Category: HackRF

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to the some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YatesBTS, wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which to access requires that you get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in WMWare or VirtualBox.

SIGINTOS IMSI Catcher
SigintOS IMSI Catcher

YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year Corrosive from his YouTube channel SignalsEverywhere showed us a demo video of him receiving unecrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video Corrosive shows us how to install GR-DECT2 on Linux, which is the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software can be used and finally provides some optimizations tips.

DECT 6.0 Cordless Phone Eavesdropping {Install GR-DECT2 and Decode with HackRF SDR}

Listening in to a DECT Digital Cordless Phone with a HackRF

Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF. 

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.

Demonstration Listening to DECT Phone Call with a HackRF SDR

Black Friday SDR Sales: Airspy 15% Off, SDrplay RSP2 $20 Off, HackRF 20% Off

Airspy

Airspy is currently running a 15% Black Friday sale over on the manufacturers website iead.cc, and on their US distributor airspy.us. The coupon code is BF2018.

This results in an Airspy Mini costing only $84.15, an Airspy HF+ costing $169.15, an Airspy R2 costing $143.65 and a SpyVerter costing $41.65. This is the cheapest we've seen these products to date.  

SDRplay

Over on Ham Radio Outlet, the RSP2 is currently reduced by $20, taking it down to a price of only $149.95. The RSP2 Pro is also reduced down to $192.95. Other SDRplay products, and products on their website appear to be not discounted.

HackRF

Over on SparkFun the original HackRF is 20% off, resulting in a price of only $239.96. It's still double the price of an Aliexpress clone, but it is an original unit. In the UK ML&S are also selling it for 15% off at £219.95. This is the cheapest price we've seen an original HackRF sold for.

Elad FDM S2

At the higher end of the SDR spectrum, we see that the Elad FDM-S2 is currently reduced by $51, resulting in a sale price of $529.

Most of these sales are expected to run until Monday, or until stocks run out.

Have you found any other great SDR deals? Let us know in the comments.

Using the HackRF PortaPack To Perform a Mag-Stripe Audio Spoof

Over on his blog author "netxing" has uploaded a post describing how he was able to use a Portapack to spoof mag-stripe info stored on credit/debit cards. The idea based around an old trick called magnetic stripe audio spoofing. This is essentially using an electromagnet and a music player like an iPod or smartphone to trick a magnetic card reader into thinking that you're swiping a card through it.

Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.

Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure on why you'd want to do this, but it is an interesting experiment regardless.

HackRF Portapack Mag-strip Spoofing
HackRF Portapack Mag-strip Spoofing

Listening To Multiple DMR Channels with DSD+ and a HackRF on Linux

Thanks to Tony C who wrote in and wanted to share a method that he's found to listen to  multiple DMR digital voice channels in Linux. DSD+ is a Windows program that can be used to decode DMR. Although for Windows it is possible to use in Linux via the emulator known as Wine, and pipe the digital audio to it from GQRX. In the quote below, DSD+ "FL" is short for "Fast Lane" which is DSD+'s paid beta service that you can join to get  newer code with more features. Tony writes:

I believe that can bridge the gap between using Linux with the ease of use programs of windows. As I am sure we both can attest that setting up trunk tracking / anything SDR is not as easy on Linux as it is on windows. For example, DSDplus FL makes it extremely easy to identify/decode DMR networks. There are similar things that can be done on Linux, but as I stated, it isn’t as easy to setup.

So the method that I setup and have been using successfully, using Ubuntu and a HackRF, setting up DSDplus 2.98 on wine, that gets audio piped from GQRX using a virtual sink as outlined in https://www.hagensieker.com/wordpress/2018/04/29/dsd-in-ubuntu-18-04/. It was a great blog, but I felt that it was incomplete when trying to get all the voice traffic passed on a network, as it only works on 1 channel at a time.

So I found the control channel for the network and created 5 bookmarks in GQRX and gave them the tag “DMR”. From there I downloaded gqrx scanner https://github.com/neural75/gqrx-scanner followed the install and setup instructions. From there I activated the scanner and GQRX will cycle through the frequencies and when voice traffic is passed, it will stop, and DSDPLUS via wine will decode and record the audio.

[The screenshot] example was for P25, but it has worked in connect+ as well, the only thing is that you cannot bookmark the control channel. I know other options exist out there such as SDRtrunk / op25 which I have used, but I believe this provides a good alternative to those who have used windows and are comfortable with the ease of use of dsdplus FL but want to be on the Linux OS. 

DSD+ Decoding Multiple DMR Channels on Linux
DSD+ Decoding Multiple DMR Channels on Linux

 

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Using a HackRF to Spoof GPS Navigation in Cars and Divert Drivers

Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.

The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that it's current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.

The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.

In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.

Other researchers are working on making GPS more robust. Aerospace Corp. are using a HackRF to try and fuse GPS together with other localization methods, such as by using localizing signals from radio towers and other satellites.

[Also seen on Arstechnica]

Hardware and Method used to Spoof Car GPS Navigation.
Hardware and Method used to Spoof Car GPS Navigation.