The Airborne Threat of Software-Defined Radio Attacks

Every day we interact with a world that is invisible to us: the world of Internet-of-Things devices we have come to depend on. Smartphones, routers, digital assistants, smart speakers, cars and home security systems all exchange information wirelessly, over radio channels that anyone with the right equipment can pick up.

At the CypherCon security conference in Milwaukee last month, self-taught radio signal specialist Caleb Madrigal showed the audience how wireless communication works, and how a knowledgeable attacker can abuse it. His tools were a computer, audio-analysis software and a piece of hardware that captures raw radio traffic: a software-defined radio (SDR).

“In theory, with SDR you can potentially interact with any wireless device,” Madrigal told me in an interview. His research focused on the physical layer of wireless devices, the lowest layer of the OSI model, where bits travel between transmitter and receiver as raw radio waveforms. There is no framing or formatting at this level; the signal simply moves from point A to point B.

With an SDR, an attacker can capture a transmission, replay or alter it, or keep it from arriving at all, and in doing so control what the receiving device does. In his experiments, Madrigal applied signal-processing techniques borrowed from audio analysis to synthesize a radio signal from scratch and turn a remote-controlled power outlet on and off. The same method works on other wireless products, with different effects.
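The outlet experiment comes down to synthesizing a waveform from a codeword rather than replaying a capture. The following is an added example of that idea, written for this page and not Madrigal's own code: it builds a pulse-width on/off-keyed (OOK) baseband signal for a bit string, the modulation many cheap remote outlets use, and then recovers the bits from the signal with an envelope detector. The sample rate, symbol length, tone frequency, duty cycles and the 24-bit codeword are all assumptions made for the simulation; the article does not give the real outlet's parameters.

```python
import math
import random

# All numbers below are assumptions for the simulation, not the parameters of
# the outlet Madrigal controlled (the article does not give them).
SAMPLE_RATE = 250_000   # baseband samples per second
SYMBOL_US = 1000        # one symbol lasts 1 ms
TONE_HZ = 10_000        # the carrier shows up as a 10 kHz tone inside the capture
# Pulse-width OOK (assumption): '1' = carrier on for 3/4 of the symbol,
# '0' = carrier on for 1/4 of it.
DUTY = {"1": 0.75, "0": 0.25}


def samples_per_symbol():
    return SAMPLE_RATE * SYMBOL_US // 1_000_000


def ook_samples(bits):
    """Synthesize a real-valued baseband waveform for a bit string.

    This is the 'generate the signal from scratch' step: nothing is replayed,
    the waveform is computed from the codeword alone.
    """
    n_sym = samples_per_symbol()
    out = []
    for b in bits:
        on = int(n_sym * DUTY[b])
        for i in range(n_sym):
            t = len(out) / SAMPLE_RATE
            amp = 1.0 if i < on else 0.0
            out.append(amp * math.sin(2 * math.pi * TONE_HZ * t))
    return out


def add_noise(samples, sigma=0.05, seed=1):
    """Constructed channel noise so the decoder is not tested on a perfect signal."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def envelope(samples, win=25):
    """Moving RMS over one tone period: a crude AM envelope detector."""
    sq = [s * s for s in samples]
    out = []
    acc = 0.0  # running sum of squares over the last `win` samples
    for i, v in enumerate(sq):
        acc += v
        if i >= win:
            acc -= sq[i - win]
        n = min(i + 1, win)
        out.append(math.sqrt(max(acc, 0.0) / n))
    return out


def decode_ook(samples):
    """Recover the bit string: threshold the envelope, then measure the
    on-fraction of each symbol period, starting at the first carrier burst."""
    n_sym = samples_per_symbol()
    env = envelope(samples)
    thr = 0.5 * max(env)
    start = next(i for i, e in enumerate(env) if e > thr)
    bits = []
    pos = start
    while pos + n_sym // 2 <= len(env):
        seg = env[pos:pos + n_sym]
        on_frac = sum(1 for e in seg if e > thr) / len(seg)
        bits.append("1" if on_frac > 0.5 else "0")
        pos += n_sym
    return "".join(bits)


# Constructed 24-bit codeword standing in for an outlet's "ON" command.
OUTLET_ON = "101100111000101010011100"

if __name__ == "__main__":
    wave = add_noise(ook_samples(OUTLET_ON))
    print(len(wave), "samples decode to", decode_ook(wave))
```

In practice the attacker first records a genuine button press, reads the symbol length and duty cycles off the envelope exactly as decode_ook does, and then feeds a waveform like the one ook_samples produces to a transmit-capable SDR. The receiver in the outlet cannot tell the synthesized signal from the remote's.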

The internet offers numerous accounts and demonstrations of unlocking cars fitted with remote keyless entry without touching the keyfob. Thieves have used the technique to steal from cars parked in the driveway, or to steal the cars themselves. It works by picking up the low-power signal from the fob inside the house, amplifying it and relaying it to the car, which is tricked into believing the key is within the accepted range.
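The relay attack succeeds even when the car and fob authenticate each other cryptographically, because the relay only carries bytes and never needs the key. The following is an added example, written for this page and not taken from any vehicle's firmware, that simulates a challenge-response unlock with an HMAC-based fob and shows that a relay adding a couple of milliseconds still passes the car's check. The shared key, the fob latency and the car's response deadline are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for the simulation; not a real vehicle's parameters.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # not a real key
FOB_LATENCY_S = 0.010     # assumption: the fob takes ~10 ms to compute and send its reply
CAR_DEADLINE_S = 0.050    # assumption: the car accepts any reply within 50 ms


class Fob:
    """The legitimate key: answers a challenge with a keyed MAC over it."""
    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """The vehicle: issues a fresh random challenge and accepts a correct
    reply that arrives before the deadline."""
    def __init__(self, key):
        self._key = key

    def new_challenge(self):
        return os.urandom(8)

    def accept(self, challenge, response, elapsed_s):
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, response) and elapsed_s <= CAR_DEADLINE_S


def attempt_unlock(car, fob, relay_delay_s=0.0):
    """One unlock exchange. relay_delay_s > 0 models the attacker's pair of
    radios carrying the challenge to the fob in the house and the reply back
    to the car; the relay forwards bytes unchanged and holds no key."""
    challenge = car.new_challenge()
    relayed_challenge = bytes(challenge)         # relay: forward unchanged
    response = fob.respond(relayed_challenge)
    relayed_response = bytes(response)           # relay: forward unchanged
    elapsed = FOB_LATENCY_S + 2 * relay_delay_s  # one hop out, one hop back
    return car.accept(challenge, relayed_response, elapsed)


if __name__ == "__main__":
    car, fob = Car(SHARED_KEY), Fob(SHARED_KEY)
    print("fob next to car:  ", attempt_unlock(car, fob))
    print("relay, 2 ms hops: ", attempt_unlock(car, fob, relay_delay_s=0.002))
    print("wrong key:        ", attempt_unlock(car, Fob(b"\x00" * 16)))
```

The cryptography does its job against a forged reply (the wrong-key case fails), but the relay never forges anything. A timeout only helps if it is tight enough to bound the radio path: a radio signal covers about a metre in 3.3 nanoseconds, so a deadline that excludes a relay a few metres longer than the legitimate path would have to be measured in nanoseconds, not the milliseconds assumed here.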

The magnetic door and window sensors of a wireless home security system can be kept from delivering their alarm trigger to the panel by flooding their frequency with noise, in what is commonly known as a ‘jamming attack.’ The same works against a wireless security camera, delaying delivery of its video feed or snapshots. This fits a break-in scenario: intruders only need to interrupt coverage for as long as it takes to get past the camera.

Madrigal says such systems could be hardened with additional protection but, because the issues are systemic, it would be very difficult “to build a wireless security system that wasn’t susceptible to any of these SDR attacks [jamming]. It would be a hard job, because it impacts the physical layer.”
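Jamming itself cannot be stopped at the physical layer, as Madrigal notes, but a panel can be built to notice it. The following is an added example, written for this page and not Madrigal's or any vendor's code, of the two checks a supervised alarm panel can run: a sensor that stops checking in on schedule, and a receiver noise floor that stays elevated for longer than a passing burst. The timeline, the sensor names, the check-in interval and the noise thresholds are constructed for the simulation.

```python
from dataclasses import dataclass

# Supervision parameters: assumptions for this example, not any vendor's values.
CHECKIN_S = 60            # each supervised sensor reports in every 60 s
MISSED_LIMIT = 2          # flag a sensor after two missed check-ins
NOISE_FLOOR_DBM = -95.0   # the receiver's quiet noise floor (constructed)
NOISE_RISE_DB = 15.0      # this much above the floor counts as interference
NOISE_HOLD_S = 20         # ...when it persists at least this long


@dataclass
class Event:
    t: int            # seconds since start
    kind: str         # "noise": a receiver RSSI reading; "checkin": sensor heartbeat
    sensor: str = ""
    dbm: float = 0.0


def build_timeline(jam_start=300, jam_end=420, end=600):
    """Constructed scenario: two door sensors check in on a 60 s schedule and the
    panel samples its noise floor every 5 s. A jammer runs during
    [jam_start, jam_end): the noise floor jumps and no check-in gets through."""
    events = []
    for t in range(0, end, 5):
        jammed = jam_start <= t < jam_end
        events.append(Event(t, "noise", dbm=NOISE_FLOOR_DBM + (25.0 if jammed else 0.0)))
    for sensor, offset in (("front_door", 0), ("back_door", 30)):
        for t in range(offset, end, CHECKIN_S):
            if not (jam_start <= t < jam_end):
                events.append(Event(t, "checkin", sensor=sensor))
    events.sort(key=lambda e: e.t)   # stable: a noise reading precedes a check-in at the same t
    return events


def supervise(events):
    """Return (t, alert, sensor) tuples, one per newly raised condition.
    Each noise reading doubles as the supervision tick."""
    last_seen = {}
    noise_since = None
    active = set()
    alerts = []
    for e in events:
        if e.kind == "checkin":
            last_seen[e.sensor] = e.t
            active.discard(("sensor_silent", e.sensor))
            continue
        # Check 1: sustained rise of the noise floor.
        if e.dbm >= NOISE_FLOOR_DBM + NOISE_RISE_DB:
            noise_since = e.t if noise_since is None else noise_since
            if e.t - noise_since >= NOISE_HOLD_S and ("rf_interference", "") not in active:
                active.add(("rf_interference", ""))
                alerts.append((e.t, "rf_interference", ""))
        else:
            noise_since = None
            active.discard(("rf_interference", ""))
        # Check 2: a sensor that has missed too many scheduled check-ins.
        for sensor, seen in last_seen.items():
            key = ("sensor_silent", sensor)
            if e.t - seen > MISSED_LIMIT * CHECKIN_S and key not in active:
                active.add(key)
                alerts.append((e.t, "sensor_silent", sensor))
    return alerts


if __name__ == "__main__":
    for t, alert, sensor in supervise(build_timeline()):
        print(f"t={t:3d}s  {alert:16s} {sensor}")
```

The noise-floor check fires within seconds of the jammer switching on, while the check-in check only fires after the supervision window has elapsed; the two cover each other, since a jammer that keeps its duty cycle low enough to stay under the noise threshold still blocks the heartbeats, and a single lost heartbeat does not raise an alarm on its own.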

Although radio-based attacks are relatively easy to pull off, the researcher says that installing a wireless security system is a decision based ultimately on threat modeling: determining if your countermeasures are sufficient against potential and actual threats. He says that a shop with valuable merchandise would probably avoid such a system, because the effort to bypass it would be well worth the reward.

A software-defined radio lets the operator tune to the frequency a device uses, much like tuning to a radio station. It typically has to be within radio range of the target, and consists of a hardware front end that receives the signal (and, on many models, also transmits) and software that can analyze, modify or synthesize it in a way that affects the receiver or the transmitter.

