In the 70's and 80's the US government launched a fleet of satellites called "FLTSATCOM", which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other all over the world. However, the technology of the time could not implement encryption. So security relied entirely on only the US militaries technological advantage at being the only ones to have radio equipment that could reach these satellites.
Of course as time progressed equipment which could reach the 243 - 270 MHz range of the satellites became common place, and the satellites began picking and repeating terrestrial broadcasts of things like cordless phones. These days the satellites are often hijacked by Brazilian radio pirates, who use the satellites for long range communications.
A common hobby of RTL-SDR users is to listen to these pirates. All you need is a simple antenna and to be based in a region where the satellites cover both your ground station and the pirates.
Over on YouTube the "saveitforparts" channel has uploaded an entertaining video overviewing the pirate phenomenon, and showing how it's possible to listen in using a cheap Baogeng scanner and RTL-SDR. He uses a homemade Yagi and cleverly makes use of an old security camera motorized PTZ mount to accurately aim the antenna. Once the Yagi antenna is aimed at the satellite, pirates can be heard on the radio.
Searching For Space Pirates On Old Military Satellites
On a previous post, we showed an interview by SignalsEverywhere and an anonymous Brazilian radio pirate who explains how and why they do what they do. If you search our blog for 'satcom' you'll also find several previous posts including examples of receiving SSTV from pirates.
Since the Russian invasion of Ukraine, the EU has banned the broadcast of Russian TV channels. This is caused Russia to move their satellite broadcasts from internationally owned satellites, to their own "Express AM8" geostationary satellite.
The Russian satellite can be received from Europe and parts of South America. What's interesting in particular is the hacking and jamming attempts going on on this particular satellite. These breaches are likely to be from individual people or by the Ukrainian Ministry of Strategic Communication. An example of a hack by Ukrainian Ministry of Strategic Communication on 5 January 2023.
Express AM8 transponder 11647V was hacked today at 6:30 PM by Ukrainian Ministry of Strategic Communication. A New Year's address by Ukrainian President V. Selensky was shortly broadcast in Ukrainian on all program positions of the T2-MI transponder.
Express AM8 hacked by Ukraine to broadcast the New Years address by Ukrainian President V. Selensky
Alex 'Happysat' has written to us with the following information. The full guide to receiving TV from the satellite, and information about the satellite and signals and modulations used on the satellite is on GitHub at https://github.com/happysat/Express-AM8.
You may know that here in Europe a number of controversial Russian, Syrian and Iranian (news) channels are not allowed to be broadcast due to sanctions against Russia (everything) and Iran (Press TV).
The Russians moved most of the channels (Rossiya 24, RTR Planeta, NTV Mir, Perivy Kanal, Press-TV) to their own satellite Express AM8 some time ago.
Since it is not a normal DTH satellite such as Astra or Hotbird, everything happens there (jamming / hacks) which is interesting for many (dx) viewers.
Because it is relatively easy to receive in Europe and parts of South America, I have created a GitHub website with some useful tips and tricks.
Not only in terms of content, but also the technical side of it, the different modulations broadcast techniques T2-MI (unfortunately gone for a while after the hacks…) but also just old-fashioned DVB-S signals, Telemetry and some transponders (only symbol rate lower than >2000ks) are even without the need for a satellite receiver.
For example with an SDR radio and the AM-SAT program what the radio amateurs use on Eshail2.
And that a '14 west setup' can easily be made, which does not have to be expensive at all.
Since the famous takedown of a suspected Chinese spy balloon, US jets have shot down a total of three more unidentified balloon objects, now suspected by officials to be 'commercial or benign'. There is speculation that at least one these three objects may have been an amateur radio 'pico' balloon.
One part of the amateur radio hobby is launching high altitude balloons with various radio and other payloads. Larger amateur radio balloons launched in the USA require FAA clearance, need a radar reflector attached, and usually continually transmit APRS telemetry before naturally popping and falling back to earth after a few hours, just like a weather balloon.
