Category: Security

Opening a Car and Garage Door With PlutoSDR

Over on his YouTube channel Tysonpower (aka Manuel) has uploaded a video showing how he was able to use his PlutoSDR to perform some simple replay attacks that open his garage and car doors. To do this he records the signal from the wireless keyfobs with the PlutoSDR, and then uses a GNU Radio program to replay that signal again at a later time. From the tests he concludes that the PlutoSDR can be a great cheaper alternative to a HackRF, with the PlutoSDR coming in at $100 vs $300 for the HackRF.

To get around the rolling code security on his car he records the keyfob with the PlutoSDR while it’s out of the wireless range of his car, so that the rolling code will not be invalidated. Then later closer to the car the PlutoSDR is used to replay the car keyfob signal which opens the door.

Note that Tysonpower’s video is narrated in German, but English subtitles are available through the YouTube interface.

Salamandra: A modern study of microphone bugs operation and detection with an RTL-SDR

A couple of weeks ago we posted about Salamandra, an RTL-SDR compatible piece of software which can be used to help detect and locate microphone bugs that are used for spying. Recently we discovered that the two authors of Salamandra, Veronic Valeros and Sebastian Garcia both from the MatesLab Hackerspace in Buenos Aires, Argentina have written a paper on their experiences with microphone bugs, and about the development of Salamandra. The abstract reads:

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect an locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.

The paper first outlines the history of microphone bugs and tries to dispel some of the myths about them which originate from movies and other fictional sources. They then perform a survery of the current state-of-the-art microphone bugging techniques, and later go on to discuss the development of Salamandra and some experiments that they performed with it.

In their experiments they show that the Salamandra software and RTL-SDR is able to outperform a commercial bug detector. They also performed several real world simulations where one researcher would hide a bug in a room, and then another would have to use Salamandra to determine if a bug was present, and then locate it using the location feature of Salamandra. They concluded that Salamandra was a very useful tool as they were able to detect the location of the bugs in under 40 minutes in 4/5 tests.

An example waterfall of a microphone bug transmitting and being received with an RTL-SDR
An example waterfall of a microphone bug transmitting and being received with an RTL-SDR
Location of a hidden bug in one of their tests.
Location of a hidden bug in one of their tests.

Receiving the Bitcoin Blockchain from Satellites with an RTL-SDR

Bitcoin is the worlds first and most popular digital currency. It is steadily gaining in value and popularity and is already accepted in many online stores as a payment method. In order to use Bitcoin you first need to download a large database file called a ‘blockchain’, which is currently at about 152 GB in size (size data obtained here). The blockchain is essentially a public ledger of every single Bitcoin transaction that has ever been made. The Bitcoin software that you install initially downloads the entire blockchain and then constantly downloads updates to the blockchain, allowing you to see and receive new payments.

Blockstream is a digital currency technology innovator who have recently announced their “Blockstream satellite” service. The purpose of the satellite is to broadcast the Bitcoin blockchain to everyone in the world via satellite RF signals, so that even in areas without an internet connection the blockchain can be received. Also, one problem with Bitcoin is that in the course of a month the software can download over 8.7 GB of new blockchain data, and there is also the initial 152 GB download (although apparently at the moment only new blocks are transmitted). The satellite download service appears to be free, so people with heavily metered or slow connections (e.g. 3G mobile which is the most common internet connection in the third world/rural) can benefit from this service as well.

The service appears to be somewhat similar to the first iteration of the Outernet project in that data is broadcast down to earth from satellites and an R820T RTL-SDR is used to receive it. The blockstream satellite uses signals in the Ku band which is between 11.7 to 12.7 GHz. An LNB is required to bring those frequencies back down into a range receivable by the RTL-SDR, and a dish antenna is required as well. They recommend a dish size of at least 45 cm in diameter. The signal is broadcast from already existing satellites (like Outernet they are renting bandwidth on existing satellites) and already 2/3 of the earth is covered. The software is based on a GNU Radio program, and can be modified to support any SDR that is compatible with GNU Radio. They write that the whole setup should cost less that $100 USD to purchase and set up.

To set it up you just need to mount your satellite antenna and point it towards the satellite broadcasting the signal in your area, connect up your LNB and RTL-SDR and then run the software on your PC that has GNU Radio installed.

More details can be found on the Blockstream Satellite website, and technical details about the software and hardware required can be found on their GitHub page.

How the Blockchain satellite works (From https://blockstream.com/satellite/howitworks/)
How the Blockchain satellite works (From blockstream.com/satellite/howitworks/)

Some may wonder what’s the point if you can’t transmit to the service to make payments with it. Over on this Bitcoin Reddit thread user “ideit” explains why it’s still useful in this nice quote.

You sell goats in a small village. A customer wants to buy a goat, but you have no banks so people have put their money into bitcoin. Your customer goes to the village center which has a few computers hooked up to the internet. He sends you payment then comes to get his goat. You don’t have internet near your goat farm, but you’re connected to the satellite so you can see he sent you payment and you give him his goat.

