While performing a STIC evaluation of a product, the evaluation team at jtsec thought it would be interesting to analyze the communications between two embedded devices that were part of the product. The main objective was to determine whether those communications were properly secured with encryption and with the other security measures that matter for devices communicating over radio frequencies, such as protection against jamming, GPS spoofing or replay attacks.
For this task, using an SDR device was mandatory, so with this objective in mind the team started researching SDR devices and ended up going with the HackRF One from Great Scott Gadgets, a small RF receiver/transmitter capable of working in the 2.4 GHz frequency range that the product under evaluation used for its communications.
What is the HackRF One?
The HackRF One is one of the most popular SDR devices on the market. The term SDR stands for "Software Defined Radio" and describes radio communication systems in which the components in charge of modulating and demodulating radio signals are implemented in software instead of hardware. The idea is to have a device that is able to receive and transmit different radio protocols just by configuring its software.
Figure 1: HackRF One
Among the things that make the HackRF One so popular are its ability to receive and transmit radio in the 1 MHz to 6 GHz range, its compatibility with open-source software such as GNU Radio, its notable community, its well written documentation and its "low" price. Such a wide range of operating frequencies allows this device to be used with RF-emitting devices ranging from key fobs (which usually operate in the 300-450 MHz range) to much more impressive things like monitoring SpaceX rocket launches.
Figure 2: https://hackaday.com/2021/03/11/monitor-spacex-rocket-launches-with-software-defined-radio/
In this article we will discuss some of the most common use cases for this device by security researchers, cyber criminals or even the average user, the software needed to make use of it and how this will improve our future evaluations.
Common use cases
So, let's address the elephant in the room. What are these things really used for? Well, for the average user, SDR devices are capable of doing a wide variety of things: amateur radio to communicate with your friends (be wary of local regulation regarding transmitting RF!), building your own GSM network or simply listening to your favorite radio station.
When it comes to cyber security research, devices like the HackRF One can be used to reverse engineer the RF protocols that are being used all around us, be it LTE or a simple RF protocol used in a garage key fob. While being a fun exercise, this can become a challenging task depending on the chosen protocol, because in order to get to the actual data someone would first need to find the signal, tune it, demodulate it, get the bits, deframe them and make sense of the resulting data. There are plenty of simple examples of RF reverse engineering projects on the internet for everyone to grasp the basics of RF and get started with reversing using SDR devices.
Now, what can be done once the protocol has successfully been reversed? Well, the sky is the limit! The functionality of the original device can be recreated to build your own client for the protocol, or even improved by removing artificial limits imposed by the manufacturer to restrict features present in their higher end products.
How is it used by cyber criminals?
Cyber criminals are also known to use devices like the HackRF One (usually combined with accessories like the Portapack) to perform a wide variety of attacks such as "jamming attacks", where the attacker emits noise to block the reception of a signal, "replay attacks", where a signal is recorded and replayed without the original source device, "GPS spoofing" or even "side channel attacks" that allow an attacker to remotely monitor what is being displayed on a victim's monitor.
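As an added example of the kind of replay protection an evaluation would look for between the two devices (this is not code from the article or from the evaluated product), the receiver below accepts a frame only if its MAC verifies and its counter is strictly higher than the last one accepted, so a recorded frame played back later is refused; the key, the frame layout and the 32-bit counter are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed frame layout: 4-byte big-endian counter || payload || 16-byte truncated HMAC-SHA256.
KEY = b"constructed-shared-key-placeholder"   # assumed pre-shared key, not a real product value
TAG_LEN = 16

def build_frame(counter, payload, key=KEY):
    """Sender: bind the payload to a strictly increasing counter with a MAC (counter must be < 2**32)."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its MAC verifies and its counter is newer than any accepted before."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1      # highest counter accepted so far (persisted across reboots on a real device)

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return None, "malformed"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad mac"  # forged or modified frame
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:
            return None, "replay"   # recorded frame played back again: MAC still valid, but not fresh
        self.last_counter = counter
        return payload, "ok"

def replay_demo():
    """Deliver a legitimate frame, replay the same bytes, then deliver a copy with a corrupted MAC."""
    rx = Receiver()
    frame = build_frame(1, b"UNLOCK")
    delivered = rx.accept(frame)
    replayed = rx.accept(frame)
    corrupted = rx.accept(frame[:-TAG_LEN] + bytes(TAG_LEN))
    return delivered, replayed, corrupted
```

A receiver that only checks the MAC would accept the replayed frame, which is exactly what an evaluation with a recorded capture sets out to detect.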
Side channel attack example
The last attack mentioned relies on the fact that electronic devices emit unintentional RF signals while operating. Capturing those signals can reveal information about what the device is currently doing, and computer monitors are no exception. Using software called TempestSDR, it is possible to recreate a black and white live image of what a screen is displaying thanks to the RF signals that the HDMI cable is leaking. After calibrating the frequency at which the signals are being leaked and tinkering with the settings that TempestSDR provides, we have a clear image of what our display is showing!
Figure 3: RF signals being leaked from an HDMI cable shown in SDR#
Figure 4: Display of the victim
Figure 5: Recreated picture shown in TempestSDR
The HackRF One can be used in both Windows and Linux with widely available and well-maintained software. On the Windows side of things, all that is needed to get started is SDR#.
Figure 6: SDR# Graphical User Interface
In Linux, installing the driver packages is necessary for the tools to communicate with the HackRF One. On Debian-based distributions this can be done by simply installing the "hackrf" package. To use the device to receive and record RF signals, Gqrx is the open-source Linux equivalent of SDR#, and it is also present in the Debian repos.
Figure 7: Gqrx Graphical User Interface
These tools are pretty similar in what they do: both allow the user to monitor the RF spectrum, receive RF signals at a certain frequency and demodulate them in different modes like FM, AM or USB, making it possible to recover the information being transferred, such as the audio broadcast by a radio station. Both also present a similar layout, where the top half displays the RF spectrum (signal strength for each frequency at a point in time) and the bottom half displays a waterfall plot representing that signal strength over time. Given that the HackRF is also able to transmit, it is possible to record and replay these signals over RF.
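The spectrum and waterfall display described above, as an added Python example (not code from the article, SDR# or Gqrx): a constructed IQ capture is turned into waterfall rows of per-bin power, and the frames in which a burst appears are located together with their absolute frequency. The centre frequency, sample rate and tone offset are assumed values, and the DFT is written out by hand so the block runs without numpy.

```python
import cmath
import math
import random

CENTER_HZ = 2_437_000_000   # assumed tuned centre frequency (2.4 GHz band)
SAMPLE_RATE = 2_000_000     # assumed complex sample rate of the capture
N_FFT = 128                 # samples per spectrum frame (one waterfall row)

def synth_iq(n_frames, tone_offset_hz, on_frames, seed=1):
    """Constructed IQ capture: noise in every frame, plus a tone at tone_offset_hz from the centre in on_frames."""
    rng = random.Random(seed)
    frames = []
    for f in range(n_frames):
        row = []
        for i in range(N_FFT):
            t = (f * N_FFT + i) / SAMPLE_RATE
            s = complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05))
            if f in on_frames:
                s += cmath.exp(2j * math.pi * tone_offset_hz * t)
            row.append(s)
        frames.append(row)
    return frames

def power_spectrum_db(samples):
    """One waterfall row: power per frequency bin in dB, ordered from -fs/2 to +fs/2 (naive DFT)."""
    n = len(samples)
    bins = []
    for k in range(n):
        acc = sum(samples[i] * cmath.exp(-2j * math.pi * k * i / n) for i in range(n))
        bins.append(10 * math.log10(abs(acc) ** 2 / n ** 2 + 1e-12))
    half = n // 2
    return bins[half:] + bins[:half]    # fftshift so negative offsets come first

def bin_to_hz(k, n=N_FFT, fs=SAMPLE_RATE):
    """Absolute RF frequency of shifted bin k: the centre bin is the tuned frequency."""
    return CENTER_HZ + (k - n // 2) * fs / n

def waterfall(frames):
    """Spectrum per frame, stacked over time: what the bottom half of SDR# or Gqrx draws."""
    return [power_spectrum_db(fr) for fr in frames]

def detect_bursts(rows, threshold_db):
    """(frame index, frequency in Hz) of every row whose strongest bin rises above threshold_db."""
    hits = []
    for f, row in enumerate(rows):
        k = max(range(len(row)), key=row.__getitem__)
        if row[k] > threshold_db:
            hits.append((f, bin_to_hz(k)))
    return hits
```

With the constructed parameters the noise floor sits around -44 dB and the tone at 0 dB, so a -20 dB threshold separates the keyed-on frames cleanly.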
Going back to the main goal behind SDR devices, we talked about the idea of being able to receive and transmit different RF protocols with a single device just by configuring its software. Well, the programs we just talked about only allow a set of predefined actions and configurations to be performed, but what about interacting with radio frequencies in a more programming-oriented way? This is where GNU Radio comes in. GNU Radio is an open-source SDK that provides signal processing blocks that can be combined and interconnected graphically, which simplifies building programs that work with RF.
Figure 8: GNU Radio project example to capture Wifi packets
How can this improve the quality of our evaluations?
There is no doubt that a product is only as secure as its weakest link. Security measures implemented at a higher level can be rendered useless by low-level attacks such as the one discussed above, so it is clear that effort should also be put into protecting components and their communications at the lower levels.
Adding an SDR device to the catalog of tools that the evaluation team at jtsec has at its disposal allows us to perform more exhaustive testing of a product's communications to ensure that the highest levels of security are met.