
Thanks, Emily. Is that better now? Whoa, okay, hold my shirt down a little bit. She's been a really good speaker liaison, by the way, so thanks, Emily. Before I get started, I'm just curious: who here is a ham already? Awesome. Well, we're going to have a lot of fun. So without further ado: who wants to light things on fire? Yeah. Who wants to make the drones fly sideways? Okay, file under jokes that have officially jumped the shark. Who wants to turn their Wi-Fi up to 11? Who wants a cert that they can actually be proud of? What do all these things have in common? Ham radio.

So a little about me. I've been a ham since 2013, so only a little over two years, but I've learned a lot, and it's been a very, very good and very inexpensive way for me to start learning about security. I'm going back to school for it soon. I got into radio before I started really getting into security, but there's a lot of overlap in concepts. This was hacking before we had a word for it, and it's a good way for me to connect with geeks of all ages and help out my community in disasters. It's been fabulous, there's a lot more to learn, and it's 100 years old.

Before I go any further, just as a disclaimer: you may be thinking, do I really need to be licensed to do these things? We're a crowd that likes to bend the rules. Normally I'd encourage that; however, in this case, yes, you do need a license. Believe it or not, there are people out there who have nothing better to do all day than listen for illegal radio transmissions and narc on them. I've been told that the FCC warning letters are referred to among some hams as "love letters from Laura," named for the woman in charge of the FCC's Enforcement Bureau. So don't get a love letter from Laura; you will not be happy. Pay fifteen dollars for a license or risk paying a ten-thousand-dollar fine. Think of it this way: you can listen all you want; going out costs extra. Also, I can't emphasize this enough: [ __ ] do not [ __ ] swear on the goddamn radio.

So what do hackers have to do with ham radio? Well, there's already been a lot of great infosec-related research done, so I'm just going to go through a few recent examples to give you a random sampling of what can be done. RFID has been researched a lot in the past few years. So what do you think is the maximum range at which you can read an RFID tag? 10, 20 meters, something like that? Yeah, 600 meters. Wow, punchline spoiled. So at Black Hat in 2010, Kristin Paget, using just a directional antenna and a ham radio, read RFID tags at 500 feet, and she used only one watt of power to do this, which is already more than unlicensed people can use. Hams on that band can use up to 1500 watts on the 33 centimeter band, with which she estimated a one-mile read range. Don't use 1500 watts to read that, because you could cook chicken with that wattage. But you could.

So this happened last year at DEF CON and DerbyCon: Maggie Jauregui's talk "Ground Fault Interrupted." She was an electrical engineer who got a ham radio license for the exclusive purpose of lighting things on fire, and this amazing scientific discovery was a complete fluke. While transmitting on walkie-talkies that weren't amateur, she discovered that she could trip the ground fault interrupter outlets in her bathroom. So she got a ham radio license and she was able to hone this to precise frequencies. She would point a Yagi antenna at a blow dryer and, poof, magic smoke released. The science behind this is she made the solenoids in older GFCIs resonate: Faraday's law. They resonated at their frequency, so she blew them up and started fires. So okay, she ruined a few blow dryers, no big deal, but GFCIs are also required in medical devices like respirators and dialysis machines, so this has implications for remote kill. You don't want to start a dialysis machine on fire.

Speaking of hot things: toys. Micah Scott reverse engineered a high-end Swedish vibrator by Lelo. It had a lackluster remote control. There are some vibrators that are remote-controlled without a cord. She sniffed the radio transmissions between the remote and the vibrator, then she reversed it, and she built a better remote that was longer, stronger, and with sonar. So there's a lot of work out there like this. Basically, you have a real weird radio device that you need to work better; it doesn't work very well, so reverse it and build a better one, and amateur radio gives you a much better understanding of how to go about doing that.

