#Codemotion Rome 2018 - In our everyday life we are accustomed to use radio communication devices: car key fobs, remote controls, toys etc. Unfortunately these devices are often designed without security in mind, and this is true also for radio communication protocols spread all over the world and often mandatory. In this talk we will get a chance to see how SDRs work and what are the tools they lay out to enthusiasts who are willing to play around a little bit and break things apart to understand how they work. There will be also some live demo with SDRs in place.

1. Software Defined Radios:
Hacking the Invisible
Davide Papini
Daniele Provenziani
ROME - APRIL 13/14 2018

2. Who We Are
• Davide Papini, Cyber Security researcher:
• R&D Elettronica S.p.a.
• PostDoc at Royal Holoway
University of London
• PhD at Technical University of Denmark
• Daniele Provenziani, System Engineer:
• EW COMM Elettronica S.p.a.
• Solid Background in COMM ES and EA System
• M.S. degree in Telecommunication Engineer
at Tor Vergata University of Roma

3. Agenda
• What are SDR
• Applications (e.g. GSM, AIS, ADSB etc)
• Hardware
• Spectrum Background
Demo Time
• Mangling with radio mics
• Spoofing GPS
• Looking at Drones
• Hacking remote controls

4. What are SDR
• RF signal is directly digitalized at BaseBand
• Processing is done in Software (digital and analog
modulations).
• Simple RF management e.g. sample rate, bandwidth, gain.
• Easy prototyping (everything is SW)

5. SDR usages
• Mobile e.g. 2G/3G/4G sniffing and BTS
• Radio Broadcasting
• GPS spoofing
• Ship and Aircraft tracking
• Radar
• Direction Finding
• Drone Detection and Interception
• …Only your imagination can stop you…

6. Back in 2013: AIS Spoofing
• New/Existing Ships Position Spoofing
• Allows for false impact alerts
• Can deceive authorities in finding target ship
locations
• Man-in-water spoofing
• Distress beacon
• SART (S.O.S.) alerts
• Induces target ship to sail into hostile waters
• Frequency Hopping DoS:
• Induces target to change AIS frequency thus
disappearing from legitimate systems
Balduzzi et al @ Blackhat 2013

7. HW
• Ettus Bus and Networked Series
• Winradio
• Nuand Blade RF
• HackRF
• PlutoRF
• RTL-SDR
Different specs:
• Freq (30MHz-6GHz)
• ADC resolution (8,12,14,16 bit)
• Bandwidth (2MHz – 120 MHz)
• Number of Channels

8. Spectrum Basics LTE
BW = 20MHz

9. Spectrum Basics GSM
BW = 200KHz

10. Demo Time
• B210
• 2 TXRX, 2 RX channels
• 56 MHz Bandwidth
• 70MHz – 6GHz Frequency
• N210
• 1 TXRX, 1 RX channel
• 50 MHz Bandwidth
• DC – 6GHz
• Larger FPGA with RFNOC
support (applications up to
100 MSps)

11. Radio Mics
LIVE DEMO

12. GPS Background

13. GPS Ephemeris
• Each Satellite transmits its own
navigational status
• It transmits also the almanac: the
status of the entire network
• Need to know the ephemeris if you
want to spoof a credible signal.

14. Looking at Drones
LIVE DEMO

15. DRONE backgroud
Remote Control
(Uplink)
Telemetry, Video data
(Downlink)
FPV Goggles
FPV and Telemetry OSD

16. DRONE Remote Control RF
Analisys
RC Frequency Hopping
Drone Video Streaming
FSK modulation

17. DRONE RC Digital Modulation
e.g. FSK
Preamble SFD
Payload
(RC data/Telemetry
Data)
CRC

18. Remote Controls
LIVE DEMO

19. Wrapping up
Q & A