Category: Security

Decoding Public Utility Meters with an RTL-SDR

Over on YouTube, a talk about decoding water and electricity usage meters with an RTL-SDR has been uploaded from the 2015 Camp++ conference in Hungary. The presenter, Stef, writes:

Budapest public utilities started to roll out some new metering devices for water and heating (at least in my block). The plumbers who should install these could not tell me about the privacy protections considered, as I was a bit worried about the things leaking information over radio-waves, so I built a radio and reversed the messages.

The talk shows how the presenter was able to reverse engineer the FSK wireless protocol of his heating meter with help from some patent information that he found on the web. Using a GNU Radio flow graph that he created, he was able to extract information such as total energy consumption and temperature readings.

As Camp++ is a security-themed conference, the presenter also discusses some of the security risks associated with wireless meters, such as whether or not the meter's transmissions can be used to detect if someone is currently at home.

The code he wrote and used can be found at https://github.com/stef/smeter and https://github.com/jmichelp/gr-wmbus.

Camp++ 0x7df // stef: Dumbmeters in Public Utilities

An example water meter that could be monitored with an RTL-SDR dongle

RTL-SDR as a Hardware Random Number Generator with rtl_entropy

Over on his blog, Aaron Toponce has posted a tutorial that shows how to use the RTL-SDR app rtl_entropy. This app uses the RTL-SDR to create random numbers from the atmospheric noise that it receives from the antenna. Aaron writes:

The theory behind the RNG is by taking advantage of atmospheric noise, which is caused by natural occurrences, such as weak galactic radiation from the center of our Milky Way Galaxy to the stronger local and remote lightning strikes. It’s estimated that roughly 40 lightning strikes are hitting the Earth every second, which equates to about 3.5 million strikes per 24 hour period. Interestingly enough, this provides a great deal of entropy for a random number generator.

In the post Aaron also shows how to put the rtl_entropy generated data through some standardized randomness tests, how to visualize the random output and also shows how to use rtl_entropy to generate 80-bit entropy passwords.
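As an added example (not code from Aaron's post or from the rtl_entropy project), two of the FIPS 140-2 power-up statistical tests, one common form of "standardized randomness test", implemented over a 20,000-bit block; which tests Aaron actually used is not stated on this page, so that pairing is an assumption. The constructed inputs show why a single test is not enough: a perfectly alternating stream passes the monobit test and still fails the poker test.

```python
import os

BLOCK_BITS = 20000  # FIPS 140-2 tests are defined over a 20,000-bit block


def bytes_to_bits(data):
    """Expand raw bytes (e.g. output read from a hardware RNG) to a '0'/'1' string."""
    return "".join(format(b, "08b") for b in data)


def monobit_test(bits):
    """FIPS 140-2 monobit test: the count of ones must satisfy 9725 < X < 10275.
    Returns (passed, ones_count)."""
    assert len(bits) == BLOCK_BITS
    ones = bits.count("1")
    return 9725 < ones < 10275, ones


def poker_test(bits):
    """FIPS 140-2 poker test: split the block into 5000 nibbles, count each of the
    16 possible values f_i, and require 2.16 < X < 46.17 where
    X = (16 / 5000) * sum(f_i ** 2) - 5000.  Returns (passed, X)."""
    assert len(bits) == BLOCK_BITS
    counts = [0] * 16
    for i in range(0, BLOCK_BITS, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    x = (16 / 5000) * sum(f * f for f in counts) - 5000
    return 2.16 < x < 46.17, x


def check_block(data):
    """Run both tests on 2500 bytes of candidate entropy; returns per-test results."""
    bits = bytes_to_bits(data)
    return {"monobit": monobit_test(bits), "poker": poker_test(bits)}


if __name__ == "__main__":
    # Constructed inputs, not RNG output: a 0101... stream and a heavily biased stream.
    alternating = bytes([0x55]) * 2500
    biased = bytes([0xFE]) * 2500
    print("alternating:", check_block(alternating))  # monobit passes, poker fails
    print("biased:     ", check_block(biased))       # both fail
    print("os.urandom: ", check_block(os.urandom(2500)))  # expected to pass both
```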

Visualizing the random noise output of rtl_entropy.

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Aviv University researchers D. Genkin, L. Pachmanov, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly operations from its RF emissions.

In addition to the above, they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ to a small Android-based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio, with the output audio being recorded with a smartphone.

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliott's talk on unintentional RF emissions, Milos Prvulovic's work on spying on keyboard presses from unintentional RF emissions, and a security flaw discovered in some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.

Wireless Door Bell 433 MHz ASK Signal Analysis with a HackRF

Paul Rascagneres, an RF experimenter, has recently uploaded a document (pdf file) detailing his efforts at reverse engineering a wireless doorbell that uses a 433 MHz Amplitude Shift Keyed (ASK) signal, using his HackRF software defined radio. The HackRF is an SDR similar to the RTL-SDR, but with a wider available bandwidth and transmit capabilities.

To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag block to receive and demodulate the ASK signal. Once demodulated he was able to visually see the binary modulated waveform and manually obtain the serial bit stream. From there he went on to create a GNU Radio program that can automatically obtain the binary strings from the ASK waveform.
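The receive-side steps described above (Complex to Mag, threshold, slice into symbols), as an added example in plain Python rather than Paul's GNU Radio flow graph; the IQ burst is constructed here, not a real doorbell capture, and the symbol rate (samples per symbol) is assumed known, as it would be after inspecting the waveform.

```python
import cmath
import math
import random


def make_ook_burst(bits, sps, offset_hz, fs, noise_sigma=0.05, seed=7):
    """Constructed complex-baseband ASK/OOK burst (test data, not a real capture).
    A '1' symbol is a carrier offset_hz from the tuned centre; a '0' symbol is
    silence. Gaussian noise is added to both I and Q."""
    rng = random.Random(seed)
    iq = []
    for n in range(len(bits) * sps):
        carrier = cmath.exp(2j * math.pi * offset_hz * n / fs) if bits[n // sps] == "1" else 0
        iq.append(carrier + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma)))
    return iq


def envelope(iq):
    """The 'Complex to Mag' step: drop the carrier phase and keep |I + jQ|."""
    return [abs(s) for s in iq]


def ask_to_bits(iq, sps):
    """Envelope -> midpoint threshold -> align on the first rising edge -> average
    each symbol period and decide. Returns the symbols as a '0'/'1' string starting
    at the first 'on' symbol (leading silence is not part of the bitstream)."""
    mag = envelope(iq)
    threshold = (max(mag) + min(mag)) / 2
    start = next((i for i, m in enumerate(mag) if m > threshold), None)
    if start is None:
        return ""  # nothing rises above the noise floor: no burst present
    out = []
    for k in range(start, len(mag) - sps + 1, sps):
        symbol_level = sum(mag[k:k + sps]) / sps  # integrate over the whole symbol
        out.append("1" if symbol_level > threshold else "0")
    return "".join(out)


def runs(bitstring):
    """Run-length view of the sliced symbols; pulse-width coded remotes are easier
    to read as (level, length) pairs than as raw symbols."""
    result = []
    for b in bitstring:
        if result and result[-1][0] == b:
            result[-1] = (b, result[-1][1] + 1)
        else:
            result.append((b, 1))
    return result


if __name__ == "__main__":
    iq = make_ook_burst("000" + "1011001110100", sps=8, offset_hz=250e3, fs=2e6)
    print(ask_to_bits(iq, 8), runs(ask_to_bits(iq, 8)))
```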

In order to replay the signal, Paul found that the simplest way was to use the hackrf_transfer program, which simply records a signal, and then replays it via the HackRF transmitter on demand. With this method Paul was able to ring his doorbell via the HackRF.

Paul also confirmed his SDR results with an Arduino and 433 MHz transceiver. He then took it a step further and used the Arduino to create a system that could automatically receive and replay signals at 433 MHz and 315 MHz.

Decoding an ASK modulated bitstream.

Receiving SSTV from FleetSatcom Pirates

Radio pirates often make use of the Fleetsatcom satellites to send and receive slow scan television (SSTV) pictures over a wide distance. Fleetsatcom is a satellite communications system used by the US Navy for radio communications. Since these satellites are simply radio repeaters with no authentication mechanisms, pirates soon discovered that they could take over the satellites for their own use.

Over on YouTube, user LEGION ELMELENAS has uploaded a video showing his reception of some pirates transmitting an SSTV image on a Fleetsatcom frequency of 252 MHz. To receive the image he used a home-made turnstile antenna, an RTL-SDR dongle, SDR# and the RX-SSTV decoder. The image appears to be a photo of a pirate's son.

We previously posted more information about Fleetsatcom SSTV pirates in this post.

SSTV from Satcom satellites. RTL-SDR SDRSharp FLTSATCOM pirates

SDR Capture The Flag Competition Tutorial

During several hacker and security themed conferences (Shmoocon, Bsides, Derbycon, Defcon, etc.) organizers from Wireless Village have been setting up competitive WiFi and SDR themed capture the flag (CTF) games. In the competition the organizers broadcast a signal and the competitors are required to complete various tasks (capturing flags) such as determining the centre frequency of the transmission, demodulating the signal, and finding any metadata contained within the signal, such as codec flags in DVB-T signals and RDS data in FM signals. The team which captures the most flags wins a prize. Capturing flags usually requires the use of some sort of software defined radio like the RTL-SDR, HackRF or BladeRF.

Recently Russell, one of the CTF organizers, wrote in to let us know about an SDR CTF training resource that he has put together. The site contains various exercises/tutorials that allow participants to practice the skills needed to compete in the competition. Most exercises involve using a Raspberry Pi together with PiFM to transmit a simulated competition signal, then receiving and demodulating the signal with an SDR. The exercises include running rtl_power, setting the PPM offset, decoding Morse code, AFSK, RDS, ASK/OOK, DVB-T, POCSAG, MotoTRBO and SSTV, and decoding numbers stations.


Spying on Keyboard Presses with a Software Defined Radio

Last year Milos Prvulovic, a computer science researcher, uploaded some videos to YouTube showing how he was able to remotely and covertly record the keystrokes of a target laptop in another room, using just a software defined radio, a magnetic loop antenna and some custom software.

The target laptop was first modified with special drivers that cause increased and unique memory and processor activity for each key that is pressed. As computers emit unintentional RF emissions, the modified memory and processor activity causes the target laptop to emit a unique RF signature for each key pressed. Milos used this fact to create a program that can detect the RF emissions from the target laptop, and show the key presses made from the target laptop on the spying PC.

EM Covert Channel Attack Setup and Explanation

EM Covert Channel Attack Through a Wall

EM Covert Channel Attack from Nearby Desk

RTL-SDR Cell Phone IMSI, TMSI and Key Sniffer

Over on YouTube user Kali Gsm has uploaded a video showing off a new software program he has written that allows an RTL-SDR to be used to gather IMSI, TMSI and Key information from a cell phone connected to a PC.

The IMSI (International Mobile Subscriber Identity) is a number that uniquely identifies a cell phone subscriber. Because IMSIs are unique they can be used to track a cell phone, so they are rarely broadcast; instead a TMSI (Temporary Mobile Subscriber Identity) number is used to identify the phone. The TMSI is changed depending on geographic location or changed by the network randomly. The key is a number that is used to decrypt the GSM data sent to your phone.

Kali Gsm's software is called rtl_tool_kit and is planned to be released soon on its GitHub page. It uses the gr-gsm software to sniff the GSM downlink with an RTL-SDR dongle and also interfaces to a connected mobile phone. The author writes that the following is possible with the software:

  1. You can get the IMSI, TMSI and key of the device connected to your PC.
  2. You can send silent/flash SMS.
  3. You can connect/match a TMSI to a mobile number if the target is on the same BTS and in GSM900/2G mode.

Update 25/01/2015: All YouTube videos appear to have been removed – though the uploader reports in the comments that the videos will be back online soon.
Update 29/01/2015: Videos are back online.