Universal Radio Hacker


Transcription:

Slide 1: Universal Radio Hacker
A Suite for Analyzing and Attacking Stateful Wireless Protocols
Johannes Pohl and Andreas Noack, University of Applied Sciences Stralsund
August 13, 2018

Slide 2: Internet of Things
Proprietary wireless protocols everywhere.
Smart Home: increase comfort through wireless sockets, door locks, valve sensors, ...
Devices are designed under size and energy constraints, which leaves fewer resources for cryptography.
Risks of Smart Home:
- Manufacturers design custom proprietary wireless protocols.
- Hackers may take over households and e.g. break in without physical traces.
How can we eavesdrop on and manipulate the wireless communication between such devices in order to assess their security?

Slide 3: Software Defined Radios
Why Software Defined Radios?
- Send and receive on nearly arbitrary frequencies (e.g. HackRF: 1 MHz - 6 GHz)
- Flexibility and extendability with custom software
[Figures: (a) USRP N210, (b) HackRF]

Slide 4: Software Defined Radios are affordable
[Price overview; last checked: July 21, 2018]

Slide 5: Universal Radio Hacker
[Workflow diagram, built up in four steps:]
Interpretation: raw signal -> bits (101010)
Analysis: bits -> protocol format
Generation: stateless sending of messages built from the format
Simulation: stateful emulation of a protocol participant based on the format

Slide 6: Attacking a Door Lock - Protocol Setup
[Diagram: central (CCU), door lock, remote control]

Slide 7: Protocol Overview
[Diagram, built up step by step:]
Pairing: the central (CCU) distributes an AES key to the door lock and to the remote control (a wireless socket is paired with its own AES key in the same way).
Message sequence for opening the door:
1. OPEN command
2. Challenge
3. Response: AES-Key(Challenge)
4. ACK

Slide 8: Interpretation - Record and demodulate signal
[Figure: capture of the door lock open communication; zoom into the start of the second message]

Slide 9: Interpretation - Demodulation and Signal Editing with URH
Further interpretation features:
- Synchronized selection between demodulated and raw signal
- Signal editor, i.e. copy, paste, crop, mute signal selections
- Configurable moving average and bandpass filters

Slide 10: Analysis - Analysis phase
In the analysis phase we reverse engineer the protocol format.
Example format: Preamble | Synchronization | Length | Source Address | Destination Address | Data | Checksum
This includes:
- Decoding messages
- Labeling of protocol fields
- Grouping messages by assigning message types

Slide 11: Analysis - What kind of decoding does the door lock use?
All messages are encoded in the following way:
1. Pseudo encryption
2. Data whitening
3. (Modulation)

Slide 12: Analysis - Pseudo Encryption
Code (from the slide; enc and msg are byte arrays of NUM_BYTES entries):

    /* enc and msg are unsigned char arrays of NUM_BYTES entries */
    void pseudo_encrypt(const unsigned char *msg, unsigned char *enc, int NUM_BYTES)
    {
        int i;
        enc[0] = msg[0];
        enc[1] = ~(msg[1]) ^ 0x89;
        for (i = 2; i < NUM_BYTES; i++)
            enc[i] = (enc[i - 1] + 0xdc) ^ msg[i];
    }

Use: does not increase the security.
Assumption: obscure method for pseudo security.

Slide 13: Analysis - Data Whitening
To increase transmission quality, data whitening is used: XOR with the 8 LSB of a pseudo-random sequence generated by an LFSR represented by the polynomial x^9 + x^5 + x^0.
[Figure: shift register with stages s8 s7 s6 s5 s4 s3 s2 s1 s0]
Initial state is 111111111.
First eight states of the LFSR:
111111111
011111111
001111111
000111111
000011111
100001111
110000111
111000011

Slide 14: Analysis - Decodings with URH
[Screenshot of the URH decoding dialog]

Slide 15: Analysis - Result in URH after decoding and labeling
Other options:
- Select all, filter, align
- Assign message types manually or rule based
- Check against configurable CRC

Slide 16: Simulation - Simulation phase
In the simulation phase we can work on the logical layer. URH takes care of modulation and encoding during simulation time.

Slide 17: Simulation - Demonstration Video

Slide 18: Summary and future work
Summary:
- Software Defined Radios offer high flexibility when investigating radio protocols.
- Tools like Universal Radio Hacker abstract the required HF basics and enable analyzing such protocols without having to be a hardware expert.
- Smart Home manufacturers have to react: security by obscurity is no longer an option.
Ongoing work:
- Rule based intelligence for an automatic analysis phase
- Enhance accuracy of detecting interpretation parameters
- Support for more complex modulations, e.g. 4-PSK

Slide 19: https://github.com/jopohl/urh
Contact:
E-Mail: Johannes.Pohl90@gmail.com
E-Mail: Andreas.Noack@hochschule-stralsund.de
Slack: https://bit.ly/2lgpsra
GitHub: https://github.com/jopohl