August 12, 2018

River Loop had the privilege of presenting our latest efforts in wireless fuzzing, including the TumbleRF software framework and the Orthrus offensive radio interface, at DEF CON 26 in Las Vegas, NV.

This research highlights the importance of securing oft-overlooked system components, such as non-IP network interfaces and hardware buses. 2014’s Isotope 802.15.4 bugs highlighted an interesting class of vulnerability existing at the PHY layer, so we wrote some tools to make uncovering bugs like those more systematic.

TumbleRF is an open source Python framework for fuzzing arbitrary RF technologies down to the PHY. While fuzzing has long been relied on by security researchers to identify software bugs, applying fuzzing methodologies to RF and hardware systems has historically been challenging due to siloed tools and the limited capabilities of commodity RF chipsets. We created the TumbleRF fuzzing orchestration framework to address these shortfalls by defining core fuzzing logic while abstracting a hardware interface API that can be mapped for compatibility with any RF driver. Thus, supporting a new radio involves merely extending an API, rather than writing a protocol-specific fuzzer from scratch. In addition to enabling traditional MAC-centric fuzzing workflows, TumbleRF’s flexibility allows attackers to fuzz and characterize PHY state machines if paired with a Software Defined Radio or a sufficiently flexible commodity radio.

Additionally, we introduced Orthrus, a low-cost 2.4 GHz offensive radio tool that provides PHY-layer mutability to offer Software Defined Radio-like features in a flexible and low-latency embedded form factor.

By combining TumbleRF and Orthrus, researchers will be able to fuzz and test RF protocols with greater depth and precision.

We hope that people gained an understanding of how RF and hardware physical layers actually work, and the security issues that lie latent in these designs. Additionally we hope that people using this tool are empowered to pursue RF vulnerabilities in an automated fashion, which in turn will drive the development and adoption of more secure systems.

This was presented by team members Matt Knight and Ryan Speers.