The Safety Dance: Wardriving the Public Safety Band

Robert Portvliet, Brad Antoniewicz

About Us

Rob [email protected] [email protected]

Brad www.opensecurityresearch.com

Twitter: @foundstone

WHAT DOES IT ALL MEAN?

PROCEED WITH CAUTION!

Outline

■ Intro to Public Safety
■ Spectrum Allocations
■ Finding Public Safety Networks (focus on 4.9GHz)
■ Protocols
■ Interacting with Public Safety Networks

The Public Safety Spectrum

"The sole or principal purpose of which is to protect the safety of life, health, or property"

"New" Frequencies

700MHz

■ Reclaimed from the Digital TV cutover
■ Nationwide
■ May expand

700MHz - Broadband

■ Nationwide LTE network
■ Backhaul, probably much more

700MHz - Narrowband

■ Nationwide voice with P25
■ State and local government

800MHz

■ "Reconfiguration" in progress
■ Public safety portion dedicated to voice (P25)

4.9GHz

General use spectrum. Has been used for:

■ Video surveillance
■ RNC/DNC/G20
■ Access to police cruisers
■ Emergency warning systems
■ SCADA
■ Aircraft
■ AMR

4.9GHz

■ Recommended for low power, required for high power
■ Channels can be grouped
■ NPSTC offers recommendations

4.9GHz – Emission Masks

5.9GHz – Intelligent Transportation Systems

■ 5850-5925MHz
■ 802.11p (IEEE 1609 WAVE)

Finding a Dance Partner

Radio Reference (700/800)

CAPRAD (700/800/4.9)

FCC License Search (700/800/4.9/5.9)

Using Google To Find Implementations

4.9/5.9GHz Access Points

(Vendor spec sheet screenshots, annotated on the slides: "LIAR", "ANOTHER LIAR", "I HATE THIS GUY")

Ubiquiti NSM5-WORLD

4.9GHz Adapters

Ubiquiti SR4C

4.9GHz/5.9GHz Adapters

Ubiquiti SRC300

Building A 4.9GHz Test Lab

Kugutsumen: with the "DEBUG" regulatory domain, the SRC has the ability to support 4910 to 6100MHz.

Extending Drivers

■ Previous patches (that no longer work)
■ Zero Chaos: awesome, but no channel width support
■ Spench (this guy is fucking awesome): meant for RADAR work, so it is overly complex for our purpose

compat-wireless

Manual regulatory domain override? iw reg set (never seems to work)

Extending ath5k for 4.9GHz

drivers/net/wireless/ath/ath5k/caps.c:

    if (ath_is_49ghz_allowed(regdom))
        range_5ghz_min = 4920;
    else
        range_5ghz_min = 5005;
    range_5ghz_max = 6100;

drivers/net/wireless/ath/regd.c:

    bool ath_is_49ghz_allowed() { ... }

The lab patch simply makes that regulatory check always succeed, so the 4.9GHz range is enabled regardless of the card's regulatory domain:

    bool ath_is_49ghz_allowed() { return true; }

Supporting Different Channel Widths

net/wireless/reg.c:

    /*
     * Note that right now we assume the desired
     * channel bandwidth is always 20MHz...
     * To support smaller custom bandwidths such as 5 MHz or
     * 10 MHz we'll need a new ieee80211_channel.target_bw...
     */

Required a little more work, but not that much.

Supporting Different Channel Widths

# modprobe ath5k default_bwmode=2

default_bwmode is the option name from the RADAR patch:

0 = 20MHz (default)
1 = 5MHz
2 = 10MHz
3 = 40MHz

Setup

# ./49ghz_install.sh

Manual:

# modprobe ath5k default_bwmode=2
# iw dev wlan0 interface add mon0 type monitor
# ifconfig mon0 up
# iwconfig mon0 freq 4.950G
# tcpdump -i mon0 -X

github.com/opensecurityresearch

db-ReturnTrue.conf

country US:
    (4910 - 5170 @ 10), (N/A, 23)
    (5715 - 6100 @ 10), (N/A, 23)

kismet-ReturnTrue.conf

ncsource=mon0:type=ath5k:forcevap=false
channeldwell=2
channellist=ps5mhz:4920-4990-5-.5
channellist=ps10mhz:4920-4990-10-.5
channellist=ps20mhz:4920-4990-20-.5
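Getting the channels right is the part of this setup that bites people, so here is an added example (not code from the talk or from the opensecurityresearch repository) that sanity-checks a channel plan offline before a card is ever brought up. It parses the db.txt-style country block from the db-ReturnTrue.conf slide, expands Kismet "start-end-width-iteration" channellist ranges, and reports whether each hop frequency, at the requested channel width, fits inside a regulatory rule and which 4940-4990MHz public safety channels it overlaps. Two things in it are assumptions: the range expansion order follows Kismet's documented example (1-11-3-1 hops 1,4,7,10,2,5,8,11,3,6,9), and the channelization table is my reading of 47 CFR 90.1213 (1MHz channels 1-5 and 14-18, 5MHz channels 6-13), which should be verified against the current rule text. The inputs and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: the country block from the talk's db-ReturnTrue.conf slide.
DB_TXT = """country US:
    (4910 - 5170 @ 10), (N/A, 23)
    (5715 - 6100 @ 10), (N/A, 23)
"""

# Constructed input: channellist lines in the style of kismet-ReturnTrue.conf,
# plus the single-frequency lists the talk used in NYC and Vegas.
KISMET_CONF = """channellist=ps10mhz:4920-4990-10-.5
channellist=nyc:4950-4950-10-10
channellist=vegas:4980-4980-10-10
"""

# One "(start - end @ max_bw)" rule in db.txt syntax; the power field is ignored.
RULE_RE = re.compile(r"\(\s*([\d.]+)\s*-\s*([\d.]+)\s*@\s*([\d.]+)\s*\)")


@dataclass(frozen=True)
class FreqRule:
    start_mhz: float
    end_mhz: float
    max_bw_mhz: float

    def allows(self, center_mhz, bw_mhz):
        """Conservative reading of a rule: the whole emission must lie inside
        [start, end] and the width must not exceed the rule's maximum."""
        half = bw_mhz / 2.0
        return (bw_mhz <= self.max_bw_mhz
                and center_mhz - half >= self.start_mhz
                and center_mhz + half <= self.end_mhz)


def parse_country_rules(text, alpha2):
    """Return the FreqRules of one 'country XX:' block in db.txt syntax."""
    rules, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("country "):
            in_block = line.split()[1].rstrip(":") == alpha2
            continue
        m = RULE_RE.search(line) if in_block else None
        if m:
            rules.append(FreqRule(*(float(g) for g in m.groups())))
    return rules


def expand_kismet_range(spec):
    """Expand Kismet 'start-end-width-iteration' into hop order (assumed semantics,
    from Kismet's documented example 1-11-3-1 -> 1,4,7,10,2,5,8,11,3,6,9): stride
    by `width` from `start`, then from `start + iteration`, ... until `width`."""
    start, end, width, iteration = (float(x) for x in spec.split("-"))
    if width <= 0 or iteration <= 0:
        raise ValueError("width and iteration must be positive: %r" % spec)
    hops, offset = [], 0.0
    while offset < width:
        f = start + offset
        while f <= end + 1e-9:
            hops.append(round(f, 3))
            f += width
        offset += iteration
    return hops


def parse_kismet_channellists(text):
    """Map channellist name -> hop frequencies (MHz); items are ranges or singles."""
    lists = {}
    for line in text.splitlines():
        if not line.startswith("channellist="):
            continue
        name, _, items = line[len("channellist="):].partition(":")
        lists[name] = [f for item in items.split(",") for f in
                       (expand_kismet_range(item) if item.count("-") == 3 else [float(item)])]
    return lists


# 4940-4990 MHz public safety channelization as I read 47 CFR 90.1213 (assumption,
# verify against the current rule): 1 MHz channels 1-5 and 14-18, 5 MHz channels 6-13.
BAND_PLAN = ([(n, 4940 + (n - 1), 4940 + n) for n in range(1, 6)]
             + [(n, 4945 + 5 * (n - 6), 4950 + 5 * (n - 6)) for n in range(6, 14)]
             + [(n, 4985 + (n - 14), 4986 + (n - 14)) for n in range(14, 19)])


def band_plan_channels(center_mhz, bw_mhz):
    """Public safety channel numbers overlapped by a bw_mhz channel at center_mhz."""
    lo, hi = center_mhz - bw_mhz / 2.0, center_mhz + bw_mhz / 2.0
    return [n for n, c_lo, c_hi in BAND_PLAN if c_lo < hi and c_hi > lo]


def check_plan(rules, hops, bw_mhz):
    """{freq: (fits some regulatory rule, public safety channels it overlaps)}."""
    return {f: (any(r.allows(f, bw_mhz) for r in rules), band_plan_channels(f, bw_mhz))
            for f in hops}


if __name__ == "__main__":
    rules = parse_country_rules(DB_TXT, "US")
    for name, hops in parse_kismet_channellists(KISMET_CONF).items():
        print(name, check_plan(rules, hops, bw_mhz=10))
```

Run as a script it prints the verdict for every hop of the three lists. Two things it surfaces: with the slide's "@ 10" rules a 20MHz channel (the ps20mhz list) fails the conservative fit check, and hops below 4940MHz pass the deliberately permissive db but land on no public safety channel, so a 4920-4990 sweep spends part of its dwell time outside the band. The NYC and Vegas centre frequencies (4950 and 4980MHz at 10MHz) come out as channel pairs 6+7 and 12+13, which is what "channels can be grouped" looks like in practice. This is a plan sanity test, not a reimplementation of cfg80211's rule handling.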


NYC 4.9GHZ MESH!

channellist=nyc:4950-4950-10-10

NYC 4.9GHz – Video Surveillance

NYC 4.9GHz – At the Station

NYC 4.9GHz

■ Crack LEAP = Own NYPD? See Moxie and h1kari's talk today
■ Proxim WORP (Wireless Outdoor Routing Protocol)?
■ Older versions: remove the driver FCS check
■ New versions: DFU mode APs?

VEGAS BABY!!!

channellist=vegas:4980-4980-10-10

VEGAS 4.9GHz

VEGAS 4.9GHz

■ Motorola MOTOMESH
■ 4 radios: 2 for 802.11, 2 for MEA
■ If 4.9GHz is not there, try 2.4GHz!
■ Saw ARP for publicly routable IP addresses, not immediately accessible
■ Mobility Enhanced Access (MEA): proprietary crapola, needs more investigating

VEGAS 4.9GHz

SkyPilot

WarDriving Summary

■ Make sure you have the channels right
■ Not all networks carry data on 802.11-compatible 4.9GHz
■ Lots of proprietary protocols

Is 4.9GHz Being Targeted?

github.com/opensecurityresearch

?

*many of the pics in this presentation were found on the internet – credit goes to images.google.com

References and Linkz

■ Previous ath5k driver patches: http://wiki.spench.net/wiki/RADAR
■ Supported Atheros chipset list: http://wireless.kernel.org/en/users/Drivers/ath5k#Supported_Devices
■ RTL-SDR compatibility list: http://www.reddit.com/r/RTLSDR/comments/s6ddo/rtlsdr_compatibility_list_v2_work_in_progress/
■ "DVB-T TV Receiver Realtek RTL2832U Elonics E4000 Radio P335" and "Ezcap EZTV668" used for testing
■ Ettus Research: https://www.ettus.com/product/details/VERT2450
■ Pasadena Networks: http://www.wlanparts.com/product/SF-D49NSR/49GHz-53dBi-Black-Fiber-N-male.html
■ Business Systems Connection: http://shop.bizsyscon.com/proxim-orinoco-a4908-4-9ghz-4-99ghz-8dbi-omniantenna/ (didn't steal Brad's credit card, should be ok..)
■ Discone antennas do 25-1300MHz: http://www.rfparts.com/diamond/d130j.html
■ Build your own: http://helix.air.net.au/index.php/d-i-y-discone-for-rtlsdr/ and http://www.ve3sqb.com/s
■ Kind of hard to find, expensive in most cases:
■ Horizon 12dBi Omni, 5750-6150MHz: http://interline.pl/modules/content/index.php?id=1&s=showcard&code=INT-HOR-12/57-V&lang=english
■ MTI 17/19dBi, 4.9-6.1GHz: http://www.wlanparts.com/product/MT-465019NVD/MTI-Wireless-Edge-MT-465019NVDTriple-Polarity-1719dBi.html ($192)

Weirdness.. (screenshots: MN, NJ)

Interacting with APCO P25

■ Attacks:
■ http://www.crypto.com/papers/p25sec.pdf
■ http://www.nicta.com.au/pub?doc=5076
■ RTL-SDR

SFD | Start-of-Frame Delimiter, 1 octet of 0xd5. DA / SA | MAC Destination Address / MAC Source Address ..... 11:56:57.340515 00:00:00:00:00:01 > 00:1f:16:37:b1:3d, ethertype IPv4. (0x0800), length 79: (tos 0x0, ttl 64, id 0, offset 0, flags ..... ht