Category: Security

Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain’s MyQ Hub, a “Universal” IoT garage door automation platform. Such a device allows you to operate your garage door and monitor its status remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.

Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.

Although the system utilizes rolling codes for security, McAfee researchers made use of the "rolljam" technique, a well-known method for breaking rolling code security. The basic idea is to use an SDR or other RF device to jam the signal, collect the second rolling code after two key presses, then play back the first. Now the attacker has the second unused rolling code ready to be played back at any time.

McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they utilized an SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming and not the use of a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when he thinks that he is closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

McAfee Advanced Threat Research Demo Chamberlain MyQ
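
The state confusion described in the quote can be reproduced with a small model. This is an added example, not code from McAfee or Chamberlain: the class names, the `UNKNOWN` message and the `GuardedHub` policy (refuse further toggles until the sensor confirms the door state) are assumptions made for illustration.

```python
from dataclasses import dataclass

ERROR = "Something went wrong. Please try again."   # app text quoted on the page
UNKNOWN = "Door state unconfirmed. Check the door."  # hypothetical message

@dataclass
class Door:
    closed: bool = False
    def toggle(self):
        # Stateless actuator: every command just flips the current state.
        self.closed = not self.closed

def sensor_report(door, jammed):
    """Status report from the remote sensor; None when the RF report is lost."""
    return None if jammed else door.closed

class NaiveHub:
    """Behaviour described in the quote: a lost report is shown as a failure."""
    def request_close(self, door, jammed):
        door.toggle()
        return "closed" if sensor_report(door, jammed) else ERROR

class GuardedHub:
    """Hypothetical mitigation: no further toggles while the state is unconfirmed."""
    def __init__(self):
        self.unconfirmed = False
    def request_close(self, door, jammed):
        if self.unconfirmed:
            report = sensor_report(door, jammed)
            if report is None:
                return UNKNOWN          # still blind: do not move the door
            self.unconfirmed = False
            if report:
                return "closed"         # the earlier command did succeed
        door.toggle()
        report = sensor_report(door, jammed)
        if report is None:
            self.unconfirmed = True
            return UNKNOWN
        return "closed" if report else ERROR

def simulate(hub, jammed_attempts):
    """User asks to close an open door, once per entry in jammed_attempts."""
    door = Door(closed=False)
    messages = [hub.request_close(door, jammed) for jammed in jammed_attempts]
    return messages, door.closed
```

With two jammed attempts, `simulate(NaiveHub(), [True, True])` ends with the door open, while `simulate(GuardedHub(), [True, True])` leaves it closed and tells the user the state is unconfirmed.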

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas City.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

SignalsEverywhere: The Ethics of Decoding and Sharing Private Information with SDRs

Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a new video that addresses the ethics of decoding private information with SDRs. The radio spectrum is full of private communications with little to no security around them. For example, hospital pagers in many countries and cities are completely unencrypted and easily decoded by anyone who can run a radio and install software on Windows. These messages often contain very private patient data. Another example he gives is Inmarsat AERO Medlink voice communications, and how he's seen full phone calls being shared online.

In the video Corrosive discusses the ethics of publicly sharing these private communications, even if they may be legal to receive and share in your country. He argues that sharing someone's private data and phone calls on the internet is in poor taste and is not okay, which I think is something everyone should be able to agree with.

SDR Ethics | We Need to Talk!

However, on the other side of the coin, several responses to his video on Reddit share a different point of view. Several commenters on that forum expressed disagreement, arguing that precisely because these services are so insecure, we should actively be sharing intercepted messages and trying to raise outrage and awareness about these privacy flaws. The argument stems from a position that many information security researchers seem to take: if the public is not aware of their lack of privacy, only the bad guys will be taking advantage, and nothing will end up being properly secured by companies.

We've seen this approach taken by information security artists in the past like the Holy Pager art installation in New York. The temporary installation used a HackRF to continuously print out all pager messages being broadcast in an attempt to raise awareness about what private information is being sent for anyone to read. However, it may be one thing to share private data with a few art gallery patrons, versus the entire internet.

I think we should all at least agree on a middle ground. If you are listening/decoding radio services that are meant to be private but are unsecure for all to listen to, at least keep it to yourself, and don't share people's private conversations/data on the internet. If you want to raise awareness about the lack of security to put pressure on companies, censor people's private information and only mention generally what you are hearing.

RTL-SDR and HackRF Used in Mr. Robot – A TV Drama About Hacking

A few readers have written in to let us know the role SDRs played in the last season of "Mr. Robot". The show, which is available on Amazon Prime, is about "Mr. Robot", a young cyber-security engineer by day and a vigilante hacker by night. The show has actual cyber security experts on the team, so whilst still embellished for drama, the hacks performed in the show are fairly accurate, at least when compared to other TV shows.

Spoilers of the technical SDR hacks performed in the show are described below, but no story is revealed.

In the recently aired season 4 episode 9, a character uses a smartphone running an SSH connection to connect to a HackRF running on a Raspberry Pi. The HackRF is then used to jam a garage door keyfob operating at 315 MHz, thus preventing people from leaving a parking lot. 

Shortly after, she can be seen using the HackRF again with Simple IMSI Catcher. Presumably they were running a fake cellphone basestation, as they use the IMSI information to try to determine someone's phone number, which leads to being able to hack their text messages. The SDR used in the fake basestation appears to have been a bladeRF.

HackRF Used on Mr Robot

In season 4 episode 4 GQRX and Audacity can be seen on screen being used to monitor a wiretap via rtl_tcp and an E4000 RTL-SDR dongle.

E4000 RTL-SDR Being used for Wiretap Monitoring

Did we miss any other instances of SDRs being used in the show? Or have you seen SDRs in use on other TV shows? Let us know in the comments.

The Toosheh Project: An Outernet-like Service for Iran and the Middle East

If you've been following our blog over the years, you'll know that we've mentioned the "Outernet" (now known as "Othernet") service a few times. Othernet is a satellite service that wants to provide one way data such as news, weather, audio, books and Wikipedia articles to those in areas with poor, censored or no internet connection. Previous iterations made use of home satellite TV equipment, then L-band (with RTL-SDR receivers) and now the Ku-band with LoRa receivers. Currently it's only available in North America and Europe.

However, thanks to a reader we were recently informed about an interesting and long running Othernet-like service for the Middle East called "Toosheh" (aka Knapsack) which makes use of satellite TV dishes and receivers that are very common in the Middle East. While not specifically related to SDRs, this is an interesting RF related project and situation that we wanted to post about.

Our reader is from Iran, where the government recently shut down the entire country's internet for 7 days due to anti-government protests. The reader wanted to share information about the Toosheh project, which has been operating for several years now and is one of the ways Iranians can get around heavy internet censorship and blockages.

After two rough weeks of no internet access at all, finally, we're gaining access again and getting back online slowly. As you may know (if you are following the news), a complete internet shutdown was conducted by the I.R. of Iran due to some intense protests across the whole country against the government because of a 200% sudden and unannounced gas price increment. The internet is censored in my country anyhow but this time it was a big one. We only had access to a few domestic websites and NOT even Google services! That was tough!

I know it may be irrelevant to the subject of your blog but it's good for your audience to understand and know the people who have worked hard way before the OUTERNET project to develop a satellite offline broadcast with almost no special devices to receive and use and bring free and uncensored information to the people in Iran.

The major role of the Toosheh project occurred in the Iran 2012 presidential election protests, during which there were no major broadband internet services all over the country, and it helped a lot to bring daily updates of news and TV programs.
The Toosheh is one-way, receive-only from the satellite, but the tricky part is that Toosheh is not just like a simple satellite data link; it appears as a TV channel in all satellite TV receivers, which are very common in Iran, so the blockage of it is hard for the government. However, some trials were arranged by the government back in that time to collect the satellite dishes, jam the signals, or carry out mass destruction (!) of the satellite receivers, which are currently no longer common in most parts of the country (at least without unnecessary violence). Check out this link: Bajestan News » Destruction of satellite equipment in Bajestan + photos (Admin note: Article is in Persian, use Google Translate to translate Persian to English)

The procedure to use this service is freaking simple. Set your dish to Yahsat and search for the channels on 11766 MHz. Select the Toosheh channel, plug a flash drive into your receiver and record the blank screen in .TS format using the PVR capability. After several hours of recording, unplug your flash drive and connect it to your phone, tablet or laptop. Then open the Toosheh app and you are good to go. Now you have access to dozens of free podcasts, music, books, movies, news, webpages, TV shows and much more that will be updated every single day, and if you need something specifically just send them an email. Exactly the same as the OUTERNET but without any special equipment and only with ordinary receivers that are available in almost every home nowadays.

Also if you see their website at toosheh.org and search some other press blogs about Toosheh you can gain more info about the topic.
Toosheh Website Image

We also note that this appears to be the English language version of the Toosheh project, which provides some more information about coverage and the technology used: https://knapsackforhope.org. Coverage is only available in the Middle East.

Toosheh Coverage

Using a HackRF to Investigate Why WiFi on the Raspberry Pi 4 Doesn’t work when Running HDMI at 1440p

The Raspberry Pi 4 launched with its fair share of problems, but a new problem seems to have been recently discovered and documented. It turns out that the Pi 4's WiFi stops working when running at a screen resolution of specifically 1440p.

Suspecting interference generated by the HDMI clock, Mike Walters (@assortedhackery) used a HackRF and a near field probe antenna to investigate. By placing the near field probe on the Raspberry Pi 4's PCB and running a screen at 1440p resolution he discovered a large power spike showing up at 2.415 GHz. This interferes directly with 2.4 GHz WiFi Channel 1.

An ExtremeTech article notes:

There’s a giant spike that could easily interfere with Channel 1 of a Wi-Fi adapter. So why is this happening? Because a 2560×[email protected] has a pixel clock of 241.5MHz and has a TMDS (transition-minimized differential signaling) clock of 2.415GHz, according to Hector Martin (@Marcan42). And what frequency does the RBP4 use for Wi-Fi? 2.4GHz. Which means… outputting on HDMI over 1440p can cause interference in a Wi-Fi channel.

The ExtremeTech article also notes that this problem is not unique to the Raspberry Pi 4. It turns out that USB 3.0 hardware is to blame, and this problem has occurred before with USB 3.0 hard drives and on some MacBooks.

While the interference appears to be localized to the near field around the Pi4 PCB, we suspect that you could use TempestSDR to remotely eavesdrop on the Pi 4's video output if the interfering signal was boosted.
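
The pixel clock quoted above can be checked against the 2.4 GHz channel plan to see why 1440p in particular collides with WiFi. This is an added example, not code from the article or from Mike Walters: it assumes interference appears at integer multiples of the pixel clock and a 22 MHz channel width, and the 1080p60 and 2160p30 clocks (148.5 MHz and 297 MHz) are standard values that do not come from the page.

```python
# Which multiples of an HDMI pixel clock land inside 2.4 GHz WiFi channels?
WIFI_HALF_WIDTH_MHZ = 11.0   # assumption: 22 MHz-wide channel
BAND_TOP_MHZ = 2483.5        # upper edge of the 2.4 GHz ISM band

def wifi_channels():
    """Channel number -> centre frequency in MHz for channels 1-13."""
    return {ch: 2407.0 + 5.0 * ch for ch in range(1, 14)}

def harmonics_in_wifi(pixel_clock_mhz):
    """Return [(multiple, freq_mhz, [overlapped channels])] for one pixel clock."""
    hits = []
    n = 1
    while n * pixel_clock_mhz <= BAND_TOP_MHZ:
        freq = n * pixel_clock_mhz
        overlapped = [ch for ch, centre in wifi_channels().items()
                      if abs(freq - centre) <= WIFI_HALF_WIDTH_MHZ]
        if overlapped:
            hits.append((n, freq, overlapped))
        n += 1
    return hits

# 241.5 MHz is the page's figure; the other two clocks are added for comparison.
MODES = {"1080p60": 148.5, "1440p": 241.5, "2160p30": 297.0}

def report():
    """Map each video mode to the WiFi overlaps found for its pixel clock."""
    return {mode: harmonics_in_wifi(clock) for mode, clock in MODES.items()}

if __name__ == "__main__":
    for mode, hits in report().items():
        print(mode, hits or "no overlap with 2.4 GHz WiFi")
```

Only the 241.5 MHz clock produces a hit: its tenth multiple is the 2.415 GHz figure in the quote, 3 MHz from the centre of channel 1 and also inside the masks of channels 2 and 3.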

DEF CON 27 SDR Talks: Antennas for Surveillance, Ford Keyfob Hack, Smart TV Wireless Side Channel Attack

Talks from this year's DEF CON 27 conference, which was held back in August, are now available on YouTube. DEFCON is a yearly conference that focuses on information security topics and often includes talks about SDRs and other wireless radio topics too. In particular we wanted to highlight the DEF CON 27 Wireless Village playlist, which contains numerous talks related to wireless, radio and SDRs.

Most talks from the wireless village relate to WiFi, but one talk with some very useful information that we really enjoyed was "Antennas for Surveillance" by Alex Zakhorov. 

We will cover the various kinds of antennas available to optimize your SDR radio for different types of spectrum monitoring. We will also explain why RF filters are necessary on most SDRs and when Low Noise Amplifiers help, and when Low Noise Amplifiers hurt reception.

DEF CON 27 Wireless Village - Alex Zakhorov - Antennas for Surveillance

Another interesting talk was called "The Ford Hack Raptor Captor video" by Dale Wooden (Woody), where he shows how he used an RTL-SDR and HackRF to hack a Ford car key fob. If you're interested, we wrote about the Hak5 videos on this hack in a previous post.

This talk will show flaws with development of security protocols in New Ford key fobs. This will exploit several areas. The ability for a denial of service to the keyfob WITHOUT jamming. How to trick the vehicle into resetting its rolling code count. How to lock, unlock, start, stop, and open the trunk of Ford vehicles using a replay attack after resetting rolling code count. How to find the master access code for Ford's keypad to bypass security. This talk will also demonstrate how to reset your key fobs if they are attacked by a deauth attack. We will also demonstrate gnu-radio script to automate RF collection of Ford key fobs. As seen on HAK5 episodes 2523-2525

DEF CON 27 Wireless Village - Woody - The Ford Hack Raptor Captor video

Outside of the Wireless village there were also some interesting SDR topics including this talk titled "SDR Against Smart TVs URL Channel Injection Attacks" by Pedro Cabrera Camara. If you're interested we also wrote about Pedro's work in a previous post.

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

DEF CON 27 Conference - Pedro Cabrera Camara - SDR Against Smart TVs URL Channel Injection Attacks

Tutorial on Performing a Replay Attack with a HackRF and Universal Radio Hacker

Over on YouTube, the Tech Minds channel has uploaded a short tutorial video that shows how to perform a replay attack with a HackRF and the Universal Radio Hacker software. A replay attack is when you record a control signal from a keyfob or other transmitter, and replay that signal using your recording and a TX capable radio. This allows you to take control of a wireless device without the original keyfob/transmitter. This is easy to do with simple wireless devices like doorbells, but not so easy with any system with rolling codes or more advanced security like most car key fobs.

In the video Tech Minds uses the Universal Radio Hacker software to record a signal from a wireless doorbell, save the recording, replay it with the HackRF, and also analyze it.

Universal Radio Hacker - Replay Attack With HackRF