Monday, September 01, 2014

Learning SDR

I recently launched Software Defined Radio with HackRF, an instructional video series that I hope will make it easier than ever for people to learn the basics of Software Defined Radio (SDR).

When I first learned to use SDR for my wireless security research, it was hard. At first I thought, "I can build radios out of software! I don't know anything about building radios, but I know software. Now with SDR I can build radios!" Unfortunately that wasn't quite true. I quickly learned that, even though I knew a thing or two about software, I knew nothing about Digital Signal Processing (DSP). I also learned that DSP is a lot more complicated than it seemed at first.

Fortunately I happened to be in the best possible place to learn SDR (electronics too) at the time. I was surrounded by RF engineers, and several of them were DSP experts. (I told this story in more detail during a panel discussion at the DEF CON 22 Wireless Village.) Even so, it took me a year or two before I was competent enough to build flexible SDR implementations that were useful for my research. As I finally achieved this goal, I started trying to help other people in the information security community learn to use the technology because I could see that there is no better tool for wireless security research, and especially for reverse engineering of radio signals, than SDR.

The first place I tried to do this was at Black Hat USA 2008. In my talk, Software Radio and the Future of Wireless Security, I hoped to teach people the basics of SDR in less than an hour. I thought I could do something like "DSP in five minutes", but, as I developed the presentation, it turned out that I couldn't distill the essentials into such a small amount of time. The following year, Dominic Spill and I volunteered to give a two-day SDR workshop at the first ToorCamp. We prepared some material, borrowed a little gear, and set out to teach people the practical skills of working with SDR. This effort was much better, but we had some problems. We only had enough equipment for three to six people, and about thirty showed up. We were in a hot desert full of volcanic ash that invaded all our gear. We had frequent power outages. Despite these challenges, we had a good time, and several people were able to learn some essential skills.

A few weeks later at DEF CON, Sergey Bratus convinced me to make a second attempt at the class in a more favorable setting. We happened to have the conversation while standing next to H1kari, who offered a room at ToorCon San Diego, and I've been teaching there every year since then. I think we had five or six people that first year. It went quite well, but it was a challenge getting enough hardware together to allow everyone to fully participate. As the years went by, it became clear that the greatest barrier to entry was the hardware. My classes grew slowly, but they were attended primarily by people who already had SDR equipment. I was accomplishing my goal of teaching security folks about SDR, but I wasn't reaching very many people.

I had been kicking around the idea of trying to build a low cost SDR hardware platform for a long time. In fact, Project Ubertooth was originally intended to be an SDR platform. One of the primary reasons I was interested in building an SDR platform was to be able to provide something that my students could afford, something that could even be rolled into the cost of the class. It took a long time, but I eventually started the HackRF project and later completed HackRF One, an open source hardware platform for SDR. HackRF One is the most affordable general-purpose SDR transceiver in the world, and it allows more people than ever before to learn SDR.

These days I still teach at ToorCon, and I also often teach at other information security events including TROOPERS and Black Hat. The availability of HackRF (and rtl-sdr and more) has made SDR accessible to everyone in the security community and beyond. It is finally possible to bring SDR to a much wider audience, so I have started turning my course content into an online video series.

Software Defined Radio with HackRF is published under an open content license. As I continue to add more videos, I hope that it will become an even more thorough introduction to SDR than I am able to squeeze into a two-day class. I hope that with this series and my in-person training, I have finally achieved my dream of making SDR easy to learn. Instead of taking a year, now people can spend a few days of fun experimentation and get started with this exciting technology.

Talking SDR with Robert Ghilduta and Balint Seeber

As usual, the DEF CON Wireless Village put on an excellent program this year at DEF CON 22. In addition to the fantastic Wireless CTF contest, the village put together an impressive schedule of talks worthy of a much larger room.

Among the speakers lined up by the village were Balint Seeber of Ettus Research, Robert Ghilduta of Nuand, and myself of Great Scott Gadgets. Since the three of us were in the same place at the same time, we sat down for a long panel discussion on Software Defined Radio. Thanks to the Wireless Village crew and Adrian Crenshaw, you can now watch video of the conversation.

