The next talk is going to be by Jiska, who is working at the university in Darmstadt as a PhD student, mainly on physical layer security. You might also know her from embroidery machines (difficult word) and past CCC game shows. But today she's talking about building and breaking wireless security. Give her a warm welcome.

Welcome to my talk about building and breaking wireless security. I have five sections. First, I will show you some hardware, and then I will talk about wireless channels, because this is a very physical-layer-focused talk and we will need this background to understand how to break and build wireless security. In the end I will give you some hints on how to get started during the Congress.

So first, the hardware. For a long time the only way to do the things that I'm going to show you today was very expensive hardware like spectrum analyzers or oscilloscopes, and the problem is that private people cannot afford this; you have to go to a university or a big lab. But many of you got a rad1o badge during the camp, and there's also another thing that you can buy called the HackRF. They go up to 6 GHz, or 4 GHz for the rad1o badge, and they have a sampling rate of 20 megasamples per second, which means you can even transmit and receive Wi-Fi with them. So very cool hardware, and if you don't have one you can also buy the HackRF. But some of you might say, well, 200 euros is still too much because I'm just a student, and there's another option, which is DVB-T sticks, and you can still do great things with them. They are in a range where you can do things like decoding car keys, decoding bus transmissions, decoding GSM, for example. And then there's a cheap option for transmissions, the Raspberry Pi, where you just connect one of the GPIO pins to a long antenna wire, modulate a signal on this GPIO pin, and you get a low-frequency signal.
However, it's not the nicest signal, so if you want to have something cheap, yeah, okay, but it's not the best option. So just to get a short impression: how many of you have any of the hardware just mentioned here? Wow, great.

So now I'm going to talk about the concept of wireless channels. A wireless channel can be imagined as follows. You have Alice, and she is transmitting a sine wave, and towards the receiver, Bob or Charlie or whoever, this amplitude first gets lower, so there is not that much signal power anymore, and over distance you also get a phase shift within the sine wave. So the channel between Alice and Bob is basically the amplitude and phase change. The next thing is that there is even more than just a line of sight. For example, on walls you have absorption, but you might also get a reflection on a wall, and at this point in time you have two paths which might hit a receiver. At the receiver this happens with a time offset: in the time domain this looks like a very strong signal first, and then you might get a lower copy of the signal from the second path, and so on, so you get a channel impulse response in the time domain. The next part is that you also get a frequency response, which means these path effects are different per frequency. For example, if you have a prism, you know light just has different frequency components which refract in a prism, and you get the same effect for different frequencies and objects, so you also get a frequency response because you have different paths per frequency. Even worse, transmitters and receivers and objects in between might all move, and you can think of a moving transmitter as shrinking the sine wave in one direction and stretching it in the other, so you get a frequency offset just from moving objects in between. All these things are path effects which you can measure, and now the question is: okay, we have all these measurements, but how can we use this to break wireless security?

Typically network security is done as follows. You have an upper layer, and you have some cryptography there, for example TLS or WPA2, and whatever you do there you always get some bits as an output. These bits are then just transferred into a waveform, and the waveform in the end is the thing that leaves your antenna, and nobody really cares about this. So first of all, cryptography has a big problem, which is eavesdropping. You can assume that if you eavesdrop something today you can decrypt it in 20 years for very, very sure, just because of computation power, and if there is some other flaw in the implementation maybe even earlier. Everybody in wireless transmission range can just eavesdrop without being noticed and decode the signal later. The next problem is that if you have multiple eavesdroppers, they can locate the signal source, and the problem there is that the signal source is then no longer anonymous: you just know the position, and privacy is gone. Also, multiple or better antennas can enhance the reception range for the eavesdropper. And you can also inject signals, which means that normally at the receiver all signals just add up; if there's a low and a high signal they just add up, and the receiver just has an automatic gain control, takes the strongest signal, and is happy. So whatever you have, the one who is sending, let's say, the loudest is the one who will be interpreted.

Maybe many, many of you thought the main topic of this talk is protocol reverse engineering, but it is not. However, I'm just shortly telling you about it because this might be your expectation. Normally you just see some wireless transmissions going on, you are eavesdropping, and then you try to find out the bits in the signal, which is most of the time not that complicated because there are many popular modulation schemes and you just try some popular things. Then you try to map some bits to the actual content that you are expecting, so for example you say this thing might be a bus stop display and you know the names of bus stops and then you try to map it. This is what Onar did two years ago, and she did it with a simple DVB-T stick, nothing else, and she decoded the bus stop display.

Another thing is wormholing, which is also still a little bit upper layer. You might have an electronic passport, and you might have a server in between, and then a reader, and even if they have some signatures you can still forward everything and it's working, and you can eavesdrop all transmissions between the passport and the reader. However, this takes some milliseconds, and some milliseconds at the speed of light, which is the speed of wireless wave transmissions, would be thousands of kilometers, so you might want to measure the time. Now the idea of measuring the time becomes more physical layer, but there have been some cryptographic protocols where people say, wow, it's so secure, we proved it. For example, you just have bit challenges, and you say a receiver has to first read a bit before he can spoof the bit again. But on wireless waves the bit actually has a waveform, and you might just read the first few percent of this waveform, let's say the first 20 percent, and then you can say for pretty sure whether it might be a one or a zero. This means you can shorten the time of interpreting a bit and spoofing it again, which means you can shorten the distance, or actually travel in time and predict something before you should be able to predict it. This is a very big problem, for example if you have a car key and you can shorten the distance; the distance measurement is a big issue.

Another thing that I wanted to show you is reactive jamming. Reactive jamming means you have multiple participants in a network and you want to jam certain things in this network. For example, you might only want to jam Alice, and whenever you see Alice's MAC address you jam into her frame and break it. The nice thing about Wi-Fi is that Wi-Fi actually tries to avoid collisions, and the more collisions happen and the more packets don't get through the network, the worse the situation gets, because Alice just thinks, well, there's much contention, and then she has a backoff timer and increases the time slots in which she tries to send again. She is sending less and less often because all her transmissions fail, and the attacker just has to jam less often and gets all the bandwidth. You can do this, for example, also if you just break some Wi-Fi firmware, and you can get all the bandwidth for just 15 dollars. Great.

You might also build some security with jamming. There has been the idea of just, well, jamming everything around you, so you disable communication, and then you can say: if this jamming signal is pseudorandomly generated by a key, then everybody who has the key can subtract the pseudorandom signal again, because he or she can calculate it and then subtract it, and just subtracting two signals is zero, and you have no more noise in the transmission from the data source which is overlapped by the jamming signal. However, there is an attack on this. So actually this was used to build authorization and confidentiality, but there is an attack, because if you have two equal channels towards the jammer, then you get two times the same jamming signal on both antennas, with the same phase and amplitude in this signal. However, the data source, which you can see there, has two different distances, which means two different channels, so you have a slight phase offset in this. When you now subtract the two received eavesdropping signals from each other, the jamming signal just gets zero again, but the data signal adds up because of the phase shift, so you can reconstruct everything even though there was the jamming signal.

Another scary thing is actually seeing through walls with Wi-Fi. Normally you would build a radar system which scans through different positions, and then you get reflections. However, you can also do this with a single antenna, like on your rad1o badge, and then you get reflections from objects, and objects are moving. There are stable walls, everything is not moving, only people are moving in a building, and they have reflections, and you can think of this the same way as of a radar system because of the symmetric channel, because the channel is valid in both directions. By this you can actually identify and track humans, and you can even do something like gesture-based communication through walls, so you know there's a person and the person is sitting on the couch. It gets even more scary, because something else that you can do, with more antennas, is even track lip movements through walls, or loudspeaker movements, because the membrane is vibrating. And even more scary: on your phone, the audio chip and the Wi-Fi chip are located very close to each other, and when you have Wi-Fi transmissions while you have a phone call, then the audio of the phone call causes the Wi-Fi chip to vibrate, and these vibrations can be measured to reconstruct the audio, and it's all working through walls; you don't see the attacker.

