MWR HackLab - Getting Frequency with SDR

In just one day the team on this project went from novices to fans of RF hacking, here is some of the cool stuff we got up to on the day.

The team initially became familiar with RF hacking in a Software Defined Radio (SDR) workshop primer. Using Elonics E4000 Tuner IC dongles, we experimented with simple identification and demodulation of radio signals using tools such as SDRSharp and Gqrx. This enabled the attendees to get familiar with the basics of RF hacking and signal demodulation. We explored the capabilities of GNU/Radio by implementing our own instrumentation tools for analysing RF signals. We also had a USRP E100 on-hand to get further experience with RF signals and access to more powerful SDR technology.

The USRP E100 provides users with an RF front-end, FPGA and a light-weight embedded Linux OMAP platform with built-in C64 DSP. Exploring the USRP, we discovered that our best approach for usage was to obtain RF samples via the embedded OS and provide these over the built-in Ethernet port which then analysed the samples on more powerful systems.

Using XML-RPC we constructed a sample server application that allowed for adjustment of SDR variables by client Wx GUI components, RF samples were then streamed over UDP to networked clients. This allowed us to visually control the USRP E100 via laptops in a similar fashion to a USRP1, only with some greater flexibility and performance. We created applications for capture (RX) and transmit (TX) alongside WxGUI based interfaces for controlling the USRP in each mode.

By analysing some low-cost wireless technologies, such as 433Mhz door bells, we then experimented with capturing digital signals and replaying the sampled signal back (tip: use throttle blocks to avoid the sample being transmitted too quickly). We looked at and attempted analysis of demodulated data from the captured RF stream to identify bits of binary, screen shots of some of our experimentation are included on this post. As many of these devices are widely known to not use any form of rolling code and often transmit a static binary sequence they are susceptible to replay attacks.

Towards the end of the day many of the team were able to perform successful replay attacks against wireless devices that use basic modulation to transmit binary data, effectively opening the door to “cloning” the wireless technology and playing the high-tech equivalent of knock-a-door and run! The guys from MWR Labs in South Africa have also been experimenting with several gate and car remotes using USRP and GNU/Radio. Many basic non-rolling code gate remotes have been demodulated using a custom written GNU/Radio PCM (Pulse Code Modulation) demodulator. Review of the demodulated data discovered that it matched the code set by a DIP switch inside the wireless remote. These remotes were therefore easily cloned. It was also possible to perform brute-force attacks against the gate as the identified code was only 12 bits. Higher end car remotes use a more complicated FM modulation and keeloq rolling codes. Though the codes could be read, they could not be easily cloned.

What HackLab showed us is that RF technologies are increasingly more wide-spread as low-cost RF systems penetrate more of our daily lives. We will continue to research RF technologies and their security implications and are pretty confident this project will continue at the next event. If you have any ideas for systems for us to investigate tweet us @mwrlabs and you may earn yourself a spot at the next HackLab.