Category: Security

Evaluating LoRaWAN Security with an RTL-SDR

Over on their blog Trend Micro have uploaded a post describing how they evaluated the security of LoRaWAN communications using an RTL-SDR. LoRaWAN is a wireless communications technology that allows for Internet of Things (IoT) connectivity at a much lower cost compared to cellular infrastructure. However, as described in their post LoRaWAN incorporates very little security, making connected devices an easy target for hackers.

The researchers at Trend Micro used an RTL-SDR together with the LoRaPWN software tool which is an improved version of the LoRa Craft Project. With LoRaPWN the researchers were able to intercept uplink and downlink packets. Then when combined with a brute force dictionary attack, they were then able to recover the encryption keys allowing them to decode the data.  Finally they were also able to demonstrate a denial of service attack which results in a device being unable to send further data.

For more information the technical paper (pdf) describing their full setup and tests is available, as well as an older post describing possible LoRaWAN attacks. There is also a YouTube video from "The Things Conference" which we have embedded below. In the video researcher Sebastian Dudek presents some of his findings on LoRaWAN security.

An RTL-SDR Blog V3 Intercepting LoRaWAN packets.
LoRaPWNing: Practical radio attacks on LoRaWAN - Sebastian Dudek (Trend Micro)

Etherify Talk from The rC3 Online Conference

The "Chaos Computer Club (CCC)" have recently been uploading videos to YouTube from their "Remote Chaos Experience rC3" online conference. One talk is by Jacek Lipkowski (SQ5BPF) who presents his Etherify project which we have posted about a few times on this blog already. Etherify is a program that allows users to exploit unintentional RF leakage from Ethernet hardware in order to transmit data over the air, essentially creating a primitive software defined radio. In particular the Raspberry Pi 4 was found to have extreme unintentional leakage, with the signal being receivable from over 50m away.

Primitive soft tempest demos: exfiltrating data via leakage from ethernet and more :)

In this talk i will describe shortly the concept of soft tempest, and show a demo of etherify and sonify. Etherify uses radio frequency leakage from ethernet to exfiltrate data. Sonify uses ultrasound.
Both demos by design use very primitive tools and hardware, and are easy to replicate.

#rC3 Etherify - bringing the ether back to ethernet

Steve Mould Hacks Into his Car with a HackRF

Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.

Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015. 

I Hacked Into My Own Car

Etherify 4: Using PC Ethernet RF Leakage to Transmit QRSS CW

Recently we've posted about Etherify a few times, mostly about how the unintentional RF leakage from the Raspberry Pi 4 Ethernet hardware is really strong and can be modulated to transmit data. In one of his latest posts Jacek Lipkowski (SQ5BPF) explores if Ethernet ports on PC's exhibit any sort of RF leakage too, and if it can be modulated into a data signal.

The answer is yes, there is some RF leakage, however unlike the Pi 4 the speed at which the leakage can be modulated is much slower, and also the signal strength is much lower. Despite the slow modulation speed, Jacek was still able to transmit data by using QRSS CW, which is essentially just very slow morse code. Using this idea he was able to transmit, and receive the CW signal with an RTL-SDR over a distance of 3 meters at 375 MHz, 625 MHz and 250 MHz. The signal strength is nothing like the Pi 4's Ethernet RF leakage which can be received strongly from over 50 meters away however.

Etherify: Transmitting QRSS CW via Ethernet RF leakage from PC to PC

Testing the Mayhem Firmware on a HackRF Portapack

The Portapack is an add on for the popular HackRF SDR which allows the HackRF to be used portably without a PC. Recently the cost of this hardware duo has come down to below US$150 due to low cost Chinese clones now being available on the market. Generally the clones are of good quality too.

Once you have the hardware it is possible to install third party custom firmware such as "Mayhem" on the Portapack which enables many features such as the ability to receive and transmit various different types of RF protocols. Back in 2018 we did a review of Mayhems predecessor which was known as the "Havok" firmware. More recently Tech Minds did a video overview of Mayhem.

