Software Defined Radio: Using Radio Waves to Spoof the “Un-spoofable”
By: Ariel Luque

Table of Contents
Abstract
1 Introduction
  1.1 What is SDR
  1.2 Types of SDR Technologies
    Adaptive Radio:
    Cognitive Radio:
    Intelligent Radio:
  1.3 Advantages of SDR
  1.4 Disadvantages of SDR
  1.5 To the Community
2 Recording Radio Waves
  2.1 Hardware
  2.2 Software
  2.3 Methodology
  2.4 Limitations
3 Protection
  3.1 Shielding
  3.2 Encryption
  3.3 Improved Design
  3.5 Become a Hermit
4 Conclusion
6 References

Abstract
When creating a list of devices that are “hackable”, people usually think of connected devices where there is a guaranteed way of getting in through some network protocol.
However, things like keyless car entry systems, toll booths, or pagers rarely come to mind when thinking of objects that are vulnerable to attack. Many of these systems work through the use of specialized hardware to send radio waves to receivers, which then do a basic job like unlocking car doors or charging a set amount for a toll. Software defined radio (SDR) aims to take all of the dedicated hardware that is responsible for filtering and signal detection in these systems and move it into digital space. This leads to a setup where a simple antenna and analogue to digital converter chip can be used to emulate broadcasting and receiving systems that would normally require proprietary hardware. This article will look at some ways in which SDR can be used to listen to radio signals broadcast by different systems, and in certain cases, mimic those signals in order to gain access to and manipulate those systems. We will also look at possible ways to protect against SDR spoofing.

1 Introduction
In simple terms, radio waves are a type of electromagnetic radiation most commonly used for communication. Consumer products like cell phones use radio waves as the backbone of their functionality. Furthermore, devices that use widespread communications technologies like Bluetooth are constantly broadcasting all of their information for the entire world to see. Although not all devices make use of radio waves, all devices do transmit some form of electromagnetic radiation which can be recorded and monitored by anyone that’s listening.

1.1 What is SDR
A radio is defined as any device that can wirelessly transmit or receive data using the radio frequency spectrum, like cell phones, televisions, and computers. Normally, devices use hardware based radios which are created to tune into a specific spectrum and perform a specific task. These radios can only be altered through physical means, which results in high production cost and expensive parts without much flexibility. However, Software Defined Radio (SDR) provides an inexpensive solution to this problem by moving some or all of the radio’s operating functions from hardware into a flexible software based solution.

1.2 Types of SDR Technologies

Adaptive Radio:
Adaptive radio is defined as radio in which the system has a way to monitor its own performance and modify its operation in order to improve it. SDR removes the limitations of hardware radio and allows the system to have more freedom when changing its operation, which increases the levels of performance.

Cognitive Radio:
Cognitive radio takes the idea of adaptive radio further and allows the complete change of operating behavior depending on the radio’s internal state and its environment. All decisions made about operating behavior are mapped to information that is predefined by some operation specifications or objectives. This is normally used to allow devices to make the best use of available spectrum in wireless networks.

Intelligent Radio:
Intelligent radio is just an extension of cognitive radio that allows for some form of machine learning. This allows the radio to make its own choices about how to change its behavior in response to its internal state or environment in order to increase performance.

1.3 Advantages of SDR
The main advantage of using SDR is in modularity and cost effectiveness. By using SDR, products can be created that use a common architecture, which allows them to be developed, tested, and approved much faster than their traditional counterparts. Software can also be ported to different products and reused in order to reduce costs of research and development. Reprogramming of radios also allows bug fixes or upgrades to occur at the software level, meaning that defective products would no longer need to be recalled, just patched over the air.
For radio service providers, SDR allows them to reuse their old infrastructure to implement current and future technologies at a drastically reduced cost, which would allow them to virtually future proof their current networks and deploy new services across the market at the same time instead of rolling features out by geographic areas.

1.4 Disadvantages of SDR
Extremely simple systems with only one or two functions, like garage door openers, would not gain any advantages by switching to SDR since they would gain no added functionality in the future. Because typical SDR chips would be used in multiple products, are more complex, and are inherently more expensive, it would make no sense to replace a single function radio with an SDR chip.
More complex devices, like modern car entertainment systems or cell phones, would not see the impact of increased cost since they would gain all of the benefits of a flexible and upgradable radio system. However, they would suffer from increased power consumption. Moving digital signal processing from an integrated low power chip to a software based solution increases the computational load on these devices, which increases their power consumption. This is especially troubling for devices like cell phones and mobile tablets, which require efficient software in order to increase battery life.
Furthermore, software is still limited by hardware. SDR is future proof up to an extent. Once the hardware that runs the digital signal processing software can no longer keep up with modern codecs, it is no longer future proof.

1.5 To the Community
Besides the economic impact of SDR, the community should be made aware of its impact on security and especially on privacy. Around the 1970’s, the National Security Agency developed the Tempest program, which developed ways to spy on foreign communications using low level or accidental radio emission, like the type most electronic devices emit when under normal operation. This low level emission would sometimes carry data that could then be reconstructed and used for other means. The program focuses on making devices that could either receive unintentional electronic emissions or shield devices from releasing them, with certain degrees of success. More recently, the term Tempest has evolved into a more general program under Emissions Security (EMSEC).
The shielding developed by the Tempest/EMSEC programs has varying levels of security, most of which are expensive and reserved for government use. Furthermore, their methods of recovering unintended electromagnetic emission involved expensive and specialized hardware and software. However, due to the inevitable improvement of technology, everyone with $10.00 and a computer can set up their own form of emission surveillance, even if it is to a limited degree.
All electronic devices, no matter what they do, will emit some form of electronic emission. Anyone with a strong enough radio can tune into these signals and determine what the device is doing at that time. And if someone happens to know what devices you carry with you, then you can easily be tracked by someone looking for the specific signals from your combination of devices. Even when turned off, devices can still emit radio waves from components like real time clocks that run on their own power source, or still draw power regardless of the state of the main device. In other words, it’s extremely difficult to be completely private while still having these devices unless you put all of your devices in a faraday cage, but then they might become useless.

2 Recording Radio Waves
As was covered in the introduction, whether intentional or not, all electronic devices emit some form of electromagnetic emission. The behavior of these unintentional emissions is generally unknown, but with further study can be deciphered and used to track the device or recover data without the need to even be close to the device or, in case of networked devices, on the same network. These radio waves can be picked up and recorded by using a cheap radio and free software.

2.1 Hardware
The hardware needed in order to start recording and looking at radio emissions used to be extremely expensive. With recent advances in software and technology the price has gone down considerably. For starters, anything with the Realtek RTL2838UHIDIR chip can be bought for cheap and will usually tune from about 25 MHz to 1750 MHz. Normally these devices are made to tune into television stations, connect directly to a USB port, and come with a small 4 inch antenna, but can use custom drivers and be attached to larger antennas to be used for SDR. This chipset is supported by most if not all free software and can be bought for as little as $10. On the more expensive side, there is the HackRF peripheral that is able to both receive and transmit radio waves from 1 MHz to 6 GHz, and has a much higher sample rate. Generally, the more expensive the radio, the better the data collected.

2.2 Software
These radio chipsets are designed to be able to gather radio waves from a large portion of the electromagnetic spectrum, but they have no built in logic to be able to decode these waves. By definition, all of the signal processing is done by software packages. The easiest program to get started with is GQRX [1] for Linux and OS X, or SDR# [2] for Windows. These programs have basic functionality that allows for reading input from a radio with real-time monitoring. They also have some filtering and decoding for AM and FM waves.
For more complex operations, different custom software is required. Custom command-line utilities can be written using the rtl-sdr [3] library and Python with Python bindings. GNU Radio [4] is another open source option that allows for graphical programming of signal processing blocks for software defined radios. Solutions using GNU Radio are more advanced and require some extensive knowledge of how radio works, so proceed with caution: it is completely possible to fry the radio.

[1] http://gqrx.dk/
[2] http://airspy.com/
[3] http://www.rtl-sdr.com/
[4] http://gnuradio.org/redmine/projects/gnuradio/wiki

2.3 Methodology
The testing methodology is fairly straightforward: just run a preferred software package with a radio attached to your computer and start listening to radio emission around you. Do integer increments when tuning and see if any interesting spikes show up when monitoring.
Every spike has a meaning. There are easy radio waves to look for like AM and FM stations, police radio, and aircraft towers. However, using simple math allows someone to see more interesting radio emission, like those from RAM, computer screens, physical button presses, or just about anything else. For example, when looking for output from RAM, divide the speed of the RAM by the number of channels and it is possible to see electromagnetic waves emitted by RAM, which look like a grid [5]. The same method works for displays: multiply the number of pixels by the refresh rate and the color depth in bits per pixel, and if the display cable is not well shielded then the emission from the display can be recorded and theoretically [6] reconstructed.

[5] Examples of waves collected can be found in the additional posted provided with the paper.
[6] It is completely possible with expensive equipment and good enough algorithms. However, don’t expect to do this with a $10 radio.

2.4 Limitations
The first major limitation is the radio being used to receive and transmit signals, which determines the frequencies that can be tuned into and, in turn, what devices can be tracked. For example, to be able to listen in to the entire AT&T mobile spectrum, one needs a radio that can tune from Band 5 (850 MHz) to Band 4 (1700/2100 MHz). Using a cheap radio like an RTL2832u dongle will not allow full coverage of Band 4, not to mention the sample rate would most likely not be high enough to get usable data. However, using more expensive radios like a HackRF will cover the full spectrum and provide a much higher sample rate.
Antennas are the second major limitation to gathering data using SDR. Antennas determine what types of radio signals will be picked up, as well as the distance at which these signals will be received. The bigger the antenna, the better the quality of the received signal, and the farther away a signal can be recorded. Finally, radio emission will also get in the way of recording data. Accidental emissions from all electronics close to the antenna will add noise to the incoming signal, and make it harder to retrieve usable data.
As technology advances, these limitations become much less relevant. Just a few years ago, gathering radio signals was an expensive process, which can now be done for $10. As SDR chips shrink and become more advanced, the only limitation will be the size of the antenna.

3 Protection
Most countries have their own methods to test devices for radio emissions, and in most cases devices are allowed to emit a certain level of electromagnetic waves in specific spectrums and they must meet these requirements to be able to be sold in that country. It is left to the manufacturer to shield against additional or unintentional electromagnetic emissions. In most cases, manufacturers do not do this, which is why someone can easily start tracking emissions from electronic devices. However, not all unintentional emissions are necessarily bad. They are only worrisome when there is a correlation to some action that is happening on the device. For example, if a small pulse is released every time a key is pressed on a keyboard, then someone can go ahead and write a script that will look for and decode these pulses. Now we have a key logger that doesn’t need to be running on the computer to steal sensitive information. But this is an extreme case, and does not affect every single device with a keyboard. So how do we protect against these types of attacks without having to start sourcing our devices from the NSA and their Tempest program?

3.1 Shielding
A good way to avoid being detected by an SDR scanner is to reduce electromagnetic radiation as much as possible by the use of shielding. Normally, electronic devices have some form of shielding to prevent specific radio waves from interfering with both the device itself, as well as devices around it. In order to minimize stray emissions, shielding has to be taken up to the next level. On the extreme end, there are devices specially designed to not emit unintentional radio waves, which come with specialized chips and modified power sources wrapped in a faraday cage and placed into a heavy metal box. They are also extremely expensive.
There is still hope for individuals who want to be more secure but cannot afford such extreme measures. A good first step is to make sure all purchased equipment meets one or multiple modern emissions tests, like FCC certified machines. Use only shielded cables for all connections, and make sure the cable is as short as possible. Long cables act as antennas that can transmit as well as receive signals. If you’re really paranoid, buy or make a faraday cage, place your equipment inside, and only run a very short shielded USB or Ethernet connection if you need some form of interconnect. Or you could always wrap your devices in copious amounts of tinfoil until they no longer emit a detectable signal.

3.2 Encryption
Hardware shielding isn’t the only protection against someone snooping for unintentional radio emissions. One of the main issues is being able to reproduce viable data from accidental emissions. One way to get around this is to start encrypting all data that is being sent from a device. For example, transferring data over wired interconnects will leak some of that data out as electromagnetic waves. Someone nearby with a radio can then capture these waves and rebuild this data to varying degrees of success. If this data were to be encrypted, reverse engineering said data would be much harder.

3.3 Improved Design
The main way to defend against SDR attacks is by implementing better design. Manufacturers can start designing chips around reducing stray emissions, or making sure that stray emissions do not correlate to any actions on the device. For simpler, single use devices like keyless entry systems or garage door openers, a random key should be used every time to prevent someone from recording the wireless signal and using that in order to replicate the signal from the keyless entry system. This is not much of a threat for newer cars that use a rolling key system, but for other things like garage door openers, it can pose a real threat to safety.
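
The difference between a fixed code and a rolling key, seen from the receiver's side, is sketched below as an added example that is not part of the original paper. It assumes a counter authenticated with a truncated HMAC-SHA256 tag under a shared secret; the frame layout, the WINDOW value, and all keys and codes are constructed for illustration and do not describe any specific commercial product.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: presses made out of range that the receiver tolerates


def make_frame(key: bytes, counter: int) -> bytes:
    """Remote side: 4-byte counter followed by an 8-byte truncated HMAC-SHA256 tag."""
    ctr = struct.pack(">I", counter)
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """The weak design: the same bytes are valid on every press."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        # Verify the tag first so forged counters never move receiver state.
        if not hmac.compare_digest(frame, make_frame(self.key, counter)):
            return False
        # Reject anything already used, and anything implausibly far ahead.
        if not self.last < counter <= self.last + WINDOW:
            return False
        self.last = counter
        return True


def demo() -> dict:
    key = bytes(range(16))            # constructed shared secret
    code = b"\x5a\xa5\x0f\xf0"        # constructed fixed code
    fixed, rolling = FixedCodeReceiver(code), RollingCodeReceiver(key)
    recorded = make_frame(key, 1)     # one legitimate press, as seen on the air
    return {
        "fixed_first": fixed.accept(code),
        "fixed_replay": fixed.accept(code),
        "rolling_first": rolling.accept(recorded),
        "rolling_replay": rolling.accept(recorded),
        "rolling_after_missed_presses": rolling.accept(make_frame(key, 5)),
        "rolling_bad_tag": rolling.accept(struct.pack(">I", 6) + bytes(8)),
        "rolling_beyond_window": rolling.accept(make_frame(key, 5 + WINDOW + 1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'accepted' if ok else 'rejected'}")
```

The receiver has to keep its last accepted counter in non-volatile storage; if that value resets on power loss, previously recorded frames become valid again.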

3.5 Become a Hermit
If you want to be totally and completely secure then the one foolproof plan is to remove yourself from electronics and society. All electronic devices emit some form of electromagnetic wave, which means that they act as radio transmitters that are constantly broadcasting a signal. These transmitters can then be tracked and linked back to their owners. In other words, there is no way to have complete privacy with electronic devices unless you happen to live in a house made of copper plating or wrap all your electronics in faraday cages. Someone will be able to track you by listening in to your electronic devices.

4 Conclusion
“Every device you own is screaming its name into the infinite void”. [7] Whether intentional or not, every electronic device is constantly emitting electromagnetic emissions during the course of normal day to day operation. These emissions are unique to every device due to their purpose and power consumption, as well as any embedded devices they may contain. With enough information, someone can make an emission “map” for any one device and use that to track users and their activities. These emissions are even more vulnerable for devices which no one thinks to secure, like garage door openers, home alarm systems, or even some car keyless entry systems.
Software Defined Radio as a field is becoming cheaper to start every day. Anyone with a computer and $10 can start recording and decoding radio emissions. Add in a bit more money and one can start replicating and sending out these emissions to take control of certain systems. Places like hospitals are especially vulnerable. Most hospitals still rely on pagers, which are extremely vulnerable to attacks using software defined radio in order to send inaccurate or false messages to doctors.
Although worrisome, civilians using cheap radios in order to collect emission are not the main threat. Governments have the ability to take radio emissions collection to the next level, and can reconstruct usable and sensitive data from unintentional emissions by electronic devices, as seen in the Tempest program and proved in the leaked NSA ANT Catalog [8]. The NSA already has devices that can intercept and decode radio frequencies from various electronics, and in turn decipher location data, text data, voice, and video. Most of these were in testing as of 2009, and some were already deployed out in the field. Protecting against these devices is the subject of extensive research by the Tempest and EMSEC program, so “regular” people will not have access to defenses against these attacks.
Currently, security and privacy have become a huge topic not only at the personal or user level, but at the international level. The decrease in cost and increase in capability of software defined radios allow the invasion of privacy to rise to new heights. Unintentional emissions are constantly signaling your devices’ existence, and sometimes putting out sensitive or important data for anyone who is listening, making it impossible to have true privacy without removing yourself from modern society.

[7] Melissa Elliott, DEF CON 21, Noise Floor: Exploring Unintentional Radio Emissions
[8] Available at: https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf

6 References
Elliott, Melissa. DEF CON 21 - Noise Floor Exploring Unintentional Radio Emissions. 9 6, 2013. https://www.youtube.com/watch?v=5N1C3WB8c0o.
Federal Communications Commission. Radio Frequency Safety. n.d. https://www.fcc.gov/general/radio-frequency-safety-0.
Goodman, Cassi. Introduction to TEMPEST. 4 18, 2001. https://www.sans.org/readingroom/whitepapers/privacy/introduction-tempest-981.
Grayver, Eugene. "Disadvantages of SDR." In Implementing Software Defined Radio, by Eugene Grayver. Springer Science & Business Media, n.d.
Lucas, Jim. What Are Radio Waves? 4 6, 2015. http://www.livescience.com/50399-radiowaves.html.
National Security Agency. "NSA ANT Catalog." Electronic Frontier Foundation. n.d. https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf.
Ossmann, Michael. DEF CON 22 - The NSA Playset: RF Retroreflectors. 12 31, 2014. https://www.youtube.com/watch?v=mAai6dRAtFo.
Wagenseil, Paul. How to Spy on Your Neighbors With a USB TV Tuner. 8 8, 2013. http://www.tomsguide.com/us/usb-tv-tuner-software-defined-radio-sdr-radio-spyingprivacy,review-1836.html.
Wireless Innovation Forum. Wireless Innovation Forum. n.d. http://www.wirelessinnovation.org/what_is_sdr.
Wireless Innovation Forum. "Software Defined Radio PDF." Wireless Innovation Forum. n.d. http://www.wirelessinnovation.org/assets/documents/SoftwareDefinedRadio.pdf