The training Software-Defined Radio applied to security assessments was held by Sébastien Dudek at Troopers21 and was remotely organized – like most other events – due to Covid-19. Once we were all caffeinated, we had an exciting journey through basically all things radio.
The God of frequencies Michael Ossmann visited us again this year at the TROOPERS16 and showed us how to break another device using a specific setup.
Last time he introduced the HackRF One to us (Read here:https://www.insinuator.net/2014/08/hackrf-one-the-story-continues/), but this post is a short summary of his talk about “Rapid Radio Reversing”, he is a wireless security researcher, who makes hardware for hackers. Best known for the HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Today we received a few ShareBrained Technology – PortaPack H1 to use with our HackRFs. Having done a first few minutes of scanning, I just wanted to give you a quick overview of its features and potential…
This and the following two posts should serve as a step-by-step guide through the whole process of analyzing a radio frequency black box, demodulate and understand the data transfered and finally modulate our own data in order to e.g. perform a brute force attacks.
once again, we welcomed Michael Ossmann at the ERNW headquarters for fun with SDR. This time with Mike´s advanced SDR workshop. And to be up front about it…it was plain awesome. For everybody who is not familiar with Software Defined Radio (SDR): Let’s regard it as the ultimate tool when working with radio signals. Take a look a this to learn more.
Mike showed us the new revision of his HackRF One and explained us some more advanced techniques when it comes to Radio Frequnecies hacking. Compared to last time, the workshop focused on reversing signals and how to synthesize them. So this time we were crafting RF packets ourselves instead of just replaying a capture. This introduces different attack types which can be carried out over the air for example bruteforcing or fuzzing of radio devices.
We thought about some devices that would be worth taking a look at because you probably dont want to start reversing your car`s remote key.So we ended up analyzing “simpler” devices for training purposes and decided to mess around with a Shutter remote control and an Instant Messaging device.
The remote shutter control operates the shutter of a DSRL so you can take pictures without holding the camera in your hands. So a user could focus the cam and take pictures. An attacker on the other hand could take pictures when the camera is not supposed to or simply jam the reciever to prevent from pictures being taken. This was quite easy and worked very well, so we went on to other interesting devices…
Mike brought a modified version of the IM-Me (Instant Messenging device for children). We tried to record and analyze its signals to be able to spoof messages and run arbitrary shell commands on a remote system that has installed a special “IM-Me” Server application based on previous research. Our goal was to synthesize commands which are sent to the device e.g “ls”. The first step in doing this is to capture a clean signal and filter it properly to be able to demodulate the signal into binary data to process it further. Mike explaind pretty handy tricks to accomplish these tasks on which we will talk about in further posts, so stay tuned.
If yo are interested in the IM-me take a look at this and this to learn more.
So THANKS a lot Mike. It once again has been quite interesting to see
where RF testing is heading and how much more is to be learned on this field.
today we welcomed Michael Ossmann at the ERNW headquarter for an exclusive workshop on his HackRF gadget. Everybody was quite excited to get hands-on with this shiny piece of hardware, which is currently crowd-funded on Kickstarter. For everybody who’s not familiar with Software Defined Radio (SDR): Let’s regard it as the ultimate tool when working with radio signals.
Let’s quote Michael’s campaign website:
Transmit or receive any radio signal from 30 MHz to 6000 MHz on USB power with HackRF. HackRF is an open source hardware project to build a Software Defined Radio (SDR) peripheral.
SDR is the application of Digital Signal Processing to radio waveforms. It is similar to the software-based digital audio techniques that became popular a couple of decades ago. Just as a sound card in a computer digitizes audio waveforms, a software radio peripheral digitizes radio waveforms. It’s like a very fast sound card with the speaker and microphone replaced by an antenna. A single software radio platform can be used to implement virtually any wireless technology (Bluetooth, ZigBee, cellular technologies, FM radio, etc.).