Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Download as PPT, PDF3 likes2,364 views
The document discusses wireless security testing in the IoT era, emphasizing the use of Software Defined Radio (SDR) technology, particularly GNU Radio, for security analysis. It presents various wireless attack scenarios, including keylogging on wireless keyboards and replay attacks on the ADS-B system used in aviation. Key points include the necessity for secure wireless communication and the potential vulnerabilities in current technologies.
![Peripheral hardware (e.g.)
RTL-SDR HackRF BladeRF USRP
Frequency
range [MHz] 24-1800 1-6000 300-3800 70-6000
A/D convert
bits 8 8 12 12
Band range
[MHz] 2.8 20 28 56
Transfer /
Receive RX Tx | Rx Tx & Rx Tx & Rx
Price $20 $300 $420 $675
9](https://image.slidesharecdn.com/wirelesssecuritytestingwithattack-e-160317093824/85/Wireless-security-testing-with-attack-by-Keiichi-Horiai-CODE-BLUE-2015-9-320.jpg)
![Device ID detection
{ P.A. } { [p0] p[1] [p2] [p3] [p4]}
AA A9 33 E5 16 CE
10101010 10101001 00110011 11100101 00010110
11001110
{PktCTL Bit} 0A 78 1D 01
010000000 00001010 01111000 00011101 00000001
{ payload .......
0100111000011101101001100011001110101001111011100……
// From keysweeper_mcu_src https://github.com/samyk/keysweeper
if (radio.available())
{
radio.read(&p, PKT_SIZE);
if (p[4] == 0xCD) // 0xCD -> 0xCE for Japanese KBD
{
sp("Potential keyboard: ");
DEVICE ID
31](https://image.slidesharecdn.com/wirelesssecuritytestingwithattack-e-160317093824/85/Wireless-security-testing-with-attack-by-Keiichi-Horiai-CODE-BLUE-2015-31-320.jpg)
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
- 1. Keiichi Horiai Fujitsu System Integration LABs. CODE BLUE 2015 Wireless security testing with attack
- 2. Agenda Circumstance In the IoT (Internet of Things) era • key : Wireless Security • To analyze wireless security, SDR ( Software Defined Radio) technology is effective. Introduce GNU Radio, a SDR tool Powerful tool to test wireless security Easily available, work with inexpensive peripheral hardware Wireless security testing with attack Attack#1 Key logging wireless keyboard Attack#2 The replay attack for ADS-B2
- 3. Recent release of wireless security Abuse/Falsification of software and firmware Drone attack by malware and network • http://www.slideshare.net/codeblue_jp/cb14-dongcheol-hongja/ RF signal level interception/injection SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE • https://www.blackhat.com/docs/us-15/materials/us-15-Moore- Spread-Spectrum-Satcom-Hacking-Attacking-The-GlobalStar- Simplex-Data-Service.pdf Low-cost GPS simulator – GPS spoofing by SDR • Lin Huang, Qing Yang, DEFCON23 • https://media.defcon.org/DEF%20CON%2023/DEF%20CON %2023%20presentations/Lin%20Huang%20&%20Qing %20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf 3
- 4. In 2001, Eric Blossom in US started a free & open-source software development toolkit about radio. Multi-platform (Linux/FreeBSD/OSX/Windows) Run on personal computer. cf. Many software radio technology run on FPGA on exclusive hardware. Create flow graph to use GUI on GNURadio Companion flow graph -> XML file -> Python -> C++ License GPL ver3 http://gnuradio.org/redmine/projects/gnuradio/wiki About GNURadio 4
- 5. GNURadio Component Elements of the flow graph SOURCE BLOCK SINK Software or Hardware Software Python C++ Software or Hardware Input OutputProcessing 5
- 6. Sources Software Waveform generation (Sin, Cos, Triangle, Sawtooth, Square ) Various noise File Hardware PC Audio Other peripheral hardware •RTL-SDR, HackRF, BladeRF, USRP 6
