Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Ars Technica ran an in-depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been used as far back as 1938 and earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system can help the pilot to center the aircraft on the runway, and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument to help pilots land, especially when optical visibility is poor, such as at night or during bad weather/fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and a directional antenna lined up with the runway. Also, as most airports monitor for interference, the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but a strong signal, and thus a large power amplifier and directional antenna, would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

Hermes-Lite: A Low Cost Amateur Radio SDR Made from A Repurposed Cable Modem Chip

The HPSDR Hermes SDR is an open source amateur radio SDR transceiver project that was released as far back as 2011. More recently Steve Haynal has been working on a Hermes-Lite project, which is intended to be an open source, open hardware, low cost amateur radio HF transceiver based on the HPSDR Hermes SDR project software and FPGA DSP implementation.

The Hermes-Lite is able to be very low cost (less than $300) because it is based on the AD9866 chip which is a mass produced RF front end (LNA + ADC & DAC) used in cable modems. Because it is a mass produced commodity, the chip only costs approx. US$35-$25 on Mouser depending on quantity. The chip has a 12-bit 80 MHz ADC and DAC, meaning that if used without any analog mixer front end (like in the Hermes-Lite) it can receive the entire spectrum between 0.1 to 38 MHz all at once.  

The Hermes-Lite is also a lot more than just the RF chip, as it contains a set of switched RF filters and a 5W power amplifier for TX. It also interfaces with a PC via Ethernet and has a built in FPGA for DSP processing.

Recently Steve presented at the FOSSi Foundation Latch-Up conference on May 4-5, and a YouTube recording of his presentation is shown below.

[First seen on The SWLing Post]

Hermes-Lite: Amateur Radio SDR

Vela Pulsar Glitch Detected with RTL-SDR Based Radio Telescope

On February 1st 2019 the HawkRAO amateur radio telescope detected a "glitch" during its observations of the Vela Pulsar. A pulsar is a rotating neutron star that emits a beam of electromagnetic radiation. If this beam points towards the earth, it can then be observed with a large dish or directional antenna and a radio, like the RTL-SDR. The Vela pulsar is the strongest one in our sky, making it one of the easiest for amateur radio astronomers to receive.

Pulsars are known to have very accurate rotational periods which can be measured by the radio pulse period. However, every now and then some pulsars can "glitch", resulting in the rotational period suddenly increasing. Glitches can't be predicted, but Vela is one of the most commonly observed glitching pulsars.

The HawkRAO amateur radio telescope run by Steve Olney is based in NSW, Australia and consists of a 2 x 2 array of 42-element cross Yagi antennas. The antennas feed into three LNAs and then an RTL-SDR radio receiver. He has been observing the Vela pulsar for 20 months.

His observations indicate that Vela glitched and spun up by 2.5PPM at 14:09 UTC on Feb 1, 2019. He claims that this glitch detection is a first for amateur radio astronomy as far as he is aware.

If you're interested in Pulsar detection, check out a few of our previous posts on the topic.

The HawkRAO Amateur Radio Telescope Vela Glitch Detection (Blue graph on the right indicates the glitch detection)

Decoding Es’Hail-2 DVB-S2 Realtime in Linux with LeanDVB

Last week we posted about M Khanfar's YouTube video that showed how to decode Es'Hail-2/QO-100 DVB-S2 on Ubuntu with the LeanDVB decoder. However, the method he showed was not in real time as it involved recording an IQ file in GQRX first, then decoding that IQ file. Similarly we also posted last week about a Windows based real time decoder.

M Khanfar recently wrote in again and wanted to show that real time decoding is possible with LeanDVB. The method is to simply pipe the output of the rtl_sdr command line decoder into LeanDVB, and then into VLC. He notes that his PC isn't actually fast enough to decode in real time without lag, but a modern i5 CPU would work well. The actual terminal command is shown in his YouTube video description.

This is realtime live DVB-S2 decoding, done without the need to record a .RAW file. It's a live and easy method, by one click! In this video I am decoding the 2MS symbol rate from the wideband transponder of the QO-100 beacon. You can decode 1MS, 0.5MS, 333KS and 125KS symbol rates! The lower the symbol rate, the faster the decoding speed! The amateur operators on QO-100 uplink DATV DVB-S2 at 0.5, 333 and 125Ks, so it's easy to live decode now, with very low SNR! So a normal SDR can cover the wideband beacon of 2Ms symbol rate and all ham uplinks! If you have an SDR that can cover 27.5 mb of bandwidth, you can easily decode standard commercial satellite channels live! But it needs a high speed PC.

