By Jonathan Andersson and Federico Maggi
Earlier this year, we published a security analysis of industrial radio remote controllers. In that research, we analyzed different vulnerabilities in the implementation of radio frequency (RF) communication and the possible impact of an attack on these weaknesses. We believe that RF security research is of great importance, especially considering that a growing number of Internet of Things (IoT) and Industrial Internet of Things (IIoT) ecosystems are, and will be, dependent on RF communication. Because of this, aside from our research activity, we take every opportunity to share our learning experiences in depth. For example, Trend Micro Research is in its fifth edition of the Capture the Signal (CTS) contest, a challenge-based game that focuses exclusively on the reverse engineering of radio signals, where researchers, white-hat hackers, and practitioners can learn about RF security while playing.
We are always excited for learning opportunities and new research, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference, where we presented our industrial wireless research and ran a CTS contest, we were given LED wristbands to wear. These are flashing wristbands intended to enhance the experience of an event, party, or show. At first, we were not interested in the security implications; we just wanted to learn. Later on, however, we discovered that the RF link was used to transport an industrial protocol: DMX512 (Digital Multiplex 512), the same protocol used to drive large light shows.
So, despite being small and inexpensive, devices like LED wristbands offer a learning opportunity, and the impact of an attack against their technology can be substantial. Consider, for instance, a major show attended by tens of thousands of people, organized by a well-known company and broadcast to many more viewers: an attack there could affect the organizer's brand reputation.
In this blog post, we give a high-level, simplified overview of our analysis. Our technical brief, "Hacking LED Wristbands as a Learning Opportunity to Jump on RF Security," discusses in detail how we carried out each step, and how technical readers can replicate it.
Figure 1. Summary of the evaluation process
The LED wristband
The idea of performing an RF security analysis of the wristbands came to us right there at the party. Our impromptu research soon made us realize that these small devices make an ideal target for learning and sharing. Having noticed how the wristbands would light up and flash in sync with the music, we wondered what kind of RF components might be behind them.
While standing close to the DJ stage, we spotted what looked like a transmitter. A quick search of the name on it (Drome) showed that, despite being based in the Netherlands, the vendor has customers around the world who use its products. Considering the wide range of products sold by vendors in this space, it is safe to say that devices like LED wristbands have substantial adoption.
Opening up one of the wristbands, we found that it is based on a CC113L receiver, the receive-only variant of the popular CC1101 transceiver made by Texas Instruments.
Having confirmed that we were indeed dealing with an RF device, we proceeded with the analysis. We had our software-defined radio (SDR) gear in our backpack, a bladeRF, and we used it to make as many RF captures as we could. The captures allowed us to compare different packets and reveal the overall packet structure. Packets in this context determine the light colors and flash rates, or the displayed "effects."
With this, we could map the captured packets to effects or controls. Not surprisingly, we confirmed that there was no anti-replay mechanism, so we could replay captured packets to interfere with the "color" commanded by the DJ throughout the party.
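What the missing anti-replay check would look like, as an added example that is not part of this post or of the wristband protocol: each frame carries a monotonically increasing counter and a truncated HMAC under a key shared between the transmitter and the wristbands (the frame layout, the key, and the sample frames are all assumptions for illustration). A receiver that tracks the highest counter accepted so far rejects a re-sent capture even though its bytes are identical to a legitimate frame, and rejects a forged frame because the tag does not verify.

```python
import hashlib
import hmac
import struct

# Hypothetical shared key for one show. The wristbands analyzed in the post
# have no key at all; this is an illustration of the check they lack.
SHOW_KEY = b"example-show-key-not-a-real-secret"
TAG_LEN = 4  # truncated HMAC-SHA256 tag, short enough for a small radio frame


def build_frame(counter: int, payload: bytes, key: bytes = SHOW_KEY) -> bytes:
    """Transmitter side: frame = counter (4 bytes, big-endian) || payload || tag."""
    body = struct.pack(">I", counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Receiver side: verifies the tag, then rejects any counter that is not
    strictly greater than the highest counter accepted so far."""

    def __init__(self, key: bytes = SHOW_KEY):
        self.key = key
        self.highest = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.highest:
            return None                      # replay of an older frame
        self.highest = counter
        return body[4:]


def demo():
    """Constructed exchange: the DJ sends red, then blue; an attacker replays
    the captured red frame and then tries a frame built with the wrong key."""
    rx = Receiver()
    red = build_frame(1, b"\x01\xff\x00\x00")
    blue = build_frame(2, b"\x01\x00\x00\xff")
    forged = build_frame(3, b"\x01\x00\xff\x00", key=b"wrong-key")
    return [rx.accept(red), rx.accept(blue), rx.accept(red), rx.accept(forged)]


if __name__ == "__main__":
    print(demo())
```

A receive-only chip such as the CC113L could still perform this check, since it needs no handshake, only a counter and a key; the practical obstacle is provisioning a secret into thousands of disposable wristbands.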
After capturing the signals, we started a more in-depth analysis. We had to do some filtering and custom error correction in post-processing, since the captures were incomplete. Luckily, Universal Radio Hacker (URH) has built-in partitioning filters, noise-reduction features, and scriptable packet processors, which come in handy in such situations.
Since we were dealing with a digital packet radio, we had to demodulate the recorded signal to "see" the bits. From there, we could locate the preamble, which is needed in almost any digital packet radio communication to "wake up" the receiver and give it a reference to lock onto the symbol rate. After this step, our bitstream started to look cleaner.
We wrote a custom post-processor to fix the demodulation error in the first two bits of the preamble. With the preamble fixed, we went on to diff the packets to reverse-engineer the packet structure.
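As an added example (not the post's own scripts), here is the shape of that post-processing in Python: restore the two mis-demodulated preamble bits, validate the preamble, locate the sync word, and diff the payloads of captures taken while different effects were showing. The preamble and sync word values (alternating 0xAA bytes and 0xD391) are the CC1101 family's defaults, assumed here rather than read off the page, and the payload layout of the constructed captures is invented for illustration and is not the wristband format.

```python
# Assumed CC1101-family framing: four 0xAA preamble bytes (alternating 1/0)
# followed by the default 0xD391 sync word. Neither value is stated on the page.
PREAMBLE = "10101010" * 4
SYNC_WORD = "1101001110010001"


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def fix_preamble(bits: str) -> str:
    """Overwrite the first two bits with the expected preamble values.

    Mirrors the post-processing step described above: the demodulator
    mis-decoded the first two preamble bits, and because the preamble is a
    known constant we can simply restore it instead of discarding the packet.
    """
    if len(bits) < len(PREAMBLE):
        raise ValueError("bitstream too short to contain a preamble")
    return PREAMBLE[:2] + bits[2:]


def extract_payload(bits: str) -> bytes:
    """Validate the preamble, locate the sync word, return the payload bytes."""
    fixed = fix_preamble(bits)
    if not fixed.startswith(PREAMBLE):
        raise ValueError("preamble damaged beyond the first two bits")
    idx = fixed.find(SYNC_WORD, len(PREAMBLE))
    if idx < 0:
        raise ValueError("sync word not found")
    body = fixed[idx + len(SYNC_WORD):]
    body = body[: len(body) - len(body) % 8]      # drop a trailing partial byte
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def diff_packets(captures: dict) -> dict:
    """Byte offsets whose value differs across captures, mapped to {label: value}.

    Offsets that never change are candidates for fixed header fields; the
    ones that vary with the effect shown are the fields worth reversing.
    """
    lengths = {len(p) for p in captures.values()}
    if len(lengths) != 1:
        raise ValueError("captures have different lengths; align them first")
    (n,) = lengths
    varying = {}
    for off in range(n):
        values = {label: p[off] for label, p in captures.items()}
        if len(set(values.values())) > 1:
            varying[off] = values
    return varying


# Constructed captures with a hypothetical layout [len, cmd, R, G, B, rate].
# This is NOT the real wristband protocol, only sample input for the diff.
PAYLOADS = {
    "red":       bytes([0x05, 0x01, 0xFF, 0x00, 0x00, 0x20]),
    "green":     bytes([0x05, 0x01, 0x00, 0xFF, 0x00, 0x20]),
    "blue":      bytes([0x05, 0x01, 0x00, 0x00, 0xFF, 0x20]),
    "blue_fast": bytes([0x05, 0x01, 0x00, 0x00, 0xFF, 0x08]),
}


def simulate_capture(payload: bytes) -> str:
    """Build a demodulated bitstream whose first two preamble bits are wrong,
    reproducing the demodulation error the post-processor has to correct."""
    clean = PREAMBLE + SYNC_WORD + to_bits(payload)
    return "01" + clean[2:]


def analyse() -> dict:
    captures = {label: extract_payload(simulate_capture(p)) for label, p in PAYLOADS.items()}
    return diff_packets(captures)


if __name__ == "__main__":
    for off, values in analyse().items():
        print(f"byte {off}: {values}")
```

On the constructed input the diff reports offsets 2 to 4 as varying with the color and offset 5 as varying with the flash rate, while offsets 0 and 1 stay constant; with real URH exports you would load the demodulated bit strings in place of `simulate_capture`.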
Embedded protocol investigation
Although we had obtained the packet structure, we still needed to know the radio parameters. To determine them, we dug deeper into the radio settings.
As is typical of embedded packet radios, the radio chip and the microcontroller unit (MCU) are connected via the serial peripheral interface (SPI). Intercepting the SPI communication allows anyone to determine the modem parameters (e.g., frequency, modulation, frequency deviation, and bandwidth) from the configuration registers the MCU writes into the radio.
We used Sigrok, an open-source signal analysis suite, to interpret the signals recorded with a logic analyzer and decode the SPI transactions. Back when we looked at the CC1120 transceiver, there was no decoder available, so we had to write our own. This time we were lucky, because Sigrok had recently added support for the CC1101, which belongs to the same family as the CC113L. With it, we got an almost perfect reconstruction of the register values. Using SmartRF Studio, a configuration tool developed by Texas Instruments (the very manufacturer of the examined radio chips), we derived the RF parameters from the register values.
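How decoded SPI frames turn into RF parameters, as an added example that is not the authors' tooling: the block replays constructed MOSI frames (a strobe, two burst writes, one single write, and a status read; not the frames captured from the wristband) into a register map, then applies the CC1101 datasheet formulas for carrier frequency, data rate, receive bandwidth, frequency deviation, and modulation format, which is the computation SmartRF Studio performs for you. It assumes a 26 MHz crystal and that the CC113L shares the CC1101 register layout.

```python
# Crystal reference assumed for this example; 26 MHz is the usual CC1101 reference.
F_XOSC = 26_000_000

# CC1101 configuration register addresses (the CC113L is assumed to share this map).
FREQ2, FREQ1, FREQ0 = 0x0D, 0x0E, 0x0F
MDMCFG4, MDMCFG3, MDMCFG2 = 0x10, 0x11, 0x12
DEVIATN = 0x15

# MOD_FORMAT field of MDMCFG2 (bits 6:4).
MOD_FORMAT = {0: "2-FSK", 1: "GFSK", 3: "ASK/OOK", 4: "4-FSK", 7: "MSK"}

# SPI header byte: R/W in bit 7, burst in bit 6, register address in bits 5:0.
READ_BIT, BURST_BIT, ADDR_MASK = 0x80, 0x40, 0x3F


def reconstruct_registers(frames):
    """Replay SPI frames (MOSI bytes between chip-select assert and release)
    into a register map. Handles single writes, burst writes (the chip
    auto-increments the address), and ignores reads and command strobes
    (addresses 0x30-0x3D), which carry no configuration data."""
    regs = {}
    for frame in frames:
        if not frame:
            continue
        header, data = frame[0], frame[1:]
        if header & READ_BIT:
            continue                          # read: MOSI data bytes are don't-care
        addr = header & ADDR_MASK
        if 0x30 <= addr <= 0x3D:
            continue                          # command strobe (SRES, SRX, ...)
        if header & BURST_BIT:
            for offset, value in enumerate(data):
                regs[addr + offset] = value   # later writes overwrite earlier ones
        elif data:
            regs[addr] = data[0]
    return regs


def derive_rf_parameters(regs):
    """Apply the CC1101 datasheet formulas to the reconstructed registers."""
    freq_word = (regs[FREQ2] << 16) | (regs[FREQ1] << 8) | regs[FREQ0]
    carrier_hz = F_XOSC / 2**16 * freq_word

    drate_e = regs[MDMCFG4] & 0x0F
    drate_m = regs[MDMCFG3]
    data_rate_baud = (256 + drate_m) * 2**drate_e / 2**28 * F_XOSC

    chanbw_e = (regs[MDMCFG4] >> 6) & 0x03
    chanbw_m = (regs[MDMCFG4] >> 4) & 0x03
    rx_bandwidth_hz = F_XOSC / (8 * (4 + chanbw_m) * 2**chanbw_e)

    dev_e = (regs[DEVIATN] >> 4) & 0x07
    dev_m = regs[DEVIATN] & 0x07
    deviation_hz = F_XOSC / 2**17 * (8 + dev_m) * 2**dev_e

    modulation = MOD_FORMAT.get((regs[MDMCFG2] >> 4) & 0x07, "reserved")
    return {
        "carrier_hz": carrier_hz,
        "data_rate_baud": data_rate_baud,
        "rx_bandwidth_hz": rx_bandwidth_hz,
        "deviation_hz": deviation_hz,
        "modulation": modulation,
    }


# Constructed MOSI frames, not the ones captured from the wristband. The
# register values are the well-known 868 MHz / 38.4 kBaud GFSK preset.
SAMPLE_FRAMES = [
    [0x30],                       # SRES strobe: no data, ignored
    [0x4D, 0x21, 0x62, 0x76],     # burst write FREQ2, FREQ1, FREQ0
    [0x50, 0xCA, 0x83, 0x13],     # burst write MDMCFG4, MDMCFG3, MDMCFG2
    [0x15, 0x35],                 # single write DEVIATN
    [0xF0, 0x00],                 # read of the PARTNUM status register, ignored
]


def analyse(frames=SAMPLE_FRAMES):
    return derive_rf_parameters(reconstruct_registers(frames))


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:16} {value}")
```

With a real capture, the frames would come from Sigrok's decoder output instead of the constructed list; feed them in capture order, since a later write to the same register must win, and check the result against SmartRF Studio before trusting it.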
At this point, we had the parameters to reconstruct a frame and had successfully rebuilt 99 percent of the packet structure. We could now forge packets and control the wristbands in any way we wanted. However, we leave this as an exercise for readers who want an opportunity to try RFQuack, our open-source RF analysis framework, which can be used to analyze almost any radio protocol without the need to build custom software receivers.
Conclusion and security concerns
This experience was a useful exercise that allowed us to test and increase our knowledge of RF technologies and share it with the community. From a security perspective, this case is worth looking into, as it demonstrates the ubiquity of RF technology and, consequently, the attack opportunities it creates. While devices like LED wristbands may seem innocuous, looking at the bigger picture (e.g., application variety, vendor reach, brand reputation damage) makes it clear that there is more to these devices than meets the eye.
Our technical brief, "Hacking LED Wristbands as a Learning Opportunity to Jump on RF Security," details our analysis and explains how we conducted each step summarized here, and how interested readers can reproduce it themselves.
The post Hacking LED Wristbands: A "Lightning" Recap of RF Security Basics appeared on .