Tagged: security

Analyzing a Car Security Active RFID Token with a HackRF

Some car security systems from around 2001 – 2003 use an embedded RFID tag inside the car key as an added security measure against key copying. Using his HackRF, ChiefTinker was able to analyse and decode the data from an active RFID token used in a car key. He notes that the same analysis could also be performed with an RTL-SDR dongle.

Upon powering the RFID tag with a power supply, ChiefTinker noticed that the tag emitted a short transmission every 5 seconds in the ISM band at 433.920 MHz. On closer inspection he determined that the transmitted data was encoded with a simple AM on-off keying (OOK) scheme. After importing the audio into Audacity and cleaning up the signal a little, he was able to clearly see the OOK square wave showing the transmitted binary data.

Next he analysed the data and compared the binary output against two different RFID keys. From the comparison he was able to determine that the tag simply beacons a unique serial number, which is susceptible to capture and replay attacks. After further processing he was able to convert the transmitted binary serial number into hexadecimal, then ASCII to find the unique serial number being broadcast in decimal.

RFID Car Key Tokens
RFID Car Key Tokens

Videos from DEFCON 22 Wireless Village Talks

Another security and hacking conference that recently finished is Defcon 2014. During this conference there was a “Wireless Village” were there were talks discussing all things related to radio frequency. During this conference there were many talks related to Software Defined Radio.

A list of all talks at the Defcon Wireless Village 2014 can be found on this page. The most interesting talks that we found related to SDR are shown below.

Hacking the Wireless World with Software Defined Radio

Presented by Balint Seeber, SDR Evangelist as Ettus Research. Balint presented a similar talk at Black Hat and the slides to go along with that can be found here.

Ever wanted to spoof a restaurant’s pager system? How about use an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there’s ‘printing’ steganographic images onto the radio spectrum…

Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by ‘blindly’ analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I’ll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service’s Traffic Message Channel. If you have any SDR equipment, bring it along!

14 Hacking theWireless world with software defined radio 2 0

So ya wanna get into SDR?

Not explained through erotic interpretive dance, though could be, this presentation will cover the essentials for getting into the software defined radio hobby. Hardware requirements, distributed nodes, architecture designs, tips/tricks, random projects and common mistakes will be explained. This will be a technical talk that will be open for harassment, jokes, interaction and presented in a way that everyone will be able to take something away from it; wait, this is Vegas… but we’re hackers…

01 so you want to sdr

SDR Tricks with HackRF

HackRF and some other Software Defined Radio platforms can be used in creative ways. I’ll show methods, including a dirty trick or two, for using HackRF outside the advertised frequency range. I’ll also show how the HackRF design lends itself to use as an oscilloscope or function generator suitable for many hardware hacking tasks.

18 SDR Tricks with the hackrf

PortaPack: Is that a HackRF in your Pocket?

The PortaPack H1 transforms the HackRF One software-defined radio into a hand-held radio exploration tool. Spectrum analysis, monitoring and logging, and demodulation and injection of simpler digital modes will be demonstrated by Jared Boone, a HackRF project contributor.

16 Porta pack is that a hackrf in your pocket

PHYs, MACs, and SDRs

The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.

17 PHYs MACs and SDRs

SDR Unicorns

A panel with SDR Gurus Michael Ossmann, Balint Seeber and Robert Ghilduta.

Black Hat Software Defined Radio Talks

Black Hat, a large conference about information security related topics has recently finished and videos of some of the talks given have now been uploaded to YouTube. This year we have found three talks related to Software Defined Radio.

Breaking the Security of Physical Devices by Silvio Cesare

We posted about Silvio’s successful attempt at breaking into a car wirelessly earlier this month and now here is his presentation.

In this talk, I look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems. I then proceed to break the security of those devices. The keyless entry of a 2004/2005 popular make and widely used car is shown to be breakable with predictable rolling codes.

The actual analysis involved not only mathematics and software defined radio, but the building of a button pushing robot to press the keyless entry to capture data sets that enable the mathematical analysis.

Software defined radio is not only used in the kelyess entry attack, but in simple eavesdropping attacks against 40mhz analog baby monitors. But that’s an easy attack. A more concering set of attacks are against home alarm systems. Practically all home alarm systems that had an RF remote to enable and disable the system were shown to used fixed codes. This meant that a replay attack could disable the alarm.

I built an Arduino and Raspberry Pi based device for less than $50 dollars that could be trained to capture and replay those codes to defeat the alarms. I also show that by physically tampering with a home alarm system by connecting a device programmer, the eeprom data off the alarm’s microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm.

In summary, these attacks are simple but effective in physical devices that are common in today’s world. I will talk about ways of mitigating these attacks, which essentially comes down to avoiding the bad and buying the good. But how do you know what’s the difference? Come to this talk to find out.

Breaking the Security of Physical Devices by Silvio Cesare

Bringing Software Defined Radio to the Penetration Testing Community

Online slides.

“The large adoption of wireless devices goes further than WiFi (smartmeters, wearable devices, Internet of Things, etc.).

The developers of these new types of devices may not have a deep security background and it can lead to security and privacy issues when the solution is stressed.

However, to assess those types of devices, the only solution would be a dedicated hardware component with an appropriate radio interface for each one of them.

That is why we developed an easy-to-use wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known scapy framework.

In this talk, we will introduce this tool we developed for a wide range of wireless security assessments: the main goal of our tool is to provide effective penetration testing capabilities for security auditors with little to no knowledge of radio communications.”

Bringing Software Defined Radio to the Penetration Testing Community

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0

Attacking AIS using software defined radio.

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0 by Marco Balduzzi

Brute Force Unlocking a Car with a USRP Software Defined Radio

Wired.com has posted an article showing how security researcher Cesare was able to use his USRP software defined radio to unlock a car with wireless entry. Essentially his hack involves brute forcing the rolling security code used by the wireless unlocking security protocol. Even with just a brute force attack he was able to unlock his car in just a few minutes. While this hack probably won’t work with newer cars which disable unlocking for a few minutes after a number of failed code attempts, Cesare notes that the hack will probably work for many similar cars of the 10 years or older generation.

This article goes along with their previous one discussing how thieves could hack into a home alarm system using a software defined radio.

The USRP is an advanced software defined radio that sells for around a thousand dollars but we note that the same attack could be performed with the cheaper and almost available HackRF SDR.

Reverse Engineering NSA Spy ‘Retro Reflector’ Gadgets with the HackRF

In 2013 whistleblower Edward Snowden leaked (along with other documents) some information about the American National Security Agencies (NSA) spy tools. One such group of tools named ‘retro reflectors’ has recently been investigated and reverse engineered by Micheal Ossmann, the security researcher behind the recently available for preorder HackRF software defined radio. The HackRF is a SDR similar to the RTL-SDR, but with better performance and transmit capabilities.

Newscientist Magazine has written an article about Ossmann’s work here. From their article a retro reflectors are described in the following quote.

One reflector, which the NSA called Ragemaster, can be fixed to a computer’s monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

The HackRF comes in to play in the following quote

Ossmann found that using the radio [HackRF] to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID- chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR’s versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK.

Ossmann will present his work at this years Defcon conference in August.

retro-reflector-surlyspawn     retro-relector    retro-reflector-ragemaster

 

Pytacle – A GSM Decoding/Decrypting Tool Now Supports RTL-SDR

Pytacle, a Linux tool used for automating GSM sniffing has been updated to alpha2, and now supports the RTL-SDR dongle with this update.

According to the website pytacle is

a tool inspired by tentacle. It automates the task of sniffing GSM frames of the air, extracting the key exchange, feeding kraken with the key material and finally decode/decrypt the voice data. All You need is a USRP (or similar – [RTL-SDR]) to capture the GSM band and a kraken instance with the berlin tables (only about 2TB ;) )

True Random Numbers with RTL-Entropy

RTL-Entropy is a Linux based entropy generator which uses the RTL-SDR as the entropy source. It works by using the RTL-SDR to sample atmospheric noise and then using that noise to create randomly generated numbers.

This is useful as computers are only capable of generating pseudo-random numbers, which may look random, but are not truly random. For cryptography and security, it is desirable to use true random numbers, as pseudo-random numbers can possibly be predicted. Combining this RTL-SDR based entropy source with other entropy sources may help improve security.

Exploring Unintended Radio Emissions with the RTL-SDR – Talk now available on YouTube

A few weeks back we posted about some slides from the Defcon conference by information security researcher Melissa Elliot which detailed how she used an RTL-SDR to explore the world of unintended radio emissions.

The talk to go with the slides is now available on YouTube

DEF CON 21 - Melissa Elliott - Noise Floor Exploring Unintentional Radio Emissions