Automatic Modulation Parameter Detection In Practice
Johannes Pohl and Andreas Noack
November 28, 2019 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Proprietary wireless protocols everywhere
Example: Smart Home Increase comfort of users through wireless sockets, door locks, valve sensors . . . Devices are designed under size and energy constraints Limited resources for cryptography
Risks of Smart Home Manufactures design custom proprietary wireless protocols Hackers may take over households and, e.g., break in without physical traces
How can we speed up the security investigation of proprietary wireless protocols?
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 2 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Software Defined Radio
Why Software Defined Radios? Send and receive on nearly arbitrary frequenciesa Flexibility and extendability with custom software
ae.g. HackRF: 1 MHz to 6 GHz
(a) USRP N210 (b) HackRF
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 3 Interpretation
101010 Stateless Stateful Analysis Format Format
Generation Simulation
Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Universal Radio Hacker
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 4 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Universal Radio Hacker Popularity
Supported Platforms Available at official linux repositories Windows q, Linux ± and OS X URH is available in official repositories of Arch Linux, Gentoo, Void Linux, Fedora and Most starred repo on GitHub with openSUSE (and homebrew for macOS). #sdr tag Publications DeepSec 2018 [1] Blackhat Arsenal USA 2017 [2] Blackhat Arsenal Europe 2018 [3] WOOT 2018 (USENIX Workshop) [5] IoT S&P 2017 (CCS Workshop) [6]
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 5 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Digital Modulations
So what is a digital modulation? Bits 1 0 1 0 0 + Mapping the binary data, i.e. bits, to Carrier a analog carrier to transport the signal over the air Analog signal has the form ASK A sin(2πFt + ϕ) · We can transport information in FSK amplitude A, frequency F or phase ϕ Amplitude Shift Keying (ASK) Frequency Shift Keying (FSK) PSK Phase Shift Keying (PSK)
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 6 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Interpretation in URH Demodulating signals made easy
Interpretation Phase Features (apart from demodulation) Synchronized selection between demodulated and raw signal Signal Editor, that is, copy, paste, crop, mute signal selections Configurable moving average and bandpass filters
How can we make this even simpler? Automatically detect modulation parameters!
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 7 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Visualization of Parameters For all plots: x axis represents current sample
1 Tnoise
A 0 T 1 − noise − 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 1
A 0 1 − 0 200 400 600 800 1,000 1,200 1,400 1,600 0.3 0.2 center 0.1 Bit length Inst. Freq. 0 200 400 600 800 1,000 1,200 1,400 1,600
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 8 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Detecting Modulation Parameters Automatic detection of modulation type and parameters in Interpretation
IQ Signal
Message Noise level Tnoise Non-weak Modulation Segmen- detection segments Detection tation
M
Quadrature Bit Length center Center Rectangular Demod- Detection Detection signal ulation
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 9 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Noise Level Detection
Finding the noise level Tnoise of a signal is the basis for message segmentation and works the following way:
1 Divide the signal into equal sized chunks Ci . 2 For each chunk, calculate the mean magnitude m = C . i | i | 3 Get minimum mean magnitude m = min m : i . min { i ∀ } 4 Pick magnitudes of chunks those mean magnitudes do not exceed mmin by 10%: M = C , m < 1.1 m noise {| j | j · min}
Finally, the noise level Tnoise is returned as the maximum of Mnoise, to cover the full noise range.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 10 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Message Segmentation: Separate Messages from Noise
Message Segmentation Algorithm
Based on noise level Tnoise from previous step Must be robust against outliers
Use two internal states: snoise – reading noise, smsg – reading message.
Switch states only if consequent samples above/below noise (ca/cb) surpass a threshold to (=outlier tolerance). In practice, to = 10 samples performs well.
c t b ≥ o snoise smsg c t a ≥ o
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 11 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Modulation Detection with help of Wavelet Transform | |
| 5 8 10 4 HWT 6 HWT .
HWT 9 5 | |
| 3 0 500 1,000 0 500 1,000 0 500 1,000 τ τ τ (a) 2-FSK (b) 2-ASK (c) 2-PSK | | | 5 9.27 10 4 9.26 9.25 HWT HWT .
