Category: Security

DragonOS: LTE IMSI Sniffing using the LTE Sniffer Tool and an Ettus X310 SDR

DragonOS creator Aaron recently uploaded a video on YouTube showing how to capture IMSI data from an LTE-enabled phone by using the open-source LTE sniffer tool and Ettus X310 software-defined radio.

In the video, Aaron uses a simulated environment involving a Signal SDR Pro to simulate the LTE cell phone, a B205 Mini operating as the eNodeB (base station), and an Ettus X310 SDR for the actual LTE sniffing. The SRSRAN software running on DragonOS is used to simulate the LTE network environment.

Aaron goes on to show how the LTE sniffer software passively decodes the physical downlink control channels and captures IMSI numbers from user cell phones.

An IMSI is a unique identifier associated with a cell phone user's SIM card. IMSI sniffing cannot be used to listen to or decode voice, text, or data as they are all encrypted. However, bad actors can use IMSI sniffing to track the movement of devices/people.

DragonOS Noble Sniff + Passively Capture LTE IMSI (x310, b205mini, SignalSDR Pro)

RTL-SDR Jamming Detector Software

Over on GitHub, Alejandro Martín has recently released his open-source 'rtl-sdr-analyzer' software, which is an RTL-SDR-based signal analyzer and automatic jamming detector. The software is based on Python and connects to the RTL-SDR via an rtl_tcp connection.

Alejandro's software is advertised as having the following features:

  • 📊 Real-time Visualization: Advanced spectrum analysis with waterfall display
  • 🔍 Smart Detection: Automatic signal anomaly and jamming detection
  • 📈 Dynamic Analysis: Adaptive baseline calculation and threshold adjustment
  • ⚙️ Flexible Configuration: Fully customizable detection parameters
  • 🌐 Network Support: Built-in RTL-TCP compatibility for remote operation

The software works by continuously monitoring a frequency range, and creating a log whenever a signal is detected that exceeds a certain power value and duration. It can also monitor 'z-score', which determines if the current signal mean has deviated significantly from the baseline, which could indicate a jamming or interference event.

rtl-sdr-analyzer: An RTL-SDR Signal Analyzer & Jamming Detector
rtl-sdr-analyzer: An RTL-SDR Signal Analyzer & Jamming Detector

Saveitforparts: Listening in on Russian Soldiers Hijacking US Military Satellites

Over on the saveitforparts YouTube channel, Gabe has uploaded a video showing how he uses WebSDR streams to show how Russians, including Russian soldiers, are using old US Military satellites for long-range communications around Ukraine.

In the '70s and '80s, the US government launched a fleet of satellites called "FLTSATCOM," which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other worldwide. However, the technology of the time could not support encryption or secure access. So security relied entirely on only the US military's technological superiority of being the only one to have radio equipment that could reach the 243 - 270 MHz frequencies in use by these satellites. Of course, as time progressed, equipment that could reach higher frequencies became commonplace.

In the video, Gabe explains how many Russian soldiers involved in the Ukraine war are using these legacy satellites to communicate with each other. He notes that apart from voice comms, some channels are simply Russian propaganda and music, as well as some channels that appear to be jammed. Gabe also notes that the "UHF Follow-On Satellite" (UFO) satellites that were launched as recently as 2003 are also being hijacked, as they also have no encryption or secure access.

In the past, we also posted a previous video by Gabe about attempting to receive these satellites from his home in North America. However, on that side of the world, the satellites are being hijacked by Brazilian pirates instead.

Russia Is Hijacking US Military Satellites

The Taylorator: Flooding the Broadcast FM Band with Taylor Swift Songs using a LimeSDR

Over on Hackaday and creator Stephen's blog, we've seen an article about the 'Taylorator,' open source software for the LimeSDR that floods the broadcast FM band with Taylor Swift music. In his blog post, Stephen explains how he wrote this software, explaining the concepts behind audio preparation, FM modulation, and what computing hardware was required to implement it.

The advertised use case of the Taylorator is obviously a bit of a joke; however, as the video on Stephen's blog shows, his software can play a different song on every broadcast FM channel. So, there could be some use cases where you might want people to be able to tune an FM radio to custom music on each channel. Of course, you could also just use it to play a practical joke on someone.

