Category: Security

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Ars Technica ran an in-depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio-based system that has been in use since 1938 or earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system helps the pilot to center the aircraft on the runway and to descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument that helps pilots land, especially when optical visibility is poor, such as at night or in bad weather or fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that, due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past, ILS failures involving distorted signals have already caused near-catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and a directional antenna lined up with the runway. Also, as most airports monitor for interference, the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but a strong signal, and thus a large power amplifier and directional antenna, would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

SignalsEverywhere Podcast: Is Software Defined Radio Illegal?

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast, this time discussing the topic "Is Software Defined Radio Illegal?". Recently we posted about the unfortunate arrest of a UN investigator in Tunisia. Reports from news agencies seem to indicate that a major factor in his arrest was his use of an RTL-SDR dongle for monitoring air traffic as part of his investigation into Libya arms embargo violations, although it is suspected that other political motivations are also at play.

In his podcast Corrosive tries to open a discussion on whether software defined radio (SDR) is illegal, since SDR receivers have the ability to receive, demodulate and decode almost any signal. He focuses mostly on American FCC laws regarding scanners, but similar laws are likely to be in place throughout most of the western world. Later in the podcast he discusses transmit capable SDRs and how these are more likely to come to the attention of politicians.

Software Defined Radio Illegal?

Tracking Dictators Around the World with ADS-B Data

Over on Reddit, freelance investigative journalist Emmanuel Freudenthal has put up a very interesting post about how he is using ADS-B tracking to keep an eye on the travel habits of dictators around the world. If you were unaware, ADS-B is a signal transmitted by aircraft which contains aircraft ID info, and data such as speed, altitude and GPS location. Websites like ADS-B Exchange aggregate ADS-B data from volunteer ground stations that are running (mostly) RTL-SDR dongles. Emmanuel notes that by watching the movements of aircraft registered to dictators, it is possible to keep an eye on their travel habits.

One story that Emmanuel has written using this data is a piece on Paul Biya, Cameroon's president. His article discusses how Paul Biya is often seen in Geneva, Switzerland, away on private visits. In a comment, Emmanuel notes that since his story ran, Paul Biya has almost stopped travelling to Switzerland.

Emmanuel has also been running a Twitter bot that uses ADS-B data to automatically tweet when an aircraft linked to a dictator is detected at Geneva airport. A list of known dictator aircraft is kept in a publicly accessible Excel file.

Now he is hoping to expand his tracking operation, and is asking for more people to feed the ADS-B Exchange aggregation website. ADS-B Exchange is the site recommended for feeding because it is the only ADS-B aggregation website that does not censor any aircraft. Other aggregation sites such as Flightradar24 and FlightAware have come under scrutiny in the past for their willingness, upon request, to censor and block the tracking of military/political aircraft and private jets owned by several companies. In particular, several aircraft owned by dictators are reportedly censored. However, the counter argument is that not censoring aircraft may result in ADS-B tracking eventually being made illegal, or that costly lawsuits may be brought against ADS-B aggregation companies.

On the Reddit post Emmanuel writes:

I'm a freelance investigative journalist (www.emmanuel-freudenthal.com / @emmanuelfreuden). I'm getting into SDR/ADSB and very glad I found this group because I need your help to track aircraft!

With a colleague, we started a project to look into the travels of dictators around the world. It's an evolution of a Twitter bot (https://twitter.com/GVA_Watcher) started a few years ago. This bot tweets every time an aircraft owned by a dictatorship lands or takes off at the Geneva airport, Switzerland. And dictators visit Geneva, a lot. There are secretive banks and good healthcare, enjoyed by Algeria's departing president or Cameroon's president Paul Biya.

We want to expand this project to all of the world's airports. See our place-holding website: https://dictatoralert.org (which will get expanded soonish). To do so, we've partnered with ADSB-Exchange, which as you probably know, is the only website that doesn't censor flights. Usually the planes owned/chartered by dictatorships don't show up on flightaware or flightradar24 (anyone can ask to be removed). Some planes also don't share their GPS coordinates (e.g. Mode S) and so they don't show up.

In addition to the Dictator Alerts, we'll also use the data to do investigations into dictatorships, human rights violations and corruption.

The idea is to allow everyone to keep tabs, so the data will be available publicly, via Twitter bots and on a dedicated website (with e.g. a page per dictatorship and per airport).

To succeed, we need a lot more antennas! So, it'd be great if you could feed ADSB-Exchange. You can do that in addition to feeding other services. See how to do it here: https://www.adsbexchange.com/how-to-feed/ If you want to feed, please contact me on [email protected], my Twitter DMs are open. It's quite important that you contact me before feeding, so that we also capture aircraft that don't share their GPS coordinates.

That also means you'll be able to see ALL of the data that you're collecting online.

What do you think? Would you be keen to participate? Any questions?

Your feedback is very welcome, I'm still learning!

Best,

Emmanuel

Dictator Alert. A Twitter bot reporting on dictator movements via ADS-B data. dictatoralert.org

Other stories of interest: A similar story we ran last year was about tracking police and military aircraft at the G7 summit with an RTL-SDR, and three years ago we ran a story about tracking World Economic Forum Attendees with an RTL-SDR.

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center for Advanced Defense Studies (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite System (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events.

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to instead of the actual positioning satellites. The fake signal is used either to jam GNSS signals or to report an incorrect location of the spoofer's choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on-board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they were able to determine when GNSS spoofing events occurred.

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to find GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance run, speed, etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports.
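The anomaly check behind both the AIS analysis and the fitness-tracker heatmaps is the same: a position stream that suddenly lands inside an airport, or implies an impossible speed between two consecutive reports, is a spoofing candidate. The following is an added illustration, not code from the C4ADS report or from any AIS site; the airport coordinates, MMSIs and position reports are constructed placeholders, and the 3 km airport radius and 100 km/h plausibility limit are assumed thresholds.

```python
import math
from collections import defaultdict

# Constructed data: hypothetical airport coordinates and MMSIs, not from the C4ADS report.
AIRPORTS = {"airport_A": (44.500, 38.000)}
AIRPORT_RADIUS_KM = 3.0      # reports within this distance count as "at the airport"
MAX_PLAUSIBLE_KMH = 100.0    # no commercial vessel moves faster than this
SAMPLE_REPORTS = [           # AIS position reports: (mmsi, unix_time, lat, lon)
    (111, 0, 44.000, 37.500), (111, 600, 44.010, 37.520),  # normal coastal track
    (222, 0, 44.700, 37.700), (222, 600, 44.502, 38.001),  # jumps 30+ km onto the airport
    (333, 0, 44.501, 37.999), (333, 600, 44.501, 37.999),  # sits on the airport
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def airport_hit(lat, lon):
    """Name of the airport whose radius contains the point, or None."""
    for name, (alat, alon) in AIRPORTS.items():
        if haversine_km(lat, lon, alat, alon) <= AIRPORT_RADIUS_KM:
            return name
    return None

def detect_spoofing(reports):
    """Return one anomaly record per suspicious report, with the reasons it was flagged."""
    tracks = defaultdict(list)
    for rep in sorted(reports, key=lambda r: r[1]):   # group by vessel, time-ordered
        tracks[rep[0]].append(rep)
    anomalies = []
    for mmsi, track in tracks.items():
        prev = None
        for _, t, lat, lon in track:
            reasons = []
            hit = airport_hit(lat, lon)
            if hit:
                reasons.append(f"position inside {hit}")
            if prev is not None and t > prev[0]:       # speed implied by the previous report
                kmh = haversine_km(prev[1], prev[2], lat, lon) / ((t - prev[0]) / 3600.0)
                if kmh > MAX_PLAUSIBLE_KMH:
                    reasons.append(f"implied speed {kmh:.0f} km/h")
            if reasons:
                anomalies.append({"mmsi": mmsi, "time": t, "reasons": reasons})
            prev = (t, lat, lon)
    return anomalies

def summarize(reports):
    """(number of spoofing instances, number of distinct vessels affected), as the report counts them."""
    anomalies = detect_spoofing(reports)
    return len(anomalies), len({a["mmsi"] for a in anomalies})
```

On the constructed sample, vessel 222 is flagged once for both reasons, vessel 333 twice for sitting on the airport, and vessel 111 not at all, so summarize() returns 3 instances across 2 vessels.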

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkar's now-famous low cost rolljam attack. A rolljam attack allows an attacker to break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.

In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.

Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.

The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key, and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. It is still plausible, however, that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.

[First seen on Hackaday]

How RollJam Works

RSA Conference Talks: IOT Hacking with SDR, Tracking Rogue RF Devices & Wireless Offense and Defense

RSA Conference is an information security event that was recently held on March 4 - 8 in San Francisco. The talks have been uploaded to YouTube, and from what we see there are three interesting SDR/RF related talks that may be worth looking at, which we show below. The full list of videos can be found on their YouTube channel.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Harshit Agrawal, Security Researcher, MIT Academy of Engineering, SPPU

Himanshu Mehta, Team Lead (Senior Threat Analysis Engineer), Symantec

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. SDR is changing the game for both offense and defense.

Learning Objectives:
1: Become familiar with common security concerns and attack surfaces in a wireless communication system.
2: Understand the ease and prevalence of wireless exploitation, with sophisticated examples.
3: Learn to view IoT devices, security and privacy collectively.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Hunting and Tracking Rogue Radio Frequency Devices

Eric Escobar, Principal Security Consultant, SecureWorks

Rogue radio frequencies pose a substantial and often overlooked threat to both organizations and targeted individuals. This talk will explore the dangers of rogue radio frequencies and highlight tactics, techniques and tools which can be used to identify and locate potential threats.

Learning Objectives:
1: Understand the major ways rogue wireless frequencies can impact an organization.
2: Develop a basic understanding of how to locate a rogue wireless signal.
3: Gain a conversational knowledge of ways to identify and track a wireless signal.

Pre-Requisites: Basic understanding of security principles. Basic understanding of wireless communication. Basic understanding of computer networks.

Hunting and Tracking Rogue Radio Frequency Devices

Wireless Offense and Defense, Explained and Demonstrated!

Rick Farina, Senior Product Manager, WLAN Software Security, Aruba
Rick Mellendick, Chief Security Officer, Process Improvement Achievers LLC

This session will discuss the use of radio frequency, often overlooked for network enumeration and attack. The techniques to be discussed are used to identify authorized and unauthorized signals in an organization. Without understanding the offensive attacks an organization can’t perform effective defense. The talk will explain and demonstrate how to enumerate and gain access to resources through RF signals.

Learning Objectives:
1: Understand that wireless doesn’t just mean WiFi.
2: Understand that the Bluetooth protocol can allow for direct attacks against phones, PCs and other devices.
3: Learn that other RF attacks are very difficult to detect, and gain an understanding of what they look like.

Pre-Requisites: The biggest prerequisite for our talk is an open mind and the ability to understand risk, and after the talk to better assess risk in your environment.

Wireless Offense and Defense, Explained and Demonstrated!

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built-in signal intelligence applications for software defined radios such as RTL-SDRs and TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built-in GUI that grants easy access to some common SIGINT tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YateBTS, Wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which can only be accessed by getting in contact with the creators, presumably for a licensing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not a myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer: Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in VMware or VirtualBox.

SIGINTOS IMSI Catcher

YouTube Tutorial: Decoding POCSAG and FLEX Pager Messages on Windows with PDW

Pager systems are famously known to be insecure, and due to the lack of encryption and high transmit power, anyone with an RTL-SDR or other SDR can receive and decode pager messages. The users of pagers are mostly hospitals and doctors, and IT infrastructure professionals who need to be notified of server warnings and errors quickly. We have a text tutorial on decoding these messages with an RTL-SDR available here, and there are several previous posts discussing how insecure they are.

If you prefer a video tutorial, M6LME on YouTube has recently uploaded one where he explains the PDW pager decoding software, the VB-Audio 'banana' audio mixing software, and how to use SDR-Console with an RTL-SDR and the aforementioned software to receive and decode the signal.

How to Decode POCSAG & FLEX using an RTL-SDR Dongle