Speaking of toys, you do need some tools to be able to do this, so there are tons of tools that hackers have made for radio hackery. Has anyone seen this before? It's getting famous. This project was originally "Real Men and Women Carry Pink Pagers" by Michael Ossmann and Travis Goodspeed. It's very hard to find these now because the word is out; I looked, they don't make them anymore, they took them off the market. But this is basically a little girl's pink pager texting device, the IM-ME made by Girl Tech. So Girl Tech is forever in my browser history, well, until I clear it. But basically the radio chip in it wasn't frequency locked, so you can turn a $13 texting machine into a thousand-dollar spectrum analyzer. The frequency range overlaps with the 70 centimeter and 33 centimeter bands, and this pink pager is used a lot in infosec-related research. It was recently used in the garage door hack OpenSesame: they were able to sniff the opening codes of the openers using the pager and then reprogram it to open the garage doors. This is a great example of taking somebody else's obsolete technology and making it do your bidding, which is something that hackers have been doing for years.

Software-defined radio. Software-defined radio basically is when your computer stands in for separate hardware components like mixers, amplifiers, and other peripherals. So there are a lot of SDRs out there. The holy grail is the one on the left, the HackRF, designed by Michael Ossmann. It can transmit and receive anywhere between 1 megahertz and 6 gigahertz, which is pretty much all the frequencies you would ever hope to need. That actually just changed; I learned this last night. It used to be 10 megahertz, now it's down to 1 megahertz. It does need an amplifier for transmissions because it runs on USB power, but more transmitting power is a privilege that only hams have because of power level regulations for unlicensed people. Also, similarly but only for Bluetooth, is the Ubertooth One, which he designed. A lot of really good Bluetooth work has come out of that, and nothing like it existed before. I'm not up on the Bluetooth protocols, but it solves a lot of the problems of why you couldn't research Bluetooth beforehand.

So that's the hardware; here's some of the software. There's a ton of open source software tools available for playing around with radio. These are just a few examples. Fldigi is software for digital modes. It's open source, it's on SourceForge, so you know, your mileage may vary. It interprets digital signals into ASCII text and transmits text into digital modes. So these are the cheat codes: if you want to transmit in Morse code or digital modes like PSK31, this translates it into things that you can read and translates things that you can read into things you can send out digitally. EchoLink is a voice-over-IP-style system for amateur radio stations; it connects all over the place, so you could get out of here and I could listen to a repeater back home in Madison. CHIRP is the thing that will save you so much time. It's a very easy way to program radios using a USB-to-audio cable. It's also one of the tools that's included in Kali. In general it's very good for uploading and downloading information; it can handle several different kinds of radios, and without CHIRP a five-minute process can take hours. Programming is a [ __ ] when you're only working with buttons.

So why all of this interest? Why are hackers interested in amateur radio? This is a map of all of the frequency allocations in the U.S.: everything, amateur radio, cell phones, maritime, military, you name it. There's a lot of overlap. Unlicensed bands are unlicensed because they're so short range, and many radio things within that short range will assume that they're the only things on the band, so they don't necessarily need to follow security protocols. There are a ton of devices crowded around the ISM bands, 900 megahertz and 2.4 gigahertz, or 33 and 13 centimeters, which overlap with ham bands: Wi-Fi, Bluetooth, ZigBee, cordless phones, RFID, some drones. These are everywhere. Everything has a radio in it. I have a radio on my wrist; I may or may not have a radio in my pants. I'm not wearing pants. And this works like having a secured area: if you only talk in the secured area, anyone you talk to must be okay to talk to, right? We're cleared. No one has ever social engineered their way into somewhere that they're not supposed to be. Never happened, ever. Obviously this is not the case. Unlicensed bands are not a secured area. Unlicensed spectrum is everywhere out there, and as Kristin Paget and others after her have shown, ham radio can pick up on all of it. This is just a zoom in so you can see the overlap. For a good proof of concept of this, and to see how unsecured some things are, see Travis Goodspeed's party mode belt buckle. Basically he walked around and fuzzed an entire city's power grid just for fun, because his belt talked to other stuff that it wasn't supposed to talk to.

