LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs...

21
LTE Recon and Tracking with RTLSDR An SDR SIGINT Primer

Transcript of LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs...

Page 1: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

LTE Recon and Tracking with

RTLSDRAn SDR SIGINT Primer

Page 2: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Ian KlineWolf Den [email protected] Public KeyLead: “Emissions Inspection”, Red Teams, Web App Pentests, Forensic Analyst, Hacker for Hire

whoami

mailto:[email protected]
mailto:[email protected]
Page 3: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Why should you listen

Page 4: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Need a PoC quickly- start with open source research- integrate with commodity tools- you can be up and running an hour from

now

Fast

Page 5: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Build PoCs without major $$$ investment- Start with RTLSDR-E4000 ~$50- No need for other fancy LTE gear

Cheap

Page 6: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Enough about me, let’s track some phones

Page 7: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

http://www.k4ro.net/k4ro/station_tour/images/station10.jpg

Radio Used To Be Hard

Page 8: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Now for $50...

Page 9: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Either RTLSDR will do, but the E4000 can hit one more LTE band than the newer R820T

RTLSDR - E4000

Page 10: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

1 - Planes with ADS-B

Quick RTLSDR Demos

Page 11: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

2 - Cars by their TPMS output

[Shove live TPMS feed from parking lot here]

Quick RTLSDR Demos

Page 12: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

All this is great, but reading data != positional tracking.

I want a tool with a big green arrow

Data vs Positional

Page 13: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

HF/DF

Page 14: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

1 - Field testing during WW22 - Measure signal strength and time of arrival

3 - Sink u-boats4 - Required massive infrastructure

HF/DF

Page 15: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

“Time Difference of Arrival”1. Measure time of arrival of a signal at two

different points2. Take the difference3. Draw a bearing

TDOA DF

Page 16: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

1. Requires extremely accurate clocking between radios

TDOA DF - Challenges

Page 17: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

2. High frequency signals exceed sampling rate of RTL-SDR platform

TDOA DF - Challenges

Page 18: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Doppler DF requires a high speed moving antenna50,000+ RPMs for GSMUse hardware antenna switch to simulate doppler effect to determine bearing

Pseudo Doppler DF

Page 19: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

Commercial PD DF System

Page 20: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

1 - DF sync data when phones connect to towers2 - Save it3 - Plot it all with Kibana because that’s easy

Quick and Dirty LTE Tracker

Page 21: LTE Recon and Tracking with RTLSDR - DEF CON CON 23/DEF CON 23 presentations/DEF… · Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy

3 - Tracking individuals by their LTE/GSM devices

[Emissions Inspection Demo]

Quick RTLSDR Demos


DEF CON 26 Hacking Conference CON 26/DEF CON 26...Find us on Twitter: @michaelossmann / @dominicgs Title DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

DEF CON 26 Hacking Conference CON 26/DEF CON 26...Find us on Twitter: @michaelossmann / @dominicgs Title DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

WEAPONIZING THE BBC MICRO:BIT - DEF CON CON 25/DEF CON 25 presentations/DEFCON...WEAPONIZING THE BBC MICRO:BIT ... Python code size is limited, ... DEF CON Conference, DEF CON, DEFCON,

WEAPONIZING THE BBC MICRO:BIT - DEF CON CON 25/DEF CON 25 presentations/DEFCON...WEAPONIZING THE BBC MICRO:BIT ... Python code size is limited, ... DEF CON Conference, DEF CON, DEFCON,

DEF CON 23 Presentation CON 23/DEF CON 23... · DEF CON 23 Presentation Keywords: DEF CON Conference, DEF CON, DEFCON, Speeches, Hacking, Hackers, Hacker Conference, Computer Security,

DEF CON 23 Presentation CON 23/DEF CON 23... · DEF CON 23 Presentation Keywords: DEF CON Conference, DEF CON, DEFCON, Speeches, Hacking, Hackers, Hacker Conference, Computer Security,

Teaching Old Shellcode New Tricks - DEF CON CON 25/DEF CON 25 presentations/DE… · Teaching Old Shellcode New Tricks DEF CON 2017 @midnite_runr

Teaching Old Shellcode New Tricks - DEF CON CON 25/DEF CON 25 presentations/DE… · Teaching Old Shellcode New Tricks DEF CON 2017 @midnite_runr

