Every week, CEO Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

We recently spoke with Ayyappan Rajesh, Offensive Security Engineer at Block Harbor Cybersecurity. Here are the top takeaways from the interview.

#1: Leverage FCC IDs to Unlock Device Security Secrets

“Assuming it's a black box device that I've just been handed, and the end goal is just hack it, the first thing I would do is flip the device open and look for something called an FCC ID. So the FCC essentially mandates everyone to have an FCC ID on any device that can send out any sort of wireless signals. And a lot of the times, you are able to look all their test reports up just by having that FCC ID. So what I'll do is go figure out what that FCC ID is and then go look for the report online. You can go on FCCID.io, it's a user-friendly site, you can download all the PDFs for any FCC ID.

“And with that I generally look at what sort of technologies it supports. So if it supported GSM — GSM is ancient. I think it's been phased out in most of the world, at least in the US it has been completely phased out where there is support for 4G, 5G, and things like that — if it were just GSM, the good thing is as an attacker I can just create a fake cell tower with no authentication and force the device to latch on.

“Of course, this is all done in a very controlled environment. We have Faraday cages, which are boxes that prevent any signals from coming in or going out. And then essentially that device is forced to latch on to a GSM base station, after which you can do a bunch of things.

“When it comes to 4G, 5G, it does get a little trickier there because they did increase the level of security on those technologies. So a lot of the times, you're going to need something called a secret key (Ki), and things like that from a SIM card. And usually it's only the telecom operator that knows this. You can't get it for your own SIM card. So there is a great programmable SIM provider out there, sysmocom. So you can go get those SIM cards and essentially program your own SIM cards just using those, because those are blank. And so now because you've programmed the keys yourself, you can put that onto your base station, which is something like srsRAN, srsLTE, or Open5GS, and you could then make that device latch onto your 4G, 5G network.”

Actionable Takeaway: When testing cellular devices, start by identifying the FCC ID to access detailed documentation about supported technologies. For GSM devices, you can create fake cell towers without authentication, whereas 4G/5G requires programmable SIM cards from providers like sysmocom to implement custom base stations within controlled Faraday environments.
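The FCC ID lookup described above starts with reading the identifier off the label and splitting it into its grantee code and product code. The following parser is an added example (not code from the interview or from Block Harbor); it applies the FCC's published grantee-code rule (three characters starting with a letter for legacy grants, five characters starting with a digit for newer ones) and assumes the fccid.io URL layout `https://fccid.io/<FCC ID>`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grantee-code rule as published by the FCC (47 CFR 2.926): legacy grantee codes are
# three characters beginning with a letter; codes issued from 2013 on are five
# characters beginning with a digit. The rest (up to 14 letters, digits or hyphens)
# is the product code the grantee chose.
_GRANTEE_RE = re.compile(r"^(?:[A-Z][A-Z0-9]{2}|[0-9][A-Z0-9]{4})")
_PRODUCT_RE = re.compile(r"^[A-Z0-9-]{1,14}$")


@dataclass(frozen=True)
class FccId:
    grantee: str
    product: str

    @property
    def canonical(self) -> str:
        return f"{self.grantee}{self.product}"

    @property
    def report_url(self) -> str:
        # Assumed URL layout for the fccid.io mirror mentioned in the interview.
        return f"https://fccid.io/{self.canonical}"


def parse_fcc_id(label: str) -> Optional[FccId]:
    """Parse an FCC ID as printed on a device label, e.g. 'FCC ID: 2ABCD-XYZ99'.

    Returns None when the text does not match the grantee/product grammar."""
    text = label.strip().upper()
    # Labels normally prefix the identifier with 'FCC ID' or 'FCC ID:'.
    text = re.sub(r"^FCC\s*ID\s*:?\s*", "", text)
    m = _GRANTEE_RE.match(text)
    if not m:
        return None
    rest = text[m.end():]
    # Many labels print a separator between grantee and product code; drop one.
    if rest[:1] in ("-", " "):
        rest = rest[1:]
    rest = rest.replace(" ", "")
    if not _PRODUCT_RE.match(rest):
        return None
    return FccId(grantee=m.group(0), product=rest)


if __name__ == "__main__":
    # Constructed sample label, not a real grant.
    print(parse_fcc_id("FCC ID: 2ABCD-XYZ99"))
```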

#2: Master GPS Spoofing for Advanced Vehicle Testing

“GPS spoofing is something that we regularly test for. For instance, it's not as serious as it is in drones — in drones, of course, if you're spoofing the wrong location, they can spin out, you can force them to land, and a bunch of other different things. But automotive focused, there could be instances where the car goes into a different mode when it's at a service location and things like that. I remember there was this incident somewhere in Europe where a train, they couldn't fix it because you'd need to be at a certain service location and only then you would be allowed to repair the train. But a bunch of hackers spoofed GPS and were able to trick the train into thinking it was at the location and give them more access so they weren’t able to repair it.

“So for GPS as well, GPS L1 operates at 1.575 GHz, which falls exactly in the range where our HackRF or USRP can transmit. So again, you'd need an SDR, but you can do it with a HackRF, which is significantly cheaper compared to more expensive tools. You'd need the hardware, of course, this time for a car, you of course need a much bigger Faraday cage. You could use anechoic chambers. They also sell these tents just because again, even GPS spoofing could cause harm to other people. So you need to be careful. And then the rest of it is open source tools.”

Actionable Takeaway: GPS spoofing can bypass location-based security controls in automotive systems and other devices. The technique requires an SDR like HackRF, appropriate Faraday containment, and open-source tools. Real-world examples demonstrate how attackers have successfully tricked train systems to gain unauthorized maintenance access.
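A vehicle-side mitigation for the location-gated behaviour described above is to sanity-check each GPS fix before trusting it: a spoofed position usually arrives as a jump that no vehicle could have driven. The plausibility check below is an added example (not code from the interview or from Block Harbor); the track data is constructed, and the 70 m/s speed ceiling is an assumed threshold.

```python
import math
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample track: (timestamp_s, lat_deg, lon_deg). The third fix jumps
# thousands of km in one second, the discontinuity a crude spoof produces.
SAMPLE_FIXES: List[Tuple[float, float, float]] = [
    (0.0, 42.3601, -71.0589),
    (1.0, 42.3602, -71.0590),
    (2.0, 48.8566, 2.3522),
    (3.0, 48.8567, 2.3523),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def flag_implausible_jumps(fixes: List[Tuple[float, float, float]],
                           max_speed_mps: float = 70.0) -> List[int]:
    """Return indices of fixes whose implied speed from the previous fix exceeds
    max_speed_mps (assumed ceiling for a road vehicle). A non-increasing timestamp
    is treated as implausible too, since a replayed fix often repeats the clock."""
    flagged: List[int] = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        dt = t1 - t0
        if dt <= 0:
            flagged.append(i)
            continue
        if haversine_m(la0, lo0, la1, lo1) / dt > max_speed_mps:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("implausible fixes:", flag_implausible_jumps(SAMPLE_FIXES))
```

A location-gated mode (such as the service-location behaviour mentioned in the interview) should refuse to engage while any recent fix is flagged, rather than trusting the latest position alone.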

#3: Join Hands-On Security Challenges to Build Real-World Skills

“[If you want to get started testing your skills, I recommend] YouTube for certain. And I also highly, highly recommend the Cyber Auto Challenge. It's a challenge aimed at students. So if you're attending college, you just go do an application and then they have a week-long event that's completely paid for where you'll have OEMs bring in their vehicles, things that are even in pre-production.

“And as a student, you don't pay for any of this. You have a week of classes where they teach you things like RF, CAN, everything there is. And then you have about 24 hours to go hack any of the devices that they have. So you have 24 hours to go take everything you've learned, go hack a real device, write a report, or make a presentation about it and then give it to an OEM. And I think that's really cool.

“And if you can, definitely attend DEF CON, the car hacking village is there. We collaborate with OEMs, they bring their infotainments, they bring a bunch of different things that you wouldn't otherwise be able to hack unless you owned it. And the best part is that most of them are built on security issues that people have seen in the past. So it's really gamified and it's something that you can go learn and then maybe try it out on different devices.”

Actionable Takeaway: Students can accelerate their wireless security skills through free programs like the Cyber Auto Challenge, which provides access to pre-production vehicles and expert training. DEF CON's Car Hacking Village offers another valuable learning environment where you'll encounter gamified security challenges based on real vulnerabilities discovered in production systems.