We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.

1. Keiichi Horiai
Fujitsu System Integration LABs.
CODE BLUE 2015
Wireless security
testing with attack

2. Agenda
 Circumstance
 In the IoT (Internet of Things) era
• key : Wireless Security
• To analyze wireless security,
SDR （ Software Defined Radio) technology is
effective.
 Introduce GNU Radio, a SDR tool
 Powerful tool to test wireless security
 Easily available, work with inexpensive peripheral
hardware
 Wireless security testing with attack
 Attack#1 Key logging wireless keyboard
 Attack#2 The replay attack for ADS-B2

3. Recent release of wireless security
 Abuse/Falsification of software and firmware
 Drone attack by malware and network
• http://www.slideshare.net/codeblue_jp/cb14-dongcheol-hongja/
 RF signal level interception/injection
 SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE
GLOBALSTAR SIMPLEX DATA SERVICE
• https://www.blackhat.com/docs/us-15/materials/us-15-Moore-
Spread-Spectrum-Satcom-Hacking-Attacking-The-GlobalStar-
Simplex-Data-Service.pdf
 Low-cost GPS simulator – GPS spoofing by SDR
• Lin Huang, Qing Yang, DEFCON23
• https://media.defcon.org/DEF%20CON%2023/DEF%20CON
%2023%20presentations/Lin%20Huang%20&%20Qing
%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf
3

4.  In 2001, Eric Blossom in US started a free & open-source
software development toolkit about radio.
 Multi-platform (Linux/FreeBSD/OSX/Windows)
 Run on personal computer. cf. Many software radio
technology run on FPGA on exclusive hardware.
 Create flow graph to use GUI on GNURadio Companion
 flow graph -> XML file -> Python -> C++
 License GPL ver3
http://gnuradio.org/redmine/projects/gnuradio/wiki
About GNURadio
4

5. GNURadio Component
 Elements of the flow graph
SOURCE BLOCK SINK
Software
or
Hardware
Software
Python
C++
Software
or
Hardware
Input OutputProcessing
5

6. Sources
 Software
Waveform generation (Sin, Cos, Triangle,
Sawtooth, Square ）
Various noise
File
 Hardware
PC Audio
Other peripheral hardware
•RTL-SDR, HackRF, BladeRF, USRP
6

7. Blocks
 Operator(Logical, Bytes, Integer, Real, Complex...)
 Constant, Variable(slider), Type conversion
 Calculation (add, sub, multiple, div, Log, RMS, integral...)
 Filter(LowPass, HighPass, BandPass, Reject, FFT, Hilbert,
IIR, Decimation...)
 Modulation and demodulation （ AM, FM, FSK, PSK, QAM,
OFDM…)
 Level control (AGC, Mute, Squelch, Moving average...)
 Network (TCP, UDP, Socket...)
 and more
7

8. Sinks
 Software
 Hardware
 PC Audio
 Other peripheral hardware
• HackRF, BladeRF, USRP, ... etc.
SCOPE FFT Water Fall
Histogram Constellation Plot
Other Files
8

9. Peripheral hardware (e.g.)
RTL-SDR HackRF BladeRF USRP
Frequency
range [MHz] 24-1800 1-6000 300-3800 70-6000
A/D convert
bits 8 8 12 12
Band range
[MHz] 2.8 20 28 56
Transfer /
Receive RX Tx | Rx Tx & Rx Tx & Rx
Price $20 $300 $420 $675
9

10. FlowGraph (e.g.)
Available
tools
10

11. VHF receiver
 A VHF receiver composed of RTL-SDR and GNU Radio
RTL-SDR
11

12. ISM 2.4GHz band
 WiFi/Bluetooth frequency allocation
http://www.digikey.com/es/articles/techzone/2013/jun/shaping-the-wireless-future-with-low-energy-applications-and-systems
12

13. ISM 2.4GHz band monitoring (e.g.)
HackRF
13

14. Attack wireless devices
 Survey attack target
Search FCC ID in FCC site
Photos, someone else put on view?
Overhaul by myself
 Necessary information
RF chip data sheet
•Frequency band, Modulation, Transmission
speed, Data format
 Observe and analyze the signal
14