Because this might have been a bit scary, I'm also going now to my second part of the talk, which is how we can build security with waves. So we might have cryptography or not, we might have some bits in the end, and we will try to do the magic on the waveform. So what can we do? Something that you might know from cryptography is the Vernam one-time pad, which basically means that you have a key which is as long as your plaintext and the key is only used once. For example, Alice and Bob share a key which is one terabyte large, and they exchange information until they reach the one terabyte limit, and then they need to exchange another key before they can exchange more data. The good thing about it is that an eavesdropper cannot do any calculation on this, so if you have an NSA attacker, for example, with unlimited calculation resources, the attacker will not be successful. However, in practice you would need to share your key with all servers that you have contact with, so it's very impractical, and it's symmetric, so another key for each server.

In the wireless domain there is something similar, the Wyner wiretap channel, where you have the assumption that each channel is different, and this means that the channel between Alice and Bob and the one between Alice and the eavesdropper might be different in the way that Eve misses, for example, 10 percent of the information that Bob would get, and these 10 percent of information advantage can be used for confidential data transmission. However, in practice the problem is that we don't know the position of the eavesdropper, and the eavesdropper might have multiple antennas or a very good antenna and might not have a disadvantage, so it's hard to estimate your advantage over the eavesdropper. This doesn't matter if you do key extraction with the same thing. You say channels are symmetric, or reciprocal, and this means that you can generate symmetric keys out of a channel: you have the phase and amplitude information and all the other responses that I told you about, and you can really build keys from that and use them in upper-layer protocols. The only problem is if you implement this, for example, with the received signal strength indicator which is propagated by Wi-Fi chips to upper layers: this is just an 8-bit value, and it can even be predicted depending on your distance, so you shouldn't use the received signal strength, for example, but there are good metrics that you can use for this.

To build confidentiality you can also use covert channels, which means you are not doing something like encryption, but you just try to hide information. Normally when you have a transmission then you have, for example, different phases and amplitudes representing bits, so let's say the yellow cloud is the thing which actually was one point at the transmission representing the bits 0 0, and then at reception you will get another thing, which means a cloud, because the channel slightly modified the transmission at the receiver. You can introduce some more artificial noise to actually encode some data in this and hide it, and as long as you keep within these squares this is not propagated to any upper layers, no transmission errors occur, and if you do this in a good way, so that the statistics of these errors are still okay, then you might even not be detected by a software-defined radio with this.

Something else is distance bounding; I already told it for short in the time-traveling scenario. You can use this for authentication and authorization, but I would only use it as a second factor, because you never know if someone is there who can slightly shorten the time for some reason. Another thing you can use is device fingerprinting, because each device, when it's built and manufactured, has some differences, and these differences also change the transmission behavior. Everything is still within the standard, but first of all you can identify devices, so you can track a device, and you can also classify devices, which means you can say this device is from this vendor, this device is from the other vendor, and maybe you just exclude some vendors from your network if you want this. The only problem here is that you really need a very good measurement of this fingerprint, because otherwise some properties might be easily spoofed, so you really need a good measurement.

And there's even more, which I will only tell in very short: for example, you can build a shield for pacemakers and other implantable devices which protects you from attackers, so you just wear it in addition and it sends a jamming signal; or you can build integrity with on-off coding; or you can implement oblivious transfer protocols on the physical layer; and you can also do location fingerprinting because of all these different channels.

And now the question is where to start, where are people here who are thinking about these things at least to some extent. There is one assembly, the Delta 23 Chaoswelle, which is located close to the food. Then there's the radio assembly from the rad1o badge; they are in hall three. And if you are just listening right now, you can also just get a ham radio license. It's not too hard, it's just a multiple-choice test, and it's not expensive, so you should do it, and then you are allowed to transmit on lots of frequencies. Maybe you just want to record something like all your car keys and then share it with experts and ask them about these things. Or maybe you are still a student, and then maybe your university is offering something; at least in Darmstadt we are offering lectures, and there's also a mailing list on this topic that I can offer people, and they are also talking about which university is doing ham radio or software-defined radio things. So thank you for listening, and now I will take questions.

I see no one running to the microphones. Well, maybe I have just been talking too fast. Does the internet have any questions?

