Tagged: wireless security

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

 

Identifying Issues that can be used to Disable IoT Alarms

Seekintoo cybersecurity researcher Dayton Pidhirney has been investigating security flaws in wireless IoT (Internet of Things) based alarm systems, and has identified six issues that can be used to bypass or disable an alarm. Five attack the RF portion of the IoT device, and one through the traditional IP network.

In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors, and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC, which implements the SimpliciTI low-power radio network protocol. Dayton notes that the majority of attacks not specific to a single manufacturer, and could be applied to other IoT devices as well.

Using a variety of hardware including a logic analyzer, Yardstick One, GoodFET, RFCat, USRP B210 software defined radio and several pieces of software including GNU Radio, GQRX, Baudline, Audacity, Dayton was able attack the alarm in the following ways:

  • Brute-force attack on the alarm system device source addresses.
  • Remotely clone authenticated devices used to interact with the alarm system security features.
  • Decryption of authenticated devices radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
  • RF Jamming.
  • Assisted replay attack.

The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.

The iSmartAlarm IoT wireless alarm system
The iSmartAlarm IoT wireless alarm system

Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter and performs a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine encoding type (e.g. ASK/OOK)
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.

$50 home alarm system broken by an RTL-SDR and RFcat.
$50 home alarm system broken by an RTL-SDR and RFcat.

Reverse Engineering the SimpliSafe Wireless Burglar Alarm

SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.

A few days later Micheal Ossmann (wireless security researcher and creator of the HackRF SDR and YardStick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his Yardstick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.

Next, instead of doing a capture and replay attack like Andrew did, Micheal decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN number entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering 100’s of PINs over a distance of many miles. Also, an expensive radio is not required, Micheal notes that the gathering of PIN numbers could just as easily be done on a cheap $10-$20 RTL-SDR dongle.

Micheal notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Micheal and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.

The SimpliSafe Alarm Keypad and a Yardstick One.
The SimpliSafe Alarm Keypad and a Yardstick One.