Category: Security

Opening a Parking Barrier with a HackRF Portapack and a Replay Attack

Over on YouTube, user kwon lee has uploaded a video demonstrating a replay attack against a parking barrier arm. The tools he uses are a HackRF and Portapack running the Havoc firmware. A replay attack involves recording a control signal with the HackRF+Portapack and then replaying it later with the transmit function of the HackRF. If no wireless security mechanism such as rolling codes is used, simply replaying the signal will result in the transmission being accepted by the controller's receiver.

As he has access to the remote control, he records the transmission that is sent when the open button is pressed on the remote. Later, once outside, he shows how transmitting with the HackRF+Portapack results in the barrier arm opening.

This reminds us of a previous post where we noted how a HackRF was used to jam a garage door keyfob to prevent people from leaving in the TV show "Mr. Robot".

RF Replay Attack _ Parking-Breaker with HackRFone+Portapack+havoc

Gaining Access to Windows on the Flex 6500 SDR Transceiver and Installing Other Programs

The Flex 6500 is a now discontinued (only refurbished units are available, for US$2,600) SDR transceiver made for amateur radio use. Together with the optional Maestro control panel, it forms a fully standalone SDR-based transceiver, with built-in SDR software available on the Maestro's LCD screen. The system runs embedded Windows and is locked down to prevent the user from getting outside the FlexRadio software.

However, a Norwegian university radio club found the Flex radio to be very inflexible, as they could not connect the radio to their university's WiFi system, which requires users to authenticate first via a web browser. What should be a simple task on any Windows system was unfortunately not supported by the radio software, and FlexRadio themselves were unable to help.

Fortunately the students were able to hack the Windows filesystem via a backdoor found in the built-in software, allowing them full access to the Windows desktop. The hack is fairly simple, consisting of gaining access to Notepad, and thus the filesystem and command prompt, via a "view source" right-click menu on the web login interface. Once hacked, the students were able to install custom software like the N1MM+ contest logger and WSJT-X for WSPR decoding. They were also able to connect a Bluetooth keyboard and mouse, which was not supported by default.

[Also seen on Hackaday]

FlexRadio 6500 hacked to gain access to Windows.

Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain's MyQ Hub, a "Universal" IoT garage door automation platform. Such a device allows you to operate and monitor the status of your garage door remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.

Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.

Although the system utilizes rolling codes for security, McAfee researchers made use of the "rolljam" technique, which is one well-known method for breaking rolling code security. The basic idea is to use an SDR or other RF device to jam the signal, collect the second rolling code after two key presses, then play back the first. Now the attacker has the second, unused rolling code ready to be played back at any time.

McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they utilized an SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming, not a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when they think they are closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.
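The design lesson in the quoted passage is about command semantics rather than radio. The following added example (not McAfee's code and not the MyQ firmware) models the hub, the door and the sensor reply with constructed message names. A "toggle" command combined with a lost acknowledgement lets the user's retry reopen a door that is already closed, whereas a command that names the target state is idempotent and survives the same lost acknowledgement.

```python
# Added example (not McAfee's code or the MyQ firmware): a toy model of the
# hub/door exchange described above. Names and the retry loop are constructed;
# the retry stands in for the user tapping "try again" in the app.

class Door:
    def __init__(self, state="open"):
        self.state = state

    def toggle(self):
        """Stateless toggle: the door simply flips, whatever it was doing."""
        self.state = "closed" if self.state == "open" else "open"

    def set_state(self, target):
        """Explicit target state: closing a closed door is a no-op."""
        self.state = target


class Link:
    """RF link between the hub and the door sensor. When jammed, the door still
    receives the command but the sensor's status reply never reaches the hub."""

    def __init__(self, jammed=False):
        self.jammed = jammed

    def deliver_reply(self, door):
        return None if self.jammed else door.state


def hub_close_toggle(door, link, retries=2):
    """Toggle semantics: every attempt flips the door; a retry after a lost
    acknowledgement undoes the first attempt."""
    for _ in range(retries):
        door.toggle()
        if link.deliver_reply(door) == "closed":
            return door.state  # acknowledgement received, hub reports success
        # no reply -> app shows "Something went wrong. Please try again."
    return door.state


def hub_close_explicit(door, link, retries=2):
    """Explicit target-state semantics: a retry re-sends "closed", so the
    door ends up closed no matter how many replies were lost."""
    for _ in range(retries):
        door.set_state("closed")
        if link.deliver_reply(door) == "closed":
            return door.state
    return door.state


def compare(jammed):
    """Final door state under both designs, starting from an open door."""
    return {
        "toggle": hub_close_toggle(Door("open"), Link(jammed)),
        "explicit": hub_close_explicit(Door("open"), Link(jammed)),
    }
```

With the reply jammed, `compare(True)` leaves the toggle design with an open door and the explicit design with a closed one; without jamming both close the door. The hub never learned the door's state either way, so the app's "try again" message is only safe when the command it resends cannot change the outcome.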

McAfee Advanced Threat Research Demo Chamberlain MyQ

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel, a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas City.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

SignalsEverywhere: The Ethics of Decoding and Sharing Private Information with SDRs

Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a new video that addresses the ethics of decoding private information with SDRs. The radio spectrum is full of private communications with little to no security around them. For example, hospital pagers in many countries and cities are completely unencrypted and easily decoded by anyone who can run a radio and install software on Windows. These messages often contain very private patient data. Another example he gives is Inmarsat AERO Medlink voice communications, and how he's seen full phone calls being shared online.

In the video Corrosive discusses the ethics of publicly sharing these private communications, even if they may be legal to receive and share in your country. He argues that sharing someone's private data and phone calls on the internet is in poor taste and is not okay, which I think is something everyone should be able to agree with.

SDR Ethics | We Need to Talk!

However, on the other side of the coin several responses to his video on Reddit share a different point of view. On that forum several expressed disagreement, noting that it's because these services are so insecure, that we should actively be sharing intercepted messages and trying to raise outrage and awareness about these privacy flaws. The argument stems from the idea that many information security researchers seem to take: if the public is not aware about their lack of privacy, only the bad guys will be taking advantage, and nothing will end up being properly secured by companies.

We've seen this approach taken by information security artists in the past like the Holy Pager art installation in New York. The temporary installation used a HackRF to continuously print out all pager messages being broadcast in an attempt to raise awareness about what private information is being sent for anyone to read. However, it may be one thing to share private data with a few art gallery patrons, versus the entire internet.

I think we should all at least agree on a middle ground. If you are listening to or decoding radio services that are meant to be private but are insecure for all to listen to, at least keep it to yourself, and don't share people's private conversations or data on the internet. If you want to raise awareness about the lack of security to put pressure on companies, censor people's private information and only describe in general terms what you are hearing.

RTL-SDR and HackRF Used in Mr. Robot – A TV Drama About Hacking

A few readers have written in to let us know the role SDRs played in the last season of "Mr. Robot". The show, which is available on Amazon Prime, is about "Mr. Robot", a young cyber-security engineer by day and a vigilante hacker by night. The show has actual cyber security experts on the team, so whilst still embellished for drama, the hacks performed in the show are fairly accurate, at least when compared to other TV shows.

Spoilers of the technical SDR hacks performed in the show are described below, but no story is revealed.

In the recently aired season 4 episode 9, a character uses a smartphone running an SSH connection to connect to a HackRF running on a Raspberry Pi. The HackRF is then used to jam a garage door keyfob operating at 315 MHz, thus preventing people from leaving a parking lot. 

Shortly after, she can be seen using the HackRF again with Simple IMSI Catcher. Presumably they were running a fake cellphone base station, as they use the IMSI information to try and determine someone's phone number, which leads to being able to hack their text messages. The SDR used in the fake base station appears to have been a bladeRF.

HackRF Used on Mr Robot

In season 4 episode 4 GQRX and Audacity can be seen on screen being used to monitor a wiretap via rtl_tcp and an E4000 RTL-SDR dongle.

E4000 RTL-SDR Being used for Wiretap Monitoring

Did we miss any other instances of SDRs being used in the show? Or have you seen SDRs in use on other TV shows? Let us know in the comments.

The Toosheh Project: An Outernet-like Service for Iran and the Middle East

If you've been following our blog over the years, you'll know that we've mentioned the "Outernet" (now known as "Othernet") service a few times. Othernet is a satellite service that wants to provide one way data such as news, weather, audio, books and Wikipedia articles to those in areas with poor, censored or no internet connection. Previous iterations made use of home satellite TV equipment, then L-band (with RTL-SDR receivers) and now the Ku-band with LoRa receivers. Currently it's only available in North America and Europe.

However, thanks to a reader we were recently informed about an interesting and long running Othernet-like service for the Middle East called "Toosheh" (aka Knapsack) which makes use of satellite TV dishes and receivers that are very common in the Middle East. While not specifically related to SDRs, this is an interesting RF related project and situation that we wanted to post about.

Our reader is from Iran, where the government recently shut down the entire country's internet for 7 days due to anti-government protests. The reader wanted to share information about the Toosheh project, which has been operating for several years now and is one of the ways Iranians can get around heavy internet censorship and blockages.

After two rough weeks of no internet access at all, finally, we're gaining access again and getting back online slowly. As you may know (if you are following the news), a complete internet shutdown was conducted by the I.R. of Iran due to some intense protests across the whole country against the government because of a sudden and unannounced 200% gas price increase. The internet is censored in my country anyhow, but this time it was a big one. We only had access to a few domestic websites and NOT even Google services! That was tough!

I know it may be irrelevant to the subject of your blog but it's good for your audience to understand and know the people who have worked hard way before the OUTERNET project to develop a satellite offline broadcast with almost no special devices to receive and use and bring free and uncensored information to the people in Iran.

The major role of the Toosheh project came during the Iran 2012 presidential election protests, when there were no major broadband internet services all over the country, and it did a lot to bring daily updates of news and TV programs.
Toosheh is one-way, receive-only from the satellite, but the tricky part is that Toosheh is not just a simple satellite data link; it appears as a TV channel in all satellite TV receivers, which are very common in Iran, so blocking it is hard for the government. However, some attempts were made by the government back at that time to collect the satellite dishes, jam the signals, or carry out mass destruction (!) of the satellite receivers, which are currently no longer common in most parts of the country (at least without unnecessary violence; check out this link: Bajestan News » Destruction of satellite equipment in Bajestan + photos (original title: بجستان نیوز » معدوم سازی تجهیزات ماهواره‌ای در بجستان+عکس)). (Admin note: Article is in Persian, use Google Translate to translate Persian to English)

The procedure to use this service is freaking simple. Set your dish to Yahsat and search for the channels on 11766 MHz. Select the Toosheh channel, plug a flash drive into your receiver and record the blank screen in .TS format using the PVR capability. After several hours of recording, unplug your flash drive and connect it to your phone, tablet or laptop. Then open the Toosheh app and you are good to go. Now you have access to dozens of free podcasts, music, books, movies, news, webpages, TV shows and much more that will be updated every single day, and if you need something specifically just send them an email. Exactly the same as the OUTERNET but without any special equipment and only with ordinary receivers that are available in almost every home nowadays.

Also if you see their website at toosheh.org and search some other press blogs about Toosheh you can gain more info about the topic.
Toosheh Website Image

We also note that this appears to be the English language version of the Toosheh project, which provides some more information about coverage and the technology used: https://knapsackforhope.org. Coverage is only available in the Middle East.

Toosheh Coverage

Using a HackRF to Investigate Why WiFi on the Raspberry Pi 4 Doesn’t work when Running HDMI at 1440p

The Raspberry Pi 4 launched with its fair share of problems, but a new problem seems to have been recently discovered and documented. It turns out that the Pi 4's WiFi stops working when running at a screen resolution of specifically 1440p.

Suspecting interference generated by the HDMI clock, Mike Walters (@assortedhackery) used a HackRF and a near field probe antenna to investigate. By placing the near field probe on the Raspberry Pi 4's PCB and running a screen at 1440p resolution he discovered a large power spike showing up at 2.415 GHz. This interferes directly with 2.4 GHz WiFi Channel 1.

An ExtremeTech article notes:

There's a giant spike that could easily interfere with Channel 1 of a Wi-Fi adapter. So why is this happening? Because a 2560×1440@60Hz has a pixel clock of 241.5MHz and has a TMDS (transition-minimized differential signaling) clock of 2.415GHz, according to Hector Martin (@Marcan42). And what frequency does the RBP4 use for Wi-Fi? 2.4GHz. Which means… outputting on HDMI over 1440p can cause interference in a Wi-Fi channel.

The ExtremeTech article also notes that this problem is not unique to the Raspberry Pi 4. It turns out that USB 3.0 hardware is to blame, and this problem has occurred before with USB 3.0 hard drives and on some MacBooks.
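The arithmetic in the quote generalizes into a quick check that a board designer or troubleshooter can run for any video mode. The following added example (not from the RTL-SDR blog, ExtremeTech, or the cited researchers) derives the TMDS bit clock from a pixel clock and reports which 2.4 GHz Wi-Fi channels its 20 MHz-wide neighbourhood overlaps. The list of video modes and their pixel clocks is constructed from standard timings; the channel plan is the usual 2.4 GHz one (channel centre = 2407 + 5n MHz for channels 1 to 13, 2484 MHz for channel 14).

```python
# Added example (not from the RTL-SDR blog or ExtremeTech): derive the HDMI TMDS
# clock for a video mode and check which 2.4 GHz Wi-Fi channels it overlaps.
# Pixel clocks below are standard timings (constructed list, not from the page).

TMDS_BITS_PER_PIXEL = 10  # HDMI/DVI serialise 10 TMDS bits per pixel clock (8b/10b)

# Constructed sample of common modes: name -> pixel clock in MHz
VIDEO_MODES_MHZ = {
    "1920x1080@60": 148.5,
    "2560x1440@60": 241.5,   # the mode discussed above
    "3840x2160@30": 297.0,
}


def tmds_clock_mhz(pixel_clock_mhz: float) -> float:
    """TMDS bit clock is ten times the pixel clock."""
    return pixel_clock_mhz * TMDS_BITS_PER_PIXEL


def wifi_24_channels(bandwidth_mhz: float = 20.0) -> dict:
    """Channel number -> (lower edge, upper edge) in MHz for the 2.4 GHz band."""
    centres = {n: 2407 + 5 * n for n in range(1, 14)}
    centres[14] = 2484  # Japan-only channel, offset from the 5 MHz grid
    half = bandwidth_mhz / 2
    return {n: (c - half, c + half) for n, c in centres.items()}


def overlapping_channels(freq_mhz: float, bandwidth_mhz: float = 20.0) -> list:
    """Channels whose occupied bandwidth contains the given frequency."""
    return [n for n, (lo, hi) in wifi_24_channels(bandwidth_mhz).items()
            if lo <= freq_mhz <= hi]


def interfering_modes(modes: dict = VIDEO_MODES_MHZ) -> dict:
    """Mode name -> list of 2.4 GHz channels its TMDS clock lands in (empty if none)."""
    return {name: overlapping_channels(tmds_clock_mhz(px)) for name, px in modes.items()}


if __name__ == "__main__":
    for name, channels in interfering_modes().items():
        clock = tmds_clock_mhz(VIDEO_MODES_MHZ[name])
        verdict = f"overlaps Wi-Fi channels {channels}" if channels else "clear of 2.4 GHz"
        print(f"{name}: TMDS clock {clock:.1f} MHz, {verdict}")
```

For the 1440p60 mode the TMDS clock of 2415 MHz sits inside the 20 MHz occupied bandwidth of channels 1, 2 and 3, which is why the page's measurement shows the spike on channel 1 and why moving the access point to a higher channel is the usual workaround. The check only covers the fundamental; harmonics of lower TMDS clocks (for example, the 1485 MHz clock of 1080p60) fall elsewhere and are not modelled here.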

While the interference appears to be localized to the near field around the Pi4 PCB, we suspect that you could use TempestSDR to remotely eavesdrop on the Pi 4's video output if the interfering signal was boosted.