
Applied SDR hacking: Red Team SIGINT for mission-critical, automotive, aviation, and marine targets
2-day in-person
Have you ever had to deal with attacking an RF signal, and YouTube tutorials on the Flipper Zero didn't get you anywhere?
Have you ever wanted to listen in on a security team's radio communications during a physical red team engagement?
Did you ever think that covertly breaking into corporate vehicle fleets or garages should be in-scope, but didn't know how to approach this?
Then this is the course for you.
In an increasingly wireless world, we are surrounded by readily exploitable signals everywhere. Yet too often Red Team operations and pentests leave the RF spectrum unaddressed due to a lack of specialist knowledge and experience, especially when it comes to sensitive RF protocols not typically encountered in conventional enterprise and IoT contexts.
This practically-oriented course, taught by the Midnight Blue team known for their TETRA research, aims to equip security practitioners with field-relevant RF security knowledge and experience. While it thoroughly covers the fundamentals of RF, SDR, and SIGINT, it avoids math-heavy RF engineering with limited relevance to day-to-day operational reality.
Instead, this course will provide attendees with a structured, step-by-step approach to the Signals Intelligence (SIGINT) cycle of targeting, identifying, collecting, processing, and analyzing Signals of Interest (SOIs). This includes the often cumbersome task of getting various special-purpose SDR tools to work on current systems.
Attendees will learn how to exploit such signals with commonly available tooling through awareness of common risks and pitfalls in RF security.
Where other SDR trainings tend to focus on enterprise and IoT RF protocols such as 4G/5G, WiFi, RFID, and BT, this training focuses on important but rarely addressed RF technologies such as automotive, aviation, marine, physical access control RF protocols and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure.
Hands-on exercises such as intercepting and decrypting handheld radio comms and breaking automotive security systems are alternated with thorough overviews of relevant RF protocols and their security posture, as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios.
Course Overview
High-level outline of the course (Course outline is preliminary and subject to minor changes and improvements):
DAY 1 - BLOCK 1: Basics of SDR and SIGINT
Introduction to Radio Frequency (RF), Software Defined Radio (SDR), Digital Signal Processors (DSPs)
SDR theory of operation
Overview of SDR hardware & software
Modulation and signal types
Antenna selection, tuning, and positioning
Building and working with SDR software stacks: SDRangel, Gqrx, GNU Radio, Universal Radio Hacker (URH), DragonOS, Flipper Zero
Signals Intelligence (SIGINT) cycle
DAY 1 - BLOCK 2: Fundamentals of RF Security
Security requirements in RF protocols
Common risks and pitfalls: Jamming, replay, relay, cryptanalysis, etc.
Case studies: railways, water utilities, emergency broadcasts
Physical access control RF systems: automatic doors, gates, barriers, bollards, alarms, etc.
Automotive access control RF systems: Remote Keyless Entry (RKE), Passive Keyless Entry (PKE)
Automotive case study: professional car theft rings
DAY 2 - BLOCK 1: Professional Mobile Radio (PMR) / Land Mobile Radio (LMR) Security
Introduction to PMR / LMR
Terrestrial Trunked Radio (TETRA): Overview, security, vulnerabilities, and available tooling
TETRA SIGINT tooling discussion
TETRA case study: Real-world TETRA interception incidents
APCO-25 (P25): Overview, security, vulnerabilities, and available tooling
dPMR/NXDN: Overview, security, vulnerabilities, and available tooling
TETRAPOL: Overview, security, vulnerabilities, and available tooling
DAY 2 - BLOCK 2: PMR continued, Marine & Aviation
Digital Mobile Radio (DMR): Overview, security, vulnerabilities, and available tooling
DMR SIGINT tooling discussion
DMR case study: DMR usage and targeting in Russia-Ukraine war, Middle-Eastern conflicts, and Mexican cartels
Marine RF systems: AIS/VDES, GMDSS, etc.
Marine case study: tracking & spoofing in conflict zones, piracy, and sanctions evasions
Aviation RF systems: ADS-B, ACARS/VDL, etc.
Drones / Unmanned Aircraft Systems (UAS): telecontrol, analog & digital video (VTX) downlink, scrambling and encryption
Aviation case study: Counter-UAS/drone examples from the Russia-Ukraine war and Middle-Eastern conflicts
Target Audience
- Red Team operators
- Physical pentesters / "Black Team" covert entry operators
- Pentesters, security consultants, and researchers
- Secure procurement evaluators looking to assess the security of a to-be-procured RF solution
- Designers and integrators of embedded RF systems who wish to understand offense to play more effective defense
Pre-requisites
Student requirements:
- Basic familiarity with Linux
- Basic familiarity with Python
- Some understanding of pentesting and red teaming fundamentals
This will be a tech-forward course less suited for executives, project managers, compliance auditors, etc. Ideally, students have some basic general cybersecurity experience (or equivalent education). That being said, we've had some quick learners with different backgrounds who benefited greatly from the hands-on nature of the course.
What Students Should Bring:
- Modern laptop with Core i7 CPU or equivalent/better and preferably 32GB+ RAM (absolute minimum 16GB)
- Laptop should run DragonOS Noble (24.04) or newer (see https://cemaxecuter.com/). A VM is fine, but a native installation is preferred to reduce the risk of spending time on setup problems
- Laptop should *not* be a locked-down corporate laptop; administrator privileges are a must-have
- Laptop should have USB Type A (or Type C + converter) for SDR hardware
- Bring a charger
Trainers will provide (included in the registration price):
- HackRF-based SDR hardware (platform + antenna)
- Several exercise targets, including: fixed-code alarm system, rolling-code RKE/door control system, motion-based alarm system
- Syllabus, exercises, exercise solutions, and tooling
This will allow you to hone your skills in the field with familiar tools, and to continue and reproduce training exercises at home.
Trainer Bio
Jos Wetzels is a co-founding partner at Midnight Blue. His research has involved reverse-engineering, vulnerability research and exploit development across various domains ranging from industrial and automotive systems to IoT, networking equipment and deeply embedded SoCs. He has discovered zero-day vulnerabilities across tech stacks ranging from bootloaders and RTOSes to proprietary protocol implementations. At Midnight Blue, he has consulted for government agencies, grid operators, and Fortune 500 companies worldwide and has been involved in the first ever public analysis of the TETRA radio standard used by police and critical infrastructure globally, uncovering several critical vulnerabilities.
Jos is a member of the Black Hat USA Review Board and a regular conference speaker who has presented at events such as Black Hat, DEF CON, CCC, Usenix, HITB, OffensiveCon, ReCon, EkoParty, and others.
LinkedIn: linkedin.com/in/jos-wetzels-61539598/
Blog : midnightblue.nl
Twitter (X): @s4mvartaka


Wouter Bokslag is a co-founding partner and security researcher at Midnight Blue. He is known for the reverse-engineering and cryptanalysis of the previously secret cryptographic algorithms used in the TETRA radio standard. He has performed specialist security assessments on RF networks of law enforcement agencies, critical infrastructure, and some of the largest companies in the world. In addition, his prior research includes reverse-engineering and cryptanalysis of several proprietary in-vehicle immobilizer authentication ciphers used by major automotive manufacturers as well as co-developing the world's fastest public attack against the Hitag2 cipher. He holds a Master's Degree in Computer Science & Engineering from Eindhoven University of Technology (TU/e) and designed and assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several
LinkedIn: linkedin.com/in/wbokslag/