15. FCC ID Search
https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=Al
%2FFPgcInlgHLjNZvXbPTQ%3D%3D&fcc_id=A6O60001058RX
15

16. How to monitoring and analyzing the signal
 Receive radio waves
 Check the signal : GNU Radio, SDR#
 Write the received signal to file ： GNU Radio, rtl_sdr
 Analyze
 Monitoring the waveform in detail ： baudline
 Cut the area where you need （ The area selected and
write to file ） ： baudline
 Demodulation: GNU Radio | in-house scripts
 Decode / Parse / Decrypt
• Convert to bits (0/1) （ Hex dump is unreadable ）
• Find the characterized bit pattern
16

17. Signal monitoring tool
 Baudline
Baudline is the signal time-frequency
visualization and analysis support tool
Requirements
• Linux(x86_64,PowerPC)
• Mac OS X
• Solaris SPARC
Select the area
and write to file
http://www.baudline.com/index.html17

18. Monitoring the signal (e.g.)
18

19. Attack demo #1
 Keylogger for Microsoft wireless keyboard 800
At first, try to reproduce “keysweeper”(*1)
It can’t work the MS Wireless Keyboard 800
Japanese edition
Demonstrate process from investigate the
cause using the GNU Radio to work
(*1) https://github.com/samyk/keysweeper
19

20. Keylogger for Wireless Keyboard
 27MH ｚ band
It is easy to snoop because (in)secure
End of sale in the 2000s
 2.4GHz band
Same as Bluetooth/WiFi frequency
Bluetooth specification is secure?
What about the proprietary specification
keyboard?
20

21. Relation Project
 Travis Goodspeed, 2010
 The GoodFET is an open-source JTAG adapter, loosely based
upon the TI MSP430 FET UIF and EZ430U boards
 http://goodfet.sourceforge.net/
 KeyKeriKi Project (CanSecWest 2010)
 Developed some device with ARM Cortex MPU and radio module
which can keyboard sniffing and remote command execution.
 http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html
 Keysweeper (January 2015)
 Make efficient and systematize processes
• Focus on a part of device address fixed 0xCD
• Embedded in USB charger and logging to EEPROM
• Detect keyword and mobile module send SMS
• Forward keystroke to another device in real time ... etc.
 https://github.com/samyk/keysweeper
21

22. Experiment on breadboard
Sniffer hardware
USB
control PC
Microsoft Wireless
Keyboard 800 Arduino nano
•Scan 2403-2480MHz by 1MHz step
•Inspect 1 byte (=0xCD) in device ID
•If next 2byte are (0x0A38 | 0x0A78),
stop scanning and start logging
about 1500 lines Arduino program
nRF24L01
・ 2.4GHz ISM band
・ GFSK modulation
・ 1Mbps or 2Mbps
22

23. Success ?
Radio setup
End radio setup
scan
Tuning to 2480
Potential keyboard: AA AA 5A A9 CD 27 55 49
Tuning to 2403
Tuning to 2404
Potential keyboard: E4 AA AA A5 CD 55 A5 5A
Tuning to 2405
Tuning to 2406
Tuning to 2407
Tuning to 2408
…………………
No !!
23

24. Wireless keyboard wave form
24

25. Baudline (cut the area)
25

26. Demodulation
- 50
- 40
- 30
- 20
- 10
0
10
20
30
40
50
1 51 101 151 201 251 301
- 50
- 40
- 30
- 20
- 10
0
10
20
30
40
50
1 51 101 151 201 251 301
I/Q
Vfm
Vfm = ( I ( dQ/dt) - Q ( dI/dt)) / (I ^2 + Q^2)
preamble
bit = Vfm > 0 ? 0:1bit
26

