TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in European and many countries other than the USA. A major advantage to a digital communications protocol like TETRA is it's ability to be secured via encryption.
Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST" and most of the five vulnerabilities apply to almost every TETRA network in the world. These two most critical vulnerabilities allow TETRA to be easily decrypted or attacked by consumer hardware.
The first critical vulnerability is designated CVE-2022-24401 is described as decryption oracle attack.
The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
The second vulnerability CVE-2022-24402 notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for a very easy brute force decryption.
The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back on their findings for over 1.5 years, notifying as many affected parties as possible, and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.
For more detail about the possible implications the team write:
The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.
The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.
The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.
Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.
Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.
Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.
We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.
A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.
The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.
In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.
However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.
Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.
So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system.
It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.
(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)
Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023
Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz.
We've posted about the Flipper Zero a few times before on this blog, especially given that it is now a famously known device, having found popularity on TikTok and having been reviewed by famous Tech YouTubers like Linus Tech Tips.
Recently a video on YouTube by Peter Fairlie has shown the destructive power of the Flipper Zero. In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually switching the meter on and off while under a heavy load resulted in the meter self destructing and releasing the magic smoke.
In the 70's and 80's the US government launched a fleet of satellites called "FLTSATCOM", which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other all over the world. However, the technology of the time could not implement encryption. So security relied entirely on only the US militaries technological advantage at being the only ones to have radio equipment that could reach these satellites.
Of course as time progressed equipment which could reach the 243 - 270 MHz range of the satellites became common place, and the satellites began picking and repeating terrestrial broadcasts of things like cordless phones. These days the satellites are often hijacked by Brazilian radio pirates, who use the satellites for long range communications.
A common hobby of RTL-SDR users is to listen to these pirates. All you need is a simple antenna and to be based in a region where the satellites cover both your ground station and the pirates.
Over on YouTube the "saveitforparts" channel has uploaded an entertaining video overviewing the pirate phenomenon, and showing how it's possible to listen in using a cheap Baogeng scanner and RTL-SDR. He uses a homemade Yagi and cleverly makes use of an old security camera motorized PTZ mount to accurately aim the antenna. Once the Yagi antenna is aimed at the satellite, pirates can be heard on the radio.
Searching For Space Pirates On Old Military Satellites
On a previous post, we showed an interview by SignalsEverywhere and an anonymous Brazilian radio pirate who explains how and why they do what they do. If you search our blog for 'satcom' you'll also find several previous posts including examples of receiving SSTV from pirates.
Since the Russian invasion of Ukraine, the EU has banned the broadcast of Russian TV channels. This is caused Russia to move their satellite broadcasts from internationally owned satellites, to their own "Express AM8" geostationary satellite.
The Russian satellite can be received from Europe and parts of South America. What's interesting in particular is the hacking and jamming attempts going on on this particular satellite. These breaches are likely to be from individual people or by the Ukrainian Ministry of Strategic Communication. An example of a hack by Ukrainian Ministry of Strategic Communication on 5 January 2023.
Express AM8 transponder 11647V was hacked today at 6:30 PM by Ukrainian Ministry of Strategic Communication. A New Year's address by Ukrainian President V. Selensky was shortly broadcast in Ukrainian on all program positions of the T2-MI transponder.
Express AM8 hacked by Ukraine to broadcast the New Years address by Ukrainian President V. Selensky
Alex 'Happysat' has written to us with the following information. The full guide to receiving TV from the satellite, and information about the satellite and signals and modulations used on the satellite is on GitHub at https://github.com/happysat/Express-AM8.
You may know that here in Europe a number of controversial Russian, Syrian and Iranian (news) channels are not allowed to be broadcast due to sanctions against Russia (everything) and Iran (Press TV).
The Russians moved most of the channels (Rossiya 24, RTR Planeta, NTV Mir, Perivy Kanal, Press-TV) to their own satellite Express AM8 some time ago.
