Category: Security

Reverse Engineering a 30 Year Old Wireless Garage Door Opener with a HackRF and GNU Radio

At his childhood home Maxwell Dulin discovered that his garage door was controlled by a 30 year old system called the "Sears Craftsman 139.53708 Garage Door Remote". Being interested in SDRs Maxwell decided to see if he could reverse engineer the remote using his HackRF.

His first steps were to search for the frequency which he found active at 390 MHz. He then moved on to analyzing the signal with Inspectrum, discovering the OOK modulation, then working his way towards the binary control strings. One thing that helped with his reverse engineering was the use of the 9-bit DIP switches on the remote that configure the security code that opens up a specific door as this allowed him to control the transmitted bits, and determine which bits were used for the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.

Finally Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. Through some calculations, he discovered that brute forcing every possible security code in the 9-bit search space would only take 104 minutes to open any garage using this opener.

GNU Radio replaces a 30 year old garage door remote

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021 and videos of presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

In the past we've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in depth reverse engineering project so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Snooping Network Traffic from LAN Cables with an RTL-SDR or HackRF

Mordechai Guri is a cyber-security security researcher at Israel's Ben Gurion University of the Negev. Recently Guri has described a method for sniffing network data from LAN Ethernet cables over an air gap through the use of RTL-SDR or HackRF software defined radios. Guri's paper is available directly here.

The idea behind the attack is that ethernet cables can act as an antenna, leaking signals at frequencies which can easily be sniffed by a SDR. The specific technique in the paper does not decode normal network traffic, instead it requires that malicious code which modulates a custom signal over the ethernet cable be installed on the PC first. The technique used appears to be similar to what the Etherify software by SQ5BPF uses, which modulates data in morse code by turning the network card on and off.

Receiving a signal modulated by the LanTenna malware

SDR Videos from DEFCON 29

Recently some videos from this years (mostly virtual) DEFCON 29 conference have been uploaded to YouTube. Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. Some interesting talks that we've found from the main Defcon and Villages are posted below.

You can view all the talks directly as well as the many others via the main stage DEFCON YouTube channel, the ICS Village Channel, RF Village Channel and the Aerospace Village. There are also several talks from the Ham Radio Village recorded on Twitch. Did we miss any interesting talks? Please let us know in the comments.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

Why Smart Meters? This is a question Hash is often asked. There's no bitcoin or credit card numbers hiding inside, so he must want to steal power, right? Openly analyzing the technology running our critical infrastructure and publishing the findings is something Hash is passionate about. In the wake of the great Texas freeze of 2021, we can no longer "hope" those in power will make decisions that are in the people's best interest. This talk will present research on the Landis+Gyr GridStream series of smart meters used by Oncor, the largest energy provider in Texas.

Cyber attacks on Industrial Control Systems (ICS) differ in scope and impact based on a number of factors, including the adversary's intent, sophistication and capabilities, and familiarity with ICS and automated indutrial processes. In order to understand, identify and address the specific points that can prevent or stop an attack, a systematic model known as "Cyber Kill Chain" is detailed, a term that comes from the military environment and registered by the Lockheed Martin company. While most are familiar with terms and theoretical diagrams of how security should be implemented, in this talk we want to present live how an attack chain occurs from scratch to compromise industrial devices, the full kill chain, based in our experiences. The goal is to land these threats into the real world without the need to carry out these attacks with a nation-state budget.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data).

In this talk I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed and the audio is decoded and played. The maximum bit rate achieved was 33kbit/s and more than 99% of the packets were received.

Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packets transfers, but other types of digital data may be transmitted using the same technique.

[Slides Link] [Whitepaper]

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS

"Today's presentation will start with a brief history of DragonOS, where it started and where it's at today. After a short introduction, I'll dive into the subject of visualizing RF propagation with DragonOS. I'll be showing a fresh OS install and the necessary steps to generate a rough estimate of a transmitter based on SRTM-3 elevation data, as well as a new feature enabling visualization/calculations of the path between transmitter and receiver .

Topics and hands on (pre-recorded) demonstrations will include the following,

  • SPLAT! is an RF Signal Propagation, Loss, And Terrain analysis tool for the electromagnetic spectrum between 20 MHz and 20 GHz.
  • Signal Server Multi-threaded RF coverage calculator
  • Dr. Bill Walker's role
  • Signal Server and DragonOS integration
  • DF-Aggregator Developer / Modifications for visualization

I’ll conclude talking about future improvements to RF propagation and visualization tools."

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS

Continue reading

BSides Talk: Hacking RF Breaking what we can’t see

Over on YouTube the BSides Halifax channel has uploaded a recent talk given by Security Engineer Grant Colgan titled "Hacking RF Breaking what we can't see". In the talk Grant first shows the various bits of wireless devices that he tests, as well as the receiver equipment that he uses which includes a HackRF and RTL-SDR dongles. He goes on to show various live demos.

An often overlooked aspect of security is what happens when information is moving magically from one device to another with no wires. We know this as (usually) Wifi or Bluetooth and any attacks are usually based on these technologies. However when you widen the scope to RF wireless communication, A lot more tools become available. In this talk I will be talking about the attack and doing live demos.

Hacking RF Breaking what we can't see - Grant Colgan (BSides Halifax 2021)

The KiwiSDR Backdoor Situation

Since it's announcement in early 2016 we've posted many times about the KiwiSDR, a 14-bit wideband RX only HF software defined radio created by John Seamons (ZL/KF6VO). The KiwiSDR has up to 32 MHz of bandwidth, so it can receive the entire 10 kHz - 30 MHz VLF/LF/MW/HF spectrum all at once.

