
2017/10/19 | Secure Mobile Networking Lab

Secure Mobile Networking Lab Exercise and Project

Winter 2017/18 – Kick-off - Topics

SEEMOO Lab Exercises and Projects Winter 2017/18 Slide2

Topic Overview

• DS1: Practical Eavesdropping on Directional Millimeter Waves
• DS2: 60 GHz Backhaul Beam-Steering with Reconfigurable Links
• DS3: Static and Dynamic Analysis of Closed-Source Binary WiFi Firmware
• MaS1: Wi-Fi, Bluetooth and NFC Firmware Hacking on Smartphones
• DW1: Android native function hooking on ARM64
• DW2: KRACK Attack: improvise, adapt, overcome
• MM1: NFC Payment Security
• MM2: Data mining sensor data to infer human actions
• MM3: Collecting and using ENF Data as a security feature
• MiS1: Linux/Android Implementation for the Apple Wireless Direct Link Protocol
• MiS2: Speeding up the ONE (and only) network simulator
• DY1: Random Network Coding based Broadcast
• DY2: Data Collection with TSCH
• RK1: Real-Time IEEE 802.11 Implementation on FPGA
• RK2: PHY ex Machina

DS1: Practical Eavesdropping on Directional Millimeter Waves

Millimeter waves differ from conventional wireless technologies and feature high directionality. Communicating with narrow beams might improve security, as attackers are naturally degraded. But does this protect against eavesdropping?

Your tasks:
● Get familiar with 802.11ad devices
● Understand our paper on foundations
● Implement practical eavesdropping with common devices and take into account beam steering
● Evaluate different attacker classes

Contact: Daniel Steinmetzer

Type: Lab/Project for 1-2 students
Prerequisites: Linux, Wireless Systems

DS2: 60 GHz Backhaul Beam-Steering with Reconfigurable Links

IEEE 802.11ad provides high data rates that are suitable for backhaul connections of common access points or routers. However, beam-steering adds additional overhead. Can you create a centrally coordinated system to handle reconfigurable links?

Your tasks:
• Get familiar with 802.11ad
• Manage large deployments of routers
• Develop beam-steering solutions
• Demonstrate flexible reconfiguration for AP deployments or data-centers

Contact: Daniel Steinmetzer

Type: Lab/Project for 2-4 students
Prerequisites: Linux, Network Administration

DS3: Static and Dynamic Analysis of Closed-Source Binary WiFi Firmware

We currently implement additional functionality on IEEE 802.11ad WiFi chips, e.g. to increase the performance or to execute custom protocols. However, WiFi firmwares are typically closed source and lack suitable debuggers, which impedes our development. To obtain an understanding of the firmware and to open interfaces for custom extensions, we aim to analyze the binary firmware by means of static and dynamic analysis techniques.

Your tasks:
● Get familiar with the firmware
● Find and select suitable analysis tools
● Build your own toolchain for this architecture
● Analyze the firmware (call trace, stack dump, …) and identify functions and security flaws

Contact: Daniel Steinmetzer

Type: Lab/Project for 2-4 students
Prerequisites: Reverse Engineering, Assembly

MaS1: Wi-Fi, Bluetooth and NFC Firmware Hacking on Smartphones

Contact: Matthias Schulz

After reverse engineering the Wi-Fi firmware of Android smartphones, we now target new applications and platforms for our firmware hacks and have also started to extract additional firmwares, such as the Bluetooth firmware, which needs analysis.

Your tasks: Depending on your interest, you can choose from different topics
• Use our firmware patching framework Nexmon to convert the Wi-Fi chip into an SDR to transmit and receive arbitrary signals
• Extract and analyze the NFC firmware to enable attacks against Mifare cards on your phone
• Extend our Nexmon Penetration Testing App for Android

Type: Lab/Project for 1-4 students

Prerequisites: Interest in Reverse Engineering and figuring out how things work

DW1: Android native function hooking on ARM64

NFCGate is an Android app which allows wormholing attacks on NFC systems. To accomplish this, NFCGate hooks native Android functions. This makes it possible to modify native code without modifying the Android image itself. Unfortunately, this only works on ARM32 devices for now. Your task would be to find a hooking method which works on ARM64 and update NFCGate accordingly.

Your tasks:
• Analyze the problems when hooking ARM64 functions instead of ARM32 functions
• Create your own / find an already working method to hook native functions in Android in an ARM64 environment
• Modify NFCGate to work on an ARM64 based smartphone

Contact: Daniel Wegemer & Max Maass

Type: Lab/Project for 1-2 students
Prerequisites: C, Assembly (maybe), Android internals

[Figure: layer diagram with the levels App (NFCGate), Native Code, Hardware]

DW2: KRACK Attack: improvise, adapt, overcome

KRACK: A key reinstallation attack on WPA2
● affects all WiFi devices
● retransmission of message 3 in the 4-way handshake
● allows replay, decryption and forgery of WiFi packets
● mostly problematic on proprietary firmwares (might never get patched)

Your tasks:
• Analyze the KRACK attack
• Recreate the attack using smartphones
• Use the Nexmon framework to remove the security bug from the firmware!

Contact: Daniel Wegemer & Matthias Schulz

Type: Lab/Project for 2-4 students
Prerequisites: mainly C, Assembly
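As an added illustration of the key-reinstallation bug and of the fix a patched supplicant applies (example code written for this page; it is neither the lab's material nor Nexmon code): a toy model of the client side of the WPA2 4-way handshake. The vulnerable variant reinstalls the pairwise key and resets its packet number on every message 3, so a retransmitted message 3 makes the client reuse nonces; the patched variant acknowledges the retransmission but does not reinstall a key that is already in use. A small detector flags (key, nonce) pairs seen twice, which is what a monitoring station would look for. Key bytes and frame contents are constructed; the real key derivation, EAPOL framing and CCMP encryption are omitted.

```python
from typing import List, Optional, Tuple


class Supplicant:
    """Simplified model of a WPA2 client (supplicant) in the 4-way handshake.

    Only the state relevant to key reinstallation is kept: the pairwise key,
    whether it is installed, and the packet number (PN) that serves as the
    per-frame nonce for CCMP.  Keys are opaque byte strings in this model.
    """

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.installed = False
        self.pn = 0
        self.sent: List[Tuple[Optional[bytes], int]] = []  # (key, nonce) per data frame

    def on_message3(self, ptk: bytes) -> bool:
        """Handle EAPOL message 3; returns True if the key was (re)installed."""
        if self.patched and self.installed and ptk == self.ptk:
            # Mitigation: a retransmitted message 3 carrying the key already in
            # use is answered with message 4 again, but the key is not
            # reinstalled, so the PN keeps counting and no nonce is reused.
            return False
        # Vulnerable behaviour: every message 3 (re)installs the key and
        # resets the transmit packet number to its initial value.
        self.ptk = ptk
        self.installed = True
        self.pn = 0
        return True

    def send_data(self, payload: bytes) -> Tuple[Optional[bytes], int]:
        """Send one data frame; the nonce is the incremented packet number."""
        self.pn += 1
        self.sent.append((self.ptk, self.pn))
        return self.ptk, self.pn


def nonce_reuse(frames: List[Tuple[Optional[bytes], int]]) -> List[Tuple[Optional[bytes], int]]:
    """Detection: return every (key, nonce) pair that appears more than once."""
    seen, duplicates = set(), []
    for key_nonce in frames:
        if key_nonce in seen:
            duplicates.append(key_nonce)
        seen.add(key_nonce)
    return duplicates


def handshake_with_retransmission(patched: bool):
    """Deliver message 3 twice, with data frames in between, as a lossy or
    adversarial channel would; returns (nonces used, reused (key, nonce) pairs)."""
    sta = Supplicant(patched)
    ptk = b"constructed-ptk"  # constructed key; in reality derived from PMK and nonces
    sta.on_message3(ptk)
    sta.send_data(b"frame 1")
    sta.send_data(b"frame 2")
    sta.on_message3(ptk)       # retransmitted message 3
    sta.send_data(b"frame 3")
    sta.send_data(b"frame 4")
    return [pn for _, pn in sta.sent], nonce_reuse(sta.sent)


if __name__ == "__main__":
    for patched in (False, True):
        nonces, dup = handshake_with_retransmission(patched)
        print("patched" if patched else "vulnerable", "nonces:", nonces, "reused:", dup)
```

The point of the patched branch is that the state machine remembers which key is installed and treats a repeated message 3 as a retransmission rather than as a new key; that one comparison is what a firmware patch for this bug has to add.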

MM1: NFC Payment Security

Contactless, NFC-based payment systems are increasingly deployed around the world. You will be evaluating the security of an NFC-based credit card terminal (hardware is available) and the underlying protocols, using the Android-based NFC security toolkit NFCGate and/or the hardware NFC relay Proxmark.

Your tasks:
• Analyze the protocol and implementation for security issues
• Potentially: Analyze the backend connection of the payment terminal
• Develop attacks on the system
• A basic amount of confidentiality will be required due to our agreement with the vendor

Contact: Max Maass & Daniel Wegemer

Type: Lab/Project for 2-4 students
Prerequisites: Knowledge of NFC or Android programming is a plus

MM2: Data mining sensor data to infer human actions

Electromyographic (EMG) sensors can be used to track the electrical activity of muscles. They are commercially available in dedicated measurement stations, but also in wearable sensor armbands like the Myo, which also features an accelerometer. Your task will be to see what can be inferred from raw EMG data from a device worn by a user.

Your tasks:
• Create a system to collect EMG and accelerometer data
• Attempt to infer what actions are being taken by a user wearing an EMG device
• This can include significant movements (walking, drinking coffee), but also more precise actions (typing)

Contact: Max Maass <[email protected]…>

Type: Lab/Project for 2-4 students
Prerequisites: Knowledge of Machine Learning may be helpful, but is not required

MM3: Collecting and using ENF Data as a security feature

The Electronic Network Frequency (ENF) is the basic frequency of the power grid. It fluctuates around 50 Hertz in a (supposedly) unique pattern over time, and has been used in forensics and time synchronisation, among other purposes. Your task will be to collect this data and evaluate its usefulness as a security feature in secure protocols.

Your tasks:
• Ideally, create an ENF measurement system (knowledge of electronics required)
• Investigate the properties of the fluctuations (are they really random?)
• Investigate the usefulness of ENF data as a “proof of freshness” in secure protocols

Contact: Max Maass & Mikhail Fomichev

Type: Lab/Project for 2-4 students
Prerequisites: Knowledge in electronics is a big plus

https://netzsin.us
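An added example (written for this page; not the lab's code and unrelated to the netzsin.us project) of the two building blocks behind the “proof of freshness” idea: estimating the ENF once per second from a sampled mains waveform via linearly interpolated zero crossings, and locating a short measured ENF segment inside a reference series recorded elsewhere so that the time the sender claims for it can be checked. The mains recording and the reference series are constructed; the 1 kHz sample rate, the per-second resolution and the 0.005 Hz tolerance are assumptions.

```python
import math
import random

FS = 1000  # sample rate of the constructed mains recording, Hz (assumption)

# Constructed reference ENF series: one value per second, a bounded random walk
# around 50 Hz standing in for a trusted grid-frequency recording.
_rng = random.Random(7)
_f = 50.0
REFERENCE = []
for _k in range(60):
    _f += _rng.uniform(-0.02, 0.02)
    REFERENCE.append(round(_f, 4))


def synth_mains(freqs_per_second, fs=FS):
    """Constructed signal: a sine whose frequency is freqs_per_second[k] during second k."""
    samples, phase = [], 0.0
    for f in freqs_per_second:
        for _ in range(fs):
            phase += 2 * math.pi * f / fs
            samples.append(math.sin(phase))
    return samples


def enf_estimate(samples, fs=FS):
    """Per-second frequency estimate from interpolated positive-going zero crossings."""
    estimates = []
    for k in range(len(samples) // fs):
        win = samples[k * fs:(k + 1) * fs]
        crossings = []
        for i in range(1, len(win)):
            if win[i - 1] < 0 <= win[i]:
                # fractional sample index at which the waveform crosses zero
                crossings.append((i - 1) - win[i - 1] / (win[i] - win[i - 1]))
        cycles = len(crossings) - 1  # full cycles between first and last crossing
        estimates.append(cycles * fs / (crossings[-1] - crossings[0]))
    return estimates


def match_offset(reference, segment):
    """Slide the segment along the reference; return (offset, mean abs error) of the
    best alignment.  The offset is the segment's position in time, in seconds."""
    best = None
    for off in range(len(reference) - len(segment) + 1):
        window = reference[off:off + len(segment)]
        err = sum(abs(r - s) for r, s in zip(window, segment)) / len(segment)
        if best is None or err < best[1]:
            best = (off, err)
    return best


def is_fresh(reference, segment, claimed_offset, tol_hz=0.005):
    """Freshness check: the segment must match the reference closely and at the
    time the sender claims for it; a replayed segment matches elsewhere."""
    off, err = match_offset(reference, segment)
    return err <= tol_hz and off == claimed_offset


def demo(start=20, seconds=10):
    """Record `seconds` of constructed mains signal starting at REFERENCE[start]
    and recover where the measured ENF sits in the reference series."""
    measured = enf_estimate(synth_mains(REFERENCE[start:start + seconds]))
    return measured, match_offset(REFERENCE, measured)


if __name__ == "__main__":
    measured, (offset, error) = demo()
    print("measured ENF:", [round(m, 4) for m in measured])
    print("best alignment: offset", offset, "s, mean error", round(error, 5), "Hz")
```

With a 50 Hz sine sampled at 1 kHz the interpolation error of a crossing is in the microsecond range, so the per-second estimate is good to well under a millihertz; real recordings add noise and harmonics, which is where a measurement front end and filtering (the electronics part of the task) come in.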

MiS1: Linux/Android Implementation for the Apple Wireless Direct Link Protocol

We recently reverse-engineered the Apple Wireless Direct Link (AWDL) protocol (used by AirDrop, AirPlay, Auto Unlock, etc.). AWDL uses channel hopping and synchronization, which requires tight bounds on timing but enables energy-efficient operation.

Your tasks:
● Read the reverse-engineered protocol specification
● Implement a Linux driver for AWDL
● Optionally use Nexmon as support for timing-critical parts

Contact: Milan Stute ([email protected]), Matthias Schulz ([email protected])

Type: Lab/Project for 2-4 students
Prerequisites: IEEE 802.11, C/Linux driver programming

MiS2: Speeding up the ONE (and only) network simulator

The ONE (Opportunistic Network Environment) is a specialized simulator for disruption-tolerant networks written in Java. Unfortunately, it was not meant to evaluate very large networks...

Your tasks:
• Improve code quality w.r.t. performance and extensibility (via profiling, modularization, …)
• Push your (tested) changes upstream

Contact: Milan Stute ([email protected])

Type: Lab/Project for 1-2 students
Prerequisites: Java, Software Design Principles

DY1: Random Network Coding based Broadcast

Random network coding is an effective technology for improving reliability and throughput in wireless networks. We also want it to incur minimum latency.

Your tasks:
• Implement random network coding based network broadcast, i.e., a node continuously broadcasts a batch of packets throughout the network.
• Each node performs decoding and recombination of packets at runtime.
• Use ContikiOS and ContikiMAC.

Contact: Dingwen Yuan

Type: Lab/Project for 2-3 students

Prerequisites: C programming
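An added example (written for this page; not the lab's code and not Contiki code) of the encode, recombine and decode steps a random-network-coding broadcast needs, in Python rather than C so that the arithmetic stays readable: packets of a batch are combined with random coefficients over GF(2^8), a relay recodes whatever it has received so far without decoding anything, and a receiver performs incremental Gaussian elimination and decodes once it holds K linearly independent packets. Batch size, payloads, the two-hop topology and the loss rate are constructed.

```python
import random

K = 4     # packets per batch (generation); constructed size
PLEN = 8  # payload bytes per packet; constructed size


def gf_mul(a, b):
    """Multiplication in GF(2^8) with reduction polynomial x^8+x^4+x^3+x^2+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11d
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse by exhaustive search (fine for a 256-element field)."""
    for x in range(1, 256):
        if gf_mul(a, x) == 1:
            return x
    raise ZeroDivisionError("0 has no inverse")


def combine(vectors, coeffs):
    """Linear combination sum(c_i * v_i) over GF(2^8), applied byte by byte."""
    out = [0] * len(vectors[0])
    for c, v in zip(coeffs, vectors):
        if c:
            for i, x in enumerate(v):
                out[i] ^= gf_mul(c, x)
    return out


def source_encode(packets, rng):
    """Source: each transmission is a fresh random combination of the whole batch."""
    coeffs = [rng.randrange(256) for _ in packets]
    return coeffs, combine(packets, coeffs)


def _pivot(coeffs):
    return next(i for i, c in enumerate(coeffs) if c)


class Node:
    """Receiver/relay: keeps coded packets in row-echelon form, decodes at full rank."""

    def __init__(self, rng):
        self.rng = rng
        self.rows = []  # (coefficient vector, payload), each scaled to a leading 1

    def rank(self):
        return len(self.rows)

    def receive(self, coeffs, payload):
        """Incremental Gaussian elimination; returns True if the packet was innovative."""
        coeffs, payload = list(coeffs), list(payload)
        for pc, pp in self.rows:  # rows are sorted by pivot column
            f = coeffs[_pivot(pc)]
            if f:
                coeffs = [a ^ gf_mul(f, b) for a, b in zip(coeffs, pc)]
                payload = [a ^ gf_mul(f, b) for a, b in zip(payload, pp)]
        if not any(coeffs):
            return False  # linearly dependent on what this node already holds
        inv = gf_inv(coeffs[_pivot(coeffs)])
        self.rows.append(([gf_mul(inv, c) for c in coeffs], [gf_mul(inv, x) for x in payload]))
        self.rows.sort(key=lambda r: _pivot(r[0]))
        return True

    def recode(self):
        """Recombination: a random combination of the coded packets held, no decoding needed."""
        c = [self.rng.randrange(256) for _ in self.rows]
        return combine([r[0] for r in self.rows], c), combine([r[1] for r in self.rows], c)

    def decode(self):
        """Back-substitution once rank == K; returns the original packets in order."""
        assert self.rank() == K
        rows = [(list(c), list(p)) for c, p in self.rows]  # row i now has pivot column i
        for i in range(K - 1, -1, -1):
            ci, pi = rows[i]
            for j in range(i):
                f = rows[j][0][i]
                if f:
                    rows[j] = ([a ^ gf_mul(f, b) for a, b in zip(rows[j][0], ci)],
                               [a ^ gf_mul(f, b) for a, b in zip(rows[j][1], pi)])
        return [bytes(p) for _, p in rows]


def simulate(seed=1, loss=0.3):
    """Source -> {relay, sink} broadcast with independent loss on every link; the relay
    recodes and forwards.  Returns (sink decoded the batch correctly?, source transmissions)."""
    rng = random.Random(seed)
    packets = [[rng.randrange(256) for _ in range(PLEN)] for _ in range(K)]  # constructed batch
    relay, sink = Node(rng), Node(rng)
    sent = 0
    while sink.rank() < K:
        c, p = source_encode(packets, rng)
        sent += 1
        if rng.random() >= loss:
            relay.receive(c, p)
        if rng.random() >= loss:
            sink.receive(c, p)
        if relay.rank() and rng.random() >= loss:
            sink.receive(*relay.recode())
    return sink.decode() == [bytes(p) for p in packets], sent


if __name__ == "__main__":
    print("decoded:", *simulate())
```

Because the relay recodes instead of forwarding copies, what the sink hears from the relay is almost always innovative as long as the relay knows something the sink does not, which is the property that makes the scheme tolerate losses without per-packet acknowledgements.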

DY2: Data Collection with TSCH

Data collection is the most important application of WSNs. However, it is non-trivial to make it low-latency, highly reliable and energy-efficient. The newly appeared IEEE 802.15.4e (TSCH, Time Slotted Channel Hopping) standard provides a solution.

Your tasks:
• Implementation based on TSCH (channel hopping, TDMA) in Contiki.
• Topology control: form a tree structure, support node join and leave.
• Auto scheduling: a frame is composed of two parts: reserved and contention subframes. Reserved subframes give each source one chance to send to the sink. Contention subframes compensate for losses.

Contact: Dingwen Yuan

Type: Lab/Project for 2-3 students

Prerequisites: C programming
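An added example (not the lab's or Contiki's code) modelling the reserved-plus-contention frame layout described above in Python: a converge-cast tree, one reserved (slot, channel offset) per source ordered so that data flows child-before-parent toward the sink within a single frame, the TSCH mapping from absolute slot number and channel offset to a physical channel, and a contention subframe in which nodes with undelivered packets retry at random and collide when more than one sends in the same slot. The tree, the four channel offsets, the loss model and the simplification that a node sends its whole queue in one slot are constructed assumptions.

```python
import random

# Constructed converge-cast tree: child -> parent; node 0 is the sink.
PARENT = {1: 0, 2: 0, 3: 1, 4: 1, 5: 2}
N_CHANNEL_OFFSETS = 4                   # assumption: offsets spread concurrent links over channels
HOPPING_SEQUENCE = list(range(11, 27))  # the 16 IEEE 802.15.4 channels of the 2.4 GHz band


def depth(node):
    d = 0
    while node != 0:
        node, d = PARENT[node], d + 1
    return d


def build_reserved_subframe():
    """One dedicated (slot, channel offset) per source.  Deeper nodes get earlier slots,
    so a parent's slot follows all of its children's and forwarded data reaches the
    sink within the same frame.  Returns {node: (slot, channel_offset)}."""
    order = sorted(PARENT, key=lambda n: -depth(n))
    return {n: (slot, n % N_CHANNEL_OFFSETS) for slot, n in enumerate(order)}


def schedule_is_valid(sched):
    """Every child transmits before its parent and no two sources share a slot."""
    for n, (slot, _) in sched.items():
        if PARENT[n] != 0 and sched[PARENT[n]][0] <= slot:
            return False
    return len({slot for slot, _ in sched.values()}) == len(sched)


def channel_for(asn, channel_offset):
    """TSCH channel hopping: the physical channel follows the absolute slot number (ASN)."""
    return HOPPING_SEQUENCE[(asn + channel_offset) % len(HOPPING_SEQUENCE)]


def run_frame(loss, n_contention, seed=0):
    """Simulate one frame: the reserved subframe, then n_contention contention slots.
    Returns (packets delivered to the sink, packets generated)."""
    rng = random.Random(seed)
    sched = build_reserved_subframe()
    queue = {n: [n] for n in PARENT}  # each source holds one packet, identified by its origin
    delivered = set()

    def transmit(n):
        if not queue[n] or rng.random() < loss:
            return  # nothing to send, or the link dropped the transmission; packets stay queued
        pkts, queue[n] = queue[n], []
        if PARENT[n] == 0:
            delivered.update(pkts)
        else:
            queue[PARENT[n]].extend(pkts)

    for n in sorted(sched, key=lambda n: sched[n][0]):  # reserved: collision-free by construction
        transmit(n)

    for _ in range(n_contention):  # contention: backlogged nodes retry, colliding if >1 send
        backlogged = [n for n in PARENT if queue[n]]
        senders = [n for n in backlogged if rng.random() < 1 / len(backlogged)]
        if len(senders) == 1:
            transmit(senders[0])
    return len(delivered), len(PARENT)


if __name__ == "__main__":
    print("schedule:", build_reserved_subframe())
    for loss, slots in ((0.0, 0), (0.3, 0), (0.3, 6)):
        print(f"loss={loss} contention_slots={slots} delivered={run_frame(loss, slots)}")
```

The ordering rule is what keeps latency to one frame on a lossless path; the contention slots trade some energy (nodes must listen and possibly collide) for the second chance that the reserved subframe does not give.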

RK1: Real-Time IEEE 802.11 Implementation on FPGA

Contact: Robin Klose [[email protected]]

Goal: Create an IEEE 802.11 real-time implementation on software-defined radios
• Matlab WLAN System Toolbox: Generate IEEE 802.11 compliant signals
• Matlab Simulink: Model-based system design
• Matlab HDL Coder: Generate HDL code

Your tasks:
• Generate HDL code of the IEEE 802.11 PHY
• Implement the IEEE 802.11 MAC (DCF)
• Integrate all HDL components into an FPGA image for use on USRP software-defined radios
• Add software code as needed
• Check timing constraints

Prerequisites: Matlab, C/C++, HDL (Verilog or VHDL)

RK2: PHY ex Machina

Goal: Create PHY algorithms by means of artificial intelligence
• Train deep neural networks to perform PHY tasks in wireless communications
• E.g.: channel equalization, error detection and correction, modulation, MAC, …
• No PHY knowledge required!
• Highly experimental!

Prerequisites: CUDA, TensorFlow, Caffe, ...

Contact: Robin Klose [[email protected]]


Contact

Prof. Dr.-Ing. Matthias [email protected]

Department of Computer Science
Mornewegstr. 32
D-64293 Darmstadt

Phone: +49 6151 16-25472
Fax: +49 6151 16-25471
Web: https://seemoo.de

Copyright Notice

This document has been distributed by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically.

It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author’s copyright. These works may not be reposted without the explicit permission of the copyright holder.