This talk is the ham sandwich talk. It's a replacement talk. So if you look in your guide, in the paper guide, we're replacing a talk that was canceled. What we're really replacing is a talk that was in the press about two weeks ago, and it was a big deal that people thought that somebody else's talk was canceled. And so we're really a replacement for that talk. Could you turn that off? So we are two researchers, Dave Maynor and Robert Graham. And we've been doing a lot of SDR things. SDR is software-defined radio. But what it really is, is hacking of the Internet of Things. Lots of stuff these days, your car, your phone, your gun, all these things connected to the Internet over radio waves. And so a big deal these days is learning how to use computers and software-defined radio in order to hack everything that talks radio. So I'm Robert Graham. I do a lot of blogging, Twitter. I'm famous for a couple of things like BlackICE, masscan, sidejacking. And I do lots of conference talks. My partner here is Dave Maynor. He's also notorious for the Apple hack from several years ago. Some DMA hacks. And he's one of the awesomest pentesters in the world. And he's also done lots of conference talks. And we've done many of our talks together. He'll be setting up the demo here if he can get it to work. We only have a 20 minute slot here, so we don't have much time. The talk that we're replacing is this ProxyHam talk, where a guy put together a box, or two boxes, in order to create a point-to-point link, with the idea that one might be in some place next to a bar or a Starbucks with an open Wi-Fi, and the other box would be up on the hill somewhere with your laptop. So as a hacker, you could be five miles away from the bar, using their Wi-Fi. And when they track back the IP address that was hacked from, they wouldn't be able to find the real hacker. That talk, though, was canceled under suspicious circumstances. 
There was suspicion that the FBI or the government tried to suppress the talk. And that was sort of our motivation for talking about this. There are things like NSLs, national security letters, that have quieted people, suppressed things. There have been lots of things in our industry that tried to suppress research. So this was our philosophy. And this really should be the philosophy of DEF CON. When we see that a talk has been canceled and it is in the area of our own expertise or something we've been researching lately, people ought to step up and say, no, I can do something similar to that. It's like that rapid transit thing from Boston when that talk was canceled. There have been other people who do research along those same lines, for MIFARE card hacking, for example. So when we see a talk that's been canceled, people ought to step up and say, hey, I can do something similar. However, what we found was that this talk in particular, though, wasn't so dramatic. We don't know why the talk was canceled, the ProxyHam talk was canceled. But we guess that the agency that was involved was probably the FCC rather than the NSA or the FBI. If you see here, we'll get to that in the next picture. So what he probably did was boost the transmit power. And the FCC is a very prickly agency. They have people staffed in every major city in the United States whose sole job it is to hunt down people who transmit radio frequencies at too high a power, or who interfere with other stuff. So we suspect what happened is that the FCC caught him, they came to his door, and they probably gave him a letter. And that's what the FCC does. The big thing that they do, they don't want to prosecute people. They don't want to hurt people. But they do want people to stop causing interference. 
So one thing they do have is like a consent decree, which is to say you sign here and agree that you won't do this stuff anymore ever again, and then we'll let you off with a small fine or ignore the situation. Also, I'm guessing that the real reason this guy was quiet was just because his lawyer said, hey, if there's a legal situation, the first thing your lawyer is going to tell you is just to shut up and stop talking about it. So it's probably something simple like the FCC coming down on him rather than the FBI trying to stop hackers or something like that. So this was the picture from the Wired article, from Wired Magazine. And what we see from here is that he's actually using just standard off-the-shelf equipment. This device, he's got a Yagi antenna for the directional antenna. And you see this little white box on the back of the antenna. Well, that's just a Ubiquiti device. Ubiquiti is a company that sells point-to-point internet links. And this is a picture from their website. And if you look at it, it's essentially the same thing. It's just a little box plugged into the back of a Yagi antenna. So this is a great lesson, actually, for all the kinds of security talks you see. A lot of times when people do press ahead of time, they give away enough details where you should be able to reproduce what they're doing. Like in this example, all it took was Googling for Yagis and 900 megahertz to find the Ubiquiti device he was using in the photo. Yeah, as Dave said, from the press we can often tell what the talk is actually about. So we went online and we bought the same sorts of devices from Ubiquiti. The Rocket M that he was using was a little bit more expensive and required an external antenna. I'm cheap, though, so I bought the cheaper units. I'm going to see if this goes here. So we bought these units. So you can see these units. I'm going to pull them out of my bag here. I probably should have brought them out when I was waiting. So Rob's doing this. 
