Uncover RF Security Vulnerabilities with SDRs
September 09, 2022
In today’s wireless and 5G era, companies and individuals encounter a rising number of security threats on their IoT assets. Wireless RF signals can be intercepted by anyone with low-cost radio equipment and decoded using open-source software, thus it’s imperative to assess connected designs for security vulnerabilities. This includes conducting penetration tests, jamming, replay attacks, and other methods to assess vulnerabilities in IoT RF protocols like Bluetooth, ZigBee, 6LoWPAN, Z-Wave, etc.
IoT device communications vary. Take the smart home, for example. Many systems will transmit directly to a gateway using a technology like ZigBee. Others will talk directly to nearby nodes over protocols like Bluetooth Mesh. Others still will leverage some type of backhaul straight to the cloud.
Nevertheless, there are commonalities. For example, all of the topologies mentioned above describe a wireless network implementation, which means they all utilize the RF spectrum.
Even in its simplest sense, modern RF communications networks are thanks to some of the most sophisticated engineering in the world. That said, they’re still susceptible to a range of common threats, vulnerabilities, and attack vectors, including spoofing, replay, tampering, elevation of privilege, information disclosure, Denial of Service attacks.
IoT threat models have evolved to help technologists and engineering organizations simulate and thwart such attacks. These models examine how external entities, processes, data flows, data stores interact with and within a system, then offer defenders the ability to probe or penetration test the system for weaknesses.
For connected device developers dealing with multiple wireless systems or multiple wireless technologies within the same system, software-defined radios (SDRs) can pair with open software tools to provide a flexible, efficient, and cost-effective means of testing different protocol implementations for vulnerabilities.
But first, a brief primer on SDRs.
How SDRs Can Help Identify IoT Security Threats & Vulnerabilities
Software-defined radios contains a radio front-end (RFE) and digital backend. They function as a transceiver with onboard DSP capabilities, as well as a connection or connections to external systems for further processing, storage, and monitoring. The RFE contains the receive (Rx) and transmit (Tx) functionality over a wide tuning range.
The highest performance SDRs contain:
- 3 GHz of instantaneous bandwidth using multiple independent channels, DACs, and ADCs.
- FPGAs with onboard DSP capabilities for modulation, demodulation, upconverting, and down-converting.
- Data packetization over Ethernet optical links containing VITA49 IQ data in the Ethernet Stack
The highest instantaneous bandwidth SDRs have a backhaul/data throughput of 4 x 100 Gbps over QSFP+ transceivers, which can be hooked up to external equipment or systems for further data storage, monitoring, or processing.
SDRs for Penetration Testing
As mentioned, penetration testing is a security practice where the security expert tries to find vulnerabilities in a computer system. The purpose of this exercise is to identify weak points in a system’s defenses that attackers could misuse.
The SDR-based Network Observation Utility Toolkit (SNOUT) leverages SDR to passively sniff and interact with common IoT protocols. It provides a flexible and interactive framework for transmitting and receiving packets across different wireless protocols, enabling scanning or transmission through its adaptable command line.
SNOUT is built as an abstraction layer above the low-level signal transcoding processes required for SDR-based communication. To provide interoperability with existing tools and facilitate advanced packet handling, SNOUT utilizes well-known software packages like GNU Radio, scapy-radio, and specialized SDR software. SNOUT performs device enumeration, vulnerability assessment, advanced packet replay, and packet fuzzing.
Mahony et al. explored the benefits of SDRs for IoT data analysis and penetration testing by implementing various intrusions using the signal processing block-based software Simulink/GNU Radio. They uncovered the main security vulnerabilities of existing wireless sensor networks (WSNs) by adopting the ZigBee protocol and using SDRs as both WSN/IoT analysis tools and penetration testers concerned with external interference scenarios. The SDR provided I/Q samples for analysis – even when packets were erroneous – and produced matched protocol interference.
The key advantage of SDRs over traditional packet sniffers was the received samples in the presence of strong channel interference.
A replay attack is a network attack in which a valid data transmission is fraudulently repeated or delayed. It is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack.
Replay attacks are usually passive in nature, re-transmitting a previously captured raw PHY-layer payload or synthesizing a new frame based on decoded data.
The PHY layer is the lowest layer in the communication stack. In wired protocols it is voltage, timing, and wiring defining 1s and 0s. In wireless protocols it’s a pattern of energy being sent over an RF medium.
Replay attacks with an SDR are realized by:
- Recording the signal with the SDR
- Demodulating and decoding with a program in binary
- Converting the binary to hex (0x)
- Replaying with RFcat libraries.
Using an SDR to collect and reverse-engineer protocols can help you analyze various threats and make recommendations on how to improve security.
For example, the Z-wave routing protocol for IoT can be reverse-engineered to expose its vulnerabilities. Badenhop et al. conducted a black hole attack on an IoT network and showed that frames were silently discarded for a given source and destination. The black hole attack was used to prevent sensor reports or actuating commands between the controller and devices, inhibiting the functionality of the IoT automation system.
Mitigating Attacks and Defenses with Various IoT Security Schemes
Yes, data encryption provides a security layer, in comparison with hardcoded or default passwords, but, as illustrated, modern RF attack vectors have the potential to circumvent those protections and PKI in general.
SDRs can efficiently uncover IoT vulnerabilities that result in stronger overall security. And, when paired with the right software tools, connected device developers have a ready-made penetration test harnesses that can accelerate their time to robust IoT security.
Brendon McHugh is a field applications engineer at Per Vices. Brendon is responsible for assisting current and prospective clients in configuring the right SDR solutions for their unique needs. He holds a degree in theoretical and mathematical physics from the University of Toronto.