Category: Security

Using an RTL-SDR, RF Fingerprinting and Deep Learning to Authenticate RF Devices

Every device that transmits radio waves has a unique and identifiable RF fingerprint that arises from very slight variations in the hardware manufacturing process. This means that devices using identical transmitters of the same make and model can still be differentiated from one another.

Nihal Pasham has been using this knowledge as a way to securely identify IoT sensors and other RF devices like car keyfobs. The idea is that these unique RF fingerprints are immune to authentication spoofing which could be used to create a fake transmitter with fake data. He suggests that RF fingerprinting could be used as an additional authentication check for low cost IoT devices with only basic security.

In order to recognize the minute differences in the RF fingerprints of different devices, Nihal notes that a good pattern detection algorithm is required, and that a deep learning neural network fits the bill. Using the TensorFlow neural network software and an RTL-SDR for signal acquisition, he was able to train a proof-of-concept neural model that classified two test transmitters with 97% accuracy.
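To make the fingerprinting idea concrete, here is an added toy example (written for this page, not Nihal Pasham's TensorFlow model). Two simulated transmitters send the same QPSK preamble but differ in carrier frequency offset (crystal tolerance) and IQ gain imbalance (modulator error), standing in for the manufacturing variation the post describes. The receiver estimates both impairments from the IQ samples and uses them as a two-feature fingerprint for a nearest-centroid classifier, which is the simplest stand-in for the neural network. The sample rate, device impairments, preamble and noise level are all constructed assumptions.

```python
"""Toy RF-fingerprint classifier (added example; not Nihal Pasham's code).

Two simulated transmitters send the same QPSK preamble but differ in carrier
frequency offset (CFO, from crystal tolerance) and IQ gain imbalance (from
the modulator), standing in for manufacturing variation. The receiver
estimates both impairments from the IQ samples and uses them as a two-
feature fingerprint for a nearest-centroid classifier. Sample rate, device
impairments and noise level are constructed assumptions.
"""
import cmath
import math
import random

FS = 1_000_000   # assumed sample rate, Hz
SPS = 8          # samples per symbol
# Known 128-symbol QPSK preamble. Its I*Q sign pattern (+,-,-,+) is balanced,
# so the IQ-imbalance term averages out of the CFO and phase estimates.
PREAMBLE = [complex(1, 1), complex(1, -1), complex(-1, 1), complex(-1, -1)] * 32
REFERENCE = [s for s in PREAMBLE for _ in range(SPS)]   # symbol held per sample

# Constructed devices: (CFO in Hz, IQ gain imbalance on the Q arm).
DEVICES = {"tx_A": (1500.0, 1.03), "tx_B": (-800.0, 0.96)}


def transmit(device, rng, noise_std=0.03):
    """Simulate one capture of the preamble from `device` through AWGN."""
    cfo, g = DEVICES[device]
    phase0 = rng.uniform(-math.pi, math.pi)      # unknown channel phase
    out = []
    for n, s in enumerate(REFERENCE):
        impaired = complex(s.real, g * s.imag)   # gain error on the Q arm
        rot = cmath.exp(1j * (2 * math.pi * cfo * n / FS + phase0))
        noise = complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        out.append(impaired * rot + noise)
    return out


def fingerprint(samples):
    """Estimate (cfo_hz, iq_gain) from a capture of the known preamble."""
    # Strip the known modulation so only impairments and noise remain.
    z = [r * s.conjugate() for r, s in zip(samples, REFERENCE)]
    # CFO = average phase advance over one symbol period (SPS samples).
    acc = sum(z[n + SPS] * z[n].conjugate() for n in range(len(z) - SPS))
    cfo_hz = cmath.phase(acc) * FS / (2 * math.pi * SPS)
    # Undo the CFO and the constant channel phase, then compare the RMS of
    # the Q and I components: a balanced modulator gives a ratio of 1.0.
    y = [r * cmath.exp(-1j * 2 * math.pi * cfo_hz * n / FS)
         for n, r in enumerate(samples)]
    phase0 = cmath.phase(sum(v * s.conjugate() for v, s in zip(y, REFERENCE)))
    w = [v * cmath.exp(-1j * phase0) for v in y]
    rms_i = math.sqrt(sum(v.real ** 2 for v in w) / len(w))
    rms_q = math.sqrt(sum(v.imag ** 2 for v in w) / len(w))
    return cfo_hz, rms_q / rms_i


def _scaled(fp):
    """Put both features on a comparable scale (1 kHz of CFO ~ 1.0 of gain)."""
    return (fp[0] / 1000.0, fp[1])


def enrol(rng, captures_per_device=5):
    """Enrolment: centroid of each device's fingerprint over several captures."""
    centroids = {}
    for dev in DEVICES:
        fps = [_scaled(fingerprint(transmit(dev, rng)))
               for _ in range(captures_per_device)]
        centroids[dev] = tuple(sum(f[i] for f in fps) / len(fps) for i in range(2))
    return centroids


def classify(samples, centroids):
    """Nearest-centroid decision in the scaled feature space."""
    fp = _scaled(fingerprint(samples))
    return min(centroids, key=lambda d: math.dist(fp, centroids[d]))


def estimate_for(device, seed=0):
    """Fingerprint of a single fresh capture from `device` (for inspection)."""
    return fingerprint(transmit(device, random.Random(seed)))


def evaluate(seed=1, test_captures=20):
    """Enrol, then classify fresh captures; returns accuracy in [0, 1]."""
    rng = random.Random(seed)
    centroids = enrol(rng)
    correct = total = 0
    for dev in DEVICES:
        for _ in range(test_captures):
            correct += classify(transmit(dev, rng), centroids) == dev
            total += 1
    return correct / total


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, "true", DEVICES[dev], "estimated", estimate_for(dev))
    print("accuracy", evaluate())
```

The point a defender should take from this is that the features are properties of the transmitter's hardware rather than of the data it sends, so a device that copies the packet contents and the protocol still does not reproduce them. A real deployment would need more features (rise-time, amplifier nonlinearity, spectral shape) and a learned model, which is why the post reaches for a neural network.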

Training a Deep Learning Neural Network with an RTL-SDR for RF Fingerprinting

In the past we've seen similar experiments by Oona Räisänen, who used an RTL-SDR to fingerprint several handheld radios heard on the air via small variances in the power and frequencies of each radio's CTCSS tone. Using simple clustering techniques she was able to determine exactly who was transmitting based upon the unique CTCSS.

In a somewhat similar fashion, Disney Research has also been working on a RF fingerprinting technique that uses an RTL-SDR based wrist watch to identify what particular electronic devices the wearer is touching.

Dronesense: A LimeSDR Based Drone Detector and Jammer

Over on the LimeSDR CrowdSupply blog, Ogün Levent has submitted a short article about his "Dronesense" project. Dronesense is a spectrum-scanning and jamming system based on the LimeSDR. The LimeSDR is a US$299 12-bit TX/RX capable SDR that can tune between 100 kHz – 3.8 GHz, with a maximum bandwidth of up to 61.44 MHz.

Drone defense is a problem that is plaguing airports, cities, sensitive buildings and the military. These days anyone with a low cost off the shelf drone can cause havoc. Solutions so far have included net guns, drone deployed nets, wideband jammers, GPS spoofers, traditional and passive radar systems, visual camera detection, propeller noise detection, microwave lasers and SDR based point and shoot drone jamming guns like the IXI Dronekiller.

Both the expensive made for military IXI Dronekiller SDR gun, and the LimeSDR Dronesense work in a similar way. They begin by initially using their scanning feature to detect and find potential drone signals. If a drone signal is detected, it will emit a jamming signal on that particular frequency, resulting in the drone entering a fail-safe mode and either returning to base or immediately landing. Specifically targeting the drone's frequency should help make the jammers compliant with radio regulations as they won't jam other legitimate users at the same time. We note that this method might not stop drones using custom RF communications, or fully autonomous drones.

Dronesense: Drone Detection and Jammer Mounted on another Drone, running on a LimeSDR.

However, unlike the IXI Dronekiller gun, Dronesense requires no pointing and aiming of a gun like device. Instead it appears to be mounted on another drone, with an omnidirectional jamming antenna. It runs with a GNU Radio based flowgraph which decides if a detected signal is from a drone, and if so activates the jammer. Unfortunately the software and further details don't appear to be available due to non-disclosure agreements.

DroneSense Second Jamming Test (Software Defined Aerial Platform)

Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on Autopilot away from its intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide its own turns and lane changes using information from the car's cameras, Google Maps and its Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver had his hands on his lap since he was not prepared for this turn to happen so fast, and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts its suspension depending on the type of road it's on, which is recorded in its map database.

In their work they used an ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalem time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.

Medtronic Minimed Insulin Pumps Recalled due to Wireless Security Vulnerabilities

A MiniMed Insulin Pump

Back at the 2018 Black Hat conference it was revealed by security researchers Billy Rios and Jonathan Butts that a HackRF could be used to take control of a Medtronic insulin pump. Back then FDA advisories were issued, but recently a new warning noting that Medtronic MiniMed 508 and Paradigm series insulin pumps could be vulnerable to wireless attacks was again issued. The vulnerabilities could allow hackers to wirelessly cause the device to deliver excessive amounts of insulin or stop insulin delivery.

Apparently the vulnerabilities cannot be fixed with a software update, so Medtronic have issued a voluntary recall, asking customers to contact their healthcare providers so that they can upgrade to their newer units which are more secure (although these newer units are not available everywhere outside the USA). We also note that Medtronic implantable cardiac defibrillators (ICDs) which appear to share the same vulnerability do not appear to have been recalled. For both the insulin pumps and ICDs, the issues stem from the fact that the "Conexus" wireless protocol used in the products does not use encryption, authentication or authorization.

A newspaper article at theregister.co.uk writes:

Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump and its CareLink controller device were insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.

"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."

Previously we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This week's episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this year's DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dale's discovery has also been written up in an article by The Parallax which explains the exploit in more detail.
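Both the Medtronic story above and this keyfob story come down to the same two receiver-side properties: checking that a command really came from the paired controller, and refusing a counter that does not move forward. The following is an added, constructed illustration of those properties, written for this page; it does not model the Conexus protocol or Ford's rolling-code scheme, and the key, command strings and frame layout are assumptions. The "naive" receiver acts on anything well-formed, which is the situation the Medtronic advisory describes; the "strict" receiver rejects a forged frame, a replayed frame, and a frame whose counter has been wound back to zero.

```python
"""Authenticated, replay-resistant command frames (added example).

Neither the MiniMed Conexus protocol nor Ford's keyfob scheme is modelled
here. This is a generic, constructed illustration of two receiver checks:
a message authentication code under a shared key (so a nearby radio cannot
simply send commands) and a counter that must move forward (so a captured
frame cannot be replayed and the counter cannot be wound back to zero).
Key, commands and frame layout are assumptions.
"""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key
TAG_LEN = 16


def build_frame(key, counter, command):
    """counter (4 bytes, big-endian) || command || truncated HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class UnauthenticatedReceiver:
    """Acts on any well-formed frame: the failure mode described on the page."""

    def __init__(self):
        self.delivered = []

    def receive(self, frame):
        if len(frame) < 4:
            return False
        self.delivered.append(frame[4:].decode(errors="replace"))
        return True


class AuthenticatedReceiver:
    """Constant-time tag check plus a strictly increasing counter window."""
    WINDOW = 16   # frames the sender may lose before the receiver desyncs

    def __init__(self, key, last_counter=0):
        self.key = key
        self.last_counter = last_counter
        self.delivered = []

    def receive(self, frame):
        if len(frame) < 4 + 1 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False              # forged or corrupted: not made with the key
        counter = struct.unpack(">I", body[:4])[0]
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False              # replayed, stale, or wound back to zero
        self.last_counter = counter   # advance only after both checks pass
        self.delivered.append(body[4:].decode())
        return True


def demo():
    """Feed the same five frames to both receivers; return who accepted what."""
    naive, strict = UnauthenticatedReceiver(), AuthenticatedReceiver(KEY)
    frames = [
        ("genuine", build_frame(KEY, 1, "SET 1.0")),                    # real controller
        ("forged", struct.pack(">I", 2) + b"SET 9.9" + bytes(TAG_LEN)),  # no key: bad tag
        ("replayed", build_frame(KEY, 1, "SET 1.0")),                   # captured, resent
        ("reset", build_frame(KEY, 0, "SET 1.0")),                      # counter goes backwards
        ("next", build_frame(KEY, 2, "SET 1.5")),                       # normal progression
    ]
    return {"naive": [naive.receive(f) for _, f in frames],
            "strict": [strict.receive(f) for _, f in frames]}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, accepted)
```

Two design points are worth noting. The tag is verified before the counter is read, so an attacker without the key cannot probe the counter logic at all; and `last_counter` is only updated after a frame passes both checks, so a rejected frame cannot move the window. A counter that can be reset to zero by a message the receiver has not authenticated is exactly the property the keyfob story turns on.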

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbell's wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform, which he then analyzes manually using Audacity. Once the binary string, length and pulse width are known he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.
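The manual Audacity step (measuring pulse widths and reading off bits) is easy to automate once the envelope is captured. The following added example, written for this page and not Shreyas Ubale's code, takes a demodulated on/off envelope, collapses it into run lengths, splits the high pulses into "short" and "long", and decodes each repeated frame. The encoding (bit 0 = short high then long low, bit 1 = long high then short low, frame terminated by a long silence), the timings, the sample rate and the 24-bit code word are constructed assumptions typical of cheap 433 MHz remotes, not measurements from the doorbell in the post.

```python
"""OOK pulse-width decoder for a captured 433 MHz envelope (added example).

This is not Shreyas Ubale's code. It automates the step he did by eye in
Audacity: collapse the demodulated on/off envelope into run lengths, sort the
high pulses into "short" and "long", and read off the bits. The encoding
(bit 0 = short high then long low, bit 1 = long high then short low, frame
ends with a long silence) and all timings are assumptions typical of cheap
433 MHz remotes, not measurements from the doorbell in the post.
"""
import random
import statistics

SAMPLE_RATE = 100_000            # envelope sample rate, Hz (assumed)
SHORT_US, LONG_US = 350, 1050    # assumed pulse widths, microseconds
GAP_US = 10_000                  # assumed silence between repeats
EXAMPLE_CODE = "101100111000101011010011"   # constructed 24-bit code word


def _samples(us):
    return round(us * SAMPLE_RATE / 1_000_000)


def encode_runs(bits):
    """Bit string -> list of (level, sample_count) runs for one frame + gap."""
    runs = []
    for b in bits:
        high, low = (LONG_US, SHORT_US) if b == "1" else (SHORT_US, LONG_US)
        runs += [(1, _samples(high)), (0, _samples(low))]
    runs.append((0, _samples(GAP_US)))
    return runs


def constructed_capture(bits, repeats=3, seed=7):
    """Fake capture: leading silence, then the frame repeated with +-1 sample
    edge jitter, expanded to 0/1 samples like a thresholded rtl_433 trace."""
    rng = random.Random(seed)
    runs = [(0, _samples(2000))]
    for _ in range(repeats):
        runs += [(lvl, max(1, n + rng.choice((-1, 0, 1))))
                 for lvl, n in encode_runs(bits)]
    return [lvl for lvl, n in runs for _ in range(n)]


def run_lengths(env):
    """Collapse 0/1 samples into (level, microseconds) runs."""
    runs = []
    for level in env:
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [(lvl, n * 1_000_000 / SAMPLE_RATE) for lvl, n in runs]


def decode(env):
    """Return (frames, short_us, long_us): every frame found as a bit string,
    and the mean measured widths of the short and long high pulses."""
    runs = run_lengths(env)
    # Pair each high pulse with the low period that follows it.
    pulses = [(runs[i][1], runs[i + 1][1]) for i in range(len(runs) - 1)
              if runs[i][0] == 1 and runs[i + 1][0] == 0]
    if not pulses:
        return [], None, None
    highs = [h for h, _ in pulses]
    threshold = (min(highs) + max(highs)) / 2   # midpoint splits short/long
    frames, current = [], ""
    for high, low in pulses:
        current += "1" if high > threshold else "0"
        if low > 3 * max(highs):                # long silence ends the frame
            frames.append(current)
            current = ""
    if current:                                 # frame cut off by end of capture
        frames.append(current)
    shorts = [h for h in highs if h <= threshold]
    longs = [h for h in highs if h > threshold]
    return (frames,
            round(statistics.mean(shorts)) if shorts else None,
            round(statistics.mean(longs)) if longs else None)


def consensus(frames):
    """Most common frame across the repeats (guards against a glitched copy)."""
    return max(set(frames), key=frames.count) if frames else None


if __name__ == "__main__":
    frames, short_us, long_us = decode(constructed_capture(EXAMPLE_CODE))
    print("frames:", frames)
    print("short pulse ~%d us, long pulse ~%d us" % (short_us, long_us))
    print("code word:", consensus(frames), "matches:", consensus(frames) == EXAMPLE_CODE)
```

Taking the majority across the repeated frames is the practical safeguard: a single glitched copy (a dropped sample at an edge) would otherwise be read as a different code word, and the measured short/long widths are what you carry over when timing the replacement transmitter.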

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF, WiFi, and can support the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.