Category: Security

SigintOS Version 2.0 Community Edition Released

SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as the RTL-SDR and TX capable SDRs like the HackRF, bladeRF and USRP radios.

The OS has a built in launcher UI that helps to automatically launch and set up parameters for various programs and GNU Radio scripts that are commonly used. Examples include an FM transmitter, GPS transmitter, GSM base station searcher, IMSI catcher, LTE base station searcher, LTE decoder and a jammer.

Recently the team behind SigintOS have released version 2.0 Community Edition. The team write on their release page:

About Community Edition

SigintOS 2.0 Community Edition; It was developed to provide a much better experience to its users. With a new interface, more stable and powerful infrastructure and development environment, it allows users to develop new tools in addition to existing tools.

Developing Signal Intelligence tools is now much easier with SigintOS™

It is now much easier to develop your own tools with SigintOS™, which contains the world’s most famous and free signal processing and communication software. You can develop them effortlessly with tools such as QT and KDevelop.

Say hello to the 5G World!

SigintOS™ offers you all the possibilities of the 5G world, free of charge and effortlessly!

Whats News?

  • A completely new look.
  • A more stable and robust infrastructure.
  • Latest drivers and software.
  • User-friendly interface that prioritizes habits.

SOFTWARE LIST

Most used software and features

  • Open5GS
  • srsRAN 4G
  • YateBTS
  • Gqrx
  • GnuRadio 3.8
  • SigDigger
  • SDRAngel
  • ADSB Viewer
  • Dump1090
  • OpenCPN
  • GPredict
  • BladeRF
  • HackRF
  • Rtl-SDR
  • USRP – UHD Drivers
  • Kalibrate RTL & HackRF
  • All Gr Modules
  • SigintOS SDR Hardware Monitor Widget
  • QTCreator
  • KDevelop
  • Mysql
  • MongoDB
  • Apache Web Server
  • Php
  • And more …

Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios

Dominic LeBlanc, Canada's Minister of Public safety has recently declared that they plan to ban devices "used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero". The text specifically calls out the Flipper Zero, however the wording appears to imply that any device that can copy a signal will be banned. This means the ban could extend to RX/TX SDRs like the HackRF and possibly even RX only SDRs like RTL-SDRs.

The Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. There are many CC1101 devices on the market, but the Flipper Zero has gained huge popularity on social media because of it's excellent software support, as well as its cute marketing tactic. In the past it was even featured on the popular Linus Tech Tips YouTube channel.

Flipper Zero has had a long line of setbacks including PayPal freezing 1.3M of its cash, and US customs temporarily seizing its shipments, then passing a $70,000 bill on to them for storage fees and Amazon banning the product on their marketplace.

In our opinion, we believe that the ban appears to be misguided. The Flipper Zero is a basic device that can only perform a simple replay attack, which is to record a signal, and replay it at a later time. These sorts of attacks do not work on vehicles built after the 90's which now use rolling codes or more sophisticated security measures. To defeat rolling code security, a more sophisticated attack called Rolljam can be used. A Rolljam device can be built for $30 out of an Arduino and two cheap transceiver modules.

However, according to arstechnica the biggest cause for concern in terms of car theft is a different sort of attack called "signal amplification relay".

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

This sort of attack is a lot less sophisticated in many ways as all you are doing is amplifying a signal, and no clever hardware like the Flipper Zero or a software defined radio is even required. The X video below demonstrates such a hack where a criminal holds up a loop antenna to a house. The loop antenna is connected to a signal amplifier which amplifies the keyfob signal, tricking the car into thinking the keyfob is nearby, and allowing the door to be unlocked by touching the handle, and then turned on with the push to start button.

Flipper zero note that they have not been consulted about the ban, and replied on X stating that they are not aware of the Flipper Zero being used for car theft.

Tech Minds: Video on DJI Drone Detection on the AntSDR E200

Just recently we posted about the release of some firmware for the AntSDR E200 which allows it to decode DJI DroneID. DroneID is a protocol designed to transmit the position of the drone and operator to authorized entities such as law enforcements and operators of critical infrastructure.

