[00:32.370] So we're talking about attacking wireless devices with software-defined radio today. A little bit about myself: I've been programming for about 18 years, mostly hacky and mathy kinds of stuff, so machine learning, AI, and security. Ontologically, I call myself a Christian mystic. It's kind of a weird description, but I think it fits pretty well. I like art, mostly weird stuff. My day job, I work at FireEye slash Mandiant. I was trying to think how to describe what I do. Mandiant consultants do incident response, so someone gets hacked, they come in and fix it up. If this is the Mandiant consultants, this is kind of what my team does: we're basically cyber weapons makers to help combat the people who hack in, pretty much.

[01:35.670] It was kind of hard to title this talk very well. One of the titles I thought about was "how digital data is transmitted wirelessly." We're going to be talking about that, how data is transmitted, and it's kind of cool if you like computers, if you like the Internet, because this is how it works everywhere. So it's pretty interesting to know. Another way to put it is we're going to be at the OSI physical layer, layer one. You've got TCP/IP up on layer three and four or five or something like that, and then below that, layer two, you've got the data layer, like 802.11.
[02:19.670] And then below that, how the data is actually represented through physics, kind of. And of course the other title is "attacking wireless devices with SDR," which sounds a little sexier maybe than "how data is transmitted."

[02:36.850] I kind of came into this topic from three different directions, so let me give you some background on that. I've been into the IoT stuff since before I knew it was called IoT. I did a home security system with a Raspberry Pi a few years ago. Basically I had these wireless outlets, broke them open, broke open the transmitter, soldered in some transistors and then connected that to the Raspberry Pi. It's a really simple home controller. So the IoT stuff was one direction I came in from.

[03:16.710] Another direction was music theory. I remember looking at a keyboard and being like, why in the world are the black keys not evenly spaced? It really annoyed me. I remember it was over Thanksgiving, so I had some time to think about it. Every key is a half step, so you could just have six black keys and six white keys. Why are there seven and five? It looks very disorganized. Anyway, that led to this whole foray into music theory and analyzing sound with things like the Fourier transform.
[04:02.290] So you can convert to the frequency domain and look at stuff. This is me singing Do-Re-Mi-Fa-So-La-Ti-Do. Music theory was another area. And then the last area was wireless hacking in general. I've found wireless hacking to be a pretty cool topic for a while. I was just talking to someone earlier today and they were like, yeah, the security thing is kind of annoying because you find this cool vulnerability but it was patched three years ago. One cool thing that I found with wireless security is that typically bugs in wireless stuff are systemic and they're not easy to patch. So it's kind of cool because you learn about how it works and then you can exploit it, and that knowledge sticks around pretty well.

[04:55.810] I've done stuff back in the day with TCP/IP. Recently I've been doing some stuff with 802.11 monitor mode, where you can basically open your Wi-Fi adapter up in a way where it receives every packet from every access point and device. I recently wrote a program called trackerjacker that exploits that. So if you see me at a coffee shop I might look like this picture that a friend took of me with a bunch of antennas to scare people. So again, TCP/IP is up here, 802.11 is here. We're talking about the physical layer down here today. One cool thing about wireless hacking also is that it feels kind of magical.
[05:44.590] Even in this room right now, and it sounds very Jedi, there's this invisible energy all around us. It penetrates us, things like that. But it carries interesting information. You have to know how to tune into it to harness that information. And if you write these spells into a computer, you can make things in the physical world do your bidding through the air. It feels very magical to me. It feels like back when I played Diablo 2 Lord of Destruction. I spent a lot of my life on that game. But it feels kind of like that, like building my wireless hacking skill tree. So hopefully today you'll come away with maybe another point or two into your wireless hacking skill tree.

[06:42.630] And this is an interesting time right now, because obviously IoT stuff, the Internet of Things, is blowing up. There are all these new devices that communicate wirelessly. So this is kind of like in Diablo 2 (probably none of you played that) where you get a rune and it would increase all your attack damage by some percentage. It's like that with IoT. These skills, they're kind of dangerous, and you need to be careful if you're doing this kind of stuff too. Obviously be responsible. Because everything works through radio. Almost every type of wireless communication is radio. So virtually all wireless communication happens through waves, like a sine wave.
[07:21.630] But a lot of them are radio specifically. So what we call radio, AM/FM radio, TV, cell phones, Wi-Fi, Bluetooth, GPS, all kinds of things are wireless radio waves. I remember scanning Milwaukee and I could see these big industrial control SCADA systems with their frequencies just publicly available.

