Last modified: Fri Nov 27 09:51:24 2020

Introduction to Wireless Security Testing



You will need some hardware, but the selection depends on the device to be tested.

This page contains a summary of available hardware that can be useful in testing wireless networks, such as WiFi, Bluetooth, 802.15.4, ZigBee, etc. In particular, I include devices that use the 2.4 GHz and 900 MHz frequency bands, along with some software-defined radios. These devices can be stand-alone units, USB dongles, or Arduino shields.

I have also included the frequency range, the cost, and a short summary of each. In particular, if you are investigating industrial networks, I hope you find this useful.

I use "hacking" in the original sense: a clever bit of programming. Hacking requires deep knowledge of a system, and that same depth of knowledge is what security testing and research usually demand.

One of the first steps is to determine the frequency of interest. I've tried to put on one page the hardware and where to purchase it, with the approximate cost and the frequency/application of each unit.

At a future date I will add more information on the available software.

RF Frequencies

The wireless spectrum is divided into several categories, as described in Wikipedia. Research into wireless security generally falls into a few specific frequency ranges. If you wish to do research, please make sure you follow all laws that apply to your location.

Generally, researchers of wireless security find the following frequencies interesting:

The Industrial, Scientific and Medical (ISM) Bands


The following table came from Wikipedia:

| Frequency range | Bandwidth | Center frequency | Availability |
|---|---|---|---|
| 6.765–6.795 MHz | 30 kHz | 6.780 MHz | Subject to local acceptance |
| 13.553–13.567 MHz | 14 kHz | 13.560 MHz | Worldwide |
| 26.957–27.283 MHz | 326 kHz | 27.120 MHz | Worldwide |
| 40.660–40.700 MHz | 40 kHz | 40.680 MHz | Worldwide |
| 433.050–434.790 MHz | 1.74 MHz | 433.920 MHz | Region 1: Europe, Africa, parts of the Middle East, Russia, etc. |
| 902.000–928.000 MHz | 26 MHz | 915.000 MHz | Region 2: North and South America |
| 2.400–2.500 GHz | 100 MHz | 2.450 GHz | Worldwide |
| 5.725–5.875 GHz | 150 MHz | 5.800 GHz | Worldwide |
| 24.000–24.250 GHz | 250 MHz | 24.125 GHz | Worldwide |
| 61.000–61.500 GHz | 500 MHz | 61.250 GHz | Subject to local acceptance |
| 122.000–123.000 GHz | 1 GHz | 122.500 GHz | Subject to local acceptance |
| 244.000–246.000 GHz | 2 GHz | 245.000 GHz | Subject to local acceptance |

If you are exploring the RF spectrum, a very useful reference for identifying licensed ISM frequencies in your area (i.e. by ZIP code) is Radio Reference, which lists the "owners" of certain frequencies based on your location/ZIP code.

The ISM bands can be used by consumers as well.

Consumer Standards in the ISM bands

Here are some popular protocols and frequencies used by consumer devices.

Global System for Mobile Communication (GSM) Bands

There are fourteen GSM bands defined in 3GPP (formerly IMT-2000), as shown in this table from Wikipedia. I added the US Carriers by name as a convenience.

| System | Band | Uplink (MHz) | Downlink (MHz) | Channel number | US Carriers |
|---|---|---|---|---|---|
| T-GSM-380 | 380 | 380.2–389.8 | 390.2–399.8 | dynamic | |
| T-GSM-410 | 410 | 410.2–419.8 | 420.2–429.8 | dynamic | |
| GSM-450 | 450 | 450.6–457.6 | 460.6–467.6 | 259–293 | |
| GSM-480 | 480 | 479.0–486.0 | 489.0–496.0 | 306–340 | |
| GSM-710 | 710 | 698.2–716.2 | 728.2–746.2 | dynamic | 4G (AT&T, Cellular) |
| GSM-750 | 750 | 747.2–762.2 | 777.2–792.2 | 438–511 | 4G (Verizon) |
| T-GSM-810 | 810 | 806.2–821.2 | 851.2–866.2 | dynamic | Voice (Sprint/US Cellular), 4G (Sprint) |
| GSM-850 | 850 | 824.2–849.2 | 869.2–894.2 | 128–251 | US Voice (AT&T, Verizon), US 4G (AT&T, US Cellular) |
| P-GSM-900 | 900 | 890.0–915.0 | 935.0–960.0 | 1–124 | |
| E-GSM-900 | 900 | 880.0–915.0 | 925.0–960.0 | 975–1023, 0–124 | |
| R-GSM-900 | 900 | 876.0–915.0 | 921.0–960.0 | 955–1023, 0–124 | |
| T-GSM-900 | 900 | 870.4–876.0 | 915.4–921.0 | dynamic | |
| DCS-1800 | 1800 | 1,710.2–1,784.8 | 1,805.2–1,879.8 | 512–885 | Voice (T-Mobile), 4G (AT&T, T-Mobile, Verizon) |
| PCS-1900 | 1900 | 1,850.2–1,909.8 | 1,930.2–1,989.8 | 512–810 | Voice/3G (AT&T, Verizon, Sprint, T-Mobile, US Cellular), 4G (Sprint) |

Another reference that some may find useful is Charles Reid's Link

Selecting Appropriate Hardware for Wireless Security Testing

The hardware and frequency must be compatible. Some of the deciding factors may include:

Obviously, more features cost more.

Now let's look at the available hardware.

Hardware for Wireless Hacking

The hardware you use depends on the target. There are two important characteristics - the frequency and the type of network.

The easier path is to use hardware that is compatible with the target device. The US has various frequencies that are dedicated to consumer devices, such as 900 MHz, 2.4 GHz and 5 GHz. The various WLAN channels are listed here

Hacking at the 2.4 GHz Spectrum

There are several protocols at 2.4 GHz, such as WiFi, Bluetooth, XBee, ZigBee, etc. Selecting the hardware depends on the target.

Hardware for Hacking IEEE 802.11 b/g/n (Wifi) packets

There should be no problem getting hardware, as the hardware is highly standardized.

Some of the frequencies are emerging standards, like 3.6 GHz (802.11y), 4.9 GHz (802.11y) Public Safety WLAN, 5 GHz (802.11a/h/j/n/ac), and 5.9 GHz (802.11p).

There are specialized, dedicated devices available, like the Pineapple ($99), the CreepyDOL, which is now available as the F-BOMB ($250), and the Pwn Plug R2 from PwnieExpress ($1095).

2.4 GHz Bluetooth

Hardware for Hacking 2.4 GHz IEEE 802.15.4 (ZigBee and 6LoWPAN) packets

The IEEE 802.15.4 radio is commonly used for sensor and mesh networking. Possible protocols include 6LoWPAN and ZigBee.

Hackers prefer open source hardware and software. Some of the available and popular hardware:

Other products that are also mentioned, but I haven't researched in depth:

Other boards (for reference purposes)

Obsolete hardware, but you might find some available

Also check out the Contiki Hardware page

2.4 GHz Chip Transceiver References

Hacking the <1 GHz Range (900 MHz) Spectrum

Some older, now obsolete, hardware was used in the past.

Other boards (for reference purposes)

<1 GHz Chip Transceiver References

Hacking the 800 MHz (868 MHz) Spectrum

See Wikipedia's entry on the 800 MHz range as it is used in Europe.

Hacking the 400 MHz (433 MHz) Spectrum

This frequency is used in Region 1 - Europe, Africa, parts of the Middle East, Russia, etc.

Hacking Ultra Wide Band

Hardware for IEEE 802.15.4a Ultra Wide Band (UWB) Hacking

Hacking any frequency

Another approach is to have a general-purpose radio that can be controlled by software to examine any frequency. What you need is a software-defined radio (SDR).

Software Defined Radios

Software-defined radios accomplish this. While SDR devices are flexible, they still have specific ranges, and if the frequency you need to study is outside of the range of the radio, you need to find another radio, or some other solution.

I am working on a page describing the software. I'll expand this later.

Suitable Hardware for GNURadio/Software Defined Radio

Here are some of the more popular hardware:

Here is a table of the frequency range of the different tuners used in RTL2832-based devices.

| Tuner | Frequency |
|---|---|
| E4000 | 55 MHz – 2300 MHz |
| FC0013 | 22 MHz – 1100 MHz |
| R820T | 25 MHz – 1700 MHz |

I would recommend the NooElec devices over the FC0013 devices (I own both). The cost is only a little more, and you will receive the hardware much more quickly as well. The NooElec eBay store also sells these devices, and may have free shipping, so that may be the best bargain.
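The page's thesis is that the first step is to pin down the frequency of interest and then check that the radio you own actually covers it. The following script is an added example, not code from the original page: it transcribes the ISM, GSM and RTL2832 tuner tables above into data, sanity-checks the ISM transcription (bandwidth must equal high minus low, center must be the midpoint), reports which band a frequency falls in and which of the three tuners can reach it, and converts a GSM channel number (ARFCN) to its uplink/downlink pair. The ARFCN formulas (200 kHz raster, fixed uplink/downlink offsets per system) are the standard 3GPP TS 45.005 relations and are an assumption added here; the page only lists the channel-number ranges.

```python
"""Band-planning helper: frequency of interest -> band and suitable tuner.

Added example, not code from the original page. The ISM, GSM and tuner
tables are transcribed from the page; the ARFCN-to-frequency formulas are
the standard 3GPP TS 45.005 relations (assumption added here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsmBand:
    low_mhz: float
    high_mhz: float
    bandwidth_mhz: float
    center_mhz: float
    availability: str


# ISM table from the page, every value converted to MHz.
ISM_BANDS = [
    IsmBand(6.765, 6.795, 0.030, 6.780, "Subject to local acceptance"),
    IsmBand(13.553, 13.567, 0.014, 13.560, "Worldwide"),
    IsmBand(26.957, 27.283, 0.326, 27.120, "Worldwide"),
    IsmBand(40.660, 40.700, 0.040, 40.680, "Worldwide"),
    IsmBand(433.050, 434.790, 1.74, 433.920, "Region 1"),
    IsmBand(902.000, 928.000, 26.0, 915.000, "Region 2"),
    IsmBand(2400.0, 2500.0, 100.0, 2450.0, "Worldwide"),
    IsmBand(5725.0, 5875.0, 150.0, 5800.0, "Worldwide"),
    IsmBand(24000.0, 24250.0, 250.0, 24125.0, "Worldwide"),
    IsmBand(61000.0, 61500.0, 500.0, 61250.0, "Subject to local acceptance"),
    IsmBand(122000.0, 123000.0, 1000.0, 122500.0, "Subject to local acceptance"),
    IsmBand(244000.0, 246000.0, 2000.0, 245000.0, "Subject to local acceptance"),
]

# RTL2832 tuner ranges (MHz) from the page's tuner table.
TUNERS = {"E4000": (55.0, 2300.0), "FC0013": (22.0, 1100.0), "R820T": (25.0, 1700.0)}

# GSM systems that have a numbered channel plan on the page:
# name -> (uplink low, uplink high, downlink offset,
#          [(first ARFCN, last ARFCN, uplink MHz at first ARFCN), ...])
# Offsets and per-ARFCN base frequencies follow 3GPP TS 45.005 (assumption).
GSM = {
    "GSM-450": (450.6, 457.6, 10.0, [(259, 293, 450.6)]),
    "GSM-480": (479.0, 486.0, 10.0, [(306, 340, 479.0)]),
    "GSM-850": (824.2, 849.2, 45.0, [(128, 251, 824.2)]),
    "P-GSM-900": (890.0, 915.0, 45.0, [(1, 124, 890.2)]),
    "E-GSM-900": (880.0, 915.0, 45.0, [(0, 124, 890.0), (975, 1023, 880.2)]),
    "R-GSM-900": (876.0, 915.0, 45.0, [(0, 124, 890.0), (955, 1023, 876.2)]),
    "DCS-1800": (1710.2, 1784.8, 95.0, [(512, 885, 1710.2)]),
    "PCS-1900": (1850.2, 1909.8, 80.0, [(512, 810, 1850.2)]),
}


def check_ism_table():
    """Return the ISM rows whose bandwidth or center disagree with the edges."""
    bad = []
    for b in ISM_BANDS:
        width_ok = abs((b.high_mhz - b.low_mhz) - b.bandwidth_mhz) < 1e-6
        center_ok = abs((b.high_mhz + b.low_mhz) / 2 - b.center_mhz) < 1e-6
        if not (width_ok and center_ok):
            bad.append(b)
    return bad


def ism_bands_for(freq_mhz):
    """ISM bands whose range contains freq_mhz (usually zero or one)."""
    return [b for b in ISM_BANDS if b.low_mhz <= freq_mhz <= b.high_mhz]


def gsm_bands_for(freq_mhz):
    """(system, 'uplink'|'downlink') pairs whose range contains freq_mhz."""
    hits = []
    for name, (ul_lo, ul_hi, dl_off, _) in GSM.items():
        if ul_lo <= freq_mhz <= ul_hi:
            hits.append((name, "uplink"))
        if ul_lo + dl_off <= freq_mhz <= ul_hi + dl_off:
            hits.append((name, "downlink"))
    return hits


def tuners_for(freq_mhz):
    """Tuners from the page's table whose range covers freq_mhz, sorted."""
    return sorted(n for n, (lo, hi) in TUNERS.items() if lo <= freq_mhz <= hi)


def arfcn_to_mhz(system, n):
    """Map a GSM channel number to (uplink MHz, downlink MHz); 200 kHz raster."""
    _, _, dl_off, ranges = GSM[system]
    for n_lo, n_hi, f_lo in ranges:
        if n_lo <= n <= n_hi:
            ul = round(f_lo + 0.2 * (n - n_lo), 1)
            return ul, round(ul + dl_off, 1)
    raise ValueError(f"ARFCN {n} is not in the channel plan for {system}")


def plan(freq_mhz):
    """Summarise band membership and tuner coverage for one frequency."""
    return {
        "ism": [f"{b.low_mhz}-{b.high_mhz} MHz ({b.availability})" for b in ism_bands_for(freq_mhz)],
        "gsm": gsm_bands_for(freq_mhz),
        "rtl_sdr_tuners": tuners_for(freq_mhz),
    }


if __name__ == "__main__":
    assert not check_ism_table(), "ISM table transcription error"
    for f in (433.92, 915.0, 1960.0, 2450.0):
        print(f"{f} MHz:", plan(f))
    print("DCS-1800 ARFCN 885 ->", arfcn_to_mhz("DCS-1800", 885))
```

Running it shows the practical point of the tuner table: 915 MHz is reachable by all three tuners, 1960 MHz (PCS-1900 downlink) only by the E4000, and 2450 MHz by none of them, so a 2.4 GHz target needs a different radio than an RTL2832 dongle.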

A comparison of the USRP, HackRF, and BladeRF was written by Taylor Killian.

More References