1Penetration Testing Wireless Systems using SDR
In this article we are going to discuss Penetration Testing Wireless Systems using SDR or embedded wireless systems, now understanding embedded systems that transmit simple wireless signals to the ECU. Embedded wireless systems can be easy targets.
They often rely on short-range signals as their only security, and because they’re small devices with specific functionalities, there are typically no checks from the ECU to validate the data outside of the signal and the CRC algorithm. Such systems are usually good stepping stones for learning before looking at more advanced systems, such as those with keyless entry, which we will discuss later. We’ll look at the technology that unlocks and starts your vehicle as we explore both the wireless side of keyless entry systems and the encryption they use. In particular, we’ll focus on the TPMS and wireless key systems. We’ll consider possible hacks, including ways that the TPMS could be used to track a vehicle, trigger events, overload the ECU, or spoof the ECU to cause unusual behavior. I hope you have read my previous article from where I started discussing about Cars Penetration Testing and my 2nd article about it.
Wireless Systems and SDR (Penetration Testing Wireless Systems using SDR)
First, a quick primer on sending and receiving wireless signals. To perform the type of research discussed, you’ll need an SDR, a programmable radio that sells anywhere from $20, for example, RTL-SDR, to over $2,000, for example, a Universal Software Radio Peripheral (USRP) device from Ettus Research. The HackRF One is a good and very serviceable option from Great Scott Gadgets that will cost you about $300, but you’ll most likely want two so you can send and receive at the same time. One significant difference between SDR devices that has a direct effect on cost is the sample rate, or the number of samples of audio carried per second. Unsurprisingly, the larger your sample rate, the more bandwidth you can simultaneously watch—but also the more expensive the SDR and the faster the processor needs to be. For instance, the RTL-SDR maxes out at around 3Mbps, the HackRF at 20Mbps, and the USRP at 100Mbps. As a point of reference, 20Mbps will let you sample the entire FM spectrum simultaneously. SDR devices work well with the free GNU Radio Companion (GRC) from GNURadio, which you can use to view, filter, and demodulate encoded signals. You can use GNU Radio to filter out desired signals, identify the type of modulation being used (see the next section), and apply the right demodulator to identify the bitstream. GNU Radio can help you go from wireless signals directly to data you can recognize and manipulate.
Signal Modulation (Penetration Testing Wireless Systems using SDR)
To apply the right demodulator, you first need to be able to identify the type of modulation a signal is using. Signal modulation is the way you represent binary data using a wireless signal, and it comes into play when you need to be able to tell the difference between a digital 1 and a digital 0. There are two common types of digital signal modulation: amplitude-shift keying (ASK) and frequency-shift keying (FSK).