I'm looking forward to next year's Wireless Village. Hopefully with a larger venue for DEF CON 23, the village will have space to seat all of the people who want to attend the events there.

Thursday, July 31, 2014

The NSA Playset

Shortly after the NSA ANT catalog was leaked, I started thinking about how to make the gadgets in the catalog. Many of the capabilities described in the ANT catalog are things that we in the information security community already know how to do to some extent, and every one appears to be something that we can build with off-the-shelf or open source hardware and software.

I prepared a talk for Hack In The Box (Amsterdam) 2014 called The NSA Playset and later gave the same talk at ToorCamp 2014. In this presentation, I shared my thoughts about how we in the open security community can build everything in the catalog. My focus was primarily on hardware.

At ToorCamp I was fortunate to be joined by Dean Pierce, who originally came up with the name, "NSA Playset". Thanks to Marshall Hecht, we have video of the presentation at ToorCamp.

You can also download slides from the presentation, but you should watch the video to understand what we were trying to say.

The NSA Playset project has grown quite a bit over the past few months, and we encourage new people to contribute. We have a wiki where we are starting to develop pages for individual solutions with some similarity to capabilities in the ANT catalog. It's still pretty thin, but look for several things to be finalized there as we present various topics at DEF CON 22. We discuss upcoming NSA Playset contributions on our mailing list.

Next weekend at DEF CON, we have several events planned:

There is a good chance you'll be able to see additional NSA Playset content, from us or others, at future information security conferences.

Since my talk at HITB, the project has had a fair bit of press coverage, notably from Help Net Security, New Scientist, and ZDNet. At ToorCamp I did a video interview for Hak5. Note to reporters: I'd love to talk to you after you watch my DEF CON talk. At the talk I'll let you know when and where I'll have an open Q&A session.

Tuesday, June 10, 2014

Interview on Security Weekly

I had a great time talking with Paul and company on Episode 376 of the Security Weekly Podcast. We talked a little about HackRF, but most of the discussion was about Ubertooth and Bluetooth security. This conversation prompted me to write a full description of how we recover Bluetooth UAPs by passive monitoring with Ubertooth.

The Amp Hour #198

We discussed Daisho, USB 3.0, Chris's portalab, and many other things on Episode 198 of The Amp Hour.

Saturday, April 26, 2014

The Amp Hour #185

Chris and I interviewed Hank Zumbahlen, analog expert, on Episode 185 of The Amp Hour.

Friday, January 10, 2014

HackRF Present and Future

At CSAW THREADS in November I gave a talk about the present and future of the HackRF project (video). I reviewed the new HackRF One design, and then I showed all sorts of different things that people are already doing with HackRF Jawbreaker. It's pretty exciting to see all the applications that people are coming up with!

Saturday, January 04, 2014

The Amp Hour #177

I joined Dave and Chris again on Episode 177 of The Amp Hour. Happy Festivus!

Saturday, November 16, 2013

Multiplexed Wired Attack Surfaces

Kyle Osborn and I presented Multiplexed Wired Attack Surfaces at ToorCon 15. This was the second time we gave the talk. The first was at Black Hat USA 2013, but the ToorCon video was posted first.

The basic idea is that connectors on electronic devices are often used in unexpected ways and that some devices, especially phones and tablets, even multiplex several functions onto a single connector. We demonstrated how we are able to access an interactive shell on certain Android phones by connecting a special serial adapter to the phone's USB port; although we were physically connected to the phone via the USB port, we were not using USB.

Similar multiplexed interfaces are present on a wide variety of portable devices, often accessible via USB or headphone connectors. An excellent example using a headphone jack was published earlier this year. We hope that our talk will raise awareness about the attack surfaces presented by these types of interfaces.

The talk at ToorCon was a lot of fun. We got a shell and activated adb on a phone handed to us by a volunteer from the audience. I hope you enjoy the video, but you should also read the paper we wrote for Black Hat.

We've posted links to several resources related to the talk.