1
Rage Against The Radio
Stefan Kiese, [email protected], @net0SKi
04.11.2016 – IT-SeCX, St. Poelten, Austria
2
About Me
o Security Analyst and Researcher at ERNW in Heidelberg, Germany
o Background in electronics
o Love to play around with technical stuff; not only electronics
5
SDR – A Definition
6
Wikipedia says:
o “Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system.”
Source: https://en.wikipedia.org/wiki/Software-defined_radio
7
…or even shorter:
o "Radio in which some or all of the physical layer functions are software defined”
Source: http://www.wirelessinnovation.org/assets/documents/SoftwareDefinedRadio.pdf
8
Pros and Cons
Mostly depend on specific use case.
9
Pros
o Very cheap (when RX only! E.g. RTL-SDR ~15€)
o Still cheap (starting between 300 - 800€) considering capability
o High flexibility
o …
Cons
o Expensive considering mostly used/needed features
o Not easy to use without RF knowledge
o Difficult, when it comes to timing sensitive things (e.g. frequency hopping)
o Often time intensive
o …
10
Tools
What you need to get started.
11
Hardware
o RTL-SDR (RX-only)
o HackRF One (half-duplex)
o bladeRF
o USRP
12
Software
o GNU Radio Companion
o GQRX
o Baudline or Inspectrum
o Audacity
o Python
13
Open Source Modules / Implementations
o GSM
o LTE
o GPS
o Bluetooth (LE)
o DVB
o Zigbee
o Z-Wave
o TI CCxx
o NRF24
o …
14
Targets
What could be attacked?
15
Targets
o Everything “smart” (dogs, cats, babies, phones, watches, houses, cities, meters,…)
o Everything “IoT” (dogs, cats, houses,…)
o Everything connected (also wired! Like your cable TV @home)
16
War Stories
17
The Stories
o GPS Spoofing
o Unlocking a car
o Disarming an alarm system
o Keystroke injection over the air
o Tire Pressure Monitoring Systems (TPMS)
o GSM
18
GPS Spoofing
19
Setup
o HackRF One or another SDR
o (Signal generator)
o gps-sdr-sim (https://github.com/osqzss/gps-sdr-sim)
o Smartphone or GPS mouse + app
20
22
How to Open a Car – 90s Style
…and what shouldn’t be possible anymore.
23
Setup 1
o Some TX-capable SDR
o Software
o GNU Radio
or
o Simpler solution: Software delivered with the SDR’s driver, like hackrf_transfer
24
Simple flowgraph to record a signal w/o any filter
25
Simple flowgraph to replay a signal w/o any filter
26
Setup 2
o Yardstick One
o rfcat
27
Setup 3
o Arduino (3 – 25€) or Raspi
o 433MHz Transmitter and Receiver (5€)
o Firmware
28
Setup 4
o Some 5€ RF keyfob from e.g. ebay
Easily clone other keyfobs
30
Why does this *technically* work?
o No use of rolling code or other security mechanisms
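To make the "no rolling code" point concrete from the receiver's side, here is an added example (not code from the talk, and not any vendor's protocol): a constructed fixed-code receiver next to a constructed rolling-code receiver, both fed the same recorded frame a second time. The scheme, key, window size and frame layout are all assumptions made for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo scheme (not KeeLoq or any vendor protocol): fob and receiver
# share a secret key; every press carries a counter that must move forward.
WINDOW = 16            # presses the receiver tolerates missing (fob pressed out of range)
FRAME_LEN = 4 + 1 + 8  # counter || command || truncated HMAC tag


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Fob side: counter (4 bytes) || command (1 byte) || 8-byte HMAC-SHA256 tag."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class FixedCodeReceiver:
    """90s-style receiver: one static code, no state, so a recording is as good as the fob."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly newer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or bit-flipped frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False                      # replayed (old) or implausibly far ahead
        self.last_counter = counter           # advance so this frame can never be reused
        return True


def demo() -> dict:
    """Runs the same replay against both receiver designs; returns what each accepted."""
    key = b"constructed-demo-key-not-a-real-secret"
    results = {}

    static_code = b"\xa5\x5a\x0f\xf0"
    fixed = FixedCodeReceiver(static_code)
    results["fixed_first"] = fixed.accept(static_code)
    results["fixed_replay"] = fixed.accept(static_code)   # same bytes, accepted again

    rolling = RollingCodeReceiver(key)
    press1 = make_frame(key, 1, 0x01)
    results["rolling_first"] = rolling.accept(press1)
    results["rolling_replay"] = rolling.accept(press1)    # recorded frame, rejected
    results["rolling_skip_ahead"] = rolling.accept(make_frame(key, 5, 0x01))  # presses 2-4 lost
    results["rolling_stale"] = rolling.accept(make_frame(key, 3, 0x01))       # older than last seen
    results["rolling_too_far"] = rolling.accept(make_frame(key, 5 + WINDOW + 1, 0x01))
    tampered = bytearray(make_frame(key, 6, 0x01))
    tampered[4] ^= 0x01                                   # change the command, keep the tag
    results["rolling_tampered"] = rolling.accept(bytes(tampered))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} {'ACCEPTED' if accepted else 'rejected'}")
```

The fixed-code receiver has nothing to compare against except the code itself, so the second presentation of the identical bytes opens the car just like the first. The rolling-code receiver remembers the last counter it accepted and advances it, so the recorded frame is stale on the second try; the acceptance window only exists so that presses made out of range do not desynchronise fob and car for good.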
31
Disarming Wireless Alarm Systems
32
What’s possible?
o Jamming signals from sensors, like on the windows, doors or even motion detector
This often works, because many alarm systems work unidirectionally only or lack something like a “still alive” signal
o Replay attacks
Many lack rolling code implementations
o Analyze signal and do whatever you want
That’s why we use SDR!
o DoS them
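The jamming point above is really about supervision: if sensors never report in, the panel cannot tell a silent sensor from a jammed one. As an added example (not code from the talk), here is a small supervision check over a constructed log of "still alive" reports; the log format, the 5-minute interval and the two-missed-reports threshold are all assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: every sensor is supposed to report every 5 minutes.
# window_rear goes quiet after 10:00, pir_hall after 10:10.
SAMPLE_LOG = """\
2016-11-04T10:00:00 sensor=door_front event=heartbeat rssi=-61
2016-11-04T10:00:00 sensor=window_rear event=heartbeat rssi=-70
2016-11-04T10:00:00 sensor=pir_hall event=heartbeat rssi=-55
2016-11-04T10:05:00 sensor=door_front event=heartbeat rssi=-60
2016-11-04T10:05:00 sensor=pir_hall event=heartbeat rssi=-56
2016-11-04T10:10:00 sensor=door_front event=heartbeat rssi=-62
2016-11-04T10:10:00 sensor=pir_hall event=heartbeat rssi=-55
2016-11-04T10:15:00 sensor=door_front event=heartbeat rssi=-61
"""

HEARTBEAT_INTERVAL = timedelta(minutes=5)
MISSED_BEFORE_ALARM = 2   # tolerate two lost reports (RF is lossy) before raising a fault

LINE_RE = re.compile(r"^(\S+) sensor=(\S+) event=(\S+)")


def last_seen(log: str) -> dict:
    """Returns {sensor: datetime of its most recent heartbeat}."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "heartbeat":
            continue
        ts = datetime.fromisoformat(m.group(1))
        sensor = m.group(2)
        if sensor not in seen or ts > seen[sensor]:
            seen[sensor] = ts
    return seen


def supervision_faults(log: str, now: datetime) -> list:
    """Sensors silent for longer than MISSED_BEFORE_ALARM intervals at time `now`.
    Returns [(sensor, minutes_silent)], longest silence first."""
    limit = HEARTBEAT_INTERVAL * MISSED_BEFORE_ALARM
    faults = []
    for sensor, ts in last_seen(log).items():
        silent = now - ts
        if silent > limit:
            faults.append((sensor, int(silent.total_seconds() // 60)))
    return sorted(faults, key=lambda f: -f[1])


if __name__ == "__main__":
    for check in ("2016-11-04T10:15:00", "2016-11-04T10:21:00"):
        print(check, supervision_faults(SAMPLE_LOG, datetime.fromisoformat(check)))
```

A supervision fault does not prove jamming: a dead battery or a sensor moved out of range looks the same from the panel. That is fine for the defender, because all three need a look, and it is exactly the signal a panel without "still alive" reports never gets.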
33
Setup 1
o Some TX-capable SDR
o Software
o GNU Radio
or
o Simpler solution: Software delivered with the SDR’s driver, like hackrf_transfer
34
Simple flowgraph to record a signal w/o any filter
35
Simple flowgraph to replay a signal w/o any filter
36
o Same setups as mentioned before.
o Same problems as mentioned before?
o It’s even worse!
o Many alarm systems on the market are imported from e.g. China and sold under $brand, which often means bad support (and no reaction on vuln disclosure), because nobody wants to be responsible
41
Your Wireless Desktop
Please don’t use wireless keyboards or mice at work (or at home)!
42
Why shouldn’t you use them?
o Ever thought about the difference between wired and wireless? ;-)
o Let’s assume:
o Wired == local
o Wireless == remote
o So, one does not need to tamper things locally on your PC
o Don’t blindly trust “AES” imprints on boxes
43
Setup
o SDR
or
o Some custom radio dongle, regarding the target
44
Example Setup for Logitech /
Microsoft
o (SDR – similar to BT LE; AFAIK not easy regarding channel hopping)
or
o USB radio dongle with NRF24 chipset, like Logitech Unifying Dongle or Crazyradio Dongle
or
o Some other radio with NRF24 chipset w/o USB + Raspi or Arduino
o Bastille’s excellent NRF Research Firmware
45
What’s possible with this?
o Jamming…
o Eavesdropping in some cases
The most interesting thing (from my perspective):
o Keystroke injection!
That’s why I don’t use a wireless presenter today ;-)
46
TPMS
(Tire Pressure Monitoring System)
47
Facts
o Sensors need 125kHz signal to wake up
o Data transmission via 433MHz signal
48
What could you do?
o Wake the sensors up (only short range)
o Well, that’s boring…
o Spoof them.
o Fuzz them. Effects to the car? Unknown, should differ ;-)
49
Setup
o SDR and GNU Radio or some custom tool
or
o Arduino and 433MHz transmitter
50
GSM
Source: sysmocom.de
51
What could you do?
o Build up a fake cell (BTS)
o IMSI catcher
o IMSI catcher catcher ;-)
o Sniff GSM
o Fuzz something over the network
o …
52
Setup
o SDR
o When sniffing only, cheap RX-only SDR works fine
o Full duplex needed to act as Base Transceiver Station (BTS)
o Dedicated BTS
o Sure, some software, e.g. from osmocom
58
Demo Time
59
www.ernw.de
www.insinuator.net
Thank you for your Attention!
Any questions?
@net0SKi