- 7. Blocks Operator(Logical, Bytes, Integer, Real, Complex...) Constant, Variable(slider), Type conversion Calculation (add, sub, multiple, div, Log, RMS, integral...) Filter(LowPass, HighPass, BandPass, Reject, FFT, Hilbert, IIR, Decimation...) Modulation and demodulation ( AM, FM, FSK, PSK, QAM, OFDM…) Level control (AGC, Mute, Squelch, Moving average...) Network (TCP, UDP, Socket...) and more 7
- 8. Sinks Software Hardware PC Audio Other peripheral hardware • HackRF, BladeRF, USRP, ... etc. SCOPE FFT Water Fall Histogram Constellation Plot Other Files 8
- 9. Peripheral hardware (e.g.) RTL-SDR HackRF BladeRF USRP Frequency range [MHz] 24-1800 1-6000 300-3800 70-6000 A/D convert bits 8 8 12 12 Band range [MHz] 2.8 20 28 56 Transfer / Receive RX Tx | Rx Tx & Rx Tx & Rx Price $20 $300 $420 $675 9
- 11. VHF receiver A VHF receiver composed of RTL-SDR and GNU Radio RTL-SDR 11
- 12. ISM 2.4GHz band WiFi/Bluetooth frequency allocation http://www.digikey.com/es/articles/techzone/2013/jun/shaping-the-wireless-future-with-low-energy-applications-and-systems 12
- 13. ISM 2.4GHz band monitoring (e.g.) HackRF 13
- 14. Attack wireless devices Survey attack target Search FCC ID in FCC site Photos, someone else put on view? Overhaul by myself Necessary information RF chip data sheet •Frequency band, Modulation, Transmission speed, Data format Observe and analyze the signal 14
- 16. How to monitoring and analyzing the signal Receive radio waves Check the signal : GNU Radio, SDR# Write the received signal to file : GNU Radio, rtl_sdr Analyze Monitoring the waveform in detail : baudline Cut the area where you need ( The area selected and write to file ) : baudline Demodulation: GNU Radio | in-house scripts Decode / Parse / Decrypt • Convert to bits (0/1) ( Hex dump is unreadable ) • Find the characterized bit pattern 16
- 17. Signal monitoring tool Baudline Baudline is the signal time-frequency visualization and analysis support tool Requirements • Linux(x86_64,PowerPC) • Mac OS X • Solaris SPARC Select the area and write to file http://www.baudline.com/index.html17
- 18. Monitoring the signal (e.g.) 18
- 19. Attack demo #1 Keylogger for Microsoft wireless keyboard 800 At first, try to reproduce “keysweeper”(*1) It can’t work the MS Wireless Keyboard 800 Japanese edition Demonstrate process from investigate the cause using the GNU Radio to work (*1) https://github.com/samyk/keysweeper 19
- 20. Keylogger for Wireless Keyboard 27MH z band It is easy to snoop because (in)secure End of sale in the 2000s 2.4GHz band Same as Bluetooth/WiFi frequency Bluetooth specification is secure? What about the proprietary specification keyboard? 20
- 21. Relation Project Travis Goodspeed, 2010 The GoodFET is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards http://goodfet.sourceforge.net/ KeyKeriKi Project (CanSecWest 2010) Developed some device with ARM Cortex MPU and radio module which can keyboard sniffing and remote command execution. http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html Keysweeper (January 2015) Make efficient and systematize processes • Focus on a part of device address fixed 0xCD • Embedded in USB charger and logging to EEPROM • Detect keyword and mobile module send SMS • Forward keystroke to another device in real time ... etc. https://github.com/samyk/keysweeper 21
- 22. Experiment on breadboard Sniffer hardware USB control PC Microsoft Wireless Keyboard 800 Arduino nano •Scan 2403-2480MHz by 1MHz step •Inspect 1 byte (=0xCD) in device ID •If next 2byte are (0x0A38 | 0x0A78), stop scanning and start logging about 1500 lines Arduino program nRF24L01 ・ 2.4GHz ISM band ・ GFSK modulation ・ 1Mbps or 2Mbps 22
- 23. Success ? Radio setup End radio setup scan Tuning to 2480 Potential keyboard: AA AA 5A A9 CD 27 55 49 Tuning to 2403 Tuning to 2404 Potential keyboard: E4 AA AA A5 CD 55 A5 5A Tuning to 2405 Tuning to 2406 Tuning to 2407 Tuning to 2408 ………………… No !! 23
