Category: Security

SignalsEverywhere Podcast: Satcom Piracy Interview

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast. In this episode Corrosive interviews an anonymous informant who has an interesting story about his involvement with the UHF Military SATCOM pirate radio scene in Brazil. Corrosive also explains a bit further about what SATCOM is and why it's so susceptible to piracy. He notes that piracy on Inmarsat L-band frequencies is also becoming more common.

The UHF-SATCOM band spans 243 - 270 MHz and contains fairly strong signals from several US satellites that can be received with a simple antenna and any UHF radio/SDR. Many of the satellites are simple repeaters without security, and pirates from Mexico and South America often hijack the satellites for their own personal use. In the past, and possibly even still today, hijackers involved in drug trafficking and other illegal activities made use of these insecure military satellites for long range communications. Reception of these satellites is generally available in Canada, US, Mexico, South America, Europe and Africa.

Satcom Crackdown; Satellite Piracy on After The Show Podcast

The RadioInstigator: A $150 Signals Intelligence Platform Consisting of a Raspberry Pi, RPiTX, 2.4 GHz Crazyradio and an RTL-SDR

Circle City Con is a yearly conference that focuses on information security talks. At this year's conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware, which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and manipulate the security of radio signals.

The RadioInstigator makes use of the RPiTX software, which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without the use of any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, which is an nRF24LU1+ based radio that can be used to receive and transmit at 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.

In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and software installed on the RadioInstigator like RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.

[First seen on Hackaday]

Track 3 07 SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than 15

Using an RTL-SDR to Monitor A Tire Pressure Sensor used in Home Brewing

Over on YouTube Andreas Spiess has been helping his friend create a pressure monitoring system for his home brew beer bottles. In order to do this, Andreas uses an externally mounted aftermarket wireless tire pressure sensor whose data can be received with an RTL-SDR and the rtl_433 decoder software. Modern vehicle tires contain a TPMS (tire pressure monitoring system) sensor, which keeps track of tire pressure, temperature and acceleration. The data is wirelessly transmitted via 433 or 315 MHz to the car's dashboard and computer for safety monitoring.

In the first video Andreas discusses tire pressure monitors and how they could be used for other non-tire applications, talks a bit about the wireless protocol used, and how to reverse engineer it. He notes that the author of rtl_433 was able to implement his particular tire pressure sensor brand's protocol into the rtl_433 database, so now anyone can decode them. Finally in this video he also shows that he can easily spoof a flat tire signal using a HackRF and GNU Radio which might cause a modern high end car to refuse to move.

The second video shows how to continuously monitor that TPMS data for the home brew set up. Andreas uses an RTL-SDR and Raspberry Pi running rtl_433, which outputs its data into Mosquitto, Node-Red, InfluxDB and Grafana. These programs help to read, manage, log and graph the data. The rtl_433 program is also monitored by Supervisord, which automatically restarts rtl_433 if the program crashes.
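The following is an added example, not code from the videos or from rtl_433: a Python check that could sit behind such a pipeline and treat each decoded frame as untrusted, since the first video shows these unauthenticated frames are easy to spoof. It assumes rtl_433-style JSON lines with "time", "id" and "pressure_kPa" fields (field names vary by decoder); the sensor ID, thresholds and sample frames are constructed.

```python
import json
from datetime import datetime

# Assumptions: rtl_433-style JSON fields; every value below is constructed.
SENSOR_ID = "a1b2c3d4"   # the one sensor mounted on the bottle
MAX_KPA = 300.0          # assumed alarm level for bottle pressure
MAX_STEP_KPA = 50.0      # assumed largest believable change between frames
MAX_GAP_S = 600          # assumed longest acceptable silence from the sensor

def check_readings(lines):
    """Return (time, kind, value) alerts for one sensor's JSON lines."""
    alerts, prev = [], None
    for line in lines:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue                      # partial or corrupted line
        if not isinstance(msg, dict) or str(msg.get("id")) != SENSOR_ID:
            continue                      # a neighbour's sensor, not ours
        if "pressure_kPa" not in msg or "time" not in msg:
            continue
        when = datetime.strptime(msg["time"], "%Y-%m-%d %H:%M:%S")
        kpa = float(msg["pressure_kPa"])
        if prev is not None:
            gap = (when - prev[0]).total_seconds()
            if gap > MAX_GAP_S:           # receiver down, sensor dead or jammed
                alerts.append((msg["time"], "gap", gap))
            if abs(kpa - prev[1]) > MAX_STEP_KPA:
                # One injected or bit-flipped frame yields two step alerts:
                # the jump away from the real value and the jump back.
                alerts.append((msg["time"], "implausible_step", kpa))
        if kpa > MAX_KPA:
            alerts.append((msg["time"], "over_pressure", kpa))
        prev = (when, kpa)
    return alerts

def frame(time, kpa, sensor=SENSOR_ID):
    """Build one constructed sample line."""
    return json.dumps({"time": time, "model": "Constructed-TPMS",
                       "type": "TPMS", "id": sensor, "pressure_kPa": kpa})

SAMPLE_LINES = [
    frame("2019-06-01 12:00:00", 180.0), frame("2019-06-01 12:01:00", 182.0),
    frame("2019-06-01 12:02:00", 0.0),    # looks like a spoofed "flat" frame
    frame("2019-06-01 12:03:00", 183.0),
    frame("2019-06-01 12:03:30", 500.0, sensor="ffff0000"), "{truncated",
    frame("2019-06-01 12:20:00", 225.0),  # 17 minutes of silence before this
    frame("2019-06-01 12:21:00", 260.0), frame("2019-06-01 12:22:00", 305.0),
]

if __name__ == "__main__":
    for alert in check_readings(SAMPLE_LINES):
        print(alert)
```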

If you are interested, there is a related video that was uploaded in between the two shown below which shows how he created a 3D printed cap to mount the valve and tire pressure sensor on the beer bottles.

#261 Measure Pressure Remotely (including TPMS Hacking / Attack) for Beer Brewing

#270 Safely Monitor and Alarm with Supervisord and Telegram

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Ars Technica ran an in-depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been used as far back as 1938 and earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system can help the pilot to center the aircraft on the runway, and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument to help pilots land, especially when optical visibility is poor such as at night or during bad weather/fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and directional antenna lined up with the runway. Also, as most airports monitor for interference, the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but a strong signal, and thus a large power amplifier and directional antenna, would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

SignalsEverywhere Podcast: Is Software Defined Radio Illegal?

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast, this time discussing the topic "Is Software Defined Radio Illegal?". Recently we posted about the unfortunate arrest of a UN investigator in Tunisia. Reports from news agencies seem to indicate that a major factor in his arrest was his use of an RTL-SDR dongle for monitoring air traffic as part of his investigation on Libya arms embargo violations, although it is suspected that other political motivations are at play.

In his podcast Corrosive tries to open a discussion on whether software defined radio (SDR) is illegal, since SDR receivers have the possibility to be able to receive, demodulate and decode almost any signal. He first focuses on mostly American FCC laws regarding scanners, but similar laws are likely to be in place throughout most of the western world. Later in the podcast he discusses transmit capable SDRs and how these are more likely to come to the attention of politicians.

Tracking Dictators Around the World with ADS-B Data

Over on Reddit freelance investigative journalist Emmanuel Freudenthal has put up a very interesting post about how he is using ADS-B tracking to keep an eye on the travel habits of dictators around the world. If you were unaware, ADS-B is a signal transmitted by aircraft which contains aircraft ID info, and data such as speed, altitude and GPS location. Websites like ADS-B Exchange aggregate ADS-B data from volunteer ground stations that are running (mostly) RTL-SDR dongles. Emmanuel notes that by watching the movements of aircraft registered to dictators, it is possible to keep an eye on their travel habits.

One story that Emmanuel has written using this data is a piece on Paul Biya, Cameroon's president. His article discusses how Paul Biya is often seen in Geneva Switzerland, away on private visits. In a comment, Emmanuel notes that since his story ran, Paul Biya has almost stopped travelling to Switzerland.

Emmanuel has also been running a Twitter bot that uses ADS-B data to automatically tweet when a dictator aircraft is detected at Geneva airport. A list of known dictator aircraft is kept on a publicly accessible Excel file.

Now he is hoping to expand his tracking operation, and is asking for more people to feed the ADS-B Exchange aggregation website. ADS-B Exchange is the recommended site to feed because it is the only ADS-B aggregation website that does not censor any aircraft. Other aggregation sites such as Flightradar24 and FlightAware have come under scrutiny in the past for their willingness to censor and block, upon request, the tracking of military/political aircraft and private jets owned by several companies. In particular several aircraft owned by dictators are reportedly censored. However, the counter argument is that not censoring aircraft may result in ADS-B tracking eventually being made illegal, or that costly legal suits may be brought against ADS-B aggregation companies.

On the Reddit post Emmanuel writes:

I'm a freelance investigative journalist (www.emmanuel-freudenthal.com / @emmanuelfreuden). I'm getting into SDR/ADSB and very glad I found this group because I need your help to track aircrafts!

With a colleague, we started a project to look into the travels of dictators around the world. It's an evolution of a Twitter bot (https://twitter.com/GVA_Watcher) started a few years ago. This bot tweets every time an aircraft owned by a dictatorship lands or takes off at the Geneva airport, Switzerland. And dictators visit Geneva, a lot. There's secretive banks and good healthcare, enjoyed by Algeria's departing president or Cameroon's president Paul Biya.

We want to expand this project to all of the world's airports. See our place-holding website: https://dictatoralert.org (which will get expanded soonish). To do so, we've partnered with ADSB-Exchange, which as you probably know, is the only website that doesn't censor flights. Usually the planes owned/chartered by dictatorships don't show up on flightaware or flightradar24 (anyone can ask to be removed). Some planes also don't share their GPS coordinates (e.g. Mode S) and so they don't show up.

In addition to the Dictator Alerts, we'll also use the data to do investigations into dictatorships, human rights violation and corruption.

The idea is to allow everyone to keep tabs, so the data will be available publicly, via Twitter bots and on a dedicated website (with e.g. a page per dictatorship and per airport).

To succeed, we need a lot more antennas! So, it'd be great if you could feed ADSB-Exchange. You can do that in addition to feeding other services. See how to do it here: https://www.adsbexchange.com/how-to-feed/ If you want to feed, please contact me on [email protected], my twitter DM are open. It's quite important that you contact me before feeding, so that we also capture aircrafts that don't share their GPS coordinates.

That also means, you'll be able to see ALL of the data that you're collecting online.

What do you think? Would you be keen to participate? Any questions?

Your feedback is very welcome, I'm still learning!

Best,

Emmanuel

Dictator Alert. A Twitter bot reporting on dictator movements via ADS-B data. dictatoralert.org

Other stories of interest: A similar story we ran last year was about tracking police and military aircraft at the G7 summit with an RTL-SDR, and three years ago we ran a story about tracking World Economic Forum Attendees with an RTL-SDR.

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS details how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events.

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofer's choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.
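The anomaly check described above can be sketched as follows. This is an added example, not C4ADS's code or method in detail: it flags the first AIS fix that places a vessel at an airport after a jump no ship could physically make. The airport, MMSI numbers, coordinates and thresholds are all constructed assumptions.

```python
from math import asin, cos, radians, sin, sqrt

# All values below are constructed for illustration (assumptions, not C4ADS data).
AIRPORTS = {"CONSTRUCTED-APT": (44.000, 38.000)}   # name -> (lat, lon)
AIRPORT_RADIUS_KM = 3.0    # how close to an airport counts as "at the airport"
MAX_SHIP_KNOTS = 60.0      # assumed ceiling on real vessel speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def nearest_airport(lat, lon):
    """Return (name, distance_km) of the closest airport in AIRPORTS."""
    return min(((n, haversine_km(lat, lon, *pos)) for n, pos in AIRPORTS.items()),
               key=lambda item: item[1])

def find_spoofing_events(reports):
    """reports: iterable of (mmsi, unix_time, lat, lon) AIS position fixes."""
    events, last_fix = [], {}
    for mmsi, t, lat, lon in sorted(reports, key=lambda r: (r[0], r[1])):
        prev, last_fix[mmsi] = last_fix.get(mmsi), (t, lat, lon)
        if prev is None:
            continue                      # need an earlier fix to measure a jump
        airport, dist_km = nearest_airport(lat, lon)
        if dist_km > AIRPORT_RADIUS_KM:
            continue                      # not reported at an airport
        jump_km = haversine_km(prev[1], prev[2], lat, lon)
        hours = (t - prev[0]) / 3600
        if jump_km == 0:
            knots = 0.0                   # repeated fix, no movement
        else:
            knots = float("inf") if hours <= 0 else jump_km / 1.852 / hours
        if knots > MAX_SHIP_KNOTS:        # a vessel moored nearby stays below this
            events.append({"mmsi": mmsi, "time": t, "airport": airport,
                           "implied_knots": knots})
    return events

SAMPLE_REPORTS = [  # constructed AIS fixes
    (111000001, 0, 44.300, 38.000), (111000001, 60, 44.302, 38.000),
    (111000001, 120, 44.001, 38.001), (111000001, 180, 44.001, 38.001),  # jumps to airport
    (111000002, 0, 44.500, 38.500), (111000002, 60, 44.501, 38.500),     # normal traffic
    (111000003, 0, 44.0150, 38.000), (111000003, 60, 44.0151, 38.000),   # moored near airport
]

if __name__ == "__main__":
    for event in find_spoofing_events(SAMPLE_REPORTS):
        print(event)
```

Requiring both conditions keeps a vessel that is legitimately moored beside a coastal airport from being flagged, and reports one event per spoofing onset rather than one per spoofed fix.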

C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance run, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports.

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report notes that several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.