RFQuack: A Universal Hardware-Software Toolkit for Wireless Protocol (Security) Analysis and Research

TL;DR

RFquack is an open-source, flexible hardware-software toolkit that combines the ease of use of RF dongles with the power of software-defined radios, enabling advanced wireless protocol analysis and security research.

Contribution

It introduces a multi-radio hardware system with swappable RF frontends and a uniform API, facilitating flexible, high-performance wireless protocol analysis and vulnerability discovery.

Findings

Identified 11 vulnerabilities in RF protocols of industrial devices and key fobs.

Demonstrated RFquack's effectiveness in RF hacking contests and protocol analysis.

Enabled new research workflows with a structured firmware architecture and multi-radio support.

Abstract

Software-defined radios (SDRs) are indispensable for signal reconnaissance and physical-layer dissection, but despite we have advanced tools like Universal Radio Hacker, SDR-based approaches require substantial effort. Contrarily, RF dongles such as the popular Yard Stick One are easy to use and guarantee a deterministic physical-layer implementation. However, they're not very flexible, as each dongle is a static hardware system with a monolithic firmware. We present RFquack, an open-source tool and library firmware that combines the flexibility of a software-based approach with the determinism and performance of embedded RF frontends. RFquack is based on a multi-radio hardware system with swappable RF frontends, and a firmware that exposes a uniform, hardware-agnostic API. RFquack focuses on a structured firmware architecture that allows high- and low-level interaction with the RF frontends. It facilitates the development of host-side scripts and firmware plug-ins, to implement efficient data-processing pipelines or interactive protocols, thanks to the multi-radio support. RFquack has an IPython shell and 9 firmware modules for: spectrum scanning, automatic carrier detection and bitrate estimation, headless operation with remote management, in-flight packet filtering and manipulation, MouseJack, and RollJam (as examples). We used RFquack to setup RF hacking contests, analyze industrial-grade devices and key fobs, on which we found and reported 11 vulnerabilities in their RF protocols.