Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 into more obscure standard and proprietary protocols. While non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Today, cyber threats have grown not just in depth (more sophisticated) but also in breadth (expanded scope): from enterprise IT systems to Operational Technology (OT) and Industrial Control Systems (ICS).
(SACON) Harshit Agrawal - On The Wings of Time: Past, Present and Future of Radio Communication
1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
On the Wings of Time:
Past, Present and Future of Radio Communication Hacking
Harshit Agrawal
@harshitnic
2. SACON 2020
Agenda
● IoT: Transformational Impact across Verticals
● RF Fundamentals
● Joys of the Past
● Current status of Industry & Sutra for Mitigation
● A glimpse of the Future
● Case Study and Demos
● Reference and Learning
3. SACON 2020
Intro
● This is for people who are:
  ○ Just starting out
  ○ Thought WiFi hacking was cool
  ○ Saw a few Hak5 videos and want to get started
  ○ Saw a DEF CON video on wireless stuff
● You need to know how a thing works to defeat it.
  ○ It's not just about the hack
  ○ If you don't know what it is doing and why it's doing it, you won't know why your attack did not work
  ○ Fundamentals, but for the purpose of pulling it apart
● Pay attention to dates and specifics
  ○ There is so much white noise and outdated info on the internet
  ○ Then there is stuff that is older and still good information
5. SACON 2020
Internet of Things Model
1. Controlling Device: smartphones, tablets and other smart devices can control all types of "things".
2. Cloud Service: cloud services provide the repository and access control between the "things" and their controller.
3. Global Network: most "things" are connected to the Internet, except for power grids or classified government systems.
4. Local Network: this may be a controller area network (CAN) in connected cars, a local network in homes, etc.
5. Things: "things" can be remotely controlled or viewed, and they can send telemetry for analysis.
6. SACON 2020
IoT Security Challenges - A perspective
Security challenges?!
● Long IoT device lifetime
  ○ High effort to update devices in the field
  ○ Outdated security mechanisms needed for legacy devices
● Badly maintained IoT devices
  ○ How many users really care as long as it works?
● Signaling storms
  ○ A single IoT device's signaling footprint will often be low, but a fleet of them (re)registering at the same time is not
8. SACON 2020
History
1984: "Software Radio" coined by E-Systems
1995: "The Software Radio Architecture" article published in IEEE Communications Magazine; it earned Joseph Mitola the nickname "The Godfather of Software Radio"
2001: GNU Radio project is founded
2006: First USRP released, the first programmable, general-purpose SDR available publicly
2011: RTL-SDR explosion
9. SACON 2020
History
Processing is defined by programmed algorithms, not hardware.
("Software-Defined Radio" [SDR] is the same thing)
10. SACON 2020
SDR as Spectrum Analyser
● Using SDR to replace most of the hardware for the implementation of radio networking
● An SDR can act as a VSA (vector signal analyzer) when connected to a computer
● Implementation as SoC (System on a Chip)
● Higher-end SDRs have FPGAs for on-board DSP
● Most signal processing and all display functions take place in an external computer, e.g., using GNU Radio
● The SDR shuttles RF I/Q samples to the DSP or host
12. SACON 2020
What are the trade-offs?
Your budget may allow you to buy one of these (a vector signal analyzer): a single well-equipped device measuring one location at a time.
Versus
20 of these (SDR + single-board computer): a network of configurable low-cost sensors spread over a wide geographical area.
13. SACON 2020
Inside the Radio Wave Spectrum
(Slide figure: a chart of the spectrum from 3 kHz up to 5 GHz with example allocations; only the labels are recoverable here)
● AM Radio, Broadcast TV, Cable TV
● Garage door openers, security alarms
● Auctioned spectrum, cell phones, GSM network
● Global Positioning System, satellite radio, satellite transmissions
● Wireless medical telemetry, highway toll tags, weather radar
● 2.4 GHz band: used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth)
● 5 GHz: WiFi network
● Most of the white area of this band is reserved for military, federal government and industry use
15. SACON 2020
RF Propagation & Interference
● Depending on its wavelength, a radio wave loses energy every time it passes through a medium
● Subject to Electromagnetic Interference (EMI)
● The higher the frequency, the more likely there will be interference and distortion
● Ground waves vs skywaves vs line of sight (LOS)
  ○ Atmospheric conditions, reflection (scatter), refraction, absorption
● Line of sight & path loss
  ○ Free-space path loss in dB: FSPL = 20 log10(4πr/λ) = 10 log10(Ptx/Prx), with Ptx > Prx (r = distance, λ = wavelength)
  ○ The loss the link can tolerate between Ptx and the receiver's minimum usable Prx is the link budget
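The path-loss formula above, worked through in code. This is an added example, not the speaker's material: free-space path loss from frequency and distance, the link budget Prx = Ptx + Gtx + Grx - FSPL, and its inverse, the distance at which a receiver of a given sensitivity can still decode the signal. The transmit power, antenna gains and sensitivities used in the demo are assumed round numbers for a 2.4 GHz access point, not measured values, and free-space loss is the optimistic lower bound: walls and fading only add to it.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(freq_hz: float, distance_m: float) -> float:
    """Free-space path loss: 20*log10(4*pi*r/lambda) in dB, with lambda = c/f."""
    wavelength = C / freq_hz
    return 20 * math.log10(4 * math.pi * distance_m / wavelength)


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def received_power_dbm(ptx_dbm: float, gtx_dbi: float, grx_dbi: float,
                       freq_hz: float, distance_m: float) -> float:
    """Link budget in log units: Prx = Ptx + Gtx + Grx - FSPL."""
    return ptx_dbm + gtx_dbi + grx_dbi - fspl_db(freq_hz, distance_m)


def max_range_m(ptx_dbm: float, gtx_dbi: float, grx_dbi: float,
                freq_hz: float, sensitivity_dbm: float) -> float:
    """Invert FSPL: the distance at which Prx drops to the receiver's sensitivity."""
    allowed_loss_db = ptx_dbm + gtx_dbi + grx_dbi - sensitivity_dbm  # the link budget
    wavelength = C / freq_hz
    return wavelength / (4 * math.pi) * 10 ** (allowed_loss_db / 20)


def leakage_demo() -> dict:
    """Assumed numbers: a 100 mW (20 dBm) AP with a 2 dBi antenna; a client that needs
    -70 dBm to associate at a useful rate; a passive sniffer with -95 dBm sensitivity
    and a 9 dBi directional antenna. Same AP, two very different 'edges' of the network."""
    ptx = mw_to_dbm(100)
    return {
        "fspl_100m_db": fspl_db(2.4e9, 100.0),
        "associate_range_m": max_range_m(ptx, 2, 2, 2.4e9, -70),
        "sniff_range_m": max_range_m(ptx, 2, 9, 2.4e9, -95),
    }


if __name__ == "__main__":
    for k, v in leakage_demo().items():
        print(f"{k}: {v:.1f}")
```

Every 6 dB of extra budget (more gain, a better LNA, a more sensitive receiver) doubles the free-space range, which is why the range at which an attacker can sniff a network is so much larger than the range at which a client can use it.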
16. SACON 2020
PHY Layer
● Lowest layer in communication
stack
● In wired protocols: voltage, timing,
and wiring defining 1s and 0s
● In wireless: patterns of energy
being sent over RF medium
17. SACON 2020
The intuition
● Humans analyze complex signals (audio, images) in terms of their sinusoidal components
● We can build instruments that "resonate" at one or multiple frequencies (tuning fork vs piano)
● The "frequency domain" seems to be as important as the time domain
(Python code shown on the slide)
18. SACON 2020
Fundamental question
Can we decompose any signal into sinusoidal elements?
Yes, and Fourier showed us how to do it exactly!
Analysis
● from time domain to frequency domain
● find the contribution of different frequencies
● discover "hidden" signal properties
Synthesis
● from frequency domain to time domain
● create a signal with known frequency content
● fit signals to specific frequency regions
19. SACON 2020
The advantages of complex exponentials
● We can use complex numbers in digital systems, so why not?
● It makes sense: every sinusoid can always be written as a sum of sine and cosine
● The math is simpler: trigonometry becomes algebra
Example: change the phase of a pure cosine with complex exponentials
● sine and cosine "live" together (cosine is the real part and sine the imaginary part of e^(jθ))
● a phase shift is a simple multiplication (by e^(jφ))
● the notation is simpler
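The analysis/synthesis pair and the phase-shift-by-multiplication trick from the two slides above, carried out in code. This is an added example, not from the deck: a direct DFT and inverse DFT written in pure Python (no numpy, so it runs anywhere), applied to a constructed two-tone signal, plus the complex-exponential phase shift. The window length, tone bins and amplitudes are chosen for the example.

```python
import cmath
import math

N = 128  # samples in the analysis window (constructed example, not a real capture)


def make_signal(n_samples: int = N) -> list:
    """Two-tone test signal: a unit cosine at 5 cycles per window plus a half-amplitude cosine at 20."""
    return [math.cos(2 * math.pi * 5 * n / n_samples) + 0.5 * math.cos(2 * math.pi * 20 * n / n_samples)
            for n in range(n_samples)]


def dft(x: list) -> list:
    """Analysis: X[k] = sum_n x[n] * exp(-2*pi*j*k*n/N). O(N^2), fine for a small window."""
    n_samples = len(x)
    return [sum(x[n] * cmath.exp(-2j * math.pi * k * n / n_samples) for n in range(n_samples))
            for k in range(n_samples)]


def idft(spectrum: list) -> list:
    """Synthesis: x[n] = (1/N) sum_k X[k] * exp(+2*pi*j*k*n/N)."""
    n_samples = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * n / n_samples) for k in range(n_samples)) / n_samples
            for n in range(n_samples)]


def dominant_bins(spectrum: list, ratio: float = 0.1) -> list:
    """Bins 0..N/2 (the non-redundant half for real input) above a fraction of the strongest peak."""
    mags = [abs(c) for c in spectrum[: len(spectrum) // 2 + 1]]
    peak = max(mags)
    return [k for k, m in enumerate(mags) if m >= ratio * peak]


def bin_amplitude(spectrum: list, k: int) -> float:
    """A real sinusoid of amplitude A puts A*N/2 into bin k (and its mirror); undo that scaling."""
    return 2 * abs(spectrum[k]) / len(spectrum)


def complex_tone(k: int, n_samples: int = N, phase: float = 0.0) -> list:
    """exp(j*(2*pi*k*n/N + phase)): the cosine is the real part, the sine the imaginary part."""
    return [cmath.exp(1j * (2 * math.pi * k * n / n_samples + phase)) for n in range(n_samples)]


def phase_shift(samples: list, phi: float) -> list:
    """Shifting the phase is one complex multiplication per sample; no trig identities needed."""
    rotation = cmath.exp(1j * phi)
    return [s * rotation for s in samples]


def max_abs_diff(a: list, b: list) -> float:
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    spec = dft(make_signal())
    print("tones found in bins:", dominant_bins(spec))
    print("amplitudes:", [round(bin_amplitude(spec, k), 3) for k in dominant_bins(spec)])
```

The same `dominant_bins` idea is what the FFT plot and waterfall in GQRX show visually: the bins that stand out of the noise floor are the carriers worth tuning to.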
20. SACON 2020
Initial Profiling of our Device
● What does our device do in
normal operation?
● How do they connect?
● Determining the frequency?
21. SACON 2020
Phases of RF Attacks
1. Information gathering
2. Frequency
3. Modulation
4. Transmission
22. SACON 2020
Information Gathering
● A good starting point, if you have some luck, is to search for the FCC ID:
● https://www.fcc.gov/general/fcc-id-search-page
● Demo: https://fccid.io/Y8PFJ17-1
23. SACON 2020
Information extracted from FCC
● FCC also publishes internal images,
external images, user manuals, and
test results for wireless devices.
24. SACON 2020
Frequency
Use a Spectrum Analyzer (GQRX)
● FFT plot and waterfall
● Record and Playback
● Special FM mode for NOAA APT
● Basic Remote Control through TCP
25. SACON 2020
Modulation
● Modulation is like hiding a code inside a carrier wave
● Representing digital data as variations in the carrier wave (its amplitude, frequency or phase)
Source: Attify Inc
27. SACON 2020
Modulation: pick your parameters
Each stage of the transmit chain is a parameter the attacker later has to recover:
● Scrambling: make data appear random (increase entropy of structured data)
● Multiplexing: support multiple data streams, drop-and-insert
● Differential encoding: encode changes in data (receiver can be non-coherent)
● Forward error correction (FEC): protect integrity of data (corruption from noise on the channel)
● Modulation: turn binary into symbols for baseband RF (0/1 → combinations of waves)
● Upconversion: create a signal suitable for the uplink
28. SACON 2020
Demodulation: easy when you know
● Scrambling: possible to determine if it is scrambled (calculate stats), but what is the scrambler? Is it additive or multiplicative? How is it synchronised?
● Multiplexing: are there multiple streams? How are they multiplexed?
● Differential encoding: is it differential, or what defines a 0/1?
● Modulation: what is the modulation? Symbol rate? Does it require coherence? What is the phase difference? Do we need to conjugate the complex plane (I and Q swapped)?
● FEC: which FEC(s) is used? Is it a concatenated code? What is the code rate? What is the block size? How is it synchronised?
29. SACON 2020
Transmission
● Generate the message from the details extracted above (frequency, modulation, bitrate, sync word, preamble...)
● Option 1: use a GNU Radio flow graph
● Option 2: use a command-line RF tool
30. SACON 2020
How Transmitting Works
Layer 2 (MAC): API call → MAC frame = HW address | sequence number | (other stuff) | Layer 3 frame
Layer 1 (PHY): PHY frame = preamble | start-of-frame delimiter | PHY header | MAC frame | CRC → modulation (maps 1s and 0s to electrical phenomena) → to antenna/RF front end
- Matt Knight, Marc Newlin
31. SACON 2020
How Receiving Works
Layer 1 (PHY): from antenna → PHY state machine: wait for preamble → look for SFD → (optional) inspect PHY header → extract N bits → check CRC → present to Layer 2
Layer 2 (MAC): MAC frame = HW address | sequence number | (other stuff) | Layer 3 frame → API call
- Matt Knight, Marc Newlin
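The transmit and receive chains above (and the modulation/demodulation questions from the earlier slides: what defines a 0/1, what is the symbol rate, where is the sync word, does the CRC check) as one runnable example. This is added code, not from the deck and not from any real device: it defines a constructed on-off-keyed PHY with a 0xAAAA preamble, a 0x2DD4 sync word, a length-prefixed payload and a CRC-16, synthesizes a frame from those parameters, "transmits" it as baseband I/Q samples with noise and an unknown carrier phase, then runs the receive state machine over the samples. The preamble, sync word, sample rate and noise level are all assumptions for the example.

```python
import cmath
import random

# Constructed PHY parameters for this example; none of them belong to a real device.
PREAMBLE = bytes([0xAA, 0xAA])   # 1010...: gives the receiver clean symbol-clock edges
SFD = bytes([0x2D, 0xD4])        # start-of-frame delimiter (sync word)
SAMPLE_RATE = 80_000             # baseband I/Q sample rate, Hz
SYMBOL_RATE = 10_000             # OOK symbol rate, baud -> 8 samples per symbol


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16/CCITT: the PHY's integrity check (it is not an authentication check)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def build_phy_frame(payload: bytes) -> bytes:
    """Layer 2 hands down length + payload; layer 1 wraps it in preamble, SFD and CRC."""
    mac_frame = bytes([len(payload)]) + payload
    return PREAMBLE + SFD + mac_frame + crc16_ccitt(mac_frame).to_bytes(2, "big")


def ook_modulate(bits: list, sps: int = SAMPLE_RATE // SYMBOL_RATE, seed: int = 1) -> list:
    """On-off keying at baseband: carrier present for 1, absent for 0, plus noise and idle time."""
    rng = random.Random(seed)                              # deterministic 'channel' for repeatability
    noise = lambda: complex(rng.gauss(0, 0.03), rng.gauss(0, 0.03))
    carrier = cmath.exp(1j * 0.7)                          # unknown fixed phase, as in a real capture
    samples = [noise() for _ in range(13)]                 # receiver was opened before the burst
    for bit in bits:
        samples += [bit * carrier + noise() for _ in range(sps)]
    return samples + [noise() for _ in range(13)]          # and closed after it


def ook_demodulate(samples: list, sample_rate: int = SAMPLE_RATE):
    """Envelope-detect, slice at mid-level, recover the symbol clock, sample each symbol's centre."""
    mags = [abs(s) for s in samples]                       # OOK needs no carrier phase: magnitude only
    threshold = (max(mags) + min(mags)) / 2
    hard = [1 if m > threshold else 0 for m in mags]
    first = hard.index(1)                                  # burst starts with the preamble's leading 1
    runs, run = [], 1
    for a, b in zip(hard[first:], hard[first + 1:]):
        if a == b:
            run += 1
        else:
            runs.append(run)
            run = 1
    sps = min(runs)                                        # alternating preamble: shortest run = 1 symbol
    bits = [hard[i + sps // 2] for i in range(first, len(hard) - sps // 2, sps)]
    return bits, sample_rate / sps                         # recovered bits and estimated symbol rate


def parse_phy_frame(bits: list):
    """Receive state machine: wait for preamble, look for SFD, read length, extract N bytes, check CRC."""
    sync = to_bits(PREAMBLE + SFD)
    for i in range(len(bits) - len(sync) + 1):
        if bits[i:i + len(sync)] == sync:
            start = i + len(sync)
            break
    else:
        return None                                        # no sync word: not a frame for us
    if len(bits) < start + 8:
        return None
    length = from_bits(bits[start:start + 8])[0]
    end = start + 8 * (1 + length)
    if len(bits) < end + 16:
        return None                                        # truncated burst
    mac_frame = from_bits(bits[start:end])
    crc_rx = int.from_bytes(from_bits(bits[end:end + 16]), "big")
    if crc16_ccitt(mac_frame) != crc_rx:
        return None                                        # corrupted: drop it, as a real receiver would
    return mac_frame[1:]                                   # present the layer-3 payload upward


def round_trip(payload: bytes = b"UNLOCK"):
    """Synthesize a frame from the recovered parameters, 'transmit' it, and receive it again."""
    samples = ook_modulate(to_bits(build_phy_frame(payload)))
    bits, baud = ook_demodulate(samples)
    return parse_phy_frame(bits), baud


if __name__ == "__main__":
    print(round_trip())
```

Both flavours of replay from the "Types of RF Attacks" slide are visible here: feeding the recorded `samples` list back in is the raw PHY-layer replay, while `build_phy_frame` is the synthesis of a new frame from decoded data. Nothing in the frame ties it to a particular sender; the CRC only tells the receiver the bits survived the channel.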
32. SACON 2020
GNUradio
● GNU Radio is a framework that enables users to design, simulate, and deploy highly
capable real-world radio systems.
34. SACON 2020
Types of RF Attacks
Wardriving: a type of sniffing that refers to discovering RF networks while moving around, here extended to non-802.11 networks. Example: the KillerBee 802.15.4 framework.
Replay attacks: retransmitting a previously captured raw PHY-layer payload, or synthesizing a new frame based on decoded data.
Sniffing: the passive observation of wireless network traffic, noteworthy because the wireless domain enables truly promiscuous sniffing with no direct physical access.
Jamming: can be conducted by transmitting noise within the target network's RF channel with sufficient bandwidth and power.
Evil-twin attack: standing up a decoy device or rogue access point that mimics trusted infrastructure, such that it tricks victims into connecting to it.
35. SACON 2020
Replay Attack
Replay attack against the PKE (passive keyless entry) system of cars
● RECORD (-r writes raw 8-bit I/Q samples; -f is the centre frequency in Hz)
  hackrf_transfer -r 43378000.raw -f 43378000
● TRANSMIT (same tool with -t; there is no separate hackrf_transmit binary)
  hackrf_transfer -t 43378000.raw -f 43378000
● Caveats: -f takes Hz, so 43378000 is 43.378 MHz; a fob at 433.78 MHz would be -f 433780000. Use the same sample rate (-s) for both steps, and raise the TX gain (-x) if nothing is heard. Fobs with rolling codes, and PKE systems with challenge-response, reject a straight replay of an exchange they have already seen, which is why a replay that "worked once" stops working.
38. SACON 2020
Safety Features
Overview of the safety features implemented in radio remote controllers for industrial applications (for each: description, issues prevented, limitation).
1. Pairing mechanism
   Description: Transmitter and receiver are paired with a (fixed) pairing code, which is used to recognize and accept commands only from known transmitters.
   Issues prevented: Interference: multiple transmitters (e.g. of the same model and brand) can work together in the same RF band.
   Limitation: Knowledge of the pairing code allows complete impersonation of a legitimate transmitter.
2. Passcode protection
   Description: The operator needs to enter a sequence (passcode) to operate the transmitter. The sequence enables the transmitter and starts the receiver.
   Issues prevented: Unwanted commands and unauthorized operations: machinery can be controlled only upon entering the correct passcode.
   Limitation: Knowledge of the passcode allows anyone to use a transmitter.
3. Authorization
   Description: The transmitter implements an access control model that selectively enables or disables advanced features according to the level of the operator, who is identified using radio frequency identification (RFID) or an equivalent factor.
   Issues prevented: Inexperienced operators who might issue complex commands that could cause injuries.
   Limitation: RFID and equivalent factors can be stolen or cloned.
4. Virtual fencing
   Description: Transmitter and receiver communicate via an out-of-band channel (e.g., infrared) in addition to RF. When the transmitter is out of range, the receiver does not accept any commands.
   Issues prevented: Machines cannot be operated outside the "virtual fence" created by the out-of-band channel (e.g., the infrared range).
   Limitation: Knowledge of the out-of-band virtual fencing protocol allows mimicry of it.
39. SACON 2020
ADS-B Receiving Guide (Tracking Aircraft)
ADS-B data is not encrypted (aircraft broadcast their location and altitude in the clear)
Recommended Windows setup: dump1090 + Virtual Radar Server
● A vertically polarized antenna tuned to 1090 MHz.
● Software for receiving and decoding ADS-B.
● Software for displaying ADS-B location data.
● (optionally) An LNA and filter for optimizing reception.
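The point that ADS-B is broadcast in the clear, worked through in code. This is an added example, not the speaker's material and not dump1090's code: it checks the Mode S parity field and decodes the ICAO address and callsign of a DF17 identification frame, using a publicly documented sample frame (8D4840D6202CC371C32CE0576098, from the mode-s.org decoding guide) as input, and then builds a fresh identification frame with a valid parity field for an ICAO address and callsign of the forger's choosing (ABCDEF and SACON20 are made-up values). The parity is a CRC, so it catches corruption but says nothing about who sent the frame. Position decoding (CPR) is omitted, and the forged frame is only fed back into the decoder: transmitting on 1090 MHz is unlawful almost everywhere.

```python
# Added example: a minimal Mode S / ADS-B identification decoder and a frame forger.
MSG = "8D4840D6202CC371C32CE0576098"   # public sample DF17 frame, 112 bits as 28 hex digits
GENERATOR = 0xFFF409                    # Mode S CRC polynomial; the leading x^24 term is implied
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def hex_to_bits(msg_hex: str) -> str:
    return bin(int(msg_hex, 16))[2:].zfill(len(msg_hex) * 4)


def mode_s_crc(msg_hex: str) -> int:
    """Long division of the 112-bit message by the generator; a genuine frame leaves remainder 0."""
    bits = [int(b) for b in hex_to_bits(msg_hex)]
    taps = [int(b) for b in bin(GENERATOR | (1 << 24))[2:]]    # 25 taps incl. the implicit leading 1
    for i in range(len(bits) - 24):
        if bits[i]:
            for j, tap in enumerate(taps):
                bits[i + j] ^= tap
    return int("".join(map(str, bits[-24:])), 2)


def decode(msg_hex: str) -> dict:
    """Downlink format, ICAO address, type code, and the callsign of identification messages (TC 1-4)."""
    bits = hex_to_bits(msg_hex)
    df = int(bits[0:5], 2)
    me = bits[32:88]                                               # 56-bit ADS-B message field
    tc = int(me[0:5], 2)
    result = {"df": df, "icao": msg_hex[2:8].upper(), "typecode": tc,
              "crc_ok": mode_s_crc(msg_hex) == 0}
    if df == 17 and 1 <= tc <= 4:
        result["callsign"] = "".join(CALLSIGN_CHARSET[int(me[8 + 6 * k: 14 + 6 * k], 2)]
                                     for k in range(8))
    return result


def forge_identification(icao_hex: str, callsign: str) -> str:
    """Any sender can emit a frame that passes the parity check: CRC is integrity, not authenticity."""
    callsign = callsign.upper().ljust(8, "_")[:8]                  # '_' encodes the padding space
    me = "00100" + "000" + "".join(format(CALLSIGN_CHARSET.index(c), "06b") for c in callsign)
    body = "10001" + "101" + hex_to_bits(icao_hex) + me            # DF=17, CA=5, ICAO, ME: 88 bits
    body_hex = "{:022X}".format(int(body, 2))
    parity = mode_s_crc(body_hex + "000000")                       # remainder of body * x^24
    return body_hex + "{:06X}".format(parity)


if __name__ == "__main__":
    print(decode(MSG))
    print(decode(forge_identification("ABCDEF", "SACON20")))
```

Feeding the forged frame back into `decode` returns a plausible aircraft with a passing CRC, which is exactly why receivers such as Virtual Radar Server should not be treated as an authenticated data source.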
41. SACON 2020
IMSI Catcher
In 1996, the German company Rohde & Schwarz launched the first IMSI catcher, the GA090, in Munich.
The initial design of an IMSI catcher was to identify the cellphone's geographic location by instructing the cellphone to transmit its IMSI.
● IMSI: International Mobile Subscriber Identity (MCC + MNC + MSIN)
● MCC: Mobile Country Code
● MNC: Mobile Network Code
● MSIN: Mobile Subscriber Identification Number
● LAC: Location Area Code
● CellId: unique number identifying a base station (BTS) within the LAC
42. SACON 2020
GSM Sniffing with "gr-gsm"
Prepare the test environment:
1. Install the compilation dependencies:
   sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
2. Compile "gr-gsm":
   git clone https://github.com/ptrkrysik/gr-gsm.git
   cd gr-gsm
   mkdir build
   cd build
   cmake ..
   make
   sudo make install
   sudo ldconfig
3. Compile "kalibrate" (choose the version based on your hardware):
   git clone https://github.com/scateu/kalibrate-hackrf.git   (HackRF version)
   git clone https://github.com/steve-m/kalibrate-rtl.git     (RTL-SDR version)
   cd kalibrate-hackrf
   ./bootstrap
   ./configure
   make
   sudo make install
4. Scan for base stations with kal:
   kal -s GSM900 -g 40     (scan the GSM900 band)
5. Monitor a channel frequency reported by the scan:
   grgsm_livemon -f 945.4e6
45. SACON 2020
Wireless Signal Leakage
● Two kinds of signal leakage, with two different ranges
  ○ Associate signal quality: short range (a client must also be heard back by the AP)
  ○ Sniff signal quality: long range (a passive receiver only has to decode the AP, so an attacker with a good antenna hears it well beyond the association range)
● Designing the building or floor plan to limit leakage is often futile
  ○ Constantly changing office environment
● Modern APs boast increased power
  ○ Typical 32 mW - 200 mW
46. SACON 2020
Information Disclosure Threats
● Wireless LAN = shared segment
  ○ Think "hub" architecture
● Passive listening on the network
  ○ Does not require network access
  ○ Only physical proximity
Assume an attacker can capture your network traffic
47. SACON 2020
Anonymity Attacks
● WiFi clients probe for their preferred networks, and Bluetooth devices advertise their names
● Anyone can capture these network names or MAC addresses
● Used to compromise privacy (track a device, or infer where its owner has been from the networks it asks for)
49. SACON 2020
Case study: EM-Sense
EM-SENSE: FREQUENTLY ASKED QUESTIONS
● Does every object have an electromagnetic signature... even if it's not electric? Is this because it
picks up on our own human electricity or what?
● Do similar objects (e.g., similar cameras, but different model) have similar EM signatures?
50. SACON 2020
WiFi Knowledge
● Don't just follow hackers
  ○ Vendors
    ■ Security teams
    ■ Software engineers
    ■ Products
    ■ Security tools
    ■ Hardware engineers
● Pentester Academy, CWNP and Offensive Security (OSWP) certifications
● Lots of noise when you search "WiFi hacking" or "wireless hacking"
  ○ be specific (MITM, packet parsing, handshakes, hacking)
51. SACON 2020
SDR Knowledge
● Just get a freaking HAM license
  ○ please
  ○ it will help when trying to "work around" transmissions
● RTL-SDR Blog
  ○ lots of great articles
● HackRF class by Michael Ossmann
● FCC and ARRL sites
52. SACON 2020
Bluetooth Knowledge
● The reasons that BT hack is not working for you:
  ○ It was made for that exact chipset
  ○ It was for that exact keyboard/speaker/mouse
  ○ It was written for that exact OS with those driver and software versions
  ○ It was made for a different version of BT
● The BT 1.0 that the tool or hack was written for is not the same BT that's in the Bluetooth 4.x LE padlock you are trying to hack today
● I don't claim to know all of Bluetooth; it is still hard for me to do
● You gotta do some reading
  ○ https://www.bluetooth.com/specifications/bluetooth-core-specification
53. SACON 2020
Vendors should:
● Design and implement proper security mechanisms and provide secure firmware upgrades to existing devices.
● Continue to build on open, well-known, standard protocols such as Bluetooth Low Energy, which offers security by design as part of the protocol.
● Consider future evolutions or iterations when designing next-generation systems.
54. SACON 2020
System integrators and clients should:
● Be aware of the basics of the technology.
● Keep computers properly secured and up to date.
● Consider next-generation products.
55. SACON 2020
● Wasabi (Bsides DC)
● Trend Micro
● Michael Ossmann
● SANS Institute
● Matt Ettus
● Ben Hilburn
● EM-Sense (Disney Research)
● Carnegie Mellon University
References