1

Rage Against The Radio

Stefan Kiese, skiese@ernw.de, @net0SKi

04.11.2016 – IT-SeCX, St. Poelten, Austria

2

About Me

o Security Analyst andResearcher at ERNW in Heidelberg, Germany

o Background in electronics

o Love to play around with technical stuff; not only electronics

5

SDR – A Definition

6

Wikipedia says:

o “Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system.”

Source: https://en.wikipedia.org/wiki/Software-defined_radio

7

…or even shorter:

o "Radio in which some or all of the physical layer functions are software defined”

Source: http://www.wirelessinnovation.org/assets/documents/SoftwareDefinedRadio.pdf

8

Pros and Cons

Mostly depend on specific use case.

9

o Very cheap (when RX only! E.g. RTL-SDR ~15€)

o Still cheap (starting between 300 - 800€) considering capability

o High flexibility

o …

o Expensive considering mostly used/needed features

o Not easy to use without RF knowledge

o Difficult, when it comes to timing sensitive things (e.g. frequency hopping)

o Often time intensive

o …

Pros Cons

10

Tools

What you need to get started.

11

Hardware

o RTL-SDR (RX-only)

o HackRF One (half-duplex)

o bladeRF

o USRP

12

Software

o GNU Radio Companion

o GQRX

o Baudline or Inspectrum

o Audacity

o Python

13

o GSM

o LTE

o GPS

o Bluetooth (LE)

o DVB

o Zigbee

o Z-Wave

o TI CCxx

o NRF24

o …

Open Source Modules / Implementations

14

Targets

What could be attacked?

15

Targets

o Everything “smart” (dogs, cats, babies, phones, watches, houses, cities, meters,…)

o Everything “IoT” (dogs, cats, houses,…)

o Everything connected (also wired! Like your cable TV @home)

16

War Stories

17

The Stories

o GPS Spoofing

o Unlocking a car

o Disarming an alarm system

o Keystroke injection over the air

o Tire Pressure Monitoring Systems (TPMS)

o GSM

18

GPS Spoofing

19

Setup

o HackRF One or another SDR

o (Signal generator)

o gps-sdr-sim (https://github.com/osqzss/gps-sdr-sim)

o Smartphone or GPS mouse + app

20

22

How to Open a Car – 90s Style

…and what shouldn’t be possible anymore.

23

Setup 1

o Some TX-capable SDR

o Software

o GNU Radio

or

o Simpler solution: Software delivered with the SDR’s driver, like hackrf_transfer

24

Simple flowgraph to

record a signal w/o any

filter

25Simple flowgraph to replay

a signal w/o any filter

26

Setup 2

o Yardstick One

o rfcat

27

Setup 3

o Arduino (3 – 25€) or Raspi

o 433MHz Transmitter and Receiver (5€)

o Firmware

28

Setup 4

o Some 5€ RF keyfob from e.g. ebay

Easily clone other keyfobs

30

Why does this *technically* work?

o No use of rolling code or other security mechanisms

31

Disarming Wireless Alarm Systems

32

What’s possible?

o Jamming signals from sensors, like on the windows, doors or even motion detector

This often works, because many of the alarm systems work unidirectional only or are w/o sth. like “still alive” signals

o Replay attacks

Many lack rolling code implementations

o Analyze signal and do whatever you want

That’s why we use SDR!

o DoS them

33

Setup 1

o Some TX-capable SDR

o Software

o GNU Radio

or

o Simpler solution: Software delivered with the SDR’s driver, like hackrf_transfer

34

Simple flowgraph to

record a signal w/o any

filter

35Simple flowgraph to replay

a signal w/o any filter

36

o Same setups as mentioned before.

o Same problems as mentioned before?

o It’s even worse!

o Many alarm systems on the market are imported from e.g. China and sold under $brand, which often means bad support (and no reaction on vuln disclosure), because nobody wants to be responsible

41

Your Wireless Desktop

Please don’t use wireless keyboards or mouses at work (or at home)!

42

Why you shouldn’t use them?

o Ever thought about the difference between wired and wireless? ;-)

o Let’s assume:

o Wired == local

o Wireless == remote

o So, one does not need to tamper things locally on your PC

o Don’t blindly trust “AES” imprints on boxes

43

Setup

o SDR

or

o Some custom radio dongle, regarding the target

44

Example Setup for Logitech /

Microsoft

o (SDR – similar to BT LE; AFAIK not easy regarding channel hopping)

or

o USB radio dongle with NRF24 chipset, like Logitech Unifying Dongle or Crazyradio Dongle

or

o Some other radio with NRF24 chipset w/o USB + Raspi or Arduino

o Bastille’s excellent NRF Research Firmware

45

What’s possible with this?

o Jamming…

o Eavesdropping in some case

The most interesting thing (from my perspective):

o Keystroke injection!

That’s why I don’t use a wireless presenter today ;-)

46

TPMS

(Tire Pressure Monitoring System)

47

Facts

o Sensors need 125kHz signal to wake up

o Data transmission via 433MHz signal

48

What could you do?

o Wake the sensors up (only short range)

o Well, that’s boring…

o Spoof them.

o Fuzz them. Effects to the car? Unknown, should differ ;-)

49

Setup

o SDR and GNU Radio or some custom tool

or

o Arduino and 433MHz transmitter

50

GSM

Source: sysmocom.de

51

What could you do?

o Build up a fake cell (BTS)

o IMSI catcher

o IMSI catcher catcher ;-)

o Sniff GSM

o Fuzz sth. over the network

o …

52

Setup

o SDR

o When sniffing only, cheap RX-only SDR works fine

o Full duplex needed to act as Base Transceiver Station (BTS)

o Dedicated BTS

o Sure, some software, e.g. from osmocom

58

Demo Time

59

www.ernw.de

www.insinuator.net

Thank you for your Attention!

Any questions?

skiese@ernw.de

@net0SKi