So you may be wondering why things on the ISM bands aren't encrypted. Part 97 of the FCC rules states that it is illegal to obscure the content of a message so that someone listening can't ascertain its original meaning. And digital modes are not encryption, by the way; they're just different means of communication. Morse code isn't encryption, PSK31 isn't encryption, just as converting this very important message on the bottom into hex is not encryption. Encrypted transmissions are also illegal on amateur bands, except for communicating telemetry data with RC aircraft and for satellite control, and only on the RC aircraft bands does that apply, just mostly 6 meters, 70 centimeters, some of the ISMs. Steganography, however, is more of a gray area. It's not encryption per se, just obfuscation, so the rules aren't quite as clear. For a good talk on the theory behind this, watch Paul Drapeau and Brent Dukes's DEF CON talk from last year, "Steganography in Commonly Used HF Bands."

So with that in mind, who wants to be a ham? Yay. Now I'll go through the process of what the licenses are and then how you get them. There are three license classes in the US. Technician is the lowest level. The Technician exam is very easy by design. You don't spend months studying for the Tech exam; you really don't want to. The idea is you get licensed first and then you learn your way around amateur radio, not vice versa. Basically they want to make sure you can pass a simple common sense and rules reading test. The Tech license is restricted to VHF and UHF bands, which means above 30 megahertz. These are shorter range frequencies, so this just means that you can't cause an international incident. Okay, pointed about that: if you want to cause an international incident, you'll need to go up to General. General is the second one. It's kind of like the junior varsity of the licenses. It's like Technician but has some HF privileges below 30 megahertz, so you get longer ranges. It doesn't have access to all of them, but the vast majority. The highest level is Amateur Extra, usually just called Extra. This gives you all privileges on all bands. One thing that only Extras get is reciprocal international operation. That means you can take your radio to another country that has an agreement with the US, which is a lot of them, and operate there. Obviously if you're in the US and licensed in the US you can talk to other countries; I'll get into that later. But to actually operate while you're in another country you need to be an Extra. The Extra exam, you may have heard, is very hard. However, the number of Extra licensees has increased dramatically since the Morse code requirement was dropped from the exam in 2007. No more Morse test. So altogether there's over 700,000 hams in the US, which is the most it's ever been. I think a handful of other countries have more hams than the US; I know Japan is one of them, so let's catch up with them. So, 700,000: rumors of its death have been completely exaggerated. The exams themselves are all multiple choice and they're all unlimited time. Tech and General, 35 questions; Extra, 50 questions. So it's easier and more useful than the CISSP. That was almost like "cyber," so I'm going to drink.

(Audience: CEUs?) I don't think the ham exams give you CEUs. Oh, you said they're more useful than CEUs? Oh,
no, ham exams don't have any continuing education. Once you're licensed, you never need to retest unless you let your license expire, and you never need to take continuing ed. And the exam process is very low-tech. If you take your exam, you'll notice that it looks completely outdated, and this is on purpose: it's so that exams can be given anywhere at any time. They want to make it as easy as possible for people to get in. The Tech and General exams are usually concerned, I shouldn't say usually, because they're standard questions, they're concerned with things like rules and common sense, very basic electronics, safety, band plans. As far as calculations, there are really only two types you'll need to use. Does anyone know the speed of light? Speed of light: 300 million meters per second, and radio waves travel at the speed of light through air, so for the frequency-wavelength calculation, just get good at dividing 300 by things. And the only other formula is Ohm's law. Who knows Ohm's law? Somebody say it. Yep: current times resistance equals voltage; voltage times current equals power. So that's really all you need to know, and these things can be studied very quickly if not. The Extra exam is more electronics heavy: things like radio design, circuit theory, stuff that you might not actually use in your everyday ham practice. But like I said again, the Morse code requirement is no more. For those of you who follow me on Twitter, this is the "duck if they throw things" slide. However, just because Morse code has no testing anymore doesn't mean that it's not used. Morse code is very useful. It's more easily detectable than voice or data when signals are poor because it uses so little bandwidth. A lot of repeaters use Morse code for station identification. It's also shown up in CTFs and puzzles; for example, it's been a part of DEF CON badge challenges in the past, and I think possibly BSides ones as well. So it's just there when you need it. It's easier to detect: you can't hear voice signals very well when the signal is poor, but you can still hear the universal distress call, SOS. I almost did... bourbon is awesome, I almost didn't spell SOS.

