Tuesday, July 14, 2015

How to build your own ProxyHam

"ProxyHam" created controversy because the talk was supposedly suppressed by the US government. In this post, I'll describe how you can build your own, with off-the-shelf devices, without any code.

First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.

Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you'll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.

Now grab your two locoM9 devices and configure them for "transparent bridging". In this mode, whatever Ethernet packets that are received on one end get sent over the air to the other end. Connect each localM9 via the TL-WR700N via the supplied Ethernet cable.

Now grab the second WiFi device and configure it as a normal WiFi router.

Now, assuming you aim the localM9's correct toward each other with reasonable line-of-sight, you've got a "ProxyHam".

The reason this works so easily is that everything has been designed to work this way. Bands like 900 MHz, 2.4 GHz, and 5 GHz are the "ISM bands" that are largely unregulated by the government. Unregulated means that if somebody is causing interference in those bands, you can't complain to the government to make them stop.

The 900 MHz band is attractive because the signal will go a lot further than 2.4 GHz. On the other hand, it's a smaller band, so can't carry the same speed as 2.4 GHz band or the 5 GHz band.

Industrial equipment use the 900 MHz band extensively. There are an enormous number of devices that'll bridge two wires in this band. Most of them are for simple serial protocols like RS232. Some are for Ethernet, like the locoM9. They tend be industrial grade things that cost a lot more. The locoM9 is the cheapest device that does this from Ubiquiti, but they have a lot of more expensive stuff to choose from, often with better directional antennas that'll go farther.

WiFi, too, is supposed to work this way. When you buy a WiFi router, you normally set it up in "access-point" mode. But virtually every router supports other modes, such as the "client" or "bridging" mode described above. It's supposed to work this way.

The point of "ProxyHam" isn't that there is some new magic out there, but that hackers can take existing stuff, for their expected purpose, but achieving an unexpected outcome.


Samuel A. Falvo II said...

As long as your power levels comply with Part 15 regulations, you cannot be asked to remove your signal. As soon as you exceed the Part 15-allowed levels of power, or otherwise disobey part 15 regulations, you are no longer bound by that contract, and are legally liable for your signal. Those are ISM bands, but remember that M stands for "Military," so if you interfere with military operations, you can be in some deep schiht.

Thomas Hoffecker said...

M in ISM stands for medical!


Paul said...

The FCC has the equipment and the experience to quickly track down the location of the remote transmitter. There may be an element of surprise if the FBI were not expecting something like this, but otherwise it should prove to be just another minor impediment to tracking the user down. Amateur (Ham) radio operators actually make a game of finding hidden transmitters called "fox hunting".

Paul said...

My hypothesis for why they might have had to pull this project is that IIRC, encryption for confidentiality is forbidden to unlicensed stations on the 900MHz band in the USA. So, forwarding encrypted Wi-Fi over 900 MHz could land you in trouble once the FCC found you and manufacturing and distributing a device that transmits encrypted data could land you in worse trouble.

Jason said...

Paul, I don't think that's true — for example, ZigBee uses symmetric encryption out of the box and operates in (among other frequencies) the 900 MHz band. Am I mistaken?

tzs said...

@Samuel A Falvo II: that is not quite correct. ISM users (Part 18) are primary users of 902-928 MHz. Hams (Part 97) are secondary to Part 18 users.

Part 15 users are at the bottom of the totem pole. 15.5(b) says that their operation is subject to the conditions that "no harmful interference is caused" and that " interference must be accepted that may be caused by the operation of an authorized radio station, by another intentional or unintentional radiator, by industrial, scientific and medical (ISM) equipment, or by an incidental radiator".

Harmful interference is defined in 15.3(m) as "Any emission, radiation or induction that endangers the functioning of a radio navigation service or of other safety services or seriously degrades, obstructs or repeatedly interrupts a radiocommunications service operating in accordance with this chapter".

For Part 15 users in 902-928 MHz, this means they are not allowed to cause harmful interference to ISM users or ham users. It doesn't matter if they are under the power limit for Part 15, or in compliance with all of the other technical requirements for antennas, modulation, bandwidth, and so on.

(Hams in 902-928 MHz are not allowed to cause harmful interference to ISM users, and must accept interference from ISM users)

Unknown said...

one question, the post says: "Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device"

Then later: " Connect each localM9 via the TL-WR700N via the supplied Ethernet cable."

This to me is confusing. What is the actual flow of hardware?

Laptop connected via ethernet to one TL-WR700N, with this TL-WR700N connected to SSID "Starbucks" One locoM9 connected to this TL-WR700N via ethernet

Someplace else: a locoM9 connected to another TL-WR700N via ethernet, and this connected to the internet?

That doesn't seem right. What am I missing?

Paul said...

Jason, the twist seems to be that Part 15 (section 203) only authorizes you to use a Part 15 approved device with the antenna it was certified with. So, if you replace the antenna with a higher gain one more suited to the needs of this project (the Yagi), the setup is no longer authorized to transmit under Part 15. You could use the Yagi if you are licensed under Part 97, but Part 97 explicitly prohibits encryption. Otherwise, you would be operating an unlicensed transmitter.

HaQue said...

@Unknown: "This to me is confusing. What is the actual flow of hardware?"

The part "In this mode, you can then connect your laptop via Ethernet to this device"
was a comment, not actually part of instruction I believe. The flow of hardware:

[Secret Laptop]-[TL-WR700N]-[locoM9]-))))))))((((((((-[locoM9]-[TL-WR700N]-[Starbucks Wi-Fi]