Chapter 9

New Technology

As our world gets smarter, it seems to also get more wireless. This means greater exposure to risk and more opportunities for the radio frequency security researcher. Looking to the future of RF security, two things will define the future of radio hacking and wireless reconnaissance:

• Everything is going digital.

• Software-defined radios (SDRs).

Everything is Going Digital

Currently, there is still a lot of analog radio transmission, and there likely will be for some time to come, but radios are increasingly moving to digital. Some scanners support decoding P25, but that is really the extent of the digital formats they can decode. In time, more scanners will likely support limited TDMA formats. TDMA (time-division multiple access) is a general digital channel-sharing scheme, used by some older cellphones, that is now starting to be deployed in some two-way radio systems. Motorola has a standard built on TDMA called “P25 Motorola X2-TDMA,” the upgrade path from current P25 systems. X2-TDMA was released before the P25 Phase 2 requirements were finalized and is largely based on the Phase 2 standard. So far, one scanner supports this standard, the GRE PSR-800, and that support is still in the testing stage. MOTOTRBO is another TDMA-based digital radio standard from Motorola; currently no scanner can decode it.

The other standards are up in the air. Many of them are closed standards, and the manufacturers do not want to license the ability to monitor them to scanner makers. Many even use the fact that scanners cannot monitor them as a selling point in their marketing, presenting it as a security feature. This does keep the general public from casually listening in, for now. Of course, projects like DSD and GNU Radio are working to reverse-engineer these systems and create tools to monitor them. Digital Speech Decoder (DSD) is an open source software package, usable alongside GNU Radio, that can decode some of these formats; see the section on GNU Radio later in this chapter. Among the many digital formats to be aware of are Terrestrial Trunked Radio (TETRA), Vector Sum Excited Linear Prediction (VSELP), OpenSky, iDEN, EDACS ProVoice, and DECT, as well as numerous proprietary standards.

TETRA is popular in Europe (it was originally known as Trans-European Trunked Radio), but if it is used in the United States, we have not seen it. VSELP is an older digital speech codec, which is close to being phased out.

The undeniable trend in electronics over the past 20–30 years is that more and more stuff is going wireless. These days it is more than just the IEEE 802.11 (WiFi) protocols, which is what most penetration testers are currently focusing on. There are lots of other standards, and proprietary wireless formats as well. As these grow in market share and mature, it will be increasingly important to be aware of their presence, or potential presence, in the environment.

Beyond 802.11—Digital Wireless Protocols

Digital Enhanced Cordless Telecommunications (DECT)

DECT is a format used mainly by cordless phones and headsets, where it has become the de facto standard, but it may be found in other applications as well, such as baby monitors. Toolsets like deDECTed were built to intercept and attack these systems. The current implementation of deDECTed requires a Dosch & Amand COM-ON-AIR Type 2 PCMCIA card (Figure 9.1), which is currently very difficult to find. Information on the deDECTed toolset can be found at https://dedected.org/.

image

Figure 9.1 Dosch Amand COM-ON-AIR Card

DECT supports encryption in the form of a proprietary algorithm called the DECT Standard Cipher (DSC). Through research by the security community, it was found that the encryption was poorly implemented, with poor random number generation and inadequate key length, and the algorithm itself has been broken.

In many cases, the encryption can be disabled on DECT devices by injecting a spoofed packet that appears to come from the other unit and claims it does not support encryption. The device then falls back to cleartext transmission and broadcasts unencrypted, leaving the conversation exposed. This can even happen mid-call.

DECT’s broken-by-design security model is a good example of a vulnerability that went unnoticed until people started investigating it. What problems have gone unnoticed in the protocols and systems below, because security researchers have not looked at them and security was not considered from the start?

Importance of Assessing Wireless Products Before They are Implemented

This is why it is important to research new radio technology before implementing it. As a rule, proprietary encryption schemes are weaker than publicly tested and reviewed encryption, because the public systems can be peer-reviewed by top cryptographers, and flaws that are exposed publicly can be corrected, or at least avoided.

Security assessments are key when implementing a radio system. Do not trust that encryption is strong, or even enabled. If you are engineering a new technology, involve security researchers and testers in the design process from the beginning. If you are shopping for a system, do your homework before you buy. Start by conducting a risk assessment to determine what your risks are and what level of security is needed. If at all possible, perform a vulnerability assessment on products and systems you are considering before committing to them, especially if your application is sensitive or mission critical. Different organizations will have different security needs. If you do need encryption, avoid proprietary algorithms and demand a trusted, open standard such as AES (Triple DES is still accepted, but AES should be preferred for new systems).

Having the ability to apply firmware updates is a great feature that more equipment should support, so that problems can be patched when they occur, and more devices are starting to support it. Customers should also consider how easy or difficult the firmware updates are to apply. Many devices support firmware updates but, in the worst cases, must be sent back to the vendor or manufacturer. Even in the best cases, you often must visit each device and apply the update manually, which is very time consuming.

Advanced two-way radio systems and smartphones do allow patching over the air, which simplifies the matter but opens up a potential new vulnerability: rogue firmware injection over the air. For devices where physical access is needed to install firmware, rogue firmware injection is more of a theoretical exploit vector, but it should still be assessed. It is important to look at how the device verifies the firmware loaded onto it (for example, whether images are cryptographically signed and the signature is checked before installation) to prevent someone from loading malicious firmware. Again, a thorough risk assessment will determine whether this is a threat to the specific organization. Creating and loading a custom firmware is currently a sophisticated attack that many companies probably do not need to worry about, given other vulnerabilities in their environment.

Bluetooth

Bluetooth is an extremely common technology, found in practically every cellphone, most laptops, many desktop computers, and an ever-growing number of cars. Bluetooth uses frequency-hopping spread spectrum in the 2.4 GHz ISM band, the same band used by WiFi, microwave ovens, and most other 2.4 GHz consumer devices. Bluetooth devices form a piconet of up to eight active nodes: one master and up to seven slaves. Bluetooth is used for short-range communication between peer devices, as well as between a device and its peripherals. The number and variety of peripherals that communicate via Bluetooth is immense: wireless headsets for hands-free cellphone use, keyboards, mice, game controllers, speakers, you name it. Bluetooth is best known for carrying audio, as in Bluetooth headsets, but it also connects HID devices such as keyboards and mice, and carries general data. Although not very popular, there are Bluetooth access points which function like WiFi access points to connect multiple devices to a network.

Attack tools against Bluetooth exist, such as Ubertooth (Figure 9.2), but Bluetooth is still not commonly targeted in penetration tests. Ubertooth is a custom-made radio dongle that can attack radio systems in the 2.4 GHz range. Originally it was created to attack only Bluetooth, hence the name, but it has since been expanded. The project’s home page is http://ubertooth.sourceforge.net/.

image

Figure 9.2 Ubertooth One Dongle. Reprinted with Permission from Meagan Call

Ubertooth can be used to monitor traffic, inject traffic, and do basic spectrum monitoring. It is very much a platform still in development, so new features are being added all the time. It is one of the cheaper, if not cheapest, ways to sniff Bluetooth, and the cheapest tool to inject custom packets. It has lowered the cost of entry to start attacking Bluetooth devices.

The key point about Ubertooth is that it is very difficult to take a consumer Bluetooth dongle and have it sniff and inject custom frames. With WiFi, this was very easy: nearly any WiFi adapter can be used to sniff traffic, and today most support injection as well. Once this was discovered, attacking WiFi became a lot cheaper. To date, the only way we have seen to accomplish this with a consumer Bluetooth dongle is to load a commercial sniffer firmware onto it, which has probable EULA violation implications. Commercial tools to sniff and inject Bluetooth packets cost thousands of dollars; Ubertooth has lowered the cost of a device to attack Bluetooth to $120.

Zigbee

Zigbee is a specification based on the IEEE 802.15.4 standard for personal area networks, typically used in short-range, low-power wireless devices. Commonly, Zigbee devices form mesh networks, extending their range by relaying through intermediary devices in the mesh. Zigbee is engineered into a wide range of products, from smart meters to thermostats to wireless light switches, and it shows up in a surprising number of places when you look for it, yet very few penetration testers are looking.

Hijacking Wireless Connections to Gain Access to Internal Systems

In all cases, the wireless links are potential attack points and should be considered by penetration testers. By attacking the links or devices, the attacker is usually looking to manipulate the systems they control. For example, you may be able to make it look like more power is being used, or attack an end point such as a thermostat and adjust the temperature in the building. This may not seem like a big deal, but in manufacturing and healthcare, temperature control is critical.

Beyond that, if you penetrate a device you may be able to use it to push further into the back-end corporate network. For example, on a recent penetration test of a smart grid system we were able to hijack the radio link between the smart meter and the power company. The power company assumed this was a secure link, and left the rest of its network far more exposed than it should have been. Once we were on that link, we had full access to the back-end systems and could execute a more traditional penetration test against the systems the smart meters talked to. We found vulnerabilities that allowed us to take over those systems and use them as a jumping-off point into the larger network.

The KillerBee framework was developed by Josh Wright to attack Zigbee. The project’s home page is http://code.google.com/p/killerbee/. It is free, open source software: a framework for assessing and exploiting vulnerabilities in ZigBee and IEEE 802.15.4 networks. It can be used to sniff packets, replay captured packets for replay attacks, and attack the cryptosystem used by Zigbee. Figure 9.3 shows KillerBee being used to inject custom-crafted packets using Scapy.

image

Figure 9.3 Using KillerBee to Inject Custom Crafted Packets. Printed with Permission from Spencer “zeroSteiner” McIntyre

KillerBee can be used with a couple of different Zigbee radios. The most popular is the Atmel RZUSBSTICK (Figure 9.4). KillerBee has limited functionality when using this radio with the stock firmware; loading a custom firmware makes more features available. Note that loading the custom firmware requires an Atmel programming tool (about $200 USD). Overall, though, it is still cheap to create a custom attack tool. The big benefit of KillerBee is that it created a cheap platform from which to sniff and inject packets against Zigbee. In the past, test gear to do this was very expensive. With KillerBee, you can turn a $40 Atmel RZUSBSTICK into an attack tool.

image

Figure 9.4 Atmel RZUSBSTICK Used by KillerBee. Reprinted with Permission from Meagan Call
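The frames KillerBee sniffs, replays and injects are IEEE 802.15.4 MAC frames, and the one thing every crafted or replayed frame must get right is the trailing frame check sequence. The following is an added example, not KillerBee’s or Scapy’s own code: it builds a minimal data frame with 16-bit short addresses and a valid FCS, parses it back, and rewrites the sequence number of a captured frame (as a replay would) while fixing up the FCS. The PAN ID, addresses, sequence number and payload are constructed values; only the FCF bit layout and the CRC definition come from the 802.15.4 specification.

```python
"""Build, check and re-tag a minimal IEEE 802.15.4 data frame (the MAC layer
Zigbee rides on). Added example, not KillerBee or Scapy code; PAN ID,
addresses, sequence number and payload below are made up.
"""
import struct

FRAME_TYPE_DATA = 1     # FCF bits 0-2
ADDR_SHORT = 2          # 16-bit short addressing mode


def fcs16(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 with polynomial x^16 + x^12 + x^5 + 1, init 0,
    bit-reflected (the CRC-16/KERMIT variant), transmitted LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_data_frame(pan_id, dst, src, seq, payload, ack_request=True):
    """Data frame with PAN ID compression and short addresses on both ends."""
    fcf = (FRAME_TYPE_DATA                   # bits 0-2: frame type
           | (0x20 if ack_request else 0)    # bit 5: acknowledgment request
           | 0x40                            # bit 6: PAN ID compression
           | (ADDR_SHORT << 10)              # bits 10-11: destination address mode
           | (ADDR_SHORT << 14))             # bits 14-15: source address mode
    mhr = struct.pack("<HBHHH", fcf, seq & 0xFF, pan_id, dst, src)
    body = mhr + payload
    return body + struct.pack("<H", fcs16(body))


def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 2 and struct.unpack("<H", frame[-2:])[0] == fcs16(frame[:-2])


def parse_data_frame(frame: bytes) -> dict:
    """Parse the layout build_data_frame() produces; rejects a bad FCS."""
    if len(frame) < 11 or not fcs_ok(frame):
        raise ValueError("short frame or FCS mismatch")
    fcf, seq, pan_id, dst, src = struct.unpack("<HBHHH", frame[:9])
    if fcf & 0x7 != FRAME_TYPE_DATA:
        raise ValueError("not a data frame")
    if (fcf >> 10) & 3 != ADDR_SHORT or (fcf >> 14) & 3 != ADDR_SHORT or not fcf & 0x40:
        raise ValueError("addressing mode not handled by this parser")
    return {"seq": seq, "pan_id": pan_id, "dst": dst, "src": src,
            "ack_request": bool(fcf & 0x20),
            "secured": bool(fcf & 0x08),     # bit 3: MAC-layer security enabled
            "payload": frame[9:-2]}


def reseq(frame: bytes, new_seq: int) -> bytes:
    """Replay helper: change the sequence number and recompute the FCS.
    The FCS only guards against channel errors; without MAC or network-layer
    security nothing stops a captured frame being altered and re-sent."""
    body = frame[:2] + bytes([new_seq & 0xFF]) + frame[3:-2]
    return body + struct.pack("<H", fcs16(body))


if __name__ == "__main__":
    frame = build_data_frame(0x1234, 0x0001, 0xABCD, 7, b"\x01\x02\x03")
    print(frame.hex())             # FCF 0x8861 appears on the air as bytes 61 88
    print(parse_data_frame(frame))
    print(parse_data_frame(reseq(frame, 8))["seq"])
```

The `secured` flag is the thing to look at first in a capture: if it is clear on the frames you see, the network is relying on nothing but the FCS, and a frame like the one above can be replayed or edited at will. When it is set, the attacks move to the key material, which is where KillerBee’s crypto tooling comes in.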

Digital Means More than Just WiFi

Clearly, there is a great deal more in the world of digital radio than just 802.11 (WiFi). Some example applications for non-WiFi wireless technologies are:

• Home/building automation systems: Common brands are Crestron, Control4, and X10. They connect lighting, HVAC, motion and temperature sensors, motorized window shades, and other appliances so that buildings and homes can be automated and made more energy efficient. For example, the automation system can be programmed to turn the HVAC system on and off depending on which rooms are occupied and on the weather forecast for the day. All of those light switches, sensors, thermostats, etc. are often connected wirelessly. Some use Zigbee or custom implementations of 802.15.4, while others use proprietary RF technology. These systems are not only green, they can also save money, so they will become more popular, particularly as prices on the technology drop and energy costs rise.

• Smart grid: The most popular smart grid applications currently are in electric power grids, but the idea applies to gas and water distribution networks as well. The technology is used to create a grid that can adapt in real time to changes. In a basic implementation, smart meters only report usage data back to a central office in real time, or near real time, but lack the ability to control anything. To be truly smart, the grid has to be able to take the information it has gathered and change or react to better manage load.
Smart grid meters can interact with home appliances to adjust energy usage. For example, they can interact with thermostats to set a higher AC temperature during the hot season if the grid is under heavy load. Or they can talk to smart appliances, such as laundry machines and dishwashers, to schedule them to run when energy is cheapest or in surplus, and avoid running when energy is in high demand. The meters, appliances, and the infrastructure to support this are often wirelessly connected using a variety of protocols, from proprietary mesh networks, to Zigbee, to cellular.

• Proprietary links for digital signs, billboards, etc.: Generally, billboards with full-color displays are updated over cellular links so they get faster speeds. Lower-tech signs, like gas price signs or the LED signs outside banks, use proprietary radio links that usually run at 9600 baud. They are slow, but not much data needs to be sent. There are really no standards here: a sign made by company A usually cannot be controlled by a controller made by company B.

Software-Defined Radios (SDRs)

We are accustomed to thinking of radios as hardware: transistors, circuitry, and an antenna. However, much of what a radio does to a signal can be done in software instead, and thus the software-defined radio (SDR) was born. The general design of an SDR is an RF front end feeding an analog-to-digital converter (ADC); the digitized signal is fed into a general purpose computer for processing (Figure 9.5). In some designs a digital signal processor (DSP) sits between the ADC and the general purpose computer to help process the ADC output. The RF front end varies, but its job is to convert the RF signal to a level and format usable by the ADC. In a perfect world you could just plug an antenna into an ADC, but in reality you need some front-end hardware (filtering, amplification, and usually downconversion) to bring the RF to a usable format and level.

image

Figure 9.5 Typical Software-Defined Radio Block Diagram

SDR is not a new concept, but with FPGAs and other electronics advances, it is now cheaper to implement them. Also, thanks to the speed of desktop computers, it has become feasible to implement features in software that formerly required specialized hardware for performance reasons. With the rise of cheaper SDRs, we are entering a new golden age of wireless hacking. While many SDRs are still expensive, prices are continually dropping, as with all electronics. SDRs will be the key to intercepting, decoding, and hacking the new digital RF systems.

How Does an SDR Differ from a Traditional Radio?

Software takes over features traditionally implemented in hardware: components that a traditional radio implements in hardware are implemented in software in an SDR. The software and processing can run on a general purpose computer (personal computer or embedded system). Some designs use Field Programmable Gate Arrays (FPGAs) to assist with processing, and often a combination of FPGA and general-purpose CPU is used.

Common parts of the radio implemented in software:

• Filters: Making hardware filters that adapt to changes in the signal is very complicated and requires a large number of components. This is much simpler in software, because the filter can be changed easily based on characteristics of the signal. For this reason filters are commonly implemented in software. All audio filters in an SDR are implemented in software, and often the RF channel filters are as well.

• Amplifiers: Due to the laws of physics, hardware amplifiers always add noise when they amplify a signal. Better hardware amplifiers add less, but some noise is still introduced. Software can scale a signal without adding noise; the issue instead is making sure the signal was sampled at a high enough rate, and with enough resolution, that it can be scaled without losing clarity. Generally speaking, the higher the sample rate and bit depth, the better the result. Note that in most SDRs today the RF amplifier in the front end is still implemented in hardware. On higher-end radios more of the front end is implemented in software, and as SDRs advance these benefits will be realized by more users.

• Modulators/demodulators: One of the most common parts implemented in software. The other components in this list are often still implemented in hardware for many models of SDR. It is much easier to add new demodulators in software. It is also easier for software to give the end user the capability to adjust the modulators manually, or automatically, depending on the signal. Building a hardware demodulator that has the same level of flexibility and control is fairly complicated, and therefore an expensive proposition.

Advantages of SDR

• Cost: By emulating costly specialized hardware components, manufacturers are able to make radios with fewer, and cheaper non-specialized components.

• Rapid development: The great advantage of SDR is that you can change the radio by changing code instead of rewiring a hardware component. This allows for fast prototyping. If problems exist, you seldom need to rewire the hardware; you just patch the software. Once one developer produces and distributes the code, anyone can download and run it. With a physical radio, even after someone works out how to decode a signal, it still takes skill to build the hardware that does it.

• Upgradeability: With most obsolete hardware, all you can usually do is replace it. A lot of radio hardware still works perfectly well but lacks features or refinements that newer models offer. Obsolete software, by contrast, can simply be upgraded to gain new features and functionality.

• Flexibility: SDR provides far more features and configuration options than you can fit into a single piece of radio hardware.

• Device consolidation: One piece of well-made and versatile SDR hardware can be adapted to do multiple things by loading in new code. In the past, it was necessary to build multiple, purpose-built radios—which got large and expensive. Today, you can modify a single SDR to perform multiple functions based on the code it is running. The flexibility of SDR means we can gain the ability to decode video and other data formats such as POCSAG (pagers) by writing new programs. For example in open source SDR, such as GNU Radio, there is existing source code for decoding two-level and four-level FSK signals. This functionality often costs extra in commercial SDR products.

• Signal capture and advanced analysis: Finally, one of the greatest advantages of SDR is the ease with which RF signals can be recorded to a file. You can perform far more extensive analysis on a recorded signal than on a live one. Traditional radios require a signal to be present in order to analyze it, but with a recording you can go back repeatedly and analyze it in different ways. This is a huge help when analyzing an unknown signal. With traditional radios, at best you could record the audio output of the radio and analyze that later.
Unless you know exactly how to decode the signal, we recommend capturing the raw RF signal so you can process it later. If you do know how to decode it to a usable audio format, you can do that as well. If the RF capture is done right (capturing the entire signal), you have the raw signal with no processing applied. Once the original RF signal has been demodulated to audio, if it was demodulated wrongly (AM versus FM, for example), the information needed to decode the signal may be gone.

The Power of Recording Raw RF Signals
Offline Analysis of Unknown Data Signals

For much the same reason professional photographers like to shoot in RAW format, it is always worthwhile to capture the original, unprocessed RF signal whenever you can. For analyzing signals, recording is incredibly useful, because you no longer need to analyze the system live, which can involve lots of time waiting for a signal. Once you capture the transmission, you can take it off site and analyze it as much as you like. Being able to replay the sampled signal multiple times is hugely beneficial.

On one project, we needed to reverse-engineer the radio signal used to control a PLC (Programmable Logic Controller) that ran an industrial process. Once we found the frequency of the signal, we could hear data when we tuned to that channel and demodulated it as FM. When we fed this audio into a visualization tool it looked like a square wave. We might have been able to decode the binary signal right there. However, at the time we were not sure how the control signal was encoded over the air, whether it really was FM, or whether it just happened to look like FM. So we captured both the raw RF signal and the demodulated FM audio.

When we later analyzed the RF capture, we found it was an FSK-encoded signal, and could only decode it properly from the RF capture. If we had captured just the FM audio, we would have wasted time and been forced to go back and re-capture the signal, if we could get another opportunity.

The raw capture can also be helpful when analyzing frequency-hopping systems. While hopping is occurring it can be very difficult to guess the hopping pattern and sync up with the signal in real time. If you capture the raw RF signal, however, it is much easier to analyze the hopping pattern off-line, and once you do figure out the pattern you can feed the raw RF capture back into GNU Radio and decode the traffic. Note that when doing this you need to capture the whole signal: if the hopping system you are analyzing hops over a 5 MHz range, for example, the raw capture must be at least 5 MHz wide, which means sampling fast enough to span that range.

What is FSK?

FSK stands for Frequency-Shift Keying and is a common digital modulation used to transmit data wirelessly: each symbol is sent as a tone at one of two or more frequencies.

To decode FSK signals you need an FSK decoder. Decoders come in two types, 2-level and 4-level, and are also called data slicers.

A 2-level decoder is a fairly simple circuit to build in hardware (Figure 9.6), and can decode traffic up to 2400 baud, although 1200 baud is a more realistic upper limit. A 4-level decoder is a more complicated circuit to build, but still possible for the hobbyist; it can decode faster data rates and will also decode 2-level signals.

image

Figure 9.6 Hardware 2-Level FSK Decoder. Reprinted with Permission from Meagan Call

A hardware FSK decoder takes the audio output from a radio and converts it to serial (RS-232, or RS-232 over USB), which can be fed into a computer so a program there can process it. The decoder does not need to know what type of data it is decoding.

FSK decoders, with the appropriate software, can be used to decode POCSAG and FLEX, two popular pager protocols, as well as trunking control channels and APCO P25 traffic.
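The software modulator/demodulator described under “How Does an SDR Differ from a Traditional Radio?” and the hardware slicer above do the same job; the added example below (not from the book, and not GNU Radio code) shows that job done in plain Python on a complex baseband capture. It generates 2-level and 4-level FSK, runs a quadrature FM discriminator over the IQ samples (this discriminator output is what the radio’s audio jack would carry to a hardware slicer), averages over each symbol period and picks the nearest level. The sample rate, baud rate, tone spacing, noise level and message are constructed values, and the “capture” is synthesized rather than recorded.

```python
"""2-level and 4-level FSK in software: modulate, FM-discriminate, slice.

Added example, not from the book. Sample rate, baud and tone spacing are
constructed values; the IQ 'capture' is generated here rather than recorded.
"""
import cmath
import math
import random

SAMPLE_RATE = 48_000        # samples/s of the constructed complex baseband capture
BAUD = 1200                 # symbol rate
SPS = SAMPLE_RATE // BAUD   # 40 samples per symbol

FSK2 = [-600.0, 600.0]                      # Hz offsets for symbols 0, 1
FSK4 = [-900.0, -300.0, 300.0, 900.0]       # Hz offsets for symbols 0..3


def fsk_modulate(symbols, levels):
    """Unit-amplitude complex baseband: symbol k is a tone at levels[k] Hz."""
    phase = 0.0
    iq = []
    for s in symbols:
        step = 2 * math.pi * levels[s] / SAMPLE_RATE   # phase advance per sample
        for _ in range(SPS):
            phase += step
            iq.append(cmath.exp(1j * phase))
    return iq


def add_noise(iq, sigma, seed=1):
    """Add constructed Gaussian noise (sigma per I and Q component)."""
    rng = random.Random(seed)
    return [z + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for z in iq]


def fm_discriminate(iq):
    """Quadrature discriminator: instantaneous frequency (Hz) of each sample.
    This is what an FM receiver's audio output would carry."""
    freq = [cmath.phase(b * a.conjugate()) * SAMPLE_RATE / (2 * math.pi)
            for a, b in zip(iq, iq[1:])]
    freq.insert(0, freq[0])     # keep one value per input sample
    return freq


def slice_symbols(freq, levels):
    """Data slicer: average over each symbol period, pick the nearest level.
    With two levels this is a threshold at 0 Hz; with four, three thresholds."""
    symbols = []
    for i in range(0, len(freq) - SPS + 1, SPS):
        avg = sum(freq[i:i + SPS]) / SPS
        symbols.append(min(range(len(levels)), key=lambda k: abs(levels[k] - avg)))
    return symbols


def bytes_to_symbols(data, bits_per_symbol):
    """MSB-first packing of bytes into symbols of the given bit width."""
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    return [int("".join(map(str, bits[i:i + bits_per_symbol])), 2)
            for i in range(0, len(bits), bits_per_symbol)]


def symbols_to_bytes(symbols, bits_per_symbol):
    bits = "".join(format(s, f"0{bits_per_symbol}b") for s in symbols)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))


def demodulate(iq, levels):
    """Raw IQ -> discriminator 'audio' -> sliced symbols -> bytes."""
    bits_per_symbol = int(math.log2(len(levels)))
    return symbols_to_bytes(slice_symbols(fm_discriminate(iq), levels), bits_per_symbol)


if __name__ == "__main__":
    msg = b"\xaa\x55PLC"
    capture = add_noise(fsk_modulate(bytes_to_symbols(msg, 1), FSK2), 0.05)
    print(demodulate(capture, FSK2))          # 2-FSK through noise
    print(demodulate(fsk_modulate(bytes_to_symbols(msg, 2), FSK4), FSK4))   # 4-FSK
```

Symbol timing is assumed known and aligned here; on a real capture you would first measure the baud rate from the discriminator output (the square wave the book describes) and find the symbol boundaries before slicing. Keeping the IQ rather than the discriminator output is what lets you redo that step, or switch from 2-level to 4-level slicing, without re-capturing.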

Usually an SDR will interface with the host PC via a USB cable, but some high performance units use high speed connections such as gigabit Ethernet.

Disadvantages of SDR

• Depending on what you want to do, it may require both software programming abilities and a deep understanding of RF and electronics. This can even be a concern when customizing someone else’s code.

• Data decoding features are either expensive (commercial products), or else rough around the edges (open source software still in early development).

• Some SDR hardware can be very expensive.

GNU Radio

GNU Radio is an open source toolkit for building software-defined radios. It is released under the GPLv3 license and provides signal processing blocks written in C++, connected together by glue code written in Python into “flow graphs.” It includes a number of pre-built blocks and graphs to decode a wide range of things, from broadcast FM radio to GSM cell phone traffic. Figure 9.7 is a graphical representation of a wideband FM receiver written for GNU Radio.

image

Figure 9.7 Wide Band FM Radio Written for GNU Radio

GNU Radio is fairly hardware independent. The Ettus Research Universal Software Radio Peripheral (USRP) is probably the most popular radio that can be used with it. Cost for a complete USRP starts around $800–1000 for a USRP1 and a daughter card. The price range is mainly determined by which model of daughter card you get.

To set up an Ettus USRP, there is a main chassis that accepts different daughterboards, which allow the radio to transmit and receive on different frequencies. Different USRP models are available, designed to process different amounts of bandwidth, some offering onboard processing power, with USB or Ethernet interfaces. The USRP1 (Figure 9.8) is currently the most popular model with hobbyists and penetration testers. It uses a USB 2.0 interface and has four daughterboard slots (two transmit, two receive). It supports up to 8 MS/s to the host PC. Depending on the daughterboard, it can receive and transmit over a very wide frequency range. The USRP1 currently costs $700 without any daughter cards.

image

Figure 9.8 Ettus USRP1. Reprinted with Permission from Meagan Call

Currently Ettus makes 13 different daughter cards for the USRP. Four of the daughter cards are popular with penetration testers, so will be discussed here. The WBX daughter card (Figure 9.9) can transmit and receive between 50 and 2200 MHz and costs $400. The TVRX2 is a receive-only daughter card that covers 50–860 MHz and costs $200. The TVRX2 card can also receive two signals at once. Due to the frequency ranges they cover, the WBX and TVRX2 cards can receive most signals of interest to penetration testers performing wireless reconnaissance.

image

Figure 9.9 Inside of an Ettus USRP1 with the WBX and RFX2400 Daughter Cards Installed. Reprinted with Permission from Meagan Call

The RFX2400 and XCVR2450 are two other daughter cards popular with penetration testers. The RFX2400 (Figure 9.9) can transmit and receive in the 2.3–2.9 GHz range, which covers the frequencies used by 802.11b/g, Zigbee, and Bluetooth. The RFX2400 costs $275. The XCVR2450 expands on the capabilities of the RFX2400 by adding the ability to transmit and receive in the 4.9–5.9 GHz band. This lets the card operate in the frequency range used by 802.11a, 802.11n in the 5 GHz band, and cordless phones operating at 5 GHz. The XCVR2450 costs $400. If a penetration tester has the budget, the authors recommend investing in a USRP1 chassis with the WBX and XCVR2450 daughter cards.

Example: Using the GNU Radio as a Spectrum Analyzer

Spectrum analyzers are helpful tools for visualizing a chunk of the RF spectrum. This is useful when trying to find new signals or to see how a signal behaves; for example, it can help spot frequency-hopping spread spectrum radios. Issuing the command usrp_fft.py -f followed by the center frequency opens a new window like the one in Figure 9.10.

image

Figure 9.10 FFT Display on GNU Radio
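The FFT window above is a live view; the same analysis run off-line over a recorded IQ file is what the earlier “raw capture” section recommends for frequency-hopping systems. The following added example (not from the book and not GNU Radio code) does that in plain Python: it computes a power spectrum per block of samples ordered as usrp_fft.py draws it, keeps a max-hold across the whole capture so every channel a hopper visits lights up, and then lists the peak per block to recover the hop sequence and dwell time. The capture is synthesized here (a noisy tone stepping through a made-up channel plan); the sample rate, FFT size, dwell and channel plan are constructed values.

```python
"""Offline spectrum analysis of an IQ capture: per-block FFT, max-hold and
hop-sequence recovery. Added example, not code from the book or GNU Radio;
the capture is constructed here and all rates, sizes and channels are made up.
"""
import cmath
import math
import random

SAMPLE_RATE = 1_000_000   # capture rate in samples/s, so the capture spans 1 MHz
FFT_SIZE = 256            # bin width = SAMPLE_RATE / FFT_SIZE = 3906.25 Hz
DWELL = 1024              # samples the constructed hopper spends on each channel
# Constructed hop plan, placed on bin centres so each tone lands in one bin.
HOP_PLAN = [-250_000.0, 125_000.0, 31_250.0, -62_500.0, 390_625.0]


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def power_db(block):
    """Power per bin in dB, shifted so index 0 is -SAMPLE_RATE/2 (as usrp_fft.py draws it)."""
    n = len(block)
    bins = fft(block)
    shifted = bins[n // 2:] + bins[:n // 2]
    return [10 * math.log10(abs(b) ** 2 / n ** 2 + 1e-15) for b in shifted]


def bin_to_hz(i, n=FFT_SIZE):
    return (i - n // 2) * SAMPLE_RATE / n


def blocks(iq, n=FFT_SIZE):
    return [iq[i:i + n] for i in range(0, len(iq) - n + 1, n)]


def max_hold(iq):
    """Per-bin maximum over all blocks: a hopper shows every channel it visits."""
    hold = [-200.0] * FFT_SIZE
    for blk in blocks(iq):
        hold = [max(h, p) for h, p in zip(hold, power_db(blk))]
    return hold


def channels_above(spectrum_db, threshold_db):
    """Centre frequencies (Hz) of the bins above threshold."""
    return [bin_to_hz(i) for i, p in enumerate(spectrum_db) if p > threshold_db]


def hop_sequence(iq):
    """Peak frequency of each block, run-length encoded as (Hz, blocks_dwelt)."""
    runs = []
    for blk in blocks(iq):
        spec = power_db(blk)
        peak = bin_to_hz(max(range(FFT_SIZE), key=spec.__getitem__))
        if runs and runs[-1][0] == peak:
            runs[-1] = (peak, runs[-1][1] + 1)
        else:
            runs.append((peak, 1))
    return runs


def make_hopper(plan=HOP_PLAN, dwell=DWELL, sigma=0.1, seed=2):
    """Constructed capture: a unit tone hopping through plan, plus Gaussian noise."""
    rng = random.Random(seed)
    phase, iq = 0.0, []
    for hz in plan:
        step = 2 * math.pi * hz / SAMPLE_RATE
        for _ in range(dwell):
            phase += step
            iq.append(cmath.exp(1j * phase) + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return iq


if __name__ == "__main__":
    cap = make_hopper()
    print(sorted(channels_above(max_hold(cap), -20.0)))   # the five channels visited
    print(hop_sequence(cap))                               # [(-250000.0, 4), (125000.0, 4), ...]
```

Two things to keep in mind on a real capture: the FFT blocks here happen to align with the hops, so no block straddles a channel change; with an unknown dwell you would use overlapping blocks and expect smeared peaks at the boundaries. And the capture bandwidth must cover the whole hop range, as the raw-capture section says; a channel outside ±SAMPLE_RATE/2 simply does not appear.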

Using GNU Radio with a $20 USB TV Tuner

GNU Radio also supports a variety of inexpensive USB TV tuners, which usually cost around $20. Look for compatible ones built on the Realtek RTL2832U chipset. They are not nearly as powerful as the USRP: they cannot transmit, they are limited in how much bandwidth they can process, and receiver performance can be poor. But for $20 it is a great way to experience the power of SDR, and its weaknesses may be lessened as better software is developed for the radio. Dongles with the Elonics E4000 tuner have the best performance discovered to date. They can tune from 64 to 1700 MHz, with a gap around 1100–1250 MHz (that band was not used for television broadcast). They have a theoretical sample rate of 3.2 MS/s, but as of this writing they reliably deliver only up to 2.8 MS/s. Third-party drivers are needed to get them working with GNU Radio; gr-baz and Osmocom’s rtl-sdr are two projects that provide these drivers.

WiNRADiO

WiNRADiO is one of the most popular consumer SDRs. It is a commercially developed group of SDRs, and consists of receivers only. They come pre-built, so there is no assembly required, and start at around $700 and up. Figure 9.11 is the WiNRADiO G305e receiver. The WiNRADiO software that comes with these radios provides the ability to decode all analog formats (AM, FM, SSB). Adding capability to decode digital formats requires additional software, which costs extra. WiNRADiO has a polished GUI interface (Figure 9.12), especially when compared to the interface on GNU Radio. Most of the WiNRADiO software is written for Windows, but there is some support for Mac OS X and Linux.

image

Figure 9.11 WiNRADiO G305e Receiver. Reprinted with Permission from Meagan Call

image

Figure 9.12 WiNRADiO G305 GUI

WiNRADiO offers a Professional Demodulator option for $200 which makes it easy to see how signals are demodulated for the various formats it supports, and to adjust the filters and processing applied during the demodulation process. When the Demodulator is in Professional Mode, set under the Demodulator menu on the main menu bar, you can open a tool to analyze and customize how the signal is demodulated. To open this tool click Setup in the demodulator section of the WiNRADiO GUI. On this initial screen (Figure 9.13) a number of variables can be adjusted, which affect how the signal is demodulated.

image

Figure 9.13 WiNRADiO Professional Demodulator Setup Window

The audio filter settings can easily be adjusted by clicking and dragging the edge limits of the filter. Figure 9.14 shows the default filter setting and Figure 9.15 shows the filter after it has been adjusted.

image

Figure 9.14 Default FMN Notch Filter

image

Figure 9.15 Customized FMN Notch Filter

Additionally, on this screen the demodulation settings can be adjusted to determine how the signal is demodulated. To assist with adjusting the demodulation settings, a block diagram of the demodulation structure can be displayed (Figure 9.16) by clicking on the View Demodulation Structure button on the Demodulator Settings window. By clicking on the various points in the block diagram you can see what the signal looks like as it is processed by the demodulator. This view is helpful when fine-tuning a demodulator, to see how various settings affect the processing of a signal.

image

Figure 9.16 Demodulator Block Diagram

The capabilities of a WiNRADiO can be extended via a plug-in architecture called XRS (eXtensible Radio Specification), which lets individuals write their own plug-ins or use plug-ins created by third parties. Most of these plug-ins are free, but some cost money. They allow users to add functionality to fit their needs. There is still not a large community writing WiNRADiO plug-ins; far more people are creating new blocks and flow graphs for GNU Radio. WiNRADiO sells a number of plug-ins to expand their products. There is also an online site at http://xrs.WiNRADiO.com where third-party developers can post their XRS extensions. Some popular examples of these extensions include:

• APCO P25 Decoders ($99.95–$199.95 depending on the radio), made by WiNRADiO. Note that this only decodes the APCO P25 digital format to voice; it does not provide any trunk-tracking capability. (Trunking is provided by a separate software package; see below.)

• Trunking software ($99.95–$199.95, depending on the radio it is created for), made by WiNRADiO. This package allows you to track trunked radio systems as they switch channels. (See the section on Trunking in Chapter 2 for more information on how trunked radio systems work.)

• Advanced Digital Suite ($199.95), made by WiNRADiO. It decodes WEFAX, HF Fax, NAVTEX, Packet Radio, ACARS, CTCSS, and DTMF. CTCSS and DTMF are the most useful for radio recon. It also has some signal analysis capabilities, which can be useful for identifying the encoding used on an unknown data signal. One of the more challenging parts of signal analysis, when you find an unknown data signal, is figuring out how it is encoded. By listening to it you can tell it is data: it will sound like a modem, and with experience it’s possible to guess what it is by how it sounds. For example, pagers sound different from trunking control channels. Barring identification by ear, the signal analysis tools in the Digital Suite can do the job. For example, using an audio waterfall graph (Figure 9.17), it’s possible to see patterns in the signal which could be a clue to its format. An oscilloscope view (Figure 9.18) can help you figure out whether it is FSK, simple on/off keying, or another data format. FSK signals have a distinctive-looking waveform, so if you see that pattern, the next step is to feed the signal into an FSK decoder, see what comes out, and try to figure out how to decode that.

image

Figure 9.17 Waterfall Graph Showing Transmit Pattern of Burst Radio System

image

Figure 9.18 Oscilloscope View of Data Signal

• Universal FSK Decoder ($499.95), made by WiNRADiO. This can decode a number of formats, but the most useful feature is the ability to output raw bits which can be processed by external programs. Such analysis tools are very helpful when decoding signals, especially non-standard formats. Its decoder handles only two-level FSK, so formats that use four-level FSK cannot be decoded. Many modern FSK formats use four-level encoding, so this is a pretty big weakness, especially for a $500 piece of software.

• Mini SIGINT (Figure 9.19) is a free plug-in that takes a fingerprint of a section of spectrum and then alerts when changes over a certain threshold appear in that spectrum. This tool is useful for finding new signals. For example, if you know a device works in a certain band but do not know the exact frequency it is using, you can take a baseline scan of that band to obtain a fingerprint of the ambient RF, then power up the unknown device and re-scan. The plug-in will identify which frequencies appeared when the device was active.

image

Figure 9.19 Mini SIGINT XRS Plug-In Identifying New Signals

• Band Search (Figure 9.20) is a free plug-in that allows you to easily select a band to search for activity.

image

Figure 9.20 XRS Band Search Plug-In

• Waterfall Scanner (Figure 9.21) is a free XRS plug-in which graphs the activity of a set frequency range in three dimensions (signal strength versus frequency versus time). The plug-in can also log this data to a txt or CSV file, which is helpful for off-line analysis. Note that this plug-in does not log raw RF data as GNU Radio can. Instead it logs the data used to create the graph, such as the frequency, signal strength, and time at which each signal was detected. This tool is helpful for visualizing the activity of a band over time, and for determining whether seemingly random signals are following a pattern.

image

Figure 9.21 XRS Waterfall Scanner
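The two items above on identifying an unknown FSK signal (Advanced Digital Suite) and on the Universal FSK Decoder's two-level limitation can be made concrete with a small M-ary FSK demodulator. The following is an added example written for this chapter, not WiNRADiO code or output from any XRS plug-in; the sample rate, baud rate, tone frequencies and the 0.5 energy-fraction threshold are constructed assumptions, and the modulator exists only to synthesize a clean test signal. It goes beyond the two-level case described in the text: the same per-symbol tone-energy measurement decodes four-level FSK when all four tones are listed, and it shows what a decoder that knows only two tones makes of a 4-FSK burst, namely erasures where the inner tones' symbols should yield two bits each.

```python
import math

# All parameters below are constructed for this example, not taken from any product.
SAMPLE_RATE = 8000                     # Hz: audio-rate baseband, as a demodulator's audio output
BAUD = 100                             # symbols per second
N = SAMPLE_RATE // BAUD                # 80 samples per symbol, so DFT bins are 100 Hz apart
TONES_2FSK = [1200, 2200]              # two levels: symbol 0 = space tone, symbol 1 = mark tone
TONES_4FSK = [1000, 1400, 1800, 2200]  # four levels: each symbol carries two bits (00..11)


def goertzel_power(block, freq):
    """Squared DFT magnitude |X[k]|^2 at the bin nearest freq, via the Goertzel recurrence."""
    n = len(block)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_fraction(block, freq):
    """Share of the block's energy sitting at freq: 1.0 for a pure tone there, ~0 if absent."""
    energy = sum(x * x for x in block)
    if energy == 0.0:
        return 0.0
    # Parseval: the sum over all N bins of |X[k]|^2 equals N * energy, and a real sinusoid
    # splits its energy evenly between bins k and N-k, hence the factor of 2.
    return 2.0 * goertzel_power(block, freq) / (len(block) * energy)


def mfsk_modulate(symbols, tones):
    """Synthesize a clean continuous-phase M-FSK signal: one tone per symbol, N samples each."""
    phase, out = 0.0, []
    for sym in symbols:
        step = 2.0 * math.pi * tones[sym] / SAMPLE_RATE
        for _ in range(N):
            out.append(math.sin(phase))
            phase += step
    return out


def mfsk_demodulate(samples, tones, min_fraction=0.5):
    """Per symbol, pick the tone holding most of the energy; None if no listed tone dominates."""
    symbols = []
    for start in range(0, len(samples) - N + 1, N):
        block = samples[start:start + N]
        fractions = [tone_fraction(block, f) for f in tones]
        best = max(range(len(tones)), key=fractions.__getitem__)
        symbols.append(best if fractions[best] >= min_fraction else None)
    return symbols


def bits_to_symbols(bits, bits_per_symbol):
    """Group bits MSB-first into integers 0 .. 2**bits_per_symbol - 1."""
    return [int("".join(str(b) for b in bits[i:i + bits_per_symbol]), 2)
            for i in range(0, len(bits), bits_per_symbol)]


def symbols_to_bits(symbols, bits_per_symbol):
    """Inverse of bits_to_symbols; every symbol must be a decoded integer, not None."""
    return [int(c) for s in symbols for c in format(s, f"0{bits_per_symbol}b")]


def roundtrip(bits, tones):
    """Modulate then demodulate with a decoder that knows all of the tones."""
    bits_per_symbol = len(tones).bit_length() - 1     # 2 tones -> 1 bit, 4 tones -> 2 bits
    samples = mfsk_modulate(bits_to_symbols(bits, bits_per_symbol), tones)
    return symbols_to_bits(mfsk_demodulate(samples, tones), bits_per_symbol)


def two_level_view_of_4fsk(bits):
    """What a two-level decoder tuned to the outer tones sees in a 4-FSK burst."""
    samples = mfsk_modulate(bits_to_symbols(bits, 2), TONES_4FSK)
    return mfsk_demodulate(samples, [TONES_4FSK[0], TONES_4FSK[-1]])


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    print("2-FSK round trip:", roundtrip(data, TONES_2FSK))
    print("4-FSK round trip:", roundtrip(data, TONES_4FSK))
    print("4-FSK seen by a two-level decoder:", two_level_view_of_4fsk(data))
```

Real captures carry noise, frequency offset and timing drift, so a field decoder also needs symbol-timing recovery and a lower confidence threshold; the point here is the per-symbol tone-energy test, which is what any FSK decoder, two- or four-level, ultimately performs, and why a two-level product cannot be coaxed into reading four-level formats.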
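The Mini SIGINT and Waterfall Scanner items above describe two analyses that can be run offline over the kind of log the Waterfall Scanner exports. The following is an added example written for this chapter, not WiNRADiO's plug-in code; the CSV column layout (`time_s,freq_mhz,dbm`), both logs, the assumed -110 dBm noise floor, the 10 dB alert threshold and every frequency and level in them are constructed. It fingerprints a baseline scan, flags frequencies in a later scan that exceed the baseline by the threshold (the Mini SIGINT idea), and then checks whether the bursts on each new frequency recur at a regular interval (the pattern question the Waterfall Scanner's log is meant to answer), including the case of a frequency seen too rarely to judge.

```python
import csv
from io import StringIO
from statistics import mean

# Assumed level for a frequency the baseline scan never reported (constructed).
NOISE_FLOOR_DBM = -110.0

# Constructed baseline: the ambient RF in the band before the unknown device is powered up.
# The column layout is an assumption for this example, not the plug-in's real export format.
BASELINE_LOG = """time_s,freq_mhz,dbm
0.0,433.920,-92
0.0,462.5625,-101
0.0,464.500,-88
"""

# Constructed scan with the device active: a periodic burst on 467.7375 MHz, one
# unrelated burst on 151.820 MHz, and the baseline signals wandering by a couple of dB.
SCAN_LOG = """time_s,freq_mhz,dbm
0.0,433.920,-90
2.0,467.7375,-60
3.0,462.5625,-99
5.0,464.500,-87
7.0,467.7375,-61
9.0,151.820,-70
12.0,467.7375,-60
14.0,433.920,-91
17.0,467.7375,-62
"""


def parse_log(text):
    """Rows of (time in seconds, frequency in MHz, level in dBm)."""
    return [(float(r["time_s"]), float(r["freq_mhz"]), float(r["dbm"]))
            for r in csv.DictReader(StringIO(text))]


def fingerprint(records):
    """Strongest level seen on each frequency: the baseline the later scan is compared to."""
    fp = {}
    for _, freq, dbm in records:
        fp[freq] = max(dbm, fp.get(freq, NOISE_FLOOR_DBM))
    return fp


def new_signals(baseline, scan, threshold_db=10.0):
    """Frequencies whose level in the scan beats the baseline by at least threshold_db."""
    hits = {freq for _, freq, dbm in scan
            if dbm - baseline.get(freq, NOISE_FLOOR_DBM) >= threshold_db}
    return sorted(hits)


def burst_periodicity(scan, freq, jitter_s=0.5):
    """(mean interval between bursts, whether every interval is within jitter_s of it).

    Fewer than three bursts give no usable interval estimate, so the result is (None, False).
    """
    times = sorted(t for t, f, _ in scan if f == freq)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, False
    period = mean(gaps)
    return period, max(abs(g - period) for g in gaps) <= jitter_s


def analyze(baseline_text, scan_text, threshold_db=10.0):
    """Map each newly appeared frequency to its burst period and regularity verdict."""
    baseline = fingerprint(parse_log(baseline_text))
    scan = parse_log(scan_text)
    return {freq: burst_periodicity(scan, freq)
            for freq in new_signals(baseline, scan, threshold_db)}


if __name__ == "__main__":
    for freq, (period, regular) in analyze(BASELINE_LOG, SCAN_LOG).items():
        verdict = f"every {period:.1f} s" if regular else "no regular pattern"
        print(f"{freq:.4f} MHz: new signal, {verdict}")
```

The threshold is applied per frequency against the strongest level the baseline ever showed, so a signal that was already present but a few dB stronger does not raise an alert, while a frequency the baseline never saw is judged against the assumed noise floor. Only frequencies flagged as new are examined for periodicity, which keeps the output to the handful of lines an analyst wants from a long log.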

WiNRADiO is excellent for finding new signals and for performing analysis on digital signals before decoding. However, unless the right decoder exists for WiNRADiO and we have purchased it, we usually decode them with GNU Radio on the USRP. The polished interface of WiNRADiO makes it better for quickly detecting a signal; from there we can determine whether it is of interest and perform further analysis using GNU Radio, which in many cases can do things that cannot be done with WiNRADiO, thanks to the support of the open source community.

There are other consumer-grade software-defined radios, but most cover the HF bands, which are of limited use in wireless recon, so they are not discussed here.

Network-Enabled Dispatch Systems

Network-enabled dispatch systems are a recent newcomer to the environment, and are beginning to draw the interest of penetration testers. In the old days, the dispatcher needed to be close to the transmitter to dispatch units. This limited where a dispatcher could be physically located. Everything was hardwired, which also limited the mobility of the dispatcher. The hardwired nature of these systems also offered some security.

High-end, modern data radio dispatch systems often operate over IP-enabled networks using VOIP. One benefit is that dispatchers can now move around to any place they can get an IP connection. The downside is that the systems are now on IP-enabled networks, which opens them up to new attacks (or old attacks, depending on your perspective).

Case Study: VOIP-Enabled Dispatch Radio on an Open TCP/IP Network

A university recently updated to a new IP-enabled dispatch system. Initially, they were very excited because it allowed the dispatcher to easily move around the campus. With a laptop and some other portable equipment, she could plug in anywhere on campus and start dispatching. They foresaw that this would give campus security great disaster recovery capabilities if the security building was taken over or they could not operate from there for some reason.

Not understanding the potential vulnerability they would be exposing themselves to, they opened up access to the radio system so the dispatcher could be on the teacher, student, or any of the campus wireless networks. Unfortunately, this meant that anyone with access to these fairly public networks could attack their new radio system. In looking at the radio system, we found the software needed to interact with it was difficult to obtain; we could not find it online. This offered them some protection, at least as long as that remained true. The system wasn’t designed to be put on a public network, which the student network basically was, and was poorly secured because of that. All of the traffic generated by the dispatch system was transmitted in cleartext, including user authentication, VOIP streams, and information about unit assignments. The dispatch system had an activity log, where the dispatcher could note which units were responding to which calls, and when they finished with the calls. This sensitive information would have been highly useful to unfriendlies, who could have easily used the public networks at the university to monitor the dispatcher’s coordination efforts and used the information to keep one step ahead of the security force, or spoofed the system to misdirect units to where they weren’t needed.

Additionally, the hardware that was provided and supported by the vendor was not well secured. For example, the system was missing security patches. The database running on the system had a very weak SA password set. The system had a large number of listening services, which exposed additional attack surface. That many open ports wouldn’t be alarming on an internal network, but it was far too many for a system connected to a public network anyone could join.

First, we recommended placing this system in its own private DMZ. The vendor would not apply patches until they had been thoroughly tested, so there would be long periods of time during which the system could not be patched.

We recommended setting up a dedicated VLAN on the campus teacher network that could reach the DMZ, and assigning a few network ports spread across campus to this special VLAN, and therefore to the radio dispatch system. These special network jacks were also placed in secure locations where not just anyone could plug in and use them, so in an emergency they knew they could go to these locations to gain access to the dispatch system. This VLAN was also given a high Quality of Service (QoS) priority on the network, to ensure the dispatch traffic was not dropped when the network got congested.

We debated using a VPN but the vendor would not guarantee it would work over a VPN, given the latency it could introduce and how sensitive VOIP can be to latency issues.

The vendor also said they do not recommend accessing the system over a wireless link because of potential latency issues. That, paired with the security concerns, stopped them from using it over wireless.

Conclusions and Looking Forward

In summary, there’s a great deal more to wireless than just 802.11. There is a clear trend toward everything changing over to digital formats, and moving away from analog. Wireless communications are becoming increasingly commonplace just about everywhere—not just to replace existing wired systems, but adding “smart” capabilities to devices and systems which previously lacked them. There is a great deal of opportunity here for the penetration tester, as new technologies are implemented without due consideration given to the security implications. An ever-increasing surface area for potential vulnerabilities to be discovered will keep security professionals busy for years to come.

Software-defined radios are bringing about a golden age of wireless hacking. Their ability to reduce the amount of specialized hardware you need to carry with you, combined with their superior flexibility and adaptability and the enhanced signal analysis capabilities they bring to the table, gives the security professional a very flexible and powerful tool.

With radio, as with any high-tech field, the only constant is change. It’s important to keep your knowledge of the industry current. Staying abreast of the state of the art is a challenge. The best way to do that is to become immersed in the community. Read trade and hobbyist magazines such as Monitoring Times and Popular Communications on a regular basis. Getting your amateur radio license and joining local radio and scanner clubs are both great ways to get started with building your hands-on experience. The American Radio Relay League (ARRL) website (http://www.arrl.org/) is a great source of information on how to get your amateur radio license or locate a local amateur radio club. The radio community is also very active on the Internet. Radioreference.com provides community forums, which are a source of both news and lively discussion, and provide opportunities to make contacts and friends with other professionals in the RF field.
