Hello everyone. Welcome to this session. My name is Wang Kang. I'm from the Alibaba Group, as a security researcher. Since you are some of the best hackers in the world, I will try my best to cut the irrelevant information out. Today I will walk you through some of my research findings from looking at several infrared devices. I called it "Who said hacking a fan doesn't matter?" Me, I am focusing on IoT, V2X and cyber-physical systems, and I do some security research and stuff. This is a joint work with Dr. Yang from CIICD. Unfortunately, he couldn't make the trip here. So this is the introduction. Since you are hackers, I think no one cares about the outline; I don't care about the outline either, it's just a formal outline.

This is basically the NEC standard for infrared remote control. Basically, you can consider it as a duty cycle modulation: a 25% versus 50% duty cycle indicates whether it's a 1 or a 0. So it's not a big deal. So tell me something I don't know, right? The first thing I want to mention is that regularly the infrared light is 940 nanometers or 850 nanometers. Why does it use these two bands? Because, in the spectrum, the water in the air absorbs a lot of light, but this infrared band is absorbed less. That is the number one reason. The second thing I want to mention is why there needs to be a carrier, which is around 38 kilohertz. I think it's because there is so much infrared in the sun. So in order to reject some false positives, we have to use a band-pass filter, and the 38 kilohertz is to let the signal pass through it, yeah.

So how can we get infrared codes? Regularly, there is a very fantastic database called LIRC. You should look at it. Basically, all of your remote controls can be found out there. And you can build up some DIY gadgets to record and replay.
Or, I want to mention, this one is from LIRC: you basically fire up a Raspberry Pi Zero, connect an IR emitter, and there you go. So it's not a big deal. I want to show you something new: recently there are some new fancy phones, such as the Samsung Galaxy S10. This is a commercial off-the-shelf remote controller. What I want to show you is that it has a super slow-motion mode which runs at around 960 frames per second, while usually an iPhone is about 120 or 240 FPS. So you can see, I will press the play button and you will see the red dot. Did you see that? Yeah. So I was wondering if I can use that as a logic analyzer. So I converted these videos into different frames, and I renamed them. Did you see the four dashes? They indicate that the light is on. So I cross-examined it with a logic analyzer. This one is from the logic analyzer. This line is the frame names. So you can see it fits very well. Take a closer look. Yeah, this is the 312 frames. It fits. Right. And later I want to calculate the timing. So we just take 301 minus 197, multiplied by the frame rate, and we get the timing. And from the specification the timing is roughly the same. So far so good. This was a very lucky example.

So let's see another, not so lucky example. This is another kind of remote control. It's not the 25% or 50% duty cycle. This one is way above the Nyquist theorem, so our system cannot sample it precisely. But this can be solved by some modern communication technologies. Basically, this problem can be considered as an under-sampled signal recovery. So you can use a video ad trigger or multi-pass samples or some fancy technologies. But I think it's solvable.

So the next thing I want to show you is the infrared fill light.
You can see there are so many security cameras out on the street. You can get this one, this one, this one, this one, this one, different kinds. All of them, during the night... Whoa, what happened? During the night, the security camera has to emit some infrared light so that the object can be seen. This is another example on the street. This is in the store, on the shelf. All of them have infrared fill lights. I took some apart and found out that this is a socket and it only has two power supplies to the fill light. So what we don't know yet is: first, whether it's 940 nanometers or not; second, the switching speed, is it going to be as fast as 38 kilohertz so that we can pass the band-pass filter; and will higher transmit power matter? Having those three questions, we have done some experiments.

This one is a DIY gadget. Roughly, it's a Raspberry Pi hat with FGM. This one is a commercial off-the-shelf fill light I bought. So I fired up a signal generator just to test out the first two points. You can see the blue light indicates the infrared signal is received. From this experiment, we can see that it is 940 nanometers, and second, the circuit of the infrared fill light doesn't cut our switching speed. The next experiment is about the larger infrared fill light. You can see the green light or the blue light. So later on we recorded some air conditioner remote control signal and replayed it. You can hear the sound; the infrared fill light can be used as a remote controller. The air conditioner is turned on.

And the next question is how a security camera is wired. So we looked into the manuals and reference designs of some security cameras, and we found out that the LED is connected exactly to the GPIO. Remember, there is a very fancy project called PiFM which uses GPIO to send FM broadcasts. It uses the DMA mode to utilize the GPIO as a signal generator.
So I did some further experiments: the white device is a security camera, and the black one is the original remote control, just placed there to show that I didn't trick it. And you can see it works now. This experiment shows that even if you think some not-smart devices, such as a TV set, are not connected to the internet, if there is an internet-connected security camera, maybe this is the way to break the air-gapped system. Especially some smart TVs, they have browsers; Android TVs, basically. So what could possibly go wrong? Remember the PewDiePie event, the printer thing: someone hacked a lot of printers to print out an advertisement. Maybe this way can be used to turn on air conditioners massively at the same time, so that the power grid encounters some power surge or something. This photo was taken in the Netherlands. I found out that the security camera and the TV are just facing each other. And this one is just right at the corner, on the DEF CON street. There is a ramen shop. So you can see the security camera with the infrared fill light facing the TV.

And this is a photoresistor. There is another way I want to show you: some of the designs of the security cameras have a photoresistor, so that when there is light, the light will be turned on automatically. But it cannot be used, because it's very slow, around 30 milliseconds. So it's not usable. But just a try. So look at the bright side. Remember some audio guides in museums. You point your audio guide at the wall; the wall device is actually emitting some infrared signal that switches your audio guide to a specific MP3 file or other things. So maybe that one you see is a security camera. Maybe we could just use that infrared light to do some watermark thing.

So, one more chapter. I think this chapter is quite interesting. I call it the Poor Man's Spatial Light Modulator. And the following will be a commercial from Kaspersky.
Do we have audio from this HDMI output? Let me try. Basically, let me do this. In the party of ACSO, a hacker hacked the fan and asked him to pay some money. So he said, go hack yourself, hackers. Actually, he is saying that. And so Kaspersky's point is there's nothing left to hack when your business is protected. So hacking a fan doesn't matter. So who said hacking a fan doesn't matter? Remember, there are so many things that rotate. Let's say the DVD has roughly 10,000 revolutions per minute, right? And the car wheels are roughly 700 RPM. And for an electric drill, there is around 10K to 50K. So to get a 38 kHz signal, if we drill some holes in the disk, let's say 300 holes, 7,600 RPM is enough. And if it's 150 holes, roughly, the DVD could handle it. As for Amazon Alexa, you can see there are 84 holes on it. It's just a joke. Nothing matters.

So this is an electric drill, and this has 150 holes on the disk. We started with some experiments to calibrate the system and to calibrate the revolutions per minute. And then we did some... let's see this one closely. There are roughly 150 holes on the disk. So we connected it with an electric drill. This is the final result. This one is an infrared emitter that emits a steady infrared light, and this one will cut the light very fast. And the blue light indicates that it's receiving a valid infrared remote signal. So let's see. Turn on. Yeah. Off. On. Yeah. You see that? So if a fan is hacked, maybe we could turn up its RPM and we could use it as a spatial light modulator. It's a bit sci-fi, but I think it's definitely doable.

So what's next? This is a video I borrowed from Twitter. So maybe we could just emit the infrared light onto something like film that is rotated very fast, so it could be used as a physical recorder for infrared light. Yeah. And one more thing: iPhone X. You can see the back cell phone is an iPhone X. The front one is a Samsung Galaxy.
So you can see the right dot is the Face ID. I haven't got a clue how to use it, but I think it's worth research. And this one is from Canon. They also have infrared sensors to detect whether your eyes are closed. Maybe you could use some fancy Phantom cameras with very, very high speed. Actually, have you seen the YouTube channel called Modern Rogue? The people are just in the next room. I just saw them. They have done some very cool demos. Some other techniques, such as a virtual frame technique, can be used; compressed sensing increases the frame acquisition rate, so they can use a slow camera to film faster things. But it has to be a moving object; rotating things, I doubt it. So the next: some opportunities. Maybe we could use this technology to do some spy cam detection or infrared video watermarks or anything else.

So the key takeaways. The first is that the switching rate of the infrared fill light is enough for infrared remote controlling. The countermeasure is we shouldn't directly connect the infrared fill light to the GPIO. At least we should use some filter to avoid it being switched on and off very fast. The second one is the commercial off-the-shelf cell phone camera: the high-speed camera can be used as a potential logic analyzer. And we made a homemade poor man's spatial light modulator. And the final sci-fi thought is maybe we could utilize some supply chain risk so that a regular LED is actually an infrared LED, so that every indicator light is a back door. So we should bring some attention to it. So thank you. Any questions? Any questions? Directions? Questions? Directions?

Hi. Regular IR, I think.

So the question was about a regular LED: is it possible for it to emit in some infrared band? I haven't done the research, but I highly doubt it, because due to the cost-benefit I think the manufacturers will cut the irrelevant emission. Thank you. Any other questions? Okay. Thank you guys.
Hope you enjoy the show later.
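A worked example added after the talk, not code from the speaker or from any project he mentions. It models the two measurements the talk makes with a phone camera: treating each video frame as one sample of the IR LED's on/off state, then (a) decoding the NEC burst when the frame rate is high enough and (b) showing that at 960 fps the 562.5 us bit marks fall below one frame period, so only coarse timings such as the 9 ms header and the 110 ms repeat period survive, which is the "frame 301 minus frame 197" style of measurement from the talk. The camera is a constructed model (`sample_frames`, lit if the LED is on at the frame midpoint); no video is parsed. `nec_encode`/`nec_decode` are a minimal NEC implementation written for this example, and `chopper_rpm` is the hole-count arithmetic from the drill-disk chapter. Address 0x04 / command 0x08 is an arbitrary constructed code.

```python
"""Added example: high-speed video frames as logic-analyzer samples of an NEC IR burst."""

NEC_HDR_MARK = 9000.0       # microseconds; the 38 kHz carrier is "on" here
NEC_HDR_SPACE = 4500.0
NEC_BIT_MARK = 562.5
NEC_ZERO_SPACE = 562.5      # bit 0: 562.5 on + 562.5 off  (50% duty)
NEC_ONE_SPACE = 1687.5      # bit 1: 562.5 on + 1687.5 off (25% duty)
NEC_REPEAT_US = 110000.0    # burst-to-burst period while a key is held


def nec_encode(address, command):
    """NEC burst as (level, duration_us) runs: header, then address, ~address,
    command, ~command (each LSB first), then a stop mark."""
    payload = [address & 0xFF, ~address & 0xFF, command & 0xFF, ~command & 0xFF]
    runs = [(1, NEC_HDR_MARK), (0, NEC_HDR_SPACE)]
    for byte in payload:
        for i in range(8):
            runs.append((1, NEC_BIT_MARK))
            runs.append((0, NEC_ONE_SPACE if (byte >> i) & 1 else NEC_ZERO_SPACE))
    runs.append((1, NEC_BIT_MARK))
    return runs


def _near(value, target, tol=0.3):
    return abs(value - target) <= tol * target


def nec_decode(runs):
    """Return (address, command), or None if the runs are not a valid NEC burst.
    30% tolerance absorbs +/- one frame of quantisation at a high frame rate."""
    if len(runs) < 67:                      # header (2) + 32 bits (64) + stop (1)
        return None
    (l0, d0), (l1, d1) = runs[0], runs[1]
    if not (l0 == 1 and _near(d0, NEC_HDR_MARK) and l1 == 0 and _near(d1, NEC_HDR_SPACE)):
        return None
    bits = []
    for i in range(32):
        (lm, dm), (ls, ds) = runs[2 + 2 * i], runs[3 + 2 * i]
        if lm != 1 or ls != 0 or not _near(dm, NEC_BIT_MARK):
            return None
        if _near(ds, NEC_ZERO_SPACE):
            bits.append(0)
        elif _near(ds, NEC_ONE_SPACE):
            bits.append(1)
        else:
            return None
    b = [sum(bits[8 * n + i] << i for i in range(8)) for n in range(4)]
    if b[1] != (~b[0] & 0xFF) or b[3] != (~b[2] & 0xFF):   # inverted-copy check
        return None
    return b[0], b[2]


def sample_frames(runs, fps, lead_us=0.0):
    """Constructed camera model (assumption): one bool per frame, True if the
    LED is lit at the frame midpoint. lead_us of darkness precedes the burst."""
    period = 1e6 / fps
    intervals, t = [], lead_us
    for level, dur in runs:
        intervals.append((t, t + dur, level))
        t += dur
    frames, i, k = [], 0, 0
    while (k + 0.5) * period < t:
        mid = (k + 0.5) * period
        while i < len(intervals) and intervals[i][1] <= mid:
            i += 1
        frames.append(i < len(intervals) and intervals[i][0] <= mid and intervals[i][2] == 1)
        k += 1
    return frames


def frames_to_runs(frames, fps):
    """Collapse frames into (level, duration_us) runs, dropping dark frames
    before the first and after the last lit frame."""
    period = 1e6 / fps
    runs = []
    for on in frames:
        level = 1 if on else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += period
        else:
            runs.append([level, period])
    while runs and runs[0][0] == 0:
        runs.pop(0)
    while runs and runs[-1][0] == 0:
        runs.pop()
    return [tuple(r) for r in runs]


def burst_starts(frames, fps, min_gap_us=20000.0):
    """Frame indices where a burst begins after >= min_gap_us of darkness;
    (b - a) / fps is the frame-difference timing used in the talk."""
    period = 1e6 / fps
    starts, dark = [], 0
    for idx, on in enumerate(frames):
        if on:
            if dark * period >= min_gap_us:
                starts.append(idx)
            dark = 0
        else:
            dark += 1
    return starts


def chopper_rpm(holes, carrier_hz=38000):
    """Spindle speed for a disk with `holes` holes to chop steady IR into carrier_hz."""
    return carrier_hz * 60 / holes


def demo():
    burst = nec_encode(0x04, 0x08)                      # constructed sample code
    held = burst + [(0, NEC_REPEAT_US - sum(d for _, d in burst))] + burst
    fast = frames_to_runs(sample_frames(burst, 20000), 20000)
    slow = sample_frames(held, 960, lead_us=30000)      # phone super-slow-mo rate
    a, b = burst_starts(slow, 960)[:2]
    return {
        "decoded_at_20000fps": nec_decode(fast),
        "decoded_at_960fps": nec_decode(frames_to_runs(slow, 960)),
        "repeat_period_ms_at_960fps": (b - a) / 960 * 1000,
        "header_mark_us_at_960fps": frames_to_runs(slow, 960)[0][1],
        "rpm_for_300_holes": chopper_rpm(300),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

At 20,000 fps every mark and space is quantised to within one 50 us frame and the code decodes; at 960 fps a frame is about 1.04 ms, longer than a bit mark, so the decoder rejects the run list and only the header length and the burst-to-burst period are usable, which is why the second remote in the talk (shorter pulses) needs an under-sampling recovery approach rather than a per-frame sampler.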