Wireless.md

Wireless Networks

Table of Contents

• General
• General Software Tools
• Tutorials and Guides
• Non Tutorial Writeups
• Dongles/HW Tools
• Cellular Networks
• Software Defined Radio
• 802.11
• RFID
• Zigbee
• Bluetooth
• Z-Wave
• RetroReflectors
• [Foxhunting & WarDriving](#fxh}
• General Blogs/Sites
• Talks/Presentations & Videos
• Papers
• Miscellaneous

---

Sort

• Fix ToC

• Add 101 stuff

• Add SMS Standards/related https://www.usenix.org/legacy/events/sec11/tech/full_papers/Clark.pdf

• RFC 7710: Captive-Portal Identification Using DHCP or Router Advertisements (RAs)

Bluetooth Low-Energy * https://blog.attify.com/the-practical-guide-to-hacking-bluetooth-low-energy/ * https://csrc.nist.gov/csrc/media/publications/sp/800-121/rev-2/draft/documents/sp800_121_r2_draft.pdf * https://obvi.us/presentation/rf-sig/

* https://www.usenix.org/system/files/conference/nsdi16/nsdi16-paper-vasisht.pdf
* https://github.com/gsmaxwell/DopplerFi
* https://github.com/seemoo-lab/nexmon
* https://www.arxiv-vanity.com/papers/1811.10948/
* https://arxiv.org/abs/1811.10948

https://github.com/hexway/apple_bleee

• https://papers.mathyvanhoef.com/dragonblood.pdf https://www.blackhat.com/presentations/bh-europe-07/Butti/Presentation/bh-eu-07-Butti.pdf https://www.youtube.com/watch?v=FCu8rnQVU5M

https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/

• New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols - Ravishankar Borgaonkar, Lucca Hirschi∗, Shinjo Park, and Altaf Shaik

  • In this paper, we reveal a new privacy attack against allvariants of the AKA protocol, including 5G AKA, thatbreaches subscriber privacy more severely than knownlocation privacy attacks do. Our attack exploits a newlogical vulnerability we uncovered that would requirededicated fixes. We demonstrate the practical feasibilityof our attack using low cost and widely available setups.Finally we conduct a security analysis of the vulnerabil-ity and discuss countermeasures to remedy our attack

• Security and Protocol Exploit Analysis of the 5GSpecifications - Roger Jover, Vuk Marojevic

  • ? Abstract—The Third Generation Partnership Project (3GPP)released its first 5G security specifications in March 2018.This paper reviews the proposed security architecture, its mainrequirements and procedures, and evaluates them in the contextof known and new protocol exploits. Although security hasbeen improved from previous generations, our analysis identifiesunrealistic 5G system assumptions and protocol edge cases thatcan render 5G communication systems vulnerable to adversarialattacks. For example, null encryption and null authentication arestill supported and can be used in valid system configurations.With no clear proposal to tackle pre-authentication messages,mobile devices continue to implicitly trust any serving network,which may or may not enforce a number of optional securityfeatures, or which may not be legitimate. Moreover, severalcritical security and key management functions are left outsideof the scope of the specifications. The comparison with known 4GLong-Term Evolution (LTE) protocol exploits reveals that the 5Gsecurity specifications, as of Release 15, Version 1.0.0, do not fullyaddress the user privacy and network availability challenges.Keywords–Security, 5G, 3GPP Release 15, LTE

• A Formal Analysis of 5G Authentication

• Component-Based Formal Analysis of 5G-AKA:Channel Assumptions and Session Confusion - Cas Cremers, Martin Dehnel-Wild

  • We perform fine-grained formal analysis of 5G’s main au-thentication and key agreement protocol (AKA), and providethe first models to explicitly consider all parties defined by theprotocol specification. Our analysis reveals that the security of5G-AKA critically relies on unstated assumptions on the innerworkings of the underlying channels. In practice this means thatfollowing the 5G-AKA specification, a provider can easily and ‘correctly’ implement the standard insecurely, leaving the protocolvulnerable to a security-critical race condition. We provide thefirst models and analysis considering component and channelcompromise in 5G, whose results further demonstrate the fragilityand subtle trust assumptions of the 5G-AKA protocol.We propose formally verified fixes to the encountered issues,and have worked with 3GPP to ensure these fixes are adopted.

• add krack

• Captive-Portal Identification Using DHCP or Router Advertisements (RAs) - RFC 7718

  • This document describes a DHCP option (and a Router Advertisement(RA) extension) to inform clients that they are behind some sort ofcaptive-portal device and that they will need to authenticate to getInternet access. It is not a full solution to address all of theissues that clients may have with captive portals; it is designed tobe used in larger solutions. The method of authenticating to andinteracting with the captive portal is out of scope for thisdocument https://wpa3.mathyvanhoef.com/#new https://news.ycombinator.com/item?id=6942389

• RPL Attacks Framework

  • This project is aimed to provide a simple and convenient way to generate simulations and deploy malicious motes for a Wireless Sensor Network (WSN) that uses Routing Protocol for Low-power and lossy devices (RPL) as its network layer. With this framework, it is possible to easily define campaign of simulations either redefining RPL configuration constants, modifying single lines from the ContikiRPL library or using an own external RPL library. Moreover, experiments in a campaign can be generated either based on a same or a randomized topology for each simulation.

