universal radio hacker: a suite for analyzing and ...hacker (urh), an open source tool which is...
TRANSCRIPT
Universal Radio Hacker:A Suite for Analyzing and Attacking Stateful Wireless Protocols
Johannes PohlUniversity of Applied Sciences Stralsund, Germany
Andreas NoackUniversity of Applied Sciences Stralsund, Germany
Abstract
Proprietary wireless protocols used by IoT devices are de-signed under size and energy constraints, often neglectingthe security. Therefore, attacks like opening wireless doorlocks or stealing cars are realistic threats. Software De-fined Radios (SDR) propose a generic way to investigatesuch protocols as they can send and receive on nearly arbi-trary frequencies. Most tools for SDR, however, focus onthe HF side and offer little support for analyzing the actualprotocol logic so custom tools or excel spreadsheets mustbe used. In this paper, we present the Universal RadioHacker (URH), an open source tool which is designedfor protocol analysis from the ground up and implementsa full workflow including interfaces for SDRs, intuitivedemodulation, customizable decodings, fuzzing supportand a simulation component. URH splits the processdown into the phases Interpretation, Analysis, Generationand Simulation, whereby results from one phase can betransferred to the other. The software offers all featuresneeded for protocol investigation without overwhelmingusers with complexity. URH is developed with theoreticoriented researchers in mind who want to focus on pro-tocol logic and try to avoid diving into the depths of HFand Digital Signal Processing.
1 Introduction
Internet of Things (IoT) brings comfort such as openingdoors wirelessly without having to mess with mechanicalkeys or automatically closing roller blinds when the sunsets. Such IoT devices often communicate over propri-etary wireless protocols which are designed under sizeand energy constraints whereby security is only a sec-ondary factor. Weaknesses in such protocols pose criticalprivacy and security threats: Adversaries may, for exam-ple, track when victims leave their house and break theirwireless door lock by radio without leaving traces.
Attacking a wireless protocol includes several steps
that require knowledge in radio frequency (RF), codingtheory, protocol design and sometimes even cryptography.Few research groups, however, include specialists fromall these fields, especially a combination of applied (RF)and theoretic (cryptography) researchers is rare.
Given an unknown wireless protocol, we are interestedin the transmitted bits and bytes. Thus, we record sev-eral signals with a Software Defined Radio (SDR) likeHackRF [10] or USRP-N210 [6]. For further analysis,we need bit representations of the raw signals. Figure 1shows an example for such a raw signal.
Figure 1: Sniffed signal, on 868MHz with USRP-N210
In order to extract the bit sequence 10100101101110from this raw signal there are several steps needed:
1. Recognize modulation type (ASK, FSK, PSK, . . . )
2. Demodulation to rectangular signal
3. Mapping of rectangular signal to bitstream
4. Optional: Remove encoding
After these steps, we concentrate on the logical struc-ture of the protocol. The most promising approach is atarget-oriented differential analysis of the bit representa-tions from several signals. For example, comparing bitsequences from signals that activate and deactivate a lightbulb may reveal the responsible on-off bit.
Present tools for wireless protocol investigation arespecialized to certain parts of the process. Therefore, re-searchers need to combine applications such as GNU Ra-dio [4] for demodulation and a wave editor like Audacity[2] to infer bits from recorded sine waves. Furthermore,manual effort or custom scripts are required to performlogic analysis, apply fuzzing or simulate participants.
Our main contribution is an open source softwarenamed Universal Radio Hacker (URH) which covers allaforementioned steps and is, to the best of our knowledge,the first complete suite for investigating stateful wire-less protocols. The software provides abstracted and er-gonomic user interfaces to comfort theoretical researchersand speed up protocol investigations. As a secondary con-tribution, we show attacks on three different IoT devicesand how URH was used to find and perform them. Themost complex attack (section 4.3) opens a wireless doorlock which is protected by a challenge response procedure.The attack includes modeling the protocol state machineand extracting the encryption key from pairing messages.
2 Overview
In this section, we give an overview of the core ideas ofour software and how it can be used in combination withexternal software for greater flexibility.
2.1 ApproachWe break the investigation of partially or fully unknownwireless protocols down to three major steps:
• Interpretation phase covers demodulation of raw sig-nals. The goal of this phase is to map received wavesto digital information (bits).
• In Analysis phase bits are decoded and put into con-text. This phase targets to reveal the protocol logic,for example, by performing a differential analysis.
• The last phase depends on whether a stateful attackshall be performed.
– For stateless attacks, Generation phase is theprocess of altering existing and/or generatingnew messages based on the revealed protocollogic. This includes fuzzing.
– Simulation phase replaces the Generationphase for more complex protocols with multi-ple states. This phase allows to perform sophis-ticated attacks by simulating selected partici-pants and, for example, apply a stateful fuzzingfor certain protocol fields.
More details on each phase are given in section 3. Whyis it advantageous to separate the protocol investigationinto successive steps? First, the phases form a guidelinethat helps beginners to keep an overview. Second, expertsbenefit from clear phase definitions when organizing team-work. Third, the separation gives users more flexibilitywhen it comes to interaction with external programs.
2.2 Design principlesThe development of URH is mainly driven by three de-sign goals. First, ergonomy to provide an intuitive userinterface which does not require deep RF knowledge,see appendix A to get an impression of this UI. Second,functional completeness to cover all steps necessary toinvestigate and attack a stateful wireless protocol - wedescribe this in section 3. Third, extensibility with exter-nal software to consider existing workflows. We achieveextensibility by offering interfaces for external programsin each phase of our design.
