possible, a little slack, which all makes it ideal conditions for me to capture data from so far away. But with something like an LNA, low noise amplifier, I can pick up signals from further away. I could probably pick up, with the equipment that I brought, signals from the other end of the parking garage way back there if I wanted to. Didn't have time for all that, so I didn't.

All right, moving on. Small business. Typically, these have less tech, right? You've got a restaurant, you've got maybe a small new CPA firm. You might have three or four wireless technologies, maybe, if that, but you've got more outsider opportunity. You think of like a downtown KC area, all these small businesses, people are in and out all the time. You got a bar, people are in and out all the time. And you cannot keep track of where everyone's at all the time. You just can't. So, if anybody wants me to explain these ratings that I've labeled on these, I can. But essentially with a small business, a lot of things, like I mentioned, you got a restaurant, you got a bar. We're worried about those transactions. We have to have the cash flow, right? You have to have your point of sale system operable. Worried about day-to-day operations. Can you move throughout the business and get the things that you need to get to provide to your customers? Your systems are heavily integrated with that. You've got your point of sale systems, your tablets, your phones, your network gear, then physical security, of course. So for example, in a small business, I'm saying that Wi-Fi is probable or expected to be exploited in some manner. And the risk, depending on what you do with it, is maybe low, but it could be not recoverable. If you manage to hop into a point of sale system from the Wi-Fi, steal all their funds, and maybe just start wreaking havoc, or maintain some sort of persistence, get a bunch of information on them, trash them, they can go bankrupt, all because Wi-Fi wasn't secure.

Amazon Sidewalk. Anybody in here heard of Amazon Sidewalk before? Couple folks. Okay. I hate it. I hate it so much. Every Amazon device, your Alexas, your Ring doorbell cameras, your flood lights that you've got in front of your house, they're all part of the Sidewalk network. By default, that's on. So, what it does is, when it does not have a direct internet connection, say maybe you're one of those people that has a Ring doorbell, but you don't have Wi-Fi for whatever reason, you can still access your stuff. You ever stop to think to wonder why? How? It's because of Sidewalk. They hop onto other devices that they can reach using three different wireless technologies and use other people's connection as a backhaul. Now, there's a boundary there, supposedly. I'm still digging into all the specs, all the documents. I've got like five dev kits that I ordered from them to test and crap under different names. But does that sound like a good idea, to just have other people's data transmitting through your network that you cannot control unless you just turn the service off? Probably not.

All right, can move on. Startup. You might have a little more variety depending on what the industry is. If you're like a tech startup and you want to do all the things, you're Silicon Valley, you've got all the things, right? Maybe less budget, maybe more. I don't know. There's a lot of variety to it, but there's greater potential access. A lot of these startups are in co-work spaces. I took a physical security course down in Tampa last year, and it blew my mind. It was in a co-work space. Now, it wasn't just super, you know, sensitive stuff, and it wasn't like all their core operations happened inside of that building, but everything was in a co-work space and there were like four different startups that were operating in there. A lot of them, all their operations happen in that area. And I could walk throughout the whole building and get hands on anything. I could have plugged anything in. I could have sat there and hacked away at whatever I wanted to. And nobody would have batted an eye, especially since we were there for a security course. They'd have been like, "Oh, that's probably just part of the course."

So, enterprise. This is the one we're all familiar with. I'll try not to harp on this too much, but I've got a little bit of what I think is a unique perspective here. So, you should have your defense in depth strategy. Not just one or two or three, but 10, 15, 20, 30 different controls, whether they be technical, human, policy, whatever, that should be protecting your assets. With wireless, maybe not so much, though. And with an enterprise, like you've got a large health care system that is all over the Midwest, they have wireless everywhere and they're not keeping track of it. They don't even know that they have it. I know because I did an OSINT assessment against them. They don't even know they have it. So, how are they supposed to protect it? A lot of these systems you set up, they work, you forget about them until something breaks, and then you don't even know who to contact to fix it. So, how are you supposed to secure it? We have a handful of things that we can target with this. It is what you're probably typically used to seeing: Wi-Fi, RFID for your access control, NFC in a few places, sub-gigahertz. Sub-gigahertz is a big one. That is a broad term for technologies that operate at less than one gigahertz in frequency. For those of you unfamiliar, I was talking about TPMS, 433 and 315 MHz. That's a sub-gigahertz technology. So you might have like a biosciences lab that has a physical security team that's armed, carrying radios, sub-gigahertz.

Yep, sorry. Manufacturing. You've got some of your traditional things, right? A lot of the things that apply to an enterprise or small business will apply here. Didn't want to mention those a whole lot because there's a whole brand new attack surface here. You've got WirelessHART, you've got Olink, you've got ISA100.11a. What is that? Does anybody offhand know? Probably not. Probably never heard of a lot of these things, right? You've got wireless Modbus. If you're familiar with regular Modbus, it's just as bad. But it's wireless, so it doesn't even need to be connected to anything, right? And with manufacturing, OT, ICS, you have kinetic consequence to those issues. So the problem is just exacerbated. Enough about those.

Let's get into the attack methodology that I typically use for large sets of wireless systems. So I will plan, monitor everything, every phase, reassess constantly, do recon and intel. Just like any kind of offensive engagement, you want to look at what you've got out there. I mentioned I did that OSINT assessment. They didn't know what they had. I figured out what they had. I know exactly how I can attack it. We weren't contracted for that, unfortunately. Didn't get to have that fun. Identify and enumerate. You might be able to pick up signals, but you don't know what they are offhand. Maybe you're running a tool like rtl_433 that already has decoders built in for these signals, but it picks up something that it doesn't know. Well, you're going to have to pick that apart. Then figure out how you're going to exploit it and exfiltrate whatever you need to get out of it, right? And then communicate and adapt with your team.

But on the opposite side of the house, we have a defense methodology that we can use to counteract this. Prioritize your technology: what is most critical to your operations, what has the most consequence if it were to be exploited, and adjust your approach to defense. Inventory, document, see what you have, see who's in charge of that, who's the owner of that system, who can help you secure it, who can help you fix it when it's broken. Differentiate between everything. Direct, detect: you want to be able to figure out your direct controls that you can have against these technologies, your detective controls for these technologies, and your deterrent controls. If you've ever done any kind of physical security, not going to assume that you have, but that's how I think about a lot of those things. So, if I have a chain link fence with barbed wire, I've got guards, I've got dogs, I've got flood lights. The fence and the barbed wire are direct controls that keep me from getting in. I've got flood lights. That's a deterrent control. Just because those lights come on doesn't necessarily mean that's going to stop somebody from trying to get in. Or I've got a detective control, cameras. I can pick up what's going on with that environment. Assess, see what needs improvement, see what you can do to fix it, and then review everything, start the cycle over again.

All right, Wi-Fi. So, again, this is 2.4, 5 and 6 GHz. There's all kinds of different technologies that we have associated with it. You've got your open wireless, OWE, opportunistic wireless encryption, WEP, legacy protocol for securing wireless access, WPA1 through 3, Wi-Fi Protected Access. If you've ever entered a password to access your Wi-Fi, that's typically WPA. Might have been WEP back in the day. WPS is the push button service. If you push a button to connect or you get some kind of PIN code to connect, that's what that is. Or management. That typically falls under WPA as well. But if you have like a RADIUS server that's authenticating your access, that's what that is. So, attack and defense of Wi-Fi. If you've got an open network, even if it's a guest network, stop it. We have OWE now. Opportunistic wireless encryption. The threat vector on Wi-Fi these days on an open network is not as bad as what some people would lead you to believe. We use encrypted protocols everywhere.

HTTPS, SSH. It's not as bad as what you think, but there are still things that we can do to manipulate that traffic. We can still look at DNS if you're not using a secure DNS solution. We can potentially grab keys from somewhere and maybe intercept that TLS traffic for your HTTPS sessions. Use OWE. Just remove the risk from any of that altogether. You have an encrypted session between your client and your access point then, even though it's an open network for your guest wireless, right? Deauth attack. That's what we're used to with Wi-Fi. Get a wireless intrusion detection system. Anything that's critical, like an automation device for manufacturing, if that's connected to Wi-Fi, maybe figure out how to hard wire it. Because if you can just kick that offline, off the wireless network, and just spam that, you're not making your product. Use a secure password. If you have to use WPA2 or something like that that does not support management frame protection, protected management frames, to protect against some of this, use a secure password. It's built into the standard to be able to send deauthentication frames and kick a client off of a Wi-Fi access point. And when they reconnect, we can capture what's called a four-way handshake, which is in a way the key to the network. And we can attempt to crack that, get the clear text password. So, use a secure password. And with Wi-Fi, that's one of the places I do actually recommend rotating your password every so often. Not as frequently as some people would have you believe. You can ask me questions after. Crack, downgrade attacks on your wireless encryption. See things in clear text. You shouldn't. Downgrade from WPA3, which protects those sessions, and essentially turns it back into WPA2. Can deauth again, see the clients. Management, you've got to validate every layer of the trust: certificates, the backend server, everything.

So, if you're a small business or an individual that is worried about protecting your wireless and you don't have the money to invest in like a Cisco WIDS, you can use a product called nzyme. It's one that I run. It's open source. If you're familiar with Graylog, the man behind it, he's building this. It's got a fully featured Wi-Fi subsystem that does a lot more than what I see when I'm doing an audit of some of these wireless controllers with their WIDS. You have fingerprinting of all your devices. If you're familiar with how any of that works today, a lot of your devices will randomize their MAC address when they're connecting so that you can't keep track of what device is what. It's one of those obscurity things, but we can still fingerprint those with the system. We can detect anomalies with the way that the Wi-Fi is being used. We can see attack alerts. So, if there's an active deauth that's going on, then we can see that. We have bandit tracking. You got your Flippers with your deauths. You got your Deauther Watch. You got your Pwnagotchis. Well, those have been fingerprinted. Sure, you can change some of the elements to get rid of that signature if you want, but have it in place and we can see those things. I tested myself. From the moment that I plugged my Pwnagotchi into power, it picked up a bandit alert within 3 seconds. It's quick, and it takes way longer than that to start attacking.

All right, mention enterprise radios, stuff like this. FRS, MURS, GMRS. These are the radios that you will typically see on any security guard at an event like this. You may see somebody with radios walking around. None of this is encrypted. You can intercept it all. It's sub-gigahertz. I've got the frequencies listed up there. And you just got to pull it in with a tool like Gqrx or Universal Radio Hacker, pull the signal down, and then throw it into something like Audacity where maybe you've got the feature for live audio stream and you can hear everything that's going on. So if you've got a large enterprise where you need to keep track of where security is for like a red team assessment, you're trying not to get caught: guard A checking in, checkpoint southwest, current time blah blah blah, moving to blah blah blah. That is pretty standard for physical security operations to have check-ins like that over radio. Well, you'll be able to keep track of where they're at. You just got to listen to it. So this is a set of frequencies. So with the exception of the Family Radio Service, FRS, the rest of this requires a license to operate. So you have to register it with the FCC. So, if I have a target organization that I'm going to go try and break into, look at their security team's registered frequencies. I don't have to look for it. It's there. So, we can attack it by scanning and listening. We can encode this stuff, but if you pay for a good license on the, what is it? The mobile use radio service, with certain equipment you can encrypt the signals. You can't, but people don't.

POCSAG, FLEX paging. A lot of you are like, people still use pagers? Yes. Yes. Healthcare systems, universities, other enterprises that I can't mention by name but would be good examples, they use paging. This is all just encoded data sent out over the air. There are repeater towers all over the place, so you can be 100 miles away and still pick up their data. I've seen things like protected healthcare information, PII, gate codes for certain doors with the location. I've seen a compound access code for a high net worth individual go across the wire. Clear. You can intercept all this. Check your local laws. Might be illegal. Might be illegal. Don't do anything illegal. I'm not endorsing that. But if you are allowed to do that, multimon-ng, you'll see it. All you got to do... So, it's kind of a broadcast thing, right? It's like me shouting out to you all, and it has a specific address that it's going to, called a cap code, but it's all in the air. So, you just got to set your stuff to listen to all cap codes, listen for all addresses, and you got it. This is how you can find those paging towers. If you're not picking up any paging data, you can locate... this is one example. It's not the greatest, but it's city-data.com. This is a list of registered microwave towers in Omaha. So, if you have a target organization, you know they use paging, you're not picking up any paging signals, figure out where the tower is. Get a little closer and you'll pick it up. Captured all cap codes. Encrypt. Encrypt your comms. I don't know why that's so hard, but encrypt it. Especially this day and age. It's not 1990 anymore. We can encrypt this stuff as it goes through the air. It's just usually a checkbox in the administration system that you got to do. Maybe it's something that you have to do per device on some of the budget systems, but do it. You ever heard of HIPAA? You don't want to be violating HIPAA just because you were too lazy to enable a setting on a page, right?

All right. Infrared stuff. We use this on engagements all the time. We got to go in somewhere. You have, again, that request to exit sensor that uses infrared. Well, we blow some air under the door to trigger that sensor, to break that IR beam. It unlocks for us. We can't really directly control that a whole lot, especially if you don't have the deterrent controls like guards that can be present to pick that up. But you can use detective controls. You can use cameras. You can use, especially in your more sensitive facilities, temperature alarms. There's a drastic change in temperature in a specific location that is near your infrared sensors. Somebody probably just REXed in your door. Picked up on that.

RFID. This is from that course out in Tampa. This is us cloning badges sitting in the Dunkin' Donuts that we got with people that were none the wiser. They were just actors. Of course they knew what was going on. It's not hard. We can man in the middle. Use something like a vampire tap, ESPKey, on the reader itself. If you have a line item for destruction, this will hurt things. But if you install these things properly, have it caged where you can't just take it apart trivially. We can't get in there. Cloning. Use a secure protocol. Change the default keys in your system or use something like Elite keys. Running out of time or I'd explain that a little more. Downgrade. A lot of these systems have legacy support enabled. So, you might be using something like iCLASS SE that is a little bit newer, but you've got legacy support enabled. So, we can just use an older protocol and then it doesn't use any kind of encryption. We get in, right?

There's a lot of wireless out there. I tried to cover some of the things that were more directly relevant without harping on Wi-Fi too much because, like I said, I hate Wi-Fi pentests. They're not a good comprehensive profile of a wireless risk. So, you got to look at more, right? But when you're looking at these other wireless technologies, maybe you're going to head over to the RF village after this. Hopefully, if you're looking at some of those challenges that they may have for you, there's generally four types of things that we can do with it. We can replay a signal. I showed you that with the Honda in the beginning. I intercepted those unlock sequences and just replayed it until I got the right one. Relay. Anybody want to steal my car? It's sitting out in the parking lot. One of the most stolen cars in the United States. It submits RFID. Now, it has rolling codes, which is great. Real rolling codes. The signal doesn't have any kind of known vulnerabilities that I'm aware of. But if I'm hanging this up... Yep. Red key. Is that a red key? I see. You driving the Hellcat, man. Yeah. His is more likely to be stolen than mine. But you hang the keys up by your door, right? It's in

your house. You're not worried about it. And it's got rolling codes. You're not worried about it. Relay attack. One antenna by the door to pick up the signal and pass it over to another antenna sitting by your car with the carjacker, they're in. And then they can also start the vehicle because we all have these stupid push to start things these days. Then once they're in, they use a signal jammer to to prevent you from doing anything with your keys. If you've got some kind of wireless tracker in your in your vehicle, like a tile, too bad. They've got a jammer. You're not going to be able to keep track of it. Maybe they'll be lucky and not find a certain

technology in there once they get it to their final destination. And uh that'll still transmit. Easter egg. If you want to try and steal my car, don't don't. Um, and then you have, so I already mentioned interference and jamming. With a lot of like wireless protocols, they don't know what to do when you interfere with them. They don't know what to do when you jam them. So sometimes that can like in an access control system, if you've got something that's wirelessly controlled, if you jam all those signals, well, it's a safety concern. It's got a default open. it. It's not typically a default close system on a lot of these. Then you have protocol specific attacks. I talked about some of

the Wi-Fi stuff. That's that would be what I classify as protocol specific. Just go and research vulnerabilities known with those protocols. Um, thank you all for watching. Anybody have questions?
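Added illustration of the replay-versus-relay distinction the speaker draws (this is not the speaker's code): a toy rolling-code receiver in Python that rejects a recorded unlock code when it is played back later, yet accepts the fob's fresh transmission when it reaches the car unmodified, which is what a real-time relay delivers. The counter-plus-HMAC code format, the key and the acceptance window are constructed for the demo and are not any vendor's protocol.

```python
"""Toy rolling-code receiver (constructed model, not a real automotive protocol)."""
import hashlib
import hmac

# Receiver accepts counters up to this far ahead of the last one it saw,
# so a few presses out of range of the car do not desynchronise the fob.
WINDOW = 16


def make_code(key: bytes, counter: int) -> bytes:
    # Constructed scheme: code = counter || truncated HMAC(key, counter).
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter.to_bytes(4, "big") + mac


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1          # every press emits a new, never-reused code
        return make_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def unlock(self, code: bytes) -> bool:
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False           # forged or corrupted code
        if not (self.last < counter <= self.last + WINDOW):
            return False           # stale counter (replay) or too far ahead
        self.last = counter        # advance: this code can never be used again
        return True


def simulate() -> dict:
    key = b"constructed-demo-key"   # shared fob/car secret, constructed for the demo
    fob, car = Fob(key), Car(key)
    captured = fob.press()          # press 1, recorded over the air by an eavesdropper
    first = car.unlock(captured)    # the genuine press unlocks the car
    replay = car.unlock(captured)   # same bytes again later: rejected as stale
    live = fob.press()              # press 2 happens at home by the front door...
    relay = car.unlock(live)        # ...and a relay carries it to the car unchanged
    return {"first": first, "replay": replay, "relay": relay}


if __name__ == "__main__":
    print(simulate())   # {'first': True, 'replay': False, 'relay': True}
```

The rolling counter defeats the replayed code but says nothing about freshness in time, which is why the relay still opens the door.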