You will need some hardware. But the selection depends on the device to be tested.
This page contains a summary of available hardware that can be useful in testing wireless networks, such as WiFi, Bluetooth, 802.15.4, ZigBee, etc. In particular, I include devices that use the 2.4 GHz and 900 MHz frequency bands, along with some software-defined radios. These devices can be stand-alone units, USB dongles, or Arduino shields.
I have also included the frequency range and cost, and a short summary. In particular, if you are investigating industrial networks, I hope you find this useful.
I use "Hacking" in the original sense - a clever bit of programming. Hacking requires deep knowledge of a system, which is often required for security testing and research.
One of the first steps is to determine the frequency of interest. I've tried to put on one page the hardware and where to purchase it, with the approximate cost, and the frequency/application of each unit.
At a future date I will add more information on the available software.
The wireless spectrum is divided into several categories, as described on Wikipedia. Research into wireless security generally falls into several specific frequencies. If you wish to do research, please make sure you follow all laws that apply to your location.
Generally - researchers of wireless security often find the following frequencies interesting:
The following table came from Wikipedia:
Lower frequency | Upper frequency | Bandwidth | Center frequency | Availability |
---|---|---|---|---|
6.765 MHz | 6.795 MHz | 30 kHz | 6.780 MHz | Subject to local acceptance |
13.553 MHz | 13.567 MHz | 14 kHz | 13.560 MHz | Worldwide |
26.957 MHz | 27.283 MHz | 326 kHz | 27.120 MHz | Worldwide |
40.660 MHz | 40.700 MHz | 40 kHz | 40.680 MHz | Worldwide |
433.050 MHz | 434.790 MHz | 1.74 MHz | 433.920 MHz | Region 1 - Europe, Africa, parts of the Middle East, Russia, etc. |
902.000 MHz | 928.000 MHz | 26 MHz | 915.000 MHz | Region 2 - North and South America |
2.400 GHz | 2.500 GHz | 100 MHz | 2.450 GHz | Worldwide |
5.725 GHz | 5.875 GHz | 150 MHz | 5.800 GHz | Worldwide |
24.000 GHz | 24.250 GHz | 250 MHz | 24.125 GHz | Worldwide |
61.000 GHz | 61.500 GHz | 500 MHz | 61.250 GHz | Subject to local acceptance |
122.000 GHz | 123.000 GHz | 1 GHz | 122.500 GHz | Subject to local acceptance |
244.000 GHz | 246.000 GHz | 2 GHz | 245.000 GHz | Subject to local acceptance |
If you are exploring the RF spectrum, a very useful reference that can identify licenced ISM frequencies in your area (i.e. Zip Code) is Radio Reference - which lists the "owners" of certain frequencies based on your location/ZIP code.
The ISM bands can be used by consumers as well.
Here are some popular protocols and frequencies used by consumer devices.
There are fourteen GSM bands defined in 3GPP (formerly IMT-2000), as shown in this table from Wikipedia. I added the US Carriers by name as a convenience.
System | Band | Uplink (MHz) | Downlink (MHz) | Channel number | US Carriers |
---|---|---|---|---|---|
T-GSM-380 | 380 | 380.2–389.8 | 390.2–399.8 | dynamic | |
T-GSM-410 | 410 | 410.2–419.8 | 420.2–429.8 | dynamic | |
GSM-450 | 450 | 450.6–457.6 | 460.6–467.6 | 259–293 | |
GSM-480 | 480 | 479.0–486.0 | 489.0–496.0 | 306–340 | |
GSM-710 | 710 | 698.2–716.2 | 728.2–746.2 | dynamic | 4G (AT&T, Cellular) |
GSM-750 | 750 | 747.2–762.2 | 777.2–792.2 | 438–511 | 4G (Verizon) |
T-GSM-810 | 810 | 806.2–821.2 | 851.2–866.2 | dynamic | Voice (Sprint/US Cellular), 4G (Sprint) |
GSM-850 | 850 | 824.2–849.2 | 869.2–894.2 | 128–251 | US Voice (AT&T, Verizon), US 4G (AT&T, US Cellular) |
P-GSM-900 | 900 | 890.0–915.0 | 935.0–960.0 | 1–124 | |
E-GSM-900 | 900 | 880.0–915.0 | 925.0–960.0 | 975–1023, 0-124 | |
R-GSM-900 | 900 | 876.0–915.0 | 921.0–960.0 | 955–1023, 0-124 | |
T-GSM-900 | 900 | 870.4–876.0 | 915.4–921.0 | dynamic | |
DCS-1800 | 1800 | 1,710.2–1,784.8 | 1,805.2–1,879.8 | 512–885 | Voice (T-Mobile), 4G (AT&T, T-Mobile, Verizon) |
PCS-1900 | 1900 | 1,850.2–1,909.8 | 1,930.2–1,989.8 | 512–810 | Voice/3G (AT&T, Verizon, Sprint, T-Mobile, US Cellular), 4G (Sprint) |
Another reference that some may find useful is Charles Reid's Link
The hardware and frequency must be compatible. Some of the deciding factors may include:
Obviously, more features cost more.
Now let's look at the available hardware.
The hardware you use depends on the target. There are two important characteristics - the frequency and the type of network.
The easier path is to use hardware that is compatible with the target device. The US has various frequencies that are dedicated for consumer devices, such as 900 MHz, 2.4 GHz and 5 GHz. The various WLAN channels are listed here.
There are several protocols at 2.4 GHz, such as WiFi, Bluetooth, XBee, ZigBee, etc. Selecting the hardware depends on the target.
There should be no problem getting hardware, as the hardware is highly standardized.
Some of the frequencies are emerging standards, like 3.6 GHz (802.11y), 4.9 GHz (802.11y) Public Safety WLAN, 5 GHz (802.11a/h/j/n/ac), and 5.9 GHz (802.11p).
There are specialized and dedicated devices available, like the Pineapple ($99), the CreepyDOL, which is now available as the F-BOMB ($250), and the Pwn Plug R2 from Pwnie Express ($1095).
The IEEE 802.15.4 radio is commonly used for sensor and mesh networking. Possible protocols include 6LoWPAN and ZigBee.
Hackers prefer open source hardware and software. Some of the available and popular hardware:
Other products that are also mentioned, but I haven't researched in depth:
Other boards (for reference purposes)
Obsolete hardware, but you might find some available
Also check out the Contiki Hardware page
Some older obsolete hardware was used in the past.
Other boards (for reference purposes)
See Wikipedia's entry on the 800 MHz range as it is used in Europe.
This frequency is used in Region 1 - Europe, Africa, parts of the Middle East, Russia, etc.
Another approach is to have a general-purpose radio that can be controlled using software to examine any frequency. What you need is a software-defined radio (SDR).
Software-defined radios accomplish this. While SDR devices are flexible, they still have specific ranges, and if the frequency you need to study is outside of the range of the radio, you need to find another radio, or some other solution.
I am working on a page describing the software. I'll expand this later.
Here is some of the more popular hardware:
Here is a table of the frequency range of the different tuners for the RTL2832-based devices.
Tuner | Frequency |
---|---|
E4000 | 55 MHz - 2300 MHz |
FC0013 | 22 MHz - 1100 MHz |
R820T | 25 MHz - 1700 MHz |
I would recommend the NooElec devices over the FC0013 devices (I own both). The cost is only a little more, and you will receive the hardware much quicker as well. The NooElec eBay store also sells these devices, and may have free shipping, so that may be the best bargain.
A comparison of the USRP, HackRF, and BladeRF was written by Taylor Killian.
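The GSM band table and the tuner table above can be tied together: a channel number (ARFCN) converts to a carrier frequency, and that frequency decides which tuner can receive it. The following is an added example, not code from the original page; the band edges and tuner limits are the ones quoted above, and the ARFCN-to-frequency formulas are the standard ones from 3GPP TS 45.005.

```python
# Added example (not from the original page): map a GSM channel number (ARFCN)
# from the band table above to its uplink/downlink frequency, then check which
# RTL2832U tuner from the tuner table can receive it. The ARFCN formulas are the
# standard ones from 3GPP TS 45.005; band edges and tuner limits are as quoted here.

# (system, first ARFCN, last ARFCN, uplink MHz at first ARFCN, duplex spacing MHz)
GSM_BANDS = [
    ("GSM-450",    259,  293,  450.6, 10.0),
    ("GSM-480",    306,  340,  479.0, 10.0),
    ("GSM-750",    438,  511,  747.2, 30.0),
    ("GSM-850",    128,  251,  824.2, 45.0),
    ("P-GSM-900",    1,  124,  890.2, 45.0),  # uplink = 890 + 0.2 * n
    ("E-GSM-900",    0,  124,  890.0, 45.0),
    ("E-GSM-900",  975, 1023,  880.2, 45.0),  # extension channels sit below n = 0
    ("R-GSM-900",    0,  124,  890.0, 45.0),
    ("R-GSM-900",  955, 1023,  876.2, 45.0),
    ("DCS-1800",   512,  885, 1710.2, 95.0),
    ("PCS-1900",   512,  810, 1850.2, 80.0),  # same ARFCN numbers as DCS-1800
]

# RTL2832U tuner ranges (MHz) as quoted in the tuner table on this page
TUNERS = {"E4000": (55, 2300), "FC0013": (22, 1100), "R820T": (25, 1700)}


def arfcn_to_freq(arfcn, system=None):
    """Return [(system, uplink_MHz, downlink_MHz)] for every band that contains
    the ARFCN.  DCS-1800 and PCS-1900 both use 512-810, so an ARFCN alone is
    ambiguous there; pass system= to select one of them."""
    hits = []
    for name, lo, hi, base_ul, duplex in GSM_BANDS:
        if lo <= arfcn <= hi and (system is None or name == system):
            ul = round(base_ul + 0.2 * (arfcn - lo), 1)   # 200 kHz channel raster
            hits.append((name, ul, round(ul + duplex, 1)))
    return hits


def tuners_covering(freq_mhz):
    """Names of the tuners whose quoted range includes freq_mhz (empty if none)."""
    return sorted(n for n, (lo, hi) in TUNERS.items() if lo <= freq_mhz <= hi)


if __name__ == "__main__":
    for arfcn, system in [(62, "P-GSM-900"), (700, "DCS-1800"), (700, None)]:
        for name, ul, dl in arfcn_to_freq(arfcn, system):
            print(f"ARFCN {arfcn:4d} {name:10s} UL {ul:7.1f} DL {dl:7.1f} MHz; "
                  f"tuners for DL: {tuners_covering(dl) or 'none'}")
```

Note that the 1800/1900 MHz downlinks fall outside the FC0013 and R820T ranges quoted above, so only the E4000 dongle reaches them.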