So the process of the exams is pretty straightforward. You walk in, you pay fifteen dollars, you take the test. Yes, fifteen dollars; it's also cheaper than a CISSP. And if you pass, you can take the next one, and then the next one after that. The exams need to be taken and passed in sequence. You can't skip over the Tech and General. You can take all three in the same session if you pass them all, but you can't skip straight to Extra no matter how elite you think you are. So the fifteen dollars: your license is paid from that fee for ten years, and after that you just renew it online for free, so it's very easy. You'll be assigned a call sign, and then you can later go back and get a vanity sign. I got one: K7FTW. Sorry, unfortunately N00B is taken, as well as all the other naughty ones, like W4NG. Vanities used to cost money, but they're going to be free as of September first. Volunteer examiners, by the way, don't get paid from the exam fee; we work for free. The money all goes to the ARRL, the American Radio Relay League, which is the big test organizer and resource provider. Occasionally the exam team gets expenses too.

So where can you be made a ham? A great way to do it is to get tested at a security con. A lot of cons are starting to offer them, and if you're free tonight, BSides is offering them in the Training Ground room, which is Siena, upstairs, from seven to nine p.m. Bring a photo ID and fifteen dollars in cash or check and we can get you tested. Even though it's a two-hour window, it's not going to take you two hours; expect maybe 20-30 minutes tops. If you can't come tonight, a lot of other cons have them. DEF CON is going to run them via DC401. SkyDogCon has had them. Circle City Con had them for the first time this year; I was the team liaison. Some other BSides events had them, including Boston and Rhode Island. If you know of any others, let me know. If you can't get tested at a con, or you just don't go to cons that much, there are a lot of local exam sessions. Most major cities offer at least one session a month, so check the ARRL's website, arrl.org, for local exam sessions to find one in your area.

Studying for exams: there's a lot of information out there, and this is because the entire exam pool for all three levels is given away completely for free by the ARRL, therefore there's a lot of study material out there that's been developed by hams for hams. There are some books. ARRL puts out a series of very comprehensive exam prep books that cover both the ham exams themselves and ham radio "culture," and I'm putting this in scare quotes because the book is full of scare quotes for some reason. Gordon West also makes study guides that have the exam material in audiobook form, so you can listen on your commute, which is awesome. There are a lot of online study guides and practice exams. Just in general, Google "amateur radio study guide" and you'll be fine. When I put my slides up online, I have some links in the last slide. There are also a lot of mobile apps out there for pretty much every platform you can think of, even Windows Phone, which is barely a platform. I just learned recently too that the Ubuntu hams IRC chat has an exam question bot that will feed you random questions, and actually also a ham exam Ubuntu package that you can install. If you want to learn in person and with a group, there are also ham radio boot camp classes out there: one-day or two-day crash courses that cover all of the exam material. They'll often have an actual test at the end, if not at least a practice test. DEF CON in the past has held them; I've been told they're not going to have one this year, but the Wireless Village may have other offerings. Just as an important warning: the question pools do change every four years. They're staggered, so General just changed last month. Just make sure you're working with the most up-to-date material. There usually aren't too many drastic changes; it's not like they found a new speed of light or anything, but maybe they will, who knows.