However there is also the simpler 'pico' ballooning hobby, which involves the use of mylar helium party balloons to launch small solar powered payloads that are only a few grams in weight. They typically transmit low power WSPR at HF frequencies and can only transmit whenever there is sufficient solar power available. Amateur radio or SDR hobbyist stations around the world can pick up these transmissions, and report them on amateur.sondehub.org and/or wsprnet.org. Well built balloons can totally circumnavigate the globe several times over several months before degrading.
While termed 'pico', the party balloons used can still be roughly a meter in diameter on the ground, with some latex balloons potentially expanding further at high altitudes due to the low atmospheric pressure. These balloons can be legally launched from almost anywhere in the world. In particular in the USA there is no FAA clearance required to launch them due to their payload being much less than the limit of 4 lbs (1.8kg).
32" Silver Orb Shaped Mylar Balloon used for Pico Ballooning
There is speculation that at least one of the objects shot down over Canada, Yukon by a US Air Force jet may have been amateur radio pico balloon K9YO-15 which was launched from Illinois on October 10 2022. It was on it's seventh circumnavigation of the globe after being aloft for 123 days.
The launch blog post indicates that the K9YO-15 balloon was flying a silver mylar 32" sphere SAG balloon which appears to be this one from balloons.online. Unlike latex or rubber weather balloons which inflate and stretch as they rise into lower atmospheric pressures, these mylar balloons can't stretch, so their fully inflated ground size will be the same as their size at high altitudes, meaning the pico balloon won't get much bigger than 32". The payload was a GPS module, Arduino, SI5351 used as a WSPR and APRS transmitter and a solar panel, all together weighing 16.4 grams. A pentagon memo notes that the object shot down over Canada was a "small metallic balloon with a tethered payload" which fits the description of the pico balloon exactly.
The K9YO-15 Pico Balloon PayloadAn (unrelated to this story) example Amateur Radio Pico Balloon launched by a Naval Academy (Source: http://www.aprs.org/balloons.html)
The K9YO-15 balloon ceased all WSPR telemetry transmissions while flying just below Alaska since Feb 11 00:18 UTC (just before sunset in Alaska when the solar panels would stop working).
By using NOAA wind models and the last known location by Alaska, K9YO-15 was projected to have been over Yukon when the US Air Force shot down the unknown balloon object at Feb 11 20:41 UTC (3:41 PM EST / 1:41 PM Yukon time according to Canadian Defense Minister Anand). Reports put the altitude of the shot down object at approximately 40,000ft (~12000 meters), which matches the projected ~11500 meters of K9YO-15. Based on the previous days transmission times, it is suspected that if it were operational, the balloon would have begun transmitting again sometime later in the Yukon afternoon when the sun was stronger, but no transmissions have been seen.
K9YO projected location at the time the object was shot down.
The search area for the fallen balloon debris is reported to be in difficult to access terrain between Dawson City and Mayo. If we do a rough overlay of the predicted trajectory over a Google map, we can see that the predicted location of KY9O-15 at the reported time of the missile impact matches this description very well.
Rough trajectory overlay
Over on Twitter @ikluft (KO6YQ) has been reporting on this speculation, and has been keeping an eye on K9YO-15, awaiting telemetry transmission. We recommend following his account for further updates.
NIBBB #HamRadio club of Illinois🇺🇸 declared K9YO #balloon "missing in action" after no telemetry was received for 5 days. It was projected to be over Yukon Saturday when NORAD🇺🇸🇨🇦 shot down an "unknown object", close enough to raise questions. https://t.co/9ZkRqkc6Zr#aviation
Twitter user and ex project Google Loon engineer @BalloonSciDan has also speculated that the objects shot down may have been pico balloons.
These tiny amateur pico balloons are some of what the US shot down, and Romania sent jets up after. The rest of this group will wander in the air for months until they fail or are destroyed.
I see you're all talking about my tweet. Yes, we are still watching to see if K9YO-15 transmits any telemetry today.
So far K9YO-15 has not sent any new telemetry since Friday before sunset over Alaska. Some have misread confusing data presentation on Sondehub which lists last known telemetry as covering a time range from then to now. Currently the last we've heard from K9YO-15 was Friday Feb 10 before sunset over Alaska (00:48 GMT Feb 11). But the map on Sondehub does show the last reported position.
