Automatic Modulation Parameter Detection In Practice
Johannes Pohl and Andreas Noack
November 28, 2019

Outline: Introduction, Automate the Interpretation, Experimental Validation, Going live, Further Steps, References
Proprietary wireless protocols everywhere
Example: Smart Home
- Increase the comfort of users through wireless sockets, door locks, valve sensors, ...
- Devices are designed under size and energy constraints
- Limited resources for cryptography

Risks of Smart Home
- Manufacturers design custom proprietary wireless protocols
- Hackers may take over households and, e.g., break in without leaving physical traces

How can we speed up the security investigation of proprietary wireless protocols?
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 2
Software Defined Radio
Why Software Defined Radios?
- Send and receive on nearly arbitrary frequencies (e.g. HackRF: 1 MHz to 6 GHz)
- Flexibility and extendability with custom software

Figure: (a) USRP N210, (b) HackRF
Universal Radio Hacker
Universal Radio Hacker Popularity
Supported Platforms
- Windows, Linux and OS X
- Most starred repo on GitHub with the #sdr tag
- Available in official Linux repositories: URH is available in the official repositories of Arch Linux, Gentoo, Void Linux, Fedora and openSUSE (and Homebrew for macOS).

Publications
- DeepSec 2018 [1]
- Blackhat Arsenal USA 2017 [2]
- Blackhat Arsenal Europe 2018 [3]
- WOOT 2018 (USENIX Workshop) [5]
- IoT S&P 2017 (CCS Workshop) [6]
Digital Modulations
So what is a digital modulation?
- Mapping the binary data, i.e. bits, onto an analog carrier to transport the signal over the air
- The analog signal has the form A · sin(2πFt + ϕ)
- We can transport information in the amplitude A, the frequency F or the phase ϕ:
  Amplitude Shift Keying (ASK), Frequency Shift Keying (FSK), Phase Shift Keying (PSK)
Figure: bit sequence, carrier, and the resulting ASK, FSK and PSK waveforms
Interpretation in URH
Demodulating signals made easy
Interpretation Phase Features (apart from demodulation)
- Synchronized selection between demodulated and raw signal
- Signal Editor, that is, copy, paste, crop, mute signal selections
- Configurable moving average and bandpass filters

How can we make this even simpler? Automatically detect modulation parameters!
Visualization of Parameters
For all plots: the x axis represents the current sample.

Figure: (a) amplitude A of the whole recording with the noise level ±Tnoise marked; (b) amplitude A of a single message; (c) instantaneous frequency of that message with the center and the bit length marked
Detecting Modulation Parameters
Automatic detection of modulation type and parameters in Interpretation
Pipeline: IQ Signal → Noise level detection → (Tnoise) → Message Segmentation → (non-weak segments) → Modulation Detection → (M) → Quadrature Demodulation → (rectangular signal) → Center Detection → (center) → Bit Length Detection
Noise Level Detection
Finding the noise level Tnoise of a signal is the basis for message segmentation and works as follows:

1. Divide the signal into equally sized chunks Ci.
2. For each chunk, calculate the mean magnitude mi = mean(|Ci|).
3. Get the minimum mean magnitude mmin = min {mi : ∀i}.
4. Pick the magnitudes of those chunks whose mean magnitude does not exceed mmin by more than 10%:
   Mnoise = {|Cj| : mj < 1.1 · mmin}

Finally, the noise level Tnoise is returned as the maximum of Mnoise, to cover the full noise range.
Message Segmentation: Separate Messages from Noise
Message Segmentation Algorithm
- Based on the noise level Tnoise from the previous step
- Must be robust against outliers
- Uses two internal states: snoise (reading noise) and smsg (reading message)
- Switch states only if the number of consecutive samples above/below the noise level (ca/cb) surpasses a threshold to (the outlier tolerance): snoise → smsg when ca ≥ to, smsg → snoise when cb ≥ to
- In practice, to = 10 samples performs well.
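The noise level detection of slide 10 and the two-state segmentation of slide 11 in plain Python, as an added example that is not taken from the slides or from URH's own code base; the chunk size of 64 samples and the constructed test recording are my assumptions:

```python
import math
import random
from typing import List, Tuple

def noise_level(iq: List[complex], chunk_size: int = 64) -> float:
    """T_noise: mean magnitude per chunk, keep the chunks whose mean is within 10% of
    the quietest one, return the largest sample magnitude among them (slide 10)."""
    mags = [abs(s) for s in iq]
    chunks = [mags[i:i + chunk_size] for i in range(0, len(mags), chunk_size)]
    means = [sum(c) / len(c) for c in chunks]
    m_min = min(means)
    # <= rather than the slide's < so the quietest chunk is always kept, even when m_min is 0
    noise_mags = [x for c, m in zip(chunks, means) if m <= 1.1 * m_min for x in c]
    return max(noise_mags)

def segment_messages(iq: List[complex], t_noise: float,
                     outlier_tolerance: int = 10) -> List[Tuple[int, int]]:
    """Two-state segmentation (slide 11): change state only after outlier_tolerance consecutive
    samples on the other side of T_noise. Returns half-open (start, end) sample ranges."""
    segments: List[Tuple[int, int]] = []
    in_message, start = False, 0
    above = below = 0                                   # c_a and c_b from the slide
    for i, s in enumerate(iq):
        if abs(s) > t_noise:
            above, below = above + 1, 0
        else:
            below, above = below + 1, 0
        if not in_message and above >= outlier_tolerance:
            in_message, start = True, i - above + 1     # first sample of the run
        elif in_message and below >= outlier_tolerance:
            in_message = False
            segments.append((start, i - below + 1))     # first sample of the noise run
    if in_message:                                      # message still open at the end
        segments.append((start, len(iq)))
    return segments

def demo_signal() -> List[complex]:
    """Constructed IQ recording: weak noise, two messages of magnitude 0.8, the first
    one interrupted by a 3-sample dropout that the outlier tolerance must bridge."""
    rng = random.Random(1)
    def noise(n):
        return [complex(rng.uniform(-0.05, 0.05), rng.uniform(-0.05, 0.05)) for _ in range(n)]
    def tone(n):
        return [0.8 * complex(math.cos(0.3 * k), math.sin(0.3 * k)) for k in range(n)]
    return noise(300) + tone(120) + noise(3) + tone(80) + noise(300) + tone(60) + noise(200)

if __name__ == "__main__":
    sig = demo_signal()
    t = noise_level(sig)
    print(f"T_noise = {t:.4f}, messages at {segment_messages(sig, t)}")
```

With the constructed recording the two messages start at samples 300 and 803; the 3-sample dropout inside the first one does not split it because it stays below the outlier tolerance.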
Modulation Detection with help of Wavelet Transform
Figure: wavelet transform magnitude |HWT| over τ for (a) 2-FSK, (b) 2-ASK and (c) 2-PSK signals, and their amplitude normalized versions (d) normalized 2-FSK, (e) normalized 2-ASK, (f) normalized 2-PSK
Modulation Detection: Feature Extraction
Feature extraction pipeline: the signal and its amplitude-normalized version are each transformed into the wavelet magnitude |HWT|; the variance is taken of each |HWT| directly and after a median filter, giving four features σ²1, σ²2, σ²3 and σ²4.
Modulation Detection: Decision Tree
Decision tree over the variances: if σ²i < 0.15 for all i, the signal is OOK. Otherwise the tests σ²2 > 1.5 · σ²4 and σ²2 > 10 · σ²1, followed by a final FFT check, separate the remaining cases; the leaves of the tree are OOK, FSK, PSK and ASK.
Center Detection: Take mean of histogram peaks
Figure: (a) 2-FSK modulated message (amplitude A over samples); (b) rectangular signal R(n) after Quad Demod (instantaneous frequency over samples); (c) histogram of R(n) with two peaks at 0.125 and 0.25, giving the center c = (0.125 + 0.25) / 2
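Center detection as described on this slide, as an added example that is not taken from the slides or from URH's own code: histogram the rectangular signal R(n), take its two highest peaks and return their mean. The bin count, the minimum peak separation of a quarter of the histogram and the constructed 2-FSK input are my assumptions.

```python
import random
from collections import Counter
from typing import List

def center_from_histogram(rect: List[float], bins: int = 64) -> float:
    """Mean of the two highest histogram peaks of R(n) (slide 15). The second peak must
    lie at least bins/4 away from the first, so two neighbouring bins of one symbol
    cluster are not mistaken for two symbols."""
    lo, hi = min(rect), max(rect)
    if hi == lo:
        return lo                                        # flat input: nothing to average
    width = (hi - lo) / bins
    hist = Counter(min(int((x - lo) / width), bins - 1) for x in rect)
    first = max(hist, key=hist.get)
    far_enough = [b for b in hist if abs(b - first) >= bins // 4]
    if not far_enough:                                   # a single cluster: one symbol only
        return lo + (first + 0.5) * width
    second = max(far_enough, key=hist.get)
    # peak positions are the bin centres; the center is their mean, c = (0.125 + 0.25) / 2 on the slide
    return sum(lo + (b + 0.5) * width for b in (first, second)) / 2

def demo_rect() -> List[float]:
    """Constructed R(n) of a 2-FSK message: instantaneous frequency 0.125 for bit 0 and
    0.25 for bit 1 (the slide's values), 40 samples per bit, small uniform jitter."""
    rng = random.Random(7)
    bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    return [(0.25 if b else 0.125) + rng.uniform(-0.005, 0.005) for b in bits for _ in range(40)]

if __name__ == "__main__":
    print(f"center = {center_from_histogram(demo_rect()):.4f}")  # about 0.1875
```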
Bit-Length and Tolerance Detection
How to determine the Bit-Length?
- Count subsequent samples above/below the found center ⇒ plateau lengths vector
- In theory, the vector only contains multiples of the bit-length; but in practice it is interrupted by outliers
- Set the tolerance to the maximum of the values smaller than 5% of the maximum plateau length
- Merge plateaus based on the found tolerance like this: (200 Hi, 53 Lo, 3 Hi, 44 Lo, 100 Hi) → (200 Hi, 100 Lo, 200 Hi)
- Count how often each plateau length nearly divides the other lengths, e.g., for (40, 40, 40, 40, 40, 30, 50, 30, 90, 40, 40, 80, 160, 30, 50, 30) the counts are Nnear = {30: 10, 40: 35, 50: 3, 80: 2}, so the bit-length is 40 (most frequent)
Evaluation with real-world signals
# | Manufacturer | Description | Mod. | Samplerate | SNR | Bitlen (samples) | #Msgs | ∅ Length
1 | Action | remote (four buttons) for a LED light | OOK | 2 MS/s | 10.8 dB | 500 | 19 | 11.95 Byte
2 | Audi | car open command | OOK | 5 MS/s | 25.8 dB | 2400 | 1 | 106 Byte
3 | Unknown | command to sink a bus bollard | OOK | 1 MS/s | 18.9 dB | 300 | 17 | 5 Byte
4 | Brennenstuhl | wireless socket remote (four buttons) | OOK | 1 MS/s | 11.7 dB | 300 | 64 | 13 Byte
5 | Elektromaten | open command for parking gate | OOK | 2 MS/s | 16.2 dB | 600 | 11 | 17 Byte
6 | ESaver | remote (four buttons) for a wireless socket | 2-FSK | 1 MS/s | 28.3 dB | 100 | 12 | 42 Byte
7 | RWE | pairing command of a wireless socket | 2-FSK | 1 MS/s | 12.7 dB | 100 | 18 | 27.17 Byte
8 | Scislo | garage door open command | 2-FSK | 500 kS/s | 14.6 dB | 200 | 8 | 64.75 Byte
9 | Volkswagen | car open command | OOK | 1 MS/s | 32.3 dB | 2500 | 1 | 53 Byte
10 | Xavax | radiator valve temperature command | 2-FSK | 1 MS/s | 21.8 dB | 100 | 6 | 231.5 Byte
Results when additional noise is added
Figure: accuracy in % over the amplitude of the additional noise relative to the average signal power in % (20 to 100%), one curve per signal: 1 – action, 2 – audi, 3 – audi, 4 – bollard, 5 – brennenstuhl, 6 – elektromaten, 7 – esaver, 8 – scislo, 9 – vw, 10 – xavax
Why does the accuracy of Xavax (Signal #10) drop so early?
Figure: (a) original signal, no additional noise added; (b) noise with 20% amplitude of the mean signal power added. Reason for the accuracy drop of signal #10: the two weaker messages get marked as noise once noise with 20% amplitude of the mean signal power is added.
Setup
Figure: test setup with the central (CCU), the door lock and the remote control
Use-case: Attacking a Wireless Door Lock
Participants: central (CCU), door lock, remote control.
- Pairing: the AES-Key is distributed to the participants (ACK new device)
- Opening: OPEN Command → Challenge → Response = AES-Key(Challenge)
Adapting parameters live during a recording
Motivation
- Parameters like center and noise level can change between recordings (varying power levels of devices, changed distances, different antennas)
- Attacking stateful protocols: messages need to be demodulated live
- Avoid annoying record-analyze-adjust cycles

We have to update the noise level and the center based on continuously received chunks CR.

Adaptive Noise Level for a received chunk CR:
Tnoise = 0.9 · Tnoise + 0.1 · max |CR|   if |CR| < Tnoise (the whole chunk stays below the current noise level)
Tnoise = Tnoise                           else

Automatic Center: once a full message is in the receive buffer, perform the Center Detection from slide 15.
Configuring it in the Universal Radio Hacker
Automatic Parameter Estimation
- Noise and Center will be adapted live during simulation time
- Both parameters do not need to be changed manually when using a different SDR or antenna
- Experimental validation proved that setting these parameters automatically is as successful as setting them manually to the correct value
Performance measurement
Why does performance matter?
- Devices have time windows in which they expect a response; time window here: 200 ms
- In this time window, we need to demodulate the Challenge and, additionally, calculate and modulate the correct Response
- Tested on a PC with i7-6700K CPU @ 4.00 GHz and 16 GB RAM

Figure: time in seconds (log scale, 10⁻⁶ to 10⁻²) per timestamp for adaptive noise and automatic center; marked values: 19 ms, 6 ms, 25 ms, 191 µs, 179 µs
Result of Interpretation for a typical signal
A lot of data to analyze!
Example Protocol: Communication between two Smart Home Devices
Example Protocol after hitting the Analyze Protocol Button
Published at USENIX WOOT 2019 [4]
Conclusion
- Contribute a multipart system that detects the modulation parameters (modulation type, noise level, center, bit-length and tolerance) of a wireless signal
- Each parameter is returned so it can be fine-tuned afterwards, if needed
- Speed up security investigations and lower the hurdle for wireless hacking beginners
- Aimed at proprietary protocols with unknown modulation parameters operating on frequencies such as 433.92 MHz or 868.3 MHz, usually using binary modulations
- Basis for future automations such as automatic protocol field inference
- Future work is support for higher order modulations
Download: https://github.com/jopohl/urh/releases

Contact
- E-Mail: Johannes.Pohl90@gmail.com
- E-Mail: Andreas.Noack@hochschule-stralsund.de
- Slack: https://bit.ly/2LGpsra
- GitHub: https://github.com/jopohl
Publications I
[1] Johannes Pohl. “Attacking Internet of Things with Software Defined Radio (Workshop)”. In: DeepSec (2018).
[2] Johannes Pohl. “Universal Radio Hacker: Investigate wireless protocols like a boss”. In: Blackhat Arsenal USA (2017).
[3] Johannes Pohl. “Universal Radio Hacker v2: Simulate Wireless Devices with Software Defined Radio”. In: Blackhat Arsenal Europe (2018).
[4] Johannes Pohl and Andreas Noack. “Automatic Wireless Protocol Reverse Engineering”. In: 13th USENIX Workshop on Offensive Technologies (WOOT 19). Santa Clara, CA: USENIX Association, Aug. 2019. URL: https://www.usenix.org/conference/woot19/presentation/pohl.
[5] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols”. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD: USENIX Association, 2018. URL: https://www.usenix.org/conference/woot18/presentation/pohl.
[6] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Wireless Protocol Analysis”. In: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy (CCS). Dallas, Texas, USA: ACM, 2017, pp. 59–60. DOI: 10.1145/3139937.3139951.