All right, you guys, you finally made it. This is the final talk of the day. And of course, we saved the best for last. And this is basically Chris Rock. He's been here for quite a while. It's probably the third time I've seen you here, third time. And he's been my personal favorite speaker, because the topics and the way he approaches problems are the most interesting ones. And I hope you enjoy it, like I will. So please give a big hand to Chris. And you guys are in for a big treat, all right?

Thanks for coming to my talk, everybody. Killer Hertz. You hear me all right? Yep, awesome. So for those who don't know me, I've been a cyber mercenary for 30 years. And I'm also the CISO and co-founder of SIEMonster. I was at DEF CON 23, where I presented I Will Kill You. This was a talk on vulnerabilities in the death industry. And I was also at DEF CON 24 on how to overthrow a government, with Simon Mann. So the reason I'm doing this talk is, as a kid, I grew up with terrorists on the news all the time. We had the IRA, Hezbollah. And in later years, we had Al-Qaeda, ISIS, and Jemaah Islamiyah. But it seems to have gone quiet. So where have all the good terrorists gone? Let's have a look at the numbers. Deaths from terrorism are down 39% in MENA, the Middle East and North Africa, in the last three years. And terrorist attacks in the West are down 68% since 2018. So something's going on. The National Intelligence Report had terrorism as just a footnote. So we're going to have to give these guys a bit of a helping hand, because if it's not considered a risk, we're not going to get a budget to do what we need to do. Just to give you some reference, in 2016 they were number one as the world risk. So they've had a bit of a downfall. So we need to give them a bit of a hand. In the good old days, you could just walk into a house of worship and pull the trigger.
And if your guy didn't have the balls to pull the trigger, you could do it yourself remotely. But you can't do that anymore because of jammers. Jammers are being installed in churches, synagogues, and mosques, not so much for the terrorist aspect, but to keep the audience from using their mobile phones. I originally got the idea for this talk when Julian Assange was in the Ecuadorian embassy, and they were using jammers to stop him communicating. So I reached out to Julian's team and said, what's the problem? And they said, we've tried everything, but we're being jammed. And that was a bit of a challenge for me. How do jammers work, and how do you get around them? Thieves are using jammers to block signals going back to security monitoring stations. So for those of you who know jammers, there's a wide variety of jammers out there. There are jammers to protect military convoys, like the Humvees on the left, and also personnel. There are also jammers to protect the corporate sector, whether it be boardroom secrets leaking out, drones, or spying. And the prison systems are using jammers as well, to stop prisoners from using mobile phones. So here we have an example of a Humvee jammer, the Humvee being protected by jamming signals to stop the IED from blowing it up, and also the Thales Eclipse, protecting with a wave to stop that trigger from going off. So I'll give you just a basic overview of jammers. It's a complex topic, but I'll give you the basics. We have what's called spot frequency, where if you know the frequency of the target, like a mobile phone, you can just blast out a signal on that mobile phone frequency to block it. That's called spot. We have sweep, where you're sending out signals across a wide range of targets, whether it be garage door openers, baby monitors, digital phones, stuff like that. Or we have something called barrage, where we send power across all signals all at once.
Jammers are actually pretty smart and have evolved over the last 10 years, where they now have active intelligence: they'll actually look for a signal, record the signal, and then play back the signal. So if there's something the jammer's never seen before, it can record and play it back, even for pre-detonation. Here's an example of a jammer being used. We've got the Hurt Locker on the left there trying to disable the IED, and we've got the terrorist on the balcony trying to target him to blow him up, and he's got no protection. But on the right-hand side we have again the Hurt Locker, with a jammer protecting him from detonation of that IED. Some of the big manufacturers of jammers, you guys will know these names. And the counter-IED market is a $2 billion industry. Here's an example of a personnel jammer that the military will use, and you'll notice the different antennas there, high, medium and low. We'll get into that in more detail, and you can see the specs beside it. Jammers need a lot of power, so you'll actually see things like runtime and stuff like that. The commercial sector is exactly the same. You'll actually get spec sheets on what frequencies they protect, and also runtime and wattage used per channel. Here's an example of a personal convoy VIP jammer, for protecting VIPs, and you can see the specs within there. I'll just expand on that a little bit. You can see that channel one has a frequency between 20 and 60 megahertz. That gives you 40 megahertz. Now if each receiver on an IED can be configured down to 10 kilohertz, that's 4,000 channels that this jammer must protect against just within that channel one frequency. So we're talking about five watts per channel. You're looking at 20 kilowatts of power just for that channel one. So that's why jammers will use different techniques, whether it be spot, sweep or barrage, for protection. You guys would have seen this diagram before.
It's pretty much a radio frequency diagram all the way up from VLF to EHF. In the middle there you'll see stuff that we use every day for radio, wireless, mobile phones, shortwave radio and stuff like that. And you'll see the jammer essentially blocks out that frequency. You'll notice I haven't covered the low frequencies. I'll get into those a little bit later on. So jammers effectively block anywhere between 20 megahertz and 6,500 megahertz. There are some specialist jammers that'll block down to one megahertz, such as radio frequencies, but that's huge-scale jam protection. They're static; they're not mobile like we saw before on the Humvee. So I was interested in what's below 20 megahertz. Here's an example of an IED, how an IED is put together. Obviously we're not gonna go into all the details of an IED, and we're gonna focus on the switch component, but just so you know what we're looking at here: we have a container, which essentially encompasses the IED. That can be anything: it can be a cigar box, it can be a steel box, it can be a dead cow on the side of the road, or a vehicle. Obviously the shrapnel, the switch, the power source, and essentially the explosives down below. I'm only gonna focus on the switch component. And you can see there, there's some military ordnance there that makes a good IED, because it essentially has some of those parts already, whether it be the container, the shrapnel and the main charge. So all we need to do is add a power source and a switch. So let's have a look at the different types of switches. We're not gonna go into all of them. I've written a paper; you can have a look at the other ones later on. But going from the bottom up, we have victim-operated. This could be like a cigar box, similar to what the Unabomber used, where the victim opens it up and gets blown up.
And we have a timer, which is gonna be anything from a kitchen timer, that can be a washing machine dial, or it can be something as complex as a number 10 delay pencil, which they used in World War II, which is essentially a pencil with a copper section with a glass vial inside; when you crush the copper section, the vial would break, and cupric chloride would then melt a striker and kick off the detonation. The one we're looking at today is the command, the remote control component. So looking at command, obviously we have things like tripwires and stuff like that. No, we're not looking at that today. We're looking at the radio control section. So in the red box there, you'll see things like cordless phones, mobile phones, garage door openers, baby monitors and things like that, something that can be triggered remotely. Now the beauty of these technologies, when you're using things like mobile phones or cordless phones, digital phones, is they've been designed to put up with interference. So if they're being jammed, they'll actually switch frequencies. So jammers need to look at that and then move frequencies to support that. So I'm a bit of a practical guy. I'm happy to do the theory, but I like to look at the prac side as well. So I've actually built the switch component of an IED with a garage door opener. But instead of having an initiator to kick the explosive off, I've just used a flashing light; that seemed a little bit safer. So you can see there's no container there. There's the power source, the 12 volt battery, the initiator, which is actually the light in this case, and the remote control garage door opener, which is the switch component. I've done the same with a mobile phone. In this case, I haven't used a light. I've used a piece of nichrome wire, which acts as an initiator. And I don't know if you can see that clearly, but it just lit up. So now that's the switch component. And then I'll show you how jammers work with that.
So let's test our IEDs out in the field. First with a garage door opener and then with a mobile phone. So that was shot with a Phantom camera that does 1,000 frames per second to get that footage. So let's look at the countermeasures. Let's look at the jammer. How does the jammer operate against these IEDs? Again, here's our garage door, and let's have a look at what a jammer does. So it completely kills the signal. Again, let's have a look at the same example with a mobile phone. So you can see the jammer is very effective. This is just a portable jammer, but very effective in blocking the signal from the phone. Now the jammer will either block the transmitter or the receiving device. Next we'll have a look at the jammer in the field. In this case I've used a more powerful jammer, just because of the ranges that we had to do. So this is based on a Pelican suitcase jammer. So that jammer essentially blocks the communication. It's essentially a 10-to-one mute ratio. So now that we know how jammers work, where are the holes in the technology? So we can see the jammer blocks those frequencies. We talked about it before, the 20 to 6,500 megahertz. But what about these other frequencies, VLF all the way down to ELF? You can see the wavelength size. I think that might be the problem of why jammers are not configured to work at those sorts of ranges. Taking a closer look at these frequencies or wavelengths, you can see that they're used by the military, VLF, ULF and ELF. And you can actually see that it's used from a military point of view for things like navigation. There's also a way of communicating with submarines underwater. So these wavelengths actually travel around the world. In the 60s there was actually a project called Project ELF, where they built these arrays. And you can see the sizing: there's 6,000 miles of buried cable and 240-mile antennas to actually transmit.
So you can see now why jammers are pretty much not configured below 20, just because of the size of the antennas required. Just to give you a visualization of how VLF works, here's a cross section of the earth, 400 kilometers. On the top, Z, that's our ionosphere. That's 40 kilometers above the earth's surface. On the y-axis, the lowest point is the earth's surface. And you can see the VLF wavelength actually propagating, or going around, the earth's surface. So it's great for communication around the world. Okay, ULF, lower than VLF, ranges from 300 hertz to three kilohertz, wavelength 1,000 to 100 kilometers in length. And at two kilohertz, which is gonna come up during this talk, the wavelength is 150 kilometers long. And you can see by the antenna size of the half wavelength, we're looking at a 75 kilometer antenna. Now having an IED with a 75 kilometer antenna up is pretty obvious. The signal travels through earth and through water. I need to explain something called near field and far field. Some of you will already know what this is, but I need to cover this in depth so you can see what technology we're using here. I'll use the duck in the water example. So picture a dead duck that you chuck in a pond. When you chuck the duck in the water, it will bounce left and right, up and down. Away from that duck, you'll see ripples or waves, away from that target. Where the duck's moving left and right, up and down, we call that near field. Where it has those nice, consistent waves, we call that far field. When we're talking about far field, we're talking about all the wireless crap that you guys use on a daily basis: mobile phones, garage doors, baby monitors, everything. That's radio comms, but it's the near field part that I need to communicate to you guys, on what this tech is that I'm using. So here's a more technical view than the duck of near versus far. In this case, instead of the duck, we have the antenna. We have the wavelength, reactive.
I'll get into that a little bit later. It moves into the Fresnel region, then far field. Another technical view: just before the transition period, that's our near field range. And you can see something called an E field, electrical field, and also an H field, magnetic field. Essentially, the antenna's getting its shit together. It's 90 degrees out of phase as it moves into far field, which is essentially two wavelengths from the antenna. The reason I wanted to show you this is the H field is something that we're looking into, the magnetic field. We're not interested in the E field; it's the magnetic field we're after, before it reaches far field. Again, another diagram there. The point that I wanted to show you this diagram for is just where you can see two wavelengths out for far field and one to two wavelengths for near field. And that reactive zone there, near the antenna, actually transmits power. So we can actually transmit power in that reactive zone. And this is the far field. This is what we use pretty much every day with wireless comms. You can see we've got the electrical field and the magnetic field working at right angles, perpendicular to each other, with a clear path. This is like the waves from the duck. It's just a clear communication path. And we use near field every day. You guys use it for payment processing, or proximity cards running at 13.56 megahertz or the older 125 kilohertz. You'll notice the antenna is a coil. And that coil is used to pick up that H field that we were talking about before, in the near field range, not the E field. Now all our lives in security, we were taught near field is great for secure communications at short range. And that's true. It's got a great range of one to five centimeters. But what happens if we change that? What happens if we use two kilohertz? Our near field range is 75 kilometers. Now I can work with 75 kilometers.
That gives me a communication channel that I can use, as long as I can get a large enough antenna to communicate at that range. So how do we create a wavelength without the massive antenna? Something called earth mode. We're essentially using the earth as an antenna. So NATO defines earth mode in three separate ways. We've got to make sure that you guys know which one's which. The first one is up and over. A large antenna is inserted into the ground, and the VLF, that large wavelength, or ULF, will move up, across and then down. That's not what we're using today. We have our deep strata mining comms, the one that actually goes through the earth. This is used in the mining industry. Up to eight kilometer loops on the surface of the earth, and it uses a magnetic field to communicate down to miners. You guys may or may not be aware that you can't use radios underground. So there are ways of getting around that using magnetic fields. It can also be used for blasting as well. So if you've got blasting caps underground, you can actually send a signal from above the ground, which is safer, to blow it up. You can also communicate to miners, one-way communication, or use it for asset tracking as well, for objects that are under the ground. And the third one is the one that we're looking at today. It's an adaptation of something called conduction current mode, where two electrodes are inserted into the earth with a voltage applied to both electrodes, and a magnetic field is created in the earth's surface to a receiving target. Now that can be picked up either by an E field, another two probes at the other end, which we're not interested in, and that was used by Morse and in World War I to communicate between bunkers; or, the one that we're using today, a magnetic field loop antenna. So before we create some hardware, we're gonna have to do some simulations to find out what's the best frequency, what's the best distance between electrodes, and what's the best voltage to apply.
So I used three different programs to do this. One's called ANSYS, one's RES2DMOD, and one's CST Studio. You can see the block of the earth we used for the simulation, nine by nine by two kilometers, two kilometers deep. And we used electrodes that were two meters in length, one meter into the ground, and they started off 10 meters apart from each other. This will give you an idea of what the signal actually looks like. So from the simulation, you can now visualize and see that the signal not only travels along the surface of the earth, it travels in the earth itself. Again, radio frequencies don't travel underground, but at this low spectrum, it does. So the first three frequencies we used were 73 kilohertz, nine kilohertz and 0.1 kilohertz. And that shows you a bit of the range that we used. So 10 meter electrode separation, only one amp was applied. We're using no modulation, no preamps. This is just basic: which frequency can generate the most distance for signaling. And the 0.1, as you can see, was close to a kilometer in length. Here's a spreadsheet, more details in my paper, about 73 kilohertz. We can effectively get a range of 1,600 meters using 1,000 meter separation between electrodes, 3,600 watts of power, and that's the usable distance. At nine kilohertz, you can see we can get further distance. We can get up to 2,800 meters with nine kilohertz. Again, this is with no modulation. This is with no impedance matching. We'll get into that a little bit later. And finally, 0.1 megahertz. You can see there we're getting ranges of up to five kilometers in length. And that was the simulation based on 0.1 megahertz. Now, why don't we just use 0.1 megahertz? It obviously goes really far. The problem we have is that at that range we're dealing with all the other nonsense in the world. So we're dealing with natural and man-made noise, natural being lightning strikes.
So lightning strikes, I couldn't even believe this figure, eight million strikes per day hit the earth. And like I showed you with that VLF wavelength that goes around the earth, exactly the same thing happens with lightning strikes. And we're talking like a billion volts. So the signal goes pretty far. Man-made noise, we're talking about things like utilities, transformers, stuff that is a side effect of man-made equipment. So instead of using 0.1, which has a lot of noise, the best range was one to four kilohertz. In this slide you can have a look at what it looks like, low power versus high power. Obviously the more power you put in, the longer the signal. So you can see one kilometer at 20 watts, whereas we got 2.5 kilometers at 3,600 watts of power. Also TX electrode separation. We've got one at 10 meters and one at 100. So we're starting to see a pattern here. Something I'll get into a little bit later, but it's something called normal versus tangential. Normal means an antenna is lying flat on the ground; that is, that loop antenna lying flat on the ground. Tangential is when that antenna, that loop, is actually vertical, 90 degrees from the earth's surface. Now why don't we use tangential? I'll get into that a little bit later. We obviously get more distance, but we absolutely have some issues with it being up and down. Especially with an IED, I don't want that standing above the earth's surface, but there are other reasons as well. We did some E field tests as well. You may remember from the picture I showed you before, and actually there's a tiny little picture there, where we've got the E field up the top in near field and also the H field. This was done previously through history, as I said, by Morse during World War I. The range was not as good. Another thing we had to take into account before we designed our hardware was impedance matching. Impedance matching means matching to the soil you're using the device in.
By matching the impedance on the receiver and the transmitter, we actually got further gain from the hardware device and also within the simulation. So we can see we got 1.5 kilometers in dry soil with matched impedance, but we only got 0.7 with non-matched. So in the hardware, we needed to actually put in some impedance matching. Another thing to take into account, because we're using frequencies which have a lot of noise, is modulation techniques. The best ones to use through the earth are something called ANC, adaptive noise cancellation; MLD, maximum likelihood detection; and DAFB, decision-aided feedback. We could double our distance by using the right modulation techniques. In the paper that I've written, which is on the DEF CON media server, I've actually got schematics for different modulations so you can try them out. We talked before about using power through the earth. We can actually transmit at 3,600 watts. We can actually move power through the earth at about 50 meters. It's not a huge range, but we can actually move power through the earth. And you might think, well, what's the point of that? Well, it can be used in things like agriculture. We can actually run this across a farm and have sensors underground without power. I talked before about normal versus tangential antenna placement, where tangential had better range than normal. The beauty of normal is, if it's lying flat on the ground, it's immune from jammers. With tangential, in the unlikely scenario that someone's running a jammer that's, we're talking thousands of kilometers away, in far field against the one to four kilohertz range, what we need to do is use two antennas at right angles to each other. And sometimes we would need a whip antenna to confuse the jammer. And just using the simulation software, we can actually see that by using the right frequency, the right separation, the right modulation, and upping the power, we can actually get big ranges with this thing. That's 4,200 meters.
That's without preamps. Okay, that's enough of the simulation stuff. Let's go to the hardware. This was my prototype, using those simulations. So on the left, we have the transmitter, which has got signal generation, a power pack, modulation. And on the right-hand side, we have a circular antenna. I'll get deeper into that. A laptop for doing modulation, as well as data logging, encryption, and stuff like that. And a battery and analog. A lot of this can be replaced by using things like an Arduino, where we can use pure synthesis. So here's our transmitter, with a commercial version where we've replaced a lot of those parts with smaller parts, obviously. When I design hardware, it's always best to build big, make it easier on yourself, and then shrink it down when you know it actually bloody works. So in this case, we're using the Arduino or Pi to do the encryption and processing. And here's the RX component. We shrunk that down quite considerably, again using an Arduino. You can see on the ground there that circle. I'll give you a close-up on that in a sec. And an LCD display. So you can actually communicate, not only on an IED, but you can actually communicate messages between transmitter and receiver at those distances. And on the one on the left, we have the transmitter. These are the electrodes. In the real world, in an IED setting, you're not gonna use electrodes. You're gonna use things that already exist: stop signs, picket fences, stuff like that. And on the right, we have our antenna, which I'll expand out. So there's a one-meter diameter antenna with copper wire that's wound round. That is our loop antenna at large scale. Here are the field tests that we did in Australia. TX electrodes 50 meters apart. We only used 20 watts of power because we were in the middle of nowhere. And we received, we got to 923 meters in distance. And that was with basic ASK modulation. Something interesting that did pop up was this result here.
And on closer analysis, you'll see that red line just going across from east to west. That was actually some fencing wire underground. So you'll notice the signal, being an H field, magnetic field, actually transmitted along the wire. The beauty of that is, you can actually get longer distances by using something called utility-assisted mode. And there's actually some literature on the internet where you can look at hobbyists using underground pipes in the UK to get longer signals, with even basic equipment like what I'm putting forward here. So in other words, if you're in an urban setting, you'll get further distances. Everything I've built is homebrew, so you can build your own, including the schematics. And again, they're all on the media server. So in summary, this is what we've built. We've got a commercial transmitter with two electrodes in the ground at varying distance. We've got a large-scale jammer, and we've got our loop antenna under the ground. So let's have a look at it in effect. Besides the IED component, we have other use cases for this technology. Again, agriculture, as I mentioned before, about communicating with underground sensors. Again, you don't need power. You can actually communicate short distance with power. Also, another use case is spying. We're running at one to two kilohertz. The jammer, like I said, isn't listening down there; it's at 20 to 6,500 megahertz. And you need large antennas to pick these sorts of signals up. Also in a war setting as well. So just to summarize, the device will communicate up to seven miles in length. It operates at one to four kilohertz. Conductive current magnetic field, ULF in near field, not far field. Jammers work in far field. Configurable from 20 watts to 3,600 watts, and scales up to 20 kilowatts. Obviously, the more kilowatts you're running, the more difficult the hardware is to manage at the transmitter end. Our RX only runs on 20 watts. Impedance matching for different soil types, whether it be dry, sand, or wet soil.
Encrypted messages. We've got modulation options, as I said, jammer-proof. And that's the end of the talk. If you want any further details on the tech, you can have a look at the paper on the media server. Thank you very much. Thank you.
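The two pieces of the talk a practitioner will want to see worked through are the near-field geometry at 2 kHz and the "basic ASK modulation" used in the Australian field test. The Python below is an added illustration written for this page; it is not Chris Rock's hardware, schematics or the code from his paper. It computes the 2 kHz wavelength, the 75 km half-wave antenna and the talk's "two wavelengths" near-field boundary, then modulates a constructed bit string onto a 2 kHz carrier with on-off keying, adds constructed Gaussian noise standing in for the atmospheric and utility noise the talk describes, and recovers the bits with a coherent correlator. The sample rate, bit rate, noise level, message and the two-wavelength rule of thumb are all assumptions; note that the textbook reactive near-field boundary is the smaller lambda/(2*pi), so the 2-lambda figure is the talk's own convention rather than a standard one.

```python
"""Near-field geometry and a basic ASK link at 2 kHz, as a worked example.
Added illustration only: not Chris Rock's hardware, schematics or paper code.
Sample rate, bit rate, noise level and the two-wavelength rule are assumptions."""
import math
import random

C = 299_792_458.0  # speed of light in vacuum, m/s


def wavelength_m(freq_hz):
    """Free-space wavelength; 2 kHz gives about 150 km, as in the talk."""
    return C / freq_hz


def half_wave_antenna_m(freq_hz):
    """Half-wave dipole length: the 75 km antenna the talk calls too obvious."""
    return wavelength_m(freq_hz) / 2.0


def near_field_radius_m(freq_hz, wavelengths=2.0):
    """Near/far-field transition as the talk draws it: about two wavelengths out.
    Assumption: the talk's rule of thumb; the textbook reactive boundary is lambda/(2*pi)."""
    return wavelengths * wavelength_m(freq_hz)


SAMPLE_RATE = 32_000.0  # samples/s, 16 samples per 2 kHz cycle (assumed)
BIT_RATE = 100.0        # bits/s, 20 carrier cycles per bit (assumed)


def samples_per_bit(sample_rate=SAMPLE_RATE, bit_rate=BIT_RATE):
    return int(sample_rate / bit_rate)


def ask_modulate(bits, carrier_hz=2000.0, sample_rate=SAMPLE_RATE, bit_rate=BIT_RATE):
    """On-off keying: carrier present for a 1 bit, silence for a 0 bit."""
    spb = samples_per_bit(sample_rate, bit_rate)
    out = []
    for i, bit in enumerate(bits):
        amp = 1.0 if bit else 0.0
        for n in range(spb):
            t = (i * spb + n) / sample_rate
            out.append(amp * math.sin(2.0 * math.pi * carrier_hz * t))
    return out


def add_noise(samples, sigma, seed=1):
    """Constructed Gaussian channel noise standing in for lightning and utility noise."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def ask_demodulate(samples, n_bits, carrier_hz=2000.0, sample_rate=SAMPLE_RATE, bit_rate=BIT_RATE):
    """Coherent detection: correlate each bit period with the known carrier (a matched
    filter) and threshold at half the noise-free 'on' score, which is spb/2 when each
    bit holds an integer number of carrier cycles."""
    spb = samples_per_bit(sample_rate, bit_rate)
    threshold = (spb / 2.0) / 2.0
    bits = []
    for i in range(n_bits):
        score = 0.0
        for n in range(spb):
            k = i * spb + n
            t = k / sample_rate
            score += samples[k] * math.sin(2.0 * math.pi * carrier_hz * t)
        bits.append(1 if score > threshold else 0)
    return bits


def demo():
    """Round-trip a constructed message through the noisy channel; returns (sent, received)."""
    message = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]  # constructed payload
    tx = ask_modulate(message)
    rx = add_noise(tx, sigma=1.0)  # noise sigma equal to carrier amplitude (assumed)
    return message, ask_demodulate(rx, len(message))


if __name__ == "__main__":
    print(f"2 kHz wavelength: {wavelength_m(2000.0) / 1000:.1f} km, "
          f"half-wave antenna: {half_wave_antenna_m(2000.0) / 1000:.1f} km, "
          f"near field out to: {near_field_radius_m(2000.0) / 1000:.1f} km")
    sent, got = demo()
    print("sent    ", sent)
    print("received", got, "ok" if sent == got else "ERRORS")
```

With noise of the same amplitude as the carrier (roughly 0 dB per-sample SNR), the 320-sample correlator still decodes every bit: the noise-free score for a 1 bit is 160 against a threshold of 80, while the noise contribution has a standard deviation of about 12.6, so the margin is over six sigma. That processing gain from a slow bit rate is what lets a ULF link sit inside the lightning and utility noise the talk mentions; a real through-earth link still needs the impedance matching and adaptive noise cancellation listed in the talk on top of this.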