Disclaimer: All information contained in this post is for educational purposes only. This article is a recap from a discussion that took place during DEFCON 27 by Bill Swearingen titled ‘HAKC The Police’.
Hardware hacking is not currently my strong suit. Don’t get me wrong the drive is there to learn, it’s just hard to find a balance between learning new network hacking techniques, mobile and cloud that I keep putting hardware hacking on the back burner. To compensate for that I thought I would write about some of my favorite hacks that have taken place in the last few years. There’s the XBOX, the iPhone and then there’s LIDAR guns.
What is LiDAR?
LiDAR stands for light detection and ranging. All it does is uses lasers to bounce of objects and return it to the source of the laser. Then the distance is measured by timing the speed of the laser and how it long it takes for the laser to return back to its original source.
LiDAR is everywhere nowadays and it’s uses in modern tech is nothing new. Just last year Apple implemented LiDAR technology in their cameras, this enables the phone to make fairly accurate 3D models.
Why does Law Enforcement use LiDAR?
Law Enforcement uses LiDAR for a few reasons, one of them is to avoid detection. See people still think cops use RADAR guns, that’s incorrect but it’s a good time for a quick segue into RADAR and why it’s not used.
What is RADAR?
RADAR or Radio Detection and Ranging allows devices enabled with this technology to detect objects at far off distances and measure the distance by using electromagnetic waves. In more simpler terms, it uses radio waves to measure the speed of an object.
Back to LiDAR…
So yes Law Enforcement uses LiDAR, RADAR if you figured out can be detected by scanners and avoided by using jammers. RADAR is similar to wireless internet or the microwaves coming out of your kitchen when your warming up last nights dinner. So to avoid being spotted, cops switched LiDAR as a way to avoid detection.
CLASS 1 – 904nm (Invisible IR)
This laser is a standardized class of laser. This means it’s “safe”. That means if you were to look directly into the laser, chances are that nothing will happen.
Lets take a trip back to high-school.
speed = distance / time and
distance = C * T / 2
When laser guns measure distance their doing at rate of about 100 – 200 measurements per second. As Bill says, by the time that laser gun has gone off it has already measured your speed (many times over).
Who Cares about the Disclaimer, Laser Jamming is Legal
Disclaimer: Except in California, Minnesota, Utah, Colorado, Oklahoma, Texas, Illinois, Tennessee, South Carolina and DEFINTIELY ILLEGAL in Virginia.
Lets Get Hacking
The first step in any hacking scenario is learning how what your hacking works. How does information travel over a network? How does SMB share files with clients? How does a laser gun work?*
\*we already know how lasers work
So when dealing with different guns, you’re dealing with different manufacturers. With that you will have different timings but the frequency used by each gun is the SAME, and once you understand how they work, you will understand how to attack each and every single one.
Let’s discuss the key things here:
- Pulse width
- How long the LASER remains on
- How often it shoots (Period Cycle)
So when the LiDAR gun sends a series of pulses, it sits there and waits for a return. It is here that gun is measuring your distance. But the funny part about this is, it only knows how far you are away…for now, it’s at the second, third, fourth hits than gun can precisely measure the speed at which your car is traveling. This is why these guns measure hundreds of times a second.
It’s also important to understand that every-time these guns emit a pulse they expect a return signal. So what happens if during that 5ms window we return our own signal and lasers measure distance, not speed. So according to Bill if we can return a pulse quicker than the one that is actually being reflected, we can dictate to the LIDAR gun how far we are.
The Brute Force
Luckily we know what frequency of laser that the gun is emitting (904nm), so every 1ms we can emit a pulse from somewhere on our vehicle. So if we return a pulse in 1ms, we’re not telling the cop holding the LIDAR we are speeding, we’re actually telling them we’re close by.
In this scenario:
A police officer uses a LIDAR gun to measure the speed of a passing vehicle.
LASER goes out.
We emit back a pulse in 1 millisecond.
This registers in the gun as if we’re 100 feet away.
This time it registers in the gun that we’re still 100 feet away
Fortunately, vendors have caught on to this method of brute forcing and the gun will return an error message. The new generation of LIDAR guns are able to identify that they emitted one pulse but got 4 back in return. This is why an error is thrown.
To counter this we need to identify the pulse width of the laser being emitted as each gun manufacturer sets a different time spacing between pulses. Once we do this via brute forcing, we can then implement some countermeasures to avoid having the gun call an error message.
RED = Pulse from LASER gun || ORANGE = Our reflection || GREEN = What we’re returning
So to counter the error handling on the laser gun we can vary our returns. LASER gun emits a pulse, we return and we’re 600 feet away but on the second pulse we know what manufacturer the gun is and how to counter their rules. Our next pulse back to gun shows us now at 1000 feet away or going in reverse. This is how commercial laser jammers work today.
An ESP based WiFi hacking tool.
This can be used to build a laser jammer or your own LIDAR gun for testing.
Once again, all information posted in this article is intended for research purposes only.
Links to PPT/YT: