Category: Security

YouTube Tutorial: Building a Passive IMSI Catcher with an RTL-SDR

Thank you to M Khanfar for submitting his YouTube tutorial on how to build a passive IMSI catcher with an RTL-SDR. He writes:

In this video I show the process of building a passive IMSI catcher in easy steps. The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised today! Easy step-by-step install and running under a virtual machine with Ubuntu 18.04 and a cheap SDR dongle!

Intro
An IMSI catcher is a device commonly used by law enforcement and intelligence agencies around the world to track mobile phones. They are designed to collect and log IMSI numbers, which are unique identifiers assigned to mobile phone subscriptions. Under certain circumstances, IMSI numbers can be linked back to personal identities, which inherently raises a number of privacy concerns.

The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised. Nothing in this video is necessarily new, and those with less than honest intentions are most certainly already using these (or similar) devices.

This video walks through the processes of building a passive IMSI catcher, which is distinctly different from traditional IMSI catchers in that it does not transmit nor does it interfere with cellular networks in any way.

Traditional IMSI catchers are illegal in most jurisdictions due to the fact that they transmit on cellular frequencies (which requires a license), and that they essentially perform a man-in-the-middle attack between a phone and mobile base station (which breaks all sorts of anti-hacking laws). A passive IMSI catcher does neither of these.

How it works
The passive IMSI catcher works by capturing IMSI numbers when a phone initializes a connection to a base station. The IMSI is only disclosed during this initial connection. In an effort to protect privacy, all subsequent communication to that base station is done with a random Temporary Mobile Subscriber Identity (TMSI) number.

This means you will only collect IMSI numbers for devices as they move between base stations. Traditional IMSI catchers work differently, by spoofing a legitimate base station and forcing subscribers to connect to itself. They have the added ability to collect data about stationary devices, and can potentially have a more targeted range.

The only hardware required is a PC and an SDR receiver that supports GSM frequencies. Generally this means 850/900/1,800/1,900 MHz. Most of the inexpensive RTL2832U based receivers have an upper-frequency range of about 1,700 MHz. You can get by with one of these, but of course, you won't be able to listen to stations at 1,800 or 1,900 MHz.

You can easily search for GSM towers around you and show their frequencies, then select a specific tower and access its HLR data. You can then locate the tower on Google Maps once you have specific data collected from the SDR in the terminal, like MCC, MNC, LAC, CELLID. You can easily add this data on this website: https://cellidfinder.com/cells and locate it on the map, and you can use the IMSI number that you sniff to collect detailed info from a database; subscription access to the full database is available from this website: https://www.numberingplans.com

Building a Passive IMSI Catcher


Opening a Parking Barrier with a HackRF Portapack and a Replay Attack

Over on YouTube user kwon lee has uploaded a video demonstrating a replay attack against a parking barrier arm. The tools he uses are a HackRF and Portapack running the Havok firmware. A replay attack involves recording a control signal with the HackRF+Portapack, and then replaying it later with the transmit function of the HackRF. If no wireless security mechanism like rolling-codes are used, simply replaying the signal will result in the transmission being accepted by the controller receiver.

As he has access to the remote control, he records the transmission that is sent when the open button is pressed on the remote. Later, once outside, he shows how transmitting with the HackRF+Portapack results in the barrier arm opening.

This reminds us of a previous post where we noted how a HackRF was used to jam a garage door keyfob to prevent people from leaving in the TV show "Mr. Robot".

RF Replay Attack _ Parking-Breaker via HackRFone+Portapack+havoc

Gaining Access to Windows on the Flex 6500 SDR Transceiver and Installing Other Programs

The Flex 6500 is a now discontinued (only refurb units available for US$2,600) transceiver SDR made for amateur radio use. Together with the optional Maestro control panel, it forms a fully standalone SDR based transceiver, with built in SDR software available on the Maestro's LCD screen. The system runs embedded Windows and is locked down to prevent the user from getting outside the Flex radio software.

However, a Norwegian university radio club found the Flex radio to be very inflexible, as they could not connect the radio to their university's WiFi system, which requires users to authenticate first via a web browser. What should be a simple task on any Windows system was unfortunately not supported by the radio software, and Flex Radio themselves were unable to help.

Fortunately the students were able to hack the Windows filesystem via a backdoor found in the built in software, allowing them full access to the Windows desktop. The hack is fairly simple, consisting of gaining access to Notepad and thus the filesystem and command prompt via a "view source" right click menu on the web login interface. Once hacked, the students were able to install custom software like the N1MM+ contest logger, and WSJT-X for WSPR decoding. They were also able to connect a Bluetooth keyboard and mouse which was not supported by default.

[Also seen on Hackaday]

FlexRadio 6500 hacked to gain access to Windows.

Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain's MyQ Hub, a "Universal" IoT garage door automation platform. Such a device allows you to operate and monitor the status of your garage door remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.

Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.

Although the system utilizes rolling codes for security, McAfee researchers made use of the "rolljam" technique, which is one well known method for breaking rolling code security. The basic idea is to use an SDR or other RF device to jam the signal, collect the second rolling code after two key presses, then play back the first. Now the attacker has the second, unused rolling code ready to be played back at any time.
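To make the difference between the two posts above concrete (the fixed-code parking barrier that accepts a plain replay, and the rolling-code MyQ remote that does not but is still exposed to rolljam), here is a toy model of both receiver designs. It is an added example written for this page, not code from either product; the shared key, the 8-hex-digit code format and the 16-code look-ahead window are all constructed assumptions.

```python
import hmac, hashlib

SECRET = b"constructed-demo-key"  # constructed: shared by fob and receiver in this model
WINDOW = 16                        # assumed: how far ahead the receiver will resync

def rolling_code(counter: int) -> str:
    """Code for a counter value: truncated HMAC of the counter under the shared key."""
    return hmac.new(SECRET, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:8]

class Fob:
    def __init__(self):
        self.counter = 0
    def press(self) -> str:
        self.counter += 1
        return rolling_code(self.counter)

class FixedCodeReceiver:
    """Accepts one static code forever, so any recording of it stays valid."""
    def __init__(self, code: str):
        self.code = code
    def receive(self, code: str) -> bool:
        return hmac.compare_digest(code, self.code)

class RollingCodeReceiver:
    """Accepts a code only if it matches a counter in (last, last + WINDOW]."""
    def __init__(self):
        self.last = 0
    def receive(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(code, rolling_code(c)):
                self.last = c       # every counter up to c is now burned
                return True
        return False

def fixed_code_replay() -> bool:
    rx = FixedCodeReceiver("DEADBEEF")   # constructed static code
    captured = "DEADBEEF"                # recorded during a legitimate press
    return rx.receive(captured)          # True: the barrier opens again

def rolling_code_replay() -> bool:
    fob, rx = Fob(), RollingCodeReceiver()
    captured = fob.press()
    rx.receive(captured)                 # legitimate press delivered and accepted
    return rx.receive(captured)          # False: an already-used counter is rejected

def rolljam() -> tuple:
    """Two presses are jammed so the receiver sees neither; the first is then
    replayed so the door works for the owner, leaving the second still valid."""
    fob, rx = Fob(), RollingCodeReceiver()
    first, second = fob.press(), fob.press()   # both jammed, neither delivered
    opened_for_owner = rx.receive(first)       # first code replayed: accepted
    later = rx.receive(second)                 # unused second code still accepted
    return opened_for_owner, later
```

The window-based receiver cannot distinguish a delayed legitimate press from a captured one, which is exactly the gap rolljam relies on; a one-way code alone cannot close it.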

McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they utilized an SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming and not the use of a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when he thinks that he is closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

McAfee Advanced Threat Research Demo Chamberlain MyQ
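The design flaw McAfee describes is a stateless toggle command combined with a confirmation that can be lost. The following model, added for this page and not the MyQ firmware, walks through the "try again" sequence from the quote with a toggle-style relay pulse and, beside it, an explicit CLOSE command that is safe to retry; the Door, Sensor and hub functions are constructed for illustration.

```python
class Door:
    def __init__(self, state: str = "open"):
        self.state = state
    def toggle(self):
        """Stateless relay pulse: whatever the door is doing, reverse it."""
        self.state = "closed" if self.state == "open" else "open"
    def set_state(self, target: str):
        """Explicit command: moving to the state it is already in is a no-op."""
        self.state = target

class Sensor:
    """Tilt sensor that radios the door state back to the hub unless jammed."""
    def __init__(self, door: Door, jammed: bool):
        self.door, self.jammed = door, jammed
    def report(self):
        return None if self.jammed else self.door.state

def toggle_hub_close(door: Door, sensor: Sensor, max_attempts: int = 2) -> str:
    """User taps 'close'; the hub pulses the relay and waits for a 'closed' report.
    No report means the app says 'Something went wrong. Please try again.' and
    the user taps again, which pulses the relay a second time."""
    for _ in range(max_attempts):
        door.toggle()
        if sensor.report() == "closed":
            break                    # confirmation received, stop retrying
    return door.state

def explicit_hub_close(door: Door, sensor: Sensor, max_attempts: int = 2) -> str:
    """Same retry loop, but the command carries the intended end state, so a
    retry after a lost confirmation cannot reverse the door."""
    for _ in range(max_attempts):
        door.set_state("closed")
        if sensor.report() == "closed":
            break
    return door.state

def demo(jammed: bool) -> dict:
    """Final door state under both designs, starting from an open door."""
    d1, d2 = Door("open"), Door("open")
    return {
        "toggle": toggle_hub_close(d1, Sensor(d1, jammed)),
        "explicit": explicit_hub_close(d2, Sensor(d2, jammed)),
    }
```

Without jamming both designs end closed; with the sensor jammed the toggle design ends open after the retry while the explicit design still ends closed.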

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas City.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

SignalsEverywhere: The Ethics of Decoding and Sharing Private Information with SDRs

Over on the SignalsEverywhere YouTube channel Corrosive has uploaded a new video that addresses the ethics of decoding private information with SDRs. The radio spectrum is full of private communications with little to no security around them. For example, hospital pagers in many countries and cities are completely unencrypted and easily decoded by anyone who can run a radio and install software on Windows. These messages often contain very private patient data. Another example he gives is Inmarsat AERO Medlink voice communications, and how he's seen full phone calls being shared online.

In the video Corrosive discusses the ethics of publicly sharing these private communications, even if they may be legal to receive and share in your country. He argues that sharing someone's private data and phone calls on the internet is in poor taste and is not okay, which I think is something everyone should be able to agree with.

However, on the other side of the coin, several responses to his video on Reddit share a different point of view. On that forum several commenters expressed disagreement, noting that it's precisely because these services are so insecure that we should actively be sharing intercepted messages and trying to raise outrage and awareness about these privacy flaws. The argument stems from a position that many information security researchers seem to take: if the public is not aware of their lack of privacy, only the bad guys will be taking advantage, and nothing will end up being properly secured by companies.

We've seen this approach taken by information security artists in the past like the Holy Pager art installation in New York. The temporary installation used a HackRF to continuously print out all pager messages being broadcast in an attempt to raise awareness about what private information is being sent for anyone to read. However, it may be one thing to share private data with a few art gallery patrons, versus the entire internet.

I think we should all at least agree on a middle ground. If you are listening to/decoding radio services that are meant to be private but are insecure for all to listen to, at least keep it to yourself, and don't share people's private conversations/data on the internet. If you want to raise awareness about the lack of security to put pressure on companies, censor people's private information and only mention in general terms what you are hearing.

RTL-SDR and HackRF Used in Mr. Robot – A TV Drama About Hacking

A few readers have written in to let us know the role SDRs played in the last season of "Mr. Robot". The show which is available on Amazon Prime is about "Mr. Robot", a young cyber-security engineer by day and a vigilante hacker by night. The show has actual cyber security experts on the team, so whilst still embellished for drama, the hacks performed in the show are fairly accurate, at least when compared to other TV shows.

Spoilers of the technical SDR hacks performed in the show are described below, but no story is revealed.

In the recently aired season 4 episode 9, a character uses a smartphone running an SSH connection to connect to a HackRF running on a Raspberry Pi. The HackRF is then used to jam a garage door keyfob operating at 315 MHz, thus preventing people from leaving a parking lot. 

Shortly after she can be seen using the HackRF again with Simple IMSI Catcher. Presumably they were running a fake cellphone base station, as they use the IMSI information to try and determine someone's phone number, which leads to being able to hack their text messages. The SDR used in the fake base station appears to have been a bladeRF.

HackRF Used on Mr Robot

In season 4 episode 4 GQRX and Audacity can be seen on screen being used to monitor a wiretap via rtl_tcp and an E4000 RTL-SDR dongle.

E4000 RTL-SDR Being used for Wiretap Monitoring

Did we miss any other instances of SDRs being used in the show? Or have you seen SDRs in use on other TV shows? Let us know in the comments.

The Toosheh Project: An Outernet-like Service for Iran and the Middle East

If you've been following our blog over the years, you'll know that we've mentioned the "Outernet" (now known as "Othernet") service a few times. Othernet is a satellite service that wants to provide one way data such as news, weather, audio, books and Wikipedia articles to those in areas with poor, censored or no internet connection. Previous iterations made use of home satellite TV equipment, then L-band (with RTL-SDR receivers) and now the Ku-band with LoRa receivers. Currently it's only available in North America and Europe.

However, thanks to a reader we were recently informed about an interesting and long running Othernet-like service for the Middle East called "Toosheh" (aka Knapsack) which makes use of satellite TV dishes and receivers that are very common in the Middle East. While not specifically related to SDRs, this is an interesting RF related project and situation that we wanted to post about.

Our reader is from Iran, where the government recently shut down the entire country's internet for 7 days due to anti-government protests. The reader wanted to share information about the Toosheh project, which has been operating for several years now, and is one of the ways Iranians can get around heavy internet censorship and blockages.

After two rough weeks of no internet access at all, finally, we're gaining access again and getting back online slowly. As you may know (if you are following the news), a complete internet shutdown was conducted by the I.R. of Iran due to some intense protests across the whole country against the government because of a sudden and unannounced 200% gas price increase. The internet is censored in my country anyhow, but this time it was a big one. We only had access to a few domestic websites and NOT even Google services! That was tough!

I know it may be irrelevant to the subject of your blog but it's good for your audience to understand and know the people who have worked hard way before the OUTERNET project to develop a satellite offline broadcast with almost no special devices to receive and use and bring free and uncensored information to the people in Iran.

The major role of the Toosheh project came in the Iran 2012 presidential election protests, when there were no major broadband internet services all over the country, and it did a lot to bring daily updates of news and TV programs.
Toosheh is a one-way, receive-only service from the satellite, but the tricky part is that Toosheh is not just a simple satellite data link: it appears as a TV channel in all satellite TV receivers, which are very common in Iran, so blocking it is hard for the government. However, some attempts were made by the government back then to collect the satellite dishes, jam the signals or carry out mass destruction (!) of the satellite receivers, which are currently no longer common in most parts of the country (at least without unnecessary violence; check out this link: بجستان نیوز » معدوم سازی تجهیزات ماهواره‌ای در بجستان+عکس). (Admin note: Article is in Persian, use Google Translate to translate Persian to English.)

The procedure to use this service is freaking simple. Set your dish to Yahsat and search for the channels on 11766 MHz. Select the Toosheh channel, plug a flash drive into your receiver and record the blank screen in .TS format using the PVR capability. After several hours of recording, unplug your flash drive and connect it to your phone, tablet or laptop. Then open the Toosheh app and you are good to go. Now you have access to dozens of free podcasts, music, books, movies, news, webpages, TV shows and much more, which will be updated every single day, and if you need something specific just send them an email. Exactly the same as the OUTERNET, but without any special equipment and only with ordinary receivers that are available in almost every home nowadays.

Also, if you visit their website at toosheh.org and search some other press blogs about Toosheh, you can gain more info about the topic.
Toosheh Website Image

We also note that this appears to be the English language version of the Toosheh project, which provides some more information about coverage and the technology used: https://knapsackforhope.org. Coverage is only available in the Middle East.

Toosheh Coverage