- 24. Wireless keyboard wave form 24
- 25. Baudline (cut the area) 25
- 26. Demodulation - 50 - 40 - 30 - 20 - 10 0 10 20 30 40 50 1 51 101 151 201 251 301 - 50 - 40 - 30 - 20 - 10 0 10 20 30 40 50 1 51 101 151 201 251 301 I/Q Vfm Vfm = ( I ( dQ/dt) - Q ( dI/dt)) / (I ^2 + Q^2) preamble bit = Vfm > 0 ? 0:1bit 26
- 27. Get BIT sequence bit = Vfm > 0 ? 0:1 111111111111001100010000000000100110111110111111111111111111111111 111111111110010101010101010010011001111100101000101101100111001000 000000001010011110000001110100000001010011100001110110100110001100 111010100111101110000010001110010100110011100111001110011100011110 111110100111000111111111111100110010000000000001111111011111111111 111101111111101111111111111111111111111111111001010101010101001001 100111110010100010110110011100100000000000101001111000000111010000 000101001110000111011010011000110011101010011110111000001000111001 010011001110101001110011100111000111101111101001110101111111111100 110000001000100010001111111111111111111111111011111111111111111111 101010101001011001111100101000101101100111001000000000001010011110 000001110100000001010011100001110110100110001100111010100111101110 000010001110 ………. 27
- 28. nRF24L01 Packet format Preamble 0xAA | 0x55 Address 3-5 Byte PCF 9 bit Payload 0- 32Byte CRC 1-2 byte http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01 28
- 29. KeyKeriki Project results ・ Microsoft Wireless Keyboard 800’s device address is composed of 5 byte start from 0xCD ・ Keystroke is encrypted by simple XOR operation using this device address http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf 29
- 30. Get BIT sequence bit = Vfm > 0 ? 0:1 111111111111001100010000000000100110111110111111111111111111111111 111111111110010101010101010010011001111100101000101101100111001000 000000001010011110000001110100000001010011100001110110100110001100 111010100111101110000010001110010100110011100111001110011100011110 111110100111000111111111111100110010000000000001111111011111111111 111101111111101111111111111111111111111111111001010101010101001001 100111110010100010110110011100100000000000101001111000000111010000 000101001110000111011010011000110011101010011110111000001000111001 010011001110101001110011100111000111101111101001110101111111111100 110000001000100010001111111111111111111111111011111111111111111111 101010101001011001111100101000101101100111001000000000001010011110 000001110100000001010011100001110110100110001100111010100111101110 000010001110 ………. find to “0x0A78 (0000101001111000)” Packet control field 9 bit Devie ID Preamble 8bit + address 5 byte + packet control 9bit + payload 30
- 31. Device ID detection { P.A. } { [p0] p[1] [p2] [p3] [p4]} AA A9 33 E5 16 CE 10101010 10101001 00110011 11100101 00010110 11001110 {PktCTL Bit} 0A 78 1D 01 010000000 00001010 01111000 00011101 00000001 { payload ....... 0100111000011101101001100011001110101001111011100…… // From keysweeper_mcu_src https://github.com/samyk/keysweeper if (radio.available()) { radio.read(&p, PKT_SIZE); if (p[4] == 0xCD) // 0xCD -> 0xCE for Japanese KBD { sp("Potential keyboard: "); DEVICE ID 31
- 32. Behavior after (0xCD->0xCE) {………………} Tuning to 2479 Tuning to 2480 Potential keyboard: A9 33 E5 16 CE 43 5 3C KEYBOARD FOUND! Locking in on channel 80 2setupRadio 16: 0A 78 1D 01 56 03 43 00 00 1E 00 00 00 00 00 8F <- Key 1 Press > 1 8: 0A 38 1D 01 56 03 00 84 16: 0A 78 1D 01 57 03 43 00 00 00 00 00 00 00 00 90 <- Key OFF 16: 0A 78 1D 01 58 03 43 00 00 1F 00 00 00 00 00 80 <- Key 2 Press > 2 8: 0A 38 1D 01 58 03 00 8A {………………} (*1) USB HID usage table: http://www.freebsddiary.org/APC/usb_hid_usages.php (*1) 32
