Training Details
2-DAY TRAINING, 2-3 JUNE @ MEERVAART AMSTERDAM
TICKET PRICE: €1500 EX BTW + €250 HARDWARE KIT
This practically oriented course, taught by the Midnight Blue team known for its TETRA research, aims to equip security practitioners with field-relevant RF security knowledge so that they can assess and target important but rarely addressed RF technologies: automotive, aviation, marine and physical access control RF protocols, and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure.
Hands-on exercises, such as intercepting and decrypting handheld radio communications and drone video feeds and breaking automotive security systems, alternate with thorough overviews of the relevant RF protocols and their security posture, as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios from the Russia-Ukraine war and various conflicts in the Middle East.
Hardware kit
The hardware kit will include:
- An SDR platform which is capable of reproducing the lab exercises
- Several exercise targets ranging from physical access control systems to automotive security devices
More details will follow.
Training Outline
(Slight modifications to the training schedule are possible as we continue to fine-tune the course contents)
DAY 1 - BLOCK 1: Basics of SDR and SIGINT
- Introduction to Radio Frequency (RF), Software Defined Radio (SDR), Digital Signal Processors (DSPs)
- SDR theory of operation
- Overview of SDR hardware & software
- Modulation and signal types
- Antenna selection, tuning, and positioning
- Building and working with SDR software stacks: Gqrx, GNU Radio, Universal Radio Hacker (URH), DragonOS, SigDigger
- Signals Intelligence (SIGINT) cycle
DAY 1 - BLOCK 2: Fundamentals of RF Security & Professional Mobile Radio (PMR)
- Security requirements in RF protocols
- Common risks and pitfalls: Jamming, replay, relay, cryptanalysis, etc.
- Case studies: Railways, water utilities, emergency broadcasts
- Automotive and physical access control RF systems: Remote Keyless Entry (RKE), Passive Keyless Entry (PKE), gates, barriers, bollards, alarms, etc.
- Automotive case study: Professional car theft rings
- Introduction to Professional Mobile Radio (PMR)
- TETRA, DMR, APCO-25 (P25), dPMR/NXDN, TETRAPOL: Overview, security, vulnerabilities, and available tooling
- Terrestrial Trunked Radio (TETRA): Overview, security, vulnerabilities, and available tooling
- TETRA SIGINT tooling discussion
- TETRA case study: Real-world TETRA interception incidents
DAY 2 - BLOCK 1: TETRA & Digital Mobile Radio (DMR) Security
- Remaining TETRA exercises from DAY 1
- Digital Mobile Radio (DMR): Overview, security, vulnerabilities, and available tooling
- DMR SIGINT tooling discussion
- DMR case study: DMR usage and targeting in Russia-Ukraine war, Middle-Eastern conflicts, and Mexican cartels
DAY 2 - BLOCK 2: Marine and Aviation RF Security
- Marine RF systems: AIS/VDES, GMDSS, etc.
- Marine case study: tracking & spoofing in piracy and sanctions evasion
- Aviation RF systems: ADS-B, ACARS/VDL, Unmanned Aircraft Systems (UAS) telecontrol and telemetry protocols
- Aviation case studies: Counter-UAS examples from the Russia-Ukraine war, Israel-Lebanon war
Prerequisites
- Familiar with Linux
- Basic familiarity with Python
- Understanding of pentesting and red teaming fundamentals
- Basic familiarity with cryptographic concepts (e.g. block vs stream ciphers, symmetric vs asymmetric cryptography)
Hardware & Software requirements
- Modern laptop with Core i7 CPU or equivalent/better and preferably 32GB+ RAM (absolute minimum 16GB)
- Laptop should run DragonOS Noble (24.04) or newer (see https://cemaxecuter.com/)
- Preferably a native installation, to reduce the risk of spending class time on setup problems. A VM can work, but prior experience shows that it can introduce issues, typically with USB passthrough to the SDR hardware
- Laptop should *not* be a locked-down corporate laptop; administrator privileges are a must-have
- Laptop should have USB 3.0+ port for SDR hardware
JOS WETZELS
Jos Wetzels is a co-founding partner at Midnight Blue. His research has involved reverse engineering, vulnerability research and exploit development across various domains ranging from industrial and automotive systems to IoT, networking equipment and deeply embedded SoCs. He has discovered zero-day vulnerabilities across tech stacks ranging from bootloaders and RTOSes to proprietary protocol implementations. At Midnight Blue, he has consulted for government agencies, grid operators, and Fortune 500 companies worldwide and has been involved in the first-ever public analysis of the TETRA radio standard used by police and critical infrastructure globally, uncovering several critical vulnerabilities. Prior to founding Midnight Blue, he worked as a security researcher and reverse engineer at Forescout, where he developed state-of-the-art intrusion detection capabilities for Operational Technology (OT) environments. Jos is a member of the Black Hat USA Review Board and a regular conference speaker who has presented at events such as Black Hat, DEF CON, CCC, USENIX, HITB, OffensiveCon, REcon, EkoParty, and others.
WOUTER BOKSLAG
Wouter Bokslag is a co-founding partner and security researcher at Midnight Blue. He is known for the reverse engineering and cryptanalysis of the previously secret cryptographic algorithms used in the TETRA radio standard. He has performed specialist security assessments on the RF networks of law enforcement agencies, critical infrastructure, and some of the largest companies in the world. In addition, his prior research includes the reverse engineering and cryptanalysis of several proprietary in-vehicle immobilizer authentication ciphers used by major automotive manufacturers, as well as co-developing the world's fastest public attack against the Hitag2 cipher. He holds a Master's degree in Computer Science & Engineering from Eindhoven University of Technology (TU/e) and designed and assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years.