SlideShare ist ein Scribd-Unternehmen logo

Thotcon 0xA-fun-with-sdrs-sorry-no-profit - final

P
pricemcdonald

hacking security thotcon software defined radio

Technologie
1 von 29
Downloaden Sie, um offline zu lesen
Fun with SDRs, Sorry No Profit Thotcon 0xA Price McDonald Justin Berry
#USERID 0,0 pkm • 15 years InfoSec Experience • Senior Manager, Rapid 7 • Certifications: • GPEN,GWAPT,GREM,GXPN, GPYC, OSCP • Enjoys long walks to Micro Center #USERID 0,0 justin • 8 years InfoSec Experience • Director, Coalfire Labs • Certifications: • OSCP, OSCE, OSWP, GXPN, CEH • Probably has whiskey in-hand rn.
What is an SDR? Reverse Engineering
• RTL-SDR • 500 kHz - 1.7 GHz • RX Only • $25 • HackRF One • 1 MHz - 6 GHz • RX/TX @ Half-duplex • $315 • USRP • 70 MHz - 6 GHz • RX/TX @ Full-Duplex • $900 ifferent Types of SDRs
Tornado Anyone? Reverse Engineering Only way to stop the noise was “to unplug the radio systems and the repeater” Could have recorded the commands during a system test or actual tornado, and then played them back. Source: https://arstechnica.com/information- technology/2017/04/dallas-siren-hack-used-radio-signals- Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed? Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies -- 700 MHz range.
Common Radio Frequencies https://www.rfpage.com/what-are-radio-frequency-bands-and-its-uses/
Frequency Analyzers https://github.com/xmikos/qspectrumanalyzer
SDR Visualization Reverse Engineering
GNURadio Reverse Engineering
DEMO: Let's Listen to the Radio
DEMO: Let's Listen to the Police Radio
Frequency-shift Keying (FSK) • Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier signal. • • Introduced for use with mechanical teleprinters in the mid-1900s. The standard speed of those machines was 45 baud, equivalent to about 45 bits per second. • • Used by fax modems
POCSAG (Post Office Code Standardisation Advisory Group) • Asynchronous protocol used to transmit data to pagers. • Uses FSK with a ±4.5 kHz shift on the center carrier. The frequency at +4.5 kHz represents a 0 where the -4.5 kHz represents a 1. • Generally transmitted at one of three data rates; 512, 1200 or 2400 bits per second. • Those restaurant coaster things
FLEX FLEX (Flexible Wide Area Paging Protocol) • Protocol developed by Motorola and used in many pagers. • Provides one-way communication only (from the provider to the pager device), but a related protocol called ReFLEX provides two-way messaging. • Supports increased transmission speed and has quadruple the capacity of other paging protocols • Significantly improves messaging reliability.
Why buy the cow Shodan when you can get the milk OSINT for free?
Why buy the cow Shodan when you can get the milk OSINT for free?
Why buy the cow Shodan when you can get the milk OSINT for free?
Why buy the cow Shodan when you can get the milk OSINT for free?
SOX + Multimon-ng = LOLZ nc -lu 7355 | sox -t raw -e signed-integer -b 16 -r 48000 - - e signed-integer -b 16 -r 22050 -t raw - | multimon-ng -t raw -a FLEX -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -
DEMO: Decoding and viewing Pager Signals
Alarm Demos
Surely a Simple Replay won’t work
Making it not Suck
What else is on 433mhz? https://github.com/merbanan/rtl_433
What is ADS-B? Automatic Dependent Surveillance-Broadcast is a primary technology supporting the FAA’s Next Generation Air Traffic Control System, or NextGen, which will shift aircraft separation and air traffic control from ground-based radar to satellite-derived positions. https://www.aopa.org/go-fly/aircraft-and-ownership/ads-b
Why does ADS-B Matter? https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_WP.pdf The ADS-B system that is the cornerstone of the FAA’s NextGen ATC modernization plan is at risk of serious security breaches, according to Brad Haines, a hacker and network security consultant who is worried about ADS-B vulnerabilities. Haines first outlined his concerns during a presentation he gave at the Def Con 20 hacker conference in Las Vegas in July.
Watching Planes Fly (not sideways) https://github.com/mhostetter/gr-adsb
Contact Information Reverse EngineeringPrice McDonald Twitter: @pricemcdonald Email: pricemcdonald@gmail.com Justin Berry Email: jkberry924@gmail.com

