Hackers show off long-distance Wi-Fi radio proxy at DEF CON

The device uses the 900 Mhz band but hides the data in the background radio noise

HamSammich doesn't generate a clearly visible signal that can easily be tracked

HamSammich doesn't generate a clearly visible signal that can easily be tracked

A talk about a radio-based privacy device dubbed ProxyHam that promised to allow hackers to connect to Wi-Fi networks from as far as 2.5 miles away was abruptly pulled from the DEF CON schedule by its creator a few weeks ago.

The incident, which some speculated was the result of pressure from the FBI or the NSA, outraged the security community. But as hackers are not the type to give up easily, they quickly came up with a replacement that in many respects is better than the original.

Called HamSammich, the new device is the creation of security researchers Robert Graham and David Maynor and can proxy data over the 900 Mhz radio band from 20 miles away at up to 56kbps -- the top speed of a dial-up modem from the late 1990s. It was presented at the DEF CON hacking conference on Friday.

The idea behind ProxyHam and HamSammich is that a user can install the device in a public place, connect it to a free Wi-Fi hotspot and then relay the connection over the 900 Mhz band to a computer that's equipped with a powerful antenna pointed at the location of the first device. This would make the user appear to be physically in one location while in fact he would be miles away.

The problem with the ProxyHam concept is that its creator, a researcher named Ben Caudill, believed that no one monitors the 900 Mhz band, but in fact it's quite easy to see the signal and track it, Graham and Maynor said.

The two researchers believe that the more likely explanation for the talk's sudden cancellation was that Caudill's activity was discovered by the Federal Communications Commission because he boosted the transmit power to levels that are not allowed. He was also using encrypted signals over the 900 Mhz amateur (ham) radio band, which is also against regulations.

The FCC has people watching the radio frequencies in all cities, so the agency probably tracked him down and made him sign a consent decree that prevents him from engaging in this type of activity in the future, Graham said.

HamSammich takes a different approach. It uses a very weak signal, but spreads it out using many software-defined radios. The signal is kept behind the noise floor, which puts in the range of radio interference caused by natural phenomenon like thunderstorms and man-made devices -- the background noise one hears when tuning a radio.

This severely limits the device's connection speed, but increases its range. And while the signal can still be tracked with specialized equipment, there's a good chance that no one is looking.

Nobody will complain if your added noise is below the background noise, Graham said. The transmitted data is not encrypted, but that's not of great concern if no one knows it's there, he said.

Caudill's company, Rhino Security Labs, which announced the talk's cancellation in July, did not immediately respond to a request for comment.

However, Caudill told Wired in an interview last month that the FCC had nothing to do with it. At the time, Rhino Security also said that it was immediately halting development of ProxyHam, that it wouldn't release any more details about the device and that existing units would be "disposed of."

Join the CSO newsletter!

Error: Please check your email address.

Tags Defconsecurityprivacy

More about FBIFCCFederal Communications CommissionNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place