2.2.1 Interfaces For External Programs
We respect that experts already have software or even self-made scripts that are better suited for special cases; referto section 5 for an overview of present tools. Our architec-ture, shown in fig. 2, considers this by offering interfacesto external programs in each phase so that certain taskscan be accomplished outside of our tool. For example,you can demodulate a signal with GNU Radio and passthe bits to our software in order to perform the Analysisphase afterwards. In our approach, we distinguish twoways of interacting with other software. First, for staticinvestigations we use standard file formats for raw signalsand binary data. Second, a socket based network interfaceenables dynamic exchange with other tools.
Universal Radio Hacker
SDR
Interpretation Analysis Generation
External application(e.g. GNU radio or custom program)
SDR.complex 1011....complex
and/or1011...
.complex =̂ complex file (IQ data) 1011... =̂ demodulated bits
Figure 2: Architecture: Applications can work with URHusing open file formats for raw samples and bits. Fordynamic investigations, a socket based interface supportsboth receiving from and sending to external tools.
2.2.2 Device Backends
As shown in fig. 2 our software communicates with SDRsduring Interpretation and Generation. We provide threedistinct device back-ends to interface SDRs: native, exter-nal and network.
The native device back-end is a Cython [3] wrapperof the respective SDR driver. The advantage is that wehave full control and can optimize it for our software.Furthermore, no additional dependencies are required forthis back-end. Diving into the SDR drivers also gives usmore insight and helps to optimize device configurations.Native support is available for a wide range of commonlyused SDRs including HackRF, USRP and RTL-SDR. Forusers with unsupported SDRs it is, however, a laborioustask to create a native wrapper on their own.
Therefore, our approach also covers external back-endswhich work by interfacing external applications like GNURadio or RfCat [1]. The most important external back-endis for GNU Radio that is implemented with simple Pythonfiles using GNU Radio device blocks and a ZeroMQ sinkand source for sending and receiving, respectively. Incase our software lacks support for a certain SDR, usersmay implement a GNU Radio back-end on their own asthis is straightforward. A general drawback is that therespective external application needs to be installed forthe back-end to work.
The network back-end is built on TCP sockets to com-municate with applications in a generic way. It is notdedicated to a certain device and can be used in variouscases. For example, you can receive samples from a re-mote system, or send the binary protocol to an externalprogram that implements a state machine.
3 Universal Radio Hacker
The Universal Radio Hacker (URH) is the realization ofour approach. URH is a cross platform application (Linux,Windows, OSX) implemented in Python and Cython/C++for performance critical parts. In this section, we explainthe phases Interpretation, Analysis, Generation and Sim-ulation in a detailed but rather abstract way. Refer toappendix A for a visual breakdown of the user interface.
3.1 InterpretationThe Interpretation phase aims to extract binary informa-tion (bits) from the received waveform signals. In orderto do this, data needs to be demodulated in the right way.In this section, we sketch how URH performs this demod-ulation behind the scenes.
3.1.1 Demodulation
If you record a wireless transmission and view its wave-form in a wave editor like Audacity, it strongly dependson the used modulation type how the signal appears. Wewant to keep the demodulation process as uniform aspossible, but since each modulation transports informa-tion with a different signal parameter, namely amplitude,
frequency and phase, we have to use some kind of pre-processing for the selected modulation. Our demodulationpre-processing, no matter what modulation is used, resultsin a rectangular signal like the one in fig. 3. Next, weexplain the pre-processing algorithms for Amplitude ShiftKeying (ASK), Phase Shift Keying (PSK) and FrequencyShift Keying (FSK).
ASK pre-processing The pre-processing of ASK issimple, because we only need to evaluate the absolutevalues of the complex samples xc(n) [9, chap. 9.2]
R(n) = |xc(n)|=√
xr(n)2 + xi(n)2, (1)
whereby xr(n) is the real and xi(n) the imaginary part.Performing this for all samples in the signal yields therectangular curve R(n).
PSK pre-processing We use a Costas Loop for PSKpre-processing. The idea behind Costas Loop is to use anumerical controlled oscillator to approximate the carriersignal and get the current phase shift by evaluating thephase difference between the current sample and the cur-rent carrier value. For further readings refer to Feigin [7]who gives a deep insight into Costas Loop.
FSK pre-processing FSK uses different frequenciesfor transporting information. Following [9, chap. 9.2] theinstantaneous frequency F(t) can be derived using
F(t) =ddt
Φ(t), (2)
with Φ(t) = 2π f t +Θ being the instantaneous phase ofthe signal. As we sample at discrete timestamps n we canapproximate F(n):
F(n) = Φ(n)−Φ(n−1) (3)
F(n) = arctan(
xi(n)xr(n)
)− arctan
(xi(n−1)xr(n−1)
)(4)
where xr(n) are the real and xi(n) the imaginary parts ofthe complex samples xc(n). In case of FSK, instantaneousfrequencies F(n) form the rectangular signal R(n).
The rectangular signal in fig. 3 is created from theFSK modulated signal in fig. 1 with FSK pre-processing.Pulses in the upper area will be interpreted as binary one,in the lower area as binary zero. The border between bothareas is automatically detected by URH, but can also beadjusted manually to correct noisy data, if necessary. Theautomatic detection works by first performing a k-meansclustering on the rectangular signal and, subsequently,calculate the average of the two most common centerpoints. Given the rectangular pulse sequence and the bor-der between areas, URH extracts the correct bit sequence10100101101110.
