ESP32-Powered Arduino-Compatible Evil Crow RF Offers Easy-to-Use Sub-GHz RF for Pen Testers

Security engineer Joel Serna and colleagues have released a tool designed for red-team penetration testing of radio environments: The Espressif ESP32-based Arduino-compatible Evil Crow RF, based on two Texas Instruments CC1101 sub-gigahertz radio modules and offering operation across three radio bands.

"Evil Crow RF is a radio-frequency hacking device for pentest and Red Team operations," Serna writes of the USB-connected software-defined radio (SDR) board. "This device operates in the following radio-frequency bands: 300MHz-348MHz; 387MHz-464MHz; 779MHz-928MHz. Evil Crow RF has two CC1101 radio-frequency modules, these modules can be configured to transmit or receive on different frequencies at the same time."

The board is designed to make it easy to carry out a range of attacks on the security of radio systems, including replay and brute-force attacks, through a customizable Arduino-based firmware which will gain additional features over time. Interestingly, no software is required on the host: Instead, the Evil Crow RF sets up a Wi-Fi hotspot and provides a web interface for controlling both modules.

Built around the Espressif ESP32 and with two Texas Instruments CC1101 radio modules, the board is also compatible with the RFQuack firmware — "the only versatile RF-analysis tool that quacks," as its maintainers would have it, and designed to "sniff, manipulate, and transmit data over the air."

The tool does, of course, come with a hefty warning: "Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts," its creators advise. "We are not responsible for the incorrect use of Evil Crow RF. We recommend using this device for testing, learning and fun. Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country."

The source code for the firmware, and STL files for a 3D-printed case, have been published to GitHub under the permissive Creative Commons Attribution 4.0 International license, though the hardware is closed-source. Serna and colleagues have provided the design files to a Chinese company, which has produced and is selling the board through AliExpress - but at the time of writing the device was sold out.

For those wondering about its capabilities, meanwhile, Luca Bongiorni has published a write-up demonstrating the use of the Evil Crow RF to investigate a dental X-ray machine purchased from China — and using a compact RF remote to trigger the emitter from afar.