RF Hacking Red Pill 2017
1. RF HACKING: IT'S NOT JUST
FM/AM BROADCAST RADIO
Anocha Upontian, PTT Digital Solution
Keerati Torach, KPMG Thailand
2. CAUTION & DISCLAIMER
• Be careful when using a Software Defined Radio peripheral: its signal may be transmitted on an illegal frequency
  (depends on country regulations)
• Signal interference (jamming) is illegal
• Content of this presentation is for EDUCATION PURPOSES ONLY
• It's recommended to test on a permitted system or in a laboratory environment
• You are responsible for using this stuff legally
http://www.thedailysheeple.com/wp-content/uploads/2014/08/faraday-cage.jpg
http://www.wovenwirecloth.org/img/shielding-screen.jpg
https://greatscottgadgets.com/hackrf/
https://nuand.com/
https://www.crowdsupply.com/lime-micro/limesdr
3. AGENDA
• Thailand's spectrum regulations
• Radio frequency in communication
• RF security assessment tools
• GNU Radio Companion
• Case study 1: Wireless doorbell
• Case study 2: Beyond a doorbell
• Case study 3: Dealing with rolling code
• Lessons learned
5. RADIO FREQUENCY IN COMMUNICATION
• Absolutely, it's wireless
• Long distance communication
https://en.wikipedia.org/wiki/Radio_frequency
6. RADIO FREQUENCY IN COMMUNICATION
• Analog Signal Processing
  • Amplitude Modulation (AM)
  • Frequency Modulation (FM)
  • Phase Modulation (PM)
https://en.wikipedia.org/wiki/Amplitude_modulation
https://en.wikipedia.org/wiki/Phase_modulation
https://upload.wikimedia.org/wikipedia/commons/8/8d/Illustration_of_Amplitude_Modulation.png
https://www.scienceabc.com/wp-content/uploads/2016/08/Illustration_of_Frequency_Modulation.jpg
7. RADIO FREQUENCY IN COMMUNICATION
• Digital Signal Processing
  • Amplitude Shift Keying (ASK)
  • On-Off Keying (OOK)
  • Frequency Shift Keying (FSK)
  • Phase Shift Keying (PSK)
(figure: OOK and ASK waveforms)
https://www.owasp.org/images/2/29/AppSecIL2016_HackingTheIoT-PenTestingRFDevices_ErezMetula.pdf
https://web.stanford.edu/class/ee102b/contents/DigitalModulation.pdf
8. RF SECURITY ASSESSMENT TOOLS (HARDWARE)
• RTL-SDR with dongle
  • Only RX (simplex)
  • 24 MHz – 1766 MHz
• 433 MHz or 315 MHz transmitter (TX only) module
  • Usually comes together with a receiver (RX only)
  • Modulation: ASK/OOK
  • 3–12 V working voltage
• DIY antenna
  • Appropriate length
• Raspberry Pi 3 Model B
  • Controlling the transmitter
• Electronics prototyping parts
  • Breadboards
  • Jumper wires
  • 9 V battery
  • Resistors
• YARD Stick One with female antenna (bought separately)
  • Transceiver (half duplex)
  • Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK and MSK
  • 300–348 MHz, 391–464 MHz, and 782–928 MHz operating frequencies
9. RF SECURITY ASSESSMENT TOOLS (SOFTWARE)
• GNU Radio Companion
  • Powerful signal processing blocks
  • Supports any SDR peripheral (RTL-SDR, HackRF, BladeRF)
• SDR#
  • Analysis
  • Demodulation
  • Streaming
• GQRX
  • Same as SDR#
• RfCat
  • For controlling the YARD Stick One
• Audacity
  • Pulse analysis
• Baudline
  • Spectrum analysis
• rtl_433
  • Demodulation and decoding of data automatically
• Python (basic)
  • General purpose input/output (GPIO) of the Raspberry Pi
  • RfCat
10. GRC
• Signal source
  • RTL-SDR
• File sink
https://en.wikipedia.org/wiki/File:Signal_Sampling.png
Sampling is the conversion process from a continuous signal to a discrete one
11. GRC
• Digital filtering
  • Filter only the bandwidth of interest
http://www.aimagin.com/learn/images/thumb/7/72/Transferfunction.png/600px-Transferfunction.png
https://en.wikipedia.org/wiki/File:Butterworth_response.svg
https://upload.wikimedia.org/wikipedia/commons/7/76/Butterworth_lowpass.png
12. GRC
• Rational Resampler
  • Adjust to an appropriate sample rate
  • Interpolation -> reconstruct the signal at a given (higher) sample rate
  • Decimation -> reduce the sample rate
13. GRC
• Demodulator
  • Usually converts the data type from complex to float
ASK Demodulator
FSK Demodulator
…1011001…
…10110…
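The GRC slides above name three blocks without showing what they do to the samples. The following is an added example written for this page, not GNU Radio's own code: it models a signal source, the ASK demodulator (complex to float by taking the envelope) and a rational resampler (interpolate by L, low-pass, decimate by M) in plain Python, so the sample-rate bookkeeping can be followed by hand. The OOK test signal, the 1 MHz sample rate, the carrier offset and the box low-pass filter are constructed choices; GNU Radio's resampler uses a windowed-sinc filter instead of the box filter used here.

```python
"""Software models of the GNU Radio Companion blocks named on the slides:
a signal source, an ASK/AM demodulator (complex -> float) and a rational
resampler (interpolate by L, low-pass, decimate by M).  Added example,
not GNU Radio code; the OOK test signal, rates and carrier offset are
constructed values."""
import cmath
import math


def ook_signal_source(bits, carrier_hz, sample_rate, samples_per_bit):
    """Constructed complex IQ stream: a carrier keyed on/off by `bits`,
    roughly what an RTL-SDR source delivers for a simple OOK transmitter."""
    iq = []
    n = 0
    for bit in bits:
        amplitude = 1.0 if bit else 0.0
        for _ in range(samples_per_bit):
            phase = 2 * math.pi * carrier_hz * n / sample_rate
            iq.append(amplitude * cmath.exp(1j * phase))
            n += 1
    return iq


def ask_demod(iq):
    """Demodulator block for ASK/OOK: complex -> float by taking the
    envelope |I + jQ|, which discards the carrier and keeps the amplitude."""
    return [abs(sample) for sample in iq]


def moving_average(x, taps):
    """Causal box FIR low-pass.  GNU Radio would use a windowed-sinc
    filter; a box filter keeps the arithmetic of the example exact."""
    out = []
    for i in range(len(x)):
        window = x[max(0, i - taps + 1):i + 1]
        out.append(sum(window) / len(window))
    return out


def rational_resample(x, interp, decim):
    """Rational Resampler: output rate = input rate * interp / decim.
    Interpolation here is sample-and-hold (zero-stuffing followed by a
    box filter); decimation low-passes to avoid aliasing, then keeps
    every decim-th sample."""
    interpolated = []
    for value in x:
        interpolated.extend([value] * interp)
    antialiased = moving_average(interpolated, decim)
    # keep the sample at the end of each decim-long window so each output
    # only averages samples that belong to that window
    return antialiased[decim - 1::decim]


def demodulate_and_decimate(bits, sample_rate=1_000_000, samples_per_bit=8,
                            carrier_hz=125_000, decim=4):
    """Flowgraph from the slides: source -> demod -> resampler -> float.
    Returns the new sample rate and the decimated envelope samples."""
    iq = ook_signal_source(bits, carrier_hz, sample_rate, samples_per_bit)
    envelope = ask_demod(iq)
    reduced = rational_resample(envelope, 1, decim)
    return sample_rate // decim, [round(v, 6) for v in reduced]


if __name__ == "__main__":
    rate, samples = demodulate_and_decimate([1, 0, 1, 1])
    print(rate, samples)  # 250000 [1.0, 1.0, 0.0, 0.0, 1.0, 1.0, 1.0, 1.0]
```

After decimation by 4 each bit is still represented by two samples, which is why the slides insist on choosing the resampler ratio from the sample rate and the expected symbol time rather than decimating as far as possible.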
17. CASE STUDY 1: WIRELESS DOORBELL
• Fixed key transmission
• It's great for beginning study
• Low cost
18. CASE STUDY 1: WIRELESS DOORBELL
• Information gathering
19. CASE STUDY 1: WIRELESS DOORBELL
• Capture transmitted data and save it to a file
20. CASE STUDY 1: WIRELESS DOORBELL
• Capture the signal from the original remote and determine the modulation
• Baudline
https://greatscottgadgets.com/tr/gsg-tr-2016-1.pdf
22. CASE STUDY 1: WIRELESS DOORBELL
• Pulse analysis using Audacity
• Decoding data (Pulse Width Modulation?)
(figure: decoded pulses 0 0 1)
http://pcbheaven.com/wikipages/images/pwmmodulation_1236701204.jpg
https://learn.sparkfun.com/tutorials/pulse-width-modulation
23. CASE STUDY 1: WIRELESS DOORBELL
• Hardware interfacing
https://www.raspberrypi-spy.co.uk/wp-content/uploads/2012/09/Raspberry-Pi-GPIO-Layout-Revision-1.png
Monopole antenna:
Length = λ/4 m
where v = fλ, so λ = v/f
24. CASE STUDY 1: WIRELESS DOORBELL
• DEMO: Ring the doorbell with the captured signal using a Raspberry Pi
vimeo.com/236267585
25. CASE STUDY 1: WIRELESS DOORBELL
• Alternatively
  • YARD Stick One
  • Baud rate (bit/sec) instead of time delay
  • For example, 1 bit -> 0.001 s
  • Baud = 1/0.001 = 1000
(figure: bit string 1 0 1 1 10 0 0 0)
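Slides 22 and 25 do the pulse analysis by eye in Audacity and then turn the shortest pulse into the baud figure. The example below, added for this page and not the presenters' code or rtl_433's, performs the same steps on a demodulated envelope: run-length encode it into pulses, classify each high pulse by width, derive the baud rate, and, as the assessment check a tester actually wants, compare several button presses to confirm whether the device really is fixed-code (slide 17) rather than rolling. The sample stream, the 10 kHz envelope rate and the timings are constructed, and the symbol convention (short high pulse = 0, long high pulse = 1) is an assumption that has to be confirmed against the real capture.

```python
"""Pulse-width decoding of a captured OOK envelope.  Added example, not
the presenters' code or rtl_433's; sample data and timings are
constructed, and the PWM convention (short high = 0, long high = 1) is an
assumption."""


def constructed_capture(bits, sample_rate, short_s=0.001, long_s=0.003,
                        gap_s=0.001):
    """Build a demodulated 0/1 envelope for `bits` using PWM timing
    (constructed test input standing in for a file-sink capture)."""
    samples = []
    for bit in bits:
        high = int((long_s if bit else short_s) * sample_rate)
        samples.extend([1.0] * high)
        samples.extend([0.0] * int(gap_s * sample_rate))
    return samples


def envelope_to_pulses(samples, sample_rate, threshold=0.5):
    """Run-length encode the envelope into (is_high, seconds) pulses,
    the bars and gaps one sees in the Audacity waveform view."""
    pulses = []
    current = samples[0] > threshold
    run = 0
    for value in samples:
        level = value > threshold
        if level == current:
            run += 1
        else:
            pulses.append((current, run / sample_rate))
            current, run = level, 1
    pulses.append((current, run / sample_rate))
    return pulses


def decode_pwm(pulses, short_s, long_s, tolerance=0.25):
    """Classify each high pulse by width.  Pulses matching neither width
    (noise spikes, truncated captures) are returned separately instead of
    being silently turned into bits."""
    bits, rejects = [], []
    for is_high, seconds in pulses:
        if not is_high:
            continue
        if abs(seconds - short_s) <= tolerance * short_s:
            bits.append(0)
        elif abs(seconds - long_s) <= tolerance * long_s:
            bits.append(1)
        else:
            rejects.append(seconds)
    return bits, rejects


def baud_rate(pulses, glitch_s=0.0):
    """Slide 25: baud = 1 / (shortest element time).  Pulses no longer
    than glitch_s are ignored so a noise spike cannot inflate the rate."""
    shortest = min(s for _, s in pulses if s > glitch_s)
    return round(1 / shortest)


def is_fixed_code(captures, sample_rate, short_s, long_s):
    """Assessment check: if several presses decode to identical bits the
    device uses a fixed key (slide 17) and a captured frame stays valid."""
    decoded = [decode_pwm(envelope_to_pulses(c, sample_rate),
                          short_s, long_s)[0] for c in captures]
    return all(d == decoded[0] for d in decoded)


if __name__ == "__main__":
    rate = 10_000  # constructed: 10 kHz envelope, e.g. after decimation
    press = constructed_capture([0, 0, 1, 1, 0, 1], rate)
    pulses = envelope_to_pulses(press, rate)
    print(decode_pwm(pulses, 0.001, 0.003), baud_rate(pulses))
    print("fixed code:", is_fixed_code([press, press], rate, 0.001, 0.003))
```

The `rejects` list matters in practice: a capture that yields mostly rejects means the assumed widths or the PWM convention are wrong, not that the remote is noisy, so the widths should be re-measured before any baud figure is trusted.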
26. CASE STUDY 2: BEYOND A DOORBELL
• What about the key fob used to lock, unlock, arm, and disarm a car?
27. CASE STUDY 2: BEYOND A DOORBELL
• Car Alarm System
28. CASE STUDY 2: BEYOND A DOORBELL
• Information gathering
29. CASE STUDY 2: BEYOND A DOORBELL
• Low cost jammer
  • ~140 ฿ excluding breadboard
(figure: 9 V battery)
30. CASE STUDY 2: BEYOND A DOORBELL
• Video: Interfering with a car's key fob
• DEMO: Unlock/lock the car with the captured signal using a Raspberry Pi + transmitter module or
YARD Stick One
vimeo.com/236269836
vimeo.com/236268296
31. CASE STUDY 3: DEALING WITH ROLLING CODE
• A rolling code for preventing replay attacks
• Always sends out different data each time
rtl_433
https://www.youtube.com/user/Hak5Darren
32. CASE STUDY 3: DEALING WITH ROLLING CODE
• Defeating rolling code
  • Samy Kamkar's RollJam, published at DEF CON 23 (2015)
https://samy.pl/defcon2015/2015-defcon.pdf
33. CASE STUDY 3: DEALING WITH ROLLING CODE
• Improper rolling code implemented on an automatic sliding gate opener
  • Sets of codes stored in a pool
  • The code rotates every time a code of valid length is received, whether it matches or not
(figure: pool contents over four successive receptions)
Pool 1: 1001 1101 0101 0011 1111 1000 1011
Pool 2: 1101 0101 0001 1001 0011 1111 1000
Pool 3: 0101 0001 0111 1101 1001 0011 1111
Pool 4: 0001 0111 0000 0101 1101 1001 0011
0101 0101 0101 0101
34. CASE STUDY 3: DEALING WITH ROLLING CODE
• Video: Opening an automatic sliding gate using a Raspberry Pi
vimeo.com/236268904
35. LESSONS LEARNED
• Frequency hopping implementation in order to prevent pulse jamming
• Spread spectrum
• Bidirectional communication (challenge-response) instead of unidirectional
• Along with encryption
36. SPECIAL THANKS
• Low cost project thanks to …
  • Mr. Krit Saengkyongam – Raspberry Pi
  • Mr. Prathan Phongthiproek – YARD Stick One
  • Mom – Everything
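The gate opener on slide 33 fails because its state moves on any frame of the right length, matched or not, and because nothing binds a code to a position that can only advance. The receiver model below is an added example for this page, not the gate's firmware or any real key-fob protocol: frames carry a counter and a keyed MAC, the receiver changes state only after the MAC verifies and the counter is ahead within a tolerance window, and a short challenge-response exchange shows the bidirectional alternative from the lessons-learned slide. The key, counter window and frame layout are constructed; the MAC gives authenticity, which is what stops replay and forgery, and encrypting the command would be an additional, separate choice.

```python
"""Receiver-side model of a rolling code and of challenge-response,
added as an example for this page (not a real device's protocol).  Key,
window and frame layout are constructed values."""
import hashlib
import hmac
import os

KEY = b"constructed-demo-key-not-a-real-secret"
WINDOW = 16          # button presses out of range of the receiver we tolerate
CMD_UNLOCK = 0x01
FRAME_LEN = 4 + 1 + 8  # counter || command || truncated tag


def frame(key, counter, command):
    """Transmitter side: counter || command || 8-byte truncated HMAC tag."""
    body = counter.to_bytes(4, "big") + bytes([command])
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Receiver:
    """Accepts a frame only if it authenticates and its counter is ahead.
    Unlike the gate on slide 33, a valid-length frame that fails either
    check leaves the receiver's state untouched."""

    def __init__(self, key, last_counter=0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, data):
        """Return the command for an authentic, fresh frame, else None."""
        if len(data) != FRAME_LEN:
            return None
        body, tag = data[:5], data[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None          # forged or corrupted: no state change
        counter = int.from_bytes(body[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return None          # replay (counter <= last) or too far ahead
        self.last_counter = counter   # advance only after both checks pass
        return body[4]


# Bidirectional variant from the lessons-learned slide: the receiver issues
# a fresh random challenge and the fob proves key possession for that
# challenge, so a recorded answer is useless against the next challenge.
def make_challenge():
    return os.urandom(8)


def respond(key, nonce, command):
    return hmac.new(key, nonce + bytes([command]), hashlib.sha256).digest()[:8]


def verify_response(key, nonce, command, response):
    return hmac.compare_digest(respond(key, nonce, command), response)


if __name__ == "__main__":
    rx = Receiver(KEY)
    press = frame(KEY, 1, CMD_UNLOCK)
    print("first press:", rx.accept(press))      # 1
    print("replayed press:", rx.accept(press))   # None
    nonce = make_challenge()
    print("challenge ok:", verify_response(KEY, nonce, CMD_UNLOCK,
                                           respond(KEY, nonce, CMD_UNLOCK)))
```

The window handles presses made out of range of the receiver (the counter may legitimately jump ahead a few steps) without ever accepting a counter that is equal to or behind the last accepted one, which is the property the pool design lacks.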