These floater balloons often use only solar panels, no batteries. Batteries were dropped from the projects early on because they have limited charging cycles before they stop accepting a charge, especially in the harsh temps at altitude, -40F/-40C or worse. When the battery stops accepting a charge, it ends telemetry from the mission. So they only report telemetry during daylight, when the sun is at a high enough angle to illuminate the tiny solar panels. In the Arctic winter, the days are short and the sun might not get high enough to wake up the electronics. So it stays dormant for one or more days until it drifts back down to lower latitudes where there's more sunlight. So K9YO-15 was in a period where watchers didn't expect to hear from it for a few days. But we expected it today. So far nothing. As I write this, daylight is almost done way up there for Tuesday, Feb 14.
We (the Amateur Radio balloon community) only expect any telemetry from it today would be via WSPR, none via APRS. WSPR uses HF and can be received at long distances, where it's relayed to Internet map sites. APRS is (usually) on VHF and UHF, only received by line of sight. There are no relay stations in range of today's projected flight course in northern Ontario and James Bay, Canada. So APRS-fed sites wouldn't show updates today anyway.
For an introduction, I'm Ian KO6YQ. I was involved in the first Ham Radio balloons that circumnavigated the globe starting in 2016, launched from San Jose, California. I had roles on them including tracking analyst and social media spokesman. I also organized and led the Ham Radio tracking teams which recovered the Civilian Space eXploration Team (CSXT) first amateur rocket to (suborbital) space in 2004.
Explaining a discrepancy with time reporting on Sondehub, KO6YQ notes:
Time has run out for solar power to provide any telemetry on Wednesday, February 15. So far, no new data. For those who were confused by it, remember that Sondehub has problematic data presentation so don't use it for anything other than mapping the last known position. A reliable place to check for K9YO on WSPR is the WSPR Spots: https://www.wsprnet.org/olddb?mode=html&band=all&limit=200&findcall=k9yo&findreporter=&sort=date
Frequently asked Questions (FAQ):
Since this story has gone viral and now entered the mainstream media, we thought we'd answer a few common questions that we're seeing in the media and comments.
Who is launching pico balloons and why?
Pico balloons are typically launched by ham/amateur radio hobbyists, universities, researchers, schools or kids STEM programs. The idea of launching a low cost balloon that can be tracked while travelling the world is a fun project for hobbyists and a great STEM learning experience for kids.
You might also be interested in tracking regular weather balloons which are launched by meteorological agencies around the world usually twice per day. These are designed to only last a few hours in the air before popping. They can be tracked at https://sondehub.org. A popular hobby of radio enthusiasts is chasing these weather balloons and being the first to recover the fallen sensor package called a radiosonde.
A pico balloon is essentially a kids party balloon. Why aren't there thousands of kids party balloons circumnavigating the globe?
Balloons will inflate more as they rise into the atmosphere, since higher altitudes have lower pressure. A kids party balloon would typically be inflated fully on the ground. If a careless child released a balloon it would rise up, and pop within a few hours, as it reaches an altitude of around 5000ft - 30,000ft (1500m - 9000m) or higher where the internal pressure of the balloon is too great for the balloon's material to hold it.
Pico balloons are weighted by their payloads, and are only partially inflated on the ground. The goal is to inflate with enough Helium or Hydrogen to get the payload to rise at ground level, but allow enough internal space for the balloon to expand without popping as it rises. The weighted balloon will eventually reach an equilibrium point at some altitude where it's fully inflated, but can't rise any higher due to the weighting. This is called being 'neutrally buoyant'. The balloon launcher can use a calculator (such as this one) to determine the right amount of helium to use based on the balloon size and payload weight.
Mylar balloons are used because helium atoms will leak out of the walls of latex/rubber balloons, and they will be flat within a few days. With Mylar balloons the leakage is much slower and they can stay inflated for months.
How can a pico balloon circumnavigate the globe?
As mentioned in the previous question, it's possible to engineer the height that the balloon will fly at by only partially inflating the balloon on the ground. Once at the desired altitude, winds will eventually pull the balloon into global jet streams that take the balloon all around the earth at an average speed of 80 - 140 mph (129 - 225 km/h).
