Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
-
Upload
code-blue -
Category
Devices & Hardware
-
view
598 -
download
8
Transcript of Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
![Page 1: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/1.jpg)
Keiichi HoriaiFujitsu System Integration LABs.
CODE BLUE 2015
Wireless security testing with attack
![Page 2: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/2.jpg)
Agenda Circumstance
In the IoT (Internet of Things) era• key : Wireless Security• To analyze wireless security, SDR ( Software Defined Radio) technology is effective.
Introduce GNU Radio, a SDR tool Powerful tool to test wireless security Easily available, work with inexpensive peripheral hardware
Wireless security testing with attack Attack#1 Key logging wireless keyboard Attack#2 The replay attack for ADS-B
2
![Page 3: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/3.jpg)
Recent release of wireless security
Abuse/Falsification of software and firmware Drone attack by malware and network
• http://www.slideshare.net/codeblue_jp/cb14-dongcheol-hongja/
RF signal level interception/injection SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE
GLOBALSTAR SIMPLEX DATA SERVICE• https://www.blackhat.com/docs/us-15/materials/us-15-Moore-
Spread-Spectrum-Satcom-Hacking-Attacking-The-GlobalStar-Simplex-Data-Service.pdf
Low-cost GPS simulator – GPS spoofing by SDR• Lin Huang, Qing Yang, DEFCON23
• https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf
3
![Page 4: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/4.jpg)
In 2001, Eric Blossom in US started a free & open-source software development toolkit about radio.
Multi-platform (Linux/FreeBSD/OSX/Windows)
Run on personal computer. cf. Many software radio technology run on FPGA on exclusive hardware.
Create flow graph to use GUI on GNURadio Companion
flow graph -> XML file -> Python -> C++
License GPL ver3
http://gnuradio.org/redmine/projects/gnuradio/wiki
About GNURadio
4
![Page 5: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/5.jpg)
GNURadio Component
Elements of the flow graph
SOURCE BLOCK SINK
Software
or
Hardware
Software
Python
C++
Software
or
Hardware
Input OutputProcessing
5
![Page 6: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/6.jpg)
Sources Software
Waveform generation (Sin, Cos, Triangle, Sawtooth, Square )
Various noiseFile
HardwarePC AudioOther peripheral hardware
•RTL-SDR, HackRF, BladeRF, USRP
6
![Page 7: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/7.jpg)
Blocks Operator(Logical, Bytes, Integer, Real, Complex...) Constant, Variable(slider), Type conversion Calculation (add, sub, multiple, div, Log, RMS, integral...) Filter(LowPass, HighPass, BandPass, Reject, FFT, Hilbert,
IIR, Decimation...) Modulation and demodulation ( AM, FM, FSK, PSK, QAM,
OFDM…) Level control (AGC, Mute, Squelch, Moving average...) Network (TCP, UDP, Socket...) and more
7
![Page 8: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/8.jpg)
Sinks Software
Hardware PC Audio Other peripheral hardware
• HackRF, BladeRF, USRP, ... etc.
SCOPE FFT Water Fall
Histogram Constellation Plot
Other Files
8
![Page 9: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/9.jpg)
Peripheral hardware (e.g.)
RTL-SDR HackRF BladeRF USRP
Frequency range [MHz] 24-1800 1-6000 300-
3800 70-6000A/D convertbits 8 8 12 12Band range [MHz] 2.8 20 28 56Transfer / Receive RX Tx | Rx Tx & Rx Tx & RxPrice $20 $300 $420 $675
9
![Page 10: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/10.jpg)
FlowGraph (e.g.)
Available tools
10
![Page 11: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/11.jpg)
VHF receiver A VHF receiver composed of RTL-SDR and GNU Radio
RTL-SDR
11
![Page 12: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/12.jpg)
ISM 2.4GHz band
WiFi/Bluetooth frequency allocation
http://www.digikey.com/es/articles/techzone/2013/jun/shaping-the-wireless-future-with-low-energy-applications-and-systems
12
![Page 13: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/13.jpg)
ISM 2.4GHz band monitoring (e.g.)
