AutomaticModulationParameterDetectionInPractice › docs › Slides › 2019 › ROOTs › Automatic... · 2019-12-21 · Introduction AutomatetheInterpretation ExperimentalValidation

Automatic Modulation Parameter Detection In Practice

Johannes Pohl and Andreas Noack

November 28, 2019

Introduction Automate the Interpretation Experimental Validation Going live Further Steps References

Proprietary wireless protocols everywhere

Example: Smart HomeIncrease comfort of users through wirelesssockets, door locks, valve sensors . . .Devices are designed under size and energyconstraintsLimited resources for cryptography

Risks of Smart HomeManufactures design custom proprietary wireless protocolsHackers may take over households and, e.g., break in without physical traces

How can we speed up the security investigation of proprietary wireless protocols?

November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 2


Software Defined Radio

Why Software Defined Radios?Send and receive on nearly arbitrary frequenciesa

Flexibility and extendability with custom softwareae.g. HackRF: 1 MHz to 6 GHz

(a) USRP N210 (b) HackRF



Universal Radio Hacker

Interpretation

Analysis

101010

Generation

Stateless

Format

Simulation

Stateful

Format



Universal Radio Hacker Popularity

Supported PlatformsWindows q, Linux ± and OS X

Most starred repo on GitHub with#sdr tag

Available at official linux repositoriesURH is available in official repositories of ArchLinux, Gentoo, Void Linux, Fedora andopenSUSE (and homebrew for macOS).

PublicationsDeepSec 2018 [1]Blackhat Arsenal USA 2017 [2]Blackhat Arsenal Europe 2018 [3]WOOT 2018 (USENIX Workshop) [5]IoT S&P 2017 (CCS Workshop) [6]



Digital Modulations

So what is a digital modulation?Mapping the binary data, i.e. bits, toa analog carrier to transport thesignal over the airAnalog signal has the formA · sin(2πFt + ϕ)We can transport information inamplitude A, frequency F or phase ϕ

Amplitude Shift Keying (ASK)Frequency Shift Keying (FSK)Phase Shift Keying (PSK)

1 0 1 0 0Bits

+

Carrier

ASK

FSK

PSK



Interpretation in URHDemodulating signals made easy

Interpretation Phase Features (apart from demodulation)Synchronized selection between demodulated and raw signalSignal Editor, that is, copy, paste, crop, mute signal selectionsConfigurable moving average and bandpass filters

How can we make this even simpler? Automatically detect modulation parameters!



Visualization of ParametersFor all plots: x axis represents current sample

0 1,000 2,000 3,000 4,000 5,000 6,000 7,000−1

01 Tnoise

−Tnoise

A

0 200 400 600 800 1,000 1,200 1,400 1,600−1

01

A

0 200 400 600 800 1,000 1,200 1,400 1,6000.10.20.3

centerBit lengthIn

st.F

req.



Detecting Modulation ParametersAutomatic detection of modulation type and parameters in Interpretation

IQ Signal

Noise leveldetection

MessageSegmen-

tation

ModulationDetection

QuadratureDemod-ulation

CenterDetection

Bit LengthDetection

Tnoise Non-weaksegments

M

Rectangularsignal

center



Noise Level Detection

Finding the noise level Tnoise of a signal is the basis for message segmentation andworks the following way:

1 Divide the signal into equal sized chunks Ci .2 For each chunk, calculate the mean magnitude mi = |Ci |.3 Get minimum mean magnitude mmin = min {mi : ∀i}.4 Pick magnitudes of chunks those mean magnitudes do not exceed mmin by 10%:

Mnoise = {|Cj | ,mj < 1.1 ·mmin}

Finally, the noise level Tnoise is returned as the maximum of Mnoise, to cover the fullnoise range.



