So, the talk today: controlling IoT devices with crafted radio signals. So my name is Caleb Madrigal. By day, I work for FireEye slash Mandiant doing some awesome IR software. My public handle is Metim. You can't know my private handle. Website there. I'm a ham radio operator, WuHack. Bit about me. I've been programming for around 18 years. Mostly for fun originally and then, you know, for pay later. I really enjoy like mathy and hacky kind of stuff. So like signal processing, machine learning, AI, you know, that kind of stuff. I find it really interesting being able to like hear the unhearable or see the unseeable. So you can do stuff like that with math, and I don't have like a big math background, but I like it when it helps me do awesome stuff. Ontologically, I guess the best way to describe myself is as like a Christian mystic. And then I like, you know, arts and music and that kind of stuff. This talk was kind of hard to come up with a title for. So, you know, I played around with a few titles like intercepting, modifying and generating wireless signals with SDR. How digital data is transmitted wirelessly. Controlling wireless IoT devices with crafted radio signals, which is what I went with. But another way, maybe a good way to describe it is how the OSI physical layer works and how to attack it. So today we're going to be exploring a few different attacks on wireless systems, wireless digital systems, which we're going to look at a few concrete examples, but these attacks should apply to many, many different areas as you'll see. Bit of background on kind of what led me to doing this talk. So I kind of came in from like three different directions. So the first one, well, so IoT, music theory and wireless hacking. So with IoT, I kind of got into IoT before I knew it was called IoT stuff. Obviously buzzword bingo. But so I ended up making like a little home security system out of like a Raspberry Pi and like this little wireless control system. 
So like I bought this little $20 pack of wirelessly controlled outlets at Home Depot. You know, it's 20 bucks. You have this remote which you can turn the switches on and off with. So, you know, I was like, hardware hacker time. Break it open, you know, take out the little control unit. Basically I snipped off these little tactile switches and soldered in some transistors and voila. You know, you have an IoT device. A little more programming. But the second thing that brought me to this kind of stuff is music theory, which would sound probably ironic or not fitting. But like a few years ago I was just like looking at a keyboard. And I was like, why are the black keys not evenly spaced? You know, you could have like six white keys and six black keys, but there's five black keys and seven white keys. So like it led me into this whole like rabbit hole of exploring like sound analysis, wave theory. And so, you know, but I kind of learned some of the math of like Fourier transform stuff and all that kind of stuff, which really interestingly applies very, very well for radio hacking. And this is like a spectrogram of me singing like do, re, mi, fa, so, la, ti, do. Something like that. The last, here all day folks. The last, and the last thing was just wireless hacking. So for a while I've been into wireless hacking. I think it's really fun. One thing I like about it is that often when you find like a wireless protocol attack, it's not something that you can just fix with a binary patch. It's often, often you're dealing with systemic problems when you're doing wireless hacking, which is really cool because, you know, when you find them, they don't really get patched, which is kind of cool. So for example, I did a talk earlier this year at Cyphercon in Milwaukee on basically like using 802.11 monitor mode to figure out like if a wireless security camera has detected motion even without being connected. So, you know, put out software for that. 
So anyway, wireless hacking, music theory, and then all the other stuff. That's kind of what brought me to doing this kind of stuff. You know, if you see me in a coffee shop, you might find me looking like this. Fran took this photo a few months ago. People like don't like it when you have huge antennas for some reason at coffee shops. I don't know why, but. And anyway, so, you know, doing the wireless hacking of other types, you know, ARP poisoning and all that kind of stuff. I always had, you know, looked at the OSI layers and like way down here, the physical layer, it's always been kind of this like black box. And so this talk, the goal is really to demystify that black box for you and show the kinds of attacks that you can do at the physical layer. So this type of stuff is super exciting to me. I feel like kind of like it's like magic or something. So, you know, I feel like saying, it sounds like some kind of like, you know, new age religion or something, like harness the invisible energy all around us, you know. It feels like Star Wars or something. There's this electromagnetic radiation all around us, right? It's here in this room. It penetrates us. If you know how to make secret, these secret codes, you can like manipulate it to make things happen in the physical world. I mean, it's like the closest thing to like a magician or something like that that I've seen. You know, I used to play like Diablo II: Lord of Destruction a lot, the Sorceress. And so this kind of stuff, it kind of feels like that. And, you know, this wireless stuff, it's kind of like adding a new skill tree to your, you know, your hacking tree. So, and it's a pretty cool one. Also, another big thing, obviously you guys know the whole IoT stuff happening. And it's like, it's almost like I got a like a charm or something. It's like all IoT or all wireless attacks now have like way more damage power potentially, because of the IoT stuff, right? 
I mean, it's just going to be crazy with all the devices attached. But it's also something where it's really valuable to know, even if you're not wanting to attack people, right? So you know what to look out for. You can analyze various wireless devices if you really know how the physical layer works. And so we know, you know, like almost everything operates through radio. You know, obviously we know standard FM, AM radio, we call that radio, but really TV is radio, cell phones are radio, Wi-Fi, Bluetooth, GPS, wireless security systems. I mean almost any kind of wireless stuff is radio. And like, you know, even like looking around in Milwaukee, like you can find stuff like large SCADA sewer systems that have their channels published. I've not looked at those like for vulnerabilities, but there's a lot of stuff. There's a lot of stuff that you can control if you have radio. So the main tool, like if we're doing magic and that kind of stuff, the software-defined radio, it's kind of like, you know, it'd be kind of like your wand or whatever. So I have a HackRF, that's what I'm using for this presentation. There's also things like the LimeSDR and all that, but RTL-SDR for a cheaper version. But it's really cool because like, you know, you got this antenna and like, you're actually transmitting power through it. You know, it feels just like, it's just crazy. I love the metaphor. Anyway. So let's go ahead and do some demos and stop just talking about stuff, right? So the first one, I actually, I've got a video for it. It's actually attacking my Jeep Patriot. And this is like the first thing I did when I got my HackRF. And so let me just try to play a brief video briefly. This is me unlocking my Jeep with the HackRF. And let me try to just see if the sound works here. And if it doesn't work, it's not a big deal. But basically I have a GNU Radio notebook and I'm using it to turn on my Jeep. And you should see the lights blink in the video. 
I don't know if that's showing up. So I'm about to execute this script to turn on the lights of the Jeep. Talking more in this video than I thought. Come on, Kayla, what's up? Why are you taking so long? Okay, there we go. All right. So, so it's kind of a, and I lock it back or whatever. Thank you. It's really like, I mean, and you know, for me getting a software-defined radio, I was like, first thing I do, I'm like, able to unlock my car. I'm like, wow, this is awesome. And it's of course, if you're familiar with SDR, it's a simple replay attack. This won't work on every car because a lot of them have rolling codes. There are other ways to defeat that. In my case, the Jeep happens to not have a rolling code. So it was very simple. The next kind of vulnerability I just want to demo, and this is kind of just to give you guys a bit of the, you know, a bit of an idea of what kind of attacks you can do with software-defined radios. So I want to demo basically a jamming attack, but, I mean, jamming is heavily illegal. So like, I'm not actually going to be jamming. Well, it depends on your definition. Okay, so I've got, I am a radio operator, so I can operate these little radios. So I'm going to just, what I'm going to try to do is I'm going to try to play some music from this radio to this one. And then out of curiosity, I want to see what a, just a really loud sine wave signal sounds like, transmitted coincidentally at the same frequency as this other one. So like, you know, it's not jamming because we're actually wanting to see what this sounds like, right? So let's see if this works. That's another demo, one second. Okay, so let's go ahead and there you have it. So the music just cuts out and I'll stop it. So I wanted to do a Nickelback song, you know, like, you know, like you're at a bar and you're at a restaurant and you hear Nickelback, like, haven't you ever wanted to, you know, anyway, copyrighted, so they told me not to. 
So anyway, jamming, obviously be very careful doing that. It's highly illegal to actually jam something. Anyway, but it's a good example. I mean, physical layer, it's one of those things where it's like, you think about all these other layers up here and then sometimes we might forget about the very lowest layer and how vulnerable it can be. The last one, the last big demo is, so, you know, I was doing all this stuff and I was like, yeah, this is cool, but like, you know, a software-defined radio is almost like a Swiss Army knife for radio hacking. So I don't want to have to like record the signal or just jam it. What if I want to generate it from scratch, basically? Like, how could you generate a signal that controls something? Like in theory, it's just doing these waveforms. So I thought, well, if I can mathematically, if I can just look at what it looks like and then just use math to like, kind of simulate the signal, basically do like the modulation side of a modem, right? Modem, modulator, demodulator. So that was what I was going for with doing this. So I have a script and we're going to go into in a bit how this actually works. But I want to do the demo first just so you can see it. Now, this is really small, but basically it's just this one-line script, or one line to call the script, and I have a configuration file to turn the outlet on. I'll just show you guys what that looks like. It's just, you know, you have the bit string, you have the frequency, the baud rate, sample rate, et cetera. So I generate that signal and the outlet comes on. And then I can generate the off signal using the off config file. And we'll see if that works. Someone's jamming me. I'll see if I can get a little bit closer. Yeah, it's not going to work. But kudos, by the way. This is a hacker conference, obviously expected. But so anyway, you know, you can do this by doing a replay attack, but this signal that I used to turn that on, I never recorded. 
I looked at another outlet and found the key pattern and I was able to generate the signal from scratch just using math. So I want to go into kind of how that looks, how to do that. Real quick before we do that, though, I want to show you what this looks like. So I want to show you what the signal actually looks like. So this one right here on the bottom, this is the actual signal, this is one of the signals I captured by listening on the SDR. So I'll let you see what it sounds like. And you get the idea, right? It just keeps repeating. But if you zoom in, and this is just in Audacity, which by the way, like I mentioned, I did some audio analysis stuff, a lot of the tools actually for audio can be reused for radio hacking. So these are radio waves and we're using a sound editing program to actually see these. You can even edit them in here. And you know, if you zoom in far enough, you can see the pattern just repeats and you have, it's called ASK, you know, on-off keying. So you have the short ones which represent zeros, the long bursts represent ones. So the way to read this would be zero, one, one, zero, one, zero, et cetera. And that's the signal. Up here is actually my generated signal. So you can actually hear they're a little different. This is the original. And this is, I think, the generated one here. So it's cool because it actually is a little different. So you don't have to exactly replicate it for it to actually be accepted by the outlet. Anyway, you can, I have a few notes on how to open up WAV files in Audacity. I'm going to skip over that, but those are going to be in the notes in case you guys want to be able to do that. So, all right, so understanding waves. So I want to look at a little bit of the details of how radio waves work, mathematically why some of this stuff works, but I want to emphasize something. You guys do not need to know or do this math to actually do radio hacking. 
There's programs like GNU Radio that you can use and you don't actually have to go and like write all this math out. But I personally found it very insightful to see how these radio waves work and how waves work to help me understand how to do this stuff. So I want to like look at some of that stuff, should give you guys a really good foundation and understanding of what's actually happening. And then you have a better idea when you use other tools, what they're actually doing. I mean it's, and a lot of times I know hackers aren't really into math a ton and I'm not really traditionally either, but you know like I don't want to be a script kid, I don't want to be a script kiddie. I want to understand what's really happening. And so that's kind of the purpose of this. So understanding waves, what do we mean when we talk about waves? I mean usually just sine waves, right? Sinusoidal wave. In computers we represent them as simple arrays. So if you look at this graph, this is simply an array where the values are going greater than zero and then they're less than zero. It might be like zero, point one, point two, point three all the way up to one, back down to like negative one, and it oscillates. That's what a wave is. Sine wave, it's related to sine on the circle. So waves going up and down like this, if you just follow one dimension in a circle, it's going to make that shape. There are some really, really interesting things about sine waves, about waves in general. Let's look at these real quick. So first they're everywhere. They are the epitome of change. There's this thing called the superposition principle which is really, really important to understand. We're going to look at convolution, deconvolution, the relation to e, which believe it or not is actually useful for programming this. So first, waves are everywhere. Like any time you have circular motion or vibrations, that's sine waves somewhere in there. 
All wireless communication which we already mentioned, motion of pendulums or springs, et cetera. You see it in the temperature of earth. You have a natural sine wave created, patterns of breathing, in and out, yin and yang stuff. It's all over modern physics. So it's really interesting to understand waves. Quantum field theory says that even particles are just simply excitations in fields or waves in various types of physical fields. Which is pretty cool. String theory would say that maybe vibrating strings are the basis of all matter, which is cool. I'm sure you guys have heard of the uncertainty principle, like the Heisenberg uncertainty principle. It was kind of cool. Like when I was doing audio analysis, I stumbled upon it like accidentally. Like basically if you look at a spectrogram like this, you have basically the time dimension in the x-axis and then the y-axis is the frequencies and the intensity of the color is the intensity of the amplitude basically. But basically like if you have a sine wave, if you only listen for like a millisecond, like how do you know exactly what the frequency is? It could be, it's going to be hard to tell. The more data points you have, the more sure you can be. The higher probability you have of knowing exactly what that frequency is. But the more samples you have to gather to get that, the less sure you are in time, right? If you're chunking by one second chunks, you're only going to know within one second where this spot was. So what happens when we up the window size for the spectrogram? You don't have to understand all this, but just look at, watch what it does. You're going to see in the time domain, we're going to be less and less sure it's going to stretch out horizontally. But in the frequency domain, which is the y-axis, it's going to get more and more tight, right? So it's kind of cool. You can visually see the uncertainty principle. So it's cool waves help us understand the universe. 
Another cool thing I found, waves are kind of the epitome of change. Of any shape, you know, like because the derivative of a sine wave is itself another sine wave. So it's kind of cool. It's like the epitome of change. Not important for radio stuff necessarily, but kind of cool. There's also this really, really cool concept. Now this is true of both sound and radio waves. It's called the superposition principle. So let's try this. So I'm going to knock. Can you hear me and the knocking at the same time? And can you differentiate them? Well, you can. But what's actually happening is in the sound waves. My, the pressure from my vocal cords is getting added to the sound of me like knocking on the desk. And they're being added together into one, into basically pressure that's reaching your ears. Your ears only can determine pressure. Oh. There we go. So the idea is there can be multiple simple waves all added together and stacked together to form a more complex one. So what this looks like visually, you can see these four sine waves. One is flat. You add those together, they look like this, right? This is like, and this is what radio waves look like as well. Look at all, think about all the radio devices all around us that are transmitting. It's making, they're all getting added together and it's making this really big complex wave. But we are able to tune in to one frequency with radios. That is only possible because it's able to deconvolute this really complicated wave of electromagnetic radiation. And so this is important because we have to do that. We have to be able to tune in. We don't want to have the noise from the radio station nearby affecting our cell signal, right? This kind of thing is done with a Fourier transform. Not going to get into a lot. You know, it goes from, you know, the time domain to the frequency domain. But, yeah, deconvolution is necessary to actually tune in to a signal. One other little side note that's kind of interesting. 
This kind of blew my mind, okay? It's really kind of cool if you get it. So if you have two different sine waves, let's say you have an 8-hertz sine wave, so it's cycling eight times a second, and you have a 12-hertz sine wave. And you multiply or take the dot product of those together. They will always, basically any two frequencies, any two different frequencies are going to cancel each other out when multiplied. But to a wave that has the same frequency in it, if you multiply it, take the dot product, you'll actually have a big value. That's actually how you can tune in. That's actually how you can deconvolute a signal. So for example, you know, here I have an 8-hertz wave and a 12-hertz wave. Multiply those and you get something close to zero. You do an 8-hertz wave and an 8.1-hertz wave, and you get a large value. If you're curious, like, does it drop off right away? The graph looks kind of like this. It's kind of crazy. And this is kind of esoteric, but you could imagine every single simple sine wave as one dimension in this really complex Hilbert space. And you can actually, like, add vectors together. But anyway, it's kind of interesting stuff, but I'm going to skip over that for time's sake. The last thing, and this is actually going to be, this is actually useful to me for generating the script. If you have a single-dimensional sine wave just going up and down, what radios actually take is a complex sine wave. So it actually is oscillating not just up and down, but left and right. So it actually looks like a circle like this going forward. And raising e to the i times some power actually generates a two-dimensional sine wave, which is pretty cool. So let me show what that looks like. So basically like this. So instead of having just one up-and-down sine wave, you actually have this circle, the spiral shape. And that's actually what radios use. So then how does actual digital communication happen? Well, we know modems, of course. 
We're doing the mod side of a modem. You know, just to go through it quickly, there's a couple of types of modulation. So there's amplitude shift keying, frequency, phase shift keying, et cetera. Amplitude shift keying, you're just making the amplitude of the wave go up to be louder or down. So this would be like zero one. That's what it would actually look like. The sample, the demo that I did with the outlet, that's an example of ASK, right? You can see where it's really small and then it gets really loud, et cetera. Frequency shift keying, you're actually changing the frequency. There's lots of stuff that uses that as well. Actually FM radio would be frequency shift keying. This is what that would look like. So this would be like zero one, zero one, one, zero in FSK. There's also phase shift keying and other crazy stuff like quadrature amplitude modulation. That's actually what Wi-Fi uses. It's kind of a combination of ASK and PSK. Anyway, just to show you kind of what my process was like for actually getting this script developed. So first, this script, it's all online but it's about 120 lines of Python right here. So not really, not bad. But I want to go through kind of what it was like. So basically, I started off with this ASK sample. I kind of just eyed it to try to figure out what is the baud rate, all that kind of stuff. And I said, okay, I need to do basic amplitude modulation. You can ignore all this code. This is a Jupyter notebook, by the way, which basically it's an executable visual thing. So like all the code necessary to do this is in the single document. And it's at the end of the, it's on the last slide. Anyway, so I have this wave and I need to amplitude modulate it. So I wrote some code to do that. And then I basically wrote some code to say, well, I need to make it, I want to make zeros and ones, transmit into low and high. I'm not going to go into all the details there. There's also bit spacing. 
You notice that if you look at the signal, there's some bit of space in between each bit. So basically, you know, find all those variables and then I have an algorithm to generate a signal from that. I tried this and I was like, hey, sweet, that's like really close to the original. And I tried it and it failed. And actually the reason it failed was, I learned the hard way, well, yeah, it's actually got to be a complex sine wave signal. So I basically was able to substitute out sine of x for e to the ix and it just worked. Or actually, well, there's one other step that I had to do. And it was interesting, but there's basically, when I looked at the waves up close, doing a simple wave, it was almost, you almost couldn't hear it. Basically I had to do another sine wave inside of, so I was transmitting at 315 megahertz. I had to do another like 1000-hertz wave or something like that. And that's the one I was actually making go loud and quiet. So a few little details if you actually want to do it. Otherwise you can just use the script. It's on GitHub. And there are definitely some interesting obstacles that I had to pass to get that to work. This script, this whole presentation, including these links I'm going to have at the end. So anyway, conclusion. It's really cool because like all wireless communication, like virtually every wireless communication that I could think of happens over electromagnetic radiation. All digital communication rather. The only exception I could think of is sound waves. That's a form of wireless communication that is not radio wave based, right? It's sound waves. Having looked at, you know, the various ways you can attack the physical layer, I mean, hopefully you can be aware of various attacks that are possible. You know, we went through jamming attacks, replay. This stuff I'm doing, generating these signals from scratch. You could use that potentially to brute force, right? 
Or you may see a sample like in my case, I actually saw a sample of another outlet, not this one, but another one. From that I was able to derive the binary code for this one. Just, you know, a few bits difference. There's also potential for doing things like mixed attacks. So you might do like, there might be a one-time rolling code and you want to brute force that, but you replay the other part, right? You see what the key space looks like and then you generate all the possibilities. That's another possibility. And, you know, thinking about this kind of stuff. So like I have a home security system. I have a wireless home security system. So like the jamming attack, you know, you could theoretically jam, okay, so like I have a door sensor and then it has the hub, right? Well, you could jam at the frequency that those communicate with, even if it's armed, open the door, right? And so, well, how could you fix that, right? I mean, you could just do a non-wireless system. That would be one way. You could also, if you're looking at wireless systems, wireless security systems, you might say, well, I'm going to look for one that has maybe active low. So if the power gets cut, we know something's up, right? Or there could be ones that keep track of their state. They actually look for an ack coming back from the hub. That kind of stuff would be harder to attack in this way. So hopefully this will give you guys a good basis for how radio works, right? How all the stuff works. You can use various tools. I recommend GNU Radio, GNU Radio Companion, HackRF. And there's a lot of new cool tools coming out right now. Just recently, you know, there's this whole like software-defined radio, you know, movement happening. So, yeah, and then that's all I have for today. I think we may have a few minutes for questions in case anyone has any. The link right here is to this presentation. 
And the link below is to my GitHub which has the Jupyter Notebook, all the scripts, all that kind of stuff. So let's see, do we have any questions? Yes. I can't hear you. Can you come a little closer?
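An added example, not the speaker's GitHub script, covering the two mechanics the talk walks through: the dot-product "tuning" check (8 Hz against 12 Hz versus 8 Hz against 8.1 Hz) and the on-off-keyed signal built from a keyed 1 kHz tone with gaps between bits, plus the decoder an analyst would use to read such a capture back into bits. The sample rate, baud rate and bit string are assumed values chosen for easy arithmetic, not taken from any real device.

```python
"""Added example (not the speaker's GitHub script): build an on-off-keyed
(OOK/ASK) baseband signal the way the talk describes it and recover the bits
with the dot-product trick. All numeric parameters are assumed values."""
import cmath
import math

SAMPLE_RATE = 48_000   # samples per second (assumed; SDRs run much faster)
TONE_HZ = 1_000        # the sub-carrier that is keyed on and off (talk: ~1 kHz)
BAUD = 200             # bit periods per second (assumed)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 240 samples in one bit period
QUARTER = SAMPLES_PER_BIT // 4          # bursts are measured in quarter periods


def complex_tone(freq_hz, start, count, sample_rate=SAMPLE_RATE):
    """e^(i*2*pi*f*t) for sample indices start..start+count-1: the spiral
    (complex) sine wave that an SDR actually consumes."""
    return [cmath.exp(2j * math.pi * freq_hz * n / sample_rate)
            for n in range(start, start + count)]


def normalised_dot(a, b):
    """<a, b> / len(a): about 1 for two copies of the same tone, about 0 for
    two different frequencies. This is the 'multiply to tune in' idea."""
    return sum(x * y.conjugate() for x, y in zip(a, b)) / len(a)


def tone_correlation(f1, f2, seconds=1.0):
    """Real part of the normalised dot product of two tones of equal length."""
    n = int(seconds * SAMPLE_RATE)
    return normalised_dot(complex_tone(f1, 0, n), complex_tone(f2, 0, n)).real


def ook_modulate(bits, amplitude=1.0):
    """Encode a bit string as OOK: a '1' keeps the tone on for three quarters
    of the bit period, a '0' for one quarter; the rest of the period is
    silence, the gap between bits seen in the talk's Audacity capture."""
    out = []
    for i, bit in enumerate(bits):
        if bit not in "01":
            raise ValueError("bit string may contain only 0 and 1")
        on_quarters = 3 if bit == "1" else 1
        start = i * SAMPLES_PER_BIT
        burst = complex_tone(TONE_HZ, start, on_quarters * QUARTER)
        out.extend(amplitude * s for s in burst)
        out.extend([0j] * ((4 - on_quarters) * QUARTER))
    return out


def ook_demodulate(samples):
    """Recover the bits: correlate every quarter period with the tone, call a
    quarter 'on' when its |correlation| is above half the strongest one (so
    the receiver needs no knowledge of the sender's amplitude), and read a
    bit as '1' when at least two of its four quarters are on.
    A real capture also carries a frequency offset and noise; a robust
    decoder would track the tone or use the envelope magnitude instead."""
    strength = []
    for q in range(len(samples) // QUARTER):
        start = q * QUARTER
        ref = complex_tone(TONE_HZ, start, QUARTER)
        strength.append(abs(normalised_dot(samples[start:start + QUARTER], ref)))
    if not strength:
        return ""
    threshold = max(strength) / 2
    bits = []
    for i in range(len(strength) // 4):
        on = sum(1 for s in strength[4 * i:4 * i + 4] if s > threshold)
        bits.append("1" if on >= 2 else "0")
    return "".join(bits)


if __name__ == "__main__":
    print("8 Hz . 12 Hz  =", round(tone_correlation(8, 12), 3))    # about 0
    print("8 Hz . 8.1 Hz =", round(tone_correlation(8, 8.1), 3))   # about 0.94
    code = "011010011100"   # constructed bit string, not any real device's code
    iq = ook_modulate(code, amplitude=0.4)
    decoded = ook_demodulate(iq)
    print("decoded:", decoded, "(matches)" if decoded == code else "(mismatch)")
```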