Over on YouTube, "Sam's eXperiments logs" has uploaded a video showing how he was able to succeed in using TEMPESTSDR to eavesdrop on HDMI cables with his SDRplay. TEMPESTSDR software combined with a software defined radio allows a user to eavesdrop on TVs, monitors, and more by wirelessly receiving their unintentional RF emissions and recovering information from those emissions. In many cases it is possible to recover live images of the display, clear enough to read text.
Sam's video explains the challenges he faced with signal strength due to the highly effective shielding of his HDMI cables. To get around this, Sam shows how he unshielded his HDMI cables for the test. This is good news for privacy, as it shows how effective shielding can be at stopping these kinds of attacks. He then goes on to show the results he obtained, which show text being read from his screen.
I Finally Succeeded: HDMI Signal Eavesdropping with TEMPESTSDR
Over the years we've posted several times about the TEMPEST applications of software-defined radio. TEMPEST (aka Van Eck Phreaking) is when you listen to the unintentional RF emissions of electronics and are able to recover information from them. In the past, we posted about TempestSDR, an RTL-SDR compatible program that allows you to view images from a computer monitor or TV simply by picking up the unintentional RF emissions from it.
Usually, the images received are fuzzy and it can be difficult to recover any information from them. However, recently there has been work on combining Tempest techniques with deep learning AI to improve image quality.
Deep-tempest has recently been released on GitHub and from their demonstrations, the ability to recover the true image with deep learning is very impressive. From a fuzzy grey screen, they show how they were able to recover clear text which looks almost exactly like the original monitor image.
Deep-tempest is based on gr-tempest, and requires GNU Radio, Python 3.10 and a Conda environment. Instructions for installing it are on GitHub.
The whitepaper on the University research done to implement Deep-Tempest can be found freely on arxiv at https://arxiv.org/pdf/2407.09717.
In recent years GPS spoofing and jamming have become quite commonplace. Recently popular YouTuber Scott Manley uploaded a video explaining exactly what GPS spoofing and jamming is and explains a bit about who is doing it and why.
In the video Scott explains how aircraft now routinely use GPS as a dominant navigational sensor and how some commercial flights have been suspended due to GPS jamming. Scott explains how ADS-B data can be used to determine the source of GPS jamming (via gpsjam.org) and shows hotspots stemming from Russia. He goes on to show how drone shows have also failed in China either due to GPS jamming by rival companies or due to Chinese military warship jamming. Scott then explains a bit about GPS and how jamming and spoofing work.
GPS Jamming & Spoofing - How Does It Work, And Who's Doing It?
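The ADS-B based approach Scott describes (as used by gpsjam.org) works because ADS-B position messages carry a Navigation Integrity Category (NIC) that drops when the aircraft's GPS solution is degraded. The following is an added example, not code from the original post, from Scott Manley or from gpsjam.org: it aggregates constructed ADS-B-derived reports into grid cells and flags cells where most distinct aircraft report degraded integrity. The NIC threshold, grid size and minimum-aircraft rule are assumptions chosen for illustration; gpsjam.org's exact thresholds are not stated on the page.

```python
"""
Added example (not from the original post, Scott Manley or gpsjam.org):
build a coarse GPS-interference map from ADS-B navigation-integrity (NIC) reports.

Assumptions made for this example:
  * NIC >= 7 is treated as a healthy GPS fix; anything lower counts as degraded.
  * Reports are binned into 1-degree latitude/longitude cells.
  * A cell is only judged once at least 3 distinct aircraft have reported in it.
"""
import math
from collections import defaultdict

GOOD_NIC_MIN = 7   # assumption: NIC below this is "degraded"
CELL_DEG = 1.0     # assumption: grid cell size in degrees

# Constructed sample reports: (icao24, latitude, longitude, nic). All values are made up.
SAMPLE_REPORTS = [
    ("a1", 54.70, 20.45, 8),   # same aircraft later degrades inside the same cell
    ("a1", 54.72, 20.50, 0),
    ("a2", 54.10, 20.90, 6),
    ("a3", 54.55, 20.05, 8),   # one healthy aircraft in the degraded cell
    ("a4", 54.30, 20.30, 0),
    ("b1", 52.50, 13.40, 8),   # healthy cell
    ("b2", 52.60, 13.10, 9),
    ("b3", 52.20, 13.80, 8),
    ("c1", 50.10, 8.70, 0),    # degraded, but too few aircraft to judge
    ("c2", 50.40, 8.20, 0),
]


def cell_of(lat, lon, cell_deg=CELL_DEG):
    """Map a position to an integer grid cell (works for negative coordinates too)."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def summarize_cells(reports, good_nic_min=GOOD_NIC_MIN, cell_deg=CELL_DEG):
    """Return {cell: (distinct_aircraft, aircraft_with_degraded_nic)}.

    Each aircraft gets one vote per cell, using the worst (lowest) NIC it
    reported there, so a chatty transponder cannot dominate the count.
    """
    worst = {}  # (icao24, cell) -> lowest NIC seen
    for icao, lat, lon, nic in reports:
        key = (icao, cell_of(lat, lon, cell_deg))
        worst[key] = min(nic, worst.get(key, nic))

    summary = defaultdict(lambda: [0, 0])
    for (_icao, cell), nic in worst.items():
        summary[cell][0] += 1
        if nic < good_nic_min:
            summary[cell][1] += 1
    return {cell: (n, bad) for cell, (n, bad) in summary.items()}


def suspect_cells(reports, min_aircraft=3, bad_fraction=0.5, **kwargs):
    """Cells with enough aircraft where at least bad_fraction reported degraded NIC.

    Cells below min_aircraft are left out rather than flagged: a single aircraft
    with a faulty receiver says little about the airspace around it.
    """
    flagged = {}
    for cell, (n, bad) in summarize_cells(reports, **kwargs).items():
        if n >= min_aircraft and bad / n >= bad_fraction:
            flagged[cell] = round(bad / n, 2)
    return flagged


if __name__ == "__main__":
    for cell, (n, bad) in sorted(summarize_cells(SAMPLE_REPORTS).items()):
        print(f"cell {cell}: {n} aircraft, {bad} degraded")
    print("suspect cells:", suspect_cells(SAMPLE_REPORTS))
```

With the constructed data, only the cell with four aircraft and three degraded fixes is flagged; the healthy cell and the two-aircraft cell are not. Real data would come from an ADS-B feed (for example a local dump1090 or a community aggregator), and the grid and thresholds would need tuning to the density of traffic being observed.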
Over on his YouTube channel, Rob VK8FOES has started a new video series about Iridium Satellite Decoding. Iridium is a constellation of low-earth orbiting satellites that provide voice and data services. Iridium was first decoded with low cost hardware by security researchers back in 2016, as mentioned in this previous post. Being unencrypted, it is possible to intercept private text and voice communications.
Rob's video is part of a series, and so far only part one has been uploaded. The first video outlines the hardware and software requirements for Iridium decoding and demonstrates the gr-iridium software. An Airspy and RTL-SDR Blog Patch Antenna are used for the hardware, and the software runs on DragonOS.
Rob writes that in part two he will demonstrate the use of iridium-toolkit, which can be used to extract data and recordings from the Iridium data provided from gr-iridium.
Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.
Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.
In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.
I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.
Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.
In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.
Over several years Aaron (@cemaxecuter) has been working on DragonOS, a popular Linux distribution that comes preinstalled with many different programs for software defined radios. A Linux distribution like this takes the hassle out of having to figure out how to compile and install various SDR programs, some of which can be quite tricky to get running.
Recently Aaron has also been working on WarDragon, which is a set of components that he's carefully tested and put together as a ready-to-use portable SDR kit. At its core is an Airspy R2 software defined radio and x86 Mini PC that comes with DragonOS pre-installed. It also includes a USB hub and GPS dongle, as well as an HDMI dummy plug for enabling remote desktop. Everything is held together by a 3D printed frame, and enclosed in a plastic carry hard case, with the external Ethernet, USB-C, and power ports routed to the outside of the enclosure.
Aaron kindly sent us a WarDragon for an honest review. We note that we do not get to keep the WarDragon, and it will be forwarded to someone else after this review.
[Images: WarDragon Outer Enclosure; Inside WarDragon (Intel PC hidden underneath); WarDragon with an LCD screen connected]
Getting started with WarDragon is simple. Open the hard-shell case, connect an antenna to the Airspy, remove the dummy HDMI plug, connect a monitor to the HDMI port and a keyboard/mouse to a USB port, connect 12V power, and start the mini PC. A few seconds later DragonOS has booted, and you can run any of the programs pre-installed. And there are certainly a lot of programs available to play with as shown below.
List of software pre-installed in DragonOS
To get started with running it remotely we followed the instructions on the desktop to install OpenSSH, and ran the Rustdesk appimage stored in the 'post install' folder on the desktop. This allowed us to connect remotely to the unit via Rustdesk, a remote desktop interface. From there we were able to run software like SDR++, GQRX, and anything else that was preinstalled.
Aaron notes that every WarDragon will come with a free license for SDR4Space which is a command-line SDR tool for satellites. It can be used for scripting various operations, such as "recording IQ samples, predicting satellite passes and to start a record for a specific satellite and correct doppler at the same time".
The KrakenSDR software is also pre-installed on WarDragon, so the Airspy can easily be swapped out for a KrakenSDR too (or almost any other SDR as well). You can also add extra RTL-SDR units on the USB hub if desired.
Once you're done simply unplug everything and put the HDMI dummy plug back in. Close the enclosure up and you're ready to get on the move again.
One minor concern we have is that while the components are contained within the 3D printed frame, the frame itself is not held down inside the enclosure, so it can move a little during transport. Not a big deal if you are sensible about carrying it, but if you are expecting to throw the box around, something could eventually go wrong. Aaron also notes in the instructions that care should be taken not to leave WarDragon exposed to direct sunlight or in a parked car, to prevent the 3D printed insert from warping. This could probably be solved by printing in a material like ABS.
Performance
The mini-PC included with WarDragon runs a 12th Generation Intel Alder Lake - N95 that can turbo up to 3.4 GHz, has 8GB of RAM, and a 256GB SSD built-in. These specs are powerful enough that the system is very snappy, software opens quickly, and software runs smoothly, even at the max 10 MHz bandwidth the Airspy supports.
These x86 mini-PCs appear to be quite a bit more powerful than their similarly priced ARM counterparts, but they do draw more power. The mini-PC running SDR++ and Airspy at 10 MHz oscillates around 20-30W of power draw, whereas a Raspberry Pi 5 running SDR++ only draws 5W.
What We'd Like to See Improved
Because the carry case is fully sealed when closed, the mini PC inside cannot be run when the case is closed, as there would be no airflow for cooling. We'd like to see some thought put into adding an external fan, and indeed Aaron has noted that in future versions he will be adding this. However, adding a fan does come at the expense of water tightness but we don't imagine many people would be throwing this in a body of water. As long as rain resistance is kept it should be alright.
We'd also like to see the SMA port brought out to the side, so an external antenna can be connected with the enclosure closed.
We can also imagine that some users might like to see a more expensive version that comes with a small screen and keyboard/mouse as part of the combo too. Aaron does note, though, that the most common use case is operating via SSH or remote desktop from a field laptop.
Price Review / Value
The Wardragon consists of the following components:
Beelink Mini PC (N95 8G+256G) - US$159 on Amazon.
Airspy R2 - US$169 on iTead.
Condition 1 11" Carry Case - US$36.99 on condition1.com.
Other parts (cables, USB hub, USB GPS, HDMI dummy plug, outside connectors, 3D printed frame) - US$35 (estimated).
SDR4Space License - US$???
So that's a total of US$400 in parts (not including shipping costs) plus a bit of value from the SDR4Space license, which is usually obtained on an inquiry-only basis. WarDragon currently sells for US$580. So for the extra $180, you are paying for the time to preinstall DragonOS, drill the external mounting holes, 3D print the mount, the build time, testing time, and the ability to get support directly from Aaron himself. And we can't forget to mention the time Aaron puts into creating YouTube videos for WarDragon.
Obviously, if you are on a tight budget it would make sense to try and build your own system. But overall we think WarDragon is not a bad deal if your time is worth more and you just want a portable system to get up and running with DragonOS ASAP.
Back in early February we reported about how the Canadian government is making plans to completely ban the Flipper Zero, a popular pentesting tool. The wording from Dominic LeBlanc, Canada's Minister of Public Safety, also implies that software defined radio devices could be banned as well.
The reason for the ban is that the Canadian government claims Flipper Zero and 'consumer hacking devices' are commonly being used as tools for high tech vehicle theft. However, as mentioned in the previous post, this has been debunked.
The team behind Flipper Zero have recently started a petition on change.org to stop the ban. At the time of this post the petition has already reached over 8,000 signatures. The team have also penned a comprehensive "Response to the Canadian government" blog post, explaining why the ban makes no sense. In the post they debunk the myth of Flipper Zero being used for car theft, and show the real way high tech car theft is being done.