AERMORed Blog


Red Pandas Unlocking the Future

Tools

In cybersecurity, staying ahead of potential threats is a necessity, not just a goal. Wireless communication is everywhere, and a large share of it happens below 1 GHz, in the 315, 433, 868 and 915 MHz ISM bands used by remotes, sensors and telemetry radios. Understanding these sub-GHz radio signals is often the linchpin for securing a site. This post looks at what lives in the sub-GHz spectrum and why it matters for pentesting.

The IoT Connection: Your thermostat talks to its hub, your car talks to its key fob, and your alarm panel talks to its door sensors. This web of interconnected devices is the Internet of Things (IoT), and a significant share of them communicate over sub-GHz radio because it offers longer range, better wall penetration and lower power draw than 2.4 GHz. For a pentester, assessing the security of these links is a core task, and the sections below show how these signals expose smart homes and industrial automation systems to attack.

Wireless Protocols Unveiled: Behind the scenes, several wireless protocols rely on sub-GHz frequencies: Z-Wave (around 868 MHz in Europe and 908 MHz in North America) and LoRa/LoRaWAN (433, 868 or 915 MHz depending on region) are the common ones. Zigbee, by contrast, is deployed almost exclusively at 2.4 GHz; the sub-GHz Zigbee PHYs exist but are rarely used, so treat it as a 2.4 GHz target. These protocols are the lifeblood of smart cities, industrial control systems and more. We will look at their weaknesses and at how an attacker might exploit them.

Beyond the Digital Realm

Physical Layer Attacks: Cybersecurity is not confined to code and algorithms; it extends into the physical domain. Sub-GHz links are exposed to physical layer attacks such as jamming (denying the link with a stronger signal on the same channel), signal manipulation, eavesdropping (most sub-GHz links are unencrypted OOK or FSK that any cheap receiver can demodulate) and replay attacks (recording a transmission and sending it again, which works against any fixed-code device). These real-world threats can disrupt or compromise wireless communication, and understanding them is a prerequisite for every pentester.
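To make the replay attack concrete, here is an added example (not code from the original post or from any vendor) that models the two receiver designs a pentester meets in the field: a fixed-code receiver, which accepts the same frame forever, and a rolling-code receiver, which keeps a counter and a message tag. The rolling-code scheme here is a constructed illustration using a truncated HMAC over (serial, counter); it is not KeeLoq or any real vendor's scheme, and the key, serial and window size are assumptions.

```python
"""Replay attack against a fixed-code receiver versus a rolling-code receiver.
Constructed toy models: the rolling-code scheme uses HMAC-SHA256 over
(serial, counter) for illustration and is not KeeLoq or any vendor's scheme."""
import hmac
import hashlib
import struct

COUNTER_WINDOW = 16   # how far ahead of the last accepted counter a press may be (assumed)


class FixedCodeRemote:
    """Remote that sends the same 24-bit code on every press (DIP-switch era)."""
    def __init__(self, code: int):
        self.code = code

    def press(self) -> bytes:
        return self.code.to_bytes(3, "big")


class FixedCodeReceiver:
    """Accepts any frame equal to the paired code; it has no notion of freshness."""
    def __init__(self, code: int):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code.to_bytes(3, "big"))


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    """32-bit authenticator over serial||counter (truncated HMAC, constructed)."""
    return hmac.new(key, struct.pack(">IH", serial, counter), hashlib.sha256).digest()[:4]


class RollingCodeRemote:
    """Each press increments a 16-bit counter and authenticates it with the shared key."""
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter = (self.counter + 1) & 0xFFFF
        return struct.pack(">IH", self.serial, self.counter) + _tag(self.key, self.serial, self.counter)


class RollingCodeReceiver:
    """Accepts a frame only if the tag verifies and the counter is strictly newer
    than the last accepted one, within COUNTER_WINDOW (tolerates unheard presses)."""
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 10:
            return False
        serial, counter = struct.unpack(">IH", frame[:6])
        if serial != self.serial:
            return False
        if not hmac.compare_digest(frame[6:], _tag(self.key, serial, counter)):
            return False
        delta = (counter - self.last_counter) & 0xFFFF
        if delta == 0 or delta > COUNTER_WINDOW:
            return False          # replayed (delta 0) or too far ahead
        self.last_counter = counter
        return True


def demo() -> dict[str, bool]:
    """Record one press of each remote over the air, replay it, and compare outcomes."""
    fixed_remote, fixed_rx = FixedCodeRemote(0xA5C3F0), FixedCodeReceiver(0xA5C3F0)
    sniffed = fixed_remote.press()           # attacker records this frame
    fixed_first = fixed_rx.accept(sniffed)
    fixed_replay = fixed_rx.accept(sniffed)  # same bytes, accepted again

    key = bytes(range(16))                   # constructed shared key
    roll_remote = RollingCodeRemote(key, 0xDEADBEEF)
    roll_rx = RollingCodeReceiver(key, 0xDEADBEEF)
    sniffed = roll_remote.press()
    roll_first = roll_rx.accept(sniffed)
    roll_replay = roll_rx.accept(sniffed)    # counter already used: rejected
    forged = bytearray(sniffed)
    forged[5] ^= 0x01                        # bump the counter without the key
    roll_forged = roll_rx.accept(bytes(forged))
    for _ in range(5):                       # presses the receiver never heard
        roll_remote.press()
    roll_resync = roll_rx.accept(roll_remote.press())  # still inside the window
    return {"fixed_first": fixed_first, "fixed_replay": fixed_replay,
            "roll_first": roll_first, "roll_replay": roll_replay,
            "roll_forged": roll_forged, "roll_resync": roll_resync}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}")
```

The counter window that lets the rolling-code receiver tolerate unheard presses is also where jamming and replay combine: if an attacker jams the receiver while recording a press, that counter is never consumed, so the recorded frame stays inside the window and can be replayed later. That is the idea behind the jam-and-replay attacks on rolling-code systems.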

Let the Red Pandas Step In

One intriguing facet of sub-GHz radio signals that captured my attention involves a string of criminal activities where miscreants would pull up to gas stations and clandestinely alter the fuel prices to their advantage, siphoning off gallons of fuel for personal use or illicit sales. The question that loomed large was, “How on earth did they manage this?” The answer lies in an unsuspecting system designed for convenience at gas pumps – a “TV remote”-like device working on sub-GHz frequencies, communicating with the pumps, signs, and registers to set fuel prices.

This discovery set my mind racing: what else operates in the sub-GHz realm? Unsurprisingly, the answer is “a lot.” Here is a thought-provoking list, with a note on which of these are really sub-GHz and which are 2.4 GHz devices in disguise:

  1. Wireless Doorbells: Many simple wireless doorbells use 433 MHz (or 315/868/915 MHz) OOK links between the button and the chime, usually with a fixed code. Video doorbells are Wi-Fi devices.

  2. Remote Controls: Television remotes are almost all infrared, but RF remotes for ceiling fans, blinds, gates and some audio gear operate on 315/433 MHz.

  3. Car Key Fobs: Remote keyless entry transmits at 315 MHz (North America) or 433 MHz (Europe), normally with rolling codes. Passive keyless entry and immobilizers add a 125 kHz low-frequency challenge from the car, with the fob answering on the UHF link.

  4. Smart Home Sensors: Motion detectors and door/window contacts commonly report over 433, 868 or 915 MHz, either proprietary OOK/FSK or Z-Wave.

  5. Home Security Systems: Many alarm panels link their sensors and sirens over 345, 433 or 868 MHz; the cameras in the same kit are usually Wi-Fi.

  6. Wireless Thermostats: Thermostats that talk to a boiler or HVAC receiver often use 868/915 MHz or Z-Wave; internet-connected thermostats are Wi-Fi.

  7. Garage Door Openers: Most operate between roughly 300 and 434 MHz. Older units use DIP-switch fixed codes (trivially replayable); newer ones use rolling codes.

  8. Wireless Water and Gas Meters: Automatic meter reading systems transmit consumption data in the 900 MHz ISM band or, in Europe, over wireless M-Bus at 868 MHz, often unencrypted.

  9. Smart Lighting Systems: Z-Wave switches and bulbs and cheap 433 MHz RF wall switches are sub-GHz; Zigbee and Wi-Fi bulbs are 2.4 GHz.

  10. Wearable Fitness Trackers: These sync over Bluetooth Low Energy at 2.4 GHz, not sub-GHz; they belong on a Bluetooth assessment, not a sub-GHz one.

  11. Wireless Headphones: Mostly Bluetooth (2.4 GHz), but some TV-listening headphones use 863-865 MHz or the 900 MHz band.

  12. RFID Tags: Access cards are LF (125 kHz) or HF (13.56 MHz) near-field tags, technically below 1 GHz but not radio links in the ISM-band sense; UHF RFID for inventory tracking (860-960 MHz) is genuinely sub-GHz.

  13. Baby Monitors: Older analog monitors used 49 MHz or 900 MHz; most current models use DECT (1.9 GHz), 2.4 GHz or Wi-Fi.

  14. Wireless Weather Stations: Outdoor sensors send readings to the display on 433, 868 or 915 MHz, almost always in the clear.

  15. Industrial Control Systems: Telemetry radios for pumps, tanks and remote I/O often run in the 900 MHz ISM band or over LoRa, sometimes with no authentication at all.

  16. Wireless Headsets: Customer service and warehouse headsets are typically DECT or Bluetooth; a few use 900 MHz.

  17. Wireless Printers: These are Wi-Fi devices at 2.4/5 GHz, not sub-GHz.

  18. Wireless Mouse and Keyboard Sets: Nearly all use proprietary 2.4 GHz links or Bluetooth; only some older sets used 27 MHz.

  19. Wireless Security Cameras: Mostly Wi-Fi; a few analog video senders and long-range links use 900 MHz.

  20. Wireless Audio Transmitters: Some speaker and headphone transmitters use the 900 MHz band, though many newer ones are 2.4 GHz.

Unsurprisingly, the security of these communications often became a topic of concern only after someone asked, “I wonder if…?”

Enter the GOAT: Flipper Zero

Flipper Zero is a device that resembles a Tamagotchi but packs a formidable set of capabilities:

  1. Radio Frequency (RF) Hacking: Flipper Zero carries a CC1101 sub-GHz transceiver covering roughly 300-348, 387-464 and 779-928 MHz, which spans the 315/433/868/915 MHz bands most remotes and sensors use. It can record raw OOK and FSK signals, decode many fixed-code protocols and identify several rolling-code ones, and transmit what it has recorded or decoded.
  2. Hardware Hacking: The GPIO header exposes UART, SPI and I2C, and the DAP-Link app lets the device act as an SWD/JTAG debug probe, which makes it handy for talking to and dumping embedded boards during hardware reverse engineering.
  3. Device Emulation: It can emulate 125 kHz LF RFID cards, many 13.56 MHz NFC cards, iButton keys and fixed-code sub-GHz fobs, which makes it useful for access control assessments. It cannot emulate a rolling-code fob it has merely overheard.
  4. Tamagotchi-Like Interface: Flipper Zero adds an element of playfulness with its Tamagotchi-like interface. Users nurture their “cyberpet” while employing the device for serious testing.
  5. Open-Source Firmware: With open-source firmware, Flipper Zero invites community contributions, customization and new features. Users are free to modify and extend its functionality to suit their needs.
  6. Brute-Forcing: Flipper Zero is not a password cracker and does not attack network protocols or encryption. What it can do is exhaust small keyspaces in the field, such as fixed-code sub-GHz remotes (largely through community firmware), and run BadUSB scripts that type credential guesses into a host.
  7. Infrared (IR) Hacking: Flipper Zero can learn, replay and emulate IR remote controls, which simplifies analyzing and controlling IR-driven home automation gear.
  8. SDR-Like Use: Flipper Zero is not a software-defined radio. The CC1101 is a narrowband, fixed-function transceiver with a handful of OOK and 2-FSK presets; it does not expose raw IQ samples. For wideband surveys or unusual modulations, pair it with a real SDR and use the Flipper as the transmit-and-replay end.
  9. RFID Hacking: The device reads and emulates 125 kHz LF cards and 13.56 MHz NFC cards, letting researchers test RFID-based access systems. UHF RFID (860-960 MHz) is out of its scope.
  10. HID Attack and Keyboard Emulation: Flipper Zero runs BadUSB payloads written in DuckyScript-style syntax, presenting itself as a USB keyboard to type attacker-chosen input into a host.
  11. Extensive Toolset: The device has no Wi-Fi, Ethernet or network stack of its own, so it does no network scanning or vulnerability analysis out of the box; the official Wi-Fi dev board and third-party add-ons extend it in that direction. What it ships with is a set of apps for the radios and interfaces listed above.
  12. Firmware Flashing and Exploitation: Through its GPIO and debug-probe role it can help dump and flash firmware on some embedded targets, supporting (not replacing) the reverse engineering needed to find vulnerabilities.

Flipper Zero has garnered a dedicated community of users, many of whom have flashed custom firmware, unlocking its full potential. This thriving community is characterized by its collaborative spirit, sharing discoveries and innovations, and driving the device to new heights.
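As an added illustration of the “signal analysis and decoding” side of the device (this is example code written for this page, not Flipper Zero's firmware or any file from its project), here is a parser for a sub-GHz RAW capture in the text layout Flipper uses for its .sub files (header lines plus RAW_Data lines of signed microsecond durations, positive for carrier on, negative for carrier off), followed by a PWM decoder for a PT2262/Princeton-style 24-bit fixed code. The capture is synthesised inline rather than recorded from a real remote, and the base period, sync gap and bit convention (bit 0 = short high then long low, bit 1 = long high then short low) are stated assumptions for this toy remote.

```python
"""Decode a Flipper Zero sub-GHz RAW capture into PT2262/Princeton-style
24-bit fixed codes.  Constructed example: the pulse train is synthesised here
rather than recorded from a real transmitter."""
import random

T_US = 400            # assumed base period "T" of the remote, in microseconds
SYNC_GAP = 36 * T_US  # assumed carrier-off gap that terminates each frame


def encode_princeton(code: int, t: int = T_US) -> list[int]:
    """Emit one 24-bit frame as signed durations (+ = carrier on, - = off).
    Bit 1 = long high, short low; bit 0 = short high, long low (PWM)."""
    out = []
    for i in range(23, -1, -1):
        out += [3 * t, -t] if (code >> i) & 1 else [t, -3 * t]
    out += [t, -SYNC_GAP]
    return out


def jitter(durations: list[int], seed: int = 1, pct: float = 0.15) -> list[int]:
    """Add deterministic +/-15 % timing noise, as a real capture would show."""
    rng = random.Random(seed)
    return [int(d * (1 + rng.uniform(-pct, pct))) for d in durations]


def make_sub_file(durations: list[int], freq_hz: int = 433920000) -> str:
    """Write the capture in the layout of a Flipper SubGhz RAW .sub file."""
    lines = ["Filetype: Flipper SubGhz RAW File", "Version: 1",
             f"Frequency: {freq_hz}", "Preset: FuriHalSubGhzPresetOok650Async",
             "Protocol: RAW"]
    for i in range(0, len(durations), 64):
        lines.append("RAW_Data: " + " ".join(map(str, durations[i:i + 64])))
    return "\n".join(lines) + "\n"


def parse_sub_raw(text: str) -> tuple[dict[str, str], list[int]]:
    """Return (headers, durations) from .sub text; RAW_Data lines may repeat."""
    headers, durations = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "RAW_Data":
            durations += [int(x) for x in value.split()]
        else:
            headers[key.strip()] = value.strip()
    return headers, durations


def decode_princeton(durations: list[int], t: int = T_US, tol: float = 0.35) -> list[int]:
    """Walk (high, low) pairs, classify each as a 0/1 PWM symbol or a sync gap,
    and return every complete 24-bit code found.  Partial or malformed frames
    (wrong polarity, bad timing) are dropped rather than guessed."""
    def near(d: int, target: int) -> bool:
        return abs(abs(d) - target) <= tol * target

    codes, bits = [], []
    for high, low in zip(durations[0::2], durations[1::2]):
        if high <= 0 or low >= 0:                 # polarity slipped: resync
            bits = []
        elif near(high, t) and -low >= 10 * t:    # sync gap ends a frame
            if len(bits) == 24:
                codes.append(int("".join(map(str, bits)), 2))
            bits = []
        elif near(high, 3 * t) and near(low, t):
            bits.append(1)
        elif near(high, t) and near(low, 3 * t):
            bits.append(0)
        else:                                     # noise: discard partial frame
            bits = []
    return codes


# Constructed capture: three presses of a remote whose fixed code is 0xA5C3F0.
SAMPLE_CODE = 0xA5C3F0
SAMPLE_SUB = make_sub_file(jitter(encode_princeton(SAMPLE_CODE) * 3))


def decode_sample() -> tuple[str, list[int]]:
    """Parse the constructed .sub text and decode every frame in it."""
    headers, durations = parse_sub_raw(SAMPLE_SUB)
    return headers["Frequency"], decode_princeton(durations)


if __name__ == "__main__":
    freq, codes = decode_sample()
    print(f"{freq} Hz: {[hex(c) for c in codes]}")
```

The tolerance of 35 % around each nominal duration is wide enough to absorb the timing noise of a cheap OOK transmitter yet keeps the short (1T) and long (3T) classes from overlapping; any pair that fits neither class resets the frame, so a burst of noise costs one frame rather than producing a wrong code. Once a fixed code decodes cleanly like this, the same bytes can be sent back, which is exactly why the device list above distinguishes fixed-code from rolling-code gear.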

The Rising Star: CyperPRO Gameboy

On the horizon is a new entrant in the field, the CyperPRO Gameboy, currently fully funded on Kickstarter with a campaign ending on October 26, 2023. This promising newcomer exhibits the potential to shine brightly. Unlike some competitors, CyperPRO Gameboy integrates many features typically relegated to external add-on boards, streamlining its capabilities and enhancing user experience. The project’s creators recognize the maturity of the Flipper Zero’s capabilities and aim to foster compatibility, building on the existing community rather than fragmenting it. As an enthusiast, I’m excited to witness the unfolding of the sub-GHz universe as research and innovation continue to advance.


In the realm of pentesting and cybersecurity, knowledge serves as the ultimate weapon. Understanding the intricacies of sub-GHz radio signals and their vulnerabilities is the cornerstone of securing our increasingly interconnected world. As we unravel the complexities of these signals, we empower ourselves to anticipate and thwart potential threats, forging a path toward a digitally safer future.