Software-Defined Radio applied to security assessments
This is a four-day training. It takes place online on March 22 to 25, 2021.
In this 4-day training, students will learn about software-defined radio applied to security and will get survival reflexes and methods to test real-world radio devices (intercoms, cars, industrial modules, mobile phones, various remote controls, as well as other IoT systems).
Compared to other courses that teach how to use public tools, this class is more about understanding how these tools work and also how to build proper tools to analyze and attack targeted systems
All techniques here will demonstrate real uses-cases encountered in pentests and Red Teams, but also techniques that aim to be applied to future systems, by teaching important steps when dealing with unknown targets.
All students will also receive a Software-Defined Radio kit to send and receive in full-duplex to continue hacking in the wild.
What we will teach
With this class students will learn how to find interesting radio-communications and ways to attack targeted systems:
-
Learn how radio works and about actual technologies using this interface
-
Find and analyze a signal
-
Modulate and demodulate a signal
-
Encode and decode data meant to be transported over-the-air
-
Capture, generate, replay and analyze a signal
-
Interface with a signal using SDR devices and software
-
Get primary reflexes to attack embedded and IoT systems
-
Create your own tools with the GNU Radio framework and its alternatives
-
Learn how to use SDR and classical attacks on mobile 2G/3G/4G, RFID/NFC, LoRa(WAN), wireless mousses/keyboards/presenters, sub-GHz remotes/alarms, and other similar or custom technologies
Day 1 - RF preliminaries
Day 1 is an introduction to radio that will help students to learn its concepts and the techniques used today to receive and transmit signals, but also the constraints that we have to deal with in heterogeneous environments:
Theory
-
Introduction to radio
-
History
-
Evolution, and EU regulations
-
Radio waves
-
Modulation techniques
-
Encoders
-
Digital Signal Processing
-
Software-Defined Radio
-
Antennas
-
Amplifiers and connectors
-
Software-Defined Radio devices
-
Specifications
-
How to choose them
-
Few tips and hacks
Assignment 1
-
Waterfall and spectrum analyzers
-
Finding interesting signals
-
Capture it for later identification
Assignment 2
-
Setting a radio environment
-
Use of different software for depending on the context to monitor signals
-
Listening to AM and FM
Assignment 3
-
Building a cheap Faraday cage/shield
-
Testing the Faraday cage/shield
-
Making proper captures
The first day will introduce toolkits to develop Software-Defined Radio tools like GNU Radio, but also alternatives such as Pothos, Redhawk SDR, or MATLAB and Simulink.
Day 2 - Hands-on radio
Day 2 will put the student in the playground of the Software-Defined Radio, where every idea can be written on software to be simulated, and then concretized to realize receivers and transmitters depending on the chosen hardware limitations.
Assignment 1
-
Practice with GNU Radio Companion
- Block schemas
- Parameters
- Generators
- Sinks and sources
- Operators
- Simulations
- Modules
- Features to process samples
Assignment 2: Analog modulation
-
Creating a FM/AM station
-
Sending the signal over-the-air
-
Listening to this station
Assignment 3: Numeric modulation
-
Creating a custom signal to send a message
-
Simulating the custom signal
-
Sending the signal over-the-air
Assignment 4
-
Installing Out-Of-Tree blocks
-
Creating your own block + tricks & tips
Day 3 - Attacking physical intrusion systems
Day 2 will put the student in the playground of the Software-Defined Radio, where every idea can be written on software to be simulated, and then concretized to realize receivers and transmitters depending on the chosen hardware limitations.
- Common sub-GHz Remotes
- Introduction
- Capturing data
- Replaying saved samples
- Analyzing samples (manually and with powerful tools)
- Rolling codes security
- Devices using the mobile network (2G/3G/4G)
- Introduction
- Monitoring
- Mobile security
- Existing tools
- Interception techniques
- Our feedback in missions
- Tooling with GNU Radio
- Fuzzing and triggering bugs with 2G, 3G and 4G protocol stacks over-the-air
- Red Team tips
Day 4
Following day 2, day 3 will focus on attacking custom RF devices but also devices used in industrial systems using LPWAN technologies such as the LoRa(WAN), but also other technologies like Power-Line Communications systems, and how to manage to do testbeds many current technologies. We will also introduce devices that could act like unexpected implants and ways to analyze them. Then we will finish with an introduction to hardware hacking that could be complementary to RF hacking by talking about survival and practical reflexes, as well as methods to interface with hardware.
Theory
-
Radio communications used in industrial environments
-
Introduction of nRF based devices and common attacks
-
Hardware Hacking
Assignment 1
- Attacking unknown/custom devices
- Identification (looking at devices’ references, components, etc.)
- Sniffing signals
- Decoding signals
- Analyzing RFID communications with SDR
Assignment 3
- Attacking LoRa communications
- Detect used bands
- Capture signal
- Optimize the interception process
- Decode data and payloads
- Security of LoRa and ZigBee
- Transmit packets
- Case of Zigbee
Assignment 4
-
Monitor PLC devices
-
Analyzing captures of a Power-Line Communications devices
-
Exploit old and new vulnerabilities on the HomePlug standards
-
Talk to cars and charging stations
-
Take advantages of your electric lines that behaves like an antenna
Prerequisites
-
Knowledge of Linux and a programming language such as C, C++, C# or Python is necessary
-
Understanding of pentesting (network and applications) or Red teaming
-
Basic knowledge of radio is not mandatory but is a plus
Who should attend this training
-
Security researchers and pentesters
-
Embedded developers who want to improve the security of their products
Requirements
- All attendees will need to bring a laptop capable of running VMware virtual machine (8GB of RAM is a minimum)