
IoT Radio Communication Attack – Part 1 

This is the first post in a series called “IoT – Radio Hacking or IoT Radio Communication Attack”. This is a large topic and to make it digestible I will break it up into multiple articles.

What I would like to cover in this series starts with the Internet of Things (IoT). We have all heard of IoT, right?

IoT is short for Internet of Things. Using IoT technology, everything (cars, buildings, fans, light bulbs, microwaves, etc.) will be connected to the internet to share and exchange data.

Another question that should come to your mind is – How will these devices be connected to each other?

They can be connected using either some form of wired connection or a wireless connection. Connecting these devices using cables is not possible because of the infrastructure, space and maintenance costs that cabling involves. So these devices will be connected wirelessly and will share and exchange data with each other over the air. A wireless connection also costs little and takes up no space. Thus, wireless connectivity is the preferred way to connect various IoT devices.

When I say wireless, I mean these devices will use wireless protocols such as ZigBee, RFID and Bluetooth. For certain tasks, like unlocking car doors, these protocols are not used; some form of radio communication is used instead. In radio communication, the transmitter sends data and the receiver receives it. The data is first modulated by the transmitter and then demodulated on the receiver side.

IoT Radio Communication Attack

To ensure the security of the IoT infrastructure, all components involved in the infrastructure should be secured. Radio communication is one of them. If you look at the history of radio communication security, many vulnerabilities have been discovered and exploited in IoT devices that use some kind of radio communication. So, to attack radio communication, one needs a good understanding of how IoT devices communicate over radio channels and which modulation schemes they use. Once the modulation scheme is identified, we need to demodulate the original signal and extract the data present in it. This requires some background in the fundamentals of digital signal processing, which I will cover in this opening part of the series.

Let’s get started.

Electromagnetic waves – Most IoT devices use wireless communication. Example: using the remote control to lock the car. For wireless communication, they use waves to communicate with each other. These waves are called electromagnetic (EM) waves. On what basis are electromagnetic waves classified into different types?

Electromagnetic waves are classified into different types based on frequency. We will cover more about frequency in the upcoming section.

So, based on frequency, EM waves can be radio waves, X-rays, microwaves, etc.


If the frequency of wireless communication is in the range of 3 kHz – 300 GHz, then it is called radio wave communication and the waves are radio waves.

All IoT devices use Radio Waves for wireless communication.

Radio communication theory and terminology –

  1. Frequency – Frequency is the number of cycles completed in a given duration. The duration can be seconds, minutes, etc.

For example, a wave that completes 3 cycles in one second has a frequency of 3 cycles per second. The unit of frequency is the hertz, denoted Hz, so this frequency is 3 Hz, i.e. 3 hertz.

Frequencies for radio waves are described in multiples of hertz –

kHz or kilohertz – one thousand cycles per second.
MHz or megahertz – one million cycles per second.
GHz or gigahertz – one billion cycles per second.

  2. Wavelength – The distance between two consecutive high points (high peaks) or troughs (low peaks) in a radio wave is called the wavelength. The wavelength is denoted by lambda (λ).

As shown above, the distance between two consecutive high points (high peaks) is the wavelength of the radio wave.

  3. Amplitude – The maximum height from the origin or initial position that the wave reaches is called the amplitude. The definition may not be clear, but if you look at the diagram below you will know what amplitude is –
  4. Phase – The position of one point on a wave is called the phase. The unit for phase is degrees or radians.

As seen above, the phase can be 0, 90, 180 degrees.

  5. Transmitter – A device that can generate and transmit radio waves is called a transmitter.
  6. Receiver – A device that can receive radio waves is called a receiver.
  7. Transceiver – A device that can both transmit and receive radio waves is called a transceiver.
  8. Modulation and Demodulation Concepts – Modulation and demodulation include the following concepts –

A. Carrier Waves – I have explained the basics of radio waves. What we need to do now is transmit information to the target in the form of radio waves. How can one do this?

This is where carrier waves come into play. Carrier waves as the name suggests are responsible for transmitting data/information to the destination. So we can use the carrier wave to send our data to the destination.

B. Modulation – Modulation is the process of mixing data into a carrier wave so that it can be transmitted to its destination. Modulation is achieved by changing the amplitude, frequency or phase of the carrier wave.

Depending on which of these is changed, there are different types of modulation, such as frequency modulation, amplitude modulation, phase modulation and so on.

  9. Modulation schemes – Modulation schemes can be divided into analog or digital modulation.

I. Analog Modulation – In analog modulation, an analog signal is transmitted with a carrier wave. Example – TV signal.

Analog modulations are of the following types –

a) Amplitude Modulation (AM) – If the amplitude of the carrier signal varies according to the amplitude of the data signal, then it is called Amplitude Modulation. This can be seen in the image below –

b) Frequency Modulation (FM) – If the frequency of the carrier signal changes according to the frequency of the data signal, then it is called frequency modulation. This can be seen in the image below –

c) Phase Modulation (PM) – If the phase of the carrier signal changes according to the phase of the data signal, then it is called phase modulation. This can be seen in the image below –

II. Digital Modulation – In digital modulation we have 2 levels: either high (logic 1) or low (logic 0). As with analog modulation, there are several types of digital modulation:

a) ASK or Amplitude Shift Keying – If the amplitude of the carrier wave changes in accordance with the data signal, it is called Amplitude Shift Keying. Since amplitude-shift keying is a digital modulation, if data is present it will appear as 1, otherwise it will appear as 0. Therefore, amplitude-shift keying is also called on-off keying.

b) FSK or Frequency Shift Keying – If the frequency of the carrier wave changes in accordance with the data signal, it is called frequency shift keying. The carrier frequency in FSK modulation varies as below –

c) PSK or Phase Shift Keying – also called BPSK. If the phase of the carrier wave changes in accordance with the data signal, it is called phase shift keying. The phase of the carrier wave in PSK modulation varies as shown below –

The above modulation schemes are widely used. In addition, other, more complex modulation schemes are used, which I will cover when we come across them.
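The three digital schemes above, and the demodulation step that depends on knowing which one is in use, as an added example that is not part of the original post. The sample rate, bit rate, tone frequencies and all function names are assumptions chosen for illustration, and the input bits are constructed.

```python
import math
import random

FS, SPB = 8000, 80            # assumed: sample rate in Hz, samples per bit (100 bit/s)
F_MARK, F_SPACE = 1000, 500   # assumed: carrier / FSK bit-1 tone and FSK bit-0 tone, Hz

def tone(freq, n0, amp=1.0, phase=0.0):
    """One bit period of a sine wave starting at sample index n0."""
    return [amp * math.sin(2 * math.pi * freq * (n0 + i) / FS + phase) for i in range(SPB)]

def modulate(bits, scheme):
    """Key the carrier's amplitude (ask), frequency (fsk) or phase (psk)."""
    if scheme not in ("ask", "fsk", "psk"):
        raise ValueError(f"unknown scheme: {scheme}")
    out = []
    for k, b in enumerate(bits):
        if scheme == "ask":      # carrier on for 1, off for 0
            out += tone(F_MARK, k * SPB, amp=float(b))
        elif scheme == "fsk":    # one of two frequencies
            out += tone(F_MARK if b else F_SPACE, k * SPB)
        else:                    # psk: phase 0 for 1, 180 degrees for 0
            out += tone(F_MARK, k * SPB, phase=0.0 if b else math.pi)
    return out

def correlate(chunk, freq, n0):
    """In-phase and quadrature correlation of one bit period with a reference tone."""
    w = 2 * math.pi * freq / FS
    return (sum(s * math.sin(w * (n0 + j)) for j, s in enumerate(chunk)),
            sum(s * math.cos(w * (n0 + j)) for j, s in enumerate(chunk)))

def demodulate(samples, scheme):
    """Recover bits; scheme, bit rate and tones must already be known."""
    bits = []
    for n0 in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[n0:n0 + SPB]
        i1, q1 = correlate(chunk, F_MARK, n0)
        if scheme == "ask":      # is there carrier energy in this bit period?
            bits.append(int(math.hypot(i1, q1) > SPB / 4))
        elif scheme == "fsk":    # which of the two tones holds more energy?
            bits.append(int(math.hypot(i1, q1) > math.hypot(*correlate(chunk, F_SPACE, n0))))
        else:                    # psk: sign of the in-phase component
            bits.append(int(i1 > 0))
    return bits

def roundtrip(bits, scheme, sigma=0.5, seed=1):
    """Modulate constructed bits, add Gaussian channel noise, demodulate."""
    rng = random.Random(seed)
    noisy = [s + rng.gauss(0, sigma) for s in modulate(bits, scheme)]
    return demodulate(noisy, scheme)
```

Calling `roundtrip([1, 0, 1, 1, 0, 0, 1, 0], "fsk")` returns the same eight bits, and the same holds for `"ask"` and `"psk"`. Demodulating a PSK signal as if it were ASK returns all ones, because the carrier is always present, which is why the scheme has to be identified before any data can be extracted.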

For now, this large chunk of theory is more than enough to get you started with radio communications hacking. In the next part I will explain what software and hardware are used to attack radio communication. I will also show a small sample of the tools for hands-on practice, so you can understand how to use a particular tool.

That’s it for this part. Please comment if you have any doubts.