HackRF
13
![Page 14: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/14.jpg)
Attack wireless devices
Survey attack targetSearch FCC ID in FCC sitePhotos, someone else put on view?Overhaul by myself
Necessary informationRF chip data sheet
•Frequency band, Modulation, Transmission speed, Data format
Observe and analyze the signal14
![Page 15: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/15.jpg)
FCC ID Search
https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=Al%2FFPgcInlgHLjNZvXbPTQ%3D%3D&fcc_id=A6O60001058RX
15
![Page 16: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/16.jpg)
How to monitoring and analyzing the signal
Receive radio waves Check the signal : GNU Radio, SDR# Write the received signal to file : GNU Radio, rtl_sdr
Analyze Monitoring the waveform in detail : baudline Cut the area where you need ( The area selected and
write to file ) : baudline Demodulation: GNU Radio | in-house scripts Decode / Parse / Decrypt
• Convert to bits (0/1) ( Hex dump is unreadable )• Find the characterized bit pattern
16
![Page 17: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/17.jpg)
Signal monitoring tool Baudline
Baudline is the signal time-frequency visualization and analysis support tool
Requirements• Linux(x86_64,PowerPC)• Mac OS X• Solaris SPARC
Select the area and write to file
http://www.baudline.com/index.html17
![Page 18: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/18.jpg)
Monitoring the signal (e.g.)
18
![Page 19: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/19.jpg)
Attack demo #1
Keylogger for Microsoft wireless keyboard 800At first, try to reproduce “keysweeper”(*1)It can’t work the MS Wireless Keyboard 800
Japanese editionDemonstrate process from investigate the
cause using the GNU Radio to work
(*1) https://github.com/samyk/keysweeper19
![Page 20: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/20.jpg)
Keylogger for Wireless Keyboard
27MH z band It is easy to snoop because (in)secureEnd of sale in the 2000s
2.4GHz bandSame as Bluetooth/WiFi frequencyBluetooth specification is secure?What about the proprietary specification
keyboard?
20
![Page 21: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/21.jpg)
Relation Project Travis Goodspeed, 2010
The GoodFET is an open-source JTAG adapter, loosely based
upon the TI MSP430 FET UIF and EZ430U boards http://goodfet.sourceforge.net/
KeyKeriKi Project (CanSecWest 2010) Developed some device with ARM Cortex MPU and radio module
which can keyboard sniffing and remote command execution.
http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html
Keysweeper (January 2015) Make efficient and systematize processes
• Focus on a part of device address fixed 0xCD• Embedded in USB charger and logging to EEPROM• Detect keyword and mobile module send SMS• Forward keystroke to another device in real time ... etc.
https://github.com/samyk/keysweeper
21
![Page 22: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/22.jpg)
Experiment on breadboard
Sniffer hardware
USB
control PC
Microsoft Wireless Keyboard 800 Arduino nano
•Scan 2403-2480MHz by 1MHz step•Inspect 1 byte (=0xCD) in device ID•If next 2byte are (0x0A38 | 0x0A78), stop scanning and start logging
about 1500 lines Arduino program
nRF24L01・ 2.4GHz ISM band ・ GFSK modulation・ 1Mbps or 2Mbps
22
![Page 23: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/23.jpg)
Success ?Radio setupEnd radio setupscanTuning to 2480Potential keyboard: AA AA 5A A9 CD 27 55 49 Tuning to 2403Tuning to 2404Potential keyboard: E4 AA AA A5 CD 55 A5 5A Tuning to 2405Tuning to 2406Tuning to 2407Tuning to 2408…………………
No !!23
![Page 24: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/24.jpg)
Wireless keyboard wave form
24
![Page 25: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/25.jpg)
Baudline (cut the area)
25
![Page 26: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/26.jpg)
Demodulation
-50-40-30-20-10
01020304050
1 51 101 151 201 251 301
-50-40-30-20-10
01020304050
1 51 101 151 201 251 301
I/Q
Vfm Vfm = ( I ( dQ/dt) - Q ( dI/dt)) / (I ^2 + Q^2)
preamblebit = Vfm > 0 ? 0:1bit
26
![Page 27: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/27.jpg)
Get BIT sequence
bit = Vfm > 0 ? 0:1
111111111111001100010000000000100110111110111111111111111111111111111111111110010101010101010010011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110010100110011100111001110011100011110111110100111000111111111111100110010000000000001111111011111111111111101111111101111111111111111111111111111111001010101010101001001100111110010100010110110011100100000000000101001111000000111010000000101001110000111011010011000110011101010011110111000001000111001010011001110101001110011100111000111101111101001110101111111111100110000001000100010001111111111111111111111111011111111111111111111101010101001011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110……….
