Category: Security

CNxROOT Two Posts: How to Build an RTL-SDR Server with OpenWRT, Creating a GSM BaseStation with OpenBTS and a USRP

Recently security researcher cnxroot wrote in to let us know about two of his posts that may be of interest to readers. The posts are written in Chinese, so please use Google Translate to read them in English – it translates okay to some extent.

The first post shows us how to run the RTL-SDR on an OpenWRT capable router server. OpenWRT is a Linux firmware/OS that can be installed on several compatible router devices which extends the usefulness and features of the router. Since it is running Linux the RTL-SDR drivers can be installed onto it, and then rtl_tcp can be run, providing a remote RTL-SDR.

The second post is a bit more advanced. It is about creating a pseudo GSM base station with a USRP SDR and intercepting IoT devices which connect over GSM/GPRS. The post shows how to set up OpenBTS which can be used to create a base station.

RTL-SDR running on an internet router with OpenWRT.
RTL-SDR running on an internet router with OpenWRT.

Reverse Engineering Traffic Lights with an RTL-SDR Part 2

Back in September 2015 we made a post about how Bastian Bloessl was able to use his RTL-SDR dongle to reverse engineer and decode the signals coming from portable wirelessly synchronized traffic lights which are commonly set up around road construction zones.

Recently Bastian noticed that a new set of wireless traffic lights had been set up at his University, so he got to work on trying to reverse engineer those. He found that these new lights use the same frequency band, but work using a different modulation and frame format scheme.

The reverse engineered wireless traffic lights.
The reverse engineered wireless traffic lights.

To reverse engineer these new lights he made a recording of the signals in GQRX and then opened them up in Inspectrum, which is a very nice tool for helping to reverse engineer digital signals. Thanks to Inspectrum he was easily able to extract the preamble and decode the data in GNU Radio.

Bastian has also uploaded a video that shows him reverse engineering the binary frame format in the Vim text editor which may be useful for those wishing to understand how it’s done.

Once the frame format was reverse engineered, he was able to use the program he created last year which allows him to view the status of the lights remotely in real time.

Identifying Transmitters with CTCSS Fingerprinting

Oona Räisänen is a RF hacker and enthusiast who has in the past brought us posts about decoding burger pagers in restaurants, decoding wireless bus signs and FM-RDS with SDR’s like the RTL-SDR. This time she has written an interesting post that shows how she can “fingerprint” radio transmitters by analysing their CTCSS transmissions. CTCSS is short for “Continuous Tone-Coded Squelch System” and is a low frequency tone added on to some transmissions used in handheld radio systems shared by several distinct groups. The CTCSS tone prevents users of a shared system from having to listen to other users talking if they are not part of the same group with the same CTCSS tone frequency. CTCSS provides no means for actually individually identifying a radio.

Oona wanted to see if she could fingerprint and thus identify individual radios by their CTCSS tone by looking at identifying features such as small variances in CTCSS tone power and frequency. The idea is that each radio will have minute differences in the exact tone and power produced by the CTCSS circuitry, due to differences in the crystal oscillators and component tolerances. Oona used an RTL-SDR to record CTCSS data from a conversation on a local handheld radio network. Then by plotting the frequency vs power data on a heatmap graph she was able to find 8 different clusters of points, which potentially identifies 8 individual handheld radios.

Frequency vs power heatmap identifying 8 different radios.
Frequency vs power heatmap identifying 8 different radios.

With the individual radios identifiable by their cluster centers, each cluster can be assigned a name. Now each subsequent transmission can be compared to each cluster center, and assigned to the closest matching cluster, thus matching a new unknown transmission with a known radio. This makes it easier for someone listening in with no context to follow a conversation. 

Assign names to each radio.
Assign names to each radio/cluster center.

Building your own Rogue GSM Basestation with a BladeRF

Over on his blog author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting peoples calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and now it is about time that these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and 12-bit ADC. He also uses a battery pack which makes the whole thing portable. The software used is Yate and YateBTS which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up mobile phones will automatically connect to the basestation due to the design of GSM.

Once setup you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic on anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is a IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.
bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.

Performing a Replay Attack on a Wireless Doorbell with a USRP SDR

A replay attack consists of recording a signal, and then simply replaying it back at the same frequency at a later time. To do this a receive and transmit capable software defined radio like a USRP/HackRF/bladeRF can be used.

Over on his blog, the admin of the dxwxr group has posted a tutorial showing how he performs a replay attack on a simple wireless doorbell using a USRP, GNURadio and the audio editor Audacity. This is a very simple process and is a great tutorial for those looking to get started in reverse engineering signals. First he determines the frequency of the doorbell which turned out be be around 315 MHz. Then using GNURadio he records the signal emitted by the doorbell remote and opens up the audio file in Audacity. He then isolates a section of the signal and saves it as a raw aiff file. Finally, he uses GNURadio to transmit the isolated signal via the USRP.

Captured wireless doorbell signal.
Captured wireless doorbell signal.