Empfohlen

Icecrypt
IcecryptIcecrypt
IcecryptTELE-satellite ned
 
Icecrypt
IcecryptIcecrypt
IcecryptTELE-satellite bul
 
RFID based Smart Voting System
RFID based Smart Voting System RFID based Smart Voting System
RFID based Smart Voting System DEEPAK LODHA
 
Black Hat Europe 2015 - Time and Position Spoofing with Open Source Projects
Black Hat Europe 2015 - Time and Position Spoofing with Open Source ProjectsBlack Hat Europe 2015 - Time and Position Spoofing with Open Source Projects
Black Hat Europe 2015 - Time and Position Spoofing with Open Source ProjectsWang Kang
 
superTruck
superTrucksuperTruck
superTruckChuck Spoto
 
Pro mark 220
Pro mark 220Pro mark 220
Pro mark 220Budi anto
 
ES'HAIL 2/QO-100 Reception
ES'HAIL 2/QO-100 ReceptionES'HAIL 2/QO-100 Reception
ES'HAIL 2/QO-100 ReceptionRadiojitter Concepts Lab LLP
 
Software Defined Radio Workshop
Software Defined Radio WorkshopSoftware Defined Radio Workshop
Software Defined Radio WorkshopRadiojitter Concepts Lab LLP
 

Empfohlen

Icecrypt
IcecryptIcecrypt
IcecryptTELE-satellite ned
 
Icecrypt
IcecryptIcecrypt
IcecryptTELE-satellite bul
 
RFID based Smart Voting System
RFID based Smart Voting System RFID based Smart Voting System
RFID based Smart Voting System DEEPAK LODHA
 
Black Hat Europe 2015 - Time and Position Spoofing with Open Source Projects
Black Hat Europe 2015 - Time and Position Spoofing with Open Source ProjectsBlack Hat Europe 2015 - Time and Position Spoofing with Open Source Projects
Black Hat Europe 2015 - Time and Position Spoofing with Open Source ProjectsWang Kang
 
superTruck
superTrucksuperTruck
superTruckChuck Spoto
 
Pro mark 220
Pro mark 220Pro mark 220
Pro mark 220Budi anto
 
ES'HAIL 2/QO-100 Reception
ES'HAIL 2/QO-100 ReceptionES'HAIL 2/QO-100 Reception
ES'HAIL 2/QO-100 ReceptionRadiojitter Concepts Lab LLP
 
Software Defined Radio Workshop
Software Defined Radio WorkshopSoftware Defined Radio Workshop
Software Defined Radio WorkshopRadiojitter Concepts Lab LLP
 
RF Experiments in Raspberry Pi
RF Experiments in Raspberry PiRF Experiments in Raspberry Pi
RF Experiments in Raspberry PiRadiojitter Concepts Lab LLP
 
Software Defined Radio (SDR)
Software Defined Radio (SDR)Software Defined Radio (SDR)
Software Defined Radio (SDR)Drew Fustini
 
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way RadioIntroducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way RadioIcom UK Ltd
 
Espruino - JavaScript for Microcontrollers
Espruino - JavaScript for MicrocontrollersEspruino - JavaScript for Microcontrollers
Espruino - JavaScript for MicrocontrollersDrew Fustini
 
Sy tech ispace icd telex products
Sy tech ispace icd telex productsSy tech ispace icd telex products
Sy tech ispace icd telex productsSyTech Corporation
 
