Software Defined Radios: Hacking the Invisible - Davide Papini - Codemotion Rome 2018
1 like426 views
The document discusses software-defined radios (SDRs), emphasizing their applications in various areas such as telecommunications, GPS spoofing, and tracking. It features demonstrations of hacking techniques, including radio mic manipulation and drone interception, highlighting the versatility and risks associated with SDR technology. The presenters, Davide Papini and Daniele Provenziani, outline the technical specifications, various hardware options, and related spectrum basics.
Software Defined Radios: Hacking the Invisible - Davide Papini - Codemotion Rome 2018
- 1. Software Defined Radios: Hacking the Invisible Davide Papini Daniele Provenziani ROME - APRIL 13/14 2018
- 2. Who We Are • Davide Papini, Cyber Security researcher: • R&D Elettronica S.p.a. • PostDoc at Royal Holoway University of London • PhD at Technical University of Denmark • Daniele Provenziani, System Engineer: • EW COMM Elettronica S.p.a. • Solid Background in COMM ES and EA System • M.S. degree in Telecommunication Engineer at Tor Vergata University of Roma
- 3. Agenda • What are SDR • Applications (e.g. GSM, AIS, ADSB etc) • Hardware • Spectrum Background Demo Time • Mangling with radio mics • Spoofing GPS • Looking at Drones • Hacking remote controls
- 4. What are SDR • RF signal is directly digitalized at BaseBand • Processing is done in Software (digital and analog modulations). • Simple RF management e.g. sample rate, bandwidth, gain. • Easy prototyping (everything is SW)
- 5. SDR usages • Mobile e.g. 2G/3G/4G sniffing and BTS • Radio Broadcasting • GPS spoofing • Ship and Aircraft tracking • Radar • Direction Finding • Drone Detection and Interception • …Only your imagination can stop you…
- 6. Back in 2013: AIS Spoofing • New/Existing Ships Position Spoofing • Allows for false impact alerts • Can deceive authorities in finding target ship locations • Man-in-water spoofing • Distress beacon • SART (S.O.S.) alerts • Induces target ship to sail into hostile waters • Frequency Hopping DoS: • Induces target to change AIS frequency thus disappearing from legitimate systems Balduzzi et al @ Blackhat 2013
- 7. HW • Ettus Bus and Networked Series • Winradio • Nuand Blade RF • HackRF • PlutoRF • RTL-SDR Different specs: • Freq (30MHz-6GHz) • ADC resolution (8,12,14,16 bit) • Bandwidth (2MHz – 120 MHz) • Number of Channels
- 8. Spectrum Basics LTE BW = 20MHz
- 9. Spectrum Basics GSM BW = 200KHz
- 10. Demo Time • B210 • 2 TXRX, 2 RX channels • 56 MHz Bandwidth • 70MHz – 6GHz Frequency • N210 • 1 TXRX, 1 RX channel • 50 MHz Bandwidth • DC – 6GHz • Larger FPGA with RFNOC support (applications up to 100 MSps)
- 12. GPS Background
- 13. GPS Ephemeris • Each Satellite transmits its own navigational status • It transmits also the almanac: the status of the entire network • Need to know the ephemeris if you want to spoof a credible signal.
- 14. Looking at Drones LIVE DEMO
- 15. DRONE backgroud Remote Control (Uplink) Telemetry, Video data (Downlink) FPV Goggles FPV and Telemetry OSD
- 16. DRONE Remote Control RF Analisys RC Frequency Hopping Drone Video Streaming FSK modulation
- 17. DRONE RC Digital Modulation e.g. FSK Preamble SFD Payload (RC data/Telemetry Data) CRC
- 19. Wrapping up Q & A