Message Segmentation: Separate Messages from Noise

Message Segmentation AlgorithmBased on noise level Tnoise from previous stepMust be robust against outliersUse two internal states: snoise – reading noise, smsg – reading message.Switch states only if consequent samples above/below noise (ca/cb) surpass athreshold to (=outlier tolerance). In practice, to = 10 samples performs well.

snoise smsg

ca ≥ to

cb ≥ to



Modulation Detection with help of Wavelet Transform

0 500 1,000

345

τ

|HW

T|

(a) 2-FSK

0 500 1,000

68

τ

|HW

T|

(b) 2-ASK

0 500 1,000

9.5

10

τ

|HW

T|

(c) 2-PSK

0 500 1,000

345

τ

|HW

T|

(d) Normalized 2-FSK

0 500 1,0009.249.259.269.27

τ

|HW

T|

(e) Normalized 2-ASK

0 500 1,000

9.5

10

τ

|HW

T|

(f) Normalized 2-PSK

Figure: Wavelet transforms for FSK/ASK/PSK signals and their amplitude normalized versionsNovember 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 12


Modulation Detection: Feature Extraction

Signal

Signalnormalization |HWT|

|HWT|

Median filter

Median filter

Variance σ21

Variance σ22

Variance σ23

Variance σ24



Modulation Detection: Decision Tree

σ2i < 0.15∀i

OOK

yes

σ22 > 1.5 · σ2

4

σ22 > 10 · σ2

1

Pass FFTcheck

OOK

no

FSKyesno

PSK

yesno

ASK

yes

no



Center Detection: Take mean of histogram peaks

0 200 400 600 800 1,000 1,200 1,400 1,600−1

01

Sample

A

(a) 2-FSK modulated message

0 500 1,000 1,5000.1

0.150.2

0.25

Sample

Inst

.Fre

q.

(b) Rectangular signal R(n) after Quad Demod

0.1 0.15 0.2 0.250

50100

c = 0.125+0.252

Instantaneous Frequency

Coun

t(c) Histogram of R(n) with two peaks



Bit-Length and Tolerance Detection

How to determine the Bit-Length?Count subsequent samples above/below found center ⇒ plateau lengths vectorIn theory, vector only contains multiples of bit-length; but: interrupted by outliersSet tolerance to maximum of values smaller than 5% of maximum plateau lengthMerge plateaus based on found tolerance like this:

(200︸︷︷︸Hi, 53︸︷︷︸

Lo, 3︸︷︷︸

Hi, 44︸︷︷︸

Lo, 100︸︷︷︸

Hi)→ (200︸︷︷︸

Hi, 100︸︷︷︸

Lo, 200︸︷︷︸

Hi)

Count how often each plateau length nearly divides other lengths, e.g., for(40, 40, 40, 40, 40, 30, 50, 30, 90, 40, 40, 80, 160, 30, 50, 30) the counts areNnear = {30 : 10, 40 : 35, 50 : 3, 80 : 2} so bit-length is 40 (most frequent)



Evaluation with real-world signals

# Manufacturer Description Mod. Samplerate SNR Bitlen #Msgs ∅ Length1 Action remote (four but-

tons) for a LED lightOOK 2MS/s 10.8 dB 500 19 11.95Byte

2 Audi car open command OOK 5MS/s 25.8 dB 2400 1 106Byte3 Unknown command to sink a

bus bollardOOK 1MS/s 18.9 dB 300 17 5Byte

4 Brennenstuhl wireless socket re-mote (four buttons)

OOK 1MS/s 11.7 dB 300 64 13Byte

5 Elektromaten open command forparking gate

OOK 2MS/s 16.2 dB 600 11 17Byte

6 ESaver remote (four but-tons) for a wirelesssocket

2-FSK 1MS/s 28.3 dB 100 12 42Byte

7 RWE pairing command ofa wireless socket

2-FSK 1MS/s 12.7 dB 100 18 27.17Byte

8 Scislo garage door opencommand

2-FSK 500 kS/s 14.6 dB 200 8 64.75Byte

9 Volkswagen car open command OOK 1MS/s 32.3 dB 2500 1 53Byte10 Xavax radiator valve tem-

perature command2-FSK 1MS/s 21.8 dB 100 6 231.5Byte



Results when additional noise is added

0 20 40 60 80 100

0

20

40

60

80

100

Amplitude of additional noise relative to average signal power in %

Accuracy

in%

1 – action2 – audi3 – audi4 – bollard5 – brennenstuhl6 – elektromaten7 – esaver8 – scislo9 – vw10 – xavax



Why does the accuracy of Xavax (Signal #10) drop so early?

(a) Original signal, no additional noise added

(b) Noise with 20% amplitude of mean signal power added

Figure: Reason for accuracy drop of signal #10: The two weaker messages get marked as noisewhen noise with 20% amplitude of mean signal power added is added.