Figure 3: Signal from fig. 1 after FSK pre-processing
3.1.2 Control parameters
One benefit of URH is that you instantly see the resultingbits, when changing any of the modulation parameters.The Interpretation phase has four control parameters:
1. Noise level for suppressing noise. This is useful forrecordings under non-ideal conditions.
2. Center means the border between ones and zeros,indicated by different background colors in fig. 3.
3. Bit length is the number of samples for one raw bit.
4. Modulation type whereby currently binary ASK,FSK/GFSK and PSK are supported.
Note, that default values for these parameters are chosenby URH automatically based on heuristics, for example,the noise level is initially set to the average magnitudeof the last 10% samples of the signal, as most recordingsend with a pause. Therefore, this phase can usually becompleted quickly for most signals.
3.1.3 Advanced features
Some signals may be harder to demodulate e.g. due toquantization errors induced by the SDR. Other devicesmay use multiple channels for communication which needto be separated before demodulation. URH offers someadvanced features to deal with this and debug errors inthe demodulation process.
Synchronization between data and signal Whenevera more closer look to a signal is required, URH allowszooming and even editing the captured signal. Further-more, whenever a selection is made in signal or demod-ulated data the corresponding other part is also selectedautomatically as shown in fig. 4. This is helpful when itcomes to debugging demodulation errors or get a betterunderstanding of the signal.
Digital filters to improve signal quality Some SDRsmay produce low quality captures due to quantization er-rors. URH allows filtering a signal to improve demodula-tion results. Filter parameters and types can be configuredin a custom dialog.
Figure 4: Synchronized signal and data selection
Spectrogram view and bandpass filters Advancedprotocols may use different channels for transmitting data.Demodulation of a signal carrying multiple channels ishard at first sight as shown in fig. 5a. For this reason,URH supports a spectrogram view to identify and, further-more, a customizable bandpass filter to extract channelsas shown in fig. 5b.
Freq 1
Freq 2
Freq 3
(a) Signal with multiple data channels
Freq 1
Freq 2
Freq 3
(b) Identify and extract channels in spectrogram view
only freq 2
(c) Resulting signal can easily be demodulated
Figure 5: Example of signal with multiple channels andcorresponding spectrogram
3.2 AnalysisOnce we have obtained raw bits from the investigatedwireless protocol, the next phase is analysis of the actualprotocol logic. Reverse engineering a protocol is mainlya thinking process that strongly depends on the experi-ence and methods of the individual research group. Ourcontribution to this process is a set of helpful tools andrecommendations based on heuristics. In the followingwe introduce some of these features. For a first overview,fig. 6 shows the steps of Interpretation and Analysis.
Binarydata
Analysis
Decoding1. Line2. Channel3. Source
Basebanddemodulation
Interpretation
Complexdownsampling
Analog-to-digital
converting
I
Q
Universal Radio HackerSoftware Defined Radio
IoT sending deviceWirelesschannel
Figure 6: Overview of Interpretation and Analysis
3.2.1 Encodings
Wireless protocols can have various encodings whichneed to be removed before obtaining the actual bits. Oursoftware offers predefined encodings and, additionally,enables users to build encodings using an object basedapproach: From a set of encoding primitives, such asinverting or edge triggering, any number of instances canbe created and connected in arbitrary order. Furthermore,URH offers an API for external decoding programs for aneven greater flexibility. Having selected or built an encod-ing, there are several ways to check whether this is theright encoding for your signal. First, some encodings donot allow special bit sequences, e.g., Manchester 9 000
or 111, hence some encodings can be ruled out. Second,different encodings lead to different output lengths. Ifthe protocol includes a length field, you can easily provethe decoded message length. Third, in case the protocolentails a checksum the correct encoding can be verified byrecalculating the checksum value. For convenience rea-sons, URH displays the decoding errors for each messageseparately and offers capabilities for verifying checksums.
3.2.2 View, search and highlight data (VSH)
After decoding, the next step is to assign context to thebits and, finally, reveal the protocol logic. Different rep-resentations like bit, hex or ASCII view help to identifycertain protocol fields, for example, a preamble on thephysical layer, MAC addresses or a cyclic redundancychecksum (CRC). Moreover, some protocol elements sim-ply become better visible with the right view type, e.g.,01010101 vs. 0xBEEF.
An important approach is to bring different protocolmessages in relation to each other. When comparingwireless protocol messages, a differential view will in-stantly disclose bit ranges that stay constant and bit rangesthat differ. Together with context information such as:the same devices/addresses were used or messages wererecorded in sequence, further information about the mean-ing of certain bit ranges can often be derived. Theseranges may eventually turn out as addresses, sequencenumbers, length fields or serial numbers.
If you have prior knowledge about the investigated pro-tocol messages, e.g., a wireless thermometer showing 21degree Celsius, it is a promising approach to search forspecific values in the data. This search should be availablefor different views on the raw bits like decimal, hexadeci-mal or ASCII. Furthermore, it is sometimes even valuableto highlight every appearance of a specific value, for ex-ample, to verify an assumption about a binary delimiter.As well, hiding already revealed or unimportant parts ofthe protocol makes it easier to focus on relevant parts.
The Universal Radio Hacker incorporates all view,search and highlight features in its Analysis component.URH aligns recorded messages under each other so thatdifferences can easily be seen. For structuring purposes,you can even organize your messages in groups and toggletheir visibility.
3.2.3 Bringing messages into context
By reviewing the protocol or deploying URHs automaticlogic analyzer you gain knowledge about the position offields like serial numbers or addresses. When you attachtext labels to particular positions, our software assignsa specific color and adds the fields to a Wireshark-likepreview. Each value in this preview can have a differentview type, for example, a hexadecimal view is suitedfor addresses while length values and counters are mostobvious in a decimal view.