27
![Page 28: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/28.jpg)
nRF24L01 Packet format Preamble
0xAA | 0x55 Address
3-5 Byte PCF
9 bit Payload
0- 32Byte CRC
1-2 bytehttp://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01
28
![Page 29: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/29.jpg)
KeyKeriki Project results
・ Microsoft Wireless Keyboard 800’s device address is composed of 5 byte start from 0xCD
・ Keystroke is encrypted by simple XOR operation using this device address
http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf
29
![Page 30: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/30.jpg)
Get BIT sequence
bit = Vfm > 0 ? 0:1
111111111111001100010000000000100110111110111111111111111111111111111111111110010101010101010010011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110010100110011100111001110011100011110111110100111000111111111111100110010000000000001111111011111111111111101111111101111111111111111111111111111111001010101010101001001100111110010100010110110011100100000000000101001111000000111010000000101001110000111011010011000110011101010011110111000001000111001010011001110101001110011100111000111101111101001110101111111111100110000001000100010001111111111111111111111111011111111111111111111101010101001011001111100101000101101100111001000000000001010011110000001110100000001010011100001110110100110001100111010100111101110000010001110……….
find to “0x0A78 (0000101001111000)”
Packet control field 9 bit
Devie ID
Preamble 8bit + address 5 byte + packet control 9bit + payload
30
![Page 31: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/31.jpg)
Device ID detection
{ P.A. } { [p0] p[1] [p2] [p3] [p4]} AA A9 33 E5 16 CE10101010 10101001 00110011 11100101 00010110
11001110{PktCTL Bit} 0A 78 1D 01010000000 00001010 01111000 00011101 00000001{ payload .......0100111000011101101001100011001110101001111011100……
// From keysweeper_mcu_src https://github.com/samyk/keysweeperif (radio.available()) { radio.read(&p, PKT_SIZE); if (p[4] == 0xCD) // 0xCD -> 0xCE for Japanese KBD { sp("Potential keyboard: ");
DEVICE ID
31
![Page 32: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/32.jpg)
Behavior after (0xCD->0xCE){………………}Tuning to 2479Tuning to 2480Potential keyboard: A9 33 E5 16 CE 43 5 3CKEYBOARD FOUND! Locking in on channel 802setupRadio 16: 0A 78 1D 01 56 03 43 00 00 1E 00 00 00 00 00 8F <- Key 1 Press> 1 8: 0A 38 1D 01 56 03 00 84 16: 0A 78 1D 01 57 03 43 00 00 00 00 00 00 00 00 90 <- Key OFF 16: 0A 78 1D 01 58 03 43 00 00 1F 00 00 00 00 00 80 <- Key 2 Press> 2 8: 0A 38 1D 01 58 03 00 8A {………………}
(*1) USB HID usage table: http://www.freebsddiary.org/APC/usb_hid_usages.php
(*1)
32
![Page 33: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/33.jpg)
Key Logger DEMO
33
![Page 34: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/34.jpg)
Summary #1 Using GNU Radio, find the device address KEY
(0xCE) of the Microsoft Wireless Keyboard 800 Japanese edition
Change the device address KEY to 0xCE, then monitor keylogger Behavior.
Don’t use wireless keyboard, when the operation with sensitive information. Especially, warn against using proprietary specification device.
Caution Experiment in Japan, signal from nRF24L should be invalidated
• boolean shoutKeystrokes = true; -> false;
34
![Page 35: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/35.jpg)
Attack demo #2 Replay attack for ADS-B(*1) mounted on
aircraftAviation is part of the critical infrastructureADS-B is next generation air traffic control
systemAttack demo played in Blackhat2012,
DEFCON20, ...etc.Applying SDR technology, tried to replay
the attack(*1)Automatic Dependent Surveillance–Broadcast
35
![Page 36: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/36.jpg)
Congestion in the Skies
http://www.flightradar24.com/
36
![Page 37: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/37.jpg)
ADS-B overview Because old radar’s positional accuracy was 1-2 NM, there was a need to
widen the service interval to ensure the safety of aircraft operation.
