Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Automatic Modulation Parameter Detection In Practice
Johannes Pohl and Andreas Noack
November 28, 2019
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Proprietary wireless protocols everywhere
Example: Smart HomeIncrease comfort of users through wirelesssockets, door locks, valve sensors . . .Devices are designed under size and energyconstraintsLimited resources for cryptography
Risks of Smart HomeManufactures design custom proprietary wireless protocolsHackers may take over households and, e.g., break in without physical traces
How can we speed up the security investigation of proprietary wireless protocols?
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 2
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Software Defined Radio
Why Software Defined Radios?Send and receive on nearly arbitrary frequenciesa
Flexibility and extendability with custom softwareae.g. HackRF: 1 MHz to 6 GHz
(a) USRP N210 (b) HackRF
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 3
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Universal Radio Hacker
Interpretation
Analysis
101010
Generation
Stateless
Format
Simulation
Stateful
Format
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 4
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Universal Radio Hacker Popularity
Supported PlatformsWindows q, Linux ± and OS X
Most starred repo on GitHub with#sdr tag
Available at official linux repositoriesURH is available in official repositories of ArchLinux, Gentoo, Void Linux, Fedora andopenSUSE (and homebrew for macOS).
PublicationsDeepSec 2018 [1]Blackhat Arsenal USA 2017 [2]Blackhat Arsenal Europe 2018 [3]WOOT 2018 (USENIX Workshop) [5]IoT S&P 2017 (CCS Workshop) [6]
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 5
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Digital Modulations
So what is a digital modulation?Mapping the binary data, i.e. bits, toa analog carrier to transport thesignal over the airAnalog signal has the formA · sin(2πFt + ϕ)We can transport information inamplitude A, frequency F or phase ϕ
Amplitude Shift Keying (ASK)Frequency Shift Keying (FSK)Phase Shift Keying (PSK)
1 0 1 0 0Bits
+
Carrier
ASK
FSK
PSK
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 6
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Interpretation in URHDemodulating signals made easy
Interpretation Phase Features (apart from demodulation)Synchronized selection between demodulated and raw signalSignal Editor, that is, copy, paste, crop, mute signal selectionsConfigurable moving average and bandpass filters
How can we make this even simpler? Automatically detect modulation parameters!
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 7
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Visualization of ParametersFor all plots: x axis represents current sample
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000−1
01 Tnoise
−Tnoise
A
0 200 400 600 800 1,000 1,200 1,400 1,600−1
01
A
0 200 400 600 800 1,000 1,200 1,400 1,6000.10.20.3
centerBit lengthIn
st.F
req.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 8
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Detecting Modulation ParametersAutomatic detection of modulation type and parameters in Interpretation
IQ Signal
Noise leveldetection
MessageSegmen-
tation
ModulationDetection
QuadratureDemod-ulation
CenterDetection
Bit LengthDetection
Tnoise Non-weaksegments
M
Rectangularsignal
center
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 9
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Noise Level Detection
Finding the noise level Tnoise of a signal is the basis for message segmentation andworks the following way:
1 Divide the signal into equal sized chunks Ci .2 For each chunk, calculate the mean magnitude mi = |Ci |.3 Get minimum mean magnitude mmin = min {mi : ∀i}.4 Pick magnitudes of chunks those mean magnitudes do not exceed mmin by 10%:
Mnoise = {|Cj | ,mj < 1.1 ·mmin}
Finally, the noise level Tnoise is returned as the maximum of Mnoise, to cover the fullnoise range.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 10
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Message Segmentation: Separate Messages from Noise
Message Segmentation AlgorithmBased on noise level Tnoise from previous stepMust be robust against outliersUse two internal states: snoise – reading noise, smsg – reading message.Switch states only if consequent samples above/below noise (ca/cb) surpass athreshold to (=outlier tolerance). In practice, to = 10 samples performs well.
