WIRELESS VILLAGE - Can you hear me now (DEFCON)? Wireless communication for pentesters

Formal Metadata

Title
WIRELESS VILLAGE - Can you hear me now (DEFCON)? Wireless communication for pentesters
Number of Parts
322
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Using cheap commodity RF hardware to act as secure or backchannel communications for security research and pen tests. Wireless communication is getting cheaper, and hobby projects are integrating long range, low powered communication to link devices in all sorts of unique ways. But what about in the world of information security? This talk will cover the acronym soup of current communication systems, including LoRa, RFM, Satellite, ASK, and many others, to identify what protocols make sense when you are trying to communicate either stealthily or in remote areas. In addition, this talk will cover how to improve the reliability of wireless communication and the costs associated with making your super pen test box. Or perhaps even what evil things can be done with these and how to protect yourself. The aim for this talk is to be interactive, and allow people to share experiences.
Transcript: English (auto-generated)
Alright, welcome to Wireless Village. I'm going to be giving you a brief rundown in a second on the various IoT communication forms that exist now and what you can do with them. So come join me on a journey. About me: my name is Wasabi, Spicy Wasabi. The reason I'm speaking here today is because there is another Wasabi in the room, and it's Frustrated Wasabi. So if you're around now, make sure to see me at the end. If you're not, that's the reason why I'm speaking here today, but also to give you some interesting information about embedded devices and wireless communications. And if you're not interested in wireless communications, you've come to the wrong place.

But anyway, I've focused on embedded things, the internet of things, and all sorts of things for the last four years. I have participated in a bunch of competitions related to embedded devices and security and all sorts of things like that, and that's led me down a path of looking at what you can do with the embedded devices that exist nowadays and how you can get them to do what you want. So what we'll be looking at today is the existing technologies that are out there, the possible uses and challenges of those technologies, and what types of protocols are in use today. We'll also be looking at some of the radios and microcontrollers you can pick from to do what you want to do, but obviously it's up to you what you pick for all this.

So let's get started. Way back when, if you wanted to send data out of a network, because you're doing a penetration test or something along those lines, you would have the need to get out of the network. And in the old days, and it is still heavily used, you're doing some sort of exfiltration using the network itself. You're on the network as it is. And that's great, it works pretty well, because most corporations, most businesses and places don't really secure their network very well. Some newer ones are also using 4G to let you communicate out. That's pretty good; it's a relatively large area of support you can use. The problem is that it's not very stealthy. If someone's actively looking for you, they will find you. If they're monitoring DNS, if they're monitoring web traffic, you will not go undetected. Some of them do support passive tap capabilities, but for the most part they don't. So, not very useful.

Tried and true is Wi-Fi. If you want to send data out of a network, you use Wi-Fi. If you want to use a network, use Wi-Fi. It has pretty good pivot capabilities, because you can just use any device you buy at the store or on eBay and let it connect in. Pretty great. It is sometimes capable of tapping a network, because you're basically using a Linux computer to run your routing, so you have the capabilities there, but again, it's not very long range and it's not necessarily very stealthy. If you're running, you know, "hacker net" while you're running a test, that doesn't really make it stealthy. But that's where we come to using wireless communications.

So, if you're familiar with wireless, you have half duplex and full duplex. For half duplex, you send data and then you receive data. For full duplex, you're sending and receiving more or less at the same time, which is great for us, because if you want two lines of communication, you now have them both working actively. And, hold on one second. Where's the presenter view? Okay, hold on one second, the monitors are misconfigured. Alright, did the monitors just go away? Great. Cool, technical difficulties are wonderful. The monitors have gone out. Yeah, wrong view entirely. Windows is my problem. There we go, sorry about the delay.
Alright, so, okay, we're talking about full duplex and half duplex. So what happens if we need just slow communication? We don't care about receiving and sending at the same time; we have the ability to just send data or receive it. A lot of IoT protocols use half duplex because it's very efficient. Well, they don't even use just half duplex; they just have receive windows where the device is allowed to receive data, and all other times it's send only. So there are a lot of opportunities here for sending data, but the problem is, well, even Wi-Fi is half duplex, and so you may not necessarily notice a problem. But the general rule is, regardless of the protocol: the more power you use, the more data you can send, and the more data you send, the more power you need. If you're running on a battery, the problem is you're going to run out of power a lot quicker if you're sending a lot of data versus something that's more embedded. Wi-Fi uses more power than something designed specifically for low power use, such as IoT protocols. So you have to think about compression. You may not imagine it's a lot, but when you go from 128 bytes down to 64 bytes, that's a huge difference in the amount of data that you're sending and the duration that these devices can operate for.