Talk: Decoding Data from Iridium Satellites

At this year’s hacker themed Eleventh Hope conference, Stefan “Sec” Zehl and Schneider gave a talk which discusses their latest work on decoding data from Iridium satellites using SDR’s. Iridium is a truly global satellite service which provides various services such as global paging, satellite phones, tracking and fleet management services, as well as services for emergency, aircraft, maritime and covert operations too. There are currently 72 operational satellites operating.

In their talk they discuss how Iridium security is moderate to relaxed, pointing out that Iridium claims that the majority of ‘security’ comes from the complexity of the system, rather than actual security implementations. They then go on to discuss how the Iridium system works, how to receive it with an RTL-SDR or HackRF/Rad1o, how the gr-iridium decoder implementation works, and how to use it to actually decode the data. Later in the presentation they show some interesting examples such as an intercepted Iridium satellite phone call to a C-37 aircraft.

USBee: Leaking Data from Air-Gapped Computers and Receiving it with an RTL-SDR

This Monday researchers from Ben-Gurion University of Negev released an academic paper detailing their research in showing how attackers could cause your PC to wirelessly leak data. They write that usually covertly modified USB devices are required to leak data, as is the case with the NSA’s COTTONMOUTH device which is detailed in their ANT catalog. However, the innovation from these researchers is that their own implementation can be used to turn any unmodified USB device into a make shift transmitter.

The attack works by first infecting a computer with their malware software. The malware then utilizes the USB data bus to create electromagnetic emissions on a connected USB device. In these tests they use a USB flash drive and write a file to the device in such a way that the emissions produced are transmitting decodable data. They write that any binary data can be modulated and transmitted to a nearby receiver, such as an RTL-SDR dongle. Data rates can reach up to 80 bytes/s.  The data is modulated with binary frequency shift keying, and their receiver code is implemented in GNU Radio.

This story has also been featured on arstechnica and threatpost. The video below demonstrates the attack.

Unlocking Almost Any Vehicle with an SDR or Arduino

Earlier this week released a story indicating that researchers from the University of Birmingham have discovered two vulnerabilities that can be used to unlock almost any car. The first vulnerability concerns Volkswagen Group vehicles (VW, Audi, SEAT, Skoda) sold since 1995. Essentially their research found that the keyless entry systems of VW Group vehicles relies only on a few global master keys which they have been able to recover through reverse engineering of an undisclosed component used in a VW car. Then by sniffing the wireless key’s signal with an RF module or SDR like the RTL-SDR or HackRF they are able to recover the cryptographic algorithms used and then using the global key clone the wireless key signal, which can then be re-transmitted with a simple Arduino.

In their second research findings, the researcher’s write how they have been able to crack the Hitag2 rolling code system which is used in many vehicles such as Alfa Romeo, Chevrolet, Citroen, Dacia, Fiat, Ford, Lancia, Mitsubishi, Nissan, Opel, Peugot and Renault. Again, the hack works by sniffing a few wireless keyfob rolling code signals with an SDR or other device. Once the signals have been sniffed a simple laptop computer can reportedly break the encryption within one minute.

Here are some interesting excerpts from the conclusions of the paper:

The results of this paper show that major manufacturers have used insecure schemes over more than 20 years. Due to the widespread use of the analyzed systems, our findings have worldwide impact. Owners of affected vehicles should be aware that unlocking the doors of their car is much simpler than commonly assumed today. Both for the VW Group and the Hitag2 rolling code schemes, it is possible to clone the original remote control and gain unauthorized access to the vehicle after eavesdropping one or a few rolling codes, respectively. The necessary equipment to receive and send rolling codes, for example SDRs like the USRP or HackRF and off-the-shelf RF modules like the TI Chronos smart watch, are widely available at low cost.

A successful attack on the RKE and anti-theft system would also enable or facilitate other crimes:

– theft of the vehicle itself by circumventing the immobilizer system or by programming a new key into the car via the OBD port with a suitable tool

– compromising the board computer of a modern vehicle, which may even affect personal safety, e.g., by deactivating the brakes while switching on the wiping system in a bend

– inconspicuously placing an object or a person inside the car. The car could be locked again after the act

– on-the-road robbery, affecting the personal safety of the driver or passengers if they (incorrectly) assume that the vehicle is securely locked

Note that due to the long range of RKE systems it is technically feasible to eavesdrop the signals of all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight. Afterwards, all vulnerable cars could be opened by the adversary. Practical experiments suggest that the receiving ranges can be substantially increased: The authors of [18] report eavesdropping of a 433 MHz RFID system, with technology comparable to RKE, from up to 1 km using low-cost equipment.

The findings were presented at the Usenix Advanced Computing Systems Association conference during August 10-12, 2016 in Austin, TX. The white paper is titled “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems” and can be downloaded here. Of course they did not publish the actual VW master keys in their paper and they have notified VW and NXP who make the Hitag2 chips in advance, noting that Hitag2 had actually been broken for several years prior.

Back in February we showed how Smay Kamkar was able to bypass rolling codes with his RollJam device, however the findings by these researcher’s is different in that they are actually able to generate new rolling codes, such that a simple Arduino with transmitter can act as a second wireless remote.

A $40 Arduino which can be used to record wireless rolling codes, then transmit new ones once cracked.
A $40 Arduino which can be used to record wireless rolling codes, then transmit new ones once the encryption has been broken.