Lazy-Mode RF OSINT and Reverse Engineering, Marc Newlin (PowerPoint presentation, slide text)



  1. Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18

  2. $(whoami) ● Red Team @ Snap ● Former Wireless Security Researcher @ Bastille Networks ● Wireless CVEs in products from 21 vendors

  3. I am lazy and you can too ● Radios ● They aren’t as scary as they might seem ● How to maximize laziness when hacking them ● Making OSINT a little easier

  4. Related talks So You Want To Hack Radios @ Troopers18 ● Matt Knight and Marc Newlin ● https://www.youtube.com/watch?v=OFRwqpH9zAQ Radio Exploitation 101 @ HITB GSEC ● Matt Knight and Marc Newlin ● https://www.youtube.com/watch?v=UrVbN23zR9c

  5. What is a radio? ● Magic black-box ● Converts digital data into radio waves (TX) ● Converts radio waves into digital data (RX) ● Radios can be analog, but we only really care about digital radios

  6. [Hardware|Software] Defined Radio
  Hardware Defined Radio
  ● Purpose-built to speak a specific protocol
  ● Usually can’t deviate [much] from the standard
  ● Logic is baked into silicon
  ● Easier to use than SDR
  ● Usually cheaper than SDR
  Software Defined Radio
  ● Flexible radio front-end
  ● Raw RF samples get sent to the host computer
  ● Highly reconfigurable
  ● Protocol logic is implemented in software
  ● Can get expensive
  ● More domain knowledge required

  7. How can we use radios?
  Hardware Defined Radio
  ● Talk to devices using standardized protocols (WiFi, BT, etc)
  ● Talk to devices using proprietary protocols but common RFICs (wireless peripherals, etc)
  ● Talk to devices using undocumented protocols, after you’ve reverse engineered the protocol with an SDR, or gathered sufficient OSINT
  Software Defined Radio
  ● Talk to devices using standardized protocols when an HDR isn’t available (LoRa, ZigBee, etc)
  ● Perform PHY-layer attacks (jamming, replay, sniffing, etc)
  ● Reverse engineer undocumented protocols and devices

  8. Be lazy, find vulns 1. Pick a target 2. Define your goals 3. Gather open-source intelligence 4. Acquire the right hardware/software tools 5. Find some vulns

  9. Pick a target

  10. What are “easier” targets? ● Low power devices designed to work for a long time on a single battery/charge ○ low power == low complexity == [maybe] low security ● Inexpensive devices from lesser-known vendors ○ cheap components means simple RF PHY and [maybe] no encryption ● Devices using COTS RFICs ○ usually means good documentation about the RFICs

  11. What are “harder” targets? ● Devices with no compatible (and accessible) HDR ● Devices that exceed the capabilities of your SDR ○ bandwidth ○ frequency ○ retune time ○ ADC resolution ● Devices with little or no OSINT findings ○ blind reversing requires a significant effort

  12. Devices are built under constraints ● Component cost ● Engineering cost ● Desired features ● Power consumption ● People are more likely to use off-the-shelf RFICs than roll their own ● Application layer SDKs cut down on software/firmware engineering costs

  13. Target 1: Garage Door Opener Keyscan TR4 ● Garage door opener ● Low power ● Long use on single battery

  14. Target 2: Wireless Barcode Scanner Netum NT-1698W ● 2.4GHz wireless barcode scanner ● Inexpensive (~$30 USD) ● Lesser-known vendor

  15. Define your goals

  16. Garage Door Opener Goals ● Open the garage door (without the given opener)

  17. Wireless Barcode Scanner Goals ● Determine if the barcode scanner is functionally a keyboard ● Perform a keystroke injection attack

  18. Gather OSINT

  19-24. What do we actually need to learn about a device? (one slide, built up over six steps) It depends on what your goals are ● For a simple replay attack, you might only need to know the frequency. ● For a sniffing attack, you might need to understand the MAC layer. ● If it uses an off-the-shelf RFIC, you likely won’t need to understand all the details of the PHY (and maybe not the MAC either). ● If it uses an unknown RFIC, you’ll probably need to reverse engineer the PHY.

  25. What are some good sources for RF OSINT? ● Regulatory filings (FCC) ● RFIC datasheets ● Standards documents ● Prior reverse-engineering work ● Marketing material

  26. Federal Communications Commission (FCC) ● US regulatory body governing electromagnetic spectrum usage ● Usually relevant to non-US markets and devices ○ Vendors often use a single test lab to certify a device for multiple markets ○ FCC publishes verbose device RF information

  27. FCC Certification Process 1. Device is manufactured 2. Test lab evaluates the device 3. Telecommunications certification body issues a grant of certification 4. Test report, application, and related exhibits published in FCC database 5. Some exhibits are confidential (temporarily or permanently)

  28. Finding FCC Exhibits ● Lookup FCC ID @ https://www.fcc.gov/general/fcc-id-search-page ● Click on the ‘Detail’ link on the results page
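The FCC ID lookup on slides 28 and 37 starts from the ID printed on the device or in its manual. The script below is an added example, not code from the talk: it pulls FCC IDs out of a text dump (a user manual, as on slide 44), splits each into grantee code and product code, and builds the search query. The split rule (3-character grantee code when it starts with a letter, 5 characters when it starts with a digit) is the one in 47 CFR 2.926; the search endpoint and its parameter names are an assumption and should be checked against the FCC ID search page linked on the slide. The manual text is constructed sample input.

```python
"""Extract FCC IDs from text and split them into grantee/product codes.

Added example for the FCC OSINT slides; not the speaker's code.
Assumption: the OET search form endpoint and parameter names below.
"""
import re
from urllib.parse import urlencode

# ASSUMED endpoint behind https://www.fcc.gov/general/fcc-id-search-page
FCC_SEARCH_URL = "https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm"

# "FCC ID" label (any case) followed by an upper-case ID of 4..17 chars.
FCC_ID_IN_TEXT = re.compile(r"(?i:FCC\s*ID)\s*[:#]?\s*([A-Z0-9][A-Z0-9-]{3,16})")
FCC_ID_SHAPE = re.compile(r"^[A-Z0-9][A-Z0-9-]{3,16}$")

# Constructed sample manual text (not from the Keyscan or Netum manuals).
SAMPLE_MANUAL = """
Garage remote. FCC ID: ELVUT0A. This device complies with Part 15.
See the label; the FCC ID contains the grantee code. FCC ID: ELVUT0A
Receiver module: FCCID 2ABCDXYZ1 (separately certified).
"""


def split_fcc_id(fcc_id: str) -> tuple[str, str]:
    """Return (grantee_code, product_code), e.g. 'ELVUT0A' -> ('ELV', 'UT0A')."""
    fcc_id = fcc_id.strip().upper().replace(" ", "")
    if not FCC_ID_SHAPE.match(fcc_id):
        raise ValueError(f"not a plausible FCC ID: {fcc_id!r}")
    # 47 CFR 2.926: grantee codes beginning with a digit are 5 characters,
    # all others are 3 characters; the remainder is the product code.
    grantee_len = 5 if fcc_id[0].isdigit() else 3
    grantee, product = fcc_id[:grantee_len], fcc_id[grantee_len:]
    if not product:
        raise ValueError(f"FCC ID has no product code: {fcc_id!r}")
    return grantee, product


def find_fcc_ids(text: str) -> list[str]:
    """Return the distinct FCC IDs labelled in free text, in order of appearance."""
    seen, found = set(), []
    for match in FCC_ID_IN_TEXT.finditer(text):
        fcc_id = match.group(1)
        if fcc_id not in seen:
            seen.add(fcc_id)
            found.append(fcc_id)
    return found


def search_url(fcc_id: str) -> str:
    """Build the (assumed) grantee/product search query for one FCC ID."""
    grantee, product = split_fcc_id(fcc_id)
    return f"{FCC_SEARCH_URL}?{urlencode({'grantee_code': grantee, 'product_code': product})}"


if __name__ == "__main__":
    for fcc_id in find_fcc_ids(SAMPLE_MANUAL):
        print(fcc_id, split_fcc_id(fcc_id), search_url(fcc_id))
```

Run it on a text dump of the manual or the test report; the grantee code alone is also useful, since every product the same grantee has certified shares it and the other filings often carry the schematics or RFIC details that the one you started from has under confidentiality (slide 33).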

  29. FCC Documentation ● Applications ● Test Reports ● Internal / External Photos ● User Manuals ● Schematics / Block Diagrams ● Operational Descriptions

  30. FCC Application ● Frequency ● Transmit power ● Type of device (e.g. car key fob) ● Vendor information ● Test lab information

  31. FCC Test Reports ● Does the device meet FCC guidelines? ○ Transmit power ○ Bandwidth ○ Frequencies ○ Duty cycle ● 2498 authorized test labs ● Each lab has one or more report formats ● Each lab provides a varying degree of detail

  32. FCC Internal / External Photos ● Internal / external photos of a device ● Typically taken by the test lab ● No standardization means [potentially] questionable quality ○ Low-resolution images ○ Blurred images ○ Blacked-out chip markings

  33. FCC Schematics ● Most vendors request permanent confidentiality on schematics ● More common with lesser-known manufacturers ● When available, extremely useful to learn RFIC specifics

  34. FCC Operational Descriptions and User Manuals ● Describes the device behavior in an undefined format ● Hit or miss, but potentially fruitful ● Some vendors include useful technical details

  35. RFIC Datasheets ● It’s much easier to use an existing RFIC than to roll your own ● The engineers who build the <wireless device> needed documentation of the RFIC(s) they used ● What documentation did they use? ● Are there existing open-source implementations of the PHY/MAC? ● Is there an available HDR dongle/shield?

  36. Prior reverse-engineering work ● Has somebody already solved this problem? ● Did they release documentation? Code? ● Is it permissively licensed?

  37. Garage Door Opener - FCC Search FCC ID - ELVUT0A

  38. Garage Door Opener - FCC Search Results

  39. Garage Door Opener - FCC Exhibits

  40. Garage Door Opener - Block Diagram

  41. Garage Door Opener - The Google Solved problem, thanks to: ● @samykamkar ● @andrewmohawk ● Many others

  42. Wireless Barcode Scanner - FCC Search ● No FCC ID :(

  43. Wireless Barcode Scanner - Google

  44. Wireless Barcode Scanner - User Manual

  45. Use the right tools

  46. SDR Hardware (some reasonably-priced devices)

  47. RTL-SDR ● Receive only ● ~20 MHz - 1800 MHz tuning range ● ~2.4 MHz maximum sample rate ● ~$20 USD

  48. HackRF ● Transmit and Receive (half-duplex) ● 1 MHz - 6 GHz tuning range ● 20 MHz maximum sample rate ● ~$300 USD

  49. bladeRF x40 ● Transmit and Receive (full-duplex) ● 300 MHz - 3.8 GHz tuning range ● 40 MHz maximum sample rate ● ~$420 USD

  50. PlutoSDR ● Transmit and Receive (full-duplex) ● 325 MHz - 3.8 GHz tuning range ● 20 MHz maximum sample rate ● ~$100 USD
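Slide 11 lists the ways a target can exceed an SDR (bandwidth, frequency, retune time, ADC resolution), and slides 47-50 give the figures for four radios. The check below is an added example, not from the talk: it takes the target's centre frequency, the bandwidth you need to see at once, and the goal from slides 16-24, and reports which of the listed radios can serve it. The rule it applies is the usual one for complex (I/Q) sampling, that the usable capture bandwidth is at most the sample rate, with an assumed 80% margin for filter roll-off; replay and jamming goals additionally require a transmit-capable radio. The device figures are the approximate ones printed on the slides; the margin and the goal table are assumptions.

```python
"""Match a target signal and goal against the SDRs listed on slides 47-50.

Added example, not the speaker's code. Device figures are the slide values;
the 80% usable-bandwidth margin and the goal->TX mapping are assumptions.
"""
from dataclasses import dataclass

MHZ, GHZ = 1e6, 1e9


@dataclass(frozen=True)
class Sdr:
    name: str
    min_hz: float
    max_hz: float
    max_sps: float  # maximum sample rate (complex samples per second)
    can_tx: bool
    full_duplex: bool


SDRS = [
    Sdr("RTL-SDR", 20 * MHZ, 1800 * MHZ, 2.4 * MHZ, can_tx=False, full_duplex=False),
    Sdr("HackRF", 1 * MHZ, 6 * GHZ, 20 * MHZ, can_tx=True, full_duplex=False),
    Sdr("bladeRF x40", 300 * MHZ, 3.8 * GHZ, 40 * MHZ, can_tx=True, full_duplex=True),
    Sdr("PlutoSDR", 325 * MHZ, 3.8 * GHZ, 20 * MHZ, can_tx=True, full_duplex=True),
]

# Goals from slides 16-24 and the radio capability each needs (assumed table).
GOAL_NEEDS_TX = {"sniff": False, "reverse_phy": False, "replay": True, "jam": True}
USABLE_FRACTION = 0.8  # assumed: keep the signal inside the flat part of the filter


def shortfalls(sdr, center_hz, bandwidth_hz, goal, hop_span_hz=0.0):
    """Reasons this SDR cannot serve the goal; empty list means it can.

    hop_span_hz: total span of a hopping set you want to capture at once
    (so you never have to retune); 0 means a single fixed channel.
    """
    if goal not in GOAL_NEEDS_TX:
        raise ValueError(f"unknown goal {goal!r}")
    span = max(bandwidth_hz, hop_span_hz)
    reasons = []
    # Frequency: the whole captured span has to sit inside the tuning range.
    if center_hz - span / 2 < sdr.min_hz or center_hz + span / 2 > sdr.max_hz:
        reasons.append("frequency")
    # Bandwidth: complex sample rate bounds the span you can see at once.
    if span > USABLE_FRACTION * sdr.max_sps:
        reasons.append("bandwidth")
    # Replay/jamming need TX; sniffing and PHY reversing are receive-only.
    if GOAL_NEEDS_TX[goal] and not sdr.can_tx:
        reasons.append("transmit")
    return reasons


def candidates(center_hz, bandwidth_hz, goal, hop_span_hz=0.0, radios=SDRS):
    """Names of the radios that have no shortfall for this target and goal."""
    return [r.name for r in radios
            if not shortfalls(r, center_hz, bandwidth_hz, goal, hop_span_hz)]


if __name__ == "__main__":
    # Constructed targets: a fixed-frequency sub-GHz remote and a 2.4 GHz device.
    print("315 MHz replay:", candidates(315 * MHZ, 1 * MHZ, "replay"))
    print("2.44 GHz sniff:", candidates(2.44 * GHZ, 2 * MHZ, "sniff"))
    print("2.4 GHz whole band at once:", candidates(2.44 * GHZ, 2 * MHZ, "sniff", hop_span_hz=80 * MHZ))
```

An empty result for the hopping case is the point of the retune-time item on slide 11: none of the listed radios can watch an 80 MHz hop set in one capture, so a hopping 2.4 GHz target either needs an HDR that follows the hops (slide 7) or a capture strategy that retunes, and then the radio's retune time matters.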

  51. Open-Source SDR Software (a small slice of a big ecosystem)

  52. GNU Radio ● Open source SDR toolkit written in C/C++ and Python ● Large selection of signal processing libraries ● Hardware support for common SDR platforms ● Efficient prototyping

  53. GNU Radio Companion ● Drag and drop flow graph creator ● Quick and easy

  54. Inspectrum ● Spectrum visualization and analysis tool

  55. Universal Radio Hacker ● [Semi] automatic signal / protocol reversing tool
