Travis Goodspeed is a very well-known man, and I really think he needs no introduction, but because I get to stand here and do it anyway, I'm gonna... I've been a big fan of his ever since his neighborly belt buckle, to be quite honest, and it just keeps going into crazier and crazier stuff, from random replay attacks on unknown radios to packet-in-packet technology, and apparently today we're talking about Matryoshka dolls, so everybody give Travis a big welcome and enjoy. They're released for this? Or is it just the tape? No, just the tape. Cool. Now I get to run around and do the gangster rapper thing. So, like any gangster rapper, I need to do a shout-out to my homies. Has anyone read A Canticle for Leibowitz? Right, right, two of you. Okay, so only two of you in the audience have read the greatest work of science fiction ever written, or the greatest religious book ever written by an atheist. A Canticle for Leibowitz is about the Blessed Saint Leibowitz of Utah, who, shortly after a nuclear holocaust, well, before the bombs started falling, was a Jewish electrical engineer. After the bombs fell, people got really weird, and they started burning books. So what he did was he joined the Catholic Church, and he founded an abbey, the abbey of Saint Leibowitz, and this little abbey was... He created an order of monks, and he designed them into two parts. The first part were the memorizers, and it was their job to remember as much of the meaning of the books as possible, and of science and technology and literature, and those sorts of things, as they could. They're like the book people from Fahrenheit 451. The other group were the bookleggers, and it was their job to drive out into the desert and to bury oil drums filled with physical artifacts of books, the positions of which were memorized by the memorizers. 
So when the memorizers weren't violently killed by the peasants, they would know that in a few hundred years they could go out and dig the books up and rebuild civilization. The book is in three parts. It walks all the way from the rediscovery of writing itself to the rediscovery of the light bulb in its second part, and then in the third part there are starships again, and I won't spoil the ending, but a bunch of bombs fall and a bunch of people die. It was like a very good time for the carrion eaters. So Sergey and I were talking about this book, and we were also talking about radio. So Sergey and I started working together when he got me blind drunk at REcon, and the next day I missed my flight, and I had to hitchhike back to the United States of America with him, and while we're like waiting in line for customs, he tells me that I agreed to be part of a wireless fingerprinting project. It seemed like a bad time to say no, so we continued with that. This resulted in an attack called packet in packet that allows you to remotely inject a layer one wireless frame if you control layer seven data, without a software bug. It's a protocol bug in the way that noise damages a packet. So when you think of a radio, we sometimes think of a parser. The receiver is a parser. It's parsing the signal, but it's different from the parsers that you work with in computer science in that a radio receiver is dealing with a noisy signal. Very few other places in computer science deal with damage, because we do everything in our power to abstract that away. So we do packet retransmissions to pretend that our sockets never lose anything, so that if you're programming at a higher level, you never know that it happened. Our hard disks automatically identify damaged regions and move data to other regions, so it looks like they're perfect. 
But this damage still happens under the hood, and in the same way that you can have parser bugs in software, you can have parser bugs in hardware or in radio. And the assumption was that because these machines were so simple, there wasn't anything you could do with them. Like usually when you're trying to exploit a parser, you're trying to get native code execution. But there's this other style of security called LangSec, started by Len Sassaman and Meredith Patterson. And in this style, you don't need memory corruption. All you need is a difference of opinion as to the meaning of the signal. One of the earliest examples of this was an X.509 certificate that had a null byte in the Pascal string. Now, a Pascal string has a length and then that many bytes. And this is valid for the host name in an X.509 certificate. But in C, the string ends at the first null byte. So if you put a null byte into a domain name in a certificate, there was a point in time in which some certificate parsers would think that the string ended on that null byte, and others would see the full thing. So you could create, you could purchase a certificate for Microsoft.com, null byte, .travisgoodspeed.com. And to the Pascal string ones, I can prove that I own that domain. And to the C ones, I can prove that I have a signed certificate for Microsoft.com. This no longer works, of course. This was fixed a while back. I think Moxie Marlinspike and Len Sassaman separately discovered this. But the idea here, the overarching idea, is that this difference of opinion is something that we should pay attention to because you can get exploits out of it. So these parser differentials are exploitable. We're just not talking memory corruption code execution exploits here. Like, the world is a larger place. This sort of bug was also responsible for the Android master key. Zip files, hey, come on in. So zip files were originally intended for use on, like, tape archives. So in a zip file, the index is actually at the end. 
So a zip file is read from the end of the file backward. If you make a small zip file and you just append that to a PDF file, you have, like, a valid polyglot that's both a zip file and a PDF file. But another reason for this was that, you know, you've got your file. It's very large. It's spread out over multiple floppy disks, or, like, a long stretch of tape. And you want to update one file in it. Well, in the zip file format, this was thought of. There's no need to rewrite the entire file. You don't have enough storage. So what you do is you just append your new file and then a new index at the end. And you happen to have a garbage index in the middle. And you happen to have two copies of the file. But you've saved time because you've not had to insert and remove 26 floppy disks, or waited for the tape to rewrite itself. So the Android master key bug was that you could actually have two copies of the same file. And the way that Android would work is that it would validate that every file had been properly signed. And then it would extract the files. But the validator and the extractor saw different versions of the same file. One of them would always look at the first copy and the other would always look at the second copy. So you include one copy of the Angry Birds thing that is properly signed by the DumaJakey Threatbutt people. And then you have another version that's backdoored. And the validator sees that the signature is correct for the first and then it installs the second. These are useful. So we started playing around with this in ZigBee and in Wi-Fi. And we started looking for, like, what the good target was. And the good target that we found is the start of frame delimiter. So we did a trick called packet in packet. In packet in packet, you assume that as the wireless packet goes out in the air, you control layer seven. And if you remember the silly little OSI model fiction thing, fairy tales have their purpose, right? 
So at layer seven, you have, like, the application data. That's the cat picture. Generally, your phone will trust me to send it a cat picture. It won't trust me to allow you to send a random packet. It won't allow me to write anything at the low level. And we're assuming that I have no radio. But I can send, like, the layer seven data. So in doing that, we realized that the collision avoidance in 2.4 gigahertz wireless protocols is almost non-functional. And this exists for physical reasons as well as for protocol reasons. The first is that these protocols don't avoid each other. So Wi-Fi is based on the principle that you politely ask to speak, and then you give a very long message. That's what I'm doing right here to you, right? So I've asked for permission to take an hour of your time. Hopefully, afterward, you'll think that that hour is worth it. But you won't interrupt me until I've finished the transmission. You might walk out, but you won't interrupt me. Wi-Fi is more like a casual conversation with an overactive 14-year-old. Sorry, Bluetooth is more like an overactive conversation with a 14-year-old, in that the different radios just interrupt each other all the time. And they repeat the same thing so many times that one of them is guaranteed to get through. And they have immediate acknowledgments. It's like, can I have my allowance? No. Can I have my allowance? No. And this, like, bounce-back works very well for avoiding serious congestion. And at the same time, asking permission to do a long transmission works very well, unless you combine the two, in which case, as I'm giving a lecture, someone's bouncing up and down and saying, hey, hey, can I have my allowance? Can I have my allowance? Can I have my allowance? And that, like, breaks the flow of things, right? So what we found was that because these collide, there is damage to the encapsulation. So a ZigBee packet begins with 00 A7. This is the start of frame delimiter. 
In Ethernet, we would call this a sync field. In Wi-Fi, it's a little bit more complicated because you've got, like, a pre-packet and the real packet, but that's a different lecture. In ZigBee, though, 00 A7. So if you damage that 00 A7 at the beginning of the real packet, then the receiver thinks it's listening to background noise. And if the attacker controlling layer seven inserts 00 A7 and a valid packet with a valid checksum, the receiver, which is in the state of being in background noise, will accept that packet and will forward it up the stack. This allows you to remotely inject a layer one frame controlling only layer seven data and without owning a radio. There are other ways of doing it. In the International Journal of Proof of Concept or Get the Fuck Out, we presented a version in which not a single byte is in common, because we create a string that, when viewed one eighth of one nibble off, becomes the valid attack string. This paper is called "A Defense Mitigation Bypass for Packet in Packet, or I Burned an 0day to Use the Phrase 'Eighth of a Nibble' in a Paper". So what we'd like to do here is a little bit different. Here we're talking about ham radio. In the Leibowitz paper that'll be available here at the No Starch Press booth and a few other places this afternoon, we set up this elaborate story of Alice and Bob trying to smuggle data across the US-Canadian border. Christopher Soghoian becomes dictator of the United States and outlaws 0day. The Canadians would like to share some literature with us, but it's illegal to import it, so you've got to sneak it across the border. Ham radio really shouldn't be used for doing this until there's an evil dictatorship, but as long as you don't use cryptography, and as long as you're not intentionally obfuscating it to hide the meaning of the signal, it's completely legitimate to play around with the protocols that would allow you to do such things if you flipped two switches. 
So what we propose is that you treat this as sort of like a game, and then you start creating signals for your friends and then swapping them back and forth and playing around with reverse engineering them. And in doing it that way, you're sticking to the spirit of ham radio and the spirit of exploration, of trying new things out. So part of this is steganography, in that you're trying to hide that you have a second message, but we're not doing it in a style focusing on steganography. We're doing it in a style focusing on weird signals. So, like, one of the things that I'll show you is a polyglot that is valid as both Morse code and as PSK31. Because in Morse code, your channel is so wide that if it wobbles a little bit, the receiver still knows what's going on. That your tone is 60 hertz wide instead of 1 hertz wide doesn't matter, because the older transmitters weren't that stable anyways. So the idea here is that you can smuggle your traffic on the back of an older signal. So how do you actually create a radio Matryoshka? We don't want to just do protocol tricks that might be found, or when you do, you want them to be done in a clever way. In image steganography, there's this issue where there are all sorts of false assumptions. My favorite is the false assumption that the least significant bit of an image is random. You can actually take a picture and try this yourself if you like image steganography. Take just a regular photograph and then, with Python or whatever, select only the least significant bit and draw that in black and white, and you'll actually see an outline of the picture itself, because the less significant bits get biased. The analog-to-digital converters are not perfect. So every receiver is built for a certain modulation, but it also has to ignore noise. So it ignores the other styles of modulation if they're orthogonal to the original. 
If the receiver knows that the signal is encoded in a phase change, it generally ignores a change in amplitude, especially if you do the change in amplitude slowly or at an expected time. You can also do tricks with error correction. There was a talk on ham radio steganography here at DEF CON last year by some folks from Boston, and they flipped... oh, howdy, guys. We should grab a beer later. So what they did was they flipped the error correction bits of a very strongly error-corrected signal, one that was intended for weak signals or moon bounce or things like that. And they figured out which ones were safest to change in order to cause the received signal, through error correction, to produce the clear text signal while leaving their cipher text signal in the corrected bits. So error correction helps you. There's also encoding, which for ham radio is very loose and forgiving. Postel's principle, the idea that you should always transmit perfectly within spec, but you should receive as liberally as possible, like, be conservative in your implementation and liberal in what you will accept. This is terrible for security. But it works out pretty well in ham radio because, in general, people are polite. I mean, except for that one guy on your local repeater who keeps playing pooping noises. The thing is, like, my Yaesu can talk to your Baofeng and there's not that much trouble with it. So I'm going to quickly review some radio concepts, and some of those will be, like, lies to children. But that's how teaching works. And there's only an hour, so forgive me for that. You basically have, like, a raw signal, and that is the waveform that goes out over the air. And you want to put some data on that, so you modulate it. One way to do this is AM, where you're changing the amplitude. There are variants of this, like single sideband modulation, which are more efficient or which have some other benefits. 
FM: your actual, like, the height of your wave, your amplitude, is staying the same, but you're scrunching it down and spreading it out. So your frequency is changing in order to encode your signal. There's also this phase thing. Like, phase shift keying, I used to describe in lectures as just this phase shift thing. But the general idea, and this is not really what it would look like on the air, because this change is too abrupt, but you can imagine it as, like, a sine abruptly becoming a cosine. So you're sort of jumping off by half of a wave. If you do it this way, you get audio and radio artifacts. It spreads the signal out. So instead, what you do is you sort of scrunch down the amplitude to nothing and raise it back up. And in doing it that way, the actual changeover point is when your signal is at the least strength. So even though you're creating noise, it's too quiet for anyone to hear. And then mathematicians look at this, and they've got, like, all the fancy symbols and stuff. But what we sort of want is, like, Python code or something that we can play with that is related to these symbols, but with fewer Greek letters. The other thing to keep in mind is this idea of a Fourier transform, which converts from time domain to frequency domain. That's what produces these lovely little waterfall diagrams in which you can visually see how much of the spectrum is taken up by the signal. So a ham thinks about a digital signal in rather different ways. And I'm talking here mostly about HF digital radio. In VHF and UHF and Wi-Fi, as the data rates become faster, it becomes harder to visualize what's happening under the hood. So these tricks might apply to those signals, but the barrier to entry is very high. When I implemented 802.11's scrambler, I was, like, speaking in tongues for a week. So dates really don't like it when you start talking in Verilog. So Upper Sideband has some specific, like, filtering definitions to it. 
But the gist is that you're taking a chunk of spectrum that's at radio frequencies, let's say 28.120 megahertz, and you yank that entire region down to the audio frequencies so that you can hear it. And if you have an audio tone of one kilohertz, that means that the actual radio wave is one kilohertz higher than the zero point that you've tuned to on your radio. Is this making sense? So Upper Sideband is really cool because all of this radio problem suddenly becomes an audio problem. You run an audio cable from a 1970s ham radio to a laptop, and you can receive these digital signals. At the same time, you can record them on a tape recorder and play them back, and they're still legible. Now FSK and PSK are whether you're changing the frequency or the phase. If you change the frequency, you have, like, a high frequency and a low frequency, and you just bounce between them. The high frequency is a one, the low frequency is a zero. In phase shift keying, you are flipping the signal upside down. So as the wave is going like this, you just abruptly bounce it off, like the singing bouncing balls in '30s cartoons, you know, where it bounces on each word, and then sometimes it gets stuck when the words are sung wrong. And this is very low data rate because it has to fit into the audio channel. Another cool thing about it fitting into the audio channel is that, you know, the audio channel digitally contains a lot more information than you would use in a voice channel. So, like, a conversation at a normal, not really stressed, typing speed takes about 31 baud. So PSK31 is 31 and a quarter baud, baud being symbols per second. So this is only 60 hertz wide in the spectrum. You can fit a lot of those into a 1500 hertz audio channel or 2500 hertz audio channel. So what you do is you transmit on one frequency, I transmit 100, 150 hertz higher than that. And in Upper Sideband, these signals just combine, and then they're both available and they don't interfere with each other. 
And in this way, you can have a single audio channel that supports a lot of conversation. You'll commonly see 15 or 20 conversations going on at once, and your computer is powerful enough to parse out all of them and show you what everybody is saying. Upper Sideband was initially created as a response to the epidemic of band spreading. In full AM modulation, you actually send two copies of your signal, one in the Upper Sideband and one in the Lower Sideband. And then there's this giant peak in the middle. And this peak in the middle is very handy because it tells you where the signal is if you have a poorly designed, or if you have poorly designed components in, your receiver. So what you can do is you can feed this back into itself and use that to center in on the signal. This is why when you're, like, driving around in a Studebaker, you're having a good time, you got the windows down and you're turning the knob on the AM radio, you don't have to be exactly on the station. And the reason why is that you can correct by finding this peak. But as proper gentlemen ham radio operators, we have much nicer equipment than anyone at the Crosley Corporation could have imagined. The Crosley brothers made radios, and one of them would just go through the assembly line and he had a pair of wire cutters. And when an engineer was really proud of his design and he's like, look, you know, I came up with this great radio, Crosley would go, oh, cool, take out his wire cutters and he would just snip a component. And if the radio did not break, he would send the engineer back to cut off some components and save some money. So in single sideband modulation, what you do is you only send this upper half or you only send the lower half. And this has the advantage of using half the spectrum. It also has the advantage that you're getting more for the power that you're pushing out. So this is originally done as, like, a power thing. So now we're going to get to the good stuff. 
You've got Alice, Bob and Eve. Alice is trying to transmit some 0day to Bob. Bob lives in, like, a fundamentalist hellhole, right? And Eve works for the Fairness Communications Commission. And she's trying to make sure that net neutrality is maintained at all times. And she has a special mandate from the ACLU that no exploits or articles about exploits are ever shared over this medium, because baby killers are something. So one protocol that they can use to speak to each other is RTTY. Over here on the right is a picture from the second release of PoC||GTFO. This is from a mechanical ticker tape machine. This is a photograph of the style of the machine. FenderView were at OHM, the Dutch hacker camp, four years ago, two years ago, six years ago. They had two of these and they actually ran a cable between them, and you could send teletype messages on this sort of ticker tape. The middle row is just to keep everything centered. And then you have five dots, three on one side and two on the other. These are five bits of the Baudot code. Now in a modern style, I live in a third world hellhole called Manhattan, so I can't afford to have a giant ticker tape machine in my cramped hellhole of an apartment. So what you can do instead is you can just run a program called Fldigi to receive it. Over here on the top left, you have the frequency that the radio is tuned to, 1407.0. This is the frequency that your radio is actually set to. A little bit to the right of this, 1407.1.085, that's, like, the radio frequency plus the audio frequency. That's where the signal is actually centered. And the signal consists of two different frequencies and it's bouncing between them. And it bounces between them to send a serial port waveform. It's five bits, no parity, two stop bits. So, like, five and two at a particular baud rate. The baud rate is, I think, 70 symbols per second. I forget exactly which means which. 
But so in the '70s, when this was popular, they started doing artwork with it, just like we would do ASCII artwork. This is a horse. This is Seattle Slew, who won the American Cup that year. RTTY is based on an alphabet of five-bit symbols. One thing that you'll note about this alphabet is that the letters and the numbers are in typing order. So Q maps to one, W maps to two, like QWERTY. The reason for this is that the symbols and the letters had to share physical keys on the keyboard. There are a couple of special ones, though. So in addition to carriage return and line feed, like, I still don't know whether they used both or just the one, like civilized people. So, you know, you've got, like, a figures symbol and then you've got a letters symbol, and you'll note that they don't have, like, matching ones, right? So figs says to jump to the figures side and letters says to jump to the letters side. And this is, like, a state change. Okay, so you actually send, like, a thing saying that the next thing will be a letter or the next thing will be a number, and that's how it knows. Thank you kindly. So teletypes brandos. So then they need to extend this a little bit, because there was this war and Germany was acting up and Russia couldn't manufacture anything for itself. So the United States stepped in and built a bunch of radios for the Soviet Union. And they need some vodka, you know, like Chateau de vodka, but all this stuff. So this is transliterated Cyrillic, right? So this isn't really Russian. This is just the Russian alphabet. Now in letters, you have four vodkas. But if you have a figures byte and then you send the rest, you just get, like, those, like, who-are-you symbol, the bell symbol. So they realized they could just add a null symbol, which previously wasn't used for anything, and make that a shift to the Cyrillic alphabet. And in that way support all three. So little bear gets his vodka. And letters is kind of special in that it's an idle tone. 
They call these ditties or diddles or all sorts of other words. So basically you've got, like, five ones in a row. And you just keep sending that. And the receiver is just switching to the letters style constantly. And you can do this in a live mode so that the operator, like, has time to think. Because these can be used for recorded messages, but they were intended to be at about the rate that we type. And the reason was that these were great for live conversations. So you wouldn't have to use Morse code in order to have a live conversation over a narrow bandwidth. So other idle tones are legal. You can do letters to figures to figures to letters. And the standard receiver will ignore everything except for the last one. So your idle tones that are being ignored can instead be used to hide information. So your bears can pass to the village and they can have some books on them. I bet you guys can't tell at all which slide Sergey wrote. So then PSK31, for the modern style of it. So this was a 1990s replacement for RTTY. You can actually sort of tell by the technology; I'll get back to that a bit. So it's 31 and a quarter baud. And this is also normal for human typing speed. So you can use this for a live conversation. So you get on and you're like, CQ, CQ, is anyone out there? And then the guy will reply and he'll say, yeah, yeah, I'm calling you from Bogota. And you're like, cool, I'm just contesting by. There really ought to be an alternative to CQ. Like, it's illegal by the full force of Part 97 to reply to it, except in, like, a proper ragchew conversation. Anyways, there are a couple of things to notice here. First, we still have, like, the frequency at the top. We got the offset for it. So here one kilohertz above the radio signal is the audio signal. The other thing is that instead of having two peaks, we only have one. Because PSK31 is changing the phase and not the frequency. 
Now a phase change of this is the same as a frequency change of about one hertz, being rather abrupt, for weird reasons. So the actual line is a little bit wider than a Morse code line would be. And that's how you can visually tell the difference. PSK31 uses a phase inversion to mark a zero. It's a fancy way to say that, like, sine becomes cosine, or that cosine becomes sine. Always in phase shift keying, you're dealing with a relative change. So you don't know whether it's sine or cosine, because, like, everything is sort of sliding by; you just know that it's not what it used to be one symbol before. The phase is inverted to mark a zero, and it is not inverted to mark a one. So the non-inverted one is just a sine wave. This is the same thing that you would do on your TI-86 in high school, or your HP 48 if you were actually cool. But I said the 48. Is that Bluetooth? So you got, like, the sine waving, and then at this point we just abruptly change it. We just abruptly say, nope, we're doing it the other way. So the thing sort of hops around, and that's the phase shift. This is sort of a lie to children, though. If you do it this way, everyone in the band will start yelling at you, and you will get reported more than the guy who plays pooping noises on the local repeater. And the reason why is that if you actually listen to it, this really hurts your ears, and it also physically hurts the speaker. Because if you think about it, the speaker is sort of wobbling in and out with the wave, and then just abruptly, as inertia is carrying it out, you yank it back, and that creates, like, a little pop. And the pop happens to air pressure, and it happens 31 times a second, and it's really loud, and my iMac needs new speakers. So instead what you do is you drop the amplitude. So this actually drops the amplitude, and then here is when it does the phase change. And then it grows back up, so that at the time it makes the phase change, there is, like, nothing important going on. 
Now you have to raise it back by the middle of the symbol. Then the idea is that the receiver just checks, like, the middle of the symbol to see if the phase has changed, and ignores the borders between the symbols. So when you open up a PSK31 message in Audacity, we're talking a clean one, like no background radio noise, just one party talking centered at exactly one kilohertz, like a clean signal, you can actually look by the amplitude to see where the zeros are. So you'll see, like, the amplitude drop for a zero or not drop for a one. To decode this, I know we're getting back into the fancy math here, but you remember that a positive times a positive is also positive, and a negative times a negative is also positive. So the only thing that will actually, like, multiply to become negative is when you have a negative times a positive. So what you do is you multiply the signal by a time-delayed version of itself. When they were first implementing this in hardware, they had to have, like, a speaker and, like, a little tube of mercury and then a microphone at the end, and they would actually use that for the delay, because the sound goes slower through mercury than through air or an electric wire. I love living in the future. On the other hand, I still don't know what to do with my half liter of mercury. So you multiply with its delayed self, and the result of that is that the result is positive when the phase has changed, but it's negative in all other cases. And then you wind up with a new signal that only hops above the zero line for a phase change and stays beneath the zero line if there's no phase change. And that's very easy to filter out, because then you're just looking to see whether it's positive or negative. PSK31 uses a varicode alphabet, which is different from the one that's in RTTY. So ASCII is not very efficient for English text. I mean, it's great for screwing up Unicode quotation marks that you copy and paste from OpenOffice. 
I used to love freedom, and then I tried OpenOffice. No, I'm not so sure. So in varicode, common letters are short. So just like in Morse code, E should be shorter than W. Also, lowercase letters are far more common than uppercase letters. So instead of wasting an entire bit to declare whether the letter is uppercase or lowercase, varicode just assigns them different codes, and the uppercase ones are longer. For Morse code, that trick wouldn't have worked, because the operators would then have to learn twice as many symbols. But for PSK31, we can make the machine learn whatever we're stubborn enough to program it, and adding extra entries to a table doesn't cost much. So this is the PSK31 varicode alphabet. I'm leaving out some symbols here, but this is what you need for a conversation. So punctuation marks and that sort of stuff will come later. So you'll note that a is much shorter than uppercase A. You'll also note that E, 11, is not the shortest letter. The shortest letter is a single one, which is a space. Now zooming in on these so that you can actually read the numbers, there are a couple of properties of this that you'll notice. For example, nowhere in this entire table do you ever see more than a single zero in a row. The reason for that is that zeros delimit the letters. So a letter keeps going until you see two zeros at once, and then you lop those off, and the letter is whatever came before it. So if you keep sending zeros, the next letter hasn't begun yet, because the next letter begins on a one. This makes it very easy for live letters to, at most, delay by a single bit. So as it's idling, if you hit the space key, the very next symbol can become a one and then two zeros. You don't need to queue it up very far, as you would if you were synchronizing a longer symbol. The other thing is that the letters have no maximum length. 
So unlike RTTY, where every symbol is five bits long, here in PSK31 we could have a million-bit letter added to the code sequence. So every letter begins with a one. No letter contains more than a single zero in a row, and wherever you see more than a single zero, that's a delimiter between letters. This makes sense. So we can do tricks with this. We can vary the idle count to hide data. So as I'm sending you a long message, in PSK31 it's traditional to send a computer-generated list of who you are and where you are and what sort of antenna you have and what model of radio you have, and then to say, k, thanks for contesting, bye. And all of that is done by the operator just hitting a single button, and a pre-recorded message goes out. Well, when you're doing this pre-recorded message, you can space the letters out slightly differently. Like, two zeros is standard. So you could send three for a one and four for a zero and hide your message that way. Also, illegally long letters are ignored, and this is how the designer of the protocol added support for high ASCII. He happened to be British, and the British enjoy stubborn standards of their own, like this weird Celsius stuff. And so they have the pound symbol. But as God-fearing Americans were in charge of creating the ASCII table, well, we're not going to put the Queen's money in there. We fought a war over this. Then we fought another war with Canada over it, and Canada thinks they won. So what he decided to do was to just have longer letters, because he figured that the pound key wasn't very common, and it would only be used by two Brits talking to each other. So what he could do is he could just make longer sequences that meant the upper half of the ASCII table, which in older styles of Windows would be like the region-specific letters.
So the E with an acute accent for French, or the O with an umlaut for German, or the pound key in British, and that way all of these things could go through without having to break compatibility with older implementations. An older implementation would just be missing a letter, but the message would still be clear. So then you could do some physical tricks. This is a screenshot of how PSK31 is operated. You have an ASCII radio on the right and a laptop on the left, and the PSK31 is generated as audio with a cable that runs into the sound card. All of this is audio, and all of this can be dealt with entirely in the audio domain. So what you do is in Python, you just specify your audio rate and your volume. Then you divide that into how many waves per second you want. This is your audio frequency. In our case, one kilohertz. And then the length of your symbol is that audio rate divided by 31.25, because there are 31.25 symbols per second. So if we have 48,000 audio samples per second, we want 1/31.25 of that. Now you note that I'm using 48,000 instead of 44,100. I'm not doing CD audio. Why? Yes. It divides nicely. PSK31 was written in the 1990s when PCs were not quite fast enough to do this live. So instead, all of the early implementations were done as firmware that would run on a digital signal processing board. Digital signal processing, being less than CD quality, was based around an eight kilohertz sample rate. 48,000 is the modern equivalent of that. So it's at these rates that you get more even division and then fewer audio artifacts. You also have your symbol index, you've got a value, you've got a phase. And if you just create the wave and you invert the phase that way, you will get a horrible-sounding PSK31 implementation that actually works. This little loop is enough to produce the samples at those points. You dump that to a WAV file and you have something legible. Then you need to filter it.
So to filter it, you attenuate it in order to sort of scrunch down the volume as you're changing the phase. Again, this isn't a terribly hard addition to it. The left is as we're filtering and the right is as we're not filtering. Which would you rather listen to? So in real PSK31, the filter only happens when the phase changes. Remember, I told you that the receiver is only looking at the middle of the symbol. It doesn't look at the borders between the symbols. So no filter is used where the phase remains constant. So I was describing some of the earlier tricks to Craig Heffner and he started tooling around with it. And he came up with this idea, in that he had written a PSK31 receiver the lazy way. Do you remember how I told you that you could look at the audio recording and by the dips in the amplitude you could tell where the zeros were? That's how his receiver worked. So what he did was he made a signal in which you would drop the amplitude inside of a one even though it's not required. This creates a symbol that real PSK31 interpreters see as the one that it really is, but his PSK31 interpreter would misinterpret as being a zero. So you can drop the amplitude anyways. It does not break the signal at all, and it actually gives the thing a distinctive tone if you drop it all the time. So most receivers don't notice the difference, but it's measurable if you look for it, and that's what you need to hide some information. So these two recordings have the same meaning in legitimate PSK31, and anywhere, say in this region, where we drop it down even though we don't have to, because that can be measured on the other side, we can selectively drop it only to encode a bit and thereby hide information. You can also do a PSK31 Morse code polyglot because PSK31 is about phase and Morse is about the existence and the non-existence of the signal.
So you can drop the amplitude in order to throw a PSK31 signal on top of a Morse code signal. This is what it looks like in a waterfall. This is the dah-di-dah. The E is short enough to fit inside of a dit. On the left this dah-di-dah is Morse code for K, and the first dah actually contains the letter K in PSK31. You can combine the two. This is what it looks like in Audacity. So you can do a Morse PSK polyglot in order to combine these two. You can also, although it's a bit trickier, do a PSK31 RTTY polyglot. RTTY expects you to completely drop out the power on one of the bit channels. So the lower one is completely turned off when you're sending a 1 and the upper one is completely turned off when you're sending a 0. PSK31 is very tolerant to changes in power because it only cares about the phase. So what you can do is you can combine these two, and you can have two PSK31 messages and change which one of them is stronger in order to encode your upper message. And then you have two PSK31 channels that are also a valid single RTTY channel. Error correcting codes are added in the faster versions of PSK31. This is QPSK. It goes on forever. And because some of these bits can be flipped safely, you can do the same trick that Drupal and Dukes did last year in JT65 in this PSK31 message. There are the folks over there who are waving at me. You can also do bit flipping in forward error correction. Oh no, this is the same style. So you just let the error correction take care of it.

So I'm nearly done, but I have one last trick for you that is fucking incredible. Okay, so data runs over Ethernet. I as the attacker control a little bit of data, but I don't control it very well. Let's say you're doing HTTP over Tor and you're downloading a large file from me. I can change the rate limiting of how fast I'm sending that file in order to control the congestion on your local area network.
And let's assume it's a home network, so you're the only user. Now I want to exfiltrate a signal. Like I want to say the guy's here, guys. Like that's physically where he is. Well, if the Ethernet wiring is bad, so I'm kind of lazy, and you know how in Ethernet the wires are sort of wrapped around each other. And if you're a good IT guy, you'll know to unwrap them as little as possible. But if you're a Southern Appalachian neighbor just trying to get off Wi-Fi, then you'll notice that it's a lot easier to crimp them if you just completely unwrap them and have really long leads to push in. So if you combine that with a kind of noisy Chinese router, I'm not man yet, but Threat Butt tells me that China might be responsible for this. This is the letter K sent over Morse code by me changing the screen that I'm looking at while in a VNC session, as received by my neighbor down the block. Isn't that cool? So if you would care to play along, I think it'd be pretty cool if we did a wide area CTF. Again, you've got to do this in a neighborly way. I intended to do this as a 10 meter beacon, and then I kind of got distracted, and then the sun decided that it doesn't like me. So instead I'll be doing this as a locally monitored transmission scheduled on 20 or 40 meters. You can receive this by upper sideband in much of the Western Hemisphere, and the actual signal is a lecture on PSK31 in multiple parts about how to implement PSK31, how to implement PSK31 polyglots, and how to implement PSK31 steganography, with messages hidden inside of the lecture. There are a couple of kinks to work out, but this should be finished in another few weeks.

In conclusion, the PHY layer is something that you can mess with. And when you're starting, you really should start with the simpler protocols like PSK31 and RTTY. You should do this for a couple of reasons. Not least of all, you'll actually have someone to talk to about it.
I don't know how many of you have met folks who know the really nitty-gritty details of Wi-Fi's PHY layer, but they're all too traumatized to speak about it. And I mean, I know it's rude to bring things up with a victim like that. But with the simpler protocols like PSK31 and RTTY, these are fun and you can implement them in a very short time. You can implement a PSK31 generator in a weekend. Just get yourself a cup of coffee and sit down at the computer and look at the standards and you can do it. And it works. And you will have built your own modem from scratch. And you can't do that for things like Wi-Fi yet. Also, these parser differentials are everywhere. And we should be spending the time to understand them, both for art project reasons and also for exploit writing reasons. So whether you're a hobbyist or a 0day-selling baby killer, this is something that you should pay attention to. And these polyglots are fun. So you're not just able to combine file types and digital files. You can also combine protocols in digital radio. Thank you kindly for your time and attention. I'm going to have a beer now.
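The following is an added example and is not code from the talk, nor from Travis Goodspeed's or Craig Heffner's own implementations. It puts the pieces of the lecture into one runnable Python script: the varicode codec with its "two zeros end a letter" rule, the idle-count steganography (three zeros after a letter for a hidden 1, four for a hidden 0), a 48 kHz, 1 kHz-tone, 31.25 baud BPSK modulator with amplitude shaping around each phase reversal, a phase receiver that multiplies the signal by its one-symbol-delayed copy and looks only at the middle of each symbol, and the "lazy" amplitude receiver next to it so the parser differential can actually be measured. The varicode entries are a subset copied from the published PSK31 table; the function names, the one-symbol reference preamble, the 0.35 amplitude threshold, the dip positions and the sample message are assumptions made for this example.

```python
"""Toy PSK31 (added example, not code from the talk): varicode codec,
idle-gap steganography, and a BPSK modem with a phase receiver next to a
"lazy" amplitude receiver so the parser differential can be measured."""
import math

# Subset of the published PSK31 varicode table. Every code begins and ends
# with 1 and never contains "00"; the "00" between codes is the letter gap.
VARICODE = {
    " ": "1", "e": "11", "t": "101", "o": "111", "a": "1011", "i": "1101",
    "n": "1111", "r": "10101", "s": "10111", "l": "11011", "h": "101011",
    "d": "101101", "c": "101111", "u": "110111", "m": "111011", "f": "111101",
    "p": "111111", "g": "1011011", "y": "1011101", "b": "1011111",
    "w": "1101011", "v": "1111011", "k": "10111111", "x": "11011111",
    "j": "111101011", "q": "110111111", "z": "111010101",
    "A": "1111101", "E": "1110111", "I": "1111111", "K": "101111101",
    "N": "11011101", "O": "10101011", "S": "1101111", "T": "1101101",
    ".": "1010111", ",": "1110101", "-": "110101", "?": "1010101111",
}
REVERSE = {code: ch for ch, code in VARICODE.items()}

def encode(text, gaps=None):
    """Bit string for text; letter i is followed by gaps[i] zeros (2 is standard)."""
    gaps = gaps or [2] * len(text)
    return "".join(VARICODE[c] + "0" * g for c, g in zip(text, gaps))

def decode(bits):
    """Return (text, gap lengths). A letter runs from a 1 to the first "00";
    further zeros are idle. Codes not in the table (illegally long) are dropped."""
    text, gaps, i, n = [], [], 0, len(bits)
    while i < n:
        if bits[i] == "0":            # idle zeros before the next letter
            i += 1
            continue
        j = bits.find("00", i)
        if j < 0:
            j = n                      # final letter with no gap after it
        k = j
        while k < n and bits[k] == "0":
            k += 1
        ch = REVERSE.get(bits[i:j])
        if ch is not None:
            text.append(ch)
        gaps.append(k - j)
        i = k
    return "".join(text), gaps

def stego_encode(cover, hidden):
    """Hide bits in the idle count: three zeros after a letter mean 1, four mean
    0; remaining letters keep the standard two. Any PSK31 receiver reads `cover`."""
    if len(hidden) > len(cover):
        raise ValueError("cover text too short for the hidden bits")
    gaps = [3 if b == "1" else 4 for b in hidden]
    return encode(cover, gaps + [2] * (len(cover) - len(hidden)))

def stego_decode(bits):
    text, gaps = decode(bits)
    return text, "".join("1" if g == 3 else "0" for g in gaps if g in (3, 4))

RATE, TONE, BAUD = 48000, 1000.0, 31.25
SYM = int(RATE / BAUD)  # 1536 samples per symbol = exactly 32 carrier cycles

def modulate(bits, dips=()):
    """BPSK on a 1 kHz tone: a 0 reverses the carrier phase, a 1 keeps it. Around
    every reversal the amplitude is cosine-shaped to zero at the symbol boundary.
    Bit positions in `dips` (meant for 1-bits) get the same shaping with no phase
    change. A reference symbol is sent first for the receiver to compare against."""
    syms = "1" + bits
    shaped = {i for i in range(1, len(syms)) if syms[i] == "0" or i - 1 in dips}
    out, phase = [], 0.0
    for i, b in enumerate(syms):
        if b == "0":
            phase += math.pi
        for s in range(SYM):
            taper = (i in shaped and s < SYM // 2) or (i + 1 in shaped and s >= SYM // 2)
            env = math.sin(math.pi * s / SYM) if taper else 1.0
            out.append(env * math.cos(2 * math.pi * TONE * (i * SYM + s) / RATE + phase))
    return out

def phase_rx(x):
    """Real receiver: multiply by the one-symbol-delayed signal, look only at the
    middle of each symbol. Same phase sums positive (1), a reversal negative (0)."""
    out = []
    for i in range(1, len(x) // SYM):
        mid = range(i * SYM + SYM // 4, i * SYM + 3 * SYM // 4)
        out.append("1" if sum(x[n] * x[n - SYM] for n in mid) > 0 else "0")
    return "".join(out)

def lazy_rx(x, win=SYM // 8, threshold=0.35):
    """Lazy receiver: a 0 is wherever the amplitude dips at a symbol boundary.
    A full-amplitude tone averages 2/pi ~ 0.64 in |x|; the threshold is assumed."""
    out = []
    for i in range(1, len(x) // SYM):
        b = i * SYM
        level = sum(abs(v) for v in x[b - win:b + win]) / (2 * win)
        out.append("0" if level < threshold else "1")
    return "".join(out)

if __name__ == "__main__":
    cover, hidden = "k thanks", "1011"          # constructed sample message
    bits = stego_encode(cover, hidden)
    dips = [i for i, b in enumerate(bits) if b == "1"][1::3]  # dip some 1-bits
    x = modulate(bits, dips)
    print(stego_decode(phase_rx(x)))  # the real receiver: cover text and hidden bits
    print(decode(lazy_rx(x))[0])      # the lazy receiver reads something else
```

Run it and the phase receiver returns exactly the transmitted bits, so both the cover text and the gap-hidden bits survive, while the amplitude receiver turns every dipped 1 into a 0 and decodes a different string from the same audio. That is the parser differential the talk describes; the dips are invisible to a phase-only decoder and carry a second channel to anyone measuring the envelope.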