Since it is not a normal DTH satellite such as Astra or Hotbird, everything happens there (jamming / hacks) which is interesting for many (dx) viewers.
Because it is relatively easy to receive in Europe and parts of South America, I have created a GitHub website with some useful tips and tricks.
Not only in terms of content, but also the technical side of it, the different modulations broadcast techniques T2-MI (unfortunately gone for a while after the hacks…) but also just old-fashioned DVB-S signals, Telemetry and some transponders (only symbol rate lower than >2000ks) are even without the need for a satellite receiver.
For example with an SDR radio and the AM-SAT program what the radio amateurs use on Eshail2.
And that a '14 west setup' can easily be made, which does not have to be expensive at all.
Since the famous takedown of a suspected Chinese spy balloon, US jets have shot down a total of three more unidentified balloon objects, now suspected by officials to be 'commercial or benign'. There is speculation that at least one these three objects may have been an amateur radio 'pico' balloon.
One part of the amateur radio hobby is launching high altitude balloons with various radio and other payloads. Larger amateur radio balloons launched in the USA require FAA clearance, need a radar reflector attached, and usually continually transmit APRS telemetry before naturally popping and falling back to earth after a few hours, just like a weather balloon.
However there is also the simpler 'pico' ballooning hobby, which involves the use of mylar helium party balloons to launch small solar powered payloads that are only a few grams in weight. They typically transmit low power WSPR at HF frequencies and can only transmit whenever there is sufficient solar power available. Amateur radio or SDR hobbyist stations around the world can pick up these transmissions, and report them on amateur.sondehub.org and/or wsprnet.org. Well built balloons can totally circumnavigate the globe several times over several months before degrading.
While termed 'pico', the party balloons used can still be roughly a meter in diameter on the ground, with some latex balloons potentially expanding further at high altitudes due to the low atmospheric pressure. These balloons can be legally launched from almost anywhere in the world. In particular in the USA there is no FAA clearance required to launch them due to their payload being much less than the limit of 4 lbs (1.8kg).
32" Silver Orb Shaped Mylar Balloon used for Pico Ballooning
There is speculation that at least one of the objects shot down over Canada, Yukon by a US Air Force jet may have been amateur radio pico balloon K9YO-15 which was launched from Illinois on October 10 2022. It was on it's seventh circumnavigation of the globe after being aloft for 123 days.
The launch blog post indicates that the K9YO-15 balloon was flying a silver mylar 32" sphere SAG balloon which appears to be this one from balloons.online. Unlike latex or rubber weather balloons which inflate and stretch as they rise into lower atmospheric pressures, these mylar balloons can't stretch, so their fully inflated ground size will be the same as their size at high altitudes, meaning the pico balloon won't get much bigger than 32". The payload was a GPS module, Arduino, SI5351 used as a WSPR and APRS transmitter and a solar panel, all together weighing 16.4 grams. A pentagon memo notes that the object shot down over Canada was a "small metallic balloon with a tethered payload" which fits the description of the pico balloon exactly.
The K9YO-15 Pico Balloon PayloadAn (unrelated to this story) example Amateur Radio Pico Balloon launched by a Naval Academy (Source: http://www.aprs.org/balloons.html)
The K9YO-15 balloon ceased all WSPR telemetry transmissions while flying just below Alaska since Feb 11 00:18 UTC (just before sunset in Alaska when the solar panels would stop working).
By using NOAA wind models and the last known location by Alaska, K9YO-15 was projected to have been over Yukon when the US Air Force shot down the unknown balloon object at Feb 11 20:41 UTC (3:41 PM EST / 1:41 PM Yukon time according to Canadian Defense Minister Anand). Reports put the altitude of the shot down object at approximately 40,000ft (~12000 meters), which matches the projected ~11500 meters of K9YO-15. Based on the previous days transmission times, it is suspected that if it were operational, the balloon would have begun transmitting again sometime later in the Yukon afternoon when the sun was stronger, but no transmissions have been seen.