So there's a lot of different ways to go about it, and my own study process varied quite a bit for the three exams. While I was preparing for the Technician exam, I used the ARRL manual more. Being new to the ham world, I wanted, and really found helpful, having some context for the exam material. For General, two months later, I spent a little longer and focused more on the test material than on the actual ham culture. By the time I got to Extra, I basically just said [ __ ] it, memorized the question pool by taking a practice test every day, went in, and did fine. I knew that there were large portions of the exam that I would never have to use again in real life, and I was right. Nine months later I still know what vestigial sideband is, and I don't know what other knowledge that pushed out of my brain, but I'm scared to find out.

So now that you've gotten your license, what next? First step: get a radio. The beauty of ham radio is it's only as expensive as you want it to be, and I mean that. A good HT, which is a handheld transceiver or "handy talkie," starts around thirty dollars. The example I have on the screen is the Baofeng UV-5R. It's a great starter radio; I've used it a lot, it's thirty dollars, and it comes in technicolor. Amazon has lots of radios; electronics stores usually have at least a few. If you've got a car here, there's a ham radio supply store around here somewhere. But HTs vary greatly in price, and this is because they have other features; it depends on the frequency range, depends on the maximum power. Most of them are dual band, some are tri-band. But you don't need the fanciest model. You can get the fanciest model if you want, but you don't have to, because you don't need a radio that does everything. The radio that you take out into the daystar with you needs to be a radio that you aren't afraid to lose, break, or spill beer on. I've done all of these things, and you will too. So don't invest in the top of the line. An HT is a great starter. It lets you talk to people at cons, join ARES, which I'll get to in a minute, and just generally explore. Even if you are an Extra, like I said, they're mostly UHF and VHF, but even if you're an Extra, this is invariably where you'll spend most of your time. This is where your local repeaters are; this is where most of your local hams are. You've had your hand up for quite a while.

(Audience: can you hack the cheap Chinese radio to make a really good Chinese radio?) I've never tried before. Do you want to try? I don't know, that's an excellent question. Probably. Okay, the question, for people in the hall: the question was, can you hack a cheap Chinese radio to make a good radio, and the answer is there's a community for that. So cool, learn something new every day.

Yeah, also get the USB programming cable. They're like 10 bucks and they will save you so much time. I mentioned CHIRP earlier; it's so much easier than trying to program in all of your local repeaters and all of the weather stations, which is a pain in the ass because you have to set so many different settings. A programming cable will save your life. If you're a quick draw with a soldering iron, you can also build a radio. A great place to start is the SoftRock kit. This is an $80 SDR; it gives you access to a lot of different HF bands. Unfortunately the comic is only a slight exaggeration; there are a lot of parts. However, it's a really good way to learn how a radio is constructed, and taking a thing apart helps you learn how it works, but so does building things. Once you have a radio, see how many times you can answer the standard hacker question, "What can I make this thing do?" And get a cheap Chinese one so you can build a better one.

A lot of older hams in particular, but also those who have been operating since before cell phones and the internet, are into DXing, which is long-distance communications, often international. This was the way to talk to Germany and Japan and Australia before cell phones and before the internet, and they still do it, and you can contact hams all over the world and send those QSL cards up on the screen. QSL is Q code for "acknowledge receipt of transmission." There's also contesting: contacting as many stations as possible within a given time. QRP, one watt or less: see how much can be squeezed out of not a lot of power. Fox hunting: using radio direction-finding to search for hidden transmitters. A lot of you were probably at BSides Las Vegas last year, right? If you saw people wandering around, they were in the wireless essentials class; they were wandering around with laptops and antennas, and that's what they were doing, fox hunting. Bring it to cons. It's a very good back channel. 146.580 has become sort of the standard hacker con frequency. I haven't been on today, so I don't know how much activity is going on in there, but I'm sure at DEF CON there will be a lot going on. A lot of cons also have a wireless village or a wireless CTF, so go be their friend. There are a ton of offerings for that at DEF CON, and hey, there's a whole track here on it this year. You can also talk to space. Anyone know what EME stands for? Earth-moon-earth propagation: you can bounce signals off the moon. I love the future. There are also amateur satellites. You can even talk to the International Space Station; the astronauts there are hams. Just don't make that go sideways. You can make drones go sideways, like I mentioned before. There are non-amateur drones obviously, but with amateur ones you'll get better range and better control of your drones, so play around with that.