Yeah, sort of. Does 802.1X, so EAP-TLS, help against eavesdropping?

Well, not really, because on a physical layer you can always eavesdrop. I mean, the question actually is if there is decryption or not, and I mean of course encryption helps you against eavesdropping, but it does not help you from actually recording the bits, and you might decode them, as I said, in 20 years. So whenever you see a standard which is older than 20 years, assume it is broken and maybe just not published because of some legal reasons.

Now there's someone on microphone one.

Have you ever played around with the USRP a little bit?

Normally I'm using another platform which is called WARP, but it's about the same thing.

But is it cheaper?

No, it's 7000 instead of 700.

And microphone four, please.

I was wondering if any of these attacks, do you know if they're already implemented on open source firmware or drivers on 802.11?

Yeah, so there is, for example, an implementation of just the Wi-Fi protocol for USRP and HackRF, and it's working on the rad1o badge, I already tried it; you can find it on GitHub. For the attacks, I mean, all the things I showed have at least some implementation papers, so there are some sources on the bottom, but I don't know which of them are open source. Some of them are, but I don't know if all of them are.

And microphone number three, please.

Thanks, first thanks for the talk. If you have a repeater in your network, shouldn't you be able to locate yourself better than any other, so that you can exclude an eavesdropper?

Why should I be able to exclude an eavesdropper if I can locate myself?

If it's possible to calculate where you are, you should be able to just give yourself the signal, right?

Yes, but the eavesdropper is passive. I mean, the eavesdropper is not sending anything, it's just a receiver. How should you know if there is a receiver?

Right. And microphone one, please.

Thanks for the talk. As part of an authentication protocol, couldn't we use hardware that implements directed antennas to provide extra security, by locking out eavesdroppers by not providing them the signal in the first place?

Yes, so there has been, for example, the new 60 GHz standard; it has these very narrow antenna beams, but you still get reflections. We really did it in experiments, and we measured that if you have, for example, a cup in the middle of a transmission, then it has a surface which also bends some of the rays around, and so you can just put simple objects in the room which cause reflections so that you still can eavesdrop.

And the internet again.

So you said something about a receiver fingerprint. Can you give an example for that?

Receiver? I said transmitter fingerprint.

Yeah, okay, so they are asking for an example apart from the MAC address.

But the MAC address, I mean, the MAC address is still above the physical layer. A fingerprint would be, for example, when you switch your device on, when sending, then you have a certain characteristic of how the signal starts when turning on the device. This might be a characteristic.

And microphone one.

Hi, thank you. Have you already tested voice eavesdropping, and how complicated is it?

I didn't test it, but there is a video on YouTube. This has been published at MobiCom this year, during September I think MobiCom has been, and just google, um, "vipro matri" and MobiCom, and there's the video.

Thank you. And microphone four.

It's naturally trivial to locate a single omnidirectional source for an attacker. Are there fancy things I can do to obscure my position with directed or multiple senders?

You mean you want to obfuscate your own location?

Yes, where I'm sending from, because it was a single omnidirectional source.

So, um, yes, let's say it's possible, you can craft another signal at other locations, but I would really call it kind of an antenna war. So if you have an eavesdropper having more antennas, then you can still be localized, and so on. So it's a question of costs. Not really, so maybe you have more antennas than the eavesdropper, okay, then you are safe again, then the eavesdropper has more antennas, and so on.

Thank you. Um, I see no more questions, or one more question on microphone number four.

You briefly mentioned something about wormholes. Apparently you use some kind of bridging to connect devices that aren't supposed to be connected because they're too far away. Do any real-world systems actually detect this kind of attack, or can you just basically use it to fake your e-passport, and the one who actually has the passport is somebody completely different?

For the scenario that I showed with the e-passport it's working, and it's also working for our mensa cards at my university. So, um, there's lots of things which are working. There are maybe also things that do distance bounding, and then it's not working, of course. Students in our group implemented this, so you can really download the source, install the app on your phone, and do this.

Thank you. Oh no, actually, does the internet have any questions? None anymore. No questions in the room anymore? So, uh, wow, Q&A finished before the time is over. Uh, thank you very much, and give a warm hand to this guy.