Category: Security

Tutorial on Performing a Replay Attack with a HackRF and Universal Radio Hacker

Over on YouTube channel Tech Minds has uploaded a short tutorial video that shows how to perform a replay attack with a HackRF and the Universal Radio Hacker software. A replay attack is when you record a control signal from a keyfob or other transmitter, and replay that signal using your recording and a TX capable radio. This allows you to take control of a wireless device without the original keyfob/transmitter. This is easy to do with simple wireless devices like doorbells, but not so easy with any system with rolling codes or more advanced security like most car key fobs.

In the video Tech Minds uses the Universal Radio Hacker software to record a signal from a wireless doorbell, save the recording, replay it with the HackRF, and also analyze it.

Universal Radio Hacker - Replay Attack With HackRF

An Introduction to Pagers with the HackRF PortaPack and an RTL-SDR

Over on YouTube user HackedExistence has uploaded a video explaining how POCSAG pager signals work, and he also shows some experiments that he's been performing with his HackRF PortaPack and an old pager.

The Portapack is an add on for the HackRF SDR that allows the HackRF to be used without the need for a PC. If you're interested in the past we reviewed the PortaPack with the Havok Firmware, which enables many TX features such as POCSAG transmissions.

POCSAG is a common RF protocol used by pagers. Pagers have been under the scrutiny of information security experts for some time now as it is common for hospital pagers to spew out unencrypted patient data [1][2][3] into the air for anyone with a radio and computer to decode.

In the video HackedExistence first shows that he can easily transmit to his pager with the HackRF PortaPack and view the signals on the spectrum with an RTL-SDR. Later in the video he explains the different types of pager signals that you might encounter on the spectrum, and goes on to dissect and explain how the POCSAG protocol works.

Intro to Pagers - POCSAG with HackRF

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

YouTube Video: Reverse Engineering with SDR

Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.

One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:

- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!

Reverse Engineering with SDR

Using a HackRF SDR to Sniff RF Emissions from a Cryptocurrency Hardware Wallet and Obtain the PIN

At last years Chaos Communication Congress (35C3) Conference, leveldown security presented their findings on multiple security vulnerabilities present in cryptocurrency hardware wallets.  Cryptocurrency is a type of digital asset that relies on computers solving cryptographic equations to keep the network trusted and secure. Popular cryptocurrencies include Bitcoin, Ethereum and Ripple. To access your cryptocurrency funds on a computer, a software application called a wallet is used.

However, if a computer holding a wallet is compromised, it is possible that the wallet could be opened by a hacker and funds transferred out. To improve security, hardware wallets are available. These are USB keys that require you to enter a PIN on the key before the funds can be accessed. If the USB key is not inserted and activated by the PIN, the wallet cannot be opened.

All electronic devices including hardware cryptocurrency wallets unintentionally emit RF signals. One possible attack against a hardware wallet is to analyze these RF emissions and see if any information can be obtained from them.  The team at leveldown found that the Ledger Blue cryptocurrency wallet in particular has a flaw where each PIN number button press emits a strong RF pulse. By using a HackRF and machine learning to analyze the unintentional RF output of each button press, the team was able to retrieve the PIN number with only RF sniffing from more than 2 meters away.

To do this they created a GNU Radio flowchart that records data from the HackRF whenever an RF pulse is detected. A small Arduino powered servo then presses the buttons on the wallet hundreds of times, allowing hundreds of RF examples to be collected. Those RF samples are then used to train a neural network created in Tensorflow (a popular machine learning package). The result is a network that performs with 96% accuracy.

If you're interested in exploring other unintentional RF emissions from electronics, check out our previous post on using the TempestSDR software to spy on monitors/TVs with unintentionally emitted RF, and the various other posts on our blog on this topic.

Hacking Iridium Satellites With Iridium Toolkit

Over on YouTube TechMinds has uploaded a video showing how to use the Iridium Toolkit software to receive data and audio from Iridium satellites with an Airspy. Iridium is a global satellite service that provides various services such as global paging, satellite phones, tracking and fleet management services, as well as services for emergency, aircraft, maritime and covert operations too. It consists of multiple low earth orbit satellites where there is at least one visible in the sky at any point in time, at most locations on the Earth.

The frequencies used by the older generation Iridium satellites are in the L-band, and the data is completely unencrypted. That allows anyone with an RTL-SDR or other SDR radio to decode the data with the open source Iridium Toolkit. If you're interested in how Iridium Toolkit was developed, see this previous post about Stefan "Sec" Zehl and Schneider's 2016 talk.

In the video Tech Minds shows decoding of various data, including an audio call and the satellite tracks and heat map of Iridium satellites.

Hacking Iridium Satellites With Iridium Toolkit

Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this years Defcon conference security researcher Pedro Cabrera held a talk titled  "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and drone. The concept he demonstrated is conceptually simple - just broadcast a more powerful signal so that the TV will begin receiving the fake signal instead. However, instead of transmitting with extremely high power, he makes use of a drone that brings a HackRF SDR right in front of the targets TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.
Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. In most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East they use smart TV's with the HbbTV standard. This allows for features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedros talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering

 

Using an RTL-SDR, RF Fingerprinting and Deep Learning to Authenticate RF Devices

Every device that transmits radio waves has a unique and identifiable RF fingerprint which occurs due to the very slightly variations in the hardware manufacturing process. This means that devices using identical transmitters of the same make and model can still be differentiated from one another.

Nihal Pasham has been using this knowledge as a way to securely identify IoT sensors and other RF devices like car keyfobs. The idea is that these unique RF fingerprints are immune to authentication spoofing which could be used to create a fake transmitter with fake data. He suggests that RF fingerprinting could be used as an additional authentication check for low cost IoT devices with only basic security.

In order to recognize the minute differences in the RF fingerprints of different devices Nihal notes that a good pattern detection algorithm is required, and that a deep learning neural network fits the bill. Using neural network software Tensorflow, and an RTL-SDR for signal acquisition, he was able to train a proof of concept neural model that was able to classify two test transmitters with 97% accuracy.

Training a Deep Learning Neural Network with an RTL-SDR for RF Fingerprinting
Training a Deep Learning Neural Network with an RTL-SDR for RF Fingerprinting

In the past we've seen similar experiments by Oona Räisänen who used an RTL-SDR to fingerprint several hand held radios heard on the air via small variances in the power and frequencies of each radio's CTCSS tone. Using simple clustering techniques she was able to determine exactly who was transmitting based upon the unique CTCSS.

In a somewhat similar fashion, Disney Research has also been working on a RF fingerprinting technique that uses an RTL-SDR based wrist watch to identify what particular electronic devices the wearer is touching.