27. Get BIT sequence
bit = Vfm > 0 ? 0:1
111111111111001100010000000000100110111110111111111111111111111111
111111111110010101010101010010011001111100101000101101100111001000
000000001010011110000001110100000001010011100001110110100110001100
111010100111101110000010001110010100110011100111001110011100011110
111110100111000111111111111100110010000000000001111111011111111111
111101111111101111111111111111111111111111111001010101010101001001
100111110010100010110110011100100000000000101001111000000111010000
000101001110000111011010011000110011101010011110111000001000111001
010011001110101001110011100111000111101111101001110101111111111100
110000001000100010001111111111111111111111111011111111111111111111
101010101001011001111100101000101101100111001000000000001010011110
000001110100000001010011100001110110100110001100111010100111101110
000010001110
……….
27

28. nRF24L01 Packet format
 Preamble
 0xAA | 0x55
 Address
 3-5 Byte
 PCF
 9 bit
 Payload
 0- 32Byte
 CRC
 1-2 byte http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01
28

29. KeyKeriki Project results
・ Microsoft Wireless Keyboard 800’s device address is composed
of 5 byte start from 0xCD
・ Keystroke is encrypted by simple XOR operation using this device
address
http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf
29

30. Get BIT sequence
bit = Vfm > 0 ? 0:1
111111111111001100010000000000100110111110111111111111111111111111
111111111110010101010101010010011001111100101000101101100111001000
000000001010011110000001110100000001010011100001110110100110001100
111010100111101110000010001110010100110011100111001110011100011110
111110100111000111111111111100110010000000000001111111011111111111
111101111111101111111111111111111111111111111001010101010101001001
100111110010100010110110011100100000000000101001111000000111010000
000101001110000111011010011000110011101010011110111000001000111001
010011001110101001110011100111000111101111101001110101111111111100
110000001000100010001111111111111111111111111011111111111111111111
101010101001011001111100101000101101100111001000000000001010011110
000001110100000001010011100001110110100110001100111010100111101110
000010001110
……….
find to “0x0A78 (0000101001111000)”
Packet control field 9 bit
Devie ID
Preamble 8bit + address 5 byte + packet control 9bit + payload
30

31. Device ID detection
{ P.A. } { [p0] p[1] [p2] [p3] [p4]}
AA A9 33 E5 16 CE
10101010 10101001 00110011 11100101 00010110
11001110
{PktCTL Bit} 0A 78 1D 01
010000000 00001010 01111000 00011101 00000001
{ payload .......
0100111000011101101001100011001110101001111011100……
// From keysweeper_mcu_src https://github.com/samyk/keysweeper
if (radio.available())
{
radio.read(&p, PKT_SIZE);
if (p[4] == 0xCD) // 0xCD -> 0xCE for Japanese KBD
{
sp("Potential keyboard: ");
DEVICE ID
31

32. Behavior after (0xCD->0xCE)
{………………}
Tuning to 2479
Tuning to 2480
Potential keyboard: A9 33 E5 16 CE 43 5 3C
KEYBOARD FOUND! Locking in on channel 80
2setupRadio
16: 0A 78 1D 01 56 03 43 00 00 1E 00 00 00 00 00 8F <- Key 1 Press
> 1
8: 0A 38 1D 01 56 03 00 84
16: 0A 78 1D 01 57 03 43 00 00 00 00 00 00 00 00 90 <- Key OFF
16: 0A 78 1D 01 58 03 43 00 00 1F 00 00 00 00 00 80 <- Key 2 Press
> 2
8: 0A 38 1D 01 58 03 00 8A
{………………}
(*1) USB HID usage table: http://www.freebsddiary.org/APC/usb_hid_usages.php
(*1)
32

33. Key Logger DEMO
33

34. Summary #1
 Using GNU Radio, find the device address KEY
(0xCE) of the Microsoft Wireless Keyboard 800
Japanese edition
 Change the device address KEY to 0xCE, then
monitor keylogger Behavior.
 Don’t use wireless keyboard, when the operation
with sensitive information. Especially, warn against
using proprietary specification device.
Caution
 Experiment in Japan, signal from nRF24L should be invalidated
• boolean shoutKeystrokes = true; -> false;
34

