Tagged: security

USBee: Leaking Data from Air-Gapped Computers and Receiving it with an RTL-SDR

This Monday researchers from Ben-Gurion University of Negev released an academic paper detailing their research in showing how attackers could cause your PC to wirelessly leak data. They write that usually covertly modified USB devices are required to leak data, as is the case with the NSA’s COTTONMOUTH device which is detailed in their ANT catalog. However, the innovation from these researchers is that their own implementation can be used to turn any unmodified USB device into a make shift transmitter.

The attack works by first infecting a computer with their malware software. The malware then utilizes the USB data bus to create electromagnetic emissions on a connected USB device. In these tests they use a USB flash drive and write a file to the device in such a way that the emissions produced are transmitting decodable data. They write that any binary data can be modulated and transmitted to a nearby receiver, such as an RTL-SDR dongle. Data rates can reach up to 80 bytes/s.  The data is modulated with binary frequency shift keying, and their receiver code is implemented in GNU Radio.

This story has also been featured on arstechnica and threatpost. The video below demonstrates the attack.

https://www.youtube.com/watch?time_continue=19&v=E28V1t-k8Hk

Unlocking Almost Any Vehicle with an SDR or Arduino

Earlier this week wired.com released a story indicating that researchers from the University of Birmingham have discovered two vulnerabilities that can be used to unlock almost any car. The first vulnerability concerns Volkswagen Group vehicles (VW, Audi, SEAT, Skoda) sold since 1995. Essentially their research found that the keyless entry systems of VW Group vehicles relies only on a few global master keys which they have been able to recover through reverse engineering of an undisclosed component used in a VW car. Then by sniffing the wireless key’s signal with an RF module or SDR like the RTL-SDR or HackRF they are able to recover the cryptographic algorithms used and then using the global key clone the wireless key signal, which can then be re-transmitted with a simple Arduino.

In their second research findings, the researcher’s write how they have been able to crack the Hitag2 rolling code system which is used in many vehicles such as Alfa Romeo, Chevrolet, Citroen, Dacia, Fiat, Ford, Lancia, Mitsubishi, Nissan, Opel, Peugot and Renault. Again, the hack works by sniffing a few wireless keyfob rolling code signals with an SDR or other device. Once the signals have been sniffed a simple laptop computer can reportedly break the encryption within one minute.

Here are some interesting excerpts from the conclusions of the paper:

The results of this paper show that major manufacturers have used insecure schemes over more than 20 years. Due to the widespread use of the analyzed systems, our findings have worldwide impact. Owners of affected vehicles should be aware that unlocking the doors of their car is much simpler than commonly assumed today. Both for the VW Group and the Hitag2 rolling code schemes, it is possible to clone the original remote control and gain unauthorized access to the vehicle after eavesdropping one or a few rolling codes, respectively. The necessary equipment to receive and send rolling codes, for example SDRs like the USRP or HackRF and off-the-shelf RF modules like the TI Chronos smart watch, are widely available at low cost.

A successful attack on the RKE and anti-theft system would also enable or facilitate other crimes:

– theft of the vehicle itself by circumventing the immobilizer system or by programming a new key into the car via the OBD port with a suitable tool

– compromising the board computer of a modern vehicle, which may even affect personal safety, e.g., by deactivating the brakes while switching on the wiping system in a bend

– inconspicuously placing an object or a person inside the car. The car could be locked again after the act

– on-the-road robbery, affecting the personal safety of the driver or passengers if they (incorrectly) assume that the vehicle is securely locked

Note that due to the long range of RKE systems it is technically feasible to eavesdrop the signals of all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight. Afterwards, all vulnerable cars could be opened by the adversary. Practical experiments suggest that the receiving ranges can be substantially increased: The authors of [18] report eavesdropping of a 433 MHz RFID system, with technology comparable to RKE, from up to 1 km using low-cost equipment.

The findings were presented at the Usenix Advanced Computing Systems Association conference during August 10-12, 2016 in Austin, TX. The white paper is titled “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems” and can be downloaded here. Of course they did not publish the actual VW master keys in their paper and they have notified VW and NXP who make the Hitag2 chips in advance, noting that Hitag2 had actually been broken for several years prior.

Back in February we showed how Smay Kamkar was able to bypass rolling codes with his RollJam device, however the findings by these researcher’s is different in that they are actually able to generate new rolling codes, such that a simple Arduino with transmitter can act as a second wireless remote.

A $40 Arduino which can be used to record wireless rolling codes, then transmit new ones once cracked.
A $40 Arduino which can be used to record wireless rolling codes, then transmit new ones once the encryption has been broken.

