Category: Security

CCC Conference Talk: BlinkenCity – Radio-Controlling Street Lamps and Power Plants

In another talk at the Chaos Computer Club (CCC) 2024 conference (38C3), Fabian Bräunlein and Luca Melette showed how exposed Europe's renewable energy production is to attacks via the longwave radio ripple control system. Because the control messages are sent unencrypted and unauthenticated, an attacker with a suitable transmitter could remotely switch loads and power plants on and off in a way that could destabilize the grid.

The recorded talk can be viewed directly via the CCC website, or via the embedded YouTube player below.  

A significant portion of Europe's renewable energy production can be remotely controlled via longwave radio. While this system is intended to stabilize the grid, it can potentially also be abused to destabilize it by remotely toggling energy loads and power plants.

In this talk, we will dive into radio ripple control technology, analyze the protocols in use, and discuss whether its weaknesses could potentially be leveraged to cause a blackout, or – more positively – to create a city-wide Blinkenlights-inspired art installation.

With three broadcasting towers and over 1.3 million receivers, the radio ripple control system by EFR (Europäische Funk-Rundsteuerung) GmbH is responsible for controlling various types of loads (street lamps, heating systems, wall boxes, …) as well as multiple gigawatts of renewable power generation (solar, wind, biogas, …) in Germany, Austria, Czechia, Hungary and Slovakia.

The radio protocols in use, Versacom and Semagyr, which carry time and control signals, are partially proprietary but completely unencrypted and unauthenticated, leaving the door open for abuse.

This talk will cover:

  • An introduction to radio ripple control
  • Detailed analysis of transmitted radio messages, protocols, addressing schemes, and their inherent weaknesses
  • Hardware hacking and reversing
  • Implementation of sending devices and attack PoCs
  • (Live) demonstrations of attacks
  • Evaluation of the abuse potential
  • The way forward

38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

  • Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.
  • How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.
  • Running experiments on the Allen Telescope Array.
  • Analyzing the beam patterns of Iridium satellites.
  • Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.
  • What ACARS and Iridium have in common and how a community made use of this.
  • Experiments in using Iridium as a GPS alternative.
  • Discoveries in how the network handles handset location updates and the consequences for privacy.
  • Frame format and demodulation of the Iridium Time and Location service.

38C3 - Investigating the Iridium Satellite Network

SDR and RF Videos from DEFCON 32

Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON 32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly information security conference, and some of its talks deal with wireless and SDR topics.

During the DEFCON 32 Wireless Village there were several interesting talks, and the full playlist can be found here. The talks include introductions to software defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio, information about the Allen Telescope Array, an introduction to the electronic warfare being used in Ukraine, and much more.

Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including:

  • RF Attacks on Aviation's Defense Against Mid-Air Collisions (Video)
  • Breaking the Beam: Exploiting VSAT Modems from Earth (Video)
  • GPS spoofing: it's about time, not just position (Video)
  • MoWireless MoProblems: Modular Wireless Survey Sys. & Data Analytics (Video)

Using a HackRF and JavaScript Browser App to Perform Rolljam Replay Attacks on a Car

Over on her website, Charlie Gerard has uploaded a page showing how she was able to perform a replay attack on a car's wireless entry system using a HackRF and a JavaScript browser app she wrote.

Previously, Charlie had already written a JavaScript browser app for ADS-B tracking with an RTL-SDR. To achieve this she used the WebUSB API, which allows USB devices to connect to JavaScript apps in a web browser.

Having recently purchased a HackRF she wanted to see if something similar was possible with the HackRF. In her post, Charlie shows and explains the JavaScript code required to connect to the HackRF from a Chrome browser, and how settings like gain, frequency and sample rate can be adjusted. She then shows how to use the Canvas API to visualize the received data. Finally, she shows how to use the File System Web API to record data, and ultimately retransmit the recorded data with the HackRF.

The replay attack itself is based on the rolljam idea. She uses two HackRFs: one sits close to the car's receiver and jams it, while the other records the keyfob's transmission. Because the car never receives the jammed transmission, it does not advance its rolling-code counter, so the recorded code remains valid and can be replayed later.
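To make the security point concrete, here is an added example (not code from Charlie Gerard's post) modelling a rolling-code receiver in Python. The keyed tag, the shared key and the 16-code acceptance window are stand-ins for whatever the real car uses; what matters is the counter logic. It shows that a plain replay is rejected, and that a code captured while the car was jammed is still accepted later because the car never advanced its counter.

```python
"""Why a rolling-code keyfob is replay-resistant, and why RollJam still works.

Added example, not from Charlie Gerard's post. The cipher is a stand-in:
real fobs use proprietary schemes such as KeeLoq; an HMAC over the counter
models the same property (codes cannot be forged, only replayed)."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # secret shared by fob and car (constructed)
WINDOW = 16                    # counters the car accepts ahead of its last one


def code_for(counter: int) -> bytes:
    """Over-the-air code for a counter: 4-byte counter + 4-byte keyed tag."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:4]


class Fob:
    """Increments its counter on every press, whether or not the car hears it."""
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.counter)


class Car:
    """Accepts a code only if its tag is valid and its counter is ahead of
    the last accepted one (within WINDOW); then advances, killing old codes."""
    def __init__(self) -> None:
        self.last = 0

    def receive(self, code: bytes) -> bool:
        ctr = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, code_for(ctr)):
            return False
        if not self.last < ctr <= self.last + WINDOW:
            return False  # already used (replay) or too far ahead
        self.last = ctr
        return True


def naive_replay() -> tuple:
    """Record a press the car hears, then replay it: the replay is rejected."""
    fob, car = Fob(), Car()
    captured = fob.press()
    first = car.receive(captured)   # car consumes counter 1
    replay = car.receive(captured)  # counter 1 is no longer > car.last
    return first, replay


def rolljam() -> dict:
    """The jamming HackRF keeps the car from consuming the code the other one records."""
    fob, car = Fob(), Car()
    # Press 1: jammed at the receiver. Attacker records it; car hears nothing.
    stolen = fob.press()
    # Press 2: jammed again. Attacker records it and replays press 1, so the
    # victim's door opens and nothing seems wrong.
    stolen_next = fob.press()
    victim_opened = car.receive(stolen)     # counter 1 accepted: car.last == 1
    # Later: the attacker replays the still-unconsumed press 2.
    later = car.receive(stolen_next)        # counter 2 accepted
    again = car.receive(stolen_next)        # but only once
    return {"victim_door_opened": victim_opened,
            "later_replay_accepted": later,
            "second_replay_accepted": again}


if __name__ == "__main__":
    print("naive replay (first, replay):", naive_replay())
    print("rolljam:", rolljam())
```

The model also shows the limit of the attack: the stolen code is good for exactly one use and dies as soon as the victim's next press reaches the car, which is why the jammer has to keep a code in hand rather than reuse old ones.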

Charlie has also posted a video of her tests, which we embedded below.

Hacking my friend's car using JavaScript

WarDragon: Real-Time Drone Remote ID Tracking with Sniffle, TAR1090 and ATAK

Over on YouTube, Aaron, creator of DragonOS and the WarDragon kit, has uploaded a video showing how he was able to detect drone Remote ID broadcasts with a Bluetooth dongle and plot them on a TAK map. Remote ID is a broadcast system, mandated in many countries, in which a drone transmits identifying information including its GPS position, often over Bluetooth Long Range or Wi-Fi. Note that the Bluetooth dongle is not an SDR, but this story may still be interesting for many readers.

The setup uses Sniffle, an open-source Bluetooth sniffer for TI CC1352/CC26x2 based hardware. Sniffle passes the sniffed packets to SniffleToTak, open-source software that relays the Remote ID packets into a TAK server, from which they can be viewed in TAK clients such as ATAK.
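The step in that pipeline that turns a sniffed advertisement into a map marker is decoding the Remote ID payload. As an added example (not code from Sniffle or SniffleToTak), the Python below walks the AD structures of a BLE advertisement, picks out the Open Drone ID service data and decodes a Location message. The field layout follows the ASTM F3411 / opendroneid Location message as I understand it (an assumption to verify against the standard before relying on it), and the advertisement it parses is constructed inline, not a real capture.

```python
"""Decoder for a Remote ID Location message carried in a BLE advertisement.

Added example, not code from Sniffle or SniffleToTak. The field layout is
the ASTM F3411 / opendroneid Location message as the author understands it
(assumption: verify against the standard before relying on it); the
advertisement below is constructed, not a real capture."""
import struct

ODID_SERVICE_UUID = 0xFFFA   # 16-bit service UUID used by Open Drone ID
ODID_APP_CODE = 0x0D         # first byte of the service data
AD_TYPE_SERVICE_DATA = 0x16  # BLE AD type: service data, 16-bit UUID
MSG_LOCATION = 0x1           # message type nibble for Location/Vector
LOCATION_FMT = "<BBBBbiiHHHBBHBB"  # 25 bytes, little-endian


def encode_location(lat, lon, direction_deg, speed_mps, height_m, alt_geo_m,
                    tenths_since_hour, status=2):
    """Build one 25-byte Location message (used here only to construct input)."""
    ew, direction = (1, direction_deg - 180) if direction_deg >= 180 else (0, direction_deg)
    if speed_mps <= 255 * 0.25:
        mult, speed = 0, round(speed_mps / 0.25)
    else:
        mult, speed = 1, round((speed_mps - 255 * 0.25) / 0.75)

    def to_alt(metres):              # 0.5 m steps with a -1000 m offset
        return round((metres + 1000) * 2)

    return struct.pack(
        LOCATION_FMT,
        (MSG_LOCATION << 4) | 0x2,                    # message type | protocol version
        (status << 4) | (0 << 2) | (ew << 1) | mult,  # height type 0 = above takeoff
        direction, speed, 0,                          # vertical speed 0
        round(lat * 1e7), round(lon * 1e7),
        0, to_alt(alt_geo_m), to_alt(height_m),       # baro alt unknown (0)
        0, 0, tenths_since_hour, 0, 0)                # accuracies, timestamp, reserved


def decode_location(msg: bytes) -> dict:
    """Undo the scaling above; returns human units."""
    (hdr, flags, direction, speed, vspeed, lat, lon, _baro, alt_geo, height,
     _hv_acc, _bs_acc, ts, _ts_acc, _res) = struct.unpack(LOCATION_FMT, msg)
    if hdr >> 4 != MSG_LOCATION:
        raise ValueError("not a Location message")
    ew, mult = (flags >> 1) & 1, flags & 1
    return {
        "status": flags >> 4,
        "direction_deg": direction + 180 if ew else direction,
        "speed_mps": speed * 0.25 if mult == 0 else speed * 0.75 + 255 * 0.25,
        "vspeed_mps": vspeed * 0.5,
        "lat": lat / 1e7, "lon": lon / 1e7,
        "alt_geo_m": alt_geo / 2 - 1000, "height_m": height / 2 - 1000,
        "seconds_since_hour": ts / 10,
    }


def parse_advertisement(adv: bytes) -> list:
    """Walk the AD structures of an advertisement; decode any ODID Location messages."""
    found, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        body = adv[i + 1:i + 1 + length]
        i += 1 + length
        if len(body) < 5 or body[0] != AD_TYPE_SERVICE_DATA:
            continue
        uuid = int.from_bytes(body[1:3], "little")
        if uuid != ODID_SERVICE_UUID or body[3] != ODID_APP_CODE:
            continue
        msg = body[5:]                        # body[4] is the message counter
        if len(msg) == 25 and msg[0] >> 4 == MSG_LOCATION:
            found.append(decode_location(msg))
    return found


# Constructed advertisement: a Flags AD structure followed by one ODID Location message.
LOCATION_MSG = encode_location(51.5007, -0.1246, 270, 12.5, 42.0, 105.5, 12345)
SAMPLE_ADV = (bytes([0x02, 0x01, 0x06])
              + bytes([1 + 2 + 1 + 1 + 25, AD_TYPE_SERVICE_DATA, 0xFA, 0xFF,
                       ODID_APP_CODE, 0x07])
              + LOCATION_MSG)

if __name__ == "__main__":
    for m in parse_advertisement(SAMPLE_ADV):
        print(m)
```

A real capture carries other message types too (Basic ID with the serial number, System, Operator ID) and, over Bluetooth 5 Long Range, a Message Pack bundling several of them; the same AD-structure walk applies, only the per-message decoder changes. Anything that is not service data for UUID 0xFFFA with app code 0x0D is skipped, which is the filter a TAK relay needs to avoid plotting unrelated BLE beacons.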

Aaron tests the setup with his DJI drone flying nearby, and shows that the drone is successfully detected and plotted on the TAK map. He also plots the positions of nearby aircraft received via a second ADS-B receiver to show that drones and aircraft can be plotted on the same map.

WarDragon Enhancing Drone Remote ID Real-Time Tracking + ADS-B w/ ATAK (TAR1090, Sniffle) Part 3

HackRF and Portapack Featured in Recent Linus Tech Tips Video

Over on YouTube the Linus Tech Tips channel has recently released a video about the HackRF titled "It’s TOO Easy to Accidentally Do Illegal Stuff with This". Linus Tech Tips is an extremely popular computer technology YouTube channel. The HackRF is a popular transmit-capable software defined radio that was released about 10 years ago. The Portapack is an add-on that turns the HackRF into a handheld device, and when combined with the Mayhem firmware it gives easy access to some controversial tools that could get a user into a lot of legal trouble very fast.

In the video Linus, whose team is based in Canada, mentions that they decided to purchase the HackRF and similar devices because of the Canadian government's plan to ban various RF tools, including the Flipper Zero and HackRF.

Linus then discusses and demonstrates Van Eck phreaking with TempestSDR, showing how he can use the HackRF to wirelessly recover the image from a PC monitor. He then demonstrates how the Portapack can be used to jam a wireless GoPro camera transmitting over WiFi.

Finally, Linus discusses the legality and morality of such devices being available on the market.

It’s TOO Easy to Accidentally Do Illegal Stuff with This

BSidesPGH 2024 Talk: Introduction to Software Defined Radio For Offensive and Defensive Operations

Over on the YouTube channel "SecPGH" a talk by Grey Fox titled "Introduction to Software Defined Radio For Offensive and Defensive Operations" has been uploaded from the BSidesPGH 2024 conference. BSidesPGH 2024 was a security conference held in Pittsburgh, PA, USA on July 25.

The talks at BSidesPGH are generally about network security; Fox's talk, however, is all about RF security and software defined radio. In the talk he introduces SDR and devices like the Flipper Zero, and demonstrates basic examples such as receiving FM from a handheld radio and decoding ADS-B.

Next, he moves on to security topics, showing how to capture and analyze signals from a 433 MHz security alarm using an RTL-SDR and a Flipper Zero, and how to jam frequencies and replay captured signals. Finally, he demonstrates WiFi cracking with Kali Linux and a Flipper Zero with the WiFi dev board attached.

BSidesPGH 2024 Track 2 Grey Fox Introduction to Software Defined Radio For Offensive and Def

Eavesdropping on HDMI with TEMPESTSDR and SDRplay

Over on YouTube "Sam's eXperiments logs" has uploaded a video showing how he succeeded in using TEMPESTSDR to eavesdrop on HDMI cables with his SDRplay. TEMPESTSDR, combined with a software defined radio, lets a user eavesdrop on TVs, monitors and similar displays by receiving their unintentional RF emissions and recovering information from them. In many cases it is possible to recover live images of the display, clear enough to read text.

Sam's video explains the challenges he faced with signal strength due to the highly effective shielding of his HDMI cables, and shows how he removed the shielding from a cable to get the test working. This is good news for privacy, as it shows how effective shielding is at stopping these kinds of attacks. He then shows the results he obtained, with text readable from his screen.

I Finally Succeeded: HDMI Signal Eavesdropping with TEMPESTSDR