All electronic devices emit some sort of unintentional RF signals which can be received by an eavesdropping radio. These unintentional signals are sometimes referred to as TEMPEST, after the NSA and NATO specification which aims to ensure that electronic devices containing sensitive information cannot be spied upon through unintentional radio emissions, sounds or vibrations. TEMPEST can also refers to the opposite, which is spying on unsecured electronic devices by these means.
In their experiments they set up an AES implementation on an FPGA, and used a simple wire loop antenna and RTL-SDR to measure and record the RF emissions. By then doing some analysis on the recorded signal they are able to fairly easily extract the AES encryption key, thus defeating the encryption.
Further testing in an anechoic chamber showed that with a discone antenna they were able to recover the keys from up to a meter away. A directional antenna could probably reach even further distances.
In the past we’ve seen a similar attack using a Funcube dongle, which is an SDR similar to the RTL-SDR. In that attack they were able to remotely recover encryption keys from a laptop running GnuPC. Also, somewhat related is Disney’s EM Sense which uses an RTL-SDR to identify electronic devices by their RF emissions.
Nullcon is a yearly security conference which was held this year during early March. Recently videos of some of the presentations have been uploaded. One presentation of interest is Arthur Garipov’s presentation on “Drone Hijacking And Other IoT Hacking With GNU Radio And SDR”. In his talk he explains how he uses software defined radios and GNU Radio to hack various IoT devices based on the nRF, and even a drone. The talk blurb reads:
Internet of things is surrounding us. Is it secure? Or does its security stand on (deemed) invisibility? SDR (Software-defined radio) and GNU Radio can answer these questions. In this presentation, we will play some modern wireless devices. They have similar protocols, and none of them encrypts its traffic.
We will show how easy it is to find them using SDR and proprietary chipsets, and how to sniff/intercept/fuzz these devices using a small python script and GNU Radio.
As an example we will show a Mousejack attack to wireless dongles, wireless keyboard keylogger and even a drone hijacking.
Speaker Bio Senior Specialist, Network Application Security Team, Positive Technologies Artur was born in 1987. He is a graduate of the Ufa State Aviation Technical University, was a software developer at OZNA and an independent security researcher. He started his career at Positive Technologies in 2014. Now he is engaged in security research of wireless technologies, mobile systems, and IoT. He is also an organizer of the MiTM Mobile contest and hands-on lab at PHDays V and PHDays VI.
The talk slides can be downloaded from their archives.
Over on YouTube user Corrosive has been uploading some videos that explore cordless phone security with a HackRF. In his first video Corrosive shows how he’s able to use a HackRF to capture and then replay the pager tones (handset finding feature) for a very cheap VTech 5.8 Gigahertz cordless phone. He uses the Universal Radio Hacker software in Windows.
In the second video corrosive shows how bad the voice security on the VTech 5.8 GHz phone can be. It turns out that while advertised as a 5.8 GHz phone and the handset does transmit at 5.8 GHz, the VTech basestation actually transmits voice in clear NFM at around 900 MHz. Cordless phones advertised as 5.8 GHz are typically considered as more secure due to their high frequency which is inaccessible to most scanner radios. In the video he also shows some of the digital pairing signals that the phone and basestation transmits.
The HackRF is a $300 USD RX/TX capable software defined radio which has a wide tuning range from almost DC – 6 GHz, and wide bandwidths of up to 20 MHz. It uses an 8-bit ADC so reception quality is not great, but most people buy it for its TX and wide frequency/bandwidth capabilities.
Recently the HackRF received some negative press in the ‘Daily Mail’, a British tabloid newspaper famous for sensationalist articles. In the article the Daily Mail show that the HackRF can be used to break into £100,000 Range Rover car in less than two minutes. The exact method of attack isn’t revealed, but we assume they did some sort of simple replay attack. What they probably did is take the car key far away out of reception range from the car, record a key press using the HackRF, and then replay that key press close to the car with the HackRF’s TX function. Taking the key out of reception range of the car prevents the car from invalidating the rolling code when the key is pressed.
Of course in real life an attacker would need to be more sophisticated as they most likely wouldn’t have access to the keyfob, and in that case they would most likely perform a jam-record-replay attack as we’ve seen with cheap homemade devices like RollJam. The HackRF cannot do this by itself because it is only half-duplex and so cannot TX and RX at the same time.
We should also mention that the HackRF is not the only device that can be used for replay attacks – potentially any radio that can transmit at the keyfob frequency could be used. Even a very cheap Arduino with ISM band RF module can be used for the same purpose.
Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches the codes stored in the car, the car will unlock and then invalidate that code so it can never be used again, thus preventing a replay attack. On the next press the keyfob sends a new code. This system can be defeated simply by jamming the car keyfob receiver, and using a more selective receiver to record the keyfob unlock packet, then replaying those packets at a later time.
The technique Anthony presents has the attacker use an Arduino with CC1101 transceiver as the jammer. Jamming is totally illegal within the USA, so Anthony does not show exactly how to do the jamming. While the signal is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the signal is processed in GNU Radio to remove the jamming signal and extract the keyfob signal. He then uses GNU Radio to demodulate the ASK signal into a binary modulated waveform that he can replay later.
Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.
In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors, and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC, which implements the SimpliciTI low-power radio network protocol. Dayton notes that the majority of attacks not specific to a single manufacturer, and could be applied to other IoT devices as well.
Using a variety of hardware including a logic analyzer, Yardstick One, GoodFET, RFCat, USRP B210 software defined radio and several pieces of software including GNU Radio, GQRX, Baudline, Audacity, Dayton was able attack the alarm in the following ways:
Brute-force attack on the alarm system device source addresses.
Remotely clone authenticated devices used to interact with the alarm system security features.
Decryption of authenticated devices radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
Assisted replay attack.
The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.
If you’ve been paying attention to the news then you might have heard of the recent Dallas tornado siren hack. Earlier in the month a hacker took control of 156 tornado warning sirens placed all around the city of Dallas, Texas in the United States. The sirens are activated via an RF control signal, and the hacker transmitted the control signal, causing all the sirens to activate causing a city wide false alarm. The attack could have been performed with a transmit capable software defined radio like the HackRF, or any other transmit capable radio such as a handheld radio.
In the blog post and video first Balint discusses the difference between a single frequency network, and a repeated network. In a single frequency network, one powerful transmitter up on a hill would be used to activate all the sirens, whereas with a repeater network several dispersed transmitters might be used to repeat the signal over a wide area.
He then discusses the difference between an analog and digital command transmission system. In an analog command transmission a simple series of tones might be used to activate the sirens. In this case the hacker could simply listen for the tones when the siren is activated during the monthly test, and save them away for a future replay attack. In a digital system instead of tones an encrypted packet of data could be used instead. Depending on how the encryption is implemented this could prevent a replay attack.
Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:
Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.
The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using.