This document discusses radio frequency (RF) hacking beyond just broadcast radio. It begins with warnings about legal restrictions on signal interference and jamming. It then provides an overview of RF communication technologies and spectrum regulations in Thailand. Several RF security assessment tools are presented, both hardware tools like software-defined radios and software like GNU Radio Companion. Three case studies are described that demonstrate capturing wireless signals from devices like doorbells and car key fobs and retransmitting them using Raspberry Pi. Issues like rolling codes that change signals over time are also addressed. The document emphasizes that RF hacking skills require responsible and legal use.

1. RF HACKING: IT’S NOT JUST
FM/AM BROADCAST RADIO
Anocha Upontian, PTT Digital Solution
Keerati Torach, KPMG Thailand

2. CAUTION & DISCLAIMER
▪ Be careful for using Software Defined Radio peripheral that signal will be transmitted on illegal frequency
(depend on country regulations)
▪ Signal interference (Jamming) is illegal
▪ Content on this presentation for EDUCATION PURPOSE ONLY
▪ It’s recommended to test on permitted system or laboratory environment
▪ You are responsible for using this stuff legally
http://www.thedailysheeple.com/wp-content/uploads/2014/08/faraday-cage.jpg
http://www.wovenwirecloth.org/img/shielding-screen.jpghttps://greatscottgadgets.com/hackrf/
https://nuand.com/
https://www.crowdsupply.com/lime-micro/limesdr

3. AGENDA
▪ Thailand’s spectrum regulations
▪ Radio frequency in communication
▪ RF security assessment tools
▪ Gnu Radio Companion
▪ Case study 1: Wireless doorbell
▪ Case study 2: Beyond a doorbell
▪ Case study 3: Dealing with rolling code
▪ Lesson learned

4. THAILAND’S SPECTRUM REGULATIONS
▪ พระราชบัญญัติ วิทยุคมนาคม พ.ศ. ๒๔๙๘
▪ มาตรา ๑๕ ผู้ใดกระทําให้้เกิดการรบกวนหรือขัดขวางต่อการวิทยุคมนาคมโดยมิได้เจตนา เจ้าพนักงานผู้ออก
ใบอนุญาตหรือผู้ที่ได้รับมอบหมายมีอํานาจสั่งให้ผู้นั้นระงับการกระทํานั้นหรือให้แก้ไขเปลี่ยนแปลงสิ่งที่ใช้ใน
การกระทํานั้นเสีย หรือให้ย้ายสิ่งดังกล่าวนั้นออกไปให้พ้นเขตรบกวนได
▪ มาตรา ๑๘ เพื่อตรวจเครื่องวิทยุคมนาคม ส่วนแห่งเครื่องวิทยุคมนาคม สถานีวิทยุคมนาคม สิ่งที่ก่อให้เกิด
การรบกวนหรือขัดขวางต่อการวิทยุคมนาคม หรือใบอนุญาต เจ้าพนักงานผู้ออกใบอนุญาตหรือผู้ที่ได้รับมอบ
หมายมีอํานาจเข้าไปในอาคารสถานที่ หรือยานพาหนะของบุคคลใดๆ ได้ในเวลาอันสมควร
https://broadcast.nbtc.go.th/data/document/law/doc/th/560400000027.pdf

5. RADIO FREQUENCY IN COMMUNICATION
▪ Absolutely, it’s wireless
▪ Long distance communication
https://en.wikipedia.org/wiki/Radio_frequency

6. RADIO FREQUENCY IN COMMUNICATION
▪ Analog Signal Processing
▪ Amplitude Modulation (AM)
▪ Frequency Modulation (FM)
▪ Phase Modulation (PM)
https://en.wikipedia.org/wiki/Amplitude_modulation
https://en.wikipedia.org/wiki/Phase_modulation
https://upload.wikimedia.org/wikipedia/commons/8/8d/Illustration_of_Amplitude_Modulation.png
https://www.scienceabc.com/wp-content/uploads/2016/08/Illustration_of_Frequency_Modulation.jpg

7. RADIO FREQUENCY IN COMMUNICATION
▪ Digital Signal Processing
▪ Amplitude Shift Keying (ASK)
▪ On-Off Keying (OOK)
▪ Frequency Shift Keying (FSK)
▪ Phase Shift Keying (PSK)
OOK
ASK
https://www.owasp.org/images/2/29/AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf
https://web.stanford.edu/class/ee102b/contents/DigitalModulation.pdf

8. RF SECURITY ASSESSMENT TOOLS (HARDWARE)
▪ RTL-SDR with dongle
▪ Only RX (simplex)
▪ 24 MHz – 1766 MHz
▪ 433 MHz or 315 MHz transmitter (only TX) module
▪ Usually come together with receiver (only RX)
▪ Modulation: ASK/OOK
▪ 3-12 working voltage
▪ DIY antenna
▪ Appropriated length
▪ Raspberry Pi 3 Model B
▪ Controlling transmitter
▪ Electronics prototype maker
▪ Breadboards
▪ Jumper wires
▪ 9 Voltage battery
▪ Resistors
▪ YARD Stick One with female antenna (buy separately)
▪ Transceiver (able to half duplex)
▪ Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK and MSK
▪ 300-348 MHz, 391-464 MHz, and 782-928 MHz operating frequencies

9. RF SECURITY ASSESSMENT TOOLS (SOFTWARE)
▪ Gnu Radio Companion
▪ Powerful signal processing blocks
▪ Support any SDR peripherals (RTL-SDR, HackRF, BladeRF)
▪ SDR#
▪ Analyze
▪ demodulation
▪ streaming
▪ GQRX
▪ As well as SDR#
▪ Rfcat
▪ For controlling Yard Stick One
▪ Audacity
▪ Pulse analysis
▪ Buadline
▪ Spectrum analysis
▪ Rtl_433
▪ Demodulation and decoding data automatically
▪ Python (basic)
▪ General purpose input output (GPIO) of Raspberry Pi
▪ Rfcat

