Security Street Knowledge
  • By: QJax


    Justin Searle stated in a recent SANS training, Assessing and Exploiting Control Systems, “wireless and RF security is a huge security hole and as far as SCADA security assessments go, there are very few people doing it or even know how to do it”.

    RF Signals > IP Packets > ZigBee = SCADA Wi-Fi Assessments

    Generally, when we talk about sniffing wireless packets we are referring to protocols such as 802.11 Wi-Fi, Bluetooth or even RFID, whose packets fly freely amongst us. However, you should know that hackers are taking a different approach to snatching packets out of thin air: record the raw radio frequency (RF) transmission and convert the captured waveform into human-readable packets. The tool of choice for this recording is a Software Defined Radio (SDR). There are several SDR software packages to choose from, such as the open source project GNU Radio, SDR# (SDRsharp), OsmoSDR and GQRX, to name a few. The GNU Radio Companion GUI lets you define your radio's signal source type, modulation, sink options (playback) and high/low-pass filtering options.

    SCADA HACKING: So why sniff ZigBee RF signals?


    1. ZigBee can be used for Smart Water metering.
    2. ZigBee can be used to control lighting, HVAC and appliances in your home or office.
    3. ZigBee can be used by DECT to actuate natural gas control valves.
    4. Manipulating RF signals provides an extended range attack vector from feet to miles with a high gain antenna.
    5. Many of the past mistakes are repeated when these new wireless technologies are re-introduced.
    6. 43 million smart meters were deployed in the U.S. as of 2012.

    Going beyond 802.11 Wi-Fi assessments

    Beyond wardriving for open access points, hackers are now seeking to capture radio frequencies, translate the captured radio waves into bits and decode the protocol for further analysis. In its simplest form, the captured radio waves can be retransmitted to possibly execute a replay attack. This is a hacker's dream as it relates to anonymous and long-range system exploitation. This revelation has inspired others, including myself, to begin researching the possibilities of SDR hacking. We want to know: how does this threat relate to SCADA systems? To start, I acquired a few SDR boards, such as the USRP B200, the HackRF, and a cheaper purpose-built ZigBee protocol sniffer called the APImote, for exploring and exploiting the ZigBee and IEEE 802.15.4 protocols. These RF peripherals have full transmit and receive capabilities with continuous RF coverage from 70 MHz to 6 GHz, essentially arming an adversary with the ability to capture a wide range of frequencies, including UHF radio, FM radio, 900 MHz smart meters, cellular GSM ranges and the typical 802.11 a/b/n Wi-Fi signals. With the development of new testing tools, stable equipment and a repeatable process, the future will bring an entirely new challenge in protecting Industrial Control Systems such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).

    Now imagine war-driving for ZigBee networks and other SCADA-related RF signals.

    WATCH THIS VIDEO and imagine this scenario near a Refinery or Chemical Plant.






    The Software

    Below is an example of an FM Radio built with GNU Radio
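As an added example (not the flow graph from this post and not GNU Radio's own code), the pure-Python snippet below does what the FM receiver's quadrature demodulator stage does: it synthesizes a constructed FM baseband signal carrying a 1 kHz tone, recovers the tone from the phase change between consecutive complex samples, and estimates the recovered tone frequency. No SDR hardware or GNU Radio installation is assumed.

```python
import cmath
import math


def fm_modulate(message, sample_rate, deviation):
    """Return complex baseband samples for an FM signal: each message value in
    [-1, 1] advances the carrier phase by (deviation * value) Hz worth of rotation."""
    phase, samples = 0.0, []
    for m in message:
        phase += 2 * math.pi * deviation * m / sample_rate
        samples.append(cmath.exp(1j * phase))
    return samples


def quadrature_demod(samples, sample_rate, deviation):
    """Recover the message from complex samples. The angle between consecutive
    samples is the instantaneous frequency, which is what GNU Radio's
    quadrature_demod_cf block computes. Output k corresponds to message sample k + 1."""
    gain = sample_rate / (2 * math.pi * deviation)
    return [cmath.phase(cur * prev.conjugate()) * gain
            for prev, cur in zip(samples, samples[1:])]


def estimate_tone_hz(signal, sample_rate):
    """Estimate a single tone's frequency from its positive-going zero crossings."""
    idx = [i for i in range(1, len(signal)) if signal[i - 1] < 0 <= signal[i]]
    if len(idx) < 2:
        return 0.0
    return sample_rate * (len(idx) - 1) / (idx[-1] - idx[0])


def demo(sample_rate=48000, tone_hz=1000, deviation=5000, seconds=0.1):
    """Constructed input: a 1 kHz tone FM-modulated with 5 kHz deviation, then
    demodulated. Returns the original tone, the recovered tone and the worst
    sample error between the demodulated audio and the original message."""
    n = int(sample_rate * seconds)
    message = [math.sin(2 * math.pi * tone_hz * i / sample_rate) for i in range(n)]
    rx = fm_modulate(message, sample_rate, deviation)          # what the SDR would hand over
    audio = quadrature_demod(rx, sample_rate, deviation)       # the "sink" (playback) stream
    max_err = max(abs(a - m) for a, m in zip(audio, message[1:]))
    return {"tone_hz": tone_hz,
            "recovered_hz": estimate_tone_hz(audio, sample_rate),
            "max_error": max_err}


if __name__ == "__main__":
    print(demo())
```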





    scapy-radio is a modified version of scapy that aims to provide a quick and efficient pentest tool with RF capabilities.

    scapy-radio includes:

    • A modified version of scapy that can leverage GNU Radio to handle an SDR card
    • GNU Radio flow graphs (GRC files) we have built that allow full-duplex communication
    • GNU Radio blocks we have written to handle several protocols

    Supported radio protocols:

    • Bluetooth LE (advertising only)
    • 802.15.4 (used by ZigBee, XBee, 6LoWPAN)
    • Z-Wave (European frequency, 868 MHz)
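To make "human-readable packets" concrete for the 802.15.4 protocol that scapy-radio supports, here is an added example (not code from scapy-radio or from this post) that parses a raw IEEE 802.15.4 MAC frame as a sniffer would hand it over and validates its frame check sequence, the ITU-T CRC-16 (CRC-16/KERMIT) the standard specifies. The sample frame, PAN ID, addresses and payload are constructed inline; a frame whose FCS does not match is rejected rather than half-parsed.

```python
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}


def crc16_kermit(data):
    """IEEE 802.15.4 FCS: ITU-T CRC-16 (poly 0x1021, LSB-first, init 0, no final XOR)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def fcs_valid(frame):
    """True when the trailing little-endian FCS matches the frame body."""
    return len(frame) >= 5 and crc16_kermit(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]


def parse_frame(frame):
    """Decode the MAC header of a raw 802.15.4 frame. A bad FCS, a reserved
    addressing mode or a truncated header raises ValueError."""
    if not fcs_valid(frame):
        raise ValueError("bad or missing FCS")
    body = frame[:-2]
    fcf, seq = struct.unpack("<HB", body[:3])   # frame control field + sequence number
    pos = 3

    def take(n):                                 # pull n header bytes, never past the end
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated header")
        pos += n
        return chunk

    info = {"type": FRAME_TYPES[fcf & 0x7], "seq": seq, "security": bool(fcf & 0x08),
            "ack_request": bool(fcf & 0x20), "pan_compression": bool(fcf & 0x40)}
    for role, mode in (("dst", (fcf >> 10) & 3), ("src", (fcf >> 14) & 3)):
        if mode == 1:
            raise ValueError("reserved addressing mode")
        if mode:                                 # 2 = 16-bit short, 3 = 64-bit extended
            if role == "dst" or not info["pan_compression"]:
                info[role + "_pan"] = struct.unpack("<H", take(2))[0]
            info[role] = take(2 if mode == 2 else 8)[::-1].hex()   # little-endian on air
    info["payload"] = body[pos:]
    return info


def build_frame(seq, pan, dst, src, payload):
    """Constructed sample: data frame, short addresses, PAN ID compression, ACK requested."""
    fcf = 0x1 | 0x20 | 0x40 | (2 << 10) | (2 << 14)
    body = struct.pack("<HBHHH", fcf, seq, pan, dst, src) + payload
    return body + struct.pack("<H", crc16_kermit(body))
```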



    Software Defined Radio with HackRF by Michael Ossmann




    SDRsharp and GQRX are programs that display a visual interpretation of various radio signals and allow real-time adjustment of tuning frequency, bandwidth and modulation.









    The Hardware

    Recently there has been an explosion of affordable SDR hardware. It used to cost ham radio hobbyists thousands of dollars to play in the RF world. Now an SDR enthusiast can get started with an investment of $20 to $700 U.S. dollars; compromising among size, performance and price, you can get a capable RF board for $300 to $1,000.








        Time well spent at the Defcon22 conference…

    Immediately following the Blackhat 2014 conference is the Defcon22 conference. Blackhat tends to draw more of the “Corporate Security” types, while historically Defcon attendees are considered to be “real hackers”. However, those who attend Blackhat also get an admission badge for Defcon. This year Blackhat and Defcon broke all previous attendance records. According to organizers, Blackhat had over 9,000 security executives, hackers, academics and spies attending. As for Defcon, nearly 16,000 attended, up from last year’s Defcon21 conference. This year’s Defcon22 set a new record for Amateur (ham) Radio license examinees, with an unofficial count of 205 (181 passed exams, 172 new/upgraded hams) sitting for their license testing. These are the guys (that we know about) who intend to transmit RF signals over authorized frequencies.

    Hacking via Software Defined Radio is not for the faint of heart. Until Defcon, I had failed to get my hardware working properly. Therefore, one of my objectives was to catch up with a few experts on deck to see if I could pick their brains. During my time at the Defcon22 conference, I had a personal one-on-one RF hacking session with Balint Seeber – Ettus Research Applications Engineer by day and SDR wizard by night. Balint and I worked together to get my software and hardware (USRP B200) up and running on my new MacBook. We fired up both of our Software Defined RF boards and Balint started transmitting RF signals from his USRP B210, while my B200 was set up to receive his transmissions. Here is a video of my Blackhat/Defcon experiences, including Balint transmitting a very cool image advertising their latest SDR board, the X300.

    QJax (USRP B200) receiving images over RF from Balint’s USRP B210




    RF Threat Management Through Assessment

    In summary, devices can be hacked using high- or low-frequency sound waves. Once someone can demonstrate an RF attack, it will only be a matter of time before someone else refines the technique and increases its effectiveness to wreak havoc. “If you have a high demand for information security and assurance, you would need to prepare countermeasures,” Michael Hanspach wrote in an email to Inside Science. Even more so, items like smoke detectors, window sensors and home alarms running on the 433 MHz band are at risk. The world has gone Wi-Fi; therefore the threat landscape associated with electronic systems is widening. Some will choose to wait for the new breed of RF hackers to emerge and some will make attempts to get ahead of the game. Which one are you?

    Exploring the Wireless World


