Full Report
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I went about trying to build a challenge for it. Unfortunately I was not able to attend the con itself, but still had the privilege to contribute in some way! The first question you may have could be: “But why RFCat?”. Truthfully, some people that are way better at this hacking thing than me (and that were also primarily responsible for this year's BSides badge hardware) came up with this idea: “Wouldn’t it be cool to have a cc1111 chip on the badges?”. The cc1111 chip is RFCat compatible, so naturally this would be the go-to firmware to use for the chip. With this in mind, I got invited by @elasticninja to see if I would be interested in building an RFCat based challenge and without hesitation agreed! So there we were.
Analysis Summary
# Tool/Technique: RFCat Firmware on cc1111 Chip
## Overview
RFCat is firmware designed to run on chips like the cc1111, enabling low-power radio frequency (RF) communication for exploitation, testing, or building custom challenge environments (as seen in the BSides Cape Town 17 challenge). Its primary purpose here is to enable radio-based interaction between hardware badges (which contain the cc1111 chip) and a challenge server.
## Technical Details
- Type: Tool/Framework (Flashed Firmware enabling Radio Tooling)
- Platform: cc1111 chip (used on custom hardware badges), Yardstick One (used for emulation/development).
- Capabilities: Enables customized communication protocols over radio frequencies, supports various modulation schemes, and forms the basis for creating custom RF-based challenges or chat systems.
- First Seen: Not specified, but its application here is documented around BSides Cape Town 2017.
## MITRE ATT&CK Mapping
Since RFCat is primarily a radio hardware interface/firmware used for legitimate testing/challenges in this context, direct adversary mapping is limited. However, the *techniques* used during the challenge execution can be mapped:
- **TA0011 - Command and Control**
  - T1090 - Proxy
  - *(Context: The RF link acts as a custom communication channel for moving between challenge stages).*
- **TA0007 - Discovery**
  - T1598 - Phishing for Information (If used to probe for server communication parameters)
## Functionality
### Core Capabilities
- Facilitates low-power, short-range RF communication utilizing hardware like the cc1111 chip.
- Provides the foundation for building custom RF chat systems or challenge interactions between badges.
### Advanced Features
- Compatibility with the cc1111 chip allowed for easy flashing onto custom hardware (the badges).
- The challenge utilized different modulation/syncwords between the default "chat" implementation and the actual "challenge server," requiring players to analyze traffic to discover the correct connection parameters.
- The challenges involved a multi-step communication process employing encryption (XOR cipher).
## Indicators of Compromise
(Note: As this is a write-up about building a *challenge*, the IOCs relate to the *solution* of the challenge, not a widespread malware infection.)
- File Hashes: N/A (The provided code is a "simple Github gist," implying source code rather than compiled malware executables).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Communication occurs over radio frequency channels, not standard TCP/IP).
- Behavioral Indicators: Radio transmission/reception tailored to custom syncwords or modulation schemes that differ from the initial factory configuration. Successful decryption of transmitted payloads using a known XOR key (`_fourth dimensionally!_`).
## Associated Threat Actors
- No specific threat actors are associated with using RFCat firmware in a malicious context based on this article. The tool setup was used for a defensive/educational challenge environment (**BSides Cape Town 17 RFCat Challenge**).
## Detection Methods
Detection would focus on identifying the specific RF emissions or analyzing the provided decoding steps:
- Signature-based detection: Detecting radio traffic utilizing the specific configuration (unknown syncwords/modulation) designed for the challenge server.
- Behavioral detection: Monitoring for devices attempting to communicate using non-standard, repeating, or encrypted messages on specific ISM bands utilized by the cc1111.
- YARA rules: Not applicable in this context.
## Mitigation Strategies
For securing environments where custom RF devices are present:
- Strict control and auditing of custom firmware loaded onto RF chips like the cc1111.
- Monitoring RF spectrum usage for unexpected proprietary communications.
- In a challenge context: Ensuring the exploration of the initial setup (e.g., the default chat system) does not compromise sensitive infrastructure.
## Related Tools/Techniques
- **Yardstick One:** Used as a development and emulation platform to replicate the badge hardware environment.
- **XOR Cipher:** Used as the encryption method for challenge payloads, requiring a key (`_fourth dimensionally!_`) for decryption.
- **ToorChat:** Mentioned as a similar, pre-existing implementation the author later discovered, suggesting similar capabilities in RF-based chat over software-defined radio (SDR) platforms.
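The behavioral indicator above (payloads that decrypt under the known XOR key) and the XOR cipher entry share one mechanism, so here is an added example that is not code from the original post or the RFCat project: a repeating-key XOR plus a defender-side check that tries the known key against captured frames and flags those that decrypt to readable text. The key string is copied from the page as quoted; whether its leading and trailing underscores are part of the real key is an assumption, and the sample frames and message text are constructed.

```python
# Added example (not from the original post or the RFCat project): repeating-key
# XOR as used for the challenge payloads, plus a defender-side check that tries
# the known key against captured frames and flags those that decrypt to text.
# The sample frames are constructed; treating the underscores as part of the
# key is an assumption based on how the page quotes it.
from __future__ import annotations

KNOWN_KEY = b"_fourth dimensionally!_"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab, LF, CR)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def classify_frames(frames: list[bytes], key: bytes = KNOWN_KEY,
                    threshold: float = 0.95) -> list[tuple[bytes, bool]]:
    """Return (decrypted bytes, looks_like_challenge_traffic) per captured frame.

    A frame is flagged when nearly every byte of the XOR result is printable;
    random RF noise or traffic under another key decrypts to binary junk.
    """
    results = []
    for frame in frames:
        plain = xor_with_key(frame, key)
        results.append((plain, printable_ratio(plain) >= threshold))
    return results


if __name__ == "__main__":
    # Constructed capture: one frame XORed with the key, one random-looking frame.
    frames = [
        xor_with_key(b"STAGE2: tune to the server syncword", KNOWN_KEY),
        bytes([0x8a, 0x03, 0xf7, 0x41, 0xd2, 0xee, 0x19, 0x7c]),
    ]
    for plain, hit in classify_frames(frames):
        print("HIT " if hit else "miss", plain)
```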