Category: Security

Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps needed to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to let us know about his recently released project called Topguw. Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, have Airprobe and Kraken installed, and also have roughly 2TB of A5/1 rainbow tables on disk, which keeps the barrier to this hack quite high. Bastien writes about his software:

So like I said, my software can "crack" SMS and calls over a GSM network.

How ?

I put quotation marks around "crack" because my software is not enough to decipher GSM by itself. My software can perform some steps of the known-plaintext attack introduced by Karsten Nohl, and by the way increase the time to decipher an SMS or call. I'll not explain all the steps here because they are long and tedious, but there is a lot of work done behind the GUI.

Actually my software can extract keystreams (or try to find some of them) from a GSM capture file, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher the SMS or call.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2Tb), everyone can try to hack GSM. It's very low cost compared to other attack vectors. Moreover the success rate is really great if you guess the keystream correctly. So when I started to do this by hand I thought: why not try to make something that does this automatically?
This is how Topguw was born.

Topguw, I hope, will make people aware of the risk they take by calling or sending SMS over GSM.

My software is currently in beta, but I did run it several times and got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are produced to help with GSM reverse engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, keep an eye on Bastien's YouTube channel, as he plans to upload another video soon in which he hacks his own GSM SMS/call signals.

Topguw Proof of concept - GSM Hacking educational purpose

Of course, remember that intercepting GSM signals is illegal in most jurisdictions. If you try this, check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

Update 27 Feb 2023: Note that this content is constantly being censored by video upload sites. If the above video is down, Bastien has posted links to copies on alternative video hosts on pastebin.

Controlling Siri and Google Now with a Yagi and USRP

Wired magazine has recently run a story showing how French researchers discovered a method for remotely controlling modern smartphones through an RF attack on the voice control functionality, Siri on the iPhone and Google Now on Android. The attack only works on phones that have voice commands enabled, and a pair of headphones with a microphone must be plugged in.

The attack is pretty simple in theory. A software defined radio transmits a high power amplitude modulated carrier that is picked up by the headphone cable, which acts as an antenna. The modulation is chosen so that the phone's microphone front end behaves as an unintended AM demodulator: its non-linear components rectify the RF, and the built in low pass filtering then leaves only the audio frequency envelope, which the phone hears as a spoken voice command.

In their experiments they used a USRP SDR, an amplifier and a directional Yagi antenna to make a smartphone load a web page of their choosing. The same attack could probably be performed with a cheaper HackRF SDR.
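The mechanism described above, as an added simulation that is not the researchers' code: a constructed two-tone "voice command" is AM modulated onto a carrier, and a crude model of the headset input (half-wave rectification followed by low-pass filtering, nothing designed to demodulate anything) is fed the RF. The simulation carrier, sample rate, cutoff and tone frequencies are all assumptions chosen to keep the pure-Python run short; the real attack transmits at VHF, far above the audio band.

```python
import math

# Simulation parameters (constructed): a 20 kHz "carrier" sampled at 200 kS/s.
FS = 200_000
FC = 20_000


def audio_command(n, fs=FS):
    """Stand-in for the voice command: two audio tones (constructed test signal)."""
    return [0.5 * math.sin(2 * math.pi * 300 * i / fs)
            + 0.3 * math.sin(2 * math.pi * 700 * i / fs) for i in range(n)]


def am_modulate(audio, fs=FS, fc=FC, depth=0.8):
    """Amplitude modulation: the carrier envelope follows 1 + depth * audio."""
    return [(1.0 + depth * a) * math.cos(2 * math.pi * fc * i / fs)
            for i, a in enumerate(audio)]


def headset_front_end(rf, fs=FS, cutoff=5_000):
    """Crude model of the microphone input: a non-linearity (half-wave
    rectification, as a diode or transistor junction does to a large RF
    signal) followed by two one-pole low-pass stages. The low-pass alone
    could not demodulate AM; the rectification is what makes it an envelope
    detector."""
    alpha = 1.0 - math.exp(-2.0 * math.pi * cutoff / fs)
    out, y1, y2 = [], 0.0, 0.0
    for v in rf:
        rect = v if v > 0.0 else 0.0
        y1 += alpha * (rect - y1)
        y2 += alpha * (y1 - y2)
        out.append(y2)
    return out


def correlation(a, b):
    """Pearson correlation coefficient between two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb)


def demo(n=8000, skip=500):
    """Returns (r_front_end, r_raw_rf): how well the front end's output and the
    raw RF, respectively, match the injected command. The filter start-up
    transient (first `skip` samples) is left out of the comparison."""
    audio = audio_command(n)
    rf = am_modulate(audio)
    recovered = headset_front_end(rf)
    return (correlation(audio[skip:], recovered[skip:]),
            correlation(audio[skip:], rf[skip:]))


if __name__ == "__main__":
    r_rec, r_raw = demo()
    print(f"command vs front-end output: r = {r_rec:.3f}")
    print(f"command vs raw RF:           r = {r_raw:.3f}")
```

The raw RF is uncorrelated with the command (the phone cannot "hear" a 20 kHz or VHF carrier), while the rectified and filtered output tracks it closely. That is the whole trick: the attacker never has to produce audio, only an envelope the front end will recover by accident.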

A talk by the researchers, from the Hack in Paris 2015 (HIP15) conference, was uploaded earlier this month and is shown below.

HIP15-TALK:You don't hear me but your phone's voice interface does

Reverse engineering a public parking electronic display to play Tetris

Recently we received an email from RTL-SDR.com reader @Ivoidwarranties about his latest project, which involved using a HackRF to reverse engineer the RF protocol used by a public parking electronic display. Once the protocol was reverse engineered, @Ivoidwarranties used an XR-2206 monolithic function generator, a hybrid RF amplifier and an Arduino to build a device that overrides the public parking display and plays a game of Tetris on it.

We don’t have any details on the HackRF reverse engineering side of things, but he has uploaded a video to YouTube showing the hack in action.

Real hacking of public parking electronic display

Video showing SMS Texts and Voice Calls being sniffed with an RTL-SDR

Over on YouTube user Osama SH has uploaded a video briefly showing the steps needed to use an RTL-SDR dongle to sniff some SMS text messages and voice calls made from his own phone. This only works if the encryption key the phone is using is known, so it cannot be used to listen in on any phone, just ones you have access to. In the video he uses Airprobe and Wireshark to initially sniff the data and find the information needed to decode the text message. Once through the process he is able to recover the SMS message and some voice audio files.
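As an added example covering both the Topguw post above and this video (not code from Topguw, Kraken, Airprobe or Osama SH): the step Topguw automates is recovering keystream by XORing a ciphered burst with a burst whose plaintext can be guessed, and the step this video skips by knowing the key is decrypting with A5/1 directly. The A5/1 generator below is written from the public description of the cipher (three LFSRs with majority clocking, 64 key bits, 22 frame-number bits, 100 mixing clocks, 228 output bits); the session key, frame number and "known plaintext" burst are constructed stand-ins, the last one standing in for the coded bits of a predictable GSM frame that the real attack relies on. Recovering Kc from the keystream is Kraken's job and is not reproduced; what is shown is how a candidate Kc is verified once you have one.

```python
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10      # clocking-control bit of each LFSR


def _shift(reg, taps, mask, feed=0):
    """Shift one LFSR left; new bit 0 = XOR of the tap bits (and an optional feed bit)."""
    fb = feed
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & mask


class A51:
    """A5/1 keystream generator for one frame."""

    def __init__(self, kc, frame):
        """kc: 8-byte session key (Kc); frame: 22-bit frame number (COUNT)."""
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                       # key loading, all registers clocked
            self._shift_all((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                       # frame number loading
            self._shift_all((frame >> i) & 1)
        for _ in range(100):                      # mixing: majority clocking, output discarded
            self._majority_clock()

    def _shift_all(self, feed):
        self.r1 = _shift(self.r1, R1_TAPS, R1_MASK, feed)
        self.r2 = _shift(self.r2, R2_TAPS, R2_MASK, feed)
        self.r3 = _shift(self.r3, R3_TAPS, R3_MASK, feed)

    def _majority_clock(self):
        b1 = (self.r1 >> R1_CLK) & 1
        b2 = (self.r2 >> R2_CLK) & 1
        b3 = (self.r3 >> R3_CLK) & 1
        maj = (b1 & b2) | (b1 & b3) | (b2 & b3)
        if b1 == maj:
            self.r1 = _shift(self.r1, R1_TAPS, R1_MASK)
        if b2 == maj:
            self.r2 = _shift(self.r2, R2_TAPS, R2_MASK)
        if b3 == maj:
            self.r3 = _shift(self.r3, R3_TAPS, R3_MASK)

    def keystream(self, nbits=228):
        """228 bits per frame: first 114 for the downlink burst, next 114 for the uplink burst."""
        out = []
        for _ in range(nbits):
            self._majority_clock()
            out.append(((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)) & 1)
        return out


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encrypt_burst(kc, frame, bits114, uplink=False):
    """XOR the 114 payload bits of a burst with the keystream block for its direction."""
    ks = A51(kc, frame).keystream()
    return _xor(bits114, ks[114:] if uplink else ks[:114])


# Stream cipher: decrypting with a known Kc (the video's situation) is the same XOR.
decrypt_burst = encrypt_burst


def recover_keystream(cipher114, guessed_plain114):
    """The step Topguw automates: keystream = ciphertext XOR guessed plaintext."""
    return _xor(cipher114, guessed_plain114)


def verify_candidate_key(kc_candidate, frame, recovered_ks, uplink=False):
    """Check a candidate Kc (e.g. one Kraken returned) by regenerating the keystream for that frame."""
    ks = A51(kc_candidate, frame).keystream()
    return (ks[114:] if uplink else ks[:114]) == recovered_ks


def demo():
    kc = bytes.fromhex("0123456789abcdef")       # constructed Kc, not from any real SIM
    frame = 0x0ABCDE & 0x3FFFFF                   # constructed 22-bit frame number
    # constructed stand-in for the coded bits of a predictable downlink frame
    known_plain = [1 if (i * 7 + 3) % 5 == 0 else 0 for i in range(114)]
    cipher = encrypt_burst(kc, frame, known_plain)          # what the RTL-SDR captures
    ks = recover_keystream(cipher, known_plain)             # Topguw's output, Kraken's input
    good = verify_candidate_key(kc, frame, ks)
    bad = verify_candidate_key(bytes.fromhex("ffffffff00000000"), frame, ks)
    return good, bad


if __name__ == "__main__":
    print("right Kc verifies: %s, wrong Kc verifies: %s" % demo())
```

Note that if the plaintext guess is wrong in even a few bit positions, the recovered keystream is wrong in those positions and Kraken's table lookup fails, which is why Bastien says the success rate depends on guessing the keystream correctly. A practitioner validating this generator should check it against the published A5/1 reference test vector before relying on it.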

Reverse Engineering Wireless Mobile Traffic Lights with an RTL-SDR

When roadworks suddenly appeared on Bastian Bloessl's girlfriend's street, the workers put up a set of automated wireless traffic lights to control the flow of traffic during the works. Seeing these lights, Bastian quickly grabbed his RTL-SDR dongle and got to work reverse engineering the status telemetry signals transmitted by the lights.

Wireless traffic lights reverse engineered with an RTL-SDR

Bastian discovered two signals at around 170 MHz, corresponding to the two pairs of lights. By analyzing the signal in Baudline and Audacity he found that it was AFSK1200 modulated, with tones at 1200 Hz and 2400 Hz. He then wrote a simple GNU Radio program that outputs the frame bits. After some analysis he was able to make sense of the frame structure and create a simple web interface that visualizes the data as virtual traffic lights on his PC. The YouTube video below shows the signal and his RTL-SDR decoding software in action.

The telemetry appears to be unencrypted; we would assume, however, that the control signals are.
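Bastian's GNU Radio flowgraph is not reproduced here. As an added, self-contained Python example of the same decoding idea, the block below generates an AFSK1200 signal with the 1200 Hz and 2400 Hz tones from the post, recovers bit timing, demodulates with a non-coherent tone detector, and parses a frame. The frame layout (preamble, sync word, unit id, lamp state, sequence number, XOR checksum) is invented for the example and is not the real telemetry format, the tone-to-bit assignment (1200 Hz = 1) is an assumption, and the noise and start offset are constructed.

```python
import math
import random

FS = 48_000                 # sample rate of the demodulated FM audio
BAUD = 1200
MARK, SPACE = 1200, 2400    # tones reported on the page; mark = 1, space = 0 (assumption)
SPB = FS // BAUD            # 40 samples per bit

# Constructed frame layout for the example (NOT the real traffic-light protocol).
PREAMBLE = bytes([0xAA, 0xAA])
SYNC = bytes([0x2D, 0xD4])
STATES = {1: "red", 2: "amber", 4: "green"}


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def build_frame(unit, state, seq):
    payload = bytes([unit, state, seq])
    check = payload[0] ^ payload[1] ^ payload[2]
    return bytes_to_bits(PREAMBLE + SYNC + payload + bytes([check]))


def afsk_modulate(bits, fs=FS):
    """Phase-continuous AFSK: each bit is SPB samples of the mark or space tone."""
    out, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK if b else SPACE) / fs
        for _ in range(SPB):
            out.append(math.sin(phase))
            phase += step
    return out


def add_noise(samples, sigma, seed=7):
    rng = random.Random(seed)   # seeded so the run is reproducible
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _reference(f, fs=FS):
    return [(math.cos(2 * math.pi * f * n / fs), math.sin(2 * math.pi * f * n / fs))
            for n in range(SPB)]


REF = {MARK: _reference(MARK), SPACE: _reference(SPACE)}


def tone_energy(chunk, f):
    """Non-coherent detector: squared magnitude of the correlation with the tone."""
    re = im = 0.0
    for x, (c, s) in zip(chunk, REF[f]):
        re += x * c
        im += x * s
    return re * re + im * im


def find_bit_sync(samples):
    """Bit-timing recovery: the offset at which the mark/space decision margin is largest."""
    best_off, best_margin = 0, -1.0
    for off in range(SPB):
        margin = 0.0
        for i in range(off, len(samples) - SPB + 1, SPB):
            chunk = samples[i:i + SPB]
            margin += abs(tone_energy(chunk, MARK) - tone_energy(chunk, SPACE))
        if margin > best_margin:
            best_off, best_margin = off, margin
    return best_off


def afsk_demodulate(samples, offset=0):
    bits = []
    for i in range(offset, len(samples) - SPB + 1, SPB):
        chunk = samples[i:i + SPB]
        bits.append(1 if tone_energy(chunk, MARK) > tone_energy(chunk, SPACE) else 0)
    return bits


def parse_frame(bits):
    """Find the sync word in a bit stream and decode the payload; None if no valid frame."""
    sync = bytes_to_bits(SYNC)
    for pos in range(len(bits) - len(sync) - 32 + 1):
        if bits[pos:pos + len(sync)] != sync:
            continue
        body = bits[pos + len(sync):pos + len(sync) + 32]
        unit, state, seq, check = (int("".join(map(str, body[k:k + 8])), 2) for k in range(0, 32, 8))
        if unit ^ state ^ seq != check:
            continue
        return {"unit": unit, "state": STATES.get(state, "unknown"), "seq": seq}
    return None


def demo():
    """One constructed status frame, received with noise and 17 samples of dead air in front."""
    tx = afsk_modulate(build_frame(unit=2, state=4, seq=17))
    rx = add_noise([0.0] * 17 + tx, sigma=0.3)
    off = find_bit_sync(rx)
    return off, parse_frame(afsk_demodulate(rx, off))


if __name__ == "__main__":
    print(demo())
```

With a 40-sample bit at 48 kS/s the two tones complete one and two full cycles per bit, so the correlations are orthogonal and the decision is clean even with the added noise; on a real capture the bit clock drifts and the loop would re-estimate the offset periodically rather than once.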

Traffic Lights + GNU Radio + RTL SDR

Spoofing GPS Locations with low cost TX SDRs

At this year's Defcon 2015 conference researcher Lin Huang from Qihoo 360 presented her work on spoofing GPS signals. Qihoo 360 is a Chinese security company that produces antivirus software. Lin works at Qihoo as a security researcher, where her main job is to protect their antivirus software and its users from wireless attacks. Her research brought her to GPS spoofing, where she found how easy it is to use relatively low cost transmit-capable SDRs such as the USRP B210, BladeRF or HackRF to emulate GPS signals, which could allow a wireless attacker to manipulate the GPS fix on smartphones and in cars.

Previous attempts at GPS spoofing have used more expensive custom hardware. In 2013 university researchers used spoofing to send a 213-foot yacht off course, and it is suspected that hackers working for the Iranian government used GPS spoofing to divert and land an American stealth drone back in 2011.

In Lin's presentation she shows how she was able to trick a smartphone into thinking it was in a different location. She also describes how the same method could be used to change the phone's time, as many smartphones periodically correct their clock using GPS. Finally she shows how she bypassed the no fly zone policy of a DJI drone. DJI drones come with a feature where the motors will not power up if the on board GPS reports that the drone is inside a no fly zone. By spoofing the GPS she was able to get the drone to power up inside a no fly zone in Beijing.

Lin Huang's presentation can be downloaded from the Defcon media server (PDF). An article on Lin and her research into GPS spoofing has also been run on Forbes.com.

Spoofed GPS logs on a smartphone

Seeing through walls with WiFi signals and USRP software defined radios

Researchers at University College London have found a way to use WiFi signals to see through walls, using a USRP software defined radio and software written in LabView. The researchers have shown that they can use local WiFi signals to detect and monitor moving objects, such as people behind a wall, in a similar fashion to a radar system. The advantage over traditional radar is that their system is completely passive, requiring no transmitter of its own: the already ubiquitous WiFi signal is the illuminator.

In a demonstration the researchers showed how they were able to not only detect the presence of a person behind a wall, but also detect small hand gestures that were made.

Detecting body gestures from WiFi signals in LabView.

It appears the researchers are patenting their work and are looking to market their technology towards military and security surveillance operators as well as towards other applications such as traffic monitoring and the monitoring of children and the elderly.

We aren't sure what radio accuracy a system such as this requires, but it may be possible that SDRs cheaper than the USRP would also work, assuming the software technology can ever be replicated or licensed.

A proposed application of the technology: Allowing police to see through walls in a hostage situation.

Breaking into cars wirelessly with a $32 homemade device called RollJam

At this year's Def Con conference speaker Samy Kamkar revealed how he built a $32 device called "RollJam" which can open cars and garages wirelessly by defeating the rolling code protection used by wireless entry keys. Def Con is a very popular yearly conference that focuses on computer security topics.

A rolling code improves wireless security by using a synchronized pseudo random number generator (PRNG) on the car and the key. When the key is pressed the current code is transmitted, and if the code matches what the car is expecting the door opens. The counter feeding the PRNG in the car and key is then advanced, so a code that has already been used is rejected, which prevents simple replay attacks. In practice the car accepts any of a window of upcoming codes, since the key may be pressed while out of range of the car, and it is this window that RollJam exploits.

The RollJam hardware currently consists of a Teensy 3.1 microcontroller and two CC1101 433 MHz RF transceiver modules. It works by recording the wireless key signal while at the same time jamming it, so that the car does not receive the code. When the key is pressed a second time the signal is again jammed and recorded, but this time RollJam replays the first code, so the car opens and the owner notices nothing. RollJam is now holding an unused code that can later be used to open the car. Samy shows how this works using an SDR and waterfall display in the following slide.

How RollJam Works
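To make the sequence concrete, here is an added simulation of the exchange. It is not Samy's RollJam code or any manufacturer's rolling-code scheme: the code generator (an HMAC over a counter), the secret, and the 256-code acceptance window are constructed for the example. The jammer is modelled simply as "the car never receives that transmission".

```python
import hashlib
import hmac


def rolling_code(secret, counter):
    """Code for one counter value. A keyed PRF stands in for the real generator (constructed)."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press(self):
        """Transmit the code for the current counter, then advance the counter."""
        code = rolling_code(self.secret, self.counter)
        self.counter += 1
        return code


class Car:
    WINDOW = 256   # how far ahead of the last accepted counter the receiver will look (assumption)

    def __init__(self, secret):
        self.secret, self.last = secret, -1

    def receive(self, code):
        """Accept a code that matches any unused counter inside the window and move the
        counter up to it; a code at or behind the last accepted counter is rejected."""
        for c in range(self.last + 1, self.last + 1 + self.WINDOW):
            if hmac.compare_digest(code, rolling_code(self.secret, c)):
                self.last = c
                return True
        return False


class RollJam:
    """Jams the car while recording the fob, so the car never sees the code,
    and replays stored codes later (in the order they were captured)."""

    def __init__(self):
        self.stored = []

    def jam_and_record(self, code):
        self.stored.append(code)

    def replay(self, car):
        return car.receive(self.stored.pop(0))


def naive_replay():
    """Plain replay of an already used code: the rolling code works as intended."""
    secret = b"shared-fob-secret"          # constructed key material
    fob, car = KeyFob(secret), Car(secret)
    code = fob.press()
    car.receive(code)                        # legitimate press, car opens
    return car.receive(code)                 # attacker replays the same code


def rolljam_attack():
    """Returns (car opened for the victim, car opened later for the attacker,
    replaying the first code a second time succeeded)."""
    secret = b"shared-fob-secret"
    fob, car, rj = KeyFob(secret), Car(secret), RollJam()
    rj.jam_and_record(fob.press())           # press 1: jammed and recorded, car stays locked
    rj.jam_and_record(fob.press())           # press 2: jammed and recorded as well...
    victim_sees_open = rj.replay(car)        # ...and code 1 is replayed, so the car opens
    attacker_opens = rj.replay(car)          # later: code 2 has never reached the car
    reused = car.receive(rolling_code(secret, 0))   # code 1 again: behind the counter now
    return victim_sees_open, attacker_opens, reused


if __name__ == "__main__":
    print("naive replay accepted:", naive_replay())
    print("(victim opened, attacker opened, code reuse accepted):", rolljam_attack())
```

The window is what makes the attack work: code 2 is still "in the future" from the car's point of view when the attacker replays it. A receiver that only accepted exactly the next counter would close the hole but would also lock out a fob that had been pressed a few times out of range, which is why real receivers keep a window.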

Samy's full set of presentation slides can be downloaded from samy.pl/defcon2015. Several large publications, including networkworld.com, Wired.com and forbes.com, have also covered this story with longer, more in depth articles that may be of interest to readers.