DEFCON Conference 27. Hack the police. Part 2

Continued from: DEFCON Conference 27. Hack the police. Part 1

Raise your hand if you know what this could lead to! OK, all this is interesting, but if you look closely at the 65 mph example you might find a small problem. My device constantly transmits this speed, since it works at a fixed frequency, but what if I drive past a school where a school-zone speed limit applies? Besides, we never know for sure at what frequency the police radar is transmitting.

However, friends, I must say that we live in interesting times. We live in the future, where all the world's information is in our hands and we can do whatever we want with it. New car radar detectors, in particular the Valentine One and Escort 360, detect the signals of a radar about 2-3 miles ahead of your car and use Bluetooth to report what frequency the police radar is emitting on (applause).

Let me interrupt for a minute to thank Trey Woolf, who is sitting right there, because she provided me with a very convenient place for several tests, completely legal and official.

(23:50) So all we have to do is create an application that tells us the current speed limit, a sort of road API. The current generation of radar detectors recognizes the transmission frequency of police radars perfectly at distances of up to 2 miles. From that you can work out the speed limit your vehicle is supposed to be moving at, and the transmission frequency of a signal indicating that speed.

All we need is a very, very small processor. On the slide you see the ESP8266 microcontroller; it is quite enough. The problem, however, is that the SDRs, the software-defined radios generally available today, do not work in this high-frequency, microwave range; they are designed for the lower part of the spectrum. But if you take the hardware seriously, you can assemble the device we need for about 700 bucks, and most of that amount is the cost of upgrading the SDR for high-frequency transmission.

(25:10) However, the FCC does not want you to do this. Using a device to interfere with radar is a crime that carries a fine of up to $50,000 or 5 years in prison, or both. Radar jammers have been banned in the United States since 1996, so anyone who uses or sells these devices is a federal criminal.

The Federal Communications Commission takes this so seriously that you do not even have the right to advertise these devices or promote their use. If you look closely at this $700 device, you will see that it really is not that cheap. But by knowing how to make a radar jammer, we make it available, and then you can make your own decision about whether to use it or not.

So the FCC will not let us speed up this process. Let's see, then, what effective and legal countermeasures are available to us. They exist, and they are publicly available things. If you do not have the opportunity to use modern electronic radar detectors, use other devices; the choice is simply huge.

Modern radar detectors, the Uniden R3 / R7, Escort Max360, Radenso Pro M or Valentine One w/ BT, perfectly capture any radio emission, all those reflected and direct radio waves, at a distance of 2 miles, but are completely unable to detect a laser. However, most people are aware that cops use a laser as a speed-measuring device. And here we have a loophole! The fact is that the regulation of light-emitting devices, which is what lasers are, does not even fall within the competence of the FCC; it is the prerogative of the FDA, the Food and Drug Administration. So let there be light!

It turns out that these laser guns are very different from their RF cousins. They use a viewfinder to pick out a specific target. Looking at the picture, you will see that the handheld laser gun has two lenses. The smaller one is the transmitter lens that emits the light pulses, and the larger lens is used to receive the light reflected from the target. In a second you will understand why this is important.

What I really love about the laser is that the officer has to treat it like a weapon. That is, the device must be held steady, must let you aim, and must find a reflective surface on your car in order to get the signal back.

In fact, the cop should aim at the headlights, license plate or some other shiny, reflective spot on your car. This video clip shows what the officer sees through the viewfinder when aiming a laser gun at a car using the illuminated reticle.

Since lasers are regulated by the FDA, these devices must be Class 1 lasers. This is the same class as ordinary laser pointers. Simply put, a laser gun is the same thing as a laser pointer. They have to be eye-safe, so their power is quite small, and the amount of light returning to the police gun is just as small.

In addition, thanks to FDA regulation, these devices are restricted in the wavelength of light they use: an infrared laser at 904 nanometers. This is an invisible beam, but even more remarkable is that the wavelength is a standard one.

It is the only standard allowed, the devices that support it are low-power, and you and I can buy them too.

(29:40) Remember what a radar measures? Speed. But a laser does not measure speed; it measures distance. Now I am showing you a very important slide and giving you time to write down this amazing formula: speed equals distance divided by time. I noticed that some people even took a picture of this slide (laughter).

The thing is that when laser guns measure distance, they do it at a very high rate, usually 100 to 200 measurements per second. So even when the radar detector has already switched off, the laser gun continues to measure your speed.

You see a slide showing that in 2/3 of our country the use of laser jammers is completely legal; on the map these states are highlighted in green. The states where using these devices is illegal are shown in yellow, and I just can't imagine what the hell is going on in Virginia, where absolutely everything is banned (laughter in the hall).

(31:10) So we have a couple of options. The first is to use a car with pop-up headlights in "show-hide" mode. Not very effective, but it's ridiculous, and it is very hard for the officer to get it in his sights.

The second option is to use your own laser gun! To do this we need to know how it works. Before we begin, I will show you examples of timings. The timings we will talk about do not apply to all existing laser guns, but they apply to the frequency they use. Once you understand how they work, you will understand how to attack each of the laser guns, because it all comes down to timing.

So the especially important parameters are the pulse width, that is, how long the laser is on, and the cycle period, that is, how often it fires. This slide shows the pulse width: 1, 2, 3, 4, 5, pulse-pulse-pulse-pulse-pulse, that is the pulse width. And the cycle period, the time interval between two pulses, is 5 ms.

In a second you will understand everything, but this part is really important. When a laser gun sends a series of pulses, what does it expect as an answer? What physical quantity does it want to get? Right, distance! A pulse measures distance. So when your car is hit by the first pulse and it comes back, does that mean the officer has recorded your speed? No, he can only find out how far away you are. He can calculate the speed only by receiving the reflections of the second, third and subsequent pulses. You see how the time between the emitted pulse and its received reflection changes with distance: 1000 feet, 800 feet, 600 feet, 400 feet; the closer the car, the shorter the interval between the emitted and reflected pulses. The change in these intervals is what lets you calculate the car's speed. That is why they take so many measurements per second, 100 or even 200, to determine your speed quickly.

Let's stretch out the spacing between individual pulses and talk about some countermeasures. These red bars represent the emitted pulses of the laser gun: pulse-pulse-pulse. Only 3 pulses. The orange bars are the returning reflections of each pulse. Between two emitted pulses we have a "window" 5 ms wide, in which our own reflected pulse comes back. What are we measuring? Right, distance! We do not measure speed directly.

So if we return our pulse before the real reflected pulse comes back, we can show the radar how far we are from it. What I'll show you next is the usual brute-force method.

Imagine you are driving, knowing exactly what the laser is hitting you with: 1 millisecond pulses at a wavelength of 904 nm. The idea is that by replacing the reflected laser signal with our own signals, we show the cops that we are at a certain distance from them. I don't tell the gun that I'm traveling at 97 million miles per hour; no, I make it think I'm very, very close, for example 100 feet from it. The first signal says I'm at 100 feet, then the second signal comes to it and again says 100 feet, then the third, again 100 feet, and so on. What does that mean? That I am moving at zero speed!

For most laser guns on the market, using this method results in an error message. A simple brute-force attack in the form of a millisecond pulse makes a measurement error message appear on the gun's screen.

(35:10) There are several devices that allow countermeasures against countermeasures; we will talk about that in a second. Some of the newest laser guns can recognize that "I sent one pulse and got as many as four back." To combat interference they use a laser shift, that is, they change the pulse width so that the true reflected pulse falls in a range not affected by the fake, distorted signals. But we can resist this. As soon as we understand where the emitted pulse is shifted to, that is, what the value of the laser shift is, we can shift our reflected pulses by the same amount. Interestingly, knowing the pulse width and timing, we can identify the laser gun from the second pulse.

Having received the first pulse, we immediately apply the brute-force method; we receive the second pulse and determine exactly which gun has us in its sights, after which we can use countermeasures against it. I'll quickly tell you what they are.

The red bars on the slide are the emitted pulses of the laser gun, the orange bars are their reflections from a moving target, and the green bars are the pulses we return to the gun.

All we can do is vary the pulses of our own laser. We have a 5-millisecond window to send the return pulses, and first of all we need to return the very first signal received, at a distance of 600 feet from the gun. Having received the second pulse, we determine what kind of gun sent it and find out exactly who has us in their sights. After that we can take countermeasures and report that we are much farther away, for example at a distance of 999 feet. That is, relative to the gun that spotted us, we are moving away. This way we can deal with most laser gun models. Commercial laser jammers do the same thing. There are a couple of devices on the market that you can freely buy and that implement the same countermeasures. Just keep in mind that these devices are available.

(37:20) A few years ago I created a device called COTCHA. It is an ESP8266 built around Wi-Fi hacking on the Arduino platform. It is a very good base on which you can build other hacker electronics. Now I want to introduce you to a more serious device called NOTCHACOTCHA. This is a laser "jammer" based on the ESP8266, running on 12 V power, which makes it easy to install in a car. The device uses the brute-force mode for light at a wavelength of 940 nm, that is, it generates 1 ms pulses. It connects to a smartphone over a wireless module and can be used together with an Android application. In some states, using this "jammer" is absolutely legal.

This jammer handles 80% of the laser guns in use, but it cannot stand up to advanced systems like Dragon Eye, which the police use as a countermeasure against brute force.

In addition, we make these jammers open source, since there are commercial versions of such devices and it is not difficult for us to reverse engineer them. So, this is legal in some states; remember the green areas on the US map? By the way, I forgot to include Colorado among the green states, where laser jammers are also allowed.

NOTCHACOTCHA also has a laser-gun emulation mode that lets you test other "jammers", radar detectors and so on. In addition, the device supports MIRT mode, turning traffic lights green, but that is a very bad idea. Probably still not worth it (laughter).

I'll tell you that NOTCHACOTCHA is freedom; with its help we can take control of any system aimed at us. Let me quickly go over the parts this "jammer" is assembled from. It is the ESP8266 D1 mini, which costs a dollar and a half, a 2.2 kΩ resistor for 3 cents, a 3.3 V voltage converter for 54 cents, a TIP102 transistor for 8 cents, and an LED panel emitting at a wavelength of 940 nm; that is the most expensive part of the device, at $6. All in all, it costs $8 (applause from the audience).

You can download the bill of materials, the code and several other "bad" ideas from the link; all of it is in the public domain. I wanted to bring such a "jammer" here, I have one, but I broke it yesterday while rehearsing my talk.

A cry from the audience: “Bill, you suck!”

I know, I know. So, this thing is released as open source, and the brute-force mode works great. I tested it because I live in Kansas, where everything is legal.

I want you to know that this is only the first round. I will keep developing the code, and I would be very grateful for help in creating an open-source laser "jammer" that can compete with commercial counterparts. Thanks a lot guys, we had a great time and I really appreciate it!
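Editor's note, added to this transcript: the timing argument of the talk (a lidar gun measures distance per pulse and derives speed from how the distance changes between pulses, so a device that answers each pulse early at a constant fake range reads as zero speed, and one that walks the fake range outward reads as receding) is easy to check numerically. The model below is an added example; it is not code from the talk and not the NOTCHACOTCHA firmware. It takes the 5 ms cycle period (200 measurements per second) and the 100 ft, 600 ft and 999 ft fake ranges from the talk; the 1000 ft starting range, the 65 mph approach, the 200-pulse window, the 0.2 ft per pulse recede rate and the one-echo-per-pulse anti-jam check are assumptions for illustration.

```python
"""Timing model of a police lidar ("laser") gun and two return-pulse countermeasures.

Added example, not the talk's or NOTCHACOTCHA's code. From the talk: 5 ms between
pulses, fake ranges of 100 ft, 600 ft and 999 ft. Assumed: 1000 ft start range,
65 mph approach, 200-pulse window, 0.2 ft/pulse recede rate, anti-jam check.
"""

C_MPS = 299_792_458.0      # speed of light, m/s
FT = 0.3048                # metres per foot
MPH = 0.44704              # m/s per mile per hour
PULSE_PERIOD_S = 0.005     # 5 ms cycle period from the talk = 200 pulses/s


def time_of_flight(range_m: float) -> float:
    """Round-trip time for a pulse to hit a target at range_m and return."""
    return 2.0 * range_m / C_MPS


def range_from_tof(tof_s: float) -> float:
    """What the gun infers from one return: a distance, not a speed."""
    return C_MPS * tof_s / 2.0


def real_echoes(start_range_m: float, closing_mps: float, n_pulses: int):
    """Genuine reflections from a car approaching at closing_mps.
    Returns a list of (t_emit, [t_return]) with one echo per pulse."""
    echoes = []
    for i in range(n_pulses):
        t_emit = i * PULSE_PERIOD_S
        range_m = start_range_m - closing_mps * t_emit
        echoes.append((t_emit, [t_emit + time_of_flight(range_m)]))
    return echoes


def add_jammer(echoes, fake_range_ft):
    """Jammer model: on each emitted pulse it fires its own pulse timed so the
    gun sees an extra echo at fake_range_ft(i) feet. The genuine echo still
    arrives; the fake lands first whenever the fake range is the shorter one."""
    jammed = []
    for i, (t_emit, returns) in enumerate(echoes):
        fake = t_emit + time_of_flight(fake_range_ft(i) * FT)
        jammed.append((t_emit, sorted(returns + [fake])))
    return jammed


def constant_100ft(i: int) -> float:
    """Brute-force mode from the talk: answer every pulse with 'I am 100 ft away'."""
    return 100.0


def recede_from_600ft(i: int) -> float:
    """Counter-countermeasure mode: answer the first pulse at 600 ft, then walk
    the fake range outward toward 999 ft (0.2 ft per pulse is an assumed rate)."""
    return min(600.0 + 0.2 * i, 999.0)


def gun_reading(echoes, anti_jam: bool = False) -> dict:
    """Gun model. Range comes from each pulse's first echo; speed is the
    least-squares slope of range over time (speed = distance / time).
    With anti_jam=True the gun refuses to report if any pulse produced more
    than one echo, the 'sent one pulse, got four back' check from the talk."""
    if anti_jam and any(len(returns) > 1 for _, returns in echoes):
        return {"status": "ERROR", "speed_mph": None, "first_range_ft": None}
    samples = [(t_emit, range_from_tof(returns[0] - t_emit))
               for t_emit, returns in echoes]
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    closing_mps = -num / den          # shrinking range -> positive closing speed
    return {"status": "OK",
            "speed_mph": closing_mps / MPH,
            "first_range_ft": samples[0][1] / FT}


def demo() -> dict:
    """Run the honest car, the two jammer modes, and the anti-jam gun."""
    real = real_echoes(1000 * FT, 65 * MPH, 200)   # assumed scenario, 1 s of pulses
    return {
        "honest": gun_reading(real),
        "brute_force": gun_reading(add_jammer(real, constant_100ft)),
        "recede": gun_reading(add_jammer(real, recede_from_600ft)),
        "anti_jam": gun_reading(add_jammer(real, constant_100ft), anti_jam=True),
    }


if __name__ == "__main__":
    for name, reading in demo().items():
        print(f"{name:12s} {reading}")
```

Running `demo()` gives about 65 mph for the honest car, about 0 mph at 100 ft for the constant-range brute force, a negative (receding) speed for the 600 ft to 999 ft walk, and ERROR from the gun that counts echoes per pulse. The laser-shift trick the talk mentions for beating that last check is not modelled; it would amount to timing the fake so that it lands in the same slot the gun expects the genuine echo in.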
