Category: Security

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Using a HackRF to Spoof GPS Navigation in Cars and Divert Drivers

Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.

The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that it's current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.

The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.

In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.

Other researchers are working on making GPS more robust. Aerospace Corp. are using a HackRF to try and fuse GPS together with other localization methods, such as by using localizing signals from radio towers and other satellites.

[Also seen on Arstechnica]

Hardware and Method used to Spoof Car GPS Navigation.
Hardware and Method used to Spoof Car GPS Navigation.

Exposing Hospital Pager Privacy Breaches

It has been a known open secret that for years many hospitals have been transmitting sensitive patient data over the air completely unencrypted via their pager network. With a simple ultra cheap radio such as an RTL-SDR, or any other cheap radio scanner such as a Baofeng, it is possible to eavesdrop on this sensitive data with very little technical knowledge required. Hospitals appear to be reluctant to upgrade their systems despite clearly being in violation of HIPAA privacy regulations in the USA.

Recently, @WatcherData has been trying to bring attention to this ongoing security breach in his home state of Kansas, and last month was able to get a news article about the problem published in the Kansas City Star newspaper. Over on Twitter he's also been actively documenting breaches that he's found by using an RTL-SDR to receive the pager messages.

Interestingly, publicity generated by @WatcherData's newspaper article has brought forward a hostile response from the hospital in question. Over on Reddit /r/legaladvice, a forum where anyone can ask legal advice questions, @watcherdata posted the following:

I discovered some time ago that hospitals throughout my region of the US are sending messages to physician pagers that include the name, age, sex, diagnosis, room number, and attending physician. These can be seen by anyone with a simple RTL SDR device, and a couple of free programs.

This seems like a massive HIPAA violation. So I contacted the main hospital sending out most of the information, and they were extremely grateful. I got a call within a day from a high level chairman, he explained their steps to remediate, that their auditors and penetration testers missed it, and that they would have it fixed within a week. Sure enough, they started using a patient number and no identifiable information in the pages. A couple of other hospitals have fixed their systems too, after I started contacting them via Twitter.

Early on in this process, I contacted my local newspaper. They reached out to the hospital in question, and were met with a "very hostile" response. They immediately deflected from any HIPAA violations and explained that I (the source) am in violation of the Electronic Communications Privacy Act of 1986.

This was enough to scare me off completely. I've nuked all log files from my systems and stopped collecting data. The reporters want to know how I would like to proceed. Originally, I was going to get full credit for the find in their article. But now, I at least need to be anonymous, and am thinking about asking them not to run the story at all.

Among the replies there doesn't seem to be consensus on whether simply receiving pager messages in the USA is legal or not.

In the past we've seen similar attempts to bring attention to these privacy breaches, such as an art installation in New York called Holypager, which simply continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. Printing pager messages continuously.

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Micheal Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, now Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also also released slides from a recent talk that he did that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerd to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad
An RTL-SDR and SimpliSafe KeyPad

YouTube Talk: Investigating RF Controls with RTL-SDR

During the SANS Pen Test HackFest which was held back in 2017, speaker Katie Knowles who is a security consultant at MWR Infosecurity did a very informative talk on how an RTL-SDR can be used to investigate RF signals. The video has recently been uploaded to YouTube and is shown below. In the talk she goes over how to reverse engineer and understand simple RF protocols, like those used by common RF remote controls found in the home. She then goes on to talk about the basics of software like GNU Radio and rtl_433. The talk blurb reads:

Cranes, trains, theme park rides, sirens, and …ceiling fans? Modern RF protocols have made secure wireless communications easier to implement, but there’s still a horde of simpler RF control systems in the wireless world around us.

Lucky for us, the onset of affordable Software Defined Radios (SDRs) means that exploring these devices is easier than ever! In this talk, Katie examines capturing and understanding basic RF control signals from a common household controller with the affordable RTL-SDR so you can start your own investigations.

With a little knowledge of these protocols we can better explain what makes them risky to the environments we assess, practice thinking in the offensive mindset, and have some fun examining the signals around us.

Slides available here.

Signal Safari: Investigating RF Controls with RTL-SDR – SANS Pen Test HackFest 2017

Hacker Warehouse Demonstrates Pager Decoding with an RTL-SDR

Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.

Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.

In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.

Decoding Pager Data with RTLSDR - Tradecraft

SirenJack: Rebuttal by ATI Systems

Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens' were the first to be found as vulnerable.

Today Dr. Ray Bassiounim, President & CEO of ATI Systems wrote to us (and presumably other news agencies that ran the SirenJack story) a rebuttal which we paste below.

ATI Siren Vulnerability Misrepresented by Bastille Networks

Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through.  However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:

  • Bastille’s SirenJack white paper states in part “...nor was there access to equipment...”  However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.
  • Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.
  • In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?
  • In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren.  Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.
  • None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

“For the past 30 years ATI has had thousands of clients, both nationally and internationally.  Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities, however we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.

The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.

SirenJack: Could sirens be taken over with a $30 radio?
SirenJack: Could sirens be taken over with a $30 radio?

SirenJack: Security Vulnerability Found in Wirelessly Controlled Emergency Sirens

Balint Seeber from security research firm Bastille has recently disclosed a major security vulnerability found in wirelessly controlled emergency sirens called "SirenJack". These sirens are used in many states and cities within the USA to warn large populations of disasters or other dangers, although at the moment only sirens by ATI System in San Francisco have been identified as vulnerable. The vulnerability stems from the fact that the wireless protocol used to activate the sirens is not encrypted, so a bad actor could record the monthly test activation transmissions, analyze them and forge control signals of his own. This would allow a hacker to take control the sirens at will using a simple $30 handheld radio and a laptop, or a transmit capable software defined radio.

This security research release comes after the Dallas tornado siren hack, which occurred in early 2017. During that hack a hacker activated 156 tornado sirens placed around the city of Dallas, Texas. In contrast to SirenJack, the Dallas siren hack was most likely caused by a more standard replay or brute force attack, since simple DTMF tones are used to activate Dallas' siren system.

ATI Systems have indicated that they have already patched the vulnerability as Bastille responsibly disclosed the vulnerability to them 3 months prior. However, it is likely that sirens created by other contractors in other states may have the same or similar vulnerabilities.

In the video below Balint shows the SirenJack vulnerability in action on a test siren setup. During the test he is able to take control of the siren and transmit any arbitrary audio to it using a software defined radio. Several other SirenJack video are available on Bastille's YouTube channel

SirenJack Proof of Concept