Tagged: IoT

RSA Conference Talks: IOT Hacking with SDR, Tracking Rogue RF Devices & Wireless Offense and Defense

RSA Conference is an information security event that was recently held on March 4 - 8 in San Francisco. The talks have been uploaded to YouTube and from what we see there are three interesting SDR/RF related talks that may be worth looking at, which we show below. The full list of videos can be found on their YouTube channel.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Harshit Agrawal, Security Researcher, MIT Academy of Engineering, SPPU

Himanshu Mehta, Team Lead (Senior Threat Analysis Engineer), Symantec

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. SDR is changing the game for both offense and defense.

Learning Objectives:

  1. Become familiar with common security concerns and attack surfaces in a wireless communication system.
  2. Understand the ease and prevalence of wireless exploitation, with sophisticated examples.
  3. Learn to view IoT devices, security and privacy collectively.

Hunting and Tracking Rogue Radio Frequency Devices

Eric Escobar, Principal Security Consultant, SecureWorks

Rogue radio frequencies pose a substantial and often overlooked threat to both organizations and targeted individuals. This talk will explore the dangers of rogue radio frequencies and highlight tactics, techniques and tools which can be used to identify and locate potential threats.

Learning Objectives:

  1. Understand the major ways rogue wireless frequencies can impact an organization.
  2. Develop a basic understanding of how to locate a rogue wireless signal.
  3. Gain a conversational knowledge of ways to identify and track a wireless signal.

Pre-Requisites: Basic understanding of security principles. Basic understanding of wireless communication. Basic understanding of computer networks.

Wireless Offense and Defense, Explained and Demonstrated!

Rick Farina, Senior Product Manager, WLAN Software Security, Aruba
Rick Mellendick, Chief Security Officer, Process Improvement Achievers LLC

This session will discuss the use of radio frequency, often overlooked for network enumeration and attack. The techniques to be discussed are used to identify authorized and unauthorized signals in an organization. Without understanding the offensive attacks an organization can't perform effective defense. The talk will explain and demonstrate how to enumerate and gain access to resources through RF signals.

Learning Objectives:

  1. Understand that wireless doesn't just mean WiFi.
  2. Understand that the Bluetooth protocol can allow for direct attacks against phones, PCs and other devices.
  3. Learn that other RF attacks are very difficult to detect, and gain an understanding of what they look like.

Pre-Requisites: The biggest prerequisite for our talk is an open mind and the ability to understand risk, and after the talk to better assess risk on your environment.

Helium: The SDR Based Cryptocurrency for IoT

Helium is a cryptocurrency being designed for Internet of Things (IoT) sensors which will be based on low cost software defined radio (SDR) technology (that's a lot of buzzwords!). The idea is to design a system that will pay people to run an internet connected gateway which will receive data from wireless sensors and put that data onto the internet. A use case that Helium has already developed is providing services to track and monitor medicine and food supplies. The linked article gives a good example of this use case:

...let’s say you have a gateway in your house: if a vial of medicine were to enter your coverage zone, it would send its location and temperature data to your gateway, which would then send it to its proper destination in return for a previously agreed upon cryptocurrency fee. These steps would then be cryptographically verified and recorded in the distributed ledger.

In terms of IoT network competition, LoRaWAN and Sigfox IoT networks are already popular and established in several places in the world, but wireless coverage isn't great because these networks rely on companies to build gateway infrastructure. Helium crowd sources this infrastructure instead, which could result in greater coverage.

Most cryptocurrencies base the security of their network on the 'proof of work' process, which is a way to ensure that the miners get rewarded for the heavy cryptographic computations that they do in order to secure the network. Instead of proof of work, Helium's idea is to use a 'proof of coverage' system, where other gateways will confirm whether a gateway is providing coverage and is in the correct location. Helium cryptocurrency 'miners' will be the people running the internet connected gateways, and they will be paid for any devices that use their wireless coverage.

According to one of their latest blog posts, the wireless gateway radio system is to be based on a software defined radio architecture. The reasoning behind using SDR is that they need to support potentially thousands of wireless sensor channels, require the sensors to be geolocatable, and require the radio to be low cost and energy efficient. For geolocation of sensors they are considering the use of radio direction finding techniques that we assume will be based on pseudo-Doppler, or alternatively they will use the time difference of arrival (TDoA) technique, which requires the signal to be received by multiple gateways. The SDR will be developed on a dual core TI SoC with four programmable realtime units (PRU), which they'll use to interface with the RF chips.

At the moment Helium is just a whitepaper, and we haven't seen any concrete evidence of a working SDR design yet, but according to their website they plan to launch gateway hardware in Q4 2018 for a cost of $495. 

The Helium Network

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators. 

Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with a wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has its own proprietary protocol.

Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT, which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED, which is a flowgraph based programming environment for IoT devices.

Unlike the weather station, the awning did not already have a decoder implemented in rtl_433, so Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then used an ESP32 processor/WiFi chip and a cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.
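To make the rtl_433 to MQTT to awning flow concrete, here is an added example (not Andreas' code) that stands in for the Node-RED logic: it reads rtl_433-style JSON lines, ignores any other 433 MHz transmitters or unexpected sensor IDs, and only issues retract/extend commands with hysteresis so the awning does not flap around the threshold. The sample lines, the model name "Example-WeatherStation", the sensor id 77 and the field name wind_avg_km_h are constructed assumptions, not the author's actual sensor output.

```python
import json

# Constructed sample output in the shape rtl_433 prints with "-F json".
# Model name, id and field names are assumptions for this example only.
SAMPLE_RTL433_LINES = [
    '{"time":"2018-06-10 12:00:01","model":"Example-WeatherStation","id":77,"temperature_C":21.4,"wind_avg_km_h":12.0}',
    '{"time":"2018-06-10 12:00:31","model":"Example-WeatherStation","id":77,"temperature_C":21.3,"wind_avg_km_h":42.5}',
    '{"time":"2018-06-10 12:00:40","model":"Other-Sensor","id":3,"temperature_C":18.0}',
    '{"time":"2018-06-10 12:01:01","model":"Example-WeatherStation","id":77,"temperature_C":21.2,"wind_avg_km_h":30.0}',
    '{"time":"2018-06-10 12:01:31","model":"Example-WeatherStation","id":77,"temperature_C":21.1,"wind_avg_km_h":15.0}',
]

RETRACT_ABOVE_KMH = 35.0   # wind speed at which the awning is told to retract
EXTEND_BELOW_KMH = 20.0    # lower threshold (hysteresis) before extending again


class AwningController:
    """Mirrors the Node-RED flow: weather station readings in, awning MQTT commands out."""

    def __init__(self, model, sensor_id):
        self.model = model
        self.sensor_id = sensor_id
        self.retracted = False
        self.commands = []   # (mqtt_topic, payload) pairs that would be published

    def handle_line(self, line):
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            return None      # rtl_433 can emit non-JSON status lines; skip them
        # Only trust the one paired station: other devices on the band share the
        # same frequency and an unknown id must never move the awning.
        if msg.get("model") != self.model or msg.get("id") != self.sensor_id:
            return None
        wind = msg.get("wind_avg_km_h")
        if wind is None:
            return None
        if not self.retracted and wind >= RETRACT_ABOVE_KMH:
            self.retracted = True
            cmd = ("home/awning/cmd", "retract")
        elif self.retracted and wind <= EXTEND_BELOW_KMH:
            self.retracted = False
            cmd = ("home/awning/cmd", "extend")
        else:
            return None      # inside the hysteresis band: no command
        self.commands.append(cmd)
        return cmd


def run(lines):
    ctl = AwningController("Example-WeatherStation", 77)
    for line in lines:
        ctl.handle_line(line)
    return ctl.commands
```

In a real deployment the returned (topic, payload) pairs would be handed to an MQTT client on the Raspberry Pi for the ESP32 to act on.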

How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

The LimeSDR Mini Grove Starter Kit

LimeSDR have partnered with Seeed Studio to develop a low cost SDR starter kit for learning SDR basics and experimenting with IoT applications. The kit costs US$249 and includes a LimeSDR Mini and the Grove Starter Kit. The Grove kit is simply a set of various sensors such as temperature, sound, light, ultrasonic, touch and rotary, as well as interface components like buzzers, an LCD screen, and LEDs. It also includes the GrovePi+, which is a board that allows you to easily interface the Grove sensors with a Raspberry Pi. Adding a LimeSDR Mini as well as the Grove kit to a Raspberry Pi could allow for easy wireless and IoT experimentation. To make it even easier the LimeSDR team have created a ScratchRadio extension that supports the LimeSDR and Grove kit combination. ScratchRadio is a kid friendly visual programming environment.

The kit packages a LimeSDR Mini with antennas optimised for 433/868/915 MHz unlicensed bands, plus a GrovePi+ and selection of incredibly useful Grove sensors and outputs, many of which are supported by a Scratch extension. When combined with our ScratchRadio extension, this will allow the creation of simple and fun applications that integrate SDR capabilities and peripheral I/O.

Of course, use is not limited to Scratch and educational environments, and we’ll also be putting together examples that demonstrate how the kit can be used to develop applications that integrate with existing off-the-shelf systems, such as wireless thermostats and remote controls.

Kit Contents

  • 1 x LimeSDR Mini
  • 2 x Antennas optimised for 433/868/915MHz unlicensed bands use
  • 1 x Acrylic base plate
  • 1 x Short USB extension
  • 1 x GrovePi+
  • 1 x Grove - Ultrasonic Ranger
  • 1 x Grove - Temp&Humi Sensor
  • 1 x Grove - Temperature Sensor
  • 1 x Grove - Rotary Angle Sensor
  • 1 x Grove - Button
  • 1 x Grove - Light Sensor v1.2
  • 1 x Grove - 3-Axis Digital Accelerometer (±1.5 g)
  • 1 x Grove - Relay
  • 1 x Grove - Sound Sensor
  • 1 x Grove - LCD RGB Backlight
  • 1 x Grove - Buzzer
  • 1 x Grove - Red LED
  • 1 x Grove - LED Bar 2.0
  • 1 x Grove - Touch Sensor
  • 1 x Grove - Piezo Vibration Sensor

Just add your own Raspberry Pi, power supply, and microSD card!

The kit costs US$249 and is currently available for preorder on the LimeSDR Mini CrowdSupply page.

The Grove Starter Kit with LimeSDR.

Identifying Issues that can be used to Disable IoT Alarms

Seekintoo cybersecurity researcher Dayton Pidhirney has been investigating security flaws in wireless IoT (Internet of Things) based alarm systems, and has identified six issues that can be used to bypass or disable an alarm. Five attack the RF portion of the IoT device, and one goes through the traditional IP network.

In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors, and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC, which implements the SimpliciTI low-power radio network protocol. Dayton notes that the majority of the attacks are not specific to a single manufacturer, and could be applied to other IoT devices as well.

Using a variety of hardware including a logic analyzer, YARD Stick One, GoodFET, RfCat and a USRP B210 software defined radio, and several pieces of software including GNU Radio, GQRX, Baudline and Audacity, Dayton was able to attack the alarm in the following ways:

  • Brute-force attack on the alarm system device source addresses.
  • Remotely clone authenticated devices used to interact with the alarm system security features.
  • Decryption of authenticated devices' radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
  • RF Jamming.
  • Assisted replay attack.

The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.

The iSmartAlarm IoT wireless alarm system

Reverse Engineering Honeywell 345 MHz Home Automation Sensors with an RTL-SDR

openHAB is an open source home automation software program which is designed to interface with and manage all the various sensors and systems in an automated house. One problem, however, is that many wireless sensors and actuators utilize a proprietary communications protocol that is not supported by openHAB.

In his home, Dan Englender had several Honeywell 5800 series 345 MHz wireless security door sensors, all of which communicate using a proprietary protocol that is not yet implemented in openHAB. In order to get around this, Dan decided to reverse engineer the protocol and implement a decoder for openHAB himself.

Dan's four part write up covers the RF capture and demodulation, protocol reverse engineering and implementation into openHAB. First he looked up the frequency and bandwidth of the signal via the FCC filing information on fcc.io. Then he captured some packets from a door sensor using his RTL-SDR and GNU Radio, and wrote a short Python program to decode the protocol and transmit the door open/closed information to openHAB. In the future he hopes to optimize the decoder so that it can comfortably run on a Raspberry Pi, as the GNU Radio script uses quite a bit of computing power.

The final project is called decode345 and the code is available over on his GitHub.

Honeywell 345 MHz Door Sensor
Custom Door Sensor Status in OpenHAB

[Also seen on Hackaday]


CNxROOT Two Posts: How to Build an RTL-SDR Server with OpenWRT, Creating a GSM BaseStation with OpenBTS and a USRP

Recently security researcher cnxroot wrote in to let us know about two of his posts that may be of interest to readers. The posts are written in Chinese, so please use Google Translate to read them in English; it translates okay to some extent.

The first post shows us how to run the RTL-SDR on an OpenWRT capable router. OpenWRT is a Linux firmware/OS that can be installed on several compatible router devices and which extends the usefulness and features of the router. Since it is running Linux, the RTL-SDR drivers can be installed onto it and rtl_tcp can be run, providing a remote RTL-SDR server.

The second post is a bit more advanced. It is about creating a pseudo GSM base station with a USRP SDR and intercepting IoT devices which connect over GSM/GPRS. The post shows how to set up OpenBTS which can be used to create a base station.

RTL-SDR running on an internet router with OpenWRT.

LimeSDR CrowdFunding Closing in Four Days: 80% Funded

The LimeSDR is a new transmit capable software defined radio with a 100 kHz to 3.8 GHz frequency range, 12-bit ADC and 61.44 MHz bandwidth which is currently seeking crowdfunding. At the time of this post there are about four days left to reach the $500k goal, and it is only 80% funded. To try and reach their funding goal they have released another batch of discounted units which cost only $249 USD. After the crowdfunding campaign the price will rise to $289/$299 USD. If the LimeSDR is not funded in time, they write that the project will unfortunately be put on hold and its future may be uncertain. We believe that this product is shaping up to be a very good TX/RX capable SDR, like the HackRF and bladeRF, but much better overall and for the same or even lower price.

Recently they also released some new updates that show off some LimeSDR features. In a post previously featured on our blog beta tester Alexandru showed how he was able to get the LimeSDR to transmit DVB-S2 HDTV. In later updates they showed how the LimeSDR can be used to:

The LimeSDR Board