Not Quite ZigBee; or, How to Sniff a Strange Radio
Open with “Why should you give a shit?”
List of Exploits
Travis Goodspeed
22 April 2010 -- Source Boston
Introduction
✤ Wifi
✤ Bluetooth
  ✤ Ubertooth
✤ ZigBee
  ✤ KillerBee, GoodFET, Freakduino Chibi, Daintree
✤ What about everything else?
Introduction
✤ This is not a USRP lecture.
✤ Weird radios are usually one-off designs.
  ✤ Bad cryptography, if any.
  ✤ Little testing, quality control.
✤ Vulnerabilities inherited from the chipset.
Citations
✤ Max Moser and Thorsten Schröder
✤ Michael Ossmann
✤ Read my articles for the rest, http://travisgoodspeed.com
Example Targets
✤ Radio Remote Controls
✤ Apple/Nike+ Shoe Pod
✤ Garmin ANT+ Watch
✤ Microsoft Keyboard
Methodology
✤ Dissect a device.
  ✤ Part numbers, chip die photographs, firmware.
✤ Determine radio encoding, rate, and frequency.
  ✤ 2FSK, 2Mbps, 2.4GHz
  ✤ QPSK, 1Mbps, 2.4GHz
✤ Build a transceiver.
Part Numbers
✤ CC2420, EM250, A7125
  ✤ Uniquely identify the part, index the datasheet.
  ✤ Vulnerabilities are indexed by part number, not product name.
✤ Sometimes they are missing or ground off.
  ✤ HNO3 and H2SO4 are your friends!
Datasheets
✤ Describe registers and pins.
✤ Sometimes private, but often public.
✤ Read the whole damned thing, and you’re sure to find bugs.
✤ Also read the errata sheets.
  ✤ For this chip and its ancestors.
Meet the Lineup
✤ Chipcon
✤ Nordic RF
✤ Amiccom
✤ Others
Chipcon ISM Band
✤ CC1100, 2500 radio.
✤ CC1110, 2500 system-on-chip.
✤ Very configurable.
  ✤ CC1110 talks to anything sub-GHz.
  ✤ Undocumented 4FSK, use register settings for CC1101.
Nordic RF
✤ No promiscuous mode.
  ✤ There’s a hack, but it’s ugly.
✤ Not very configurable:
  ✤ 2FSK, fixed deviation.
  ✤ Integer MHz channels.
✤ Microsoft Keyboards, Mice
✤ OpenBeacon
✤ Sparkfun Keyfob
✤ ANT+, Nike+
Amiccom A7125
✤ 2.4GHz, 2FSK
✤ Doccos in English, Chinese
✤ Unbuffered mode for outputting symbols directly.
  ✤ 2 million symbols/second!
  ✤ Handy, but not necessary, for promiscuous sniffing of Nordic traffic.
Modulation Schemes
✤ Frequency Shift Keying (FSK)
  ✤ Cheap digital radios, Bluetooth.
✤ Amplitude Shift Keying (ASK, OOK)
  ✤ Car remotes, garage door openers.
✤ Phase Shift Keying (PSK)
  ✤ Wifi, ZigBee
✤ Complicated variations of each.
Frequency Shift Keying
✤ Symbol Rate: Integer or floating?
✤ Frequency: Integer or fractional?
✤ SYNC: Configurable? Repurposed as the address?
✤ Deviation: Space between highest and lowest symbol.
✤ Encoding:
  ✤ 2FSK: Low frequency is zero, high frequency is 1.
  ✤ 4FSK: +1, +1/3, -1/3, -1
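The slide lists the FSK parameters you have to pin down before a captured burst means anything. The script below, an added example and not code from the talk or from GoodFET, puts them together: it takes instantaneous-frequency samples of a burst, reads the deviation off the highest and lowest symbol exactly as the slide defines it, averages the samples of each symbol period, and snaps each average to the nearest 2FSK or 4FSK level. The bit-to-level mapping is an assumption (symbol values read as plain binary, ordered lowest to highest tone, which for 2FSK is the slide's low = 0, high = 1); the sample burst and its jitter are constructed, not measured.

```python
"""Slicing and decoding an FSK symbol stream (added example, not the talk's code)."""
from typing import List, Optional, Sequence

# Nominal levels as fractions of half the deviation.
# 4FSK uses the slide's +1, +1/3, -1/3, -1; the bit ordering is this example's assumption.
LEVELS = {
    2: [-1.0, 1.0],
    4: [-1.0, -1.0 / 3, 1.0 / 3, 1.0],
}


def bits_per_symbol(order: int) -> int:
    """1 bit per 2FSK symbol, 2 bits per 4FSK symbol."""
    return order.bit_length() - 1


def modulate(bits: Sequence[int], order: int, deviation_hz: float,
             samples_per_symbol: int) -> List[float]:
    """Bits -> frequency offsets from the channel centre (Hz), one value per sample."""
    bps = bits_per_symbol(order)
    if len(bits) % bps:
        raise ValueError("bit count must be a multiple of bits per symbol")
    offsets: List[float] = []
    for i in range(0, len(bits), bps):
        sym = int("".join(str(b) for b in bits[i:i + bps]), 2)
        offsets.extend([LEVELS[order][sym] * deviation_hz / 2] * samples_per_symbol)
    return offsets


def estimate_deviation(samples: Sequence[float]) -> float:
    """Deviation is the space between the highest and lowest symbol: read it off the extremes."""
    return max(samples) - min(samples)


def demodulate(samples: Sequence[float], order: int, samples_per_symbol: int,
               deviation_hz: Optional[float] = None) -> List[int]:
    """Average each symbol period, snap to the nearest level, emit that symbol's bits."""
    dev = deviation_hz if deviation_hz is not None else estimate_deviation(samples)
    levels = [lvl * dev / 2 for lvl in LEVELS[order]]
    bps = bits_per_symbol(order)
    bits: List[int] = []
    for i in range(0, len(samples) - samples_per_symbol + 1, samples_per_symbol):
        mean = sum(samples[i:i + samples_per_symbol]) / samples_per_symbol
        sym = min(range(order), key=lambda k: abs(levels[k] - mean))
        bits.extend(int(c) for c in format(sym, f"0{bps}b"))
    return bits


def add_test_noise(samples: Sequence[float], peak_hz: float = 30_000.0) -> List[float]:
    """Deterministic pseudo-random jitter of up to +/- peak_hz (constructed, not measured)."""
    return [x + ((i * 7919) % 13 - 6) / 6 * peak_hz for i, x in enumerate(samples)]


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0]
    # Constructed burst: 4FSK, 500 kHz deviation, 4 frequency samples per symbol.
    clean = modulate(bits, 4, 500_000.0, 4)
    noisy = add_test_noise(clean)
    print("estimated deviation (Hz):", estimate_deviation(noisy))
    print("recovered bits match:", demodulate(noisy, 4, 4) == bits)
```

Estimating the deviation from the extremes over-reads it slightly when the samples are noisy, but the levels only have to be nearer to the right tone than to its neighbours, so the decode stays correct as long as the jitter is well under half the level spacing.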
Getting a radio board.
✤ Chips are difficult to use directly.
  ✤ QFN or BGA chip packages.
  ✤ Radio layout requires a custom board.
✤ Modules are available with radio and analog chain.
  ✤ Often lack an MCU, so use a GoodFET.
✤ Commercial boards are often useful.
  ✤ GirlTech IMME, Next Hope Badge
Configuring the Radio
✤ All digital radios are configured by Special Function Registers (SFR).
✤ Register settings can come from multiple sources:
  ✤ SmartRF Studio configuring TI/Chipcon radios.
  ✤ Datasheets
  ✤ Ask Ossmann
GoodFET Radio Architecture
✤ Firmware in C, client in Python.
✤ Py2Exe port for Win32.
  ✤ Only tested on the Chinese build.
✤ Firmware is trimmed to support only the needed drivers.
✤ New drivers can be written in pure Python.
  ✤ Port functions to C as needed.
Turning Point Clicker
✤ Classroom remote control.
✤ Attendance, Quizzing
✤ Nordic nRF24E1G
  ✤ 8051 MCU
  ✤ 2.4GHz Radio
  ✤ External Flash
nRF24E1
✤ 8051 Microcontroller
  ✤ More popular than ARM and x86.
✤ Internal nRF2401 Radio
  ✤ 1Mbps GFSK Radio
  ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing
✤ No internal Flash. Boots from external EEPROM.
✤ No promiscuous mode. (The hack comes later.)
Microsoft Keyboard
✤ 2.4GHz Nordic, XOR crypto
✤ SYNC varies by unit.
  ✤ Again, there’s no promiscuous mode.
✤ Initial Exploit in Keykeriki 2.0
  ✤ Max Moser and Thorsten Schröder
  ✤ Amiccom A7125, nRF24L01+
Promiscuity is a Citizen’s Duty
✤ If the crypto is so bad, why is it hard to sniff?
  ✤ SYNC field is unique to the unit.
  ✤ Receiver must know the SYNC to receive a packet.
✤ Two solutions:
  ✤ 1) Search raw radio traffic for Preamble. (Keykeriki)
  ✤ 2) Use the preamble as if it were a SYNC. (GoodFET)
Schröder and Moser’s Solution
✤ A7125 samples raw bits at 2Mbps.
✤ ARM CPU looks for Preamble.
✤ When the MAC is found,
  ✤ Load nRF24L01+ to sniff.
  ✤ Dump to PC for interpretation.
✤ Can it be cheaper?
GoodFET Autotune
✤ Reduce MAC length to two bytes.
✤ Disable checksums.
✤ Set MAC to 0x0055 or 0x00AA.
✤ Count occurrences of 5-byte sequences:
  ✤ Might be shifted off by a bit.
  ✤ Filter out noise.
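The two slides above describe the GoodFET approach in outline: with the address width cut to two bytes, checksums off and the address set to the preamble pattern, the radio locks on every frame's preamble and hands back the real five-byte address followed by the payload as if all of it were payload; the host then counts which five-byte sequence keeps recurring. The script below is the host-side half of that as an added example, not GoodFET's own autotune code. Everything about the radio configuration is left to the slide; what this shows is the tally, the "shifted off by a bit" handling (assumed here to mean the payload can arrive up to seven bits late, so every bit offset of the leading window is counted), and the noise filter (a recurrence threshold plus rejection of dead-air and preamble-like patterns). The captured frames and the victim address are constructed for the example.

```python
"""Host-side tally for preamble-as-SYNC sniffing (added example, not GoodFET's code).

Radio side, as on the slide and done separately: address width 2 bytes, CRC off,
RX address 0x0055 or 0x00AA.  Each 'payload' the radio returns then starts with
the transmitter's real 5-byte address.
"""
from collections import Counter
from typing import Iterable, List, Tuple

ADDRESS_LEN = 5   # the talk's Nordic targets use 5-byte addresses
MAX_SHIFT = 7     # assumption: a mis-lock shows up as the data arriving up to 7 bits late


def window_at_bit(data: bytes, bit_offset: int, nbytes: int) -> bytes:
    """Return nbytes bytes starting bit_offset bits into data (MSB first)."""
    total_bits = len(data) * 8
    shift = total_bits - bit_offset - nbytes * 8
    if shift < 0:
        raise ValueError("frame too short for that window")
    mask = (1 << (nbytes * 8)) - 1
    return ((int.from_bytes(data, "big") >> shift) & mask).to_bytes(nbytes, "big")


def candidate_addresses(frame: bytes) -> List[bytes]:
    """Leading 5-byte window at each bit offset 0..MAX_SHIFT ('might be shifted off by a bit')."""
    return [window_at_bit(frame, k, ADDRESS_LEN) for k in range(MAX_SHIFT + 1)]


def looks_like_noise(addr: bytes) -> bool:
    """Dead air and preamble-like patterns (only 0x00/0xFF/0xAA/0x55 bytes) are not addresses."""
    return all(b in (0x00, 0xFF, 0xAA, 0x55) for b in addr)


def autotune(frames: Iterable[bytes], min_hits: int = 3) -> List[Tuple[bytes, int]]:
    """Tally candidates over all frames; keep recurring, non-noise ones, most frequent first.

    min_hits is the noise filter: a real address recurs frame after frame, while a
    chance alignment of noise or payload bytes does not.  Tune it to the capture size.
    """
    tally: Counter = Counter()
    for frame in frames:
        tally.update(candidate_addresses(frame))
    return [(addr, n) for addr, n in tally.most_common()
            if n >= min_hits and not looks_like_noise(addr)]


# --- Constructed sample captures (not real traffic) --------------------------
REAL_ADDRESS = bytes.fromhex("a1b2c3d4e5")   # made-up transmitter address


def _frame(first_payload_byte: int, filler: int) -> bytes:
    """A 32-byte 'payload' as the mis-configured radio would return it: address, then data."""
    return REAL_ADDRESS + bytes([first_payload_byte]) + bytes([filler]) * 26


def _locked_one_bit_early(frame: bytes) -> bytes:
    """Simulate the radio matching the preamble one bit early: one stray bit leads the data."""
    return (int.from_bytes(frame, "big") >> 1).to_bytes(len(frame), "big")


SAMPLE_FRAMES = [
    _frame(0x00, 0x01),
    _frame(0x80, 0x02),
    _frame(0xC0, 0x03),
    _locked_one_bit_early(_frame(0x40, 0x04)),   # the off-by-a-bit case
    b"\x55" * 32,                                # noise that looks like preamble
    b"\x00" * 32,                                # dead air
]

if __name__ == "__main__":
    for addr, hits in autotune(SAMPLE_FRAMES):
        print(addr.hex(), hits)
```

With these six frames only the constructed address survives the filter, seen four times (three direct hits and one recovered from the bit-shifted frame); the preamble-like and all-zero windows recur too, which is exactly why the pattern check is needed alongside the count.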