[07:56.570] The tool that we use, the current modern tool for playing with a lot of these wireless devices, is called software-defined radio. Now if you're doing Wi-Fi hacking, 802.11, you probably use a Wi-Fi adapter. Or if you're doing Bluetooth hacking, you probably use a Bluetooth adapter. But a lot of other devices, a lot of IoT devices, from some big industrial control systems down to really small things like wireless outlets, are controlled not through Wi-Fi 802.11 or Bluetooth but through other, sometimes proprietary, protocols. Another thing would be keyless entry on your car. Software-defined radio is basically a radio where a lot of the parts of the radio that would have been implemented in hardware are now implemented in software, which makes it a lot more flexible. So for instance the HackRF can transmit and receive on a huge range of frequencies, from I think a few megahertz up to six gigahertz, which covers pretty much everything. Almost everything is in that range.
[09:06.270] So there's the HackRF, I think it costs around $300, and you can transmit and receive. The RTL-SDR is I think around $20. The downside of that is that it is receive only. So think of it almost like the magic wand if you're doing this wireless hacking.

[09:30.690] So, two demos. I wanted to show you this demo. I'm not going to do it live because I couldn't bring my Jeep here. I got my HackRF out of the box, and the first thing I wanted to do, I was like, keyless entry, that's radio. Okay, what's the frequency? 315 megahertz. So I looked it up and I ended up trying to do a simple replay attack. This is a very common attack with wireless stuff, with SDR especially. You can basically just record the signal and replay it. That simple. A couple of the Capture the Flag things today that I did took literally 10 seconds. You just record it and then replay the same thing. Nothing super difficult or anything like that.

[10:38.490] So I'm going to play this video. Hey, Caleb here. No, I'm going to be demoing. I'll skip ahead. I already told you that. I'll skip ahead to where it's like... All right, let's see. So let's see if that works. Ready, go. This is unlocking. There we are. And then lock one. It'll make it toot the horn as well. Good job, Caleb. There we are. So that's enough.
[11:10.810] So what happened was the first script. Yeah, so a really simple replay attack, but very powerful, right? A lot of things are susceptible to that. Now this won't work on every vehicle. A lot of modern cars have a rolling code, and the whole point of that is simply to deter this type of very simple attack. But it works on some, and the same idea can work even with rolling codes: you simply have to jam the receiver so it doesn't receive that code. That's the workaround to the rolling codes. So it's almost as simple to do. This will work on almost any vehicle, in other words.

[11:55.710] The next one, I was going to demo a jamming attack, except that jamming is illegal. So we can't do that. But we can maybe do something similar. I've got some ham radios that I am licensed to operate on the frequencies that they transmit on. So let's say you're at a bar or restaurant and there's some music that you don't love, maybe you don't love Nickelback, and you're like, man, if only I could somehow silence that noise. So what we're going to do here, let's see if this works. I'm going to run this new radio script. Oh, hey, there we go. What do you know? Now this looks a lot like jamming. I understand it looks a lot like jamming. Let's go ahead and close that. Anyway, but it wasn't jamming.
[13:04.950] That was just, I wanted to transmit a sine wave at that particular frequency. It happened to coincide with the frequency that the radios were operating on. But it wasn't technically jamming. What you heard was some noise, a sine wave at 400 megahertz. But it's really interesting, though. Theoretically you could do jamming attacks. And so I've got a wireless security system. And I was wondering, well, what if? So you've got the door sensor, right? And then you've got the hub. If the door is opened, it sends a signal to the hub, and then if it's armed, it'll sound the alarms, kind of idea. So what if it doesn't receive that signal? Well, nothing happens, theoretically.

[14:02.650] And then the last little demo I wanted to show you. So I have, it's actually the same outlets that I was using for my home security system a while back. I got this remote, an on/off switch, and there's a little receiver back here. The little bulb there is plugged into that. So I can turn it off and on with this remote. Now I could do a jamming attack. Sorry, not a jamming attack. I could do a replay attack for this. I could potentially record it and replay the signal. But what if I didn't know the signal initially? What if I think that it's a pretty simple signal and I think maybe I could brute-force attack it.
[14:58.210] Maybe I've seen some signals to similar devices and I know the key space is 10 bits. And I want to generate that signal from scratch. So let me do that really quick here. I have a script I'm going to run here. That's really small, one second. Try to make this a little more readable for you guys. So this is not using GNU Radio or anything like that. It's just a simple Python script I'll show you in a few minutes. And we're going to run that in a pipe; it converts its output to another format. And then let's see if this turns on the outlet. No. See here. Oh, because my HackRF is not plugged in. That would be a reason. All right, let's try it now. There we are.