- 34. Summary #1 Using GNU Radio, find the device address KEY (0xCE) of the Microsoft Wireless Keyboard 800 Japanese edition Change the device address KEY to 0xCE, then monitor keylogger Behavior. Don’t use wireless keyboard, when the operation with sensitive information. Especially, warn against using proprietary specification device. Caution Experiment in Japan, signal from nRF24L should be invalidated • boolean shoutKeystrokes = true; -> false; 34
- 35. Attack demo #2 Replay attack for ADS-B(*1) mounted on aircraft Aviation is part of the critical infrastructure ADS-B is next generation air traffic control system Attack demo played in Blackhat2012, DEFCON20, ...etc. Applying SDR technology, tried to replay the attack (*1)Automatic Dependent Surveillance–Broadcast 35
- 36. Congestion in the Skies http://www.flightradar24.com/ 36
- 37. ADS-B overview Because old radar’s positional accuracy was 1-2 NM, there was a need to widen the service interval to ensure the safety of aircraft operation. To keep up with aircraft increasing, new system is needed. ADS-B, using GPS, to provide a highly accurate position information, has been developed as next generation air traffic control system in 1980-1990. Now, about 70 % of passenger plane have ADS-B (Source http://www.flightradar24.com/how-it-works) Required to equip until 2017 in Europe, until 2020 in the United States Point at issue No encryption Broadcast with no authentication Simple encoding and simple modulation scheme 37
- 38. Mechanism of ADS-B ADS-B Automatic Dependent Surveillance–Broadcast Using broadcast datalink, Aircraft transmits own location, speed, altitude, and so on obtained from measuring system such as GPS. Image http://www.enri.go.jp/news/osirase/pdf/e_navi10.pdf 38 GPS location Broadcast Datalink Control Center Ground Receiving Station
- 39. Papers related to ADS-B About Vulnerability Donald L. McCallie, Major, USAF (2011) • http://apps.fcc.gov/ecfs/document/view.action?id=7021694523 Andrei Costin, Aurelien Francillon, BlackHat2012 • https://media.blackhat.com/bh-us- 12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_Slides.pdf Brad render, DEFCON20 ( 2012 ) • http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20- RenderMan-Hackers-plus-Airplanes.pdf Hugo Teso, CyCon2013 (2013) • https://ccdcoe.org/cycon-2013.html About Countermeasures Martin Strohmeier, Ivan Martinovic 、 (2014) • Detecting False-Data Injection Attacks on Air Traffic Control Protocols • http://www.cs.ox.ac.uk/files/6604/wisec2014-abstract.pdf Kyle D. Wesson,Brian L. Evans, and more. (2014) • Can Cryptography Secure Next Generation Air Traffic Surveillance? • https://radionavlab.ae.utexas.edu/images/stories/files/papers/adsb_for_submission.pdf Seoung-Hyeon Lee , Yong-Kyun Kim, Deok-Gyu Lee, and more. (2014) • Protection Method for Data Communication between ADS-BSensor and Next-Generation Air Traffic Control Systems • http://www.mdpi.com/2078-2489/5/4/622 39
- 40. Expected threats Snoop (Eavesdropping) Jamming Fake aircraft’s wake injection (Fake track injection) 40
- 41. How to receive ADS-B? Receive the radio waves USB stick for receiving overseas digital TV It’s about 1000 JPY to 2000 JPY Process the signal and display PC •Windows, Mac, Linux Smartphone, Tablet 41
- 42. ADS-B receiver software Decoder ADSB# http://airspy.com/index.php/downloads/ RTL1090 http://rtl1090.web99.de/ Modesdeco2 (w/ display function) • http://radarspotting.com/forum/index.php/topic,2978.msg13471.html dump1090 (w/ display function) • https://github.com/antirez/dump1090 Display Virtual Radar Server http://www.virtualradarserver.co.uk/ adsbSCOPE • http://www.sprut.de/electronic/pic/projekte/adsb/adsb_en.html#downloads PlanePlotter http://www.coaa.co.uk/planeplotter.htm 42
- 44. ADS-B format Format Actual received I/Q signals https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference %20Presentation%20By%20RenderMan%20-%20Hacker%20and%20Airplanes%20No%20Good%20Can%20Come%20Of%20This %20-%20Slides.m4v 44
