Category: HackRF

March 19, 2018

Developing an Alternative To GPS with a HackRF

The LA Times recently ran a story that discussed how vulnerable GPS is to malicious spoofing. This has been well known for a number of years now with researchers having been successful at diverting a 80-million dollar yacht off it's intended course 5 years ago. We've also seen GPS spoofing performed with low cost TX capable SDRs like the HackRF. For example we've seen researchers use GPS spoofing to cheat at "Pokemon Go" an augmented reality smartphone game and to bypass drone no-fly restrictions.

The article in the LA times also discusses how a group of researchers at Aerospace Corp. are testing GPS alternatives and/or augmentations, that improve resilience against spoofing. The system being developed is called 'Sextant', and it's basic idea is to use other sources of information to help in determining a location.

Other sources of information include signals sources like radio, TV and cell tower signals. It also includes taking data from other localization signals like LORAN (a long range HF based hyperbolic navigation system), and GPS augmentation satellites such as the Japanese QZSS which is a system used to improve GPS operation in areas with dense tall buildings, such as in many of Japans cities. More advanced Sextant algorithms will possibly also incorporate accelerometer/inertial data, and even a visual sensor that uses scenery to determine location.

Most likely a key component of Sextant will be the use of a software defined radio and from the photos in the article the team appear to be testing Sextant with a simple HackRF SDR. While we're unsure of the commercial/military nature of the software, and although probably unlikely, hopefully in the future we'll see some open source software released which will allow anyone to test Sextants localization features with a HackRF or similar SDR.

Aerospace Corp. Testing Sextant with a HackRF

March 14, 2018

Measuring the Noise Figure of Airspy and HackRF SDRs in Real Time

The Noise Figure (NF) is an important metric for low noise amplifiers and SDRs. It's a measure of how much components in the signal chain degrade the SNR of a signal, so a low noise figure metric indicates a more sensitive receiver. The Noise Figure of a radio system is almost entirely determined by the very first amplifier in the signal chain (the one closest to the antenna), which is why it can be very beneficial to have a low NF LNA placed right at the antenna

Over on his blog Rowetel has been attempting to measure the noise figure of his HackRF and Airspy, and also with the SDRs connected to an LNA. He's managed to come up with a method for measuring the noise figure of these devices in real time. The method involves using a GNU Octave script that he created and a calibrated signal generator.

It’s a GNU Octave script called nf_from_stdio.m that accepts a sample stream from stdio. It assumes the signal contains a sine wave test tone from a calibrated signal generator, and noise from the receiver under test. By sampling the test tone it can establish the gain of the receiver, and by sampling the noise spectrum an estimate of the noise power.

As expected, Rowetel found that the overall noise figure was significantly reduced with the LNA in place, with the Airspy's measuring a noise figure of 1.7/2.2 dB, and the HackRF measuring at 3.4 dB. Without the LNA in place, the Airspy's had a noise figure of 7/7.9 dB, whilst the HackRF measured at 11.1 dB.

Some very interesting sources of noise figure degradation were discovered during Rowetel's tests. For example the Airspy measured a NF 1 dB worse when used on a different USB port, and using a USB extension cable with ferrites helped too. He also found that lose connectors could make the NF a few dB's worse, and even the position of the SDR and other equipment on his desk had an effect.

March 12, 2018

Viewing Drone Signals with HackRF being used as a Wideband Spectrum Analyzer

Over on his YouTube channel user Andy Clarke has uploaded a video where he demonstrates his HackRF being used as a wideband spectrum analyzer with the HackRF Spectrum Analyzer software. About a year ago the HackRF team released a new firmware update which enabled the HackRF to be able to sweep through the frequency spectrum at a rate of up to 8 GHz per second. This allowed the HackRF to be used as a wideband spectrum analyzer which is able to display an arbitrarily large swath of spectrum. Shortly after the firmware update spectrum analyzer program by 'pavsa' was released on GitHub.

In the video Andy demonstrates the HackRF being used to view the WiFi band and show a 2.4 GHz WiFi connection between a drone and it's controller. He also shows it working with a handheld radio and the uplink of his mobile phone. Andy hopes to use the HackRF to avoid losing his drones due to interference.

Software Defined Spectrum Analyser - Hack RF

Watch this video on YouTube

January 30, 2018

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

January 25, 2018

Pseudo-Doppler Direction Finding with a HackRF and Opera Cake

Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.

In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.

If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.

Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.

January 19, 2018

Schmoocon 18: Live Stream of Micheal Ossmann and Schuyler St. Leger on Psuedo-Doppler begins in 15 minutes

Micheal Ossmann @michaelossmann (famous for creating the HackRF SDR and various other projects) and Schuyler St. Leger @DocProfSky (a very talented young man) will soon be presenting their "Pseudo-Doppler Redux" talk at the Schmoocon 2018 conference at 3:30pm EST. The talk is available for all to watch live on Livestream.

Michael Ossmann and Schuyler St. Leger demonstrate their new take on Pseudo-Doppler direction finding techniques, using SDR to enhance direction finding capabilities.

January 18, 2018

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows us how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrically devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets

January 8, 2018

Reverse Engineering for a Secure Future: Talk by Samy Kamkar

During the Hackaday superconference held during November 2017, Samy Kamkar presented a talk on how he reverse engineers devices, and in particular passive entry and start systems in vehicles. In the talk he also explains what tools he uses which includes SDRs like the HackRF One and RTL-SDR dongle and explains the methodology that he takes when looking at how to reverse engineer any new device. Samy is most famous for writing the Samy MySpace computer worm and also popularizing the "RollJam" wireless car door vulnerability. The talk blurb reads:

In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.

Samy Kamkar: Creating Vehicle Reconnaissance & Attack Tools -- Hackaday Superconference 2017

Watch this video on YouTube