
Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods

Matt Knight

This paper has been accepted.

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of RF protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will classify and discuss the different types of wireless attacks. As we introduce each new attack, we will draw parallels to similar wired exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos.

Attendees will come away from this session with an understanding of the mechanics of radio-based network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

The final white paper will elaborate on each attack primitive, drawing comparisons to analogous attacks on wired networks and covering the resulting behavior and consequences, recent examples of each attack, and the mitigations or limitations that apply to each. We think it will be a valuable reference for security researchers who wish to bridge their wired and IP network skills into the wireless domain, and for security practitioners who wish to learn more about RF security in general.

About Matt Knight

Matt Knight is a software engineer and security researcher at Bastille, with a diverse background in hardware, software, and wireless security. In 2016, he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.

About Marc Newlin

Marc Newlin is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities. A glutton for challenging side projects, he competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.