Defcon 17 Videoman Gnuradio

Hacking With GnuRadio
How to have fun with wireless transmissions!

David M. N. Bryan
● Info Security Consultant
● CISSP
● HAM
● Hacker
● DEFCON

Hacker Spaces!!!
Thanks to CCCKC – Sweet Hacker Space!

What is this?

Is that a hot pack in your pocket?

Physical Attack

Counter Measures?
● Mind the gap!
● Disable the use of RTE
● Crash bar
● Push to exit

Hacking With GnuRadio
● What is GnuRadio?
● What you need
● Requirements
● Costs

What is GnuRadio?
● Software – Python = byte code = good!
● Hardware
  ● Universal Software Radio Peripheral
  ● Field Programmable Gate Array
  ● 4 DAC
  ● 4 ADC
  ● TX / RX Daughter boards from 0.1 MHz to 5.8 GHz

USRP v1.0

USRP Board

Daughter Boards

How Can I use it?
● Get Hardware – USRP
● Install Ubuntu – or other Unix-like OS
● USRP Interface Requirements
  ● v1.0 USB 2.0
  ● v2.0 Gigabit Ethernet

Why should I use it?
● Wireless Signal Receiving and Generation
● Circuit logic
● Oscillator
● Other methods are painfully slow for prototyping

Cost
● USRP1 $700
● USRP2 $1400
● Daughter Boards $75-$400
● Screws/Case $20
● Not specifically FCC Part Licensed
● Owning your neighborhood SCADA - Priceless!

So what can we do with it?

Wireless Attacks
● RFID Payment Cards
● Global System Mobile (GSM)
● Bluetooth (Frequency Hopping)
● Multiple Access System (MAS)

RFID Attacks
● RFID Tag reading
● Boston Subway Hacks
● MiFare Card Attacks
● Long Range Tag Reading

GSM Attacks
● wiki.thc.org – A5 GSM Cracking
● Base station – call routing?
● Cell free zone?

Bluetooth Attacks
● Frequency Hopping Spread Spectrum
● Follow “hop” patterns
● USRP V2 Only – v1 lacks bandwidth
● Using 8 v2 USRPs

MAS System
● Multiple Access System
● Computer Applications in Power, IEEE, Volume 5, Issue 4, Oct 1992, Page(s): 29 - 32
● Digital Object Identifier 10.1109/67.160043
● Summary: The use of 900 MHz radio for supervisory control and data acquisition applications was investigated by the Houston Lighting and Power Company (HL&P). Multiple address system applications in the 928/952 MHz band were evaluated. (etc....)

MAS System Attacks
Simple 1992's Repeater
[Diagram labels: Head End, Repeater, Yagi Ant (several)]

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq]

MAS System Attacks
Status Reply
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq]

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq, Evil Hax0r]

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq (two), Evil Hax0r]

USRP - First Attempt

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq (two), Evil Hax0r]

USRP - Second Attempt

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Input Freq (two), Evil Hax0r]

USRP - Third Attempt

MAS System Attacks
Request Status
[Diagram labels: Head End, Repeater, Omni, Yagi Ant (several), Evil Hax0r, Input Freq]

MAS Radio Issues
● Wide Open
● No Authentication
● No Integrity
● Single In / Multiple Out “Repeater”
● Poor Design

MAS Radio Fixes
● Use encryption
● Use 802.11 type networks
● Use routing protocol for link failures
● Out of band management

Demo?

How Can I Contribute?
● Join a hacker space
● Post
● Play
● Have Fun!

Thank you!
My wife, Heather

References
● www.gnuradio.org
● http://www.ettus.com/
● www.ece.vt.edu/swe/chamrad/crdocs/CRTM09_060727_USRP.pdf
● http://www.gnu.org/software/gnuradio/doc/exploring-gnuradio.html
● http://www.blackhat.com/presentations/bh-europe-08/Steve-DHulton/Whitepaper/bh-eu-08-steve-dhulton-WP.pdf
● http://dc4420.org/files/dominicgs/bluesniff_slides.pdf
● http://www.rfidhackers.com/
● http://en.wikipedia.org/wiki/Universal_Software_Radio_Peripheral