K9YO projected location at the time the object was shot down.
The search area for the fallen balloon debris is reported to be in difficult to access terrain between Dawson City and Mayo. If we do a rough overlay of the predicted trajectory over a Google map, we can see that the predicted location of KY9O-15 at the reported time of the missile impact matches this description very well.
Rough trajectory overlay
Over on Twitter @ikluft (KO6YQ) has been reporting on this speculation, and has been keeping an eye on K9YO-15, awaiting telemetry transmission. We recommend following his account for further updates.
NIBBB #HamRadio club of Illinois🇺🇸 declared K9YO #balloon "missing in action" after no telemetry was received for 5 days. It was projected to be over Yukon Saturday when NORAD🇺🇸🇨🇦 shot down an "unknown object", close enough to raise questions. https://t.co/9ZkRqkc6Zr#aviation
Twitter user and ex project Google Loon engineer @BalloonSciDan has also speculated that the objects shot down may have been pico balloons.
These tiny amateur pico balloons are some of what the US shot down, and Romania sent jets up after. The rest of this group will wander in the air for months until they fail or are destroyed.
I see you're all talking about my tweet. Yes, we are still watching to see if K9YO-15 transmits any telemetry today.
So far K9YO-15 has not sent any new telemetry since Friday before sunset over Alaska. Some have misread confusing data presentation on Sondehub which lists last known telemetry as covering a time range from then to now. Currently the last we've heard from K9YO-15 was Friday Feb 10 before sunset over Alaska (00:48 GMT Feb 11). But the map on Sondehub does show the last reported position.
These floater balloons often use only solar panels, no batteries. Batteries were dropped from the projects early on because they have limited charging cycles before they stop accepting a charge, especially in the harsh temps at altitude, -40F/-40C or worse. When the battery stops accepting a charge, it ends telemetry from the mission. So they only report telemetry during daylight, when the sun is at a high enough angle to illuminate the tiny solar panels. In the Arctic winter, the days are short and the sun might not get high enough to wake up the electronics. So it stays dormant for one or more days until it drifts back down to lower latitudes where there's more sunlight. So K9YO-15 was in a period where watchers didn't expect to hear from it for a few days. But we expected it today. So far nothing. As I write this, daylight is almost done way up there for Tuesday, Feb 14.
We (the Amateur Radio balloon community) only expect any telemetry from it today would be via WSPR, none via APRS. WSPR uses HF and can be received at long distances, where it's relayed to Internet map sites. APRS is (usually) on VHF and UHF, only received by line of sight. There are no relay stations in range of today's projected flight course in northern Ontario and James Bay, Canada. So APRS-fed sites wouldn't show updates today anyway.
For an introduction, I'm Ian KO6YQ. I was involved in the first Ham Radio balloons that circumnavigated the globe starting in 2016, launched from San Jose, California. I had roles on them including tracking analyst and social media spokesman. I also organized and led the Ham Radio tracking teams which recovered the Civilian Space eXploration Team (CSXT) first amateur rocket to (suborbital) space in 2004.
Explaining a discrepancy with time reporting on Sondehub, KO6YQ notes:
Time has run out for solar power to provide any telemetry on Wednesday, February 15. So far, no new data. For those who were confused by it, remember that Sondehub has problematic data presentation so don't use it for anything other than mapping the last known position. A reliable place to check for K9YO on WSPR is the WSPR Spots: https://www.wsprnet.org/olddb?mode=html&band=all&limit=200&findcall=k9yo&findreporter=&sort=date
Frequently asked Questions (FAQ):
Since this story has gone viral and now entered the mainstream media, we thought we'd answer a few common questions that we're seeing in the media and comments.
Who is launching pico balloons and why?
Pico balloons are typically launched by ham/amateur radio hobbyists, universities, researchers, schools or kids STEM programs. The idea of launching a low cost balloon that can be tracked while travelling the world is a fun project for hobbyists and a great STEM learning experience for kids.