In his latest video Matt from the Tech Minds YouTube channel shows this firmware in action. In the video he first shows how to install the firmware, and how to connect to its serial output. He goes on to test it with his DJI Mini 4 Pro and show some live DroneID frames being decoded.

DJI Drone Hacking Using Software Defined Radio ANTSDR E200

DJI DroneID Detection Running on the AntSDR E200 CPU

DJI is a major manufacturer of consumer drones and their drones implement an RF protocol called DroneID which is designed to transmit the position of the drone and operator to authorized entities such as law enforcements and operators of critical infrastructure. 

Recently the AntSDR team have managed to get DJI DroneID decoding working on the AntSDR's onboard ARM processor. The decoding software runs on board the AntSDR E200 and outputs decoded data via the serial or network port. The AntSDR E200 is an SDR that is based on the AD9361 chip and has a 70 MHz to 6 GHz tuning range, 56 MHz of bandwidth and 12-bit ADC. It has 2x2 full duplex TX/RX channels and has an onboard FPGA with ARM CPU core.

They make use of existing code on GitHub from  https://github.com/proto17/dji_droneid and https://github.com/RUB-SysSec/DroneSecurity, both of which implement reverse engineered decoders for DroneID.

The update from AntSDR shows how to install the firmware onto the device and get it up an running. They note that drones that use Occusync 2 or 3 like the Mini2 or Mini3Pro work best, because other models may be encrypted or have a slightly different protocol which doesn't work with these decoders.

Aaron, creator of DragonOS has also uploaded a video showing the decoder in action.

DragonOS FocalX Decoding DJI DroneID w/ AntSDR E200 (MicroPhase)

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in European and many countries other than the USA. A major advantage to a digital communications protocol like TETRA is it's ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST" and most of the five vulnerabilities apply to almost every TETRA network in the world. These two most critical vulnerabilities allow TETRA to be easily decrypted or attacked by consumer hardware.

The first critical vulnerability is designated CVE-2022-24401 is described as decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability CVE-2022-24402 notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for a very easy brute force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back on their findings for over 1.5 years, notifying as many affected parties as possible, and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)

Video showing Flipper Zero Smoking a Smart Meter may be Fake

A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.

The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.

In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.

However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.

Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.

So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system. 

It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.

(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)

Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023

Flipper Zero Self Destructs an Electricity Smart Meter

Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. 

We've posted about the Flipper Zero a few times before on this blog, especially given that it is now a famously known device, having found popularity on TikTok and having been reviewed by famous Tech YouTubers like Linus Tech Tips

Recently a video on YouTube by Peter Fairlie has shown the destructive power of the Flipper Zero. In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually switching the meter on and off while under a heavy load resulted in the meter self destructing and releasing the magic smoke.

Hunting for Space Radio Pirates on the US Military Fleet Satcom Satellites

In the 70's and 80's the US government launched a fleet of satellites called "FLTSATCOM", which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other all over the world. However, the technology of the time could not implement encryption. So security relied entirely on only the US militaries technological advantage at being the only ones to have radio equipment that could reach these satellites.

Of course as time progressed equipment which could reach the 243 - 270 MHz range of the satellites became common place, and the satellites began picking and repeating terrestrial broadcasts of things like cordless phones. These days the satellites are often hijacked by Brazilian radio pirates, who use the satellites for long range communications.

A common hobby of RTL-SDR users is to listen to these pirates. All you need is a simple antenna and to be based in a region where the satellites cover both your ground station and the pirates.

Over on YouTube the "saveitforparts" channel has uploaded an entertaining video overviewing the pirate phenomenon, and showing how it's possible to listen in using a cheap Baogeng scanner and RTL-SDR. He uses a homemade Yagi and cleverly makes use of an old security camera motorized PTZ mount to accurately aim the antenna. Once the Yagi antenna is aimed at the satellite, pirates can be heard on the radio.

Searching For Space Pirates On Old Military Satellites

On a previous post, we showed an interview by SignalsEverywhere and an anonymous Brazilian radio pirate who explains how and why they do what they do. If you search our blog for 'satcom' you'll also find several previous posts including examples of receiving SSTV from pirates.