So, a very, very quick high-level overview of what wireless looks like. This is very simplified; there are a lot of different ways you can format data over a wireless signal. But the general idea is that you have high and low, sending data and receiving data, and you can have different ways to send it. You have a carrier, and then you can do different encodings such as ASK, FSK, OFDM, all sorts of different formats.

So that's good, but how would you implement some of these protocols? Well, you have the SDRs. Now, these are great for general use. SDRs are very, very powerful, but they're big. They're getting smaller, but for the most part, if you're going to be using one, it's something very obvious. If you're going to have a box that has an SDR and enough processing power to use an SDR, you're not looking at being very stealthy, again. It is getting better though. This is the LimeSDR Mini. This is a pretty good device; I've actually been seeing some people use it over there. The problem with this device is that it does not support a lot of things that are just point and click. So if you're trying to do something quick, that's not necessarily true. What I mean by point and click here is that you can program the FPGA and other components on there, but now you're developing for the hardware, and it requires a little more knowledge versus just running the devices. And versus the full-blown SDRs, which are usually about $400, this one runs about $150. So it's very cheap and it's much smaller, so we're going in the right direction.

But of course, there are other methods of communication. This one was probably one of my favorites that I've seen. We're going into ham radio here, and ham radio has been doing this sort of work for a very long time. In fact, I'd say they're probably the experts in implementing it: if you're a ham radio operator, you're basically the expert in implementing communication over very small amounts of wireless bandwidth. And this computer over here is basically a TNC machine, which is sending serial data over the radio. So this technology is not new, but it is extremely useful and relevant. And why, you may be wondering? Well, what happens if you're trying to get into that power plant in the middle of nowhere? You can't use Wi-Fi then, because you're not going to be just sitting in your car next to the power plant being like, "hey, cool, I'm just here, it's a nice place to sit down." You're going to be far away, where you're not getting detected. So that's good. But what happens if you're in a regular business? You know, can you hear me here? So this is an easier form, but why not make something that can be used for both?

So now we've got to get creative. And there are a lot of choices with these devices. Because IoT is so popular, you can go with any preferred embedded device that you can work with. You can work with Zigbee; at the top, that's Zigbee. You can work with the silicon technologies modules that do 4G; they do all sorts of different communications. There are also the ESP modules. ESP modules are by far the cheapest modules that you can get if you need to throw them on anything. There's the ESP, I'm blanking on the name. It's the 8285, that came to me. It is designed specifically for being very lightweight. It has embedded storage on it, so you can actually program it, have it running stuff, and do a little bit of data storage while you buffer to send out if you need to. So that one's very good. But the things you have to think about are: what IO do you need? If you're connecting to an actual computer, do you have what you need to connect to that computer? Do you need it to be stealthy? Do you need it to be battery powered? If it's battery powered, you need to be able to relay the data; if you have a lot of data being sent and you're using all your battery, you're going to lose power very quickly.

So here's one that I saw online. This is the Wi-Fi Ducky. It's an open source project. It looks very open source. But it's very powerful, and this is the type of stuff that is very exciting to me, because this is someone taking multiple components, putting them together, and building something that is actually very useful for work. The only problem with this device, and obviously it's easy to fix if you build an enclosure, is it looks somewhat sketchy. If you were to plug this into someone's computer to drop a payload, they're probably going to notice, and that's problematic. The other problem with this is it doesn't have full communications. You can't receive data out. You can launch scripts, you can make it pivot over the network, but once you've executed the commands and you've triggered it from wireless, it's not sending data back to you. And again, you don't want the party, this dance crew, coming out to see you when you're doing a pen test. So we need something a little more subtle.

That's where you get into the microcontrollers. The microcontrollers nowadays are very, very good. Obviously again, ESP modules: they're super cheap, and that's why you're going to see them again and again for every device and release that you're going to see. The other thing you may see is the Moteino, I think that's how you pronounce it. These devices are absolutely stunning. They're very, very low power. They have a HopeRF module built in. They have an Arduino built in. You just basically start flashing them, and you have a device that can run over battery, relay information, and do anything you need it to off of a very small package. In my test, this thing actually lasted for over, I think, two weeks doing timed communication, just running off of a small little battery. That's pretty good.

But there are others. If you need something a little more powerful and, instead of using a full computer, you want to just embed and have one device that you can drop in, that's where the systems on a chip come in. Linux has been getting onto smaller and smaller devices for a long time now, and the hobbyist community has been growing. So, the top device is the VoCore. How many people have heard of a VoCore before? Okay, more than I actually expected. For those of you who are not aware of what a VoCore is, it's a very cheap system-on-a-chip device that's running OpenWrt, and they've exposed all the IO lines out. So basically what you can do is add radios, add other communication mediums. It also has Wi-Fi built in, so that's good. And it's pretty powerful; again, it runs Linux, so you can embed things on it and make it do things. And it's about $10. The other one is the Orange Pi. Orange Pis are very interesting. The interesting thing about Orange Pis is they basically run a stock kernel now and they have a fairly powerful processor, running at about one gigahertz. So it's basically a Raspberry Pi in a little tiny dongle that has Ethernet, Wi-Fi, and IO that you can access. So if you need something that you can just embed into something small, these things are smaller than the Raspberry Pi. So we can do a lot of stuff.

Communication is important, and we're going to get into how and what technologies work for different situations. I went on eBay a while ago and bought every single wireless module I could find. Some of them work better than others, as you will see, and it turns into a very interesting experience when you're trying to deal with some of these devices. There are some quirks that exist. If anybody's done any hobbyist or IoT development, you'll start seeing things where the radios don't work as expected in every situation. So this was done last year; I started getting all these modules. What I did was go farther and farther with about a thousand packets as a test. They were sent over a short period of time. The packets were a normal format that was used across every single radio, so if one works better than another, it's not a difference in the packet that was being sent. There's no timing difference, there's no different data for each packet; it's all the same. And I was testing range and the signal quality being sent and received by each of the devices.

So, we're back to ESP modules again. They are very powerful. They use about 70 milliamps of power. If you're plugged into a real device, that doesn't matter. But if you're running off mobile power and trying to relay information, this gets a little problematic. They use about 60 milliamps spiked in addition, so it goes up to about 80 to 85 milliamps when you're powering up. So if you're running on an extremely low power battery, that could reset the device, and then you will lose the capabilities you have. It also uses that amount of power for 3 to 5 seconds as it's doing DHCP. So every time you need to connect, and as it refreshes the lease, it will be using more power. It has a fairly high transmit draw compared to receive. So, it's good. They're reliable in the sense that they are everywhere and they're cheap, and if you buy one and you buy another one from another vendor, they're still going to work the same. They speak Wi-Fi, and that's something that's good about them: they are so standardized.

The ESP32 is another interesting technology from Espressif. It's a dual-core version. It's pretty common now. The problem that I've found with the ESP32 is its low power core. It's one of its selling points, and so far I have not seen anyone successfully implement the low power core, except for one person who was writing raw assembly in a C struct and then writing that directly to the microcontroller. It's very complicated in that case, and that's not ideal for something that we're trying to just deploy quickly. And again, they're very low power. The ESP32s are actually slower by a couple of seconds to connect via DHCP every time. You can set them statically, but it's not necessarily ideal. And then again, they also have the high transmit draw when they're working.

But then we get to LoRa. If you've done anything in the embedded protocol range, LoRa is a very powerful protocol. It's sub-gigahertz in most cases; there are a couple of different ranges it works in. But by default it has a one to two mile range. It's licensed. It's designed off of a technology called Chirp Spread Spectrum; that's how it does what it does with the range. It's used not only in raw radios, but in some cases people have been experimenting with satellite communication using LoRa, which opens up a lot of possibilities. If you design a device that's going to use LoRa for communication and you add in satellite implementations, you don't have to rewrite everything that you're implementing in the first place. So LoRa is just the lower level. The actual protocol implementations on top of it, there are a couple of them: LoRaWAN and Haystack. These are both implemented by licensing, and they have a couple of specific changes for how you transmit to them or receive from them. Again, LoRa is the PHY implementation, and it uses about 30 milliamps to receive and about 100 milliamps to transmit. So we're looking at something that's very, very low powered. If you're running on battery, this thing can go for a very long time.

So LoRaWAN: it's self-configuration and join. You build a device, and it's going to join the LoRa network. Now where is the LoRa network? Well, interestingly, it's all around us if your city supports it. They're slowly rolling out to different cities. It's much like a cellular network in the sense that you have to have coverage where you're going to be deploying. In the middle of nowhere, you're not going to have coverage. LoRa will still work, but LoRaWAN will not. It's encrypted with AES 128-bit, but it's not necessarily the most effective encryption. If you've looked online, there are problems with their encryption implementation.
It supports OTA configuration, uploading and downloading. There are several different implementation classes if you want to use LoRaWAN. If you're trying to be send-only, that's class A. It has two timed windows every so often, I forget if it's a day or a week, but there are two windows where it will pull updates to reconfigure itself. Otherwise, it's just going to sit there and re-send all the data; you have no idea if you're ever going to get it back. Class B has higher downlink speeds but is otherwise unchanged. Class C is always listening except when it's transmitting, so that's where you go into the half-duplex. Class C seems like the best option, but there are also problems with having availability in the windows that you're transmitting for the LoRaWAN implementation. Oh, okay, just change on your own. There is a small licensing cost for anything that you use with LoRa. It's not very big, but it is something that exists. So, Wi-Fi is free, LoRa is not completely free.

You also have Sigfox. It's both a protocol and a company. Sigfox is very interesting because there's a module cost, there's a licensing fee to have the modem, and there's also a service fee for the modem. So you're constantly paying money to use this, and it is primarily transmission only, and only in areas that Sigfox has covered. So if you're trying to use this in areas that are long range, even though it has a longer range than LoRa, you may not be able to get reception. And it has the transmission usage of LoRa: it only uses about 40 milliamps during transmit, and it can send a whopping 14 bytes at 600 bits per second. So, you know, you're talking a lot of data here. Unfortunately for us, that probably isn't good enough. But if you need something that's just to ping back and say, "hey, I'm still here," that does work. It has a continuous TX mode, which is good if you're just trying to do location. But again, the licensing fees really kill it.

DASH7 is supposed to be the solution to both LoRa and Sigfox. It's an open alliance, an open platform. It also uses sub-gigahertz communication. It only uses about 10 milliamps to receive. And you can run your own nodes to receive data from, so you can implement something that goes over any radio protocol from this if you need to use it. That's really good.
The only problem is that the documentation is a bit sparse on it. If you're trying to implement something using it, you have to go to someone who already implements it, a vendor, and that's a little expensive, because usually if we're doing some kind of pen test, it's one-offs, not thousands.

So what else can we look at? Well, here's probably one of my favorite modules. If you're doing some kind of communication pen test, or you need to communicate during a pen test where you can't use Wi-Fi or any other communications, the HC-12 is this amazing little module that you can buy off eBay. It's cheap. It works very well. They come in pairs, and as long as you're using the pairs, they can work up to about 3000 feet distance in range. They're very, very powerful. They have a built-in microcontroller on them that you can configure. They communicate over raw serial, so basically you can plug them into anything and they will just work. They will send and receive data, and you'll be sending and receiving serial data, which is great, because now you're not using super slow bandwidth, you're using serial. So if you need to get data and information out, or something else that you're getting, it's slow, but it's manageable. The cool thing about these radios is that they're very small. The bad thing about these radios is that no two pairs are alike. If you're going to buy a lot of them, be prepared to buy double. When I was doing the test on these, I would buy one, I would receive it, and I could not get them to communicate. I couldn't figure out why they were not communicating. I would go through and try to see why it wasn't working. They'd both turn on, they both said they were configured and sending data, receiving data, and nothing would come out. And it occurred to me finally: let me turn on my HackRF and just take a look. What it turned out to be was that the crystals on these chips are not quite up to par. No two are alike. So what happens is you get offsets that are just enough that you will not be able to communicate over these devices. So they work great in pairs, because the same crystals are used, but you have to keep an eye on what crystals they use. They have markings on them. So these are very good, but be prepared to buy a lot of them.

On a similar note, the nRF24 modules are very good, but they also have the same crystal problem. No two crystals are alike. Luckily, these are a little easier to remove the crystal from. If you buy them in pairs, which they normally come in, they'll work great. But if you try to get them working in a mesh mode, which is something they actually support, you will have a problem, because none of them are genuine, usually. They fake the markings fairly well, but if you look at them through a microscope or something like that, you'll see trace differences. So you're never necessarily getting a genuine one, so they're sometimes using different parts. The really cheap ones are very obvious when you get a fake one, because they'll be missing resistors or other components that are actually fairly important on a radio, but they don't have them. But if you get one of the fairly good ones, they may still be fake, and the crystals may not be up to par again. So these are very good, but be prepared to buy a couple of them until you get pairs that work. The one nice thing about the nRF modules is they also support both Linux and Arduino natively. Well, I guess Linux and Arduino support them natively, but not the other way around. But they're very good, and if you can get enough pairs that work, they support a very good mesh protocol, and they work for about 500 to 600 feet in my tests. But again, the crystals were what really killed it.

But if you're looking for something that just works and you don't necessarily have to pay licensing fees, the HopeRF modules: they support LoRa, which again, you're going to have that licensing, but they also support just regular RF transmission over a couple of different bands. I'm blanking on which ones they are right now, but they're very well documented. They support both Linux and Arduino; again, both support them. It's $10 a module, but these things are appearing everywhere in the security community. If you have any of the DC Darknet badges, they use these. They've used them for the last couple of years. So they're definitely showing up in the community. They're very good modules, they're very good quality, and that's the difference between these and some of the other communication modules: these are actually very well built, and you can use them pretty much anywhere and guarantee that if you're going to get a mesh, they're going to work; if you're going to communicate point to point, they're going to work. They're SPI based, which isn't a big deal; if you're going to use them on a regular computer, that makes it a little more complicated, but you can also get cheap modules to communicate over SPI to a regular computer, or use them in a Raspberry Pi or anything else. But that's about it. And they use about 50 milliamps, so they're fairly low powered.

And then, let's go to simple. If you want something that's literally just a throwable device, you just want a radio. You don't want something that does any of the protocol or anything else; you just want something that transmits. And ASK radios are very good at that; they just transmit. The more power you provide them, they can go up to about 12 volts, the more range you're going to get on them. They are supported by VirtualWire and RadioHead in Arduino. You can also just write to them using Linux if you have any spare IO lines. They have a max range of about 200 to 250 feet; they're not spectacular, but they're cheap. You can buy a 10-pack of them for less than $5. And they do work. Unlike the other ones, they don't really have the crystal problem, but they're just very cheap and not very good. I have 3 different versions of just cheap ASK radios. The ones on the bottom are the ones you're going to see most commonly. The one on the top left is the
LR43B, if you're curious about it. It is designed a little smaller, it's a very small package, but it's, it has a little bit better range, it's a bit, a little bit better quality, it doesn't have so much noise interference. And then the other side is the H34C, and that one also has good, uh, better noise quality than the bottom one. But, um, they're not very good. They,
they work at about 433 megahertz, which is about the same frequency that you get when you get those cheap thermometers. So, they're not very fancy, but they're not gonna be detected, because people in their offices or anywhere have those devices already, so you can just transmit freely on those. And then there's Zigbee. Zigbee's pretty much showing up
everywhere in IoT devices. It's, there's a couple of implementations based off of this. Zigbee's one of the implementations of 802.15.4. There's also six low pan. Uh, they're all very low power and very low range. Usually you have a hub and other communication methods. And the reason I'm putting on this on here, even though it's such low range, is the fact that
you can use these to relay. So if you got control of an IoT device and it had Zigbee, you can transmit out to another device and another device, and if you have control along that path where they're all meshed together, you can send data out, even if you don't necessarily have control of the direct connection to the device that you're starting with. So that makes it
very good for that, but again, they're very low range. There's, um, there's Thread Protocol, which is made by Google. It is encrypted. I don't know of much that you, uh, you can use with it, um, that's open, but it is something that also exists on the same frequency range. And you may be thinking, why not just use satellite? Satellite's really good.
You know, you always have a connection to a satellite; they're up in the air. The problem is that they're expensive. Very, very, very expensive. For $28, you can get 10 kilobytes of data. So it's very good on the budget. Unfortunately for us, that's not very good, but the upside is that they're universally accessible. The other interesting thing about the satellite transmitters is that they're fairly large. This is the smallest module I could find. In the corner is a normal size module. It's basically the size of a small laptop that you transmit with, and those are small. The smallest ones I've found use a specific satellite chain. They're called RockBLOCKs. They use the Iridium network, and that's where you get that high cost. There are other ones you can use that are actually continuous uplink and downlink, versus just sending data for a small fee. Those work, but they are not very affordable. It is $90 for 30 megabytes of data. So you can use it, but if you're using them, you probably have quite a bit of money.