AeroGear Linecard 2015
AeroGear Linecard 2015AeroGear Linecard 2015
AeroGear Linecard 2015Zenie Noon
 
Getting started with digital modes
Getting started with digital modesGetting started with digital modes
Getting started with digital modesskutaboot
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1Daud Suleiman
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiJonathan Singer
 
Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)Pamela O'Shea
 
MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0John-Paul Petersen
 
ComNet NWKED Data Sheet
ComNet NWKED Data SheetComNet NWKED Data Sheet
ComNet NWKED Data SheetJMAC Supply
 
Nemo fsr1 scanner user manual
Nemo fsr1 scanner user manualNemo fsr1 scanner user manual
Nemo fsr1 scanner user manualBoonlert Aramworaphaisan
 
N5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR APIN5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR APIN5AC
 
Krypto500
Krypto500Krypto500
Krypto500Rony Hosen
 
r3-4-2009f_xts5000_new
r3-4-2009f_xts5000_newr3-4-2009f_xts5000_new
r3-4-2009f_xts5000_newBob Imbrigiotta, PMP
 
V30 Brochure(EN)-s
V30 Brochure(EN)-sV30 Brochure(EN)-s
V30 Brochure(EN)-sMaher Ghandour
 
All your wireless devices belongs to me
All your wireless devices belongs to meAll your wireless devices belongs to me
All your wireless devices belongs to men|u - The Open Security Community
 
Krypto1000
Krypto1000Krypto1000
Krypto1000Rony Hosen
 
Software Defined Radio
Software Defined RadioSoftware Defined Radio
Software Defined Radioveerababu penugonda(Mr-IoT)
 
Gigabit to the Home
Gigabit to the HomeGigabit to the Home
Gigabit to the HomeCisco Canada
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinEC-Council
 

Weitere ähnliche Inhalte

Was ist angesagt?

Software Defined Radio (SDR)
Software Defined Radio (SDR)Software Defined Radio (SDR)
Software Defined Radio (SDR)Drew Fustini
 
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way RadioIntroducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way RadioIcom UK Ltd
 
Espruino - JavaScript for Microcontrollers
Espruino - JavaScript for MicrocontrollersEspruino - JavaScript for Microcontrollers
Espruino - JavaScript for MicrocontrollersDrew Fustini
 
Sy tech ispace icd telex products
Sy tech ispace icd telex productsSy tech ispace icd telex products
Sy tech ispace icd telex productsSyTech Corporation
 
AeroGear Linecard 2015
AeroGear Linecard 2015AeroGear Linecard 2015
AeroGear Linecard 2015Zenie Noon
 
Getting started with digital modes
Getting started with digital modesGetting started with digital modes
Getting started with digital modesskutaboot
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1Daud Suleiman
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiJonathan Singer
 
Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)Pamela O'Shea
 
MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0John-Paul Petersen
 
ComNet NWKED Data Sheet
ComNet NWKED Data SheetComNet NWKED Data Sheet
ComNet NWKED Data SheetJMAC Supply
 
N5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR APIN5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR APIN5AC
 

Was ist angesagt? (20)

RF Experiments in Raspberry Pi
RF Experiments in Raspberry PiRF Experiments in Raspberry Pi
RF Experiments in Raspberry Pi
 
Software Defined Radio (SDR)
Software Defined Radio (SDR)Software Defined Radio (SDR)
Software Defined Radio (SDR)
 
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way RadioIntroducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
Introducing the Icom IP730D Hybrid LTE/Licenced Professional Two Way Radio
 
Espruino - JavaScript for Microcontrollers
Espruino - JavaScript for MicrocontrollersEspruino - JavaScript for Microcontrollers
Espruino - JavaScript for Microcontrollers
 
Sy tech ispace icd telex products
Sy tech ispace icd telex productsSy tech ispace icd telex products
Sy tech ispace icd telex products
 
