Category: Security

July 23, 2025

US Trains are Vulnerable to Derailment via RF Attacks to the End of Train Device

A recently published CVE (Common Vulnerabilities and Exposures) states that a software-defined radio can be used to remotely send a brake command signal to the End-Of-Train wirelessly linked control box.

Security researcher Neil Smith reported the vulnerability. Neil explains more in X, explicitly noting that he has been trying to get this published for 12 years and how no one from the American Association of Railroads (AAR) seems to consider this vulnerability a significant issue.

US trains use wireless RF communications devices, called "End-of-Train" (EoT) and "Head-of-Train" (HoT), to enable data communication between the head and end of the train. The two systems interface with the train's braking and control system, allowing the engineer to view information from both sides of the train, and command systems at ends of a long train instantaneously. Such signals can easily be received with an RTL-SDR and the softEOT decoder, or the PyEOT decoder.

The vulnerability stems from the fact that a software-defined radio can easily be used to replicate an EoT RF signal that can command braking. The signal could be transmitted over a long distance with an appropriate amplifier and antenna. Unexpected braking could cause derailment, amongst other problems.

As of right now, the vulnerability is still unpatched, but AAR have noted that they intend to replace the system with the 802.16t standard. However, in the X thread, Neil notes that this replacement won't be in place until 2027 in the best-case scenario.

If you're interested, another security researcher did a talk about railroad telemetry systems back at DEF CON 26, 6 years ago.

An EoT device (aka FRED) on a US Train. Attribution: https://commons.wikimedia.org/wiki/File:FRED_cropped.jpg

April 10, 2025

DragonOS: LTE IMSI Sniffing using the LTE Sniffer Tool and an Ettus X310 SDR

DragonOS creator Aaron recently uploaded a video on YouTube showing how to capture IMSI data from an LTE-enabled phone by using the open-source LTE sniffer tool and Ettus X310 software-defined radio.

In the video, Aaron uses a simulated environment involving a Signal SDR Pro to simulate the LTE cell phone, a B205 Mini operating as the eNodeB (base station), and an Ettus X310 SDR for the actual LTE sniffing. The SRSRAN software running on DragonOS is used to simulate the LTE network environment.

Aaron goes on to show how the LTE sniffer software passively decodes the physical downlink control channels and captures IMSI numbers from user cell phones.

An IMSI is a unique identifier associated with a cell phone user's SIM card. IMSI sniffing cannot be used to listen to or decode voice, text, or data as they are all encrypted. However, bad actors can use IMSI sniffing to track the movement of devices/people.

DragonOS Noble Sniff + Passively Capture LTE IMSI (x310, b205mini, SignalSDR Pro)

Watch this video on YouTube

February 28, 2025

RTL-SDR Jamming Detector Software

Over on GitHub, Alejandro Martín has recently released his open-source 'rtl-sdr-analyzer' software, which is an RTL-SDR-based signal analyzer and automatic jamming detector. The software is based on Python and connects to the RTL-SDR via an rtl_tcp connection.

Alejandro's software is advertised as having the following features:

📊 Real-time Visualization: Advanced spectrum analysis with waterfall display

🔍 Smart Detection: Automatic signal anomaly and jamming detection

📈 Dynamic Analysis: Adaptive baseline calculation and threshold adjustment

⚙️ Flexible Configuration: Fully customizable detection parameters

🌐 Network Support: Built-in RTL-TCP compatibility for remote operation

The software works by continuously monitoring a frequency range, and creating a log whenever a signal is detected that exceeds a certain power value and duration. It can also monitor 'z-score', which determines if the current signal mean has deviated significantly from the baseline, which could indicate a jamming or interference event.

rtl-sdr-analyzer: An RTL-SDR Signal Analyzer & Jamming Detector

February 18, 2025

Saveitforparts: Listening in on Russian Soldiers Hijacking US Military Satellites

Over on the saveitforparts YouTube channel, Gabe has uploaded a video showing how he uses WebSDR streams to show how Russians, including Russian soldiers, are using old US Military satellites for long-range communications around Ukraine.

In the '70s and '80s, the US government launched a fleet of satellites called "FLTSATCOM," which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other worldwide. However, the technology of the time could not support encryption or secure access. So security relied entirely on only the US military's technological superiority of being the only one to have radio equipment that could reach the 243 - 270 MHz frequencies in use by these satellites. Of course, as time progressed, equipment that could reach higher frequencies became commonplace.

