Category: Security

Scott Manley Explains GPS Jamming & Spoofing and Why & Who is Causing It

In recent years GPS spoofing and jamming have become quite commonplace. Recently popular YouTuber Scott Manley uploaded a video explaining exactly what GPS spoofing and jamming is and explains a bit about who is doing it and why.

In the video Scott explains how aircraft now routinely use GPS as a dominant navigational sensor and how some commercial flights have been suspended due to GPS jamming. Scott explains how ADS-B data can be used to determine the source of GPS jamming (via gpsjam.org) and shows hotspots stemming from Russia. He goes on to show how drone shows have also failed in China either due to GPS jamming by rival companies or due to Chinese military warship jamming. Scott then explains a bit about GPS and how jamming and spoofing work.

GPS Jamming & Spoofing - How Does It Work, And Who's Doing It?

YouTube Video Series on Iridium Satellite Decoding with an Airspy, RTL-SDR Blog Patch Antenna and DragonOS

Over on his YouTube channel, Rob VK8FOES has started a new video series about Iridium Satellite Decoding. Iridium is a constellation of low-earth orbiting satellites that provide voice and data services. Iridium was first decoded with low cost hardware by security researchers back in 2016 as mentioned in this previous post. Being unencrypted it is possible to intercept private text and voice communications.

Rob's video is part of a series, and so far only part one has been uploaded. The first video outlines the hardware and software requirements for Iridium decoding and demonstrates the gr-iridium software. An Airspy and RTL-SDR Blog Patch Antenna are used for the hardware, and the software runs on DragonOS.

Rob writes that in part two he will demonstrate the use of iridium-toolkit, which can be used to extract data and recordings from the Iridium data provided from gr-iridium.

Be sure to subscribe to his YouTube channel so that you are notified when part two is released.

Iridium Satellite Decoding Part 1: The Tutorial That Goes Over Your Head, Literally!

WarDragon: Testing EMEye/TempestSDR with Wyze Cam Pan V2 Cameras and a USRP B210

Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.

Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.

In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.

I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.

Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.

If you're interested we reviewed WarDragon in a recent post as well.

WarDragon EMEye/TempestSDR Camera Eavesdropping Attack Research (B210, Airspy R2, Wzye Cam Pan v2)

EM Eye: Eavesdropping on Security Camera via Unintentional RF Emissions

Researchers from the University of Michigan and Zhejiang University have recently published their findings on how it's possible to eavesdrop and wirelessly recover images from security cameras via RF unintentionally leaking from the camera electronics.

EM side-channel attacks aka receiving and decoding data from the unintentional RF transmissions from electronics are nothing new.  In the past, we've posted how some laptops unintentionally broadcast audio from the microphone via RF, how a tool called TempestSDR can be used to spy on monitors/TV's via RF leakage, how encryption keys can be stolen from PCs via unintentional RF, and even how Disney is looking to use RF leakage for RF fingerprinting.

In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.

The team has not only released a paper on the topic but has also released the full code as open-source software on GitHub. The software is based on a modified version of TempestSDR, so it may also work for other supported SDRs, like the HackRF and RTL-SDR.

EM Eye: How Attackers Can Eavesdrop on Camera Videos

A Review of WarDragon: A Portable SDR Kit

Over several years Aaron (@cemaxecuter) has been working on DragonOS, a popular Linux distribution that comes preinstalled with many different programs for software defined radios. A Linux distribution like this takes the hassle out of having to figure out how to compile and install various SDR programs, some of which can be quite tricky to get running. 

Recently Aaron has also been working on WarDragon, which is a set of components that he's carefully tested and put together as a ready-to-use portable SDR kit. At its core is an Airspy R2 software defined radio and x86 Mini PC that comes with DragonOS pre-installed. It also includes a USB hub and GPS dongle, as well as an HDMI dummy plug for enabling remote desktop. Everything is held together by a 3D printed frame, and enclosed in a plastic carry hard case, with the external Ethernet, USB-C, and power ports routed to the outside of the enclosure.

Aaron kindly sent us a WarDragon for an honest review. We note that we do not get to keep the WarDragon, and it will be forwarded to someone else after this review.

WarDragon Outer Enclosure
Inside WarDragon (Intel PC hidden underneath)
WarDragon with an LCD screen connected

Getting started with WarDragon is simple. Open the hard-shell case, connect an antenna to the Airspy, remove the dummy HDMI plug, connect a monitor to the HDMI port and a keyboard/mouse to a USB port, connect 12V power, and start the mini PC. A few seconds later DragonOS has booted, and you can run any of the programs pre-installed. And there are certainly a lot of programs available to play with as shown below.

List of software pre-installed in DragonOS

To get started with running it remotely we followed the instructions on the desktop to install OpenSSH, and ran the Rustdesk appimage stored in the 'post install' folder on the desktop. This allowed us to connect remotely to the unit via Rustdesk, a remote desktop interface. From there we were able to run software like SDR++, GQRX, and anything else that was preinstalled.

Aaron notes that every WarDragon will come with a free license for SDR4Space which is a command-line SDR tool for satellites. It can be used for scripting various operations, such as "recording IQ samples, predicting satellite passes and to start a record for a specific satellite and correct doppler at the same time".

The KrakenSDR software is also pre-installed on WarDragon, so the Airspy can easily be swapped out for a KrakenSDR too (or almost any other SDR as well). You can also add extra RTL-SDR units on the USB hub if desired.

Once you're done simply unplug everything and put the HDMI dummy plug back in. Close the enclosure up and you're ready to get on the move again.

One minor concern we have is that while the components are contained with the 3D printed frame, the frame itself is not held down inside the enclosure, so it can move a little during transport. Not a big deal if you are sensible about carrying it, but if you are expecting to throw the box around, something could eventually go wrong. Aaron also notes in the instructions that care should be taken to not leave WarDragon exposed to direct sunlight or in a parked car to avoid the 3D printed insert from warping. This could probably be solved by printing in a material like ABS.

Performance

The mini-PC included with WarDragon runs a 12th Generation Intel Alder Lake - N95 that can turbo up to 3.4 GHz, has 8GB of RAM, and a 256GB SSD built-in. These specs are powerful enough that the system is very snappy, software opens quickly, and software runs smoothly, even at the max 10 MHz bandwidth the Airspy supports.

These x86 mini-PCs appear to be quite a bit more powerful than their similarly priced ARM counterparts, but they do draw more power. The mini-PC running SDR++ and Airspy at 10 MHz oscillates around 20-30W of power draw, whereas a Raspberry Pi 5 running SDR++ only draws 5W.

What We'd Like to See Improved

Because the carry case is fully sealed when closed, the mini PC inside cannot be run when the case is closed, as there would be no airflow for cooling. We'd like to see some thought put into adding an external fan, and indeed Aaron has noted that in future versions he will be adding this. However, adding a fan does come at the expense of water tightness but we don't imagine many people would be throwing this in a body of water. As long as rain resistance is kept it should be alright.

We'd also like to see the SMA port brought out to the side, so an external antenna can be connected with the enclosure closed.

We can also imagine that some users might like to see a more expensive version that comes with a small screen and keyboard/mouse as part of the combo too. Aaron does note that the most common use case for operating via SSH or remote desktop via a field laptop though.

Price Review / Value

The Wardragon consists of the following components:

  • Beelink Mini PC (N95 8G+256G) - US$159 on Amazon.
  • Airspy R2 - US$169 on iTead.
  • Condition 1 11" Carry Case - US$36.99 on condition1.com
  • Other parts (cables, USB hub, USB GPS, HDMI dummy plug, outside connectors, 3D printed frame) - $US35 (estimated)
  • SDR4Space License - $US???

So that's a total of US$400 in parts (not including shipping costs) plus a bit of value from the SDR4Space license which is usually obtained on an inquiry-only basis. WarDragon currently sells for US$580. So for the extra $180, you are paying for the time to preinstall of DragonOS, drill the external mounting holes, 3D print the mount, the build time, testing time, and the ability to get support directly from Aaron himself. And we can't forget to mention the time Aaron puts into creating YouTube videos for WarDragon.

Obviously, if you are on a tight budget it would make sense to try and build your own system. But overall we think WarDragon is not a bad deal if your time is worth more and you just want a portable system to get up and running with DragonOS ASAP.

Flipper Zero Starts a Petition To Fight Canada Ban

Back in early February we reported about how the Canadian government is making plans to completely ban the Flipper Zero, and popular pentesting tool. The wording from Dominic LeBlanc, Canada's Minister of Public Safety, also implies that software defined radio devices could also be banned.

