Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International mobile subscriber identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI-catchers used by governmental agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data like who or when you are calling.
In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.
With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.
In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.
Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.
A video demo is shown below:
RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.
Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).
For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.
Back in May of this year the DailyMail ran an article discussing how the HackRF by Great Scott Gadgets could be used to break into cars. The DailyMail is a British tabloid magazine well known for its low credibility and alarmist articles. This week they ran a new article about Great Scott Gadgets other product, the Yard Stick One. In the article they discuss how the £109 Yard Stick One tool can be used to disable wireless burglar alarms. The YARD Stick One is not an SDR, but rather a computer controlled radio which can be used to transmit and receive wireless digital signals below 1 GHz. It is useful for wireless security research and reverse engineering digital signals in a way that is a bit easier than with using an SDR like the HackRF.
In the experiment performed in the article they use the YARD Stick one to jam a wireless home alarm for a few seconds allowing entry to the property without setting off the alarm. All in all the article is a good advert for the YARD Stick One, and does do a decent job at drawing attention to the lack of security provided by many wireless security devices.
These days it’s quite easy to share your ADS-B reception on the internet with giant worldwide aggregation sites like flightaware.com and flightradar24.com. These sites aggregate received ADS-B plane location data received by RTL-SDR users from all around the world and display it all together on a web based map.
However, what if you don’t want to share your data on these sites but still want to share it over the internet with friends or others without directly revealing your IP address? Some of the team at beame.io have uploaded a post that shows how to use their beame.io service to securely share your ADS-B reception over the internet. Beame.io appears to be a service that can be used to expose local network applications to the internet via secure HTTPS tunneling. Essentially this can allow someone to connect to a service on your PC (e.g. ADS-B mapping), without you revealing your public IP address and therefore exposing your PC to hacking.
On their post they show how to set up the RTL-SDR compatible dump1090 ADS-B decoder on a Raspberry Pi, and then connect it to their beame-instal-ssl service.
It’s been known for a while now that it is possible to break into cars using simple wireless attacks that involve jamming of the car keyfob frequency. Sammy Kamkars “rolljam” is one such example that can be built with a cheap Arduino and RF transceiver chip. One way to secure yourself against wireless attacks like this is to run a jammer detector.
A jammer detector is quite simple in theory – just continuously measure the signal strength at the car keyfob frequency and notify the user if a strong continuous signal is detected. Over on his blog author mikeh69 has posted about his work in creating a wireless jammer detector out of a Raspberry Pi and RTL-SDR dongle. He uses a Python script and some C code that he developed to create a tool that displays the signal strength on an onscreen bar graph and also conveys signal strength information via audio tones. He writes that with a pair of earphones and battery pack you can use the system while walking around searching for the source of a jammer.
Mikeh69’s post goes into further detail about installing the software and required dependencies. He also writes that in the future he wants to experiment with creating large area surveys by logging signal strength data against GPS locations to generate a heatmap. If you are interested in that idea, then it is similar to Tim Haven’s driveby noise detector system which also used RTL-SDR dongles, or the heatmap feature in RTLSDR Scanner.
Nullcon is a yearly security conference which was held this year during early March. Recently videos of some of the presentations have been uploaded. One presentation of interest is Arthur Garipov’s presentation on “Drone Hijacking And Other IoT Hacking With GNU Radio And SDR”. In his talk he explains how he uses software defined radios and GNU Radio to hack various IoT devices based on the nRF, and even a drone. The talk blurb reads:
Internet of things is surrounding us. Is it secure? Or does its security stand on (deemed) invisibility? SDR (Software-defined radio) and GNU Radio can answer these questions. In this presentation, we will play some modern wireless devices. They have similar protocols, and none of them encrypts its traffic.
We will show how easy it is to find them using SDR and proprietary chipsets, and how to sniff/intercept/fuzz these devices using a small python script and GNU Radio.
As an example we will show a Mousejack attack to wireless dongles, wireless keyboard keylogger and even a drone hijacking.
Speaker Bio Senior Specialist, Network Application Security Team, Positive Technologies Artur was born in 1987. He is a graduate of the Ufa State Aviation Technical University, was a software developer at OZNA and an independent security researcher. He started his career at Positive Technologies in 2014. Now he is engaged in security research of wireless technologies, mobile systems, and IoT. He is also an organizer of the MiTM Mobile contest and hands-on lab at PHDays V and PHDays VI.
The talk slides can be downloaded from their archives.
The HackRF is a $300 USD RX/TX capable software defined radio which has a wide tuning range from almost DC – 6 GHz, and wide bandwidths of up to 20 MHz. It uses an 8-bit ADC so reception quality is not great, but most people buy it for its TX and wide frequency/bandwidth capabilities.
Recently the HackRF received some negative press in the ‘Daily Mail’, a British tabloid newspaper famous for sensationalist articles. In the article the Daily Mail show that the HackRF can be used to break into £100,000 Range Rover car in less than two minutes. The exact method of attack isn’t revealed, but we assume they did some sort of simple replay attack. What they probably did is take the car key far away out of reception range from the car, record a key press using the HackRF, and then replay that key press close to the car with the HackRF’s TX function. Taking the key out of reception range of the car prevents the car from invalidating the rolling code when the key is pressed.
Of course in real life an attacker would need to be more sophisticated as they most likely wouldn’t have access to the keyfob, and in that case they would most likely perform a jam-record-replay attack as we’ve seen with cheap homemade devices like RollJam. The HackRF cannot do this by itself because it is only half-duplex and so cannot TX and RX at the same time.
We should also mention that the HackRF is not the only device that can be used for replay attacks – potentially any radio that can transmit at the keyfob frequency could be used. Even a very cheap Arduino with ISM band RF module can be used for the same purpose.
Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches the codes stored in the car, the car will unlock and then invalidate that code so it can never be used again, thus preventing a replay attack. On the next press the keyfob sends a new code. This system can be defeated simply by jamming the car keyfob receiver, and using a more selective receiver to record the keyfob unlock packet, then replaying those packets at a later time.
The technique Anthony presents has the attacker use an Arduino with CC1101 transceiver as the jammer. Jamming is totally illegal within the USA, so Anthony does not show exactly how to do the jamming. While the signal is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the signal is processed in GNU Radio to remove the jamming signal and extract the keyfob signal. He then uses GNU Radio to demodulate the ASK signal into a binary modulated waveform that he can replay later.
Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.