So You Want to Hack Radios

Presented at ShmooCon XIII (2017), Jan. 14, 2017, 10 a.m. (60 minutes)

The year was 2017, and proprietary wireless protocols roamed the earth. The age of the radio was upon us, and the future looked bleak. But then, in the midst of the darkness and chaos, hackers everywhere saw the light, and the torrent of CVEs began! Join us as we lift the veil on SDR and show that magical powers are not needed to pwn the Internet of Things Radios.

This session offers a tutorial on how to apply Software Defined Radio, with an emphasis on the "Radio" part. Rather than glossing over RF basics, we will frame our entire discussion of reverse engineering wireless systems around digital radio fundamentals.

The adventure begins with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to any wireless system. We will show how to use this workflow to recover bits out of the air from a variety of proprietary wireless devices.

Attendees should expect to walk away with practical knowledge of how to use SDR to examine proprietary wireless protocols. We will release GNU Radio flowgraphs and shell scripts to get attendees started.


  • Matt Knight
    Matt Knight (@embeddedsec) is a software engineer and security researcher at Bastille, with a diverse background in hardware, software, and wireless security. In 2016, he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.
  • Marc Newlin
    Marc Newlin (@marcnewlin) is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities. A glutton for challenging side projects, he competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.