Around the RF world in 60 minutes

Dionysis Grigoropoulos

BalCCon 2k24

Slides: https://f.erethon.com/balccon2k24

Who am I

Dionysis Grigoropoulos (dgrig or Erethon)
https://erethon.com
SRE by trade, hackerman at heart

email: dgrig@erethon.com
matrix: @dgrig:erethon.com
SV1TBT amateur radio callsign

Radiowaves

A fascinating and invisible world around us

What is RF and RadioWaves

Electromagnetic Radiation and Radio Waves

Electromagnetic Radiation: Waves of electromagnetic fields propagating through space
- Synchronized oscillations of electric and magnetic fields
- Propagating at the speed of light (c) in a vacuum

We apply this current at an antenna

Electromagnetic Radiation and Radio Waves

Theorized by James Clark Maxwell in 1865
- Maxwell's equations
Demonstrated in 1887 by Heinrich Hertz
First practical application in 1894 by Guglielmo Marconi

Electromagnetic Radiation and Radio Waves

Frequency, measured in Hertz (Hz)

Wavelength, measured in meters

λ = υ/f

As the frequency increases, the wavelength decreases

Electromagnetic and Radio Spectrum

EM_spectrum_updated.svg.png

Electromagnetic and Radio Spectrum

Noise floor

Cosmic background radiation, noise from electronics, thermal radiation, etc

The spectrum is a "Finite Resource"

ITU established in 1865, became part of United Nations in 1947

Publishes the ITU Radio Regulations
- It's an International Law that countries follow and enforce
- Regulates the 9 kHz to 300GHz spectrum

ΕΕΤΤ in Greece, RATEL in Serbia, FCC in USA, etc

Legality of radio equipment

Varies wildly by country
Consult your local laws

Very blurry situation nowadays since the laws haven't kept up with technology

How does one transmit then?

You pay for the right to transmit (TV Stations, Mobile Carriers, etc)

You get licensed as a Radio Amateur operator in your country

Your line of work or other reasons allow you to (Firefighters, boats, etc)

You transmit in a part of the spectrum that's free for everyone to use (under conditions)

ISM Bands

Introduced during the 1940s because of microwave heating

Reserved for Industrial, Scientific, Medical purposes only, no telecommunications allowed

However, most electronic devices use these bands nowdays
NFC, WiFi, BT, ZigBee, LoRa, 433/868 keyfobs, etc

Antennas

Antennas come in all shapes and sizes

Size depends on the frequency (wavelength) of signal
- Bluetooth, WiFi, etc, 2.4GHz -> 12.5cm
- Analog FM broadcasting, 87-108MHz -> 3m
- Submarine, 76Hz -> ~4.000km

Antennas

Exploring and capturing this world

Radiowaves are the definition of untrusted input!

Lots of radio related software is not written in memory safe languages or with security in mind

Hardware

Hardware that's built to receive/transmit signals of specific frequencies and modulations
- Usually locked down, communicate with it via a higher level interface
- Bluetooth, WiFi, ZigBee, LoRa, CC1110, CC2531, etc

Hardware

Software Defined Radio

The hardware is now "dumb" and only captures the analog signal of the carrier, digitizes it and passes it to software on the computer.

The computer then does all the "smart" and computational heavy processes, like demodulation, decoding, etc.

Works on smartphones…

A revolution in cost and accessibility

RTL-SDR, a driver for a cheap (20-30$) USB digital TV receiver

Software

GNU Radio is the golden standard, but requires lots of know-how

Software

gqrx, CubicSDR, etc

Software

Inspectrum and Universal Radio Hacker for inspecting and reverse engineering signals
rtl_433 for decoding a lot of cheap sensors/protocols (263 currently)

"Gamified"/handheld solutions

Flipper Zero

"Gamified"/handheld solutions

Smartphone works just fine

HackRF with a portapack

Privacy

Most electronic devices transmit some kind of signal (on purpose)

TEMPEST is out of topic

Transmitting == can be located

Security, not privacy

Cellular

The elephant in the room

Most of us carry a cellular device with us

Not the easiest signal to capture

Bluetooth

Classic Bluetooth in 1998, 4.0 (BLE) in 2011, 4.2 in late 2014, 5.0 in 2016

Some privacy protections exist since 4.2, but devices fail to properly use them

Bluetooth devices

Practically everywhere today

Toothbrushes

WiFi

Similar issues as Bluetooth BSSID uniquely identifies a device

MAC Address randomization helps somewhat

Wigle.net, Google and others are tracking Access Points.
- Cameras often setup an AP

RFID

RFID tags are used for access control, sharing information, anti-theft devices, athlete identification, etc.

Three major versions, 125kHz, 13.56MHz, ~868/900MHz

Easy to detect from a distance, hard to protect against.

RFID

Drones

RemoteID required by EASA & FAA since 1/1/2024

WiFi and Bluetooth Long Range, can be received by smartphones

SDR projects for decoding popular alternatives

Cars

V2X, vehicle to everything

Bluetooth (multiple devices)

RFID for tollways/parking/access

Cellular for safety and firmware updates

Cars - TPMS

TPMS_warning_icon.svg.png

Tire Pressure Monitoring System

Cars - TPMS

{
  "time": "2024-09-17 06:16:32",
  "model": "Renault-0435R",
  "type": "TPMS",
  "id": "fafe00",
  "flags": "c0",
  "pressure_kPa": 249.333,
  "temperature_C": 36.000,
  "centrifugal_acc": 70.000,
  "mic": "CRC",
  "has_tick": 0,
  "tick": -128
}

Smart Home

Multiple different protocols and approaches in interconnecting appliances

ZigBee
- Extremely popular for sensors and buttons

433/868/900MHz
- Doorbells, temperature sensors, smart plugs, blinds

Smart Cities

Smart Power Meters

Modern power meters are RF capable, part of the smart city

WiFi, custom protocols, ZigBee, LoRa, mesh protocols

Data granularity of readings is very important for privacy

Cars and Pedestrians

Tracked by the state for calculating road traffic and mobility of people

Users who have privacy concerns are also able to turn off
the Bluetooth discovery function of their device which
prevents it from being read by AWAM at all.

Rich industry that seems very localized

Cars and Pedestrians

Conclusion

This is not science fiction!
Wireless technologies (RF) have permeated daily life and have increased technological complexity
It's a battle of privacy vs convenience

Thank you - Questions?

email: dgrig@erethon.com
matrix: @dgrig:erethon.com

Bonus slides

Information must be encoded in a carrier signal that is suitable for transmitting

Spectrogram

Visualization of spectrum of frequencies over time

Spectrogram

What happens if these two signals overlap?