Introduction to 《Inside Radio: An Attack and Defense Guide》


Inside Radio: An Attack and Defense Guide

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments; specifically, it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use off-the-shelf tools to explore the wireless world.

About the Authors


Qing YANG is the founder of UnicornTeam and the head of the Radio Security Research Department at 360 Technology. He has vast experience in the information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC, etc.


Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.



This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.


Qiren GU is a senior security researcher at the Radio Security Department of 360 Technology and a member of UnicornTeam. He focuses on wireless communication security, cellular network security, SDR-related technologies, and also other problems in ADS-B, GPS, Bluetooth, Wi-Fi, NFC and RFID. He is a trainer for ISC, a lecturer at 360 Network Security University, and a DEFCON Group 010 speaker. guy behind


Jun LI is a senior security researcher at the Radio Security Department of 360 Technology and a core member of UnicornTeam. He got a master's degree from Chengdu University of Information Technology. He is focusing on the security research of connected cars, wireless communication, hardware, etc. He has presented his research at premier security conferences such as Black Hat, DEFCON, ISC, CanSecWest, HITB, Syscan360, etc. He is a trainer for ISC. He is the author of Smart Car Attack & Defence Demystified. He won sixth place in the MITRE IoT Challenge. He was featured in the documentary A Century With Cars by CCTV. He started the first DEFCON Group in China, DC010, and he is a member of the DEFCON Groups Global Advisory Board.


Haoqi SHAN is a senior security researcher at the Radio Security Department of 360 Technology. He is also a PhD student in information security at the University of Florida. He focuses on Wi-Fi penetration, 2G/4G systems, embedded device hacking, etc. He has given a series of presentations on RFID hacking and LTE device hacking at Black Hat, DEFCON, CanSecWest, CodeBlue, Syscan360, HITB, etc.


Yingtao ZENG is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Technology. He is mainly focused on the security of the Internet of Things, car remote control systems and automotive radar safety research. He has found vulnerabilities in the products of a variety of automobile manufacturers, including Buick, Volvo, Chevrolet, Toyota, Nissan, BYD and more. He was a speaker at Hack In The Box (HITB), the DEFCON Car Hacking Village, and Black Hat.


Wanqiao ZHANG is a senior security researcher at the Radio Security Department of 360 Technology and a member of UnicornTeam. She got a master's degree from Nanjing University of Aeronautics and Astronautics. She is focusing on the security research of communication, civil aviation radio, satellite communication, etc. She has presented her research at premier security conferences such as DEFCON, POC, RUXCON, MOSEC, etc. She is a trainer for IChunqiu and a delegate of Qihoo 360 in 3GPP.


Hardcover ISBN: 978-981-10-8446-1

eBook ISBN: 978-981-10-8447-8

Publisher: Springer Singapore

Publisher: Springer; 1st ed. 2018 edition (May 9, 2018) or April 9, 2018

We will sell the book at HITB SECCONF 2018 Amsterdam.



Index to Outline of 《Inside Radio: An Attack and Defense Guide》

Chapter 1 Overview of Wireless Security, Attack and Defense

1.1 Overview of wireless security
1.1.1 Origin of wireless security
1.1.2 Difference between wireless security and mobile security
1.1.3 Status quo of wireless security
1.2 Wireless attack and defense methods
1.2.1 Common attack targets
1.2.2 Wireless attack methods
1.2.3 Wireless defense methods
1.2.4 Trend of wireless security

Chapter 2 Tools for Wireless Security Research

2.1 Software-defined radio technology
2.1.1 SDR capabilities
2.1.2 SDR usage
2.2 SDR hardware tools
2.2.1 USRP
2.2.2 RTL-SDR
2.2.3 HackRF
2.2.4 bladeRF
2.2.5 LimeSDR
2.3 SDR software tool — GNU Radio
2.3.1 GNU Radio installation
2.3.2 The first thing to do after installation
2.3.3 Example: OFDM Tunnel
2.4 Sniff mouse and keyboard data
2.4.1 Use SDR to sniff data packets of wireless keyboards and mice running on Nordic chips
2.4.2 MouseJack

Chapter 3 RFID/NFC Security

3.1 Introduction to Mifare Classic
3.2 Security analysis of Mifare Classic
3.2.2 Review of the process of cracking Mifare Classic
3.3 A real case of cracking Mifare Classic
3.3.1 Introduction to Proxmark III
3.3.2 Burn and use Proxmark III firmware
3.3.3 Proxmark III client
3.3.4 Test the security of Mifare Classic with Proxmark III
3.3.5 Introduction to Chameleon-Mini
3.3.6 Burn and use Chameleon-Mini firmware
3.3.7 Simulate Mifare Classic by combining Proxmark III and Chameleon-Mini
3.3.8 Conclusion of HF attack and defense
3.4 Security analysis of LFID cards
3.4.1 Introduction to LFID cards
3.4.2 Coding principle of ID cards
3.4.3 Decoding principle of ID cards
3.4.4 Read data from ID cards
3.4.5 Format of the ID card number
3.5 Clone an LFID card
3.5.1 Simulation attacks with Proxmark III
3.5.2 Clone attacks with a blank card
3.5.3 Simulation attacks with HackID
3.6 EMV privacy leakage
3.6.1 EMV introduction
3.6.2 Mechanism of privacy leakage in contactless chip cards
3.6.3 Phenomenon of privacy leakage in contactless chip cards
3.6.4 Contactless chip card fraud
3.6.5 Privacy protection in the use of contactless chip cards