A website like Ventusky can be used to view the current jet streams at 40,000ft (12,000m), the altitude that KY9O-15 was neutrally buoyant at.
In California helium balloons in general have been banned, to stop pollution, damage to wildlife, and to protect power lines.
The transmission of the WSPR and APRS telemetry radio signals would be allowed under amateur radio rules. UK, Yemen and North Korea are countries that prohibit transmissions from balloons, and compliance can be achieved via geofencing the transmissions in the software.
All information suggests that the NIBBB hobby club and KY9O's balloon were operating perfectly legally.
What exactly was the payload on the KY9O-15 pico balloon?
The payload was a GPS receiver, an Arduino microcontroller, a radio transmitter and some solar panels. The solar panels power the electronics when in sun, and the GPS receiver determines the global coordinates of the balloon. The microcontroller is the 'brain' of the payload which reads the GPS coordinates from the GPS receiver, and tells the transmitter to send out a WSPR radio signal advertising the balloons ID and coordinates.
These are all common off the shelf, small components that could all fit in the palm of a hand. They would in total cost under $100. K9YO's payload in total only weighed 16.4g (0.58 oz).
An F22 with all it's radio sensors should have picked up the transmissions from the pico balloon. Why didn't it?
Pico balloons usually don't carry batteries because they are heavy and degrade over time. So instead they carry paper thin solar panels. So the balloon circuits and transmitter are only active when in strong sunlight, any other time it is completely quiet and powered down. It's possible that in the weak Yukon sun at high latitude wouldn't have been strong enough to power the WSPR transmitter until later in the day.
How could a tiny 32" balloon be spotted by radar? How could a sidewinder missile lock onto it?
The pico balloon was made out of metallic mylar material which would easily show up on a modern radar system. It's possible that in the past before the Chinese spy balloon incident, radar operators would ignore or filter out slow moving small objects like insects/birds/balloons that pose no threat.
The sidewinder has a fragmentation warhead, so an explosion near the balloon would easily take it out. The metallic mylar material would easily reflect the sun's infrared, and against the cold background of the sky/space it would be easy for the IR heat seeker sensor on the sidewinder missile to track it.
The K9YO balloon was flying at altitudes used by commercial airliners. Is there any risk to them?
A jet coming across a pico balloon in the first place would be very unlikely, and even more unlikely for it to make it's way in to an engine even if an aircraft flew directly at it. But there is some risk that a balloon ingested by an jet engine could cause issues. However given their lightweight nature it seems unlikely that there would be any massive damage, if any at all.
What is WSPR and APRS?
WSPR (pronounced as 'whisper') stands for Weak Signal Propagation Reporter. It is a type of radio signal protocol used by amateur radio hobbyists. Because of the way it is designed, it is possible for WSPR to be transmitted with very low power (such as the tiny amount of power possible from small solar panels), and still be received by amateur radio ground stations all over the world. The WSPR signal encodes it's callsign ID, and the transmitters GPS location. Amateur ground stations will upload received WSPR data to sites like wsprnet.org.
APRS or "Automatic Packet Reporting System" is another protocol used by amateur radio hobbyists. However, these signals don't travel globally, rather they can only be received locally with line of sight. The advantage is that APRS signal can be transmitted much faster (assuming sufficient power).
Are we 100% certain that the object was the K9YO pico balloon?
No, despite the circumstantial evidence, there is still some doubt. The balloon was already old and probably near the end of it's life. The sun in the high Yukon latitudes is also weaker, meaning that the solar panels might not be getting sufficient sun to power the circuits. The balloon had previously gone missing for 30 days before reappearing. And the transmitter was showing signs of drifting in frequency.
Are there any other globe trotting radio projects?
Yes, there are small autonomous boats or 'drift buoys' travelling the seas through natural currents. These also use WSPR and APRS to report their location. hitchBOT was a hitchhiking robot that relied on travelling strangers to find and carry it around the world. It had a GPS receiver and 3G radio.
