This gentleman, his name's Eric Escobar. Apparently he goes by Justice Beaver. One word, not two, but camel case. Uh, he's a principal consultant at SecureWorks and he likes Raspberry Pis and long walks on the beach. I, I actually, I, I'm not reading his bio, it's, it's boring and standard. The truth of the matter is this man can actually fly. I am not kidding at all. If you go on the DEF CON press pages, you can see his picture from last year after his second first-place victory in the Wireless Capture the Flag. He's actually flying in the picture. It is absolutely amazing. You can't miss it. So if anything else this man has ever done isn't fun, just check out that picture. He can fly, ask him about it after the show. He's really going to appreciate it. Try the feel. This is Eric Escobar and my personal, uh, one of my favorite talks that we've approved, uh, SDR Replay Attacks Against Home Security Systems. So please enjoy.

Hey Rick. Rick. Can you do me a favor? Can you take a picture for me? I don't know if my guys are going to do it. Hey thanks, appreciate that. Watch him. Uh, hey guys, my name is Eric Escobar. I got started here, um, a couple, I think this is my fourth year here at DEF CON. Uh, when I started out here first it was trying to find the fox, and after that I've grown to, you know, breaking WPA2, breaking WEP, and then getting a gig breaking into really big companies and assessing all their wireless. Um, so right now I work for SecureWorks. I'm a principal consultant where we do, uh, pen testing. We do internal, external, um, wireless and everything in between. Uh, so I did not go to school for any of this. So people are saying, oh, you know, what'd you go to college for? How did you get involved in, you know, doing all these wireless attacks and, you know, learning all this? Literally, all of it was Google and talking to people that are, like, doing the CTF. That's how I learned pretty much everything that I know.
Uh, my original schooling, I went for civil engineering, so doing like dirt, water and bridges. Uh, really boring stuff compared to what I do now. Um, so now I'm a consultant, this is my fourth DEF CON. Uh, so okay, so I'm going to be talking about wireless replay attacks. And so a replay attack is exactly what it sounds like. So it's, I'm catching a signal and I'm just playing it again. That's all that it is. It's, uh, it's pretty simple. It's like if you overheard somebody say a password to get into a club, you say that same password, boom, you're in. That's all that it is. Uh, there's nothing more complicated than that. Um, and so basically you wonder like, well, how can that be a thing? That seems like the most insecure thing in the entire world. Well, the reason that's a thing is it's really easy to program into. It's really easy to code. It's really easy to troubleshoot. You know, there's no timing. There's no salts. There's no encryption. It's just you send one, you know, serial or one byte of tech or, you know, one string of text. And that's it. You know, that goes across the wire and it's really easy, uh, to debug and do stuff. And so that's why it's a thing. You have cheap electronics that come from China and, uh, you know, they want to do it as easy as possible and keep costs as low as possible. And for the most part, it's not a problem until one of us comes up, right? Um, so in doing this I use something called software defined radio. If you're not familiar with it, software defined radio or SDR. Uh, it's basically just a tool that allows you to analyze frequencies. Some will allow you to send and transmit. I'm not going to go super deep into that, but, uh, you know, if you want to Google something or look at something for later, uh, you're going to look for SDR, software defined radio. And it makes things way easier. I don't need to, like, tune a physical radio. Uh, it plugs right into my laptop via USB. It just makes life a lot easier.
And they're coming in smaller and smaller form factors now. Now I have some, you know, some SDRs that I have that look like a USB stick with an antenna or just like a normal wireless, uh, adapter for your laptop. Um, okay, so, so this, you can't see the front of it, but on the back of this, there's an FCC ID. This FCC, uh, that, that red box is moved or should be moved over. But you can see the FCC ID on the back of any electronics sold in the United States. Legally it should be there. And, uh, there's a lot of information on the FCC website. So if you don't want to go looking around analyzing streams, you know, analyzing a waterfall display and trying to see, you know, hey, what's happening here? It's super easy. If you go to the FCC website, they'll say how it's encoded, what frequency it's supposed to be on. It'll give you all the information that you really need to know. And that's kind of cheating, right? But at the same time, if you're just getting started out, if you want to understand this and you want to minimize how much time you're spending to do this stuff, you know, it's a real easy and nice way. And plus it's kind of fun to look around and see, hey, what else do these vendors have? You know, what other stuff uses this scheme? Because you could find something that, like, okay, well, maybe this is for like a motion detector. But also maybe it's for like, you know, an insulin pump, right? You don't know where the schemes are used. And so it's really interesting just to go through and look. And it is kind of cheating, you know, but if it's yours and you're doing testing, you know, a lot of these things, if you were to look at them on the table for the Wireless Capture the Flag, you can go up and you can look at the back and see an FCC ID on them. And you can pull it all up and get all the information from it.
And you don't have to do really any analysis because you know exactly what it is, because the specs that the manufacturer provided are on the FCC's website. So by law, it's all there. Anyway, so let's see. And so this is an example: you go to the FCC website for this motion detector and boom, look what I can download: the test reports, the user manual and test setup photos. So I can see exactly what it is. Now the FCC website is incredibly hard to use, like any government agency, period. So somebody did some awesome work and they have FCC.io. FCC.io, you can just put a slash right off the end of it and put the FCC ID and it will forward you to the exact page you need to be on on the FCC website. So it's a really cool, really easy way to do it instead of spending, you know, days and days, not days and days, like more than half an hour looking for exactly what you're looking for. And so yeah, you can see all the stuff like frequency, modulation and just kind of go from there. So if you guys don't know what modulation is, again, you know, there are beginners. I didn't know any of this when I started out. There's frequency modulation, there are just two main types. Amplitude modulation, frequency modulation. A lot of the attacks that I've done or that I've seen are they do amplitude modulation and that's on-off keying, or it's a form of amplitude modulation. And you can probably think of AM and FM, that's, you know, AM radio, FM radio, that's how these things are modulated. And so what I'm specifically talking about is on-off keying. Yeah, and just kind of going back here, this is what a lot of cheap, you know, wireless 434 megahertz electronics have. So if you're looking for software on how to do this stuff after you have the tools, you know, this HackRF, it's amazing for like $300. It sounds kind of pricey. It was definitely pricey for me when I was starting out and doing this all on my own shoestring budget. But that thing, I mean, I still use it to this day. It's awesome.
And then there's GQRX, SDR Sharp, if you're just a Windows user and you just kind of want to get your feet wet, but you don't want to have to install a brand new operating system. That works really well. And there's some pretty cool things you can do with it. With just the $20 TV dongle with SDR Sharp, you can decode air traffic. Air traffic is going over the beacons. You can decode that with that. It's kind of neat. There's RFCat. There's one that I just found recently called OOK tools, OOK tools for on-off keying. And then GNU Radio is just the Swiss army knife of you can pipe anything to do whatever you want. And it's, there's definitely a steep learning curve to it, steep learning curve to it, in my opinion, but once you get the hang of it, you know, it can do pretty much anything that you want with whatever inputs you want to give it. So this is the hardware that I use the most. HackRF One, like I mentioned before, $300 software defined radio. And then you have the YARD Stick One. That is like maybe a hundred something dollars. I have links to all this later in the slides that you'll be able to see and download. But these two things, that's what I primarily use for all of this. HackRF is a little bit more expensive, but it gets you a bigger frequency range and it gives you a little bit more stuff. The YARD Stick, if you're just starting out and you don't want to drop a ton of money on it, you can still do a bunch of awesome hacks with this. So, okay, so this is, oh, okay, OOK tools. And this is one that, that I've been using recently. It's, it's just this simple. So say you're trying to record for something. You found the frequency on the FCC website. So you know, okay, this isn't in megahertz. That's why it's so long. So when I say 434 megahertz, the M is million. And so you can see that's, you know, that's, you know, 4.333, you know, million. That's the frequency. Frame count is just how long is it going to pull and listen for something. The destination, signal.json.
That's just sending it to a JSON file, you know, somewhere on your hard drive. And all you have to do is, so you set this and it will go for, you know, maybe around 30 seconds to record how it's actually, you know, what it's going to. You set it to record, you hit the play button like you're programming a universal remote and then wait for it to finish. And then all you have to do is go back in, type in signal play and give it the file that you just recorded to. And you can literally just play it right back. So the signal that happened, it's literally just two lines. I broke them up into multiple lines just so it was easy to read. But that's a two-line command and a little bit of time to wait. And that's all that it really takes. So that's if this, this is what I use with the HackRF, or not the HackRF, with the YARD Stick. Then there's, this is with the HackRF. Same thing, just easy. Two lines. You give it, you know, where, the frequency and where it's going to go to. And same thing, you just, you know, -r is for receive, -t is for transmit. Just that easy. And again, the reason why this is possible is because it's the same, it's the same, you know, code that's going across. You know, it's the same string of text that's going across every time. So all you're doing is replaying it. How this is different from something like, say, like newer garage door openers or something like that, is they'll have a rolling code. So every time, you know, a code goes through, a new code will come up the next time. So it's, it's not, it doesn't lend itself well to being easily attacked with the, you know, with a replay attack. There are ways that you can do it with like, you know, jamming a frequency or something like that. But, but really for the most part, this is only for like the cheaper electronics where security is thought to typically not be an issue. So this is like, you know, the raw data.
If you do it, you can see the blips kind of lend themselves to the image that I showed before of the on-off keying and the amplitude modulation. All right, so what can you do with like the RFCat and the stuff that I showed you? Well, you can, these sensors, the way that they work is they just yell and scream what their code is. And typically what they do is there's no, you know, ack, there's no response saying like, hey, I got the code, you're good to go. It's, you know, somebody just, you know, the sensor just yells, this is my code, this is my code, a couple of times. And that's it. There's no other information that, that goes across. So if you yell louder with your, you know, software defined radio, then, then you're going to drown it all out and the receiver will not be able to hear anything. So in the real world, if you think about this, if I have a motion sensor and I want to, like, say, break into my parents' house who have all these motion sensors everywhere, all I have to do is turn this on and now all of a sudden I can walk up and the sensor will still detect me and it'll transmit the signal saying, hey, somebody's here, but because I'm drowning out, because I'm drowning out all that noise, there's absolutely no way that that sensor is going to hear me because I'm just, you know, sending static or I'm sending junk over the frequency. Now the other thing that you can do, the exact opposite, you can do a replay attack like I just said. And so I could sit in my car and make my dad think that, hey, somebody's opened the front door. You know, and so he'll, you know, maybe get a text message on his phone or like, you know, get an alert on the phone or the alarm company will come out. And all I'm doing is doing a replay attack. That's all that's happening. And so if you do a replay attack, the base station thinks that that sensor went off. That's basically all that's happening. So okay, so what stuff is vulnerable?
If you just go and search eBay for 434 megahertz stuff, you know, that's, that's typically stuff that you're going to see as being vulnerable. And so this, this is a door sensor, you put it on your door and it will send a signal out every time your door opens and closes. Pretty simple stuff. And that's vulnerable to a replay attack. So if you were to catch the signal, then you could make whoever's alarm system think that their door is opening up maybe 100 times a second, you know, maybe in the middle of the night, maybe you want to set off an alarm or maybe you just want to make somebody think that, hey, my alarm system is bugging, it's not working. So I'm going to ignore all those, you know, transmissions that go off. So okay, that one's kind of fun. The next one that you have is motion detectors and doorbells. So this is really fun. If you just want to be a troll and you want to go doorbell ditch somebody, go find somebody that has a wireless doorbell, because those trains been on the same thing, because there's no security really needed for a doorbell. But it's really funny to sit in your car and hit, you know, play and watch somebody come out and not realize, you know, what's actually happening. And of course, who's going to think that it's some hacker sitting in a car just trolling you, right? But that's something that I would probably do. So this is an example of a motion detector. And so you can see that the battery is out of this detector. Let's see if this plays. Oh, wow, I didn't expect that to actually play. So you can see that this detector just went off even though there's no motion happening. So right? It's a really cheap, easy example to see what's happening there. And so this is, this is the reverse of that. This is me jamming it. And so you can see initially the light goes off and, you know, the sensor activates. And then, you know, you jam it and you'll see this little light go off right here, but nothing will happen here.
And so that's effectively jamming it, and you see how close they are and you see that obviously the radio is not within that vicinity. So that you're effectively jamming that even though they're so close together, this receiver is just being screamed at and can't hear anything else that's happening. This is another really fun one. This is a super swanky gated neighborhood. And it's super vulnerable to this exact same thing. See if this video plays. So you can see I'm sitting there, no cars are coming, and I just opened the gate. So you think if you're a thief and you're like, ah, you know what? I'm just going to sit there. I'm going to wait for some guy to come through, catch the signal, and now I'm going to come back by at one in the morning. And really there's not a good way to defend against that because they have, you know, hundreds of people that live in this gated neighborhood. So they're, you know, to do a rolling code or something like that. This kind of technology is, you know, there's a reason why it's there, because honestly people think, you know, the, the risk factors are, well, is somebody really going to go sit out there and do this? Well, I mean, this is, you know, less than $200 worth of, worth of hardware that I have just sitting in my car, right? So that's, that's just talking about all the vulnerable stuff, right? Now, I like to build things. I, you know, started out in college as an engineer. So I like to build things. So I thought, okay, well, if I can receive all these signals, I could surely do something cool with them, right? And so what I have is I got a super cheap little receiver. So this isn't, you know, an SDR. This is an actual physical radio that receives that 433, 434 megahertz-ish. It takes that, that signal, puts it to an Arduino, which then decodes it and gives it to a Raspberry Pi. So what can you do with that? Uh, whoa. Did I go too far? No, maybe it, um, okay. So sure, you can make your own security system.
You can do whatever you want. But if you're a tinkerer, if you're somebody like me that likes to, you know, mess with stuff and make your own custom stuff, the hardware for this is cheap. Raspberry Pi, you can get a Raspberry Pi for $10. You can get that little 434 megahertz module for $4, $5. And then you can get a Raspberry, or not a Raspberry Pi, an, an Arduino for another three online, and you're talking for the base station for an entire, you know, wireless-based, um, you know, security system, like you could, you could not buy that anywhere else. Uh, and it's adaptable and you can use it for a ton of different things. So I know, I know some farmers that I've helped with like, oh hey, do you want to know like, uh, when X, Y, or Z happens, you know, maybe you want to see motion on this road and you, you know, you want multiple detectors to go off before you're alerted, right? Cause there could be a false positive, and so you can scale this and build this to do whatever you want. And it's, it's super easy to integrate cause there's all the tutorials in the world for Raspberry Pi. Um, so basically the way that it works is a simplified diagram is, uh, alarm goes off, goes to here, this takes it to the Raspberry Pi which logs into a SQLite database and then you can program it to do whatever you want. So SMS, you know, if you just want to get a text message on your phone every time your mailbox opens, super easy. If you want to just get an email, alright, and then woof, if you know woof has been great. Um, this is just a quick little schematic. It's super easy. There's three wires that connect the, you know, the radio to it, to the Arduino. I mean, so when I first started out on all this, I was really gun-shy about like, oh, there's all these little wires and I don't really know what to do. Um, but I got over it really quick. And when you see these little diagrams it's like, yeah, you literally connect a wire from there to there, there to there. And then that goes to USB.
It's, you know, that's literally all the wires that are involved in this. Um, and so all the different sensor types that you can have, I mean there's the door ones, there's smoke alarms, and people wonder like, why is a smoke alarm wireless? Why is a smoke alarm, you know, on 434 megahertz? Like that's, that seems stupid. Well, if you have a building or like an office complex and you want all the alarms to go off when, um, you know, one alarm goes off, that's what they're there for. So that could be terrible if you find that frequency and do a replay attack on it, or it could be great in the sense of like, oh, now when my, you know, smoke alarm goes off I can get a text message and it costs me, you know, like three Starbucks strings. Um, some of the other things, door open, door closed sensors, the motion sensors, and then like water sensors, if you have like a sump pump or something like that. Again, this is just like a very small sample. There is a lot of stuff that all operates in this way, you know, uh, with these kinds of, uh, modulation of frequencies. Um, so all the code to do that is on, is on that repo and I also posted links to all the hardware that I was talking about and like links to all the software I was talking about. So if you guys want to take a picture of that, that's the, like, this is like basically what I did for everything. It's not super clean code because I'm a hacker and not a programmer so I don't really care. Um, my email is also on there. So if you have a question, you know, feel free to shoot me an email. Uh, you know, I'd love to hear feature requests and that kind of stuff. Um, but yeah, this is just something that I think is really cool and kind of fun. And again, if you want to learn any more about this stuff, uh, you know, greatscottgadgets.com/sdr is Michael Ossmann's full, like, software defined radio HackRF class for free.
It's normally like, I think a 40 or a two day, uh, um, it's a two-day class that I think they maybe offered here this year. Uh, but it's, it's a really great class from like, hey, I don't even really know what, you know, software defined radio is, to like, yeah, I can perform a replay attack in no time at all. This will walk you through the entire process. No problem. Um, and then RTL-SDR, there's just a ton of good forum posts of people doing, you know, pretty incredible things. Uh, and I, I always reference it for like, whoa, that would be kind of cool to do or like that'd be kind of cool to mess with. Um, so again, RTL-SDR, and this is just a link to that same GitHub deal. Um, so yeah, I think I have five minutes left so if anybody has any questions, please use the mic.

Cool. That was really great. Oh, oh, you have a question. Ron, can I go now? Okay. Sorry.

Uh, what about motion sensors that, uh, set, like turn on a light? So for home security, they have it over their garage or something like that. Motion sensors, is there a way to jam that so that it doesn't trigger?

So, so no, there's no way to jam it because the circuitry, what that does is the PIR sensor goes off. So PIR is passive infrared, right? Yeah. There's no wireless involved. It's just saying, hey, it went off, and instead of triggering a wireless signal, I'm just going to hit the relay to turn on the lights. But if that, if that was connected to their home security system over wireless, then that, yeah, then that would jam it. The other thing that you want to do if you want to bypass that, just get a can of air spray, you know, like the, the can spray to clear off your keyboard, because it just, because all that's doing is looking for a change in temperature. So if it's just a constant temperature, you know, it won't know that you're there. So same, I mean, sorry, that's not, not how you do. That was not a part of the talk, but that's, if you wanted to, that's how you would do it. Anybody else?
Going once, going twice. So.
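Added example, not part of the talk or the speaker's repo: a Python sketch of the Raspberry Pi side of the base station he describes (receiver to Arduino to Pi to SQLite), extended with a check that the speaker's own replay scenario suggests a defender should want: a sensor code arriving far faster than any physical door or motion sensor fires. The "timestamp code" line format from the Arduino, the sensor codes and the timestamps are all assumed and constructed for this example.

```python
"""Base-station event log with replay-burst detection (example code).

Assumes, hypothetically, that the Arduino hands the Pi one line per decoded
434 MHz transmission: "<ISO timestamp> <hex code>". Nothing here is a real
capture; SAMPLE_LINES is constructed for the example.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample input. Cheap OOK sensors repeat their fixed code a few
# times per trigger, so a handful of copies within ~100 ms is normal. A replayed
# capture on a loop shows up as the same code dozens of times inside a second.
SAMPLE_LINES = """\
2017-07-29T01:00:00.000 5A3C21
2017-07-29T01:00:00.060 5A3C21
2017-07-29T01:00:00.120 5A3C21
2017-07-29T01:00:07.200 9B1E44
2017-07-29T01:00:07.260 9B1E44
""" + "".join(
    # 40 copies of the door code 10 ms apart: a replay, not a door opening
    f"2017-07-29T01:30:00.{i * 10:03d} 5A3C21\n" for i in range(40)
)

# Constructed enrolment table: fixed code -> sensor name.
KNOWN_SENSORS = {"5A3C21": "front door", "9B1E44": "hallway motion"}


def open_db(path=":memory:"):
    """Create (or open) the SQLite event log the Pi writes to."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT NOT NULL, code TEXT NOT NULL)")
    return conn


def ingest(conn, text):
    """Parse Arduino lines into the events table; returns rows inserted."""
    rows = []
    for line in text.splitlines():
        ts, code = line.split()
        datetime.fromisoformat(ts)          # reject malformed timestamps early
        rows.append((ts, code.upper()))
    conn.executemany("INSERT INTO events VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)


def replay_bursts(conn, window_s=1.0, max_repeats=8):
    """Return (code, burst_start, peak_count) for every code that is seen more
    than max_repeats times inside a sliding window of window_s seconds."""
    cur = conn.execute("SELECT code, ts FROM events ORDER BY code, ts")
    bursts, window, prev_code, active = [], [], None, None
    for code, ts in cur:
        t = datetime.fromisoformat(ts)
        if code != prev_code:                # new sensor: start a fresh window
            window, prev_code, active = [], code, None
        window.append(t)
        while t - window[0] > timedelta(seconds=window_s):
            window.pop(0)                    # drop events older than the window
        if len(window) > max_repeats:
            if active is None:               # threshold just crossed: open a record
                active = [code, window[0].isoformat(timespec="milliseconds"), 0]
                bursts.append(active)
            active[2] = max(active[2], len(window))
        else:
            active = None                    # rate dropped back to normal
    return [tuple(b) for b in bursts]


if __name__ == "__main__":
    db = open_db()
    print(f"logged {ingest(db, SAMPLE_LINES)} events")
    for code, start, count in replay_bursts(db):
        name = KNOWN_SENSORS.get(code, "unknown sensor")
        print(f"replay-like burst: {name} ({code}) x{count} starting {start}")
```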