Knowing which participant sends a protocol messageis essential for investigating complex wireless protocols.Our software allows assigning participants in Interpreta-tion and Analysis phase by hand or automatically basedon the Received Signal Strength Indicator (RSSI) of amessage.
Larger protocols tend to have different message typessuch as data or ACK messages that have their own fieldsand semantics. URH allows creating, deleting and assign-ing message types to messages. This can either be donemanually or automatically based on configurable rules,for instance, if byte on position 7 is 0x42 and messagelength equals 21 then assign message type ACK. In sum-mary, Interpretation and Analysis are tied closely togetherand ideally result in an estimation of the protocol logic.
3.3 GenerationAfter finishing Interpretation and Analysis you have hy-potheses for the position of protocol fields maybe even forthe complete protocol. To test these hypotheses you cangenerate according data and watch how the target devicereacts on it. You may also modify certain parts of theprotocol like addresses or type codes to induce errors orunusual behavior. All these steps form the Generationphase. The Universal Radio Hacker offers two ways forchanging messages: First, you can manually edit singlebits or nibbles. This is a good starting point for verifyingthe examined logic. For example, if you captured a mes-sage from a light bulb remote that turns this light bulb on,you could test for the on-off bit in the message. Second,URH comes with a fuzzing component.
The fuzzing component is designed to perform more so-phisticated protocol editing. Assume, you want to fuzz aneight bit counter. Thanks to the fuzzing component, youdo not need to edit 256 messages by hand, you just specifythe counter position in the protocol, enter an ascendingrange from 0-255 and hit the button. Besides iterativefuzzing, URH also supports to pick random values froma finite set and to test the numerical limits of a field, i.e.0 and 216− 1 for 16 bit. When you have created somefuzzing messages, URH applies the chosen encoding andperforms the selected modulation like ASK or FSK asshown in fig. 7. Aside from saving the fuzzing messagesin a complex standard format, they can be transmitted viacommon SDRs directly.
(Fuzzed)binary data
Encoding1. Source2. Channel3. Line
Generation phase (all three steps)
Basebandmodulation
Passbandmodulation
433.92 MHz
IoT receiving device
Universal Radio Hacker SDR
Wirelesschannel
Figure 7: In Generation, manipulated bits are encodedand modulated to communicate with the target.
3.4 SimulationA major limitation of the Generation phase is that state-ful protocols cannot be attacked since some values likesequence numbers or cryptographic challenges need tobe determined and manipulated live during interactingwith the devices. In order to address this issue, URHoffers a Simulation tab. The simulator of URH is mainlyconfigured through a flow graph which also shows a vi-sual representation of the protocol flow. See fig. 8 for anexample with two participants A and B. At a glance, theflow of the protocol becomes apparent. Here we simulateA and keep sending messages to B until B responds with a
message that transports the data 0x42. The number andnames of participants are fully customizable to match thespecific scenario.
Figure 8: Example flow graph of a simulation
The flow graph is a high level view on the protocol as itonly shows the fields of messages and not the underlyingbits. These bits can be inspected or changed in anothersub tab, if necessary. At this stage, however, you mainlywant to operate on the logical level so this representationhelps to keep an overview. The flow graph is interactive,i.e., users can add or delete messages or, for example,change source or destination of a message. Messages canbe bootstrapped based on the labels that were assigned inAnalysis (section 3.2) or created from scratch.
The simulator also offers an API for external programs,which will get the message bits that were sent and re-ceived until calling the external program, i.e, the partialtranscript. Results of external programs can be accessedin the simulator and, e.g., be inserted as value for a proto-col label to deal with encrypted data.
As also shown in fig. 8, our simulator supports con-ditions. This way, URH can react to certain events atsimulation time such as the return codes of external com-mands or values of labels. Furthermore, you can add Gotoitems which allow jumping back and forth to arbitraryplaces in the flow graph. This way, loops become possibleand you can, for example, wait for a certain message tobe sent and, ultimately, model state machines.
Values for labels may either be static or learned liveduring simulation. One may also refer to the value of pre-vious labels with formulas, e.g., set the sequence numberof message 4 to item3.sequence number + 1. Com-bined with the feature to learn the values of labels liveduring simulation, this enables modeling protocol statemachines and develop more sophisticated attacks than inGeneration phase.
4 Practical Examples
As a secondary contribution, we show three exampleshow URH assisted us finding weaknesses in IoT proto-cols whereby the first two examples are rather simple.The third example is a more complicated attack and usesour simulator to generate a response for a cryptographicchallenge. We informed manufacturers and assured timefor fixing, so we will not mention product names.
4.1 Example 1: Destroy a device wireless
We acquired $150 wireless sockets (WS) and a compati-ble remote control implementing the EnOcean protocol.While analyzing their wireless protocol, we found out thatwe can physically destroy the wireless sockets with noth-ing more than a SDR in receiving range. Details aboutthe hacking history are presented in the following: Westart by investigating whether the WS is prone to replayattacks. Therefore, we sniff the process of switching iton and off using the remote control. Figure 9 shows thecorresponding messages in hex format. Note the differinghex values in column 5 and 20. The on-off informationis located here and is protected by some kind of redun-dancy, that is, a cyclic redundancy checksum (CRC), fordetecting and eliminating transmission errors.
