Online magazine Motherboard has recently uploaded a video on YouTube in which a reporter interviews white hat hacker Ang Cui. Cui is the inventor of the Funtenna, a piece of malware that can infect any embedded device and turn it into an improvised RF transmitter.
As examples of the kind of device the Funtenna can infect, Cui shows how he infected a desktop telephone and a desktop printer. The malware running on the phone makes it transmit an RF signal carrying the audio picked up by its microphone, and the malware running on the printer makes it emit a binary coded transmission of the text being printed. It does this by driving a GPIO, PWM or UART interface on the device so that it modulates the emitted signal, in much the same way as the Raspberry Pi FM transmitter project rpitx. To receive and decode the signal Cui uses a software defined radio and a GNU Radio program.
Ang Cui previously presented this work at Black Hat 2015; his slides can be found here, and his presentation is the second video below.
How Hackers Could Wirelessly Bug Your Office
Emanate Like A Boss: Generalized Covert Data Exfiltration With Funtenna
Over on YouTube, user Crazy Danish Hacker has been uploading an entire series on GSM sniffing with an RTL-SDR. The series is presented in a slow, clear style and starts at the very beginning with installing the RTL-SDR. It is not yet complete, but he is uploading a new video almost daily. Presumably the series will end by showing how to receive text messages and voice calls originating from your own cellphone.
So far he has shown how to install the RTL-SDR, identify GSM downlinks, install and use GQRX and kalibrate, locate nearby cell towers, install and use GR-GSM, and extract the TMSI and Kc from your own cell phone. To obtain the TMSI and Kc he uses an Android tool called usbswitcher, which forces the phone to expose its USB modem interface, from which the values can be read.
The video below shows his teaser video on the series. Check out his GSM playlist to view the full series.
GSM Sniffing Teaser - Software Defined Radio Series!
"Pokémon Go" is the latest smartphone augmented-reality gaming craze. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players walk around in the real world with a GPS-enabled smartphone, collecting different virtual Pokémon that appear at random real-world spots, replenishing the virtual items needed to collect Pokémon at "Pokéstops", and putting Pokémon to battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs, etc. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.
Since the game is GPS based, Stefan Kiese decided to see if he could cheat at it by spoofing his GPS location with a HackRF software defined radio. The HackRF is a relatively low cost, multipurpose, TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and the replenishment of items at Pokéstops.
To do this he used the off-the-shelf "GPS-SDR-Sim" software by Takuji Ebinuma, a GPS spoofing tool for transmit-capable SDRs such as the HackRF, bladeRF and USRP radios. At first Stefan noticed that the HackRF was simply jamming his GPS signals rather than simulating the satellites. He traced the problem to the HackRF's internal clock not being accurate enough. To solve this he used a function generator to feed a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS (A-GPS)" on his phone, which uses nearby cell phone towers to help improve location tracking.
Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and watch his virtual character walk around on the real-world map. A warning if you intend to do this: remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.
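The cheating detection that the warning alludes to can be as simple as a plausibility check over consecutive GPS fixes. The code below is an added example, not from Stefan Kiese's post or from GPS-SDR-Sim: it flags any segment whose implied ground speed exceeds a walking pace and, mirroring the A-GPS cross-check that the post mentions disabling, any fix that lies far from a coarse network-derived location. The coordinates, timestamps, thresholds and the `coarse` location are all constructed values for illustration.

```python
from math import asin, cos, radians, sin, sqrt
from typing import List, NamedTuple, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


class Fix(NamedTuple):
    t: float    # seconds since the start of the session
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points on the Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def flag_implausible(
    fixes: List[Fix],
    max_speed_mps: float = 3.0,                       # brisk walking pace (assumed threshold)
    coarse: Optional[Tuple[float, float]] = None,     # network-derived (lat, lon), if any
    coarse_radius_m: float = 5000.0,                  # how far a GPS fix may stray from it
) -> List[Tuple[float, str, str]]:
    """Return (time, kind, detail) tuples for fixes that look spoofed or teleported."""
    flags = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            flags.append((cur.t, "timestamp", "non-increasing timestamp"))
            continue
        speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
        if speed > max_speed_mps:
            flags.append((cur.t, "speed", f"{speed:.1f} m/s exceeds {max_speed_mps} m/s"))
    if coarse is not None:
        # Cross-check against the coarse cell-tower location, as A-GPS would allow.
        for f in fixes:
            d = haversine_m(f.lat, f.lon, coarse[0], coarse[1])
            if d > coarse_radius_m:
                flags.append((f.t, "coarse", f"{d / 1000:.0f} km from network location"))
    return flags


# Constructed sample data: three plausible walking steps, then a 1.1 km jump in 10 s.
WALK_WITH_JUMP = [
    Fix(0, 52.5200, 13.4050),
    Fix(10, 52.5202, 13.4050),
    Fix(20, 52.5204, 13.4050),
    Fix(30, 52.5304, 13.4050),   # 0.01 deg of latitude in 10 s: ~111 m/s
    Fix(40, 52.5306, 13.4050),
]
BERLIN_COARSE = (52.5200, 13.4050)   # constructed "cell tower" location

# Constructed: a phone whose GPS claims Paris while its network location is Berlin.
SPOOFED_REMOTE = [Fix(0, 48.8566, 2.3522), Fix(10, 48.8566, 2.3522)]


if __name__ == "__main__":
    for name, track in (("walk_with_jump", WALK_WITH_JUMP), ("spoofed_remote", SPOOFED_REMOTE)):
        for t, kind, detail in flag_implausible(track, coarse=BERLIN_COARSE):
            print(f"{name} t={t:>4}: {kind}: {detail}")
```

The speed test alone catches teleporting; the coarse-location test catches a consistently fake but smoothly moving track, which is exactly the case a spoofed-route tool produces, and is why the post had to turn A-GPS off.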
ANT-FS is a wireless file transfer protocol designed specifically for transferring files wirelessly between two devices. It targets ultra low power devices and typically runs on hardware powered by a coin-cell battery. It is commonly used in applications like fitness trackers, which store data to be downloaded later to a PC.
Over on YouTube, user sghctoma has uploaded a teaser video showing him receiving and decoding ANT-FS packets with blocks developed for the Pothos graphical dataflow framework. As ANT-FS is usually transmitted at 2.4 GHz, he had to use an MMDS downconverter so that his RTL-SDR could receive the packets. Sghctoma writes that the video is only a teaser, and that a live demo with a real device, together with the full code and details, will be released during his DEFCON talk titled "Help, I've got ANTs!!!".
ANT-FS sniffing with RTL-SDR, an MMDS downconverter and Pothosware
To reverse engineer the drone's wireless communications system the teams used software defined radios like the HackRF and BladeRF, as well as an alternative method using just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode it into packets of data. On analysis they found the data bytes easy to reverse engineer, and were then able to transmit their own packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.
The Syma X8C drone to be stolen in the competition.
Dejan Ornig, a 26 year old student at the University of Maribor's Faculty of Criminal Justice and Security, was recently almost jailed for finding a security flaw in Police TETRA communications in his home country of Slovenia. Back in 2013 his university computer science class of 25 was assigned the task of researching security vulnerabilities in TETRA. TETRA is a digital radio communications protocol often used by authorities because it can be secured with encryption. During his research he used an RTL-SDR and the open source Osmocom TETRA decoder, and discovered a flaw in the Slovenian Police's TETRA configuration which meant that communications were often being broadcast in the clear rather than encrypted. Translated, Ornig said:
For $20 I bought a DVB-T receiver (RTL-SDR). On the Internet I also found the freely available, open-source OsmoCOM software. The free solution for decoding the TETRA signal, osmo-tetra, is already prepared as a programming framework based on the GNU platform.
He goes on to say (translated):
I was even more surprised when I found that most users did not have authentication turned on on their radio terminals, even though the Ministry of the Interior had repeatedly written in its documents and tenders that all radio terminals must access the network using authentication.
Shortly after discovering the flaw, Dejan privately contacted the authorities with his findings. But after two years of repeatedly contacting them and waiting for a fix, he decided to take his story to a local news agency in February 2015. At this point the Slovenian Police became interested in Dejan and, instead of fixing the problem, searched his house and seized his computer and RTL-SDR. After the search the Police made life harder for Ornig by piling on other accusations. During the search they found a "counterfeit police badge" in his house and apparently accused him of impersonating a police officer, and after examining his PC they also decided to charge him on finding that he had covertly recorded his ex-employer calling him an "idiot".
Ornig has now been given a 15 month suspended jail sentence for attempting to "hack" the TETRA network. Fortunately the suspended part means that Ornig will not go to jail as long as he does not repeat his crime within 3 years. While SDRs and radios are not illegal in most countries, this is a reminder to professional and amateur security researchers to check that what you are doing is legal in your country. Even if it is for the overall good, Police often do not have the technical competence to understand security researchers and may react illogically to findings. The good news in Ornig's story is that, apart from the suspended jail sentence, the authorities appear to have now worked with him to fix the problems.
Over on his blog Caleb Madrigal has written a short article describing how he performed a simple replay attack against a Jeep Patriot, which allowed him to unlock and lock his car with his HackRF. The replay attack is very simple and can easily be performed with a TX capable SDR like the HackRF: a signal is recorded and then rebroadcast (replayed). Normally, wireless car locks use rolling codes to prevent such an attack, since a rolling code changes with every press and a recorded frame is no longer valid, but it appears that the 2006 Jeep Patriot has no such measure.
Caleb first recorded the unlock and lock signals with his HackRF and GNU Radio. He then opened the recording in Audacity, isolated the unlock and lock signals, and saved each to a separate file. Finally, he transmitted the unlock and lock waveforms, which successfully locked and unlocked the Jeep.
1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
2. Record the signal and visually study the waveform in Audacity.
3. Look up the system's part information and determine the encoding type (e.g. ASK/OOK).
4. Determine the bit string and baud rate.
5. Program the RFcat to send the same disarm binary string.
Once again, research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular SimpliSafe wireless alarm system could be disarmed in a somewhat similar way.
$50 home alarm system broken by an RTL-SDR and RFcat.
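Both the Jeep and the $50 alarm fall to a recorded-and-replayed frame for the same reason: every press of the transmitter sends the same bytes, so the receiver cannot tell a recording from a genuine press. The simulation below is an added example, not code from Caleb Madrigal's post, the alarm write-up, or either product. It models a fixed-code receiver beside a rolling-code design of my own (a per-press counter authenticated with a truncated HMAC-SHA256 under a key shared between fob and receiver, accepted only within a small resync window) and shows that the same captured frame is accepted by the first and rejected by the second. The frame layout, the key, the fixed codes and the window size are constructed values; real fob protocols such as KeeLoq use different primitives and layouts.

```python
import hashlib
import hmac
import struct

# Command identifiers for the toy frame format (constructed for this example).
UNLOCK, LOCK = 0x01, 0x02
TAG_LEN = 8  # bytes of truncated HMAC-SHA256 carried in each rolling-code frame


class FixedCodeReceiver:
    """Receiver for a fixed-code fob: every press sends the same bytes, so a
    recorded frame is indistinguishable from a genuine one."""

    def __init__(self, unlock_code: bytes, lock_code: bytes):
        self.codes = {unlock_code: UNLOCK, lock_code: LOCK}

    def accept(self, frame: bytes):
        # Returns the command if the frame matches a known code, else None.
        return self.codes.get(frame)


class RollingCodeFob:
    """Fob that puts an incrementing counter in every frame and authenticates
    the frame with a key shared with the receiver."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self, command: int) -> bytes:
        self.counter += 1
        body = struct.pack(">BI", command, self.counter)  # 1-byte command, 4-byte counter
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class RollingCodeReceiver:
    """Receiver that accepts a frame only if its tag verifies and its counter is
    ahead of the last accepted one, within a bounded resync window."""

    def __init__(self, key: bytes, last_counter: int = 0, window: int = 16):
        self.key = key
        self.last_counter = last_counter
        self.window = window

    def accept(self, frame: bytes):
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        command, counter = struct.unpack(">BI", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return None  # stale (replayed) counter, or too far ahead to resync
        self.last_counter = counter
        return command


def demo() -> dict:
    """Run both receivers against a captured frame and report what each accepts."""
    results = {}

    # Fixed-code system: a recording of one unlock press works every time.
    fixed_rx = FixedCodeReceiver(b"\xA5\x3C\x0F", b"\xA5\x3C\xF0")  # constructed codes
    captured = b"\xA5\x3C\x0F"  # what recording a single press yields
    results["fixed_code_replay_accepted"] = fixed_rx.accept(captured) == UNLOCK

    # Rolling-code system sharing a constructed key between fob and receiver.
    key = b"example-shared-key-not-a-real-device-secret"
    fob = RollingCodeFob(key)
    rx = RollingCodeReceiver(key)

    captured = fob.press(UNLOCK)
    results["rolling_first_accepted"] = rx.accept(captured) == UNLOCK
    results["rolling_replay_accepted"] = rx.accept(captured) == UNLOCK   # same bytes again
    results["rolling_next_accepted"] = rx.accept(fob.press(LOCK)) == LOCK

    # Bumping the counter without knowing the key fails the tag check.
    tampered = bytearray(fob.press(UNLOCK))
    tampered[4] ^= 0x01
    results["rolling_tampered_accepted"] = rx.accept(bytes(tampered)) == UNLOCK
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The window exists because a fob pressed out of range advances its counter without the receiver seeing it; the receiver tolerates a few skipped values so the owner is not locked out, while anything at or below the last accepted counter, which is what a replay always is, stays rejected.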