Chapter 4 433/315MHz Communication

4.1 Sniff and analyze the security of remote control signals
4.2 Attacks by replaying remote control signals
4.2.1 Parking bar signal replay
4.2.2 Wireless door bell signal replay
4.2.3 Vibrator signal replay
4.3 Crack fixed-code garage doors with brute force
4.3.1 Complexity of brute-force attack
4.3.2 Hardware for fixed-code brute-force attack
4.4 Security analysis of remote car key signals
4.4.1 Generation of remote control signals
4.4.2 Security analysis of Keeloq key generation algorithm
4.4.3 An example of remote controller bugs
4.4.4 Rolljam replay attacks on car keys
4.4 Security analysis of the PKE system
4.5 Security analysis of the tire pressure monitoring system

Chapter 5 Aeronautical Radio Navigation

5.1 Introduction to ADS-B system
5.1.1 Definition of ADS-B
5.1.2 Definition of 1090ES
5.2 ADS-B signal encoding
5.2.1 Modulation method
5.2.2 Format of message
5.2.3 Altitude code
5.2.4 CPR longitude and latitude code
5.2.5 CRC validation
5.3 ADS-B signal sniffing
5.3.1 Receive ADS-B signal with “dump1090”
5.3.2 Receive ADS-B signal with “gr-air-modes”
5.4 ADS-B signal deception
5.5 Analysis of attack and defense

Chapter 6 Bluetooth Security

6.1 Introduction to Bluetooth technology
6.3 Bluetooth sniffing tool Ubertooth
6.3.1 Ubertooth software installation
6.3.2 Ubertooth usage
6.4 Low-power Bluetooth
6.4.1 TI’s BLE Sniffer
6.4.2 Sniff BTLE data packets with “ubertooth-btle”
6.4.3 Read and write BLE devices’ properties with a mobile app
6.4.4 Transmit data packets by simulating the BLE device

Chapter 7 ZigBee Technology

7.1 Introduction to ZigBee
7.1.1 The relationship between ZigBee and IEEE 802.15.4
7.1.2 Structure of 802.15.4 frames
7.1.3 Different types of MAC frame in ZigBee
7.1.4 Device types and network topology of ZigBee
7.1.5 ZigBee networking
7.1.6 Application layer of ZigBee
7.1.7 The application support sub-layer of ZigBee
7.1.8 Application profile of ZigBee
7.2 ZigBee security
7.2.1 Security layers
7.2.2 Key types
7.2.3 Security levels
7.2.4 Key distribution
7.2.5 Access authentication for ZigBee nodes
7.3 ZigBee attacks
7.3.1 Attacking tools
7.3.2 Protocol analysis software
7.3.3 Network discovery
7.3.4 Attack an unencrypted network
7.3.5 Attack an encrypted network
7.4 An example of attacking
7.4.1 Obtain the key from the device
7.4.2 Attacks by using the key
7.5 Summary of attacks and defenses

Chapter 8 Mobile Network Security

8.1 Security status of the GSM system
8.1.1 Terminology and basic concepts of the GSM/UMTS system
8.1.2 Security of GSM encryption algorithms
8.1.3 Active attack and passive attack in GSM
8.1.4 GSM sniffing with “gr-gsm”
8.2 IMSI Catcher
8.2.1 What is an IMSI Catcher?
8.2.2 IMSI Catcher in GSM environment
8.2.3 IMSI Catcher in UMTS environment
8.2.4 IMSI Catcher in LTE environment
8.2.5 Defect of the IMSI Catcher
8.2.6 Stingray cellphone tracker
8.2.7 IMSI Catcher Detector
8.3 Femtocell security
8.3.1 Introduction to femtocell
8.3.2 Attack surface of femtocell
8.3.4 GSM femtocell based on VxWorks
8.4 LTE redirection and downgrade attack
8.4.1 Redirection attack principles (IMSI catcher, DoS attack, redirection attack)
8.4.2 The cause of redirection bugs
8.5 ‘Ghost Telephonist’ Attack
8.5.1 Vulnerability principle
8.5.2 Experiment setting
8.5.3 Attack methods
8.5.4 Countermeasures
8.6 Analysis of attack and defense

Chapter 9 Satellite Communication

9.1 Overview of artificial satellites
9.2 GPS security research
9.2.1 GPS sniffing and security analysis
9.2.2 GPS spoofing
9.2.3 Methods of defense and suggestions
9.3 Security analysis of Globalstar system
9.3.1 Globalstar’s CDMA technology
9.3.2 Globalstar data cracking
9.3.3 Possible attack methods


