
Very warm introduction this week. In fact I have started working at Bastille; over the past three years I've actually been working at Ettus Research, so I'm actually quite mad for software-defined radio, and today I'd like to show you some of the experiments that I've conducted over the past year. Good suggestion, so let's kick it off then. I'd like to talk about spectrum monitoring, drones and first person video, vehicle keyless entry, and in particular multipath. Just to get a show of hands, who's heard of multipath when it comes to radio propagation? All right, good. So hopefully I'll be able to show you one technique that you can use to actually visualize it and make it look pretty.

So, spectrum monitoring. Well, fundamentally you're still trying to check what signals are out there: what portions of the radio spectrum are in use, who's using them, what sort of signals are out there. A couple of years ago when I was in Vegas I rented a car, and you can usually tell which car I might be driving: it has some extra antennas connected to the roof there. If you were to look a little bit closer you can see that there are a variety there; I've got some whip antennas for different frequencies but also GPS mag-mount antennas connected to the roof. Inside the car then you've got the laptop. In this instance I borrowed some hardware from my former employer, and there we have the [unclear] and the X300, just two different radios sampling at different frequencies. You could, for example, write some Python code. Python code is great because it's easy to play with and modify quickly; this actually interfaces to GNU Radio, and GNU Radio has an interface to talk to the hardware. This particular program then was just something I sort of wrote bit by bit as I was going around on this road trip, to scan the spectrum, go through it bit by bit, and actually record and log the energy signatures that were detected at each step. So you would go through, and on the left hand side here you can see that when it does one iteration it logs the GPS coordinates where the data was collected, and it tells you what frequency, what gain settings, how long it took, how many FFTs were processed, and it does this over and over again, and you can configure what range of the spectrum to actually go through. So I wanted to do the entire thing, and in Python code it just looks like this when you want to configure it to scan a particular range: you configure it and then specify what ranges in the radio spectrum to look at, and it will just go through, and it will also plot them if you like.

It's just really interesting to see the sort of signatures that various communications protocols have on this sort of FFT plot. So this one here is at 1.8875 gigahertz, so this is in the cell band, and you have these three distinct lines here. The blue one there is sort of the average energy captured at that frequency for a period of time: you do the Fourier transform, so you turn it into the frequency domain plot, and then you basically take the average over each of those successive windows. The red one there is the peak energy in each of those frequency bins, and green is the minimum, or the lowest energy, in those bins. Usually you would just look at the average, but if you have the maximum and minimum it's also very helpful, because you can see if the signal is on all the time or if it's bursting. So there are some communication systems that only send out energy every so often, and obviously you'll have a maximum amount, the average would be a little bit lower than if it was on all the time, but your minimum would actually be at around the noise floor; whereas if it's transmitting all the time your minimum would actually be elevated to around about the level of the other ones. So you can see here this is probably some bursty sort of signal, and the plot there, it's obscured on the right-hand side, is the time domain plot, so that's just the magnitude of the signal, not all that interesting.

Then as we iterate through, you see that it will animate the display, and that looks like this as it goes through the frequency steps, and these ones are all captured from the cell band. Because it's also storing the GPS coordinates, you can take those and then put them on the map at each point where you captured some of your spectrum. So you can go around essentially like in the old days of wardriving, where you would get a fix from GPS; in this case you're storing spatially the spectrum at that particular point, and that can give you very interesting clues about what systems are in use, but in particular spatially where they're based. You could go on and process this data more for localization if you wanted to. And if you don't want to just capture absolutely everything, you can also do other tricky things like energy detection. So you might say, well, I want to capture the notion of my idle spectrum, or a silent spectrum, and then any signal that pops up and exceeds some energy mask that I've defined here. So in this case it's in blue, see how it's kind of flat; anything that exceeds that we mark in red, and then you can see, hey, something's actually popped up as a signal, I'm going to store that and then I'm going to analyze it later. And then in this case, when it actually detected those signals, you can see that it found a hit there, and it stores all that information so you can process that later.

So this is just like a generic tool for looking at the radio spectrum, and what's nice is that as you end up doing this sort of sequential scanning you can store these individual captures and then stitch them into one really wide wideband FFT. So here we're looking at, what's this, we're looking at the two regions of the cell spectrum allocated: this is roughly the 800 megahertz region and this is in the 1.9 gigahertz region, and you can see that each of these individual sections is one capture. You can record all of that and then run Fourier transforms and stitch them all together into one continuous thing, and although it's not real time in this case, it gives you an idea of how the spectrum is allocated and all the different sorts of protocols and communication systems that are out there and how they actually organize the spectrum. It's one thing to say, look at the FCC's database, see notionally how the FCC has agreed to license the spectrum; it's another thing to actually go and look and see how it's really being utilized from a day-to-day perspective. And also, even if you measure stuff over the course of the day, you can correlate it with human activity, so maybe during peak hours there'll be more activity in the spectrum than in other hours. It's just interesting to see how human behavior can actually be captured in the radio. This is a wider FFT here; this is actually the 2 to 2.5 gigahertz portion of the spectrum, so it's ISM 2.4, Wi-Fi, and you can see all of the sort of Wi-Fi traffic and Bluetooth traffic popping out there. So that's sort of the generic analysis of the radio spectrum. You can also do other clever little tricks, and I'm going to do a shameless plug: I'm going to go into this in a lot more detail on Friday, if you want to come along to the Wireless Village.

But instead of just looking at the frequency domain, so how the radio energy in the radio spectrum is distributed throughout the frequency domain, you can actually look at this thing called an autocorrelation plot. What this is doing is it's trying to analyze the signal to see if there are repetitions inside it, and that can be a really important clue as to what sort of signal it actually is. So here I've done this for some of the major popular cellular standards that are out: GSM for the first two, LTE for the second two, then 3G CDMA. Each of these systems tends to have, especially on the control channels, repeating information, so that when you turn your mobile phone on it has to find a network: it has to try to find some known information out there that it can actually identify as a legitimate network and say, oh, I'm going to start getting information about the network, synchronize to it, figure out what's going on, and then I'm going to subscribe and actually get on as a subscriber. So here, if you look at GSM, then it has these characteristic peaks, and the way you interpret this kind of diagram is that you look for the first major peak that pops up, and that's telling you that there's something in your signal that repeats with that period. There's a more obvious one here for LTE, and you maybe can't quite see it, but its first major peak actually appears at exactly 10 milliseconds. And if you were to do the same thing for 3G CDMA, then you'll also get a really strong peak at 10 milliseconds, and if you actually look at the standards, that's the rate at which the system sends out the same information; that's the repeating information about the network, so it's a fixed bit of information that your cell phone will try to find and then lock onto here. So if you have some unknown signal and put it into something like this, and if you know the standards, you say, oh well, that's repeating at this rate, oh, that's for doing that. Right, if you were to hook this up to GPS you would have a peak sticking out at one millisecond, because that's the rate at which their CDMA code wraps around, the civilian access codes. So it's another little hint about what it's doing. So, some cool tools that you can use, just to give you a flavor of what's going on.

So let's look at drones. Drones are pretty popular, and a friend of mine egged me on to sort of get into it, and I thought it would be cool to look at how they use the radio spectrum, and also to see maybe if you could actually put an SDR into one of these babies and fly it around. So in the background here we're actually looking at the 2.4 gigahertz spectrum, where people are actually using the remote controls to fly these drones around at a drone meetup. These remote controls use frequency hopping, so you can see that you end up having these little packets that aren't transmitted on the same frequency all the time but hop through the spectrum, and this allows for lots of people to be using this same band at the same time. So it means that you don't have to individually allocate a particular frequency to a person; they can all operate, and if all goes to plan they won't interfere with one another. So it's a really effective way of sharing the radio spectrum between multiple users. So I went up there and used the [unclear] there to capture that radio spectrum. Apart from the uplinks from the remote control it was also interesting because, with first person video, they mount cameras onto the drones and they send that video back down over the air on the 5 gigahertz band. They actually transmit NTSC, the old analog video standard that has been shut down in favor of digital broadcasting; they transmit that as NTSC over FM, so it's very, very wideband, and you do need to allocate these individual channels, lest the competitors trample on one another. So that was interesting, and Make magazine did this little piece when they actually do the drone competitions, so you can see they really take off and are very nimble, and there are these amazing pilots here that have the first person vision goggles, like that, so they see from the quad. It's pretty intense. So I thought it would be interesting to see whether or not you could do this with SDR and do it digitally. So with a former employer I got this drone, and I was really excited; I actually don't have the audio plugged in, but I make some very loud and excited comments when I manage to get it going, taking off. They're really cool; if you haven't had the opportunity to fly one, I recommend it. So there's a lot of smarts in the autopilot, so it's flying in stabilized flight mode, it uses GPS and accelerometers and so on to give you a very stable flight. It's a lot of fun, but the cool thing is that it also has a downlink, so if you run the software on your laptop it'll plot where your drone is, it shows you stats about it, you can see in the bottom left hand corner. And Ettus Research makes this USRP E310, which is like a normal SDR like this, but it's in a tiny little case; it's actually a self-contained software-defined radio and an embedded PC, like a cell-phone-class dual-core processor in the one package, so that actually runs Linux and GNU Radio, and you can run OpenBTS as a base station on there. But in this case I thought it would be interesting to put, first off, a Wi-Fi dongle in there and turn it into a flying access point. So I believe there is audio; the audio will help it [unclear].
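The average, peak and minimum lines and the energy-mask detection described in the spectrum monitoring part above, as an added example in plain Python (not the talk's scanner or any GNU Radio code; the IQ capture is constructed inline, the 15 dB margin and the median-based floor estimate are assumptions):

```python
import cmath
import math
import random


def fft(x):
    """Radix-2 FFT (len(x) must be a power of two); plain Python, no numpy needed."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out


def power_db(spec):
    return [10 * math.log10(abs(v) ** 2 + 1e-12) for v in spec]


def spectrum_stats(iq, nfft):
    """The three lines of the talk's plot: per-bin average (blue), peak (red)
    and minimum (green) power in dB over successive nfft-sample windows."""
    nwin = len(iq) // nfft
    avg, mx, mn = [0.0] * nfft, [-math.inf] * nfft, [math.inf] * nfft
    for w in range(nwin):
        db = power_db(fft(iq[w * nfft:(w + 1) * nfft]))
        for k in range(nfft):
            avg[k] += db[k] / nwin
            mx[k] = max(mx[k], db[k])
            mn[k] = min(mn[k], db[k])
    return avg, mx, mn


def noise_floor(avg):
    """Median of the average line: most bins are empty, so it estimates the idle floor."""
    return sorted(avg)[len(avg) // 2]


def classify_bins(avg, mx, mn, margin_db=15.0):
    """Energy mask = floor + margin. A bin whose *minimum* stays above the mask is on
    all the time; one whose *peak* exceeds it while the minimum sits at the floor is bursty."""
    mask = noise_floor(avg) + margin_db
    labels = {}
    for k in range(len(avg)):
        if mn[k] > mask:
            labels[k] = "continuous"
        elif mx[k] > mask:
            labels[k] = "bursty"
    return labels


def make_capture(nfft=64, nwin=16, seed=1):
    """Constructed IQ (not a real capture): a carrier that is always on in bin 5, a
    transmitter in bin 20 that keys up only every fourth window, plus weak Gaussian noise."""
    rng = random.Random(seed)
    iq = []
    for w in range(nwin):
        for n in range(nfft):
            s = cmath.exp(2j * math.pi * 5 * n / nfft)
            if w % 4 == 0:
                s += cmath.exp(2j * math.pi * 20 * n / nfft)
            s += 0.01 * complex(rng.gauss(0, 1), rng.gauss(0, 1))
            iq.append(s)
    return iq


def scan_demo():
    """Run the stats over the constructed capture and apply the mask."""
    avg, mx, mn = spectrum_stats(make_capture(), 64)
    return classify_bins(avg, mx, mn)


if __name__ == "__main__":
    for k, label in sorted(scan_demo().items()):
        print(f"bin {k}: {label}")
```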
Do I need to twiddle any knobs here? And you can see on the right hand side the spectrum monitoring code is running. So remember that spectrum monitor code that I was showing? That's actually running on the E310 device in flight, so I associated my laptop with that and ran the [unclear]. It's cool because whenever you want to receive radio signals, ideally you want to try and be as high up as you possibly can, and usually that means either erecting some really large antenna mast or going to the top of a mountain or a tall building, and usually getting roof access can be problematic. So this is a creative alternative: something very small that you can fly up much, much higher, do your collection up there and then bring it back in. So here this is running the code and then sending the results down in real time to the ground while you're flying. So here's a screenshot. What's interesting is that this was the measurement of one particular frequency; remember, you see the average line, and when I threw the drone up in the air I got a 20 dB increase in that signal level, and that's purely because you're up higher; you probably have line of sight to your transmitters of interest.

So the second part of this was that if they're doing FPV and sending video down on really old school wideband NTSC over FM, and we need to allocate these channels, then maybe there's a way of doing it digitally. There are commercial solutions that would do, you know, full HD, but they're expensive; it would just be nice to look at an SDR solution. So I put a webcam on it, plugged the webcam in via USB to the E310, and then wrote some GNU Radio software to actually take the frames of video, transmit them over the air, and then receive them on the laptop and get a live video feed. So this first iteration was just using GMSK, very simple, and you can see the video frames there being broadcast on the radio spectrum. So, just very quickly, this is the prototype, very first, lowbrow: it takes in the raw video frames, which have been processed here, and then this construction here either takes frames if they're available and modulates them, or it just puts a pseudo-noise code onto the stream so that you're always transmitting something, and this means your receiver can have a signal to lock onto all the time, and then it just sends it out. On the receiver side it's a very simple demodulator, and then it outputs those raw data frames, those fragments that are displayed on the screen here. So that's what it looked like: there's just a laptop receiving it, and right over there is the 3D Robotics drone, and the drone is running.

There we go.

They're really, really noisy; that's not like a big mosquito, so it's very, very easy and quick to understand why people get really elevated, especially when one floats into your backyard, and it's kind of scary, because this is the video link. You can see it transmitting the video; in this case the first iteration is a sort of lower frame rate, but when I gave it some more altitude you can essentially see everyone's backyard. [Music] Again, this brings about [unclear] and then we are in the image, and you know you can get some serious altitude; we're going to go to another level where you fly, and when you fly, the lights [unclear]. You can see the altitude is evidently coming out, and you can see that. So that's the radio spectrum down there in the gray [unclear], and you can see in the little image there, quite high, and then, you know, once you're up high you can see a big spectrum, and that was at 25 meters up in the air as reported by there. So, some cool things you can do with drones. I had a GoPro strapped to it; that's an HD, the latest iteration I was working on, and the interesting thing now is that it was in a state where you could do full HD from a little drone, which is pretty cool.

And a little side note: these drones can be a lot of fun, but they can also be problematic. OK, get a show of hands out of interest: who has heard of or watched any of the Cyber Spectrum SDR meetups? One person, a comfortable number, yeah. So this is my good friend Austin; you might have heard about the ISEE-3 reboot mission that occurred just over a year ago now. Austin and I worked on that, he was the lead engineer for that, and he came along and we were leaving the workplace and looked outside, and there was this beeping, flashing thing flying straight up in the sky at high altitude, beeping at an increasing frequency, [unclear], and then all the lights went out and it just fell to the ground. So this drone had an old version of the firmware that had a flyaway problem, and it probably had flown for miles and miles and miles away from the controller, run its battery right down and fallen to the ground. These drones have a fail-safe feature that enables them to land safely when they reach a low battery condition. We got in the car, raced around trying to find the thing, found it, hooked it up to the laptop, downloaded the software, checked the settings, and they had set the low voltage battery failsafe feature to 0.1 volts; it's not exactly going to work. And we thought we'd be nice and look at the black box recording of the flight and maybe try and take it back to them; in the nicer 3D Robotics autopilot they store that to the SD card, but this unfortunately had no storage, so we took the whole thing apart and we couldn't do it. So sorry to whoever flew it, but it's probably a long way from home. So that's that.

So, vehicle entry. This is something that I looked at before. We probably all know that in modern cars like a Toyota Prius you can have the key fob, you walk up to it, there's some sort of transaction that takes place, and magically it unlocks; you get inside and drive.
A colleague had this car and I wanted to have a look at how this transaction really took place. So here he has his fob in his hand, and the car is continually broadcasting a broadcast message over low frequency, and the remote controller has a three-axis low frequency pickup, so that when you get close it will detect this message and then initiate a transaction, a challenge-response. So the response is sent back over UHF, as it would be if you pressed the button on the remote control, but in this case I just wanted to look at both sides of the link to see how that transaction actually took place. So there I've got an X300 there which is sitting on the LF from the car; you can see I've just got this really, really high tech LF loop antenna, and it's shoved into the door handle, and then the UHF is being picked up on this, with an antenna there. So if you look at that in Baudline, really great software written by [unclear], really great signal analysis, you pop it up there: in the frequency domain, the LF, and interestingly in the time domain you can see that there is just this sequence of pulses that it sends out that encodes some sort of broadcast information, then something specific to the car that the key fob [unclear]. So there's some wake-up that occurs if the key fob is near, then an ID is sent to the key fob, and then the challenge is sent separately; the key fob is responding to all this, but this is only looking at one side of the link. So in the frequency domain for the UHF response from the remote control you can see that there is just a series of energy bursts that also encode data in a similar way. So if you look at it in the time domain, where you had that ID, wake-up, and a response, a challenge, this is some sort of ID, ID and acknowledge, acknowledge, and then the cryptographic response, and when the car receives it, it authenticates that it's the legitimate owner: I'm going to open my door now. The cool thing is that with software-defined radio you can actually look at both of these links simultaneously and see how they line up in time. So in this case I'm running Baudline but with two radio inputs, and it's actually putting both frequency domains in different colors on top of one another. So if you look at that in time, you can see that the blue there is the LF challenge from the car, it's very periodic, and then the red there is slightly off frequency; we can see here that there's some sort of transaction happening, I'll show you that in a minute. And then the individual frequencies in GNU Radio: so here is just a USRP source, the two channels going into the Baudline sink, so if you look at this in time, to me it looks like what we saw in Baudline, and then there's the challenge.

So in this case I wanted to set up a relay to see if you could actually relay it over IP. I had a feeling it wouldn't work, for very obvious reasons, but I just wanted to try. So in this case we're pulling in the low frequency, we've got a Ham It Up upconverter hooked up to a B200, and this B200 is going to send back the UHF from somewhere else. You've probably heard of people using amplifiers to do this, and that's the reason why you should put your Prius remote control in your fridge, in your freezer. But inside now we've got an E310, and that is going to actually now broadcast inside what the car is broadcasting outside, so it's going to repeat it inside, and then there's a loopback to test whether it's working, which is this: if you put the remote anywhere around here it's going to think that it's next to the car and transmit some sort of response, which is going to be picked up by this board. So if you put the remote there it's going to get the LF transferred back to here, and then, as VNC to the laptop outside, the wake-up was coming through. I won't go into these details too much, but what this is doing is it's looking for energy bursts: so basically the spectrum is idle all the time, it's not going to send anything, but when it comes alive with one of these challenges or a response then it starts capturing, waits for it to go idle again, and just takes that block of samples and sends it to the remote site. So that's what's happening here, and the same business there; this is now inside, so you can see there that the low frequency stuff is coming in, and this peak over here shows the remote has actually picked that up and it thinks it's next to the car, and it's broadcasting back its UHF response. So that would be a good step, because the right things are sent to the car; the question then is, does the car think that the remote is next to it, and will it unlock? So this is the same sort of relay but for UHF as well, and then outside, the laptop there is ensuring that the UHF is being correctly sent outside, the rebroadcast, properly. And again, this is just the test run; I thought definitely it wouldn't work, I just thought, you know, who knows what might happen. You can see there that it's popping up, this is the remote control responding, and all this excitement around, so, ah yeah, maybe, who knows. And of course it didn't work, which is good, right, because it means that they did the security properly. Who can tell me why it didn't work? Yes, so, timing: because the latency of the overall relay was far too long, which is good; this is what you expect it to have. So if you look at it in terms of the timing of a proper transaction, when the remote is next to the car, you can see the blue is the low frequency and the red is the response from the remote control for that, and you can see that they happen in very, very quick succession, because that's what you expect when the physical devices are together, and if you look at it in the time domain again, that happens very, very quickly. Now because I was using GNU Radio outside, shipping over Wi-Fi over IP, and actually later on through an ethernet cable as well, inside rebroadcasting and replaying, then capturing it and sending it back outside, that just adds up latency in the system, and so if you're doing this with sort of general-purpose hardware then you're now exceeding the timeout of this transaction and it doesn't work. Something else you can do is a direct radio-to-radio, but you can't do it over the air, because then you actually end up having a hard line between two radios to stream the samples back and forth. Now there's been some other work done by other folks, I think on a different model of car, that took things further. I sort of abandoned it after this because I had other things to look at, and it was more about just looking at the transaction in the radio spectrum, but you know there are other interesting avenues you can go down to try and fool the system. That's just sort of giving an idea of how one of these other popular communications protocols is implemented, what it looks like on the radio spectrum, and how you can actually visualize that itself.

So I'll just talk a little bit about multipath. Multipath is always a problem in deployed communication systems in the real world. A lot of the time when people talk about wireless
systems, you can talk about it in a theoretical context, and then when you end up deploying a real wireless comm system out there in the real world you have to end up dealing with all sorts of additional effects that can degrade the performance of your system, just due to the fact that you have lots of buildings in the way, or you might be moving at speed relative to the transmitter, so you're affected by Doppler, and reflections are reflecting, and so on. So I thought it'd be interesting to try to visualize multipath using a really common signal that's out there, and the one I chose is ATSC, digital television for North America. And like you saw in the spectrum monitoring code earlier on in the talk, here I'm actually using that same code to capture some TV signals for a period of time, and you can see that you get this very distinctive shape in the spectrum that indicates that it's digital TV. You can tell because it has this sort of flattish shape here, but then you have a spike, and that's known as the pilot tone, so you can tell if you're looking at digital TV because on the left-hand side you'll always have this pilot tone; it's just due to the way they do the modulation. Tektronix has a really nice application note about the fundamentals of 8VSB. 8VSB is the modulation they use for digital television; it's eight-level vestigial sideband, and the way it works is your transport stream contains your compressed digital video, and in the end, after processing and interleaving and forward error correction, you map it to these voltage levels; they call them from negative 7 to positive 7, and that's how you map them to binary symbols. Now as your ATSC signals are transmitted you get all your data sent, but every so often you need to send a known repeating sequence. Remember how I mentioned that with the autocorrelation: for digital television you have to have this known sequence because your TV sets have to know how to recognize it; your ATSC receiver has to have a known sequence that is defined in the standard, so if it says, ah, this is going to be this long sequence I can lock onto, it's going to be the beginning of the stream from this point and I'm just going to keep receiving from there. So every so often in your ATSC signal there's going to be the sync segment, but more importantly there's going to be this long synchronization series of symbols that's used by the TV to assess the state of your channel. So there is an equalizer in there, and that will be used to mitigate against multipath effects, because multipath basically means, as you'll see in a minute, that you have lots of different versions of the signal arriving at different points in time, and that will actually degrade your signal, because you're receiving the same thing and they're all going to destructively interfere with one another. What an equalizer does is it undoes that effect, so it does its best to sort of cancel out these other signals coming in, and you just get the one strong signal going to your television, and then it decodes it. It has to have some fixed training sequence to compare against, and that's what's in this 511-symbol-long equalizer sequence, and this is known as the PN511 code. This is defined in the standard, you can [unclear] and all have it there, and when you take that, and I have a little GNU Radio flow graph, it takes this long sequence and it turns it into the baseband signal. So this is actually what is transmitted over the air; this is what it would look like if you received just that little bit of signal. So if you actually have this as your reference, you can then go and take this, receive a legitimate TV signal, and correlate this sequence against your known TV signal, and what you get then is, periodically, every single time that field sync comes through your television stream, you'll get this really strong correlation peak. This is what you expect; this is positively identifying that we are receiving a good ATSC signal, which is cool. This is what the TV does all the time to receive and synchronize your television signal; just think about the change-channel button on your TV, it does this in an instant, all set up automatically.

Now what I want you to imagine is, I want to take these, this is looking at it over time, I want you to take these and look at it essentially from the right, so all of these correlations are put on top of one another, and you get this. So you can see, zooming in to one of these peaks and overlaying all of the peaks on one another, you can see that the peak is really strong and then around that it's all really, really low amplitude, and this is indicative of a really good sequence that you can correlate against. Now if you look at that over time, then you can see you have this really bright red line, which is your correlation peak, and everything to the left and the right is really low amplitude, so there's nothing there; in this case we're just receiving the direct signal from the television tower and we have a nice strong peak. Now if you consider the direct path there, there are no reflections, you're just getting direct transmission from the TV tower. If you have multipath, and this is the experiment we set up, you have, say, a long path and a shorter path, and the same TV signal will travel along the long path and then get to the receiver at a slightly later point compared to the short path, which will go from the transmitter and then get to the receiver. And you can see here these are bouncing off, they might be buildings, they might be big hills, some sort of reflector, but interestingly there's no direct path here, because let's say this is another hill and you're on the other side of the hill, so you don't actually see the TV transmitter. So this is the setup that we had: the TV transmitter is out there on Sutro Tower in San Francisco, and our receiver is here on the other side of this hill, and as it turned out we were receiving the TV signal bouncing back from a hill quite close by and another one further away in the distance. So if you imagine this is our view, the TV antenna is behind us and we're getting a reflection off this hill and we're getting a reflection off this one further out in the distance, so that means we're getting two strong TV signals, which is the same signal but arriving at slightly different times. So if you run the software again, this is what you get. My friend was actually holding up a TV antenna, pointing it at the closer hill and then slowly moving it toward the hill further out in the distance. So the software first locks onto the strongest correlation peak, which is going to come from the strongest signal, which is the hill that's closer in, which is here, and as you can imagine, as you're moving it from one hill to the distant hill, this is time on the vertical axis, as he moves it this correlation peak, which is the stronger signal, will decrease in amplitude because we're not pointing at that hill anymore, and the signal from the distant hill is going to become stronger, because then we end up pointing at it, and you can see there that this appears, actually two of them, to the right. So this is offset by, whatever, 60 samples, which translates into maybe microseconds' worth, but this is actually showing you that you will have one strong signal coming in and then maybe two other ones here arriving, say, you know, 57 microseconds later. So this is actually telling you how many reflections you've got coming in to the one point where you are, and that's essentially the visualization of multipath, because you can see all the different signals coming from the different path lengths they have to travel through, propagate across, to get to your receiver. And so an equalizer is important because it essentially mitigates against all the signals that end up destructively interfering. Now this is important for this system; if you consider more modern communication systems that use OFDM, like Wi-Fi and LTE, they're actually designed very much with multipath in mind, so they use different sorts of ways to correct against this, and that's kind of the gold standard against which all modern communication systems are designed; this is kind of old. The other interesting thing about this is that, consider that in this case we're just looking at two hills, right; the hills aren't moving, we're not moving, everything is going to stay pretty static, so you get straight lines here, because that's what you would expect. I did another experiment where I ended up driving from San Francisco down into the South Bay, and every so often I would capture a bit of the signal at that frequency, and my thinking was, well, probably going to pick
up a direct path from the transmitter but there might be times where I get reflections of stuff maybe off a hill or a big building as I'm traveling down the highway the distance between my car so the building to the transmitter is going to change right is now I'm moving so there might be an instance growing up getting closer and closer and closer to the building that's reflecting the signal so my path is going to become shorter and so I might see some extra lines hopping up here that are actually diagonal now because that multipath propagation distance is changing and it's a little bit difficult to see I don't really fit at these results too
much but I think if I zoomed it there's some little diagonal line so I think there was some some effect their but now considering that the car is moving you could do other interesting things to like maybe use this for passive radar and people have actually done this with different television signals and even with FM radio where you compare it against your direct path of the transmitter but you point your antenna out in the opposite direction and then you correlate the two signals to see if you're getting any multi-part reflections of things out there like airplanes so it's actually a really cool way of detecting moving objects and there's been some really interesting research done on this are people some
people also use it to try to localize I think large ships using digital television signals and there's a guidance and amazing miracle you ha on this sort of stuff and also in the context of I honest very scattering it amazing stuff so it's just interesting to think about all these wireless signals that we use every day and have actually propagate through the real world so if you zoom in there you can see that kind of have these diagonal lines showing up because I was moving so there was some sort of multipath effect happening so that's what it brings me to the end of the tour the meet meetups that I mentioned before our monthly occurrence and if your
interests are I encourage you to either join us online if you're not in the Bay Area or actually even start one up you know franchise it out but we've been running this for nine months now and we alternate between San Francisco and south bay and it's just basically a forum anybody can come along that likes SDR to talk about the project you know much like these conferences that on a sort of smaller but more regular basis and we screen them online live stream and record them in Italy so it's all online it's all sort of free so if you're interested in that get in touch or starter and thanks to your attention [Applause] so any questions No if you want to come
along on Friday to the while spillage I'll go through how to do some blind signal analysis and try reverse engineering signals on fri Sydney early optimum
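The correlation the talk describes, written out as an added example in plain Python (not the speaker's own code): a constructed pseudo-random sync sequence stands in for the real broadcast sync sequence, a constructed two-echo channel models the two hills with no direct path, and the sample rate is an assumed value used only to convert sample offsets to microseconds.

```python
import random

SAMPLE_RATE_HZ = 10e6  # assumed sample rate, only used to turn sample offsets into microseconds


def make_sync_sequence(length=256, seed=7):
    """Constructed +/-1 pseudo-random sequence standing in for the known sync sequence the receiver correlates against."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(length)]


def simulate_multipath_rx(sync, paths, total_len=600, noise_std=0.2, seed=1):
    """Received samples = one delayed, attenuated copy of the sync sequence per path, plus Gaussian noise.
    paths is a list of (delay_in_samples, gain); there is no direct path unless you add one."""
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, noise_std) for _ in range(total_len)]
    for delay, gain in paths:
        for i, s in enumerate(sync):
            rx[delay + i] += gain * s
    return rx


def correlate(rx, sync):
    """Sliding correlation of the received samples against the known sequence: one value per candidate offset."""
    n = len(sync)
    return [sum(rx[k + i] * sync[i] for i in range(n)) for k in range(len(rx) - n + 1)]


def find_peaks(corr, sync_len, threshold_ratio=0.4):
    """Offsets that are local maxima and exceed threshold_ratio of the ideal unit-gain peak (which equals sync_len)."""
    thr = threshold_ratio * sync_len
    peaks = []
    for k, v in enumerate(corr):
        if v > thr and all(corr[j] <= v for j in range(max(0, k - 2), min(len(corr), k + 3))):
            peaks.append((k, v))
    return peaks


def multipath_delays(peaks, sample_rate_hz=SAMPLE_RATE_HZ):
    """Lock onto the strongest peak and report every arrival relative to it:
    (offset in samples, delay in microseconds, amplitude relative to the strongest)."""
    k0, v0 = max(peaks, key=lambda p: p[1])
    return [(k - k0, (k - k0) / sample_rate_hz * 1e6, v / v0) for k, v in sorted(peaks)]


def demo(paths=((100, 1.0), (160, 0.6))):
    """Two hills, no direct path: the nearer hill is stronger, the farther one arrives 60 samples later."""
    sync = make_sync_sequence()
    rx = simulate_multipath_rx(sync, list(paths))
    return multipath_delays(find_peaks(correlate(rx, sync), len(sync)))


if __name__ == "__main__":
    for offset, delay_us, rel in demo():
        print(f"arrival at +{offset} samples ({delay_us:.2f} us), relative amplitude {rel:.2f}")
```

Each row of the result is one line in the talk's plot: the strongest arrival at offset 0 and each echo at its sample offset, which is the multipath delay the visualization makes visible.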