• Funtenna - Transmitter: XYZ Embedded device + RF Funtenna Payload https://github.com/steve-m/fl2k-examples https://osmocom.org/projects/osmo-fl2k/wiki

https://wpa3.mathyvanhoef.com/#new

https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html?m=1 https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html https://blade.tencent.com/en/advisories/qualpwn/

https://devtty0.io/pwning-wireless-peripherals/

https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network

---

General

• Cyberspectrum SDR Meetups
• 101
  • IEEE 802.11 Tutorial
    • This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard. It describes IEEE 802.11 MAC Layer in detail and it briefly mentions IEEE 802.11a, IEEE 802.11b physical layer standard and IEEE 802.11e MAC layer standard
  • FM and Bluetooth and Wifi Oh My Aaron Lafferty - Derbycon7
• Articles
  • sysmocom publicly releases Osmocom user manuals
• Documentation
  • Management Frames Reference Sheet
• Educational
  • Guide to Basics of Wireless Networking
  • US Marine Antenna Handbook
  • So You Want To Hack Radios - A Primer On Wireless Reverse Engineering
  • PHYs, MACs, and SDRs - Robert Ghilduta
    • The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.
  • Intro to SDR and RF Signal Analysis
• Fuzzing
  • Unifying RF Fuzzing Techniques under a Common API: Introducing unfAPI - Matt Knight, Ryan Speers - Troopers18
    • TumbleRF
      • TumbleRF is a framework that orchestrates the application of fuzzing techniques to RF systems. While fuzzing has always been a powerful mechanism for fingerprinting and enumerating bugs within software systems, the application of these techniques to wireless and hardware systems has historically been nontrivial due to fragmented and siloed tools. TumbleRF aims to enable RF fuzzing by providing an API to unify these techniques across protocols, radios, and drivers.
• Testing
  • Introduction to Wireless Security Testing
  • RF Testing Methodology - NCCGroup
    • The RFTM is an Open Source, collaborative testing methodology. It is specifically written in a straightforward way, avoiding mathematics where possible and focussed on providing the information that security researchers and consultants need to know in order to effectively test systems that employ RF technologies.
    • Signals and Modulation
    • Information Sources
    • Receiving Signals
    • Developing an FSK receiver step-by-step
    • Transmitting Data
    • Developing an FSK transmitter step-by-step
    • Signals Identification
• General Videos
  • The Wireless World of the Internet of Things - JP Dunning ".ronin"
    • The Internet of Things brings all the hardware are home together. Most of these devices are controlled through wireless command and control network. But what kind of wireless? And what are the security is in place? This talk with cover the wireless tech used by the Internet of Things and some of the risks to your home or corporate security.
  • Drive it like you Hacked it- Samy Kamkar - Defcon23
    • In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy). APCO Project 25 (P25)
  • HOPE Number Nine (2012): Practical Insecurity in Encrypted Radio
    • APCO Project 25 ("P25") is a suite of wireless communications protocols used in the United States and elsewhere for public safety two-way (voice) radio systems. The protocols include security options in which voice and data traffic can be cryptographically protected from eavesdropping. This talk analyzes the security of P25 systems against passive and active adversaries. The panel found a number of protocol, implementation, and user interface weaknesses that routinely leak information to a passive eavesdropper or that permit highly efficient and difficult to detect active attacks. They found new "selective subframe jamming" attacks against P25, in which an active attacker with very modest resources can prevent specific kinds of traffic (such as encrypted messages) from being received, while emitting only a small fraction of the aggregate power of the legitimate transmitter. And, more significantly, they found that even passive attacks represent a serious immediate threat. In an over-the-air analysis conducted over a two year period in several U.S. metropolitan areas, they found that a significant fraction of the "encrypted" P25 tactical radio traffic sent by federal law enforcement surveillance operatives is actually sent in the clear - in spite of their users' belief that they are encrypted - and often reveals such sensitive data as the names of informants in criminal investigations.
• Miscellaneous
  • RF-Capture
    • RF-Capture is a device that captures a human figure through walls and occlusions. It transmits wireless signals and reconstructs a human figure by analyzing the signals' reflections. RF-Capture does not require the person to wear any sensor, and its transmitted power is 10,000 times lower than that of a standard cell-phone.
    • Paper
  • One Billion Apples' Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol

---

BlueTooth BlueTooth

• 101
  • Bluetooth - Wikipedia
• (Big)Attacks
  • blueborne
• Articles/Presentations/Talks/Writeups
  • Now I wanna sniff some Bluetooth: Sniffing and Cracking Bluetooth with the UbertoothOne
  • Hacking Electric Skateboards - Mike Ryan and Richo Healey - DEF CON 23
    • Richo and Mike will investigate the security of several popular skateboards, including Boosted's flagship model and demonstrate several vulnerabilities that allow complete control of a an unmodified victim's skateboard, as well as other attacks on the firmware of the board and controller directly.
    • Slides
  • The NSA Playset: Bluetooth Smart Attack Tools - Mike Ryan
    • Slides
    • This talk is a part of the NSA Playset series, a collection of unique topics with a common theme: implementing the NSA’s toys as found in the NSA ANT catalog. I have developed multiple Bluetooth Smart (BLE) attack tools, inspired by capabilities likely to be present in the ANT catalog.
  • Outsmarting Bluetooth Smart - Mike Smart
    • This talk covers Bluetooth Smart active attacks, fuzzing Bluetooth stacks, and remote Bluetooth exploitation. I presented this talk at CanSecWest 2014 in Vancouver, BC, Canada.
    • Slides
  • Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix! - BHUSA 2013
    • Slides
  • How Smart Is Bluetooth Smart?
  • Bluetooth Hacking Tools Comparison - Mark Loveless
• Documentation
  • NIST Special Publication 800-121 Revision 2: Guide to Bluetooth Security
  • Protocol Specs - bluetooth.com
• Testing
  • Bluetooth Penetration Testing Framework - 2011
  • Hacking Bluetooth connections - hackingandsecurity
• Tools
  • PyBT
    • PyBT is a crappy half implementation of a Bluetooth stack in Python. At the moment it only supports Bluetooth Smart (BLE).
  • Bluetooth NSA Toolset Talk/Attacks video
  • bluepot
    • Bluepot is a Bluetooth Honeypot written in Java, it runs on Linux.
  • BlueHydra
    • BlueHydra is a Bluetooth device discovery service built on top of the bluez library. BlueHydra makes use of ubertooth where available and attempts to track both classic and low energy (LE) bluetooth devices over time.
  • crackle
    • crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.
• Bluetooth Low Energy
  • 101
  • Articles/Presentations/Talks/Writeups
    • Bluetooth: With Low Energy comes Low Security - Mike Ryan
      • We discuss our tools and techniques to monitor and inject packets in Bluetooth Low Energy. Also known as BTLE or Bluetooth Smart, it is found in recent high-end smartphones, sports devices, sensors, and will soon appear in many medical devices. We show that we can effectively render useless the encryption of any Bluetooth Low Energy link
    • Getting started with Bluetooth Low Energy on iOS
    • This Is Not a Post About BLE, Introducing BLEAH
    • Bluetooth: With Low Energy Comes Low Security
    • My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE
    • Hacking Bluetooth Low Energy: I Am Jack's Heart Monitor - Toorcon2012
      • Bluetooth Low Energy (BTLE) is the hottest new mode in the latest and greatest Bluetooth 4.0 spec. A new generation of wireless devices, including medical devices will be implemented using this mode. BTLE is much simpler than classic Bluetooth. Simpler to implement, simpler to debug, and hey, simpler to hack. I present the progress of a BTLE sniffer/smasher/smusher written for Ubertooth in this WIP talk.
      • Slides
  • Tools
    • BtleJuice
      • BtleJuice is a complete framework to perform Man-in-the-Middle attacks on Bluetooth Smart devices (also known as Bluetooth Low Energy).
    • crackle
      • cracks BLE Encryption (AKA Bluetooth Smart). crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.
    • gattacker
      • A Node.js package for BLE (Bluetooth Low Energy) Man-in-the-Middle & more
    • noble
      • A Node.js BLE (Bluetooth Low Energy) central module.
    • bleno
      • A Node.js module for implementing BLE (Bluetooth Low Energy) peripherals.
    • crackle
      • crackle cracks BLE Encryption (AKA Bluetooth Smart). crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected. With the STK and LTK, all communications between the master and the slave can be decrypted.
• Papers
  • Cracking the Bluetooth PIN - Yaniv Shaked and Avishai Wool
    • This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimizations methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer.

---

Cellular Networks

• 101
• Educational
  • Guide to LTE Security - NIST Special Publication 800-187
  • Demystifying the Mobile Network by Chuck McAuley
    • Must watch video. Very informative.
  • LTE Security - How good is it?
  • Mobile self-defense - Karsten Nohl
  • Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones
    • Malicious injection of cellular signaling traffic from mobile phones is an emerging security issue. The respective attacks can be performed by hijacked smartphones and by malware resident on mobile phones. Until today there are no protection mechanisms in place to prevent signaling based attacks other than implementing expensive additions to the cellular core network. In this work we present a protection system that resides on the mobile phone. Our solution works by partitioning the phone software stack into the application operating system and the communication partition. The application system is a standard fully featured Android sys tem. On the other side, communication to the cellular network is mediated by a flexible monitoring and enforcement system running on the communication partition. We implemented and evaluated our protection system on a real smartphone. Our evaluation shows that it can mitigate all currently know n signaling based attacks and in addition can protect users fr om cellular Trojans.
• Tools
  • SiGploit
    • Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP. SiGploit a signaling security testing framework dedicated to Telecom Security professionals and reasearchers to pentest and exploit vulnerabilites in the signaling protocols used in mobile operators regardless of the geneartion being in use. SiGploit aims to cover all used protocols used in the operators interconnects SS7, GTP (3G), Diameter (4G) or even SIP for IMS and VoLTE infrastructures used in the access layer and SS7 message encapsulation into SIP-T. Recommendations for each vulnerability will be provided to guide the tester and the operator the steps that should be done to enhance their security posture
  • LTE-Cell-Scanner
    • This is a collection of tools to locate and track LTE basestation cells using very low performance RF front ends. For example, these tools work with RTL2832 based dongles (E4000, R820T, etc.) which have a noise figure of 20dB, only 8 bits in the A/D, and a crystal with a frequency error of about 100 ppm.
  • UmTRX
    • UmTRX is a dual-channel wide-band SDR platform with gigabit Ethernet connectivity, that is developed by Fairwaves and designed to be used as a transceiver (TRX) with OpenBTS and OsmoBTS GSM base stations.
• SIM Cards
  • 101
  • Articles/Presentations/Talks/Writeups
    • Rooting Sim Cards
    • Secrets of Sim
    • Security mechanisms for the (U)SIM application toolkit; Test specification
    • Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
    • 4G Security: Hacking USB Modem and SIM Card via SMS
    • The Secret Life of SIM Cards - Defcon21
    • Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
    • Mobile: Cellular Exploitation on a Global Scale The Rise & Fall of the Control
    • The Great SIM Heist How Spies Stole the Keys to the Encryption Castle - The Intercept
  • Tools
    • Osmocom SIMtrace
      • Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.
• FemtoCell
  • 101
  • Articles/Presentations/Talks/Writeups
    • The Vodafone Access Gateway / UMTS Femto cell / Vodafone Sure Signal
    • Adventures in Femtoland: 350 Yuan for Invaluable Fun
• GSM
  • 101
  • Articles/Presentations/Talks/Writeups
    • Practical attacks against GSM networks (Part 1/3): Impersonation
    • RTL-SDR Tutorial: Analyzing GSM with Airprobe and Wireshark
      • The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools Airprobe and Wireshark. This tutorial shows how I set up these tools for use with the RTL-SDR.
    • How To Build Your Own Rogue GSM BTS For Fun And Profit
    • Sniffing GSM with HackRF
    • GSM/GPRS Traffic Interception for Penetration Testing Engagements
    • CampZer0 // Domonkos Tomcsányi: GSM - have we overslept the last wake-up call?
    • Intercepting GSM Traffic
    • GSM: SRSLY?
      • The worlds most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising. From the total lack of network to handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that really wanted to talk to us. It all came as a surprise � stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet. Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever
    • Wideband GSM Sniffing [27C3]
      • GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year -- like wide-band sniffing and real-time signal processing -- will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.
    • 29C3 GSM: Cell phone network review
      • Did you notice 262 42 in your mobile phone network search list at the last CCC events? Did you and your friends buy SIM cards at the PoC and help test the network by calling each other, or by calling through the bridge to the DECT network services? Did you ever wonder about the details of this open source test network, set up by a team of volunteers in the middle of the city? We would like to tell you all the details of the cell phone network we operate at 29C3, and show you some fancy graphs based on the network activity! We will describe the process of setting up the test network we operate at 29C3, what legal and technical challenges we have faced, and we will describe the actual installation at the CCH. We will also compare this with the 262 42 test networks that were operated using the same open source software but otherwise very different installations at CCC Camp 2011 and 28C3. We will go on to show various statistics that we collect from the network while it has been running.
    • Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide)
    • The big GSM write-up; how to capture, analyze and crack GSM?
    • StackOverflow post on intercepting GSM traffic
    • NSA Playset - GSM Sniffing - Pierce&Loki - Defcon22
    • Sniffing GSM with RTL-SDR
    • Capturing and Cracking GSM traffic using a rtl-sdr
  • Tools
    • GSM MAP
      • The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen �in the wild�. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
    • gr-gsm
      • Gnuradio blocks and tools for receiving GSM transmissions
• LTE
  • 101
  • Articles/Presentations/Talks/Writeups
    • LTE Security - How good is it?
    • 4G LTE Architecture and Security Concerns
    • LTEInspector : A Systematic Approach for Adversarial Testing of 4G LTE
      • In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, cate- gorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed
    • Breaking LTE on Layer Two
      • Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol. On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard. In the following, we provide an overview of the website fingerprinting and aLTE attack, and explain how we conducted them in our lab setup. Our work will appear at the 2019 IEEE Symposium on Security & Privacy and all details are available in a pre-print version of the paper.
• SMS
  • Binary SMS - The old backdoor to your new thing - Contextis
  • #root via SMS: 4G access level security assessment
• SS7
  • 101
  • Articles/Presentations/Talks/Writeups
    • SS7: Locate. Track. Manipulate. You have a tracking device in your pocket
      • Companies are now selling the ability to track your phone number whereever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it. But that is just the tip of the iceberg.
    • Primary Security Threats For SS7 Cellular Networks
  • Tools
    • SS7 MAP (pen-)testing toolkit
• IMSI Catcher related
  • Android IMSI-Catcher Detector (AIMSICD)
    • Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks.
  • SnoopSnitch
    • SnoopSnitch is an Android app that collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates. With SnoopSnitch you can use the data collected in the GSM Security Map at gsmmap.org and contribute your own data to GSM Map. This application currently only works on Android phones with a Qualcomm chipset and a stock Android ROM (or a suitable custom ROM with Qualcomm DIAG driver). It requires root priviliges to capture mobile network data.

