The training Software-Defined Radio applied to security assessments was held by Sébastien Dudek at Troopers21 and was remotely organized – like most other events – due to Covid-19. Once we were all caffeinated, we had an exciting journey through basically all things radio.
We started with the technical and physical basics in radio technology, such as various sorts of antennas, analog to digital coding (and backward), encoding schemes, and general risks and possible vulnerabilities of using radio devices. Commonly found vulnerabilities include the following:
- eavesdropping and injection attacks (think of cleartext protocols)
- relay and replay attacks (if there is no rolling code)
- denial of service (for example with jamming)
We quickly moved on to some practical exercises, and my PlutoSDR device finally arrived during the training. The PlutoSDR (more precisely “ADALM-PLUTO”) is an easy-to-use tool and is well suited for an introduction to software-defined radio and radio frequency. It offers one transmit and one receive channel which can be used in full-duplex, so you can send and receive at the same time. That meant I could start tinkering around with real-world signals and did not have to use signals generated by GNU Radio, which is an extraordinarily powerful tool. You can build anything, hide more complex functionality in custom blocks and extend the functionality with Python or C++. The PlutoSDR supports a frequency range from 325 MHz to 3.8 GHz by default, but you can “upgrade” it to support the range from 70 MHz to 6 GHz. You can find the needed commands here.
SDRAngel worked well with the PlutoSDR to explore my surroundings and look at some signals. Most of the time, I used GNU Radio since the exercises were based on recorded signals, so you use these files as a source. I can also recommend taking a look at the following programs, which proved very helpful in certain situations:
- Universal Radio Hacker URH does many things automatically and therefore makes it easier to demodulate/decode a signal (although it doesn’t always work!).
- Inspectrum you can manually analyze a signal that can help you have a weak signal.
- Gqrx I liked Gqrx to look at recorded signals and try various settings and decoding mechanisms. I didn’t get the PlutoSDR to work with it, but SDRAngel always worked perfectly fine.
If you find some signal you would like to know more about, I can recommend taking a look at the Signal Identification Guide which has many example sounds and waterfall images.
In general, the training covered many different technologies. Starting with simple AM/FM signals, we continued with binary modulation techniques (such as On-off keying), moved to mobile networks (2G, 3G, 4G, 5G), long-range (LoRa) communications, power-line communications (such as HomePlug AV – take a look at HomePlugPWN), and finished with RFID and NFC (explicitly looking at MIFARE Classic attacks). If you’re interested in mobile networks, I would recommend this blog post and if you ever wondered about the differences between RFID vs. NFC, there is an excellent infographic in this post.