snoise smsg
ca ≥ to
cb ≥ to
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 11
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Modulation Detection with help of Wavelet Transform
0 500 1,000
345
τ
|HW
T|
(a) 2-FSK
0 500 1,000
68
τ
|HW
T|
(b) 2-ASK
0 500 1,000
9.5
10
τ
|HW
T|
(c) 2-PSK
0 500 1,000
345
τ
|HW
T|
(d) Normalized 2-FSK
0 500 1,0009.249.259.269.27
τ
|HW
T|
(e) Normalized 2-ASK
0 500 1,000
9.5
10
τ
|HW
T|
(f) Normalized 2-PSK
Figure: Wavelet transforms for FSK/ASK/PSK signals and their amplitude normalized versionsNovember 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 12
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Modulation Detection: Feature Extraction
Signal
Signalnormalization |HWT|
|HWT|
Median filter
Median filter
Variance σ21
Variance σ22
Variance σ23
Variance σ24
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 13
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Modulation Detection: Decision Tree
σ2i < 0.15∀i
OOK
yes
σ22 > 1.5 · σ2
4
σ22 > 10 · σ2
1
Pass FFTcheck
OOK
no
FSKyesno
PSK
yesno
ASK
yes
no
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 14
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Center Detection: Take mean of histogram peaks
0 200 400 600 800 1,000 1,200 1,400 1,600−1
01
Sample
A
(a) 2-FSK modulated message
0 500 1,000 1,5000.1
0.150.2
0.25
Sample
Inst
.Fre
q.
(b) Rectangular signal R(n) after Quad Demod
0.1 0.15 0.2 0.250
50100
c = 0.125+0.252
Instantaneous Frequency
Coun
t(c) Histogram of R(n) with two peaks
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 15
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Bit-Length and Tolerance Detection
How to determine the Bit-Length?Count subsequent samples above/below found center ⇒ plateau lengths vectorIn theory, vector only contains multiples of bit-length; but: interrupted by outliersSet tolerance to maximum of values smaller than 5% of maximum plateau lengthMerge plateaus based on found tolerance like this:
(200︸︷︷︸Hi, 53︸︷︷︸
Lo, 3︸︷︷︸
Hi, 44︸︷︷︸
Lo, 100︸︷︷︸
Hi)→ (200︸︷︷︸
Hi, 100︸︷︷︸
Lo, 200︸︷︷︸
Hi)
Count how often each plateau length nearly divides other lengths, e.g., for(40, 40, 40, 40, 40, 30, 50, 30, 90, 40, 40, 80, 160, 30, 50, 30) the counts areNnear = {30 : 10, 40 : 35, 50 : 3, 80 : 2} so bit-length is 40 (most frequent)
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 16
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Evaluation with real-world signals
# Manufacturer Description Mod. Samplerate SNR Bitlen #Msgs ∅ Length1 Action remote (four but-
tons) for a LED lightOOK 2MS/s 10.8 dB 500 19 11.95Byte
2 Audi car open command OOK 5MS/s 25.8 dB 2400 1 106Byte3 Unknown command to sink a
bus bollardOOK 1MS/s 18.9 dB 300 17 5Byte
4 Brennenstuhl wireless socket re-mote (four buttons)
OOK 1MS/s 11.7 dB 300 64 13Byte
5 Elektromaten open command forparking gate
OOK 2MS/s 16.2 dB 600 11 17Byte
6 ESaver remote (four but-tons) for a wirelesssocket
2-FSK 1MS/s 28.3 dB 100 12 42Byte
7 RWE pairing command ofa wireless socket
2-FSK 1MS/s 12.7 dB 100 18 27.17Byte
8 Scislo garage door opencommand
2-FSK 500 kS/s 14.6 dB 200 8 64.75Byte
9 Volkswagen car open command OOK 1MS/s 32.3 dB 2500 1 53Byte10 Xavax radiator valve tem-
perature command2-FSK 1MS/s 21.8 dB 100 6 231.5Byte
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 17
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Results when additional noise is added
0 20 40 60 80 100
0
20
40
60
80
100
Amplitude of additional noise relative to average signal power in %
Accuracy
in%
1 – action2 – audi3 – audi4 – bollard5 – brennenstuhl6 – elektromaten7 – esaver8 – scislo9 – vw10 – xavax
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 18
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Why does the accuracy of Xavax (Signal #10) drop so early?
