Professional Documents
Culture Documents
The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
Arnaud LEBRUN
Jean-Michel PICOD
Jonathan-Christofer DEMAY
penetration testing community
Bringing Software Defined Radio to the
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
2
8.7 billion in 2012
Source: Cisco
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
3
43 million smart meters in the U.S. in 2012
"
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
(p.85)
Examples of security research tools yet to be started:
Devices to easily interact with, capture, and analyze traffic of metering networks for different vendors.
Currently, the best toolset available is the software-defined radio named USRP2 from Ettus Research,
costing roughly $2k. This toolset allows for RF analysis and indeed can capture data bits. However, the ideal
toolset would allow an analyst's computer to interface to the metering networks and provide an appropriate
network stack in a popular operating system such as Linux
30 June 2014 4
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Difficulties
• Multiple bands
• Multiple bitrates
• Multiple modulations
• Multiple radio protocols
5
– ISM (433 MHz, 868 MHz, 900 MHz, 2.4 GHz)
Bringing Software Defined Radio to the penetration testing community
Existing tools
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
30 June 2014 6
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
every two years”
Bringing Software Defined Radio to the penetration testing community
7
Moore’s law to the rescue:
“ Over the history of computing hardware, the number of
transistors in a dense integrated circuit doubles approximately
Bringing Software Defined Radio to the penetration testing community
Credit: http://greatscottgadgets.com/hackrf/
30 June 2014 8
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
9
Introduction to GNU Radio & scapy
Bringing Software Defined Radio to the penetration testing community
GNU Radio
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
30 June 2014 10
Bringing Software Defined Radio to the penetration testing community
Scapy
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
30 June 2014 11
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
12
Introducing scapy-radio
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
control
How does it work?
UDP + custom
Bringing Software Defined Radio to the penetration testing community
SuperSocket scapy
XMLRPC
layer
layer
13
layer
layer
IN socket
OUT socket
layer
layer
layer
SCAPY
layer
Software Defined Radio
layer
GNU Radio graph (GRC)
layer
IN socket
layer
OUT socket
layer
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
•
•
•
•
•
30 June 2014
Why a UDP socket?
14
Bringing Software Defined Radio to the penetration testing community
Gnuradio header
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
– Channel
– RSSI
– Anything that needs a per packet use
• Protocol ID on 1 byte
– 0 = Invalid packets This GRC block prepends a message with the header
– 1 = Zwave
– 2 = 802.15.4 (ZigBee, 6LoWPAN, etc.)
– 3 = Bluetooth LE
– 4 = wM-Bus
– 5 = Dash7
30 June 2014 15
Bringing Software Defined Radio to the penetration testing community
We are releasing…
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
• Tools
– Passive Zwave discovering
– Example of Zwave automaton
30 June 2014 16
Bringing Software Defined Radio to the penetration testing community
Known limitations
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
• Bandwidth limitation
– On radio side
– On computer side (USB bus)
30 June 2014 17
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Disclaimer
want/need to transmit!
Bringing Software Defined Radio to the penetration testing community
18
Unless you are living in a Faraday cage, don’t
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
What we studied
19
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
•
•
•
•
30 June 2014
Alarm device
Magnetic sensor
Network controller
20
Bringing Software Defined Radio to the penetration testing community
• If you transmit too fast, it crashes the software! • Want to reverse the firmware too?
– Zen-Sys seems to be the leader
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014 21
Bringing Software Defined Radio to the penetration testing community
Bluetooth LE e-cigarette
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
• Potential threats:
– Privacy issues (sniffing consumption)
– Health issues?
– Firmware corruption OTA
– Cascaded attack (hack the e-cigarette that, in
turn hacks the iPhone/Android)
30 June 2014 22
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
•
•
•
30 June 2014
XBee UART bridge
23
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Roadmap
Bringing Software Defined Radio to the penetration testing community
24
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
– Dash7
– wM-Bus
– Others…
Roadmap
25
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
26
How to add a protocol in that tool
Bringing Software Defined Radio to the penetration testing community
30 June 2014 27
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
3. Done!
2. Test it
1. Write your required layer(s)
Step 2 – scapy layer
28
Bringing Software Defined Radio to the penetration testing community
2. Edit scapy/layer/gnuradio.py
• Bind GnuradioPacket and your layer
30 June 2014 29
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
Demonstration
30
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Demo – Zwave
31
scapy-radio
Attacker side
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
Zwave GRC
32
Wait for a packet…
Inits the automaton, loads
30 June 2014
• ./install.sh
Requirements:
• cd scapy-radio
• GNU Radio 3.7
• A compatible SDR
Where to get this?
33
• hg clone http://bitbucket.cassidiancybersecurity.com/scapy-radio
© 2014 Airbus Defence and Space – All rights reserved. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is
prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
30 June 2014
Bringing Software Defined Radio to the penetration testing community
Questions?
34
Thank you for your attention.