So You Want to Hack Radios

Presented at TROOPERS17 (2017), March 20, 2017, 11:30 a.m. (Unknown duration)

The Age of the Radio is upon us: wireless protocols are a dime a dozen thanks to the explosion of the Internet of Things. While proprietary wireless solutions may offer performance benefits and cost savings over standards like 802.11 or Bluetooth, their security features are rarely well-exercised due to lack of access to these interfaces. The adoption of Software Defined Radio (SDR) by the security research community has helped shift this balance; however, SDR remains a boutique skillset. Join us as we lift the veil on SDR and show that a PhD is not needed to pwn the Internet of Things.

This session offers a tutorial on how to apply Software Defined Radio, with an emphasis on the "Radio" part. Rather than glossing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

We begin with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to any wireless system. We will show how to use this workflow to recover and inject packets from/into a variety of devices with proprietary modulations.

Attendees should expect to walk away with practical knowledge of how to apply SDR to examine proprietary wireless protocols. We will release GNU Radio flowgraph templates and shell scripts to get attendees started.


  • Marc Newlin
    Marc is an RF/IoT security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, he competed solo in two DARPA challenges, although he never went to college. In 2013-14, Marc got into SDR by competing in the DARPA Spectrum Challenge, placing second in the preliminary tournament. In 2011, he wrote software to reassemble shredded documents, finishing the DARPA Shredder Challenge in third place out of 9000 teams.
  • Matt Knight
    Matt is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things. In 2016, he was the first to document the closed-source LoRa PHY based on blind signal analysis. Matt previously worked as a hardware and wireless security consultant, leveraging Software Defined Radio to craft custom attacks against embedded devices, and has developed wireless networking products for a range of customers. Matt holds a BE with a concentration in Electrical Engineering from Dartmouth College.