(a) Original signal, no additional noise added
(b) Noise with 20% amplitude of mean signal power added
Figure: Reason for accuracy drop of signal #10: The two weaker messages get marked as noisewhen noise with 20% amplitude of mean signal power added is added.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 19
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Setup
CCU door lock remote control
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 20
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Use-case: Attacking a Wireless Door Lock
central (CCU) door lock remote control
Pairing
AES-Key AES-Key
OPEN Command
Challenge
ResponseAES-Key(Challenge)
ACKnew device
AES-Key
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 21
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Adapting parameters live during a recording
MotivationParameters like center and noise level can change between recordings (varyingpower levels of devices, changed distances, different antennas)Attacking stateful protocols: Messages need to be demodulated liveAvoid annoying record-analyze-adjust cycles
We have to update noise level and center based on continuously received chunks CR .
Adaptive Noise Level for received chunk CR
Tnoise ={0.9 · Tnoise + 0.1 ·max |CR | if |CR | < TnoiseTnoise else
Automatic CenterOnce full message inreceive buffer: performCenter Detection fromslide 15.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 22
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Configuring it in the Universal Radio Hacker
Automatic Parameter EstimationNoise and Center will be adaptedlive during simulation timeBoth parameters do not need tobe manually changed when usinga different SDR or antennaExperimental validation provedthat setting these parametersautomatically is as successful assetting them manually to thecorrect value
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 23
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Performance measurement
Why performance matters?Devices have time windows inwhich they expect a responseTime window here: 200msIn this time window, we needto demodulate Challengeand, additionally, calculateand modulate correctResponse
Tested on PC with [email protected] and 16GB RAM 0 20 40 60 80 100
10−6
10−5
10−4
10−3
10−219 ms
6 ms
25 ms
191 µs 179 µs
Timestamp
Tim
ein
seco
nds
Adaptive noiseAutomatic center
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 24
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Result of Interpretation for a typical signal
A lot of datato analyze!
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 26
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Example Protocol: Communication between two Smart Home Devices
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 27
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Example Protocol after hitting the Analyze Protocol Button
Published at USENIX WOOT 2019 [4]
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 28
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Conclusion
Contribute a multipart system that detects modulation parameters (modulationtype, noise level, center, bit-length and tolerance) of a wireless signalEach parameter is returned so it can be fine-tuned afterwards, if neededSpeed up security investigations and lower hurdle for wireless hacking beginnersAimed at proprietary protocols with unknown modulation parameters operating onfrequencies such as 433.92MHz or 868.3MHz usually using binary modulationsBasis for future automations such as automatic protocol field inferenceFuture work is support for higher order modulations
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 29
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
� https://github.com/jopohl/urh/releases ± q
ContactE-Mail: [email protected]: [email protected]: https://bit.ly/2LGpsraGitHub: https://github.com/jopohl
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 30
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
Publications I
[1] Johannes Pohl. “Attacking Internet of Things with Software Defined Radio (Workshop)”. In: DeepSec(2018).
[2] Johannes Pohl. “Universal Radio Hacker: Investigate wireless protocols like a boss”. In: Blackhat ArsenalUSA (2017).
[3] Johannes Pohl. “Universal Radio Hacker v2: Simulate Wireless Devices with Software Defined Radio”. In:Blackhat Arsenal Europe (2018).
[4] Johannes Pohl and Andreas Noack. “Automatic Wireless Protocol Reverse Engineering”. In: 13thUSENIX Workshop on Offensive Technologies (WOOT 19). Santa Clara, CA: USENIX Association, Aug.2019. url: https://www.usenix.org/conference/woot19/presentation/pohl.
[5] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Analyzing and Attacking StatefulWireless Protocols”. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD:USENIX Association, 2018. url: https://www.usenix.org/conference/woot18/presentation/pohl.
[6] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Wireless Protocol Analysis”. In:Proceedings of the 2017 Workshop on Internet of Things Security and Privacy (CCS). Dallas, Texas,USA: ACM, 2017, pp. 59–60. doi: 10.1145/3139937.3139951.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 31