Figure 9: Messages for on (row 1) and off (row 2)
The protocol does not seem to include any real protec-tion like counters or encryption. Therefore, we feed thedata from fig. 9 into our Generator (section 3.3) and canwatch the WS socket switching – replay attack works!Even when rapidly pressing the remotes on-off buttonsmanually, we could measure a pause of at least 150 msbetween the on and off message. We use our programto shorten this pause to 5 ms. We enqueue this manip-ulated sequence for sending in an infinite loop using aHackRF (SDR) and can watch the WS switching certaintimes. However, after a while the WS stops switching.For further investigations we turned the HackRF off, butwe could not switch the WS with the remote control any-more. It could not even be reset or switched with thephysical button on the WS itself or by disconnecting itfrom the power supply. The socket was broken, a classi-cal warranty case. Our hope that we just had a defectivesocket was wiped out by the replacement devices. It iscritical when $150 IoT devices are not designed to with-stand wireless attacks, but the risk is even greater when itis possible to physically destroy devices from distance.
4.2 Example 2: Device desynchronizationOur second example is a smart home system involvinga central unit (CU) that registers, manages and switchesauthenticated devices. The CU and its paired devicescommunicate via a proprietary modification of the Bid-Cos protocol. We can not perform a simple replay attackbecause messages include a sequence number and thecommunication is AES encrypted. Furthermore, the pro-tocol uses data whitening [5] which consists of a PN9generator that produces a pseudo random bit stream thatis XOR’d with the cleartext data. Consequently, we needto apply a de-whitening beforehand.
We found out that we can desynchronize certain devicesfrom the central unit (CU). To illustrate this, a capturedmessage from the CU to a wireless socket (WS) is par-tially shown in fig. 10. The message part starts with threebyte destination address 0x81835f of the WS, followedby three byte source address 0x78e289 of the CU andends with a 4 byte sequence number 0x00108196.
Figure 10: Relevant protocol part for desync attack
Among other link layer information, such as type,length and device addresses, the sequence number is trans-mitted in plain text. We supposed that all link layer infor-mation are (integrity) protected by a MAC-like primitivein the AES encrypted part. Nevertheless, we incrementednibble 37 by one, that is, we increased the sequence num-ber by about a million, and injected the message again.Subsequently, the WS could not be switched from the CUanymore and was indicated as unreachable due to “wire-less problems”. We assume, that certain devices (WS inthis case) increase their internal sequence number beforechecking the integrity of the unencrypted protocol part.To validate our assumption, we put the WS back to fac-tory settings and performed the attack again. This time,we increased the sequence number only by 8 and eaves-dropped the regular communication attempts between theCU and WS. The devices were synchronized again aftereight messages were sent. The same attacking messagecan be taken for desynchronizing other device connec-tions by changing the source address present in nibbles29-34 from the message part in fig. 10.
This protocol behavior is a serious vulnerability for asmart home system. Attacked devices become practicallyunusable by inserting sufficiently high values as sequencenumber. Only with a factory reset and re-attaching them,devices can be switched again. Non-professional userswill probably make a warranty case of it when they ob-serve ongoing “wireless problems”. Hence, manufactur-
ers reputation may suffer from the demonstrated devicedesynchronization attack when customers consider theirdevices as broken.
4.3 Example 3: Break a door lock wireless
For demonstration of the simulator, we sketch an attackon a wireless door lock which is paired with a smarthome central. The communication between door lock(D) and smart home central (C) uses a challenge responseauthentication with AES. The AES encryption key can beconfigured through a Web UI in the smart home central.Note, the following attack allows hackers to break intohouses with SDRs and, since it is based on a protocolflaw, there is no easy way to fix this for the manufacturer.Therefore, we will not mention the product name andfocus on the role of the simulator in this attack.
All messages in the protocol are pseudo-encrypted byXORing each byte with its predecessor while the first byteis XOR’d with a well-known constant. Although this doesnot strengthen the protocol security, it increases the hur-dle for attacking it with a SDR. Moreover, all messagesare encoded with a data whitening [5] to optimize themfor radio transmission. So when receiving a messageduring simulation, URH performs the following stepsin the background Demodulation⇒ De-Whitening⇒Pseudo-Decryption. Obviously, when sending a mes-sage during simulation these steps are performed in re-verse order and replaced by their counterparts.
In fig. 11 you can see the flow graph that was used forthis attack. We will simulate participant A for attacker.The first action is to trigger an external program whichlooks if the AES key was already found by our tool. Ifnot, it will wait for messages matching the structure ofmessage 3. These messages transport parts of the AESkey to new devices and are always sent when a new deviceis paired with C, even when this new device is configuredto not (!) use encryption. So at this stage, we simply waitfor a new device to pair and then extract the AES key fromthe key transport messages. Once the key was extracted,the simulation goes on to send message 6 which includesthe open command. This message will trigger the doorlock to send message 7 which includes a cryptographicchallenge. Message 8 is then generated by the simulatorusing this challenge and the previously extracted AESkey to calculate the correct response. After this, the doorwill open and send message 9 for confirmation which wejust included for completeness in the flow graph. It is notrequired for the attack. Breaking such a critical devicedemonstrates the power of the simulator and the need formore secure IoT protocols: With just two SDRs a hackercan open a door lock and enter a victims house, given thehacker waits long enough until victim pairs a new device.
