91 research outputs found

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short-range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close-to-hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework, outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

    LTE Frequency Hopping Jammer

    The goal of this project was to show that communication between a cellular base station and user equipment could be interfered with using narrowband jamming. Specifically, a randomized frequency hopping jammer was used as the main method to disrupt service. The testbed was built with OpenAirInterface, software-defined radios, and a Samsung S4 phone. It was found to be possible to greatly disrupt communications in an LTE system with a jammer.

    AI Testing Framework for Next-G O-RAN Networks: Requirements, Design, and Research Opportunities

    Openness and intelligence are two enabling features to be introduced in next generation wireless networks, e.g. Beyond 5G and 6G, to support service heterogeneity, open hardware, optimal resource utilization, and on-demand service deployment. The open radio access network (O-RAN) is a promising RAN architecture to achieve both openness and intelligence through virtualized network elements and well-defined interfaces. While deploying artificial intelligence (AI) models is becoming easier in O-RAN, one significant challenge that has been long neglected is the comprehensive testing of their performance in realistic environments. This article presents a general automated, distributed and AI-enabled testing framework to test AI models deployed in O-RAN in terms of their decision-making performance, vulnerability and security. This framework adopts a master-actor architecture to manage a number of end devices for distributed testing. More importantly, it leverages AI to automatically and intelligently explore the decision space of AI models in O-RAN. Both software simulation testing and software-defined radio hardware testing are supported, enabling rapid proof-of-concept research and experimental research on wireless research platforms.
    Comment: To be published in IEEE Wireless Communications Magazine

    LEVERAGING OPENAIRINTERFACE AND SOFTWARE DEFINED RADIO TO ESTABLISH A LOW-COST 5G NON-STANDALONE ARCHITECTURE

    Includes Supplementary Material
    Commercial cellular service providers are at the forefront of the paradigm shift from 4G Long Term Evolution (LTE) to 5G New Radio (NR). The increase in throughput, provisioning of ultra-low latency, and greater reliability of 5G enable potential uses that no other wireless communication could support. The Department of Defense (DOD) is interested in 5G NR technologies, but the implementation of the architecture can be lengthy and costly. This capstone configured a 4G LTE network and a 5G non-standalone network using OpenAirInterface and software defined radios (SDRs). Universal Subscriber Identity Module (USIM) cards were configured and introduced to user equipment and attached to the 4G LTE network. A gNodeB (gNB) was added to the 4G LTE network to establish the 5G non-standalone (NSA) network architecture (3GPP Option 3). The testbed developed in this research was able to connect the core to a commercial internet service provider and browse the internet using third-party applications. Our analysis educates future researchers on the challenges and lessons learned when implementing the OpenAirInterface 4G LTE and 5G NSA networks. This work also provides a better understanding of 4G LTE and 5G NSA OpenAirInterface software usability, flexibility, and scalability for potential use cases for the DOD.
    Chief Petty Officer, United States Navy
    Approved for public release. Distribution is unlimited.