In the video, Gabe explains how many Russian soldiers involved in the Ukraine war are using these legacy satellites to communicate with each other. He notes that apart from voice comms, some channels are simply Russian propaganda and music, as well as some channels that appear to be jammed. Gabe also notes that the "UHF Follow-On Satellite" (UFO) satellites that were launched as recently as 2003 are also being hijacked, as they also have no encryption or secure access.

In the past, we also posted a previous video by Gabe about attempting to receive these satellites from his home in North America. However, on that side of the world, the satellites are being hijacked by Brazilian pirates instead.

Russia Is Hijacking US Military Satellites

Watch this video on YouTube

January 30, 2025

The Taylorator: Flooding the Broadcast FM Band with Taylor Swift Songs using a LimeSDR

Over on Hackaday and creator Stephen's blog, we've seen an article about the 'Taylorator,' open source software for the LimeSDR that floods the broadcast FM band with Taylor Swift music. In his blog post, Stephen explains how he wrote this software, explaining the concepts behind audio preparation, FM modulation, and what computing hardware was required to implement it.

The advertised use case of the Taylorator is obviously a bit of a joke; however, as the video on Stephen's blog shows, his software can play a different song on every broadcast FM channel. So, there could be some use cases where you might want people to be able to tune an FM radio to custom music on each channel. Of course, you could also just use it to play a practical joke on someone.

In terms of legality, in his blog post, Stephen notes that blasting the broadcast FM band on every channel is probably not legal and may go against the spirit of low-power FM transmitter laws in most countries. However, he notes that spreading a few mW over 20 MHz of bandwidth results in a weak signal that is unlikely to travel very far. Regardless, we would advise potential users of the software to check their local laws before going ahead and playing around with something like this.

The software is open source and available on Stephen's GitLab.

The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel

January 21, 2025

CCC Conference Talk: BlinkenCity – Radio-Controlling Street Lamps and Power Plants

In another talk at the Chaos Computer Club (CCC) 2024 conference, Fabian Bräunlein, and Luca Melette talked about how vulnerable Europe's renewable energy production is to attacks via the longwave radio ripple control system. Essentially, attacks over radio could be used to remotely switch loads and power plants on and off in a way that could damage the grid.

The recorded talk can be viewed directly via the CCC website, or via the embedded YouTube player below.

A significant portion of Europe's renewable energy production can be remotely controlled via longwave radio. While this system is intended to stabilize the grid, it can potentially also be abused to destabilize it by remotely toggling energy loads and power plants.

In this talk, we will dive into radio ripple control technology, analyze the protocols in use, and discuss whether its weaknesses could potentially be leveraged to cause a blackout, or – more positively – to create a city-wide Blinkenlights-inspired art installation.

With three broadcasting towers and over 1.3 million receivers, the radio ripple control system by EFR (Europäische Funk-Rundsteuerung) GmbH is responsible for controlling various types of loads (street lamps, heating systems, wall boxes, …) as well as multiple gigawatts of renewable power generation (solar, wind, biogas, …) in Germany, Austria, Czechia, Hungary and Slovakia.

The used radio protocols Versacom and Semagyr, which carry time and control signals, are partially proprietary but completely unencrypted and unauthenticated, leaving the door open for abuse.

This talk will cover:

An introduction to radio ripple control

Detailed analysis of transmitted radio messages, protocols, addressing schemes, and their inherent weaknesses

Hardware hacking and reversing

Implementation of sending devices and attack PoCs

(Live) demonstrations of attacks

Evaluation of the abuse potential

The way forward

38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

Watch this video on YouTube

January 9, 2025

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.

How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.

Running experiments on the Allen Telescope Array.

Analyzing the beam patterns of Iridium satellites.

Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.

What ACARS and Iridium have in common and how a community made use of this.

Experiments in using Iridium as a GPS alternative.

Discoveries in how the network handles handset location updates and the consequences for privacy.

Frame format and demodulation of the Iridium Time and Location service.

38C3 - Investigating the Iridium Satellite Network

Watch this video on YouTube

November 13, 2024

SDR and RF Videos from DEFCON 32

Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly conference about information security, and some of the talks deal with wireless and SDR topics.

During the Defcon 32 wireless village, there were several interesting talks and the full playlist can be found here. The talks include introductions to software-defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio, information about the allen radio telescope array, an introduction to the electronic warfare being used in Ukraine and much more.

Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including: