
BSides Lisbon 2017 - Fantastic Signals and Where to Find Them


Presentation on information security and software defined radio

Published in: Engineering

  1. FANTASTIC SIGNALS AND WHERE TO FIND THEM
     Luis Grangeia & José Moreira, BSides Lisbon 2017
  2. Hello!
     During the day we love to cyber at S21sec!
     I'm Zezadas! Mobile hacker, reverser, Linuxer, biker. Love to watch the world burn. @0xz3z4d45
     I'm Luis! I like ones and zeros of all combinations and to hack embedded systems and airwaves! @lgrangeia
  3. Oh boy, we love signals! What about you?
  4. Disclaimer & Objectives
     ● We are not RF experts!
     ● We are not lawyers!
       ○ Although we've consulted one :)
     ● The main objectives of this talk are:
       ○ Show you the amazing potential of SDR research
       ○ Give you the minimum knowledge necessary to start hacking
       ○ Show you our fails so you don't repeat them
  5. Motivations: why are we doing this and why should you?
  6. A world of signals - on a phone!
     ● GSM / LTE
     ● WiFi
     ● Bluetooth
     ● GPS
     ● NFC
  7. A world of signals - on a car!
     ● FM / AM radio
     ● Wireless key fob
     ● E-toll system (Via Verde)
     ● DSRC
     ● Bluetooth
     ● GPS
     ● TPMS (tyre pressure sensor)
     ● Sometimes also:
       ○ WiFi
       ○ GSM/LTE
  8. A world of signals - on a plane!
     ● Air Traffic Control (voice)
     ● Secondary radar:
       ○ ADS-B
       ○ ACAS (anti-collision)
     ● ACARS (reporting)
     ● In-flight WiFi
  9. A world of signals - in a house!
     ● WiFi
     ● Bluetooth speakers/TV
     ● Alarm
     ● Garage door
     ● Baby monitors
     ● TV (DVB-T)
     ● Satellite (DVB-S)
     ● Dog chip
     ● Wireless keyboard & mouse
     ● Wireless doorbell
  10. A world of signals - others!
     ● Iridium satellite
     ● NOAA weather station
     ● Numbers stations
     ● POCSAG (pagers)
     ● AIS (ship tracking system)
     ● RDS (Radio Data System)
     ● ANT sensors (sports devices)
     ● Medical devices: insulin pumps, pacemakers
     ● Unintentional radio emissions
  11. Why do security research on SDR?
  12. Recent vulnerabilities using RF signals
     ● BlueBorne (2017): remote code execution against unpatched devices running Android, Linux or Windows, via Bluetooth
     ● KRACK (2017)*: breaking WPA2 security by manipulating the WPA handshake
     ● MouseJack (2016): injecting unencrypted keystrokes into a target computer that uses proprietary RF mice
     ● Broadpwn (2017): remotely compromising Android and iOS via a bug in Broadcom's Wi-Fi chipsets
     ● Baseband exploits (2017): buffer overflow in a Huawei baseband processor, exploitable over the air with specially crafted LTE packets
  13. Other known attacks
     "Amplifier attack" (2011): using an amplifier/transmitter to extend the range of a car's wireless key to open it (or start it) remotely
     ● Done in restaurants by evil waiters (with accomplices on the street)
  14. Other known attacks
     GPS spoofing (2011): steal a US military drone by jamming / spoofing GPS signals
  15. Other known attacks
     GPS jamming (2017): Russian jamming of GPS over Norway
  16. 2G/3G/4G attacks
     2G/3G/4G eavesdropping and interception is quite common in some countries:
     ● Passively capturing cell phone identifiers (IMSI, IMEI)
     ● Actively intercepting calls, spoofing SMSs
     ● Can work with 2G/3G (GSM) and 4G (LTE): Zhang Wanqiao, a Chinese researcher from Qihoo 360, has demonstrated an active 4G LTE vulnerability that allows any dedicated attacker to intercept your calls and texts as well as track your location (RuxCon 2016)
  17. Attack surface: a comparison
     On the OS side:
     ● Android OS
     ● Sandboxed processes
     ● Memory isolation
     ● ASLR / KASLR, NX stack
     ● Per-process permissions
     ● SELinux
     Exploitability difficulty:
     On the RF (baseband) side:
     ● Simple OS (VxWorks, FreeRTOS, HNDRTE)
     ● No memory randomization
     ● No memory isolation
     ● Executable stack
     Exploitability difficulty:
  18. Tools
  19. Tools of the trade: HackRF One, BladeRF x40, RTL-SDR (RTL2832U), USRP B200, LimeSDR Mini
  20. Comparing receivers
     Device            Price   Sample rate   Frequency range
     RTL-SDR R820T     20 €    2.4 MS/s      24-1766 MHz
     HackRF One        300 €   20 MS/s       1-6000 MHz
     BladeRF x115      570 €   40 MS/s       300-3800 MHz
     Ettus B205 mini   834 €   56 MS/s       70-6000 MHz
     Cheaper than an IDA Pro license!
  21. Specific devices
     ● Ubertooth One
     ● YARD Stick One
     ● IM-ME
     ● Raspberry Pi (GPIO pins)
     ● Proxmark (NFC)
  22. Affordable and easy-to-use tools + unexplored and wide attack surface = golden age of SDR hacking
  23. Theory (no math because we suck at it)
  24. Radio transmissions 101
     ● Choose a carrier wave
       ○ Usually a sinusoid at a specific frequency
     ● Encode information into that wave by modulating it
  25. FM/AM modulation - theory
  26. AM/FM modulation - practical (Inspectrum screenshot; axes: frequency, time)
  27. Phase modulation
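Slides 24 to 27 describe modulation as varying one property of a carrier (amplitude, frequency or phase) in step with the message. The following example is added here and is not code from the talk: it does the three modulations and their demodulations on complex baseband IQ samples, which is how an SDR handles a signal (the carrier is implicit; `to_rf` shows the up-conversion step). The demodulators correspond to what GNU Radio's "Complex to Mag", "Quadrature Demod" and "Complex to Arg" blocks compute. Sample rate, tone frequency, deviation and indices are assumed values.

```python
"""Modulating a message onto a carrier, seen the way an SDR sees it.

Added example (not from the talk). An SDR works on complex baseband IQ
samples, so AM, FM and PM are per-sample operations on a unit carrier:
  AM: amplitude = 1 + depth * m       FM: phase advances by 2*pi*dev*m/fs
  PM: phase = index * m
"""
import cmath
import math

SAMPLE_RATE = 200_000        # assumed IQ sample rate: 200 kS/s
FM_DEVIATION_HZ = 5_000.0    # assumed peak frequency deviation for FM
PM_INDEX_RAD = 1.0           # assumed peak phase swing for PM
AM_DEPTH = 0.5               # assumed modulation depth for AM


def message(n_samples, tone_hz=1_000.0):
    """Constructed baseband message: a 1 kHz tone with amplitude 1."""
    return [math.sin(2 * math.pi * tone_hz * i / SAMPLE_RATE) for i in range(n_samples)]


def am_modulate(msg):
    """AM: the message scales the carrier amplitude; the phase stays constant."""
    return [complex(1.0 + AM_DEPTH * m, 0.0) for m in msg]


def fm_modulate(msg):
    """FM: the message sets the instantaneous frequency offset from the carrier,
    so the carrier phase is the running integral of the message."""
    iq, phase = [], 0.0
    for m in msg:
        phase += 2 * math.pi * FM_DEVIATION_HZ * m / SAMPLE_RATE
        iq.append(cmath.exp(1j * phase))
    return iq


def pm_modulate(msg):
    """PM: the message sets the carrier phase directly."""
    return [cmath.exp(1j * PM_INDEX_RAD * m) for m in msg]


def am_demodulate(iq):
    """Envelope detector: magnitude of each sample, DC removed, rescaled."""
    return [(abs(s) - 1.0) / AM_DEPTH for s in iq]


def fm_demodulate(iq):
    """Quadrature demodulator: the angle between consecutive samples is the
    phase advance per sample, i.e. the instantaneous frequency."""
    out = [0.0]                       # no previous sample for the first one
    for prev, cur in zip(iq, iq[1:]):
        dphi = cmath.phase(cur * prev.conjugate())
        out.append(dphi * SAMPLE_RATE / (2 * math.pi * FM_DEVIATION_HZ))
    return out


def pm_demodulate(iq):
    """Phase detector: the argument of each sample is the message."""
    return [cmath.phase(s) / PM_INDEX_RAD for s in iq]


def to_rf(iq, carrier_hz):
    """Up-conversion: multiply the baseband IQ by the carrier and keep the real
    part. This is the 'choose a carrier wave' step, done in hardware by an SDR."""
    return [(s * cmath.exp(2j * math.pi * carrier_hz * i / SAMPLE_RATE)).real
            for i, s in enumerate(iq)]


def max_abs_error(a, b):
    """Largest per-sample difference between two real sequences."""
    return max(abs(x - y) for x, y in zip(a, b))


def round_trip_errors(n_samples=400):
    """Modulate the constructed tone three ways and recover it; returns the
    worst-case recovery error per scheme (all close to zero for a clean signal)."""
    msg = message(n_samples)
    return {
        "am": max_abs_error(am_demodulate(am_modulate(msg)), msg),
        "fm": max_abs_error(fm_demodulate(fm_modulate(msg)), msg),
        "pm": max_abs_error(pm_demodulate(pm_modulate(msg)), msg),
    }


if __name__ == "__main__":
    for scheme, err in round_trip_errors().items():
        print(f"{scheme}: max recovery error {err:.2e}")
```

The FM demodulator is the one to keep in mind when looking at a capture in Inspectrum: FM shows up as a trace wandering in frequency over time, while AM/ASK shows up as a trace of constant frequency whose brightness changes, which is exactly the difference between `fm_demodulate` and `am_demodulate` above.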
  28. Software Defined Radio basics
  29. SDR vs. normal radio
  30. Spectrum
  31. Antennas
  32. GQRX - sniffing waves
  33. GNU Radio - FM receiver
  34. GNU Radio - listen to FM radio
  35. GNU Radio - FM transmitter
  36. Practical cases
  37. Restaurant pagers
  38. Easy hacks - replay - restaurant pager
     Active GPS anti-theft… 😂
  39. Easy hacks - replay - restaurant pager
  40. Open GQRX
  41. Open GNU Radio - record
  42. Exploiting the restaurant...
     The pager will beep two times:
     1. Chips
     2. Sandwiches
  43. Replay before the sandwiches are done
  44. Christmas will happen... and someone will get mad.
  45. Quick look at the signal - Inspectrum: frequency modulation.
  46. Work in progress
     ● Get more samples
     ● Get the meaning of the dataset
     ● Understand in which part of the signal the pager's number is identified
     ● Brute-force all possible numbers and buzz all the pagers at once
     ● ???
     ● Profit!!
  47. Watt is love? Baby don't Hertz me, don't Hertz me, no Morse
  48. Garage doors / key fobs
  52. Transmit
  53. SIRESP
  54. SIRESP - Sistema Integrado das Redes de Emergência e Segurança de Portugal
     ● TETRA protocol:
       ○ Digital protocol
       ○ Designed by Motorola (now a standard, mostly)
       ○ Loosely based on GSM
     ● In Portugal:
       ○ Used by police, firefighters, ambulance services
       ○ 380-385 MHz / 390-395 MHz
         ■ Lower frequencies allow for longer range
  55. SIRESP - Sistema Integrado das Redes de Emergência e Segurança de Portugal
     ● Encryption is optional
       ○ Four encryption modes
       ○ Mostly used in Portugal / Europe: TEA2
       ○ Encryption algorithm is not freely available
     ● Communications metadata is not encrypted
     ● There is an app for that!
       ○ Telive: https://github.com/sq5bpf/telive
       ○ Jacek Lipkowski
  56. SIRESP
  57. SIRESP - future work:
     ● Publish a Dockerfile for a configured telive install
     ● Reverse-engineer a TETRA terminal
     ● Obtain encryption algorithms and keys
     ● Investigate authentication modes and encryption key rotation in Portugal
     ● … ask for permission first!
  58. Via Verde
  59. Via Verde
     ● Portuguese e-toll system
     ● Used at freeway toll checkpoints but also for other payments (gas, parking, McDonald's)
     ● Unpublished protocol
     ● Operating frequency: 5802.5 MHz
     ● Out of reach for most radios…
       ○ But not the HackRF!
     ● First step: capture some exchanges
  60. Via Verde - the pieces: reader, gates
  61. Via Verde - in pieces: case, antenna, board, components
  62. Via Verde - signal hunting
     ● Wardriving in 2017!
     ● GNU Radio used to capture the signal to a file
     ● Unfiltered captures are huge
  63. Via Verde - a wild signal appears!
     Gate request (1.8 milliseconds), reader reply (400 microseconds!)
  64. Via Verde
     ● The whole process takes ~6 ms
       ○ The signal is repeated a few times
     ● What information is in the signal?
  65. Via Verde - gate signal analysis
     Gate request:
     ● Amplitude shift keying
     ● Symbol period: 16 µs
  66. Via Verde - gate signal analysis (continued; same parameters as slide 65)
  67. Via Verde - gate signal
     What information is in the signal?
     ● The gate sends its unique identifier
     ● Simple binary encoding
       ○ Amplitude shift keying
     ● Identifiers sometimes vary according to gate
       ○ Preamble size may vary
     ● Gate identifiers appear sequential (per location)
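Slides 65 to 67 give everything needed to turn a recorded gate burst into bits: amplitude shift keying, a 16 µs symbol period, and a preamble whose length may vary. The example below is added here and is not code from the talk, nor Via Verde's real framing: it builds a constructed IQ capture of an on-off-keyed burst, takes the envelope, locates the burst start, averages the middle of each 16 µs symbol and thresholds it, then finds a sync word so the decoder does not depend on the preamble length. The 2 MS/s sample rate, the alternating `10` preamble, the `1100` sync word and the 16-bit identifier are assumptions for the demo.

```python
"""Slicing an amplitude-shift-keyed burst into bits (added example, not from the talk).

Pipeline: IQ samples -> magnitude (envelope) -> burst start -> one average per
16 us symbol (middle half only, to ignore ramp edges) -> threshold -> bit string
-> sync word search -> identifier. The frame layout is a constructed assumption.
"""
import cmath
import random

SAMPLE_RATE = 2_000_000                     # assumed capture rate: 2 MS/s
SYMBOL_PERIOD_S = 16e-6                     # from the slides: 16 us per symbol
SPS = round(SAMPLE_RATE * SYMBOL_PERIOD_S)  # samples per symbol (32 here)
SYNC = "1100"                               # assumed sync word after the preamble
ID_BITS = 16                                # assumed identifier width


def frame_bits(gate_id, preamble_pairs):
    """Constructed frame: '10' * n preamble (n may vary), sync word, MSB-first id."""
    return "10" * preamble_pairs + SYNC + format(gate_id, f"0{ID_BITS}b")


def make_burst(bits, noise=0.05, silence=200, seed=1):
    """Constructed IQ capture: noise, one OOK symbol per bit, noise again.
    '1' is carrier on (unit magnitude with a slowly rotating phase, as in a
    slightly off-tuned capture); '0' is carrier off."""
    rng = random.Random(seed)
    noise_sample = lambda: complex(rng.gauss(0, noise), rng.gauss(0, noise))
    iq = [noise_sample() for _ in range(silence)]
    phase = 0.0
    for bit in bits:
        for _ in range(SPS):
            phase += 0.01
            carrier = cmath.exp(1j * phase) if bit == "1" else 0j
            iq.append(carrier + noise_sample())
    iq.extend(noise_sample() for _ in range(silence))
    return iq


def slice_symbols(iq):
    """Envelope -> burst start -> per-symbol average -> threshold -> bit string."""
    env = [abs(s) for s in iq]
    threshold = (max(env) + min(env)) / 2           # midway between on and off
    start = next(i for i, m in enumerate(env) if m > threshold)
    guard = SPS // 4                                # skip the symbol edges
    bits = []
    for sym_start in range(start, len(env) - SPS + 1, SPS):
        window = env[sym_start + guard: sym_start + SPS - guard]
        bits.append("1" if sum(window) / len(window) > threshold else "0")
    return "".join(bits)


def parse_gate_id(bits):
    """Locate the sync word after the alternating preamble and read the id.
    Searching for the sync word keeps the decoder independent of preamble length."""
    pos = bits.find(SYNC)
    if pos < 0 or bits[:pos] != "10" * (pos // 2):
        raise ValueError("no valid preamble/sync word found")
    id_field = bits[pos + len(SYNC): pos + len(SYNC) + ID_BITS]
    if len(id_field) < ID_BITS:
        raise ValueError("burst ends before the identifier is complete")
    return int(id_field, 2)


def decode_burst(iq):
    """Full chain from IQ samples to the gate identifier."""
    return parse_gate_id(slice_symbols(iq))


if __name__ == "__main__":
    for pairs in (5, 9):                            # two preamble lengths
        capture = make_burst(frame_bits(0x2A5C, pairs))
        print(f"preamble pairs={pairs}: gate id 0x{decode_burst(capture):04X}")
```

Two practical points carry over to real captures: the threshold is taken from the burst itself rather than fixed, so it tolerates different capture gains, and averaging only the middle half of each symbol makes the slicer insensitive to small timing errors between the estimated burst start and the true symbol edges.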
  68. Via Verde - reader reply analysis
  69. Via Verde - reader reply analysis
  70. Via Verde - reader reply analysis
     ● Signal not demodulated yet
     ● Best guess:
       ○ OFDM (Orthogonal Frequency Division Multiplexing)
     ● The signal appears to be constant
       ○ No challenge/response
     ● Next step: simulate a gate transmission
  71. Via Verde - gate setup: Faraday cage (not a microwave oven!), TX radio, RX radio, reader
  72. Via Verde - gate signal generator (GNU Radio)
  73. Generated signal vs. captured signal
  74. Via Verde - results
     ● Sadly, we were not able to obtain a signal back from the reader
     ● Possible causes:
       ○ Lack of power (most likely)
       ○ Signal polarization
         ■ The antenna used was circularly polarized; linear polarization would likely work best
     ● To be continued…
  75. Via Verde - future work:
     ● Demodulate the reader's OFDM marker
     ● Replicate a captured reader marker at a gate
     ● Obtain and disassemble the reader firmware
     ● Boost the signal (or hardwire the antenna to the reader)
     ● … ask for permission first!
  76. Other protocols - more fantastic signals ahead
  77. Numbers stations (HF)
  78. Slow Scan Television (SSTV) (HF)
  79. Aircraft Communications Addressing and Reporting System (ACARS) (HF)
  80. NFC (usrp_nfc) (HF)
  81. Garage door (VHF)
  82. NOAA weather station (VHF)
  83. FM radio (VHF)
  84. PMR446 & walkie-talkies (UHF)
  85. TPMS - Tire Pressure Monitoring System (gr-tpms) (UHF)
  86. GSM (gr-gsm) (UHF)
  87. ADS-B - Automatic Dependent Surveillance - Broadcast (UHF)
  88. LTE (gr-lte) (UHF)
  89. GPS (gr-gps / gps-sdr-sim) (UHF)
  90. ISM keyboard and mouse (gr-nordic) (UHF)
  91. Ubertooth
     ● https://www.davidsopas.com/tag/bluetooth/
     ● https://github.com/evilsocket/bleah
  92. Bluetooth Low Energy (ble_dump) (UHF)
  93. WiFi (gr-ieee802-11) (UHF)
  94. Iridium (gr-iridium) (UHF)
  95. Bonus time - RollJam
  97. Profit!!!
  98. Bonus time #2 - home-made GSM network
     ● Roll your own GSM network with SDR
     ● Possible with full-duplex SDRs:
       ○ BladeRF
       ○ LimeSDR
       ○ USRP
     ● Illegal in Portugal
       ○ Be a good neighbour!
     ● Configured Docker image with YateBTS available:
       ○ github.com/lgrangeia
  99. Conclusions:
     ● These are great times to own the airwaves
     ● SDR hardware is cheap and getting cheaper
     ● SDR research is fun and allows for experimental understanding of radio:
       ○ Every engineering degree should provide SDR equipment to students
     ● Radio transceiver software is full of 90's-style 0days waiting to be found
     ● ANACOM laws must be respected:
  100. Affordable and easy-to-use tools + unexplored and wide attack surface = golden age of SDR hacking
  101. Thanks! Q&A time!
