
Sébastien Dudek

SDR Hacking Essential: Break into most RF communications


Trainer: Sébastien Dudek

Date: 24th to 26th Oct 2022

Time: 9:00am to 5:00pm CEST

Venue: Marriott Hotel, The Hague, Netherlands

Training Level: Intermediate; Basic


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

Students will learn about Software-Defined Radio applied against common physical intrusion systems (alarms, intercoms, various remotes, etc.), and IoT devices. This course provides basics, survival reflexes when testing real-world radio devices, and methods to go further. Compared to other courses that teach how to use public tools, this class is more about understanding how these tools work and also how to build proper tools to analyze and attack targeted systems. In the end, we will also see how to go further with an introduction to RF signal analysis instrumentation with help of Machine Learning and Deep Learning, and how to deal with radio emanations and EM side-channel attacks.


Training Overview

In this 3-day training, students will learn about Software-Defined Radio applied against common physical intrusion systems (alarms, intercoms, various remotes, etc.), and IoT devices. This course provides basics, survival reflexes when testing real-world radio devices, and methods to go further. Compared to other courses that teach how to use public tools, this class is more about understanding how these tools work and also how to build proper tools to analyze and attack targeted systems. At the end, we will also see how to go further with an introduction to RF signal analysis instrumentation with help of Machine Learning and Deep Learning, and how to deal with radio emanations and EM side-channel attacks.

This course is intended for any:

  • pentesters who do not want to be limited by public radio tools
  • developers who want to debug and test their wireless devices
  • people curious about SDR and security
  • security researchers


Training Detailed Description:

Day 1 - Go back to school for a day!

Day 1 is an introduction to radio that will help students to learn its concepts and the techniques used today to receive and transmit signals, but also the constraints that we have to deal with in heterogeneous environments:

  • Introduction to radio
    • History, evolution, and regulations
    • Radio waves
    • Digital Signal Processing
    • Sampling theory
    • Software-Defined Radio
    • Antennas
    • Amplifiers and connectors
  • Software-Defined Radio devices
    • Specifications
    • How to choose them
    • A few tips and hacks
  • Observations
    • Waterfall and spectrum analyzers
    • Signal identification
    • Modulation/Demodulation
    • Encoding/Decoding
  • Faraday cages and quick tricks on how to design a very cheap one
  • Use of attenuators and software gain parameters

This day will refresh important radio concepts, but will also introduce new ones specific to Software-Defined Radio and security.

Day 2 - Hands-on radio

Day 2 will put the student in the playground of Software-Defined Radio, where every idea can first be written and simulated, then turned into real receivers and transmitters within the limitations of the chosen hardware:

  • Introduction to GNU Radio Software-Defined Radio
  • Processing in the chain
  • Practice with GNU Radio Companion
    • Block schemas
    • Generators
    • Sinks and sources
    • Operators
    • Simulations
    • Modules
    • Executing a block in a real SDR device
    • Listening to simple AM and FM signals
    • Transferring signals
    • Optimizing sample processing
    • Features to process samples
    • Creating your own block
  • Modulating and demodulating analog radio (AM & FM)
  • Working fully with digital radio (ASK/OOK, FSK, PSK, etc.)
  • Investigation and handy tools

This day is more than 90% practice: small projects to get comfortable with the GNU Radio framework, before diving into bigger ones.

Day 3 - Real-world attacks

Day 3 summarizes and applies the previous chapters to study common IoT communications and brings useful tricks for Red Team tests as well as pentests. In addition, we will also see how we can go further by instrumenting analysis thanks to ML/DL and talk about radio emanations and EM side-channel attacks:

  • Common sub-GHz Remotes
    • Introduction
    • Capturing data
    • Replaying saved samples
    • Analyzing samples (manually and with powerful tools)
    • Rolling codes security and ways to break it
  • Attacking Custom devices
    • Sniffing signals
    • Decoding signals
    • Dumping memory to get information (debugging interfaces, glitching, etc.)
  • Instrumenting analysis
    • The machine learning way
    • The deep learning way
  • Emanations
    • TEMPEST
    • EM side-channel attacks
    • Applying ML/DL in these contexts

And if we have time, or if you want to discuss further during a coffee break or the conference:

  • Bonus introduction, discussion or sharing depending on the time:
    • Devices using the mobile network (2G/3G/4G) and mobile protocol stack hacking
    • LoRa & Zigbee
    • Wi-Fi
    • RFID
    • etc.

What to Expect? | Key Learning Objectives:

Hands-on radio captures, interacting with real signals, creating custom tools for specific communications, identifying technologies, reversing even exotic communications, and interacting with them.


Who Should Attend? | Target Audience:

  • pentesters who do not want to be limited by public radio tools
  • developers who want to debug and test their wireless devices
  • people curious about SDR and security
  • security researchers

What to Bring? | Software and Hardware Requirements:

  • a laptop with at least 8 GB memory to run a tooled VM

What to Bring? | Prerequisite Knowledge and Skills:

  • good basics in Linux
  • basics in security are a plus
  • knowledge of radio is a plus but not required, day 1 is here to make sure we are on the same page

Resources Provided at the Training | Deliverables:

  • Tooled VM
  • Captures to study later
  • An RF kit capable of transmitting and receiving signals in full-duplex

ABOUT THE TRAINERS

Sébastien Dudek is a security researcher at Trend Micro and is also the founder of the PentHertz consulting company, specializing in wireless and hardware security. He has been particularly passionate about flaws in radio-communication systems, and has published research on mobile security (baseband fuzzing, interception, mapping, etc.), and on data transmission over the power line (Power-Line Communication, HomePlug AV) such as domestic PLC plugs, as well as electric cars and charging stations. He also focuses on practical attacks on various technologies such as Wi-Fi, RFID, and other systems that involve wireless communications.