Arsenal (Part 1): what are the sharp tools of radio hardware security?

Posted by fierce at 2020-02-27

The "Arsenal" series is FreeBuf's latest project! In this series of articles we invite security researchers to share their favorite tools in a particular area of the security community, such as wireless hardware security, code auditing, domain penetration and so on. We hope this series creates a good atmosphere for technical exchange among FB fans, and also helps you find your own direction for development.

This issue's "arms expert": Yang Qing

Yang Qing, ID ir0nsmith, formerly of 360 Unicorn Team and product director of Tianxun at 360 Enterprise Security Group, is the author of the first domestic book on wireless communication security, "Disclosure of Radio Security".

Bazaar men (September 2015 business) - MGM, Las Vegas

[Editor: ir0nsmith's pose here reminds me of a certain meme]

He is also the first person in China to discover and report wireless and RFID security vulnerabilities, served as the "network security engineer" and behind-the-scenes technical director for the Wi-Fi security segment of the 2015 3.15 Gala, and has spoken at security conferences including DEF CON in the United States, CanSecWest in Canada, POC in South Korea, and XCon and ISC in China.

Well, all of the above is the boilerplate bio you can find in the speaker introductions of the major security conferences. Now for the real self-introduction:

First of all, I am a foodie; drinking and hot pot are my favorites. I am also someone who likes to play: a digital-gadget enthusiast who usually enjoys photography (Yang Qing: but I have never once shot a boudoir set) [Editor: what are you saying, I don't understand], and I play PS4 when I have nothing else to do. Most importantly, I am a daydreamer, so I am a die-hard fan of Marvel, DC Comics and other comics and animation, as well as all kinds of science fiction films and American TV series.

[Editor: Marvel? S.H.I.E.L.D.? Like this:

Spin, jump... the joy and sorrow of a dancer go unseen.

One look tells you he's not a serious person.]

So when I was young I wanted to hack, imagining myself as a character in a movie with superb network penetration skills and advanced equipment. Even now, whether it is a car, an airplane or a satellite, I am still curious about the security of these technologies.

This is probably what drove me back then to sit in the subway for days on end with a netbook (a laptop under 10 inches built around Intel's Atom processor) in order to break into the subway's Wi-Fi network and find vulnerabilities that hackers might exploit, to spend several months focused on researching how to break a bus card based on RFID technology, and in the end to write up the vulnerability details in a report and feed them back to the relevant departments.

The following video is a recording from that time (the vulnerability has since been fixed; do not imitate this without authorization).

Unlike back then, when I fought alone, I now have teammates. Moving forward with partners lets us accomplish things I once wanted to do but lacked the energy and ability for.

Unicorn Team was the first team in the world to successfully carry out a low-cost GPS spoofing attack with software-defined radio, hijacking cars, UAVs and other GPS-dependent vehicles, and it holds an invention patent on protection against GPS spoofing attacks.

GPS spoofing attack on a car

GPS spoofing attack on a UAV

It is also the world's first holder of dual-frequency (125 kHz and 13.56 MHz) RFID protection products and the corresponding invention patents. It is currently the team with the most talks accepted at the most recent DEF CON, and it also counts among its members the security researcher "single curiosity", the youngest speaker in DEF CON history, and Huang Lin, the first Chinese woman with a doctorate to attend the hacker conference.

This year is Yang Qing's seventh year at work. His main job covers four areas: leading the team's research group in setting new research directions and priorities; following the hardware R&D team's progress on device development; keeping track of the product team's feature iterations and overseas sales; and supervising the wireless security team's secure operation of 360's wireless LAN and access control systems. On top of that there are media interviews and conference demonstrations, so over the years you may have seen our team at ISC (China Internet Security Conference), SyScan360, HackPwn and other security conferences, or in various TV media.

Wireless security tool recommendations

If I am Batman, Unicorn Team is like Wayne Enterprises' Applied Sciences division, which supplies Batman with all kinds of high-tech equipment and has been the cradle of generations of heroes such as Batman and Robin. The picture below is our hardware R&D and testing room, though it seems rather different from the Batcave.

So in addition to one's own qualities and skills, portable tools matter a great deal. This article introduces some of the hardware and software commonly used in wireless communication security research, in the hope of giving you some inspiration.

1. Nokia N900

This phone is one of my favorite devices (a birthday gift from my wife back when I was broke). The N900 runs Maemo, a Linux derivative, and offers a genuine Linux environment, so installing and using various security tools on it is smooth and easy to port in a way that Android's "fake Linux" cannot match.

In addition, the N900's wireless chip can inject packets via a patched driver, so it does not need a USB wireless adapter over OTG. Together with the aircrack-ng suite, it can capture traffic and evaluate the password strength of nearby wireless hotspots at any time. Thanks to its phone-sized form factor, it can not only collect all kinds of wireless network information about the target environment in advance when you need to do a penetration test on site, but also quickly check whether a wired network is usable. We can pair a Linksys USB network adapter with the N900 to give it wired connectivity, as shown in the following figure:

This way, when you spot a floor socket or wall network jack near the area where you want to carry out a physical penetration test, you can check whether the jack is live in the most inconspicuous way (and don't tell me a laptop would do: squat in a corner with your laptop, plug a network cable into the wall jack, and see whether the "Chaoyang masses", "Xicheng aunties", "Haidian netizens", "Fengtai persuasion team" and company start taking an interest in you...)

The N900 can also connect to an RF module over OTG and, with the rfcat software environment, monitor and replay the traffic of nearby RF control systems (all kinds of remote controls, remotely operated barriers, roller shutter doors, even car key fobs), so you can become the hacker from a fantasy blockbuster in minutes... The following video shows me using the N900 with rfcat to crack a car's wireless key system:

2. Nexus 5

The Nexus 5 can be flashed with the mobile version of Kali (NetHunter), so it too can quickly become a pocket device for wireless network security assessment. Over OTG it can also take a variety of higher-performance wireless adapters, so you can run Wi-Fi auditing software on it to assess specific wireless hotspots with half the effort, as shown in the following figure.

It can also work with the HackID Pro developed by Unicorn Team to assess and analyze common access control systems, as shown in the following figure.

Here we use a card reader to stand in for the access control system; the video demonstration is as follows:

3. Nexus 7

As a tablet, the Nexus 7 can likewise be flashed with NetHunter, which quickly turns it into a device with penetration-testing functions and lets it act as a BadUSB device or an emulated USB keyboard through its USB port. As we all know, some electronic entertainment systems have USB ports. When you want to analyze the security of such a port, for example by connecting a USB keyboard to operate it, would you rather work through the Nexus 7, which looks like it is merely charging while you use NetHunter's keyboard emulation, or clumsily plug in a USB keyboard and start typing, drawing the attention of the staff? The answer is obvious (and imagine what happens when the staff are flight attendants).

4. USRP B210

Don't talk to me about "low-end" products like RTL-SDR and HackRF. As a wireless communication security researcher at 360, if I did not have a few Ettus USRPs on me I would be embarrassed to say hello to the international wireless gurus at hacker conferences, so I go for the B210, which is more portable than the USRP N210 and whose RF performance is of course streets ahead of HackRF or even bladeRF. The small gray box in the figure below is the B210. Now that a USRP has shrunk to this size, are you excited yet? With the B210 and the GNU Radio environment you can research all kinds of wireless communication systems as you please, and even run a GPS spoofing attack test...

GPS spoofing attack on a mobile phone

5. RF watch and "God's right hand"

For common RF remote control systems, provided I can reverse their fixed codes or even their less variable rolling codes, I choose to wear TI's RF watch and use the Chronos software to load the commands of the gate and parking barrier systems I need, then transmit them whenever I want, so that I can enter the area I want at any time. Cool, right? Just like Conan:

Come on, let me show you:

Demonstration of raising a barrier with the watch

Then there is "God's right hand" (sorry, I gave it a strange name), which lets me quickly read information from a target's RFID card. If the target card is a credit card, I can learn which supermarkets, coffee shops, hotels and so on the cardholder frequents. Here is a column from the Legal Evening News that I assisted with:

6. Card shield and safe charging port

Have you ever found an unknown app installed on your phone after charging it at a public charging station or with a stranger's power bank?

Or had your private photos rifled through by a dishonest friend because you plugged your phone into their computer to charge?

As a card-carrying member of the security community, I also carry protective products with me. Threats such as RFID skimming attacks, "black widow" chargers and public charging stations with implanted devices still need to be guarded against, so Unicorn Team's partners created two gadgets to protect 360 employees: a hardware card shield using active RFID protection technology, and a hardware safe charging port using physical shielding and filtering technology.

