The objective of this article is to share my experiences with RF hacking. It provides useful insights and practical tips for progressing in the field. This account is based on my study of MISC magazine, in particular special issue number 29, and on my earlier blog posts about hardware hacking. We will review the problems encountered, the bottlenecks, and the solutions that can help resolve them.

Choice of equipment

Radio equipment is quite expensive and requires a significant budget to gain proficiency in this field. It’s challenging to start when you’re unsure if you will enjoy the domain or not. Here is the list of my choices, the good points, the regrets, and my projections for the future.

Choice of SDR dongle

Personally, I opted for the NESDR Smart v5 with an antenna, a software-defined radio (SDR) dongle that costs around 40 euros. It covers a frequency range of 100 kHz to 1.75 GHz, offers up to 3.2 MHz of instantaneous bandwidth (in practice about 2.4 MHz is usable without dropped samples), and is compatible with most standard SDR software. It is receive-only (RX), which is sufficient for a beginner to start and learn the SDR basics.

While I believe this setup is a good starting point, it falls short for many interesting communication channels such as Wi-Fi and mobile networks (2G, 3G, 4G): it cannot reach the 2.4 GHz band, its bandwidth is far below a 20 MHz Wi-Fi channel, and it cannot transmit. To advance further, I would consider upgrading to a BladeRF 2.0 micro xA4, which appears to be a good compromise between cost and functionality.

Choosing a computer-controlled radio dongle

I also purchased a Yardstick, a sub-1 GHz radio transceiver controlled from the PC through the RfCat tool. Unfortunately, it hasn't been very useful to me, and I regret buying it so hastily. My mistake stemmed from confusing the Yardstick with an SDR dongle, which it is not: it does not expose raw IQ samples, it sends and receives packets with modulation parameters you configure. That said, the Yardstick can be quite effective for tasks like brute-forcing garage doors or similar devices.

If I develop a deeper interest in radio hacking in the future, I would prefer an SDR tool that supports both transmitting and receiving (RX/TX).

Antenna

The ATN 500 antenna is a versatile VHF-UHF telescopic antenna with a 50-ohm impedance, designed to cover a frequency range from 75 MHz to 1 GHz. This range makes it a suitable choice for initial IoT experiments, such as garage door hacking. However, for more advanced applications like mobile communications, Bluetooth, or Wi-Fi attacks, a different antenna covering the cellular bands or 2.4 GHz would be necessary.

The antenna’s length can be adjusted from 20 cm to 88 cm, allowing for flexibility in various scenarios. Constructed from stainless steel, it is durable and reliable. The ATN 500 features a male SMA connector and a tilt-and-rotate element that is adjustable to 360°, ensuring optimal positioning.

Designed for vertical polarization, the antenna is capable of omnidirectional transmission and reception, meaning it can pick up signals from all around. However, this also makes it more susceptible to interference and noise, which can compromise signal clarity.

Choice of methodology to analyze a signal

I think I quickly understood the main aspects of radio signal analysis, because it resembles other methods, such as those used in electronics. Here is the method that seems most relevant to me:

  • Find the communication frequencies: OSINT, spectrum analysis
  • Analyze the communication "encoding": type of modulation, modulation parameters, etc.
  • Identify the protocol: GSM, Wi-Fi, Bluetooth, etc.

However, this process still has to be put into practice for each of the points above.

Finding communication frequencies

With OSINT, I think I have found a good method:

  • Find the product documentation
  • Find documentation of similar products from the same manufacturer or competitors
  • If this does not yield conclusive results, search for the most common frequency bands for this type of product (for European consumer devices, typically the 433.92 MHz and 868 MHz ISM bands; 315 MHz is common in North America)

If this part ended there, it would be a quick win. However, nothing is ever that simple. The problem arises when there is no information about the product and we have to work black-box, which requires spectrum analysis. With only the 3.2 MHz of instantaneous bandwidth my dongle offers, this becomes a real labor-intensive task: a wide band has to be scanned in 3.2 MHz chunks and the results stitched together. Doing it efficiently calls for dedicated equipment, and therefore a sizeable budget (entry level around 2000 euros, and around 4000 euros for serious, really usable equipment). I think, however, that at my level an OSINT analysis is sufficient, and I will revisit this area once I am much more experienced.
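To show what the chunked scan looks like in code, here is an added example (not code from the original post): it sweeps a band in 3.2 MHz-wide chunks, runs a windowed DFT on each chunk, reports peaks above the noise floor, and stitches the chunks back together. The radio is replaced by a constructed stand-in, `fake_tune_and_capture()`, that hides two made-up emitters at 433.92 MHz and 434.42 MHz so the script runs offline; the chunk overlap, DC-spike masking and edge trimming are the checks you need on real RTL-SDR captures.

```python
"""Added example (not from the original post): brute-force spectrum sweep with a
3.2 MHz-wide receiver. The radio is replaced by a constructed stand-in so the
code runs offline; swap fake_tune_and_capture() for real captures."""
import cmath
import math
import random

SAMPLE_RATE = 3_200_000   # Hz: the dongle's instantaneous bandwidth
N_FFT = 256               # 3.2 MHz / 256 = 12.5 kHz per bin

# Constructed emitters the sweep is supposed to find: (frequency Hz, amplitude)
HIDDEN_EMITTERS = [(433_920_000, 1.0), (434_420_000, 0.5)]


def fake_tune_and_capture(center_hz, n=N_FFT, noise_sigma=0.05):
    """Stand-in for tuning the SDR to center_hz and reading n IQ samples.

    Emits any HIDDEN_EMITTERS that fall inside +/- SAMPLE_RATE/2 of the centre,
    plus Gaussian noise and a DC offset (the spike a real RTL-SDR shows in the
    middle of its spectrum). Deterministic per centre frequency.
    """
    rng = random.Random(center_hz)
    samples = []
    for k in range(n):
        s = complex(0.3 + rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
        for f_hz, amp in HIDDEN_EMITTERS:
            offset = f_hz - center_hz
            if abs(offset) <= SAMPLE_RATE / 2:
                s += amp * cmath.exp(2j * math.pi * offset * k / SAMPLE_RATE)
        samples.append(s)
    return samples


def power_spectrum_db(samples):
    """Windowed DFT, returned as per-bin power in dB ordered -fs/2 .. +fs/2.

    Plain-Python O(n^2) DFT so there is no numpy dependency; the periodic Hann
    window keeps a strong emitter's sidelobes (~31 dB down) from being reported
    as extra weak emitters.
    """
    n = len(samples)
    window = [0.5 - 0.5 * math.cos(2 * math.pi * t / n) for t in range(n)]
    x = [s * w for s, w in zip(samples, window)]
    twiddle = [cmath.exp(-2j * math.pi * i / n) for i in range(n)]
    bins = []
    for k in range(n):
        acc = 0j
        for t in range(n):
            acc += x[t] * twiddle[(k * t) % n]
        bins.append(acc)
    shifted = bins[n // 2:] + bins[:n // 2]          # like numpy.fft.fftshift
    return [20 * math.log10(abs(b) / n + 1e-12) for b in shifted]


def merge_hits(hits, tol_hz):
    """Collapse readings of one emitter seen in overlapping chunks or adjacent
    bins into a single (frequency, power) entry, keeping the strongest."""
    merged = []
    for f_hz, p_db in sorted(hits):
        if merged and f_hz - merged[-1][0] <= tol_hz:
            if p_db > merged[-1][1]:
                merged[-1] = (f_hz, p_db)
        else:
            merged.append((f_hz, p_db))
    return merged


def sweep(start_hz, stop_hz, capture=fake_tune_and_capture, margin_db=25):
    """Scan [start_hz, stop_hz] in chunks and return [(frequency_hz, power_db)].

    Chunks step by half the bandwidth, so every frequency is seen off-centre in
    at least one chunk; the DC spike (centre bins) and the outer 10 % of each
    chunk, where the dongle's anti-alias filter rolls off, are ignored.
    """
    n, bw = N_FFT, SAMPLE_RATE
    step = bw // 2
    usable = int(0.4 * n)
    bin_hz = bw / n
    hits = []
    center = start_hz + bw // 2
    while center - bw // 2 < stop_hz:
        spec = power_spectrum_db(capture(center))
        floor_db = sorted(spec)[n // 2]    # median ~ noise floor: few bins carry signal
        for i in range(1, n - 1):
            b = i - n // 2                 # signed bin index relative to the centre
            if abs(b) <= 2 or abs(b) > usable:
                continue
            is_peak = spec[i] >= spec[i - 1] and spec[i] > spec[i + 1]
            if is_peak and spec[i] > floor_db + margin_db:
                hits.append((center + b * bin_hz, round(spec[i], 1)))
        center += step
    return merge_hits(hits, 2 * bin_hz)


if __name__ == "__main__":
    for f_hz, p_db in sweep(430_000_000, 440_000_000):
        print(f"{f_hz / 1e6:.3f} MHz  {p_db:+.1f} dB")
```

On a real dongle, `capture` would set the centre frequency and read samples (with pyrtlsdr: `sdr.center_freq = center_hz` then `sdr.read_samples(n)`), and N_FFT would be raised to a few thousand for finer resolution, which is where the labor-intensive part comes from: each chunk needs a retune, a settling delay and a capture, and a 400 to 470 MHz scan is already 25 chunks at this step size.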

Optimization of the radio setup

One aspect I am not proficient in is adjusting the antenna, including its position, length, and placement, so that it is tuned as well as possible to the target signal. This is checked with a VNA (Vector Network Analyzer), which measures the antenna's impedance and SWR at the frequency of interest. Again, the entry-level cost is around 280 euros, with prices easily reaching 850 euros for amateur equipment that will last for some time.
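Before paying for a VNA, the length side of the problem can at least be estimated. The following is an added example (not from the original post): it computes the resonant lengths a telescopic whip can be extended to for a given frequency, checks them against the 20 to 88 cm range quoted above for the ATN 500, and converts the impedance a VNA reports into an SWR. The 0.95 velocity factor is an assumption; the VNA reading is what confirms the match.

```python
"""Added example (not from the original post): back-of-the-envelope numbers for
setting a telescopic whip before confirming the match on a VNA. Velocity factor
and the telescopic range are assumptions taken from the ATN 500 description."""
C_M_PER_S = 299_792_458
TELESCOPIC_CM = (20.0, 88.0)          # ATN 500 adjustable length range


def resonant_length_cm(freq_mhz, fraction=0.25, velocity_factor=0.95):
    """Physical length of a whip that is `fraction` wavelengths long at
    freq_mhz. velocity_factor (assumed 0.95) shortens the free-space value
    to account for element thickness and end effect."""
    wavelength_m = C_M_PER_S / (freq_mhz * 1e6)
    return wavelength_m * fraction * velocity_factor * 100


def telescopic_setting(freq_mhz, limits_cm=TELESCOPIC_CM):
    """Shortest resonant setting reachable by the telescopic: try lambda/4, then
    the odd multiples 3/4 lambda, 5/4 lambda ... Returns (fraction, cm) or None
    when no resonant length fits (e.g. HF bands far below the whip's range)."""
    lo, hi = limits_cm
    for k in range(6):
        fraction = 0.25 + 0.5 * k
        length = resonant_length_cm(freq_mhz, fraction)
        if lo <= length <= hi:
            return fraction, round(length, 1)
    return None


def swr(z_load, z0=50.0):
    """Standing-wave ratio from the load impedance a VNA reports (complex ohms).
    |Gamma| = |(Z - Z0)/(Z + Z0)|; SWR = (1+|Gamma|)/(1-|Gamma|)."""
    gamma = abs((complex(z_load) - z0) / (complex(z_load) + z0))
    return float("inf") if gamma >= 1.0 else (1 + gamma) / (1 - gamma)


if __name__ == "__main__":
    for f in (433.92, 868.0, 100.0, 27.0):
        print(f"{f:7.2f} MHz -> {telescopic_setting(f)}")
    print("SWR of 75 ohm load:", round(swr(75), 2))
```

The point worth noticing is that a quarter wave at 433.92 MHz is about 16 cm, shorter than the antenna's 20 cm minimum, so for the classic garage-door band the whip has to be extended to three quarters of a wavelength (about 49 cm) instead.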

SDR

Mastering software-defined radio (SDR) is crucial for signal analysis in RF hacking, because generic, programmable hardware can intercept and decode a wide range of radio signals and provides a versatile platform for experimenting with and developing RF hacking tools. To make real progress in SDR, it is essential to perform precise and clean analyses. Currently, I can only configure GQRX roughly and interpret the data shown on its two graphs, the spectrum and the waterfall (refer to previous articles).
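The step after reading the GQRX spectrum and waterfall by eye, and the second point of the methodology above (analyze the encoding: modulation type and parameters), is to take the recorded IQ samples and demodulate them. Here is an added example (not the post author's code) for the most common case in cheap remotes, on-off keying with pulse-width encoded bits: it envelope-detects the capture, slices it into pulses, measures the short-pulse width and symbol rate, and recovers the bits. The frame is constructed in `make_ook_capture()` with an assumed 250 kS/s sample rate and a 12-bit made-up code; nothing was recorded from a real device.

```python
"""Added example (not from the original post): recover the bits of a PWM-encoded
OOK frame from IQ samples. The capture is constructed in make_ook_capture();
nothing here was recorded from a real remote."""
import cmath
import math
import random

SAMPLE_RATE = 250_000   # Hz, assumed decimation of a 2.4 MS/s dongle capture
SHORT_US = 400          # constructed short-pulse width in microseconds
CODE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]   # constructed 12-bit fixed code


def make_ook_capture(bits, freq_offset_hz=20_000, snr_db=20, seed=7):
    """Synthesise IQ samples for one OOK frame using a PWM bit encoding
    (constructed, in the style of cheap fixed-code remotes):
        bit 1: carrier on 2*SHORT_US, off SHORT_US
        bit 0: carrier on SHORT_US,   off 2*SHORT_US
    The carrier sits freq_offset_hz off the tuned centre, as after rough
    tuning in GQRX, and Gaussian noise is added at the requested SNR."""
    rng = random.Random(seed)
    short = SAMPLE_RATE * SHORT_US // 1_000_000          # samples per short pulse
    envelope_levels = []
    for bit in bits:
        on, off = (2 * short, short) if bit else (short, 2 * short)
        envelope_levels += [1.0] * on + [0.0] * off
    envelope_levels += [0.0] * (4 * short)               # inter-frame silence
    sigma = 10 ** (-snr_db / 20)                         # noise per I/Q component
    samples = []
    for k, amp in enumerate(envelope_levels):
        carrier = cmath.exp(2j * math.pi * freq_offset_hz * k / SAMPLE_RATE)
        noise = complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        samples.append(amp * carrier + noise)
    return samples


def envelope(samples, window=8):
    """Magnitude detector with a short moving average. OOK data rides on
    |I + jQ|, so a small tuning error does not matter here."""
    mags = [abs(s) for s in samples]
    out, acc = [], 0.0
    for i, m in enumerate(mags):
        acc += m
        if i >= window:
            acc -= mags[i - window]
        out.append(acc / min(i + 1, window))
    return out


def to_pulses(env, threshold=None):
    """Slice the envelope into (is_high, duration_us) runs. The threshold
    defaults to the midpoint between the quietest and loudest level seen."""
    if threshold is None:
        threshold = (max(env) + min(env)) / 2
    pulses = []
    level, run = env[0] > threshold, 0
    for v in env:
        cur = v > threshold
        if cur == level:
            run += 1
        else:
            pulses.append((level, run * 1e6 / SAMPLE_RATE))
            level, run = cur, 1
    pulses.append((level, run * 1e6 / SAMPLE_RATE))
    return pulses


def decode_pwm(pulses):
    """Use the shortest 'on' pulse as the time unit; an 'on' longer than 1.5
    units is a 1, otherwise a 0. Returns (unit_us, bits)."""
    highs = [d for is_high, d in pulses if is_high]
    unit = min(highs)
    bits = [1 if d > 1.5 * unit else 0 for is_high, d in pulses if is_high]
    return unit, bits


def analyse_capture(samples):
    """Full chain: envelope -> pulses -> bits, plus the symbol timing you
    would need to replay or brute-force the code with a transmitter."""
    unit_us, bits = decode_pwm(to_pulses(envelope(samples)))
    return {
        "short_pulse_us": unit_us,
        "symbol_rate_baud": 1e6 / (3 * unit_us),  # one bit = 3 short units
        "bits": bits,
    }


if __name__ == "__main__":
    print(analyse_capture(make_ook_capture(CODE)))
```

Two things this shows that the waterfall alone does not: the decoder never needs to know the exact carrier frequency, because OOK lives entirely in the magnitude, and the encoding parameters you recover (short pulse about 400 µs, roughly 830 baud, 12 bits) are exactly what a transmitter such as the Yardstick would be configured with to replay the frame. Real captures additionally need a preamble or sync detection and a check that the same code repeats across frames; rolling-code devices will show a different code every press.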

Attack on radio

At the moment, I am focusing on analyzing signals to understand what is happening, but this does not in itself constitute an attack. In the next phase, conducting radio attacks (such as jamming, replay, etc.) is the logical continuation of the learning process. However, I currently do not have the necessary equipment to carry out these actions, since my dongle is receive-only.

Conclusion

There is still much to explore in RF hacking, and I am only beginning to glimpse this fascinating and vast universe. There are countless opportunities for discovery and innovation. However, diving into this field requires a significant investment in expensive equipment, with a basic starter lab costing around 4000 euros. Choosing the right equipment is crucial and can be daunting without a certain level of expertise. This field is challenging to enter, demanding a solid scientific background. Moreover, comprehensive documentation is noticeably lacking; what exists is rare and sparse. This is one of the main reasons I want to share my insights and experiences through this blog.