10. GRC
▪ Signal source
▪ RTL-SDR
▪ File sink
https://en.wikipedia.org/wiki/File:Signal_Sampling.png
Sampling is conversion
process from continuous
to discrete

11. GRC
▪ Digital filtering
▪ Filter only interested bandwidth
http://www.aimagin.com/learn/images/thumb/7/72/Transferfunction.png/600px-Transferfunction.png
https://en.wikipedia.org/wiki/File:Butterworth_response.svg
https://upload.wikimedia.org/wikipedia/commons/7/76/Butterworth_lowpass.png

12. GRC
▪ Rational Resampler
▪ Adjust to appropriated sample rate
▪ Interpolation -> Reconstruct the signal with
given sample rate
▪ Decimation -> Reducing sample rate

13. GRC
▪ Demodulator
▪ Usually convert data type from complex to float
ASK Demodulator
FSK Demodulator
…1011001…
…10110…

14. GRC
▪ Instruments

15. GRC
▪ Video: Listening FM radio vimeo.com/236269734

16. GRC
▪ Easier one: GQRX or SDR#

17. CASE STUDY 1: WIRELESS DOORBELL
▪ Fixed key transmission
▪ It’s great for beginning study
▪ Low cost

18. CASE STUDY 1: WIRELESS DOORBELL
▪ Information gathering

19. CASE STUDY 1: WIRELESS DOORBELL
▪ Capture transmitted data and save to file

20. CASE STUDY 1: WIRELESS DOORBELL
▪ Capture signal from original remote and determining a modulation
▪ Buadline
https://greatscottgadgets.com/tr/gsg-tr-2016-1.pdf

21. CASE STUDY 1: WIRELESS DOORBELL
▪ Demodulation

22. CASE STUDY 1: WIRELESS DOORBELL
▪ Pulses analysis using Audacity
▪ Decoding data (Pulse Width Modulation?)
0 0 1
http://pcbheaven.com/wikipages/images/pwmmodulation_1236701204.jpg https://learn.sparkfun.com/tutorials/pulse-width-modulation

23. CASE STUDY 1: WIRELESS DOORBELL
▪ Hardware interfacing
https://www.raspberrypi-spy.co.uk/wp-content/uploads/2012/09/Raspberry-Pi-GPIO-Layout-Revision-1.png
Monopole antenna:
Length = λ/4 m
where v = fλ
λ = (v/f)

24. CASE STUDY 1: WIRELESS DOORBELL
▪ DEMO: Ring doorbell with captured signal using Raspberry Pi
vimeo.com/236267585

25. CASE STUDY 1: WIRELESS DOORBELL
▪ Alternatively
▪ YARD Stick One
▪ Buad rate (bit/sec) instead of time delay
▪ For example, 1 bit -> 0.001 s
▪ Buad = 1/0.001 = 1000
1 0 1 1 10 0 0 0

26. CASE STUDY 2: BEYOND A DOORBELL
▪ What about key fob use to lock, unlock, arm, and disarm a car?

27. CASE STUDY 2: BEYOND A DOORBELL
▪ Car Alarm System

28. CASE STUDY 2: BEYOND A DOORBELL
▪ Information gathering

29. CASE STUDY 2: BEYOND A DOORBELL
▪ Low cost jammer
▪ ~ 140 ฿ exclude breadboard
9 Voltage Battery

30. CASE STUDY 2: BEYOND A DOORBELL
▪ Video: Interfere car’s key fob
▪ DEMO: Unlock/Lock car with captured signal using Raspberry Pi + transmitter module or
YARD Stick One
vimeo.com/236269836
vimeo.com/236268296

31. CASE STUDY 3: DEALING WITH ROLLING CODE
▪ A rolling code for preventing replay attacks
▪ Always send out different data for each time
Rtl_433
https://www.youtube.com/user/Hak5Darren

32. CASE STUDY 3: DEALING WITH ROLLING CODE
▪ Defeating rolling code
▪ Samy Kamkar’s RollJam that publish in DefCon 23 (2015)
https://samy.pl/defcon2015/2015-defcon.pdf

33. CASE STUDY 3: DEALING WITH ROLLING CODE
▪ Improper rolling code implemented on automatic sliding gate opener
▪ Sets of code store in pool
▪ Code will rotate every time when receive a valid length of code whether match or mismatch
P
O
O
L
1001
1101
0101
0011
1111
1000
1011
P
O
O
L
1101
01010001
1001
0011
1111
1000
P
O
O
L
0101
0001
0111
1101
1001
0011
1111
P
O
O
L
0001
0111
0000
0101
1101
1001
0011
0101 0101 0101 0101

34. CASE STUDY 3: DEALING WITH ROLLING CODE
▪ Video: Open automatic sliding gate using Raspberry Pi
vimeo.com/236268904

35. LESSON LEARNED
▪ Frequency hopping implementation in order to prevent pulse jamming
▪ Spread spectrum
▪ Bidirectional communication (challenge-response) instead of unidirectional
▪ Along with encryption

36. SPECIAL THANKS
▪ Low cost project due to …
▪ Mr.Krit Saengkyongam – Raspberry Pi
▪ Mr.Prathan Phongthiproek – YARD Stick One
▪ Mom - Everything

37. HAPPY HACKING !!! http://fb.com/boazus