
All righty, yes, thank you all very much for coming along. Pretty big crowd today, but thankfully there's a good amount of familiar faces. So this is Hackers with Radios: security and the physical layer. The plan for today is I'll start by talking about some basic radio comms theory, then from there we'll look at specific attacks and what sort of equipment we can use to carry out these attacks, and also, I don't complain about a problem without proposing a solution, so we will be looking at some mitigation strategies.

Now, really, who am I and why should you care? Well, as you've heard, I'm a PhD student with Queen's University Belfast's Centre for Secure Information Technologies. I'm just going into my second year there, and my project is the security of 6G open radio access networks. In terms of my interest in this area, I got pretty interested in radio communications off the back of some classes I did during my undergraduate degree. From there I got some relevant work experience, and I combined that with a sort of curiosity about security for hardware, and this sort of grew out of that. Now, fun fact, I'm also involved with the Queen's Robotics Society. This is our battlebot, he's called John. If you haven't checked out the Hacker BattleBots stall upstairs, please do check it out, it's tons of fun. I'm sure they'll be getting the destructive bots out this afternoon.

But moving on from that, before we talk about hacking I do need to bring up the Computer Misuse Act. Now I'm sure that most of us have come across this about a hundred times by now, but the gist of it is you can't gain unauthorised access to other people's computers. Punishments include prison time and fines, so don't get on the wrong side of this. But when we talk about radio hacking we also need to consider using the spectrum responsibly. Now the radio spectrum is governed by an organisation called Ofcom, and they essentially define what frequency bands you need a licence to transmit on, how much power you can transmit on these frequency bands with, and how often you can transmit on them. If you get on the wrong side of them they can send you a fixed penalty notice, take you to court for a fine, or even prison time. So really don't be going out and jamming radios, please.

Generally when we think of radios we tend to think of a walkie-talkie or a similar sort of thing, but I'm sure everyone in this room has a good number of radios on them right now. So for example, I have my phone (I'm going to have to juggle some stuff here). Okay, so I have my phone, and it has a Wi-Fi interface, of course, running at 2.4 and 5 GHz. It has Bluetooth at 2.4 GHz. Cellular interface, so that's 4G and 5G; they use a pretty broad range of frequency bands, I won't go ahead and list them all. And it has a GPS receiver. Now aside from my phone, my wallet: it has contactless payment cards and my employee ID, and no, I won't be showing you them. These operate on near-field communication at 13.56 MHz. As well as that, wireless mice and keyboards: typically these tend to use Bluetooth, but even when they don't, and when they have a little dongle that comes with them, they tend to run at 2.4 GHz.

Now this one we'll get into in a bit more detail later, but car keys. Now this set of keys is remote keyless entry, so this is the idea whereby I click a button on the car key and the car unlocks or locks. This operates at 433.92 MHz. But if we're getting a bit fancier we move into passive keyless entry, and that's this idea that, well, I've got my key in my pocket, I stroll casually up to my car (and not away from the microphone) and pull on the handle, and the car just opens like magic. More on that later. And lastly, car keys also have a transponder built in at 125 kHz. This essentially means that whenever you start your car, your car will look for this transponder nearby. If someone has tried to pick your ignition key slot or drilled it out to try and just flip the switch, they're not going to get very far in your car without the transponder, because the immobiliser will activate.

Now those are some radios that we have on us, but how do we actually send a message with radios? Well, here's a very simple setup: we have a transmitter and an antenna, and if we want to have power radiate from our antenna we need to send a special kind of wave called a carrier wave. Now this is a sinusoidal wave. If we just send a constant, like a 5 V signal, we're not going to get much out of the antenna, so we have to have this time-varying signal. But the thing is, this allows us to radiate power but there's not much information encoded in this, right? It tells us okay, the transmitter's on or off. So to encode information on this carrier wave we need to go through a process called modulation. In modulation we take our carrier wave, which can excite the antenna but has not a lot of information, and we take our data, which is our information, and we combine them to create this output waveform on the right, which can excite the antenna and also carries information.

So what does this look like, or even better, what dials can we turn to modulate our carrier wave? Well, this is the formula for a sinusoidal wave, and you'll see I've highlighted three values: that is the amplitude, so the maximum value at each cycle; the frequency, which is the number of cycles per second; and the phase, which is essentially the point in the cycle where we start. So these are three quantities that we can vary to change the shape of the wave. So if we want to vary the amplitude in order to encode some information on the wave, so if I want to say hello, or even better 0101, an arbitrary bit string that I picked, you'll see that we choose two different amplitudes: we have a zero and we have just, you know, the carrier wave. Now, fun fact, this amplitude scheme, I've personally seen this used in my own car keys and in a set of remotes for Christmas tree lights. Very, very different sort of requirements there, but they use the same modulation scheme.

Now if we want to change the frequency in order to encode some information on our wave, well, you'll see that we've defined two different frequencies: we have this lower frequency that looks a bit fatter and we have this higher frequency that looks a bit more bunched up. So if we want to send a zero we send this lower frequency, if we want to send a one we transmit this higher frequency, and I found that this scheme is used in weather balloon radiosondes for transmitting data to ground stations. Lastly, phase shift keying. So you'll see that if we want to send a zero we just send a copy of the carrier wave, but if we want to send a one we send that shifted by 180°, so anywhere there is a peak there's a trough, anywhere there is a trough there's a peak. You'll also see that at any transition from a zero to a one or a one to a zero there are these really sharp, sudden changes in the wave, so for a really simple demodulator you might just look for these sudden transitions. A variant of phase shift keying, or PSK, is used in GSM communications, that's 2G.

Now why do we actually need to be able to tell different modulation schemes apart? Well, if you're trying to interpret a signal for yourself and you receive something like this, you need to be able to look at it and say, well okay, I'm seeing the carrier wave and then nothing, carrier wave, nothing, on, off, on, off. There's no real change in the frequency and there's no apparent change in the phase, so if I'm using software like Universal Radio Hacker I need to be able to select, okay, amplitude shift keying, to get this demodulated waveform and then the bit string out of it, and that was the original information that was transmitted. Now you might be happy to hear that that's about the most radio theory we'll be looking at for now, so let's move on to actual security.

So, oldest trick in the book: the replay attack. So we have our innocent user, Bob, as his friends call him, and he has a key for his garage door opener. He presses open on the garage door opener, his garage opens. Pretty simple story, except we introduce an attacker who has a bit of radio equipment that can listen in to this transmission. So Bob presses open on his key, the garage door hears this, it opens, but the attacker also hears this. And this is something to keep in mind: generally, unless you're specifically trying to avoid it with high-gain antennas or with beamforming, if you broadcast a transmission like this, even from your keys, that's going to go in quite some wide angle around you, like that could go 360° around you. So our attacker can pick this up even though it wasn't originally intended for him, and he can go ahead and replay this later when Bob goes to bed, and that garage door will open if there's no replay protection.

So here's a comparison of some hardware that we can use for these sorts of attacks. Obviously we can't talk about radio hacking without talking about the Flipper Zero. So at £165 that seems a bit steep at first, but radio equipment of this sort generally tends to cost a little bit more than I'd like. Now it's sort of described as the Swiss army knife of physical radio hacking. We're interested in the sub-1 GHz module in this piece of kit, but it also has a bunch of different interfaces like Wi-Fi, Bluetooth, NFC, so it's a pretty good all-round tool to have. Now the device that I used for my demos in this talk is the HackRF One, which is a software defined radio, or SDR. Now it's a bit more expensive at £220, but it's a lot more flexible within its frequency range, so if you can think up a signal in something like GNU Radio and it's within the right frequency range, this can probably transmit it no problem. And thankfully I didn't have to buy this, this was lent to me by my buddy Grant, I'll shout him out at the end.

But before he handed that to me, I was trying to put together this DIY, arts-and-crafts-looking radio here. So I looked at the Flipper Zero and I thought, well, that's a bit expensive, what is the sub-1 GHz module in that? I found it was the Texas Instruments CC1101, so I just ordered a module of my own, put it on a breadboard, hooked it up to an Arduino and tried to directly write some code for that. Now that seemed fine at first, but I ended up nearly bashing my head off a wall trying to actually get it to replay a signal exactly, because it's not a software defined radio, it can only transmit in certain ways. So if I wasn't given this SDR I probably would still be playing about with this thing, but at £30 I can't really complain.

Now when I was looking at tools for this talk I did come across something that's maybe not so practical, but I knew I absolutely had to mention it. Here's the hottest new radio hacking tool from Mattel, the Girl Tech IM-Me. Now this is an instant messaging toy for children and radio hackers, and it contains the Texas Instruments CC1110 sub-GHz microcontroller, so very similar to the one in the Flipper Zero, just a bit older. So people like Samy Kamkar (more on him later) found that it's pretty straightforward to upload custom firmware to this, so he has a demonstration on his website of using this to open a garage door opener, and some other researchers also found that they could use this to jam P25 or secure radios. So it's a very scary toy. Very purple.

Okay, so back to business. I was sitting at Farset Labs over at Weavers Court and I was looking about, thinking, well, what can I really interact with with my radios to prove my point here? And I saw this: it's a projector screen that has a motor attached to it, and this projector screen motor has a remote controller that works on 433.92 MHz, just the same frequency band that my car keys work on, in fact. So here's the unit that it interacts with, here's the HackRF One that I used to record a signal, and I thought I would be this guy for today. So I click the down button, or no, sorry, I click the up button on the remote next to my HackRF One while I'm recording the signal, and the signal that I get looks something like this. And if you think back to our chat about modulation you'll see that we have nothing, carrier wave, nothing, carrier wave, so on and so forth, with no real change in frequency and no real sudden change in phase, so it would be a reasonable guess to say that this is amplitude shift keying. But in a replay attack we don't even need to analyse this waveform, we don't need to know anything about it. All I had to do was press replay, and this is what happened when I did that. Yeah, so the projector screen started rolling up. So I've used about £220 worth of equipment to defeat a £20 remote control that probably didn't have security in mind to begin with.

So I got to thinking, where do I go from here? What's the sort of harder target that maybe security is sort of important for? And then it hit me: my car. Well, it didn't actually hit me, the idea hit me, to try and break into it. And you'll find that if you try and repeat that replay attack while standing right next to a car, okay, you listen to the signal from your keys and you replay that, nothing happens. And this is because cars use a bit of replay protection called rolling code. Now bear with me. In rolling code the key and the car both track a counter (and I'll get my car keys out, just to sort of have something tactile to click). So whenever you press a button on your car key, that'll send a message with that command, lock or unlock, but it also will include a cryptographically encoded function of that counter. So the car receives this message; the message of course has the command and the cryptographic function of this counter, and the car will compare this to its own counter. If the counter in the key matches the counter in the car, happy days, the car will unlock. In fact, if the counter in the key is a little bit ahead of the car it'll still unlock, but if the counter in the key is behind the counter in the car, the car will just completely ignore the command and refuse to unlock. Yes, so any time you press the key, the counter in the key will increment, and any time the car receives a valid key press it will synchronise its counter with the counter in the key.

So what does this mean for our attack? Well, it means that whenever Bob presses unlock on his key, the car receives a message containing a function of one, so that function of one is what we're calling the rolling code, and we also receive the same message which contains a function of one. The car is expecting this value so it unlocks, but if we try and replay that same message later, well, the car is expecting a function of two or three or four or something, and we only have that function of one. And because of the encoding of the counter it's very hard to predict what the next encoded value will be. So we're sort of out of luck if we want to try and attack this. Or are we? Well, I mentioned Samy Kamkar earlier, and he came up with this attack called RollJam. So you'll see in the top right, that's his hardware he put together, and in the bottom right that's another design by Spencer White, but you'll see that there are two antennas: one of these jams the car's radio receiver and the other carries out a replay attack. I also want to mention Samy Kamkar is also known for a very popular Myspace worm and a lot of work on drone hacking, so this is very much in character for him.

But here's how this attack works in some detail. So Bob will click unlock on his car key, but we are jamming the receiver of the car, so we'll receive message one and the car won't hear anything. Bob sees that, well, his car is not unlocked, so he'll do the very natural thing and press the unlock button again. We're still jamming the car, so now we've stored message two and message one; we have two valid messages. And we very quickly stop jamming the car and we replay the older of the two, leaving us with one valid message. So we can go on and on and do this a near infinite amount of times until eventually we have messages n and n minus one. Bob decides it's time to go to bed, or go to work, or leave his car; we've transmitted n minus one to lock his car for him, very kindly, and then he leaves, and we transmit message n, the most recent message, and the car unlocks.

So I really wanted to try and demo this attack, but unfortunately, I mentioned Ofcom earlier and apparently they really don't take kindly to you trying to jam radio frequencies. So I decided to try something a bit different. This is the remote keyless entry relay attack. So we have two attackers, one is near Bob and one is near Bob's car; Bob and the attacker are very far away from the car. So the attacker next to Bob at some point receives an unlock message from Bob's key, either by very quickly, momentarily, stealing it and covertly receiving that, or waiting for Bob to play about with his keys, I don't know, maybe people do that. And the attacker next to Bob, after receiving this, transmits that message to his accomplice (and I use the graphic of a satellite here, but realistically this is probably an email or something), and the accomplice replays this message to the car, and because the car hasn't heard this one before, it will unlock.

So here's a quick demo of me emulating that. So the first step: I recorded the unlock signal from my car key while pretty far away from my car. I then travelled to my car some distance away, and this is to emulate sending the message to an accomplice, and then I replayed the signal next to my car. So here's me, here's the HackRF One, laptop in hand, and I'm about to press replay, and you'll see that the car unlocks. So that's nice, but I have to ask myself, is this a realistic attack for a criminal, for someone who means some harm or some personal gain? Well, I reckon if you're an opportunistic thief and you're walking past a car and you see a laptop or a watch in the passenger seat that you really want, are you (a) going to run home, go on the internet and buy £200 worth of radio equipment, run back, try and find the owner of the car and carry out this really convoluted attack, or are you (b) going to grab the nearest brick and put it through the window to smash and grab whatever you can? Because I think it's going to be option (b). I'm not saying that this isn't going to happen for some motivation, but for the motivation of petty theft, criminal damage is probably a lot more convenient. Now for a car thief trying to steal the car itself, yes, some of these thieves are motivated by selling the car for its value, but a lot of them are looking to chop the car for parts.
So yes, being able to just open the door is very nice, but even once the thief is in the car they're still going to have to find a way of starting the engine and getting past the immobiliser. So with all the other hurdles, I don't know if they're going to try and stalk someone to carry out this attack with remote keyless entry. Passive keyless entry, that's another kettle of fish we'll get into in a minute. So the only real sort of criminal I can think of that would ever benefit from this would be a stalker of some description leaving a tracker inside of a car, but even then I imagine there are plenty of places outside of a car that this would work for. So I just don't know if this is the most dangerous exploit of all time, but definitely do make your own mind up on this one.

So I might not be convinced about the practicality of this attack, but an attack which I am convinced about, and have seen a lot of CCTV footage of this attack happening, is an attack on keyless entry and keyless start. So how this is supposed to work is Bob has his keys in his pocket. So Bob's got a nice new car with passive keyless entry, he walks up to his car, he pulls on the door handle and the car issues a challenge. Bob's key hears this challenge, calculates a response, sends that response to the car, and the car then unlocks if that response is correct. So this exchange could be very cryptographically secure, but that actually doesn't matter too much because of one fatal flaw, one fatal assumption, and that is that the distance this can occur at is limited because the key's transmit power is low and the car's transmit power is low. So it's a bit like saying that if someone was up on stage with me and whispered something into my ear, you and the audience would have a very hard time hearing it, unless I was to start yelling that out at the top of my lungs, repeating what they'd said.

This is the two-thief attack. So Bob has put his car in his driveway and he's gone to bed for the night. These two thieves, attacker one and attacker two, show up on the scene. Attacker one is next to Bob's car and attacker two is next to Bob's house where the key is located, and both of these attackers have radio equipment which is capable of receiving the required signals and playing an amplified version. So attacker one pulls on the door handle, the car then transmits the challenge message quietly, low power. Attacker one receives this and then replays it at an extremely high power, yelling it very loudly into the air. Attacker two receives this and replays it to the key. The key receives what it thinks is a normal challenge, calculates the response and sends it back out into the air. Attacker two receives this and replays the amplified version, which is picked up by attacker one, who then passes it on to the car. Again, so the car has had the user pull the door handle, it's issued its challenge and it's received a response, so it does the only natural thing and it unlocks. Attacker one then presses the ignition button on the car, this exchange repeats, and attacker one is away. And again, keep in mind this is possible because the assumption in this exchange is that the distance is limited because the power is limited.

So that doesn't seem very good. So how can we mitigate this attack? Well, here's a graphic put out by the PSNI telling owners of cars what they can do to try and reduce the risk of the car being stolen like this. Generally, I like this advice, I have no issue with the advice itself, but I think it's unfortunate that some of this advice has to be said in the first place. So when you have advice like "put the device in a signal blocking pouch such as a Faraday bag" and "turn off wireless signals on your key fob when it's not being used", I think that's interesting, because if you compared that to a phone: if you bought the newest fruit-branded smartphone tomorrow, you brought it home and you unboxed it, you're very happy with it, and then you look online and you see a graphic from your local police service that tells you, oh by the way, turn off all wireless communications on this device when it's not being used because it's really insecure and could leak your information, you might return the phone the next day. So I don't know, I think something's gone wrong here.

Now, as I said, I don't like complaining without proposing a solution, so here are some of the solutions that have been proposed by others. For one, encode timestamps in these exchanges. So radio waves in a vacuum propagate at the speed of light, 3 × 10^8 m/s. If I have a securely encoded timestamp in all of my transmissions, let's say from the perspective of the car it receives a message that says it was sent at 10 a.m. and 0 seconds, but this is received at 10 a.m. and 45 seconds, and the maximum effective range for this protocol should be about 5 m.
Well, something's gone very wrong: either someone's jamming and delaying your signal, or something's gone awry with the laws of physics. Either way, probably a good idea to keep the door locked. Okay, researchers have suggested the use of machine learning techniques for fingerprinting signals in order to differentiate between a legitimate key and a different piece of equipment being used to repeat the signal from that key. And lastly, it's been suggested that we should use physical metrics like the received signal strength, round-trip time or even GPS coordinates to identify proximity. I understand there's no free lunch (well, unless you're at BSides Belfast), but with the use of encoded timestamps there is a challenge there in synchronising the timing in the key and the car, and this is all a trade-off between security, price and convenience, and the line has to be drawn somewhere. So I do understand why things are the way they are.

Now what are the takeaways? Why am I up here talking to you? Well, keep in mind, when you broadcast a message from a wireless device you generally can't control who receives it, unless you're using a high-gain, focused antenna or you're using beamforming; you can generally only control who gets to read it using cryptography. Secondly, I'd like you to have a think: do we need to have higher expectations regarding wireless and hardware security testing, or do we need to have more of a focus on specific job roles or disciplines that just test for these sorts of attacks? Because I genuinely don't have answers for that, I would love to chat to you about it later, maybe at the after party. And if you're an interested beginner in this area, check out a course for the Foundation amateur radio licence (sorry, I'm tripping over my words), possibly from the Radio Society of Great Britain. Honestly, the theory on the Foundation exam is really, really helpful, and it'll also help you stay out of trouble.

Oh yeah, so before I wrap up, some other topics I wanted to bring up but didn't really have time for: wireless keyboards, is yours encrypted? Wireless mice, can someone pair a fake wireless keyboard with your mouse dongle? Maybe. Radio access networks, that's a whole other topic, with things like false base stations and various eavesdropping attacks, piecing information back together and key exchanges, but I'll leave that for another time. So thank you very much, and a special shout out to Grant Brins for lending me his HackRF One, my dad for filming me break into my car, Farset Labs for letting me play with their projector screen, and Samy Kamkar for inspiring this talk. Thank you.

We have time for questions. Awesome, yeah, are there any questions?
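The three keying schemes from the modulation part of the talk, as an added example that is not the speaker's code: it generates ASK, FSK and PSK waveforms for a bit string, makes the "which dial is moving?" call the talk describes (amplitude, tone, or phase), and then demodulates once the scheme is chosen. The sample rate, tone frequencies and bit strings are constructed values, and it is pure Python so it runs with no SDR attached.

```python
import math

# Constructed parameters: everything is expressed per bit period, so the
# carrier is F_CARRIER cycles per bit and each bit is SAMPLES_PER_BIT samples.
SAMPLES_PER_BIT = 64
F_CARRIER = 4.0            # ASK and PSK carrier, cycles per bit
F_LOW, F_HIGH = 2.0, 6.0   # FSK tones for a 0 and a 1, cycles per bit


def _t(n):
    """Sample time within a bit period, offset by half a sample so no sample
    lands exactly on a zero crossing (keeps the crossing counter simple)."""
    return (n + 0.5) / SAMPLES_PER_BIT


def modulate(bits, scheme):
    """Amplitude (on/off), frequency (two tones) or phase (0 or 180 degrees)
    shift keying of a bit string such as the talk's 0101."""
    samples = []
    for bit in bits:
        for n in range(SAMPLES_PER_BIT):
            if scheme == "ASK":        # 1 = carrier on, 0 = nothing
                amp = 1.0 if bit == "1" else 0.0
                samples.append(amp * math.sin(2 * math.pi * F_CARRIER * _t(n)))
            elif scheme == "FSK":      # 1 = higher tone, 0 = lower tone
                freq = F_HIGH if bit == "1" else F_LOW
                samples.append(math.sin(2 * math.pi * freq * _t(n)))
            elif scheme == "PSK":      # 1 = carrier inverted (180 degree shift)
                phase = math.pi if bit == "1" else 0.0
                samples.append(math.sin(2 * math.pi * F_CARRIER * _t(n) + phase))
            else:
                raise ValueError("unknown scheme: " + scheme)
    return samples


def bit_features(samples):
    """Per bit period: peak amplitude, zero-crossing count (a proxy for the
    tone frequency) and correlation against the reference carrier (sign of
    the phase). These are the three dials the talk says we can turn."""
    feats = []
    for start in range(0, len(samples), SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        amp = max(abs(s) for s in chunk)
        zc = sum(1 for a, b in zip(chunk, chunk[1:]) if a * b < 0)
        corr = sum(s * math.sin(2 * math.pi * F_CARRIER * _t(n))
                   for n, s in enumerate(chunk))
        feats.append((amp, zc, corr))
    return feats


def classify(samples):
    """The 'look at it and decide' step: does the amplitude change, does the
    tone change, or does the phase flip? Needs at least one 0->1 or 1->0
    transition in the data; an unmodulated carrier reads as 'unknown'
    because no dial is moving, which is the talk's point about carriers."""
    amps, zcs, cors = zip(*bit_features(samples))
    if max(amps) - min(amps) > 0.5:
        return "ASK"
    if max(zcs) - min(zcs) > 2:
        return "FSK"
    if min(cors) < 0 < max(cors):
        return "PSK"
    return "unknown"


def demodulate(samples, scheme):
    """Recover the bit string once the scheme has been chosen, the step a
    tool like Universal Radio Hacker does after you pick ASK/FSK/PSK."""
    bits = []
    for amp, zc, corr in bit_features(samples):
        if scheme == "ASK":
            bits.append("1" if amp > 0.5 else "0")
        elif scheme == "FSK":
            # a tone of f cycles per bit crosses zero about 2f - 1 times,
            # so F_LOW + F_HIGH sits between the two tones' counts
            bits.append("1" if zc > F_LOW + F_HIGH else "0")
        elif scheme == "PSK":
            bits.append("1" if corr < 0 else "0")
    return "".join(bits)


if __name__ == "__main__":
    for scheme in ("ASK", "FSK", "PSK"):
        wave = modulate("0101", scheme)
        print(scheme, classify(wave), demodulate(wave, scheme))
```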
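The rolling-code check from the car's side, as an added example that is not code from the talk or from any car maker: the key sends a command plus a keyed function of its counter, the car accepts only counters a little ahead of the last one it saw and resynchronises, and a replayed or stale message is rejected. HMAC is an assumption standing in for the real encoding, and keeping one counter per paired fob is my assumption about the two-keys question from the Q&A, not the talk's answer.

```python
import hashlib
import hmac
import struct

# Constructed: how far ahead of the car the key's counter may be and still be
# accepted (the talk's "a little bit ahead"). Real systems pick their own size.
WINDOW = 16


def rolling_code(secret, counter, command):
    """The talk's 'cryptographically encoded function of the counter'. HMAC is
    an assumption standing in for whatever cipher a real key uses; the point
    is that the next value cannot be predicted without the secret."""
    msg = struct.pack(">I", counter) + command.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self, serial, secret):
        self.serial = serial
        self.secret = secret
        self.counter = 0

    def press(self, command):
        """Every press increments the counter, whether or not the car hears it."""
        self.counter += 1
        return (self.serial, command, rolling_code(self.secret, self.counter, command))


class Car:
    def __init__(self):
        # serial -> [secret, last accepted counter]; one counter per paired key
        # is an assumption about how a car handles two fobs, not from the talk
        self.keys = {}
        self.locked = True

    def pair(self, fob):
        self.keys[fob.serial] = [fob.secret, 0]

    def receive(self, message):
        """Accept only codes for counters strictly ahead of the last accepted
        one and within WINDOW; anything at or behind it is treated as a replay."""
        serial, command, code = message
        if serial not in self.keys:
            return "unknown key"
        secret, last = self.keys[serial]
        for candidate in range(last + 1, last + WINDOW + 1):
            expected = rolling_code(secret, candidate, command)
            if hmac.compare_digest(expected, code):
                self.keys[serial][1] = candidate      # resynchronise to the key
                self.locked = (command == "lock")
                return "accepted"
        return "rejected"


def demo():
    """Walk through the cases the talk describes and return the verdicts."""
    fob = KeyFob(b"FOB-1", b"constructed secret for fob 1")
    car = Car()
    car.pair(fob)
    m1 = fob.press("unlock")
    heard = car.receive(m1)                      # counter 1: accepted
    replayed = car.receive(m1)                   # same message again: rejected
    for _ in range(5):                           # presses out of range of the car
        fob.press("lock")
    ahead = car.receive(fob.press("unlock"))     # counter 7, within window: accepted
    for _ in range(WINDOW + 5):
        fob.press("lock")
    too_far = car.receive(fob.press("unlock"))   # far past the window: rejected
    # a second paired fob keeps its own counter, so it is unaffected
    fob2 = KeyFob(b"FOB-2", b"constructed secret for fob 2")
    car.pair(fob2)
    second = car.receive(fob2.press("unlock"))   # accepted
    return heard, replayed, ahead, too_far, second


if __name__ == "__main__":
    print(demo())
```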
Yes, so you're asking how does rolling code (and I'll just pull a diagram back up), how does rolling code work if we have two keys and one car? I'm going to be completely honest, I don't actually know how that works with two keys and one car. I assume there would have to be some sort of way of synchronising between the keys, but I don't have a solid answer for you, sorry.

Okay, yes. No, I didn't play about with the transponder for this talk, but that's definitely something that's on my list. But then again, I also don't want to accidentally mess up my car's immobiliser, but, you know, in the name of science, I might do it. Oh yes.

Yes, so if the car's received that valid message, let's see, so if the car receives a valid message its counter will move on, but, and I'm having trouble thinking this through in my head right now, but I think your key's counter, because you've clicked the button on the key, it will still have incremented. So when that attack is carried out it might still be in sync at the end of it, but even if it is not in sync at the end of it, you can still click your key a couple of times to increment that counter a bit, up until the point where the car will accept it, I think. Just don't blame me if you break your car. Yes.

Did you work out car keys? Yeah, I think that, I'm not sure what protocol that uses, but I imagine that is working on the 125 kHz band, similar to the transponder, probably uses a similar technology, but I'm not sure. It might, yeah, could be working on the same sort of idea as the passive keyless entry where it's a challenge-response, but I would have to look that up. Okay.

Yes, sorry, if I said speed of sound I meant speed of light. Are you asking why is it the speed of light? Because it's an electromagnetic wave: light is an electromagnetic wave, radio waves are electromagnetic waves, so they move at a similar speed, I think. I'm not too good at my physics. Okay, yes, thank you very much.