Category: Security

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

YouTube Video: Reverse Engineering with SDR

Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.

One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:

- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!

Reverse Engineering with SDR

Using a HackRF SDR to Sniff RF Emissions from a Cryptocurrency Hardware Wallet and Obtain the PIN

At last years Chaos Communication Congress (35C3) Conference, leveldown security presented their findings on multiple security vulnerabilities present in cryptocurrency hardware wallets.  Cryptocurrency is a type of digital asset that relies on computers solving cryptographic equations to keep the network trusted and secure. Popular cryptocurrencies include Bitcoin, Ethereum and Ripple. To access your cryptocurrency funds on a computer, a software application called a wallet is used.

However, if a computer holding a wallet is compromised, it is possible that the wallet could be opened by a hacker and funds transferred out. To improve security, hardware wallets are available. These are USB keys that require you to enter a PIN on the key before the funds can be accessed. If the USB key is not inserted and activated by the PIN, the wallet cannot be opened.

All electronic devices including hardware cryptocurrency wallets unintentionally emit RF signals. One possible attack against a hardware wallet is to analyze these RF emissions and see if any information can be obtained from them.  The team at leveldown found that the Ledger Blue cryptocurrency wallet in particular has a flaw where each PIN number button press emits a strong RF pulse. By using a HackRF and machine learning to analyze the unintentional RF output of each button press, the team was able to retrieve the PIN number with only RF sniffing from more than 2 meters away.

To do this they created a GNU Radio flowchart that records data from the HackRF whenever an RF pulse is detected. A small Arduino powered servo then presses the buttons on the wallet hundreds of times, allowing hundreds of RF examples to be collected. Those RF samples are then used to train a neural network created in Tensorflow (a popular machine learning package). The result is a network that performs with 96% accuracy.

If you're interested in exploring other unintentional RF emissions from electronics, check out our previous post on using the TempestSDR software to spy on monitors/TVs with unintentionally emitted RF, and the various other posts on our blog on this topic.

Hacking Iridium Satellites With Iridium Toolkit

Over on YouTube TechMinds has uploaded a video showing how to use the Iridium Toolkit software to receive data and audio from Iridium satellites with an Airspy. Iridium is a global satellite service that provides various services such as global paging, satellite phones, tracking and fleet management services, as well as services for emergency, aircraft, maritime and covert operations too. It consists of multiple low earth orbit satellites where there is at least one visible in the sky at any point in time, at most locations on the Earth.

The frequencies used by the older generation Iridium satellites are in the L-band, and the data is completely unencrypted. That allows anyone with an RTL-SDR or other SDR radio to decode the data with the open source Iridium Toolkit. If you're interested in how Iridium Toolkit was developed, see this previous post about Stefan "Sec" Zehl and Schneider's 2016 talk.

In the video Tech Minds shows decoding of various data, including an audio call and the satellite tracks and heat map of Iridium satellites.

Hacking Iridium Satellites With Iridium Toolkit

Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this years Defcon conference security researcher Pedro Cabrera held a talk titled  "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and drone. The concept he demonstrated is conceptually simple - just broadcast a more powerful signal so that the TV will begin receiving the fake signal instead. However, instead of transmitting with extremely high power, he makes use of a drone that brings a HackRF SDR right in front of the targets TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.
Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. In most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East they use smart TV's with the HbbTV standard. This allows for features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedros talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering

 

Using an RTL-SDR, RF Fingerprinting and Deep Learning to Authenticate RF Devices

Every device that transmits radio waves has a unique and identifiable RF fingerprint which occurs due to the very slightly variations in the hardware manufacturing process. This means that devices using identical transmitters of the same make and model can still be differentiated from one another.

Nihal Pasham has been using this knowledge as a way to securely identify IoT sensors and other RF devices like car keyfobs. The idea is that these unique RF fingerprints are immune to authentication spoofing which could be used to create a fake transmitter with fake data. He suggests that RF fingerprinting could be used as an additional authentication check for low cost IoT devices with only basic security.

In order to recognize the minute differences in the RF fingerprints of different devices Nihal notes that a good pattern detection algorithm is required, and that a deep learning neural network fits the bill. Using neural network software Tensorflow, and an RTL-SDR for signal acquisition, he was able to train a proof of concept neural model that was able to classify two test transmitters with 97% accuracy.

Training a Deep Learning Neural Network with an RTL-SDR for RF Fingerprinting
Training a Deep Learning Neural Network with an RTL-SDR for RF Fingerprinting

In the past we've seen similar experiments by Oona Räisänen who used an RTL-SDR to fingerprint several hand held radios heard on the air via small variances in the power and frequencies of each radio's CTCSS tone. Using simple clustering techniques she was able to determine exactly who was transmitting based upon the unique CTCSS.

In a somewhat similar fashion, Disney Research has also been working on a RF fingerprinting technique that uses an RTL-SDR based wrist watch to identify what particular electronic devices the wearer is touching.

Dronesense: A LimeSDR Based Drone Detector and Jammer

Over on the LimeSDR CrowdSupply blog, Ogün Levent has submitted a short article about his "Dronesense" project. Dronsense is a spectrum-scanning and jamming system based on the LimeSDR. The LimeSDR is a US$299 12-bit TX/RX capable SDR that can tune between 100 kHz – 3.8 GHz, with a maximum bandwidth of up to 61.44 MHz.

Drone defense is a problem that is plaguing airports, cities, sensitive buildings and the military. These days anyone with a low cost off the shelf drone can cause havoc. Solutions so far have included net guns, drone deployed nets, wideband jammers, GPS spoofers, traditional and passive radar systems, visual camera detection, propeller noise detection, microwave lasers and SDR based point and shoot drone jamming guns like the IXI Dronekiller.

Both the expensive made for military IXI Dronekiller SDR gun, and the LimeSDR Dronesense work in a similar way. They begin by initially using their scanning feature to detect and find potential drone signals. If a drone signal is detected, it will emit a jamming signal on that particular frequency, resulting in the drone entering a fail-safe mode and either returning to base or immediately landing. Specifically targeting the drone's frequency should help make the jammers compliant with radio regulations as they won't jam other legitimate users at the same time. We note that this method might not stop drones using custom RF communications, or fully autonomous drones.

Dronesense: Drone Detection and Jammer Mounted on another Drone, running on a LimeSDR.
Dronesense: Drone Detection and Jammer Mounted on another Drone, running on a LimeSDR.

However, unlike the IXI Dronekiller gun, Dronesense requires no pointing and aiming of a gun like device. Instead it appears to be mounted on another drone, with an omnidirectional jamming antenna. It runs with a GNU Radio based flowgraph which decides if a detected signal is from a drone, and if so activates the jammer. Unfortunately the software and further details don't appear to be available due to non-disclosure agreements.

DroneSense Second Jamming Test (Software Defined Aerial Platform)

Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is  tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.
Features of Quandl Inc's Corporate Aviation Intelligence Service.