Category: Security

USRP SDRs used to Break 3G to 5G Mobile Phone Security

According to researchers at the International Association for Cryptologic Research it is possible to snoop on 3G to 5G mobile users using a fake base station created by an SDR. It has been well known for several years now that 2G mobile phone security has been broken, but 3G to 5G remained secure. However, the researchers have now determined that lack of randomness and the use of XOR operations used in the Authentication and Key Agreement (AKA) cryptographic algorithm's sequence numbering (SQN) allows them to beat the encryption.

In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too.

Theregister.co.uk writes:

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective only when the user is within reach of a fake base station.

The full paper is available here in pdf form.

Tools used including a laptop, USRP B210 and a sim card reader.
Tools used including a laptop, USRP B210 and a sim card reader.

Motherboard Article: Creating an IMSI Catcher with an RTL-SDR

Motherboard, an online technology magazine has recently run an article titled "With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes". The article describes how an RTL-SDR together with the IMSI-Catcher Linux software can be used to collect IMSI numbers from cellphones connected to a nearby cell tower. The IMSI is a unique number assigned to each SIM card and collecting this data could be used to identify if someone is in the area covered by the cell tower.

The IMSI-Catcher software only works with the older 2G GSM signals which are now being phased out in some countries and are relatively unused in others. Also unlike more advanced IMSI-Catchers which create a fake cell tower signal, the RTL-SDR based IMSI-Catcher can only collect IMSI numbers when the cellphone first connects to the cell tower.

One of our older posts with a YouTube tutorial video explains the RTL-SDR IMSI Catcher in more detail. 

IMSI-Catcher Python Script
IMSI-Catcher Python Script

Stealing a Tesla Model S in Seconds by Cloning its Wireless Keyfob

Recently wired.com ran a story that explains how research hackers from KU Leuven university in Belgium have been able to clone a Tesla car key fob within seconds. With the cloned keyfob they are then able to open the Tesla's door, start the motors and drive away. The researchers believe this attack could also work on cars sold by McLaren and Karma, as well as Triumph motorcycles.

Like most automotive keyless entry systems, Tesla Model S key fobs send an encrypted code, based on a secret cryptographic key, to a car's radios to trigger it to unlock and disable its immobilizer, allowing the car's engine to start. After nine months of on-and-off reverse engineering work, the KU Leuven team discovered in the summer of 2017 that the Tesla Model S keyless entry system, built by a manufacturer called Pektron, used only a weak 40-bit cipher to encrypt those key fob codes.

The researchers found that once they gained two codes from any given key fob, they could simply try every possible cryptographic key until they found the one that unlocked the car. They then computed all the possible keys for any combination of code pairs to create a massive, 6-terabyte table of pre-computed keys. With that table and those two codes, the hackers say they can look up the correct cryptographic key to spoof any key fob in just 1.6 seconds.

The attack hardware consists of a Yardstick One dongle, a Proxmark RFID/NFC radio, and a Raspberry Pi connected to the 6TB hard drive containing the database of pre-computed keys. All together the cost of such a system is under $600.

The actual attack works by first bringing the RFID antenna and radio near the car and recording vehicles identifier code which is periodically transmitted by the car. Then the antenna is brought near to the owners keyfob and impersonates the car using the identifier code. This tricks the keyfob into sending out encrypted response codes which are then decrypted by the 6TB lookup table on the hard drive. The Yardstick One is then used to transmit the final unlock code at 433.92 MHz.

Tesla have since responded by noting that cars sold after June 2018 have improved encryption and aren't vulnerable to this attack, and that owners of cars manufactured earlier are able to enable an option that requires a PIN code to be entered. Owners could also take extra precautions such as using an RFID blocking pouch. Tesla vehicles also have built in GPS tracking which may deter thieves.

The video below shows the attack in action, and a short overview paper by the researchers can be found here.

COSIC researchers hack Tesla Model S key fob

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Using a HackRF to Spoof GPS Navigation in Cars and Divert Drivers

Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.

The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that it's current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.

The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.