Now over on his blog A. Petazzoni has started a new blog series which aims to introduce the basics of the Mayhem firmware, including installation and some hands on testing with RF spoofing, denial-of-service (DoS) and replay attacks. Currently only his first post is out, and in the post he show how to install Mayhem onto the Portapack, then goes on to briefly overview some applications such as RF replay attacks, replicating wireless remote controls, receiving and transmitting POCSAG, receiving and transmitting ADS-B, and creating a jammer.

Obviously a lot of what you can do with a Portapack and the Mayhem firmware is extremely illegal and very dangerous, so please do be careful with what and where you transmit especially if you are new to RF hobby. These signals should remain in your test area only, and not leak out into the wider environment.

[Also seen on Hackaday]

HackRF Portapack transmitting a spoofed pager message.

Etherify: Pi 4 Exhibits Very Strong Ethernet RF Leakage

Not too long ago we posted about Jacek Lipkowski (SQ5BPF)'s project called "Etherify" which seeks to use unintentional RF radiation from Ethernet hardware/cables to transmit arbitrary signals such as morse code and FSK. During his earlier experiments he noted how he felt that the Raspberry Pi 4 had an unusually strong radiated Ethernet signal. In his recent post Jacek investigates this further.

Indeed his new tests seem to confirm that the Pi 4 has excessive RF leakage from the Ethernet hardware. His latest results have shown that he was able to receive the Ethernet leakage strongly from 50 meters away without any cable connected to the Ethernet port to act as a radiator. Jacek's post contains a number of demonstration videos such as the one below.

He admits that his particular Pi 4 unit might be unique in this regard. If anyone else tests this and can confirm excessive leakage, please let us know in the comments.

Ethernet RF leakage received strongly from 50m away without any antenna on the Pi 4

Etherify: Transmitting Morse Code via Raspberry Pi Ethernet RF Leakage

Over on his blog SQ5BPF has been documenting a TEMPEST experiment where he's been able to transmit data via RF being leaked from a Raspberry Pi's Ethernet connection. The idea was born when he found that his Raspberry Pi 4 was leaking a strong RF signal at 125 MHz from the Ethernet cable. He went on to find that it was easy to turn a tone on and off simply changing the Ethernet link speed with the "ethtool" command line tool. Once this was known it is a simple matter of creating a bash script to generate some morse code.

Quite amazingly the Ethernet RF leakage is very strong. With the Raspberry Pi 10 meters away, and a steel reinforced concrete wall in between, SQ5BPF was able to receive the generated morse code via an RTL-SDR connected to a PC. Further experiments show that with a Yagi antenna he was able to receive the signal from 100 meters away.

His post explains some further experiments with data bursting, and provides links to the scripts he created, so you can try this at home.

Update - SQ5BPF also notes the following:

The leakage differs a lot with the hardware used. The Raspberry Pi 4 is exceptional and also allows to switch the link speed quickly, so was a nice candidate for a demo, but other hardware works as well.

The first tests were done on some old laptops I had laying around, and they leak as well. Maybe someday I will publish this, but everyone of them behaves differently.

Etherify 1 demo receiving via SDR and decoding via fldigi

RF Fingerprinting ADS-B Signals for Security

At this years ICNP 2020 IEEE conference a paper titled "Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting" (pdf file) was presented by researchers from Harbin Engineering University in China. The idea presented in the paper is to use RF "fingerprinting" techniques to uniquely identify and confirm that the ADS-B signal originates from the correct aircraft source.

RF fingerprinting works on the premise that every transmitter has small manufacturing variances that result in slightly different signals be transmitted, resulting in a unique "fingerprint" that can be traced to a particular transmitter. The idea here is to use these fingerprints to ensure that a known aircraft is indeed transmitting an ADS-B signal and the signal is not being transmitted from a fake spoofer. ADS-B is completely unencrypted and not authenticated, so spoofing of ADS-B signals may be a real security threat.

In the teams research they use an RTL-SDR to collect ADS-B signals from five different aircraft. They then use that data to create "Contour Stellar Images" and train a deep learning neural network which after training accurately identifies which aircraft a signal comes from.

Aircraft ADS-B Fingerprinting

In previous posts we've seen the idea of fingerprinting used by Disney research and others to identify electronic devices, to authenticate RF IoT devices and to identify handheld transmitters via CTCSS fingerprints.