Category: Security

Reverse Engineering and Controlling a Wireless Doorbell with an RTL-SDR and Arduino

Thank you to Shreyas Ubale for submitting his blog post about reverse engineering a wireless doorbell, and then performing a replay attack. Shreyas had purchased a wireless doorbell set containing one button transmitter and two bell receivers. However, his situation required two transmitters, one for visitors at the door, and one to be used by family within his house.

In order to create a second transmitter he decided to reverse engineer the doorbell's wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform, which he then analyzes manually in Audacity. Once the binary string, its length and the pulse width are known, he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.
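The Audacity step can be automated. The following is an added example (not Shreyas's code) that turns a 0/1 amplitude envelope, such as one read off an rtl_433 capture, into the bit string, bit count and pulse widths that the rest of his procedure needs, and uses the agreement between repeated frames to confirm the decode. The sample rate, pulse timings, 24-bit code and noise spike are all constructed here; a real doorbell may use different timings or a sync pulse, so the short/long and gap thresholds are assumptions to check against the actual capture.

```python
from collections import Counter

SAMPLE_RATE = 10_000                   # constructed: 100 us per envelope sample
SHORT, LONG, LOW, GAP = 4, 12, 8, 60   # constructed pulse timings, in samples

def constructed_capture(code, repeats=3):
    """Constructed envelope: 0 = short high, 1 = long high, each then low; gap between frames."""
    env = []
    for _ in range(repeats):
        for b in code:
            env += [1] * (LONG if b == "1" else SHORT) + [0] * LOW
        env += [0] * GAP
    env[-GAP // 2] = 1                 # one-sample noise spike inside the last gap
    return env

def runs(env, min_len=2):
    """[level, length] runs; runs shorter than min_len (noise) are folded into neighbours."""
    out = []
    for s in env:
        if out and out[-1][0] == s:
            out[-1][1] += 1
        elif len(out) > 1 and out[-1][1] < min_len:
            out[-2][1] += out[-1][1] + 1   # spike: give its samples to the run before it
            out.pop()
        else:
            out.append([s, 1])
    return out

def decode_pwm(env, gap_factor=3):
    """One bit string per frame: the midpoint of observed pulse widths splits
    short/long; a low longer than gap_factor x the longest pulse ends a frame."""
    r = runs(env)
    highs = [n for lvl, n in r if lvl == 1] or [0]
    thresh, gap = (min(highs) + max(highs)) / 2, gap_factor * max(highs)
    frames, bits = [], []
    for lvl, n in r:
        if lvl == 1:
            bits.append("1" if n > thresh else "0")
        elif n >= gap and bits:
            frames.append("".join(bits))
            bits = []
    return frames + ["".join(bits)] if bits else frames

def summarise(env):
    """Consensus code across repeats, plus the timings a transmitter sketch needs."""
    frames = decode_pwm(env)
    code, hits = Counter(frames).most_common(1)[0]
    highs = [n for lvl, n in runs(env) if lvl == 1]
    us = 1_000_000 // SAMPLE_RATE
    return {"code": code, "length": len(code), "frames": len(frames), "agreeing": hits,
            "short_us": min(highs) * us, "long_us": max(highs) * us}
```

If `agreeing` is well below `frames`, the thresholds are wrong for this remote or the capture is noisy, which is exactly what you would otherwise spot by eye in Audacity.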

In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF and WiFi and can work with the IFTTT web service.

If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.

Doorbell Signal Analysis in Audacity. Captured with an RTL-SDR.

SignalsEverywhere Podcast: Satcom Piracy Interview

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast. In this episode Corrosive interviews an anonymous informant who has an interesting story about his involvement with the UHF military SATCOM pirate radio scene in Brazil. Corrosive also explains a bit further what SATCOM is and why it's so susceptible to piracy. He notes that piracy on Inmarsat L-band frequencies is also becoming more common.

The UHF-SATCOM band lies between 243 - 270 MHz and contains fairly strong signals from several US satellites that can be received with a simple antenna and any UHF radio/SDR. Many of the satellites are simple repeaters without security, and pirates from Mexico and South America often hijack them for their own personal use. In the past, and possibly even still today, hijackers involved in drug trafficking and other illegal activities have made use of these insecure military satellites for long range communications. Reception of these satellites is generally possible in Canada, the US, Mexico, South America, Europe and Africa.

Satcom Crackdown; Satellite Piracy on After The Show Podcast

The RadioInstigator: A $150 Signals Intelligence Platform Consisting of a Raspberry Pi, RPiTX, 2.4 GHz Crazyradio and an RTL-SDR

Circle City Con is a yearly conference that focuses on information security talks. At this year's conference Josh Conway presented an interesting talk titled "SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than $150". Josh's talk introduces his "RadioInstigator" hardware, which is a combination of a Raspberry Pi, CrazyRadio and an RTL-SDR all packaged into a 3D printed enclosure with an LCD screen. The idea behind the RadioInstigator is to create a portable and low cost Signals Intelligence (SIGINT) device that can be used to investigate and test the security of radio signals.

The RadioInstigator makes use of the RPiTX software, which allows a Raspberry Pi to transmit an arbitrary radio signal from 5 kHz up to 1500 MHz without any additional transmitting hardware - just connect an antenna directly to a GPIO pin. Connected to the Pi is a CrazyRadio, an nRF24LU1+ based radio that can receive and transmit at 2.4 GHz. And of course there is an RTL-SDR for receiving every other signal. Josh has made the plans for the RadioInstigator fully open source over on GitLab.

In his talk Josh introduces the RadioInstigator, then goes on to discuss other SDR hardware, antenna concepts and the software installed on the RadioInstigator, such as RPiTX, GNU Radio, Universal Radio Hacker, Salamandra, TempestSDR and more.

[First seen on Hackaday]

Track 3 07 SigInt for the Masses Building and Using a Signals Intelligence Platform for Less than 15

Using an RTL-SDR to Monitor A Tire Pressure Sensor used in Home Brewing

Over on YouTube Andreas Spiess has been helping his friend create a pressure monitoring system for his home brew beer bottles. To do this, Andreas uses an externally mounted aftermarket wireless tire pressure sensor whose data can be received with an RTL-SDR and the rtl_433 decoder software. Modern vehicle tires contain a TPMS (tire pressure monitoring system) sensor, which keeps track of tire pressure, temperature and acceleration. The data is transmitted wirelessly on 433 or 315 MHz to the car's dashboard and computer for safety monitoring.

In the first video Andreas discusses tire pressure monitors and how they could be used for other, non-tire applications, talks a bit about the wireless protocol used, and explains how to reverse engineer it. He notes that the author of rtl_433 was able to add his particular tire pressure sensor brand's protocol to the rtl_433 decoder database, so now anyone can decode them. Finally, in this video he also shows that he can easily spoof a flat tire signal using a HackRF and GNU Radio, which might cause a modern high end car to refuse to move.

The second video shows how to continuously monitor the TPMS data for the home brew setup. Andreas uses an RTL-SDR and a Raspberry Pi running rtl_433, which feeds its data into Mosquitto, Node-RED, InfluxDB and Grafana. These programs read, manage, log and graph the data. The rtl_433 process is also monitored by Supervisord, which automatically restarts rtl_433 if the program crashes.

If you are interested, there is a related video, uploaded in between the two shown below, which shows how he created a 3D printed cap to mount the valve and tire pressure sensor on the beer bottles.

#261 Measure Pressure Remotely (including TPMS Hacking / Attack) for Beer Brewing

#270 Safely Monitor and Alarm with Supervisord and Telegram

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers) are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that gives an overview of how to reverse engineer the signal coming from a particular brand of restaurant pager. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Arstechnica ran an in-depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been in use since at least 1938. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS helps the pilot center the aircraft on the runway and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument for landing, especially when visibility is poor, such as at night or in bad weather or fog.

Researchers from Northeastern University in Boston point out in their latest research that, due to their age, ILS systems are inherently insecure and can be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past, ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and a directional antenna lined up with the runway. Also, as most airports monitor for interference, the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but a strong signal, and thus a large power amplifier and directional antenna, would still be required, making the operation too conspicuous to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

SignalsEverywhere Podcast: Is Software Defined Radio Illegal?

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast, this time discussing the topic "Is Software Defined Radio Illegal?". Recently we posted about the unfortunate arrest of a UN investigator in Tunisia. Reports from news agencies indicate that a major factor in his arrest was his use of an RTL-SDR dongle for monitoring air traffic as part of his investigation into Libya arms embargo violations, although it is suspected that other political motivations are at play.

In his podcast Corrosive tries to open a discussion on whether software defined radio (SDR) is illegal, since SDR receivers can receive, demodulate and decode almost any signal. He focuses mostly on American FCC laws regarding scanners, but similar laws are likely to be in place throughout most of the western world. Later in the podcast he discusses transmit capable SDRs and how these are more likely to come to the attention of politicians.

Tracking Dictators Around the World with ADS-B Data

Over on Reddit freelance investigative journalist Emmanuel Freudenthal has put up a very interesting post about how he is using ADS-B tracking to keep an eye on the travel habits of dictators around the world. If you were unaware, ADS-B is a signal transmitted by aircraft which contains aircraft ID info and data such as speed, altitude and GPS location. Websites like ADS-B Exchange aggregate ADS-B data from volunteer ground stations that are running (mostly) RTL-SDR dongles. Emmanuel notes that by watching the movements of aircraft registered to dictators, it is possible to keep an eye on their travel habits.

One story that Emmanuel has written using this data is a piece on Paul Biya, Cameroon's president. His article discusses how Paul Biya is often seen in Geneva Switzerland, away on private visits. In a comment, Emmanuel notes that since his story ran, Paul Biya has almost stopped travelling to Switzerland.

Emmanuel has also been running a Twitter bot that uses ADS-B data to automatically tweet when an aircraft belonging to a dictator is detected at Geneva airport. A list of known dictator aircraft is kept in a publicly accessible Excel file.

Now he is hoping to expand his tracking operation, and is asking for more people to feed the ADS-B Exchange aggregation website. ADS-B Exchange is the recommended site to feed because it is the only ADS-B aggregation website that does not censor any aircraft. Other aggregation sites such as Flightradar24 and FlightAware have come under scrutiny in the past for their willingness to censor, upon request, the tracking of military/political aircraft and private jets owned by several companies. In particular, several aircraft owned by dictators are reportedly censored. However, the counter argument is that not censoring aircraft may result in ADS-B tracking eventually being made illegal, or in costly lawsuits being brought against ADS-B aggregation companies.

On the Reddit post Emmanuel writes:

I'm a freelance investigative journalist (www.emmanuel-freudenthal.com / @emmanuelfreuden). I'm getting into SDR/ADSB and very glad I found this group because I need your help to track aircraft!

With a colleague, we started a project to look into the travels of dictators around the world. It's an evolution of a Twitter bot (https://twitter.com/GVA_Watcher) started a few years ago. This bot tweets every time an aircraft owned by a dictatorship lands or takes off at the Geneva airport, Switzerland. And dictators visit Geneva, a lot. There are secretive banks and good healthcare, enjoyed by Algeria's departing president or Cameroon's president Paul Biya.

We want to expand this project to all of the world's airports. See our place-holding website: https://dictatoralert.org (which will get expanded soonish). To do so, we've partnered with ADSB-Exchange, which as you probably know, is the only website that doesn't censor flights. Usually the planes owned/chartered by dictatorships don't show up on flightaware or flightradar24 (anyone can ask to be removed). Some planes also don't share their GPS coordinates (e.g. Mode S) and so they don't show up.

In addition to the Dictator Alerts, we'll also use the data to do investigations into dictatorships, human rights violations and corruption.

The idea is to allow everyone to keep tabs, so the data will be available publicly, via Twitter bots and on a dedicated website (with e.g. a page per dictatorship and per airport).

To succeed, we need a lot more antennas! So, it'd be great if you could feed ADSB-Exchange. You can do that in addition to feeding other services. See how to do it here: https://www.adsbexchange.com/how-to-feed/ If you want to feed, please contact me on [email protected], my Twitter DMs are open. It's quite important that you contact me before feeding, so that we also capture aircraft that don't share their GPS coordinates.

That also means you'll be able to see ALL of the data that you're collecting online.

What do you think? Would you be keen to participate? Any questions?

Your feedback is very welcome, I'm still learning!

Best,

Emmanuel

Dictator Alert. A Twitter bot reporting on dictator movements via ADS-B data. dictatoralert.org

Other stories of interest: a similar story we ran last year was about tracking police and military aircraft at the G7 summit with an RTL-SDR, and three years ago we ran a story about tracking World Economic Forum attendees with an RTL-SDR.