Sniffing Strange Radios: Exploiting Vulnerabilities in Wireless Protocols
1. Not Quite ZigBee; or,
How to Sniff a Strange Radio
Open with "Why should you give a shit?"
List of Exploits
Travis Goodspeed
22 April 2010 -- Source Boston
travis@radiantmachines.com
2. Introduction
• WiFi
• Bluetooth
• Ubertooth
• ZigBee
• KillerBee, GoodFET, Freakduino Chibi, Daintree
• What about everything else?
3. Introduction
• This is not a USRP lecture.
• Weird radios are usually one-off designs.
• Bad cryptography, if any.
• Little testing, quality control.
• Vulnerabilities inherited from the chipset.
4. Citations
• Max Moser and Thorsten Schröder
• Michael Ossmann
• Read my articles for the rest,
http://travisgoodspeed.com
5. Example Targets
• Radio Remote Controls
• Apple/Nike+ Shoe Pod
• Garmin ANT+ Watch
• Microsoft Keyboard
6. Methodology
• Dissect a device.
• Part numbers, chip die photographs, firmware.
• Determine radio encoding, rate, and frequency.
• 2FSK, 2Mbps, 2.4GHz
• QPSK, 1Mbps, 2.4GHz
• Build a transceiver.
8. Part Numbers
• CC2420, EM250, A7125
• Uniquely identify the part, index the datasheet.
• Vulnerabilities are indexed by part number, not product name.
• Sometimes they are missing or ground off.
• HNO3 and H2SO4 are your friends!
9. Datasheets
• Describe registers and pins.
• Sometimes private, but often public.
• Read the whole damned thing, and you're sure to find bugs.
• Also read the errata sheets.
• For this chip and its ancestors.
13. Die Badges
• Identify the internal part number.
• Sometimes this is the public one.
• Sometimes it isn't.
• Animals, Logos
• Lot numbers.
30. Chipcon ISM Band
• CC1100, 2500 radio.
• CC1110, 2500 system-on-chip.
• Very configurable.
• CC1110 talks to anything sub-GHz.
• Undocumented 4FSK, use register settings for CC1101.
32. Nordic RF
• No promiscuous mode.
• There's a hack, but it's ugly.
• Not very configurable:
• 2FSK, fixed deviation.
• Integer MHz channels.
Devices built on Nordic radios:
• Microsoft Keyboards, Mice
• OpenBeacon
• Sparkfun Keyfob
• ANT+, Nike+
35. Amiccom A7125
• 2.4GHz, 2FSK
• Doccos in English, Chinese
• Unbuffered mode for outputting symbols directly.
• 2 million symbols/second!
• Handy, but not necessary, for promiscuous sniffing of Nordic traffic.
36. Modulation Schemes
• Frequency Shift Keying (FSK)
• Cheap digital radios, Bluetooth.
• Amplitude Shift Keying (ASK, OOK)
• Car remotes, garage door openers.
• Phase Shift Keying (PSK)
• WiFi, ZigBee
• Complicated variations of each.
37. Frequency Shift Keying
• Symbol Rate: Integer or floating?
• Frequency: Integer or fractional?
• SYNC: Configurable? Repurposed as the address?
• Deviation: Space between highest and lowest symbol.
• Encoding:
• 2FSK: Low frequency is zero, high frequency is 1.
• 4FSK: +1, +1/3, -1/3, -1
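The symbol mapping on the slide above, worked through in code. This is an added example, not from the slides or the GoodFET project: it places the 2FSK and 4FSK levels so that the distance between the highest and lowest symbol equals the deviation (the slide's definition), and then slices measured frequencies back into bits by nearest level, which is what a receiver has to get right before anything else. The bit-pair order for 4FSK, the centre frequency and the deviation are assumptions chosen for illustration; a real chip's datasheet fixes them.

```python
# Added example: FSK symbol levels as fractions of the deviation.
# 2FSK: low frequency is 0, high frequency is 1 (from the slide).
# 4FSK: the four levels +1, +1/3, -1/3, -1 (from the slide); which bit pair
# maps to which level is an ASSUMPTION here, not a datasheet value.
FSK2_LEVELS = {(0,): -1.0, (1,): +1.0}
FSK4_LEVELS = {(0, 0): -1.0, (0, 1): -1.0 / 3, (1, 1): +1.0 / 3, (1, 0): +1.0}


def bits_per_symbol(levels):
    """Number of bits carried by one symbol of the given alphabet."""
    return len(next(iter(levels)))


def modulate(bits, levels, deviation_hz, center_hz):
    """Map a bit sequence to one carrier frequency (Hz) per symbol.

    Levels are scaled by deviation/2 so that the highest and lowest symbol
    are exactly `deviation_hz` apart, matching the slide's definition.
    """
    n = bits_per_symbol(levels)
    if len(bits) % n:
        raise ValueError("bit count must be a multiple of bits per symbol")
    return [center_hz + levels[tuple(bits[i:i + n])] * deviation_hz / 2
            for i in range(0, len(bits), n)]


def demodulate(freqs, levels, deviation_hz, center_hz):
    """Slice measured per-symbol frequencies back into bits.

    Each measurement is normalised to the level scale and assigned to the
    nearest symbol, so small frequency error is tolerated as long as it stays
    below half the spacing between adjacent levels.
    """
    bits = []
    for f in freqs:
        measured = (f - center_hz) / (deviation_hz / 2)
        symbol = min(levels, key=lambda s: abs(levels[s] - measured))
        bits.extend(symbol)
    return bits


def roundtrip_with_error(bits, levels, deviation_hz, center_hz, error_hz):
    """Modulate, perturb every other symbol by +/- error_hz, demodulate."""
    freqs = modulate(bits, levels, deviation_hz, center_hz)
    noisy = [f + (error_hz if i % 2 == 0 else -error_hz)
             for i, f in enumerate(freqs)]
    return demodulate(noisy, levels, deviation_hz, center_hz)


if __name__ == "__main__":
    # Constructed values: 2.4 GHz centre, 1 MHz deviation.
    payload = [1, 0, 1, 1, 0, 0, 0, 1]
    for name, levels in (("2FSK", FSK2_LEVELS), ("4FSK", FSK4_LEVELS)):
        freqs = modulate(payload, levels, 1_000_000, 2_400_000_000)
        print(name, [round(f) for f in freqs])
        print(name, "recovered:", demodulate(freqs, levels, 1_000_000, 2_400_000_000))
```

Note that 4FSK packs two bits per symbol at the same deviation, so the levels sit three times closer together and the same frequency error that 2FSK shrugs off can flip a 4FSK symbol; that is why the slide's "Deviation" question matters when you are guessing register settings.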
38. Getting a radio board.
• Chips are difficult to use directly.
• QFN or BGA chip packages.
• Radio layout requires a custom board.
• Modules are available with radio and analog chain.
• Often lack an MCU, so use a GoodFET.
• Commercial boards are often useful.
• GirlTech IMME, Next Hope Badge
52. Configuring the Radio
• All digital radios are configured by Special Function Registers (SFR).
• Register settings can come from multiple sources:
• SmartRF Studio configuring TI/Chipcon radios.
• Datasheets
• Ask Ossmann
57. GoodFET Radio Architecture
• Firmware in C, client in Python.
• Py2Exe port for Win32.
• Only tested on the Chinese build.
• Firmware is trimmed to support only the needed drivers.
• New drivers can be written in pure-Python.
• Port functions to C as needed.
64. nRF24E1
• 8051 Microcontroller
• More popular than ARM and X86.
• Internal nRF2401 Radio
• 1Mbps GFSK Radio
• 2.4 to 2.5 GHz, 1MHz Channel Spacing
• No internal Flash. Boots from external EEPROM.
• No promiscuous mode. (The hack comes later.)
66. nRF24E1 Firmware in IDA
• "goodfet.spi25c dump clicker.hex"
• Copy all but first 7 bytes to clicker.bin.
• Load clicker.bin to CODE memory at 0x0000.
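The conversion step in the middle of the slide above, as an added example that is not GoodFET code: it parses an Intel HEX dump (an assumption, based on the .hex name; the slide does not say which format goodfet.spi25c writes), verifies every record checksum so a bad SPI read is caught before you load garbage into IDA, flattens the records into a byte image, and drops the first 7 bytes the slide says to skip. The sample EEPROM contents below are constructed; the meaning of those 7 header bytes is not described on the page, so the example treats them as opaque.

```python
# Added example: Intel HEX -> flat image, minus the 7-byte header the slide
# says to strip before loading the image into CODE memory at 0x0000.

HEADER_LEN = 7  # from the slide: "Copy all but first 7 bytes to clicker.bin"


def parse_ihex(text):
    """Parse Intel HEX text into {address: byte}, checking each record's checksum.

    Handles data (00), end-of-file (01) and extended linear address (04)
    records, which is all a small EEPROM dump needs.
    """
    memory = {}
    base = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        rec = bytes.fromhex(line[1:])
        # The checksum byte makes the whole record sum to zero modulo 256.
        if sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: bad checksum")
        length, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:4 + length]
        if len(data) != length:
            raise ValueError(f"line {lineno}: truncated record")
        if rtype == 0x00:
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return memory


def flatten(memory, fill=0xFF):
    """Turn {address: byte} into a contiguous image, filling gaps like blank EEPROM."""
    if not memory:
        return b""
    return bytes(memory.get(a, fill) for a in range(max(memory) + 1))


def eeprom_to_code_image(text, header_len=HEADER_LEN):
    """The slide's conversion: everything after the first header_len bytes."""
    return flatten(parse_ihex(text))[header_len:]


# Constructed sample dump: 20 bytes at 0x0000. The first 7 are a stand-in
# header (00..06); the rest stands in for 8051 code and is arbitrary here.
SAMPLE_HEX = """\
:10000000000102030405060708090A0B0C0D0E0F78
:0400100002003022 98
:00000001FF
""".replace(" ", "")

if __name__ == "__main__":
    image = eeprom_to_code_image(SAMPLE_HEX)
    print(len(image), "bytes of code:", image.hex())
    with open("clicker.bin", "wb") as f:
        f.write(image)
```

The checksum check is the part worth keeping: with a flaky SPI clock a dump can come back subtly wrong, and a disassembler will happily produce plausible-looking nonsense from it.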
69. Useful Registers
• SPI_DATA, SPICLK, SPI_CNTRL, EXIF
• P1 LED Port
• P0.0 SPI EEPROM Slave Select
• RADIO #0x80
• RADIO.3 is Radio Slave Select
• RADIO.7 is Power Up
80. Microsoft Keyboard
• 2.4GHz Nordic, XOR crypto
• SYNC varies by unit.
• Again, there's no promiscuous mode.
• Initial Exploit in Keykeriki 2.0
• Max Moser and Thorsten Schröder
• Amiccom A7125, nRF24L01+
82. Promiscuity is a Citizen's Duty
• If the crypto is so bad, why is it hard to sniff?
• SYNC field is unique to the unit.
• Receiver must know the SYNC to receive a packet.
• Two solutions:
• 1) Search raw radio traffic for Preamble. (Keykeriki)
• 2) Use the preamble as if it were a SYNC. (GoodFET)
83. Schröder and Moser's Solution
• A7125 samples raw bits at 2Mbps.
• ARM CPU looks for Preamble.
• When the MAC is found,
• Load nRF24L01+ to sniff.
• Dump to PC for interpretation.
• Can it be cheaper?
84. GoodFET Autotune
• Reduce MAC length to two bytes.
• Disable checksums.
• Set MAC to 0x0055 or 0x00AA.
• Count occurrences of 5-byte sequences:
• Might be shifted off by a bit.
• Filter out noise.