You might also be interested in tracking regular weather balloons which are launched by meteorological agencies around the world usually twice per day. These are designed to only last a few hours in the air before popping. They can be tracked at https://sondehub.org. A popular hobby of radio enthusiasts is chasing these weather balloons and being the first to recover the fallen sensor package called a radiosonde.
A pico balloon is essentially a kids party balloon. Why aren't there thousands of kids party balloons circumnavigating the globe?
Balloons will inflate more as they rise into the atmosphere, since higher altitudes have lower pressure. A kids party balloon would typically be inflated fully on the ground. If a careless child released a balloon it would rise up, and pop within a few hours, as it reaches an altitude of around 5000ft - 30,000ft (1500m - 9000m) or higher where the internal pressure of the balloon is too great for the balloon's material to hold it.
Pico balloons are weighted by their payloads, and are only partially inflated on the ground. The goal is to inflate with enough Helium or Hydrogen to get the payload to rise at ground level, but allow enough internal space for the balloon to expand without popping as it rises. The weighted balloon will eventually reach an equilibrium point at some altitude where it's fully inflated, but can't rise any higher due to the weighting. This is called being 'neutrally buoyant'. The balloon launcher can use a calculator (such as this one) to determine the right amount of helium to use based on the balloon size and payload weight.
Mylar balloons are used because helium atoms will leak out of the walls of latex/rubber balloons, and they will be flat within a few days. With Mylar balloons the leakage is much slower and they can stay inflated for months.
How can a pico balloon circumnavigate the globe?
As mentioned in the previous question, it's possible to engineer the height that the balloon will fly at by only partially inflating the balloon on the ground. Once at the desired altitude, winds will eventually pull the balloon into global jet streams that take the balloon all around the earth at an average speed of 80 - 140 mph (129 - 225 km/h).
A website like Ventusky can be used to view the current jet streams at 40,000ft (12,000m), the altitude that KY9O-15 was neutrally buoyant at.
In California helium balloons in general have been banned, to stop pollution, damage to wildlife, and to protect power lines.
The transmission of the WSPR and APRS telemetry radio signals would be allowed under amateur radio rules. UK, Yemen and North Korea are countries that prohibit transmissions from balloons, and compliance can be achieved via geofencing the transmissions in the software.
All information suggests that the NIBBB hobby club and KY9O's balloon were operating perfectly legally.
What exactly was the payload on the KY9O-15 pico balloon?
The payload was a GPS receiver, an Arduino microcontroller, a radio transmitter and some solar panels. The solar panels power the electronics when in sun, and the GPS receiver determines the global coordinates of the balloon. The microcontroller is the 'brain' of the payload which reads the GPS coordinates from the GPS receiver, and tells the transmitter to send out a WSPR radio signal advertising the balloons ID and coordinates.
These are all common off the shelf, small components that could all fit in the palm of a hand. They would in total cost under $100. K9YO's payload in total only weighed 16.4g (0.58 oz).
An F22 with all it's radio sensors should have picked up the transmissions from the pico balloon. Why didn't it?
Pico balloons usually don't carry batteries because they are heavy and degrade over time. So instead they carry paper thin solar panels. So the balloon circuits and transmitter are only active when in strong sunlight, any other time it is completely quiet and powered down. It's possible that in the weak Yukon sun at high latitude wouldn't have been strong enough to power the WSPR transmitter until later in the day.
How could a tiny 32" balloon be spotted by radar? How could a sidewinder missile lock onto it?
The pico balloon was made out of metallic mylar material which would easily show up on a modern radar system. It's possible that in the past before the Chinese spy balloon incident, radar operators would ignore or filter out slow moving small objects like insects/birds/balloons that pose no threat.
The sidewinder has a fragmentation warhead, so an explosion near the balloon would easily take it out. The metallic mylar material would easily reflect the sun's infrared, and against the cold background of the sky/space it would be easy for the IR heat seeker sensor on the sidewinder missile to track it.