Over on Reddit user u/mknlsn has posted an interesting use for his RTL-SDR. He happens to live next door to a Hollywoood reality TV show production and was able to use his RTL-SDR to listen in on the wireless microphones fitted to the cast. The wireless microphones used by the production appear to be simple analogue FM modulated, without any sort of security.
We remind readers to check local laws on this sort of use, especially if recording audio, as some countries and US states may have differing laws on what can be recorded, or even listened to live. This would likely be considered private communications, so recording and sharing would definitely be illegal in most regions.
Recently we also posted about Frugal Radio using an Airspy SDR to listen in on wireless microphones from outside a theatre show.
Back in May we posted about CVE-2022-27254 where university student researchers discovered that the wireless locking system on several Honda vehicles was vulnerable to simple RF replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR. This vulnerability only affected 2016-2020 Honda Civic vehicles which came without rolling code security.
Recently a new vulnerability discovered by @kevin2600 that affects ALL Honda vehicles currently on the market (2012-2022) has been disclosed. The vulnerability is dubbed 'Rolling-PWN' (CVE-2022-27254) and as the name suggests, details a method for defeating the rolling code security that exists on most Honda vehicles. Rolling code security is designed to prevent simple replay attacks, and is implemented on most modern vehicles with wireless keyfobs. However @kevin2600 notes the following vulnerability that has been discovered:
A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design. By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.
The vulnerability has been tested on various Honda vehicles with HackRF SDRs, and this seems to indicate that all Honda vehicles since 2012 are vulnerable.
Although no tools have been released, the vulnerability is simple enough and we've already seen people replicate results.
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
The story of Rolling-Pwn has already been covered by magazines and news organizations such as TheDrive, Vice, NYPost, and FoxLA.
It should be noted that when the previous replay attack vulnerability was highlighted, Honda released a statement noting that it has no plans to update its older vehicles. It is likely that Honda will not issue updates for this vulnerability either. It is possible that this vulnerability extends beyond just Honda vehicles too.
A few months ago University student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how unsecure the remote keyless locking system on various Honda vehicles is, and how it is easily subject to very simple wireless replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR.
Most car manufacturers implement rolling code security on their wireless keyfobs which makes replay attacks significantly more difficult to implement. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from years 2016-2020 come with zero rolling code security:
This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start(if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.
In the videos on the GitHub demonstration page they show a laptop with GNU Radio flowgraph and a HackRF SDR being used to turn the engine of a Honda civic on, and to lock and unlock doors.
Various news agencies reported on the story, with "The Record" and bleepingcomputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting.” further noting that "legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.”. Martin went on to further note that Honda has no plans to update their vehicles to fix this vulnerability at this time.
Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.
In the past we've seen similar car hacks, but they have mostly been more advanced techniques aimed at getting around rolling code security, and have been difficult to actually implement in the field by real criminals. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and HackRF. It's possible that a HackRF and laptop is not even required. A simple RTL-SDR, and Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all On top of being able to start the vehicle's ENGINEWhenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.
The Financial Times has recently run a video story on how hobbyist WebSDR setups are being use to record Russian radio communications during the war on Ukraine.
In these modern times, we would expect the Russian military to be making full use of encrypted radio communications on the battlefield. But early on in the invasion it came to be clear that much of the Russian forces are much less advanced than first thought, and are using cheap civilian unencrypted radios that anyone nearby can listen to with an RTL-SDR or via a web connected SDR.
The FT story focuses on how open source contributors from all over the world are helping to monitor internet connected WebSDRs that are close enough to receive Russian radio communications. And how volunteers are helping translate, confirm authenticity, and collect information about possible war crimes.
If you are interested, previously we posted about a similar video story from the New York Times, and have covered various bits of radio related news from the war in two previous posts [1][2].
DragonOS is a ready to use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. The creator Aaron also runs a YouTube channel showing how to use the various packages installed.
In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.
GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but it can be interesting to investigate the metadata. GSM is mostly outdated these days, but still used in some areas by some older phones and devices. IMSI Catcher is a script that will record all detected GSM 'IMSI' numbers received by the mobile tower which can be used to uniquely identify devices.
Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on Source Forge.
A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts was used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and although only briefly shown in the video, the IMSI Catcher script works.
Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.
