RF Hacking with Software-Defined Radio

Software-defined radio (SDR) is rapidly becoming a well-known term, even outside the Information Security industry. From the ability to set off emergency alert systems to emulating car keyfobs and everything in between, SDR is opening a whole new set of doors for penetration testing and security research.

$3,299.00

Duration

3 days

Delivery Method

in-person

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite in Singapore

DATE: 22-24 August 2022

TIME: 09:00-17:00 SGT/GMT +8

Date    Day        Time                     Duration
22 Aug  Monday     09:00-17:00 SGT/GMT +8   8 Hours
23 Aug  Tuesday    09:00-17:00 SGT/GMT +8   8 Hours
24 Aug  Wednesday  09:00-17:00 SGT/GMT +8   8 Hours


Welcome to SDR Exploitation (Hands-On Penetration testing up in the air).

In order to detect potential vulnerabilities in RF, penetration testing should be conducted. RF penetration testing examines the “air” on the exterior and interior of a facility, analysing the various frequencies used by RF equipment. It involves determining where each frequency is coming from, and then assessing whether the equipment behind it is vulnerable to attackers.


Agenda
Day 1

Introduction to toolkits for developing Software-Defined Radio tools, such as GNU Radio and alternatives like Pothos, REDHAWK SDR, or MATLAB and Simulink.
During this day we will mainly focus on GNU Radio by introducing the toolkit, the flowgraph concept, the components, and how to use the different blocks in practice to build several tools.

Objective:

  • Simulate a signal and transmit it in the air.
  • Capture, demodulate and decode a signal.
  • Optimize processing.
  • Create your own blocks.

Theory

Assignment 1

  • A few reminders on radio and SDR
  • Extended introduction to GNU Radio and its alternatives (REDHAWK SDR, Pothos, etc.)
  • Practice with GNU Radio Companion
    – Block schemas
    – Parameters
    – Generators
    – Sinks and sources
    – Operators
    – Simulations
    – Modules
    – Features to process samples

Assignment 2

  • Radio Frequency Spectrum
  • Country Radio Spectrum
  • Cellular Network Radio Spectrum
  • RF Spectrum Analyzers

Assignment 3

  • Creating an FM/AM station
  • Sending the signal over-the-air
  • Listening to this station

Assignment 4

  • Creating a custom signal to send a message
  • Simulating the custom signal
  • Sending the signal over-the-air


Day 2

Starting on day 2, attendees will have the opportunity to see and exploit vulnerabilities in several RF devices, and to discover their security features and ways to circumvent them. We will see in practice how to attack physical intrusion systems such as alarms, intercoms and access control systems that use RF technologies such as sub-GHz, cellular, and RFID. Attendees will learn techniques that could be used in Red Team contexts and benefit from our feedback from previous tests.

Theory

  • Introduction to physical intrusion systems
  • Introduction to mobile security
  • Introduction to RFID security
  • Common flaws in current technologies
  • Security mechanisms and ways to defeat them
  • How to improve security of communication systems in different cases
  • Our feedback and tips from missions and red team tests

Assignment 1

  • Attacking a Car Key Fob:
    – Capturing data
    – Replaying saved samples
    – Analyzing samples (manually and with powerful tools)
    – Rolling codes security

Assignment 2

  • GPS spoofing objective
  • Overview of GNSS and GPS frequency Information
  • GPS Spoofing Hands-On
  • GPS Spoofing Attack Analysis

Assignment 3

  • RF Jamming Concept
  • Signal Disruption by Transmitting Noise
  • GNSS Signal Jamming
  • Discussion of the Iran/US RQ-170 Incident (as raised at the UN)

Assignment 4

  • ADS-B Signal Decoding
  • ADS-B OUT Signal Deception Concept
  • Threat analysis of plane and Airport Security
  • ADS-B Encoder and Live Signal Deception
  • Generating and Transmitting Large Volumes of Aircraft Data


Day 3

Day 3 focuses on attacking custom RF devices as well as devices used in industrial systems that rely on technologies such as LoRa, Power-Line Communications and ZigBee, and on how to build testbeds for many current technologies. We will also introduce devices that could act as unexpected implants and ways to analyse them. We will finish with an introduction to hardware hacking, which complements RF hacking, covering survival and practical reflexes as well as methods to interface with hardware.

