Slovenian University Student & Security Researcher Almost Jailed for Researching TETRA with an RTL-SDR

Dejan Ornig, a 26-year-old student at the University of Maribor’s Faculty of Criminal Justice and Security, was recently almost jailed for finding a security flaw in Police TETRA communications in his home country of Slovenia. Back in 2013 his University Computer Science class of 25 was assigned the task of researching security vulnerabilities in TETRA. TETRA is an RF digital communications protocol often used by authorities because it can be secured with encryption. During his research he used an RTL-SDR and the open source Osmocom TETRA decoder, and discovered a flaw in the Slovenian Police’s TETRA configuration which meant that communications that should have been encrypted were often being broadcast in the clear. Translated, Ornig said:

For $20 I bought a DVB-T receiver (RTL-SDR) on the Internet; I also found the freely available, open-source software OsmoCOM. A free solution for decoding the TETRA signal, osmo-tetra, is already prepared as a programming framework based on the GNU platform.

He goes on to say (translated):

I was even more surprised when I found that most users do not have authentication turned on on the radio terminal, even though the Ministry of the Interior, in its documents and tenders, repeatedly wrote that all radio terminals are to access the network using authentication.

Shortly after discovering the flaw, Dejan privately contacted the authorities with his findings. But after two years of repeatedly contacting them and waiting for a fix, Dejan decided to take his story to a local news agency in February 2015. At this point the Slovenian Police became interested in Dejan, and instead of fixing the problem, decided to search his house, seizing his computer and RTL-SDR. After the search the Police made life harder for Ornig by piling on other accusations. During the search they found a “counterfeit police badge” in his house and apparently accused him of impersonating a police officer, and after a search of his PC they also decided to charge him after finding out that he had covertly recorded his ex-employer calling him an “idiot”.

Ornig has now been given a 15 month suspended jail sentence for attempting to “hack” the TETRA network. Fortunately the suspended part means that in order to stay out of jail Ornig simply must not repeat the offence within 3 years. While SDRs and radios are not illegal in most countries, this is a reminder to professional and amateur security researchers to check that what you are doing is legal in your country. Even if it is for the overall good, Police often do not have the technical competence to understand security researchers and may react illogically to findings. The good news about Ornig’s story is that apart from the suspended jail sentence the authorities appear to have now worked with him to fix the problems.

TETRA Decoding

Story Sources:
http://www.ibtimes.co.uk/researcher-jailed-finding-security-flaws-police-communications-1561600
http://siol.net/novice/slovenija/kako-za-20-evrov-prisluskovati-slovenskim-varnostnim-organom-video-44923
https://podcrto.si/odziv-na-trditve-policije-glede-varnosti-komunikacijskega-sistema-tetra

L-Band Reception with an LNA4ALL, Patch Antenna and RTL-SDR

Over on YouTube Adam 9A4QV has uploaded a video showing how good L-band reception can be with only a cheap home made patch antenna, RTL-SDR dongle and LNA4ALL. The video is in response to a question on our previous post, which discussed the prototype Outernet downconverter. The question asked what difference can we expect with the downconverter compared to just using an LNA, like the LNA4ALL.

In the video Adam shows that L-Band reception with the LNA4ALL can be as good as with the downconverter. The main problem with L-band reception on the RTL-SDR is that some units tend to fail to receive properly at around 1.5 GHz. The downconverter bypasses this problem by receiving L-band at around 200 MHz instead. We believe that this problem is solved on the units we sell, as we heatsink the dongle to a metal enclosure, and if that is not enough, it can be solved further by using the modified driver. The other advantages of the downconverter are that it includes filtering and an LNA, and that it allows you to use much longer runs of lossy cable, which is useful if for instance you want to put a permanent L-band antenna on the roof.

Monitoring Ionosondes and Creating Ionograms with a USRP and GNU Chirp Sounder

In the HF region between about 0 – 30 MHz it is common to see and hear “chirpers” – signals which quickly sweep through the HF frequency band and produce an audible chirp. These chirps are actually signals from Ionosondes, which are a type of radar system used to monitor the Ionosphere. The Ionosphere exists about 50 km above the surface of the earth and is the atmospheric layer responsible for a large part of long range HF communications. In a previous post by Mario Filippi we also discussed Ionosondes.

Usually it is scientists who transmit and monitor these Ionosondes, however if you have a wide band radio that can cover a majority of the HF spectrum then you can also monitor these chirpers yourself. Over on his blog Fabrizio Francione has created a post showing how to use a USRP, together with a GNU Radio program called GNU Chirp Sounder, to create his own amateur Ionogram monitoring station. The USRP is a fairly expensive SDR with a bandwidth of 25 MHz, but we think that the next generation of low cost wide band SDRs like the upcoming LimeSDR should also be able to do the same job.

The Ionograms show at what frequencies HF propagation is currently optimal for a specific distance (or number of signal bounces from the Ionosphere). Below is an example Ionogram animation showing the reception of Ionosondes taken over time. Video from the GNU Chirp Sounder page.

Testing a Prototype of the Outernet L-Band Downconverter

Outernet are a startup company that hope to revolutionize the way people in regions with no, poor or censored internet connectivity receive information. Their service is downlink only, and runs on C and L-band satellite signals, beaming up-to-date news as well as other information like books, educational videos and files daily. To receive it you will need one of their official or homemade versions of the Lighthouse or Lantern receivers (the latter of which is still to be released), or an RTL-SDR or similar SDR. Recently they began test broadcasts of their new 5 kHz wide 1539.8725 MHz L-band signal on Inmarsat I4F3 located at 98W (covering the Americas), and they hope to begin broadcasts in more regions soon too.

The typical RTL-SDR is known to often have poor or failing performance above 1.5 GHz (though this can be fixed to some extent), so Outernet have been working on an L-band downconverter. A downconverter works by receiving signals, and shifting them down to a lower frequency. This is advantageous because the RTL-SDR is more sensitive and does not fail at lower frequencies, and if used close to the antenna, the lower frequency allows longer runs of cheap coax cable to be used without significant signal loss.

Earlier this week we received in the mail a prototype of their downconverter. The downconverter uses a 1.750 GHz LO signal, so the output frequency of any input signal is the LO frequency minus the input frequency. For example the STD-C frequency of 1.541450 GHz will be reduced to 1750 MHz – 1541.450 MHz = 208.55 MHz. Because the LO sits above the signal, the spectrum will appear reversed, but this can be corrected by selecting “Swap I & Q” in SDR#. The downconverter also amplifies the signal with an LNA, and has a filter to remove interfering out of band signals.
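To make the frequency plan and the “Swap I & Q” step concrete, here is a small added Python example (written for this page, not Outernet’s or the post’s own code): it maps an RF carrier to the IF using the 1.750 GHz LO from the post, checks the stated 1525 to 1559 MHz passband, and shows with a constructed complex tone that high-side mixing mirrors the spectrum while swapping I and Q mirrors it back.

```python
import cmath
import math

# Figures from the post: 1.750 GHz LO and a 1525-1559 MHz specified RF passband
LO_HZ = 1_750_000_000
RF_PASSBAND_HZ = (1_525_000_000, 1_559_000_000)


def downconvert(rf_hz):
    """IF the RTL-SDR must tune to for an L-band carrier at rf_hz (high-side LO)."""
    return LO_HZ - rf_hz


def in_passband(rf_hz):
    """True when rf_hz lies inside the downconverter's stated filter passband."""
    return RF_PASSBAND_HZ[0] <= rf_hz <= RF_PASSBAND_HZ[1]


def tone(bin_index, n=64):
    """Constructed complex tone whose DFT peaks at bin_index (negative = below centre)."""
    return [cmath.exp(2j * math.pi * bin_index * i / n) for i in range(n)]


def peak_bin(samples):
    """Index of the strongest DFT bin, searched over -n/2 .. n/2-1 (naive DFT)."""
    n = len(samples)
    best_k, best_mag = 0, -1.0
    for k in range(-n // 2, n // 2):
        x = sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(samples))
        if abs(x) > best_mag:
            best_k, best_mag = k, abs(x)
    return best_k


def high_side_mix(samples):
    """A LO above the signal mirrors the complex baseband spectrum: z -> conj(z)."""
    return [s.conjugate() for s in samples]


def swap_iq(samples):
    """SDR#'s "Swap I & Q" (I+jQ -> Q+jI) mirrors the spectrum back."""
    return [complex(s.imag, s.real) for s in samples]


if __name__ == "__main__":
    std_c = 1_541_450_000
    print(downconvert(std_c) / 1e6, "MHz IF for STD-C")  # 208.55
    print(peak_bin(tone(5)), peak_bin(high_side_mix(tone(5))),
          peak_bin(swap_iq(high_side_mix(tone(5)))))  # 5 -5 5
```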

The prototype Outernet downconverter circuit board.
Specsheet for the downconverter.

We tested the downconverter using their patch antenna which they had sent to us at an earlier date (the patch antenna is used and shown in this Inmarsat STD-C reception tutorial). Our testing found that overall the downconverter works extremely well, giving us much better signal levels. Previously, we had used the patch + LNA4ALL and were able to get reception good enough to decode STD-C and AERO signals, but with the requirement that the patch be carefully pointed at the satellite for maximum signal. With the downconverter the signals come in much stronger, and accurate pointing of the patch is no longer required to get a signal strong enough to decode STD-C or AERO.

The downconverter can be powered by a bias tee connection, and this works well with our bias tee enabled RTL-SDR dongles. We also tested with the bias tee on the Airspy R2 and Mini and had no problems. It can also be powered with a direct 5V connection to a header, and they note that the header will be replaced by a USB connector in the production version.

The release date and exact price that these will be sold at is not confirmed, but we believe that it will be priced similarly to upconverters at around $50 USD or less. A good low cost downconverter should help RTL-SDR and other SDR users receive not only the Outernet signal better, but also other satellite signals such as STD-C and AERO. Although the input is filtered and the RF frequency is specified at 1525 to 1559 MHz, we had no trouble receiving signals up to GPS frequencies of 1575 MHz, and even up to Iridium signals at 1.626 GHz, though reception was much weaker up that high.

Below are some screenshots of reception. Here we used the Outernet patch antenna sitting in a windowsill with the downconverter directly after the antenna, and then 10 meters of RG6 coax cable to the PC and bias tee enabled RTL-SDR. We found that with the downconverted ~200 MHz signal the loss in the RG6 coax was negligible. Better reception could be obtained by putting the patch outdoors. In some screenshots we used Vasilli’s R820T driver with the decimation feature, which allows you to zoom in on narrowband signals much more clearly.

Some AERO Signals Zoomed in with the Decimation feature in SDR#. Received with the Outernet downconverter and patch antenna.
Some AERO and other Signals Zoomed in with the Decimation feature in SDR#. Received with the Outernet downconverter and patch antenna.
Signals zoomed out. Received with the Outernet downconverter and patch antenna.

Comparing Home Made Inmarsat Antennas

Over on his blog “coolsdrstuff”, the author has uploaded a new post showing his comparisons of various home made Inmarsat antennas. In his post he tests a tin can helix antenna, a 10-turn helix antenna, and an LHCP helix feed on an 81 cm DirecTV dish.

His results show that the dish outperforms the helix antennas by a significant amount, but only once he took it outdoors. The 10-turn helix antenna also worked better than the tin can helix, although he found that it required very accurate pointing.

Inmarsat are geostationary satellites that transmit signals on L-band at around 1.5 GHz. They transmit signals that can be decoded with an RTL-SDR, such as STD-C EGC (weather, messaging and safety messages for boats), as well as AERO (the satellite version of ACARS for aircraft).

Good Inmarsat reception with the dish.

Leif SM5BSZ’s Testing of the Airspy Mini

Over on YouTube Leif (SM5BSZ) has uploaded two videos showing some of his tests with the new Airspy Mini. Leif is fairly well known within the SDR community for writing the program Linrad and for doing various tests on different SDRs on YouTube and his website. Recently Leif also did some testing on the SDRplay in a previous video.

In his video he shows how to improve the shielding on the Airspy Mini enclosure by ensuring that a good electrical connection is made between the SMA connector and aluminum enclosure. Improving the shielding reduces out of band interference and USB noise.

The Airspy Mini is a $99 USD software defined radio with up to 6 MHz of bandwidth, a 12 bit ADC and tuning range from 24 MHz to 1800 MHz. If you are interested in the Airspy Mini we will also be doing a review of this SDR soon.

Multi-RTL: A GNU Radio Block for Combining and Time Synchronizing Multiple RTL-SDR Dongles

The RTL-SDR has a maximum stable bandwidth of about 2.4 MHz. Many people have had the idea of combining multiple RTL-SDR dongles to build a wider band or multi channel RX device, but very few successful implementations have been seen. The biggest challenge is time synchronization between the multiple RTL-SDR units. Even if a common clock is used, there is no guarantee that the sample streams start at the same instant, which can cause problems for the decoding of many signals. The most successful implementations so far have used a common clock plus an external synchronization signal from a generator, in addition to other hardware like switches.

However, now Piotr Krysik has come up with a very good and simpler solution for the synchronization of RTL-SDR dongles. Piotr wanted to be able to capture both GSM uplink and downlink channels at the same time. As these channels are not close to each other in the frequency spectrum, he needed two synchronized RTL-SDR dongles to be able to monitor the two channels at once. In order to achieve synchronization he created a GNU Radio block called Multi-RTL, and connected two RTL-SDR dongles to a common clock source.

In his Multi-RTL block he implemented a method, based on a discovery he made, that time synchronizes the dongles using a signal that is already being broadcast over the air. He writes that his method is the following:

  • tuning the RTL-SDR dongles to the same frequency where some transmission is present,
  • recording short signals with all of the dongles,
  • computing cross-correlation of the signals (i.e. with respect to one selected channel),
  • finding the positions of the maxima of the cross-correlations in order to estimate relative delays of the channels,
  • correcting the delays so the channels are time-synchronized,
  • switching the dongles to their target frequencies,
  • changing other parameters of the channels (like gains) to target values.
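As an added illustration of the procedure above (example code written for this page, not taken from Multi-RTL or gr-gsm), the following Python simulates several dongle streams that captured the same transmission with different start offsets, estimates each stream’s delay relative to channel 0 from the cross-correlation peak, and trims the streams so they are time-aligned. It assumes the dongles share a common clock, so the offsets are constant rather than drifting; the transmission and the noise are constructed.

```python
import random


def estimate_delay(reference, channel, max_lag):
    """Lag (in samples) by which `channel` lags `reference`: the argmax of their
    cross-correlation over -max_lag .. max_lag (brute force, fine for short captures)."""
    best_lag, best_val = 0, float("-inf")
    for lag in range(-max_lag, max_lag + 1):
        total = 0.0
        for i, x in enumerate(channel):
            j = i + lag
            if 0 <= j < len(reference):
                total += reference[j] * x
        if total > best_val:
            best_lag, best_val = lag, total
    return best_lag


def align_channels(channels, delays):
    """Trim each stream so all start at the same instant; delays[k] is the lag of
    channels[k] relative to channels[0] (so delays[0] == 0). Returns equal-length lists."""
    latest = max(delays)
    trimmed = [ch[latest - d:] for ch, d in zip(channels, delays)]
    n = min(len(t) for t in trimmed)
    return [t[:n] for t in trimmed]


def synchronize(streams, max_lag):
    """Steps 3-5 of the method: correlate against channel 0, pick the peaks, correct."""
    delays = [estimate_delay(streams[0], ch, max_lag) for ch in streams]
    return delays, align_channels(streams, delays)


def simulate_dongles(offsets, length, seed=7):
    """Constructed stand-in for recording one off-air transmission with several dongles
    whose sample streams started offsets[k] samples apart (common clock, so no drift)."""
    rng = random.Random(seed)
    air = [rng.choice((-1.0, 1.0)) for _ in range(length + max(offsets))]
    return [[air[off + i] + rng.gauss(0.0, 0.3) for i in range(length)] for off in offsets]


if __name__ == "__main__":
    streams = simulate_dongles([0, 7, 3], 400)
    delays, aligned = synchronize(streams, max_lag=20)
    print("estimated delays:", delays)  # [0, 7, 3]
    print("residual delays:", [estimate_delay(aligned[0], ch, 20) for ch in aligned])  # [0, 0, 0]
```

Once the residual delays are zero the dongles can be retuned to their target frequencies (steps 6 and 7), and the same trim offsets stay valid as long as the streams keep running without dropped samples.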

With his Multi-RTL GNU Radio block Piotr was able to successfully monitor a GSM uplink and downlink channel pair that were spaced 45 MHz apart. Whilst monitoring the signals he sent an SMS to his phone, and then using his recovered encryption key was able to use gr-gsm to decode his message.

The successful implementation of this tool opens the door for many more RTL-SDR based projects, such as the reception of GSM uplink and downlink channels simultaneously, reception of frequency hopping signals, passive radar, and the receiving and decoding of signals with a bandwidth wider than 2.4 MHz.

Two dongles with a common clock.
Synchronizing two dongles by using an external signal.

Sniffing Data from an Implanted Heart Defibrillator

Over on Hackaday a team are attempting to reverse engineer the RF data logging portion of an implanted cardiac defibrillator (ICD) as their Hackaday prize entry. An ICD works by monitoring the heart’s condition and automatically applying gentle shocks to put the heart back into a stable rhythm if an abnormal rhythm is detected. Modern implanted defibrillators log heart data and transmit the log daily to a base station, which then forwards it to the doctor for analysis.

Unfortunately patients who are interested in taking a more active approach to their health (such as one member of the team who herself has an implanted defibrillator) do not get to see this data. The team are hoping to use an RTL-SDR to sniff this data which is transmitted in the 402 – 405 MHz ISM band, and then implement a decoder. So far they have successfully been able to capture some signals, and are working on decoding them into data.

By reverse engineering the signal they hope to draw attention to the fact that healthcare providers are not providing real time body data to the patient, preventing them from making their own informed decisions about their health. They write:

It’s all about making informed decisions. A patient knowing about arrhythmia episodes that occurred to him/her has the power to change his lifestyle accordingly, by deducing the factors that have influenced his recent attacks and eliminating them – i.e. observing his/her heart condition according to his/her sleep schedule, work rhythm, food choices and participation in sports. As for now, the patients can only hope to get some information on ICD-prevented arrhythmias on scheduled appointments with their doctor, which often occur once a year or even less often. This eliminates any possibility of making informed choices by using patient’s lifestyle data for future arrhythmia episode prevention.

The planned reception and decoding flowgraph.