Harshit Agrawal & Himanshu Mehta
On the Wings of Time: Demystifying Wireless Ethical Hacking and Defenses (The RF Way)
https://cyberweek.ae
Table of Contents
● Introduction to IoT – OWASP, Threat Model, IoT in homes
● RF in IoT world – Architecture, Frequency range, SDR
● Why focus on RF security? – Types of attacks
● Replay attack demos and methodology
● Internet of Radio vulnerabilities
● Privacy & concerns
Introduction to IoT
● This statistic shows the number of connected devices (Internet of Things; IoT) worldwide from 2015 to 2025.
● For 2020, the installed base of Internet of Things devices is forecast to grow to almost 31 billion worldwide.
Internet of things
Symantec ITSR Report 2018
INFRASTRUCTURE: Back-up power, Waste control, Parking facilities, Communication
COMBINED SYSTEMS: Energy usage monitoring system, Card access and security system
SENSING: CCTV, IP video, Air quality, Water flow, Air temp, Light, Door, Smoke/fire
COMPUTING: Processors/data stores: Databases, Servers, Cloud services, Edge devices
ACTUATING: Door access, Elevator, Heater/AC, Fire alarms, Irrigation system
IoT components in Home
IoT Network Architecture
https://ieeexplore.ieee.org/abstract/document/7226706/figures#figures
Internet of things threat model
1. Controlling Device: Smartphones, tablets and other smart devices can control all types of “things”.
2. Cloud Service: Cloud services provide the repository and access control between the “things” and their controller.
3. Global Network: Most “things” are connected to the Internet, except for power grids or classified government systems.
4. Local Network: This may be a controller area network (CAN) in connected cars, a local network in homes, etc.
5. Things: “Things” can be remotely controlled or viewed, and they can send telemetry for analysis.
● The combined markets of the Internet of Things (IoT) will grow to about $520B in 2021, more than double the $235B spent in 2017.
Evolving IoT Landscape
Why Focus on RF Security
Source: Mr. Robot Series
Inside the radio wave spectrum?
[Figure: spectrum chart from 3 kHz to 5 GHz with bands labelled AM Radio, Broadcast TV, Garage Door Openers, Door Openers, Auctioned Spectrum, Cell Phones, Global Positioning System, Wireless Medical Telemetry, GSM Network, Satellite Radio, Weather Radar, Cable TV Satellite Transmissions, Highway Toll Tags, 5 GHz WiFi Network, Security Alarms]
2.4 GHz band: used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth).
Most of the white area of this band is reserved for military, federal government and industry use.
PHY LAYER
● Lowest layer in communication stack
● In wired protocols: voltage, timing, and wiring define 1s and 0s
● In wireless: patterns of energy being sent over the RF medium
Option A: a Vector Signal Analyzer
1. Your budget may not allow you to buy one of these
2. Using a single well-equipped device measuring one location at a time
Option B: SDR + single board computer
1. 20 of these (SDR + single board computer)
2. A network of configurable low-cost sensors spread over a wide geographical area
Why SDRs?
Source: Google Image. Credit: Peter Mathys
Hardwares and Softwares
Source: Google Images
● All radio H/W implemented in S/W.
● SDR can be used as a VSA when connected to a computer
● Implementation on PC or on embedded systems
● Higher-end SDRs have FPGAs for on-board DSP
● Most signal processing and all display functions take place in an external computer, e.g., using GNU Radio
● Shuttles RF I/Q samples to DSP or host
SDR as Spectrum Analyzers
Source: Google Image. Credit: Peter Mathys
RF in IoT World
Initial Profiling of our device
● What does our device do in normal operation?
● How do they connect?
● Determining the frequency?
1. Frequency, Time, Power
2. Waveform, Spreading/Hopping, Jamming
3. Error-correction, Encoding, Encryption
What to consider?
Credit: Dr. Adam L. Anderson
Types of RF Attacks
Wardriving
Wardriving is a type of sniffing that refers to discovering non-802.11 RF networks. Example: the KillerBee 802.15.4 framework.
Replay Attacks
Involve retransmitting a previously captured raw PHY-layer payload, or synthesising a new frame based on decoded data.
Sniffing
The passive observation of wireless network traffic, noteworthy because the wireless domain enables truly promiscuous sniffing with no direct physical access.
Jamming
Can be conducted by transmitting noise within the target network’s RF channel with sufficient bandwidth and power.
Evil-twins Attack
Standing up a decoy device or rogue access point that mimics trusted infrastructure, so that victims are tricked into connecting to it.
Matt Knight and Marc Newlin
RF Attack Methodology
Steps to follow
1. Information Gathering: Target Device, Type of Modulation, Type of Coding/Decoding, Type of encryption
2. Analysis and confirmation: Frequency/Time domain, Signal Monitoring
3. Capture and replay: Using SDR and GNU Radio
4. Replaying and attack: Using Arduino
Information Gathering
● Brennenstuhl RCS 1000 N / GB Comfort Remote control set
○ 433.925 MHz
○ Costs below $20
○ Task - Replay Attack
Source: Google Image
What is your Target Device?
Features (RF IC Datasheet)
● Part Number: HX2262
● Function: Remote Control Encoder IC
● Package: DIP 18 Pin
● Manufacturer: HX
● CMOS Technology
● Low Power Consumption
● Very High Noise Immunity
● Up to 12 Tri-State Code Address Pins
● Up to 6 Data Pins
● Wide Range of Operating Voltage: Vcc = 4 ~ 15 Volts
● Single Resistor Oscillator
● Latch or Momentary Output Type
Technical Data (remote control set)
● Operating voltage 240 VAC 50 Hz, British standard
● Switching voltage 240 VAC 4,17 A
● Socket switch switching power max. 1000 W
● Radio signal range max. 15 m
● Operating frequency 433.92 MHz
● Ambient temperature 0°C to 35°C
● Storage temperature -40°C to 70°C
● Battery 12 V, type A 23
● Setting a radio channel on the remote control
● Setting a radio channel on the socket switch

Control Key | DIP switch 6 | 7   | 8   | 9   | 10
A           | ON           | OFF | OFF | OFF | OFF
B           | OFF          | ON  | OFF | OFF | OFF
C           | OFF          | OFF | ON  | OFF | OFF
D           | OFF          | OFF | OFF | ON  | OFF

Code Word: 9 Address Bits (A0–A8), 3 Data Bits (A9–A11), Sync. Bit
A0 A1 A2 A3 A4 A5 A6 A7 A8 | A9 A10 A11 | SYNC. BIT
Device Overview
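To make the code-word slide concrete, here is an added example (not code from the talk or from the Brennenstuhl/HX documentation) that models the HX2262-style OOK code word as pulse pairs and decodes a captured pulse train back into the 9 address + 3 data symbols; the pulse convention (0 = two short pulses, 1 = two long pulses, F = short then long), the clock-unit widths and the sample word are all assumptions.

```python
# Added example (not from the slides): an HX2262/PT2262-style OOK code word model and
# a decoder for captured pulse trains. Assumed: 0 = two short pulses, 1 = two long
# pulses, F = short then long; widths in oscillator-clock units.

SHORT, LONG = 1, 3      # high-time of a short/long pulse (assumed units)
SYNC_LOW = 31           # sync bit: short high followed by a long low (assumed)

# One tri-state symbol is sent as two pulses; a pulse is (high_units, low_units).
SYMBOL_PULSES = {
    "0": ((SHORT, LONG), (SHORT, LONG)),
    "1": ((LONG, SHORT), (LONG, SHORT)),
    "F": ((SHORT, LONG), (LONG, SHORT)),
}
PULSES_TO_SYMBOL = {v: k for k, v in SYMBOL_PULSES.items()}

def encode(word):
    """12 tri-state symbols (A0..A11) -> list of (high, low) pulses ending in sync."""
    if len(word) != 12 or set(word) - set("01F"):
        raise ValueError("code word must be 12 symbols from 0/1/F")
    pulses = [p for s in word for p in SYMBOL_PULSES[s]]
    pulses.append((SHORT, SYNC_LOW))
    return pulses

def classify(pulse):
    """Snap a measured pulse to the ideal short or long shape (tolerates jitter)."""
    high, low = pulse
    return (SHORT, LONG) if high < low else (LONG, SHORT)

def decode(pulses):
    """Locate the sync gap in a capture and decode the 24 pulses before it.
    Returns (9 address symbols, 3 data symbols) per the slide's split, or None."""
    for i, (_high, low) in enumerate(pulses):
        if low >= SYNC_LOW * 0.8 and i >= 24:          # the only very long low
            frame = pulses[i - 24:i]
            word = "".join(PULSES_TO_SYMBOL[(classify(a), classify(b))]
                           for a, b in zip(frame[0::2], frame[1::2]))
            return word[:9], word[9:]
    return None

def is_fixed_code(frames):
    """True when every captured frame decodes identically: no counter or nonce,
    so a recording can be played back. That is the property the replay demo relies on."""
    return len({decode(f) for f in frames}) == 1

if __name__ == "__main__":
    word = "0F0F0FFF0" + "0F1"                # constructed: 9 address + 3 data symbols
    press1 = encode(word)
    press2 = [(h * 1.1, l * 0.9) for h, l in press1]   # same button, jittered timing
    print(decode(press1), is_fixed_code([press1, press2]))
```

Feeding `is_fixed_code` several captures of the same button is a quick way to confirm, during the Information Gathering step, that a device has no freshness in its frames.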
Analysis & Confirmation
Frequency Domain Time Domain
Use a spectrum analyzer/SDR
Gqrx:
Modulation
● Defines how the carrier wave is modified to encode the bits we are transmitting
● Representing digital data as variations in the carrier wave
● ASK/OOK - on off keying
Source: Attify
Capturing & Replaying using GNUradio
Switch Demo:
Replay Attack using ARDUINO
433 MHz RF Transmitter and Receiver Module
Receiver
• Voltage: 5.0VDC +0.5V
• Current: ≤5.5mA max
• Modulation mode: OOK/ASK
• Working frequency: 433.92MHz
• Bandwidth: 2MHz
• Sensitivity: exceeds –100dBm (50Ω)
Transmitter
• Voltage: 3V – 12V
• Current: max less than 40mA, min 9mA
• Modulation mode: ASK
• Working frequency: 433.92MHz
• Resonance mode: (SAW)
• Transmission power: 25mW
• Frequency error: +150kHz (max)
• Velocity: less than 10Kbps
• Transmission range: 90m (in open space)
Parts Required
• Arduino UNO or Arduino MEGA
• 433 MHz RF Remote controlled sockets
• 433 MHz transmitter/receiver
• Breadboard and Jumper wires
Receiver (Rx) Transmitter (Tx)
https://randomnerdtutorials.com/decode-and-send-433-mhz-rf-signals-with-arduino/
Decode and Send 433 MHz RF Signals using Arduino
Receive, Decode and Transmit
Car Key Fob Attack Demo
Case Study: Car RKE
● Relay hack by Qihoo 360, with a pair of gadgets for just $22. (Passive RKE)
● RollJam device by Samy Kamkar, to steal secret codes from the key. (Two-way RKE)
Possible Prevention for Passive RKE
● Requiring a timing constraint in the call-and-response communication between car and key.
● Keep your keys in a Faraday bag that blocks radio transmissions.
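The timing-constraint prevention above, as an added simulation (not the talk's code and not any vehicle's real protocol): the car issues a fresh nonce, the key answers with an HMAC, and the car additionally rejects answers that arrive later than a key within a few metres could possibly reply. The shared secret, the key processing time, the 2 m policy and the relay latency are constructed values.

```python
import hmac, hashlib, os

C = 299_792_458.0             # speed of light, m/s
KEY_PROCESSING_NS = 2_000.0   # assumed: fixed time a genuine key needs to answer
MAX_KEY_DISTANCE_M = 2.0      # assumed policy: unlock only if the key is this close

def round_trip_bound_ns(max_distance_m=MAX_KEY_DISTANCE_M, slack_ns=100.0):
    """Slowest reply a key within max_distance_m can legitimately produce."""
    return 2 * max_distance_m / C * 1e9 + KEY_PROCESSING_NS + slack_ns

class Key:
    def __init__(self, secret):
        self.secret = secret
    def respond(self, nonce):
        # The key is cryptographically honest: a relay forwards the real answer.
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

class Car:
    def __init__(self, secret, enforce_timing=True):
        self.secret, self.enforce_timing = secret, enforce_timing
    def challenge(self):
        return os.urandom(16)          # fresh nonce per attempt, so a replay fails too
    def accept(self, nonce, response, measured_ns):
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False               # wrong key
        if self.enforce_timing and measured_ns > round_trip_bound_ns():
            return False               # answer arrived too late: relayed
        return True

def exchange(car, key, key_distance_m, relay_delay_ns=0.0):
    """One unlock attempt; relay_delay_ns models the latency the relay gadgets add."""
    nonce = car.challenge()
    measured_ns = 2 * key_distance_m / C * 1e9 + KEY_PROCESSING_NS + relay_delay_ns
    return car.accept(nonce, key.respond(nonce), measured_ns)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    car, key = Car(secret), Key(secret)
    print(exchange(car, key, 1.0))                        # key in hand: True
    print(exchange(car, key, 30.0, relay_delay_ns=5000))  # relayed from 30 m: False
    print(exchange(Car(secret, enforce_timing=False), key, 30.0, 5000))  # no bound: True
```

The last line shows why the MAC alone does not help: the relayed answer is correct, and only the round-trip bound exposes the extra distance and relay latency.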
Replay Attack on Smart Switch (Light/Fan) Demo
Internet of Radio Vulnerabilities
Rogue Cell Towers: Used to hijack cell phone connections, and to break 2-factor authentication to listen to calls and read texts.
Rogue Wi-Fi Hotspots: Impersonate legitimate Wi-Fi networks, and might be used for MITM attacks to sniff network traffic and steal credentials.
Unapproved IoT Emitters: Sensors often have multiple data radios; 802.11 is known, but what if they are also transmitting on other frequencies like Zigbee or LoRa?
Vulnerable Wireless Devices: Low-end keyboard/mouse dongles can be exposed to RF attack through keystroke injection, which may expose the larger network to insider attacks.
Eavesdropping/Surveillance Devices: Voice activated FM & GSM, or other radio bugs.
Matt Knight and Marc Newlin
Privacy, Rules, and Regulations:
● Check FCC and ARRL Regulations:
○ FCC 97.313: An amateur station must use the minimum transmitter power necessary to carry out the desired communications.
○ No station may transmit with a transmitter power exceeding 1.5 kW PEP.
● Steps for Compliance for IoT Organisations:
○ Be aware of the data collected and processed.
○ Understand the functionality & implement consent.
○ Record everything to meet the requirements of the privacy act.
○ Be aware of privacy by design and by default.
References
▪ Symantec ITSR Report 2018
▪ OWASP
▪ Attify
▪ Google Images
▪ Peter Mathys, University of Colorado Boulder
▪ Dr. Adam L. Anderson, Oak Ridge National Lab
▪ Mr. Robot Series
▪ Marc Newlin and Matt Knight
▪ Balint Seeber
▪ Michael Ossmann
▪ Samy Kamkar
▪ https://ieeexplore.ieee.org/abstract/document/7226706/figures#figures
▪ https://randomnerdtutorials.com/decode-and-send-433-mhz-rf-signals-with-arduino/
Harshit Agrawal
@harshitnic
Xen1th MT Lab
Thank You..!
Himanshu Mehta
@LionHeartRoxx