Harshit Agrawal & Himanshu Mehta On the Wings of Time: Demystifying Wireless Ethical Hacking and Defenses (The RF Way) https://cyberweek.ae



Page 1: On the Wings of Time: Demystifying Wireless Ethical Hacking and … COMMSEC - On the... · 2019. 10. 14. · Internet of things threat model 1 Controlling Device Smartphone, tablets

Harshit Agrawal & Himanshu Mehta

On the Wings of Time: Demystifying Wireless Ethical Hacking and Defenses (The RF Way)

https://cyberweek.ae

Page 2:

Table of Contents

● Introduction to IoT – OWASP, Threat Model, IoT in homes

● RF in IoT world – Architecture, Frequency range, SDR

● Why focus on RF security? – Types of attacks

● Replay attack demos and methodology

● Internet of Radio vulnerabilities

● Privacy & concerns

Page 3:

Introduction to IoT

Page 4:

Internet of things

● This statistic shows the number of connected devices (Internet of Things; IoT) worldwide from 2015 to 2025.

● For 2020, the installed base of Internet of Things devices is forecast to grow to almost 31 billion worldwide.

Symantec ITSR Report 2018

Page 5:

IoT components in Home

INFRASTRUCTURE: Back-up power, Waste control, Parking facilities, Communication

COMBINED SYSTEMS: Energy usage monitoring system, Card access and security system

SENSING: CCTV, IP video, Air quality, Water flow, Air temp, Light, Door, Smoke/fire

COMPUTING: Processors/data stores: Databases, Servers, Cloud services, Edge devices

ACTUATING: Door access, Elevator, Heater/AC, Fire alarms, Irrigation system

Page 6:

IoT Network Architecture

https://ieeexplore.ieee.org/abstract/document/7226706/figures#figures

Page 7:

Internet of things threat model

1. Controlling Device: Smartphones, tablets and other smart devices can control all types of “things”.

2. Cloud Service: Cloud services provide the repository and access control between the “things” and their controller.

3. Global Network: Most “things” are connected to the Internet, except for power grids or classified government systems.

4. Local Network: This may be a controller area network (CAN) in connected cars, a local network in homes, etc.

5. Things: “Things” can be remotely controlled or viewed, and they can send telemetry for analysis.

Page 8:

Evolving IoT Landscape

● The combined markets of the Internet of Things (IoT) will grow to about $520B in 2021, more than double the $235B spent in 2017.

Page 9:

Why Focus on RF Security

Page 10:

Source: Mr. Robot Series

Page 11:

Inside the radio wave spectrum?

[Spectrum chart from 3 kHz to 5 GHz, with 1 GHz, 2 GHz, 3 GHz, 4 GHz and 5 GHz marked. Labelled uses: AM Radio, Broadcast TV, Garage Door Openers, Door Openers, Auctioned Spectrum, Cell Phones, Global Positioning System, Wireless Medical Telemetry, GSM Network, Satellite Radio, Weather Radar, Cable TV Satellite Transmissions, Highway Toll Tags, 5 GHz WiFi Network, Security Alarms.]

2.4 GHz band: used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth).

Most of the white area of this band is reserved for military, federal government and industry use.

Page 12:

PHY LAYER

● Lowest layer in the communication stack

● In wired protocols: voltage, timing, and wiring defining 1s and 0s

● In wireless: patterns of energy being sent over the RF medium

Page 13:

Why SDRs?

1. Your budget may not allow you to buy one of these (Vector Signal Analyzer): a single well-equipped device measuring one location at a time.

2. 20 of these (SDR + single board computer): a network of configurable low-cost sensors spread over a wide geographical area.

Source: Google Images. Credit: Peter Mathys

Page 14:

Hardware and Software

Source: Google Images

Page 15:

SDR as Spectrum Analyzers

● All radio H/W implemented in S/W.

● SDR can be used as a VSA when connected to a computer.

● Implementation on PC or on embedded systems.

● Higher-end SDRs have FPGAs for on-board DSP.

● Most signal processing and all display functions take place in an external computer, e.g., using GNU Radio.

● Shuttles RF I/Q samples to DSP or host.

Source: Google Images. Credit: Peter Mathys

Page 16:

RF in IoT World

Page 17:

Initial Profiling of our device

● What does our device do in normal operation?

● How do they connect?

● Determining the frequency?

Page 18:

What to consider?

1. ▪ Frequency ▪ Time ▪ Power

2. ▪ Waveform ▪ Spreading/Hopping ▪ Jamming

3. ▪ Error-correction ▪ Encoding ▪ Encryption

Credit: Dr. Adam L. Anderson

Page 19:

Types of RF Attacks

Wardriving: a type of sniffing that refers to discovering non-802.11 RF networks. Example: the KillerBee 802.15.4 framework.

Replay Attacks: involve retransmitting a previously captured raw PHY-layer payload, or synthesising a new frame based on decoded data.

Sniffing: the passive observation of wireless network traffic, noteworthy because the wireless domain enables truly promiscuous sniffing with no direct physical access.

Jamming: can be conducted by transmitting noise within the target network’s RF channel with sufficient bandwidth and power.

Evil-twin Attack: standing up a decoy device or rogue access point that mimics trusted infrastructure, such that it tricks victims into connecting to it.

Matt Knight and Marc Newlin

Page 20:

RF Attack Methodology

Page 21:

Steps to follow

Information Gathering
• Target device
• Type of modulation
• Type of coding/decoding
• Type of encryption

Analysis and confirmation
• Frequency/time domain
• Signal monitoring

Capture and replay
• Using SDR and GNU Radio

Replaying and attack
• Using Arduino

Page 22:

Information Gathering

Page 23:

What is your Target Device?

● Brennenstuhl RCS 1000 N / GB Comfort Remote control set

○ 433.925 MHz

○ Costs below $20

○ Task - Replay Attack

Source: Google Images

Page 24:

RF IC Datasheet

Features

● Part Number: HX2262

● Function: Remote Control Encoder IC

● Package: DIP 18 Pin

● Manufacturer: HX

● CMOS Technology

● Low Power Consumption

● Very High Noise Immunity

● Up to 12 Tri-State Code Address Pins

● Up to 6 Data Pins

● Wide Range of Operating Voltage: Vcc = 4 ~ 15 Volts

● Single Resistor Oscillator

● Latch or Momentary Output Type

Technical Data

● Operating voltage 240 VAC 50 Hz, British standard

● Switching voltage 240 VAC, 4.17 A

● Socket switch switching power max. 1000 W

● Radio signal range max. 15 m

● Operating frequency 433.92 MHz

● Ambient temperature 0°C to 35°C

● Storage temperature -40°C to 70°C

● Battery 12 V, type A23

Page 25:

Device Overview

● Setting a radio channel on the remote control

● Setting a radio channel on the socket switch

Control key selected by DIP switch positions 6 to 10:

  Control Key | DIP 6 | DIP 7 | DIP 8 | DIP 9 | DIP 10
  A           | ON    | OFF   | OFF   | OFF   | OFF
  B           | OFF   | ON    | OFF   | OFF   | OFF
  C           | OFF   | OFF   | ON    | OFF   | OFF
  D           | OFF   | OFF   | OFF   | ON    | OFF

Code Word: 9 address bits, 3 data bits, sync bit

  A0 A1 A2 A3 A4 A5 A6 A7 A8 | A9 A10 A11 | SYNC. BIT

Page 26:

Analysis & Confirmation

Page 27:

Use a spectrum analyzer/SDR

Frequency domain and time domain views, captured with Gqrx.

Page 28:

Modulation

● Defines how the carrier wave is modified to encode the bits we are transmitting

● Representing digital data as variations in the carrier wave

● ASK/OOK - on off keying

Source: Attify
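Added example, not code from the slides or the linked tutorial: a model of the HX2262-style 12-symbol tri-state code word (Page 25) sent as OOK pulses (this page), using the timings of the widely used rc-switch "protocol 1" as an assumption (350 µs base pulse; '0' = two short-high/long-low pulses, '1' = two long-high/short-low pulses, 'F' = one of each, sync = 1 unit high / 31 low). Function names and the decode tolerance are my own. It shows what an analyst sees in a capture and, in `encode`, why a fixed-code frame is accepted on replay: nothing in it changes between presses.

```python
import random

BASE_US = 350                   # assumed base pulse width (rc-switch protocol 1)
SYMBOL_PULSES = {               # each tri-state symbol is two OOK pulses, in (high, low) units
    "0": ((1, 3), (1, 3)),
    "1": ((3, 1), (3, 1)),
    "F": ((1, 3), (3, 1)),      # floating (tri-state) address pin
}
SYNC = (1, 31)                  # sync gap that terminates a 24-pulse frame


def encode(code_word):
    """12 tri-state symbols (A0..A11) -> list of (high_us, low_us) pulses plus sync."""
    if len(code_word) != 12 or any(c not in SYMBOL_PULSES for c in code_word):
        raise ValueError("code word must be 12 symbols from {0, 1, F}")
    pulses = [(hi * BASE_US, lo * BASE_US)
              for sym in code_word for hi, lo in SYMBOL_PULSES[sym]]
    pulses.append((SYNC[0] * BASE_US, SYNC[1] * BASE_US))
    return pulses               # identical on every key press: no counter, no nonce


def jitter(pulses, percent, seed=1):
    """Constructed 'capture': perturb each edge timing as a real receiver would see it."""
    rng, p = random.Random(seed), percent / 100
    return [(int(hi * (1 + rng.uniform(-p, p))), int(lo * (1 + rng.uniform(-p, p))))
            for hi, lo in pulses]


def decode(pulses, tol=0.35):
    """Recover the code word from measured pulse widths; None if the frame is malformed."""
    for i, (hi, lo) in enumerate(pulses):
        if i >= 24 and lo > 20 * hi:            # sync: long low period after 24 data pulses
            base, frame = lo / SYNC[1], pulses[i - 24:i]
            break
    else:
        return None                             # no sync seen
    halves = []
    for hi, lo in frame:
        if abs((hi + lo) - 4 * base) > tol * 4 * base:
            return None                         # period is off: noise or another protocol
        halves.append((1, 3) if hi < lo else (3, 1))
    by_pulses = {v: k for k, v in SYMBOL_PULSES.items()}
    symbols = []
    for j in range(0, 24, 2):
        pair = (halves[j], halves[j + 1])
        if pair not in by_pulses:
            return None                         # (3,1),(1,3) is not a valid symbol
        symbols.append(by_pulses[pair])
    return "".join(symbols)
```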

Page 29:

Capturing & Replaying using GNUradio

Page 30:

Switch Demo:

Page 31:

Replay Attack using ARDUINO

Page 32:

433 MHz RF Transmitter and Receiver Module

Receiver

• Voltage: 5.0 VDC +0.5 V

• Current: ≤5.5 mA max

• Modulation mode: OOK/ASK

• Working frequency: 433.92 MHz

• Bandwidth: 2 MHz

• Sensitivity: exceeds –100 dBm (50 Ω)

• Frequency error: +150 kHz (max)

• Velocity: less than 10 Kbps

Transmitter

• Voltage: 3 V – 12 V

• Current: less than 40 mA max, and 9 mA min

• Modulation mode: ASK

• Working frequency: 433.92 MHz

• Resonance mode: (SAW)

• Transmission power: 25 mW

• Transmission range: 90 m (in open space)

Page 33:

Decode and Send 433 MHz RF Signals using Arduino

Parts Required

• Arduino UNO or Arduino MEGA

• 433 MHz RF Remote controlled sockets

• 433 MHz transmitter/receiver

• Breadboard and Jumper wires

Wiring diagram for Receiver (Rx) and Transmitter (Tx): https://randomnerdtutorials.com/decode-and-send-433-mhz-rf-signals-with-arduino/

Page 34:

Receive, Decode and Transmit

Page 35:

Car Key Fob Attack Demo

Page 36:

Case Study: Car RKE

● Relay hack by Qihoo 360, with a pair of gadgets for just $22. (Passive RKE)

● RollJam device by Samy Kamkar, to steal secret codes from the key. (Two-way RKE)

Page 37:

Possible Prevention for Passive RKE

● Require a timing constraint in the call-and-response communication between car and key.

● Keep your keys in a Faraday bag that blocks radio transmissions.
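Added example, not from the slides or from the projects they cite: the fixed-code socket of the replay demos (Pages 29 to 34) side by side with a rolling-code receiver of the kind the RKE case study contrasts it with. The counter-plus-truncated-HMAC scheme, the key, the window size and the class names are assumptions chosen for illustration, not any vendor's protocol; the point is which receiver can tell a recorded frame from a fresh one.

```python
import hashlib
import hmac


class FixedCodeReceiver:
    """Models the HX2262-based socket: it knows one 12-symbol code word."""
    def __init__(self, code_word):
        self.code_word = code_word

    def accept(self, frame):
        # No counter or nonce, so a recorded frame looks exactly like a fresh one.
        return frame == self.code_word


def _tag(key, counter):
    # Toy MAC: truncated HMAC-SHA256 over the counter (assumed scheme, not a vendor's).
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1               # every press sends a never-repeating counter
        return (self.counter, _tag(self.key, self.counter))


class RollingCodeReceiver:
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, frame):
        counter, tag = frame
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False                # forged or corrupted frame
        if not self.last < counter <= self.last + self.window:
            return False                # replay (counter <= last) or too far ahead
        self.last = counter             # the accepted frame can never be reused
        return True


def demo():
    """Constructed scenario: one captured frame is played back at each receiver."""
    key = b"constructed-demo-key"
    socket = FixedCodeReceiver("0F0F0F0FFF0F")
    captured = "0F0F0F0FFF0F"           # frame recorded in the socket demo
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    press = fob.press()                 # frame recorded from the key fob
    results = {
        "fixed_original": socket.accept(captured),
        "fixed_replay": socket.accept(captured),        # accepted again
        "rolling_original": car.accept(press),
        "rolling_replay": car.accept(press),            # rejected: counter already used
    }
    for _ in range(5):                  # presses out of the car's range...
        frame = fob.press()
    results["rolling_resync"] = car.accept(frame)       # ...still inside the window
    for _ in range(20):                 # far beyond the window: needs re-pairing
        frame = fob.press()
    results["rolling_beyond_window"] = car.accept(frame)
    return results
```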

Page 38:

Page 39:

Replay Attack on Smart Switch (Light/Fan) Demo

Page 40:

Page 41:

Internet of Radio Vulnerabilities

Rogue Cell Towers: Used to hijack cell phone connections, and to break 2-factor authentication to listen to calls and read texts.

Rogue Wi-Fi Hotspots: Impersonate legitimate Wi-Fi networks, and might be used for MITM attacks to sniff network traffic and steal credentials.

Unapproved IoT Emitters: Sensors often have multiple data radios; 802.11 is known, but what if they are also transmitting on other frequencies like Zigbee or LoRa?

Vulnerable Wireless Devices: Low-end keyboard/mouse dongles can be exposed to RF attack through keystroke injection, which may expose the larger network to insider attacks.

Eavesdropping/Surveillance Devices: Voice-activated FM & GSM, or other radio bugs.

Matt Knight and Marc Newlin

Page 42:

Privacy, Rules, and Regulations:

● Check FCC and ARRL Regulations:

○ FCC 97.313: An amateur station must use the minimum transmitter power necessary to carry out the desired communications.

○ No station may transmit with a transmitter power exceeding 1.5 kW PEP.

● Steps for Compliance for IoT Organisations:

○ Be aware of the data collected and processed.

○ Understand the functionality & implement consent.

○ Record everything to meet the requirements of the privacy act.

○ Be aware of privacy by design and by default.

Page 43:

References

▪ Symantec ITSR Report 2018

▪ OWASP

▪ Attify

▪ Google Images

▪ Peter Mathys, University of Colorado Boulder

▪ Dr. Adam L. Anderson, Oak Ridge National Lab

▪ Mr. Robot Series

▪ Marc Newlin and Matt Knight

▪ Balint Seeber

▪ Michael Ossmann

▪ Samy Kamkar

▪ https://ieeexplore.ieee.org/abstract/document/7226706/figures#figures

▪ https://randomnerdtutorials.com/decode-and-send-433-mhz-rf-signals-with-arduino/

Page 44:

Thank You..!

Harshit Agrawal

@harshitnic

Xen1th MT Lab

Himanshu Mehta

@LionHeartRoxx