---

Dongles

• FunCube dongle
• RZUSBstick
  • The starter kit accelerates development, debugging, and demonstration for a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. The kit includes one USB stick with a 2.4GHz transceiver and a USB connector. The included AT86RF230 transceiver's high sensitivity supports the longest range for wireless products. The AT90USB1287 incorporates fast USB On-the-Go.
• Gr0SMoSDR
• PyBOMBS
  • PyBOMBS (Python Build Overlay Managed Bundle System) is the new GNU Radio install management system for resolving dependencies and pulling in out-of-tree projects. One of the main purposes of PyBOMBS is to aggregate out-of-tree projects, which means that PyBOMBS needs to have new recipes for any new project. We have done a lot of the initial work to get known projects into the PyBOMBS system as is, but we will need project developers for new OOT projects or other projects not currently listed to help us out with this effort.
• UAV Transponders & Tracker Kits - UST

---

802.11 - WiFi

• 101
  • 802.11 frames : A starter guide to learn wireless sniffer traces
  • IEEE 802.11 Pocket Reference Guide
• Documentation
  • Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i - NIST
• Educational
  • IEEE 802.11 Tutorial
    • This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard. It describes IEEE 802.11 MAC Layer in detail and it briefly mentions IEEE 802.11a, IEEE 802.11b physical layer standard and IEEE 802.11e MAC layer standard
  • Wi-Fi Protected Access 2 (WPA2) Overview
  • Wireless Leakage - Robin Wood
  • Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU
• Fox Hunting & Wardriving
  • Practical Foxhunting 101
  • iSniff
    • iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks. iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on wigle.net and visualise possible locations.
  • If it fits - it sniffs: Adventures in WarShipping - Larry Pesce
    • There are plenty of ways to leverage known wireless attacks against our chosen victims. We've discovered a new WiFi discovery methodology that can give us insight into attack paths, internal distribution methods, internal policies and procedures as well as an opportunity to launch wireless attacks deep inside a facility without even stepping inside; no physical penetration test needed. How do we make that happen? Box it, tape it and slap an address on it: WARSHIPPING. Thanks FedEx, UPS and USPS for doing the heavy lifting for us. We�'ve even got a new tool to do some of the heavy lifting for location lookups too!
• Identification/Tracking
  • Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field
    • The research presented in this paper provides the reader with a set of algorithms and techniques that enable the user to remotely determine what chipset and device driver an 802.11 device is using. The technique outlined is entirely passive, and given the amount of features that are being considered for inclusion into the 802.11 standard, seems quite likely that it will increase in precision as the standard marches forward. The implications of this are far ranging. On one hand, the techniques can be used to implement innovative new features in Wireless Intrusion Detection Systems (WIDS). On the other, they can be used to target link layer device driver attacks with much higher precision.
  • Meeting People Over WiFi - JoshInGeneral - DC23
    • In this talk we will talk about some of the things that can identify you in an environment and how people can track you. We will look at bluetooth scanning apps that you can use every day to track people inconspicuously from your phone, while walking, metroing, or as a passenger in a car driving.
• Testing
  • Wireless Pentesting on the Cheap
    • In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WEP protected test network. For just $16
  • WPA/WPA2 Dictionaries
• Tools
  • General
    • Aircrack
    • wifi-arsenal
  • D/DOS
    • wifijammer
      • Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.
    • ESP8266 deauther
      • Deauthentication attack and other exploits using an ESP8266!
  • Logging/Monitoring
    • SniffAir An Open Source Framework for Wireless Security Assessments Matthew Eidelberg - DerbyCon7
    • SniffAir
    • probemon
      • A simple command line tool for monitoring and logging 802.11 probe frames
    • Snifflab: An environment for testing mobile devices
      • Specifically, we have created a WiFi hotspot that is continually collecting all the packets sent over it. All connected clients’ HTTPS communications are subjected to a “Man-in-the-middle” attack, whereby they can later be decrypted for analysis.
    • Nzyme
      • Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode.
  • MiTM
    • Fluxion
      • Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) less bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It's compatible with the latest release of Kali (rolling). Fluxion's attacks' setup is mostly manual, but experimental auto-mode handles some of the attacks' setup parameters
  • WPS
    • pixiewps
      • Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.
  • Cracking Passwords
    • Wireless Password Cracking With Cloud Clusters
    • hcxtools
      • Portable solution for capturing wlan traffic and conversion to hashcat formats (recommended by hashcat) and to John the Ripper formats. hcx: h = hash, c = capture, convert and calculate candidates, x = different hashtypes
• Eduroam
  • 101
    • The eduroam Architecture for Network Roaming - RFC 7593
    • Eduroam - Wikipedia
  • Articles/Blogposts/Writeups
    • Server Certificate Practices in Eduroam (2015)
  • Attacking
    • MITM Attack Model against eduroam (2013)
    • A Practical Investigation of Identity Theft Vulnerabilities in Eduroam (2015)
  • Tools
    • eduroam FreeRADIUS Docker
• EAP
  • EAP-PWD: Extensible Authentication Protocol (EAP) Authentication Using Only a Password - RFC 5931
  • eaphammer
    • EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:
  • crEAP
    • Python script to identify wireless networks EAP types and harvest users
  • EAPEAK
    • EAPeak is a suite of open source tools to facilitate auditing of wireless networks that utilize the Extensible Authentication Protocol framework for authentication. It is meant to give useful information relating to the security of these networks for pentesters to use while searching for vulnerabilities.
  • eapmd5pass
    • An implementation of an offline dictionary attack against the EAP-MD5 protocol. This utility can be used to audit passwords used for EAP-MD5 networks from wireless packet captures, or by manually specifying the challenge, response and associated authentication information.
• Evil/Infernal Twin
  • Infernal twin
  • Evil Twin vulnerabilities in Wi-Fi networks (Master Thesis, 2016)
  • Evil Twin Vulnerabilities in Wi-Fi Networks (Bachelor Thesis, 2016)
  • Infernal-Twin
    • This is the tool created to automate Evil Twin attack and capturing public and guest credentials of Access Point
• Exploit Dev
  • Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
    • This paper describes the process of identifying and exploiting 802.11 wireless device driver vulnerabilities on Windows. This process is described in terms of two steps: pre-exploitation and exploitation. The pre-exploitation step provides a basic introduction to the 802.11 protocol along with a description of the tools and libraries the authors used to create a basic 802.11 protocol fuzzer. The exploitation step describes the common elements of an 802.11 wireless device driver exploit. These elements include things like the underlying payload architecture that is used when executing arbitrary code in kernel-mode on Windows, how this payload architecture has been integrated into the 3.0 version of the Metasploit Framework, and the interface that the Metasploit Framework exposes to make developing 802.11 wireless device driver exploits easy. Finally, three separate real world wireless device driver vulnerabilities are used as case studies to illustrate the application of this process. It is hoped that the description and illustration of this process can be used to show that kernel-mode vulnerabilities can be just as dangerous and just as easy to exploit as user-mode vulnerabilities. In so doing, awareness of the need for more robust kernel-mode exploit prevention technology can be raised.
• KARMA
  • Karma
  • Attacking automatic Wireless network selection (2005)
  • Why do Wi-Fi Clientes disclose their PNL for Free Still Today? (2015)
  • Instant KARMA might still gets you (2015)
• KRACK
  • Key Reinstallation Attacks
  • KRACK - Wikipedia
  • Tools
    • krackattacks-scripts
      • This project contains scripts to test if clients or access points (APs) are affected by the KRACK attack against WPA2. For details behind this attack see our website and the research paper.
• RADIUS
  • apbleed
    • Allows you to use existing heartbleed tools to test the RADIUS server
  • Authentication protocols that DO support hashed passwords (FreeRADIUS mailing list)
• TKIP Related
  • Practical attacks against WEP and WPA (2008)
  • An Improved Attack on TKIP (2009)
  • Cryptanalysis of IEEE 802.11i TKIP
  • Enhanced TKIP Michael Attacks (2010)
  • Plaintext Recovery Attacks Against WPA/TKIP (2013)
  • Practical verification of WPA-TKIP vulnerabilities (2013)
  • On the security of RC4 in TLS (USENIX, 2013)
  • All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (USENIX, 2015)
  • A Security Analysis of the WPA-TKIP and TLS Security Protocols (PhD Thesis, 2016)
  • Predicting and Abusing WPA2/802.11 Group Keys (2016)
• WEP
  • WPA Migration Mode: WEP is back to haunt you...(slides)
    • Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco.
• WPA/2
  • Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven
  • Wifi Tracking: Collecting the (probe) Breadcrumbs - David Switzer
    • Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus, to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment where they may notice — when getting them at their favorite burger joint is much easier. In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live, their daily habits, and discuss uses (some nice, some not so nice) for this information. We’ll also dicuss how to make yourself a little less easy to track using these methods. Stingrays are price prohibitive, but for just tracking people’s movements.. this is cheap and easy.
  • Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys
    • Attacks against weak 802.11 Random Number Generators
• WPS
  • 101
    • Brute forcing Wi-Fi Protected Setup - Stefan Viehböck
      • The original paper on WPS cracking.
    • Offline bruteforce attack on wifi protected setup (Pixie dust attack, 2014)
  • Articles/Blogposts/Writeups
    • An Investigation into the Wi-Fi Protected Setup PIN of the Linksys WRT160N v2 (2012)
    • Reversing D-Links WPS pin algorithm
  • Tools
    • wpscrack
      • Continuation of wpscrack originally written by Stefan Viehböck
    • reaver_reattempt
      • Change the Mac address of the wifi connection as well as the emulated one created by airmon-ng in an attempt to avoid being locked out of routers for repeated WPS attack attempts
    • Reaver-wps-fork-t6x
      • Community forked version which includes various bug fixes, new features and additional attack method (such as the offline Pixie Dust attack)
    • WPSIG
      • Simple tool (written in Python) that does information gathering using WPS information elements.
• Misc
  • Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers (WOOT, 2015)
  • Keyspace List for WPA on Default Routers
  • nexmon
    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
  • BoopSuite
    • BoopSuite a wireless pentesting suite designed to emulate aircrack-ng functionality for personal growth.
  • New attack on WPA/WPA2 using PMKID - atom - hashcat.net
• Why not?
  • Start Your Own (Wireless) ISP

