RF Hacking with Software-Defined Radio (SDR)

Learn how to hack wireless devices with popular open source RF and SDR tools.

Training starting at

$1,800.00

with one of our subscriptions

Language

English

Day 1

The first day will introduce toolkits to develop Software-Defined Radio tools like GNU Radio, but also alternatives such as Pothos, Redhawk SDR, or MATLAB and Simulink.

During this day we will mainly focus on GNU Radio by introducing the toolkit, the flowgraph concepts, the components, and how to use the different blocks in practice to build several tools to:

  • simulate a signal and transmit it in the air;
  • capture, demodulate and decode a signal;
  • optimize processing;
  • create your own blocks;
  • etc.
Theory
  • A few reminders about radio and SDR
  • Extended introduction to GNU Radio and its alternatives (RedhawkSDR, Pothos, etc.)
Assignment 1
  • Practice with GNU Radio Companion

    • Block schemas
    • Parameters
    • Generators
    • Sinks and sources
    • Operators
    • Simulations
    • Modules
    • Features to process samples
Assignment 2
  • Creating an FM/AM station
  • Sending the signal over-the-air
  • Listening to this station
Assignment 3
  • Creating a custom signal to send a message
  • Simulating the custom signal
  • Sending the signal over-the-air
Assignment 4
  • Installing Out-Of-Tree blocks
  • Creating your own block

Day 2

Starting on day 2, attendees will have the opportunity to see and exploit vulnerabilities in several RF devices, but also to discover their security features and the ways these can be circumvented. On this day, we will see in practice how to attack physical intrusion systems such as alarms, intercoms and access control systems that use RF technologies such as sub-GHz, cellular, and RFID. During this day, attendees will learn techniques that could be used in Red Team contexts and hear our feedback from previous tests.

Theory
  • Introduction to physical intrusion systems
  • Introduction to mobile security
  • Introduction to RFID security
  • Common flaws in current technologies
  • Security mechanisms and ways to defeat them
  • How to improve security of communication systems in different cases
  • Our feedback and tips from missions and red team tests
Assignment 1
  • Attacking a complete alarm solution:

    • Capturing data
    • Replaying saved samples
    • Analyzing samples (manually and with powerful tools)
    • Rolling codes security
Assignment 2
  • Attacking a device using the mobile network:

    • Monitoring 2G, 3G, 4G and 5G cells
    • Mobile security
    • Interception techniques
    • Our feedback in missions
    • Fuzzing and triggering bugs with 2G, 3G, 4G and 5G protocol stacks over-the-air
Assignment 3
  • Attacking RFID systems:

    • Analyzing radio communications
    • Identifying technologies
    • Tools and techniques to defeat common physical access systems and methods to study custom systems

Day 3

Following day 2, day 3 will focus on attacking custom RF devices, but also devices used in industrial systems using technologies such as LoRa, Power-Line Communications and ZigBee, and on how to set up testbeds for many current technologies. We will also introduce devices that could act as unexpected implants and ways to analyze them. We will then finish with an introduction to hardware hacking, which is complementary to RF hacking, by talking about survival and practical reflexes, as well as methods to interface with hardware.

Theory
  • Radio communications used in industrial environments
  • Introduction to nRF-based devices and common attacks
  • Hardware Hacking

    • Introduction and how it could be complementary
    • Survival and practical reflexes
    • Cheap tools and tricks
    • Radio prototyping arsenal for red team tests
Assignment 1
  • Attacking unknown/custom devices

    • Identification (looking at devices' references, components, etc.)
    • Sniffing signals
    • Decoding signals
Assignment 2
  • Attacking nRF devices

    • Analyzing nRF-based devices such as mice, keyboards, and presenters with GNU Radio
    • Capturing keystrokes
    • Hijacking vulnerable devices
    • Turning them into implants
Assignment 3
  • Attacking LoRa and ZigBee communications

    • Detect used bands
    • Capture signal
    • Optimize the interception process
    • Decode data and payloads
    • Security of LoRa and ZigBee
    • Transmit packets
Assignment 4
  • Monitor PLC devices
  • Analyzing a capture of a Power-Line Communications devices
  • Exploit old and new vulnerabilities in the HomePlug standards
  • Talk to cars and charging stations
  • Take advantage of electric lines that behave like an antenna

Class Requirements

  • A compatible SDR. We recommend the Analog Devices Pluto SDR, which supports full-duplex Tx/Rx.
  • A working laptop capable of running virtual machines.
  • 4GB RAM required, at a minimum.
  • 40 GB free Hard disk space.
Training by Sébastien Dudek

Sébastien is a security researcher focusing on flaws in radio-communication systems. He has published attacks against mobile device baseband, Power-Line devices, as well as intercom systems.

Can't attend? All of our trainings are also available as private classes for your company.

Access all of our classes and professionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.