[16:34.840] And actually I want to show you guys another thing real quick. So the signal that was generated looks very similar to the signal that I was looking at prior. But one cool thing with these radio signals, you can actually open them in programs like Audacity. Probably a lot of you are familiar with Audacity. It's a free sound editing program. So let me show you what it sounds like. This is actually the signal that was generated. It's not coming out of the sound. Let's see. I'm going to unplug this cable and then play it through my speaker. Actually, built-in output. Yeah, I'm going to just do that. Just because it's kind of cool to hear.
[17:23.710] I know you can't see this anymore, but let's see if you can hopefully hear it. And it's just a repeating signal. Stop that. Fully plugging it back in works. And I didn't ruin the rest of the presentation. Yes.

[18:02.060] So again, you can look at this up close. Ultimately, when I was trying to do this signal generation, I cheated a bit. I'll be honest. I looked at the signal that I captured, and I was like, well, I can look at it and I can see the bits, right? We're going to look at different types of modulation, but this is what's called ASK or OOK modulation. It's simply varying the amplitude. A short pulse means it's a zero, and a long pulse means it's a one, basically. And that's it. It's so cool because you can intercept the signal and you can see very clearly the bits there. Which is, to me, really cool. I don't know if you guys, when you were a kid and you heard the modem connecting to the internet back in the modem days, you hear this sound and you're like, what is going on? So it's cool to see it. To me it's really cool to see it. Sweet. So that's what the signals look like. Now I want to try to quickly go into a bit more of how this works.
[19:20.780] If you understand the fundamentals of how radio waves work, that's a really good foundation for doing any of this kind of hacking. So what are waves? We're going to get into a little bit of, hopefully, some pretty light math. I'm not really a math major. I like it, but I've found that I like it when there's something useful that I can do with it, like controlling things in the physical world through radio. So I'm going to try not to get too deep into any of the math and keep it very practical, application-driven.

[20:03.520] So waves are simply these forms that, like a sine wave, go up and down. If you spin around a circle and look at just the y-direction or just the x-direction, that's the shape of a sine wave. They're really interesting for a variety of reasons. As I already said, they're found everywhere. Try to think of one form of wireless communication that does not happen over waves. I'm speaking to you and you're hearing sound waves, which are vibrations in the air, which can be represented as waves. All wireless communication is radio waves. So they're everywhere. It's just crazy. If you look at temperature over time, it looks like a sine wave because of the rotation of the earth. Patterns of breathing, breathing in and out, the all-zen.
[20:55.160] It's all over modern physics, if you think physics and stuff is cool. Quantum field theory: there are theories that basically model all particles as some form of waves. With string theory, they think maybe all matter is made of vibrating strings. Probably some of you have heard of the Heisenberg uncertainty principle. A cool thing happened when I was doing some audio hacking: I kind of discovered it for myself accidentally. So I had the same slide I showed before. This is basically a spectrogram. The x-axis is time. The y-axis is frequency, so lower frequencies are lower. And the intensity, the color, is the amplitude, basically, of that component. One thing with things like audio is there are all these harmonics. That's why you see not just a single line but a bunch of them, right? Basically, it's multiples. So if this is 100 Hertz, this would be 200, 300, 400, 500.

[22:07.100] But when you're analyzing waves like this, basically, the longer the period of time you analyze, the more precise you can be about the frequency that it is. So if you monitor a wave like this and you only get the first part of it, that could be a variety of different waves. You don't have enough data to know for sure what wave it is. So you can't be as sure.
[22:33.580] But the more you spread out your time, the less sure you are of exactly where in time you are. So let me show you what spreading out time looks like with that. Basically, it's increasing the size of the spectrogram. So this is 256 by 12. You'll see it's spreading out horizontally. And you get to something like this, and you can see we're very precise on what the frequency is, but we are much less precise on what the time is. So I think it's kind of cool, a kind of rediscovery of the uncertainty principle. So waves are cool because they help you understand the universe overall. They're also the epitome of change. I don't want to go into this too much, but the derivative of a sine wave is itself another sine wave, which is pretty cool. Let's not get into that too much.

[23:31.160] So here's a really cool thing. It's called the superposition principle. I'm talking to you right now, and if I'm also knocking on the table at the same time, you can hear both things at the same time, right? But what's actually happening: imagine you cover one ear. You could still pick up my voice and the knocking on the table, but what's happening is your ears are essentially pressure sensors. And so the waves of the vibrations in my voice are actually getting added to the waves of the sound of me knocking on the table. And it's called convolution.
[24:07.800] You're just adding these waves together, and your ears and your brain are able to basically deconvolute those sounds. It's amazing when you think about all these sounds. You can hear people talking in the hallway and all these things, and you're able to deconvolute those really complicated waves. What that looks like is, let's say you have these simple waves, a few sine waves. You add them together and it looks like this, a more complicated thing. Well, you're able to basically break that out into each component wave.

