DeepSec 2018 Training: Attacking Internet of Things with Software Defined Radio – Johannes Pohl
In Johannes Pohl's training, participants will learn how to reverse engineer the wireless communication between Internet of Things (IoT) devices with Software Defined Radios (SDR) using the Universal Radio Hacker (URH). The workshop covers the required HF (high frequency) basics such as digital modulations and encodings, shows how to reveal the protocol logic step by step and, finally, how to develop attacks against devices. For demonstration, participants will investigate and attack a wireless socket and a smart home door lock.
During the course of the workshop the communication of the two devices will be analyzed and reverse engineered. Finally, attacks on both devices will be developed. By the end of the workshop participants will be able to switch the socket and open the door lock with SDRs.
This of course requires knowledge in the field of modulation, coding and log formats, which will be conveyed practically during the workshop. “Learning by doing” is the motto. For this to work, participants need their own computer to operate the software (Universal Radio Hacker) that will be used to analyse the signals and replay them.
If attendees already own a software defined radio (e.g. HackRF), they can record the signals and attack the devices themselves. If that’s not the case, Johannes can make the signals available online so participants can download and import them into the Universal Radio Hacker.
We asked Johannes a few more questions about his training.
Please tell us the top 5 facts about your training.
- Software Defined Radios offer great flexibility when investigating wireless communications. You can send and receive on nearly arbitrary frequencies.
- It is a fascinating process to reverse engineer a wireless protocol and, step by step, find out what the data actually means.
- Normally, you would need deep knowledge about digital modulations and encodings to work with SDR. The Universal Radio Hacker abstracts most of this and allows us to focus on the logical level. Furthermore, we can craft attacks on stateless and stateful protocols with it. We will explore the features of this tool.
- You will learn the theory behind digital modulations and encoding, so you also have a good understanding of what URH does behind the scenes.
- We will hack two smart home devices together. The first one is a high priced wireless socket, the second one a wireless door lock. We will go from capturing the raw signals through reverse engineering the protocols to crafting attacks on these devices, so you see the whole process in action.
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
I had a chat with Markus Robin at a security conference in Stralsund where we talked about the Universal Radio Hacker and Wireless Security and he pointed out that the topic might be very interesting for DeepSec.
Why do you think this is an important topic?
The Internet of Things in general and Smart Homes in particular bring great comfort but also potential threats. Imagine an attacker who monitors when a victim leaves their home based on the wireless communication of smart home devices. When the right moment comes, the attacker breaks the wireless door lock of the victim's home without even touching it and leaves no trace apart from the missing valuables.
Is there something you want everybody to know – some good advice for our readers maybe?
Every radio device you own is a risk for your privacy and security. Be especially aware when you see someone with a Software Defined Radio sneaking around your neighbourhood.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
I think the topic will become more and more relevant in the coming years, as the Internet of Things is rapidly evolving and we see serious vulnerabilities leading to stolen cars or broken door locks. Manufacturers will have to protect their devices better, since Software Defined Radios combined with suitable software allow performing attacks with a low budget and low effort.
Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he has been working there as a PhD student, conducting research in the area of Location Privacy and Wireless Security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he has worked as a Scientific Co-Worker at the University of Applied Sciences Stralsund.