Setup

CCU door lock remote control



Use-case: Attacking a Wireless Door Lock

central (CCU) door lock remote control

Pairing

AES-Key AES-Key

OPEN Command

Challenge

ResponseAES-Key(Challenge)

ACKnew device

AES-Key



Adapting parameters live during a recording

MotivationParameters like center and noise level can change between recordings (varyingpower levels of devices, changed distances, different antennas)Attacking stateful protocols: Messages need to be demodulated liveAvoid annoying record-analyze-adjust cycles

We have to update noise level and center based on continuously received chunks CR .

Adaptive Noise Level for received chunk CR

Tnoise ={0.9 · Tnoise + 0.1 ·max |CR | if |CR | < TnoiseTnoise else

Automatic CenterOnce full message inreceive buffer: performCenter Detection fromslide 15.



Configuring it in the Universal Radio Hacker

Automatic Parameter EstimationNoise and Center will be adaptedlive during simulation timeBoth parameters do not need tobe manually changed when usinga different SDR or antennaExperimental validation provedthat setting these parametersautomatically is as successful assetting them manually to thecorrect value



Performance measurement

Why performance matters?Devices have time windows inwhich they expect a responseTime window here: 200msIn this time window, we needto demodulate Challengeand, additionally, calculateand modulate correctResponse

Tested on PC with [email protected] and 16GB RAM 0 20 40 60 80 100

10−6

10−5

10−4

10−3

10−219 ms

6 ms

25 ms

191 µs 179 µs

Timestamp

Tim

ein

seco

nds

Adaptive noiseAutomatic center



Result of Interpretation for a typical signal

A lot of datato analyze!



Example Protocol: Communication between two Smart Home Devices



Example Protocol after hitting the Analyze Protocol Button

Published at USENIX WOOT 2019 [4]



Conclusion

Contribute a multipart system that detects modulation parameters (modulationtype, noise level, center, bit-length and tolerance) of a wireless signalEach parameter is returned so it can be fine-tuned afterwards, if neededSpeed up security investigations and lower hurdle for wireless hacking beginnersAimed at proprietary protocols with unknown modulation parameters operating onfrequencies such as 433.92MHz or 868.3MHz usually using binary modulationsBasis for future automations such as automatic protocol field inferenceFuture work is support for higher order modulations



� https://github.com/jopohl/urh/releases ± q

ContactE-Mail: [email protected]: [email protected]: https://bit.ly/2LGpsraGitHub: https://github.com/jopohl


https://github.com/jopohl/urh/releases

[email protected]

[email protected]

https://bit.ly/2LGpsra

https://github.com/jopohl


Publications I

[1] Johannes Pohl. “Attacking Internet of Things with Software Defined Radio (Workshop)”. In: DeepSec(2018).

[2] Johannes Pohl. “Universal Radio Hacker: Investigate wireless protocols like a boss”. In: Blackhat ArsenalUSA (2017).

[3] Johannes Pohl. “Universal Radio Hacker v2: Simulate Wireless Devices with Software Defined Radio”. In:Blackhat Arsenal Europe (2018).

[4] Johannes Pohl and Andreas Noack. “Automatic Wireless Protocol Reverse Engineering”. In: 13thUSENIX Workshop on Offensive Technologies (WOOT 19). Santa Clara, CA: USENIX Association, Aug.2019. url: https://www.usenix.org/conference/woot19/presentation/pohl.

[5] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Analyzing and Attacking StatefulWireless Protocols”. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD:USENIX Association, 2018. url: https://www.usenix.org/conference/woot18/presentation/pohl.

[6] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Wireless Protocol Analysis”. In:Proceedings of the 2017 Workshop on Internet of Things Security and Privacy (CCS). Dallas, Texas,USA: ACM, 2017, pp. 59–60. doi: 10.1145/3139937.3139951.


https://www.usenix.org/conference/woot19/presentation/pohl

https://www.usenix.org/conference/woot18/presentation/pohl

https://doi.org/10.1145/3139937.3139951

Documents

AutomaticModulationParameterDetectionInPractice › docs › Slides › 2019 › ROOTs › Automatic... · 2019-12-21 · Introduction AutomatetheInterpretation ExperimentalValidation