[24:38.820] But the same thing is true in the radio world, right? If there's data being transmitted at 900... at 2.4 megahertz for Wi-Fi, well, there's also Bluetooth being transmitted around that frequency, maybe off a little bit. There are also, in this air right now, FM radio waves and many other types of radio waves. These are all being added into this really complex electromagnetic radiation. But your radio is able to deconvolute that by tuning into a specific frequency, basically. And the reason that works is because the waves are orthogonal, which is kind of a confusing idea. But basically any wave of differing frequency is orthogonal. I won't go into that too much right now. Anyway, a simple view of this is the time domain. This is me saying the "ah" sound; this is what it looks like. Convert it to the frequency domain and you can see these peaks.
[25:46.000] Much like the spectrogram we saw before. I won't go into the orthogonality much. There's another cool thing, how they're related to e and stuff like that. Basically with Euler's formula, you relate e, raising e to the i pi, and that basically produces rotation around a unit circle. This was interesting because to get this radio hacking thing to work, what happened was, and I'll show you a Python notebook in a minute, first I tried creating a simple sine wave. It's just going up and down like this. But the way that most radio devices work is they actually use a two-dimensional electromagnetic radiation signal. So instead of it simply pulsating in one dimension up and down, it actually is like this, a corkscrew kind of shape. And the way you produce that kind of rotation is instead of sine of x, you do e to the i x.

[26:55.640] It was super cool because for me it was like, I remember back in high school learning about imaginary numbers and that kind of stuff. And it was like, whoa, this suddenly became actually useful. Raising e to this power, I needed that to actually get this freaking outlet to turn on. Imaginary numbers is one of the classic things you think, they're imaginary numbers, how are they ever going to be useful? So I thought that was pretty cool. So here's just a visualization of the simple sine wave versus the complex two-dimensional one.
[27:26.840] Okay, that's enough of the math. Just to touch a little bit more on how digital communication happens over waves: modems. Obviously we all know modems, and back in the 56k days you actually heard them, and I think modems were more at the forefront of people's minds. But we still have modems today. Whether it's Wi-Fi on your phone or a cable modem, it's ultimately the same principles at play. Modem stands for modulator and demodulator; it's kind of a combination. And there are a few types of modulation. Modulation is basically where you have some kind of carrier wave and you're changing it, modulating it, to carry information. Some of the main types, and this is not exhaustive: amplitude shift keying, frequency, phase, and then quadrature amplitude modulation. We'll go through these.

[28:36.920] So ASK, amplitude, this is what it looks like. You have a lower signal and then you increase the amplitude. And that's it. This outlet is ASK modulated. You could make it where when it's really loud it represents a one and when it's really quiet it represents a zero. Or you might do what's called on-off keying, where it's the length of the time where it's loud, the length of the time where the pulse is high. And that's more common.
[29:11.840] And again, in this signal you can see clearly the amplitude increasing for longer and shorter periods of time. Another type is frequency shift keying, where you're changing the frequency. This is kind of the representation of zero and one in FSK. One frequency, this lower frequency, maybe it's a thousand Hertz, represents a zero, and when it's at 2,000 Hertz it represents a one, or something like that. Someone's going to do the math and say that's not a thousand Hertz, anyway. Or this is another signal: zero one zero one one zero. It's just cool to see this is what data looks like when it's transmitted in the air or on the wire. And by the way, this isn't just wireless communication. Wired communication is actually the same stuff. It's actually waves as well.

