Tagged: defcon

Defcon 25 SDR and Radio Related Talks

Defcon is a huge yearly conference based on the topics of information security and hacking. Some of the talks relate to wireless and SDR concepts. Recently videos from the last Defcon 25 conference held in July 2017 have been uploaded to YouTube. Below is a selection of some interesting SDR and radio related talks that we have found. If you're interested in exploring the rest of the talks then you can find them on their YouTube page. Most of the radio related talks are in the 'WiFi Village' category.

DEF CON 25 Wifi Village - Balint Seeber - Hacking Some More of the Wireless World

The hacking continues on from last year! Three interesting applications will be demonstrated, and their underlying theory and design explained. The audience will be exposed to some novel GNU Radio tips and DSP tricks. INMARSAT Aero will be revisited to show (in Google Earth) spatial information, such as waypoints and flight plans, that are transmitted from airline ground operations to airborne flights. A good chunk of the VHF band is used for airline communications; plane spotters enjoy listening to tower and cockpit communications.

Modern SDRs can now sample the entire band, and as AM modulation is used, it's possible to use a counterintuitive, but simple, demodulator chain (first shown by Kevin Reid's wideband 'un-selective AM' receiver) to listen to the most powerful transmission. This will be demonstrated with a GNU Radio-based implementation. It is also possible to 'spatialise' the audio for the listener using stereo separation, which can convey a transmission's relative position on the spectrum. FMCW RADAR experiments are enhanced to include Doppler processing.

Plotting this new velocity information, due to the Doppler effect, shows whether a target is heading toward or away from you, and often reveals targets not normally seen in range-only information - this demonstrates the true power of full RADAR signal processing. This technique will be applied to the live audio demo, a new live SDR demo, CODAR ocean current tracking, and passive RADAR exploiting powerful ATSC digital television signals (this was used to track aircraft on approach across the Bay Area).

DEF CON 25 - Matt Knight - Radio Exploitation 101

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of radio frequency protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will develop a wireless threat taxonomy by analyzing and classifying different methods of attack. As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

Continue reading

More talks from Defcon 23

Some more SDR and RF related talks from Defcon 23. See our previous posts [1][2] for other talks that we posted previously.

Colby Moore – Spread Spectrum Satcom Hacking

Recently there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before – take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I’ll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.

DaKahuna and satanklawz – Introduction to SDR and the Wireless Village

In many circumstances, we all have to wear different hats when pursuing hobbies, jobs and research. This session will discuss the exploration and use of software defined radio from two perspectives; that of a security researcher and Ham Radio operator. We will cover common uses and abuses of hardware to make them work like transceivers that the Ham crowed is use too, as well as extending the same hardware for other research applications. Additionally we will highlight some of the application of this knowledge for use at The Wireless Village! Come and join this interactive session; audience participation is encouraged.

Lin Huang and Qing Yang – Low cost GPS simulator: GPS spoofing by SDR

It is known that GPS L1 signal is unencrypted so that someone can produce or replay the fake GPS signal to make GPS receivers get wrong positioning results. There are many companies provide commercial GPS emulators, which can be used for the GPS spoofing, but the commercial emulators are quite expensive, or at least not free. Now we found by integrating some open source projects related to GPS we can produce GPS signal through SDR tools, e.g. USRP / bladeRF. This makes the attack cost very low. It may influence all the civilian use GPS chipset. In this presentation, the basic GPS system principle, signal structure, mathematical models of pseudo-range and Doppler effect will be introduced. The useful open source projects on Internet will be shared with attendees.

DEFCON 23 – LTE Recon and Tracking with RTLSDR

Back on Dec 5 we posted about some Defcon 23 talks that were released from the Wireless Village set of talks. Recently some more talks from other tracks have been released and one of interest to our blog is the talk by Ian Kline titled “LTE Recon and Tracking with RTLSDR”. The talk’s blurb reads:

Since RTLSDR became a consumer grade RX device, numerous talks and open source tools enabled the community to monitor airplanes, ships, and cars… but come on, what we really want to track are cell phones. If you know how to run cmake and have $50 to pick up an RTLSDR-E4000, I’ll make sure you walk out of here with the power to monitor LTE devices around you on a slick Kibana4 dashboard. You’ll also get a primer on geolocating the devices if you’ve got a second E4000 and some basic soldering skills.

Software defined radio talks from Defcon 23

Defcon is a yearly conference that focuses on computer security and hacking talks. In recent years they have included a “Wireless Village” section that includes talks about all things wireless. This year there were several interesting talks related to Software Defined Radio in some way. Recently some of these talks have been uploaded to YouTube and below we present the ones we have found – let us know if we missed any interesting ones.

Balint Seeber – SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

The workshop will cover many common techniques used to reverse engineer the physical layer of a wireless communications system:

– Blind signal analysis on a signals re-broadcast from a satellite transponder: modulation type, order, symbol rate, error correction,scrambling, differential coding, visualization

– Applying auto-correlation to interesting signals on the HF band: RADAR, OFDM, symbol timing

– Frequency hopping: wide-band, real-time spectrum visualization

All with GNU Radio!