So what's the next best thing to cellular? Well, I don't know what that guy's wearing, but it's cellular. So cellular is fairly good with this stuff. The only problem is, again, you run into the problem where you're not in range of a cell tower, or you're in a building where you don't have range. If you're at DEF CON, you've probably been noticing where the signal's going out. It's, in many cases, not someone actually trying to hack you. What's happening is there's just so much communication going on here that we're not getting any signal out. And that's problematic. That's one of the problems that you can run into with these devices.

But there are a couple of protocols that exist. You can communicate on different, I'm gonna say protocols now, so you have 3G, 4G, 2G; those are all the standard ones that most people have heard of. But what's coming out now is CAT0, CAT1, CAT-M1, and NB-IoT. These are all over cellular networks. They're getting deployed worldwide and they're really, really useful. For example, CAT0 and CAT1 have limited messaging support, but they have a dedicated, basically serial, downlink and uplink. So you can send data continuously using a cellular network. In the screenshot, the picture of the person holding it, that's a CAT1 radio. So they're very small. And then NB-IoT, that's the bottom corner. Those are about 50 kilobits a second, so very small, and it has higher latency, but it's a lot bigger coverage. I don't know why NB-IoT is gaining so much popularity, but it is. So if you can use it, it's fairly deployed all over the world now.

And then if we go back to what most people use, that's 4G and eventually 5G. It's very flexible, but you're gonna have to have a baseband, you're gonna have to have all sorts of things. If you get lucky, you can actually use AT commands on the modem, but that's gonna be very complicated and not necessarily very useful, because you're gonna have to write a lot of driver support. Then you have 2G and 3G. They're really good, because the protocol implementations of 2G and 3G actually support web requests directly over the modem. You don't have to implement anything else; you just use an AT command to say, hey, get this page, and if that page has request parameters in it, you're now sending data out. So it's a very good way of using it. They're end of life; they should all be removed by around 2022 if I hear correctly, but it just depends. So don't rely on it, but those are very useful now. You can get the modules very cheap, they're about 30 bucks, and you can just deploy them and go. They're fairly low power.

What else is there? Okay, so here's a breakdown (I'm looking for the monitor over there), here's a breakdown of the different protocols that are supported on cellular and the different data rates. As you can see, Cat-M supports more data, megabits per second versus kilobits, but you don't necessarily need that. And then this comes back to half duplex and full duplex; you can see where they come in, where you can send more data or less.

But who provides it? Well, I'm only listing two; these are the only two companies that got back to me. Verizon, T-Mobile, and all the others also say they support these, you know, NB-IoT, CAT1, and they will sell you dev kits. But it turns out they'll only sell them to you if you make thousands of units and you're a corporation that can afford to do that. So it's a little problematic. These two, on the other hand, replied to me very quickly. They were able to give me information on how to use the protocols, how to use the radios that were going over cellular. So that was very nice. For Particle, it's a little expensive. They give you a free card, but it's three megabytes included only. 21 megabytes is a total of 40 cents. So if you wanted to use 200 megabytes a month, it's about a hundred dollars, or you can just buy the one gig plan, which is about 400. Again, the prices are steep for the IoT communication protocols that are long range, but they do work.

Alright. So here's a dev kit. The dev kits are fairly cheap. You can get them for about a hundred bucks, actually, from AT&T. But again, unless you're planning on using only a little bit of data, you have to be considerate of how much the actual plan costs versus implementing them.

But what is the goal? Why do this talk right here? Well, the goal is to implement something that does not get detected. How good would it be if you could go into your pen test and roll in a coffee maker that has wireless, you know, 4G, 3G, or it's using LoRa, any of these communication protocols I've listed today, and you just roll it in, and someone's like, oh look, a new coffee maker. They won't suspect anything. And then you have either wireless or some other thing that it's plugged into, it's monitoring and sending the data out via the IoT communications. Nobody's going to suspect a thing. It's gonna sit there for a while. Probably you will never get it back, but at least you have something now that's easily rolled in. And so the goal here, again, is that we want something that works, that's small, not easily detected, and sends the data out very easily. We don't want to do a lot of implementation, but we want it to go remote and maybe send it over multiple paths. If we can do mesh, that's also good. And that's about it.

I hope this was a good summary of the IoT communication protocols that exist today. There are quite a few of them. I know this has been mostly high level for what was actually supported. There's more stuff online that I've worked on that you can see, but this hopefully will just give you an idea of what technologies you can use now and where you can use them. It's up to you in the end, but again, hopefully this covers most of them that exist. And if you have any questions, feel free to find me at the end, but thank you guys for being here today.