Category: Security

Using the Don’t Look Up Tool to Eavesdrop on Insecure Private Satellite Communications

Over on YouTube, Rob VK8FOES has uploaded a video showing how to install and use the "dontlookup" open-source Linux Python research tool for evaluating satellite IP link security. Back in October, we posted about a new Wired article that discussed how many geostationary satellites are broadcasting sensitive, unencrypted data in the clear and how a cheap DVB-S2 receiver and satellite dish can be used to eavesdrop on them.

In the video, Rob discusses the new dontlookup tool, which is an excellent one-stop shop open-source tool for parsing IP data from these satellites. He goes on to show the full steps on how to install and use the tool in Linux. The end result is private internet satellite data being visible in Wireshark (blurred in the video for legal reasons). In the video description, Rob writes:

I thought I would make a video showcasing this new open-source Python tool for Linux. 'Don't look up' is the result of a research campaign conducted by a group of cyber security researchers from the USA for decoding DVB-S2 satellite data transponders.

Geostationary communications satellites are somewhat of a 'perfect target' to malicious threat actors, due to their downlink signals covering large portions of earth surface. This gives attackers are large attack surface to intercept IP traffic being transmitted from space. To most peoples surprise, little-to-no security, such as encryption, are being used on these data transponders!

This is all old news to myself, and the fans of my YouTube channel that have been following my TV-satellite hobby for the past couple of years. Most of this was already possible with consumer-grade satellite equipment and a Python application called GSExtract. However, the scope of GSExtract was a lot more narrower than that of DontLookUp, with the developers claiming to have achieved an exponential packet recovery rate compared to GSExtract.

Join me in this video today where I will be showing my users how to patch and build the TBS5927 USB satellite receiver drivers for RAW data capturing. I'll also be showcasing the software application called 'DVBV5-Zap' which interfaces with our satellite receiver to capture RAW data from a satellite. And finally, I will finish-off the video by demonstrating the actual usage of DontLookUp itself. To make the tutorial as accessible as possible, I'm doing the entire process inside a Linux virtual machine!

This tutorial will probably only work in DragonOS FocalX R37 Linux by the wonderful @cemaxecuter. You are welcome to try on other Linux distributions, but your mileage will vary! Also, due to the TBS5927 using something called a 'Isochronous Endpoint', it's only possible to use this satellite receiver via USB Passthrough in VMWare versions 17.5 and above. VirtualBox does not support Isochronous USB Endpoints in any version. It's always best to run Linux on 'bare-metal' by installing it directly to your PC's internal SSD, or running it from a bootable USB thumb drive.

Please understand that if you own an internal PCI-E satellite receiver card from TBS, it is not possible to 'pass it through' to Linux running inside in a Type-2 Hypervisor (VMware, VirtualBox etc.) Installing Linux on bare-metal is the only hope for PCI-E card owners. Thanks very much for watching!

HARDWARE:
TBS5927 USB Satellite Receiver
90cm 'Foxtel' Satellite Dish
Golden Media GM202+ LNB
Hills RG-6 Coaxial Cable (F-Type Connectors, 75 Ohm)

SOFTWARE:
VMWare Workstation 17.6.2
DragonOS FocalX R37 Linux
TBS 'Linux_Media' Drivers
'RAW Data Handling' Patch
DVBV5-Zap
DontLookUp

If you're interested in this topic, Rob's YouTube channel has many videos on this topic that are worth checking out.

Don't Look Up (No, Not The Movie): A New Research Tool To Evaluate Satellite IP Link Security!

NSA GENESIS: How NSA Spies Snooped on Local RF Bands using Modified Cell Phones with a Built-in SDR

Over on YouTube, the "Spy Collection" channel has recently uploaded a video detailing the US National Security Agency's (NSA) GENESIS spy gadget. GENSIS was a modified Motorola cell phone that contained a full software-defined radio system within. This system allowed NSA agents to discreetly record the local RF spectrum for later analysis. For example, an agent may have been able to record the frequencies and RF protocols used at particular facilities of interest for use in later operations. 

