Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop...
Transcript of Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop...
![Page 1: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/1.jpg)
RF Fuzzing // River Loop Security
River Loop SecurityRiver Loop Security
Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities
Matt Knight, Ryan Speers DEF CON
![Page 2: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/2.jpg)
RF Fuzzing // River Loop Securitywhois
Matt Knight• Senior Security Engineer at Cruise
Automation• RF Principal at River Loop Security• BE in EE from Dartmouth College• Software, hardware, and RF engineer• RF, SDR, and embedded systems
Ryan Speers• Co-founder at River Loop Security• Director of Research at Ionic Security• Computer Science from Dartmouth College• Cryptography, embedded systems, IEEE
. . , automated firmware analysis
River Loop Security
2
![Page 3: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/3.jpg)
RF Fuzzing // River Loop SecurityBackground
“Making and Breaking a Wireless IDS”, Troopers“Speaking the Local Dialect”, ACM WiSec• Ryan Speers, Sergey Bratus, Javier Vazquez, Ray Jenkins, bx, Travis Goodspeed, & David Dowd• Idiosyncrasies in PHY implementations
Mechanisms for automating:• RF fuzzing• Bug discovery• PHY FSM fingerprint generation
3
![Page 4: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/4.jpg)
RF Fuzzing // River Loop SecurityAgenda
Overview of traditional fuzzing techniques (software and networks)> How these do and don’t easily map to RF
RF fuzzing overview and state of the artIdeal fuzzer designTumbleRF introduction and overviewTumbleRF usage exampleIntroducing Orthrus
4
![Page 5: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/5.jpg)
RF Fuzzing // River Loop Security
Traditional Fuzzing Techniques
![Page 6: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/6.jpg)
RF Fuzzing // River Loop SecurityWhat is fuzzing?
Measured application of pseudorandom input to a system
Why fuzz?• Automates discovery of crashes, corner cases, bugs, etc.• Unexpected input → unexpected state
6
![Page 7: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/7.jpg)
RF Fuzzing // River Loop SecurityWhat can one fuzz?
Fuzzers generally attach to system interfaces, namely I/O:• File format parsers• Network interfaces• Shared memory
7
![Page 8: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/8.jpg)
RF Fuzzing // River Loop SecuritySoftware Fuzzing State of the Art
Abundant fully-featured software fuzzers• AFL / AFL-Unicorn• Peach• Scapy
Software is easy to instrument and hook at every level
What else can one fuzz?
8
![Page 9: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/9.jpg)
RF Fuzzing // River Loop Security
Other Applications of Fuzzing
![Page 10: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/10.jpg)
RF Fuzzing // River Loop SecurityFuzzing Hardware
Challenges:• H/W is often unique, less “standard interfaces” to measure on• May not be able to simulate well in a test harness
Some Existing Techniques:• AFL-Unicorn: simulate firmware in Unicorn to fuzz• Bus Pirate: permutes pinouts and data rates to discover digital buses• JTAGulator: permutes pinouts that could match unlocked JTAG• …
10
![Page 11: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/11.jpg)
RF Fuzzing // River Loop SecurityFuzzing RF
WiFuzz● MAC-focused . protocol fuzzer
Marc Newlin’s Mousejack research● Injected fuzzed RF packets at nRF HID dongles while looking for
USB output
isotope:● IEEE . . PHY fuzzer
11
![Page 12: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/12.jpg)
RF Fuzzing // River Loop SecurityExisting RF Fuzzing Limitations
RF fuzzing projects are siloed / protocol-specific● COTS radio chipsets● Generally limited to MAC layer and up
RF state is hard to instrument● What constitutes a crash / bug / etc?
Implicit trust in chipset – one can only see what one’s radio tells you is happening
12
![Page 13: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/13.jpg)
RF Fuzzing // River Loop SecurityTrust and Physical Layer Vulnerabilities
Not all PHY state machines are created equal!
