
Hackers with Radios: Security and the Physical Layer - Mark Megarry

BSides Dublin · 2026 · 22:56 · 17 views · Published 2025-10

Well folks, thank you all very much for your patience there with our technical issues. Regardless, my name is Mark Megarry and this is Hackers with Radios: Security and the Physical Layer. Today we'll do a bit of an introduction and then look at threat modelling for radio hackers, and that'll include eavesdropping, replay attacks and relay attacks. Then we'll move on to a bit about attack mitigations and wrap up. A bit more about myself: I'm a PhD student with Queen's University Belfast's Centre for Secure Information Technologies, and my project is focused on telecom security. Also, I am contractually obligated to promote the RF hacking village outside, so go check it out when we're done here.

Okay. So, this is a talk about hacking and radio hacking, so please don't break any relevant cybercrime laws. As well as that, because we're dealing with the radio spectrum, please respect the legislation put in place in Ireland by ComReg. They regulate the spectrum here, and they'll probably find you if you transmit on some band you shouldn't. So, radios: they're everywhere, but they don't all look like this. In fact, I'm willing to bet most people in this room have a number of radios on them right now. For me, I've got my phone on me. This has a Wi-Fi interface, it has a Bluetooth interface, cellular, and it has a GPS receiver.

These are all technically radio interfaces. I'll not show you these, but in my wallet I've got my contactless payment cards and my employee ID. I'm sure most people in this room use wireless keyboards and mice pretty often. In fact, here's a question. If you use a wireless keyboard pretty regularly, are you sure that the message that gets sent when you press a key is encrypted, and that someone in the other room can't read what you're saying? If you haven't thought about it, it's worthwhile. We'll be talking a bit more about these later, but car keys. They can be split into remote keyless entry, and that's the idea where you press a button on your key that sends out a signal to your car and your car opens. But there's also passive keyless entry. That's the idea where you have your key in your pocket, you walk up to your car, you pull on the handle and it just opens. Additionally, your keys have a transponder built in, for your car's immobiliser. When your car starts, it looks for this transponder; if it's there, the immobiliser will disable and the car will be able to go. If it's not there, then you're stuck. Also, if you're into your smart home and automation stuff, just because your smart lights don't run on Wi-Fi doesn't mean you can't talk to them with the right USB interface. You can communicate with them.

So, one of the key issues with wireless communications is (let me just silence my phone really quick) that we tend to think about comm links in system diagrams like this as if they're a straight line. And yeah, you can transmit radio power in a fairly concentrated, focused beam using things like beamforming or directional antennas, but really, for things that I have in my pocket right now, generally when I press a button on my key fob it's going to radiate in all directions. So in the first instance, an attacker might have to physically get between you and the device you're talking to. But in the more common situation where you're transmitting in all directions, they can be anywhere, even in the next room. So what can these attackers do? Well, I like the Dolev-Yao adversary model. This essentially says that the channel itself is the attacker. So under this model attackers can eavesdrop on messages, they can transmit new messages, they can block messages through jamming, or they can modify messages in flight.

So let's look at an example of eavesdropping. I've gotten a bit into amateur radio recently, and here's a setup where, let's say, Bob is trying to talk to Alice through a repeater. Now, amateur radio voice communications generally aren't encrypted, so we can place a device anywhere within range of Bob. I used what's called a software defined radio for this, and I recorded myself. I'm really hoping that the audio plays here. This is what we heard. Okay, the audio is not playing. Well, take my word for it: if you set up a software defined radio right near Bob, you can listen in to exactly what he's saying.

So, let's move on swiftly to replay attacks. This is one of the oldest tricks in the book. We have this scenario where Bob is trying to talk to his wireless device with a key fob, and I'm going to use the example of a garage door opener. Now, we know from earlier that when Bob presses the open button on his key fob, he's not just transmitting to the device, he's transmitting all around him. That means that an attacker can listen in to this. So, an attacker can record the message Bob sends, wait until Bob leaves, and then just replay the message that says "Open garage", and the garage will open. Okay. What hardware might an attacker use to carry out these attacks?

Well, one of my favourites in terms of flexibility is the HackRF One. This is what's called a software defined radio. What a software defined radio is is a device which, when it receives a signal, creates samples of the waveform and sends those samples on to your PC, so your software can put together the original waveform and you can do more advanced analysis with it. The HackRF One has a broad frequency range. It's a little pricey for a bit of hobby kit, but it can also transmit, which is pretty major. On the cheaper side of software defined radios, you have what I'm going to be calling the RTL-SDR. These are cheaper devices, generally about £40 or less. They can only receive and they have a limited frequency range, but you can still listen in to things like car keys, things on 433 MHz, with them. So, if you're curious, this is something that's worth picking up.

Now, it wouldn't be a radio hacking talk in 2025 without mentioning the Flipper Zero, of course. Unlike the software defined radios I've been talking about, the Flipper Zero doesn't give you samples of the original waveform. It can just give you data out, because it's based on the Texas Instruments CC1101 module. This will receive and decode signals using certain modulation schemes, and modulation is how we encode data onto a radio wave, but don't worry about that too much for today. The benefit of the Flipper Zero is just that it's versatile. It's a Swiss Army knife: it does RFID, it'll do Bluetooth and things like that. So, it's a nice tool to have, but I wasn't too pleased with the price range for it. So I thought, well, it uses the TI CC1101 module, I can make my own, right? So this is my arts and crafts project. If it worked, it would cost less than £30, but, as you can tell from that, to this day it does not work. So, maybe one day.

And I need to give one honourable mention to the best hacking device of 2007. Folks, this is the GirlTech IM-ME, originally designed by Mattel as an instant messaging toy for kids. It features a Texas Instruments CC1110 sub-1 GHz microcontroller, and people found pretty quickly that you can upload custom firmware onto this device. People have used Samy Kamkar's OpenSesame to brute force garage door openers with this pink device. It's been shown to be able to jam P25 secure radios. So for something that sold for about $65 back in the day, that's pretty good.

But let's get on to an example of a replay attack. I was at Farset Labs, a hackerspace in Belfast, and I came across this projector screen motor. You press up on the remote, it goes up. You press down, it goes down. Pretty simple. So I borrowed a friend's HackRF One and I played the role of the attacker. I used a bit of software called Universal Radio Hacker to look at the signal I received, and it looked something like this. You might say, "Mark, that's not data, that's a squiggle." But this is what's called amplitude shift keying, or on-off keying. When it's on, it's a one. When it's off, it's a zero. It's dead simple, but you see it often. Car keys quite often use this, so it's a popular modulation scheme. But I didn't have to do any complex analysis of this. All I had to do was press replay, and then the projector screen rolled up. So that's great. We've used well over £200 worth of kit to defeat a £20 remote controller that had no security guarantees.

So I thought, well, what's a reasonable next step? What's something with some security expectations? And then it hit me. My car. Well, thankfully the car didn't actually hit me, but the idea hit me to try and break into it. Now, if you try the same sort of replay attack on a car, you take your car key, you record the signal and you replay it, you'll be met with a deafening silence. The car is not going to unlock. That's because car locking systems tend to use what's called rolling code. In rolling code, your key has a counter variable and your car has a counter variable. When you press a button on your key, it transmits a message to your car. That message contains an encoded version of this counter variable, which I'll call a hash for simplicity, and it contains the action to be taken: lock, unlock, open the boot, all that. When your car receives a message, it checks the hash of the counter that was sent and compares it to what it's expecting. This means that if the key is out of date, if the key is sending an old counter value, then the car is going to ignore it. So you can't use the same counter twice.

So does that mean that my car can't be unlocked by an attacker? Well, unfortunately, Samy Kamkar came up with an attack called RollJam. These are two different bits of hardware that have been put together for RollJam. You'll see there are two radio modules on the top one.

One is for transmitting and receiving and one is for jamming. So, here's how the attack works. Bob presses unlock on his key, but the attacker is jamming the car's receiver. So the attacker hears the message that was sent by Bob; the car doesn't. Bob says, "Well, that didn't work," and does the very human thing of pressing unlock again. Okay, the attacker now has two messages, one older than the other, and the attacker just sends the older of the two messages, keeping the fresh one. We can keep doing this in a loop, where we have two messages in our buffer and we send the older of the two until it's time for Bob to go to work or go to bed or something. We still have one message in our buffer that is valid and hasn't been used yet, and we can transmit that to unlock the car.

So, I really wanted to try out this attack for myself. Problem is, radio jamming is really illegal. So I thought, "Yeah, okay, I'll have to go back to the drawing board with this one," and I went for this relay attack. Here's the situation. We have Bob, who's far away from his car. There's an attacker next to him, and then there's an attacker next to his car. Bob is playing with his keys, or the attacker grabs the keys quickly and records the signal sent from them. Then that attacker sends the message to the attacker closest to the car. I show this being done over satellite comms, but it's probably going to be a text message or something. Attacker 2 just sends the unlock message that the car hasn't heard yet, and the car unlocks. So, here's a quick demo of how that might look.

So, I'm at my desk, far away from my car, with the HackRF One. I press unlock, I record that, and then I walk some long distance to my car, where it was out of range.

And then we take this message that the car hasn't heard before, we replay it, and the car unlocks. So yeah, that is worrying. My car has been unlocked without the key being present. But is this attack practical? Well, I have to wonder. If I see a car on the side of the road and it's got a laptop or a nice watch or something in it that I really want, am I going to run home and buy £200 worth of radio equipment off Amazon, wait for it to arrive, stalk the owner of the car and carry out this convoluted attack? Well, no. I'm probably going to do a much cheaper attack: pick up the nearest brick and put it through the window. So, for opportunistic theft, I think this isn't so practical. But in terms of getting you in the car, yeah, it could get someone in the car, maybe without the knowledge of the owner, so they could then try and maybe start the car and steal it. But its use is maybe not as bad; it's not as practical as it might first seem.

Now, an attack that's a bit more practical is an attack on passive keyless entry. The user has his key in his pocket, and he walks up to the car and pulls on the door handle. The car sends out a challenge to the key. If the key is present and valid, it will then calculate and send a response. And we have this fatal assumption at the bottom that, because the transmit power of both parties is limited, the distance that this can happen over is quite short. But this isn't always true. You might have seen a video of this attack happening on YouTube or something. We have what's called the two-thief attack, where, picture the scenario, it's at night. The owner of the car is in bed. Their key is in their house. And we have an attacker with an antenna next to the house who's just trying to find the signal from the key.

We have an attacker next to the car with an antenna who then pulls on the door handle. The attacker receives the challenge from the car and sends that over to the other attacker through some higher-power method than the key has. So the attacker sends this challenge over a very long distance. Then the attacker next to the house forwards that on to the key. The key calculates the response and sends that back to the attacker who's close by. He forwards that on to the attacker next to the car, he forwards the message on to the car, and the car unlocks. So we've essentially destroyed the assumption that the distance this can be done over is very short. Then the attacker next to the car gets in, they can repeat this attack, and attacker one is away with the car.

So let's talk a bit about mitigation. Here's some advice from the PSNI up north. They say, when at home, keep your car key well away from the car. Fair enough. Put your car keys in a signal blocking pouch. Reprogram your keys if you buy a secondhand car, and turn off wireless signals on your fob when it's not being used. Now, I don't disagree that this is decent advice, but I have to wonder what if this was applied to the newest iPhone. Imagine if you got the newest iPhone home. You open it up, you unbox it, and there's a big leaflet in it that says, "Warning: when you're not using this, you need to keep it in a Faraday bag or all your bank details are going to be public knowledge. And you've got to turn off Wi-Fi when you're not using it, because we can't guarantee it's secure." So I just think it's odd that the onus here is on the user rather than the manufacturer.

So, some proposed solutions then from researchers. We have the solution of using encoded timestamps. We know that radio signals propagate at the speed of light in a vacuum. So if your car receives a signal from a key that was sent two minutes ago, that's some distance away. That's a bit odd. So you can work out what's the maximum freshness of a message you should accept. Then researchers have also been looking at using machine learning techniques to fingerprint signals. So did this come from a legitimate key or did it come from some other device? You can maybe look at the noise associated with the devices to work out if it's a legitimate key or not. And then we could look at using physical metrics like the received signal strength, round trip time, GPS coordinates. But ultimately an issue is that car key fobs are not high-cost devices, right? Manufacturers really want to try and keep the cost down, because you don't want to buy a £10,000 key fob at the end of the day.

So, what are the takeaways? Well, when you broadcast a message from a wireless device, you can't generally control who's going to receive it, only who understands it. Security and hardware is a bit of a balancing act, because you really want a secure key, but you also want a cheap key, right? And I just always like to ask the question: do we need to have higher expectations regarding wireless and hardware security testing? Are we doing enough? I like having that conversation. And if you're an interested beginner in this stuff, I'd recommend checking out the RSGB in the UK or their equivalent down south here.

All right, other topics I want to bring up in the future. Wireless keyboards and mice: I talked about them a bit at the beginning, but there was a company called Bastille Networks who found that a number of pretty big-name brands had products that weren't so secure, that maybe were leaking your key presses. So I'd want to play about with that a bit more myself and just see that with my own eyes. Additionally, I want to look a bit more at older telecoms networks. Old school hacking involved what's called phone phreaking, or blue boxing. Very old telecoms networks used audio for control messages, so people made these tone generators that they used to explore parts of the phone network they shouldn't. And then I want to tie that into a talk about more modern 5G RAN and core network security. So keep an eye on that. Okay. Well, thank you very much, and thank you to Grant for lending me a HackRF One, my dad for filming me breaking into my car, Farset Labs for letting me play with their projector screen, and Samy Kamkar for inspiring the talk.

[Applause] I will be taking any questions. [inaudible]

>> There's a risk, if you copy a car, that it then breaks the car.

>> That's one of the side effects of your copying.

>> Yes. So, your car has a sort of tolerance. Your key can be a couple of presses ahead of the car. But I know from walking around a car park that didn't actually have my car in it and clicking my car key a bunch of times that, if you click it (I don't have a solid number), but if you click it too many times, you won't break it, but you'll have to resynchronise them. For me, I think that just involved using the mechanical key and then starting the engine with the key nearby. But that definitely can be an annoyance.

>> So was it a feature, or is it just a byproduct of the design and copying, because it's...

>> Yeah. So your key can be a couple of presses ahead of your car, but there will be situations, if you play about with this stuff, where you will need to resynchronise those two together.

Okay, so that's us. Okay. Well, thank you, everyone.
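The rolling-code behaviour described in the talk (a counter on the key and a counter on the car, a hash of the counter in each message, stale counters ignored) and the "couple of presses ahead" tolerance discussed in the Q&A can be modelled in a few dozen lines. The simulation below is an added example written for this page; it is not the speaker's code and does not reproduce any real manufacturer's scheme. It assumes a shared secret provisioned into both devices, uses a truncated HMAC-SHA256 as the talk's "hash" of the counter, picks a window of 16 presses as the tolerance, and stands in for the out-of-band resync (mechanical key plus engine start) with a plain method call; all of those are constructed assumptions. It shows why a recorded frame fails when replayed, why a key pressed out of range still works inside the window, and why too many such presses force a resync.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed parameters for the simulation: a shared secret provisioned into
# both key and car at manufacture, and the number of presses the car tolerates
# the key being ahead (the "tolerance" mentioned in the Q&A). Not real values.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"
WINDOW = 16
TAG_LEN = 8


@dataclass(frozen=True)
class Frame:
    """One over-the-air message: the counter, the requested action and a tag."""
    counter: int
    action: str
    tag: bytes


def make_tag(secret: bytes, counter: int, action: str) -> bytes:
    """The 'hash of the counter' from the talk, modelled here as HMAC-SHA256
    truncated to TAG_LEN bytes over counter and action, so a captured frame
    cannot have its action swapped without detection."""
    payload = struct.pack(">I", counter) + action.encode("ascii")
    return hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]


class KeyFob:
    def __init__(self, secret: bytes, counter: int = 0) -> None:
        self.secret = secret
        self.counter = counter

    def press(self, action: str) -> Frame:
        """Every press advances the counter, whether or not the car hears it."""
        self.counter += 1
        return Frame(self.counter, action, make_tag(self.secret, self.counter, action))


class CarReceiver:
    def __init__(self, secret: bytes, counter: int = 0, window: int = WINDOW) -> None:
        self.secret = secret
        self.counter = counter  # highest counter accepted so far
        self.window = window

    def receive(self, frame: Frame) -> str:
        # 1. Authenticity: recompute the tag with the shared secret.
        expected = make_tag(self.secret, frame.counter, frame.action)
        if not hmac.compare_digest(expected, frame.tag):
            return "reject: bad tag"
        # 2. Freshness: a counter at or below the last accepted one is a replay.
        if frame.counter <= self.counter:
            return "reject: stale counter (replay)"
        # 3. Tolerance: the key may be a few presses ahead, but not arbitrarily far.
        if frame.counter > self.counter + self.window:
            return "reject: counter too far ahead (resync needed)"
        self.counter = frame.counter
        return f"accept: {frame.action}"

    def resynchronise(self, counter: int) -> None:
        """Stand-in for the out-of-band resync the talk describes (mechanical key,
        then engine start with the key nearby). How a real car does this is
        vehicle-specific and deliberately not modelled."""
        self.counter = counter


def demo() -> list[str]:
    fob = KeyFob(SHARED_SECRET)
    car = CarReceiver(SHARED_SECRET)
    log = []

    first = fob.press("unlock")
    log.append(car.receive(first))                 # accept: unlock

    # The same frame, recorded and sent again: its counter is now stale.
    log.append(car.receive(first))                 # reject: stale counter (replay)

    # Key pressed five times out of range; only the last frame reaches the car.
    for _ in range(5):
        frame = fob.press("lock")
    log.append(car.receive(frame))                 # accept: lock (inside the window)

    # Pressed too many times out of range: beyond the window, resync is needed.
    for _ in range(WINDOW + 1):
        frame = fob.press("unlock")
    log.append(car.receive(frame))                 # reject: counter too far ahead

    # A frame built without the shared secret fails the tag check first.
    forged = Frame(frame.counter + 1, "unlock", bytes(TAG_LEN))
    log.append(car.receive(forged))                # reject: bad tag

    # After resynchronising, the next press is accepted again.
    car.resynchronise(fob.counter)
    log.append(car.receive(fob.press("unlock")))   # accept: unlock
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The three checks in `receive` are ordered so that an unauthenticated frame is rejected before it can influence any counter state, and the counter only moves forward on an accepted frame. Note what this model does not defend against: a frame that is authentic and fresh but was captured and withheld (the RollJam scenario) or forwarded from far away (the relay scenario) passes all three checks, which is exactly why the talk turns to timestamps and physical-layer metrics as further mitigations.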