Category: Security

Detecting Car Keyfob Jamming With a Raspberry Pi and RTL-SDR

It’s been known for a while now that it is possible to break into cars using simple wireless attacks that involve jamming the car keyfob frequency. Samy Kamkar’s “RollJam” is one such example, and it can be built with a cheap Arduino and an RF transceiver chip. One way to protect yourself against wireless attacks like this is to run a jammer detector.

A jammer detector is quite simple in theory: just continuously measure the signal strength at the car keyfob frequency and notify the user if a strong, continuous signal is detected. Over on his blog, mikeh69 has posted about his work creating a wireless jammer detector out of a Raspberry Pi and an RTL-SDR dongle. He uses a Python script and some C code he developed to build a tool that displays the signal strength on an on-screen bar graph and also conveys it via audio tones. He writes that with a pair of earphones and a battery pack you can use the system while walking around searching for the source of a jammer.
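The detection rule described above, written out as an added example (this is not mikeh69’s code). It takes a stream of per-block power readings in dB, such as you would get after tuning an RTL-SDR to the keyfob frequency, and alarms only when the power stays above a threshold for longer than any legitimate keyfob burst, which is what separates a jammer’s carrier from a normal key press. The threshold, block count, audio mapping and the sample trace are all assumed or constructed values.

```python
"""Jammer detector model: flag a strong, continuous signal at the keyfob frequency.

Added example; not mikeh69's code. Works on a stream of per-block power
readings (dB) and alarms only when the power stays above a threshold for
longer than any legitimate keyfob burst. Thresholds and the trace are
assumed/constructed values, not measured ones.
"""
import math


def block_power_db(iq):
    """Mean power of one block of complex IQ samples, in dB (relative)."""
    if not iq:
        return float("-inf")
    mean_sq = sum(abs(x) ** 2 for x in iq) / len(iq)
    return 10.0 * math.log10(mean_sq) if mean_sq > 0 else float("-inf")


def detect_jamming(power_db, threshold_db=-45.0, min_blocks=20):
    """Return (start, end) block-index ranges where power stayed >= threshold_db
    for at least min_blocks consecutive blocks. A short burst (a real keyfob
    press) never reaches min_blocks and is ignored; a jammer's carrier does."""
    events = []
    start = None
    for i, p in enumerate(power_db):
        if p >= threshold_db:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_blocks:
                events.append((start, i - 1))
            start = None
    if start is not None and len(power_db) - start >= min_blocks:
        events.append((start, len(power_db) - 1))
    return events


def tone_hz(p_db, floor_db=-80.0, ceil_db=-20.0, lo_hz=200.0, hi_hz=2000.0):
    """Map a power reading to an audio pitch, like the post's audio feedback:
    stronger signal -> higher pitch, clamped to [lo_hz, hi_hz] (assumed range)."""
    frac = (p_db - floor_db) / (ceil_db - floor_db)
    frac = min(1.0, max(0.0, frac))
    return lo_hz + frac * (hi_hz - lo_hz)


def constructed_trace():
    """Constructed power trace (dB per block): noise floor, one short keyfob
    burst, then a long jammer carrier. Not real capture data."""
    noise, fob, jam = -70.0, -30.0, -35.0
    return [noise] * 30 + [fob] * 5 + [noise] * 15 + [jam] * 60 + [noise] * 10


if __name__ == "__main__":
    trace = constructed_trace()
    for start, end in detect_jamming(trace):
        print(f"possible jammer: blocks {start}-{end} ({end - start + 1} blocks)")
    print("pitch for -35 dB:", tone_hz(-35.0), "Hz")
```

Feeding real data means replacing `constructed_trace()` with `block_power_db()` applied to successive IQ blocks from the dongle; the `min_blocks` value should be tuned to be comfortably longer than a keyfob transmission at your block size.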

Mikeh69’s post goes into further detail about installing the software and the required dependencies. He also writes that in the future he wants to experiment with large-area surveys by logging signal strength against GPS locations to generate a heatmap. If that idea interests you, it is similar to Tim Haven’s driveby noise detector system, which also used RTL-SDR dongles, and to the heatmap feature in RTLSDR Scanner.

[Also seen on Hackaday]

RTL-SDR + Raspberry Pi Jammer Detector.

Retrieving Dialed Phone Numbers from Intercepted Phone Calls

Over on his YouTube channel, Linux Psycho has uploaded a video showing how he was able to listen in on wireless phone calls and recover the dialed phone numbers from within the conversation.

The intercepted signal appears to be unencrypted, in-the-clear NFM at 130 MHz, and appears to originate from some sort of wireless telephone service. DTMF dial tones can be heard in the phone call. Later in the video Linux Psycho shows how to retrieve the dialed phone number by recording the DTMF tones and submitting the .wav file to an online DTMF tone detection website. DTMF tones are simply the tones you hear when you dial a number on a landline phone. Each key produces a different tone frequency, so it is fairly trivial to recover the dialed numbers.
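To show why recovering the digits is trivial once the audio is in the clear, here is an added example of a DTMF decoder (not Linux Psycho’s method, which used an online service). Each key is the sum of one low-group and one high-group tone, so measuring the power at the eight DTMF frequencies in each short frame with the Goertzel algorithm identifies the key. The audio is synthesized in the script (constructed, not a recording); the 8 kHz sample rate and 50 ms frame length are assumed values.

```python
"""DTMF decoding with the Goertzel algorithm.

Added example, not Linux Psycho's method. Each key is one low-group plus one
high-group tone, so the power at the 8 DTMF frequencies per frame identifies
the key. Audio is synthesized here (constructed); 8 kHz rate and 50 ms frames
are assumed values.
"""
import math

RATE = 8000
LOW = [697, 770, 852, 941]
HIGH = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]   # rows = LOW, columns = HIGH


def goertzel_power(frame, freq, rate=RATE):
    """Unnormalised power at one frequency via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_frame(frame, rate=RATE, min_energy=0.01, dominance=4.0):
    """Return the key for one frame, or None for silence / no clear tone pair."""
    if sum(x * x for x in frame) / len(frame) < min_energy:
        return None
    lows = [goertzel_power(frame, f, rate) for f in LOW]
    highs = [goertzel_power(frame, f, rate) for f in HIGH]
    li = max(range(4), key=lambda i: lows[i])
    hi = max(range(4), key=lambda i: highs[i])
    # The winning tone in each group must clearly dominate its group.
    for group, idx in ((lows, li), (highs, hi)):
        rest = max(p for j, p in enumerate(group) if j != idx)
        if group[idx] < dominance * rest:
            return None
    return KEYPAD[li][hi]


def decode_dtmf(samples, rate=RATE, frame_ms=50):
    """Decode a sample stream into a digit string. Consecutive frames with the
    same key are one press; a silent or ambiguous frame ends the press."""
    n = rate * frame_ms // 1000
    digits, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        key = decode_frame(samples[i:i + n], rate)
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


def synth_dtmf(digits, rate=RATE, tone_ms=100, gap_ms=50):
    """Constructed audio: each key is low+high sine, keys separated by silence."""
    out = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        for k in range(rate * tone_ms // 1000):
            t = k / rate
            out.append(0.5 * math.sin(2 * math.pi * LOW[row] * t)
                       + 0.5 * math.sin(2 * math.pi * HIGH[col] * t))
        out.extend([0.0] * (rate * gap_ms // 1000))
    return out


if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("5551234#")))
```

The dominance check is what keeps the decoder honest on real audio: speech or noise in a frame will light up several bins at once and the frame is then reported as no key rather than a guess.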

We’re not sure exactly what the signal Linux Psycho is listening to actually is; it seems to be a cordless phone, but in the wrong frequency range. Potentially it is a long-range wireless phone extension, commonly used in developing countries or rural areas where actual landline connections are rare.


YouTube Talk: Introduction to DSpectrum for Reverse Engineering Signals

Over on YouTube, a talk by the author of DSpectrum at the 13th Cyberspectrum Melbourne meetup has been uploaded. In the talk he goes through the full process of reverse engineering a wireless alarm system in DSpectrumGUI. DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions using data captured from SDRs like the RTL-SDR or HackRF.

In the video he shows how to create a project, import a capture, create an overlay in Inspectrum and bring the waveform back into DSpectrum. DSpectrum was then able to detect automatically that the encoding used was PWM and convert it into a bit string. Then, by importing multiple captures from various buttons on the alarm, he shows how easy it is to see the differences between the bit strings from within DSpectrum. From these differences he uses DSpectrum to help identify the function of each byte of the bit string. Finally he shows how to perform a replay attack with RFcat or similar hardware using the data gathered.
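The two analysis steps the talk has DSpectrum automate, turning a PWM waveform into a bit string and diffing captures from different buttons, look like this when written out by hand. This is an added example and not DSpectrum’s code. It assumes (assumption) a PWM scheme common to cheap ISM-band remotes, where each bit is a high pulse followed by a low gap and a long pulse means ‘1’; the input is a thresholded 0/1 sample stream such as an Inspectrum overlay gives you, and the two captures are constructed, not from a real alarm.

```python
"""PWM bit recovery and capture diffing, the steps DSpectrum automates.

Added example; not DSpectrum's code. Assumed PWM scheme: each bit is a high
pulse then a low gap; long high = '1', short high = '0'. Input is a
thresholded 0/1 sample stream. The captures below are constructed.
"""
from itertools import groupby


def run_lengths(samples):
    """Run-length encode a 0/1 sample stream into [(level, length), ...]."""
    return [(level, len(list(g))) for level, g in groupby(samples)]


def pwm_decode(samples):
    """Recover the bit string by comparing each high pulse with the gap that
    follows it. Leading idle (low) is skipped; a trailing high with no
    following gap cannot be classified and is dropped."""
    runs = run_lengths(samples)
    i = 1 if runs and runs[0][0] == 0 else 0
    bits = []
    while i + 1 < len(runs):
        high, low = runs[i][1], runs[i + 1][1]
        bits.append("1" if high > low else "0")
        i += 2
    return "".join(bits)


def pwm_encode(bits, short=1, long=3, idle=4):
    """Constructed transmitter used only to build test captures: '1' is a long
    high then short low, '0' a short high then long low, framed by idle low."""
    out = [0] * idle
    for b in bits:
        high = long if b == "1" else short
        out += [1] * high + [0] * (short + long - high)
    return out + [0] * idle


def diff_bytes(a, b):
    """Compare two decoded bit strings byte by byte. Returns {byte_index: (a, b)}
    for the bytes that differ, which is the view used to work out what each
    byte of the packet does (button code vs. fixed ID, for instance)."""
    def to_bytes(s):
        return [s[i:i + 8] for i in range(0, len(s), 8)]
    pairs = zip(to_bytes(a), to_bytes(b))
    return {i: (x, y) for i, (x, y) in enumerate(pairs) if x != y}


if __name__ == "__main__":
    arm = pwm_encode("1010110000000001")      # constructed "arm" capture
    disarm = pwm_encode("1010110000000010")   # constructed "disarm" capture
    print(pwm_decode(arm), pwm_decode(disarm))
    print(diff_bytes(pwm_decode(arm), pwm_decode(disarm)))
```

On real captures the pulse/gap ratio is rarely as clean as in the constructed data, so a robust decoder compares each high against the median pulse length rather than only against its neighbouring gap; the byte diff, though, works unchanged on whatever bit strings come out.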

This is a really good talk to watch if you’re interested in getting started with reverse engineering simple digital signals, like those from ISM band devices.

Cyberspectrum Melbourne #13: Introduction to DSpectrum for reverse engineering signals

Using an RTL-SDR and TEMPEST to attack AES

All electronic devices emit some sort of unintentional RF signals which can be received by an eavesdropping radio. These unintentional signals are sometimes referred to as TEMPEST, after the NSA and NATO specification which aims to ensure that electronic devices containing sensitive information cannot be spied upon through unintentional radio emissions, sounds or vibrations. TEMPEST can also refer to the opposite: spying on unsecured electronic devices by these means.

Recently the team at Fox-IT, a cybersecurity specialist company, released a paper (pdf) showing how an RTL-SDR can be used as a TEMPEST attack device to help recover AES-256 encryption keys from a distance by utilizing unintentional RF emissions. AES is an encryption standard commonly used in computing, in protocols like HTTPS (e.g. for online banking) and for securing WiFi networks.

In their experiments they set up an AES implementation on an FPGA and used a simple wire loop antenna and an RTL-SDR to measure and record the RF emissions. By then doing some analysis on the recorded signal they were able to fairly easily extract the AES encryption key, thus defeating the encryption.

Further testing in an anechoic chamber showed that with a discone antenna they were able to recover the keys from up to a meter away. A directional antenna could probably reach even further distances.

In the past we’ve seen a similar attack using a Funcube dongle, an SDR similar to the RTL-SDR. In that attack they were able to remotely recover encryption keys from a laptop running GnuPG. Also somewhat related is Disney’s EM Sense, which uses an RTL-SDR to identify electronic devices by their RF emissions.

[Also seen on Hackaday]

Fictional scenario involving a hacker recording RFI from a remote PC.

Nullcon 2017: Drone Hijacking And Other IoT Hacking With GNU Radio And SDR

Nullcon is a yearly security conference, which was held this year in early March. Recently videos of some of the presentations have been uploaded. One presentation of interest is Arthur Garipov’s “Drone Hijacking And Other IoT Hacking With GNU Radio And SDR”. In his talk he explains how he uses software defined radios and GNU Radio to hack various IoT devices based on nRF chips, and even a drone. The talk blurb reads:

Internet of things is surrounding us. Is it secure? Or does its security stand on (deemed) invisibility? SDR (Software-defined radio) and GNU Radio can answer these questions. In this presentation, we will play with some modern wireless devices. They have similar protocols, and none of them encrypts its traffic.

We will show how easy it is to find them using SDR and proprietary chipsets, and how to sniff/intercept/fuzz these devices using a small python script and GNU Radio.

As an example we will show a Mousejack attack on wireless dongles, a wireless keyboard keylogger and even a drone hijacking.

Speaker Bio
Senior Specialist, Network Application Security Team, Positive Technologies

Artur was born in 1987. He is a graduate of the Ufa State Aviation Technical University, was a software developer at OZNA and an independent security researcher. He started his career at Positive Technologies in 2014. Now he is engaged in security research of wireless technologies, mobile systems, and IoT. He is also an organizer of the MiTM Mobile contest and hands-on lab at PHDays V and PHDays VI.

The talk slides can be downloaded from the conference archives.

nullcon Goa 2017 - Drone Hijacking And Other IoT Hacking With GNU Radio And SDR by Arthur Garipov

Exposing Cordless Phone Security with a HackRF

Over on YouTube, user Corrosive has been uploading some videos that explore cordless phone security with a HackRF. In his first video Corrosive shows how he is able to use a HackRF to capture and then replay the pager tones (handset-finding feature) of a very cheap VTech 5.8 GHz cordless phone. He uses the Universal Radio Hacker software on Windows.

In the second video Corrosive shows how bad the voice security on the VTech 5.8 GHz phone can be. It turns out that while it is advertised as a 5.8 GHz phone, and the handset does transmit at 5.8 GHz, the VTech base station actually transmits voice in clear NFM at around 900 MHz. Cordless phones advertised as 5.8 GHz are typically considered more secure because their high frequency is inaccessible to most scanner radios. In the video he also shows some of the digital pairing signals that the phone and base station transmit.

Cordless Phone Security Exposed With HackRF SDR

HackRF Receives Negative Press in the UK’s ‘DailyMail’ Newspaper

The HackRF is a $300 USD RX/TX-capable software defined radio with a wide tuning range from almost DC to 6 GHz and bandwidths of up to 20 MHz. It uses an 8-bit ADC, so reception quality is not great, but most people buy it for its TX and wide frequency/bandwidth capabilities.

Recently the HackRF received some negative press in the ‘Daily Mail’, a British tabloid newspaper famous for sensationalist articles. In the article the Daily Mail shows that the HackRF can be used to break into a £100,000 Range Rover in less than two minutes. The exact method of attack isn’t revealed, but we assume they did some sort of simple replay attack. What they probably did is take the car key far out of the car’s reception range, record a key press with the HackRF, and then replay that key press close to the car using the HackRF’s TX function. Taking the key out of the car’s reception range prevents the car from invalidating the rolling code when the key is pressed.

Of course, in real life an attacker would need to be more sophisticated, as they most likely wouldn’t have access to the keyfob; in that case they would most likely perform a jam-record-replay attack, as we’ve seen with cheap homemade devices like RollJam. The HackRF cannot do this by itself because it is only half-duplex, so it cannot TX and RX at the same time.

We should also mention that the HackRF is not the only device that can be used for replay attacks: potentially any radio that can transmit at the keyfob frequency could be used. Even a very cheap Arduino with an ISM band RF module can be used for the same purpose.

Opening Car Doors with an RTL-SDR, Arduino and CC1101 Transceiver

Recently we found this post from last year by security researcher Anthony, which shows how an RTL-SDR combined with an Arduino and a CC1101 transceiver can be used to open a car. The technique he presents is the jam, intercept and replay technique that was also used by Samy Kamkar’s RollJam device.

Most modern vehicles use some form of rolling code security on their wireless keyfobs to prevent unauthorized replay attacks. When the car owner presses a button on the keyfob, a unique rolling code is sent to the car. If it matches the codes stored in the car, the car will unlock and then invalidate that code so it can never be used again, thus preventing a replay attack. On the next press the keyfob sends a new code. This system can be defeated simply by jamming the car’s keyfob receiver, using a more selective receiver to record the keyfob unlock packet, and then replaying that packet at a later time.
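To make the rolling-code behaviour described above concrete, here is an added example of a keyfob/receiver pair with the acceptance rule written out; it is a teaching model, not any manufacturer’s protocol. The packet format is an assumption: fob ID (4 bytes) || counter (4 bytes, big-endian) || tag (8 bytes), with the tag a truncated HMAC-SHA256 over ID and counter under a key shared by fob and car. The receiver accepts a packet only if the tag verifies and the counter is ahead of the last accepted counter by at most a window, then moves its counter forward, which is what invalidates every code it has already accepted or been passed by. A code the car has not yet seen stays valid until a later press is accepted, and that is the property the jam-record-replay technique in this post depends on.

```python
"""Model of a rolling-code keyfob/receiver pair, showing why a plain replay fails.

Added example; not any manufacturer's protocol. Constructed format (assumption):
packet = fob_id (4 bytes) || counter (4 bytes, big-endian) || tag (8 bytes),
tag = HMAC-SHA256(shared_key, fob_id || counter) truncated to 8 bytes.
"""
import hashlib
import hmac
import struct


def make_packet(key, fob_id, counter):
    """Build one keyfob transmission for the given counter value."""
    body = fob_id + struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Fob:
    def __init__(self, key, fob_id):
        self.key, self.fob_id, self.counter = key, fob_id, 0

    def press(self):
        """Each press advances the counter and emits a fresh packet."""
        self.counter += 1
        return make_packet(self.key, self.fob_id, self.counter)


class Receiver:
    def __init__(self, key, fob_id, window=16):
        self.key, self.fob_id, self.window = key, fob_id, window
        self.last_counter = 0

    def validate(self, packet):
        """Accept only an authentic packet whose counter is strictly ahead of the
        last accepted one and within the resync window; then advance."""
        if len(packet) != 16 or packet[:4] != self.fob_id:
            return False
        body, tag = packet[:8], packet[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        counter = struct.unpack(">I", body[4:])[0]
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False
        self.last_counter = counter   # this and every earlier counter is now dead
        return True


def demo():
    """Constructed sequence of events; returns the car's verdict for each."""
    key, fob_id = b"constructed-demo-key", b"\x00\x00\xbe\xef"
    fob, car = Fob(key, fob_id), Receiver(key, fob_id)
    p1 = fob.press()
    results = {"first press": car.validate(p1),
               "replay of first press": car.validate(p1)}
    p2 = fob.press()                    # never reaches the car (out of range)
    p3 = fob.press()
    results["third press, second skipped"] = car.validate(p3)
    results["second press delivered late"] = car.validate(p2)
    results["wrong key"] = car.validate(make_packet(b"wrong-key", fob_id, 4))
    results["far beyond window"] = car.validate(make_packet(key, fob_id, 100))
    return results


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event:32s} -> {'accepted' if accepted else 'rejected'}")
```

The window exists so that presses made out of range of the car (as in the Daily Mail scenario above) do not permanently desynchronise the fob; making it small limits how far ahead a recorded-but-undelivered code can sit, but does not by itself close the gap the text describes.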

The technique Anthony presents has the attacker use an Arduino with a CC1101 transceiver as the jammer. Jamming is totally illegal within the USA, so Anthony does not show exactly how to do the jamming. While the signal is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the signal is processed in GNU Radio to remove the jamming signal and extract the keyfob signal. He then uses GNU Radio to demodulate the ASK signal into a binary waveform that he can replay later.

Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.

RTL-SDR receiving a BMW keyfob signal at 315 MHz in HDSDR.