The K9YO balloon was flying at altitudes used by commercial airliners. Is there any risk to them?
A jet coming across a pico balloon in the first place would be very unlikely, and even more unlikely for it to make it's way in to an engine even if an aircraft flew directly at it. But there is some risk that a balloon ingested by an jet engine could cause issues. However given their lightweight nature it seems unlikely that there would be any massive damage, if any at all.
What is WSPR and APRS?
WSPR (pronounced as 'whisper') stands for Weak Signal Propagation Reporter. It is a type of radio signal protocol used by amateur radio hobbyists. Because of the way it is designed, it is possible for WSPR to be transmitted with very low power (such as the tiny amount of power possible from small solar panels), and still be received by amateur radio ground stations all over the world. The WSPR signal encodes it's callsign ID, and the transmitters GPS location. Amateur ground stations will upload received WSPR data to sites like wsprnet.org.
APRS or "Automatic Packet Reporting System" is another protocol used by amateur radio hobbyists. However, these signals don't travel globally, rather they can only be received locally with line of sight. The advantage is that APRS signal can be transmitted much faster (assuming sufficient power).
Are we 100% certain that the object was the K9YO pico balloon?
No, despite the circumstantial evidence, there is still some doubt. The balloon was already old and probably near the end of it's life. The sun in the high Yukon latitudes is also weaker, meaning that the solar panels might not be getting sufficient sun to power the circuits. The balloon had previously gone missing for 30 days before reappearing. And the transmitter was showing signs of drifting in frequency.
Are there any other globe trotting radio projects?
Yes, there are small autonomous boats or 'drift buoys' travelling the seas through natural currents. These also use WSPR and APRS to report their location. hitchBOT was a hitchhiking robot that relied on travelling strangers to find and carry it around the world. It had a GPS receiver and 3G radio.
Over on Reddit user u/mknlsn has posted an interesting use for his RTL-SDR. He happens to live next door to a Hollywoood reality TV show production and was able to use his RTL-SDR to listen in on the wireless microphones fitted to the cast. The wireless microphones used by the production appear to be simple analogue FM modulated, without any sort of security.
We remind readers to check local laws on this sort of use, especially if recording audio, as some countries and US states may have differing laws on what can be recorded, or even listened to live. This would likely be considered private communications, so recording and sharing would definitely be illegal in most regions.
Recently we also posted about Frugal Radio using an Airspy SDR to listen in on wireless microphones from outside a theatre show.
Back in May we posted about CVE-2022-27254 where university student researchers discovered that the wireless locking system on several Honda vehicles was vulnerable to simple RF replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR. This vulnerability only affected 2016-2020 Honda Civic vehicles which came without rolling code security.
Recently a new vulnerability discovered by @kevin2600 that affects ALL Honda vehicles currently on the market (2012-2022) has been disclosed. The vulnerability is dubbed 'Rolling-PWN' (CVE-2022-27254) and as the name suggests, details a method for defeating the rolling code security that exists on most Honda vehicles. Rolling code security is designed to prevent simple replay attacks, and is implemented on most modern vehicles with wireless keyfobs. However @kevin2600 notes the following vulnerability that has been discovered:
A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design. By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.
The vulnerability has been tested on various Honda vehicles with HackRF SDRs, and this seems to indicate that all Honda vehicles since 2012 are vulnerable.
Although no tools have been released, the vulnerability is simple enough and we've already seen people replicate results.
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
The story of Rolling-Pwn has already been covered by magazines and news organizations such as TheDrive, Vice, NYPost, and FoxLA.
It should be noted that when the previous replay attack vulnerability was highlighted, Honda released a statement noting that it has no plans to update its older vehicles. It is likely that Honda will not issue updates for this vulnerability either. It is possible that this vulnerability extends beyond just Honda vehicles too.