Or, you live in an area that caps your bandwidth. You want to run a full node, but downloading blocks eats away at your cap. Connecting to a satellite reduces your bandwidth usage.

Or, you’re using an air gapped laptop to sign transactions from your wallet for security reasons. You can now connect that laptop to the satellites so your laptop can generate its own transactions without connecting to the internet.

Or, your internet connection is terrible. You can usually broadcast transactions since they’re small, but downloading blocks and staying in sync with the blockchain is literally impossible. Connect to a satellite and now it’s simple.

Using an RTL-SDR as a Simple IMSI Catcher

Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International mobile subscriber identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI-catchers used by governmental agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data like who or when you are calling.

In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.

IMSI-Catcher Python Script
IMSI-Catcher Python Script

Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.

In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX.  With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.

Note that we’ve only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method. But the vast majority of 433 MHz ISM band devices are using simple modulation schemes that will work. Also replay attacks will not work on things like car keys, and most garage door openers as those have rolling code security.

A video demo is shown below:

Hardware used and wireless ISM band devices tested with RPiTX
Hardware used and wireless ISM band devices tested with RPiTX

RpiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz to 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output which has a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).

For testing, a short wire antenna shouldn’t radiate much further than a few meters past the room you’re in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed to which for most people will be the ISM bands.

In the past we’ve seen RPiTX used for things like controlling an RC car, building a home made FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We’ve also seen people perform replay attacks using the cleaner but harder way by reverse engineering a 433 MHz signal, and then generating the RPiTX OOK modulation manually.

Continue reading

DailyMail Article about the YARD Stick One

Back in May of this year the DailyMail ran an article discussing how the HackRF by Great Scott Gadgets could be used to break into cars. The DailyMail is a British tabloid magazine well known for its low credibility and alarmist articles. This week they ran a new article about Great Scott Gadgets other product, the Yard Stick One. In the article they discuss how the £109 Yard Stick One tool can be used to disable wireless burglar alarms. The YARD Stick One is not an SDR, but rather a computer controlled radio which can be used to transmit and receive wireless digital signals below 1 GHz. It is useful for wireless security research and reverse engineering digital signals in a way that is a bit easier than with using an SDR like the HackRF.

In the experiment performed in the article they use the YARD Stick one to jam a wireless home alarm for a few seconds allowing entry to the property without setting off the alarm. All in all the article is a good advert for the YARD Stick One, and does do a decent job at drawing attention to the lack of security provided by many wireless security devices.

DailyMail shows how a YS1 can be used to jam a wireless burglar alarm.
DailyMail shows how a YS1 can be used to jam a wireless burglar alarm.

Creating an Encrypted ADS-B Plane Spotter with a Raspberry Pi, RTL-SDR and SSL

These days it’s quite easy to share your ADS-B reception on the internet with giant worldwide aggregation sites like flightaware.com and flightradar24.com. These sites aggregate received ADS-B plane location data received by RTL-SDR users from all around the world and display it all together on a web based map.

However, what if you don’t want to share your data on these sites but still want to share it over the internet with friends or others without directly revealing your IP address? Some of the team at beame.io have uploaded a post that shows how to use their beame.io service to securely share your ADS-B reception over the internet. Beame.io appears to be a service that can be used to expose local network applications to the internet via secure HTTPS tunneling. Essentially this can allow someone to connect to a service on your PC (e.g. ADS-B mapping), without you revealing your public IP address and therefore exposing your PC to hacking.

On their post they show how to set up the RTL-SDR compatible dump1090 ADS-B decoder on a Raspberry Pi, and then connect it to their beame-instal-ssl service.

Encrypted ADS-B Sharing with the beame.io service.
Encrypted ADS-B Sharing with the beame.io service.

Detecting Car Keyfob Jamming With a Raspberry Pi and RTL-SDR

It’s been known for a while now that it is possible to break into cars using simple wireless attacks that involve jamming of the car keyfob frequency. Sammy Kamkars “rolljam” is one such example that can be built with a cheap Arduino and RF transceiver chip. One way to secure yourself against wireless attacks like this is to run a jammer detector.

A jammer detector is quite simple in theory – just continuously measure the signal strength at the car keyfob frequency and notify the user if a strong continuous signal is detected. Over on his blog author mikeh69 has posted about his work in creating a wireless jammer detector out of a Raspberry Pi and RTL-SDR dongle. He uses a Python script and some C code that he developed to create a tool that displays the signal strength on an onscreen bar graph and also conveys signal strength information via audio tones. He writes that with a pair of earphones and battery pack you can use the system while walking around searching for the source of a jammer.

Mikeh69’s post goes into further detail about installing the software and required dependencies. He also writes that in the future he wants to experiment with creating large area surveys by logging signal strength data against GPS locations to generate a heatmap. If you are interested in that idea, then it is similar to Tim Haven’s driveby noise detector system which also used RTL-SDR dongles, or the heatmap feature in RTLSDR Scanner.

[Also seen on Hackaday]
RTL-SDR + Raspberry Pi Jammer Detector.
RTL-SDR + Raspberry Pi Jammer Detector.