The basic premise of our theory here is that the original researcher assumed that because the Ubiquiti would do its point-to-point connection over 900 megahertz instead of 2.4 gigahertz, it would somehow provide an additional layer of obfuscation that would make finding the signal and its source harder. That's kind of really what our talk is all about. I'll go ahead and go to the next one. So you can actually buy these Ubiquiti devices from Newegg for $125. Not much at all. You've got to get two of them, though. So 900 megahertz, if you don't know, it's ISM band, like 2.4 or 5.8. It can do longer distances because the wavelength is longer, penetrates things better. They go through buildings and trees. As an interesting note, because of the demo that we're going to do, I ended up getting my amateur radio exam, actually my ham radio license, just so we could do this demo. And I don't want to brag, but I knocked the Technician, the General and the Extra out in one sitting. So Dave actually cheated. Well, I say cheated. He'd actually been studying for an exam for like two years. So he didn't really just go up there and just do the tests. He has been studying for it. Rob thinks that. In reality, I just learned how to use SDRs. And the only stuff I really had to study for was the procedures. So 900 megahertz band, and these are the devices right here that Rob has. I didn't really want to set them up in the hotel because they actually cause a lot of interference. But yeah, they're just two boxes. And as you see in the previous picture, you just set them up. And what the connection is, is on the left-hand side, you see one of these bridges connected to a little Wi-Fi device. Almost every Wi-Fi access point can act as a wireless bridge or a wireless client. So you go to a bar or a Starbucks, you find some power outlet outside, and maybe bring a battery pack, and you can just configure a little Wi-Fi access point to then connect and log on to the Wi-Fi at Starbucks. 
And then you connect that access point to the bridge, to the 900 megahertz bridge, and then point it, I don't know, five miles up a hill where you can see line of sight with the hill. And then up on the hill you sit there with your laptop and the other bridge pointed back down toward the Starbucks at your other device. And then you can log on remotely from really, really far away. I used to live in the Bay Area, where you had the hills up between the ocean and the Bay Area; they had views over almost the entire Bay Area. And this would really go really, really, really far. So yeah, so the reason, by the way, that you use 900 megahertz is that it goes further than 2.4 gigahertz. So we've got time. By the way, these boxes, though, they're still just Wi-Fi boxes. So one of the critical features of this ProxyHam thing was whether it's an encrypted connection. And it is, it's just using WPA2. The configuration of those boxes is the same as the Wi-Fi access point. And actually when you pull them apart, we see they're using the same Atheros chipset. The only thing different between these and a 2.4 gigahertz Wi-Fi device is that they've got a little converter on it that converts the signal, the whole block of that range, from 2.4 gigahertz down to 900 megahertz. And that's why they're more expensive. Ubiquiti sells the identical devices that run at 2.4 gigahertz. And that's really the only difference. These boxes come with a flat panel antenna. So when the flat side faces you, that's the directional antenna. And this is the shape of the communications. So directional antenna means less radio frequency on the sides or behind and more out front. And that's why they're directional. That's why you point them at each other. And you have two directional antennas pointing at each other, and that improves the signal. So at the maximum rate when I set this up, I got 22 megabits per second download. 
And I'm not quite sure even if that was the limitation of those devices or of that little Wi-Fi access point that I was using. By the way, is your demo ready? Yeah. Okay. So this is the picture of what I set up last night in my hotel room. And I then used an SDR to go look at the 900 megahertz spectrum and to see what it looked like. So I walked out of my hotel room, down a ways to a bar, in order to then see how much of that signal I could actually see from pretty far away. So through many buildings, with these devices not even pointed at me, this was the signal I got. And what you see slightly to the right is that bump. And that bump is a very obvious 900 megahertz signal. Even with concrete buildings in the way, I can still see that this is very visible. And that's the problem with the ProxyHam concept: I think the original talk believed that at 900 megahertz no one was watching. But in fact, we are watching. We can actually see the signal, and it's very easy to track the signal back to its location. The FCC has vans in every city with all the equipment necessary to point the antennas, do the direction finding. It goes someplace, stops, scans, goes someplace else, stops, scans, triangulates, and they will find you really, really quickly. You think you're nice and secret and point-to-point, no one can see you; they see you very quickly. So what we've done, what Dave set up here, is an alternative using SDRs. They're more expensive and they're going to be slower. And by the way, when I post this presentation online, here are some links to other people doing similar things. What our technique is, in our case, is to hide that point-to-point link below what's called the noise floor. Another way of thinking of it is as a negative signal-to-noise ratio. And what the noise floor is, it's just like the radio static you hear on an FM radio. That's sort of just the background noise. 