In terms of legality, in his blog post, Stephen notes that blasting the broadcast FM band on every channel is probably not legal and may go against the spirit of low-power FM transmitter laws in most countries. However, he notes that spreading a few mW over 20 MHz of bandwidth results in a weak signal that is unlikely to travel very far. Regardless, we would advise potential users of the software to check their local laws before going ahead and playing around with something like this.

The software is open source and available on Stephen's GitLab.

The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel
The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel

CCC Conference Talk: BlinkenCity – Radio-Controlling Street Lamps and Power Plants

In another talk at the Chaos Computer Club (CCC) 2024 conference, Fabian Bräunlein, and Luca Melette talked about how vulnerable Europe's renewable energy production is to attacks via the longwave radio ripple control system. Essentially, attacks over radio could be used to remotely switch loads and power plants on and off in a way that could damage the grid.

The recorded talk can be viewed directly via the CCC website, or via the embedded YouTube player below.  

A significant portion of Europe's renewable energy production can be remotely controlled via longwave radio. While this system is intended to stabilize the grid, it can potentially also be abused to destabilize it by remotely toggling energy loads and power plants.

In this talk, we will dive into radio ripple control technology, analyze the protocols in use, and discuss whether its weaknesses could potentially be leveraged to cause a blackout, or – more positively – to create a city-wide Blinkenlights-inspired art installation.

With three broadcasting towers and over 1.3 million receivers, the radio ripple control system by EFR (Europäische Funk-Rundsteuerung) GmbH is responsible for controlling various types of loads (street lamps, heating systems, wall boxes, …) as well as multiple gigawatts of renewable power generation (solar, wind, biogas, …) in Germany, Austria, Czechia, Hungary and Slovakia.

The used radio protocols Versacom and Semagyr, which carry time and control signals, are partially proprietary but completely unencrypted and unauthenticated, leaving the door open for abuse.

This talk will cover:

  • An introduction to radio ripple control
  • Detailed analysis of transmitted radio messages, protocols, addressing schemes, and their inherent weaknesses
  • Hardware hacking and reversing
  • Implementation of sending devices and attack PoCs
  • (Live) demonstrations of attacks
  • Evaluation of the abuse potential
  • The way forward
38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

  • Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.
  • How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.
  • Running experiments on the Allen Telescope Array.
  • Analyzing the beam patterns of Iridium satellites.
  • Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.
  • What ACARS and Iridium have in common and how a community made use of this.
  • Experiments in using Iridium as a GPS alternative.
  • Discoveries in how the network handles handset location updates and the consequences for privacy.
  • Frame format and demodulation of the Iridium Time and Location service.
38C3 - Investigating the Iridium Satellite Network

SDR and RF Videos from DEFCON 32

Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly conference about information security, and some of the talks deal with wireless and SDR topics.

During the Defcon 32 wireless village, there were several interesting talks and the full playlist can be found here. The talks include introductions to software-defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio,  information about the allen radio telescope array, an introduction to the electronic warfare being used in Ukraine and much more.

Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including:

  • RF Attacks on Aviation's Defense Against Mid-Air Collisions (Video)
  • Breaking the Beam:Exploiting VSAT Modems from Earth (Video)
  • GPS spoofing it's about time, not just position (Video)
  • MoWireless MoProblems: Modular Wireless Survey Sys. & Data Analytics (Video)
DEFCON32 Logo
DEFCON32 Logo

Using a HackRF and JavaScript Browser App to Perform Rolljam Replay Attacks on a Car

Over on her website, Charlie Gerard has uploaded a page showing how she was able to perform a replay attack on a car's wireless entry system using a HackRF and a JavaScript browser app she wrote.

Previously, Charlie had already written a JavaScript browser app for ADS-B tracking with an RTL-SDR. To achieve this she used the WebUSB API, which allows USB devices to connect to JavaScript apps in a web browser.

Having recently purchased a HackRF she wanted to see if something similar was possible with the HackRF. In her post, Charlie shows and explains the JavaScript code required to connect to the HackRF from a Chrome browser, and how settings like gain, frequency and sample rate can be adjusted. She then shows how to use the Canvas API to visualize the received data. Finally, she shows how to use the File System Web API to record data, and ultimately retransmit the recorded data with the HackRF.

The replay attack itself is based on the rolljam idea. She uses two HackRF's, with one sitting closer to the car's receiver and jamming it, and another recording the car's keyfob. This prevents the car from incrementing the keyfob's rolling code, allowing it to be recorded and used again at a later time.

Charlie has also posted a video of her tests, which we embedded below.

Hacking my friend's car using JavaScript