To keep up with aircraft increasing, new system is needed. ADS-B, using GPS, to provide a highly accurate position information, has been developed as next generation air traffic control system in 1980-1990.
Now, about 70 % of passenger plane have ADS-B
(Source http://www.flightradar24.com/how-it-works)
Required to equip until 2017 in Europe, until 2020 in the United States
Point at issue No encryption Broadcast with no authentication Simple encoding and simple modulation scheme
37
![Page 38: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/38.jpg)
Mechanism of ADS-B ADS-B
Automatic Dependent Surveillance–BroadcastUsing broadcast datalink, Aircraft transmits own
location, speed, altitude, and so on obtained from measuring system such as GPS.
Image http://www.enri.go.jp/news/osirase/pdf/e_navi10.pdf
38
GPS location
Broadcast Datalink
Control Center Ground Receiving Station
![Page 39: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/39.jpg)
Papers related to ADS-B About Vulnerability
Donald L. McCallie, Major, USAF (2011)• http://apps.fcc.gov/ecfs/document/view.action?id=7021694523
Andrei Costin, Aurelien Francillon, BlackHat2012• https://media.blackhat.com/bh-us-12/Briefings/Costin/
BH_US_12_Costin_Ghosts_In_Air_Slides.pdf Brad render, DEFCON20 ( 2012 )
• http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf
Hugo Teso, CyCon2013 (2013)• https://ccdcoe.org/cycon-2013.html
About Countermeasures Martin Strohmeier, Ivan Martinovic 、 (2014)
• Detecting False-Data Injection Attacks on Air Traffic Control Protocols• http://www.cs.ox.ac.uk/files/6604/wisec2014-abstract.pdf
Kyle D. Wesson,Brian L. Evans, and more. (2014)• Can Cryptography Secure Next Generation Air Traffic Surveillance? • https://radionavlab.ae.utexas.edu/images/stories/files/papers/adsb_for_submission.pdf
Seoung-Hyeon Lee , Yong-Kyun Kim, Deok-Gyu Lee, and more. (2014)• Protection Method for Data Communication between ADS-BSensor and Next-Generation Air
Traffic Control Systems• http://www.mdpi.com/2078-2489/5/4/622
39
![Page 40: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/40.jpg)
Expected threats
Snoop (Eavesdropping)
Jamming
Fake aircraft’s wake injection(Fake track injection)
40
![Page 41: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/41.jpg)
How to receive ADS-B?
Receive the radio wavesUSB stick for receiving overseas digital TV
It’s about 1000 JPY to 2000 JPY
Process the signal and displayPC
•Windows, Mac, Linux
Smartphone, Tablet41
![Page 42: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/42.jpg)
ADS-B receiver software Decoder
ADSB# http://airspy.com/index.php/downloads/
RTL1090 http://rtl1090.web99.de/
Modesdeco2 (w/ display function)
• http://radarspotting.com/forum/index.php/topic,2978.msg13471.html
dump1090 (w/ display function)
• https://github.com/antirez/dump1090
Display
Virtual Radar Server http://www.virtualradarserver.co.uk/
adsbSCOPE
• http://www.sprut.de/electronic/pic/projekte/adsb/adsb_en.html#downloads
PlanePlotter http://www.coaa.co.uk/planeplotter.htm
42
![Page 43: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/43.jpg)
Receivable area
Antenna
43
![Page 44: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/44.jpg)
ADS-B format
Format
Actual received I/Q signals
https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference%20Presentation%20By%20RenderMan%20-%20Hacker%20and%20Airplanes%20No%20Good%20Can%20Come%20Of%20This%20-%20Slides.m4v
44
![Page 45: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/45.jpg)
Waveform monitoring with GNU Radio
(I2 + Q2)I/Q
45
![Page 46: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/46.jpg)
Received ADS-B (e.g.)