AeroGear Linecard 2015
AeroGear Linecard 2015AeroGear Linecard 2015
AeroGear Linecard 2015
 
Getting started with digital modes
Getting started with digital modesGetting started with digital modes
Getting started with digital modes
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry Pi
 
Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)Worksheet for Introduction to Software Defined Radio (SDR)
Worksheet for Introduction to Software Defined Radio (SDR)
 
MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0MagneTag Presentation Winter Quarter V3.0
MagneTag Presentation Winter Quarter V3.0
 
ComNet NWKED Data Sheet
ComNet NWKED Data SheetComNet NWKED Data Sheet
ComNet NWKED Data Sheet
 
Nemo fsr1 scanner user manual
Nemo fsr1 scanner user manualNemo fsr1 scanner user manual
Nemo fsr1 scanner user manual
 
N5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR APIN5AC 2015 06-13 Ham-Com SmartSDR API
N5AC 2015 06-13 Ham-Com SmartSDR API
 
Krypto500
Krypto500Krypto500
Krypto500
 
r3-4-2009f_xts5000_new
r3-4-2009f_xts5000_newr3-4-2009f_xts5000_new
r3-4-2009f_xts5000_new
 
V30 Brochure(EN)-s
V30 Brochure(EN)-sV30 Brochure(EN)-s
V30 Brochure(EN)-s
 
All your wireless devices belongs to me
All your wireless devices belongs to meAll your wireless devices belongs to me
All your wireless devices belongs to me
 
Krypto1000
Krypto1000Krypto1000
Krypto1000
 
Software Defined Radio
Software Defined RadioSoftware Defined Radio
Software Defined Radio
 

Ähnlich wie Thotcon 0xA-fun-with-sdrs-sorry-no-profit - final

Gigabit to the Home
Gigabit to the HomeGigabit to the Home
Gigabit to the HomeCisco Canada
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinEC-Council
 
SigfoxGettingStarted October2018
SigfoxGettingStarted October2018SigfoxGettingStarted October2018
SigfoxGettingStarted October2018Aurelien Lequertier
 
SigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisSigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisAurelien Lequertier
 
transforming-wireless-system-design-with-matlab-and-ni.pdf
transforming-wireless-system-design-with-matlab-and-ni.pdftransforming-wireless-system-design-with-matlab-and-ni.pdf
transforming-wireless-system-design-with-matlab-and-ni.pdfJunaidKhan188662
 
Mototrbo Overview Dec 2014-Pennine Telecom
Mototrbo Overview Dec 2014-Pennine TelecomMototrbo Overview Dec 2014-Pennine Telecom
Mototrbo Overview Dec 2014-Pennine TelecomAndrew Trickett
 
Osc ftth solutions v1.0 20160922
Osc ftth solutions v1.0 20160922Osc ftth solutions v1.0 20160922
Osc ftth solutions v1.0 20160922Guisun Han
 
Sora- A High Performance Baseband DSP Processor
Sora- A High Performance Baseband DSP ProcessorSora- A High Performance Baseband DSP Processor
Sora- A High Performance Baseband DSP ProcessorHarshit Srivastava
 
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriais
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriaisWebinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriais
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriaisEmbarcados
 
cisco-c9120axe-h-datasheet.pdf
cisco-c9120axe-h-datasheet.pdfcisco-c9120axe-h-datasheet.pdf
cisco-c9120axe-h-datasheet.pdfHi-Network.com
 
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptx
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptxHuawei eRAN 7.0 VoLTE feature deep dive_20140515.pptx
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptxQasimQadir3
 
TV White Space Webinar presented by Dorin Goldfeder, Sales Director
TV White Space Webinar presented by Dorin Goldfeder, Sales DirectorTV White Space Webinar presented by Dorin Goldfeder, Sales Director
TV White Space Webinar presented by Dorin Goldfeder, Sales DirectorDorin Goldfeder
 