35. Attack demo #2
 Replay attack for ADS-B(*1) mounted on
aircraft
Aviation is part of the critical infrastructure
ADS-B is next generation air traffic control
system
Attack demo played in Blackhat2012,
DEFCON20, ...etc.
Applying SDR technology, tried to replay
the attack
(*1)Automatic Dependent Surveillance–Broadcast
35

36. Congestion in the Skies
http://www.flightradar24.com/
36

37. ADS-B overview
 Because old radar’s positional accuracy was 1-2 NM, there was a need
to widen the service interval to ensure the safety of aircraft operation.
 To keep up with aircraft increasing, new system is needed. ADS-B,
using GPS, to provide a highly accurate position information, has been
developed as next generation air traffic control system in 1980-1990.
 Now, about 70 % of passenger plane have ADS-B
(Source http://www.flightradar24.com/how-it-works)
 Required to equip until 2017 in Europe, until 2020 in the United States
 Point at issue
 No encryption
 Broadcast with no authentication
 Simple encoding and simple modulation scheme
37

38. Mechanism of ADS-B
 ADS-B
Automatic Dependent Surveillance–Broadcast
Using broadcast datalink, Aircraft transmits own
location, speed, altitude, and so on obtained
from measuring system such as GPS.
Image http://www.enri.go.jp/news/osirase/pdf/e_navi10.pdf
38
GPS location
Broadcast
Datalink
Control Center Ground Receiving
Station

39. Papers related to ADS-B
 About Vulnerability
 Donald L. McCallie, Major, USAF (2011)
• http://apps.fcc.gov/ecfs/document/view.action?id=7021694523
 Andrei Costin, Aurelien Francillon, BlackHat2012
• https://media.blackhat.com/bh-us-
12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_Slides.pdf
 Brad render, DEFCON20 （ 2012 ）
• http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-
RenderMan-Hackers-plus-Airplanes.pdf
 Hugo Teso, CyCon2013 (2013)
• https://ccdcoe.org/cycon-2013.html
 About Countermeasures
 Martin Strohmeier, Ivan Martinovic 、 (2014)
• Detecting False-Data Injection Attacks on Air Traffic Control Protocols
• http://www.cs.ox.ac.uk/files/6604/wisec2014-abstract.pdf
 Kyle D. Wesson,Brian L. Evans, and more. (2014)
• Can Cryptography Secure Next Generation Air Traffic Surveillance?
• https://radionavlab.ae.utexas.edu/images/stories/files/papers/adsb_for_submission.pdf
 Seoung-Hyeon Lee , Yong-Kyun Kim, Deok-Gyu Lee, and more. (2014)
• Protection Method for Data Communication between ADS-BSensor and Next-Generation Air
Traffic Control Systems
• http://www.mdpi.com/2078-2489/5/4/622
39

40. Expected threats
Snoop (Eavesdropping)
Jamming
Fake aircraft’s wake injection
(Fake track injection)
40

41. How to receive ADS-B?
 Receive the radio waves
USB stick for receiving overseas digital TV
It’s about 1000 JPY to 2000 JPY
 Process the signal
and display
PC
•Windows, Mac, Linux
Smartphone, Tablet
41

42. ADS-B receiver software
 Decoder
 ADSB# http://airspy.com/index.php/downloads/
 RTL1090 http://rtl1090.web99.de/
 Modesdeco2 (w/ display function)
• http://radarspotting.com/forum/index.php/topic,2978.msg13471.html
 dump1090 (w/ display function)
• https://github.com/antirez/dump1090
 Display
 Virtual Radar Server http://www.virtualradarserver.co.uk/
 adsbSCOPE
• http://www.sprut.de/electronic/pic/projekte/adsb/adsb_en.html#downloads
 PlanePlotter http://www.coaa.co.uk/planeplotter.htm
42

43. Receivable area
Antenna
43

44. ADS-B format
 Format
 Actual received I/Q signals
https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference
%20Presentation%20By%20RenderMan%20-%20Hacker%20and%20Airplanes%20No%20Good%20Can%20Come%20Of%20This
%20-%20Slides.m4v
44