*8d7583a5585b575a9ebc4bbb3f04;
CRC: 000000 (ok)DF 17: ADS-B message. Capability : 5 (Level 2+3+4 ) ICAO Address : 7583a5 Extended Squitter Type: 11 Extended Squitter Sub : 0 Extended Squitter Name: Airborne Position ……. F flag : odd T flag : non-UTC Altitude : 17125 feet ………….
Raw data in hex
Aircraft location data, ...etc.
I/Q signal after A/D convert
Demodulation / Decode
Parse the data
46
![Page 47: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/47.jpg)
Attack Vector
IP Network
ADS-B Receiving Station
ADS-B Receiving StationADS-B
Receiving Station
ADS-BBroadcast
GPS Satellite
Actor V2
V3
Image http://www.mlit.go.jp/koku/koku_fr14_000007.html
V1
47
![Page 48: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/48.jpg)
Replay Attack (V1) Intercepted raw data ( File name: xxxx.raw)
Inject the raw data via IP network$cat xxxx.raw | nc target_IP target_PORT
※In reality, the adversary needs to find a way to get through the authentication in order to connect to the target server.
*8d869210581fe3bf4350dfd62439;*5da40455385715;*8d86dca29914ee0f20f410ef2595;*8d780c3c581db79c18a4b0ffc872;*8d867f609914b993e8700ba91251;*02a1839b9e229d;*……………
48
![Page 49: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/49.jpg)
Replay Attack (V2) Create an ADS-B pulse signal file from the raw data
$cat xxxx.raw | ./adsb-pulsegen test_file.bin
Use the file to generate a RF signal modulated $hackrf_transfer –f 1090MHz –s 2MHz –t test_file.bin –x 0
*8d869210581fe3bf4350dfd62439;*5da40455385715;*8d86dca29914ee0f20f410ef2595;*8d780c3c581db79c18a4b0ffc872;*8d867f609914b993e8700ba91251;*02a1839b9e229d;*0261819c1d1e5a;……………
49
![Page 50: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/50.jpg)
DEMO Injection via IP network (V1)
Real-time interception of ADS-B signal and display on map
Inject the raw data received in the past
Injection via RF channel (V2)Generate an I/Q signal file from the received raw
data Inject the RF signal modulated by the I/Q signal
50
![Page 51: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/51.jpg)
ADS-B network injection
http://www.flightradar24.com/
Network injection demo Screen shot
51
![Page 52: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/52.jpg)
ADS-B RF injectionRF injection demo screen shot
52
![Page 53: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/53.jpg)
Security of air traffic control? Why doesn’t it get renewed?
Threat not being recognized
To preserve safety and interoperability
International discussion takes a long period of time
• Forming consensus
• Development
• Deployment
Image http://www.jatcaonline.com/SSR_system.JPG https://upload.wikimedia.org/wikipedia/commons/f/fe/D-VOR_PEK.JPG
ASR/SSR
ILS ( glide slope / Localizer )
VOR/DME
53
![Page 54: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/54.jpg)
Summary #2 Technically, an attack against ADS-B is extremely easy
Not only ADS-B but any air traffic control system that relies on radio waves are vulnerable to jamming attacks.
Possible attack scenarios
Terrorists or nation state actors injects false flight paths or performs jamming attacks to confuse the air traffic control as one of the ways to accomplish an objective.
Is it hard to implement early countermeasures? ( Requires an international consensus )
A mitigation plan such as detecting interception or using tracking algorithms must be considered
Create an environment that enhances virtual trainings and incident response plan
54
![Page 55: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/55.jpg)
Conclusion Due to the emerge of the software defined radio experiment
tool GNU Radio and the low cost RF related hardware, the technical threshold to carry out an RF attack has been lowered
The existing systems that relies on radio waves such as the air traffic control system, has not been able to follow the modernization which the commercial technology like WIFI or smartphone has gone through
A fundamental countermeasure will require a long period of time
Compensating the lack of countermeasure with operational practice will require an enhanced incident response plan and trainings
55
![Page 56: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/56.jpg)
Thank you !
Questions ?
56
![Page 57: Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015](https://reader036.fdocuments.in/reader036/viewer/2022062412/58f9aaa0760da3da068b7ae3/html5/thumbnails/57.jpg)
57 Copyright 2010 FUJITSU LIMITED