
So my name is Grant and I'm a technical consultant for an information assurance company in Northern Ireland. I'm not here on their behalf or anything like that; they didn't ask me to be here, this is just something I enjoy doing in the meantime, so they won't be getting any advertisement from me. I'm also an amateur radio operator, which a lot of people think is, you know, an old guy sitting in a shack talking to another old guy in a shack a few miles away, and I can see where you get that; there is a bit of that, but the main goal of amateur radio as a hobby is electronics and experimentation, not just using radios, which again is where I got a lot of my knowledge for this talk. My Twitter is there if you want to follow me; I don't do a lot on it, but go ahead. YouTube, because of course I do YouTube, because any excuse to not do a real job. The key point there is my email address; if you have any questions or want to contact me, that's the best way to get me, and these details will be up at the end anyway, so go get them.

So, starting off, I want to talk briefly about what RF is. First, a quick show of hands: who here has hacked RF before? OK, yeah, more than what I was expecting. Cool. And so who here has hacked Wi-Fi? Everyone. OK, if you put your hand up for Wi-Fi you should have put your hand up for RF; they're the same thing. Any wireless communication is RF, so that's Bluetooth, Wi-Fi, RFID, all that. If it communicates wirelessly, it is radio frequency, and I'm not saying this to say, OK, yes, that's just a new thing that you can call Wi-Fi whenever you're attacking it just to make it sound cooler. I am specifically omitting Wi-Fi from this talk, because you could go into any cybersecurity conference around the world and there'll be someone up here talking about how to breach Wi-Fi, so I'm specifically avoiding that topic. So whenever you think of it as RF, whenever you start thinking of it instead of just Wi-Fi or Bluetooth or whatever, whenever you start thinking of it as RF communications, there are a lot of tools right there that can make your life a lot easier.

Now I know I said I was omitting Wi-Fi, and some of you might recognise that bottom one; yeah, I know. But the one on the top, to your right, is an SDR, a software-defined radio. They're very cheap, about 20 quid or so; they're not expensive, and they allow you to listen to the airwaves. That gives you the ability to look and see what's going on around you. The Pineapple's up there because that is all it is: it is an SDR, but it has some programming and other hardware in there to make it more suited to Wi-Fi, but at its core it's a software-defined radio. With the SDRs, a lot of attackers will use them for information gathering because they're cheap, they're throwaway, and they don't need a sophisticated pen testing device like the HackRF One, which is about 200 quid. The cheap SDRs only allow you to listen; they don't allow you to listen and transmit. The dearer ones, the HackRF One for example, allow you to transmit as well, which is useful for the likes of us; we want to try and break things in a legal way. But for an actual attacker who wants to, I don't know, unlock your car or do whatever, that's too expensive; they're going to use an SDR and build a small kit using an Arduino or some device thereof. They're very easily built.

Now a lot of these attacks have relationships to cybersecurity attacks, so in this case replay and repeater attacks are basically man-in-the-middle attacks, and in some cases quite literally there is a guy standing in between you and the device you want to get to, with an SDR lifting all of the communications. A replay attack is as it sounds: you capture a signal and you replay it at a later date, and there's a surprising amount of equipment, particularly industrial equipment, that is vulnerable to this type of attack, more so than what you might imagine. A lot of cranes have remote-control devices that operate on 433 megahertz, which I'm sure probably means nothing to you, but it's a very common band and it's very cheap to get transmitters and receivers for. There's a company who took the transmitters and receivers out of a crane and attached them to a Lego set to demonstrate that even though the remote controls are sitting over there, they could sit at their laptop with an SDR transmitter and be able to move that crane. All they've done is they've sat and pressed up on the remote with an SDR sitting there and captured that signal, then pressed down and captured that signal, and they've just labelled the files: OK, that file means up, that file means down. That's it. They then went to the company who manufactures these and said, look, we were able to do this, here's our notes, and the company did a great thing, as all companies do: they said, no, that can't be done, our stuff's encrypted. You're like, OK.

And this brings me on to a very key point with RF communications: whenever you think of them like this, encryption does not help you if it is doing a single command and it is sending a code. Even if that code is encrypted, you don't need to know it, because the transmitter, the receiver, the device in the crane, knows how to decrypt it; all you're doing is taking that signal and passing it on a little later. It's a very easy attack. There are mitigations to help with it, ideally a rolling code, so making sure that it's not the same code that you're sending each time, but as with all great defences someone's worked out a way around it, and I'll talk about that in a bit. A repeater attack, again, is as it sounds; it's like a Wi-Fi access point in your house that takes your Wi-Fi signal, boosts it and transmits it again. It's exactly the same, and there's no defence against this. There are companies that will tell you there is; there's not, because you are not actually tracking the device. I've got another slide on it; we'll go through it in a lot better detail later on. But whenever you take the signal and you transmit it on, the receiver is looking for a signal; it is not looking for the device, which is something people seem to deviate from. They think, oh, it's tricking it, because the key's not really there, say, to unlock your car. It doesn't matter; the car doesn't care whether the key's there, it's looking for a signal. The key could be 10 miles away; as long as it's getting the signal that it's expecting, it'll open. So in my mind it's not really a trick, it's showing the car what it wants; it's a quirk of the technology.

So I said in the replay attacks there's a way around it with a rolling code. Now this device here is called a RollJam; that was made by a very intelligent guy, I cannot remember his name, and he came up with this, and this helps defeat rolling codes. So in your car, car keys are a common use of rolling codes. Whenever you press the unlock button, it'll send a signal to the car, and it'll be, for the sake of argument, 001. The car sees that signal, goes, cool, that's what I want to see, crosses it off its list, moves on. You press the key fob again, it goes OK, sends 002. We're going to keep changing through a predefined list of codes. Simple enough, and that will defeat most common replay attacks of just capturing the signal and sending it on. But what you can do here: a car, and most common types of receivers, have a wide receive window; they have a wide window on the frequency that they look at. Now they have to do this because of varying things, but the common one is manufacturing deviations. So if you have, again we'll stick with the car, you have a manufacturer that prints, I don't know if they print them these days, who knows, they manufacture three keys and they're all meant to transmit on the same frequency for the same car. Because of variations in the manufacturing process and other deviations, they will all transmit on very slightly different frequencies either side of what they're expecting, and over time the components will break down, become old, and so that will also cause frequency drift. So to mitigate this, cars have a wide window so that your car key doesn't suddenly stop working on you because it's slightly drifted out of its listen window. Because it does this, we can attack it, because in the world of radio, generally speaking, the strongest signal wins. I know there's maybe some RF engineers out there who just started twitching when I said that, but as a general rule of thumb the strongest signal will win.

In that case what you have is a device that has two transmitters and a receiver, and whenever it gets a signal in, it raises a jamming signal somewhere in that receive bandwidth. The car has to check that signal; it can't ignore it, because it's a stronger signal, so it's what it cares about. Then on the other band you'll have your other receiver set to the specific frequency of the key fob, so you'll have got to know your SDR, or whatever you're using, to look for the specific signal, that narrow frequency that the key fob's coming in on, and you can narrow your transmitter down on that, because you're not constrained by mass manufacturing; the frequency is not going to drift that much from one key press to another, so you can narrow right in on it. In that case there's going to be a massive jamming signal beside you, and provided it's not bleeding over into your frequency, your receiver doesn't care; you're not jammed. So you send out the jamming signal and you capture the key fob signal. Now, that's all well and good, but the car doesn't open, so what do you do? Well, the person's going to press the key fob again, or not think about it and press it again; the same thing happens again, the jamming signal goes up and you capture the next signal. Again, we'll say you've captured 001 on the first one; the second signal comes in as 002. What your device then does is it drops the jamming signal and transmits 001; it transmits the old code that you captured, which as far as the car is concerned is a legitimate code because it hasn't seen it before, and you've got another code in storage that you can use. That keeps going for as many times as they keep pressing that button; you will keep cycling through and unlocking the car. As far as the person, the user, the victim, whatever we're going to call them, is concerned, it only failed to unlock once, which, I mean, let's face it, how many times have you done that? You press the button loads of times, you've gone right up beside it; that's not a big deal, I mean no one would bat an eye. It's a very easy way of getting round it, but as soon as you're ready you can just go up and you can lift the device, because it's going to be a cheap device; I think I totted it up, you can make one for about four pounds-ish if you're that way inclined. You just stick it somewhere near the car, so in the wheel arch or somewhere like that, you can duct-tape it in there, have it sitting, and whenever you're ready you can come, lift the device, hit a button, and the car unlocks and you're away. There's very little you can do about that. There are some companies that are working on ways of fixing that; I have not seen one yet.

So hopefully this works. This is an example of a replay, sorry, a repeater attack, which I'm sure some of you might have seen. The guy there is going up to the house with a receiver and the other guy is standing close to the car with a transmitter, and all this is is a very simple receiver and transmitter system with a directional antenna. So he's standing there and he will wave that in front of the house and the door and around that area until he gets a signal; his mate, as you'll see, will stand next to the car with the transmitter, and as far as the car is concerned it's seeing the signal that it needs. This car in particular I believe is a Mercedes, at least, so it'd be very sought after; it's got keyless start, keyless entry, so not only could they unlock the car, they could start it and drive off; they didn't need the keys. Now, West Midlands Police, yes, it's them, God bless them, they did try and give a bit of advice in this. They said the only way to stop this is by putting your car keys in a metal container. I mean, they tried; strictly speaking they're not completely wrong, they're just slightly wrong. The frequency that these use is usually UHF. Some of them, Tesla in particular, also have a two-factor authentication which uses low frequency and high frequency, or, well, low frequency and UHF, but again it's a two-way communication; it just means you have to have two receivers and transmitters on each end, and you still get in with UHF. The more things you can put in its way the better, essentially, so just putting it in a wee metal container and putting it beside your door, they're still going to get it easily; still well within range. Your best bet, if you must have a keyless start, keyless entry car, which I would not recommend, is either, one, turn it off, or put it upstairs; have it up on the second floor of your house. That way, for one, it will take them longer, because they'll be scanning back and forward on the ground floor trying to find it, and if they do want to start scanning up, if they think you've maybe got it on the second floor, it's then got another wall and floor to get through to get the signal. So if you keep it far away from things you can help mitigate this, but again, I just wouldn't have a keyless start car, because once it starts you're not stopping it. No? No, OK.

Jamming, which is a denial of service attack, similar to the RollJam; that is technically a replay and jamming device rolled in one. I did want to bring an actual jamming device with me here today to show you how easy they are. Jamming devices are illegal, and I have permission from Ofcom, the Office of Communications, to do experiments with jamming devices under very strict criteria. So I messaged them, I sent them an email and said, look, I'm doing a talk, I would really like to bring a jamming device with me to show them, you know, how easy they are to build; not to educate you on how to build jamming devices, but, you know, to show how easy they are to build and the makeup of them. They replied fairly quickly saying, yeah, OK, well, that shouldn't be a problem, we just need to make sure that you have, you know, low power levels and you don't leave it on for very long during the talk. I said, I'll ask. Cool, brilliant. It's in London. And they replied almost instantly; that's never a good thing. They replied almost instantly: no, you're not bringing a jamming device into the middle of London. OK, cheers guys.

So what I did was I set up my SDR in the house, software-defined radio. This is the software; there are many different ones, it's software for looking at the spectrum, but this is the one that I use. This generally will, here we go. I recorded my jamming device. Now bear with me, it's terrifying to look at. That's it. That is it. That is what a jamming signal looks like: a signal strong enough to overpower the signal that you're targeting. Now, that is very low power, because to stay within my licensing I have to have low power, and I can't show a high-power one because this has been recorded; some of Ofcom might see it. So this is a low-power one, and surprisingly, I mean that is probably less than 300 milliwatts, it's very low power, but if I put that in between me and my car it will stop me unlocking my car. All it is is a signal that is enough to interrupt the signal that you're wanting to send, so it doesn't need to be overpowering, it just needs to get in its way enough.

Now, as I said, jamming devices are illegal, and they're illegal for very good reason, because they're indiscriminate. You have a lot of people who say that jamming devices are illegal because the man wants to keep track of you; these people obviously don't understand how they work, because if someone wanted to track you and you turned on a jamming device, they'd be able to see you very, very quickly; you would be lit up like a Christmas tree. Now, they are illegal because they're indiscriminate: you jam one signal, you don't know what else you're jamming. Also, with homemade ones like this one, you will see my amazing construction, you will see that there's bleed on other frequencies. That's because it was poorly made; I have wires that are not properly insulated running from the Arduino, which I used to make it, to the transmitting device. All an antenna is is a wire, so all of those wires effectively become small antennas, which is how you get the bleed over on these other frequencies. So people making a poorly constructed jamming device, even if they are intending to only block this one signal, so it's OK, I won't be interfering with everyone else, the signal could be bleeding over into another part, and you don't know what it could be interfering with. This will keep playing, but we don't need to see that, because that's all it is. Oh, by the way, that is a hello world program; that is what is sounding there.

So how do I actually relate this to cybersecurity, and why should any of you actually listen to me any more and care? Well, for the personal side of things, the rise of IoT devices, and cheap IoT devices specifically, and Raspberry Pi projects that people make in home automation that they do DIY style: they're pulling libraries off the internet to do this stuff, and even though these libraries might be encrypted, again, as I said earlier, depending on what you're doing with that signal, encryption doesn't help you; I can still capture it and send it on.

Contactless cards: this is, I mean, you're borderline into RFID; RFID is still radio communication, but I'm trying to avoid common methods of attack. But with that one in particular, you don't even need to build something for that. If you go to PayPal and ask them for a contactless card reader they will happily send you one, and you can just set that to whatever you want, and if you've been to the subway here in London, you're very close to people; you have one of them in your hand, you start to swipe from back pockets, you can lift a lot of money very quickly. That's RF; it's just you're getting a product that was already built for that purpose.

The RF ring, and it was actually a bracelet: there was a guy, I believe he was American, who set up some home automation in his house and put a bracelet on that just constantly sent out a small wireless signal on, I believe it was 2.4 gigahertz, and it unlocked his front door. So whenever he got close to his door it unlocked for him, so he could open it and away, happy days. I believe he at least had a couple of brain cells, because he had a switch on the inside that he could use to turn it off and lock the door whenever he was in the house, so, I mean, well done, you tried. But I think he had this for about a year before someone twigged onto what he was doing; maybe someone who had an SDR kicking about and noticed every time he walked past they got a signal, and they'd wonder what was so radiant about him, and they realised what he was doing. It leaked somewhere, someone else got a hold of it, and someone came along with the signal, unlocked his door and emptied his house, and they were even kind enough to lock the door behind them with a different signal. So this is the DIY aspect. He was very shocked by this, because again he was like, oh, but it's encrypted. It doesn't help you.

The fun stuff in business. RFID security tags: so I'm talking about the ones that you'd use at the entrance of your office. If you just have an RFID security tag that you swipe in and go in, there's no keypad, that can be captured. You can put a device near, I'm sure you've all heard of it, you put a device near that captures it, because those cards don't change; the signal stays the same, or the code that they transmit is the same. So if you don't have two-factor authentication, i.e. card and key code, someone could lift it, and it's very easy to print a new card and bugger off, and they've got access.

Drones are a fun one. There was an explosion of companies and businesses getting drones a while ago, whenever they sort of became cheap, like funeral directors buying up drones because they thought they were cool and thought we can have it carry the casket or something, I don't know. I think now they've found their place; a lot of architectural and building work uses them for getting photos and looking at places that would usually be a hard thing to get to. Drones are also susceptible to replay attacks, although they are a bit more difficult to do, technically speaking. They're also vulnerable to jamming attacks, but a lot of high-end drones have a system in place: if they lose the signal or see a signal they aren't familiar with, they will either stop or land. So, I mean, yeah, you can stop someone flying, hovering until the battery dies or something, but jamming attacks generally don't do much other than annoyance; but that's denial of service, it's related, annoyance is. But with replay attacks you need a larger sample set, so you could sit with an SDR and you can watch someone flying their drone and you can capture all their signals, and all you're looking for is that whenever the drone goes up and you see a signal, you can associate that signal with up. That's all you need to do and you can gain control of it. Now the granularity comes in because of the joystick that they use to fly drones: it could be up and slightly left, or up and slightly to the right, or, you know, vice versa. Because of that you need to get a large sample set; you need to be there for a while and get a lot of files, so that you know for certain, whenever you press up on the signal that you've captured and labelled up, that it actually does go up and it doesn't start flying off to the side. This is where jammers can come in, because, sorry, I was probably lying, because the GPS devices in them are usually hard to remove, for the specific purpose of being difficult to steal, so they can't just get it and rip the GPS out of it. So what people have started doing, they've been getting these sample sets of communications, flying the drone over to somewhere where they've got someone set up with a jamming device for GPS; the drone flies into that, the GPS signal is lost, and they just keep the GPS jammer with the drone until they get to a workbench where they can strip it down and remove the GPS. They've got it; they've got a, well, 300-pound drone, and they're away laughing. They can also do it just for destruction, and industrial sabotage is a big thing with this stuff, because a lot of the industrial kit is large, so in some cases they may just do it to crash the device.

Security cameras, only wireless security cameras; I'm not talking about the wired ones, but I have seen far too many companies that don't have hard-wired security cameras. The wireless security cameras operate on 2.4 gigahertz, which some of you may know is the Wi-Fi range. Again, I'm not going to talk about Wi-Fi, but that's the range they work in. Intercepting it, so trying to do a replay attack, doesn't really work; there's no commands being sent, it's just data, it's, you know, video feeds. But what it is susceptible to is a jamming attack. So if you have a business that you want to rob, for whatever reason, and you know that they have wireless security cameras, you have a jamming device that blocks 2.4 gigahertz, you turn that on, their cameras will not work. Now, it's not like you've seen in the films where it's a shot of a hallway, a guy walks into the hallway, turns the device on and he disappears but the hallway's still there; that's bollocks. It's not camouflage, it doesn't make you Predator, OK. If you've noticed on your digital TV, whenever you get a storm or something and the signal gets interrupted, and it's like those black squares and it gets juddery, that's what happens. You're just interfering with the signal to the point where it's possibly not useful, and so this person can come in, do what they want, and anywhere they go within range of these security cameras, the signal will be corrupted. Now it's not foolproof; they could still get something on the other end, they could get a picture or get an image of someone, but it does make life a lot more difficult.

Industrial equipment, I talked about it in the earlier slide; the only other one that I want to talk about is a JCB. For those who don't know JCB, or any Americans here, a JCB is a digger, a big hefty bit of industrial equipment, and someone, I don't know who, decided it was a good idea to put remote controls in them so that their workers don't need to actually get into the JCB to drive it around. I don't know who thought that would be a good idea, but someone did. Because of this, using replay attacks, someone captured all of the codes that they wanted, left a device in the JCB with a 4G dongle, and they sat in their bedroom and they drove this JCB around a car park. These attacks, as I said, industrial sabotage, that's a prime candidate for these. Also, and I tried to think of another way of saying terrorist attacks, because we're all bored to death with them and all the media is talking about them, but it is an option: they can get control of some very heavy equipment and just drive a JCB down Main Street. It's very easy to do and it can be very destructive to infrastructure and people who get in the way.

Now this is a fun one. I did want to do a live demo at this point; however, bringing all my equipment over here on an easyJet flight, I didn't really want to have a conversation with the security guy about what all this RF hacking equipment is and why I'm bringing it on a plane. I wanted to avoid that, so I put this in. This could be a talk of itself, but I want to talk about it briefly because it terrifies me. For anyone who doesn't know, biohacking is the practice of implanting electronics in your body for whatever reason, and it started off with people putting magnets in their fingers so that they could feel magnetism, feel magnetic waves; again, I don't know why you would want to do this, but people did. With the rise of small electronics and YouTube, I guess, people have started doing this more prolifically with RF communication devices, making RFID readers and other wireless communication devices. There was a guy, it was a BBC documentary I think, and there was a guy who had this implanted in the back of his hand, much like these guys, except they're lit up for some reason, where he could use this to unlock his bike and start his motorbike. It's terrifying. Now, electronics in your body are not a new thing by any stretch of the imagination; pacemakers are very common, robotic arms are also becoming a lot more common, and I thought that this is an issue that should be at least looked at at some point. Because you would like to think that the professional side of implants, so like the pacemakers done by the hospitals, you would like to think that they would have security. Probably not; I think a lot of people would be out of a job if companies did. They should, but there you are. Now with these devices and with the implants, it's the DIY part I'm worried about, because people are putting these devices into their body to make life easier, for whatever reason, and they're making their bodies hackable. I know that sounds very dystopian and like something you would see in a film, but it is the case: they are putting wireless communication inside their body. Now, for the most part, and at least at the minute, this is RFID so that they can swipe in and swipe out; there's no real direct communication with their body, but I think the possibility is there. As bionics and robotics advance, people are going to start doing DIY things, because that's what people want to do, they want to try things themselves, and I think it's going to get to the point where potentially you could have a hacker who could kill someone. Now, I know you're saying, I was just talking about people driving JCBs down Main Street, would that not kill people? Yes, yes, that is an option of where a hacker could kill someone, but in my mind this would be more targeted. Say, for the sake of argument, a pacemaker that is potentially vulnerable to an RF attack: someone could actively stop the pacemaker or make it go haywire if the correct securities are not in place. It's a targeted attack; it's not indiscriminate, it's not like driving a JCB down Main Street because you found a script online and, oh, let's try it out. It's targeted: you want that person dead. So I think biohacking is key, and this could be a talk of itself, but I think that's something that will become more of an issue in the future, and, well, hopefully I'm long dead before it becomes an issue because I don't want to deal with it. And that's it. Any questions?

[Audience question, inaudible] Yeah, yes, that is a way around it, but again, it depends on what way you mean timing. A lot of them don't do real time, so they don't know "I sent that signal at this time". They could do; there isn't any reason not to, but it's probably going to cost, and it's cheaper to not have to keep a real clock, and so a lot of them just stick to a predefined set of codes that they then cycle through. But yes, that is a way to get round it.

[Audience question, inaudible] Yeah, no, I think I mentioned Tesla. Tesla have a two-factor authentication: they have a low frequency signal that goes out from the car to the key, and that then triggers the key to go, OK, that's a signal I want to see, and it then transmits. But again, all you need is a transmitter and receiver on both ends, because that signal will always be coming out of the car. That's fun stuff.

[Audience question, inaudible] Yeah, that's a fun one. I had many phone conversations over that drone thing at Gatwick. Yes, they could have got rid of that, but the problem is they brought in the army to do it and they just didn't have the kit to do those types of things. If they had the kit, yes, they could have taken control of the drone, potentially, and landed it, but they just don't have the kit to do it.

[Audience question, inaudible] As far as how close you need to be, it depends, and you can get a directional antenna, which, a good example is if you've ever seen the ones on top of your house, the sort of ones with the wee spines coming out of it; that's a Yagi antenna, which is directional, and if you have one of them, if you're out, either the drone or the person, probably the person is easier because they're standing still, you could be quite far away and still pick up the signal.

[Audience question, inaudible] A similar talk? Yeah, I know, that's the law; speak to me after and I'll happily go over that.

[Audience question, inaudible] Yeah, to make a repeater device, the cost, I think from Amazon, not that I bought or built one, you can get enough parts to build about ten for about 10 quid, but usually the parts are that cheap that you buy them in bulk; you get like a box of 10 repeaters, or receivers and transmitters, and it's just an Arduino, or if you're willing to do something a bit more complicated, a Raspberry Pi would work as well. Yeah, they're not expensive.

[Audience question, inaudible] Yeah, you can listen; listening is fine. Yep. As I said there, they're only worried about people transmitting, and the only thing they worry about with people transmitting is interference: someone who is transmitting who doesn't know what they're doing could block loads of different signals and cause havoc, especially if you're near an airport; that could be very, very bad. So you can listen; an SDR is perfectly fine to buy and have a listen.

[Audience question, inaudible] Oh, so for, like, smart cars you mean, that sort of communication? Yeah, I don't know, I haven't seen enough about the smart cars' communication going back and forward, and it depends what you want to do, because the replay and repeater attacks only work, generally, with commands. So with a smart car, if it's driving and it has a signal that a car in front of it is slowing down really quickly, it doesn't get sent a signal over wireless to stop; that's in the computer of the car itself. So the only signal that that car would actually be receiving would be "there's something coming really quickly, you need to do something about it", and if they were sending commands that way then, yeah, you could get in with a replay attack. Or jam; yeah, jamming is also a possibility with them. Any wireless communication, regardless, you can jam it; as a rule of thumb, if you can get more power on it, you can jam it, it doesn't matter what it is. Yeah.

[Audience question, inaudible] To broadcast on certain frequencies, it depends what you're doing, to be honest. If you want to transmit and broadcast and do experimenting things, get your amateur radio licence; the Foundation one is very easy to get and it's a simple exam that you sit, it's just like "what do you do to not interfere with people", that's basically what you need to remember, and then that will give you near enough all of the bands to allow you to transmit, and you could email them and ask for permission for a very specific frequency and they might put you on it.

[Audience question, inaudible] Oh yeah, completely, yeah, you could set up a device in there and have it relay to a device wherever you want; in some cases you can even have it connect to, say, a 4G dongle and have it go to an SQL server for you and just dump the data up there somewhere, and you can access it wherever you want. Yes, yeah, if you can get it nearby you can lift it. Anyone? Yeah.

So thank you very much. There is one more question; you're going to be the last one, sir.

[Audience question, inaudible] Yeah, it depends. I am currently looking into that to see if there is a way, because if you have a directional antenna you do get quite a lot of gain on it, so you can point it out, but you're still somewhat limited by how much power the actual device has, so no, a good antenna to receive is only going to help you so much. So yeah, I'm in the midst of it at the minute to see if there is a way of sitting on a rooftop somewhere and just scanning the street and lifting RFID codes. I'll get back to you on that one. Yeah, OK, thanks. [Applause]
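The rolling-code and RollJam sequence described in the talk, and the Q&A points about two-way challenge-response (the Tesla example) and repeaters, modelled as an added example; this is not the speaker's code or any manufacturer's design. It shows which of the two receiver designs refuses a stored code, and that a live relay still passes a challenge-response check, which is the speaker's point about repeaters. The key, counter window, nonce size and message format are constructed assumptions.

```python
"""Models of the key-fob designs discussed in the talk (added example).

Two receiver designs are compared against two attacker capabilities the
talk describes: holding a captured message for later (RollJam-style) and
relaying a live exchange between fob and car (repeater attack).
Key, window size, nonce length and message layout are constructed.
"""
import hashlib
import hmac
import os


def tag(key: bytes, *parts) -> str:
    """Short HMAC-SHA256 over the message fields (constructed format)."""
    data = b"|".join(str(p).encode() for p in parts)
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class CounterFob:
    """Rolling-code fob: every press sends the next counter value."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> dict:
        self.counter += 1
        return {"ctr": self.counter, "tag": tag(self.key, "unlock", self.counter)}


class RollingCodeCar:
    """Accepts any authentic counter ahead of the last one seen, within a
    forward window so a few unheard presses do not desynchronise the fob.
    That window is exactly what lets a jammed-and-captured code work later."""

    WINDOW = 16  # constructed; real receivers use vendor-specific values

    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def unlock(self, msg: dict) -> bool:
        expected = tag(self.key, "unlock", msg["ctr"])
        ok = (self.last < msg["ctr"] <= self.last + self.WINDOW
              and hmac.compare_digest(msg["tag"], expected))
        if ok:
            self.last = msg["ctr"]
        return ok


class ChallengeFob:
    """Two-way fob: only answers a challenge it has just been sent."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> str:
        return tag(self.key, "unlock", nonce.hex())


class ChallengeCar:
    """Car issues a fresh random nonce and checks the answer against it."""

    def __init__(self, key: bytes):
        self.key, self.nonce = key, None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(8)
        return self.nonce

    def unlock(self, response: str) -> bool:
        if self.nonce is None:
            return False
        ok = hmac.compare_digest(response, tag(self.key, "unlock", self.nonce.hex()))
        self.nonce = None  # each nonce is usable exactly once
        return ok


def rolljam_against_rolling_code() -> list:
    """Two jammed presses; the attacker replays the older code, keeps the newer."""
    key = b"constructed-fob-secret"
    fob, car = CounterFob(key), RollingCodeCar(key)
    first = fob.press()    # jammed and captured; the car never sees ctr 1
    second = fob.press()   # jammed and captured; attacker now holds ctr 2
    replay_old = car.unlock(first)    # car sees ctr 1 for the first time
    replay_new = car.unlock(second)   # later: the stored ctr 2 still works
    plain_replay = car.unlock(first)  # a code the car has already seen fails
    return [replay_old, replay_new, plain_replay]


def stored_response_against_challenge() -> bool:
    """A captured response is bound to an old nonce and is rejected later."""
    key = b"constructed-fob-secret"
    fob, car = ChallengeFob(key), ChallengeCar(key)
    captured = fob.respond(car.challenge())  # attacker records one exchange
    car.challenge()                           # owner walks away; new nonce
    return car.unlock(captured)


def relay_against_challenge() -> bool:
    """A live repeater carries the nonce out to the distant fob and the
    answer back; the car still sees a valid response, as the talk argues."""
    key = b"constructed-fob-secret"
    fob, car = ChallengeFob(key), ChallengeCar(key)
    nonce_relayed_to_fob = car.challenge()
    answer_relayed_to_car = fob.respond(nonce_relayed_to_fob)
    return car.unlock(answer_relayed_to_car)
```

The three scenario functions return `[True, True, False]`, `False` and `True` respectively: the rolling-code receiver accepts both held codes but refuses a code it has seen, challenge-response stops stored replay, and only distance or round-trip-time checks (not modelled here) would address the relay case.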