It comes from the atmosphere, from lightning storms, from man-made objects, bad antennas. There's a dark line on this picture here. That's where I just unplugged my laptop from the power and plugged it back in. Unplugging it reduced the noise floor. So in theory, anything below the noise floor you can never catch. You can never have any radio signal that will work. In practice it does. If you tune to an FM radio station with an SDR, you see that you can find FM radio stations by hearing the music that, as far as the SDR is concerned, doesn't exist. There's nothing above that noise floor. So conceptually, what we're doing is, our technique is, instead of building up a strong signal that jumps above the noise floor, as you saw with that bump before in the graph, what we're going to do instead is to do lots of little channels all below the noise floor, all cooperating to amplify our signal, but which still hide beneath the waves, like a little submarine thing. By the way, I tried to draw this with PowerPoint. I just gave up and just hand drew it, took a picture. So the problem with this is that it's going to be slower speed. We've got time. We've got seven minutes to go, but I were. So the other, but the advantage of this is undetectability. If they knew exactly what we're doing, they could find us, but in all probability, they can't even detect that any signal exists. So I'll let David continue with this and then go on to the demo. So as a young man, I used to look at the moon and I would dream, what would it be like to touch the moon? Since I can't become an astronaut, after getting my ham radio stuff, I learned that there's a thing called earth-moon-earth, or EME. It's basically how you bounce a radio signal off the moon. You use a protocol called JT65A. It's actually designed to work with a lot of noise in between. That's really great for our purposes, because that's basically what we're doing. But it was really limited in the amount of data it can transfer. 
So instead of using basically one carrier, we multiplex it over several different versions of JT65. All right, so this is our demo. Hold on one second. Any questions so far? Comments? Suggestions? We have done about 20 miles. But once again, we're going to show you something really interesting. Is it? Well, one would be less than, basically less than around 2 baud, but with multiple, we can get up to 56K. So the limitation is having lots of SDRs; you can increase the speed. But one of the problems is that signal strength is logarithmic or exponential. Which means you don't really see it on the graph very easily, but that's the easiest way to increase the speed. It's just massively increasing the power. It's really easy. But we're going lengthwise, and that's linear. So the faster you want to go, you need more SDRs and just more, faster SDRs. All right, so this is kind of what the signal would look like if it was being broadcast over 900 megahertz using the standard Ubiquiti gear over a 2 and a half megahertz wide channel. As you can see, if you're looking at that and you have any clue what you're doing, you're not hiding from anything. That's one hell of a spike, right? So what we did, don't look at my password. So what Dave's doing here is we're using one laptop, because mine couldn't get working with the video. He's going to use a VM to actually do the transmit. He's just going to transmit his signal and then use the other to receive on a graph like this to see what the signal looks like. And now it seems to have broken it. He had 20 minutes. He told me to hurry. All right, so someone in the audience is jamming us. That's always funny. We really appreciate that. Who wants demos to go right on the first time? You don't go to NASCAR races to see the completion of the race. You go to see the carnage, right? All right, so this is kind of what it looks like normally. If you look at the graph at the bottom, that is the signal. 
