RF HACKING: IT’S NOT JUST
FM/AM BROADCAST RADIO
Anocha Upontian, PTT Digital Solution
Keerati Torach, KPMG Thailand
CAUTION & DISCLAIMER
▩ Be careful when using a Software Defined Radio peripheral: the signal may be transmitted on an illegal frequency (depends on country regulations)
▩ Signal interference (jamming) is illegal
▩ The content of this presentation is for EDUCATIONAL PURPOSES ONLY
▩ It’s recommended to test on a permitted system or in a laboratory environment
▩ You are responsible for using this material legally
http://www.thedailysheeple.com/wp-content/uploads/2014/08/faraday-cage.jpg
http://www.wovenwirecloth.org/img/shielding-screen.jpg
https://greatscottgadgets.com/hackrf/
https://nuand.com/
https://www.crowdsupply.com/lime-micro/limesdr
AGENDA
▩ Thailand’s spectrum regulations
▩ Radio frequency in communication
▩ RF security assessment tools
▩ GNU Radio Companion
▩ Case study 1: Wireless doorbell
▩ Case study 2: Beyond a doorbell
▩ Case study 3: Dealing with rolling code
▩ Lesson learned
THAILAND’S SPECTRUM REGULATIONS
▩ Radio Communications Act, B.E. 2498
▩ Section 15: Where any person unintentionally causes interference with or obstruction to radio communications, the licensing officer or a person authorized by that officer has the power to order that person to stop the act, to modify the thing used in the act, or to move that thing out of the interference area.
▩ Section 18: In order to inspect radio communication equipment, parts of radio communication equipment, radio communication stations, things that cause interference with or obstruction to radio communications, or licences, the licensing officer or a person authorized by that officer has the power to enter the premises or vehicle of any person at a reasonable time.
https://broadcast.nbtc.go.th/data/document/law/doc/th/560400000027.pdf
RADIO FREQUENCY IN COMMUNICATION
▩ Absolutely, it’s wireless
▩ Long distance communication
https://en.wikipedia.org/wiki/Radio_frequency
RADIO FREQUENCY IN COMMUNICATION
▩ Analog Signal Processing
  ▩ Amplitude Modulation (AM)
  ▩ Frequency Modulation (FM)
  ▩ Phase Modulation (PM)
https://en.wikipedia.org/wiki/Amplitude_modulation
https://en.wikipedia.org/wiki/Phase_modulation
https://upload.wikimedia.org/wikipedia/commons/8/8d/Illustration_of_Amplitude_Modulation.png
https://www.scienceabc.com/wp-content/uploads/2016/08/Illustration_of_Frequency_Modulation.jpg
RADIO FREQUENCY IN COMMUNICATION
▩ Digital Signal Processing
  ▩ Amplitude Shift Keying (ASK)
  ▩ On-Off Keying (OOK)
  ▩ Frequency Shift Keying (FSK)
  ▩ Phase Shift Keying (PSK)
[Figure panels: OOK, ASK]
https://www.owasp.org/images/2/29/AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf
https://web.stanford.edu/class/ee102b/contents/DigitalModulation.pdf
RF SECURITY ASSESSMENT TOOLS (HARDWARE)
▩ RTL-SDR with dongle
  ▩ Only RX (simplex)
  ▩ 24 MHz – 1766 MHz
▩ 433 MHz or 315 MHz transmitter (only TX) module
  ▩ Usually comes together with a receiver (only RX)
  ▩ Modulation: ASK/OOK
  ▩ 3-12 V working voltage
▩ DIY antenna
  ▩ Appropriate length
▩ Raspberry Pi 3 Model B
  ▩ Controlling the transmitter
▩ Electronics prototyping kit
  ▩ Breadboards
  ▩ Jumper wires
  ▩ 9-volt battery
  ▩ Resistors
▩ YARD Stick One with female antenna (buy separately)
  ▩ Transceiver (half duplex capable)
  ▩ Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK and MSK
  ▩ 300-348 MHz, 391-464 MHz, and 782-928 MHz operating frequencies
RF SECURITY ASSESSMENT TOOLS (SOFTWARE)
▩ GNU Radio Companion
  ▩ Powerful signal processing blocks
  ▩ Supports any SDR peripheral (RTL-SDR, HackRF, BladeRF)
▩ SDR#
  ▩ Analysis
  ▩ Demodulation
  ▩ Streaming
▩ GQRX
  ▩ Same as SDR#
▩ Rfcat
  ▩ For controlling YARD Stick One
▩ Audacity
  ▩ Pulse analysis
▩ Baudline
  ▩ Spectrum analysis
▩ Rtl_433
  ▩ Demodulates and decodes data automatically
▩ Python (basic)
  ▩ General purpose input output (GPIO) of Raspberry Pi
  ▩ Rfcat
GRC
▩ Signal source
  ▩ RTL-SDR
▩ File sink
https://en.wikipedia.org/wiki/File:Signal_Sampling.png
Sampling is the conversion process from continuous to discrete
GRC
▩ Digital filtering
  ▩ Keep only the bandwidth of interest
http://www.aimagin.com/learn/images/thumb/7/72/Transferfunction.png/600px-Transferfunction.png
https://en.wikipedia.org/wiki/File:Butterworth_response.svg
https://upload.wikimedia.org/wikipedia/commons/7/76/Butterworth_lowpass.png
GRC
▩ Rational Resampler
  ▩ Adjust to an appropriate sample rate
  ▩ Interpolation -> reconstruct the signal at the given sample rate
  ▩ Decimation -> reduce the sample rate
GRC
▩ Demodulator
  ▩ Usually converts the data type from complex to float
ASK Demodulator
FSK Demodulator
…1011001…
…10110…
GRC
▩ Instruments
GRC
▩ Video: Listening to FM radio vimeo.com/236269734
GRC
▩ Easier one: GQRX or SDR#
CASE STUDY 1: WIRELESS DOORBELL
▩ Fixed key transmission
▩ It’s great for a first study
▩ Low cost
CASE STUDY 1: WIRELESS DOORBELL
▩ Information gathering
CASE STUDY 1: WIRELESS DOORBELL
▩ Capture transmitted data and save to file
CASE STUDY 1: WIRELESS DOORBELL
▩ Capture the signal from the original remote and determine the modulation
  ▩ Baudline
https://greatscottgadgets.com/tr/gsg-tr-2016-1.pdf
CASE STUDY 1: WIRELESS DOORBELL
▩ Demodulation
CASE STUDY 1: WIRELESS DOORBELL
▩ Pulse analysis using Audacity
▩ Decoding data (Pulse Width Modulation?)
0 0 1
http://pcbheaven.com/wikipages/images/pwmmodulation_1236701204.jpg
https://learn.sparkfun.com/tutorials/pulse-width-modulation
CASE STUDY 1: WIRELESS DOORBELL
▩ Hardware interfacing
https://www.raspberrypi-spy.co.uk/wp-content/uploads/2012/09/Raspberry-Pi-GPIO-Layout-Revision-1.png
Monopole antenna:
Length = λ/4 m
where v = fλ
λ = (v/f)
CASE STUDY 1: WIRELESS DOORBELL
▩ DEMO: Ring doorbell with captured signal using Raspberry Pi
vimeo.com/236267585
CASE STUDY 1: WIRELESS DOORBELL
▩ Alternatively
  ▩ YARD Stick One
  ▩ Baud rate (bit/sec) instead of time delay
  ▩ For example, 1 bit -> 0.001 s
  ▩ Baud = 1/0.001 = 1000
1 0 1 1 10 0 0 0
CASE STUDY 2: BEYOND A DOORBELL
▩ What about a key fob used to lock, unlock, arm, and disarm a car?
CASE STUDY 2: BEYOND A DOORBELL
▩ Car Alarm System
CASE STUDY 2: BEYOND A DOORBELL
▩ Information gathering
CASE STUDY 2: BEYOND A DOORBELL
▩ Low cost jammer
  ▩ ~ 140 ฿ excluding breadboard
9 Voltage Battery
CASE STUDY 2: BEYOND A DOORBELL
▩ Video: Interfering with a car’s key fob
▩ DEMO: Unlock/Lock car with captured signal using Raspberry Pi + transmitter module or YARD Stick One
vimeo.com/236269836
vimeo.com/236268296
CASE STUDY 3: DEALING WITH ROLLING CODE
▩ A rolling code is meant to prevent replay attacks
▩ Different data is sent each time
Rtl_433
https://www.youtube.com/user/Hak5Darren
CASE STUDY 3: DEALING WITH ROLLING CODE
▩ Defeating rolling code
▩ Samy Kamkar’s RollJam, presented at DEF CON 23 (2015)
https://samy.pl/defcon2015/2015-defcon.pdf
CASE STUDY 3: DEALING WITH ROLLING CODE
▩ Improper rolling code implementation on an automatic sliding gate opener
▩ Sets of codes are stored in a pool
▩ The code rotates every time a code of valid length is received, whether it matches or not
POOL: 1001 1101 0101 0011 1111 1000 1011
POOL: 1101 0101 0001 1001 0011 1111 1000
POOL: 0101 0001 0111 1101 1001 0011 1111
POOL: 0001 0111 0000 0101 1101 1001 0011
0101 0101 0101 0101
CASE STUDY 3: DEALING WITH ROLLING CODE
▩ Video: Open automatic sliding gate using Raspberry Pi
vimeo.com/236268904
LESSON LEARNED
▩ Implement frequency hopping to prevent pulse jamming
  ▩ Spread spectrum
▩ Bidirectional communication (challenge-response) instead of unidirectional
  ▩ Along with encryption
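The receiver logic from case study 3 next to the challenge-response scheme recommended above, as an added Python simulation that is not from the slides. The pool model (a pointer that advances on every valid-length frame), all class and function names, and the use of HMAC-SHA256 over a random nonce as the response (authentication, not the encryption the slide mentions) are assumptions; the pool values are those of the first POOL diagram.

```python
"""Added example (not from the slides): flawed code-pool receiver vs. challenge-response."""
import hashlib
import hmac
import secrets


class PoolReceiver:
    """Assumed model of the gate opener in case study 3.

    The receiver expects the pool entry under its pointer and advances the
    pointer for every frame of valid length, whether the frame matched or not.
    """

    def __init__(self, pool):
        self.pool = list(pool)
        self.pos = 0

    def receive(self, code):
        if len(code) != len(self.pool[self.pos]):
            return False  # wrong length: frame ignored, pointer unchanged
        accepted = code == self.pool[self.pos]
        # The flaw: rotation is not tied to a successful match.
        self.pos = (self.pos + 1) % len(self.pool)
        return accepted


def frames_until_accept(receiver, code, max_frames):
    """Feed the same frame repeatedly; return the frame count at first accept, else None."""
    for count in range(1, max_frames + 1):
        if receiver.receive(code):
            return count
    return None


def fob_response(key, nonce):
    """Key fob side: authenticate the receiver's nonce with the shared key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ChallengeResponseReceiver:
    """Bidirectional scheme: a fresh random nonce per attempt, usable once."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response):
        nonce, self.pending = self.pending, None  # any attempt consumes the nonce
        if nonce is None:
            return False  # no challenge outstanding
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


# Pool values as listed in the first POOL diagram of the slide.
SLIDE_POOL = ["1001", "1101", "0101", "0011", "1111", "1000", "1011"]


def compare_designs():
    """Return (frames needed by the flawed receiver, legit result, replay result)."""
    flawed = PoolReceiver(SLIDE_POOL)
    frames = frames_until_accept(flawed, "0101", max_frames=len(SLIDE_POOL))

    key = secrets.token_bytes(32)  # constructed shared secret for the simulation
    gate = ChallengeResponseReceiver(key)
    recorded = fob_response(key, gate.challenge())
    legit = gate.verify(recorded)   # answer to the current nonce
    gate.challenge()                # the next attempt gets a new nonce
    replay = gate.verify(recorded)  # old answer against the new nonce
    return frames, legit, replay


if __name__ == "__main__":
    print(compare_designs())
```

In the assumed pool model a single recorded code is accepted within one pass over the pool, while the recorded challenge-response answer is rejected as soon as the nonce changes.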
SPECIAL THANKS
▩ Low cost project due to …
  ▩ Mr.Krit Saengkyongam – Raspberry Pi
  ▩ Mr.Prathan Phongthiproek – YARD Stick One
  ▩ Mom - Everything
HAPPY HACKING !!! http://fb.com/boazus

RF Hacking Red Pill 2017

  • 1. RF HACKING: IT’S NOT JUST FM/AM BROADCAST RADIO Anocha Upontian, PTT Digital Solution Keerati Torach, KPMG Thailand
  • 2. CAUTION & DISCLAIMER ▩ Be careful for using Software Defined Radio peripheral that signal will be transmitted on illegal frequency (depend on country regulations) ▩ Signal interference (Jamming) is illegal ▩ Content on this presentation for EDUCATION PURPOSE ONLY ▩ It’s recommended to test on permitted system or laboratory environment ▩ You are responsible for using this stuff legally http://www.thedailysheeple.com/wp-content/uploads/2014/08/faraday-cage.jpg http://www.wovenwirecloth.org/img/shielding-screen.jpghttps://greatscottgadgets.com/hackrf/ https://nuand.com/ https://www.crowdsupply.com/lime-micro/limesdr
  • 3. AGENDA ▩ Thailand’s spectrum regulations ▩ Radio frequency in communication ▩ RF security assessment tools ▩ Gnu Radio Companion ▩ Case study 1: Wireless doorbell ▩ Case study 2: Beyond a doorbell ▩ Case study 3: Dealing with rolling code ▩ Lesson learned
  • 4. THAILAND’S SPECTRUM REGULATIONS ▩ āļžāļĢāļ°āļĢāļēāļŠāļšāļąāļāļāļąāļ•āļī āļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄ āļž.āļĻ. āđ’āđ”āđ™āđ˜ ▩ āļĄāļēāļ•āļĢāļē āđ‘āđ• āļœāļđāđ‰āđƒāļ”āļāļĢāļ°āļ—āđāļēāđƒāļŦāđ‰āđ‰āđ€āļāļīāļ”āļāļēāļĢāļĢāļšāļāļ§āļ™āļŦāļĢāļ·āļ­āļ‚āļąāļ”āļ‚āļ§āļēāļ‡āļ•āđˆāļ­āļāļēāļĢāļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄāđ‚āļ”āļĒāļĄāļīāđ„āļ”āđ‰āđ€āļˆāļ•āļ™āļē āđ€āļˆāđ‰āļēāļžāļ™āļąāļāļ‡āļēāļ™āļœāļđāđ‰āļ­āļ­āļ āđƒāļšāļ­āļ™āļļāļāļēāļ•āļŦāļĢāļ·āļ­āļœāļđāđ‰āļ—āļĩāđˆāđ„āļ”āđ‰āļĢāļąāļšāļĄāļ­āļšāļŦāļĄāļēāļĒāļĄāļĩāļ­āđāļēāļ™āļēāļˆāļŠāļąāđˆāļ‡āđƒāļŦāđ‰āļœāļđāđ‰āļ™āļąāđ‰āļ™āļĢāļ°āļ‡āļąāļšāļāļēāļĢāļāļĢāļ°āļ—āđāļēāļ™āļąāđ‰āļ™āļŦāļĢāļ·āļ­āđƒāļŦāđ‰āđāļāđ‰āđ„āļ‚āđ€āļ›āļĨāļĩāđˆāļĒāļ™āđāļ›āļĨāļ‡āļŠāļīāđˆāļ‡āļ—āļĩāđˆāđƒāļŠāđ‰āđƒāļ™ āļāļēāļĢāļāļĢāļ°āļ—āđāļēāļ™āļąāđ‰āļ™āđ€āļŠāļĩāļĒ āļŦāļĢāļ·āļ­āđƒāļŦāđ‰āļĒāđ‰āļēāļĒāļŠāļīāđˆāļ‡āļ”āļąāļ‡āļāļĨāđˆāļēāļ§āļ™āļąāđ‰āļ™āļ­āļ­āļāđ„āļ›āđƒāļŦāđ‰āļžāđ‰āļ™āđ€āļ‚āļ•āļĢāļšāļāļ§āļ™āđ„āļ” ▩ āļĄāļēāļ•āļĢāļē āđ‘āđ˜ āđ€āļžāļ·āđˆāļ­āļ•āļĢāļ§āļˆāđ€āļ„āļĢāļ·āđˆāļ­āļ‡āļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄ āļŠāđˆāļ§āļ™āđāļŦāđˆāļ‡āđ€āļ„āļĢāļ·āđˆāļ­āļ‡āļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄ āļŠāļ–āļēāļ™āļĩāļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄ āļŠāļīāđˆāļ‡āļ—āļĩāđˆāļāđˆāļ­āđƒāļŦāđ‰āđ€āļāļīāļ” āļāļēāļĢāļĢāļšāļāļ§āļ™āļŦāļĢāļ·āļ­āļ‚āļąāļ”āļ‚āļ§āļēāļ‡āļ•āđˆāļ­āļāļēāļĢāļ§āļīāļ—āļĒāļļāļ„āļĄāļ™āļēāļ„āļĄ āļŦāļĢāļ·āļ­āđƒāļšāļ­āļ™āļļāļāļēāļ• āđ€āļˆāđ‰āļēāļžāļ™āļąāļāļ‡āļēāļ™āļœāļđāđ‰āļ­āļ­āļāđƒāļšāļ­āļ™āļļāļāļēāļ•āļŦāļĢāļ·āļ­āļœāļđāđ‰āļ—āļĩāđˆāđ„āļ”āđ‰āļĢāļąāļšāļĄāļ­āļš āļŦāļĄāļēāļĒāļĄāļĩāļ­āđāļēāļ™āļēāļˆāđ€āļ‚āđ‰āļēāđ„āļ›āđƒāļ™āļ­āļēāļ„āļēāļĢāļŠāļ–āļēāļ™āļ—āļĩāđˆ āļŦāļĢāļ·āļ­āļĒāļēāļ™āļžāļēāļŦāļ™āļ°āļ‚āļ­āļ‡āļšāļļāļ„āļ„āļĨāđƒāļ”āđ† āđ„āļ”āđ‰āđƒāļ™āđ€āļ§āļĨāļēāļ­āļąāļ™āļŠāļĄāļ„āļ§āļĢ https://broadcast.nbtc.go.th/data/document/law/doc/th/560400000027.pdf
  • 5. RADIO FREQUENCY IN COMMUNICATION ▩ Absolutely, it’s wireless ▩ Long distance communication https://en.wikipedia.org/wiki/Radio_frequency
  • 6. RADIO FREQUENCY IN COMMUNICATION ▩ Analog Signal Processing ▩ Amplitude Modulation (AM) ▩ Frequency Modulation (FM) ▩ Phase Modulation (PM) https://en.wikipedia.org/wiki/Amplitude_modulation https://en.wikipedia.org/wiki/Phase_modulation https://upload.wikimedia.org/wikipedia/commons/8/8d/Illustration_of_Amplitude_Modulation.png https://www.scienceabc.com/wp-content/uploads/2016/08/Illustration_of_Frequency_Modulation.jpg
  • 7. RADIO FREQUENCY IN COMMUNICATION ▩ Digital Signal Processing ▩ Amplitude Shift Keying (ASK) ▩ On-Off Keying (OOK) ▩ Frequency Shift Keying (FSK) ▩ Phase Shift Keying (PSK) ▩ Figure panels: OOK, ASK https://www.owasp.org/images/2/29/AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf https://web.stanford.edu/class/ee102b/contents/DigitalModulation.pdf
  • 8. RF SECURITY ASSESSMENT TOOLS (HARDWARE) ▩ RTL-SDR with dongle ▩ Only RX (simplex) ▩ 24 MHz – 1766 MHz ▩ 433 MHz or 315 MHz transmitter (only TX) module ▩ Usually comes together with a receiver (only RX) ▩ Modulation: ASK/OOK ▩ 3-12 V working voltage ▩ DIY antenna ▩ Appropriate length ▩ Raspberry Pi 3 Model B ▩ Controlling transmitter ▩ Electronics prototype maker ▩ Breadboards ▩ Jumper wires ▩ 9-volt battery ▩ Resistors ▩ YARD Stick One with female antenna (buy separately) ▩ Transceiver (half-duplex capable) ▩ Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK and MSK ▩ 300-348 MHz, 391-464 MHz, and 782-928 MHz operating frequencies
  • 9. RF SECURITY ASSESSMENT TOOLS (SOFTWARE) ▩ GNU Radio Companion ▩ Powerful signal processing blocks ▩ Supports any SDR peripheral (RTL-SDR, HackRF, BladeRF) ▩ SDR# ▩ Analysis ▩ Demodulation ▩ Streaming ▩ GQRX ▩ Same uses as SDR# ▩ RfCat ▩ For controlling YARD Stick One ▩ Audacity ▩ Pulse analysis ▩ Baudline ▩ Spectrum analysis ▩ rtl_433 ▩ Demodulates and decodes data automatically ▩ Python (basic) ▩ General purpose input output (GPIO) of Raspberry Pi ▩ RfCat
  • 10. GRC ▩ Signal source ▩ RTL-SDR ▩ File sink https://en.wikipedia.org/wiki/File:Signal_Sampling.png Sampling is the process of converting a continuous signal to a discrete one
  • 11. GRC ▩ Digital filtering ▩ Keep only the bandwidth of interest http://www.aimagin.com/learn/images/thumb/7/72/Transferfunction.png/600px-Transferfunction.png https://en.wikipedia.org/wiki/File:Butterworth_response.svg https://upload.wikimedia.org/wikipedia/commons/7/76/Butterworth_lowpass.png
  • 12. GRC ▩ Rational Resampler ▩ Adjusts to an appropriate sample rate ▩ Interpolation -> reconstructs the signal at a given sample rate ▩ Decimation -> reduces the sample rate
  • 13. GRC ▩ Demodulator ▩ Usually converts the data type from complex to float ▩ ASK Demodulator ▩ FSK Demodulator ▩ …1011001… …10110…
  • 15. GRC ▩ Video: Listening to FM radio vimeo.com/236269734
  • 16. GRC ▩ Easier one: GQRX or SDR#
  • 17. CASE STUDY 1: WIRELESS DOORBELL ▩ Fixed key transmission ▩ A good starting point for study ▩ Low cost
  • 18. CASE STUDY 1: WIRELESS DOORBELL ▩ Information gathering
  • 19. CASE STUDY 1: WIRELESS DOORBELL ▩ Capture transmitted data and save to file
  • 20. CASE STUDY 1: WIRELESS DOORBELL ▩ Capture the signal from the original remote and determine the modulation ▩ Baudline https://greatscottgadgets.com/tr/gsg-tr-2016-1.pdf
  • 21. CASE STUDY 1: WIRELESS DOORBELL ▩ Demodulation
  • 22. CASE STUDY 1: WIRELESS DOORBELL ▩ Pulse analysis using Audacity ▩ Decoding data (Pulse Width Modulation?) ▩ Figure labels: 0 0 1 http://pcbheaven.com/wikipages/images/pwmmodulation_1236701204.jpg https://learn.sparkfun.com/tutorials/pulse-width-modulation
  • 23. CASE STUDY 1: WIRELESS DOORBELL ▩ Hardware interfacing https://www.raspberrypi-spy.co.uk/wp-content/uploads/2012/09/Raspberry-Pi-GPIO-Layout-Revision-1.png Monopole antenna: Length = λ/4 m, where v = fλ, so λ = v/f
  • 24. CASE STUDY 1: WIRELESS DOORBELL ▩ DEMO: Ring doorbell with captured signal using Raspberry Pi vimeo.com/236267585
  • 25. CASE STUDY 1: WIRELESS DOORBELL ▩ Alternatively ▩ YARD Stick One ▩ Baud rate (bit/sec) instead of time delay ▩ For example, 1 bit -> 0.001 s ▩ Baud = 1/0.001 = 1000 ▩ Figure labels: 1 0 1 1 10 0 0 0
  • 26. CASE STUDY 2: BEYOND A DOORBELL ▩ What about the key fob used to lock, unlock, arm, and disarm a car?
  • 27. CASE STUDY 2: BEYOND A DOORBELL ▩ Car Alarm System
  • 28. CASE STUDY 2: BEYOND A DOORBELL ▩ Information gathering
  • 29. CASE STUDY 2: BEYOND A DOORBELL ▩ Low cost jammer ▩ ~ 140 ฿ excluding breadboard 9-volt battery
  • 30. CASE STUDY 2: BEYOND A DOORBELL ▩ Video: Interfering with a car’s key fob ▩ DEMO: Unlock/Lock car with captured signal using Raspberry Pi + transmitter module or YARD Stick One vimeo.com/236269836 vimeo.com/236268296
  • 31. CASE STUDY 3: DEALING WITH ROLLING CODE ▩ A rolling code prevents replay attacks ▩ Different data is sent out each time ▩ rtl_433 https://www.youtube.com/user/Hak5Darren
  • 32. CASE STUDY 3: DEALING WITH ROLLING CODE ▩ Defeating rolling code ▩ Samy Kamkar’s RollJam, presented at DEF CON 23 (2015) https://samy.pl/defcon2015/2015-defcon.pdf
  • 33. CASE STUDY 3: DEALING WITH ROLLING CODE ▩ Improper rolling code implementation on an automatic sliding gate opener ▩ Sets of codes are stored in a pool ▩ The code rotates every time a code of valid length is received, whether it matches or not ▩ Figure (successive pool states): POOL 1001 1101 0101 0011 1111 1000 1011; POOL 1101 0101 0001 1001 0011 1111 1000; POOL 0101 0001 0111 1101 1001 0011 1111; POOL 0001 0111 0000 0101 1101 1001 0011; codes shown alongside: 0101 0101 0101 0101
  • 34. CASE STUDY 3: DEALING WITH ROLLING CODE ▩ Video: Open automatic sliding gate using Raspberry Pi vimeo.com/236268904
  • 35. LESSON LEARNED ▩ Implement frequency hopping to prevent pulse jamming ▩ Spread spectrum ▩ Bidirectional communication (challenge-response) instead of unidirectional ▩ Along with encryption
  • 36. SPECIAL THANKS ▩ Low cost project due to … ▩ Mr.Krit Saengkyongam – Raspberry Pi ▩ Mr.Prathan Phongthiproek – YARD Stick One ▩ Mom - Everything
  • 37. HAPPY HACKING !!! http://fb.com/boazus
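
For the pulse analysis on slide 22, an added example (not from the slides): a decoder that thresholds a demodulated OOK envelope, classifies pulse widths and splits repeated frames. The capture is constructed, and the encoding (short pulse = 0, long pulse = 1, four-unit bit period) and all function names are assumptions.

```python
# Added example, not from the slides: pulse-width decoding of a demodulated OOK envelope.
from itertools import groupby

def synth_capture(code, repeats=3, unit=10, jitter=(0, 1, -1)):
    """Constructed envelope (floats 0..1): short high = 0, long high = 1, frame repeated."""
    out, k = [0.05] * 50, 0                      # leading silence
    for _ in range(repeats):
        for bit in code:
            high = (3 * unit if bit == "1" else unit) + jitter[k % len(jitter)]
            k += 1
            out += [0.9] * high + [0.05] * (4 * unit - high)
        out += [0.05] * (12 * unit)              # inter-frame gap
    return out

def runs(samples, threshold=0.5):
    """Slice the envelope at a threshold and return [level, length] runs."""
    return [[lvl, len(list(g))] for lvl, g in groupby(s > threshold for s in samples)]

def decode_frames(samples, threshold=0.5):
    """Return one bit string per frame found in the capture."""
    r = runs(samples, threshold)
    highs = [n for lvl, n in r if lvl]
    if not highs or max(highs) < 2 * min(highs):
        raise ValueError("need two distinct pulse widths to decode")
    mid = (min(highs) + max(highs)) / 2          # boundary between short and long pulses
    gap = 2 * max(highs)                         # a low run this long ends a frame
    frames, cur = [], ""
    for lvl, n in r:
        if lvl:
            cur += "1" if n > mid else "0"
        elif n >= gap and cur:
            frames.append(cur)
            cur = ""
    if cur:
        frames.append(cur)
    return frames

if __name__ == "__main__":
    print(decode_frames(synth_capture("110100101100")))
```

Agreement between the repeated frames is a quick sanity check that the threshold and the short/long boundary were chosen correctly.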
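
For slides 33 and 35, an added example (not from the slides or the gate vendor): the receiver logic described on slide 33 beside a challenge-response receiver, with a replay check a receiver design should pass. The pool is the first pool state from slide 33 treated as a fixed cycle; that simplification, HMAC-SHA256 and all names are assumptions.

```python
# Added example, not from the slides: replay check for two receiver designs.
import hashlib, hmac, secrets

class PoolReceiver:
    """Slide 33's receiver, simplified to a fixed cyclic pool (assumption)."""
    def __init__(self, pool):
        self.pool, self.idx = list(pool), 0
    def receive(self, code):
        if len(code) != len(self.pool[0]):
            return False                              # wrong length: ignored, no rotation
        accepted = code == self.pool[self.idx]
        self.idx = (self.idx + 1) % len(self.pool)    # flaw: rotates on a mismatch too
        return accepted

def fob_response(key, nonce):
    """What a fob holding `key` returns for a challenge (HMAC-SHA256, assumed choice)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeResponseReceiver:
    """Slide 35's bidirectional alternative: fresh random challenge per attempt."""
    def __init__(self, key):
        self.key, self.pending = key, None
    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending
    def receive(self, response):
        nonce, self.pending = self.pending, None      # a challenge is valid once only
        return nonce is not None and hmac.compare_digest(
            fob_response(self.key, nonce), response)

def first_accepted_replay(send, frame, limit):
    """Resend one recorded frame; return the attempt number accepted, else None."""
    for attempt in range(1, limit + 1):
        if send(frame):
            return attempt
    return None

def pool_result():
    rx = PoolReceiver(["1001", "1101", "0101", "0011", "1111", "1000", "1011"])
    return first_accepted_replay(rx.receive, "0101", limit=7)

def challenge_response_result():
    key = secrets.token_bytes(32)                     # constructed shared secret
    rx = ChallengeResponseReceiver(key)
    recorded = fob_response(key, rx.challenge())      # one legitimate exchange, observed
    genuine = rx.receive(recorded)
    def replay(frame):
        rx.challenge()                                # receiver issues a new nonce each time
        return rx.receive(frame)
    return genuine, first_accepted_replay(replay, recorded, limit=1000)
```

The pool receiver accepts the repeated frame once its pointer has rotated onto it, while the challenge-response receiver rejects every replay because each response is bound to a nonce that is used once.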