5 Discussion and Related Work
Security of IoT systems is a hot topic of internationalresearch groups. There are strong security analyses, forinstance, Garcia et al. [8] dealt with the security of smartcards for wireless payment or Strobel et al. [15] broke adigital locking and access control system that is widelyused in larger companies and universities. Both studiesinvolve opening the device hardware to reverse engineerthe wireless protocol by connecting the wireless chip toa logic analyzer. We would like to enable less hardwareoriented researchers access to these analyses. SoftwareDefined Radios are the answer to this problem, becausethey can send and receive on nearly arbitrary frequencies.But SDRs have to be operated as well: software is neededto process received data or to prepare it for sending.
GNU Radio [4] is the de facto standard for this task.Flow graphs based on hardware-related building blocks,that allow processing of analog and digital signals andinteracting with SDRs, can be created within a GUI. AsGNU Radio works on a quite low level, knowledge aboutDigital Signal Processing (DSP) is necessary to get theright information out of wireless signals. You might savea recorded signal as a wave file (.wav) for further process-ing, since raw complex files cannot be handled by mostanalyzing applications. Audacity [2] is a wave editor thatcan be used to manually extract the raw bits from thesine waves, laborious but easy. A direct approach withinGNU Radio is using a binary slicer which can output bitsdirectly. Flow graphs become complex, are not trivial tocreate and specific for the investigated protocol, in short,not suited for DSP beginners.
Zillner [16] found serious security leaks in ZigBeeusing SecBee. SecBee [16], based on scapy-radio, is aspecialized solution for testing the ZigBee protocol withSDRs. Zillner’s great contribution is limited to the ZigBeeprotocol and cannot be used for other protocols. Anotherspecific solution is Ubertooth [11], based on GNU Radio,that implements a partial Bluetooth stack and enablesinteracting with Bluetooth devices using a SDR. Furtherresearch has been done on this project by Ryan [14], butas well as SecBee, it is limited to a particular application.
Generic wireless protocol analyzers like URH are rare.To the best of our knowledge, there are only two genericanalyzers available that are comparable to our solution:GNU Radio and scapy-radio. Picod et al. [12] developedscapy-radio that combines GNU Radio and the Pythonscapy library for monitoring wireless protocols. Their ap-plication is supposed to be used for security assessments.Since their solution is script based, you can also condi-tionally inject packets and thereby simulate participants.However, scapy-radio requires a complete GNU Radioflow graph for demodulating and decoding the examinedprotocol.
Figure 11: Flow graph of an attack to open a wireless door lock.
We believe, that this is a significant hurdle for theoreticresearchers. For this reason, our tool abstracts most of theDSP components and requires very little knowledge aboutDSP in general. In contrast to scapy-radio, our contribu-tion does not require any preliminary information, suchas demodulation or encoding, about the protocol. Due tothe generalist approach of our contribution, it is consider-ably better suited for unknown and proprietary protocols.URH also contains a simulation environment that can beused to simulate protocol participants. This feature maybe helpful for the wireless security community, as it al-lows observing and interfering with complete protocolruns using own parameters. With very little effort, chosenplaintext and ciphertext attacks are possible.
All in all, the Universal Radio Hacker has some simi-larities with GNU Radio, especially in Interpretation, butdiffers in many other ways and targets a different audi-ence and focuses on the logical protocol level. The mostnotable differences are that URH offers assistance forprotocol analysis, can generate and check CRCs, includescustomizable decodings, entails a fuzzing component andcomes with a simulation environment.
6 Conclusion
In this paper, we have introduced wireless hacking usingSoftware Defined Radios. Our main contribution is anopen source software named Universal Radio Hacker ded-icated to wireless protocol investigation. URH is, to ourknowledge, the first software to provide a complete suitefor investigating stateless and stateful wireless protocols.
• It breaks down DSP including demodulation andfiltering of raw signals to accessible GUI dialogs.We refer to this as Interpretation phase.
• It supports logic analysis of protocols and providesenhanced features like checksum generation besidesfull customizable decodings. We call this step theAnalysis phase.
• It includes a fuzzing component for efficiently find-ing vulnerabilities and applies modulation and en-coding to crafted messages. We call this Generation.
• For more complex protocols that use, e.g., crypto-graphic handshakes it allows simulating participantsand, therefore, dynamically react to messages.
The new software has a modular architecture includinga plugin system for easy extensions to address even moresophisticated problems in the future. Interfaces for com-mon SDRs and a standard file format allow an exchangewith existing hard- and software. Hence, researchers fa-miliar with GNU Radio or DSP experts can benefit fromURH without fundamentally changing their existing work-flows. While abstracting complex mathematics, URH isintended to be easy accessible, so we focused on makingit ergonomic and intuitive. The Universal Radio Hackerincluding source code and documentation can be found atGitHub [13]. Refer to appendix A to get an impression ofURHs graphical user interface.
Besides our main contribution, we gave three practicalexamples of wireless protocol hacking. First, we showeda wireless signal that physically destroys hardware of aninternational manufacturer. Second, we desynchronized adevice from its control unit. Third, we broke the protec-tion of a wireless door lock.
Future work is the enhancement of the automatic logicanalyzer of URH so protocol labels like preamble andlength can be bootstrapped with the click of a button.Likewise, further disclosures of IoT security vulnerabili-ties using the Universal Radio Hacker are planned.
References
[1] Atlas. RfCat. https : / / bitbucket . org /
atlas0fd00m/rfcat. 2017.[2] Audacity Team. Audacity R©.
http://www.audacityteam.org. 2016.[3] S. Behnel, R. Bradshaw, C. Citro, L. Dalcin, D. S.
Seljebotn, and K. Smith. “Cython: The best of bothworlds”. In: Computing in Science and Engineer-ing 13.2 (2011).
