Designing and Applying Extensible RF Fuzzing Tools to Expose PHY Layer Vulnerabilities

Presented at DEF CON 26 (2018), Aug. 12, 2018, noon (45 minutes)

In this session, we introduce an open source hardware and software framework for fuzzing arbitrary RF protocols, all the way down to the PHY. While fuzzing has long been relied on by security researchers to identify software bugs, applying fuzzing methodologies to RF and hardware systems has historically been challenging due to siloed tools and the limited capabilities of commodity RF chipsets. We created the TumbleRF fuzzing orchestration framework to address these shortfalls by defining core fuzzing logic while abstracting a hardware interface API that can be mapped for compatibility with any RF driver. Thus, supporting a new radio involves merely extending an API, rather than writing a protocol-specific fuzzer from scratch. Additionally, we introduce Orthrus, a low-cost 2.4 GHz offensive radio tool that provides PHY-layer mutability to offer Software Defined Radio-like features in a flexible and low-latency embedded form factor. By combining the two, researchers will be able to fuzz and test RF protocols with greater depth and precision than ever before. Attendees can expect to leave this talk with an understanding of how RF and hardware physical layers actually work, and how to identify security issues that lie latent in these designs.

Presenters:

  • Ryan Speers - Director of Research, Ionic Security
    Ryan Speers (@rmspeers) is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, micro controllers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences and written some articles for journals ranging from peer-reviewed academic publications to PoC||GTFO. @rmspeers
  • Matt Knight - Senior Security Engineer, Cruise Automation
    Matt Knight (@embeddedsec) is a Senior Security Engineer with Cruise Automation, where he works on securing autonomous cars and the infrastructure that supports them. Matt also leads the RF practice at River Loop Security, an embedded systems security and design consultancy. With specific interests in RF networks and physical layers, he notably reverse engineered the LoRa PHY based on blind signal analysis, and has run several trainings on RF reverse engineering fundamentals. Matt holds a BE in Electrical Engineering from Dartmouth College. @embeddedsec

Links:

Similar Presentations: