Tagged: DVB-T

Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this year's Defcon conference security researcher Pedro Cabrera held a talk titled "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and a drone. The concept he demonstrated is simple: broadcast a stronger signal than the legitimate one so that the TV locks on to the fake signal instead. However, rather than transmitting at extremely high power, he uses a drone to carry a HackRF SDR right in front of the target's TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. In most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East, smart TVs implement the HbbTV standard. This allows features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedro's talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering

Watching DVB-T TV and Using SDR Mode at the same time with two RTL-SDRs

Normally, if you want to use the RTL-SDR as an SDR on Linux you install the SDR drivers and blacklist the kernel's built-in DVB-T drivers to prevent them from taking over the RTL-SDR. Once blacklisted, no RTL-SDR plugged into that system can be used for DVB-T watching unless the blacklist is removed. But if the blacklist is removed, SDR mode cannot be used. So it's impossible to use one RTL-SDR as an SDR and another for DVB-T TV at the same time.

However now, Hayati A. has submitted news about his RTL-SDR driver patch which allows you to run SDR mode and DVB-T TV mode at the same time with two RTL-SDR dongles.

The idea behind allowing two dongles to operate in separate modes is that one dongle needs to have the PID code stored in its EEPROM changed to a code which was recently registered by Hayati. The dongle with this PID code won't be recognized as a DVB-T device by Linux, and so can only be used for SDR. A dongle with the stock EEPROM can then be plugged in and used for DVB-T.

The patch has been accepted into the development branch of the librtlsdr drivers and the Readme notes read:

  • A special USB vendor/product id got reserved at http://pid.codes/ : 0x1209/0x2832 
  • for such devices the linux kernel's DVB modules are not loaded automatically, thus can be used without blacklisting dvb_usb_rtl28xxu below /etc/modprobe.d/
  • this allows to use a second RTL dongle for use with DVB in parallel 
  • the IDs can be programmed with 'rtl_eeprom -n' or 'rtl_eeprom -g realtek_sdr'

Note that the DVB-T drivers in Linux should not be blacklisted if you are doing this. Also, some cheaper RTL-SDR models don't come with an EEPROM, and those models cannot do this.
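A pre-flight check for the two-dongle setup described above, written as an added example (not part of the post or of librtlsdr): it classifies attached dongles from lsusb-style output by USB ID and confirms that dvb_usb_rtl28xxu has not been blacklisted. The SDR-only ID 0x1209/0x2832 comes from the readme quoted above; the stock Realtek IDs 0bda:2832 and 0bda:2838 are assumed here, not stated on the page, and the lsusb lines and modprobe.d contents are constructed samples.

```python
import re

# Assumption: stock Realtek IDs that the kernel's dvb_usb_rtl28xxu driver claims.
# These are not stated on the page.
KERNEL_DVB_IDS = {"0bda:2832", "0bda:2838"}
# The pid.codes ID from the librtlsdr readme: never claimed by the kernel DVB driver.
SDR_ONLY_ID = "1209:2832"

LSUSB_RE = re.compile(r"ID\s+([0-9a-f]{4}:[0-9a-f]{4})", re.IGNORECASE)
# An active (uncommented) blacklist line for the kernel DVB driver.
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+dvb_usb_rtl28xxu\b", re.MULTILINE)


def classify_dongles(lsusb_output):
    """Map each attached RTL dongle to the driver path it will take."""
    result = {"sdr_only": [], "kernel_dvb": []}
    for usb_id in LSUSB_RE.findall(lsusb_output):
        usb_id = usb_id.lower()
        if usb_id == SDR_ONLY_ID:
            result["sdr_only"].append(usb_id)
        elif usb_id in KERNEL_DVB_IDS:
            result["kernel_dvb"].append(usb_id)
    return result


def dvb_driver_blacklisted(modprobe_conf):
    """True if the concatenated /etc/modprobe.d/ contents blacklist the DVB driver."""
    return bool(BLACKLIST_RE.search(modprobe_conf))


def check_dual_mode_setup(lsusb_output, modprobe_conf):
    """Return the list of problems that would stop SDR mode and DVB-T working in parallel."""
    dongles = classify_dongles(lsusb_output)
    problems = []
    if not dongles["sdr_only"]:
        problems.append("no dongle carries the SDR-only ID 1209:2832; reprogram one with rtl_eeprom")
    if not dongles["kernel_dvb"]:
        problems.append("no stock-ID dongle present for DVB-T")
    if dvb_driver_blacklisted(modprobe_conf):
        problems.append("dvb_usb_rtl28xxu is blacklisted, so the stock dongle cannot be used for DVB-T")
    return problems


# Constructed sample output, not captured from a real machine.
SAMPLE_LSUSB = """\
Bus 001 Device 003: ID 1209:2832 Generic RTL2832U SDR
Bus 001 Device 004: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
"""
SAMPLE_MODPROBE_OK = "# no blacklist entries\n"
SAMPLE_MODPROBE_BAD = "blacklist dvb_usb_rtl28xxu\n"

if __name__ == "__main__":
    print(classify_dongles(SAMPLE_LSUSB))
    print(check_dual_mode_setup(SAMPLE_LSUSB, SAMPLE_MODPROBE_OK))
    print(check_dual_mode_setup(SAMPLE_LSUSB, SAMPLE_MODPROBE_BAD))
```

On a real system you would feed it the output of `lsusb` and the concatenated files under /etc/modprobe.d/; an empty problem list means one dongle will go to librtlsdr and the other to the kernel DVB driver.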

Setting up and Testing Osmo-FL2K

A few days ago we posted about Osmo-FL2K, a newly released piece of software by Steve M from Osmocom that turns a common $5-$15 USB to VGA adapter into a transmit-only SDR. It is very complementary to the RTL-SDR.

Any USB to VGA adapter that contains an FL2K chip appears to be compatible, and yesterday we received one and have been playing with it. This post is a demonstration of some of the results.

Hardware Used

  1. The cheapest USB to VGA adapter found on the market. It seems all of the low cost $5 - $15 adapters that indicate "USB 3.0 to VGA", and max resolutions of 1920 x 1080 are compatible as they use the FL2K chip. More expensive units are not compatible. Compatible units all have a similar design (box at the end of a short USB cable, although there are other types too). The brand does not matter. (Amazon) (eBay) (Aliexpress)
  2. A VGA to BNC breakout cable to connect the FL2K SDR directly to an RTL-SDR (via a BNC to SMA adapter) without illegally transmitting over the air. The red breakout is the one connected to the TX pin. (Amazon) (eBay) (Aliexpress)
  3. A low cost 20dB or more attenuator to avoid overloading the dongle. (Amazon) (eBay) (Aliexpress)
FL2K Test Hardware

Setup

Note that you must have a USB 3.0 port to use Osmo-FL2K, although a USB 2.0 port might work at significantly reduced bandwidths.

Osmo-FL2K is Linux only at the moment, but it may be possible for someone to compile a Windows version, just like with RTL-SDR. Instructions for downloading and compiling the software are available on the official wiki. It is a standard git clone, cmake, make type procedure which can be done in 2 minutes. You'll probably also need to run 'sudo apt-get install sox pv' if you want to run the WBFM example.

First we tried to boot into the GNU Radio Live Linux bootable image on a tablet-like laptop that only has USB C 3.0 ports. Unfortunately, while the FL2K-SDR was recognized and Osmo-FL2K detected it, there was no signal coming out during test transmissions. It seems that there may be issues when a USB C to USB Type A converter is used.

Next we tried the GNU Radio Live Linux bootable image on a desktop PC, and this time Osmo-FL2K worked fine when plugged into a USB 3.0 port. However, plugging it into extended ports seemed to cause it to not be detected. So if you're having trouble getting Osmo-FL2K to work, try other USB 3.0 ports on your PC, and avoid USB C adapters if possible.

We also tried VirtualBox, however the FL2K-SDR wouldn't connect to the Linux guest system, even though USB 3.0 was enabled and the extensions were installed. For VMware it appears that only the paid versions support USB 3.0.

Testing

WBFM

Following the instructions on the official Osmo-FL2K page we were able to get a WBFM transmission up and running almost instantly. The provided example routes audio from your soundcard into the FL2K-SDR, causing it to transmit WBFM audio at 95 MHz. With this we were easily able to broadcast audio from YouTube to another PC via the FL2K-SDR, although there is about two seconds of delay.

To choose the transmit frequency you set the carrier frequency and the sample rate; the output then appears at the sample rate plus or minus the carrier frequency, along with harmonics.

FL2K broadcasting WFM with fl2k_fm.
fl2k_fm help screen

Harmonics

Speaking of the harmonics, we had a look at them using an Airspy and the SpectrumSpy software. The image below shows that the harmonics of a signal transmitted at 95 MHz extend all the way up to the maximum range of the Airspy at 1.8 GHz, and probably further. So filtering is essential if you ever want to transmit over the air.

Note that when broadcasting at 95 MHz (sample rate 130 MHz, carrier 35 MHz), there is also a strong signal at the carrier frequency. So band pass filtering would be required. 
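To make the "sample rate +/- carrier frequency" rule and the strong residual carrier concrete, here is an added worked example (not code from Osmo-FL2K or from the original post). It assumes a simplified model of the FL2K DAC with no reconstruction filter: a tone at fc produces images at every k*fs ± fc, each reduced by the zero-order-hold sinc roll-off |sin(pi f/fs)/(pi f/fs)|. Under that model it lists where energy appears for the page's 130 MHz / 35 MHz settings and how much a band-pass filter around the wanted 95 MHz image would have to reject. Real hardware also produces the harmonics shown in the Airspy screenshot, which this model does not cover.

```python
import math


def fl2k_images(sample_rate_hz, carrier_hz, max_hz):
    """All frequencies up to max_hz at which a DAC clocked at sample_rate_hz and
    fed a tone at carrier_hz puts out energy: the tone itself (k = 0) plus the
    images at k*fs - fc and k*fs + fc for every integer k >= 1."""
    images = set()
    k = 0
    while k * sample_rate_hz - carrier_hz <= max_hz:
        for f in (abs(k * sample_rate_hz - carrier_hz), k * sample_rate_hz + carrier_hz):
            if 0 < f <= max_hz:
                images.add(f)
        k += 1
    return sorted(images)


def zoh_rolloff_db(freq_hz, sample_rate_hz):
    """Relative level in dB of an output at freq_hz under the zero-order-hold
    (sample-and-hold) response of an unfiltered DAC: 20*log10(|sinc(f/fs)|)."""
    x = freq_hz / sample_rate_hz
    if x == 0:
        return 0.0
    return 20 * math.log10(abs(math.sin(math.pi * x) / (math.pi * x)))


def image_table(sample_rate_hz, carrier_hz, max_hz):
    """(frequency_hz, level_db) for every image, strongest first."""
    rows = [(f, zoh_rolloff_db(f, sample_rate_hz))
            for f in fl2k_images(sample_rate_hz, carrier_hz, max_hz)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def filter_rejection_needed(sample_rate_hz, carrier_hz, wanted_hz, max_hz, margin_db=40.0):
    """For each unwanted image, the attenuation (dB) a band-pass filter around
    wanted_hz must provide so that the image ends up margin_db below the wanted
    output. margin_db is an assumed design target, not a figure from the page."""
    wanted_level = zoh_rolloff_db(wanted_hz, sample_rate_hz)
    needed = {}
    for f, level in image_table(sample_rate_hz, carrier_hz, max_hz):
        if f != wanted_hz:
            needed[f] = max(0.0, level - wanted_level + margin_db)
    return needed


if __name__ == "__main__":
    # The page's WBFM settings: 130 MS/s sample rate, 35 MHz carrier, 95 MHz wanted.
    FS, FC, WANTED = 130_000_000, 35_000_000, 95_000_000
    for f, level in image_table(FS, FC, 500_000_000):
        print(f"{f / 1e6:7.1f} MHz  {level:6.2f} dB")
    for f, att in sorted(filter_rejection_needed(FS, FC, WANTED, 500_000_000).items()):
        print(f"reject {f / 1e6:7.1f} MHz by {att:5.1f} dB")
```

With these settings the 35 MHz carrier sits about 1 dB down while the wanted 95 MHz image is already about 9.7 dB down, which is why the carrier shows up so strongly in the screenshot and why a low-pass filter alone would not do: the filter has to be band-pass, rejecting both the carrier below and the 165 MHz and higher images above.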

Harmonics when transmitting at 95 MHz

DVB-T

We also tested the DVB-T example found at https://github.com/steve-m/fl2k-examples, which worked flawlessly. By using the connected RTL-SDR dongle with the original DVB-T drivers we were able to receive a transmitted stream at 490 MHz using the ProgDVB software.

To do this follow the instructions in the fl2k-examples/DVB-T readme file to generate samples which Osmo-FL2K can transmit. Then on another PC install the DVB-T drivers for the RTL-SDR, and use ProgDVB to scan 490 MHz by manually editing the multiplexes options.

Osmo-FL2K transmitting DVB-T.
Osmo-FL2K transmitting DVB-T to a Laptop running an RTL-SDR.

CPU Usage

Osmo-FL2K is quite CPU intensive, especially if higher sample rates are used. For this reason it might struggle on single board computers that support USB 3.0. The images below show some CPU usage examples for sample rates of 20, 55, 130 and 155 MS/S. The test PC uses a fairly powerful i7-6700 CPU.

CPU usage screenshots at 20 MS/S, 55 MS/S, 130 MS/S and 150 MS/S.

Aerial TV: Android RTL-SDR DVB-T Decoder Officially Released

Last month we posted about Aerial TV, a new Android based DVB-T decoder that works with RTL-SDR dongles. Back then the app was still in beta testing and had a few operational bugs. Now the Aerial TV app has been officially released.

UPDATE: Due to Google policies Aerial TV has been removed from the Google Play Store. It is claimed that Aerial TV could be used for copyright violation. It is now available on the Amazon store. Official information will always be available on the new official website at aerialtv.eu

The app is based on the new Android DVB-T driver for RTL2832U devices which is written by Martin Marinov who is also the programmer of Aerial TV. The DVB-T driver is open source, and currently supports RTL2832U devices with the R820T, E4000, R828D, FC0012 and FC0013 tuner chips. Of note is that the R828D also has DVB-T2 support.

Aerial TV is free to download and test, but requires a $7.99 licence to use for more than 30 minutes. To use it you will need an OTG (On-the-go) cable adapter and an RTL-SDR dongle with antenna.

Just watch TV – no data plan or wifi connection required. Aerial TV works by picking up digital TV channels off the air with a regular TV antenna.

You will need a low cost USB TV tuner. You can grab one online for less than €10. Make sure to get an RTL2832 tuner. When it arrives, just connect the provided antenna and start watching. You may need a USB OTG cable to plug the tuner into your Android device. USB OTG cables are inexpensive and easy to find.

Note that your Android device must support USB OTG. If unsure, do a quick search online or consult your Android device manual. Also check that there is DVB-T/DVB-T2 service in your local area by doing a quick search online. Signal needs to be strong enough for Aerial TV to pick it up. For best results use an outdoor aerial.

You get free unlimited access to radio forever. You also get to watch all TV channels and experience all features of Aerial TV during the trial period for free. After the trial period ends you can make a one-off purchase and watch as much TV as you want. Remember: you can keep listening to radio even if the trial has ended!

Q: How do I find a supported dongle?
A: All major RTL2832 (rtl-sdr) dongles are supported. These dongles can be easily purchased online. Just type in “RTL2832” or “RTL2832U” in the search box of your favourite online store.

Q: What tuner do I need to watch DVB-T2?
A: If your country has DVB-T2 broadcasts (such as Freeview HD in UK) you will need a DVB-T2 compatible receiver dongle such as R828D in order to watch DVB-T2 with Aerial TV.

Aerial TV Screenshot
Test a android program "Aerial TV (Unreleased)" ver. 1.1 with usb dongle with R820T2 chip

Aerial TV: An Android DVB-T Decoder for the RTL-SDR

On the Google Play store a new RTL-SDR compatible app called ‘Aerial TV’ has been released (in beta) by Martin Marinov. Aerial TV allows you to watch DVB-T HD TV on your android device, with an RTL-SDR connected to it via USB OTG cable. Martin is also the author of the popular SDR Touch Android program and the RTL2832U Android driver port. 

The new software requires a different DVB-T driver app to be installed first, which is also provided by Martin. This is because the RTL-SDR needs to be operated in a mode different to the way that the SDR drivers use it in. Martin has also open sourced his Android DVB-T driver and it is available on GitHub.

Aerial TV is currently free on the Google Play store, but looks like it may eventually have some in-app purchases. Also, it is currently marked as ‘Unreleased’ on Google Play, which is essentially a beta version, so you might expect there to be some bugs.

Aerial TV Screenshot

Over on YouTube user GiamMa-based researchers SDR R&D IoT has uploaded a video showing Aerial TV scanning for TV channels, and then eventually playing some video.

APP DVB Receiver Aerial TV (Unreleased) rtl sdr compatible test with oneplus one

Measuring the return loss of the standard RTL-SDR whip antenna

Most low cost sellers of RTL-SDR dongles bundle them with a cheap fixed-length whip antenna. Over on YouTube Adam 9A4QV has measured the return loss of these whip antennas with his vector network analyzer to determine at what frequencies you can expect decent performance. The return loss indicates at what frequencies you can expect a good impedance match, and thus a good standing wave ratio (SWR). In the negative-dB convention used on his plots, the lower (more negative) the return loss, the better the impedance match, so less power is reflected at the antenna and receive performance is better.

Adam's results found that without a ground plane the antenna has a return loss of less than -10 dB at around 625 MHz and about 1.40 GHz. With a ground plane (placed on a metal surface) the antenna has good performance at around 535 MHz, 1.4 GHz and 2.4 GHz. This is not surprising as the antenna is designed for DVB-T TV, of which most signals are transmitted near 535 MHz. Adam also remarks that the performance at the ADS-B frequency of 1090 MHz, with or without a ground plane, is quite bad.

DVB-T antenna return loss with ground plane
DVB-T dongle whip antenna test
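To relate Adam's return loss figures to the SWR and wasted power that a reader may be more used to, here is an added example (not Adam's code or data): it converts a return loss reading into the reflection coefficient magnitude, SWR and reflected power fraction using the standard relations |Γ| = 10^(-RL/20) and SWR = (1+|Γ|)/(1-|Γ|), and then picks out the usable bands from a sweep using the -10 dB threshold mentioned above. The sweep values are constructed to resemble the description of the ground-plane case and are not his VNA measurements.

```python
import math


def reflection_magnitude(return_loss_db):
    """|Gamma| from return loss. Accepts either sign convention (10 dB or -10 dB)."""
    return 10 ** (-abs(return_loss_db) / 20)


def swr_from_return_loss(return_loss_db):
    """Standing wave ratio; a 0 dB return loss (total reflection) gives infinity."""
    g = reflection_magnitude(return_loss_db)
    if g >= 1.0:
        return math.inf
    return (1 + g) / (1 - g)


def reflected_power_fraction(return_loss_db):
    """Fraction of power bounced back at the antenna port (|Gamma|^2)."""
    return reflection_magnitude(return_loss_db) ** 2


def usable_bands(sweep, threshold_db=10.0):
    """Contiguous frequency ranges where |return loss| >= threshold_db.
    sweep: list of (freq_hz, return_loss_db) sorted by frequency."""
    bands = []
    start = prev = None
    for f, rl in sweep:
        if abs(rl) >= threshold_db:
            if start is None:
                start = f
            prev = f
        elif start is not None:
            bands.append((start, prev))
            start = None
    if start is not None:
        bands.append((start, prev))
    return bands


# Constructed sweep (ground-plane case), shaped after the page's description:
# good match near 535 MHz and 1.4 GHz, poor at 1090 MHz. Not real VNA data.
SAMPLE_SWEEP = [
    (400e6, -3.0), (500e6, -9.0), (535e6, -18.0), (570e6, -12.0), (600e6, -7.0),
    (1090e6, -2.5), (1350e6, -11.0), (1400e6, -16.0), (1450e6, -9.5),
]

if __name__ == "__main__":
    for rl in (-3, -10, -18, -20):
        print(f"RL {rl:4d} dB -> SWR {swr_from_return_loss(rl):5.2f}, "
              f"reflected {100 * reflected_power_fraction(rl):5.1f}%")
    print([(lo / 1e6, hi / 1e6) for lo, hi in usable_bands(SAMPLE_SWEEP)])
```

The -10 dB threshold corresponds to an SWR of about 1.9 with 10% of the power reflected, which is the usual rule of thumb for a "good enough" match; the -2.5 dB at 1090 MHz in the constructed sweep would mean over half the power is reflected, in line with Adam's remark about ADS-B.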

Transmitting DVBT HDTV from a Raspberry Pi to an RTL2832U

Over on his blog, OZ9AEC has uploaded a post showing how he was able to create a live HDTV transmitter out of a Raspberry Pi, a Raspi Cam module and a UTC DVB-T Modulator adaptor. As he does not want to interfere with commercial DVB-T broadcasts, he sets the module to transmit at 1.28 GHz, aka the 23 cm licenced ham radio band.

On the RTL2832U dongle side, he modified the RTL2832U Linux DVB-T drivers (not the SDR drivers) to work on the 1.3 GHz band. The intention of this camera is for it to fly on a rocket mission. In the YouTube video below he has uploaded some sample footage with the RTL2832U dongle receiving the stream from 300 meters away.

Rocketcam 1 test 3 (20140531_142625)

Transmitting DVB-T with the BladeRF and Receiving it on a RTL-SDR

The BladeRF is a software defined radio that has transmit and receive capability. Over on his blog, Clayton Smith has recently posted about his experiments which involve using the BladeRF to transmit DVB-T digital TV from one laptop to another laptop running an RTL-SDR in DVB-T mode. This is one of the few applications where the RTL-SDR is used as a DVB-T receiver as it was originally intended. Clayton used GNU Radio, a DVB-T package for GNU Radio and some Python scripts to create the BladeRF transmitter.

The newer Linux kernels have DVB-T support for the RTL2832U chip, so the latest version of Ubuntu 13.10 will be able to recognize the RTL-SDR stick as a DVB-T receiver easily. Clayton used VLC in Ubuntu 13.10 to receive the DVB-T signal transmitted by the BladeRF which was tested on the 70cm, 33cm and 23cm bands.

DVB-T Received by the RTL-SDR
Webcam DVB-T TX by a BladeRF and RX by the RTL-SDR