45. Waveform monitoring with GNU Radio
(I2
+ Q2
)I/Q
45

46. Received ADS-B (e.g.)
*8d7583a5585b575a9ebc4bbb3f04;
CRC: 000000 (ok)
DF 17: ADS-B message.
Capability : 5 (Level 2+3+4 )
ICAO Address : 7583a5
Extended Squitter Type: 11
Extended Squitter Sub : 0
Extended Squitter Name: Airborne Position …….
F flag : odd
T flag : non-UTC
Altitude : 17125 feet
………….
Raw data in hex
Aircraft
location data,
...etc.
I/Q signal after A/D convert
Demodulation / Decode
Parse the data
46

47. Attack Vector
IP NetworkIP Network
ADS-B
Receiving
Station
ADS-B
Receiving
Station
ADS-B
Receiving
Station
ADS-B
Broadcast
GPS Satellite
Actor V2
V3
Image http://www.mlit.go.jp/koku/koku_fr14_000007.html
V1
47

48. Replay Attack (V1)
 Intercepted raw data （ File name: xxxx.raw)
 Inject the raw data via IP network
$cat xxxx.raw | nc target_IP target_PORT
※In reality, the adversary needs to find a way to get through the
authentication in order to connect to the target server.
*8d869210581fe3bf4350dfd62439;
*5da40455385715;
*8d86dca29914ee0f20f410ef2595;
*8d780c3c581db79c18a4b0ffc872;
*8d867f609914b993e8700ba91251;
*02a1839b9e229d;
*……………
48

49. Replay Attack (V2)
 Create an ADS-B pulse signal file from the raw data
 $cat xxxx.raw | ./adsb-pulsegen test_file.bin
 Use the file to generate a RF signal modulated
 $hackrf_transfer –f 1090MHz –s 2MHz –t test_file.bin –x 0
*8d869210581fe3bf4350dfd62439;
*5da40455385715;
*8d86dca29914ee0f20f410ef2595;
*8d780c3c581db79c18a4b0ffc872;
*8d867f609914b993e8700ba91251;
*02a1839b9e229d;
*0261819c1d1e5a;
……………
49

50. DEMO
 Injection via IP network (V1)
Real-time interception of ADS-B signal and
display on map
Inject the raw data received in the past
 Injection via RF channel (V2)
Generate an I/Q signal file from the received raw
data
Inject the RF signal modulated by the I/Q signal
50

51. ADS-B network injection
http://www.flightradar24.com/
Network injection demo Screen shot
51

52. ADS-B RF injection
RF injection demo screen shot
52

53. Security of air traffic control?
 Why doesn’t it get renewed?
 Threat not being recognized
 To preserve safety and
interoperability
 International discussion
takes a long period of time
• Forming consensus
• Development
• Deployment
Image http://www.jatcaonline.com/SSR_system.JPG
https://upload.wikimedia.org/wikipedia/commons/f/fe/D-VOR_PEK.JPG
ASR/SSR
ILS ( glide slope / Localizer )
VOR/DME
53

54. Summary #2
 Technically, an attack against ADS-B is extremely easy
 Not only ADS-B but any air traffic control system that relies on radio
waves are vulnerable to jamming attacks.
 Possible attack scenarios
 Terrorists or nation state actors injects false flight paths or performs
jamming attacks to confuse the air traffic control as one of the ways to
accomplish an objective.
 Is it hard to implement early countermeasures? （ Requires an
international consensus ）
 A mitigation plan such as detecting interception or using tracking
algorithms must be considered
 Create an environment that enhances virtual trainings and incident
response plan
54

55. Conclusion
 Due to the emerge of the software defined radio experiment
tool GNU Radio and the low cost RF related hardware, the
technical threshold to carry out an RF attack has been
lowered
 The existing systems that relies on radio waves such as the
air traffic control system, has not been able to follow the
modernization which the commercial technology like WIFI or
smartphone has gone through
 A fundamental countermeasure will require a long period of
time
 Compensating the lack of countermeasure with operational
practice will require an enhanced incident response plan and
trainings
55

56. Thank you !
Questions ?
56

57. 57 Copyright 2010 FUJITSU LIMITED