HWT 9 5 | | | 3 9.24 0 500 1,000 0 500 1,000 0 500 1,000 τ τ τ (d) Normalized 2-FSK (e) Normalized 2-ASK (f) Normalized 2-PSK
Figure: Wavelet transforms for FSK/ASK/PSK signals and their amplitude normalized versions November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 12 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Modulation Detection: Feature Extraction
Signal HWT Median filter Variance σ2 normalization | | 1
2 Signal Variance σ2
HWT Median filter Variance σ2 | | 3
2 Variance σ4
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 13 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Modulation Detection: Decision Tree
ASK
yes
σ2 > 1.5 σ2 PSK 2 · 4 no no yes σ2 < 0.15 i σ2 > 10 σ2 FSK i ∀ 2 · 1 yes no yes Pass FFT OOK check no
OOK
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 14 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Center Detection: Take mean of histogram peaks
1
A 0 1 − 0 200 400 600 800 1,000 1,200 1,400 1,600 Sample (a) 2-FSK modulated message
0.25 100 0.2 50 0.125+0.25 0.15 c = 2 0.1 Count Inst. Freq. 0 0 500 1,000 1,500 0.1 0.15 0.2 0.25 Sample Instantaneous Frequency (b) Rectangular signal R(n) after Quad Demod (c) Histogram of R(n) with two peaks
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 15 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Bit-Length and Tolerance Detection
How to determine the Bit-Length? Count subsequent samples above/below found center plateau lengths vector ⇒ In theory, vector only contains multiples of bit-length; but: interrupted by outliers Set tolerance to maximum of values smaller than 5% of maximum plateau length Merge plateaus based on found tolerance like this: (200, 53 , 3 , 44 , 100) (200, 100, 200) |{z} |{z} |{z} |{z} |{z} → |{z} |{z} |{z} Hi Lo Hi Lo Hi Hi Lo Hi Count how often each plateau length nearly divides other lengths, e.g., for (40, 40, 40, 40, 40, 30, 50, 30, 90, 40, 40, 80, 160, 30, 50, 30) the counts are N = 30 : 10, 40 : 35, 50 : 3, 80 : 2 so bit-length is 40 (most frequent) near { }
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 16 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Evaluation with real-world signals
# Manufacturer Description Mod. Samplerate SNR Bitlen #Msgs ∅ Length 1 Action remote (four but- OOK 2 MS/s 10.8 dB 500 19 11.95 Byte tons) for a LED light 2 Audi car open command OOK 5 MS/s 25.8 dB 2400 1 106 Byte 3 Unknown command to sink a OOK 1 MS/s 18.9 dB 300 17 5 Byte bus bollard 4 Brennenstuhl wireless socket re- OOK 1 MS/s 11.7 dB 300 64 13 Byte mote (four buttons) 5 Elektromaten open command for OOK 2 MS/s 16.2 dB 600 11 17 Byte parking gate 6 ESaver remote (four but- 2-FSK 1 MS/s 28.3 dB 100 12 42 Byte tons) for a wireless socket 7 RWE pairing command of 2-FSK 1 MS/s 12.7 dB 100 18 27.17 Byte a wireless socket 8 Scislo garage door open 2-FSK 500 kS/s 14.6 dB 200 8 64.75 Byte command 9 Volkswagen car open command OOK 1 MS/s 32.3 dB 2500 1 53 Byte 10 Xavax radiator valve tem- 2-FSK 1 MS/s 21.8 dB 100 6 231.5 Byte perature command
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 17 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Results when additional noise is added
1 – action 100 2 – audi 3 – audi 80 4 – bollard 5 – brennenstuhl 60 6 – elektromaten 7 – esaver 40 8 – scislo
Accuracy in % 9 – vw 20 10 – xavax
0 0 20 40 60 80 100 Amplitude of additional noise relative to average signal power in % November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 18 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Why does the accuracy of Xavax (Signal #10) drop so early?
