radio exploitation 101 grcon · 2020-05-13 · RADIO EXPLOITATION 101 // BASTILLE NETWORKS WHO ARE...
RADIO EXPLOITATION 101
MATT KNIGHT // MARC NEWLIN // BASTILLE NETWORKS
CHARACTERIZING//CONTEXTUALIZING//CLASSIFYING RF ATTACKS
THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM
APPLICATIONS OF SDR IN SECURITY RESEARCH
OFFENSIVE WIRELESS TECHNIQUES PHY && MAC LAYERS
WIRELESS THREAT TAXONOMY
Abridged from DEF CON
RADIO EXPLOITATION 101 // BASTILLE NETWORKS
WHO ARE THESE GUYS
▸ Matt Knight
  ▸ Software Engineer and Security Researcher @ Bastille Networks
  ▸ Reverse engineered the LoRa wireless protocol in 2016
  ▸ BE & BA from Dartmouth
▸ Marc Newlin
  ▸ Security Researcher @ Bastille Networks
  ▸ Discovered Mousejack vulnerability in 2016
  ▸ Finished 3rd in DARPA Spectrum Challenge in 2012
  ▸ Finished 2nd in DARPA Shredder Challenge in 2010
matt@ .net @embeddedsec
marc@ .net @marcnewlin
AGENDA
1. Historical retrospective of wired and wireless security tech development
2. Methods of Wireless Exploitation
‣ Techniques, impact, and defenses
‣ Analogues to wired networks
‣ Examples and demos
3. How to apply this information
EVOLUTION OF NETWORK SECURITY
HISTORICAL BACKGROUND
https://frostedpress.files.wordpress.com/2016/09/4286297.png
Packet sniffing in the 1990s
Protocols: 802.3, 802.5
http://s202976374.onlinehome.us/ebay/test_equip/analyzers/Dolch_PAC_64_05.jpg
NETWORK GENERAL PACKET SNIFFER
$8,000+ (in 1990s dollars)
Installed on a Dolch lunchbox computer
👎 PROPRIETARY
Packet sniffing in 1998
ETHEREAL // WIRESHARK
$0
https://blog.wireshark.org/wp-content/uploads/2013/10/ethereal-0.2.0.png
👍 COMMODITY
Packet sniffing since the 2000s
Protocols: LTE-M, GPS, 802.5, 802.11, WiMax, Enocean, DMR, 802.3, HSPA, LTE, CDMA, GSM, Bluetooth, Bluetooth LE, Z-Wave, 802.15.4, GPRS, EDGE, DECT, LoRa, SIGFOX, 802.16, nRF24, NB-IoT
TONS OF WIRELESS
EARLY SDRS
>>$100K
👎 PROPRIETARY
Wireless sniffing in 2012
RTL 2832 USB STICK
$8
(not pictured: promiscuous mode driver)
+ Free Software (THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM) 😏
Wireless sniffing in 2017
ALL THE SDRS
$8 -> $1150
https://www.nuand.com/blog/wp-content/uploads/2013/05/DSC0063.png
https://www.ettus.com/product/details/UB210-KIT
https://cdn.sparkfun.com//assets/parts/9/9/5/3/13001-04.jpg
https://cdn.itead.cc/media/catalog/product/i/m/im141027001_5__1.jpg
http://www.nooelec.com/store/media/catalog/product/cache/1/image/1200x/040ec09b1e35df139433887a97daa66f/n/e/nesdr_mini_1b.jpg
https://www.ettus.com/content/images/USRP_B200mini_Front_Diagonal_Large.png
+ Free Software (THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM)
👍 COMMODITY
WIRELESS IN 2017
▸ 802.11 is just one piece of the puzzle
▸ Explosion of IoT and Mobile means…
▸ There’s a PHY for every use case
▸ Embedded systems are everywhere
http://postscapes.com/internet-of-things-technologies
EMBEDDED == DESIGN BY COMPROMISE
▸ Battery powered
▸ Limited user interaction
▸ Lack of crypto
▸ Unsuitable pipes for firmware updates
▸ Performance, UX, cost, and delivery are more important than best practices
https://www.thestar.com/content/dam/thestar/yourtoronto/the_fixer/2013/11/08/cyclists_cant_trip_the_light_if_the_sensor_doesnt_work/the_fixer.jpg.size.custom.crop.867x650.jpg
Literal embedded systems
(or is it Compromised by Design?)
Industry reliance on SECURITY THROUGH OBSCURITY means…
[PIÑATAS]
METHODS OF EXPLOITATION
CLASSIFYING RF ATTACK METHODS
CLASSIFYING RF ATTACK METHODS
▸ For each attack category, we’ll show:
1. Method: how the attack is performed
2. Impact: what the attack enables
3. Analogue: equivalent attack on wired/IP network, if one exists
4. Limitations: mitigations, whether incidental or intentional
5. Example: relevant examples of this type of attack
6. Proof: demo
RF ATTACK CATEGORIES
1. Sniffing
2. Wardriving
3. Replay
4. Jamming
4.1. Smart Jamming
4.2. MAC Layer Reservation
5. Evil Twin
6. Firmware Updates
7. PHY Layer Targeting
JAMMING
DENIAL OF SERVICE // NETWORK STATE DISRUPTION
JAMMING OVERVIEW
▸ Method
▸ Transmit noise or conflicting traffic within target network’s RF channel (same frequency)
▸ Impact
▸ Blocks traffic on network
▸ Network state disruption
▸ Wired Analogue
▸ Denial of Service
JAMMING APPLIED
▸ Limitations
▸ Jam detection mechanisms
▸ Self-denial: difficult to simultaneously jam and monitor network traffic
▸ Example
▸ Home security system jamming
JAMMING DEMO
▸ Honeywell home security system
▸ 345 MHz on-off keying protocol
▸ Transmit wideband noise at 345 MHz
▸ Device jam detection mechanisms will detect after several seconds, so…
SMART JAMMING
EVADING DETECTION 😏
DUTY CYCLED JAMMING
▸ Problem: Hardware radios implement “clear channel” detection features to avoid talking over other radios
▸ Polling CCA is a zero marginal cost jam detector
▸ Solution: pulse jammer on and off at appropriate rate to evade jam detection functions
▸ Examples: Matt’s done this to defeat 802.15.4 jam detection, but doesn’t know of any public examples
http://www.mdpi.com/sensors/sensors-11-03852/article_deploy/html/images/sensors-11-03852f1-1024.png
Jammer duty cycle must be shorter than this interval
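As an added example, not code from the original slides or from Bastille, here is a Python model of the defensive side of this slide: a jam detector that polls CCA and alarms only on a run of consecutive busy polls, beside a detector that measures channel occupancy over a sliding window. The channel timelines are constructed, and the run threshold, window length and occupancy limit are illustrative assumptions rather than values from any real chipset.

```python
from collections import deque


def cca_timeline(on_polls, off_polls, total):
    """Constructed channel timeline: one CCA poll per slot, True = busy, False = clear.
    Repeats `on_polls` busy slots followed by `off_polls` clear slots until `total` slots."""
    samples = []
    while len(samples) < total:
        samples.extend([True] * on_polls + [False] * off_polls)
    return samples[:total]


def consecutive_busy_detector(samples, run_threshold):
    """Naive jam detector: alarm once the channel has been busy for `run_threshold`
    consecutive polls. Returns the poll index of the first alarm, or None."""
    run = 0
    for i, busy in enumerate(samples):
        run = run + 1 if busy else 0
        if run >= run_threshold:
            return i
    return None


def occupancy_detector(samples, window, max_busy_fraction):
    """Windowed jam detector: alarm when the busy fraction over the last `window`
    polls exceeds `max_busy_fraction`. Returns the poll index of the first alarm, or None."""
    recent = deque(maxlen=window)
    for i, busy in enumerate(samples):
        recent.append(busy)
        if len(recent) == window and sum(recent) / window > max_busy_fraction:
            return i
    return None


# Assumed detector settings (illustrative, not taken from any real radio).
RUN_THRESHOLD = 8        # consecutive busy polls before the naive detector alarms
WINDOW = 64              # polls in the occupancy window
MAX_BUSY_FRACTION = 0.5  # legitimate traffic is assumed to stay below 50% occupancy

# Constructed scenarios: name -> (busy polls per period, clear polls per period)
SCENARIOS = {
    "continuous jammer": (200, 0),
    "pulsed jammer, gap every 8 polls": (7, 1),
    "normal traffic": (2, 6),
}


def evaluate(total_polls=200):
    """Return {scenario: (naive alarm index or None, occupancy alarm index or None)}."""
    results = {}
    for name, (on, off) in SCENARIOS.items():
        samples = cca_timeline(on, off, total_polls)
        results[name] = (
            consecutive_busy_detector(samples, RUN_THRESHOLD),
            occupancy_detector(samples, WINDOW, MAX_BUSY_FRACTION),
        )
    return results


if __name__ == "__main__":
    for name, (naive, occ) in evaluate().items():
        print(f"{name:35s} consecutive-busy alarm: {naive}  occupancy alarm: {occ}")
```

The point the run shows: a detector keyed to consecutive busy polls never fires on a pulsed channel whose clear gaps arrive before its run threshold, while a detector that measures occupancy over a window alarms on both the continuous and the pulsed timeline and still stays quiet on the light legitimate-traffic timeline.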
REFLEXIVE JAMMING
▸ Problem: Continuously jamming makes offensive network monitoring hard
▸ Jamming denies both the attacker and the defender
▸ Solution: detect beginning of frame and reflexively jam to target either specific packets or trailing checksums
▸ Examples: Samy Kamkar’s RollJam (left), reflexive jamming built into Killerbee//802.15.4 ApiMote
https://www.wired.com/wp-content/uploads/2015/08/rolljam3.jpg
PHY LAYER SELECTIVE TARGETING
ESCALATION // IDS EVASION // DEVICE FINGERPRINTING
http://www.ti.com/lit/ds/symlink/cc2520.pdf
PHY SELECTIVE TARGETING OVERVIEW
▸ Method
▸ Chipsets implement PHY standards differently — various degrees of error tolerance
▸ Send standards-noncompliant transmissions that exploit corner cases in specific PHY state machines
▸ Impact
▸ Targeted receiver evasion (IDS evasion)
▸ Device fingerprinting
▸ Wired Analogue
▸ Same (demonstrated on 802.3 chipsets)
▸ Far more practical in RF domain
https://www.troopers.de/wp-content/uploads/2013/11/TROOPERS14-Making-and_Breaking-an_802.15.4_WIDS-Sergey_Bratus+Javier_Vazquez+Ryan_Speers.pdf
PHY SELECTIVE TARGETING APPLIED
▸ Limitations
▸ Network participants must be on different chipsets
▸ Not all chipsets are vulnerable
▸ Example
▸ 802.15.4 receiver evasion
PHY SELECTIVE TARGETING DEMO
▸ Selectively evasive 802.15.4 packets
▸ Transmitter: ApiMote w/ CC2420
▸ Receivers: ApiMote w/ CC2420, RZUSB stick w/ AT86RF230
▸ Both receivers receive everything, until they don’t… 😏
*cheers to David Dowd, River Loop Security, Travis Goodspeed, and Dartmouth for original research
Receivers Transmitter
PHY SELECTIVE TARGETING DEMO
▸ 802.15.4 preamble and SFD:
▸ 0x00000000A7: 4 0x00s + 1 0xA7
▸ What if we screw with this?
▸ 0x00000000FFA7: extra symbols in preamble
▸ 0x000000A7: short preamble
*cheers to David Dowd, River Loop Security, Travis Goodspeed, and Dartmouth for original research
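An added example, not from the slides or from the original research credited above: a Python model of receiver frame synchronisation that replays the three preamble/SFD variants on this slide against two hypothetical receiver profiles. The profiles ("strict" and "lenient"), their parameters, and the symbol-order simplification are assumptions; the slide does not state which of the CC2420 or the AT86RF230 behaves which way. The defensive use is to enumerate the header variants a monitoring receiver (a WIDS, say) rejects while the protected network's radios accept them, since those are exactly the frames it would never log.

```python
# Simplified model of 802.15.4 frame synchronisation at 4-bit symbol granularity.
# Symbols are taken in the order the hex digits are written on the slide; real
# 2.4 GHz O-QPSK receivers consume the low nibble of each byte first, which this
# model ignores because only the preamble/SFD tolerance matters here.

SFD_SYMBOLS = [0xA, 0x7]        # SFD byte 0xA7 as written on the slide
STANDARD_PREAMBLE_SYMBOLS = 8   # four 0x00 bytes = eight zero symbols


def to_symbols(hex_string):
    """'00000000A7' -> [0, 0, 0, 0, 0, 0, 0, 0, 0xA, 0x7]."""
    return [int(digit, 16) for digit in hex_string]


def frame_sync(symbols, min_preamble, reset_on_noise):
    """Return the index of the first symbol after the SFD if the receiver syncs, else None.
    min_preamble:   zero symbols the receiver insists on seeing before the SFD
    reset_on_noise: True models a strict state machine that forgets its preamble count
                    when a non-zero, non-SFD symbol interrupts the zeros"""
    zeros_seen = 0
    for i in range(len(symbols) - 1):
        if symbols[i] == 0:
            zeros_seen += 1
            continue
        if symbols[i:i + 2] == SFD_SYMBOLS and zeros_seen >= min_preamble:
            return i + 2
        if reset_on_noise:
            zeros_seen = 0
    return None


# Hypothetical receiver profiles (assumption). The slide does not say which real
# chipset behaves which way; these exist to show how two receivers can disagree.
RECEIVER_PROFILES = {
    "strict":  {"min_preamble": STANDARD_PREAMBLE_SYMBOLS, "reset_on_noise": True},
    "lenient": {"min_preamble": 4, "reset_on_noise": False},
}

# The three preamble/SFD variants from the slide (no payload appended).
SLIDE_VARIANTS = ["00000000A7", "00000000FFA7", "000000A7"]


def coverage_matrix(frames):
    """{frame: {profile: synced?}}: which receiver profile accepts which header."""
    return {
        frame: {name: frame_sync(to_symbols(frame), **params) is not None
                for name, params in RECEIVER_PROFILES.items()}
        for frame in frames
    }


def blind_spots(frames):
    """Headers accepted by at least one profile and rejected by at least one other:
    the frames a monitoring receiver on the 'wrong' chipset would never log."""
    matrix = coverage_matrix(frames)
    return [f for f, seen in matrix.items() if any(seen.values()) and not all(seen.values())]


if __name__ == "__main__":
    for frame, seen in coverage_matrix(SLIDE_VARIANTS).items():
        status = "  ".join(f"{k}={'rx' if v else '--'}" for k, v in seen.items())
        print(f"0x{frame:<14} {status}")
    print("blind spots:", blind_spots(SLIDE_VARIANTS))
```

Under these assumed profiles the standard header syncs on both receivers, while the padded and the short preamble each sync on only one of them; that split is the "both receivers receive everything, until they don't" of the previous slide, and a WIDS deployment should be tested against the same kind of header matrix on the actual chipsets in use.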
CONCLUSIONS
CHARACTERIZING WIRELESS ATTACK METHODS
WIRELESS ATTACK METHODS SUMMARY

| Attack | Analogue | Complexity | Ease of Mitigation |
|---|---|---|---|
| Sniffing | Unique! | Easy | Hard |
| Wardriving | Port Scanning | Easy | Hard |
| Replay | [same] | Easy | Moderate |
| Jamming | Denial of Service | Easy | Hard |
| Link Layer Congestion | Unique! | Moderate | Moderate |
| Evil Twin | ARP Spoofing | Hard | Moderate |
| Firmware Attack | Malware | Hard | Moderate |
| PHY Abuse | [same] | Hard | Hard |
NON-EXHAUSTIVE LIST [OBVIOUSLY]
AS ATTACKERS…
▸ Look for low-hanging fruit first
▸ Unencrypted comms, replay attacks, cleartext key exchanges, etc.
▸ Complexity goes up in a hurry
▸ Lean on your existing wired/IP network skill set
▸ Analogues exist!
AS ATTACKERS… CONTINUED
▸ Leverage Open Source Intelligence (OSINT):
▸ FCC regulatory filings
▸ Data sheets
▸ It will make your life easy
▸ Marc gave an entire talk on this at HITB2016AMS
AS DEVELOPERS…
▸ This is the Golden Age of RF Hacking
▸ Software Defined Radio has been commodity for >5 years
▸ Every RF PHY is in scope now
GPS, 802.5, DMR, 802.3, HSPA, LTE, CDMA, GSM, Bluetooth, Z-Wave, 802.15.4, GPRS, EDGE, DECT, LoRa, SIGFOX, 802.16, nRF24, NB-IoT, WiMax, Enocean, 802.11, Bluetooth LE
TIME TO OWN YOUR AIRWAVES
ADDITIONAL RADIO RESOURCES
▸ “So You Want to Hack Radios” series (all about RF Physical Layers)
▸ Shmoocon: https://www.youtube.com/watch?v=L3udJnRe4vc
▸ Troopers: https://www.youtube.com/watch?v=OFRwqpH9zAQ
▸ HITB2017AMS Commsec: https://www.youtube.com/watch?v=QeoGQwT0Z1Y
▸ Matt’s LoRa research
▸ 33c3: https://media.ccc.de/v/33c3-7945-decoding_the_lora_phy
▸ Marc’s OSINT techniques
▸ HITB2016AMS Commsec: https://www.youtube.com/watch?v=JUAiav674D8
▸ Dallas siren attack research
▸ White paper: https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack
ACKNOWLEDGEMENTS
▸ Balint and Logan from Bastille’s Threat Research Team
▸ Bastille at large
▸ The GNU Radio community! (THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM)
THANKS
matt@ .net @embeddedsec
github.com/BastilleResearch
marc@ .net @marcnewlin
THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM
QUESTIONS?
matt@ .net @embeddedsec
github.com/BastilleResearch
marc@ .net @marcnewlin
THE FREE & OPEN SOFTWARE RADIO ECOSYSTEM