RF Hacking with Software-Defined Radio

REGISTRATION CLOSED

DATE: 22-24 August 2022

TIME: 09:00-17:00 SGT/GMT +8

Agenda

Day 1

Introduction toolkits to develop Software-Defined Radio tools like GNU Radio and other alternatives such as Pothos, Redhawk SDR, or MATLAB and Simulink.
During this day we will mainly focus on GNU Radio by introducing the toolkit, the flowgraph concepts, the components, and how to use the different blocks in practice to build several tools

Objective:

• Simulate a signal and transmit it in the air.
• Capture, demodulate and decode a signal.
• Optimize processing.
• Create your own blocks.

Theory
Assignments 1

• Few reminding’s of radio and SDR
• Extended introduction of GNU Radio and its alternatives (RedhawkSDR, Pothos, etc.)
• Practice with GNU Radio Companion
  – Block schemas o Parameters
  – Generators
  – Sinks and sources
  – Operators
  – Simulations
  – Modules
  – Features to process samples

Assignment 2

• Radio Frequency Spectrum
• Country Radio Spectrum
• Celluar Network Radio Spectrum
• RF Spectrum Analyzers

Assignment 3

• Creating a FM/AM station
• Sending the signal over-the-air
• Listening to this station

Assignment 4

• Creating a custom signal to send a message
• Simulating the custom signal
• Sending the signal over-the-air

Day 2

Starting day 2, attendees will have the opportunity to see and exploit vulnerabilities in several RF devices and discover the security features and ways to circumvent them.We will see in practice how to attack physical intrusions systems such as alarms, intercoms and access control systems that use RF technologies such as sub-GHz, cellular, and RFID. Attendees will have the opportunity to learn techniques that could be used in Red Team contexts and get our feedback from our previous tests.

Theory

• Introduction to physical intrusion systems
• Introduction to mobile security
• Introduction to RFID security
• Common flaws in current technologies
• Security mechanisms and ways to defeat them
• How to improve security of communication systems in different cases
• Our feedbacks and tips during missions and red team tests

Assignment 1

• Attacking a Car Key Fob:
  – Capturing data
  – Replaying saved samples
  – Analyzing samples (manually and with powerful tools)
  – Rolling codes security

Assignment 2

• GPS spoofing objective
• Overview of GNSS and GPS frequency Information
• GPS Spoofing Hands-On
• GPS Spoofing Attack Analysis

Assignment 3

• RF Jamming Concept
• Signal Distrupt by transmitting Noise
• GNSS Signal Jamming
• Iran US RQ-170 Incident at UN Discuss

Assignment 4

• ADS-B Signal Decoding
• ADS-B OUT Signal Deception Concept
• Threat analysis of plane and Airport Security
• ADS-B Encoder and Live Signal Decept
• Tons of Plane Data Generate and Transmit

Day 3

Focusing on attacking custom RF devices but also devices used in industrial systems using technologies such as the LoRa, Power-Line Communications, ZigBee, and how to manage to do testbeds many current technologies. We will also introduce devices that could act like unexpected implants and ways to analyse them. Then we will finish with an introduction to hardware hacking that could be complementary to RF hacking by talking about survival and practical reflexes, as well as methods to interface with hardware.

Theory:

• Radio communications used in industrial environments
• Introduction of nRF based devices and common attacks
• Hardware Hacking
  – Introduction and how it could be complementary o Survival and practical reflexes
  – Cheap tools and tricks
  – Radio prototyping arsenal for red team tests

Assignment 1

• Attacking unknown/custom devices
  – Identification (looking at devices’ references, components, etc.)
  – Sniffing signals
  – Decoding signals

Assignment 2

• Attacking nRF devices
  – Analyzing nRF bases devices with GNU Radio like mousses, keyboards, and presenters
  – Capturing strokes
  – Hijacking vulnerable devices o Turn them to implants

Assignment 3

• IoT Device Temperature Sensors Decoding
• IoT DeVice Temperature Spoofing
• Discussion of Impact in Industrial Control System

Assignment 4:

• Guide a vehicle to False Destination Theory
• Create a Driving Flying Scenario and NMEA Concept
• Generate NMEA file
• Driving or Flying at any height at any speed
• Transmit GPS Spoofing Data in Dynamic mode

Assignment 5:

• Security Analysis of TPMS
• Capture and Decode TPMS Packets
• Sending TPMS Forged Packets
• Pseudo TPMS Transmitter