TASBot the perfectionist - DEF CON CON 24/DEF CON 24 presentations/DEF CON 24... · TASBot the perfectionist The amazing life & achievements of... Agenda Intro to Speedrunning video

TASBot the perfectionist - DEF CON CON 24/DEF CON 24 presentations/DEF CON 24... · TASBot the perfectionist The amazing life & achievements of... Agenda Intro to Speedrunning video

DEF CON 26 Voting Village - DEF CON® Hacking Conference CON 26 voting... · 2018-09-27 · DEF CON 26 Voting Village Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases,

DEF CON 26 Voting Village - DEF CON® Hacking Conference CON 26 voting... · 2018-09-27 · DEF CON 26 Voting Village Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases,

Eric Sesterhenn 2018 CON 26/DEF CON 26 presentations/DEFCON-26... · DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

Eric Sesterhenn 2018 CON 26/DEF CON 26 presentations/DEFCON-26... · DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

DEF CON 23 Presentation CON 23/DEF CON 23 presentations/DEF… · Don’t"believe"anything"I"Say • Also,"hold"those"around"you"accountable

DEF CON 23 Presentation CON 23/DEF CON 23 presentations/DEF… · Don’t"believe"anything"I"Say • Also,"hold"those"around"you"accountable

Introduction to x86 disassembly - DEF CON CON 24/DEF CON 24 workshops/DEF CON 24... · x86 •Today, “x86” generally refers to all architectures based off of the original 8086

Introduction to x86 disassembly - DEF CON CON 24/DEF CON 24 workshops/DEF CON 24... · x86 •Today, “x86” generally refers to all architectures based off of the original 8086

SCADA - DEF CON

SCADA - DEF CON

DEF CON 23 Presentation

DEF CON 23 Presentation

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF

Your Bank’s Digital Side Door - DEF CON CON 26/DEF CON 26 presentations/DEF… · Quicken/Quickbooks Connection Types Web Connect •Unidirectional •Manual •Download a file

Your Bank’s Digital Side Door - DEF CON CON 26/DEF CON 26 presentations/DEF… · Quicken/Quickbooks Connection Types Web Connect •Unidirectional •Manual •Download a file

DEF CON 24 Hacking Conference - Ruxcon · Title: DEF CON 24 Hacking Conference Author: DEF CON 24 Speaker Keywords

DEF CON 24 Hacking Conference - Ruxcon · Title: DEF CON 24 Hacking Conference Author: DEF CON 24 Speaker Keywords

HACKING HOTEL KEYS - DEF CON CON 24/DEF CON 24 presentations/DEF… · HACKING HOTEL KEYS Security Consultant ... Researcher. 9About 11 years pen-testing, Security Research, ... 912

HACKING HOTEL KEYS - DEF CON CON 24/DEF CON 24 presentations/DEF… · HACKING HOTEL KEYS Security Consultant ... Researcher. 9About 11 years pen-testing, Security Research, ... 912

DEF CON 24 Hacking Conference

DEF CON 24 Hacking Conference

DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… · started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA

DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… · started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA

Introduction to SDR & the Wireless Village - DEF CON CON 23/DEF CON 23 presentations/DEF… · Introduction to SDR & the Wireless Village ! Who the Frig...! satanklawz!! DaKahuna!

Introduction to SDR & the Wireless Village - DEF CON CON 23/DEF CON 23 presentations/DEF… · Introduction to SDR & the Wireless Village ! Who the Frig...! satanklawz!! DaKahuna!

Aaron Bayles DC101 @ DEF CON 22 - DEF CON® Hacking Conference · Aaron Bayles DC101 @ DEF CON 22 ... //media.blackhat.com/us ... Lockpicking, Hackers, Infosec, Hardware Hacking,

Aaron Bayles DC101 @ DEF CON 22 - DEF CON® Hacking Conference · Aaron Bayles DC101 @ DEF CON 22 ... //media.blackhat.com/us ... Lockpicking, Hackers, Infosec, Hardware Hacking,

Bypass firewalls, application white ... - media.defcon.org CON 22/DEF CON 22 presentations... · DEF CON 22, 2014. Hungary. root@ ... ... DEFCON, DEF CON, Hacker, Security Conference,

Bypass firewalls, application white ... - media.defcon.org CON 22/DEF CON 22 presentations... · DEF CON 22, 2014. Hungary. root@ ... ... DEFCON, DEF CON, Hacker, Security Conference,