How well does the card shield protect? See for yourself:

Everyday tool recommendations

Ever since humans have been able to reproduce and evolve, they have relied on making and using tools to make their lives better. So in daily life and work everyone carries a few handy small items; everyone has their own EDC (every day carry). I will not waste words on things like phones and laptops; beyond those, my EDC is as follows:

1. Flashlight

Light is the source of all life, so having something that emits light is always good. Most of the time our phone's torch plays the role of a flashlight, but when you are alone in some extreme situation you absolutely need this "partner"

(because you can hold a flashlight in your mouth. When you have to work with both hands, you don't have a third hand to hold up your phone. What, dear? You'd hold your phone in your mouth? Then I have nothing to say...)

There are many brands of high-power flashlights now. Friends with money can go for SureFire from the United States, which is high-end; friends on a budget can consider domestic products, as there are many good ones now. For example, I usually carry a JETBeam KO-01, which has five brightness levels, up to 1080 lumens, enough to blind cats and dogs every minute! Plus a strobe mode that can send a clear SOS signal when you need help.

Of course, you will ask why I chose this model: because it charges directly over USB, so you can top up the flashlight with a USB cable at any time, which is very convenient for an IT coder, and you don't need to carry an extra 18650 battery charger. After a long time of use, this is what the flashlight looks like:

As for its brightness, I can assure you it will not disappoint: it blinds my dog!

2. Defense pen

Did something strange just appear? Although we live in a civilized society, we sometimes face unknown violent threats. So within our reasonable knife-control regulations, carrying a defense pen maximizes your ability to defend yourself.

(What? Compressed spray? Old man, shame on you...)

The defense pen actually evolved from the kubotan (what is a kubotan? Most are metal, short-stick shaped, with a slightly pointed tip; interested friends can look it up). Compared with a kubotan, the defense pen has one more function, "writing", and is smaller and more portable, basically pen-shaped. I carry a Mosquito defense pen I collected many years ago, as shown in the following figure:

As for how to use it, I won't say much here; if you are interested you can find information online yourself, and if you want to practice, look at Cold Steel's defense pen. In short, the defense pen is the most convenient to carry while still having a lethality that a swinging baton does not. Rest assured.

3. Letter opener

Yes, you read that right, a letter opener. IT otaku are creatures who live on express deliveries, so we must have a handy, sharp "parcel opener" to get those grubby express packages open as fast as possible. My favorite is the Buck neck knife below:

This knife is made of S30V powder steel (one of the best cutting materials) with Bos heat treatment, bringing its hardness to 61 HRC.

4. Multi-tool pliers

Every big boy once wanted a Swiss Army knife and fancied he could "roam the world with one knife". With the development of technology, multi-tools have come a long way, and now more and more people choose multi-tool pliers; after all, pliers can cut wire mesh (wait, why would you cut wire mesh~~)

There are currently three major brands of multi-tool pliers: Victorinox (the Swiss Army knife just mentioned), Leatherman and SOG. The conventional wisdom is that Victorinox pliers are for collecting, Leatherman pliers are better for use, and SOG pliers are for operations.

So as a practical type, I have the classic models from both Leatherman and SOG (Leatherman Charge TTi and SOG S63), as shown in the following figure:

So if I go for a picnic I take the Leatherman, whose main blade also uses S30V steel and cuts all kinds of fruit and meat with ease.

But for anything unrelated to eating, SOG's pliers are better suited to all kinds of environments and needs; after all, the casting precision and durability of its jaws are the most impressive. How is the casting precision shown? The jaws can grip a single hair completely, but I could only use A4 paper to show you (couldn't find a long hair...), as shown below:

Let's compare the differences and positioning of the two pliers in depth, as shown below:

Of course, from a cost-effectiveness standpoint, we can also choose the pliers made by Ganzo; they are good quality and cheap, so losing one won't hurt. If you want cheap but still capable, Gerber's Flik pliers are also a good choice (Green Arrow's Oliver Queen uses them to pull a bullet out of a wall; see an episode of Arrow season 1).

5. Bags

Finally, all the odds and ends introduced above need a suitable bag so you can carry them conveniently. In hot weather I use a Maxgear leg bag for this gear: it takes the load off the shoulders, puts everything in a handier place, and doesn't feel stuffy, since after all it is much like a waist bag... It seems that works not only for the girls but for the gentlemen too.

I hope the "sharp tools" introduced in this article can be of some help in everyone's life and work. To do good work, one must first sharpen one's tools. But what we cannot ignore is the person who truly embodies and brings out the value of the tools, just like the Sword Saint in Fung Wan who, even with a wooden sword, can sweep all before him and dominate the world.

Next issue preview

This content is sensitive and has been "harmonized" by FB customer service.

*This article was produced by the FreeBuf editorial department; reprinted from FreeBuf Hackers & Geeks (freebuf.com)