Category: Security

HackRF and Portapack Featured in Recent Linus Tech Tips Video

Over on YouTube the Linus Tech Tips channel has recently released a video about the HackRF titled "It’s TOO Easy to Accidentally Do Illegal Stuff with This". Linus Tech Tips is an extremely popular computer technology YouTube channel. The HackRF is a popular transmit capable software defined radio that was released about 10 years ago. The portapack is an add-on for the HackRF that allows the HackRF to be used as a handheld device, and when combined with the Mayhem firmware, it enables easy access to some controversial tools that could get a user into a lot of legal trouble very fast.

In the video Linus, whose team is based in Canada, mentions that they decided to purchase the HackRF and similar devices because of the Canadian government's plan to ban various RF tools, including the Flipper Zero and HackRF.

Linus then discusses and demonstrates "van eck phreaking" with TempestSDR, showing how he can use the HackRF to recover the video from a PC monitor wirelessly. He then goes on to demonstrate how the Portapack can be used to jam a wireless GoPro camera transmitting over WiFi. 

Finally, Linus discusses the legality and morality of such devices being available on the market.

It’s TOO Easy to Accidentally Do Illegal Stuff with This

BSidesPGH 2024 Talk: Introduction to Software Defined Radio For Offensive and Defensive Operations

Over on the YouTube channel "SecPGH" a talk by Grey Fox titled "Introduction to Software Defined Radio For Offensive and Defensive Operations" has been uploaded from the BSidesPGH 2024 conference. BSidesPGH 2024 was a security conference held in Pittsburgh, PA, USA on July 25.

The talks are generally about network security, however, Fox's talk is all about RF security topics and software defined radio. In the talk, he introduces SDR, and devices like the Flipper Zero and demonstrates various basic examples such as receiving FM from a handheld radio and ADS-B.

Next, he goes on to demonstrate security topics such as showing how to capture and analyze signals from a 433 MHz security alarm using an RTL-SDR and Flipper Zero, and how to jam frequencies and replay captured signals. Finally, he demonstrates WiFi cracking with the help of Kali Linux and Flipper Zero with WiFi dev board attached.

BSidesPGH 2024 Track 2 Grey Fox Introduction to Software Defined Radio For Offensive and Def

Easvesdropping on HDMI with TEMPESTSDR and SDRplay

Over on YouTube "Sam's eXperiments logs" have uploaded a video showing how he was able to succeed when using TEMPESTSDR to eavesdrop on HDMI cables with his SDRplay. TEMPESTSDR software combined with a software defined radio allows a user to eavesdrop on TVs, monitors, and more by wirelessly receiving their unintentional RF emissions and recovering information from those emissions. In many cases it is possible to recover live images of the display, clear enough to read text.  

Sam's video explains the challenges he faced with signal strength due to the highly effective shielding of his HDMI cables. To get around this Sam shows how he unshielded his HDMI cables for the test. This is good news for privacy, as it shows how effective shielding can be at stopping these kinds of attacks. He then goes on to show the results he obtained which show text being read from his screen.

I Finally Succeeded: HDMI Signal Eavesdropping with TEMPESTSDR

Deep-Tempest: Eavesdropping on HDMI via SDR and Deep Learning

Over the years we've posted several times about the TEMPEST applications of software-defined radio. TEMPEST aka (Van Eck Phreaking) is when you listen to the unintentional RF emissions of electronics and are able to recover information from that. In the past, we posted about TempestSDR, an RTL-SDR compatible program that allows you to view images from a computer monitor or TV simply by picking up the unintentional RF emissions from it.

Usually, the images received are fuzzy and it can be difficult to recover any information from them. However recently there has been work on combining Tempest techniques with deep learning AI for improving image quality.

Deep-tempest has recently been released on GitHub and from their demonstrations, the ability to recover the true image with deep learning is very impressive. From a fuzzy grey screen, they show how they were able to recover clear text which looks almost exactly like the original monitor image.

Deep-tempest is based on gr-tempest, and requires GNU Radio, Python 3.10 and a Conda environment. Instructions for installing it are on the GitHub.

The whitepaper on the University research done to implement Deep-Tempest can be found freely on arxiv at https://arxiv.org/pdf/2407.09717.

How Deep-Tempest Works
How Deep-Tempest Works
Deep-Tempest Results
Deep-Tempest Results

Scott Manley Explains GPS Jamming & Spoofing and Why & Who is Causing It

In recent years GPS spoofing and jamming have become quite commonplace. Recently popular YouTuber Scott Manley uploaded a video explaining exactly what GPS spoofing and jamming is and explains a bit about who is doing it and why.

In the video Scott explains how aircraft now routinely use GPS as a dominant navigational sensor and how some commercial flights have been suspended due to GPS jamming. Scott explains how ADS-B data can be used to determine the source of GPS jamming (via gpsjam.org) and shows hotspots stemming from Russia. He goes on to show how drone shows have also failed in China either due to GPS jamming by rival companies or due to Chinese military warship jamming. Scott then explains a bit about GPS and how jamming and spoofing work.

GPS Jamming & Spoofing - How Does It Work, And Who's Doing It?

YouTube Video Series on Iridium Satellite Decoding with an Airspy, RTL-SDR Blog Patch Antenna and DragonOS

Over on his YouTube channel, Rob VK8FOES has started a new video series about Iridium Satellite Decoding. Iridium is a constellation of low-earth orbiting satellites that provide voice and data services. Iridium was first decoded with low cost hardware by security researchers back in 2016 as mentioned in this previous post. Being unencrypted it is possible to intercept private text and voice communications.

Rob's video is part of a series, and so far only part one has been uploaded. The first video outlines the hardware and software requirements for Iridium decoding and demonstrates the gr-iridium software. An Airspy and RTL-SDR Blog Patch Antenna are used for the hardware, and the software runs on DragonOS.

Rob writes that in part two he will demonstrate the use of iridium-toolkit, which can be used to extract data and recordings from the Iridium data provided from gr-iridium.

Be sure to subscribe to his YouTube channel so that you are notified when part two is released.

Iridium Satellite Decoding Part 1: The Tutorial That Goes Over Your Head, Literally!

WarDragon: Testing EMEye/TempestSDR with Wyze Cam Pan V2 Cameras and a USRP B210

Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.

Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.

In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.

I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.

Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.

If you're interested we reviewed WarDragon in a recent post as well.

WarDragon EMEye/TempestSDR Camera Eavesdropping Attack Research (B210, Airspy R2, Wzye Cam Pan v2)

EM Eye: Eavesdropping on Security Camera via Unintentional RF Emissions

Researchers from the University of Michigan and Zhejiang University have recently published their findings on how it's possible to eavesdrop and wirelessly recover images from security cameras via RF unintentionally leaking from the camera electronics.

EM side-channel attacks aka receiving and decoding data from the unintentional RF transmissions from electronics are nothing new.  In the past, we've posted how some laptops unintentionally broadcast audio from the microphone via RF, how a tool called TempestSDR can be used to spy on monitors/TV's via RF leakage, how encryption keys can be stolen from PCs via unintentional RF, and even how Disney is looking to use RF leakage for RF fingerprinting.

In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.

The team has not only released a paper on the topic but has also released the full code as open-source software on GitHub. The software is based on a modified version of TempestSDR, so it may also work for other supported SDRs, like the HackRF and RTL-SDR.

EM Eye: How Attackers Can Eavesdrop on Camera Videos