Again, thank you all for coming. A couple of years ago, I was doing some work as a consultant and I was approached by a power company saying, we're deploying these smart meters and we hear that you like to break things. We'd like them broken and they paid a good amount of money to invest in a lot of things including standards on how to do secure computing and, yeah, I know, boring. But it paid the bills and they got me lots of gear and they paid me to poke at it and have fun. So I figured the standards work was kind of the crap of the job and I got a whole bunch out of it. One of the things that I ran into, in fact, that's one of the things that got Mr. Cutaway here and I to do work together some. Who here went to his Eye of the Meter talk at Black Hat or DEF CON? Have you seen that? Sweet. Very good. Oh, Saturday, what? Yeah, get your time machines. If you don't have one, you do have time to build one if you head over to the hardware hacking workshop. But, yeah, Sunday at noon, he's giving the talk again here about using optical ports to break into meters. Today, hi. We'll talk more about the wireless side. One of the most annoying parts about attacking a power meter, or coming up with actually a plan of attack, because there was no such thing three years ago, the annoying thing was all the attacks that we could do, there really wasn't a tool that you could build on very easily and turn it into a network adapter to talk to power meters. And since the majority of what was interesting about power meters was over their wireless mesh networking, this is a pretty big gap. In fact, trying to scope gigs became a real problem because how do you wrap a ton of research into one engagement? Well, turns out, the power company that came to pay me was more than happy to invest in a great deal of that. Oh, you're going to do that? Okay. Getting screwed up here. And they invested in me working with a team growing us in sub-gigahertz radio. Why?
Because like one tenth of all power meters are running in over a gigahertz and everybody else is running in typically 900 megahertz. So what the heck is this sub-gigahertz thing? Many of you know that the FCC and actually outside of them globally, the international ITU, have put down regulations on frequency. This is so that your cell phone, for example, doesn't get cut out by somebody's hair dryer and an overpowered CB doesn't tend to break into your television. They realize that broadcasting into the air is kind of a freedom, a rights, a liberties issue, right? I have the right to transmit but rights have to end when they stop on somebody else's rights, right? Unless they're mine, of course, because my, no, sorry, just kidding. So the FCC has regulated many of the frequency bands that we use in the United States and probably will as we discover new bands and probably move into quarks and other really cool things that we don't know much about yet. And they have designated several bands ISM. Who can tell me what ISM is? Just shout it out. I love that it's like a round. Industrial, scientific and medical. Yes. This is an unlicensed band that the FCC says, as long as you are within these guidelines, you don't transmit more than this amount of power, or if you're going to go over that, up to this amount of power and you hop over a spread spectrum, we don't need any licensing. Ham radio folk, what's that about licensing and the ISM bands? Well you see, we hams, by abiding by other rules, are allowed to transmit with more power, we get to do other cool things and we have a lot more frequency at our fingertips. But most companies don't have that, they have to pay a lot more for it. So they like to stay in the ISM bands.
Your original cordless telephone, for example, 900 megahertz, then they bumped into one of the upper ISM bands, the 2.4 gigahertz range, and your microwave started, your cell phone and your wifi access point and your cordless phone were all competing for band and then the microwave took them all out. So what else is using ISM? We have insulin pumps and other medical devices and trust me, not everybody who wears them is that. Good looking. We have the little CB replacements, you know the ones that we use, thank you my son, you may go in peace. Yes, that is mine. Suitcase, big, big, big, big freaking suitcase. Sorry, this will get more amusing, trust me. So a little pink girl toys, a little instant messaging, you know, hey, not on the real internet so that stalkers can't get, oh what the heck, stalkers can buy IMEs too. Power meters, our own devices, the things that we create, especially in this audience right here, the things that we create is a big deal. I got a buddy of mine here who likes do-it-yourself copters and he's built a great deal of really cool things and he just hands me something in black and he says, that's my target. Show me how to go break it. So really cool stuff. TI is making a push. Their TI Chronos watch is an evaluation kit, you know, not because everybody wants to wear around something that bulky but it shows developers how they can implement MSP430-based radios much like what we're going to be talking about here today and transmit or receive in sub-gigahertz. Now it's kind of lame, they have a boot loader that they can flash the watch wirelessly. Yay. I'm thinking wirelessly attacking power meters from my watch. Don't bother. It should be going. Is it number two? I am a game one. Very cool. So how do we play with it? I mean it's really cool to talk about things but unless I can twiddle with it, I don't really find it that interesting. I'm that kind of a learner.
Well in the early stages of my research into sub-gigahertz talking, I thought it would be really easy and my crew and I were sitting down with a little pink toy saying how do we make that break into a meter? And it set us down a road which ended up with me actually, Cutaway here, showing up with this stupid little green thing instead of a really cool pink thing. The stupid little green thing had these pins sticking out of it. It looked like something out of Frankenstein's wireless brochure. And it turns out it's a ChipCon CC1111, microcontroller, radio and USB controller all wrapped up into one. After about two months of banging our head up against pink stuff, I just started writing a library and thinking yeah I can do that. I've written emulators, I've written disassemblers, blah blah blah. Let's just follow this back and read the documentation. And it was a great learning experience. It was amazing actually. I still have my head shaking and it's distracting. But it was not easy. The documentation covered the semantics of how the thing did its task and expected me to know everything there is to know about USB and I knew nothing at the time. So that begat the CC1111 USB project, probably up on Google Code still, that basically allows the computer to talk to this microcontroller and that's about it. I mean it's just poke memory here, peek memory there, whatever. It was a good base. And I started adding some more functionality into it and I came up with what I affectionately call RfCat. RfCat supports the little ugly beautiful thing up there in the corner, the green one. That is a ChipCon CC1111 evaluation module. If you've bought a TI Chronos watch, you'll recognize this picture down here in the lower right corner. The watch, a CD and two dongles, one to flash wired and one that's just a really awesome hacking wireless toy that's used to flash the watch. And then I still really have an affection for the pink girl toy.
So we have invested a great deal of work into its firmware as well. You see the picture there. That is Mike Ossmann's spectrum analyzer firmware actually running. He's an amazing guy. And you'll notice also in the lower right hand corner a GoodFET. Travis Goodspeed, if you're here. Chow, awesome. There's some catches to sub-gigahertz wireless. It's not all fun and games. The tool that I'm putting out will allow you to go learn and attack. But it may take some tweaking. It may take some coding on your part. Why? Because everybody thinks that their way is the best. And they've done about a bazillion different ways of sub-gigahertz wireless. It's very interesting with frequency hopping spread spectrum, which we'll talk about in a few minutes. One thing to point out, just because we're in the sub-gigahertz range, the 900 megahertz range or whatnot, does not mean that we will be able to talk to everything. There are two different types of frequency hopping that I will get into later. And one is simply not compatible with RfCat at this time. So why do you care? Why are you here and not walking out? Well apparently some people are here and not, just kidding. I personally think that most of us, if we have any technology bent at all, we marvel at the power of radio frequency. I do. It's distracting. If you're a security researcher you may find that you, like I have, need to go poke at stuff. And even if you're not a security researcher but you maybe are a security professional at a large manufacturing plant perhaps that runs Telsang gear, you may find that you need to prove to your bosses that the Telsang gear is running Telnet. Clear text over the wire. Hello. All right. Since we are crammed in time anyway and I didn't want to cut the value from the slide deck so that you can take this with you, I'm going to blow through slides. My email address and my, did you see my email address on the front slide? If not, we'll go back to it later. Email me. Seriously.
This is an awesome area. I want to keep working on it. Anybody who is familiar with the 8051 core will know most of what that means. It is the most popular microcontroller in the world. It's been sucked into everybody. It's like the BSD license of microcontrollers. The microcontroller is the thing that you control and you write code for and you control its entire execution. However you have this peripheral that's called a radio. It's the 1101 radio core that TI ChipCon puts out and it has its own state engine. It's got its own code that it follows. So you and your firmware have to tell it go into TX mode. I want to transmit, and then wait for it to actually get there. Then you tell it to go to idle mode and you have to wait, and at times it has its own error modes that it will go into. So keep in mind, there are two different things going on within RfCat. Configuring this thing is actually very interesting. I like low level programming because I like the idea of sticking bits into a register and having them actually make real things happen. So these registers are the ones that make the radio work the way that it does. TI basically took everything that they wanted to do in a sub-gigahertz range in almost every kind of modulation that they wanted to use and they wrapped it all into one radio and let you just configure the snot out of it. And then they gave you SmartRF Studio, which after many hours of banging our heads up against a wall we realized is the answer to learning how different configuration items impact each other. If you have troubles and you're doing your own really hardcore stuff with RfCat, like your own firmware and doing really interesting configurations, you might want to check SmartRF Studio and kind of get to know how things relate. For those of you that could be developing, I included this slide. We're not going to go over it but it basically lays out the internal firmware API and how to use it.
So what do we want to know when we're hacking wireless systems? There's a checklist. If you're going to do some research you've got to know, do I know enough to even go poke at this thing? Could I possibly hear it if I just set it to a channel and listen? First of all you need to know the frequency, or in a frequency hopping system you need to know what frequencies are used and, if you can, how they're used. I'll talk about that in a bit. Modulation. So who here listens to AM radio? Besides the hams, who here listens to, like, 90... hams go down. You remember AM radio? You remember going to a drive... no, you guys wouldn't remember a drive-in. At a drive-in it was really cool because you used to have this thing you set out the window, I mean I was like five years old, and you rolled down the window, you set this thing there and it'd speak into your left ear. It was kind of annoying. And then they got cool, they did AM radio broadcasts and you could hear the movie in AM radio until like whatever distortion might happen to hit and you hear, Hello Batman. AM radio is represented today in wireless hacking. FM radio is represented today in wireless hacking. You may not have heard of it, it's called amplitude shift key and frequency shift key; see, they threw on that SK there so that you didn't think, hey, my radio, cool, let's tune into whatever radio station. Intermediate frequency. Anybody heard of superheterodyning, or heterodyning and superheterodyning radios? Yeah, hams, you can show it. This is the idea of slingshotting a frequency from its original up to a target. So let's say that you have a radio that you want to deal with in your... it's a low frequency radio signal. This is very common because the components that operate at low frequencies are cheap and they're accurate. And then using heterodyning, which means mixing in a different frequency and getting the difference on both sides, as transmit, or actually receive works the same way.
And then filtering out the signal that we don't want, we're able to actually just move the frequency to where we want. We'll talk more about that later. Intermediate frequency can impact the quality of your radio signal. Baud rate. We'll talk about baud rate in a minute. Channel width, spacing and hopping. What kind of bandwidth filter you need? These are things that are just really all about radio. And if you don't like radio, well, you might not want to be at the talk, but I think you probably do. Sync words. Typically, to block out noise, radios will look for a specific byte pattern or bit pattern and when it sees this bit pattern it says, all right, this is the start of frame delimiter. It's right here, and then anything we receive after that is actually a wireless, an RF, frame. What kind of length goes into this? We'll talk about this in a minute. CRC, data whitening, other encoding mechanisms, things that allow us to reduce error and reduce the number of things that we see that we don't want. Many frequencies are interesting but these are the most at this time. That is the right one, sir. Thank you. Everybody give Paul Nelson a hand. Thank you. Or do you go by Duncan. So 315 megahertz. Very popular. You may have 315 megahertz stuff in your pocket right now. Most of you own American cars, I'm going to imagine, and they almost all come with remote keyless entry systems and they almost all live at 315 megahertz. 433 megahertz also; actually a lot of European and other nations, they like to put their cars on 433. Medical devices like to live here too. 868, 900, 915 center, it's 902 to 928. They are just like everything. So I told you cordless phones. They cover parts of cell phones and other industrial equipment, maybe even your power meters. 2.4 gigahertz. Yeah, you guys have never used that. And 5.8. A little example of modulations here. I cover the three main sections that the ChipCon CC1111 supports. FSK, remember? FM radio. Only in a digital world.
There's ASK, AM radio of the digital world. And MSK, minimum shift key. It's something that allows for much higher bandwidth or much higher speed. So look at the top picture. You'll see frequency shift key. You notice in the time domain the waves are really fast and then they slow down. They get really fast and they slow down. That is called a deviation from the frequency. And that deviation is used to figure out when you have bits, zero or one. Your ASK, and also another well-known one that's used for everything called OOK. It's a special form of ASK. So why don't you ASK me a question? What's OOK? On off keying. Yes. So amplitude shift key, as you can see in the picture, has high power fluctuations of waves and then lower power and then high power and lower power, which is why it's more susceptible to distortion because the power tends to fluctuate anyway by a passing wave of solar activity or whatever. On off keying is basically if there's wave it's one or zero and if it's not then it's the opposite. Now minimal shift key, if you look at this bottom thing you'll notice that you really can't tell that there's any modulation going on and that's because it is so fine that it actually is hard to tell. But if you count the loops you'll actually see that it shifts by half of a, by half of a hertz in that picture between the different sections. And GSM actually uses MSK. Intermediate frequency. We mix the local oscillator with our radio transmitter and if we have a, for example, okay, example here, a power meter system has a 900 megahertz, a sub-gigahertz radio actually very similar to what I have. They're operating in the 900 megahertz range by spec. They operate the radio at 400 megahertz and they've got a local oscillator they're mixing in at 1.3 gigahertz. Do the math. Plus or minus 400 megahertz from 1.3. Yell it out when you got it. 900 megahertz and 1.7. So they throw a filter so that 1.7 doesn't actually go anywhere and they've got their 900 megahertz.
Now they said that this was for modularity and the ability to change. I think they're just being in pain. Who here had a 1200 baud modem? How about 300? No, no, no, 1200 that drops to three doesn't count. 150. Yeah, I see still a few hands. Yes, thank you. I'm glad other old people are here. 450. Anybody, anybody 410? Just for the sake of obscurity? 110. All right, cool. Well, the concepts behind the modem that provided you that amazing addiction of computers talking to computers remotely. The addiction has continued, I believe. The same concepts are used here in radio. If you think about it, what are we doing? We are sending an analog signal, right? How do we send bits that are digital over an analog signal? We modulate it. How do we get the bits off? You demodulate it. Modem. In my research, I've seen a lot of 2,400, 192, 384, and 250,000 baud. Among a few others, I ran into a couple that I won't mention, but there's some really weird ones out there. Make no mistake, I am working hard to make RfCat the one tool that you need to attack things. But in reality, I use a FUNcube Dongle for some of the research that I do and other software-defined radios that allow me to look at and measure the distance between things so that I can tell modulation and baud rate. Channel width. So in a channel hopping system, let's just take, for example, a 902 to 928 channel hopping system. We break up the frequency range into different channels and we give them specific amounts of space. A, because a strong signal is going to actually take up more than just that frequency that you're on. And B, because we need to know between different radios where the next guy, where the guy is going to go next. So your Wi-Fi hops over a set number of channels and so does your ZigBee. In fact, ZigBee and Wi-Fi live in the same frequency range, at least for 2.4. They just have different channel sets. And the ZigBee spec was at 15.4.
The 15.4 spec that ZigBee is based on actually chose their hopping pattern, or their hopping channel bandwidth, so that it would interfere as little as possible with Wi-Fi. Bandwidth filter. What's a filter do? Keep stuff we don't want to see from getting in, right? Anybody with young kids, you may have an internet filter. They typically don't work very well but they can. What's the same here? We will always have noise. There's radio going on all around you, even that we didn't create as people. So we want to focus our radio receiver into just what we need to see what we want. If we open it up too far, we have too wide a bandwidth filter, we get too much noise. Or a lot of noise anyway. The higher layers of our programming have to deal with that. If we get too small, then we start clipping and we don't actually get the data as we want. We start getting bit errors. Another configurable part of the radio that helps us only get what we want to get is called a preamble. And I talked about sync words just a few minutes ago. A preamble is defined as a logical bit one and a logical bit zero in succession over and over and over and over and over and over again at a particular baud rate that your modem will understand. The packet subsystem of the radio will look for this preamble. And after a particular preamble quality threshold, in other words a certain number of ones and zeros in succession, then it says okay, I'm going to look for a sync word. Because if there's just a couple, then that doesn't necessarily mean that we've got radio. We can tune the preamble quality threshold to zero if we want. And we can set how the sync word detector works. There's several different things about the sync word detector that need to be understood. We can configure that thing to nothing. So it just doesn't look for anything and hands any bits that the radio wants up the channel. What's this good for?
Well, it's good for seeing if all of, if your pipeline of data is working, because it just floods into your client. It's also good for generating fairly random noise, right? And what does fairly random noise help us with? Crypto. There's also a carrier detect setting. This means I don't care about bits, zeros, ones, sync words, whatever. I just want to see power on the radio band. So even before it receives data, you've got a carrier wave and as soon as it sees the carrier wave, it then starts sending data into your client. You can also set, and very commonly you'll see, 15 of 16 bits of what we received in the air match the sync word. So you set the sync word, 0x0C4E is a common sync word for TI. And let's say you get 0x1C4E. In this mode, that would be enough. You've also got 16 of 16 bits so that it's got to be perfect. And you've got 30 of 32 bits, which actually says, and this is important, every time I transmit, I'm going to send the sync word twice. And when I receive, I'm going to look for it twice. You'll notice at the bottom of these slides, there are registers and these are the registers that control these things. RfCat tries to shield as much of this as possible from you, but it's good to know. Every system does its own thing, right? At least in this space. So some systems are set up using what's called variable packet length. Variable packet length indicates, according to the TI radio anyway, the first byte that's received after the sync word is a length byte. And then from thereafter, that is the length of that packet. It's very good for dynamic data and not blowing a whole bunch of bits that aren't necessary with padding. It can be kind of arbitrary and not necessarily supported by every radio. But it's a good option to have.
Fixed length packets are far more common and when you're doing attacks and finding out what a system's actually doing, you're probably going to actually just want to use fixed length packets and set it to something low but large enough that you can identify, that looks kind of consistent with the packet that I just saw before it. It's about spreading a wide net and then narrowing down as we can determine different aspects of the radio talking. So yes, CRC, whatever. We all know CRC, right? Well, you see, the radio actually implements one type of CRC. One of the systems that I'm attacking in my spare time is actually using no CRC on the radio even though the radio supports this kind of CRC, because they've chosen their own method and they do it in software and it doesn't matter. The chip simply makes one particular type of CRC available to you. Cutaway, how many types of CRC have you been working with lately? SmartRF Studio. Now we had a conversation a couple months ago and he was working with a library that had like 16 different types of CRC with different bit sizes and iterations and starting points. Data whitening, otherwise known as the nine bits of pain for us attackers. Why? Because you get a pseudo random sequence that gets XORed with the actual data. Why? Security? No. Truth be told, the ideal bit pattern to go over radio is random bits because a long set of zero bits can introduce timing errors. So every radio, every computer that's owned, the clocks are all perfectly synced, right? And they all keep track of time at the exact same time. Heck no. There's interference, there's batteries that are dying, there's actually, did you know that on your PC if you run it extra hard at 100% CPU, your clock will slow down? No, that is not a good way to push the hands of time back.
So data whitening allows us to XOR the data with a pseudo random pattern, which makes it pretty cool over the air and pretty easy to identify bit errors, but it makes it kind of a pain for us because we were hoping to see that C12 packet going across the air and instead we got some garbage and have to dig in and do more reverse engineering. There are various encodings that help, also help with bit error rates. The Manchester encoding is actually a very powerful one that says that between any two bits, be they one or zero, there will be, I'm sorry, let me back up, in the timeframe of any bit there will be a transition. So if you have a zero, the transition will, well, follow each spec, and as you can tell there are a couple of different specs listed up there. In the top one, there's Manchester encoding according to, I should look at my own instead of yours, according to GE, and then on the bottom, in the opposite fashion, who knows why, patents probably. The exact opposite, which is put out by some hack known as IEEE 802.3. The idea being though, you've got a consistent transition that provides its own clock and synchronization problems go away a lot easier with Manchester than any other. Forward error correction. There are a couple different types of this but the idea is you take the raw data, you take parts of the data and you do manipulation calculation on them and add bytes so that at the other end, bits can be verified and some bits, a certain number of bits, can actually be recovered. Very similar to what goes on in ECC for your memory and other things like that. The convolutional form of this is supported by the chip for RfCat. I've seen some Reed-Solomon forward error correction but I've seen that in firmware because it's not supported by a lot of chips. The ChipCon CC1111 also provides you a built in ASIC AES encryption, AES-128. It's good enough for a low power device and I just kind of like looking at the AES crib sheet there.
It makes so much sense. Wouldn't want that one during a test. I wanted to give you an example of what it looks like to look at TI documentation for a register. You'll notice this one is for modem configuration two and they've got several bits set off for each field. So the top one is the DC filter and it turns off or on. Modulation is set in bits 4 through 6 and you simply OR the register with the bits you want in there and AND it with the ones that you didn't want and you get a number that matches what you actually are after. I'll leave this to your enjoyment later. So how do we figure this out? Well, open public documentation is a great form to start your research. Reconnaissance of, for example, documentation of the device you're hacking. One of my very best friends is a diabetic and it turns out his insulin device was the one that was hacked last year at Black Hat. Yay. And I picked up the document and they include the frequency that the communication goes on at in the user documentation, because all diabetics need to know that they're operating in the frequency. If you can find an open source implementation, this is another great way to go after like public specs. Maybe it's an IEEE spec but you can just take the Linux source code and read through and then figure out how it works and implement it yourself. That's excellent stuff. Public but harder to find. There are links on here. They're on your CD. Bookmark them because they were a bitch to find. FCC is not discoverable through Google. Let me say that again. You can't find FCC filings of any real interest going through Google. You need to go to that website. Transition.fcc.gov. In fact I think it might have changed but this points to it so check it out tomorrow. It's no longer transition. Patents. Some of the most amazing frequency hopping systems that I have been reading about have been read about through patents, because everyone thinks that theirs is the best way.
And even if they don't, they, who knows, sucky stuff has happened and gone public. Ethernet for example. Token ring was way better. Theoretically. Ethernet was cheap and easy. Well, we know who won. I read a French patent on how to talk to one meter. It was in English. And I've found several other meter type patents there for your enjoyment. Reversing hardware. It gets a little bit more intense and it's not as frequent that it's easy. Like finding a patent, it's either there or it's not. Harder reversing. You stick in a lot of time and hope that it works out. If the radio is different than the microcontroller driving it, this is a good thing. Tap the lines. Figure out what data is going back and forth, configuration or otherwise, and do your own analysis. Hopping pattern analysis. This is a long topic I won't be going into today. Trial and error? Well, for radio frequency parameters, trial and error is pretty good actually, if you've got some insight into the spectrum, if you've got a good spectrum analyzer, for example, which I wrapped into RfCat as of Saturday last. MAC layer. Understanding the MAC layer and the network layer of any device, if it's not TCP and Ethernet, you might have to do some digging, looking for, you know, talking to the vendor, see what specs they fulfill. Everybody wants to say how standard they are. So hey, they might help. A little intro to FHSS. The FCC said if you want to transmit over a certain power, then you need to spread out your signal and only spend a certain fraction of time on any one given channel over a 20 second period. This has helped a lot of systems be more resilient to noise and it's been a real fun one for RfCat folks like myself. The humor behind RfCat is that it all got started while I was at DistribuTECH a few years back and I'm talking to a vendor trying to see how they are feeling about their security stance and they're like, our frequency hopping spread spectrum is too fast for hackers to hack.
And he was trying to sell to me. He didn't even know who I was. Whatever. Oh, my word. So this is how I got the passion and the fire under my butt to get to where this is. I've only got a couple more minutes here so I'm going to leave on a little Nevil Maskelyne. Back in 1903, an article hit Slashdot about eight months ago. Back in 1903, Giacomo Marconi. Marconi was, same Marconi that you buy equipment from today, same company. He was about to give a demonstration on how he could transmit a wireless signal from one location to another over a great distance of several miles using a channelized radio signal that was virtually private. You had to be able to tune your radio specifically just right to be able to transmit and receive the signal, making it a virtual private network. About five minutes before the demonstration was about to begin. I mean, people, peers all over in the industry. They were just in an audience just like this. And Marconi's assistant was sitting there getting the gear ready and suddenly, five minutes early, they start hearing Morse code tapping. Somebody in the audience who was very good at Morse code started listening and chuckling because the Morse code coming across was mocking Marconi. Because Marconi was an idiot. He made tons of money. Let that be a lesson to you. You don't have to be smart to make money. You just need to, yeah, something. So Nevil Maskelyne a couple days later came forward and said, yeah, I did it. Now a little bit about Nevil. He was in a circus family. And in the circus he had learned radio tricks because of their entertainment value. You get the tricks where you're able to wirelessly communicate to somebody on stage about who is what or things of that nature. So he was one of the original hackers of wireless systems. So he said, yeah, sure, I did it. You're a fool. You don't have any virtual private network. I just broadcast a powerful signal and took over your current arrangement.
And his response, epic, I will not demonstrate to any man who throws doubt upon the system. And on that note, I will leave you with this thought. It is our responsibility to validate the security of the systems that we rely upon. Your best friend may be the first death by medical device attack. Thank you.
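The packet pipeline the talk walks through (Manchester chips in the two opposite conventions, the "nine bits of pain" PN9 whitening XOR, and sync-word detection at 15 of 16, 16 of 16 and 30 of 32 bits ahead of a variable-length packet) as a worked example added for this transcript. It is not RfCat's code; the LFSR polynomial x^9 + x^5 + 1 seeded with all ones is assumed from the CC1101/CC1111 data sheet, the "GE" convention is taken to be the G.E. Thomas one, and the on-air capture is constructed here.

```python
"""Bit-level stages of a CC1111-style packet pipeline, done by hand on bytes.
Example code written for this transcript, not RfCat's own."""

# Manchester chip tables. The convention the talk attributes to GE (G.E. Thomas)
# is 0 -> 01, 1 -> 10; IEEE 802.3 is the exact opposite. Each data bit becomes
# two chips, so every bit slot contains a transition the receiver can clock on.
MANCHESTER = {
    "ge": {0: (0, 1), 1: (1, 0)},
    "ieee": {0: (1, 0), 1: (0, 1)},
}

# Sync-word match modes from the talk: (bits that must agree, bits compared).
SYNC_MODES = {"15/16": (15, 16), "16/16": (16, 16), "30/32": (30, 32)}


def _bits(data):
    """Unpack bytes into a bit list, MSB first (the order the radio shifts them)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _pack(bits):
    """Pack an MSB-first bit list back into bytes; length must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def manchester_encode(data, convention="ge"):
    """Return the chip stream (twice the length of data) for one convention."""
    table = MANCHESTER[convention]
    return _pack([chip for bit in _bits(data) for chip in table[bit]])


def manchester_decode(chips, convention="ge"):
    """Recover data from chips. A 00 or 11 pair means no transition in that bit
    slot, which violates the clock-recovery guarantee, so it is reported as a
    bit error instead of being silently decoded."""
    table = {pair: bit for bit, pair in MANCHESTER[convention].items()}
    cbits = _bits(chips)
    out = []
    for k in range(0, len(cbits), 2):
        pair = (cbits[k], cbits[k + 1])
        if pair not in table:
            raise ValueError(f"no transition in bit slot {k // 2}: chips {pair}")
        out.append(table[pair])
    return _pack(out)


def pn9_whiten(data):
    """XOR data with the PN9 sequence. Assumed LFSR: 9-bit register seeded with
    all ones, polynomial x^9 + x^5 + 1, output taken LSB first per byte; the
    first bytes come out 0xFF 0xE1 0x1D. XOR is its own inverse, so calling this
    on whitened data de-whitens it."""
    state = 0x1FF
    out = bytearray()
    for byte in data:
        pn = 0
        for i in range(8):
            bit = state & 1
            pn |= bit << i
            feedback = bit ^ ((state >> 5) & 1)
            state = (state >> 1) | (feedback << 8)
        out.append(byte ^ pn)
    return bytes(out)


def sync_match(received, sync, mode="16/16"):
    """Compare a received 16- or 32-bit window against the sync word. In 30/32
    mode the transmitter sends the word twice, so the expected pattern is the
    word repeated and up to two bit errors are tolerated."""
    need, width = SYNC_MODES[mode]
    expected = sync if width == 16 else (sync << 16) | sync
    mismatches = bin((received ^ expected) & ((1 << width) - 1)).count("1")
    return width - mismatches >= need


def find_packet(stream, sync, mode="15/16"):
    """Scan a raw bit stream (preamble, sync word, then a variable-length packet
    whose first byte is the length) and return (bit offset of the sync word,
    payload bytes), or None if no window passes the sync check."""
    bits = _bits(stream)
    need, width = SYNC_MODES[mode]
    for offset in range(len(bits) - width - 8):
        window = int("".join(map(str, bits[offset:offset + width])), 2)
        if not sync_match(window, sync, mode):
            continue
        body = bits[offset + width:]
        length = int("".join(map(str, body[:8])), 2)
        if len(body) < 8 + 8 * length:
            return None  # sync found, but the packet is truncated
        return offset, _pack(body[8:8 + 8 * length])
    return None


# Constructed on-air capture: 0xAA preamble (alternating ones and zeros), the
# talk's 0x0C4E sync word with one bit flipped to 0x1C4E, a length byte of 3,
# then a three-byte payload. It passes in 15/16 mode and fails in 16/16 mode.
CAPTURE = bytes([0xAA, 0xAA, 0xAA, 0xAA, 0x1C, 0x4E, 0x03, 0x01, 0x02, 0x03])

if __name__ == "__main__":
    print(find_packet(CAPTURE, 0x0C4E, "15/16"))  # (32, b'\x01\x02\x03')
    print(find_packet(CAPTURE, 0x0C4E, "16/16"))  # None
    print(manchester_encode(b"\xa5", "ge").hex(), manchester_encode(b"\xa5", "ieee").hex())
    print(pn9_whiten(b"\x00\x00\x00").hex())  # ffe11d
```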