You can see over on the left-hand side, the DV, you can see the peak where the signal is actually rising. This is over time, right? So with the other one, where did it go? So I figured that out. We just put this together with GNU Radio, which is the standard toolkit for SDRs that everyone uses. This is the same spectrum. This is actually us transmitting. And if you look, you'll see there's a much wider and lower profile for the signal. That's because of the JT65A modulators; there were currently 1,000 of them running when we recorded this. Basically multiplexing all the data across a little over 2 megahertz to get a 56K single signal, which may seem strange, but you can't be easily located by standard direction finding gear. Now with that being said, people that have nation-state assets can easily find you with this, but not a person with a $20 SDR. What's that spike we see to the left? The spike here. This is the noise floor. And this is because we recorded what's under it. So without the rest of it, we're basically pushing down the rest of the noise floor. So in addition to being able to hide your signal, the 1,000 or so JT65A encoders that are running actually also collectively cause the noise floor to rise, making it even harder to find your signal. We're planning on putting this code on GitHub and hopefully one day be able to integrate it into a simple Raspberry Pi-based solution so you can do these types of things without having much radio knowledge. Any questions? All right, so the thing that really made this all possible, and keep in mind just for a recap, the ProxyHam and even the ProxyGambit, the ProxyGambit still uses a 900 megahertz connection, but they also added a cellular device. And Samy said he did that because it would make it, you could basically use it from anywhere in the world. Using the same techniques, you know, somebody could find your device with the cellular modem that you're using or the point-to-point link. 
At that point, your anonymity is kind of blown. So that should be our takeaway. And there are ways to hide yourself. So are there any questions? Any comments? Any suggestions? Question over there? Question. The question is, why is this illegal? Because the guy was doing it over the ISM band. We don't know the exact details, but we suspect the reason is because he boosted the signal. If you look in the manual for these devices, it says this is, oh, this meets these requirements for Part 15, blah, blah, blah, blah, the FCC regulations, but there's an external antenna here. And the documentation quite clearly says if you add an external antenna, you must be a licensed person to do so. Because the regulations monitor, regulate how much power at a certain distance. This is directional, but it still spreads, which means the power is less. The more directional you make it, the more you're likely to exceed those regulations. So that's what we suspect happened, is that the Yagi is just too powerful, it's beyond the licensed operation, and you can't do it. Also, if you're over the power limit, you're not operating legally as a low-powered device, but you're over the regulation. You're not supposed to send any encoded or encrypted data. What he was doing was proxying WPA2-encrypted Wi-Fi, which is against FCC radio standards. In our demo, we're not proxying that. We're actually just sending a message that says "send it" in ASCII. Yeah, that was a big question. These regulations are complex that way. We have a question over here. So you had said that you can still download data, et cetera, et cetera, across this link, right? So how much data would you be able to send? Up to 56K. Okay. So basically the same as one of the higher speed dial-up modems from the late 90s. Okay, I just wanted to confirm that. And a second question that I have is, if you were to have two of those devices and you're using them on your property, does this still make it illegal? 
I mean, are you still going to have the FCC showing up at your door? You're in your neighborhood and you're on like a couple of acres and... Well, the FCC controls all the airwaves in the continent, well, in the United States. So being on your own property doesn't negate or doesn't stop you from having to adhere to their frequency plans. So the FCC is very specific that although these devices are technically unlicensed, they're only legal as long as they're operated in the correct capacity that does not cause interference with other devices. Once you start doing that, you have to stop your operations. So in practice, you probably can, but if somebody nearby complains of interference, whether or not you're actually the one at fault, they will probably see that you're transmitting at a very high power and come by knocking on your door and tell you to stop. But you won't have to pay fines because you didn't damage anybody else. Probably. I'm not here to give legal advice, so I have no idea. We are not lawyers. Question over there. I'm sorry, I can't hear that, something about what... There we go. Whoever was doing it stopped, we are now... This is what it looks like in Gqrx. Basically when you send it, the peaks are very minimal, but we also have our devices, the two, the one that's transmitting and the one that's receiving, very close to each other. But that is what it looks like when you're actually running it. So whoever was jamming us, thank you for stopping. And we'll find you. We're worse than the FCC, trust me. Great. So the big takeaway here is we really wanted to prove that there was nothing pokey or hinky about the talk getting rejected. We actually just... Not rejected, pulled. We actually really do believe that at some point the author just decided or learned it was just a bad idea and it actually wasn't providing the level of anonymity that they thought originally. So that's our talk. We'll be heading out. So thank you very much. 
If you have a moment when you're done or you're leaving, there's a young blonde woman in the first row named Sophie Koch. If you could spend a few minutes talking to her about IoT, that would be great. Thank you.