Stealing a Drone with Software Defined Radio

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this years forum which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The Syma X8C drone to be stolen in the competition.
The Syma X8C drone to be stolen in the competition.

Slovenian University Student & Security Researcher Almost Jailed for Researching TETRA with an RTL-SDR

Dejan Ornig, a 26 year old student at the University of Maribor’s Faculty of Criminal Justice and Security was recently almost jailed for finding a security flaw in Police TETRA communications in his home country of Slovenia. Back in 2013 his University Computer Science class of 25 was assigned a task to research security vulnerabilities in TETRA. TETRA is a RF digital communications protocol often used by authorities due to its ability to be secured via encryption. During his research he used an RTL-SDR and the open source Osmocom TETRA decoder, and discovered a flaw in the Slovenian Police’s TETRA configuration which meant that encrypted communications were often being broadcast in the clear. Translated, Ornig said:

For $20 I bought a DVB-T receiver (RTL-SDR), on the Internet, I have found also freely available and open-source software OsmoCOM. Free access solution for decoding the signal Tetra eighth-tetra is already prepared in advance programming framework based on the platform GNU.

He goes on to say (translated):

I was even more surprised when I found that most users do not have authentication turned on the radio terminal, even though the Ministry of the Interior in the documents and tenders repeatedly wrote to all the radio terminals to access networks using authentication.

Shortly after discovering the flaw, Dejan privately contacted the authorities with his findings. But after two years of repeatedly contacting them and waiting for a fix, Dejan decided to take his story to a local news agency in February 2015. At this point the Slovenian Police became interested in Dejan, and instead of fixing the problem, decided to conduct a search on his house, seizing his computer and RTL-SDR. After the search the Police made life harder for Ornig by trying to lump on other problems. During the search they found a “counterfeit police badge” in his house and apparently accused him of impersonating a police officer, and after a search of his PC they also decided to charge him after finding out that he covertly recorded his ex-employer calling him an “idiot”.

Ornig has now been given a 15 month suspended jail sentence for attempting to “hack” the TETRA network. Fortunately the suspended part means that in order to not go to jail Ornig simply must not repeat his crime again within 3 years. While SDR’s and radios are not illegal in most countries this is a reminder to professional and amateur security researchers to check that what you are doing is legal in your country. Even if it is for the overall good, Police often do not have the technical competence to understand security researchers and may react illogically to findings. The good news about Ornig’s story is that apart from the suspended jail sentence the authorities appear to have now worked with him to fix the problems.

TETRA Decoding
TETRA Decoding

Story Sources:
[http://www.ibtimes.co.uk/researcher-jailed-finding-security-flaws-police-communications-1561600][http://siol.net/novice/slovenija/kako-za-20-evrov-prisluskovati-slovenskim-varnostnim-organom-video-44923][https://podcrto.si/odziv-na-trditve-policije-glede-varnosti-komunikacijskega-sistema-tetra]

Using a HackRF to perform a replay attack against a Jeep Patriot

Over on his blog Caleb Madrigal has written a short article that describes how he was able to perform a simple relay attack against a Jeep Patriot vehicle which allowed him to unlock and lock his car via his HackRF. The replay attack is a very simple attack that can easily be performed with a TX capable SDR, like the HackRF. Essentially, all that is done is that a signal is recorded, and then rebroadcast (replayed) again. Normally, wireless car locks have rolling code security measures that prevent such an attack, but it appears that the 2006 Jeep Patriot has no such measures.

Caleb first recorded the unlock and lock signals using his HackRF with GNU Radio. He then took the step of opening the recorded file up in Audacity and isolating the unlock and lock audio signals, and then saving each signal to a separate file. Finally, after doing this he was able to transmit the unlock and lock waveforms which successfully locked and unlocked the Jeep.

https://www.youtube.com/watch?v=Q-OlgVLHIDs

Reverse Engineering the SimpliSafe Wireless Burglar Alarm

SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.

A few days later Micheal Ossmann (wireless security researcher and creator of the HackRF SDR and YardStick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his Yardstick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.

Next, instead of doing a capture and replay attack like Andrew did, Micheal decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN number entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering 100’s of PINs over a distance of many miles. Also, an expensive radio is not required, Micheal notes that the gathering of PIN numbers could just as easily be done on a cheap $10-$20 RTL-SDR dongle.

Micheal notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Micheal and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.

The SimpliSafe Alarm Keypad and a Yardstick One.
The SimpliSafe Alarm Keypad and a Yardstick One.

Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkars popular “RollJam” device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the carAttacker launches a jammer that prevents the car from receiving the code from the remote
  2. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  3. Target presses the remote a second time and the attacker obtains the second keypress
  4. Attacker then sends the first key press to lock the car, car locks as per normal
  5. Target assumes all is well and carries on about their day
  6. Attacker then sends the second keypress to the car, unlocking it
  7. Profit.
  8. Target returns to the vehicle and remote works as per normal

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

https://www.youtube.com/watch?time_continue=108&v=xAggMOEazDI
Showing how the RollJam attack works.
Showing how the RollJam attack works.

Software defined radio talks from Defcon 23

Defcon is a yearly conference that focuses on computer security and hacking talks. In recent years they have included a “Wireless Village” section that includes talks about all things wireless. This year there were several interesting talks related to Software Defined Radio in some way. Recently some of these talks have been uploaded to YouTube and below we present the ones we have found – let us know if we missed any interesting ones.

Balint Seeber – SIGINT & Blind Signal Analysis w/ GNU Radio & SDR

The workshop will cover many common techniques used to reverse engineer the physical layer of a wireless communications system:

– Blind signal analysis on a signals re-broadcast from a satellite transponder: modulation type, order, symbol rate, error correction,scrambling, differential coding, visualization

– Applying auto-correlation to interesting signals on the HF band: RADAR, OFDM, symbol timing

– Frequency hopping: wide-band, real-time spectrum visualization

All with GNU Radio!

http://www.youtube.com/watch?v=drsgh_PZmJ8

Tim Oshea – GNU Radio Tools for Radio Wrangling/Spectrum Domination

An overview of modern tools available in GNU Radio and the greater GNU Radio ecosystem for building, testing, inspecting and playing with radio system physical layers in gory detail.

http://www.youtube.com/watch?v=CrHNlu8TbJg

Michael Calabro – Software Defined Radio Performance Trades & Tweaks

This workshop is targeted at new and experienced software defined radio (SDR) operators, developers, and enthusiasts seeking a better end-to-end system understanding, and anyone looking to maximize their SDR’s performance. Commercially available SDRs (e.g. USRPs, RTL-SDRs, BladeRFs, etc) are commonly used to fuzz wireless interfaces, deploy private cellular infrastructure, conduct spectrum surveys, and otherwise interact with a wide variety of custom and commercial devices. This workshop focuses on the key parameters and performance drivers in SDR setup and operation that elevate these common platforms to the level of fidelity required to interact seamlessly with commercial devices and networks.

The workshop will begin by surveying different SDR hardware architectures and summarizing the performance tradespaces of several of SDR applications (e.g. collection/survey/transmit). Then the workshop will break down into three main content focuses:

Understanding SDR Hardware: Breakdown common RF frontend and receiver architectures. Identify and derive key performance parameters, and when they will bound performance. Topics covered will include: Noise figure calculation, internal amplification, Frequency selectivity, external RF chains, and noise sources.

Understanding SDR Platform Objectives: Collection, transmission, surveying, and other applications, each present unique challenges to SDRs and will be limited by different dimensions of SDR processing and/or setup configuration. Topics covered include: real-time processing, host buffering, sampling, guard-intervals, framework selection (GRC vs REDHAWK vs MATLAB vs custom), and frequency and time domain signal representation.

Optimizing and Improving Performance: Now that the hardware and platform trade space have been characterized, how do attendees meet and exceed the performance requirements of their application? We will present specific examples for several common platforms (RTL-SDR and USRP). Topics covered will include clock selection, ADC dynamic range, FPGA/SoC offloading, RFIC configuration, CIC filters, sampling, DC biases, antenna selection & pointing, host buffering / processing, and cost-performance trades.

http://www.youtube.com/watch?v=0WzM4K35jIU

Karl Koscher – DSP for SDR

The barrier to entry in software-defined radio is now almost non-existent. Wide band, receive-only hardware can be obtained for as little as $10, and tools like gqrx and SDR# make it extremely easy to get started listening to signals. However, there is a steep learning curve graduating from an SDR script kiddie to developing your own SDR tools. In this talk, I’ll cover the basic theory behind software-defined radios digital signal processing, and digital communication, including I/Q samples, FIR filters, timing and carrier recovery, and more.

http://www.youtube.com/watch?v=y3O-t2UfL0o

In addition to these Wireless Village talks there was also an interesting talk by Samy Kamkar in which explains how he uses SDR in his vehicle security research.

Samy Kamkar – Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced “code grabbers” using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

http://www.youtube.com/watch?v=UNgvShN4USU