5. Tornado Anyone?
Reverse Engineering
Only way to stop the noise was “to unplug the radio systems and the repeater”
Could have recorded the commands during a system test or actual tornado, and then played them back.
Source: https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-
Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed?
Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies -- 700 MHz range.
12. Frequency-shift Keying (FSK)
• Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier signal.
• Introduced for use with mechanical teleprinters in the mid-1900s. The standard speed of those machines was 45 baud, equivalent to about 45 bits per second.
• Used by fax modems
13. POCSAG (Post Office Code Standardisation Advisory Group)
• Asynchronous protocol used to transmit data to pagers.
• Uses FSK with a ±4.5 kHz shift on the center carrier. The frequency at +4.5 kHz represents a 0, while the frequency at -4.5 kHz represents a 1.
• Generally transmitted at one of three data rates: 512, 1200 or 2400 bits per second.
• Those restaurant coaster things
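An added example, not from the original slides: a 2-FSK modulator and quadrature-discriminator demodulator using the POCSAG parameters above (±4.5 kHz shift, 1200 bps, +4.5 kHz = 0, -4.5 kHz = 1). The 48 kHz sample rate, the noise level and the bit pattern are assumptions constructed for the demonstration.

```python
import cmath, math, random

FS = 48000        # sample rate in Hz (assumed for this example)
BAUD = 1200       # one of the three POCSAG data rates
SHIFT = 4500.0    # +/-4.5 kHz shift around the centre carrier
SPS = FS // BAUD  # samples per symbol (40)

def modulate(bits):
    """Complex-baseband 2-FSK: bit 0 -> +4.5 kHz, bit 1 -> -4.5 kHz."""
    phase, out = 0.0, []
    for b in bits:
        step = 2 * math.pi * (SHIFT if b == 0 else -SHIFT) / FS
        for _ in range(SPS):
            phase += step  # phase stays continuous across symbol edges
            out.append(cmath.exp(1j * phase))
    return out

def add_noise(samples, sigma, seed=1):
    """Add constructed Gaussian noise so the demodulator sees an imperfect signal."""
    rng = random.Random(seed)
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in samples]

def demodulate(samples):
    """Quadrature discriminator: the sign of the mean phase step gives the bit."""
    bits = []
    for start in range(0, len(samples) - SPS + 1, SPS):
        sym = samples[start:start + SPS]
        # s[n] * conj(s[n-1]) has an angle equal to the phase advance per sample
        acc = sum(sym[i] * sym[i - 1].conjugate() for i in range(1, SPS))
        bits.append(0 if cmath.phase(acc) > 0 else 1)
    return bits

# Constructed test pattern, not a real pager transmission.
SAMPLE_BITS = [1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0]

if __name__ == "__main__":
    rx = add_noise(modulate(SAMPLE_BITS), sigma=0.2)
    print(demodulate(rx) == SAMPLE_BITS)
```

Nothing in the signal path is keyed or encrypted: the bits fall straight out of the frequency, which is why any receiver tuned to the channel can read the traffic.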
14. FLEX
FLEX (Flexible Wide Area Paging Protocol)
• Protocol developed by Motorola and used in many pagers.
• Provides one-way communication only (from the provider to the pager device), but a related protocol called ReFLEX provides two-way messaging.
• Supports increased transmission speed and has quadruple the capacity of other paging protocols.
• Significantly improves messaging reliability.
15. Why buy the cow Shodan when you can get the milk OSINT
for free?
19. SOX + Multimon-ng = LOLZ
nc -lu 7355 |
  sox -t raw -e signed-integer -b 16 -r 48000 - -e signed-integer -b 16 -r 22050 -t raw - |
  multimon-ng -t raw -a FLEX -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -
25. What else is on 433 MHz?
https://github.com/merbanan/rtl_433
26. What is ADS-B?
Automatic Dependent Surveillance-Broadcast is a
primary technology supporting the FAA’s Next
Generation Air Traffic Control System, or NextGen,
which will shift aircraft separation and air
traffic control from ground-based radar to
satellite-derived positions.
https://www.aopa.org/go-fly/aircraft-and-ownership/ads-b
27. Why does ADS-B Matter?
https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_WP.pdf
The ADS-B system that is the cornerstone of the
FAA’s NextGen ATC modernization plan is at risk of
serious security breaches, according to Brad Haines,
a hacker and network security consultant who is
worried about ADS-B vulnerabilities. Haines first
outlined his concerns during a presentation he gave
at the Def Con 20 hacker conference in Las Vegas in
July.