Spread spectrum is the use of more bandwidth on a radio transmission than is strictly necessary to carry the information. In radio terms, bandwidth is the width (in Hz) of the range of frequencies occupied by the components of the signal. Some AM protocols send their information in a narrow band, on the order of 10 kHz.
Bluetooth spreads over 100 MHz but only occupies 1 MHz at a time. Although this seems wasteful, it has the benefit of being less susceptible to interference, because the transmission keeps moving around. Additionally, multiple Bluetooth connections can operate at once without interfering with each other. Using this extra space to gain these benefits is what is known as spread spectrum.
There are two main flavors of spread spectrum: Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS). Are they secure? This talk tackles the security of FHSS and DSSS, since claims about their security have been made for over a century.
FHSS changes frequencies constantly (like Bluetooth). The first question is whether we can receive or view the data sent with FHSS. According to the speaker, this can be done with any SDR as long as we know the hopping pattern. An example of this is the Ubertooth, which is used to hack Bluetooth and BLE. Another implementation was presented at ShmooCon in 2011, with code on GitHub. It can be used to jam or listen in on signals.
Another attack scenario comes from the fact that SDRs can operate on many channels at once. By receiving or transmitting on all of the channels simultaneously, we do not even need to know the hopping sequence! We can simply record everything and compute later if we want to steal the information. Likewise, if we want to transmit, we send the data on all of the frequencies, and one of them will be the right one. Damn, that seems obvious but is quite clever!
When digitizing an analog wave, we represent it as 0s and 1s with a finite sample size and a finite number of samples. When multiple bands end up sitting on top of each other after sampling, this is called aliasing, and it causes interference. Most of the time, we avoid this by filtering so that only the frequencies we want reach the sampler.
Most of the time, aliasing is bad. However, with FHSS, we know that the target is only using ONE frequency at a time. As a result, we can turn off the anti-aliasing filter so that data from multiple frequencies intentionally overlaps in the sampled band. The speaker calls this intentional aliasing. In the talk, this is used to capture data from multiple Bluetooth channels at once, which is really awesome! On the HackRF, this required turning off the standard anti-aliasing filter and adding a bandpass filter at the antenna.
But there is still a problem... the channels overlap with each other. The speaker used another trick to make the data somewhat offset: by using a sample rate that is not an integer multiple of the Bluetooth channel bandwidth, the channels land at slightly different offsets, even though they are layered on top of each other. Wow, another amazing trick!
DSSS artificially inflates the number of bits being sent for redundancy. The term chip is used for each value actually sent. We turn a 1 into 12 chips to make it easier for the device to decode later, and a 0 is sent as the inverse of the chip sequence for a 1. By correlating the received signal with the chip sequence, we can find the actual data being sent by looking for the spikes where the expected sequence lines up.
This modulation technique is used in 802.11b/g, 802.15.4, Zigbee, satellite communication and GPS. When looking at a waterfall graph, the pattern is quite distinct! It has a uniform pattern across a large bandwidth that repeats. How secure is it?
DSSS is not vulnerable to narrowband jamming. However, it is vulnerable to wideband jamming. Additionally, if we know the chipping code, we can send random codes to cause corruption. If it is really low on power, can we even find it? You can always detect signals!
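As an added illustration of the chipping and correlation described above, and of why a narrowband interferer barely survives despreading (this is example code written for this summary, not code from the talk): a constructed 12-chip code, a constructed channel with Gaussian noise plus a strong slow sinusoid standing in for a narrowband jammer, and a correlator that recovers the bits from the ±12 spikes.

```python
import math
import random

# Constructed 12-chip spreading code (hypothetical; a real device's code is
# read from its data sheet, as the talk did). Chips are +1/-1; a data 1 is
# sent as CODE, a data 0 as the inverse of CODE.
CODE = [1, -1, 1, 1, -1, -1, -1, 1, -1, 1, 1, -1]
CHIPS_PER_BIT = len(CODE)

def spread(bits):
    """Expand each data bit into CHIPS_PER_BIT chips."""
    out = []
    for b in bits:
        out.extend(CODE if b else [-c for c in CODE])
    return out

def despread(samples):
    """Correlate each chip-length block with CODE. The sign of the correlation
    gives the bit; its magnitude (ideally +-12) is the spike the talk looks for."""
    n = CHIPS_PER_BIT
    bits, corr = [], []
    for i in range(0, len(samples) - n + 1, n):
        c = sum(s * k for s, k in zip(samples[i:i + n], CODE))
        bits.append(1 if c > 0 else 0)
        corr.append(c)
    return bits, corr

def narrowband_jammer(length, amp=3.0, period=96):
    """Slow sinusoid (period of 8 bits) standing in for a narrowband interferer,
    constructed for the demo at 3x the chip amplitude."""
    return [amp * math.sin(2 * math.pi * i / period) for i in range(length)]

def channel(chips, noise_std, seed=7):
    """Constructed channel: chip stream plus the jammer plus Gaussian noise."""
    rng = random.Random(seed)
    jam = narrowband_jammer(len(chips))
    return [c + j + rng.gauss(0.0, noise_std) for c, j in zip(chips, jam)]

def jammer_leakage():
    """Largest correlation the jammer alone produces (no signal, no noise).
    A balanced code nearly cancels an interferer that is constant over one bit."""
    _, corr = despread(narrowband_jammer(8 * CHIPS_PER_BIT))
    return max(abs(c) for c in corr)

def demo():
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    decoded, corr = despread(channel(spread(data), noise_std=0.5))
    return data, decoded, corr

if __name__ == "__main__":
    data, decoded, corr = demo()
    print("sent   ", data, "\ndecoded", decoded)
    print("peaks  ", [round(c, 1) for c in corr])
    print("jammer leakage after despreading:", round(jammer_leakage(), 2))
```

The same jammer would flip bits of a plain narrowband BPSK stream, since its amplitude exceeds the symbol amplitude; after despreading its contribution is under 1 against a signal spike of 12.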
Directional antennas make a signal easier to find, but that is a given. Additionally, by multiplying the signal by itself, the signal becomes really easy to see. Better still, the chip rate is obvious in the visualization as three spikes (the two ends of the chip rate and the middle). An autocorrelation block in GNU Radio can also be used for this.
I am still a little confused about how DSSS works. To me, bandwidth is the size of the space the data occupies between two frequencies. Unintuitively, increasing the data rate (the number of changes in the signal) artificially increases the bandwidth. This concept is the basis of the protocol, but it does not make intuitive sense to me.
At the end of the presentation, the speaker reverse engineers the packet structure of a device they have. By looking at a data sheet, they figured out the start of a packet, the number of chips per bit and much more. By the end, the speaker could decode the information from the signal!
At the end of the talk, the speaker claims that spread spectrum is not a security feature, even though many products claim it is. Sounds like an interesting thing to attack and go after, since so many things still claim it as a security feature!