Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods

Presented at DEF CON 25 (2017), July 28, 2017, 4 p.m. (45 minutes)

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of radio frequency protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will develop a wireless threat taxonomy by analyzing and classifying different methods of attack. As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios. Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

Presenters:

• Marc Newlin - Security Researcher at Bastille
  Marc Newlin is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge. @marcnewlin
• Matt Knight - Senior Software Engineer, Threat Research at Bastille
  Matt Knight is a software engineer and applied security researcher at Bastille, with a background in hardware, software, and wireless security. Matt's research focuses on preventing exploitation of the myriad wireless networking technologies that connect embedded devices to the Internet of Things. Notably, in 2016 he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College. @embeddedsec

Links:

• https://defcon.org/html/defcon-25/dc-25-speakers.html#Knight
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Matt Knight - Radio Exploitation 101.mp4
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Matt Knight - Radio Exploitation 101.srt (subtitles)
• https://www.youtube.com/watch?v=HTVPmF8u7Yg

Similar Presentations:

• ShmooCon XIII (2017) / So You Want to Hack Radios
• TROOPERS17 (2017) / So You Want to Hack Radios
• 44CON 2017 / So You Want to Hack Radios