Radio chipsets implement RF state machines differently• Differences can be fingerprinted and exploited• Initial results on . . were profound• Specially-crafted PHYs can target certain chipsets while avoiding
others
13
![Page 14: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/14.jpg)
RF Fuzzing // River Loop Security
RF PHYs: A Primer
![Page 15: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/15.jpg)
RF Fuzzing // River Loop SecurityHow Radios Work
Radio: translates digital s and s to electromagnetic energy (and back)
Transmitter: digital data (bits) → analog RF energy discrete → continuous
Receiver: analog RF energy → digital data (bits) continuous → discrete
Receiving comes down to sampling and synchronization!
15
![Page 16: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/16.jpg)
RF Fuzzing // River Loop SecurityDigitally Modulated Waveforms
16
![Page 17: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/17.jpg)
RF Fuzzing // River Loop SecurityDigitally Modulated Waveforms
PreambleStart of Frame Delimiter (SFD) / Sync Word
Data
17
![Page 18: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/18.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
18
![Page 19: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/19.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
19
![Page 20: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/20.jpg)
RF Fuzzing // River Loop Security
…
RF PHY State Machines
20
![Page 21: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/21.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
21
0 0 0 0 0 0 0 0
0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
4
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 22: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/22.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
22
1 0 0 0 0 0 0 0
0 1 0 1 0 1 0 1
1 1 0 1 0 1 0 1
5
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 23: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/23.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
23
0 1 0 0 0 0 0 0
0 1 0 1 0 1 0 1
0 0 0 1 0 1 0 1
3
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 24: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/24.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
24
1 0 1 0 0 0 0 0
0 1 0 1 0 1 0 1
1 1 1 1 0 1 0 1
6
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 25: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/25.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
25
0 1 0 1 0 0 0 0
0 1 0 1 0 1 0 1
0 0 0 0 0 1 0 1
2
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 26: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/26.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
26
1 0 1 0 1 0 0 0
0 1 0 1 0 1 0 1
1 1 1 1 1 1 0 1
7
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 27: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/27.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
27
0 1 0 1 0 1 0 0
0 1 0 1 0 1 0 1
0 0 0 0 0 0 0 1
1
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 28: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/28.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
28
1 0 1 0 1 0 1 0
0 1 0 1 0 1 0 1
1 1 1 1 1 1 1 1
8
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 29: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/29.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
29
0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
0 0 0 0 0 0 0 0
0
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
Hamming Distance● # bits that are different between two values● If , values are equal
When Hamming Distance <= some threshold, a preamble has been detected
![Page 30: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/30.jpg)
RF Fuzzing // River Loop SecurityRF PHY State Machines
30
Repeat the process, correlating for the SFD value instead, to find the start of the PHY
data unit
1 1 1 1 0 0 0 0
1 1 1 1 0 0 0 0
0 0 0 0 0 0 0 0
0
→ RF Symbol ValuePreamble Correlation Value
XOR Result
→ Shift Register →
Hamming Distance
![Page 31: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/31.jpg)
RF Fuzzing // River Loop SecuritySync Words and Magic Numbers
Turns out not all sync words are created equally• 0x00000000 == 802.15.4 Preamble• 0xA7 == 802.15.4 Sync Word
The isotope research showed some chipsets correlated on “different” preambles / sync words than others
31
![Page 32: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/32.jpg)
RF Fuzzing // River Loop SecuritySync Words and Magic Numbers
Turns out not all sync words are created equally• 0x00000000 == 802.15.4 Preamble• 0xA7 == 802.15.4 Sync Word
The isotope research showed some chipsets correlated on “different” preambles / sync words than others
strategically malformed
32
![Page 33: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/33.jpg)
RF Fuzzing // River Loop SecuritySync Words and Magic Numbers
Turns out not all sync words are created equally• 0xXXXX0000 == 802.15.4 Preamble• 0xA7 == 802.15.4 Sync Word
The isotope research showed some chipsets correlated on “different” preambles / sync words than others
Short preamble?