---

RFID - Radio Frequency Identification

• 101
  • Radio-frequency identification - Wikipedia
  • NFC Frequently Asked Questions
• Articles/Blogposts/Presentations/Talks/Writeups
  • Security of RFID Protocols A Case Study** |
    • In the context of Dolev-Yao style analysis of security proto cols, we investigate the security claims of a pro- posed strong-security RFID authentication protocol. We ex hibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on au thentication, untraceability, and desynchroniza- tion resistance. We analyze and discuss the authors proofs of security. References to other vulnerable protocols are given.
  • Exploring NFC Attack Surface
  • [Owning and Cloning NFC Payment Cards](https://github.com/peterfillmore/Talk-Stuff/blob/master/Syscan2015/PeterFillmore_Syscan2015.pdf]
  • On Relaying NFC Payment Transactions using Android devices
  • NFC Hacking: NFCProxy with Android Beam
  • Practical Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited
  • Practical Guide to RFID Badge copying
  • RFID Hacking with The Proxmark 3
• Tools
  • ravenhid
    • Hardware and software to run a RFID reader to harvest card information. This is the PCB design and Arduino code that will run a RFID reader, allowing you to gather and harvest cards. Typically, a larger reader, such as those in garages, will be more successful, allowing you to ready over a couple feet instead of inches. The board itself is designed to be modular and support multiple methods to output harvested cards once they are read:
      • Text file on a MicroSD card; Print out to LCD; Bluetooth Low Energy Arduino serial connection
    • Each of these options are supported in code, but can be ignored on the PCB. The PCB itself has been designed to use a pluggable module for each of these options, making it easy to ignore, install, or change out which ones you find useful.
  • RFIDiggity - Pentester Guide to Hacking HF/NFC and UHF RFID - Defcon23
  • Wiegotcha: Long Range RFID Thieving
    • Wiegotcha is the next evolution of Long Range RFID badge capturing. Based on previous work by Fran Brown and Bishop Fox (Tastic RFID Thief), Wiegotcha uses a Raspberry Pi in place of an Arduino for the added capabilities and ease of customization. One of the immediate benefits of using an RPi is quick and easy wireless communication with the badge reader.
  • Swiss Army Knife for RFID

---

RF RetroReflectors

• 101
  • Modulating retro-reflector - Wikipedia
• Articles/Presentations/Talks/Writeups
  • [TROOPERS15] Michael Ossmann - RF Retroflectors, Emission Security and SDR
  • The NSA Playset - RF Retroreflectors - Defcon22
• Tools
  • CONGAFLOCK - NSA Playset
    • CONGAFLOCK is a general purpose RF retroreflector intended for experimentation.
  • The Thing (Listening Device) - Wikipedia
  • retroreflectors

---

Satellite Related

• SATELLITE TV RECEIVERS: FROM REMOTE CONTROL TO ROOT SHELL - Sofiane Talmat
• Spread Spectrum Satcom Hacking: Attacking The Globalstar Simplex Data Service - Colby Moore - BHUSA2015
• A Wake-Up Call for SATCOM Security - Ruben Santamarta
• Inmarsat-C - Inmarsat
• Inmarsat-C - Wikipedia
• Very-small-aperture terminal - Wikipedia
• BGAN
• Broadband Global Area Network - Wikipedia
• SwiftBroadband - inmarsat
• SwiftBroadband - Wikipedia
• FleetBroadband
• Fleet Broadband - Wikipedia

---

Software Defined Radio

• 101

  • Software Defined Radio for Infosec People 101
  • So you want to get into SDR talk
  • Bringing Software Defined Radio to the Penetration Testing Community

• Articles/Presentations/Talks/Writeups * Introduction to SDR and the Wireless Village(Defcon)