Compared to most other SDRs the KiwiSDR is a little different as it is designed to be used as a public web based SDR, meaning that KiwiSDR owners can optionally share their KiwiSDR online with anyone who wants to connect to it. The public functionality allows for some interesting distributed applications, such as TDoA direction finding, which allows users to pinpoint the location of unknown HF transmissions such as numbers stations.

In order to implement this online capability, the KiwiSDR runs custom open source software on a Beaglebone single board computer which connects to your home network. Recently there has been vocal concern about a security flaw in the software which could allow hackers to access the KiwiSDR. The flaw stems from the fact that the KiwiSDR has 'backdoor' remote admin access that allows the KiwiSDR creator to log in to the device and troubleshoot or make configuration changes if required. This backdoor has been public knowledge in the KiwiSDR forums since 2017, although not advertised and explicit consent to have it active and used was not required.

The intent of the backdoor is of course not malicious, instead rather intended as an easy way to help the creator help customers with configuration problems. However, as KiwiSDR owner Mark Jessop notes, the KiwiSDR operates in HTTP only, sending the admin master password in the clear. And as KiwiSDR owner and security researcher @xssfox demonstrates, the admin page gives full root console access to the Beaglebone. These flaws could allow a malicious party to take over the Beaglebone, install any software and perhaps work their way onto other networked devices. Another tweet from xssfox implies that the password hashes are crackable, allowing the main admin password to be easily revealed.

Creator John Seamons has already released a patch to disable the admin access, and as of the time of this article 540 out of 600 public KiwiSDRs have already been auto-updated. Owners of KiwiSDR clones should seek out updates from the cloner.

It is clear that the KiwiSDR is a passion project from John who has dedicated much of his time and energy to consistently improving the technical RF engineering side of the device and software. However we live in an age where malicious hacking of devices is becoming more common, so anyone releasing products and software that network with the internet should be reminded that they have a responsibility to also dedicate time to ensuring security.

John has reached out to us in advance and noted that he currently cannot yet comment publicly on this topic due to legal advice.

The KiwiSDR
The KiwiSDR

Receiving pH Readings from a Wireless Medical Implant with RTL-SDR

Over on Hackaday we've learned about an interesting investigation by James Wu who was recently implanted with a stomach pH (acidity) monitoring device called the "Medtronic Bravo Reflux Capsule". Whilst inspecting the patient demo capsule James noted that the device transmitted data wirelessly via a very small low power transmitter, in particular noticing a telltale "433" written on a component on the device, indicating that it uses the 433 MHz ISM band.

Back at home he pulled up the FCC filing for the device, which unveiled that it is OOK-PWM modulated, and operates at 433.92 MHz. The rest of the filing also had information noting that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, making it easy for decoding.

With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.

After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading, however it was represented as an 8-bit ADC reading with a value between 0 to 255. James plotted the relationship between the 8-bit raw ADC reading, and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and real pH reading, but notes that there may be a more accurate calibration curve required for actual medical use.

Decoding pH readings from a stomach implant with an RTL-SDR

If you're interested in wireless medical devices, in the past we've seen how SDRs could be used to not only receive data coming from Minimed Insulin pumps, but to maliciously control them with a HackRF too. We've also seen that data could possibly be received from implanted heart defibrillators as well.

Crimean Resident Arrested under Accusation of Spying for Ukraine with RTL-SDR Dongles

Back in early 2014 Crimea was annexed from the Ukraine by Russian forces. Recently we've heard news that a Crimean resident was arrested by the Russian Federal Security Service under the suspicion of being a Ukrainian informant who was intending to transfer, or was transferring military data abroad using RTL-SDRs.

A video of the arrest has been uploaded to YouTube, and RTL-SDR dongles running with the Airspy SDR# software on his laptop can clearly be seen as having been photographed. The photos of the SDR# screen appear to show that he was monitoring the commercial aviation band with a scanner plugin.

The YouTube description is translated below:

Today it was reported about the arrest of a Crimean resident, either intending to transfer, or transferring military data abroad.

The FSB has published footage of the arrest. The time on the laptop caught on the video during the search of housing 07:40 date 06/22/21. The laptop is turned on, the AIRSPY radio frequency scanning program is running, the laptop is in the dust - only traces of pressing some keys are visible, and the touchpad was not used. There are many icons in the room, books on radio engineering, a Ukrainian flag, aircraft models, several pennants "Tavria 1958", an ICOM IC-R6 radio, maps.

The detainee transferred the information received to Ukraine on one basis, collected it on the other and intended to transfer it.

The court sent the man to the pre-trial detention center for 2 months. If his guilt is proven, then high treason "shines" and does not shine to see the will for 25 years.

According to an article on RadioFreeEurope, the man was detained as he was "collecting data on the flights of Russian military planes for Ukrainian intelligence".

It is unclear if the man was knowingly providing intelligence services, or is simply an aviation hobbyist caught up in politics. If anyone has more information about his story, please let us know in the comments.

UPDATE 29 June 2021: More information on the story at this link.

Украинский осведомитель был футбольным фаном. Болел за «Таврию»

Crimean resident arrested for using RTL-SDRs to monitor the airband
Commercial Aviation Frequencies Monitored

This is a reminder to those in politically dangerous situations to take care when using SDRs. In the past we have seen a Slovenian researcher almost jailed for performing University research with an RTL-SDR, a UN expert arrested for possessing an RTL-SDR in Tunisia, and SDRs come under fire when Trump tweeted a now-debunked conspiracy theory on how an RTL-SDR was being used as a close range scanner by the black lives matter protestor who was shoved to the ground on video by Buffalo police.