Category: HackRF

Stealing a Drone with Software Defined Radio

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this year's forum, which took place in June, the organizers set up a competition whose goal was to “steal”, or take control of, a Syma X8C quadcopter drone. The drone's radio link runs on the nRF24L01 module, which, as we have seen from previous posts, can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drone's wireless communication system the teams used software defined radios like the HackRF and BladeRF, as well as an alternative method using just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode it into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered, and they were then able to transmit their own packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The Syma X8C drone to be stolen in the competition.

Using a HackRF to perform a replay attack against a Jeep Patriot

Over on his blog Caleb Madrigal has written a short article describing how he was able to perform a simple replay attack against a Jeep Patriot, which allowed him to unlock and lock his car via his HackRF. The replay attack is a very simple attack that can easily be performed with any TX capable SDR, like the HackRF: a signal is recorded and then rebroadcast (replayed). Normally, wireless car locks use rolling code security measures that prevent such an attack, but it appears that the 2006 Jeep Patriot has no such measures.

Caleb first recorded the unlock and lock signals using his HackRF with GNU Radio. He then opened the recorded file in Audacity, isolated the unlock and lock signals, and saved each to a separate file. Finally, he was able to transmit the unlock and lock waveforms, which successfully locked and unlocked the Jeep.

LimeSDR (Previously Sodera) Now Crowdfunding: $299 100 kHz – 3.8 GHz 12-Bit TX/RX SDR

Previously we posted news about the upcoming release of the SoDeRa/LimeSDR, a low cost 100 kHz – 3.8 GHz RX/TX capable software defined radio. Due to copyright reasons SoDeRa has renamed the product to LimeSDR.

The LimeSDR is now seeking crowdfunding with a $500,000 funding goal. At the time of this post, on the first day of funding, the total is already at $65,000 with 53 days left to go, so there appears to be a high chance of it being funded. The description reads:

LimeSDR is a low cost, open source, apps-enabled (more on that later) software defined radio (SDR) platform that can be used to support just about any type of wireless communication standard. LimeSDR can send and receive UMTS, LTE, GSM, LoRa, Bluetooth, Zigbee, RFID, and Digital Broadcasting, to name but a few.

While most SDRs have remained in the domain of RF and protocol experts, LimeSDR is usable by anyone familiar with the idea of an app store – it’s the first SDR to integrate with Snappy Ubuntu Core. This means you can easily download new LimeSDR apps from developers around the world. If you’re a developer yourself, you can share and/or sell your LimeSDR apps through Snappy Ubuntu Core as well.

The LimeSDR platform gives students, inventors, and developers an intelligent and flexible device for manipulating wireless signals, so they can learn, experiment, and develop with freedom from limited functionality and expensive proprietary devices.

The price for a single board is $299 USD for regular backers, but there is an early bird price of $199 USD. At the time of this post there are still over 200 boards left at the lower price. There are also higher end options that add turn-key support and acrylic and aluminium enclosures, as well as a PCIe interface option.

The LimeSDR can tune from 100 kHz – 3.8 GHz, has a bandwidth of up to 61.44 MHz, uses a 12-bit ADC, has two transmit channels and two receive channels, is full duplex and comes with a 4 PPM stable oscillator. To achieve such a high bandwidth the board requires a USB 3.0 connection, and will likely need a modern PC to reach the full bandwidth. From its pricing and specs it can be thought of as a next generation HackRF, or a lower cost version of the high end Ettus SDRs.

The LimeSDR with four antennas attached.

Receiving Iridium Satellites with a HackRF Portapack and Cheap Antenna

Recently Jared Boone, creator of the HackRF Portapack, posted on his blog about his experience trying to receive Iridium satellite signals. The HackRF is an 8-bit, ~0 – 6 GHz, RX/TX capable SDR, and the Portapack is a kit that allows the HackRF to go portable by adding an LCD screen, battery pack and control wheel. Iridium is an L-band satellite service that provides products such as satellite phones and pagers. Back in December 2014 we posted about how it was found that Iridium pager messages could be decoded.

To receive Iridium Jared used a simple ceramic patch antenna mounted on a piece of cheap copper clad fibreglass. This simple antenna was good enough to receive the Iridium signals at good strength. With this setup Jared was able to easily go outside, receive some packets and record them. He writes that his next steps are to try running the Iridium pager decoder on them to see what packets he captured.

Iridium Antenna + HackRF Portapack.

Receiving Differential GPS Beacons with a HackRF

Differential GPS (DGPS) beacons are signals between 285 – 325 kHz that are used to enhance the accuracy of GPS receivers. The system can improve GPS accuracy from 15 m down to 10 cm in some cases. It works using a network of ground stations at very accurately known locations that continuously measure the GPS error they receive. They then broadcast this error to DGPS capable receivers, which can use the error knowledge to correct their own readings.

With a VLF capable radio these DGPS beacons can be received and decoded on your PC. Over on swling.com guest poster Mario has submitted a post showing that these DGPS beacons can be received with a HackRF SDR and the MultiPSK software. The HackRF is a $299 SDR that can tune down to VLF (at reduced sensitivity). We note that the same or better results could also be achieved with a HackRF or RTL-SDR with an upconverter.

DGPS received with a HackRF

Michael Ossmann’s Talk on RF Circuit Design

At the 2015 Hackaday Superconference Michael Ossmann (designer of the HackRF SDR and various other RF products) gave a talk called “Simple RF Circuit Design”. His talk explains in very simple terms how to successfully create RF circuits without needing to do any complicated calculations. The workshop blurb reads:

This workshop on Simple RF Circuit Design was presented by Michael Ossmann at the 2015 Hackaday Superconference. It sold out almost immediately and for good reason. He has designed numerous popular tools like the HackRF One and YARD Stick One. Michael’s depth of knowledge and experience make him a leader in a field that is often called a dark art. There is no reason to fear RF design. Follow his recommendations and remove some of the mystery from the topic.

Essentially his talk boils down to 5 rules:

  1. Use Four Layers
    You’ll have less RF trouble and design work with four layers than with a two layer board. Four layers allow you to have unbroken power planes, which helps to reduce ground loops.
  2. Use the Most Integrated Component Possible
    Instead of designing your own RLC circuits and filters and taking into account factors like Q values, just use an integrated circuit with defined parameters.
  3. Design for 50 Ohms Everywhere
    Keep everything matched to the standard 50 Ohms for optimal impedance matching.
  4. Follow Manufacturer Recommendations
    Use the layouts specified by the manufacturer.
  5. Route the RF Parts First
    Route the most critical part, the RF section, first and keep digital lines away from it.

Michael Ossmann: Simple RF Circuit Design

Reverse Engineering the SimpliSafe Wireless Burglar Alarm

SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. The company claims that its system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable the system. Using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then built a small microcontroller based device that passively listens for the PIN entered packet, saves it into RAM, and replays it on demand, disarming the alarm.

A few days later Michael Ossmann (wireless security researcher and creator of the HackRF SDR and YARD Stick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets and analyze the transmission. From the analysis he determined that the signal was Amplitude Shift Keying (ASK) encoded. With this and some other information taken from the recording, he could then use his YARD Stick One to instantly decode the raw symbols transmitted by the keypad, and perform a replay attack if he wanted to.

Next, instead of doing a capture and replay attack as Andrew did, Michael decided to take it further and actually decode the packets. This took him a few hours but turned out not to be too difficult. He is now able to recover the actual PIN entered by a home owner from a distance, without having to transmit anything. With the right antenna someone could gather hundreds of PINs over a distance of many miles. An expensive radio is not required either: Michael notes that gathering PINs could just as easily be done with a cheap $10-$20 RTL-SDR dongle.

Michael notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem seen all too often in wireless alarm systems. Rightly so, Michael and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.
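As an added illustration (not code from either article, nor from the Jeep or SimpliSafe products), here is a minimal rolling-code receiver showing why a recorded-and-replayed unlock or disarm packet of the kind described above is rejected once the protocol authenticates a strictly increasing counter. The key, packet layout, tag length and resync window are constructed for the example.

```python
import hmac
import hashlib

# Constructed demo key shared by transmitter (fob / keypad) and receiver; not a real device key.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8     # truncated HMAC tag appended to each packet
WINDOW = 16     # how far ahead the receiver will skip to resynchronise (presses made out of range)

def make_packet(counter, command, key=SHARED_KEY):
    """Transmitter side: 4-byte counter || command bytes || truncated HMAC-SHA256 tag."""
    body = counter.to_bytes(4, "big") + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def fixed_code_accept(packet, valid_packet):
    """The weakness the articles describe: the same bytes are accepted every single time."""
    return hmac.compare_digest(packet, valid_packet)

class RollingCodeReceiver:
    """Rejects any packet whose MAC fails or whose counter is not strictly newer than the last one."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, packet):
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False, "replay: counter not fresh"
        if counter > self.last_counter + WINDOW:
            return False, "counter outside resync window"
        self.last_counter = counter
        return True, body[4:].decode()

def demo():
    """Record one genuine press, then replay the recording against both receiver designs."""
    captured = make_packet(1, "UNLOCK")          # what an SDR would record over the air
    rolling = RollingCodeReceiver()
    return {
        "fixed_replay": fixed_code_accept(captured, captured) and fixed_code_accept(captured, captured),
        "rolling_first": rolling.accept(captured),                 # genuine press: (True, "UNLOCK")
        "rolling_replay": rolling.accept(captured),                # same bytes again: rejected
        "rolling_next": rolling.accept(make_packet(6, "LOCK")),    # later press inside window: accepted
    }
```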

The SimpliSafe Alarm Keypad and a Yardstick One.

Budget HackRF: A $150 HackRF Clone

Back in December 2014 the HackRF Blue came out via a crowdfunded Indiegogo campaign as a HackRF board that was $100 cheaper than the official version ($199 vs $299 USD). The HackRF is an 8-bit receive and transmit capable SDR with an operating range of 0.1 – 6000 MHz and a bandwidth of up to 20 MHz. As its hardware design is released as open source, it is very easy for clones of the official version to be produced. While the HackRF Blue Indiegogo campaign was successful, the product is now out of stock as they seem to have stopped production after the campaign.

Now a new budget HackRF is in the works and it is aptly called the “Budget HackRF”. This one aims to be even cheaper than the HackRF Blue coming in at a price of only $150 USD. The people behind the project write:

We are a PCB and SMT assembly factory founded in the year 2001, located in Shenzhen, China. We are a professional EMS/OEM company and provide one-stop contract electronic manufacturing services for PCB&PCBA. Now we want to make small market devices and sell directly to customers.

Some of the parts on the HackRF are End Of Life and very difficult to find now. We have enough of these parts for ~300 HackRFs only. You can find some HackRFs on Alibaba right now, but they use cheap parts and the manufacturer does not test them (they do not install any firmware).

We are trying to find some more of the EOL parts first and will launch the Kickstarter campaign soon. If we can’t find any more of these parts, we will only make ~300pcs. Please register first; when we activate the campaign we will tell you by email. The first 10 people who buy from the Kickstarter will get a heavy discount and pay only $75!

Of note is that the HackRF Blue also intends to make a comeback in April. Their website contains a form to register interest.
