© Aditya Gupta 2019
Aditya Gupta, The IoT Hacker's Handbook, https://doi.org/10.1007/978-1-4842-4300-8_9

9. Software Defined Radio

Aditya Gupta (Walnut, CA, USA)

So far, we have covered a number of topics for various kinds of software and hardware exploitation. In this chapter, we shift our attention to one of the other core components in any IoT device architecture, communication.

Communication is the key component for any IoT architecture and it is responsible for devices talking to each other and sharing and exchanging data. The communication can either happen through a wired or wireless medium. In this and the next chapter, we cover various types of wireless communication technologies and explore software defined radio.

We start by understanding the concept of wireless communications: they are what IoT devices rely on to talk to each other, and the effective range of the various wireless technologies spans from a few centimeters to several miles.

In this and the next chapter, we cover some wireless technologies, including topics such as software defined radio (SDR), BLE, and ZigBee. However, we won’t be going into the concepts of electromagnetic theory and the nitty-gritty of wireless technologies or digital signal processing.

Anyone who is reading this book will most certainly have experienced a form of wireless communication with the many devices that we are surrounded with. Be it controlling a television with a remote, or accessing the Internet using Wi-Fi or syncing your smart wearable wristband to your smartphone, all of this is done via one or the other forms of wireless communication technologies.

Even if you have never worked with radios before, you will find this chapter fascinating, practical, and extremely actionable. You might have used an FM radio in your early days or have seen your parents use one. The limitation of an FM radio, or of any fixed-function receiver, is that it can only tune a narrow band and perform the specific set of actions the designer built into the hardware.

Imagine the power you would have if you could build and use a radio that covers an extremely large frequency range and whose functionality you could change at will without touching the hardware at all. That is what SDR does: the mixing, filtering, demodulation, and decoding that would otherwise be done by dedicated hardware are implemented in software operating on digitized samples.

With this basic foundational knowledge of SDR, let’s look into what these are exactly, how to implement them, and finally how to use them for our IoT security and exploitation research.

Hardware and Software Required for SDR

Before we begin looking into SDR, here’s a list of the tools that we will be using in this chapter:

Software
  1. GQRX
  2. GNURadio

Hardware
  1. RTL-SDR

Software Defined Radio

By now, you will already have a lot of questions about SDR: How do these devices function? How can we create our own? We will take one step at a time, and try to understand the underlying principles of SDR first, and then move to further details.

I’ll start with an example. Imagine you are working on one of your IoT security penetration testing engagements and you have been given a wireless doorbell to pentest. You have tested all the hardware using the previous techniques we have discussed and now you need to look at the radio aspect. You look up the FCC ID of the device and find out that it communicates over 433 MHz. One of the things you can do is get a 433 MHz receiver to analyze the device’s radio properties and the kind of data it is transmitting. However, there is one limitation of this: What if the device transmits at 436 MHz or the next device you pentest transmits at 355 MHz?

A better solution to approach this particular scenario is to work with SDR, which will allow you to modify the radio frequency that you’re listening to and the way you decode the signal based on whichever device you are assessing. Therefore, you no longer need different hardware for different devices, but rather a combination of a single hardware and software utility that will allow you to make changes according to your requirements.

This is exactly what SDR allows you to achieve: You can modify the processing done by the radio component depending on your needs.

Setting Up the Lab

The first thing we should do, before we jump into analyzing frequencies and looking at all the finer details, is to set up our lab environment for SDR. I strongly recommend setting up the lab for all the SDR exercises on Ubuntu, as other platforms might not be as easy to set up: GNURadio, GQRX, and the rtl-sdr and HackRF tools are all packaged for it, which matters more as the exercises get more involved later on.

Here are the things that need to be set up for our entire SDR lab:
  1. GNURadio
  2. GQRX
  3. rtl-sdr utilities
  4. HackRF tools

You will also need access to SDR hardware. There are a number of options to choose from and all of them have their own benefits. However, to keep things simple at the start, I have chosen the RTL-SDR, which is an extremely inexpensive ($20) piece of hardware that will allow us to perform a number of our SDR-related exercises. Later on, in this chapter, I also show how we can use HackRF for additional radio exploitation.

One limitation of the RTL-SDR is that it is a receive-only device: it lets you sniff and look at various frequencies, but it cannot transmit your own data. For transmitting, I would strongly recommend getting a tool such as HackRF.

Installing Software for SDR Research

As mentioned earlier, I recommend performing all of the SDR exercises on an Ubuntu machine. I would also recommend having Ubuntu as your base operating system rather than running these exercises inside a VM, unless that's the only option: the dongle has to be passed through to the guest over USB, and at the higher sample rates a VM tends to drop samples.

Installing the tools from the apt repositories is straightforward (note that the GQRX package is named gqrx-sdr):
sudo apt install gqrx-sdr gnuradio rtl-sdr hackrf
After plugging in the RTL-SDR, run rtl_test; if it reports that the kernel's DVB driver has claimed the device, blacklist the dvb_usb_rtl28xxu module and plug the dongle in again.
It’s always preferable to build the tools from the source to avoid any dependency issues or bugs while working with them. Step-by-step guides for installing the tools you need from the source can be found at the following links:

SDR 101: What You Need to Know

Before we move further, we need to go through the many underlying concepts that will come into use once we start working with SDR. In this section, we cover some of the extremely basic but important topics that you need to understand before doing anything significant in SDR.

Let’s start with a very simple example—communication through a Wi-Fi router. This means the Wi-Fi router is emitting signals in the air that a laptop is able to pick up through its Wi-Fi chipsets, for example. The Wi-Fi router in this case is the transmitter, and the wireless chip inside the laptop is the receiver.

If we go into finer detail, the data that need to be transmitted from the Wi-Fi router are modulated onto a carrier signal at 2.4 GHz. The modulated signal travels through the air (the transmission medium) and is received at the other end, where it is demodulated and the original data are recovered. Modulation is essential for a number of reasons, including efficient use of the antenna and the available spectrum, multiplexing several channels onto one medium, resistance to noise, and matching the properties of the medium (air, cable, and so on).

As you might have realized, in a modulation, the baseband signal, which is considered the main information source, is carried by a higher frequency wave called the carrier signal. Based on the properties of the carrier signal and the type of modulation being used, the properties of the final signal, which travels through the air, change.

Modulation comes in a number of types and you will come across several of them during your IoT security research journey. There are two primary categories:
  • Analog modulation: amplitude modulation (including its double-sideband (DSB) and single-sideband (SSB) variants) and frequency modulation.

  • Digital modulation: frequency shift keying (FSK), phase shift keying (PSK), and quadrature amplitude modulation (QAM).

They can also be divided according to the property of the carrier being modulated:
  • Amplitude modulation

  • Frequency modulation

  • Phase modulation

Amplitude Modulation

To give you a quick example, Figure 9-1 shows what amplitude modulation looks like when looking at the signal waveforms. Amplitude is simply the vertical distance of a peak or valley from the signal's equilibrium position.
Figure 9-1. (image not reproduced)

In Figure 9-1, the modulating signal is impressed on the carrier signal to produce the final modulated signal. Notice how the amplitude of the carrier is scaled up and down by the modulating signal, so that the envelope of the modulated signal traces the shape of the modulating signal.

Frequency Modulation

Frequency modulation (FM) works by varying the frequency of the carrier wave (see Figure 9-2): the instantaneous frequency of the carrier moves above and below its center in proportion to the input signal. One practical property of FM is the capture effect: when two FM signals overlap, the receiver locks onto the stronger one and largely suppresses the weaker. Digital data can be transmitted by shifting the carrier frequency among a set of discrete values, which is called frequency shift keying (FSK).
Figure 9-2. Frequency modulation. (Source: http://www.g4prs.org.uk/)

Phase Modulation

Phase modulation works by varying the phase angle of the carrier wave in proportion to the input signal, as shown in Figure 9-3. Its digital form, where the phase jumps among a set of discrete values, is phase shift keying (PSK).
Figure 9-3. (image not reproduced)
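To make the three cases concrete, here is an added example (my code, not the book's) that generates AM, FM, and PM versions of one carrier as complex I/Q samples and then measures back the quantity each one varies: the envelope for AM, the instantaneous frequency for FM, and the phase offset for PM. The same FM path driven by a ±1 bit stream gives FSK, the digital form of FM mentioned above. The sample rate, carrier frequency, message frequency, and modulation parameters are my choices and not taken from the chapter.

```python
import cmath
import math

SAMPLE_RATE = 1_000_000   # 1 MSPS (my choice; the chapter's flow graph later uses the same rate)
CARRIER_HZ = 100_000      # carrier frequency for the example (assumed)
MESSAGE_HZ = 1_000        # baseband tone used as the analog message (assumed)


def tone(freq_hz):
    """Analog baseband message: a cosine of amplitude 1 at freq_hz, indexed by sample."""
    return lambda i: math.cos(2 * math.pi * freq_hz * i / SAMPLE_RATE)


def bit_stream(bits, baud):
    """Digital baseband message: +1 during a 1 bit, -1 during a 0 bit."""
    spb = SAMPLE_RATE // baud   # samples per bit
    return lambda i: 1.0 if bits[min(i // spb, len(bits) - 1)] else -1.0


def modulate(kind, message, n, depth=0.5, deviation_hz=10_000, index=math.pi / 2):
    """n complex (I/Q) samples of the carrier with message(i) impressed on it.

    'am' scales the amplitude, 'fm' offsets the frequency, 'pm' offsets the phase."""
    out, phase = [], 0.0
    for i in range(n):
        m = message(i)
        if kind == "am":
            phase = 2 * math.pi * CARRIER_HZ * i / SAMPLE_RATE
            out.append((1 + depth * m) * cmath.exp(1j * phase))
        elif kind == "fm":
            # instantaneous frequency is CARRIER_HZ + deviation*m; phase is its running sum
            phase += 2 * math.pi * (CARRIER_HZ + deviation_hz * m) / SAMPLE_RATE
            out.append(cmath.exp(1j * phase))
        elif kind == "pm":
            phase = 2 * math.pi * CARRIER_HZ * i / SAMPLE_RATE + index * m
            out.append(cmath.exp(1j * phase))
        else:
            raise ValueError(f"unknown modulation {kind!r}")
    return out


def envelope(iq):
    """Per-sample amplitude: what an AM (or OOK) detector recovers."""
    return [abs(z) for z in iq]


def instantaneous_frequency(iq):
    """Frequency in Hz implied by each phase step: what an FM detector recovers."""
    return [cmath.phase(b * a.conjugate()) * SAMPLE_RATE / (2 * math.pi)
            for a, b in zip(iq, iq[1:])]


def phase_offset(iq):
    """Phase relative to an unmodulated carrier: what a PM detector recovers."""
    return [cmath.phase(z * cmath.exp(-2j * math.pi * CARRIER_HZ * i / SAMPLE_RATE))
            for i, z in enumerate(iq)]


def fsk_signal(bits, baud=10_000):
    """FSK: FM driven by a bit stream, so each bit is one of two frequencies."""
    return modulate("fm", bit_stream(bits, baud), SAMPLE_RATE // baud * len(bits) + 1)


def demod_fsk(iq, baud=10_000):
    """Average the instantaneous frequency over each bit period and compare to the carrier."""
    freqs, spb = instantaneous_frequency(iq), SAMPLE_RATE // baud
    return [1 if sum(freqs[s:s + spb]) / spb > CARRIER_HZ else 0
            for s in range(0, len(freqs) - spb + 1, spb)]


if __name__ == "__main__":
    am, fm, pm = (modulate(k, tone(MESSAGE_HZ), 2000) for k in ("am", "fm", "pm"))
    print("AM envelope swings", min(envelope(am)), "to", max(envelope(am)))
    print("FM frequency swings", min(instantaneous_frequency(fm)), "to",
          max(instantaneous_frequency(fm)), "Hz")
    print("PM phase swings", min(phase_offset(pm)), "to", max(phase_offset(pm)), "rad")
    print("FSK round trip:", demod_fsk(fsk_signal([1, 0, 1, 1, 0, 0, 1])))
```

With the defaults, the AM envelope moves between 0.5 and 1.5 (carrier amplitude 1 with a modulation depth of 0.5), the FM instantaneous frequency moves between 90 kHz and 110 kHz (10 kHz deviation), and the PM phase moves between -π/2 and +π/2, which is exactly the property each modulation scheme uses to carry the message.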

Common Terminology

Let’s now look at some of the common terminology you might encounter while doing SDR security research. I keep it brief to provide an introduction and understanding of what the different components are without going into highly technical details relating to digital signal processing at this stage.

Transmitter

A transmitter is the component in a radio system that produces the signal to be radiated: it takes the data to be sent, modulates them onto a carrier, and amplifies the result for the antenna.

Analog-to-Digital Converter

As the name suggests, the analog-to-digital converter (ADC) converts analog signals to their digital counterparts. It does this by measuring the signal's value at regular intervals (the sample rate) and representing each measurement as a number with a fixed number of bits (8 bits in the RTL-SDR, for example). Remember, most of the real-world data that you collect are analog, whereas the data that computers understand are digital.

Because computers can only work with digital data, you will find an ADC in almost all the SDR hardware you use. The exact opposite of an ADC is a digital-to-analog converter (DAC), which a transmit-capable SDR such as HackRF uses to turn samples back into an analog signal.

Sample Rate

The sample rate is the number of samples measured per second of a given signal; in other words, the number of times per second we take note of the signal's value. By the Nyquist criterion, the sample rate must be at least twice the highest frequency present in the signal (twice its bandwidth, for the complex I/Q samples an SDR produces); otherwise the signal cannot be reproduced, and frequencies above half the sample rate show up as false lower frequencies (aliases).

Sample rates in SDR are usually quoted in millions of samples per second (MSPS). For instance, a 20 MHz wide 802.11 channel needs at least 20 MSPS of complex samples to be captured in full, which is why an RTL-SDR (about 2.4 MSPS at most) cannot capture Wi-Fi.

Fast Fourier Transform

During your entire SDR security research journey, you will hear the term fast Fourier transform (FFT) a number of times. The FFT is an efficient algorithm for computing the discrete Fourier transform. It takes a block of samples in the time domain and gives the strength of each frequency they contain; that is, it moves the plot from the time domain to the frequency domain, which lets us pick out the individual frequencies present. This is also something we cover later in this chapter in more detail.

Bandwidth

Bandwidth is the frequency range that is required to carry a signal. In other words, the distance between the highest and lowest frequencies carried by a signal is referred to as bandwidth.

Wavelength

Wavelength in radio signals is the distance between two consecutive crests (the high parts) or troughs (the dips), as illustrated in Figure 9-4.
Figure 9-4. Waveform illustrating wavelength and amplitude in a signal

Frequency

Frequency simply means how often an event happens. In the case of radio, it is the number of cycles of the wave per second, or the rate of oscillation, and is measured in hertz (Hz). It is inversely proportional to the wavelength.

Different devices operate at different frequencies, and the spectrum is divided into the frequency bands shown in Figure 9-5.
Figure 9-5. Different frequency bands and their classification (Source: https://en.wikipedia.org/wiki/Radio_spectrum)

There is also a division of frequencies by the application of devices in those ranges, such as the broadcasting bands, the ISM bands, the amateur radio bands, and so on. Even the various SDR tools cover different frequency ranges:
  • RTL-SDR: about 24 to 1766 MHz with the common R820T tuner (52 to 2200 MHz with the older E4000 tuner)

  • HackRF: 1 MHz to 6 GHz

  • Yardstick One: sub-1 GHz

  • LimeSDR: 100 kHz to 3.8 GHz

To give you a perspective on the frequencies just mentioned, the human ear hears a range of 20 Hz to 20 kHz, and the Wi-Fi and BLE devices that you have operate at 2.4 GHz.

Antenna

An antenna is the component responsible for turning the transmitter's electrical signal into electromagnetic waves that travel through the medium of propagation (usually air), and for doing the reverse on the receiving end. The telescoping metal rods you adjusted to listen to FM or on old television sets are a good example of what an antenna might look like.

Depending on the use case scenario, the kind of antenna being used will differ. These are some of the types of antennas that you will probably encounter:
  1. Log periodic antennas
  2. Traveling wave antennas
  3. Microwave antennas
  4. Reflector antennas
  5. Wire antennas

We won’t go into the specifics of each antenna, as the choice of an antenna is highly dependent on the specific usage. However, if you are interested, you can learn more about antennas at https://www.tutorialspoint.com/antenna_theory/antenna_theory_quick_guide.htm .

Gain

Gain, usually meaning power gain in radio terminology, is the ratio of output power to input power. A gain greater than 1 (where the output power is greater than the input power) is amplification. Gain can also be thought of in terms of the magnitude of the signal: how big the signal is after the gain compared with before. Gain is usually expressed in decibels (dB), a logarithmic unit; the voltage gain of 1.5 shown in Figure 9-6 is about 3.5 dB. We can understand gain more clearly from Figure 9-6.
Figure 9-6. Comparison between an original signal and a signal with 1.5 gain

The top waveform in Figure 9-6 is the original signal whereas the bottom one has a gain of 1.5. As you can see, the new output signal is 1.5 times the original input signal.

In most practical cases, you will apply gain because the signal received from the air is often very weak, which makes processing difficult. The gain should be chosen carefully: set too high, it saturates the receiver's ADC and distorts the signal, making it unreadable, and on an RTL-SDR it also raises the noise floor. Adjust it while watching the spectrum and stop as soon as the signal stands clear of the noise.

Filters

Filters in radio communications do what their name suggests: they remove the parts of a signal you do not want (and, if chosen badly, parts you do want) and pass the rest.

There are primarily three types of filters:
  1. Low pass filter: Passes all frequencies below a cutoff frequency.
  2. High pass filter: Passes all frequencies above a cutoff frequency.
  3. Band pass filter: Passes all frequencies within a band between two cutoff frequencies.

You will find yourself using filters in a number of situations when you have to perform activities such as eliminating noisy signals or separating one signal from the others.

GNURadio for Radio Signal Processing

GNURadio is an open source toolkit for digital and analog signal processing: a library of C++ signal processing blocks with Python bindings. It also supports a wide range of SDR hardware such as RTL-SDR, HackRF, USRP, and more, and includes a huge variety of radio processing blocks and applications that can be used to process the data.

It serves a number of purposes for security research, including things such as analyzing a captured signal, performing demodulation, extracting data from signals, reversing unknown protocols, and more. It is also used to perform audio processing, mobile communication analysis, flight and satellite tracking, RADAR systems, and more advanced signal processing applications.

GNURadio, simply put, is an open source tool that allows you to work with various radio components. You can have various input sources, processing blocks, and output forms. GNURadio applications can also be built using Python scripting, which internally call the C++ signal processing code of GNURadio and give the desired output. GNURadio Companion is a graphical utility that comes along with the GNURadio toolkit that allows you to build flow graphs using the underlying GNURadio components.

Working with GNURadio

To understand GNURadio, we start with a very simple flow graph. In our first exercise, we generate a sinusoidal wave and send it to a Transmission Control Protocol (TCP) sink. In another program, we use a TCP source, pointing it to the input signal coming from the previous program and then finally plot the entire waveform. We learn more about the components as we encounter them further in the exercises.

Launch gnuradio-companion from the terminal. You will see a screen similar to the one shown in Figure 9-7.
Figure 9-7. GNURadio workspace

This is the home screen of GNURadio, which contains three main components:
  • Workspace: The blank area with two blocks named Options and Variable.

  • Blocks: The right-side list of all the various processing blocks you can use to build your radio.

  • Reports: The bottom pane of the screen that shows output, debug, and error messages.

To use GNURadio to build a workflow, we can drag and drop content from the Blocks pane into our Workspace area. The first component that we will add is a signal source. The Signal Source block would be located inside the section Waveform Generators or can alternatively be found by pressing Ctrl+F and searching for signal source. Your screen should now look similar to the one shown in Figure 9-8.
Figure 9-8. Adding a signal source

As you can see, we now have the Signal Source block in our Workspace. Notice that the color of the Signal Source text is red because we have not yet connected the output coming out of the block (in this case a cosine waveform coming out of the signal source) to another block.

Let's go ahead and add a TCP sink, which is where we want our signal to finally end up. Before that, though, we add a Throttle block. A Throttle block limits the flow graph to the configured sample rate, so that a graph with no hardware source or sink (like this one, which only generates a signal) does not run as fast as the CPU allows and consume a whole core. That is the only reason to use it: when a hardware block such as an RTL-SDR Source is present, the hardware already paces the graph and the Throttle should be left out. Let's drag and drop both Throttle and TCP Sink to our Workspace, which should make it look like Figure 9-9.
Figure 9-9. All blocks added

The next step is to connect the blocks to each other, by clicking the output port of one block and then the input port of the block you want to connect it to. Once done, double-click TCP Sink, which opens the block's properties.

In the Properties dialog box, we can configure the various values of the block. In this case, we only need to change the value of Port and set it to 31415 (see Figure 9-10).
Figure 9-10. Modifying properties

Another thing to notice in the Properties dialog box is the use of different colors for different fields (Figure 9-11). Each color corresponds to a data type, as listed under the Help | Types menu.
Figure 9-11. Data types color mapping

Returning to our flow graph, the next thing that we need to do is create another GNURadio companion (.grc) file that would take the input coming from our first program and plot it for us.

To do this, simply save the existing flow graph and create a new file in GNURadio. In the new file, drag and drop TCP Source, Throttle, and Scope Sink. Edit the property of the TCP Source block’s Port value to 31415.

Once you have everything set, go ahead and run both the flow graphs, starting with the second file you saved. You should be able to see the plot as shown in Figure 9-12.
Figure 9-12. Plotted waveform

As you can see, we just created our radio, starting with a signal generator block, and sent it to a TCP sink, which was received by the TCP source in the other program, and finally created a waveform plot with it.

Let's get more familiar with GNURadio by creating a new flow graph in which we add two signals and look at the new signal that gets created as a result. To do this, drag and drop a Signal Source, Throttle, and WX GUI Scope Sink block and connect them all. (The WX GUI blocks belong to GNURadio 3.7; in 3.8 and later they have been removed, and the QT GUI Time Sink and QT GUI Frequency Sink blocks take their place.) Before running it, ensure that the frequency of the Signal Source is set to 1000. It should look like the one shown in Figure 9-13.
Figure 9-13. Initial waveform

Now delete the connection between the Signal Source and Throttle blocks, and add another Signal Source block with a frequency of 1,000 and an amplitude of 2, plus an Add block. Connect the output of each Signal Source to one input of Add, and the output of Add to Throttle, which is then connected to the WX GUI Scope Sink. Your workspace should look like the one depicted in Figure 9-14.
Figure 9-14. Final workspace

Once you execute the flow graph, your output should look like Figure 9-15.
Figure 9-15. Analyzing changes between two different waveforms

As you will notice from the output signal's plot (the lower one), the amplitude of the summed signal is 3, instead of the original signal's 1: two cosines of the same frequency and phase add amplitude for amplitude. We can also modify this graph a bit and use an FFT to see the two signals separately in one plot. To do this, simply change the frequency of one of the blocks to 2,000 and replace the WX GUI Scope Sink with a WX GUI FFT Sink. Figure 9-16 shows how the flow graph will look.
Figure 9-16. Understanding FFT workspace

Once you execute this flow graph, you will be able to see an FFT plot showing the two different signals with their different amplitudes and frequencies, as shown in Figure 9-17.
Figure 9-17. Fast Fourier transform
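As an added example that is not part of the book, the following Python reproduces the two exercises above (two 1 kHz sources summed, then 1 kHz plus 2 kHz viewed through an FFT) without GNURadio, and uses the same FFT to check two earlier points from the SDR 101 section: the sample rate rule (a 3 kHz tone sampled below twice its frequency shows up at the wrong frequency) and what a low pass filter does to the mixed signal. The 32 kS/s sample rate, the 4096-point FFT, and the 16-tap moving average filter are my choices, not the book's.

```python
import cmath
import math

SAMPLE_RATE = 32_000   # samples per second (assumed; GRC's default samp_rate variable)
N = 4096               # FFT size; a power of two, so bins are 32000/4096 = 7.8125 Hz apart


def signal_source(freq_hz, amplitude=1.0, sample_rate=SAMPLE_RATE, n=N):
    """A cosine tone, like the GNURadio Signal Source block with a real (float) output."""
    return [amplitude * math.cos(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


def add(*signals):
    """The Add block: element-wise sum of equally long sample streams."""
    return [sum(samples) for samples in zip(*signals)]


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def spectrum_peaks(samples, sample_rate=SAMPLE_RATE, min_amplitude=0.1):
    """One-sided spectrum as [(frequency_hz, amplitude)], keeping bins above min_amplitude.

    2*|X[k]|/N recovers the peak amplitude of a real tone that falls exactly on bin k."""
    n = len(samples)
    bins = fft(samples)
    return [(k * sample_rate / n, round(2 * abs(bins[k]) / n, 3))
            for k in range(n // 2) if 2 * abs(bins[k]) / n >= min_amplitude]


def dominant_frequency(samples, sample_rate):
    """Frequency of the strongest bin, i.e. what the FFT sink's tallest peak would read."""
    n = len(samples)
    bins = fft(samples)
    k = max(range(n // 2), key=lambda k: abs(bins[k]))
    return k * sample_rate / n


def moving_average(samples, taps):
    """A crude low pass filter (circular, so a periodic input stays periodic).

    It has nulls at multiples of sample_rate/taps: 16 taps at 32 kS/s removes 2 kHz."""
    n = len(samples)
    return [sum(samples[(i - j) % n] for j in range(taps)) / taps for i in range(n)]


def exercise_add_same_frequency():
    """Two 1 kHz sources, amplitudes 1 and 2, summed: one 1 kHz peak of amplitude 3."""
    return spectrum_peaks(add(signal_source(1000, 1.0), signal_source(1000, 2.0)))


def exercise_add_different_frequency():
    """1 kHz (amplitude 1) plus 2 kHz (amplitude 2): two peaks, one per tone."""
    return spectrum_peaks(add(signal_source(1000, 1.0), signal_source(2000, 2.0)))


def exercise_low_pass():
    """The same mixed signal through a 16-tap moving average: the 2 kHz peak is gone."""
    mixed = add(signal_source(1000, 1.0), signal_source(2000, 2.0))
    return spectrum_peaks(moving_average(mixed, 16))


def exercise_aliasing():
    """A 3 kHz tone sampled at 8192 S/s (above Nyquist) and at 4096 S/s (below it).

    Returns the frequency the FFT reports in each case; the second one is an alias."""
    fast = signal_source(3000, sample_rate=8192, n=8192)
    slow = signal_source(3000, sample_rate=4096, n=4096)
    return dominant_frequency(fast, 8192), dominant_frequency(slow, 4096)


if __name__ == "__main__":
    print("1 kHz + 1 kHz:", exercise_add_same_frequency())
    print("1 kHz + 2 kHz:", exercise_add_different_frequency())
    print("after low pass:", exercise_low_pass())
    print("3 kHz tone at 8192 S/s and 4096 S/s:", exercise_aliasing())
```

Each exercise_* function returns what the FFT sink's peaks would read, as (frequency, amplitude) pairs, so you can compare them with the plots. The moving average is deliberately crude (besides removing 2 kHz it also knocks the 1 kHz tone down to about 0.64 of its amplitude), which is why GNURadio's Low Pass Filter block uses a properly designed FIR filter instead.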

Identifying the Frequency of a Target

One of the most important pieces of analysis that we have to do when we start any IoT device radio analysis is to identify its operating frequency. This information can sometimes be publicly available via the FCC ID information or on the device’s web site or community forums.

If it is not present and not easily obtainable, we can use our own tools and techniques to find out which frequency (or frequency range) the device is active on. For this, we use an SDR tool such as RTL-SDR, which will allow us to monitor a wide range of frequency spectrums covering the frequency on which the device would most often be operating. The software utility that we use to look at the frequency spectrum is GQRX.

For this exercise, we use two targets:
  1. Garage door opener key fob
  2. Weather station

Before actually identifying the radio frequencies of these devices, let's perform a quick visual and hardware inspection to see if we can get an approximate idea of the frequency by any means.
  1. Garage door opener key fob: It's an inexpensive (< $10) piece of hardware without any visible FCC ID or any other kind of certification marked on the device. If we open up the key fob as shown in Figure 9-18, we see that it uses a 433 MHz oscillator.
Figure 9-18. Opening a key fob for analysis

This implies that the communication is taking place at 433 MHz and we can now listen to that frequency (and nearby ones) to identify the exact frequency being used by the key fob.
  2. Weather station: In comparison to the key fob, we are a bit lucky in this case, as this weather thermometer has a clearly marked FCC ID on the back of the device, as shown in Figure 9-19.
Figure 9-19. Weather station with clear FCC ID on the back

Let's go to fccid.io to look up the FCC ID that we found on the weather station, RNE00609A1TX. Figure 9-20 displays what we find in the FCC database: the frequency used by the weather thermometer is 433.92 MHz.
Figure 9-20. Weather thermometer FCC ID information

Now that we have identified the frequency of both our devices, we can use the tool GQRX to confirm our findings and identify the exact frequencies up to three to four decimal places on which these devices are operating. GQRX is a tool based on GNURadio and the QT framework to provide us with a visual analysis of the entire frequency spectrum. There are a lot of other use cases and modifications you can do with GQRX, but I won’t go into that here. If you are interested, you can find more information on the official web site at http://gqrx.dk/category/doc .

Once you launch GQRX, you will be asked to select the device whose frequency spectrum you want to look at, as shown in Figure 9-21. Here, change the Device setting to RTL-SDR (or whichever device you have) and click OK. You don't need to modify any other settings here. Once you are in GQRX, set the frequency to around 433 MHz, either by typing the digits into the frequency display or by clicking a digit and using the arrow keys, and then start the receiver.
Figure 9-21. Analyzing exact frequency of target device using GQRX

Once you start the devices, you will begin noticing the peaks (or spikes) in the frequency spectrum shown in the top window pane. You will also see them leave traces in the lower pane of the window, which is known as the waterfall view. In our case, the peak is close to 433.897 MHz, while the nominal frequency is 433.92 MHz. An offset of a few tens of kilohertz like this is normal: the cheap resonators in these devices are not exact, and the RTL-SDR's own crystal has an error of tens of ppm, which you can measure and correct with the ppm setting in GQRX (or the -p option of rtl_433). What matters is that the signal sits inside the band you capture.

Analyzing the Data

Now that we have identified the exact frequencies on which the devices operate using GQRX, the next step is to figure out exactly what data are being transmitted by the devices and, if required, decode them into a readable format. Given that both of these devices operate around 433 MHz, we can use rtl_433, a separate open source tool built on top of the rtl-sdr library that decodes many common 433 MHz (and other ISM band) devices, to analyze the data.

Analyzing Using RTL_433 and Replay

Let's begin with the garage door opener key fob. Start by connecting the RTL-SDR to your system. Next, we use the rtl_433 utility and provide the exact frequency that we want to analyze:
rtl_433 -f 433920000
Once you run this command and press the fob, you will see the data being transmitted by the key fob, which looks like the output shown in Figure 9-22. If none of rtl_433's built-in decoders recognize your device, add the -A option to print the raw pulse timings instead.
Figure 9-22. Key fob data

Notice that the hex value being transmitted changes a little between key fob presses. Before moving on, capture the same button several times and compare: if the same code comes back on every press, it is a fixed code and a plain replay of it will work; if every press produces a different code, the fob probably uses a rolling code, and a replayed packet will be rejected as already used.

From here on, you can either use a tool like HackRF to transmit the packets again, or a combination of an Arduino and a 433 MHz transmitter module would work. Let's go ahead and have a look at how this could be done using the Arduino and a 433 MHz transmitter.

First, connect the 433 MHz transmitter and receiver modules to your Arduino. These are the connections overall:
  • Arduino 5V <-> VCC of both transmitter and receiver

  • Arduino GND <-> GND of both transmitter and receiver

  • Arduino D10 <-> DATA of the transmitter

  • Arduino D2 <-> DATA of the receiver

Next, download the rc-switch Arduino library, which contains the code for receiving and transmitting on 433 MHz, from https://github.com/sui77/rc-switch .

Now, go ahead and import the library in the Arduino IDE. Once done, upload the ReceiveAdvanced sketch (ReceiveDemo_Advanced in the library's examples) to the Arduino and open the serial monitor at 9600 baud. The code for ReceiveAdvanced is shown in Figure 9-23.
Figure 9-23. ReceiveAdvanced code

Now, as soon as you press the button of the garage opener key fob, you will see the decoded data in the serial monitor: the decimal value, its bit length, the binary string, the pulse length, and the rc-switch protocol number. Copy the data, as we are going to retransmit them. Figure 9-24 shows what the data will look like.
Figure 9-24. Showing the decoded data of a key fob with different key presses

To complete the process, open the SendDemo sketch and enter the copied value and bit length into its send() call (rc-switch also accepts the binary string). Once you are done, upload the code and you will see it triggering the relay module. Figure 9-25 shows the complete code for SendDemo.
Figure 9-25. SendDemo code

Once you run the SendDemo code, you will be able to replay the radio packets, making the garage door open. Notice that this works because the opener is a fixed-code device: it does not check whether a code has already been used. Against a rolling-code receiver, a straight replay fails, and you would need additional steps, such as jamming the receiver while capturing a press, so that you end up holding a code the receiver has not yet consumed.

Using GNURadio to Decode Data

Now that we know how to replay data by first sniffing with the RTL-SDR and then sending with the Arduino and 433 MHz transmitter, we can move on to decoding the data of the weather station. Unlike the garage door opener key fob, the weather station transmits data that are not decoded for us by the tools used so far. Therefore, we will use GNURadio and its signal processing blocks to work out exactly what data are being sent by sniffing the packets.

Once you start analyzing the GQRX or GNURadio analysis of the frequency on which the weather station operates, you will be able to see various peaks and bursts of data that are sent at regular intervals. Here we are trying to figure out what the exact data are that are being sent by the weather station.

Let’s go ahead and create a GNURadio workflow to decode the data that are being transmitted by the weather station.

First, open GNURadio Companion and set the Generate Options to WX (on GNURadio 3.8 or later, where the WX GUI blocks no longer exist, use QT GUI and the QT GUI Frequency Sink). Change the sample rate to 1M.

Next, drag and drop an RTL-SDR Source block as well as a WX GUI FFT Sink block. In the properties of the RTL-SDR Source, set the frequency to that of the weather station, 433.92 MHz. Your flow graph should look like the one shown in Figure 9-26.
Figure 9-26. Initial flow graph

Now, if you double-click the RTL-SDR Source and look at its Properties dialog box, you will notice that the only output type is Complex float32 (I/Q samples), as shown in Figure 9-27.
Figure 9-27. Setting RTL-SDR block properties in GNURadio

For this reason, we will have to use an additional block of Complex to Mag ^ 2 to convert this to a usable positive value. Drag and drop a Complex to Mag^2 block to the workflow and connect the output of the RTL-SDR source to Complex to Mag^2.

The values coming out of Complex to Mag^2 are tiny (the RTL-SDR's samples are scaled to roughly plus or minus 1, and squaring a weak signal makes it smaller still), so amplify them with a Multiply Const block. A constant of 20 worked well for this capture; the right value depends on your gain setting and signal strength, so adjust it if the recorded waveform is still flat or if it clips.

Next, drag and drop these two blocks:
  • Wav File Sink : This saves the amplified envelope to a .wav file that we can then analyze in a tool such as Audacity. Double-click this block and set the path where you would like the output file saved; leave its sample rate at samp_rate so the timings in the file match the capture. At 1M samples per second the file grows quickly, so stop the flow graph after a few transmissions.

  • WX GUI FFT Sink : This lets us watch the spectrum around 433.92 MHz while capturing, so we can confirm the bursts are actually arriving.

Figure 9-28 shows how your final flow graph should look.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig28_HTML.jpg
Figure 9-28

Final GNURadio flow graph

When you run the flow graph, your result should look like Figure 9-29.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig29_HTML.jpg
Figure 9-29

FFT plot of the signal

Now open the .wav file that was created in Audacity. Audacity is a tool for audio analysis and editing, but because our file simply holds the signal envelope over time, it works just as well for viewing radio signals, as in our example.

At this point, you might still be wondering why we added the Multiply Const block, and how we knew it was needed. When we first tried the flow graph without it, the output .wav file looked like Figure 9-30.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig30_HTML.png
Figure 9-30

Waveform display before Multiply Const

As you can see, without the Multiply Const block the recorded signal is so small that the waveform is almost flat, which is why we added it. Figure 9-31 shows how the output .wav file looks with the Multiply Const block in place.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig31_HTML.png
Figure 9-31

Waveform display after Multiply Const

As we can see from Figure 9-31, this looks like on-off keying (OOK), a form of amplitude-shift keying (ASK) in which the carrier is simply switched on and off. For this weather station, a short high pulse represents a digital 0 and a longer high pulse represents a digital 1 (a pulse-width encoding). Other devices use different timings, or encode bits in the gaps rather than the pulses, so always measure the pulse lengths on the display before assigning bit values.

Once we have this information, we can decode the packet by reading off each high pulse as a 1 or a 0, which gives the result shown in Figure 9-32. The 1s and 0s marked there are only an illustration; write the bit string down yourself in a notepad or text editor as you go.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig32_HTML.png
Figure 9-32

Analyzing the output .wav file and calculating 1s and 0s

It takes some effort and patience, but once you group the bits into fields and convert each group from binary to a decimal value, the final result emerges. In our case, the entire data packet is a combination of ID, ST, Temperature, Humidity, and CRC, as shown in Figure 9-33.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig33_HTML.png
Figure 9-33

Final decoded data

That is how we can identify, analyze, and decode data using tools such as RTL-SDR, GNURadio, and GQRX.
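The following is an added example, not code from the book: it reproduces the GNURadio processing chain of this section (complex I/Q samples, Complex to Mag^2, Multiply Const) in plain Python and then performs the pulse-width OOK decode that the text does by eye in Audacity, including splitting the bits into the ID, ST, Temperature, Humidity and CRC fields and checking the CRC. The weather station I/Q data is synthesised in memory, and the pulse timings (500 µs short, 1500 µs long, 500 µs gap), the field widths and the CRC-8 polynomial are assumptions made for the example, not measurements of the real device.

```python
"""Added example (not code from the book): the GNU Radio chain of this section,
complex I/Q -> Complex to Mag^2 -> Multiply Const, in plain Python, followed by
the pulse-width OOK decode the text performs by eye in Audacity. The I/Q data is
synthesised; the pulse timings, field widths and CRC are assumptions."""
import cmath
import math
import random

SAMPLE_RATE = 1_000_000   # the flow graph's sample rate (1 Msps)
MULTIPLY_CONST = 20       # the Multiply Const value used in the flow graph
# Assumed pulse-width encoding (hypothetical microsecond timings): each bit is a
# high pulse followed by a fixed low gap; short high = 0, long high = 1.
SHORT_PULSE_US, LONG_PULSE_US, GAP_US = 500, 1500, 500
# Assumed layout (name, bits) in transmission order. The book names the fields
# but not their widths, so the widths here are made up.
FIELDS = [("id", 8), ("st", 4), ("temp", 12), ("hum", 8), ("crc", 8)]

def us_to_samples(us):
    return us * SAMPLE_RATE // 1_000_000

def crc8(data, poly=0x31):
    """Plain CRC-8 (MSB first, init 0) over the payload bytes; poly is assumed."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    return int("".join(str(b) for b in bits), 2)

def bits_to_bytes(bits):
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def pack_packet(fields):
    """Bit string a sensor would send: payload fields followed by the CRC."""
    bits = [b for n, w in FIELDS if n != "crc" for b in int_to_bits(fields[n], w)]
    return bits + int_to_bits(crc8(bits_to_bytes(bits)), 8)

def ook_modulate(bits, amplitude=0.02, offset_hz=50_000, noise=0.0005, seed=1):
    """Constructed I/Q stream: a tone slightly off centre while the key is down."""
    rng, iq = random.Random(seed), []
    def emit(high, us):
        for _ in range(us_to_samples(us)):
            n = len(iq)
            tone = amplitude * cmath.exp(2j * math.pi * offset_hz * n / SAMPLE_RATE) if high else 0
            iq.append(tone + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    emit(False, 4 * GAP_US)                        # leading silence
    for bit in bits:
        emit(True, LONG_PULSE_US if bit else SHORT_PULSE_US)
        emit(False, GAP_US)
    emit(False, 4 * GAP_US)                        # trailing silence
    return iq

def envelope_of(iq):
    """Complex to Mag^2 (I^2 + Q^2) followed by Multiply Const, per sample."""
    return [MULTIPLY_CONST * (s.real * s.real + s.imag * s.imag) for s in iq]

def high_pulse_widths(envelope, threshold, min_width):
    """Length in samples of each run above threshold; shorter runs are glitches."""
    widths, run = [], 0
    for v in envelope + [0.0]:                     # sentinel flushes the last run
        if v > threshold:
            run += 1
            continue
        if run >= min_width:
            widths.append(run)
        run = 0
    return widths

def widths_to_bits(widths):
    """Short high -> 0, long high -> 1, split halfway between the assumed timings."""
    split = (us_to_samples(SHORT_PULSE_US) + us_to_samples(LONG_PULSE_US)) / 2
    return [1 if w > split else 0 for w in widths]

def unpack_packet(bits):
    """Split the bit string into named fields and verify the trailing CRC."""
    if len(bits) != sum(w for _, w in FIELDS):
        raise ValueError(f"unexpected packet length: {len(bits)} bits")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = bits_to_int(bits[pos:pos + width])
        pos += width
    return fields, crc8(bits_to_bytes(bits[:-8])) == fields["crc"]

def decode_packet(iq):
    """Whole chain: I/Q -> envelope -> threshold -> pulse widths -> bits -> fields."""
    env = envelope_of(iq)
    threshold = 0.5 * max(env)                     # halfway between floor and peak
    widths = high_pulse_widths(env, threshold, us_to_samples(SHORT_PULSE_US) // 4)
    return unpack_packet(widths_to_bits(widths))

if __name__ == "__main__":
    sent = {"id": 0xA7, "st": 0x2, "temp": 235, "hum": 46}   # constructed reading
    print(decode_packet(ook_modulate(pack_packet(sent))))
```

Running the file prints the decoded fields and whether the CRC matched. The threshold is set halfway between the noise floor and the peak rather than at a fixed value, which is the same judgement you make by eye in Audacity; the minimum run length drops single-sample glitches that would otherwise split one pulse into two. For a real capture, replace `ook_modulate` with the samples read from the .wav file and adjust the three timing constants to what you measure on the display.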

Replaying Radio Packets

One of the other important concepts in working with radios is the ability to replay data. Even though we looked at replaying with a 433 MHz transmitter module, that approach only works when a transmitter for the target frequency is readily available. If the device you are working with uses a less popular frequency, you might not find a suitable module at all. In those cases, a device like HackRF is invaluable.

HackRF is an open source device developed by Michael Ossmann (with contributions from many others, including Jared Boone and Dominic Spill) that can receive and transmit across a wide frequency range, from 1 MHz to 6 GHz. Because we have already installed the HackRF tools, we can now go ahead and start using them.

The first step is to ensure that your HackRF device is plugged in and accessible to your system. This can be done by using the hackrf_info utility as shown in Figure 9-34.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig34_HTML.png
Figure 9-34

HackRF device connected to the system

Once we have verified that the HackRF device is connected and accessible, the next step is to use hackrf_transfer to record the raw samples to a file that we can later replay. The parameters we use are -r to receive into the named file, -f for the center frequency in Hz, and -s for the sample rate in Hz. Note that -s takes a value in Hz and hackrf_transfer only accepts rates the hardware supports (commonly 8 or 10 MHz), and that the file it writes is a headerless stream of interleaved signed 8-bit I and Q samples, so it grows at twice the sample rate in bytes per second.

The following command and Figure 9-35 show how the command and its output look.
hackrf_transfer -s 8000000 -f 433920000 -r dump
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig35_HTML.jpg
Figure 9-35

Capturing packets with HackRF

Once you have captured the packets, the next step is simply to replay them, which is done by replacing -r with -t to name the file from which transmit data is taken, keeping the same -f and -s values so the samples are played back at the frequency and rate they were recorded at. If the target does not react, the HackRF's transmit gain (-x) can be raised, but start low.

As Figure 9-36 shows, we are able to replay the data and change the readings shown on the weather station's display. Replay is an extremely useful technique: whenever a device accepts transmissions with no authentication and no freshness check (no rolling code, counter, or challenge), replaying a captured packet is enough to control the target IoT device.
../images/473264_1_En_9_Chapter/473264_1_En_9_Fig36_HTML.jpg
Figure 9-36

Replaying packets with HackRF
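The file that hackrf_transfer -r writes is a raw stream of interleaved signed 8-bit I and Q samples with no header, so at 8 Msps even a few seconds of capture is tens of megabytes, most of it noise. Before replaying, it is worth checking that the file actually contains a burst and trimming it down to that burst so the replay is short and repeatable. The following is an added example, not code from the book or from the HackRF project, that does this on a constructed capture held in memory; the 8 MHz sample rate, the file names, the block size and the 10x detection factor are all assumptions.

```python
"""Added example (not from the book): inspect a raw hackrf_transfer capture
(interleaved signed 8-bit I,Q pairs as written by -r), locate the burst and trim
the file for replay with -t. The capture used here is constructed in memory; the
sample rate, block size and detection factor are assumptions."""
import array
import math
import random

SAMPLE_RATE = 8_000_000   # assumed: the -s value used for both -r and -t

def make_synthetic_capture(n_samples, burst_start, burst_len, seed=1):
    """Constructed stand-in for a 'dump' file: int8 noise plus one tone burst."""
    rng = random.Random(seed)
    samples = array.array("b")
    for k in range(n_samples):
        i, q = rng.gauss(0, 3), rng.gauss(0, 3)
        if burst_start <= k < burst_start + burst_len:
            phase = 2 * math.pi * 100_000 * k / SAMPLE_RATE   # 100 kHz off centre
            i += 60 * math.cos(phase)
            q += 60 * math.sin(phase)
        samples.append(max(-128, min(127, int(round(i)))))
        samples.append(max(-128, min(127, int(round(q)))))
    return samples.tobytes()

def capture_seconds(raw, sample_rate=SAMPLE_RATE):
    """Duration of a capture: two bytes (I and Q) per complex sample."""
    return (len(raw) // 2) / sample_rate

def block_power(raw, block):
    """Mean I^2 + Q^2 over consecutive blocks of `block` samples: a coarse
    envelope, the same idea as Complex to Mag^2 followed by averaging."""
    iq = array.array("b")
    iq.frombytes(raw)
    powers = []
    for start in range(0, len(iq) - 2 * block + 1, 2 * block):
        chunk = iq[start:start + 2 * block]
        powers.append(sum(v * v for v in chunk) / block)
    return powers

def find_burst(raw, block=4096, factor=10.0):
    """(first_sample, end_sample) of the region whose power exceeds `factor`
    times the noise floor, or None. The floor is the 10th percentile of block
    power, so at least a tenth of the capture must be idle air."""
    powers = block_power(raw, block)
    if not powers:
        return None
    floor = sorted(powers)[len(powers) // 10]
    hot = [i for i, p in enumerate(powers) if p > factor * floor + 1.0]
    if not hot:
        return None
    return hot[0] * block, (hot[-1] + 1) * block   # spans all bursts found

def trim_capture(raw, start, end, pad):
    """Keep the burst plus `pad` samples either side; offsets stay on I/Q pairs."""
    n = len(raw) // 2
    start, end = max(0, start - pad), min(n, end + pad)
    return raw[2 * start:2 * end]

def trim_file(in_path, out_path, block=4096, pad=20_000):
    """Trim a real dump for replay with: hackrf_transfer -t out_path -f ... -s ..."""
    with open(in_path, "rb") as f:
        raw = f.read()
    span = find_burst(raw, block)
    if span is None:
        raise ValueError("no burst above the noise floor; check gain or frequency")
    trimmed = trim_capture(raw, *span, pad)
    with open(out_path, "wb") as f:
        f.write(trimmed)
    return capture_seconds(trimmed)

if __name__ == "__main__":
    raw = make_synthetic_capture(200_000, 80_000, 20_000)
    print(f"capture: {capture_seconds(raw) * 1000:.2f} ms")
    span = find_burst(raw, block=1000)
    print("burst at samples", span)
    trimmed = trim_capture(raw, *span, pad=2000)
    print(f"trimmed: {capture_seconds(trimmed) * 1000:.2f} ms; replay with "
          f"hackrf_transfer -t dump_trimmed -f 433920000 -s {SAMPLE_RATE}")
```

On a real capture call `trim_file("dump", "dump_trimmed")` and replay the trimmed file with the same -f and -s used for the capture. The noise floor is taken as a low percentile of block power rather than the median so that a capture that is mostly burst still trims correctly; if hackrf_transfer reported a different sample rate than you asked for, change SAMPLE_RATE to match or the printed durations will be wrong. For files of many megabytes this pure-Python scan is slow; the same arithmetic over a NumPy int8 array is far faster.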

Conclusion

We went through a number of concepts in this chapter, including how to get started with SDR, as well as firsthand experience working with radio signals and decoding the data they carry.

We also gained familiarity with tools such as RTL-SDR, GQRX, GNURadio, and HackRF. These concepts, even though covered only briefly in this chapter, will be useful in a lot of practical situations. I have used GNURadio in most of my IoT pentesting engagements where I had to decode radio communication or reverse engineer an unknown protocol.

I strongly recommend that you try these techniques yourself on real-world devices and real-world packet captures.