- 45. Waveform monitoring with GNU Radio (I2 + Q2 )I/Q 45
- 46. Received ADS-B (e.g.) *8d7583a5585b575a9ebc4bbb3f04; CRC: 000000 (ok) DF 17: ADS-B message. Capability : 5 (Level 2+3+4 ) ICAO Address : 7583a5 Extended Squitter Type: 11 Extended Squitter Sub : 0 Extended Squitter Name: Airborne Position ……. F flag : odd T flag : non-UTC Altitude : 17125 feet …………. Raw data in hex Aircraft location data, ...etc. I/Q signal after A/D convert Demodulation / Decode Parse the data 46
- 47. Attack Vector IP NetworkIP Network ADS-B Receiving Station ADS-B Receiving Station ADS-B Receiving Station ADS-B Broadcast GPS Satellite Actor V2 V3 Image http://www.mlit.go.jp/koku/koku_fr14_000007.html V1 47
- 48. Replay Attack (V1) Intercepted raw data ( File name: xxxx.raw) Inject the raw data via IP network $cat xxxx.raw | nc target_IP target_PORT ※In reality, the adversary needs to find a way to get through the authentication in order to connect to the target server. *8d869210581fe3bf4350dfd62439; *5da40455385715; *8d86dca29914ee0f20f410ef2595; *8d780c3c581db79c18a4b0ffc872; *8d867f609914b993e8700ba91251; *02a1839b9e229d; *…………… 48
- 49. Replay Attack (V2) Create an ADS-B pulse signal file from the raw data $cat xxxx.raw | ./adsb-pulsegen test_file.bin Use the file to generate a RF signal modulated $hackrf_transfer –f 1090MHz –s 2MHz –t test_file.bin –x 0 *8d869210581fe3bf4350dfd62439; *5da40455385715; *8d86dca29914ee0f20f410ef2595; *8d780c3c581db79c18a4b0ffc872; *8d867f609914b993e8700ba91251; *02a1839b9e229d; *0261819c1d1e5a; …………… 49
- 50. DEMO Injection via IP network (V1) Real-time interception of ADS-B signal and display on map Inject the raw data received in the past Injection via RF channel (V2) Generate an I/Q signal file from the received raw data Inject the RF signal modulated by the I/Q signal 50
- 51. ADS-B network injection http://www.flightradar24.com/ Network injection demo Screen shot 51
- 52. ADS-B RF injection RF injection demo screen shot 52
- 53. Security of air traffic control? Why doesn’t it get renewed? Threat not being recognized To preserve safety and interoperability International discussion takes a long period of time • Forming consensus • Development • Deployment Image http://www.jatcaonline.com/SSR_system.JPG https://upload.wikimedia.org/wikipedia/commons/f/fe/D-VOR_PEK.JPG ASR/SSR ILS ( glide slope / Localizer ) VOR/DME 53
- 54. Summary #2 Technically, an attack against ADS-B is extremely easy Not only ADS-B but any air traffic control system that relies on radio waves are vulnerable to jamming attacks. Possible attack scenarios Terrorists or nation state actors injects false flight paths or performs jamming attacks to confuse the air traffic control as one of the ways to accomplish an objective. Is it hard to implement early countermeasures? ( Requires an international consensus ) A mitigation plan such as detecting interception or using tracking algorithms must be considered Create an environment that enhances virtual trainings and incident response plan 54
- 55. Conclusion Due to the emerge of the software defined radio experiment tool GNU Radio and the low cost RF related hardware, the technical threshold to carry out an RF attack has been lowered The existing systems that relies on radio waves such as the air traffic control system, has not been able to follow the modernization which the commercial technology like WIFI or smartphone has gone through A fundamental countermeasure will require a long period of time Compensating the lack of countermeasure with operational practice will require an enhanced incident response plan and trainings 55
- 56. Thank you ! Questions ? 56
- 57. 57 Copyright 2010 FUJITSU LIMITED