(SACON) Harshit Agrawal - On The Wings of Time: Past, Present and Future of Radio Communication


Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Today, cyber threats have grown not just in depth (more sophisticated) but also in breadth (expanded scope). They have grown from threats in enterprise IT systems to Operational Technology (OT) and Industrial Control Systems (ICS).

Published in: Technology

  1. SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur
     On the Wings of Time: Past, Present and Future of Radio Communication Hacking
     Harshit Agrawal @harshitnic
  2. Agenda
     ● IoT: Transformational Impact across Verticals
     ● RF Fundamentals
     ● Joys of the Past
     ● Current status of Industry & Sutra for Mitigation
     ● A glimpse of the Future
     ● Case Study and Demos
     ● Reference and Learning
  3. Intro
     ● This is for people who are:
       ○ Just starting out
       ○ Thought WiFi hacking was cool
       ○ Saw a few HAK5 videos and want to get started
       ○ Saw a DEFCON video on wireless stuff
     ● You need to know how a thing works to defeat a thing.
       ○ It’s not just about the hack
       ○ If you don't know what it is doing and why it's doing it, you won’t know why your attack did not work
       ○ Fundamentals, but for the purpose of pulling it apart
     ● Pay attention to dates and specifics
       ○ There is so much white noise and outdated info on the internet
       ○ Then there is stuff that is older and still good information
  4. IoT: Transformational Impact across Vertical Sectors
  5. Internet of Things Model
     ● 1. Controlling Device: smartphones, tablets and other smart devices can control all types of “things”
     ● 2. Cloud Service: cloud services provide the repository and access control between the “things” and their controller
     ● 3. Global Network: most “things” are connected to the Internet, except for power grids or classified government systems
     ● 4. Local Network: this may be a controller area network (CAN) in connected cars, a local network in homes, etc.
     ● 5. Things: “things” can be remotely controlled or viewed, and they can send telemetry for analysis
  6. IoT Security Challenges - A perspective
     ● Long IoT device lifetime
       ○ High effort to update devices in the field
       ○ Outdated security mechanisms needed for legacy devices
     ● Badly maintained IoT devices
       ○ How many users really care as long as it works?
     ● Signaling storms
       ○ Normal IoT device signaling footprint will often be low
  7. Why Focus on RF Security?
  8. History
     ● 1984: “Software Radio” coined by E-Systems
     ● 1995: “The Software Radio Architecture” article published in IEEE Communications Magazine; earned Mitola the nickname “The Godfather of Software Radio”
     ● 2001: GNU Radio project is founded
     ● 2006: First USRP released, the first programmable & general-purpose SDR available publicly
     ● 2011: RTL-SDR explosion
  9. History
     ● Processing is defined by programmed algorithms, not hardware (‘Software-Defined Radio’ [SDR] is the same thing)
  10. SDR as Spectrum Analyser
     ● Using SDR to replace most of the hardware for implementation of radio networking
     ● SDR can act as a VSA (vector signal analyzer) when connected to a computer
     ● Implementation as SoC (System on a Chip)
     ● Higher-end SDRs have FPGAs for on-board DSP
     ● Most signal processing and all display functions take place in an external computer, e.g., using GNU Radio
     ● Shuttles RF I/Q samples to DSP or host
  12. What are the Trade-offs? Your budget may allow you to buy one of these versus 20 of these:
     ● One Vector Signal Analyzer: a single well-equipped device measuring one location at a time
     ● Versus 20 × (SDR + single board computer): a network of configurable low-cost sensors spread over a wide geographical area
  13. Inside the Radio Wave Spectrum (figure: frequency axis from 3 KHz to 5 GHz, marked at 1, 2, 3, 4 and 5 GHz)
     ● Allocations labelled on the figure: AM Radio, Broadcast TV, Garage Door Openers, Door Openers, Auctioned Spectrum, Cell Phones, Global Positioning System, Wireless Medical Telemetry, GSM Network, Satellite Radio, Weather Radar, Cable TV, Satellite Transmissions, Highway Toll Tags, 5 GHz WiFi Network, Security Alarms
     ● 2.4 GHz band: used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth)
     ● Most of the white area of this band is reserved for military, federal government and industry use
  14. Importance of Frequency Selection
  15. RF Propagation & Interference
     ● Depending on its size, the radio wave loses energy every time it passes through a medium
     ● Subject to Electromagnetic Interference (EMI)
     ● The higher the frequency, the more likely there will be interference and distortion
     ● Ground waves vs skywaves vs Line of Sight (LOS)
       ○ Atmospheric conditions, reflection (scatter), refraction, absorption
     ● Line of Sight & Path Loss
       ○ Free-space path loss: 20 log10(4πr/λ) = Ptx/Prx expressed in dB (Ptx > Prx)
       ○ Ptx is sometimes called the budget
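The path-loss line above, worked through in Python as an added example (not code from the talk): it evaluates 20·log10(4πr/λ) for a constructed 433.92 MHz link, shows the loss growing with distance and with frequency, and inverts the formula to get the free-space range at which the received power still meets a receiver's sensitivity. The function names, the 10 dBm transmit power and the -100 dBm sensitivity are assumptions chosen for the example.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def wavelength_m(freq_hz):
    """Wavelength lambda = c / f."""
    return C / freq_hz


def free_space_path_loss_db(distance_m, freq_hz):
    """20*log10(4*pi*r/lambda): loss between isotropic antennas in free space.

    This is the ratio Ptx/Prx expressed in dB, i.e. Ptx_dBm - Prx_dBm when the
    antennas have no gain. It is only the line-of-sight term; absorption,
    reflection and refraction mentioned on the slide add to it.
    """
    lam = wavelength_m(freq_hz)
    return 20.0 * math.log10(4.0 * math.pi * distance_m / lam)


def received_power_dbm(ptx_dbm, distance_m, freq_hz, gtx_dbi=0.0, grx_dbi=0.0):
    """Link budget in dB: Prx = Ptx + Gtx + Grx - FSPL."""
    return ptx_dbm + gtx_dbi + grx_dbi - free_space_path_loss_db(distance_m, freq_hz)


def max_range_m(ptx_dbm, rx_sensitivity_dbm, freq_hz, gtx_dbi=0.0, grx_dbi=0.0):
    """Invert the formula: largest r at which Prx still reaches the receiver sensitivity."""
    allowed_loss_db = ptx_dbm + gtx_dbi + grx_dbi - rx_sensitivity_dbm
    lam = wavelength_m(freq_hz)
    return lam * 10 ** (allowed_loss_db / 20.0) / (4.0 * math.pi)


if __name__ == "__main__":
    # Constructed scenario: a 433.92 MHz ISM transmitter at 10 dBm (10 mW) with
    # unity-gain antennas, and a receiver that needs at least -100 dBm.
    f = 433.92e6
    for d in (10, 100, 1000):
        print(f"{d:5d} m: FSPL {free_space_path_loss_db(d, f):6.1f} dB, "
              f"Prx {received_power_dbm(10, d, f):7.1f} dBm")
    print(f"max free-space range: {max_range_m(10, -100, f):.0f} m")
```

Doubling the distance adds about 6 dB of loss, and so does doubling the frequency, which is the quantitative form of the slide's "higher frequency, shorter reach" remark; the real range is lower than max_range_m because the formula ignores every medium the wave passes through.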
  16. PHY Layer
     ● Lowest layer in the communication stack
     ● In wired protocols: voltage, timing, and wiring define 1s and 0s
     ● In wireless: patterns of energy being sent over the RF medium
  17. The intuition
     ● Humans analyze complex signals (audio, images) in terms of their sinusoidal components
     ● We can build instruments that “resonate” at one or multiple frequencies (tuning fork vs piano)
     ● The “frequency domain” seems to be as important as the time domain
  18. Fundamental question: can we decompose any signal into sinusoidal elements? Yes, and Fourier showed us how to do it exactly!
     ● Analysis
       ○ From time domain to frequency domain
       ○ Find the contribution of different frequencies
       ○ Discover “hidden” signal properties
     ● Synthesis
       ○ From frequency domain to time domain
       ○ Create signal with known frequency content
       ○ Fit signals to specific frequency regions
  19. The advantages of complex exponentials
     ● We can use complex numbers in digital systems, so why not?
     ● It makes sense: every sinusoid can always be written as a sum of sine and cosine
     ● Math is simpler: trigonometry becomes algebra
     ● Example: change the phase of a pure cosine with complex exponentials
       ○ Sine and cosine “live” together
       ○ Phase shift is a simple multiplication
       ○ Notation is simpler
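The analysis/synthesis pair and the phase-shift example above, as added Python code that is not from the talk: synthesize builds a signal from known sinusoids, dft decomposes it again, dominant_frequencies reads back the frequencies and amplitudes, and phase_shift_cos shows the slide's point that shifting the phase of a cosine is one complex multiplication. The sample rate, length and component frequencies are constructed values; the plain O(N²) DFT is used so the block runs without numpy.

```python
import cmath
import math


def synthesize(components, fs, n):
    """Synthesis: n samples at rate fs from (freq_hz, amplitude, phase_rad) tuples."""
    return [sum(a * math.cos(2 * math.pi * f * k / fs + ph) for f, a, ph in components)
            for k in range(n)]


def dft(x):
    """Analysis: X[m] = sum_k x[k] * exp(-2*pi*j*m*k/N). O(N^2), fine for short signals."""
    n = len(x)
    return [sum(x[k] * cmath.exp(-2j * math.pi * m * k / n) for k in range(n))
            for m in range(n)]


def dominant_frequencies(x, fs, threshold=1e-6):
    """Return {freq_hz: amplitude} for every bin in 0..N/2 whose amplitude exceeds threshold.

    For a real signal a*cos(2*pi*f*t) the DFT puts a*N/2 in bin f*N/fs (and in its
    mirror bin), so bins are scaled by 2/N to recover a; DC and Nyquist carry a*N
    and are scaled by 1/N.
    """
    n = len(x)
    spectrum = dft(x)
    found = {}
    for m in range(n // 2 + 1):
        scale = 1.0 / n if m in (0, n // 2) else 2.0 / n
        amp = abs(spectrum[m]) * scale
        if amp > threshold:
            found[m * fs / n] = round(amp, 6)
    return found


def phase_shift_cos(f, phi, fs, n):
    """A cosine is Re(exp(j*w*t)); a phase shift by phi is a multiply by exp(j*phi),
    with no sin/cos addition formula needed."""
    rotator = cmath.exp(1j * phi)
    return [(cmath.exp(2j * math.pi * f * k / fs) * rotator).real for k in range(n)]


if __name__ == "__main__":
    fs, n = 64, 64                                   # constructed: 64 samples at 64 Hz
    x = synthesize([(3.0, 1.0, 0.0), (7.0, 0.5, 0.0)], fs, n)
    print(dominant_frequencies(x, fs))               # {3.0: 1.0, 7.0: 0.5}
    shifted = phase_shift_cos(3.0, math.pi / 2, fs, n)
    print(shifted[:4])                               # cos(wt + pi/2), i.e. -sin(wt)
```

The round trip only lands exactly on two bins because each component completes a whole number of cycles in the 64 samples; a frequency between bins leaks into its neighbours, which is why real analyzers window the data first.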
  20. Initial Profiling of our Device
     ● What does our device do in normal operation?
     ● How does it connect?
     ● Determining the frequency
  21. Phases of RF Attacks: Information Gathering → Frequency → Modulation → Transmission
  22. Information Gathering
     ● A good starting point, if you have some luck, is to search for the FCC ID
     ● search-page
     ● Demo
  23. Information extracted from FCC
     ● FCC also publishes internal images, external images, user manuals, and test results for wireless devices
  24. Frequency: use a Spectrum Analyzer (GQRX)
     ● FFT plot and waterfall
     ● Record and playback
     ● Special FM mode for NOAA APT
     ● Basic remote control through TCP
  25. Modulation (source: Attify Inc)
     ● Modulation is like hiding a code inside a carrier wave
     ● Representing digital data as variations in the carrier wave
  26. Modulation
     ● Carrier Wave
       ○ Amplitude Modulation (AM)
         ■ On/Off Keying (OOK)
     ● Angle Modulation
       ○ Frequency Modulation (FM)
         ■ Frequency Shift Keying (FSK)
         ■ Multiple FSK (MFSK)
         ■ Code Division Multiple Access (CDMA)
         ■ Time Division Multiple Access (TDMA)
       ○ Phase Shift Modulation (PSM)
         ■ Phase Shift Keying (PSK)
         ■ Bi-Phase Shift Keying (BPSK)
         ■ Quadrature Phase Shift Keying (QPSK)
         ■ Quadrature Amplitude Modulation (QAM)
     ● Pulse Modulation
       ○ Analog
         ■ Pulse Analog Modulation (PAM)
         ■ Pulse Time Modulation (PTM)
           ● Pulse Duration Modulation (PDM)
             ○ Pulse Width Modulation (PWM)
           ● Pulse Position Modulation (PPM)
       ○ Digital: Pulse Code Modulation (PCM)
  27. Modulation: pick your parameters
     ● Turn binary into symbols for baseband RF (0/1 → combinations of waves)
     ● Encode changes in data (receiver can be non-coherent)
     ● Protect integrity of data (corruption from noise on channel)
     ● Make data appear random (increase entropy of structured data)
     ● Support multiple data streams, drop-and-insert
     ● Create signal suitable for uplink
  28. Demodulation: easy when you know
     ● What is the modulation? Symbol rate? Require coherence? What is the phase difference? Need to conjugate the complex plane?
     ● Is it differential, or what defines a 0/1?
     ● Which FEC(s) is used? Is it a concatenated code? What is the code rate? What is the block size? How is it synchronised?
     ● Possible to determine if it is scrambled (calculate stats), but what is the scrambler? Is it additive or multiplicative? How is it synchronised?
     ● Are there multiple streams? How are they multiplexed?
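As an added example (not code from the talk), the two simplest digital schemes from the taxonomy above, OOK (amplitude) and 2-FSK (frequency), in pure Python: a modulator for each, plus a non-coherent demodulator that answers two of the questions on the demodulation slide, what defines a 0/1 and whether coherence is required. The sample rate, symbol rate and tone frequencies are constructed values chosen so that each symbol holds a whole number of carrier cycles.

```python
import cmath
import math

FS = 8000            # sample rate in Hz (constructed)
BAUD = 100           # symbol rate: 100 symbols/s, so 80 samples per symbol
SPS = FS // BAUD


def ook_modulate(bits, fc=1000.0):
    """On/Off Keying: carrier present for a 1, silence for a 0 (amplitude modulation)."""
    samples = []
    for b in bits:
        for _ in range(SPS):
            t = len(samples) / FS
            samples.append(math.cos(2 * math.pi * fc * t) if b else 0.0)
    return samples


def fsk_modulate(bits, f0=1000.0, f1=2000.0):
    """2-FSK: one tone per symbol, phase kept continuous across symbol boundaries."""
    samples, phase = [], 0.0
    for b in bits:
        f = f1 if b else f0
        for _ in range(SPS):
            samples.append(math.cos(phase))
            phase += 2 * math.pi * f / FS
    return samples


def _symbols(samples):
    """Slice the sample stream into symbol-length chunks (timing assumed known)."""
    return [samples[i:i + SPS] for i in range(0, len(samples) - SPS + 1, SPS)]


def _tone_energy(sym, f):
    """Non-coherent matched filter: |sum x[n] e^{-jwn}| does not depend on carrier phase."""
    return abs(sum(x * cmath.exp(-2j * math.pi * f * n / FS) for n, x in enumerate(sym)))


def ook_demodulate(samples):
    """Decide per symbol on energy; the threshold is half the strongest symbol,
    so the receiver gain does not matter."""
    energies = [sum(x * x for x in sym) for sym in _symbols(samples)]
    thresh = max(energies) / 2.0
    return [1 if e > thresh else 0 for e in energies]


def fsk_demodulate(samples, f0=1000.0, f1=2000.0):
    """Decide per symbol by which tone correlates better; no carrier recovery needed."""
    return [1 if _tone_energy(sym, f1) > _tone_energy(sym, f0) else 0
            for sym in _symbols(samples)]


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    print(ook_demodulate([0.3 * s for s in ook_modulate(bits)]))  # attenuated, still decodes
    print(fsk_demodulate(fsk_modulate(bits)))
```

Both demodulators are non-coherent: they never recover the carrier phase, which is why the FSK tones are chosen orthogonal over one symbol (10 and 20 cycles per symbol here). A PSK scheme from the same taxonomy would need either carrier recovery or differential encoding, which is the "Is it differential?" question on the slide.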
  29. Transmission
     ● Generate the message from the details extracted above (frequency, modulation, bitrate, sync word, preamble...)
     ● Option 1: use a flow graph
     ● Option 2: command line RF tool
  30. How Transmitting Works (Matt Knight, Marc Newlin)
     ● Layer 3 Frame → API call → Layer 2 (MAC)
     ● Layer 2 (MAC): MAC Frame = HW Address | Sequence Number | (other stuff) | Layer 3 Frame
     ● Layer 1 (PHY): PHY Frame = Preamble | Start of Frame Delim. | PHY Header | MAC Frame | CRC
     ● Modulation (maps 1s and 0s to electrical phenomena) → to antenna/RF frontend
  31. How Receiving Works (Matt Knight, Marc Newlin)
     ● Layer 1 (PHY), from antenna, PHY state machine: Wait for Preamble → Look for SFD → Inspect PHY Header (optional) → Extract N bits → Check CRC → Present to Layer 2
     ● Layer 2 (MAC): MAC Frame = HW Address | Sequence Number | (other stuff) | Layer 3 Frame → API call → Layer 3 Frame
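The transmit and receive paths above, as an added Python example that is not from the talk or from the Knight/Newlin material it credits: build_phy_frame assembles preamble, SFD, a one-byte length header, the MAC frame and a CRC-16, and phy_receive walks a raw bit stream through the receive state machine (wait for preamble, look for SFD, inspect header, extract N bits, check CRC, present to layer 2). The preamble and SFD bit patterns, the header layout and the CRC polynomial are assumptions for the example; real PHYs such as 802.15.4 or BLE define their own.

```python
PREAMBLE = [1, 0] * 8                     # 16 alternating bits; hypothetical pattern
SFD = [1, 1, 1, 0, 1, 0, 0, 1]            # start-of-frame delimiter; hypothetical pattern
SYNC = PREAMBLE + SFD


def crc16_ccitt(data, init=0xFFFF, poly=0x1021):
    """CRC-16/CCITT-FALSE, bitwise; any 16-bit CRC would do for the example."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def to_bits(data):
    """Bytes to a list of bits, MSB first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    """List of bits (length a multiple of 8) back to bytes, MSB first."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def build_phy_frame(mac_frame):
    """Transmit side: preamble | SFD | PHY header (length) | MAC frame | CRC, as bits."""
    if not 0 < len(mac_frame) < 256:
        raise ValueError("length must fit in the one-byte PHY header")
    header = bytes([len(mac_frame)])
    crc = crc16_ccitt(header + mac_frame).to_bytes(2, "big")
    return SYNC + to_bits(header + mac_frame + crc)


def phy_receive(bitstream):
    """Receive side as a state machine over a raw bit stream.

    Returns the MAC frames whose CRC verified. A CRC failure drops the frame and
    resumes the preamble search right after the sync word, so a later frame that
    follows a corrupted one is still found.
    """
    frames, i, state = [], 0, "WAIT_SYNC"
    while i < len(bitstream):
        if state == "WAIT_SYNC":                       # wait for preamble, look for SFD
            if bitstream[i:i + len(SYNC)] == SYNC:
                sync_end = i = i + len(SYNC)
                state = "HEADER"
            else:
                i += 1
        elif state == "HEADER":                        # inspect PHY header
            if i + 8 > len(bitstream):
                break
            length = from_bits(bitstream[i:i + 8])[0]
            i += 8
            state = "PAYLOAD"
        elif state == "PAYLOAD":                       # extract N bits plus 16-bit CRC
            need = length * 8 + 16
            if i + need > len(bitstream):
                break
            body = from_bits(bitstream[i:i + need])
            payload, crc_rx = body[:length], int.from_bytes(body[length:], "big")
            if crc16_ccitt(bytes([length]) + payload) == crc_rx:
                frames.append(payload)                 # present to layer 2
                i += need
            else:
                i = sync_end                           # drop the frame and rescan
            state = "WAIT_SYNC"
    return frames


if __name__ == "__main__":
    frame = build_phy_frame(b"hello")
    noise = [0, 1, 1, 0, 0, 1, 0]                       # constructed leading garbage bits
    stream = noise + frame + [1, 1, 0] + build_phy_frame(b"x")
    print(phy_receive(stream))                          # [b'hello', b'x']
    corrupted = list(stream)
    corrupted[len(noise) + len(SYNC) + 8 + 3] ^= 1      # flip a payload bit in the first frame
    print(phy_receive(corrupted))                       # [b'x']
```

The replay attack defined a few slides later works at the level below this code: it retransmits the raw samples, so the receiver's state machine sees a valid preamble, header and CRC and presents the frame to layer 2 exactly as it did the first time. Any defence therefore has to live above the PHY, in the MAC or application payload (freshness, counters, authentication), not in framing or CRC.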
  32. GNU Radio
     ● GNU Radio is a framework that enables users to design, simulate, and deploy highly capable real-world radio systems.
  33. SDR#
  34. Types of RF Attacks
     ● Wardriving: a type of sniffing that refers to discovering non-802.11 RF networks. Example: the killerbee 802.15.4 framework
     ● Sniffing: the passive observation of wireless network traffic, noteworthy because the wireless domain enables truly promiscuous sniffing with no direct physical access
     ● Replay attacks: involve retransmitting a previously captured raw PHY-layer payload or the synthesis of a new frame based on decoded data
     ● Jamming: can be conducted by transmitting noise within the target network’s RF channel with sufficient bandwidth and power
     ● Evil-twin attack: standing up a decoy device or rogue access point that mimics trusted infrastructure, such that it tricks victims into connecting to it
  35. Replay Attack against the PKE system of cars
     ● RECORD: hackrf_transfer -r 43378000.raw -f 43378000
     ● TRANSMIT: hackrf_transmit -t 43378000.raw -f 43378000
  36. Smart Light Demo
  37. Car Demo
  38. Safety Features: overview of the safety features implemented in radio remote controllers for industrial applications
     ● 1. Pairing Mechanism
       ○ Description: transmitter and receiver are paired with a (fixed) pairing code, which is used to recognize and accept commands only from known transmitters.
       ○ Issues prevented: interference; multiple transmitters (e.g. of the same model and brand) can work together in the same RF band.
       ○ Limitation: knowledge of the pairing code allows complete impersonation of a legitimate transmitter.
     ● 2. Passcode protection
       ○ Description: the operator needs to enter a sequence (passcode) to operate the transmitter. The sequence enables the transmitter and starts the receiver.
       ○ Issues prevented: unwanted commands and unauthorized operations; machinery can be controlled only upon entering the correct passcode.
       ○ Limitation: knowledge of the passcode allows anyone to use a transmitter.
     ● 3. Authorization
       ○ Description: the transmitter implements an access control model that selectively enables or disables advanced features according to the level of the operator, who is identified using radio frequency identification (RFID) or an equivalent factor.
       ○ Issues prevented: inexperienced operators who might issue complex commands that could cause injuries.
       ○ Limitation: RFID and equivalent factors can be stolen or cloned.
     ● 4. Virtual fencing
       ○ Description: transmitter and receiver communicate via an out-of-band channel (e.g., infrared) in addition to RF. When the transmitter is out of range, the receiver does not accept any commands.
       ○ Issues prevented: machines cannot be operated outside the “virtual fence” created by the out-of-band channel (e.g., the infrared range).
       ○ Limitation: knowledge of the out-of-band virtual fencing protocol allows mimicry of it.
  39. ADS-B Receiving Guide (Tracking Aircraft)
     ● ADS-B data is not encrypted (broadcast location and altitude information)
     ● Recommended Windows setup: DUMP1090 + Virtual Radar Server
     ● A vertically polarized antenna tuned to 1090 MHz
     ● Software for receiving and decoding ADS-B
     ● Software for displaying ADS-B location data
     ● (optionally) An LNA and filter for optimizing reception
  41. IMSI Catcher
     ● In 1996, German company Rohde & Schwarz launched the first IMSI catcher, the GA090, in Munich.
     ● The initial design of the IMSI catcher was to identify the cellphone’s geographic location by instructing the cellphone to transmit its IMSI
     ● IMSI: International Mobile Subscriber Identity
     ● MCC: Mobile Country Code
     ● MNC: Mobile Network Code
     ● MSIN: Mobile Subscriber Identity
     ● LAC: Location Area Code
     ● CellId: unique number identifying a base station (BTS) within a LAC
  42. GSM Sniffing with “gr-gsm”: prepare the test environment
     ● Install the compilation dependencies:
       sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
     ● Compile “gr-gsm”:
       git clone
       cd gr-gsm
       mkdir build
       cd build
       cmake ..
       make
       sudo make install
       sudo ldconfig
     ● Compile “kalibrate” (choose the version based on your hardware):
       git clone (for HackRF version)
       git clone (for RTL version)
       cd kalibrate-hackrf
       ./bootstrap
       ./configure
       make
       sudo make install
     ● Scan for base stations with kal:
       kal -s GSM900 -g 40 //Scan GSM900 band
     ● grgsm_livemon -f 945.4e6
  43. IMSI Catcher
  44. Live FM Broadcast
     ● rec -c 2 -t wav -r 44000 no.wav
  45. Wireless Signal Leakage
     ● Two types of signal leakage
       ○ Associate signal quality: short
       ○ Sniff signal quality: long
     ● Design to limit leakage is often futile
       ○ Constantly changing office environment
     ● Modern APs boast increased power
       ○ Typical 32mW - 200mW
  46. Information Disclosure Threats
     ● Wireless LAN = shared segments
       ○ Think ‘hub’ architecture
     ● Passive listening on the network
       ○ Does not require network access
       ○ Only physical proximity
     ● Assume an attacker can capture your network traffic
  47. Anonymity Attacks
     ● WiFi and Bluetooth networks broadcast preferred networks
     ● Anyone can capture these network names or MAC addresses
     ● Used to compromise privacy
  48. Case study: EM-Sense
  49. Case study: EM-Sense. EM-Sense: frequently asked questions
     ● Does every object have an electromagnetic signature... even if it's not electric? Is this because it picks up on our own human electricity or what?
     ● Do similar objects (e.g., similar cameras, but different model) have similar EM signatures?
  50. WiFi Knowledge
     ● Don’t just follow hackers
       ○ Vendors
         ■ Security teams
         ■ Software engineers
         ■ Products
         ■ Security tools
         ■ Hardware engineers
     ● Pentester Academy, CWNP and Offensive Security (OSWP) certifications
     ● Lots of noise when you search WiFi hacking or wireless hacking
       ○ Be specific (MITM, packet parsing, handshakes, hacking)
  51. SDR Knowledge
     ● Just get a freaking HAM license
       ○ Please
       ○ It will help when trying to “work around” transmissions
     ● RTL-SDR Blog
       ○ Lots of great articles
     ● HackRF Michael Ossmann class
     ● FCC and ARRL sites
  52. Bluetooth Knowledge
     ● The reasons that BT hack is not working for you
       ○ It was made for that exact chipset
       ○ It was for that exact keyboard/speaker/mouse
       ○ It was written for that exact OS with those driver and software versions
       ○ It was made for a different version of BT
     ● The BT 1.0 that the tool or hack was written for is not the same BT that's in the BT 4.3 LE padlock you are trying to hack today
     ● I don’t claim to know all of Bluetooth; it is still hard for me to do
     ● You gotta do some reading
  53. Vendors should:
     ● Design and implement proper security mechanisms and provide secure firmware upgrades to existing devices.
     ● Continue to build on open, well-known, standard protocols such as Bluetooth Low Energy, which offers security by design as part of the protocol.
     ● Consider future evolutions or iterations when designing next-generation systems.
  54. System integrators and clients should:
     ● Be aware of the basics of the technology.
     ● Keep computers properly secured and up to date.
     ● Consider next-generation products.
  55. References
     ● Wasabi (BSides DC)
     ● Trend Micro
     ● Michael Ossmann
     ● SANS Institute
     ● Matt Ettus
     ● Ben Hilburn
     ● EM-Sense (Disney Research)
     ● Carnegie Mellon University
  56. Thanks Slide: Harshit Agrawal (@harshitnic)