Details about the NSA GENESIS were revealed when the NSA's Advanced Network Technologies (ANT) catalogue was publicly leaked back in 2013. Originally, project GENESIS was due to be declassified in 2032.

Spy Collection also notes that the leaked documents indicate it is possible the phone was also used, or intended to be used, as a "finishing tool". In other words, a remotely detonated explosive phone, that could be given to persons on the US terrorist list. 

NSA's Leaked Secret GENESIS Cell Phone

Demonstrating a Rollback Attack on a Honda via HackRF Portapack and an Aftermarket Security Solution

Over on YouTube "Obsessive Vehicle Security" has uploaded a video demonstrating a rollback attack against a Honda vehicle using a HackRF Portapack and the "Remote" function on the Mayhem firmware. His recent blog post also succinctly explains the various types of keyless vehicle theft used by modern thieves, including Roll-Jam, Relay Amplification and Rollback attacks. Regarding rollback attacks he explains:

A Rollback Attack works by capturing remote signals and replaying them. In theory this should not be possible with a rolling code remote system, however, a large number of vehicles are vulnerable to it. Including my 2015 Honda Vezel!

For it to work on the Honda I need to capture 5 consecutive remote signals. It does not matter if the car has seen these or not, when I replay them it re-syncs and unlocks the car. I have tested this and can replay the sequence as many times as I like. It always works.

He also mentions in the video how an aftermarket security system can partially mitigate these attacks.

In the past we also posted about Flipper Zero based rollback attacks.

Rollback Attack on Honda - HackRF One Bypasses Rolling Code Security

Eavesdropping on Sensitive Data via Unencrypted Geostationary Satellites

Recently, Wired.com released an article based on research by researchers at UC San Diego and the University of Maryland, highlighting how much sensitive unencrypted data many geostationary satellites are broadcasting in the clear.

The researchers used a simple off-the-shelf 100cm Ku-band satellite dish and a TBS-5927 DVB-S/S2 USB Tuner Card as the core hardware, noting that the total hardware cost was about $800. 

Simple COTS hardware used to snoop on unencrypted satellite communications.
Simple COTS hardware used to snoop on unencrypted satellite communications.

After receiving data from various satellites, they found that a lot of the data being sent was unencrypted, and they were able to obtain sensitive data such as plaintext SMS and voice call contents from T-Mobile cellular backhaul and user internet traffic. The researchers notified T-Mobile about the vulnerability, and to their credit, turned on encryption quickly.

They were similarly able to observe uncrypted data from various other companies and organizations, too, including the US Military, the Mexican Government and Military, Walmart-Mexico, a Mexican financial institution, a Mexican bank, a Mexican electricity utility, other utilities, maritime vessels, and offshore oil and gas platforms. They were also able to snoop on users' in-flight WiFi data.

Cellular Backhaul
We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS, end user Internet traffic, hardware IDs (e.g. IMSI), and cellular communication encryption keys.

Military and Government
We observed unencrypted VoIP and internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems with detailed tracking data for coastal vessel surveillance, and operations of a police force.

In‑flight Wi‑Fi
We observed unprotected passenger Internet traffic destined for in-flight Wi-Fi users on airplanes. Visible traffic included passenger web browsing (DNS lookups and HTTPS traffic), encrypted pilot flight‑information systems, and in‑flight entertainment.

VoIP
Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end users.

Internal Commercial Networks
Retail, financial, and banking companies all used unencrypted satellite communications for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information.

Critical Infrastructure
Power utility companies and oil and gas pipelines used GEO satellite links to support remotely operated SCADA infrastructure and power grid repair tickets.

The technical paper goes in depth into how they set up their hardware, what services and organizations they were able to eavesdrop on, and how they decoded the signals. The team notes that they have notified affected parties, and most have now implemented encryption. However, it seems that several services are still broadcasting in the clear.

ESP32 Bus Pirate: Turn your ESP32 into a Multi-Purpose Hacker Tool

Thank you to "Geo" for writing in and sharing with us his open source project called "ESP32-Bus-Pirate" which he thinks might be of interest to those in the RTL-SDR community. The ESP32 is a popular low-cost microcontroller due to the fact that it has WiFi and Bluetooth capabilities built in. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in hardware radio components to achieve various interesting feats. Geo writes:

This firmware turns an inexpensive ESP32-S3 board into a multi-protocol debugging and hacking tool, inspired by the original Bus Pirate and the Flipper Zero.