strategically malformed
33
![Page 34: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/34.jpg)
RF Fuzzing // River Loop SecuritySync Words and Magic Numbers
Turns out not all sync words are created equally• 0xXXXX0000 == 802.15.4 Preamble• 0xAF == 802.15.4 Sync Word
The isotope research showed some chipsets correlated on “different” preambles / sync words than others
Short preamble? Flipped bits in SFD?
strategically malformed
34
![Page 35: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/35.jpg)
RF Fuzzing // River Loop Security
Systematic Discovery via Fuzzing
![Page 36: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/36.jpg)
RF Fuzzing // River Loop Security
Ideal RF Fuzzer Design
![Page 37: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/37.jpg)
RF Fuzzing // River Loop SecurityIdeal Features
Extensible: easy to hook up new radios
Flexible: modular to enable plugging and playing different engines / interfaces / test cases
Reusable: re-use designs from one protocol on another
Comprehensive: exposes PHY in addition to MAC
37
![Page 38: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/38.jpg)
RF Fuzzing // River Loop Security
TumbleRF
![Page 39: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/39.jpg)
RF Fuzzing // River Loop SecurityTumbleRF
Software framework enabling fuzzing arbitrary RF protocols
Abstracts key components for easy extension:● Radio API● Test case generation API● Harness API
39
![Page 40: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/40.jpg)
RF Fuzzing // River Loop SecurityTumbleRF Architecture
40
![Page 41: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/41.jpg)
RF Fuzzing // River Loop SecurityInterfaces
RF injection/sniffing functions abstracted to generic templateTo add a new radio, inherit base Interface class and redefine its functions to map to the radio driver:
[set/get]_channel()[set/get]_sfd()[set/get]_preamble()tx()rx_start()rx_stop()rx_poll()
TODO: [set/get]_symbol_rate()41
![Page 42: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/42.jpg)
RF Fuzzing // River Loop SecurityGenerators
Rulesets for generating fuzzed input (pythonically)Extend to interface with software fuzzers of your choice
Implement functions:yield_control_case()yield_test_case()
Three generators currently:• Preamble length (isotope)• Non-standard symbols in preamble (isotope)• Random payloads in message
42
![Page 43: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/43.jpg)
RF Fuzzing // River Loop SecurityHarnesses
Monitor the device under test to evaluate test case resultsManage device state in between tests
Three handlers currently:• Received Frame Check: listen for given frames via an RF interface• SSH Process Check: check whether processes on target crashed
(beta)• Serial Check: watch for specific output via Arduino (beta)
43
![Page 44: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/44.jpg)
RF Fuzzing // River Loop SecurityTest Cases
Coordinate the generator, interface, and harness. Typically very lightweight.
Extend BaseCase to implement run_test()or build upon others, e.g.:
Extend AlternatorCase to implement:does_control_case_pass()throw_test_case()
Alternates test cases with known-good control case to check for crashes / ensure interface is still up
44
![Page 45: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/45.jpg)
RF Fuzzing // River Loop Security
45
Test Setup ( / )
![Page 46: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/46.jpg)
RF Fuzzing // River Loop Security
46
Test Setup ( / )
Devices Under Test (left to right)● TI CC● TI CC● Atmel AT RF
Stimulus● USRP B
![Page 47: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/47.jpg)
RF Fuzzing // River Loop SecurityTumbleRF Architecture: Demo Setup
47
![Page 48: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/48.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Standard . . PHY Header == x + xA + xLL
48
![Page 49: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/49.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Standard . . PHY Header == x + xA + xLL
