All right. So first and foremost, my name is Brad Antonowitz. I'm part of Open Security Research, which is a project sponsored by Foundstone. And so I've done some wireless work in the past, and when Rob started getting really interested in 4.9 gigahertz, it got really attractive to me. So Rob got extremely attractive. Look at that. Look at that body. He works out. Wiggle, wiggle, wiggle, wiggle, wiggle. Yeah. So I joined Rob, and here we are presenting. So I'm Rob Portfleet. I'm a wireless service line lead at Foundstone, and I also contribute to the Open Security Research blog. So I kind of stumbled across the 4.9 gigahertz spectrum a while ago and pretty much thought, I wonder what's out there. So that sort of spawned the whole thing. And then there were certain aspects where I could have used Brad's expertise, so I asked him to help me and he graciously accepted. So here we go.

So I guess the very first thing that we should mention is, when we started looking at this, this is all licensed FCC bands. And so this was really kind of concerning for us. You know, there's definitely some laws around interacting with these bands. We tried to look some of it up. We looked in the Code of Federal Regulations and the Communications Act of 1934 and all these ridiculous statutes that all seem to, you know, kind of contradict each other back and forth. And it was kind of difficult for us to understand where the boundaries were. So before you look into any of this stuff, probably the best thing you should do is really proceed with caution. You know, we're masking all types of data that we found. We're not, you know, talking about any particularly damning information. It's all kind of general war driving stuff that you'll see here. And, you know, so just really be careful with this kind of stuff. You know, nobody likes pat downs or, you know, dropping some pets. Freedom. Or yeah, getting maced or anything like that. So just be careful, okay?
So one thing I just wanted to add real quick is, you know, we didn't do any transmitting. It's definitely verboten to transmit in licensed bands unless you have a license. So there's no transmitting or interaction or cracking of anything that took place with any of these networks. It was strictly a case of passive monitoring. So a quick outline of our talk. We'll talk a little bit about what the hell this public safety thing is all about. And we'll go into the different spectrum allocations for four popular public safety spectrum bands. And then we'll also take a specific look at 4.9 gigahertz and, you know, how to find these types of networks, how to interact with them, and what we found on just three different networks.

So first and foremost, I guess we should talk a little bit about what the hell public safety is. So there's always been a public safety spectrum out there. Essentially this public safety spectrum was mostly dedicated to voice communications, so police officers would have conversations back and forth and, you know, talk about how their wives suck and all this stuff. And then what ended up happening is, after 9/11 and Katrina and all these other issues, the 9/11 Commission found out that all these first responders were having all these problems communicating because everybody's on different frequencies and nobody could hear each other, and it was a problem. So in the last probably about ten years or so, the FCC has been taking a special interest and trying to put, you know, extra effort into allocating bands for public safety. And by public safety I mean what's written on the bottom of the slide there: basically to protect the safety of life, health or property. So that's basically, you know, everything, I guess.
So to summarize, basically the FCC's and public safety's main concern was interoperability amongst the networks. There was no real interoperable communication that could take place between different public safety agencies, so that was part of the reason for this whole push. So the frequency allocations that we'll look at: again, the 800 megahertz spectrum has been around for a little bit. These other ones have kind of gotten a lot of appeal in the last ten years or so. So we'll look at the 700 megahertz spectrum, the 800 megahertz spectrum, take a special look at 4.9, and then we'll also talk about the 5.9 gigahertz spectrum.

First up is the 700 megahertz spectrum. Now this spectrum was actually reallocated after the digital TV cutover, so you probably heard a lot about that. You had to help your grandmother figure out what to do with her TV and all that good stuff. What they did was they took two blocks out of the spectrum in the 700 megahertz range and allocated them for this, and they split each block into two categories, broadband and narrowband. And then there was a guard band between to kind of help protect the two. And we'll talk about each one of those real quick. So the 700 megahertz broadband. This is an awesome picture. This is a unicorn peeing a rainbow. I think they could figure out where it is. So it's self-explanatory. There's no horn there. You might think that's just a very fancy horse, but in fact it is a unicorn peeing a rainbow. That's exactly what I'm saying, dog. I don't know. All right, so anyway, 700 megahertz broadband is basically the new hotness. Everyone is getting super excited; municipalities are going crazy all over the place. And they're super happy because it's this nationwide LTE network. So they actually hired these telecommunications providers to build this whole thing out. And it's going to all run LTE and blah, blah, blah. It's supposed to be great.
It was initially supposed to be a backhaul-only network, so you'd have kind of individual municipalities and uses like on-the-scene type networks that would communicate using this backhaul network. But then everyone, you know, saw that LTE can do a whole shitload of stuff. So they really kind of are getting excited about it. The important thing to mention about the broadband is it's only in a very infant deployment now. So there's actually one here in Vegas, and then there's also another one out in Denver. But outside of that it's really not been deployed anywhere. So there's been a handful of preliminary deployments of it. It's really, like Brad said, pretty much not out there. It's still in its infancy. But there were a couple of preliminary deployments of it, and then the FCC and the National Public Safety Telecommunications Commission told all these guys to hold on, because we're trying to get this whole thing straightened out as to how we're going to deploy it. And basically what it comes down to is it looks like they're just completely dragging their feet on this right now.

And then on the narrowband side with 700 megahertz, that's all your nationwide P25 stuff. So if you've done any research into P25, you'll know there's been a good bunch of hacks coming out for them. People found out that there's some weaknesses in the decryption schemes, or encryption schemes, that are being used. And Travis Goodspeed came up with a little IM-ME denial-of-service attack for them. So there's definitely some stuff out there. It's used for state and local government. So you'll see everybody from parks and recreation to the Secret Service and FBI using it. Again, all talking about their wives. I don't know how anybody gets anything done.

For 800 megahertz, instead, it's actually a whole reconfiguration. So 800 megahertz has been around for quite some time.
The weird thing about 800 megahertz is the way it was broken up kind of allowed for some interference. And so Nextel actually started building their network, the whole Nextel network, in this band. And when their allocation got a little low, what they did was start buying licenses from other people. And then they basically bought all of these licenses up, started transmitting at higher power, and that was starting to interact with all of the public safety stuff. So the FCC got pissed about that and did this whole reconfiguration thing where they put public safety on one side and Nextel all the way on the other side of the spectrum and built out all of these guard and protection bands and all that stuff. This is all going to be more P25 work. Reconfiguration is almost done, and people are starting to use P25 in that area. So what really exacerbated the problem with Nextel having all these transmitters was that public safety uses what's called a high-site architecture, where it's a minimal number of transmitters on really high sites, like very tall buildings, hilltops, things of that nature. Versus Nextel's ESMR architecture, which is known as a low-site architecture, where it's on 30- to 50-foot monopoles, two- to three-story buildings, stuff like that, and many more transmitters. So it was really getting completely in the way of the public safety spectrum.

All right. And then 4.9 gigahertz got a lot of attention. Does anybody know what the background image is from? Dr. Obvious strikes again. All right, fair enough. I'll just leave that as is. If you know what it is, let me know. It's really obscure. Anyway, so the interesting thing about 4.9 gigahertz was that a lot of municipalities gave first responders the ability to start communicating traffic at high speeds. So that was really interesting, especially when you think of an accident, on-the-scene network.
So, you know, the police arrive, they take a bunch of data about everything. As the ambulance arrives, they transmit that data, and they can all have this little network amongst themselves and do all this stuff. And so this got a lot of attention from municipalities and local government. And what they ended up doing was going out and buying up, or actually applying for, all these different licenses. And what we found was that actually not everybody who has a license even uses this stuff. It was almost like an arms race, to a certain extent, for everyone to get all of the 4.9 gigahertz amazingness. It's kind of a general-use spectrum. So that means they can use it for basically anything they want. It's been used for everything from the G20 summit to emergency warning systems to, of course, SCADA. Everyone puts SCADA on everything. So of course SCADA exists on it too. And it's basically been used for almost everything. Yeah, so they were pushing to use it for a lot of different things. Traditionally, or originally, it was thought that they were going to use it for on-the-scene response, like ad hoc networks between first responders at a particular scene of an accident or fire or whatever. But what it seemed to have gotten most use for is point-to-point fixed links like backhaul and mesh-type architectures for metropolitan area networks, municipal wireless. So it seemed that its actual purpose evolved over time.

Yeah, so the FCC kind of breaks things down into two types of devices. They have high power and low power devices. So for low power devices, they don't really put too many regulations on it. It's roughly anything that transmits under 20 dBi. And there's some changes based on channel widths and how much stuff you're putting on there. But the FCC basically doesn't impose anything there. But for the high power devices, they kind of put together this very loose channel plan.
So there's basically 10 one-megahertz channels split in the middle by eight five-megahertz channels. And you can kind of bond these however you want. So what you'll end up seeing a lot in the real world is different vendors have different channel widths and different organization of the spectrum. And so it gets to be kind of a pain in the butt when you're driving and trying to figure out what's out there, because all of these different channels are all different sizes and you have to make your card work with all of that different stuff. There are some recommendations by the National Public Safety Telecommunications Commission, which is pronounced "Nipstick," which is kind of an odd acronym name. Sounds dirty. It definitely sounds dirty. But at any rate, there are some recommendations, and you can follow them if you wanted to. But generally vendors seem to do whatever they want as long as it follows this thing. So, and we'll talk about this in a little bit, the best way to look it up is pretty much to look at the vendor documentation and the FCC site search. We'll talk about that in a minute. But basically, even though there were recommendations, they're all over the map in terms of where the channel centers are. But generally it's either going to have to be 5, 10, or it can be 15 or 20, but I've never really seen 15 megahertz wide channels in use. So once you figure out what the channel centers are, or the likely channel centers, then you can experiment with different channel widths. But it varies wildly per vendor.

Another, probably the most annoying thing that the FCC did was impose different spectrum masks on the different bands. So the outermost spectrum mask is what you use for low power devices, which means it's totally 802.11 compatible. You can use a standard 802.11 adapter to view it all and everything's fine. But the inner line up there is the spectrum mask that it puts in place for high power devices.
And that's just enough to mess with everything that we're doing. So, you know, the idea was to prevent interference and stuff with high power devices. But it's just been a nuisance to hackers all over. So you can thank Motorola and other equipment vendors for this one. Basically, they were pushing very hard early on, when the spectrum was allocated, to have to use a strict mask that wouldn't be compatible with 802.11 equipment. The public safety interests fought back hard against this because they wanted to be able to use pretty much commercial off-the-shelf equipment, like 802.11a equipment maybe slightly modified to be able to do this, to keep costs down. Well, the vendors wanted to be able to sell stuff at a high price, you know, because the government's got the big bucks in their minds. So pretty much a compromise was reached that low power devices would be 802.11 compatible while these high power devices wouldn't. So it was at least a partial victory for the public safety advocates, or spectrum advocates rather.

The last kind of cool public safety allocation was the 5.9 gigahertz intelligent transportation system allocation. And so this is really kind of cool stuff. It's all based on this 802.11p standard, and it deals with all of this stuff in the way that we travel. So it can help do things like accident avoidance for anybody who drives badly. You know, it detects that you're about to almost hit someone, so it corrects you and fixes everything. It also does really cool things like, you know, if there are emergency vehicles approaching some sort of major intersection, they need to change the light. They don't have to rely on those weird pulses they use anymore. Apparently they can use this stuff as well. And so it's really interesting stuff. So I mean there's a bunch of stuff they're doing with this now, and then there's a bunch of stuff that they're hoping to do with it down the road.
As of right now, they're definitely using it in New York, for instance, for electronic toll collection; there's some implementations. And then also for inspecting commercial vehicles, you know, like trucks, on the fly. So it uses a system of what are called onboard units, OBUs, and then roadside units, RSUs. So any trucks equipped with these onboard units will be able to transmit to these roadside units what their manifest is, like what they're carrying, even down to stuff like what the condition of the truck's brakes is. So they actually have an implementation of that up in upstate New York. Going forward, once these become somewhat ubiquitous in vehicles, it'll be used for things like collision avoidance, like it'll tell you if somebody's in your blind spot and you're about to move over into them. All the way up to things like what they call platooning. So assume that someday driverless cars become the norm. So think of this: you guys would be very uncomfortable, I'm sure, driving two feet off the bumper of the car in front of you, unless you live in New Jersey, in which case that's completely normal behavior. But that aside, a computer might, like me, not be. So once DSRC, which is the technology using this, is able to detect the cars in front and to the sides of you, and assuming driverless cars become the norm, cars will be able to drive very close together in what would be called platoons. And this would be for two purposes. Number one, to hopefully alleviate traffic: you know, you always get the one slow guy and then you've got other guys driving fast, so we'd all be driving at the same speed. And then number two, for fuel economy, because the aerodynamics of the air passing over a whole fleet or stream of cars instead of each individually would lend itself to much higher fuel economy. So these are some of the things going forward down the road, no pun intended, that they're looking to do.
Yeah, it's going to be really fun to hack on some of that stuff. I think there's been some work done in the past with it, but not very much.

All right, so the next thing that's really important with all these public safety networks is to find out where the hell they are. And so reconnaissance is actually a really important phase, because sometimes, again, it's hard to tell which channel widths are being used, so you have to know that. You know, when I was going out and doing our war driving, I was in New York City on a bicycle with an antenna hanging off my back, having to ride through Times Square and hope nobody thinks I'm a bomber of some sort or anything like that. And then I would stop in front of police stations and pull out my laptop, and, you know, that's just scary stuff. So reconnaissance is a very important thing. You don't want to be fudging with all your commands and messing around with everything beforehand. And we'll get into this in a minute. So sometimes finding sites is a bit of a pain in the butt. In major metropolitan areas, like New York City or Las Vegas, it's fairly easy, given that the majority of the sites that we found are down low, using omnidirectional antennas, and they're on lampposts and things of that nature. So they're down low and fairly ubiquitous. But in this instance, like New Jersey, where I am, there's a large amount of licenses but not a large amount of actual implementations. So, you know, doing proper reconnaissance will save you a lot of time and effort, because otherwise you'll spend a lot of time driving around finding absolutely nothing and wondering if your radio works. Yeah, we were driving around New Jersey for way too long. I grew up there, but on the hottest day of the year... I left for a reason.
All right, so for RadioReference: if you're a ham radio enthusiast or have ever looked into any kind of radio, you probably have heard of RadioReference. It's a site that'll handle all the 800 and 700 megahertz bands. Super easy site to use. You'll see everything that's up there. So that's kind of an easy, obvious one. Another thing that's really cool is this thing called CAPRAD. So if you wanted to deploy any of these public safety networks in your area, you had to go to a regional planning committee. And a regional planning committee would oversee the licensing of all of this good stuff and blah, blah, blah. And so what they would do is register in this CAPRAD database and see what sort of use was in that area, so they wouldn't step on each other's toes and knew who to talk to to kind of work together. So CAPRAD works for 700, 800, and 4.9. But for 4.9 it kind of sucks. For 700 and 800 it works kind of good. What it'll do is provide you kind of high-level areas of this particular region. One thing to note is it does require a username and password, but it's super simple to get one. All you have to do is register for the site, and then it's a manual process, somebody has to approve you, but literally, you can register dongs at whitehouse.gov and they'll be okay with it. So it's not that bad. So what I found CAPRAD to be most useful for is sort of an aggregate of data. You can figure out... they have these regional planning committees, right? So all the sites in a given area will fall under a given RPC. So you can see what RPC your area falls under, what region you are in. Like for instance, Region 8 is New York City and Northern New Jersey and maybe some of Connecticut or Southern New York State. But anyway, it'll show you all that data, and it'll show you a good aggregate of data for 700 and 800 megahertz. So it's a good first place to look.
If you're searching for specific sites, it really just passes you through to the FCC site search, which we'll talk about in a second. But for 700 and 800, pretty useful and good as a first step anyway. Yeah, probably the most useful thing for us was this FCC advanced license search. It's super easy to use. You basically just define the 4.9 gigahertz spectrum range in its options. So it's 4.940 to 4.990. And then just look for active licenses and press search. It'll come back with a huge list of stuff. You can narrow it down to a specific area or anything else that you want to do. So if you're lucky, depending on the records (the records will vary somewhat wildly, actually), with certain records you'll get the actual... so you'll be looking for a specific transmitter site. Some will give you an actual physical address. Some will give you an address down to, say for instance at certain airports, it'll tell you it's on pole number 2, southeast corner. So it'll be very specific. In other cases, it will only give you GPS coordinates. You'll have to look up the GPS coordinates. In some other cases, they'll have what they call a city-wide or municipality-wide license. It'll just say valid for everything within the municipality of, you know, X. In which case, you're going to have to do a little bit more digging, and it may involve some driving as well. Yeah, so especially if you're trying to figure out what areas to look at or what to target, sure enough there's some really, really useful information, like Rob mentioned, things like GPS coordinates, exactly where you need to go. If you do more specific searches, you'll see some really oddly named things which may be appealing to an attacker. So you can get an idea of what it's being used for and all that good stuff.
So before we continue on, I guess nobody ever told some of the people that submit for licenses here that you don't have to tell them exactly what it's for, because that's going to go into the record. So if you look through there, there is some different erroneous and additional information that might be very interesting, and that's not the only one. So that'll tell you, under frequencies, what the channel centers are of the different transmitter sites, which is very useful, because in order to be able to sniff traffic, you have to know the channel centers, and as I said earlier, they vary kind of wildly between different vendors. So that can be very useful to you. Also, it seems, and this is not always the case, but it is more the rule than not, that the more information in a given record, you know, if they have physical addresses listed, if they have specific frequencies listed rather than just saying 4940 to 4990, the more likelihood that they actually have an implementation rather than having a license and no implementation. So like you can see here, these are the specific frequencies that this particular location is using. So if you're trying to figure out the channels, that can be super helpful. So that's exactly one major metropolitan area that said site-wide license 4940 to 4990, and they have the most implementations I've seen so far. Yeah, as mentioned, I mean some of these things are just complete falsehoods, right? At some point somebody was like, oh, I want 4.9 gigahertz in my town because, you know, Governor Bob next door or whatever did the same thing, so they ended up just buying licenses or getting licenses for no reason. It was such a waste of time for us. I hate you guys. The other thing, obviously, with anything that's on the internet, you can just use Google for it.
So when these regional planning committees need to apply for a license, what they basically do is write this nice detailed letter out to the FCC and say, hey, we want to use 4.9 gigahertz, we're going to use it for this reason. Sometimes they'll even say what the channels are for, you know, the channel allocations. It'll even give you some of the hardware that's used and all types of good information. A simple search on "4.9 gigahertz NYPD" and sure enough we came up with all these letters right off the bat that gave us pretty useful information when looking around. So as Brad was saying, you know, if you are planning to implement 4.9 gigahertz within your area or your municipality, you'll fall within a regional planning committee region. So you have to submit a letter to them in order to let them know that you are planning to use this at a given site, and generally, I don't know if they were specifically told this or didn't know that these would end up being public, but you can search for certain text that you can probably figure out from there that's unique, the same between each letter. So if you Google that, you'll find all these different letters specifying their intent. They're usually on the local homeland security websites of the local area, state, and region. So at any rate, they generally contain a lot of information pertaining to channel widths, the areas and locations of where the transmitter will be, and the number of, down to the type of equipment, Cisco 3300s, et cetera, Proxim, whatever, that they're going to be using. So again, being overly specific, and maybe they weren't sure, you know, knowing that it's going to be public.

So I guess the first thing that we wanted to do when we were messing with all this stuff and trying to get into it, we wanted to build kind of a little test lab, obviously in a Faraday cage in a foreign country where transmitting on this stuff is entirely legal.
So we did what any normal person would do and went on eBay to see what kind of 4.9 gigahertz stuff is up on eBay. And surprisingly enough, we found a whole crapload. There was a lot. So we saw these three particular ones and we ended up buying them all just because they were semi-affordable, and hopefully maybe I can expense this, I don't know. So we bought all of these things, but then we surely realized that in fact a lot of people on the internet don't know what the hell they're selling, because we would get them and then we'd look at them and they didn't have 4.9 gigahertz radios. Then we had to contact them to return them, and the guy on the bottom refused to take it back, so I had to start screaming at him, say bad things about his mom. It was a whole situation. But at the end of the day we did find something nice on eBay, which was a QuickBridge. And this thing was only 100 bucks, and all of the other ones were a thousand. So that was a pretty good deal for us. Going back to my earlier comment about the vendors banging the government for tons of money because they figured the government's got deep pockets. Generally eBay is your friend for this. You'll generally be able to find something somewhat reasonable, hopefully. Yeah, but make sure you're careful and contact the vendor to make sure they actually know what they're selling first. And then I came across this picture on the Internet, and this is a picture of a surveillance system that the NYPD has deployed everywhere. And if you take a close look, it looks like something that's extremely similar, from a physical standpoint, to the actual initial listing. So that really made me super excited. I picked that one up right away and kind of continued our search for other access points we can play with. So as you start doing this, if you do start doing it, you'll eventually find yourself noticing all sorts of APs and antennas on light posts that you never noticed before.
And after a while you'll be like, oh my god, that's Motorola, that's Proxim. That's Alvarion. And you start scaring yourself. And basically all your friends hate you because you don't have conversations anymore. You just point out things that are in the air that they don't care about at all.

So another interesting thing that we found when we were looking for other 4.9 gear was this forum post. It was actually about the NanoStation M5. And so this is just a standard access point that Ubiquiti sells, but when we searched for 4.9 gigahertz this came up, and the specification sheet, the newer specification sheet, doesn't say that this supports 4.9. But apparently if you put this in a compliance test mode it transmits on 4.9 gigahertz. So that was really interesting to us. So we wanted to buy one of those pretty quickly. So we did buy one, but what ended up happening is there was no compliance test mode. So we started going back through old firmwares. Maybe it was there; we couldn't figure it out. And then Rob did some searching online and found out that in May of 2011 Ubiquiti basically split the NSM5 into two different models, one a US version and another one a world version. And so we had the US version; we had to return it and buy the world version, and sure enough, compliance test mode was there. So I did a little digging into it. I was actually looking on the FCC site where they list all the complaints. So as we'll see in a minute, when we start getting into driver modifications, Ubiquiti equipment only uses Atheros chipsets, which can be opened up all the way from like 4 to 6 gigahertz. And some of their equipment, including their APs, have these sorts of chipsets. Hence why those like the NSM5 and the Bullet M5 can do 4.9 gigahertz. So anyways, looking on the FCC site of complaints, because that's what I do for fun.
And I noticed that previous to May 2011, and not that far before it, there was a complaint of an investigation against a wireless ISP in Miami and then against one also in Utah. In both cases they were running Ubiquiti equipment, like Bullet M5s and whatnot, without dynamic frequency selection, and basically what they were doing is they were interfering with the Doppler radar at the local airports. The FAA got pretty pissed off, the FCC was then brought in, and the FCC came in and basically bent these guys over. So anyway, I kind of get the feeling, as we'll see in a minute, that Ubiquiti caught a little bit of heat about this and it probably brought this on. Yeah, the really interesting thing is if you try to buy one of these world versions, the FAA contact may actually ask you to sign this thing here. And now keep in mind the NSM5 is not supposed to be transmitting on 4.9 GHz; it just so happens that the chipset in the access point supports that if you mess with it a little bit. So what's kind of interesting is if you want to buy one of these APs that doesn't support transmitting on a licensed band, you have to sign this thing saying you have an FCC license before you buy any of these things. We didn't sign that.

All right, so the next thing is adapters. So what kind of adapters can you play around with in this 4.9 GHz spectrum? The first one that seemed extremely interesting to us was the Ubiquiti SR4C. This thing says public safety on it. It was kind of marketed for public safety networks and especially the 4.9 GHz spectrum. The thing with this is it uses the ath5k drivers, and the ath5k drivers don't actually support 4.9 right out of the box. You have to make some changes to it. So while that was kind of cool, and Rob spent some money on it, I wasn't so easily convinced. Then we started looking at an adapter that we all use pretty regularly for 802.11 hacking, called the Ubiquiti SRC300.
And so the specification sheet on this one just says it supports 2.4 GHz and 5 GHz. But after doing some searching we discovered that this guy Kugetsumen actually discovered that the chipset on the Ubiquiti SRC300 supports anywhere from 4910 MHz to 6100 MHz, right? So quite a whole bunch of frequency that it can support that's outside of the actual spectrum. So he created this debug regdomain patch which enabled all of this access. The problem was that he created it for MadWifi a long time ago, and so it didn't really work with all of the latest stuff. And some people have done some additional work. Let me move this out of the way here. Some people have done some additional work. Oh no, I just messed everything up. Rob, here we go. Yeah, so he released the patch and then there were some modifications, you know, refinements made. ZeroChaos released a couple of patches a little while ago and then... Yes, actually ZeroChaos did a whole bunch of work on this and released the patch that did it, but the thing that was hard for us is it didn't support the different channel widths, and that was really important to us, especially for 4.9. And then Spench, who is the greatest guy ever. If you ever meet this guy, buy him lots of beer; he does everything awesome. What he did was super... kind of, I use awesome too many times, but it was awesome. Basically this patch allowed for all of this kind of radar work, and it supported 4.9 gigahertz and supported different channel bandwidths, but it was kind of complex, and it didn't currently work for the drivers that were the latest version, and it was kind of overkill for what we really needed it for. Yeah, so the problem with the ath5k driver and compat-wireless in general is that it changes significantly over time, so a patch that you've done even a year ago may not work as changes to the kernel and the wireless stack are made.
So what we did was we looked at compat-wireless really quickly to figure out if there were any changes that we could make that would kind of help us out. So basically compat-wireless is a package of all of the Linux drivers and all of the 802.11 stack, and the way it works is compat-wireless has this regulatory module. One of the ways it figures out where you are is by querying the card's EEPROM for a regulatory domain. So if you bought a card that's meant for use in the US, it queries it and gets a US regulatory domain. That domain is then used to figure out what channels are allowed in your area. So the compat-wireless regulatory module either queries its driver channel definitions, which it has some of internally, or looks at something called the Central Regulatory Domain Agent. And what the CRDA does is it's a userland agent that ties to a local database that looks up all the different channel frequencies and all that kind of good stuff. You're supposed to be able to kind of override your EEPROM's regulatory domain with the iw reg set command, but that never seems to work anywhere. So it was kind of an issue for us, so we wanted to figure out an easier way to make everything work but still use CRDA so we had some flexibility and make things right. So there were a couple of patches that were released a few years ago that actually specifically addressed that functionality, to allow you to set a reg domain and have it actually respected using iw reg set, because as I take it, it seems to be purposely broken so you're not able to fudge around with things that can be naughty, you know. So what we ended up doing was we looked into the drivers really quickly, and it's surprising how much of this functionality is there, just not really used in the drivers.
So looking through, basically the way that it works is there's this ath_is_49ghz_allowed function that is queried, and depending on the regulatory domain it will either define the lower boundary of the channels to be 4920, or, if that regulatory domain is not allowed, instead it will be somewhere around 5005. So, you know, that was a bit of a thing, so all we did was just return true for that function, and then we always have 4.9 access all the time on anything. The other thing that we had to do was support those different channel widths. It was surprising, in the actual code comments of the drivers, exactly how much stuff was detailed there. By default everything is pretty much hard coded for 20 megahertz channels; you can't really do too much past that. But it's like the person who was writing the code just got lazy halfway through and was like, you know what, I'm not going to write this code, I'm just going to write comments on how you do it, which, you know, the comments are probably more than the code that was required to actually make it all work. So we had to do a little bit more work, but nonetheless everything ended up working out pretty fine. So what was cool was at least a lot of the 4.9 stuff was in there, at least with 20 megahertz wide channels, because in Japan there's an amendment, 802.11j, because in Japan they actually have a 4.9 gigahertz spectrum that they can use. It's not public safety, but the support was in there somewhat for it; it just wasn't activated. Yeah, so basically what we did was we made the different channel widths defined via a module option or a module parameter. We actually used the same name of the module parameter that Spench used. It's different code underneath, but it's still the same name, just to kind of maintain some consistency there, and you can just easily define what bandwidth you want to use, whether it be 25, 10 or 40 megahertz wide channels, and then you can use that there.
So to make all this work there's a script; the URL is down on the bottom, github.com/OpenSecurityResearch, and you basically run the script and it'll automatically download and compile everything. You don't have to do any work; you just dot-slash it and it'll work fine. If you wanted to do stuff manually, after you compile the new compat-wireless with the drivers and with the patch, we have all kind of the options there; you can use tcpdump or Kismet or whatever you want to use to sniff on that spectrum. A couple of other things that we did: that actual regulatory database, we had to add some specific additions to that so we can support the 4.9 and ultimately the 5.9 gigahertz stuff too. So we're going to use CRDA rather than making statically defined channels, so it's statically defined ranges, so anybody can play with it and not have to recompile those every time. And then finally there are some basic options you need to configure with Kismet, so we also provide just a basic Kismet configuration file so that you can channel hop on these channels and not have too many problems associated with it. So in Kismet you can do it a couple of different ways: you can either set a frequency range and then define within that the number of channels and the channel widths, or you can define specific channels, so it pretty much depends on how you want to do it. So we define a range and channels in that and then set it to hop, so you can hop throughout the various channels in the 4.9 band. Then once you figure out where you are, lock on to a specific channel and find and monitor the traffic there.
Alright, so the very first thing we did was we checked out New Jersey. Wow, we have 10 minutes left and quite a lot of slides, so we're going to try to tear through these. But yeah, the first thing we did was check out New Jersey. We did a lot of driving around but didn't find too much. They actually have this whole WiMAX implementation there, and our adapters couldn't really support any of that stuff. So we did do a lot of driving on the Turnpike and the Parkway, a lot of fist bumping, drank a lot of Red Bull, it was great, but we didn't find too much. The next thing we looked at was again that 4.9 gigahertz mesh network of the NYPD. So on the bottom here is the channel list that we used to find that network if you're in New York. And so basically what you'll notice is they have those APs on the top, and all of these things are kind of in line of sight of each other, so if you go through a big pedestrian area, an area like Times Square, you'll see these things all over the place, and their antennas are all aligned because they're all point-to-point networks across everything. And you can actually see some of the data. The first thing that we noticed was that there were default SSIDs and kind of really obscure SSIDs. So the obscure ones seemed obviously to be the network that NYPD was using, but the default ones seemed like maybe those APs were just not configured, which has some kind of interesting implications if you think about it: if it's a default access point there, that's kind of concerning. Another thing that we noticed is with these networks all we saw was probe requests. So that was kind of odd, because usually you would see constant beacons out all the time; you wouldn't necessarily see probe requests. So I don't know what would happen if you responded to those probe requests, or if you could do anything like that. Obviously we weren't going to transmit on anything, but it might be something interesting to look into. Another kind of network that
we saw was when you get closer to the stations, the actual police stations, you'll see an antenna out front, and those were transmitting some stuff too. And so I was again riding around on my bicycle, waiting in front of the police station seeing what I could find, and took a look and was able to get an EAP handshake. And if you look kind of closely there's something maybe a little alarming to anybody who knows anything about wireless: there's some LEAP that's being used, and if you watched the talk by Moxie and David Hulton today, an MS-CHAPv2 handshake goes across, so that could be kind of concerning since they crack that in under 24 hours. Looking at the equipment that's being used in 4.9, it really seems as though no additional security measures have been taken. You still see LEAP in use, you still see WEP in use, so it seems like we're not learning from any of our mistakes, or that the implementations have been there for a while. And then also, you know, we did see a lot of Cisco OUIs and things that indicated that Cisco is being used a lot, but those Proxim APs looked almost identical to the ones that we bought. So Proxim has this proprietary protocol called WORP, the Wireless Outdoor Routing Protocol, and so there are some older hacks with WORP, but when we tried them nothing seemed to work. Even with our AP, we tried to put it in DFU mode and we couldn't get anything out of it, so it's kind of a proprietary protocol and you might not have too much access to it. The next thing that we looked at was Vegas. So we weren't even going to look at Vegas, but then when we came here we were drunk and, you know, things come up, so we decided to. So on the bottom there is again the channel list that you can use to view what kind of data is there. So real quick, what happened is I was sitting up in my room and I was just looking at the 2.4 gigahertz spectrum, but you'll see quite often with the 4.9 gigahertz equipment
that's being implemented in these mesh networks is that they're dual band; it'll be on 2.4 gigahertz and 4.9 gigahertz. And in this case I was seeing a default SSID for that particular type of equipment on 2.4 gigahertz, which led me to go, hey Brad, let's go take a look at the 4.9. What we found out was it was transmitting on both bands and using the same default SSID in both cases. Yeah, so we did see some beacons here, so definitely different technology that's being used. And what was kind of interesting is we saw this weird frame here, and we weren't really sure what it is, and we still kind of aren't. We think it's some sort of announcement frame, since the areas that are marked out are actually the MAC addresses of the sender, probably some sort of beacon they were sending on a pretty regular basis. So all of this network seems to be, I mean basically we're guessing that this is all part of the wireless surveillance network that you see out there. But one thing that's kind of interesting is these particular Motorola mesh networks actually have four antennas: they have two 2.4 and two 4.9 gigahertz, and two of those four antennas actually use a proprietary protocol called mobility enhanced access, so that you can't have too much access to it. One interesting thing is on the 2.4 gigahertz spectrum we saw a lot of plain text, unencrypted ARP traffic going out for publicly routable IP addresses, so that could be something. I don't know if anybody saw Colin Mueller's talk at Black Hat, but basically what he did was scan a bunch of public internet IP addresses that turned back into, you know, devices kind of like the ones that we're seeing transmitting. So the Motorola MEA is something I would like to take a look into in the future. It's a proprietary protocol for mesh networks, and where it really shines, I suppose, is in vehicle modems, so modems or radios mounted in, like, a police car for instance,
because it can do a sort of GPS without using satellites, where it can time the pings or the packets that come back through multiple radios or multiple access points from that given radio and be able to pinpoint where a given mobile radio is. So for mesh networks it really shines. Sadly it's not 802.11 compatible, so you're not able to look at it with a traditional 802.11 card, but they do have cards available for it, so it's something I kind of want to take a peek at in the future. And then luckily enough, out of all the hotel rooms in Vegas, for whatever reason Rob had to be in one that picked up this other network that we haven't seen anywhere else. It looks to be a SkyPilot network, and so if you know anything about mesh networks, SkyPilot can provide backhaul networks for mesh networks that are a little lower; it'll handle all that kind of good stuff. So we did find all this ridiculous traffic all over the place that we weren't able to figure out what it was, and so that's just kind of letting you know what's out there. If you know anything about mesh networks we'd love to talk to you so we can play around with these different captures. So really quickly, the war driving summary: you have to make sure you get your channels right; some networks are not on 4.9 or are not 802.11 compatible, so that could be a problem; and there are lots of proprietary protocols out there. One last thing that we noticed when we were doing research was that we were wondering if 4.9 gigahertz could be hacked or was being targeted at all. So let me take this one. So I don't know if you guys knew about this hack; it was in the news like a couple of months ago about this town in Illinois. One night their tornado sirens, not a thing I'm familiar with on the east coast but apparently it's quite common in the central US, all their tornado sirens went off, and it was like for an hour and they couldn't figure out why. And I remember reading the interview with the police chief,
and he said, yeah, for 20 minutes it was the tornado warning sound and then for the next 20 minutes it was the sound for a military attack that I've never heard before. I was like, gee, I hope not; it's Red Dawn, right? So anyway, I noticed in one of the articles that they mentioned that they brought their vendor in. They suspected someone hacked it over wireless, and they brought the vendor in to fix it, which was Federal Signal. There's no offense against them, but that was mentioned in the article. So I'm like, hmm. I was trying to find 4.9 gigahertz networks, and I was looking for press releases from vendors, because whenever vendors do an implementation for a municipality they usually put out press releases and crow about it and whatnot. And sure enough, I saw a press release from a few years previous that Federal Signal did a 4.9 gigahertz network implementation for this town. It's like, okay. Then I looked it up and I saw that Federal Signal also seems to be a prodigious manufacturer of tornado sirens that can be communicated to, or triggered rather, over 4.9 gigahertz, so my interest is piqued. So looking at the two there, it seemed like it might be quite likely that somebody actually did hack them over 4.9. Then doing a little more searching I found this. So what's going on here, guys? What's going on? I mean, this coming, for sure. No idea. Well, so, and notice he said from your home computer, because that's definitely where you want to hack something from. Alright guys, well thanks for your time. If you have any questions feel free to email us up here, and you can get all the code up there. Thank you.
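The channel-hop planning the speakers describe for Kismet (define a frequency range and a channel width, hop across the resulting channels, then lock onto one once traffic is seen) is worked through below as an added editorial example. It is not code from the talk, the speakers' driver patch, or the OpenSecurityResearch repository. It assumes the FCC 4.9 GHz public safety allocation of 4940 to 4990 MHz as the band edges and treats 5, 10, 20 and 40 MHz as the widths a monitor needs; the names channel_plan, uncovered_khz, lock_channel and as_mhz_list are the example's own. The point it adds for a defender planning passive monitoring is the coverage check: a plan built from 20 or 40 MHz channels silently leaves the top of the band unobserved, and a narrower width or an overlapping hop step is needed to see everything.

```python
"""Hop-channel planner for a passive monitor of the 4.9 GHz public safety band.

Added editorial example, not code from the talk or the OpenSecurityResearch
repository. Assumption: the US 4.9 GHz public safety allocation spans
4940-4990 MHz; band edges and widths are parameters so other ranges work too.
Frequencies are kept as integer kHz so 2.5 MHz half-widths stay exact.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BAND_START_KHZ = 4_940_000  # lower edge of the 4.9 GHz band (assumption: US allocation)
BAND_END_KHZ = 4_990_000    # upper edge
SUPPORTED_WIDTHS_MHZ = (5, 10, 20, 40)  # widths a 4.9 GHz monitor is assumed to need


@dataclass(frozen=True)
class Channel:
    """One hop channel: a center frequency and the bandwidth it occupies."""
    center_khz: int
    width_khz: int

    @property
    def low_khz(self) -> int:
        return self.center_khz - self.width_khz // 2

    @property
    def high_khz(self) -> int:
        return self.center_khz + self.width_khz // 2

    def contains(self, freq_khz: int) -> bool:
        return self.low_khz <= freq_khz <= self.high_khz


def channel_plan(width_mhz: int, start_khz: int = BAND_START_KHZ,
                 end_khz: int = BAND_END_KHZ,
                 step_mhz: Optional[int] = None) -> List[Channel]:
    """Enumerate channels of width_mhz whose whole occupied bandwidth lies
    inside [start_khz, end_khz]. step_mhz is the spacing between successive
    centers; it defaults to the width, giving non-overlapping channels. A
    trailing channel that would spill past the band edge is dropped, so a
    plan can legitimately leave part of the band uncovered (see uncovered_khz).
    """
    if width_mhz not in SUPPORTED_WIDTHS_MHZ:
        raise ValueError(f"unsupported channel width: {width_mhz} MHz")
    if step_mhz is not None and step_mhz <= 0:
        raise ValueError("step must be positive")
    width_khz = width_mhz * 1000
    step_khz = (step_mhz if step_mhz else width_mhz) * 1000
    half = width_khz // 2
    plan: List[Channel] = []
    center = start_khz + half
    while center + half <= end_khz:
        plan.append(Channel(center, width_khz))
        center += step_khz
    return plan


def uncovered_khz(plan: List[Channel], start_khz: int = BAND_START_KHZ,
                  end_khz: int = BAND_END_KHZ) -> List[Tuple[int, int]]:
    """Spans of [start, end] that no channel in plan occupies. A monitor that
    hops only these channels never sees traffic in the returned spans."""
    gaps: List[Tuple[int, int]] = []
    cursor = start_khz
    for ch in sorted(plan, key=lambda c: c.low_khz):
        if ch.low_khz > cursor:
            gaps.append((cursor, ch.low_khz))
        cursor = max(cursor, ch.high_khz)
    if cursor < end_khz:
        gaps.append((cursor, end_khz))
    return gaps


def lock_channel(plan: List[Channel], observed_mhz: float) -> Optional[Channel]:
    """Pick the plan channel to stop hopping on once a frame is seen at
    observed_mhz (for example the radiotap channel frequency of a captured
    probe request). Returns None when the frequency is outside every channel."""
    khz = round(observed_mhz * 1000)
    for ch in plan:
        if ch.contains(khz):
            return ch
    return None


def as_mhz_list(plan: List[Channel]) -> str:
    """Comma-separated center frequencies in MHz, the shape an explicit
    sniffer channel list takes; half-MHz centers keep one decimal."""
    return ",".join(f"{ch.center_khz / 1000:g}" for ch in plan)


if __name__ == "__main__":
    for width in SUPPORTED_WIDTHS_MHZ:
        plan = channel_plan(width)
        gaps = uncovered_khz(plan)
        print(f"{width:>2} MHz: {len(plan)} channels -> {as_mhz_list(plan)}")
        if gaps:
            print("   uncovered:", ", ".join(f"{lo / 1000:g}-{hi / 1000:g} MHz" for lo, hi in gaps))
    # Constructed observation: a probe request captured at 4962 MHz while
    # hopping the 10 MHz plan; lock onto the channel that contains it.
    ch = lock_channel(channel_plan(10), 4962)
    print("lock to", f"{ch.center_khz / 1000:g} MHz" if ch else "nothing")
```

Running the module prints the plan for each width and flags the 4980 to 4990 MHz gap that the 20 and 40 MHz plans leave; passing step_mhz=10 to channel_plan(20) produces overlapping 20 MHz channels that close that gap at the cost of more hops. The output string from as_mhz_list is deliberately tool-agnostic, since the exact channel-list syntax differs between Kismet versions and should be taken from the kismet.conf shipped with the version in use.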