Step 3: non-profit. I mentioned ARES before. ARES is Amateur Radio Emergency Services; their motto is "when all else fails," and it's true. When natural disasters hit, the first thing that happens is all of the cell towers die. In public safety incidents the cell towers are completely overwhelmed, and cell towers do this because they're built in exposed places like the top of a hill, and also on cell towers are police, fire, and EMS radios. I didn't say "cyber"; I just feel like a drink. So in these disasters, ARES teams step in to provide emergency communications to cities, counties, states, the Red Cross, and other volunteer organizations. And to practice, we do radio communications at public service events like marathons, bike races, parades, other scheduled disasters, practicing for the real thing. In the case of the Boston Marathon bombing, that was a scheduled disaster turned real disaster. Hams were there, and it's a good thing they were there; it turned into a real emergency deployment. But even aside from extreme cases like that, emergencies do happen. I was doing an ARES deployment for a bike race last year in rural Wisconsin, really bad cell signal, and we had a cyclist who needed medical attention, so we were there. And ARES also does simulated emergency deployments too, where we actually practice transmitting emergency messages. But even if you never end up helping out in an actual emergency, it's just a really great way to learn about operating and to connect with your local ham community. You get to play with equipment that you might not own yourself; you get to practice actually talking to people. On the same subject of non-profit: pay it forward. Make more hams. If you have a General license or above, you can get certified to become a volunteer examiner, and then you can come help out on exams. With any level of license, you can also be a volunteer licensed instructor or online course mentor.

Above all, have fun. Learn from old hams. There's a really well-established culture of teaching and mentorship. Many old hams will have a good stockpile of radio gear that they'll let you play with. ARRL runs Field Day in June. This is a huge nationwide, and Canada and the Caribbean, ham radio event. Everyone talks to everyone; everyone gets together outside and geeks out. It offers a lot of opportunities for experimentation, so especially if you're just getting started and don't own much equipment, it lets you play around all over the place.

And the beauty of ham radio is that it offers a low barrier for entry into a world of hacking. There are a lot of reasons for this. The cost is low, which makes it accessible to more people. There's less gatekeeping, less questioning of credibility. You do have that piece of paper, so I'm an Extra just like the people who've been doing it since before I was born, and yes, they know more than me, but I'm here too. It's definitionally a hobby, not a profession, so all that's left is just a passion for tinkering and sharing knowledge. Michael Ossmann, I mentioned him before, the HackRF and Ubertooth One guy, gave a talk at the Dayton Hamfest a couple months ago. He's a new ham, and he talked about his path from electronics kid to hacker to ham, and he talked about how the next generation of ham radio operators will not be the people who are just doing it to talk to people about weather and pacemakers and prostates. They will be the tinkerers, the experimenters, the hackers, and it's absolutely true. I mean, it speaks for itself: you're all here right now. We had an amazing turnout at DEF CON last year; 200 people came to take their exams. There's always more to explore, and not nearly enough people are playing with radio for infosec or otherwise, and it lets you keep that hacking knowledge alive and create new knowledge interacting with the technology around
you. So it's over a hundred years old, but it's still going strong, and we're the ones who are going to keep it going strong and keep it alive. So party like it's 1909. Does anyone have any questions? Yeah.