Theory:

  • Radio communications used in industrial environments
  • Introduction to nRF-based devices and common attacks
  • Hardware Hacking
    – Introduction and how it complements RF hacking
    – Survival and practical reflexes
    – Cheap tools and tricks
    – Radio prototyping arsenal for red team tests

Assignment 1

  • Attacking unknown/custom devices
    – Identification (looking at devices’ references, components, etc.)
    – Sniffing signals
    – Decoding signals

Assignment 2

  • Attacking nRF devices
    – Analyzing nRF-based devices such as mice, keyboards, and presenters with GNU Radio
    – Capturing keystrokes
    – Hijacking vulnerable devices
    – Turning them into implants

Assignment 3

  • IoT Device Temperature Sensor Decoding
  • IoT Device Temperature Spoofing
  • Discussion of the Impact on Industrial Control Systems

Assignment 4:

  • Theory: Guiding a Vehicle to a False Destination
  • Creating a Driving/Flying Scenario and the NMEA Concept
  • Generating an NMEA File
  • Driving or Flying at Any Height and Any Speed
  • Transmitting GPS Spoofing Data in Dynamic Mode

Assignment 5:

  • Security Analysis of TPMS
  • Capture and Decode TPMS Packets
  • Sending TPMS Forged Packets
  • Pseudo TPMS Transmitter

Who Should Attend

  • Anyone who wants to learn RFID/NFC pentesting
  • Anyone who wants to learn SDR hacking
  • Anyone who wants to learn car pentesting concepts
  • Anyone interested in learning IoT device penetration testing
  • Anyone interested in securing radio frequency networks

Key Learning Objectives

Prerequisite Knowledge

  • Understanding of pentesting (network and applications) or red-teaming.
  • Basic knowledge of radio is not mandatory but is a plus.

Hardware / Software Requirements

All attendees will need to bring a laptop capable of running a VMware virtual machine (8 GB of RAM is the minimum).

Your Instructors

Himanshu Mehta is currently working as the Head of Cyber Threat Intelligence at Hive Pro and is very passionate about Cyber Security and Threat Intelligence. He is a board member of the EC-Council’s Licensed Penetration Tester group and is involved in several bug bounty and Capture the Flag programs around the globe. He has been invited as Chief Guest at several security events and has presented his research at multiple international security conferences, including RSAC USA, ICS Singapore, Hack In Paris, HITB (Amsterdam, Dubai, Abu Dhabi), SecurityFest (Sweden), InfoSecurity (London), Offzone (Moscow), NanoSec (Malaysia), DSCI, National Cyber Security Conference, Best of the World Conference and Hakon. He previously worked as a Senior Security Researcher at DarkMatter and led a global security intelligence team at Symantec, which gave him very good insight into cyber security, increased his appetite for it, and eventually helped him emerge as a creative leader.

Vikash Chaudhary is a pillar of the Indian ethical hacking community and is responsible for a whole new generation of rising ethical hackers, many of whom successfully contribute to platforms like HackerOne and Bugcrowd. He is looking to expand his mentorship of the new generation entering the field of cyber security, which he believes could be a great resource for growing the security talent pool worldwide.

He is also the author of multiple security courses:

1. “Offensive Approach to Hunt Bugs”, a manual hands-on bug bounty course.

2. “Offensive Bug Bounty – Hunter 2.0”

3. “SDR Exploitation”, hands-on penetration testing up in the air.

Recently, his name was listed in the “Top 100 Security Researcher of Microsoft”, ranked 51st among the top 100 security researchers around the globe.