Welcome. This is the first talk of the day, so I knew there might be some hiccups with stuff, but so far so good. Thanks everybody for coming. This is Hacking with GNU Radio. Essentially, I don't know who all knows what GNU Radio is here. Ah, a fair number of people. Good. Who knows what the USRP is? Not so many, but still a good amount of people.

All right, so the title of the talk is how to have fun with wireless transmissions. I'm David Bryan, security consultant by day, mild-mannered hacker by night. CISSP, ham radio enthusiast. I have a ham radio license, hacker, and I volunteer at DEF CON, so I'm actually part of the network team that sets up the network for DEF CON so that you can use your wireless laptops, and speakers can speak with their laptops and get internet access and all that fun stuff, without getting hacked, ideally.

So a couple of months ago, I think it was March, my wife and I went down to CCCKC, which is Cowtown Computer Congress of Kansas City. Yeah, Cowtown Computer Congress. So this is, I don't know if you can see this, but this is Mitch Altman. He's sort of the creator of Noisebridge, which is a hacker space out in San Francisco. I'm really enthused to see these places coming to light, because it gives people a place to go and work on projects and work with other people who are maybe more experienced or maybe have actual tools in place to help others. So Mitch stopped in and was selling a bunch of kits. He had his TV-B-Gone kits. I don't know if you've seen them; they're little things about yay big, and they'll turn off TVs from about 300 feet away. So I was playing around with this in the hotels last night. It was quite fun. You turn off the TV and they go, "TV's off. Oh, I've got to turn that on," and you turn it off. "TV's off. I've got to turn..." No, you don't have to turn it on. You're violating my space. Just shut the TVs off. Anyway, this is Vegas.
So that's gonna happen. But so I wanted to give props to the hacker spaces out there. I think this is a really great idea, great concept, if you can participate in these and even bring together multiple groups: the maker groups, the 2600 groups, the DEF CON groups, those kinds of things. If everybody could come together and create a space, you're gonna have a lot more resources and a lot more talent.

All right, how many people know what this is? I got one person here. What is it? All right, ultrasonic motion detector. Well, what else does it have on it? So what's that? Well, it's got infrared. It's called a request-to-exit sensor, and so oftentimes what'll happen is, like, let's say the back door to a data center, you'll have one of these RTEs, or request-to-exit sensors, that essentially you walk up to, and if the security company was really nice, they would program it such that it would unlatch either the magnetic lock or the door strike that's on the door. Does everybody know what a door strike is? I got one person. All right, so a door strike is a physical mechanism, or electronic-physical mechanism, to lock the door. So on the outside you present your access card to this reader, the door unlocks, and it opens the door latch. So some security companies that implement it thought it was a really great idea to have it so that if you come up to the door, it opens the door and away you go. However... oh, it's gonna jump on me again.
However, I figured out you can go to the local store, a drugstore or a large chain big box, get yourself a nice hot pack, put it on a really long ruler, and sort of slip it under the door, and you're in. So I guess some countermeasures would be mind the gap; don't have a really big gap. Although I haven't done it yet, there's also hand warmers. I come from northern Minnesota, or from Minnesota, the north where it's cold, and we use hand warmers in our gloves and our boots so that we don't freeze our butts off and have frostbite. So that might be another one; they're really flat. Oh, compressed air. Well, except it's looking for heat, though, not... Really? Are you sure? Oh, it's looking for a change in heat. All right. Well, so we'll have to test that. So compressed air would be like the Freon or the propellant that would send it a change, but it's looking for a change in temperature, but it's also looking for motion. So the big deal that I have heard, sort of a story for a long time, was, oh, well, you take a Mylar balloon, you fill it with helium, you shove it under, and it floats up and boom, it opens the door. Well, that doesn't really work, because I took a balloon, went out to the local big box store again, got a rubber hose, got a bunch of balloons, got some tin foil, got all sorts of materials, and started hacking away at it. All right, can I get into this door with this? Nope. Can I get into the door with this? Nope. Oh, hey, look, can I get into the door with this? Yes, the hot pack. So it kind of came to me as I was exiting the door. This is more of an authorized pen test, I guess, rather than a black box pen test. But essentially you walk up to it, and if your hand's moving, I had long sleeves on, your hand's moving, it sees that little bit of heat and that little bit of movement, and boom, the door opens. So anyway, any questions on that one?
I see one way back there. I can't hear you. Yeah, thin foil heating elements. All right. So the other thing I thought about was, what is it, the... oh, now I'm totally blanking on it, but essentially where you've got one side that's hot, one side that's cold. Peltier, yeah. Except you might burn it out, because you have to have a heat sink on the other side in order to get it to cool, to turn on. But maybe if you're trying to get in, you just run it three seconds at a time; it's not going to burn it out. All right. Crash bar, push to exit. So if you actually are going to exit, you push a button instead of doing that.

All right, now on to the main topic. I do have a two-hour slot here, so if people want me to talk faster, that's fine. I'll probably go for about an hour, hour and a half; the original talk is slated for more like an hour. But all right, what is GNU Radio? So, actually, talk about what GNU Radio is, what you need, some of the requirements, some of the cost behind the hardware. So GNU Radio is software, for the most part. It's an FPGA that sits on a board that has a bunch of, well, eight digital and/or four digital-to-analog, four analog-to-digital converters. Essentially it runs Python. Python is good because it's compiled bytecode, at least before it runs, and it uses software. So does anyone have any questions on Python? No? All right, Python's good. Makes you code properly so that you can read it when you're done.

Anyway, all right, so this is the USRP version one. This is what I have sitting up front here. It's a lower-bandwidth wireless radio tool, but it works. Some of the daughter boards... this is actually a picture of the main board. As you can see, it's got a transmit and receive side, and an A and a B side. Essentially, the daughter boards plug in on A or B, and then on transmit or receive. And here's a look at the top side of some of the boards.
So let's see, we've got the Flex 2400, which is a 2.4 gigahertz wireless, and we've got, oh, what's that one down there? It's the 800 to 2400 receive board, and then a Basic RX, basic receive board. I just have the 2.4 gigahertz and the 900 megahertz, or 800 to one gig, board, because it'll do transmission.

All right, so how can I use it? Well, get the hardware, the USRP. I would highly recommend installing Ubuntu. I'm not going to go off on the OS wars; however, there are packages that work for Ubuntu, so you can install Ubuntu, install the dependencies, and get the stuff up and running in about an hour. I tried for several days to get it to work on, what was it, Fedora and CentOS. It was just dependency hell. I mean several days of working at it an hour at a time and doing other work and coming back and working at it. Finally I gave up and said, all right, I'm just going to install Ubuntu. But essentially, like I said, there's a package tree in there for the dependencies. It just goes out and grabs everything. You download the stuff or pull it out of Subversion. Does everybody know what Subversion is here?
So Subversion is basically a source tracking tool. It allows you to check code in, check code out, and most Subversion repositories have an anonymous feed, so you can go to the Subversion repository, pull out the latest and greatest code, which is more than likely going to work properly, and then compile it from there. The biggest part is getting all the dependencies in so you can compile the GNU Radio software.

All right, it does require USB 2.0, which is a big bummer, and I think it's the, what is it, high speed versus fast or something, full speed versus... yeah. So I found out the hard way on my MacBook at home that it doesn't work on there because it doesn't have the full speed USB 2.0. And that was after hours and hours of getting all the dependencies and compiling and going, oh crap. Anyway, the new version is much faster and requires much more processing power, and so they've gone to using a gigabit Ethernet interface. So you essentially are using a raw Ethernet frame component between the USRP and your computer to talk to it. Makes it so you can do a lot more bandwidth, because the USB bus is limited to the amount of bandwidth that you have between the two systems.

All right, so some costs. The USRP 1 is about 700 bucks right now. The USRP 2 is about 1400 bucks. It's pretty expensive, in my opinion, I mean, not for the mild-mannered hacker to go out and purchase. The daughter boards run anywhere from 75 dollars up to 400 dollars. Screws and the case: I think the case is probably a good thing, unless you have a lab or a bench you're gonna be testing it on. And the biggest thing about this is it's not specifically FCC part licensed. Does anybody know what that means? I got one person. I got two people, three.
Maybe anybody want to say? So FCC part licensed is basically a class license where, for example, my ham radio can transmit on certain frequencies. If I modify the radio to transmit on other frequencies, it's now not FCC part licensed, which means that it's an illegal radio, essentially, by FCC standards. The other thing is I can now transmit on just about any frequency that I want, since it's a research tool, right? I mean, that's what it's been used for. And because of that, you can own your neighborhood network, SCADA. Priceless, right? Anyway, I guess the concept is that because it's not part licensed or part typed, you can actually have it transmit on frequencies that you wouldn't normally be able to, which we'll sort of talk about in a little bit here. Does anybody have any questions on the cost or the hardware? No? All right.

So what can we do with it? What's it... oh? SCADA. Oh boy. It's an acronym that is, oh, what is it? It's basically control... man, control networks, it's for... yeah, thank you, control and data acquisition. Of course someone's going to ask me that, and it's a very long acronym. But essentially, a SCADA network would be, like, at your power plant or your water plant or some sort of utility that has devices out there monitoring the flow of water or the flow of electricity, and it will either turn things on or off based on that, or make decisions based on what they see from those devices out in the field.

All right, so some wireless attacks that you can perform, or that people have performed, with GNU Radio: RFID payment cards, the MIFARE cards. They've absolutely been cloned, and they can replay those cards back to the subway. Attacks: GSM attacks, Bluetooth, using multiple devices to do some frequency hopping following, essentially, and then MAS, multiple access system.

All right, so now RFID. Essentially the RFID tag reading, the Boston subway hacks, where they used a USRP as well. MIFARE card attacks, that's
been a long-published one. I think it's about two or three years old now, and they used a USRP, essentially, or were using a USRP originally, to do a lot of the attacks. And then there's the possibility of doing long-range tag reading with something like this, because you can put a linear amp in front of it and jack up the signal that you're using to read that tag. I think there was a talk, or there's a contest this week, to do a long-range read on an RFID tag, if I remember correctly.

All right, there's GSM attacks, A5 cracking. A5 is the encryption algorithm, or the older encryption algorithm, that has been used in GSM. A lot of companies have upgraded to, I think, the next standard, which isn't as easy to break, but that was the old standard. The other thing you can do is you can create your own microcell, so essentially if you wanted to route all cell phone traffic through you, set it up. Or a cell-free zone, which is my favorite.

Yeah, all right, so the other components, or other attacks, are Bluetooth. Does everybody know how Bluetooth works? It's frequency hopping, which means that... so your traditional 802.11 wireless is direct sequence spread spectrum, which means that it follows a line, and you can fairly easily follow that signal and go back and actually do a network dump or some sort of a wireless dump of that signal as it's going in direct sequence. Whereas the frequency hopping will take that bandwidth, or that set of channels, and it'll hop around the channels really fast. There's been some research with the USRPs where they can essentially dump all the frequencies all at the same time, using eight USRPs all in parallel, and then decode the data.
So essentially they can track, like, a Bluetooth headset, for example, track where it's at, dump all the data, and then crack it offline very quickly, just with the way that it sets up the connectivity between the two. Yeah, so the USRP version one lacks the bandwidth, really, to do that, but you could put up a denial of service attack, just do some sort of a wideband broadcast on the 2.4 gigahertz and everybody's Bluetooth goes away.

All right, so this is my custom research that I've done. MAS system, it's called multiple access system. It's what SCADA companies will use to set up a network to transmit data between points, or to move data between points from, you know, a pump, for example. What I found in doing the research, basically, we were engaged with one of our utility clients to figure out, hey, what can we do with this network? Is it vulnerable to attack? I went and found out in this 1992 issue of IEEE, hey, look, there's this thing about this 900 megahertz spectrum, and talking about, oh yeah, it uses 928 and 952. Oh, interesting. All right. And I mean, it's a simple 1992 repeater-style technology. Does everybody know what a repeater is here? A few people know. All right, so repeaters generally have an input frequency and an output frequency. The input frequency would be coming from, in this case, the head end, and then the output frequency is the blue lines here going to all the remote sites. Any time traffic happens on this, like, for example, they want to check the status of Pump B over here.
They would send to the repeater. The repeater would then rebroadcast that signal. The head end would stop transmitting. All the endpoints would receive that message, and the endpoint that actually was supposed to respond would then pick up and transmit back to the repeater, and the repeater would transmit it back to the head end. Does this make sense? Understandable? All right. Yeah, the reply message essentially going back to the repeater, and the head end then receiving it.

All right, so what do you think are some attack methods in this particular instance? Attack the repeater, to be a repeater. That would be a good one, but that requires a lot of power. I mean, I think this is a 50 watt transmitter, which is pretty big. I mean, you can go 25, 30 miles with 50 watts. Any other attacks? Intercept it. That's a good one. That's very easy to do. Act as a head end. Absolutely. So essentially evil hacker comes along, and this is what I did. I pretended to be a head end, or a remote agent in the field. Yeah, okay. Decode, decrypt the traffic. That's one potential. Inject. DoS. I went for the easy one, DoS. I mean, I can DoS this network repeater; I know that their network isn't going to function anymore. And that's really a pretty big component, in my mind, as far as security: the availability of that data. In this particular instance, confidentiality not so much; integrity, absolutely. You want to make sure that you're getting accurate readings from your remote sites. You also want to make sure that when you send a command to the remote site, the integrity is maintained throughout your network. Confidentiality, not a big deal. I mean, who cares if they know that the tank is at 320 feet of water and whatnot.

All right, so evil hacker. First attempt was with a little tiny antenna. I was like, well, let's see if we can get this to work. I got right underneath the repeater, keyed up, and it didn't work. I was like, damn.
All right, so a second attempt. So it's a little bit bigger antenna. This is my ham radio antenna for my mobile, or my car unit. I think it's got an eight decibel gain on it, I think, at 900 megahertz. And it didn't work. So I was like, all right, there's got to be a better way. I've got to find a way to do this, because this is insane. The third time is the charm. However, I used an antenna that was much, much bigger, and in fact here it is. I'm sitting outside at the curb with this big antenna and a tripod, and all I'm doing is keying up on that input frequency. I'm not actually sending messages, spoofing status messages. Whoop, nothing. Well, there we go, nothing. I'm just keying up on the frequency, and: comm fail, comm fail, comm fail, comm fail. So essentially I created a denial of service. They now can no longer manage these devices. Great. Oh, that's not so good. All right.

However, I'm talking with the guy on the phone, saying, hey, all right, can you get to your stuff? And he says, well, no, no, it's all down. Okay. Can you turn a pump on? Nope, can't do that. All right. I said, well, that's not a very good thing in this particular case. He said, well, yeah, but there's PLCs, the programmable logic controllers that are in all these pump houses, that at three o'clock in the morning they'll turn on, they'll pump up water to a certain level, and they'll turn off. I said, oh, that's great, except if they're in admin override mode. I went, oh. So if they're in admin override mode, they don't turn on, they don't turn off, and someone has to go into the 50 or so pump houses and turn the pumps on at three o'clock in the morning. That's not a very good or efficient system. So essentially evil hacker owns the system. If I had more time... yeah, I don't know. Do you guys know how consulting sometimes works, consulting engagements?
Generally you'll try and say, all right, I think it's going to take this amount of time, and you try to go towards an intended target, and if you go beyond that, you're kind of out of luck. You don't have a lot more time to put into it. In this case, I spent a lot of time getting GNU Radio working, getting all the components ready, and at the end of the day I couldn't actually sit down and start to decrypt or decode the packets. However, it's not encrypted, so it's not very hard to go back and actually do a lot of those attacks, and then start spoofing the traffic from the head end, putting things in maintenance mode, etc., etc.

So, yeah, some of the issues. It's wide open. There's no authentication, period. No integrity, period. It's got a single point of failure, essentially from the fact that the repeater is doing all the work in that network. If it was a mesh network or some sort of fail-safe network, you'd at least have a backup if someone DoSed the repeater. In my opinion, this is a very poor design. There should be much stronger controls in place. I got a hand over here. All right. So what are the consequences of a pump not turning on at three in the morning? You don't have water, or you run out of water halfway through. So it's not just a denial of service of the network; it could create a denial of service of the utilities, which could create an outage for people, and depending on if it were a multi-threaded attack, it might cause some unrest in the community. Another question. All right, I didn't hear the question. Well, oh boy, so that's another question. All right, the question is, how close was I to the head end, and how would you go about finding these head ends? Well, so I was very close to the head end, within about a block. How would I go about finding them? Well, the FCC has this wonderful database. Hey, has anyone ever heard of ULS, Universal Licensing System?
Yeah, so essentially you can go to ULS. I think you can enter in GPS coordinates, lat-long, and it'll show you what the transmitters are around you. I mean, as any typical radio engineer would need to know this stuff so that they could figure out why their signal's being impeded on, right? Or you could just go look for the name of the company, because generally, in this particular case, they licensed the spectrum for ten years and it's going to be under their name, and then in that ULS thing they're going to have lat-long coordinates. That's something I didn't include in the talk here, but I did that as well. I was like, oh, look, this is all public. I don't know that I want everybody to be able to find these transmitters and knock them down, essentially.

All right, so some MAS, or multiple access system, radio fixes. Use encryption on top of it, or use some sort of hashing mechanism, so that you now know that there's some sort of integrity check between the endpoints. Another thought is maybe use some sort of 802.11-type network where you can put it in a mesh networking configuration, so that if one node in the network goes down, it doesn't take all the network out. Self-healing networks; I don't know, maybe not self-healing, but at least have some redundancy in the path. A lot of times if you've got a tower, you generally could have two or three points to hit between different towers. Excuse me. All right. Also use out-of-band management for some of these, so that you're not managing this stuff in band. In band would be inside the network.

All right, so I think now we're going to do a little demo, and hopefully it works and doesn't crash. I don't think it will, but does anybody have any questions about stuff so far? No? All right. So the data that I did collect... well, really, I was looking at the spectrum.
I didn't actually get a protocol block decoder and dump the data to disk yet. Yeah, I just didn't have time. It would have taken... because the first thing I would have to figure out is how big the spectrum is that it's using for the transmission of the data, how do I chunk it up and write it out? Yeah, I didn't. It's that 928, 952 frequency. Yeah, and I don't think it was very wide. What's that? Oh, I don't know. Yeah, I didn't go that far into it. Nobody's got a laser beam pointed at my computer, right? Yeah, I think so.

All right, so this is essentially the attack. I used this tool, which is a push-to-talk tool. Let's see, so we'll see if this audio actually comes through. I don't think it will, but... Oh. That's it. So I've now got a carrier frequency that I brought up via the USRP, that's not part licensed, essentially, to operate on the frequency. So that's it. That was it. It is so simple to break the system, because there's no coded tone squelch or PL tone or digital coded squelch, none of that stuff. It's just input frequency, transmit out. Does everybody understand that? So that's essentially the tool that I used to pwn the network. It's so simple that it's kind of like, well... I mean, it worked, though. Most networks shouldn't be affected by that. Yes. This is a 1996, '98 implementation of SCADA, wireless SCADA. So yeah, a lot of the ones that are... well, I don't want to say everything's easy or more secure if it's on an Ethernet run. It has the potential to be more secure.
However, a lot of people will put them on public networks, or in bad places or poor places, or they'll put them next to their users who might get infected, who then in turn could be scanning these systems, and they crash. So you can't buy an off-the-shelf radio to transmit on these frequencies, because it's part licensed. So I would have to go buy an MAS radio in order to transmit on those frequencies, because those frequencies are licensed specifically for each product, essentially. See, so because this product is not FCC part licensed, I can transmit on any frequency. And so the FCC will only license radios for certain spectrums and certain frequencies. Generally, I mean, you probably could; it depends on the radio, though. It probably wouldn't do it in that spectrum. Most of the radios are actually locked in software somewhere as to what frequencies you can actually transmit on. Some of the reprogrammable ones you might be able to do it, but in this case I don't think you would be able to, since it's a closed spectrum or licensed spectrum. So, another hand over here? No? All right, now let's go on to the next sort of thing here. Ubuntu. Yeah, no, it's this laptop. Yeah, it is actually this laptop.

So, all right, so now the next thing I have is sort of, if you had a bug in your house, how would you find it, right? And we'll kind of show you here. All right, so does everybody see that waterfall? It's called a waterfall, essentially. It's showing... and an oscilloscope, for all intents and purposes. Has anyone ever used Wi-Spy, a little Wi-Spy tool? I see a couple of people. So Wi-Spy is a really neat spectrum analyzer. It used to be 99 bucks; now it's 350 or something, I think, for the Pro. But it's actually kind of a cool tool, similar to this, only this we can operate on multiple frequencies. All right, so I brought a little camera along with me, a little wireless camera, yay big. We'll take it and plug it in. Does anybody notice a difference?
So I can actually... I'll show you that here in a second. Yeah, someone hasn't written the H-sync, V-sync for it, but I'll show you. Or they haven't checked it into CVS or Subversion, which is kind of a bummer. But so now you could take, like, a directional antenna. I've got a couple of handmade directional antennas up here if you want to see them. I've got a biquad antenna and a dipole. They're actually tuned for the 2.4 gigahertz frequency, but they'll pick up other stuff, obviously not so great, but at least it'll be somewhat directional. What's that? No, no, no, the camera is not MPEG. It's just transmitting raw video and raw audio right now, but as you can see it's a wideband application. It's using a boatload of bandwidth in the frequency. Oh, yeah, yeah, I mean to the... yeah, I can actually, all right, we could do that. 850 megahertz. I'm willing to play with this if people want to look at spectrums while we're here. Absolutely.

All right, so we could also look at, let's see, the 2.4 gigahertz spectrum. I'll show you that in a sec. So that's this antenna right here. I don't see... where are the access points in here? Oh, there's one over there. All right, so it should pop up with some... there's one over there. All right, and of course it's not working. I was up in the NOC and I was seeing a good solid line of things, essentially where the center frequency is of the direct sequence spread spectrum. See if I boost the gain on this. There we go. So you can kind of see my pointer; you can kind of see there's one line developing right here. So that means that we've got an AP, probably on channel eight.
I'm assuming, since I just took the 2.4 gigahertz frequency and centered it on there. What'll ideally happen is you'll see a line here, a line here, a line here, and a line here for the wireless transmissions, essentially, that you can then say, okay, that's DSSS, direct sequence spread spectrum. All right. Well, I think this is... yeah, that's fine.

All right, so, question about TV, right? Can I view the signal coming off of this camera? So like I said, there's no horizontal and vertical sync checked into the archive, but it's the camera; it's just out of sync. So if I wave my hand in front of it, you can kind of see. Yeah, it's like scrambled porn. Well, chicken. Wow. Wow. So, but that's it. So the TV receive, the question was what daughter board am I using for the TV? This is just the 900 megahertz one. So essentially, if you've got cameras that are in 900 megahertz or 2.4 gigahertz, you should be able to pick it up with this. Now if someone checks in the code block to be able to do the horizontal and vertical sync, this would show up nice and pretty. I worked on this Sunday for a couple of hours going, well, why isn't this syncing? Why can I not see the sync? Oh, because the block isn't there. I actually put it into the Python code and ran the script, and it said, hey, this block hasn't been checked into CVS yet. Anyway, so at least it gives you an idea of what something would look like when it's transmitting, specifically a 900 megahertz video camera, and the fact that you could pick up on it. I mean, absolutely pick up on it.

So, all right, the other thing you could do is audio pickups. There's the boards, the lower frequency boards, which will receive quite a wide amount of images and audio and stuff like that, and do full HDTV decoding, things like that.
Oh, apparently it's been pulled out of 3.2. Okay. So it's been taken out, which is a bummer. Hopefully maybe it'll come back working. All right, so back to the prezo. Come on. Yeah. Can I do...? It's not gonna do it from that slide. Oh, there we go. Good. Good. All right. So essentially we did how you can find a bug, right? How to know your friends, right? Transmitting on frequencies that maybe they're using. How to make lots of money: I have no clue there, but it's fun. It's fun to do this stuff.

So one thing I want to say is, how can I contribute? Definitely go out and pursue hacker spaces, maker spaces, some of the DEF CON groups. I don't know if people know about DEF CON groups. My wife and I run the DC612 group in Minneapolis. Essentially it's a place for people to get together who are like-minded, who would come to this type of conference, talk about things and do things. I think there's talk about doing things like the darknet. I don't know, do people know what darknet is here? I got one person, two people. All right, so darknet is a place where people can sort of join in on the network and hack away at each other without having to worry about either being seen or being sort of taken down, is what I would call it. If your ISP doesn't like the traffic they see, they could take you down. With a darknet, it's all in an IPsec tunnel between friends. However, you have to make sure that that box is an ownable box, because it may get owned very quickly. The other thing is post. So if you make code, post the code back to the archive. I think that's the biggest thing, is the contributors from the community that make this software good. And I want to see more people playing with it, so that it'll drive some of the hardware costs down. I think the hardware for the USRP is very expensive, in my opinion.
I think it should be a sub-five-hundred-dollar product, and then we might see more people playing with it and doing cool things. And then of course, have fun with it, because if you don't have fun with it, what's the point?

So, all right, so that is my talk. I'm more than willing to stand up here and play with the transmission, the eight hundred fifty megahertz, and see what happens in that certain spectrum, or do whatever people want to do. So thank you.
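The MAS radio fix the speaker proposes, a hashing mechanism that gives an integrity check between the endpoints, worked through as an added example that is not from the talk, the utility or any MAS vendor. The frame layout, command codes, site IDs and key are constructed for illustration; the point is that a remote site with an HMAC tag and a per-site sequence number rejects a spoofed head-end command, a tampered frame and a replayed frame, where the unauthenticated 1990s network in the talk obeys anything heard on the input frequency.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for this example (not a real MAS wire format):
#   site_id (u16) | seq (u32) | cmd (u8) | value (u16) | tag (16 bytes)
HDR = struct.Struct(">HIBH")
TAG_LEN = 16                      # HMAC-SHA256 truncated to 128 bits

CMD_STATUS_REQ = 0x01             # head end asks for a tank/pump reading
CMD_PUMP_ON = 0x10
CMD_PUMP_OFF = 0x11


def build_frame(key: bytes, site_id: int, seq: int, cmd: int, value: int = 0) -> bytes:
    """Head-end side: pack the fields and append an HMAC over all of them."""
    body = HDR.pack(site_id, seq, cmd, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def legacy_accept(frame: bytes):
    """The behaviour the talk describes: no tag, no check, so any
    well-formed frame heard on the input frequency is obeyed."""
    _site_id, _seq, cmd, value = HDR.unpack_from(frame)
    return cmd, value


class RemoteSite:
    """Pump-house endpoint that only obeys authenticated, fresh frames."""

    def __init__(self, key: bytes, site_id: int):
        self.key = key                # shared with the head end for this site
        self.site_id = site_id
        self.last_seq = 0             # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (True, (cmd, value)) or (False, reason)."""
        if len(frame) != HDR.size + TAG_LEN:
            return False, "bad length"
        body, tag = frame[:HDR.size], frame[HDR.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Verify the tag before trusting any field; constant-time compare.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        site_id, seq, cmd, value = HDR.unpack(body)
        if site_id != self.site_id:
            return False, "wrong site"
        if seq <= self.last_seq:      # an old frame recorded and re-sent
            return False, "replay"
        self.last_seq = seq
        return True, (cmd, value)


def demo():
    """Constructed scenario: one genuine command, then the attacks the talk lists."""
    key = b"constructed-shared-key-for-site-7"   # constructed, not a real key
    site = RemoteSite(key, site_id=7)
    results = {}

    genuine = build_frame(key, 7, 1, CMD_PUMP_ON, 1)
    results["genuine"] = site.accept(genuine)

    # Replay: the same frame heard again later.
    results["replay"] = site.accept(genuine)

    # Spoofed head end without the key: the tag does not verify.
    results["spoofed"] = site.accept(build_frame(b"attacker-guess", 7, 2, CMD_PUMP_OFF))

    # One bit flipped in the command byte of an otherwise genuine frame.
    tampered = bytearray(build_frame(key, 7, 3, CMD_PUMP_ON, 1))
    tampered[6] ^= 0x01           # offset 6 is the cmd byte in HDR
    results["tampered"] = site.accept(bytes(tampered))

    # Frame built with the same key but addressed to another pump house.
    results["wrong_site"] = site.accept(build_frame(key, 8, 4, CMD_PUMP_OFF))

    # The same spoofed frame against the unauthenticated legacy behaviour.
    results["legacy_spoofed"] = legacy_accept(build_frame(b"attacker-guess", 7, 2, CMD_PUMP_OFF))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {outcome}")
```

Per-site keys and a persisted sequence counter are what make the replay check hold across a remote's power cycle; the counter here lives only in memory to keep the example short.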