(a) Original signal, no additional noise added
(b) Noise with 20% amplitude of mean signal power added
Figure: Reason for accuracy drop of signal #10: The two weaker messages get marked as noise when noise with 20% amplitude of mean signal power added is added.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 19 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Setup
CCU door lock remote control
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 20 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Use-case: Attacking a Wireless Door Lock
Pairing AES-Key AES-Key
central (CCU) door lock remote control
OPEN Command AES-Key Challenge
ResponseAES-Key(Challenge)
new device ACK
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 21 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Adapting parameters live during a recording
Motivation Parameters like center and noise level can change between recordings (varying power levels of devices, changed distances, different antennas) Attacking stateful protocols: Messages need to be demodulated live Avoid annoying record-analyze-adjust cycles
We have to update noise level and center based on continuously received chunks CR .
Adaptive Noise Level for received chunk CR Automatic Center ( Once full message in 0.9 Tnoise + 0.1 max CR if CR < Tnoise Tnoise = · · | | | | receive buffer: perform Tnoise else Center Detection from slide 15.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 22 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Configuring it in the Universal Radio Hacker
Automatic Parameter Estimation Noise and Center will be adapted live during simulation time Both parameters do not need to be manually changed when using a different SDR or antenna Experimental validation proved that setting these parameters automatically is as successful as setting them manually to the correct value
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 23 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Performance measurement
Adaptive noise 19 ms 25 ms 2 Why performance matters? 10− Automatic center Devices have time windows in 6 ms 3 which they expect a response 10− Time window here: 200 ms 191 µs 179 µs 4 In this time window, we need 10− to demodulate Challenge
Time in seconds 5 and, additionally, calculate 10− and modulate correct Response 6 10− Tested on PC with i7-6700K 0 20 40 60 80 100 [email protected] and 16GB RAM Timestamp November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 24 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Result of Interpretation for a typical signal
A lot of data to analyze!
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 26 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Example Protocol: Communication between two Smart Home Devices
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 27 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Example Protocol after hitting the Analyze Protocol Button
Published at USENIX WOOT 2019 [4]
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 28 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References Conclusion
Contribute a multipart system that detects modulation parameters (modulation type, noise level, center, bit-length and tolerance) of a wireless signal Each parameter is returned so it can be fine-tuned afterwards, if needed Speed up security investigations and lower hurdle for wireless hacking beginners Aimed at proprietary protocols with unknown modulation parameters operating on frequencies such as 433.92 MHz or 868.3 MHz usually using binary modulations Basis for future automations such as automatic protocol field inference Future work is support for higher order modulations
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 29 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References
https://github.com/jopohl/urh/releases ± q Contact E-Mail: [email protected] E-Mail: [email protected] Slack: https://bit.ly/2LGpsra GitHub: https://github.com/jopohl
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 30 Introduction Automate the Interpretation Experimental Validation Going live Further Steps References PublicationsI
[1] Johannes Pohl. “Attacking Internet of Things with Software Defined Radio (Workshop)”. In: DeepSec (2018). [2] Johannes Pohl. “Universal Radio Hacker: Investigate wireless protocols like a boss”. In: Blackhat Arsenal USA (2017). [3] Johannes Pohl. “Universal Radio Hacker v2: Simulate Wireless Devices with Software Defined Radio”. In: Blackhat Arsenal Europe (2018). [4] Johannes Pohl and Andreas Noack. “Automatic Wireless Protocol Reverse Engineering”. In: 13th USENIX Workshop on Offensive Technologies (WOOT 19). Santa Clara, CA: USENIX Association, Aug. 2019. url: https://www.usenix.org/conference/woot19/presentation/pohl. [5] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols”. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD: USENIX Association, 2018. url: https://www.usenix.org/conference/woot18/presentation/pohl. [6] Johannes Pohl and Andreas Noack. “Universal Radio Hacker: A Suite for Wireless Protocol Analysis”. In: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy (CCS). Dallas, Texas, USA: ACM, 2017, pp. 59–60. doi: 10.1145/3139937.3139951.
November 28, 2019 Johannes Pohl and Andreas Noack Automatic Modulation Parameter Detection In Practice Slide 31