[4] E. Blossom. “GNU radio: tools for exploring theradio frequency spectrum”. In: Linux journal 2004(2004).
[5] B. G. Christiansen. Design Note DN509 DataWhitening and Random TX Mode.
[6] Ettus. USRP N210. https://www.ettus.com/product/details/UN210-KIT. 2016.
[7] J. Feigin. “Practical Costas loop design”. In: RFsignal processing January (2002).
[8] F. D. Garcia, G. De Koning Gans, R. Muijrers, P.Van Rossum, R. Verdult, R. W. Schreur, and B. Ja-cobs. “Dismantling MIFARE classic”. In: LectureNotes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and LectureNotes in Bioinformatics) 5283 LNCS (2008).
[9] R. G. Lyons. Understanding Digital Signal Pro-cessing. Third. 2011.
[10] M. Ossmann. HackRF One – an open source SDRplatform. https://greatscottgadgets.com/hackrf/. 2016.
[11] M. Ossmann, D. Spill, M. Ryan, W. Code, and J.Boone. Ubertooth – open source wireless develop-ment platform suitable for Bluetooth experimenta-tion.https://github.com/greatscottgadgets/
ubertooth. 2015.[12] J.-m. Picod, A. Lebrun, and J.-c. Demay. “Bringing
Software Defined Radio to the Penetration TestingCommunity”. In: Black Hat USA 2014 (2014).
[13] J. Pohl and A. Noack. Universal Radio Hacker.https://github.com/jopohl/urh. 2018.
[14] M. Ryan. “Bluetooth: With Low Energy ComesLow Security.” In: WOOT. 2013.
[15] D. Strobel, B. Driessen, T. Kasper, G. Leander, D.Oswald, F. Schellenberg, and C. Paar. “Fumingacid and cryptanalysis: Handy tools for overcom-ing a digital locking and access control system”.In: Lecture Notes in Computer Science (includ-ing subseries Lecture Notes in Artificial Intelli-gence and Lecture Notes in Bioinformatics) 8042LNCS.PART 1 (2013).
[16] T. Zillner. “ZigBee Exploited - The Good, the Badand the Ugly”. In: Black Hat USA 2015 (2015).
A Appendix – UI breakdown
In this section, we show important UI elements of the Uni-versal Radio Hacker to support section 3 and demonstratehow the abstract concepts look in reality.
A.1 Device InteractionThe following dialogs enable interaction with SDRs. Withthe spectrum analyzer from fig. 12 you can find the centerfrequency of the investigated device. The dialog is inter-active, that is, clicking on a certain point will let URHtune the SDR to the corresponding frequency.
Figure 12: Spectrum analyzer with maximum in red
Having found the target frequency, the next step is toreceive sample signals. This can be done right from URHwith the receive dialog from fig. 13. A preview of thereceived signal is drawn live so you instantly see the orderand strength of received signals at first sight.
Figure 13: Receive dialog with live signal preview
At certain stages during protocol investigation, signalsneed to be sent back to the target. This might be in In-terpretation to perform a replay attack or at the end ofGeneration to send manipulated messages. Sending isdone with the dialog shown in fig. 14. The signal in thisdialog is editable so users can delete or mute parts oradd configurable sine waves before sending. The blueprogress bar indicates the current sent signal part so userscan watch the sending progress. This is useful to identifymessages that trigger desired actions on the target device.
Figure 14: Send dialog with current send indicator
A.2 Interpretation Tab
After recording signals, they are automatically added inthe Interpretation tab as shown in fig. 15. Parameters likenoise, center, bit length and error tolerance are detectedautomatically but can also be adjusted by the user. Addi-tionally, users can choose from a set of modulations. Fora better understanding of the signal the user can switchbetween the analog view and the preprocessed rectangularcurve of the signal (section 3.1.1) that in most cases givesa better impression of the signal and helps to confirm themodulation type.
In fig. 15 you can see that messages of the lower signalare colored differently. The colors indicate participants ofthe protocol. The participants are automatically detectedbased on the Received Signal Strength Indicator (RSSI)but can be changed or set by hand if necessary.
Every adjustment influences the generated preview ofdemodulated binary data visible at the bottom of fig. 16.Furthermore, selection of demodulated data is synchro-nized with the raw signal as shown in fig. 16. This way,users can conveniently explore the signal.
Each signal is also editable, that is, you can deleteor mute selections or zoom into interesting parts of thesignal. Moreover, users can copy and paste signal areasor even insert custom sine waves using the dialog fromfig. 17 to operate on the raw signal level.
Figure 15: Overview of Interpretation tab
Figure 16: Synchronize bit and signal view
Figure 17: Insert sine waves into signal
The protocol sniff dialog from fig. 18 is an advancedfeature that can be used if modulation parameters of aprotocol are known. In this dialog, demodulation is per-formed live by URH and you will only see the messagesin binary form in the Analysis tab. Therefore, large sig-nals do not have to be saved in a complex format whichsaves a lot of space in RAM or on disk.
A.3 Analysis TabAll demodulated bits from Interpretation tab are automat-ically inserted into the table on Analysis tab shown infig. 19. The view type is set to hex in this example. Everyrow header shows the regarding participant by includingits configurable short name and color to keep an overview
Figure 18: Protocol Sniff dialog
for larger protocols with many participants. Note thetree view on the upper left, where all signal names fromInterpretation are listed and get highlighted if the userselects corresponding data in the table. Interpretation andAnalysis are strongly tied together in URH. For example,you can select an area in the table and choose Show inInterpretation in context menu. The software will jumpback to Interpretation and show the respective raw signalpart. Furthermore, signals can be arranged in any orderand assigned to configurable groups for better overview.