49
![Page 50: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/50.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Standard . . PHY Header == x + xA + xLL
50
![Page 51: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/51.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Standard . . PHY Header == x + xA + xLL
51
![Page 52: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/52.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Standard . . PHY Header == x + xA + xLL
52
![Page 53: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/53.jpg)
RF Fuzzing // River Loop SecurityGenerated Data: Preamble Length
Modify GNU Radio gr-ieee802-15-4 to omit PHY headerGenerate arbitrary PHY headers via TumbleRF test case generator53
![Page 54: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/54.jpg)
RF Fuzzing // River Loop Security
Demo
![Page 55: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/55.jpg)
RF Fuzzing // River Loop SecurityResults DumpTest: preamble_length_apimote.json (using Dot15d4PreambleLengthGenerator) Case 0: 0 valid, 50 invalid example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid example case: 70aa308220f0ff0f0070d0eafa
Case 2: 45 valid, 5 invalid example case: 00a70a230804ffff00000757b6
Case 3: 0 valid, 50 invalid example case: 0070aa308260f0ff0f007010e0fb
Case 4: 50 valid, 0 invalid example case: 0000a70a230808ffff000007a387
Case 5: 0 valid, 50 invalid example case: 000070aa3082a0f0ff0f007050fff8
Case 6: 50 valid, 0 invalid example case: 000000a70a23080cffff0000070f97
Case 7: 0 valid, 50 invalid example case: 00000070aa3082e0f0ff0f007090f5f9
Case 8: 48 valid, 2 invalid example case: 00000000a70a230810ffff0000074be4
Case 9: 0 valid, 50 invalid example case: 0000000070aa308220f1ff0f0070d0c1fe
Test: preamble_length_cc2531.json (using Dot15d4PreambleLengthGenerator)
Case 0: 0 valid, 50 invalid example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid example case: 70aa308220f0ff0f0070d0eafa
Case 2: 13 valid, 37 invalid example case: 00a70a230804ffff00000757b6
Case 3: 0 valid, 50 invalid example case: 0070aa308260f0ff0f007010e0fb
Case 4: 48 valid, 2 invalid example case: 0000a70a230808ffff000007a387
Case 5: 0 valid, 50 invalid example case: 000070aa3082a0f0ff0f007050fff8
Case 6: 50 valid, 0 invalid example case: 000000a70a23080cffff0000070f97
Case 7: 0 valid, 50 invalid example case: 00000070aa3082e0f0ff0f007090f5f9
Case 8: 49 valid, 1 invalid example case: 00000000a70a230810ffff0000074be4
Case 9: 0 valid, 50 invalid example case: 0000000070aa308220f1ff0f0070d0c1fe
Test: preamble_length_rzusbstick.json (using Dot15d4PreambleLengthGenerator)
Case 0: 0 valid, 50 invalid example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid example case: 70aa308230f0ff0f007060a8fa
Case 2: 0 valid, 50 invalid example case: 00a70a230805ffff0000077cb2
Case 3: 0 valid, 50 invalid example case: 0070aa308270f0ff0f0070a0a2fb
Case 4: 0 valid, 50 invalid example case: 0000a70a230809ffff0000078883
Case 5: 0 valid, 50 invalid example case: 000070aa3082b0f0ff0f0070e0bdf8
Case 6: 37 valid, 13 invalid example case: 000000a70a23080effff000007599f
Case 7: 0 valid, 50 invalid example case: 00000070aa308200f1ff0f0070b044fe
Case 8: 41 valid, 9 invalid example case: 00000000a70a230813ffff00000736e8
Case 9: 0 valid, 50 invalid example case: 0000000070aa308250f1ff0f0070c00cff
TI CC
TI CC
Atmel AT RF
3 transceivers2 manufacturers1 protocol
3 behaviors!55
![Page 56: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/56.jpg)
RF Fuzzing // River Loop Security
Why Care?
Those results can allow for WIDS evasion and selective targeting.
![Page 57: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/57.jpg)
RF Fuzzing // River Loop Security
Developing RF Interfaces
![Page 58: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/58.jpg)
RF Fuzzing // River Loop SecurityRF Interfaces
Not all radios can generate arbitrary preambles, SFDs, modulations, packet formats, etc.
