AppSec USA 2017 has ended
Friday, September 22 • 11:30am - 12:15pm
Enhancing Physical Perimeter Defense Using SDR


Part One: The Problem

Current sensor-based perimeter defense solutions have their limitations. Taking home defense as an example, sensors are located at all possible breach points of the perimeter (windows, doors, etc). The alarm is triggered only when there is an actual perimeter breach. It takes time for the alarm company to report to local police and more time for police to send patrol cars. If the attackers are determined to finish the task quickly and take off before police can arrive, the chance of getting away is very high.


There is one important additional weakness: this traditional method is limited to what information the sensors pick up. The old methods have no capability of identifying the reconnaissance, which happens very often before potential breaches.


Part Two: The Solution

Most attackers carry cell phones during reconnaissance and the actual breach. This means a new cellular device is very likely to show up near the (potential) breach site.


I propose a solution of using software-defined radio to simulate cell tower signals within a short range, near the protected perimeters of a site. Through the analysis of abnormal devices within a certain range of the perimeter, we can:

* Identify potential threats (reconnaissance, following, etc).

* Support post-breach investigation (by providing cellular device info).

* Support conviction (crime scene presence through the location of the device).


Part Three: Technical Implementation Details

SDR Configuration

* (The following SDR config applies only within a short range around the protected perimeter.)

* Use SDR to simulate the cell tower within a short range.

* SDR will force cell phones to downgrade to 2G for information gathering.

* Power-on frequency: the SDR will NOT always be powered on. It only powers on every 30 minutes, for 1 minute.

* SDR will capture the phone number, active time, and location (direction relative to the SDR).


Data Storage

The following data will be stored and encrypted:

* Phone number

* Active time

* Location (relative to the SDR)


Data Analysis

* Normal pattern (learning process): 1) Devices frequently showing up near perimeter (neighbours). 2) Devices only showing up at certain times of the day (mail delivery, garbage pickup, etc).

* Exception pattern: Devices near the perimeter that have never shown up before (potential reconnaissance).

* Identify intrusion: Devices inside the perimeter that have never shown up before.

* Correlating the exception pattern with intrusion: identify and note the reconnaissance activity.
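
The analysis steps above, as an added example that is not code from the talk: it learns a baseline from stored sightings, flags exceptions and intrusions, and correlates them to surface earlier reconnaissance. The opaque device IDs, the "near"/"inside" zone labels, the `min_days` threshold and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sightings: (device_id, ISO time, zone). The opaque IDs and
# the "near"/"inside" zones are assumptions standing in for the stored fields.
LEARNING = [
    ("dev-A", "2017-09-01T08:05", "near"), ("dev-A", "2017-09-02T19:35", "near"),
    ("dev-A", "2017-09-03T08:05", "near"),                 # neighbour
    ("dev-B", "2017-09-01T10:35", "near"), ("dev-B", "2017-09-02T10:35", "near"),
    ("dev-B", "2017-09-04T10:35", "near"),                 # mail delivery
    ("dev-C", "2017-09-02T14:05", "near"),                 # one-off passer-by
]
LIVE = [
    ("dev-A", "2017-09-10T08:05", "near"),
    ("dev-X", "2017-09-10T22:35", "near"),
    ("dev-X", "2017-09-11T23:05", "near"),
    ("dev-Y", "2017-09-12T02:05", "inside"),
    ("dev-X", "2017-09-12T02:35", "inside"),
]

def build_baseline(sightings, min_days=3):
    """Learning phase: a device is 'normal' once seen on min_days distinct days."""
    days = defaultdict(set)
    for dev, ts, _zone in sightings:
        days[dev].add(datetime.fromisoformat(ts).date())
    return {dev for dev, seen in days.items() if len(seen) >= min_days}

def analyze(baseline, sightings):
    """Return (events, recon). recon maps each intruding device to the times
    it was previously seen near the perimeter as an exception."""
    events, near_history, recon = [], defaultdict(list), {}
    for dev, ts, zone in sorted(sightings, key=lambda s: s[1]):
        if dev in baseline:
            continue                          # normal pattern, nothing to report
        if zone == "near":
            near_history[dev].append(ts)      # exception: unknown device outside
            events.append((ts, dev, "exception"))
        else:
            events.append((ts, dev, "intrusion"))
            if near_history.get(dev):         # same device was outside earlier
                recon[dev] = list(near_history[dev])
    return events, recon

if __name__ == "__main__":
    events, recon = analyze(build_baseline(LEARNING), LIVE)
    for event in events:
        print(*event)
    print("reconnaissance before intrusion:", recon)
```
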


Part Four: Limitations and Thoughts


* The solution assumes attackers carry a cellular device during the recon or breach.

* The location and direction of the device is based on signal strength and is therefore not guaranteed to be accurate.


Integrate with Other Solutions

* Integration with existing perimeter defense solutions

* Trigger the action of drones for 1) vehicle identification 2) real time images


Part Five: Video Demo



This article and any related technical detail were prepared or accomplished by the author in his personal capacity. The opinions expressed in this article are the author's own and do not reflect the view of the author’s employer.



Yitao Wang

Yitao Wang has 10+ years of experience in information security. Coming from the other side of the GFW he has great passion for internet and computer security since the wild 90s. Yitao is currently working as a Security Engineer for a FinTech startup company. Previously he led the...

Friday September 22, 2017 11:30am - 12:15pm EDT
Coronado K