Wireless Catalog - Inter. Clouds 2016
Wireless Catalog - Inter. Clouds 2016Wireless Catalog - Inter. Clouds 2016
Wireless Catalog - Inter. Clouds 2016Sharon Cheung
 

Ähnlich wie Thotcon 0xA-fun-with-sdrs-sorry-no-profit - final (20)

Gigabit to the Home
Gigabit to the HomeGigabit to the Home
Gigabit to the Home
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
 
SigfoxGettingStarted
SigfoxGettingStartedSigfoxGettingStarted
SigfoxGettingStarted
 
Sigfox Euratech Workshop
Sigfox Euratech WorkshopSigfox Euratech Workshop
Sigfox Euratech Workshop
 
SigfoxGettingStarted October2018
SigfoxGettingStarted October2018SigfoxGettingStarted October2018
SigfoxGettingStarted October2018
 
SigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisSigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParis
 
transforming-wireless-system-design-with-matlab-and-ni.pdf
transforming-wireless-system-design-with-matlab-and-ni.pdftransforming-wireless-system-design-with-matlab-and-ni.pdf
transforming-wireless-system-design-with-matlab-and-ni.pdf
 
Mototrbo Overview Dec 2014-Pennine Telecom
Mototrbo Overview Dec 2014-Pennine TelecomMototrbo Overview Dec 2014-Pennine Telecom
Mototrbo Overview Dec 2014-Pennine Telecom
 
8051 zigbee interface
8051 zigbee interface8051 zigbee interface
8051 zigbee interface
 
SigfoxMakersDay Total
SigfoxMakersDay TotalSigfoxMakersDay Total
SigfoxMakersDay Total
 
Osc ftth solutions v1.0 20160922
Osc ftth solutions v1.0 20160922Osc ftth solutions v1.0 20160922
Osc ftth solutions v1.0 20160922
 
Sora- A High Performance Baseband DSP Processor
Sora- A High Performance Baseband DSP ProcessorSora- A High Performance Baseband DSP Processor
Sora- A High Performance Baseband DSP Processor
 
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriais
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriaisWebinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriais
Webinar: BlueNRG-LP - Bluetooth 5.2 de longo alcance para aplicações industriais
 
cisco-c9120axe-h-datasheet.pdf
cisco-c9120axe-h-datasheet.pdfcisco-c9120axe-h-datasheet.pdf
cisco-c9120axe-h-datasheet.pdf
 
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptx
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptxHuawei eRAN 7.0 VoLTE feature deep dive_20140515.pptx
Huawei eRAN 7.0 VoLTE feature deep dive_20140515.pptx
 
Новые коммутаторы QFX10000. Технология JunOS Fusion
Новые коммутаторы QFX10000. Технология JunOS FusionНовые коммутаторы QFX10000. Технология JunOS Fusion
Новые коммутаторы QFX10000. Технология JunOS Fusion
 
Distributed IP-PBX
Distributed IP-PBX Distributed IP-PBX
Distributed IP-PBX
 
TV White Space Webinar presented by Dorin Goldfeder, Sales Director
TV White Space Webinar presented by Dorin Goldfeder, Sales DirectorTV White Space Webinar presented by Dorin Goldfeder, Sales Director
TV White Space Webinar presented by Dorin Goldfeder, Sales Director
 
Wireless Catalog - Inter. Clouds 2016
Wireless Catalog - Inter. Clouds 2016Wireless Catalog - Inter. Clouds 2016
Wireless Catalog - Inter. Clouds 2016
 
Zigbee 802-15-4
Zigbee 802-15-4Zigbee 802-15-4
Zigbee 802-15-4
 

Kürzlich hochgeladen

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Thotcon 0xA-fun-with-sdrs-sorry-no-profit - final