Tim Oshea – GNU Radio Tools for Radio Wrangling/Spectrum Domination

An overview of modern tools available in GNU Radio and the greater GNU Radio ecosystem for building, testing, inspecting and playing with radio system physical layers in gory detail.

Michael Calabro – Software Defined Radio Performance Trades & Tweaks

This workshop is targeted at new and experienced software defined radio (SDR) operators, developers, and enthusiasts seeking a better end-to-end system understanding, and anyone looking to maximize their SDR’s performance. Commercially available SDRs (e.g. USRPs, RTL-SDRs, BladeRFs, etc) are commonly used to fuzz wireless interfaces, deploy private cellular infrastructure, conduct spectrum surveys, and otherwise interact with a wide variety of custom and commercial devices. This workshop focuses on the key parameters and performance drivers in SDR setup and operation that elevate these common platforms to the level of fidelity required to interact seamlessly with commercial devices and networks.

The workshop will begin by surveying different SDR hardware architectures and summarizing the performance tradespaces of several of SDR applications (e.g. collection/survey/transmit). Then the workshop will break down into three main content focuses:

Understanding SDR Hardware: Breakdown common RF frontend and receiver architectures. Identify and derive key performance parameters, and when they will bound performance. Topics covered will include: Noise figure calculation, internal amplification, Frequency selectivity, external RF chains, and noise sources.

Understanding SDR Platform Objectives: Collection, transmission, surveying, and other applications, each present unique challenges to SDRs and will be limited by different dimensions of SDR processing and/or setup configuration. Topics covered include: real-time processing, host buffering, sampling, guard-intervals, framework selection (GRC vs REDHAWK vs MATLAB vs custom), and frequency and time domain signal representation.

Optimizing and Improving Performance: Now that the hardware and platform trade space have been characterized, how do attendees meet and exceed the performance requirements of their application? We will present specific examples for several common platforms (RTL-SDR and USRP). Topics covered will include clock selection, ADC dynamic range, FPGA/SoC offloading, RFIC configuration, CIC filters, sampling, DC biases, antenna selection & pointing, host buffering / processing, and cost-performance trades.

Karl Koscher – DSP for SDR

The barrier to entry in software-defined radio is now almost non-existent. Wide band, receive-only hardware can be obtained for as little as $10, and tools like gqrx and SDR# make it extremely easy to get started listening to signals. However, there is a steep learning curve graduating from an SDR script kiddie to developing your own SDR tools. In this talk, I’ll cover the basic theory behind software-defined radios digital signal processing, and digital communication, including I/Q samples, FIR filters, timing and carrier recovery, and more.

In addition to these Wireless Village talks there was also an interesting talk by Samy Kamkar in which explains how he uses SDR in his vehicle security research.

Samy Kamkar – Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced “code grabbers” using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

Videos from DEFCON 22 Wireless Village Talks

Another security and hacking conference that recently finished is Defcon 2014. During this conference there was a “Wireless Village” were there were talks discussing all things related to radio frequency. During this conference there were many talks related to Software Defined Radio.

A list of all talks at the Defcon Wireless Village 2014 can be found on this page. The most interesting talks that we found related to SDR are shown below.

Hacking the Wireless World with Software Defined Radio

Presented by Balint Seeber, SDR Evangelist as Ettus Research. Balint presented a similar talk at Black Hat and the slides to go along with that can be found here.

Ever wanted to spoof a restaurant’s pager system? How about use an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there’s ‘printing’ steganographic images onto the radio spectrum…

Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by ‘blindly’ analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I’ll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service’s Traffic Message Channel. If you have any SDR equipment, bring it along!

So ya wanna get into SDR?

Not explained through erotic interpretive dance, though could be, this presentation will cover the essentials for getting into the software defined radio hobby. Hardware requirements, distributed nodes, architecture designs, tips/tricks, random projects and common mistakes will be explained. This will be a technical talk that will be open for harassment, jokes, interaction and presented in a way that everyone will be able to take something away from it; wait, this is Vegas… but we’re hackers…

SDR Tricks with HackRF

HackRF and some other Software Defined Radio platforms can be used in creative ways. I’ll show methods, including a dirty trick or two, for using HackRF outside the advertised frequency range. I’ll also show how the HackRF design lends itself to use as an oscilloscope or function generator suitable for many hardware hacking tasks.

PortaPack: Is that a HackRF in your Pocket?

The PortaPack H1 transforms the HackRF One software-defined radio into a hand-held radio exploration tool. Spectrum analysis, monitoring and logging, and demodulation and injection of simpler digital modes will be demonstrated by Jared Boone, a HackRF project contributor.

PHYs, MACs, and SDRs

The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.

SDR Unicorns

A panel with SDR Gurus Michael Ossmann, Balint Seeber and Robert Ghilduta.