QO-100 Realtime Live DVB-S2 Decoding

RSGB Talk – The Farnham WebSDR: DC to Microwaves on your Smartphone

Over on YouTube the Radio Society of Great Britain (RSGB) has uploaded a talk by Noel Matthews (G8GTZ) titled "The Farnham WebSDR: DC to Microwaves on your smartphone". The Farnham WebSDR runs 8 (soon to be 10) RTL-SDR dongles in order to cover multiple bands from DC to 2 GHz.

If you're interested in their talks, the RSGB also recently uploaded several other amateur radio related talks from their 2018 convention to their YouTube channel.

This presentation gives an overview of the Farnham WebSDR (http://farnham-sdr.com/) which currently covers the LF bands through to 10GHz. The presentation describes the system architecture and antennas currently used on each band and how the team has used RTL dongle receivers, available for under £10, to give good RF performance on all bands from DC to 10GHz. There is a demonstration of the SDR in use on both PC and smartphone.

RSGB 2018 Convention lecture - The Farnham WebSDR: DC to Microwaves on your smartphone

RTLion: The Multipurpose RTL-SDR Framework

Redditor [K3PWN] has recently released his project called “RTLion”. RTLion is a software framework for RTL-SDR dongles that currently supports various features such as a power spectrum plot and frequency scanning. The software can run on a Raspberry Pi 3 and all features are intended to be accessed via an easy to use web browser interface, or via an Android app. The software can also be run with Docker, making it useful for IoT applications.

The RTLion project can be described as a framework due to the implementation of various features other than the frequency scanner. The common structure of the project is appropriate for adding new features too. The RTLion Framework has a Flask-SocketIO based web interface which houses its features. The web interface is preferred to the command line interface for facilitating usage and supporting remote operations. Matplotlib is used for creating graphs; more specifically, the pylab.psd (Power Spectral Density) method is mostly used for converting the complex samples (stored in a numpy array) to FFT graphs.

Main purpose of the RTLion Framework is creating a framework for RTL2832 based DVB-T receivers and supporting various features such as spectral density visualizing and frequency scanning remotely. These features are provided on the Web interface and accessible via the RTLion server or the RTLion Android App for RTL-SDR & IoT applications.

RTLion - IoT RTL-SDR

All of his code is open source and available on Github. Currently he’s looking for feedback on improving the framework and we are interested to see where this project may lead in the future.

SignalsEverywhere Podcast: Is Software Defined Radio Illegal?

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast, this time discussing the topic "Is Software Defined Radio Illegal?". Recently we posted about the unfortunate arrest of a UN investigator in Tunisia. Reports from news agencies seem to indicate that a major factor in his arrest was his use of an RTL-SDR dongle for monitoring air traffic as part of his investigation on Libya arms embargo violations, although it is suspected that other political motivations are at play.

In his podcast Corrosive tries to open a discussion on whether software defined radio (SDR) is illegal, since SDR receivers have the possibility to be able to receive, demodulate and decode almost any signal. He first focuses on mostly American FCC laws regarding scanners, but similar laws are likely to be in place throughout most of the western world. Later in the podcast he discusses transmit capable SDRs and how these are more likely to come to the attention of politicians.

Software Defined Radio Illegal?

Online Course: Software Defined Radio From 0 to 1

Back in March we posted about Qasim Chaudhari and his recently released book titled "Wireless Communications From the Ground Up - An SDR Perspective". The book covers advanced University level wireless topics, but he noted how he's attempted to keep the math at school complexity (although for most people we'd say it's still more at undergraduate Engineering school complexity).

Since the last post Qasim has received a lot of feedback from radio amateurs asking for a much simpler introduction to DSP concepts, without the use of University level math. Recently Qasim wrote in and noted how he's now created a set of online lectures that is intended for either professionals who want an overview of physical layer algorithms, or radio hobbyists and general technical persons who want to expand their knowledge.

The course costs US$37 (currently discounted by 20% to $29.50 via this coupon link) and has a sampling of free videos for you to watch.

A sample slide from Qasim's Lectures