August 9, 2018
River Loop was thrilled to present its TumbleRF fuzzing framework at Black Hat Arsenal, a forum dedicated to open source security research and software at Black Hat USA.
TumbleRF is an open source Python framework that enables researchers to fuzz arbitrary RF technologies down to the PHY. As River Loop’s 2014 Isotope research demonstrated, PHY-layer bugs can have serious implications, and often hide in plain sight. Thus, developing a tool to make finding these bugs systematic seemed like a good fit.
While fuzzing has long been relied on by security researchers to identify software bugs, applying fuzzing methodologies to RF and hardware systems has historically been challenging due to siloed tools and the limited capabilities of commodity RF chipsets.
We created TumbleRF to address these shortfalls by defining core fuzzing logic while abstracting a hardware interface API that can be mapped for compatibility with any RF driver. Thus, supporting a new radio involves merely extending an API, rather than writing a protocol-specific fuzzer from scratch. In addition to enabling traditional MAC-centric fuzzing workflows, TumbleRF’s flexibility allows attackers to fuzz and characterize PHY state machines if paired with a Software Defined Radio or a sufficiently flexible commodity radio.
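The layering described above, as an added illustration that is not TumbleRF's own code: the radio-agnostic fuzzing loop talks only to an abstract `RadioInterface`, so supporting a new radio means writing one small driver class. All names here (`RadioInterface`, `LoopbackRadio`, `ToyTarget`, `fuzz`, the `[len][payload][xor-checksum]` frame layout) are assumptions made for the example; the "device under test" is an in-memory stand-in with a deliberate length-handling bug so the harness has something to find without any hardware.

```python
"""Added example, not TumbleRF's code: core fuzzing logic written against an
abstract radio interface, plus a constructed loopback driver and toy target."""
import random
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Optional


# --- hardware abstraction (hypothetical API): every radio driver implements this ---
class RadioInterface(ABC):
    @abstractmethod
    def send(self, frame: bytes) -> None: ...

    @abstractmethod
    def receive(self, timeout_s: float) -> Optional[bytes]: ...

    @abstractmethod
    def reset_target(self) -> None: ...


# --- constructed toy frame format: [declared length][payload][xor checksum] ---
def checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(payload: bytes) -> bytes:
    body = bytes([len(payload)]) + payload
    return body + bytes([checksum(body)])


class ToyTarget:
    """Constructed stand-in for a device under test. It trusts the declared
    length byte and stops responding when it exceeds the real payload length."""

    def __init__(self) -> None:
        self.hung = False

    def handle(self, frame: bytes) -> Optional[bytes]:
        if self.hung or len(frame) < 2:
            return None
        body, chk = frame[:-1], frame[-1]
        if checksum(body) != chk:
            return None  # bad checksum: silently dropped, like a real radio would
        declared, payload = body[0], body[1:]
        if declared > len(payload):
            self.hung = True  # over-read in the toy parser: device goes silent
            return None
        return b"ACK"


class LoopbackRadio(RadioInterface):
    """Driver for the toy target; a real driver would wrap SDR or chipset I/O."""

    def __init__(self, target: ToyTarget) -> None:
        self.target = target
        self._last: Optional[bytes] = None

    def send(self, frame: bytes) -> None:
        self._last = self.target.handle(frame)

    def receive(self, timeout_s: float) -> Optional[bytes]:
        resp, self._last = self._last, None
        return resp

    def reset_target(self) -> None:
        self.target.hung = False


# --- core fuzzing logic: knows nothing about the underlying radio ---
@dataclass
class Finding:
    frame: bytes
    reason: str


def mutate(seed_payload: bytes, rng: random.Random) -> bytes:
    """Flip one payload byte; sometimes tamper with the declared length while
    keeping the checksum valid so the frame survives the target's first filter."""
    payload = bytearray(seed_payload)
    payload[rng.randrange(len(payload))] = rng.randrange(256)
    frame = bytearray(build_frame(bytes(payload)))
    if rng.random() < 0.3:
        frame[0] = rng.randrange(256)
        frame[-1] = checksum(bytes(frame[:-1]))
    return bytes(frame)


def fuzz(radio: RadioInterface, seed_payload: bytes, iterations: int, seed: int = 0) -> list:
    """Send mutated frames; a checksum-valid frame that draws no reply is recorded
    as a finding and the target is reset so later iterations stay meaningful."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        frame = mutate(seed_payload, rng)
        radio.send(frame)
        if radio.receive(timeout_s=0.1) is None and checksum(frame[:-1]) == frame[-1]:
            findings.append(Finding(frame, "no response to checksum-valid frame"))
            radio.reset_target()
    return findings


if __name__ == "__main__":
    for f in fuzz(LoopbackRadio(ToyTarget()), b"\x00" * 8, 200, seed=1)[:5]:
        print(f.reason, f.frame.hex())
```

Swapping `LoopbackRadio` for a driver that pushes bytes through an SDR or a flexible commodity radio leaves `fuzz` and `mutate` untouched, which is the point of putting the hardware behind an interface; the response check would then be a real receive window rather than an in-memory echo.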
We hope that attendees gained an understanding of how RF and hardware physical layers actually work, and of the security issues that lie latent in these designs. Additionally, we hope that researchers using this tool are empowered to pursue RF vulnerabilities in an automated fashion, which in turn will drive the development and adoption of more secure systems.
This was presented by team members Matt Knight and Ryan Speers.