In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.

Other researchers are working on making GPS more robust. Aerospace Corp. are using a HackRF to try and fuse GPS together with other localization methods, such as by using localizing signals from radio towers and other satellites.

[Also seen on Arstechnica]

Hardware and Method used to Spoof Car GPS Navigation.
Hardware and Method used to Spoof Car GPS Navigation.

Exposing Hospital Pager Privacy Breaches

It has been a known open secret that for years many hospitals have been transmitting sensitive patient data over the air completely unencrypted via their pager network. With a simple ultra cheap radio such as an RTL-SDR, or any other cheap radio scanner such as a Baofeng, it is possible to eavesdrop on this sensitive data with very little technical knowledge required. Hospitals appear to be reluctant to upgrade their systems despite clearly being in violation of HIPAA privacy regulations in the USA.

Recently, @WatcherData has been trying to bring attention to this ongoing security breach in his home state of Kansas, and last month was able to get a news article about the problem published in the Kansas City Star newspaper. Over on Twitter he's also been actively documenting breaches that he's found by using an RTL-SDR to receive the pager messages.

Interestingly, publicity generated by @WatcherData's newspaper article has brought forward a hostile response from the hospital in question. Over on Reddit /r/legaladvice, a forum where anyone can ask legal advice questions, @watcherdata posted the following:

I discovered some time ago that hospitals throughout my region of the US are sending messages to physician pagers that include the name, age, sex, diagnosis, room number, and attending physician. These can be seen by anyone with a simple RTL SDR device, and a couple of free programs.

This seems like a massive HIPAA violation. So I contacted the main hospital sending out most of the information, and they were extremely grateful. I got a call within a day from a high level chairman, he explained their steps to remediate, that their auditors and penetration testers missed it, and that they would have it fixed within a week. Sure enough, they started using a patient number and no identifiable information in the pages. A couple of other hospitals have fixed their systems too, after I started contacting them via Twitter.

Early on in this process, I contacted my local newspaper. They reached out to the hospital in question, and were met with a "very hostile" response. They immediately deflected from any HIPAA violations and explained that I (the source) am in violation of the Electronic Communications Privacy Act of 1986.

This was enough to scare me off completely. I've nuked all log files from my systems and stopped collecting data. The reporters want to know how I would like to proceed. Originally, I was going to get full credit for the find in their article. But now, I at least need to be anonymous, and am thinking about asking them not to run the story at all.

Among the replies there doesn't seem to be consensus on whether simply receiving pager messages in the USA is legal or not.

In the past we've seen similar attempts to bring attention to these privacy breaches, such as an art installation in New York called Holypager, which simply continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. Printing pager messages continuously.

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Micheal Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, now Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also also released slides from a recent talk that he did that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerd to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad
An RTL-SDR and SimpliSafe KeyPad

YouTube Talk: Investigating RF Controls with RTL-SDR

During the SANS Pen Test HackFest which was held back in 2017, speaker Katie Knowles who is a security consultant at MWR Infosecurity did a very informative talk on how an RTL-SDR can be used to investigate RF signals. The video has recently been uploaded to YouTube and is shown below. In the talk she goes over how to reverse engineer and understand simple RF protocols, like those used by common RF remote controls found in the home. She then goes on to talk about the basics of software like GNU Radio and rtl_433. The talk blurb reads:

Cranes, trains, theme park rides, sirens, and …ceiling fans? Modern RF protocols have made secure wireless communications easier to implement, but there’s still a horde of simpler RF control systems in the wireless world around us.

Lucky for us, the onset of affordable Software Defined Radios (SDRs) means that exploring these devices is easier than ever! In this talk, Katie examines capturing and understanding basic RF control signals from a common household controller with the affordable RTL-SDR so you can start your own investigations.

With a little knowledge of these protocols we can better explain what makes them risky to the environments we assess, practice thinking in the offensive mindset, and have some fun examining the signals around us.

Slides available here.

Signal Safari: Investigating RF Controls with RTL-SDR – SANS Pen Test HackFest 2017