The reason for the ban is because the Canadian government claims that Flipper Zero and 'consumer hacking devices' are commonly being used as tools for high tech vehicle theft. However, as mentioned in the previous post, this has been debunked.

The team behind Flipper Zero have recently started a petition on change.org to stop the ban. At the time of this post the petition has already reached over 8,000 signature. The team have also penned a comprehensive "Response to the Canadian government" blog post, explaining why the ban makes no sense. In the post they debunk the myth of Flipper Zero being used for car theft, and show the real way high tech car theft is being done.

SigintOS Version 2.0 Community Edition Released

SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as the RTL-SDR and TX capable SDRs like the HackRF, bladeRF and USRP radios.

The OS has a built in launcher UI that helps to automatically launch and set up parameters for various programs and GNU Radio scripts that are commonly used. Examples include an FM transmitter, GPS transmitter, GSM base station searcher, IMSI catcher, LTE base station searcher, LTE decoder and a jammer.

Recently the team behind SigintOS have released version 2.0 Community Edition. The team write on their release page:

About Community Edition

SigintOS 2.0 Community Edition; It was developed to provide a much better experience to its users. With a new interface, more stable and powerful infrastructure and development environment, it allows users to develop new tools in addition to existing tools.

Developing Signal Intelligence tools is now much easier with SigintOS™

It is now much easier to develop your own tools with SigintOS™, which contains the world’s most famous and free signal processing and communication software. You can develop them effortlessly with tools such as QT and KDevelop.

Say hello to the 5G World!

SigintOS™ offers you all the possibilities of the 5G world, free of charge and effortlessly!

Whats News?

  • A completely new look.
  • A more stable and robust infrastructure.
  • Latest drivers and software.
  • User-friendly interface that prioritizes habits.

SOFTWARE LIST

Most used software and features

  • Open5GS
  • srsRAN 4G
  • YateBTS
  • Gqrx
  • GnuRadio 3.8
  • SigDigger
  • SDRAngel
  • ADSB Viewer
  • Dump1090
  • OpenCPN
  • GPredict
  • BladeRF
  • HackRF
  • Rtl-SDR
  • USRP – UHD Drivers
  • Kalibrate RTL & HackRF
  • All Gr Modules
  • SigintOS SDR Hardware Monitor Widget
  • QTCreator
  • KDevelop
  • Mysql
  • MongoDB
  • Apache Web Server
  • Php
  • And more …

Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios

Dominic LeBlanc, Canada's Minister of Public safety has recently declared that they plan to ban devices "used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero". The text specifically calls out the Flipper Zero, however the wording appears to imply that any device that can copy a signal will be banned. This means the ban could extend to RX/TX SDRs like the HackRF and possibly even RX only SDRs like RTL-SDRs.

The Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. There are many CC1101 devices on the market, but the Flipper Zero has gained huge popularity on social media because of it's excellent software support, as well as its cute marketing tactic. In the past it was even featured on the popular Linus Tech Tips YouTube channel.

Flipper Zero has had a long line of setbacks including PayPal freezing 1.3M of its cash, and US customs temporarily seizing its shipments, then passing a $70,000 bill on to them for storage fees and Amazon banning the product on their marketplace.

In our opinion, we believe that the ban appears to be misguided. The Flipper Zero is a basic device that can only perform a simple replay attack, which is to record a signal, and replay it at a later time. These sorts of attacks do not work on vehicles built after the 90's which now use rolling codes or more sophisticated security measures. To defeat rolling code security, a more sophisticated attack called Rolljam can be used. A Rolljam device can be built for $30 out of an Arduino and two cheap transceiver modules.

However, according to arstechnica the biggest cause for concern in terms of car theft is a different sort of attack called "signal amplification relay".

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

This sort of attack is a lot less sophisticated in many ways as all you are doing is amplifying a signal, and no clever hardware like the Flipper Zero or a software defined radio is even required. The X video below demonstrates such a hack where a criminal holds up a loop antenna to a house. The loop antenna is connected to a signal amplifier which amplifies the keyfob signal, tricking the car into thinking the keyfob is nearby, and allowing the door to be unlocked by touching the handle, and then turned on with the push to start button.

Flipper zero note that they have not been consulted about the ban, and replied on X stating that they are not aware of the Flipper Zero being used for car theft.