It currently supports a wide range of protocols and devices, including I²C, SPI, UART, 1-Wire, CAN, infrared, smartcards, and more. It also communicates with radio protocols as Subghz, RFID, RF24, WiFi, Bluetooth.

Compared to existing solutions, the focus is on:

Accessibility — runs on cheap ESP32-S3 hardware (around $7–$10).

Versatility — one device can probe, sniff, and interact with multiple buses.

Extensibility — open-source and modular, making it easy to add new protocol support.

I believe this could be useful for hardware hackers, security researchers, and hobbyists looking for a low-cost, flexible alternative to commercial tools.

With the firmware installed on a compatible ESP32 device, it is possible to create WiFi, Bluetooth, and RF24 sniffers, scanners, and spoofers, as well as perform general sub-GHz and RFID sniffing, scanning, and replay attacks. It also has a host of non-RF capabilities useful for hacking devices.

Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

Over on YouTube Talking Sasquach has recently tested custom firmware for the Flipper Zero that can entirely break the rolling code security system used on most modern vehicles. Rolling code security works by using a synchronized algorithm between a transmitter and receiver to generate a new, unique code for each transmission, preventing replay attacks and unauthorized access.

In the past we've discussed an attack against rolling code security systems called RollJam, which works by jamming the original keyfob signal so the vehicle cannot receive it, and at the same time recording it for later use. However, this attack is difficult to perform in reality.

For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to the Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes. However, another article mentions that the firmware is based on the "RollBack" attack, which works by playing back captured rolling codes in a specific order to initiate a 'rollback' of the synchronization system.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

I Copied My Car's Key Fob With a Flipper Zero

TEMPEST-LoRa: Emitting LoRa Packets from VGA or HDMI Cables

University researchers from China have recently shown in a research paper that it is possible to maliciously cause a VGA or HDMI cable to emit LoRa compatible packets by simply displaying a full-screen image or video. This has potential security implications as a malicious program could be used to leak sensitive information over the air, completely bypassing any internet or air-gap security systems.

In the past, we have demonstrated that TEMPEST techniques can be used to spy on monitors and security cameras by analyzing the unintentional signals they emit. This research takes the idea a step further by determining what particular images need to be displayed to create a LoRa packet with data. 

In the paper, the researchers mention using either off-the-shelf LoRa devices or low-cost SDRs such as the HackRF to receive the packets. The advantage of the SDR method is that it allows for customization of the frequency and the use of LoRa-like packets, which can achieve even longer ranges and higher data rates. The team show that they were able to achieve a receive range of up to 132 meters and up to 180 kbps of data rate.

TEMPEST-LoRa Test Setup
TEMPEST-LoRa Test Setup
Geek Trick! This picture is transmitting LoRa wireless signals!

Saveitforparts: Tracking US Government Spy Planes over your Neighbourhood

In his latest YouTube video, Gabe from the saveitforparts channel has uploaded an interesting video detailing how he's tracking government spy planes over his neighbourhood using SDRs to monitor ADS-B data, and Orbic hotspots to detect Stingray activity (fake cell tower basestations).

In the video, Gabe highlights how he detects and follows a suspicious aircraft, concluding that it is most likely a DEA surveillance plane. This conclusion is supported by the fact that the ADS-B data is censored on FlightRadar24, something which normally only happens with law enforcement aircraft, as well as private jets. Upon zooming in on the aircraft with a camera, various antennas and cameras are also visible on the belly. Finally, Gabe found that the plane's registration number is linked to a Texas-based shell company with connections to the DEA.

In the video Gabe also tests out the RayHunter custom firmware for Orbic mobile internet to WiFi hotspot devices. This custom firmware turns these devices into Stingray detectors. A Stingray is a fake cellular base station that is often used by law enforcement to spy on cell phone activity.

Is That Really A Government Spy Plane Over My Neighborhood?