  • 1. Fun with SDRs, Sorry No Profit Thotcon 0xA Price McDonald Justin Berry
  • 2. #USERID 0,0 pkm • 15 years InfoSec Experience • Senior Manager, Rapid 7 • Certifications: • GPEN,GWAPT,GREM,GXPN, GPYC, OSCP • Enjoys long walks to Micro Center #USERID 0,0 justin • 8 years InfoSec Experience • Director, Coalfire Labs • Certifications: • OSCP, OSCE, OSWP, GXPN, CEH • Probably has whiskey in-hand rn.
  • 3. What is an SDR? Reverse Engineering
  • 4. • RTL-SDR • 500 kHz - 1.7 GHz • RX Only • $25 • HackRF One • 1 MHz - 6 GHz • RX/TX @ Half-duplex • $315 • USRP • 70 MHz - 6 GHz • RX/TX @ Full-Duplex • $900 ifferent Types of SDRs
  • 5. Tornado Anyone? Reverse Engineering Only way to stop the noise was “to unplug the radio systems and the repeater” Could have recorded the commands during a system test or actual tornado, and then played them back. Source: https://arstechnica.com/information- technology/2017/04/dallas-siren-hack-used-radio-signals- Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed? Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies -- 700 MHz range.
  • 10. DEMO: Let's Listen to the Radio
  • 11. DEMO: Let's Listen to the Police Radio
  • 12. Frequency-shift Keying (FSK) • Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier signal. • • Introduced for use with mechanical teleprinters in the mid-1900s. The standard speed of those machines was 45 baud, equivalent to about 45 bits per second. • • Used by fax modems
  • 13. POCSAG (Post Office Code Standardisation Advisory Group) • Asynchronous protocol used to transmit data to pagers. • Uses FSK with a ±4.5 kHz shift on the center carrier. The frequency at +4.5 kHz represents a 0 where the -4.5 kHz represents a 1. • Generally transmitted at one of three data rates; 512, 1200 or 2400 bits per second. • Those restaurant coaster things
  • 14. FLEX FLEX (Flexible Wide Area Paging Protocol) • Protocol developed by Motorola and used in many pagers. • Provides one-way communication only (from the provider to the pager device), but a related protocol called ReFLEX provides two-way messaging. • Supports increased transmission speed and has quadruple the capacity of other paging protocols • Significantly improves messaging reliability.
  • 15. Why buy the cow Shodan when you can get the milk OSINT for free?
  • 16. Why buy the cow Shodan when you can get the milk OSINT for free?
  • 17. Why buy the cow Shodan when you can get the milk OSINT for free?
  • 18. Why buy the cow Shodan when you can get the milk OSINT for free?
  • 19. SOX + Multimon-ng = LOLZ nc -lu 7355 | sox -t raw -e signed-integer -b 16 -r 48000 - - e signed-integer -b 16 -r 22050 -t raw - | multimon-ng -t raw -a FLEX -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -
  • 20. DEMO: Decoding and viewing Pager Signals
  • 22.
  • 23. Surely a Simple Replay won’t work
  • 25. What else is on 433mhz? https://github.com/merbanan/rtl_433
  • 26. What is ADS-B? Automatic Dependent Surveillance-Broadcast is a primary technology supporting the FAA’s Next Generation Air Traffic Control System, or NextGen, which will shift aircraft separation and air traffic control from ground-based radar to satellite-derived positions. https://www.aopa.org/go-fly/aircraft-and-ownership/ads-b
  • 27. Why does ADS-B Matter? https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_WP.pdf The ADS-B system that is the cornerstone of the FAA’s NextGen ATC modernization plan is at risk of serious security breaches, according to Brad Haines, a hacker and network security consultant who is worried about ADS-B vulnerabilities. Haines first outlined his concerns during a presentation he gave at the Def Con 20 hacker conference in Las Vegas in July.
  • 28. Watching Planes Fly (not sideways) https://github.com/mhostetter/gr-adsb
  • 29. Contact Information Reverse EngineeringPrice McDonald Twitter: @pricemcdonald Email: pricemcdonald@gmail.com Justin Berry Email: jkberry924@gmail.com