
Now this next talk is something special. It's a topic that we've only explored once in the past, but the speaker that we're about to have on stage I have known for more than a decade. This gentleman, this young hacker, this young buckaroo: I met him for the first time at a CryptoParty in downtown Tel Aviv. Anybody here ever been to a CryptoParty? So a CryptoParty is not about cryptocurrencies and it's not about Bitcoins; it's actually about exchanging your encryption keys in person so that you can trust the other guy. It's about setting up encryption on your computer and teaching other people how to use cryptography. So it's a pretty awesome practice. It was a fun party, downtown Tel Aviv. Now, Yuval Adam is an independent technologist, I think that means a hacker, and he likes to play around with things, including radio waves. So Yuval is going to help us decode the black magic of radio waves. What a perfect talk after talking about Harry Potter. Give it up for Yuval! Yuval, it's a pleasure to have you on our stage.

Thank you.

Yeah, let's smile for the camera. Okay. Yo, he's on break, it's okay, he'll be back when you're done, don't worry, and I'll be back with a drink as well. All right, Yuval, thank you very much. You need a clicker? Yes, I definitely need my clicker. Okay, don't forget, it's not a gift. No. Okay, you want it back at the end? Yeah. See ya. This way? This works. Okay.

So hey everyone, it's great to be here. My name is Yuval. In my day job I do consulting with large companies and small startups, but in my spare time, like on set, I like to play with all sorts of technologies, and radios are definitely one of my biggest hobbies, which is why I'm very excited to be here giving this talk. And I'd like to start off with a story. When I was nine years old I was visiting my grandparents' house, and as kids usually do, I was looking for things to play with, and I found something that fascinated me: I found an analog shortwave radio receiver. And I remember taking it outside with my best friend, and we were sitting outside in the backyard playing around with it, tuning around, listening to all different kinds of music stations, and then we stumbled upon this: "the first class forever India foxtrot Delta Alpha Mike". So this voice sounded so strange and mysterious to me. It was obvious that this wasn't any regular radio station, it would sound very weird, and it immediately sparked my curiosity, and in retrospect I think it planted the seed for lots of the work that I do today and lots of things that interest me. So in this talk I'd like to share some of the curiosity for these magical fields of energy that are all around us.

So radio is the technology of signaling and communicating using waves of electromagnetic energy, and it's the main physical phenomenon that humanity uses in order to communicate wirelessly over long or short distances. So it quite literally is all around us. Now, while the physics of radio are pretty complex, we don't really need a physics degree in order to understand the basic core idea, the basic principles, and I find this beautiful animation to actually be very intuitive. So if you consider a wave of energy coming from a transmitter in your direction: as that wave passes through a conductive antenna, it's inducing the electrons in that antenna to create a small electric charge, and we can measure that charge and reproduce the signal as it was transmitted to us. And that's pretty much all the theory that you need to know about radio, at least for this talk. Maybe you want to go do a PhD about that, that's something else, but for now this is everything we need.

So the main topic that I want to introduce today, that some of you may have already heard of, is called software defined radio, or SDR. In the past decade the field of SDR has exploded and made radio much more accessible to large crowds: to developers, to researchers and to hobbyists, lots of different crowds are playing with this stuff. And to understand SDR and why it's such a powerful and transformative concept, I think it's much easier to first understand how a hardware radio actually works. So let's take this radio receiver as a classic example. Hardware radios are single-purpose devices: they receive a radio signal, they implement the processing of that signal with analog electronics, and the only thing that this radio will ever be able to do is tune to a frequency and play back the analog sound of the broadcast. No matter how much you tinker with this device or hack with it, it won't do anything else, at least not significantly different.

Now, to understand what's going on inside the device, I think it's very useful to look at a typical block diagram for something like this. So we have an antenna that receives the radio signal and generates a small electric charge, as we've seen, but that signal usually is too weak, so before any further processing happens that signal needs to be amplified; that's the RF amplifier stage. After amplification we apply some basic tuning and filtering. This really depends on the station that you're listening to, for example, to the incoming carrier signal. And then comes the important part: the demodulation. So demodulation is what takes the incoming carrier signal and extracts the baseband signal from that. So let me give you an example. Consider an FM radio station that's broadcasting, let's say, a talk show on 100 megahertz. We know that the average frequency of human speech is somewhere around 100 hertz, or 100 to 200 hertz, something like that. So the demodulation is what takes the 100 megahertz carrier signal and decodes the original signal from that, the 100 hertz baseband signal that we talked about. That's demodulation; modulation is the other way around, but for receiving we're demodulating the signal. So once we have the original voice signal in hand, the only thing left to do is to amplify that signal once again, usually with a volume control, and then output it through the speaker for the listener to hear. That's a hardware radio. SDRs do something slightly different.

So the first part of the signal pipeline is identical. SDRs are usually generic enough so that no matter what signal we care about, it's all the same to them. The difference is that instead of demodulating the signal like we did earlier, the SDR digitizes the signal through an analog-to-digital converter. So what that means is basically we're taking the incoming analog signal, the wave that we saw earlier, and we're sampling it at a very, very high frequency, producing digital samples. That process is called IQ sampling. Those samples are then passed out directly to software for further processing. Now, once you give this some thought, it becomes obvious why this is such a huge deal: if you make your hardware stupid and generic enough, then you're turning your hardware problems into software problems, and we know for a fact that software problems are cheaper and faster to solve, right? That's the difference between going out and manufacturing a new hardware revision for your device and just pushing a firmware update. That's the power of SDR.

So a little bit of context on how we got here. SDR as a concept was initially developed in various commercial products during the 80s and 90s, but the real explosion of SDR as we know it happened in 2012, when a group of developers were looking into the RTL2832 chipset. This chipset was used in cheap USB dongles that were built for receiving digital TV broadcasts; here in Israel it's Idan+. The developers discovered that the video decoding pipeline can actually be bypassed, allowing you to feed the raw signal directly into the computer. These devices are now known by the project name that spawned off out of this, which is called RTL-SDR, and they marked the first time in history that an off-the-shelf device at a $20 price point was available to anyone and allowed anyone to connect their computer to radio waves. And needless to say, this sparked massive, massive interest. So fast forward 10 years: we now have a multitude of SDR devices available on the market, anything from the cheap RTL-SDRs and up to laboratory-grade devices that cost tens of thousands of dollars. There really is a device for any type of use case that you could think of.

Now I want to say one thing about layer one security, which might seem obvious, but I think it's worth noting, and that's the key difference when you're using a wired connection: that connection is by definition confined to a physical space, right, to the cable itself. If you want to attack that physical connection, you either need physical access to the cable or a side channel to attack that with. With wireless connections we're by definition broadcasting and propagating our signal widely, so the only limiting factors here really are range for getting an effective signal, or directionality if that signal is pointed in one specific direction or one specific sector, or any limitations on the antenna, like if you want to talk with a satellite you usually need a pretty big satellite dish. Those are really the only limiting factors here.

So now that we know how SDRs work and what they do, I want to show you a few applications of how they're being used, and one of the most prominent examples is tracking commercial flights. This is done with a relatively simple protocol called ADS-B, which basically means that aircraft broadcast their exact position at all times for safety reasons. And the thing is that these signals are so ridiculously easy to pick up, you can do it with no more than the cheapest SDR you can find, zero computational power essentially, and a homemade antenna that measures no more than, let's say, 10 centimeters in size. All these components together cost like 50 or 60 dollars. Once you have all the hardware set up, it's time to run some software, and in this case I'm using a popular CLI tool that's called dump1090. Once you start running it, you immediately start to see all the incoming data packets in real time as they're being transmitted from the aircraft around you, and of course once you have these coordinates you can also plot them on a map. With a simple setup like the one that I showed you, operating from a relatively open balcony in the middle of Tel Aviv, you can receive targets at ranges upwards of 350 kilometers. So this just shows you how easy it is to work with well-known signals; in this case ADS-B is broadcast from above, it's unencrypted, and there's well-supported software for it.

But what happens if you don't have that luxury? Let's say you're doing some novel research on a new wireless device, or inspecting a widely broadcast signal that you have no idea where it's coming from. This field is called blind signal analysis, and I want to show you how that's done using open source software. So first of all, a small tip: if you're, let's say, researching a device and you do have it on hand, it will probably have an FCC ID. Every single device that went through the regulation process will have one of these. You can go on the FCC database, which is open, and see all the specs and lab reports for this device, so that will give you a heads-up on what you're looking for in terms of frequency or how this device works. But we're here to talk about SIGINT, not about OSINT. So the real first step is to identify a signal of interest, and we usually do that with spectrum analysis. Here I'm running software called gqrx. Spectrum analysis means that we're looking at a waterfall view of the frequency domain, which is the horizontal axis in this diagram, over time, the vertical axis. So we're tuning the SDR to a certain frequency window, and that will show you the strength of each signal within that window; so here the wider signals are much stronger, the peaks. After we've located our signal of interest in frequency and time, we need to start decoding it. Now, there are dozens of different ways to actually modulate a signal, and each modulation potentially has dozens of different parameters for how data is encoded within that. Specifically, for things that we're discussing, or that most of this crowd would be interested in, we usually care about digital data that's modulated onto an analog carrier. So digital data being digital data, that's kind of obvious, as opposed to, let's say, analog data, which is voice; and the analog carrier is the radio waves, which are a physical phenomenon, so they're again an analog property of nature. So digital data on an analog carrier: for most use cases this is the stuff that we care about. So we can then use another open source software; in this case I'm using Universal Radio Hacker, which is software that helps you capture specific signals and inspect them, and that would help us identify which parameters they use, so things like which modulation, which line coding they use, which rate, things like that. All these things together affect how our digital signal is modulated and encoded onto the analog carrier. Once we've extracted a valid stream of bits, URH is also going to help us in doing analysis in order to understand the higher-level data protocol. This might be a phase that more of us are familiar with if we've done low-level work with protocols or things like that. This phase is where we might have to start dealing with things like checksums, forward error correction, and most importantly encryption. So if our protocol is any good, this is the point where you start to see encrypted data and start to probe how well that encryption actually works. And if we did everything like we should have, then we've completely reverse engineered our signal, and we can then take the knowledge that we have from there and implement a complete signal processing flow using a very popular tool called GNU Radio, which is a toolkit for signal processing, and this will give us complete real-time radio applications that we can then integrate into any other software stack. So that's, from A to Z, the entire process of how we take an unknown signal and move to a complete implementation in software.

There's one other very interesting aspect of SDR that I want to talk about, which is the ability to use more than one receiver. So we now have off-the-shelf devices that run multiple receivers all on the same hardware clock, and this enables really interesting use cases that aren't usually possible with a single receiver, and I want to show you two examples. So the first example is direction finding. If you're using multiple receivers, you can calculate what's called the direction of arrival of a signal. So this tells us not just how strong the signal is but also where it's coming from, and this is kind of a type of wardriving, if you're familiar with the term, that never existed before. It allows us to pinpoint signals directly back to where they are transmitted from. Another application is passive radar. In this method we're using strong, well-known signals like radio or TV stations, and we're comparing the source signal versus how those signals bounce off of a moving target. Now, this uses some complicated math, but it gives really interesting results. This basically builds a small radar station in your home, if that's where you're operating this from. So this allows you to track various different objects in motion, and in this diagram you can see some vehicles or airplanes, things like that. Very interesting stuff.

So the first question you might be asking yourself, because we've just discussed receiving up until now: what about transmitting? What's going on there? The thing is that with cheap SDRs you can't really transmit, at least not reliably. Which is not entirely true, because there is, for example, a really cool hack that allows you to send dirty signals from a GPIO pin of a Raspberry Pi. I don't know if anyone knows about that; that's a really, really cool project. But higher quality devices absolutely allow for active transmission attacks, so this opens up a whole class of attacks, things like spoofing, replay attacks, man-in-the-middle, downgrade attacks and denial of service. You can do all of these things if you have a transmitting SDR. And just to show one example which is in the news, GPS jamming is absolutely a thing. Obviously it's happening on a kind of military-grade scale, but it's happening, and you can actually measure that, like this website which measures GPS jamming all over the world. It actually does that using data from airplanes that we saw earlier, which is kind of interesting. So that's an example of a military active transmitting attack.

The second question that might be on everybody's mind is, you know, if SDRs have been around for 10 years, for over 10 years, then aren't we stagnating? What's going to change in the future, and how is all of this really relevant? And there are many answers to that question. So we know several things. We know that wireless layer ones are still a viable attack vector that isn't going anywhere anytime soon; we're seeing more and more research coming out all the time that exploits various physical layers. And we know that SDR devices just keep getting better, because we're seeing them come out on the market: they have better specs, they perform better, they're cheaper, so that's happening. We're seeing more open source signal processing tools with new capabilities, specifically around machine learning and deep learning of signals, which is a really cool thing; essentially there are some demos showing how you can pretty much do AI on signals. And we're seeing more and more clients using wireless infrastructure, so things like autonomous vehicles, drones and satellites; when all of these are deployed they're using the wireless spectrum, they're communicating over radio. And the last thing is the popularization of open source infrastructure stacks, so things like LTE or 5G: you can deploy those just using open source software. You can basically have your own LTE network within your home if you want to do that. It's a little bit complicated because the frequencies are regulated, but otherwise, in terms of software, it's possible. So there's lots of exciting advances and the field is definitely expanding and improving. So to answer the question, all this stuff points to the fact that if we care about the security of our technology in general, we should be caring about how the technology that we are building is using radio, and SDR is the de facto way to do that, either to build a product or to research it. So I'd like to end on the same note that I started with, and that is that the world of radio is full of mysteries to explore, and I believe that we're really lucky and privileged to be in a time where taking that journey is now available to everyone. Thank you very much.

[Applause]

I know you asked for a special red little drink; we call it "smile to the paparazzi". That's good. All right, so now I have a special announcement, but thank you so much. We have speaker gifts and the drink, and Campari for you back there. Thanks. Leave the clicker, that's not a gift. Okay.
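The receive chain the talk describes, as an added worked example that is not code from the talk or from the speaker: the SDR delivers IQ samples of the tuned-down carrier, software demodulates the FM carrier back to the 100 Hz baseband tone, and a mistuned receiver shows up as a DC offset in the demodulated output. The sample rate, deviation, test tone and tuning offset are constructed values chosen for the example.

```python
"""FM signal chain on IQ samples in pure Python (constructed test data).
The SDR tunes the carrier down and hands software complex IQ samples;
the demodulator turns the phase steps between samples back into the
baseband signal (here a 100 Hz tone standing in for the talk-show voice).
"""
import cmath
import math

FS = 48_000        # IQ sample rate in Hz (assumed value)
DEVIATION = 5_000  # peak FM frequency deviation in Hz (assumed value)


def make_tone(freq_hz, n_samples, fs=FS):
    """Constructed baseband signal: a unit-amplitude sine tone."""
    return [math.sin(2 * math.pi * freq_hz * n / fs) for n in range(n_samples)]


def fm_modulate(baseband, fs=FS, deviation=DEVIATION):
    """FM: instantaneous frequency follows the baseband value, so the
    frequency is integrated into phase sample by sample; output is IQ."""
    iq, phase = [], 0.0
    for m in baseband:
        phase += 2 * math.pi * deviation * m / fs
        iq.append(cmath.exp(1j * phase))   # unit-magnitude complex sample
    return iq


def shift_frequency(iq, offset_hz, fs=FS):
    """Model the SDR being tuned offset_hz away from the carrier centre."""
    return [s * cmath.exp(1j * 2 * math.pi * offset_hz * n / fs)
            for n, s in enumerate(iq)]


def fm_demodulate(iq, fs=FS, deviation=DEVIATION):
    """Quadrature discriminator: the phase advance between consecutive
    samples is the instantaneous frequency, hence the baseband value.
    Returns len(iq) - 1 samples; a tuning offset appears as a DC term."""
    out = []
    for prev, cur in zip(iq, iq[1:]):
        dphi = cmath.phase(cur * prev.conjugate())   # phase step in -pi..pi
        out.append(dphi * fs / (2 * math.pi * deviation))
    return out


def estimate_tone_hz(samples, fs=FS):
    """Frequency estimate from interpolated positive-going zero crossings,
    after removing DC, to confirm what the demodulator recovered."""
    mean = sum(samples) / len(samples)
    x = [s - mean for s in samples]
    crossings = [k - 1 + (-x[k - 1]) / (x[k] - x[k - 1])
                 for k in range(1, len(x)) if x[k - 1] <= 0.0 < x[k]]
    if len(crossings) < 2:
        return 0.0
    return (len(crossings) - 1) * fs / (crossings[-1] - crossings[0])


def run_chain(offset_hz=0.0):
    """Modulate a 100 Hz tone, optionally mistune the receiver, demodulate.
    Returns (recovered tone frequency, DC offset = offset_hz / DEVIATION)."""
    iq = shift_frequency(fm_modulate(make_tone(100, 4800)), offset_hz)
    rec = fm_demodulate(iq)
    return estimate_tone_hz(rec), sum(rec) / len(rec)
```

`run_chain()` recovers the 100 Hz tone with no DC term, while `run_chain(500.0)` recovers the same tone riding on a DC offset of 0.1 (500 Hz mistune divided by the 5 kHz deviation), which is the symptom a practitioner looks for when the SDR is not centred on the carrier.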