Tutorials on Wireless Research Frameworks and Tools

Co-located with WiSec 2021, Virtual, July 2, 2021

While there are many open-source research tools, it is hard to distinguish between well-working projects and paperware. Papers claim to solve many interesting problems. However, when trying to build upon those papers’ artifacts, researchers will often face limitations not mentioned before. This situation makes it hard for new researchers to start in practical fields like wireless research, because it complicates setting up experimental environments and building proof of concepts.

Tutorial Format

This tutorial session aims to close this gap by providing short tutorials on elaborated frameworks and tools. Project maintainers or highly advanced users will show a quick walkthrough example, discuss features and limitations, and give an outlook on planned features in upcoming releases. With this, it facilitates jump-starting your research.

Each tutorial will be limited to a maximum of 42 minutes, followed by a Q&A session. This time limit does not allow showing each and every specialty of a tool. However, it is sufficient to provide the gist of each tool to let newcomers decide if this tool is helpful for their research. Recordings will be made public after the workshop.

Organization

As of now, the program is not final and further speakers will be invited. If you have any suggestions about topics, who to invite, or want to participate as a speaker yourself, please contact Jiska Classen at jiska.classen@seemoo.tu-darmstadt.de.

Programming Software Defined Radios with GNU Radio

Bastian Bloessl
Secure Mobile Networking Lab
TU Darmstadt, Germany

The broad availability of Software Defined Radios (SDRs) makes accessing the wireless spectrum easier than ever before. The ability to send and receive arbitrary signals makes them an interesting tool also for security researchers, in particular to interact with devices, using proprietary physical layers and protocols.

In this session, we walk through a complete example, decoding a wireless car key fob. This provides an overview of the most relevant open source tools in the domain and shows how they can be combined to decode an undocumented proprietary signal. In this example, we will be using Fosphor, Inspectrum, and GNU Radio.

Instrumenting Bluetooth Firmware with InternalBlue

Jiska Classen
Secure Mobile Networking Lab
TU Darmstadt, Germany

Bluetooth is a protocol with a sophisticated physical layer and even more complex stack building on top of it. Tools building on top of software-defined radios have many limitations and do not integrate the behavior of proprietary mobile device stacks.

InternalBlue solves this problem by modifying the Bluetooth firmware. This allows implementing non-compliant lower-layer functionality to test the Bluetooth specification, which enabled various researchers to uncover severe issues affecting pairing and encryption recently. Moreover, InternalBlue enables researching a chip’s hardware and firmware security. It runs on all jailbroken iPhones and MacBooks, selected rooted Android phones, Raspberry Pis, and evaluation kits.

Fuzzing Basebands with BaseSAFE

Dominik Maier
Security in Telecommunications
TU Berlin, Germany

Wireless firmware is susceptible to over-the-air attacks that do not require any user interaction. Simple actions such as scanning for available networks, cells, or devices, which happens in the background, could allow an attacker to take over a baseband chip. This, in turn, allows access to traffic processed by a wireless chip and opens the doors for escalations into the main mobile operating system.

BaseSAFE supports partial emulation of baseband firmware, bringing coverage-guided fuzzing to basebands. The underlying design, built on top of AFL++’s unicornafl, can be applied to all kinds of devices. In this example, you will learn how to instrument a parser in the MediaTek baseband firmware.