PHY manipulation requires:● Software Defined Radio● Transceiver chipset with lots of configurations
58
![Page 59: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/59.jpg)
RF Fuzzing // River Loop SecuritySoftware Defined Radio
Prior example used Software Defined Radio:● GNU Radio and a USRP● gr-ieee802-15-4 is flexible because it’s well designed
SDR has some drawbacks:● GNU Radio is complicated and hard to develop for● SDRs are expensive● High latency for host-based DSP● Power hungry: hard to embed
59
![Page 60: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/60.jpg)
RF Fuzzing // River Loop SecurityConfigurable Transceivers
Discrete radio chipsets are purpose built:● Generally speak protocol really well● Band-limited● Low power● Some kind of API
Examples include:
60
![Page 61: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/61.jpg)
RF Fuzzing // River Loop SecurityFlexible Transceivers
Certain discrete transceivers can be flexible, like SDR!
Some radios expose PHY configuration registers:● Preamble length● SFD magic number● Header symbol error tolerance● etc.
61
![Page 62: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/62.jpg)
RF Fuzzing // River Loop SecurityApiMote ( / )
ApiMote, designed by Javier & Ryan, exposed PHY registers in TI CC :● Preamble length● SFD value● Digital FSM state status pins for low latency injection
62
Pre-assembled/flashed are available via [email protected]
![Page 63: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/63.jpg)
RF Fuzzing // River Loop SecurityApiMote ( / )
However, the ApiMote needs an update:● CC is EOL● Expensive BOM● USB issues
CC and others don’t have the same degree of PHY configuration, so started looking at other chipsets
63
![Page 64: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/64.jpg)
RF Fuzzing // River Loop SecurityEnter ADF
Most interesting option: Analog Devices ADF
. GHz . . radio with lots of features:● Several modulations● Lots of configurability● SPORT mode
64
![Page 65: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/65.jpg)
RF Fuzzing // River Loop SecuritySPORT Mode?
Streams demodulated symbols over serial, up to Msps● Bypasses decoding and PHY header / packet framing● We can implement these parts in software
Full control of PHY for most . GHz protocols!
65
ApiMote . >> . .
![Page 66: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/66.jpg)
RF Fuzzing // River Loop Security
Introducing Orthrus
![Page 67: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/67.jpg)
RF Fuzzing // River Loop SecurityOrthrus ( / )
Spiritual successor to the ApiMote
Named for -headed dog from Greek mythology● Why? Because Orthrus has two heads!
67
![Page 68: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/68.jpg)
RF Fuzzing // River Loop SecurityOrthrus ( / )
NXP LPC ARM MCU● Host communication via USB● Controlling radios● RF state machine implementation and control
x ADF radios● ADF has a slow re-tune time
○ allows for pre-emptive re-tune!● can listen while the other sits ready to transmit
○ High-speed responsive jamming
68
![Page 69: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/69.jpg)
RF Fuzzing // River Loop SecurityInitial Prototype
ADF dev board wired to Teensy:
Custom PCB is in progress69
![Page 70: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/70.jpg)
RF Fuzzing // River Loop SecurityOrthrus RF Design Flow
Implement PHY decoders in event loop in firmwareBlue-Green frontend switching for fast retuning / channel hopping
TODO: State machine abstraction language?● e.g. XASM / ASML / SCXML● Implement PHYs via config definitions rather than code
70
![Page 71: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/71.jpg)
RF Fuzzing // River Loop SecurityInterested? Get Involved!
Contribute something to TumbleRF:• Radio interface to fuzz your favorite protocol• Generator for some cool new fuzzing idea you have• Harness to check the state of a device you care about testing
Contribute to Orthrus:• Firmware development• State machine abstraction definitions
71
![Page 72: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/72.jpg)
RF Fuzzing // River Loop Security
Thank You!DEF CON 26 Crew
River Loop SecurityCruise Automation
Ionic SecurityRiver Loop Security
https://github.com/riverloopsec/tumblerf
![Page 73: Designing RF Fuzzing Tools to Expose PHY Layer ... CON 26/DEF CON 26...RF Fuzzing // River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities](https://reader030.fdocuments.us/reader030/viewer/2022040723/5e322a1160e76227d24005f1/html5/thumbnails/73.jpg)
RF Fuzzing // River Loop Security
Questions?@embeddedsec
@rmspeers
[matt|ryan]@riverloopsecurity.com
River Loop Security
https://github.com/riverloopsec/tumblerf