Figure 19: Analysis tab overview
To start a protocol investigation we need to decodethe raw bits first. URH offers a large set of predefinedencodings that can be configured in the dialog from fig. 20.You can arrange the decoding primitives from the left inan arbitrary order to craft more sophisticated encodings.If a primitive is missing, users can also trigger externalprograms that implement these special encodings.
Once the data is decoded, we enable the differentialview that produces a result shown in fig. 21. At a glance,we see that nibbles at position 5 and 15 change, that is,carry certain information. In this case, these are the on-offbit of a wireless socket and corresponding checksum.
More sophisticated protocols like the one from fig. 19have several message types. With URH custom messagetypes can be added and named whereby each messagetype has its own protocol fields. The assigning of a mes-
Figure 20: Configure custom decodings in this dialog
Figure 21: Differential view to identify interesting areas
sage type to a message can either be done manually or byusing the dialog from fig. 22. Users can define customrules for a message type which is then assigned to everymessage matching these rules.
Figure 22: Assign message types automatically based oncustom rules
A very helpful feature is the possibility to attach col-ored text labels to protocol parts. Thereby, already reverse-engineered parts of a protocol can be tagged. This isuseful to get a better understanding of the complete pro-tocol. For each label you can configure a display format,that is, bit, hex, decimal or ASCII view. When verticallytraversing through different messages, you can see the
interpreted values from each label in a Wireshark-likeview in the bottom of the application (see fig. 19). URHis also able to find particular labels automatically.
A.4 Generation TabIn Generation tab messages can be crafted and send backvia a SDR to observe reactions of investigated devices. Inorder to do this, you can create an arbitrary set of bit se-quences by choosing from the previously analyzed signalsand modify them as desired. It is, however, a laborioustask to change messages manually. To address this prob-lem, URH has a powerful fuzzing component. Each labelcan be individually configured using the fuzzing dialogshown in fig. 23.
Figure 23: Editing fuzzing settings in this dialog
Having configured the desired values for fuzzing, URHcreates the corresponding messages. The configurationfrom fig. 23 produces the result from fig. 24. Note, thatonly values for the fuzzing label (nibble 23-28) change,while the rest of the message is repeated. Dependingon how many protocol fields should be fuzzed, you canconfigure message generation to fuzz one field at a time(subsequent), all fields in parallel by selecting the nextvalue for each field in each subsequent message (concur-rent), or all fields in parallel by testing all combinationsof values for each field (exhaustive). The encoding thatwas previously selected for decoding the input data willautomatically be applied in reverse order.
The final step in the Generation tab is to set the mod-ulation that transforms bit sequences to actual signals.Modulations can be edited using dialog shown in fig. 25.Here, users can configure modulation parameters whilecomparing the respective output with recorded signals.
The process of configuring a modulation gets sped upby an auto detect button. Furthermore, values for bitlength, sample rate and modulation default to the current
Figure 24: Each label can be fuzzed
project configuration. The correct modulation parametersare often found without further manual adjustments.
Figure 25: Manage modulations with this dialog
A.5 Simulator Tab
With the Simulator tab protocol state machines can bemodeled which allows attacks on stateful wireless proto-cols. The simulator is mainly configured through a flowgraph, as already described in section 3.4. In this section,we will show other important parts of the simulator.
Users can define the behavior for protocol labels duringsimulation time in a table as shown in fig. 26. Each labelcan have one of five value types which control how theresulting value will be created. The resulting value willbe matched against when receiving a message and for amismatch the simulation will retry to receive the messageor end when the (configurable) number of maximum re-tries was reached. When sending a message the valuewill be inserted for this field. The possible value typesare Constant, Live input, Formula, Random value andExternal program. Checksum fields are a special case, thesoftware will automatically calculate the correspondingchecksum during simulation.
Figure 26: Configure labels in this table
These value types allow to reach the desired protocolstate and create stateful answers to messages. For ex-ample, a sequence number can be learned live duringsimulation (Live Input) for message 1 and then be in-creased by one with a Formula in message 2 as shownfor the sequence number in fig. 26. Such formulas canbe arbitrary Python expressions to cover a variety of usecases. For even more complex tasks such as AES en-cryption a simple API for External programs allows toperform these tasks outside of URH and use the resultduring simulation.
Having configured a SDR for sending and receivingthe simulation can be started. The status will be shown inthe dialog from fig. 27 which helps to keep an overviewand trace problems with the simulation in two ways. First,it shows the expected and actual value for each field ina message. Second, it shows a preview of the currentRX status at the bottom to quickly track down problemsresulting, e.g., from poor signal strength.
Figure 27: Simulator dialog
The transcript of the simulation can be found in theMessages tab of the Simulator dialog for further analysis.With Universal Radio Hacker researchers can investigate
arbitrary stateful wireless protocols in separate phases:Interpretation, Analysis, Generation and Simulation. Theknowledge acquired from the first two phases is broughtto practice in Generation and/or Simulation phase whichallow to test your hypotheses about the investigated pro-tocol against the physical system. Using this concept andthe particular support of our software, we have reverseengineered more than ten protocols.
Due to the modular concept and plugin system of URH,new features can be added easily. In this way, CC1101data whitening and CRC-16/32 checking have been in-cluded in URH, both because of a specific demand. Morefeatures and plugins will follow, by us or by other re-searchers that like to provide new features to the opensource solution Universal Radio Hacker.