  • [Software Defined Radio with HackRF](https://greatscottgadgets.com/sdr/[WebSDR](http://websdr.org/)
    • A WebSDR is a Software-Defined Radio receiver connected to the internet, allowing many listeners to listen and tune it simultaneously. SDR technology makes it possible that all listeners tune independently, and thus listen to different signals; this is in contrast to the many classical receivers that are already available via the internet.
  • Hacking the Wireless World with Software Defined Radio 2.0
  • Exploit: Hacking the Wireless World with Software Defined Radio BlackHat USA 2014
  • From baseband to bitstream and back again: What security researchers really want to do with SDR - Andy Davis - nccgroup
  • Using Software Defined radio to attack Smart home systems
  • Using Software Defined Radio for IoT Analysis
  • Decoding the LoRa IoT Protocol with an RTL-SDR

• Documentation

• General

  • PHYs, MACs, and SDRs - Robert Ghilduta
    • The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.
  • RTL-SDR and GNU Radio with Realtek RTL2832U [Elonics E4000/Raphael Micro R820T] software defined radio receivers.

• Tools

  • GNU Radio
    • GNU Radio is a free & open-source software development toolkit that provides signal processing blocks to implement software radios. It can be used with readily-available low-cost external RF hardware to create software-defined radios, or without hardware in a simulation-like environment. It is widely used in hobbyist, academic and commercial environments to support both wireless communications research and real-world radio systems.
  • Gqrx
    • Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit.
    • Documentation
    • Practical Tips & Tricks
  • GPS-SDR-SIM
    • Software-Defined GPS Signal Simulator; GPS-SDR-SIM
  • nrsc5
    • NRSC-5 receiver for rtl-sdr
  • gr-nrsc5
    • A GNU Radio implementation of HD Radio (NRSC-5)
  • rtlamr
    • An rtl-sdr receiver for Itron ERT compatible smart meters operating in the 900MHz ISM band.
  • Uni-SDR Link
    • The initial release of Uni-SDR Link. This applications sole purpose is to allow Universal Trunker (aka Unitrunker) to control the tuning frequency of individual VFO's in SDR Console v2. This is achieved by translating Unitrunker Receiver Control commands into a format accepted by SDR Console. Communication occurs over virtual com / serial ports.
  • ShinySDR
    • This is the software component of a software-defined radio receiver. When combined with hardware devices such as the USRP, RTL-SDR, or HackRF, it can be used to listen to a wide variety of radio transmissions, and can be extended via plugins to support even more modes.
  • Scapy-Radio
    • This tool is a modified version of scapy that aims at providing an quick and efficient pentest tool with RF capabilities. A modified version of scapy that can leverage GNU Radio to handle a SDR card.
  • Universal Radio Hacker
  • RTLSDR Scanner
    • A cross platform Python frequency scanning GUI for the OsmoSDR rtl-sdr library.
    • Details
    • Manual
  • gr-lora
    • This is an open-source implementation of the LoRa CSS PHY, based on the blind signal analysis conducted by @matt-knight. The original research that guided this implementation may be found at https://github.com/matt-knight/research
  • hdfm
    • hdfm displays weather and traffic maps received from iHeartRadio HD radio stations. It relies on nrsc5 to decode and dump the radio station data for it to process and display.

• Wi-Max

  • Ghosts from the Past: Authentication bypass and OEM backdoors in WiMAX routers

---

Zigbee Wireless Networks

• 101
  • Zigbee - Wikipedia
  • IEEE 802.15.4 - Wikipedia
  • IEEE Std 802.15.4-2015 (Revision of IEEE Std 802.15.4-2011) - IEEE Standard for Low-Rate Wireless Networks
• Articles/Presentations/Talks/Writeups
  • ZigBee Exploited: The good, the bad and the ugly - Tobias Zillner
  • KillerBee Framework
    • KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems and much more. Using the KillerBee framework, you can build your own tools, implement ZigBee fuzzing, emulate and attack end-devices, routers and coordinators and much more.
  • SecBee
    • SecBee is a ZigBee security testing tool developed by Cognosec. The goal is to enable developers and security testers to test ZigBee implementations for security issues.
  • Frony Fronius - Exploring Zigbee signals from Solar City
    • Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use Power Inverters/Meters from 3rd parties in order to provide it's services while making the solution affordable for customers. This research will focus on understanding the communication between the Inverter, Internet Gateway and web portal used to view electrical consumption of subscriber.
• Tools
• KillerBee
  • Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks.

Z-Wave

• 101
• Articles/Presentations/Talks/Writeups
  • Stealthy and Persistent Back Door for Z-Wave Gateways
    • Z-Wave is a proprietary wireless protocol that is gaining market share in home automation and security systems. However, very little work has been done to investigate the security implications of these sub-GHz devices. In this talk we review recent work on hacking Z-Wave networks, and introduce a new attack that creates a persistent back door. This attack maintains a stealthy, parallel, and persistent control channel with all Z-Wave devices in the home. We will demonstrate the attack against a commercial Z-Wave security system.
  • Honey, I'm Home!! Hacking Z-Wave Home Automation Systems - video
    • Slides - PDF
• Tools

Miscellaneous

• Wireless Keyboard Sniffer
• nexmon
  • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.