Shmoocon 2014 Wireless CTF SDR Challenge; Postmortem
In 2007-2008, I had the honor of working with Johnny Long” in providing some material for his No Tech Hacking book; around this time frame, Johnny was presenting the concepts to include the question What does a Hacker see?. Shortly thereafter, while sitting in a security conference, I proposed a twist on this question due to all the phones that were ringing and buzzing about; the modified question became What does a Hacker hear?. This has been an observation I've continued to have over the years as the digital age has continued to grow and consume our lives. However, and coincidentally enough, the same application of this theme has presented itself once again.
Recently, at BSides-DE 2013, dragorn, another fellow, and I had the pleasure of teaching a class regarding wireless technology, to include Software Defined Radios. At this conference, the folks who host the Wireless Village at Defcon were running a wireless capture the flag event. To spice things up, dragorn and I worked on developing the first SDR-CTF and beta tested the event at BSides-DE. It went okay? A lot of people tried it, but few had success in defeating the challenges.
Dragorn, Zero_chaos, the WCTF team and I had a call regarding the event and decided that Shmoocon would be a great venue to expand on the concept. We framed up some additional challenges, and came with 5 official ones, and 2 additional 'hey, why not?' challenges. It should also be noted that a HUGE tip of the hat should go to everyone for their support in this effort, especially Zero_Chaos, whom despite being terribly sick (and we all worried about his condition) put together a special version of Pentoo for Shmoocon 2014 for this challenge.
Let us explore the challenges now, and how you can become better prepared for the next WCTF-SDR challenges.
We lucked out on this one. Apparently there was a vendor who was selling RTL-SDR's for near at cost prices. If it were not for them, there was not going to be as nearly as many people who attempted the challenge. We were very fortunate for that; thank you, whomever you are (UPDATE: The vendor was Garrett Gee from http://hackerwarehouse.com. Thanks Brian for the intel.). So, what was it people were using? I observed the following:
Here is a great video explaining the basics of a kit, and a nice way of organizing it.
I was frequently asked by people “what tools/software do I need to bring/use?” My consistent, and probably very annoying, answer was “what ever it takes to capture the flag.” When I designed these challenges, and tested them, I wanted to make sure everyone could capture all, or most, of the flags with Windows, Pentoo (linux) or OSX. Fortunately, this design paid off. In the case of Windows and Pentoo, I was able to defeat all the challenges during the testing. I don't have OSX to test with, but I was seeing a few brave souls taking a successful crack at some of the flags.
You might also notice that there were some really crazy tools that people used in that list, such as the HackRF and BladeRF. While they will work just as fine, my design goal was to make it as accessible to as many people as possible.
There was a reoccurring question of “how should I attack a SDR challenge?” This is a very good question, because the method is different from the traditional WiFi challenges that exist. Like I had mentioned, you must listen to those signals; your brain is a very good computer, and great at patten matching. As such, review this excellent guide on signal identification. Another observation I had were frequency sweeps looking for spikes. These can be useful, but you need a baseline. If you're going to do this, go to another part of the conference, away from the challenge, and conduct multiple samples and create an average. This will become your baseline. Then come back to the challenge, and conduct multiple sweeps to compare against your baseline. Not all challenges are constantly transmitting.
CHALLENGE 1 - AFSK
If you listened through the various frequencies, you might have heard something that sounded like a modem on 77.6 MHz. Well, it's because it was transmitting a quotation encoded by Audio Frequency-Shift Keying. The inspiration of this challenge came from here. Read this page, and you should be on your way to understanding the step by step process.
CHALLENGE 2 - AFSK #2
If it wasn't easy enough, this one built upon the fundamentals of the first AFSK challenge. Transmitting on 78.5 MHz, another message was being encoded and transmitted, but it was slightly more obscure. It was a base-64 encoded, hexadecimal ICMP packet, where the payload wasn't ABCDEFG…. so on and so forth. Simple enough, right?
CHALLENGE 3 - SSTV
Slow Scan Television is probably one of the most annoying things to listen too. The protocol is used by Ham Radio operators to transmit still images, and is reminiscent of watching a large image load over dialup. There are many decoders for SSTV for Windows, Linux and OSX. I tested Windows and Linux decoders, and they seemed to work just fine.
CHALLENGE 4 - Morse Code
Much like Alton Brown laughs diabolically in “Cutthroat Kitchen,” I figured a little morse code should be nice and enjoyable. At 100 MHz, a 5 word per minute transmission was repeated over and over. There is software to automate the decoding of the dits and dashes for the lazy, or uninformed (I fall into both those categories); none the less, I think this was the most sinister of them.
CHALLENGE 5 - Analogue UHF TV
Okay, maybe I was wrong. Alton would love this one more, because of how simple it is. A lot of the RTL-SDR's that are sold are simple TV receivers. If you found the right program to talk to the device, all you had to do was scan (I think it was in the 900MHz band) for available TV transmissions and you would have solved this one.
CHALLENGE 6 - Bug
Rick had found a small FM transmitter; in all honesty, we didn't know much of it when we plugged it in. It was easy to find, the signal drifted a bit (probably by design); it was probably the easiest thing to identify out of all of them. The mic for it was right up and against the audio that was being transmitted for the WCTF.
CHALLENGE 7 - APT
Who can resist saying APT at a security conference? But this time, APT stands for Automatic Picture Transmission. This is the protocol used for the transmission of images from the NOAA Weather Satellites. I believe, to date, there are only three that are working: NOAA-15 (137.620 MHz), NOAA-18 (137.9125 MHz), NOAA-19 (137.100 MHz). There's a ground station in the DC area, so the birds pass over with some regularity. If anyone noticed, there was some PVC pipe and a box of wire. You were expected to construct a quadrifilar helix antenna. Heck, even the omni's that come with the RTL-SDR's will work, if you're in the right place. Timing is important in this one too; knowing when they're coming is necessary. Had anyone completed this, you probably would have won the whole competition. Alas, only one person figured out the bad puns and theme of K2RNF, began constructing the antenna… but over slept.
A special thanks to dragorn, Zero_Chaos and the Wireless CTF Team (Rick, Tara, Justin and John). Thank you for the opportunity; ya'll exemplify everything that is right in our community. For those people who may be reading this that don't know the folks above, I highly and strongly suggest you meet them.
Well, thanks for reading. If you have any questions, you know how to reach me (I hope).