[30:06.860] Phase shift keying is maybe a little more complicated to understand. You're basically changing, if you think of the unit circle, where you're at on that; it's jumping that around. Quadrature amplitude is where you're basically changing the phase and the amplitude at the same time. Actually I have a visualization for that which is kind of cool. Let's see if I have that. Let's make that bigger. I think it's just from Wikipedia. So you can see it's changing the phase and it's changing the amplitude.
And with that, in this case you're able to represent 16 different values in a short period of time. This is actually what a lot of Wi-Fi uses, by the way, your 802.11 Wi-Fi. Most of the time it uses this, called QAM. Now if it's more noisy, you could probably tell by looking at this, I mean it's almost amazing it works at all. So if it's really noisy, Wi-Fi can go to maybe binary FSK or something like that, something easier to differentiate between the values. But I think ideally it's using QAM. And there are various kinds; this is QAM 16. There could be QAM 64, where you have 64 different values. You can imagine noise is going to be more damaging in those situations. But that's how it's modulated. So really quickly I want to go through what it looked like to actually generate this signal from scratch. How many of you guys and gals are familiar with Jupyter notebooks? Could you raise your hands? Okay, pretty small percentage. We're not gonna go through all this in detail. I do have, on the last slide, a link to this if you want it. Think of it as a scientific notebook. This is how I researched this. So I was like, okay, I've got this signal. I kind of just eyed it up, honestly. I was like, okay, it looks like roughly this frequency, and stuff like that. And I was like, okay, I need some way to do ASK.
So I just wrote some basic code to do basic amplitude modulation. And all this code is self-contained in this notebook, by the way. We're not gonna go through the code line by line, though. And then I was like, well okay, I've got a call to convert a string of bits, 1 0 1 1 0, blah blah blah, to that. So I tried to do that and I was like, oh, I need spacing. It's actually on-off keying. Tried that. I was like, okay, that looks really close. I put it in, I outputted that, and it ended up failing. And I opened both of them in Audacity side by side, the recorded signal and the generated signal, and they looked almost identical. And I tried it and it didn't work. And this is that complex number thing I mentioned. I realized, oh yes, okay, I see. Radios use complex signals, two-dimensional. So it was like one line of code to change it. It was like subbing out sin(x) for e^(ix). It was really cool and it worked. I was like, whoa, that was sweet, because when I ran into it I was like, oh man, it's gonna be horrible. But then it worked. Actually, no, I think there's one other issue, some kind of complicated thing where you couldn't just keep the signal high. You had to have it going back and forth for the radio to transmit it, or something like that.
It was a little bit confusing. Anyway, it ended up working, and the signals look, you know, this is the generated signal zoomed in and the recorded signal, and they're not exact, you can see that, but they were close enough that the radio would actually listen to it and do what it said. So, a few conclusions. Like I said, it's kind of interesting because almost all wireless communication happens over electromagnetic radiation, which is really cool. And hopefully now you know some of the foundations of how radio communication works, and that can be really helpful in doing all kinds of interesting things with it. It's also just cool to understand, because waves are, like I said, the more I learn about them and have my eyes open, I'm like, wow, these are popping up everywhere. From a security perspective, though, I think it's really helpful to be aware of the types of radio attacks that are possible. So jamming attacks are very simple. We didn't actually demo one today, but it's very simple conceptually. So you could think about that; it's kind of a threat model thing, right? If you've got a store full of a lot of merchandise and you try to protect that with a security system that's wireless, well, it's not that hard to do a simple jamming attack and break that. Replay attacks, again, are very simple to do.
I mean, someone could pull one off in literally like 10 seconds, and they work in a variety of places, so that's good to be aware of. This is almost more physical security than software security, I guess, but I think it's helpful for any security professional to be aware that this kind of thing is this simple to do. Brute force attacks: like I said, I cheated a little bit. I actually had the signal that this thing transmitted, and I just kind of eyed it up and tried to reproduce it. But in theory I could have found a similar model. Let's say there was something really valuable that that outlet controlled, right, and I'm like, okay, I see it's that outlet, and I can just go and get one at the store, maybe I get a couple of them, and I see, okay, this is what the key space looks like. Well, it wouldn't be a ton of work to just do a brute force attack against that kind of thing, so that's interesting to be aware of. You could even have some combination of brute force and replay attacks, right? So maybe there's an 8-bit rolling code, you know, everything... So you can replay that part, but you need to generate the combinations for the rolling code. Maybe the total signal is 32 bits, but maybe you only have to tweak 8 bits or something. Well, that's interesting to be aware of. So be wary of wireless communication.
I mean, I'm not like a tin hatter where nothing can be wireless, you can't ever use wireless. But it's kind of a threat model thing. I have wireless security in my house. I'm not expecting, hopefully, many of you, or any of you, to come try to break in. And I'm hoping that people who try to, if they do, don't know this kind of stuff. I have backups in place, though, in case any of you guys are thinking about that. Anyway, if I had a store with a ton of merchandise, I'd probably not use a wireless security system. And that's all I've got. I have my website here, GitHub, ham radio call sign, for any of you. And then I've got a link to this, actually I think it's an old version of this presentation, but very close to up to date. And then I have, I'm gonna make this bigger, and then I have, these are the scripts that were involved today that I was working with. This is a link to them at the bottom. So with that, I think we have a few minutes for questions, if anyone has any questions. Yes, I actually haven't used it. It seems really cool, though. I like the HackRF because it covers almost every frequency you might want to do. It's 300 bucks, which I know is a decent amount of money. In my experience, I would say, for me personally, paying $300 was a great investment. So are there any other questions, or is that it? All right, thank you for your attention.