image image

Sébastien Dudek

SDR Hacking advanced: Reversing and exploiting wireless communications


Trainer: Sébastien Dudek

Date: 21st to 23rd Oct 2024

Time: 9:00am to 5:00pm CEST

Venue: Amsterdam Marriott Hotel

Training Level: Intermediate to Advanced


Training Objectives:

In this training, we will delve deeper into Software-Defined Radio (SDR). Unlike the "SDR Hacking Essential" course, the goal here is to apply the techniques we've previously learned to target both basic and customized systems. This training will be organized around challenges where attendees will need to reverse both analog and digital signals to obtain flags. Additionally, participants will be tasked with attacking real-world targets (reversing firmware, find vulnerabilities, and exploit them in the air).

Furthermore, this training aims to impart survival SIGINT (Signals Intelligence) techniques to help focus on specific signals in the wild.


What to Expect? | Key Learning Objectives:

  • reversing and interacting with real signals, even exotic
  • creating custom tools for specific communications
  • identifying technologies with SIGTINT techniques
  • exploiting custom RF baseband vulnerabilities

Training Detailed Description:

Part 1

In this section, we will start with a guided exercise as a warm-up to refresh our knowledge using an SDR (Software-Defined Radio) device correctly. Subsequently, we will delve into theory and hands-on exercises focusing on SIGINT (Signals Intelligence) techniques for scoping our targets. We will utilize GNU Radio to reverse signal captures and obtain flags. Additionally, we will employ dedicated tools to expedite the reversing process.

Key Radio Concepts Review

  • Wireless Connectivity
  • Modulation
  • Encoding
  • Integrity & Encryption

Devices

  • Spectrum and Signal Analyzers
  • Software-Defined Radio Devices
  • Special RF Chips

SIGINT

  • Techniques for Quickly Identifying Targeted Transmissions
  • SIGINT Tools and Libraries
  • Machine and Deep Learning Techniques

GNU Radio

  • Building an Analyzer
  • Reversing Analog and Digital Communications
  • Further Optimizing Flow-Graphs
  • Interfacing with Radio Channels
    • Tools for SDR

      • Accelerating the Reverse Engineering of Basic and Well-Known Signals
      • Dumb Fuzzing of Communications
      Part 2

      In this segment, we will apply what we have learned to attack real targets, including the exploitation of custom RF basebands.

      Basic Targets

      • Reverse Engineering Remote Controls
      • Attacking Receivers

      Custom Targets

      • Reversing Custom Signals
      • Analyzing Firmware for Vulnerabilities using Ghidra
      • Exploiting Vulnerabilities to Obtain Flags

      Industrial Signals and Protocols with a LoRa Example

      • Reverse Engineering Communications
      • Cracking Keys When Possible
      • Identifying Vulnerabilities and Conducting Fuzzing with Unicorn/Qiling

      Bonus Topics (Time-Permitting or During Coffee Breaks)

      • TEMPEST
      • EM Side-Channel Attacks
      • Zigbee
      • Wi-Fi
      • or other topics depending on the occasion.

      Who Should Attend? | Target Audience:

      • Security Researchers and Engineers
      • Embedded/Wireless Developers
      • Hardware Hackers
      • Pen Testers
      • Government Officers
      • RF Chip Designers

      What to Bring? | Software and Hardware Requirements:

      A laptop with at least 8 GB memory to run a tooled VM, preferably a x86-64 computer.

      A VM will be available for Apple Silicon ARM64, but still in beta version.


      What to Bring? | Prerequisite Knowledge and Skills:

      • good basics in Linux
      • basics in security are a plus
      • basic knowledge of SDR and GNU Radio will be a plus

      Resources Provided at the Training | Deliverables:

      • Tooled VM
      • Labs with captures, flow-graph and scripts
      • A RF kit capable of transmitting and receiving signals in full-duplex

      ABOUT THE TRAINERS

      Sébastien Dudek is the founder of PentHertz Consulting, a company that specializes in wireless and hardware security. He has a strong passion for identifying vulnerabilities in radio communication systems and has published research on various aspects of mobile security, including 5G security, Open RAN, baseband fuzzing, interception, mapping, and more. Additionally, he has conducted research on data transmission using power-line communication technologies, such as HomePlug AV, which includes domestic PLC plugs, as well as their applications in electric cars and charging stations. Sébastien also focuses on practical attacks involving various technologies like Wi-Fi, RFID, and other wireless communication systems.

      Today, Sébastien Dudek and his team are actively engaged in the connected car industry, where they work on various wireless communication aspects such as immobilizers, V2X, IVC, and IVI, all connected via 5G and utilizing a variety of interfaces like Bluetooth Classic/BLE, Wi-Fi, RDS, DAP, wBMS, and more.