Category: Security

Talk: My journey into FM-RDS by Oona Räisänen

Back in November we posted about Oona's work on decoding radio-controlled bus stop display signs using her RTL-SDR. Oona has since given a talk at the Chaos Communication Congress about her work on decoding FM-RDS and the bus stop displays. The talk is now available on YouTube.

How I discovered mysterious hidden signals on a public radio channel and eventually found out their meaning through hardware hacking, reverse engineering and a little cryptanalysis.

A story about my experiences with FM-RDS (Radio Data System), a digital subcarrier embedded in FM broadcast transmissions, and also cryptanalysis of the weakly encrypted TMC traffic messages contained therein. I originally found out about the existence of such transmissions in a roundabout way, by using a spectrum analyzer program to examine intermodulation distortion in my radio's Line Out audio. As it turned out, the inaudibly quiet distortion, probably caused by the radio's stereo demuxer circuitry, contained all the information needed to decode all RDS data present in the transmission. I will demonstrate the journey I took and give a short introduction to how the data is actually encoded. Live acquisition of local RDS data, depending on signal conditions on the premises.

As a bonus, I’m introducing yet another little-known FM subcarrier called DARC, and my recent reverse engineering of the bus stop display radio protocol used in Helsinki.

Pytacle – A GSM Decoding/Decrypting Tool Now Supports RTL-SDR

Pytacle, a Linux tool for automating GSM sniffing, has been updated to alpha2 and now supports the RTL-SDR dongle.

According to the website, pytacle is

a tool inspired by tentacle. It automates the task of sniffing GSM frames off the air, extracting the key exchange, feeding kraken with the key material and finally decoding/decrypting the voice data. All you need is a USRP (or similar – [RTL-SDR]) to capture the GSM band and a kraken instance with the berlin tables (only about 2TB ;) )

True Random Numbers with RTL-Entropy

RTL-Entropy is a Linux-based entropy generator which uses the RTL-SDR as its entropy source. It works by using the RTL-SDR to sample atmospheric noise and then using that noise to produce random numbers.

This is useful because a computer on its own can only generate pseudo-random numbers, which may look random but are not truly random. For cryptography and security it is desirable to use true random numbers, since pseudo-random numbers can potentially be predicted. Combining this RTL-SDR-based entropy source with other entropy sources may help improve security.
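The conditioning step that sits between raw SDR samples and usable random bytes, as an added example (not RTL-Entropy's own code): raw 8-bit IQ samples carry a DC offset and signal structure, so only the low bits are kept, the bit stream is whitened with von Neumann debiasing, the result is checked with an entropy estimate, and finally it is hashed together with a second source as the post suggests. The IQ samples are constructed with a seeded PRNG standing in for an rtl_sdr capture, so the script runs offline.

```python
"""Condition raw RTL-SDR-style 8-bit IQ samples into random bytes.
Added example; the samples are CONSTRUCTED (seeded PRNG, not a real capture)."""
import hashlib
import math
import os
import random
from collections import Counter


def constructed_iq_samples(n=20000, seed=7):
    # Stand-in for rtl_sdr output: unsigned 8-bit I/Q values with a deliberate
    # DC offset (mean 135, not 127) so the raw bytes are visibly biased.
    rng = random.Random(seed)
    return bytes(min(255, max(0, int(rng.gauss(135, 6)))) for _ in range(n))


def lsb_stream(samples, bits=2):
    # The upper bits follow the signal envelope and DC offset; only the lowest
    # bits of each sample are dominated by noise, so just those are kept.
    for s in samples:
        for b in range(bits):
            yield (s >> b) & 1


def von_neumann_debias(bitstream):
    # Whitening: look at bit pairs, emit 0 for (0,1), 1 for (1,0),
    # and discard (0,0) and (1,1). Removes a constant bias in the source.
    out = []
    it = iter(bitstream)
    for a, b in zip(it, it):
        if a != b:
            out.append(a)
    return out


def bits_to_bytes(bits):
    n = len(bits) // 8
    return bytes(int("".join(map(str, bits[i * 8:i * 8 + 8])), 2) for i in range(n))


def shannon_entropy_per_byte(data):
    # Empirical entropy estimate in bits per byte; 8.0 is ideal for uniform bytes.
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def condition(raw_bytes, other_source=None):
    # Mix with a second entropy source (os.urandom by default) through SHA-256;
    # the hash also hides any residual structure left after debiasing.
    other = other_source if other_source is not None else os.urandom(32)
    return hashlib.sha256(raw_bytes + other).digest()
```

Compare `shannon_entropy_per_byte(constructed_iq_samples())` against the same estimate on `bits_to_bytes(von_neumann_debias(lsb_stream(constructed_iq_samples())))` to see how much the raw capture needs the whitening step.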

Receiving, Decoding and Decrypting GSM with the RTL-SDR : YouTube Talk and Slides

A few days ago we posted about how Domi, aka Domonkos Tomcsányi, wrote on his blog about decoding and decrypting GSM signals from your own cell phone. Domi also gave a talk at the CampZer0 conference, which has now been uploaded to YouTube. His slides can be obtained from this link.

CampZer0 // Domonkos Tomcsányi: GSM - have we overslept the last wake-up call?

Receiving, Decoding and Decrypting GSM Signals with the RTL-SDR

A while back we did a small write-up on receiving and analyzing cellular GSM signals with the RTL-SDR. Now blogger Domi has taken it further with an excellent, detailed write-up on his blog showing how to receive, decode and also decrypt your own cell phone's GSM signals with the RTL-SDR.

Domi's write-up is split into four posts. It starts with an introduction to GSM, then covers setting up the environment and required software, then uncovering the TMSI (step to be released later), and finally shows how to actually receive and decrypt your cell phone data such as voice and SMS messages.

GSM Decoding with Airprobe and Wireshark and RTL-SDR
GSM Decoding with Wireshark

Exploring Unintended Radio Emissions with the RTL-SDR – Talk now available on YouTube

A few weeks back we posted about some slides from the Defcon conference by information security researcher Melissa Elliott, which detailed how she used an RTL-SDR to explore the world of unintended radio emissions.

The talk to go with the slides is now available on YouTube.

DEF CON 21 - Melissa Elliott - Noise Floor Exploring Unintentional Radio Emissions

Potential Major Security Flaw on HP Laptop Discovered with RTL-SDR

Over on Reddit, user cronek discovered by using his RTL-SDR that his HP EliteBook 8460p laptop was continuously and unintentionally transmitting audio from its built-in microphone at 24 MHz in FM modulation. He found that the only requirement for the transmission to occur was that the laptop be turned on; even muting the microphone did nothing to stop it.

I accidentally stumbled upon a signal in the 24MHz range, appearing to be 4 carriers. I tuned to it and heard silence, then someone came into my office and started talking and I could hear them speak. The signal appeared to be coming from my other laptop (not the one running the SDR) and was pretty weak (my antenna, the crappy one that comes with the dongle, stuck to a metal stapler was right next to the HP laptop).

This is of potential concern as the US Military is apparently transitioning to this particular laptop. However, this may be an isolated incident, as in the thread cronek explains that other laptops he tested did not display this behavior.

HP Laptop Microphone Leak at 24 MHz