Attacking DSMx with SDR (PacSec 2016 - English 英語)


jonathan andersson

on 26 October 2016


Transcript of Attacking DSMx with SDR (PacSec 2016 - English 英語)

R/C History:
One IC
Successful $200K Kickstarter
200MHz ARM9 w/512KB SRAM (w/JTAG)
40/115KLE Altera Cyclone IV E FPGA (w/JTAG)
300MHz to 3.8GHz operation
12-bit 40MSPS Quadrature Sampling w/28MHz FDX RX/TX Channels
38.4MHz VCTCXO (factory cal +/-1ppm)
SuperSpeed USB 3.0
Bus-powered w/DC jack for headless op
4x4 MIMO Configurable
Modular design for GPIO, Ethernet, 1PPS, Frequency/Power expansion
GNURadio/OpenBTS/OpenLTE/Femtocell on Linux, Windows, Mac
Spectrum Analyzer, Vector Signal Analyzer & Vector Signal Generator
This implies that complex radio protocols can be implemented quickly via software and deployed across a variety of diverse SDR hardware both locally and remotely via the internet.
Malicious actors can now explore baseband-level wireless attack vectors by sharing software and attaching a particular antenna to an SDR, a significant advance in offensive capabilities within the wireless arena.
About Me
embedded systems
information security
real-time transaction processing
vulnerability & malware analysis
product development & manufacturing
credit card & check processing
"Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. While the concept of SDR is not new, the rapidly evolving capabilities of digital electronics render practical many processes which used to be only theoretically possible." -Wikipedia
Software Defined Radio
2.4GHz R/C Protocols...
Attacking DSMx with Software Defined Radio
Jonathan Andersson
Advanced Security Research Group Manager
Trend Micro TippingPoint DVLabs
The Attack
R/C Protocols
DSMx Reversed
Typical SDR Receiver (block diagram labels: Band Pass filter, Low Noise amplifier, Low Pass filter)
Direct Conversion, Homodyne, Synchrodyne, or Zero-IF
SDR Benefits
Nuand BladeRF
Reduced Complexity
The downside...
5x3.5in (127x89mm)
Cypress CYUSB3014 FX3 Microcontroller
200MHz ARM926EJ core w/512KB SRAM

5Gbps SuperSpeed PHY (USB 3.1 Gen1)

100MHz 32bit Programmable GPIF II

SDR Functionality:

FPGA Loading & Firmware Update
RF I/Q Data Link (USB3 <-> GPIF II)
Enables SDR arbitrary sample rate

High-precision synthesis

0ppm frequency accuracy

Low phase jitter (0.7ps RMS)

Glitchless 1ppm frequency adjustment
Silicon Labs Si5338
Programmable Clock Generator
Altera Cyclone IV E (40/115kLE) FPGA
Cypress FX3 loads FPGA from SPI Flash or via USB

HDL - general logic & signal processing:

Embedded soft NIOS II processor controls:
Si5338 Clock Generator PLL
LMS6002D Transceiver

UART for FX3 command & control of NIOS II

Clock domain transfer FIFO (I/Q Data path):
FX3's 100MHz GPIF II clock
LMS6002D ADC/DAC arbitrary clock (Si5338)
Lime Microsystems LMS6002D Transceiver
LNA, PA driver, RX/TX mixers, RX/TX filters, synthesizers, RX gain control, and TX power control with very few external components
The world’s first field programmable RF (FPRF) transceiver IC replaces several individual transceiver chips and allows equipment to be reconfigured rapidly and simply
Data path labels: 32bit GPIF, 12bit I/Q RX, 12bit I/Q TX
optics & pattern recognition systems
image processing
USB storage & media card technology
solar technology
vehicle diagnostic technology
mobile & wireless technologies
software defined radio
20 years of experience in software development, electronic design, FPGA & PCB design, reverse engineering
Domain expertise:
Encoding, Modulation, and Frequency
To create an RF signal for transmission, typically data is first encoded and the result is modulated onto a carrier wave of a specific frequency.
Carrier at Fc
Modulated RF Signals
Why Encode?
Clock Extraction
Noise Immunity
Manchester Encoding:

Every falling edge clock transition is reflected in encoded data

Receiver uses packet preamble (1010101) to sync its clock
Direct Sequence Spread Spectrum:

Data XOR'd with Pseudorandom Noise bits called 'chips'

Additional encoded transitions spread data bit over a wider spectrum (Process Gain)

PN Seq
Carrier Modulation
My first computer
Mitigations / Suggestions
Get in touch with the IoT crowd; they have the same issues right now. Share RF solutions; they are trying to solve similar problems.
SDR will continue to enable increasingly sophisticated attacks on a wide variety of radio systems.
Capture Packet Data
0 ps W MODE_OVERRIDE 01 335565
1.809,600,000 ms W MODE_OVERRIDE 01 353661
25.100,000 us W CLK_EN 02 353912
25.200,000 us W AUTO_CAL_TIME 3C 354164
25.100,000 us W AUTO_CAL_OFFSET 14 354415
24.100,000 us R IO_CFG 00 354656
25.200,000 us W IO_CFG 40 354908
25.100,000 us W RX_CFG 48 355159
24.100,000 us W TX_OFFSET_LSB 55 355400
25.100,000 us W TX_OFFSET_MSB 05 355651
27.200,000 us W XACT_CFG 24 355923
26.100,000 us W TX_CFG 38 356184
26.200,000 us W DATA64_THOLD 0A 356446
25.100,000 us W XTAL_CTRL 80 356697
25.100,000 us W XACT_CFG 04 356948
25.200,000 us W ANALOG_CTRL 01 357200
24.100,000 us W PREAMBLE 06 357441
25.100,000 us W PREAMBLE 33 357692
25.200,000 us W PREAMBLE 33 357944
30.100,000 us W MFG_ID FF 358245
27.200,000 us R MFG_ID XX XX XX XX XX XX 358517
80.400,000 us W MFG_ID 00 359321
74.400,000 us W CHANNEL 61 360065
53.300,000 us W RX_CTRL 83 360598
25.100,000 us R RSSI 20 360849
25.100,000 us W DATA64_THOLD 3F 361100
25.200,000 us W FRAMING_CFG 7F 361352
29.100,000 us W RX_CTRL 83 361643
24.200,000 us R RSSI 20 361885
9.920,000,000 ms R RX_COUNT 0F 461085
26.100,000 us R RX_BUFFER FF 03 4D 9F 86 40 41 B7 DF BA 08 9E E1 17 54 461346
141.800,000 us W XACT_CFG 24 462764
24.100,000 us R XACT_CFG 04 463005
31.200,000 us W RX_ABORT 00 463317
27.100,000 us W DATA64_THOLD 0A 463588
26.200,000 us W FRAMING_CFG 4A 463850
231.877,600,000 ms R XTAL_CTRL 80 2782626
88.039,200,000 ms W TX_CFG 0D 3663018
26.200,000 us W FRAMING_CFG EA 3663280
25.100,000 us W TX_OVERRIDE 00 3663531
25.100,000 us W RX_OVERRIDE 00 3663782
34.200,000 us W TX_CFG 2D 3664124
433.300,000 us W I TX_LENGTH 10 C3 3668457
34.200,000 us W TX_BUFFER XX XX 0B FE 2A E2 13 FE 23 FE 1B F8 30 00 01 34 3668799
1.725,600,000 ms R TX_IRQ_STATUS 9A 9A 3686055
50.300,000 us W XTAL_CTRL 80 3686558
42.200,000 us W CHANNEL 34 3686980
172.900,000 us W I CRC_SEED_LSB XX XX 3688709
53.300,000 us W SOP_CODE 07 3689242
29.200,000 us W SOP_CODE BD 3689534
29.100,000 us W SOP_CODE 9F 3689825
29.200,000 us W SOP_CODE 26 3690117
29.100,000 us W SOP_CODE C8 3690408
28.200,000 us W SOP_CODE 31 3690690
29.200,000 us W SOP_CODE 0F 3690982
29.100,000 us W SOP_CODE B8 3691273
46.300,000 us W DATA_CODE F1 3691736
29.100,000 us W DATA_CODE 94 3692027
29.200,000 us W DATA_CODE 30 3692319
28.100,000 us W DATA_CODE 21 3692600
29.200,000 us W DATA_CODE A1 3692892
29.100,000 us W DATA_CODE 1C 3693183
28.200,000 us W DATA_CODE 88 3693465
29.100,000 us W DATA_CODE A9 3693756
30.200,000 us W DATA_CODE D0 3694058
29.200,000 us W DATA_CODE D2 3694350
29.100,000 us W DATA_CODE 8E 3694641
28.200,000 us W DATA_CODE BC 3694923
29.100,000 us W DATA_CODE 82 3695214
29.200,000 us W DATA_CODE 2F 3695506
28.100,000 us W DATA_CODE E3 3695787
29.200,000 us W DATA_CODE B4 3696079
1.281,800,000 ms W I TX_LENGTH 10 C3 3708897
35.200,000 us W TX_BUFFER XX XX 0B FE 2A E2 13 FE 23 FE 1B F8 30 00 01 34 3709249
1.983,100,000 ms R TX_IRQ_STATUS 9A 9A 3729080
50.300,000 us W XTAL_CTRL 80 3729583
42.200,000 us W CHANNEL 40 3730005
Manufacturer   Protocol       Radio IC
Spektrum       DSMx           CYRF6936
Walkera        DEVO           CYRF6936
Airtronics     FHSS-4         CYRF6936
Nine Eagles    J6Pro          CYRF6936
Multiplex      M-Link         CYRF6936
Futaba         FASST          ML2724
HiTec          AFHSS2         CC2500
Graupner       HoTT           CC2500
FrSky          ACCST          CC2500
XPS            XtremeLink     MC13193
Jeti           Duplex EX      AT86RF231
Tactic         AnyLink SLT    nRF24L01
HiSky          HiSky          nRF24L01
Syma           Symax          nRF24L01
FlySky         AFHDS 2A       A7105
Hubsan         X4             A7105
[More...]
Demodulate GFSK
Packet Structure
Start of Packet
Reversing Proprietary DSSS
Scan data stream for preamble (correlate) and send some packet data to IPython via ZMQ...
Locate the preamble over the air with SDR...
Same packet repeated
Packets are equal length
I didn't touch any controls on TX
Looks promising...
Is it data?
Working through this table, we find we have received a 64-chip sequence, separated by 4 bits and followed by its inverse. The radio is transmitting in 64-chip 8DR mode and we now know our SOP Code. This is CDMA in action: each user has a unique SOP Code with specific correlation properties, and the radio ignores packets not destined for it.
The one byte length field is DSSS encoded using an unknown pseudorandom noise code (Data Code). If only we knew the packet length or could TX known data, we could start to reverse the pn code algorithm...
We don't know how to despread their DSSS and they want to keep it a secret...
Bye Warranty...
Our SOP pn Code
Our Data pn Code seed
TX length
Now we have known TX data!

f(Data Code0, Data Code1, 8 TX data bits (8DR)) = 64 RX pn chips
DC0 = 0xF1943021A11C88A9
DC1 = 0xD0D28EBC822FE3B4
TXD = 0x10
RXD = 0xF37B7AC7EE6A70D6
How do we determine the function f()?
Write the RX bit stream in binary and stare at it for a long time

F3 7B 7A C7 EE 6A 70 D6
11110011 01111011 01111010 11000111 11101110 01101010 01110000 11010110 (RXD)
You will notice that DC0 appears, but bytewise reversed, rotated and negated...
Reversing Proprietary DSSS
After ROR16 our output matches DC0, and TXD = 0x10 = 16; maybe we found something.
F1 94 30 21 A1 1C 88 A9                                                   DC0
30 21 A1 1C 88 A9 F1 94                                                   rotate right 16 (the first two bytes move to the end)
00110000 00100001 10100001 00011100 10001000 10101001 11110001 10010100   same, in binary
00001100 10000100 10000101 00111000 00010001 10010101 10001111 00101001   bit order reversed within each byte
11110011 01111011 01111010 11000111 11101110 01101010 01110000 11010110   negated = RXD
F3 7B 7A C7 EE 6A 70 D6                                                   RXD
DC0 = 0xF1943021A11C88A9
TXD = 0x10
RXD = 0xF37B7AC7EE6A70D6
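The derivation above carried through in code, as an added example (not the speaker's or the vendor's code): it applies the three steps on the slides to DC0 with TXD = 0x10 and checks the result against the captured RXD. Reading the code bytes as a little-endian word and using TXD as the rotation count are assumptions taken from the slide's "ROR16 ... TXD = 16" observation and hold for this one sample only; DC1's role is not shown on the page and is not modelled.

```python
# Candidate DSMx/CYRF6936 8DR spreading function for the single sample on the slides.
# Added example; the slide values are quoted, the byte-order and rotation-count
# conventions are assumptions (see the comments below).

MASK64 = (1 << 64) - 1

# Values from the talk: DATA_CODE bytes from the SPI log, the known TX_LENGTH byte,
# and the 64 chips recovered over the air with the SDR.
DC0 = bytes.fromhex("F1943021A11C88A9")
DC1 = bytes.fromhex("D0D28EBC822FE3B4")  # second data code, unused by this sample
TXD = 0x10                               # the 8 known TX data bits (8DR)
RXD = bytes.fromhex("F37B7AC7EE6A70D6")


def ror64(value: int, bits: int) -> int:
    """Rotate a 64-bit word right by `bits`."""
    bits %= 64
    return ((value >> bits) | (value << (64 - bits))) & MASK64


def bitrev8(byte: int) -> int:
    """Reverse the bit order inside one byte (0x30 -> 0x0C)."""
    return int(f"{byte:08b}"[::-1], 2)


def spread_8dr(data_code: bytes, tx_bits: int) -> bytes:
    """Candidate f(): 8 TX data bits -> 64 PN chips, for the case on the slides.

    Assumption: the slide's 'rotate right 16' yields 30 21 A1 1C 88 A9 F1 94 only
    when the code bytes are read as a little-endian word, so that is used here,
    and the rotation count is taken to be the TX data byte itself (0x10 = 16).
    """
    word = int.from_bytes(data_code, "little")
    rotated = ror64(word, tx_bits).to_bytes(8, "little")   # F1 94 .. -> 30 21 .. F1 94
    reversed_bits = bytes(bitrev8(b) for b in rotated)      # 30 -> 0C, 21 -> 84, ...
    return bytes(b ^ 0xFF for b in reversed_bits)           # 0C -> F3, 84 -> 7B, ...


def chip_agreement(expected: bytes, received: bytes) -> int:
    """Correlator-style score: how many of the 64 chips agree (64 = exact match)."""
    diff = int.from_bytes(expected, "big") ^ int.from_bytes(received, "big")
    return 64 - bin(diff).count("1")


if __name__ == "__main__":
    chips = spread_8dr(DC0, TXD)
    print(chips.hex().upper(), chip_agreement(chips, RXD))  # F37B7AC7EE6A70D6 64
```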
Repeat this many more times with selected sample data (create your own TXs)...
Different algo for CRC pn codes!
Here is a hint:
The Attack Plan
It can be easily spoofed, but the mfg_id could be recorded and used to assist in identifying the owner of the TX. Passively log unwanted drone activity, etc.
We now know how to construct valid messages from the radio layer up for any CYRF6936 system. Anyone can now create an SDR system that communicates with the CYRF6936.
To attack DSMx we need:
Complete SOP/DATA code tables
A Channel hopping sequence
The key is understanding how to derive these values remotely, with no prior knowledge of the binding (TX to RX pairing) sequence, since binding is not guaranteed to occur within our RX range.
Once we can speak DSMx to a target, we need to have a Hijack strategy.
Execute hijack by injecting commands ahead of target
Issues / Uses
"Japan's National Police Agency requested ¥400 million yen for anti-drone countermeasures."
"$75K Reward to Catch Pilots Who Flew Drones Over California Wildfires"
"Reports of unmanned aircraft (UAS) sightings from pilots, citizens and law enforcement have increased dramatically over the past two years. The FAA now receives more than 100 such reports each month."
"Woman shoots drone: 'It hovered for a second and I blasted it to smithereens.' Virginian used 20-gauge shotgun against offending aircraft thought to be paparazzi." ...similar drone shootings took place in Kentucky and California.
"Utah’s proposed HB 420, would let police shoot down drones in emergency situations."
"Battelle has temporarily removed information related to DroneDefender™ while we evaluate the permissible applications of the product under current regulations."
PN Codes, CRC Seeds, and Channel Sequence are all derived from four bytes of an internal mfg_id.
PN Codes are limited to a set of nine per channel (discovered via SDR and SPI logs) which is trivial to brute force in real-time.
The second two mfg_id bytes are transmitted in data packets which we can now decode.
The first two mfg_id bytes are used as the CRC seed and can now be brute forced in real-time as well.
The channel hopping sequence is simply observed over the air or as a shortcut, calculated from the now completely discovered mfg_id via previous 3rd party research.
Sub-ms timing is critical; an embedded system is required
Teensy v3.2 (pjrc.com) 96MHz ARM Cortex M4
Superbit CYRF Radio (1bitsquared.com)
A bunch of stuff from (adafruit.com/wishlists/415801)
Assemble, Code, add PPM control input and blinking lights
At runtime:
Determine DSMx parameters per attack plan
Sync to target radio system and determine timing
Minimum system capable of forcibly landing a DSMx drone
Are mitigations needed? Vendors (except Tactic/SLT) don't really market security. Though the ability for someone to hijack your drone in flight seems like a significant potential customer liability.
Use crypto. Industry standard crypto. (NOT your own crypto!) It will add to BOM cost and consume battery power...
Hire a security expert, perform an audit and take the issues seriously; customers appreciate (and the infosec industry expects) honest disclosure.
If you insist on sticking to obfuscation or complexity, use shared secrets that are not transmitted over the air or so easily brute forced.
Wireless control systems should be designed with consideration for malicious actors of this nature.
Current 2.4GHz R/C implementations conveniently eliminate crystal swapping and colored flags, but stop short of real security.
It's not a vendor-specific problem, don't fight over it on the forums. ;) From a cursory look, it's likely that FASST(DESST), DMSS, FrSky, etc., all expose similar attack vectors.
Hijacking one of these seems very dangerous...
2011: 31,061 JPY (300 USD)
1988: 12,921 JPY (167 USD)
2CH 27MHz AM