(Audience question about encrypted communications that overlap a ham band but carry an unencrypted frame.) Okay, so the question was, if you have something encrypted that overlaps with a ham band... sorry, is this one still on? You asked a multi-faceted question. So I was curious: if a ham band overlaps with encrypted communication, but it has an unencrypted frame, can you jack around with the unencrypted part of whatever's going around and not get in trouble? Does anyone know the answer? Because I don't. Okay, no, but transmitting, is it okay? That does count as interference. Okay, the answer is no, because it's considered interference. Okay, cool, thank you. Yeah.

(Audience question about exam fees.) They don't have to charge anything for it; they can charge up to $15, that's the maximum, and most do, to recoup exam-related expenses. There are a couple: ARRL is the largest VEC, volunteer examiner coordinator, the organization that does it, but there are some others, and I know Laurel is one that does do them for free. Yeah, you.

The question was again about encryption: whether you see it changing in the future for encrypted transmissions to be allowed, especially with medical devices and other things, as more things in general are networked. I don't know, we'll see. I mean, that's the thing: everything is networked now, and the protection isn't really going along with it. It's like the desire to connect all the things to each other has surged way ahead of the desire to actually protect our data. So I don't know, that's a good question. Grey shirt first, you haven't asked a question yet.

Sorry, what was the first part? Yeah, but they overlap. A lot of them overlap. ISM is the unlicensed bands, and they overlap with amateur bands. So there's a way to do that; somebody just explained this to me last night. It was a little bit over my head, but basically, yes, it's not encryption, but it's authentication on both ends, basically, is how you do it. If you're supercharging your Wi-Fi, ha ha, then it's not very encrypted, is it? You do have to station identify every ten minutes; you have to identify your call sign, otherwise they get you. Yeah.

If you study now for a couple of hours and then come in at seven, you could certainly try. I had a friend at Circle City Con who took a two-hour exam prep class, then studied for a few hours, and was able to pass the test the same day. So the Tech exam, like I said, is a pretty low barrier, but you shouldn't go in cold unless you have, like, an electrical engineering background. That's true. Yeah, DEF CON is offering them too, so you could take a few more days to study. Yeah.

(Audience comment, inaudible.) Yeah, if that's what's happening, but we're not saying it was. Should I repeat that for the microphone? Because this is going to be recorded, ha ha. Let's get back onto the side of plausible deniability. Yeah, but we don't know yet. There are spurious emissions laws, so if you test them and they are emitting, you've got to fix it, basically. Yep, but again, potentially dangerous: 1500 watts is nothing to mess around with. Just because it's the max doesn't mean... The question was, what if you wanted to build a big scary transmitter, basically. eBay, your source for scary transmitters. Yeah, I think the narcs would find you and they would kill you. No, no, no, I mean you can look up somebody's call sign; you get figured out pretty quickly by people with no lives who do that. Yeah.

(Audience comment, partly inaudible.) He says be wary of people trying to sell you ham equipment using other people's call signs, because amateur radio equipment can only be resold for ham purposes by hams. Yep, it's a good point, just in case anyone... yeah, for anyone who's worried about doxxing themselves: the call sign does have an address associated with it and is in the FCC's public database. It doesn't need to be a home address; it can be a P.O. box. Oh really? That's good to know, because I didn't know that. So he says you can apply to make it private after it's been public for a month. They should come to DEF CON or BSides and give a talk about privacy; I'm sure that can be written very easily. Okay, well, there you go. So there's that for private addresses, but it's one more step. Again, with everything networked and communicated in the open, privacy hasn't caught up with that yet. That's right. What do you mean you don't live here? This is home away from home. Yeah, yes, that is true: you do not need a license to purchase ham radio equipment. That is a good point. Actually, the Circle City Con staff all used ham radios, just on an FRS band, so it can be done. Yeah, I know, but it's... yeah. All right, let's edit that out, por favor. Edit what out? It never happened. This is the underground track, right? Right, okay. All right, I talked a little fast, but does anyone have any other questions, discussions, points?