Category: Security

A Review of WarDragon: A Portable SDR Kit

Over several years Aaron (@cemaxecuter) has been working on DragonOS, a popular Linux distribution that comes preinstalled with many different programs for software defined radios. A Linux distribution like this takes the hassle out of having to figure out how to compile and install various SDR programs, some of which can be quite tricky to get running. 

Recently Aaron has also been working on WarDragon, which is a set of components that he's carefully tested and put together as a ready-to-use portable SDR kit. At its core is an Airspy R2 software defined radio and x86 Mini PC that comes with DragonOS pre-installed. It also includes a USB hub and GPS dongle, as well as an HDMI dummy plug for enabling remote desktop. Everything is held together by a 3D printed frame, and enclosed in a plastic carry hard case, with the external Ethernet, USB-C, and power ports routed to the outside of the enclosure.

Aaron kindly sent us a WarDragon for an honest review. We note that we do not get to keep the WarDragon, and it will be forwarded to someone else after this review.

WarDragon Outer Enclosure
Inside WarDragon (Intel PC hidden underneath)
WarDragon with an LCD screen connected

Getting started with WarDragon is simple. Open the hard-shell case, connect an antenna to the Airspy, remove the dummy HDMI plug, connect a monitor to the HDMI port and a keyboard/mouse to a USB port, connect 12V power, and start the mini PC. A few seconds later DragonOS has booted, and you can run any of the programs pre-installed. And there are certainly a lot of programs available to play with as shown below.

List of software pre-installed in DragonOS

To get started with running it remotely we followed the instructions on the desktop to install OpenSSH, and ran the Rustdesk appimage stored in the 'post install' folder on the desktop. This allowed us to connect remotely to the unit via Rustdesk, a remote desktop interface. From there we were able to run software like SDR++, GQRX, and anything else that was preinstalled.

Aaron notes that every WarDragon will come with a free license for SDR4Space which is a command-line SDR tool for satellites. It can be used for scripting various operations, such as "recording IQ samples, predicting satellite passes and to start a record for a specific satellite and correct doppler at the same time".

The KrakenSDR software is also pre-installed on WarDragon, so the Airspy can easily be swapped out for a KrakenSDR too (or almost any other SDR as well). You can also add extra RTL-SDR units on the USB hub if desired.

Once you're done simply unplug everything and put the HDMI dummy plug back in. Close the enclosure up and you're ready to get on the move again.

One minor concern we have is that while the components are contained within the 3D printed frame, the frame itself is not held down inside the enclosure, so it can move a little during transport. Not a big deal if you are sensible about carrying it, but if you are expecting to throw the box around, something could eventually go wrong. Aaron also notes in the instructions that care should be taken to not leave WarDragon exposed to direct sunlight or in a parked car, to prevent the 3D printed insert from warping. This could probably be solved by printing in a material like ABS.

Performance

The mini-PC included with WarDragon runs a 12th Generation Intel Alder Lake - N95 that can turbo up to 3.4 GHz, has 8GB of RAM, and a 256GB SSD built-in. These specs are powerful enough that the system is very snappy, software opens quickly, and software runs smoothly, even at the max 10 MHz bandwidth the Airspy supports.

These x86 mini-PCs appear to be quite a bit more powerful than their similarly priced ARM counterparts, but they do draw more power. The mini-PC running SDR++ and Airspy at 10 MHz oscillates around 20-30W of power draw, whereas a Raspberry Pi 5 running SDR++ only draws 5W.

What We'd Like to See Improved

Because the carry case is fully sealed when closed, the mini PC inside cannot be run with the case closed, as there would be no airflow for cooling. We'd like to see some thought put into adding an external fan, and indeed Aaron has noted that in future versions he will be adding this. Adding a fan does come at the expense of water tightness, but we don't imagine many people would be throwing this into a body of water. As long as rain resistance is kept it should be alright.

We'd also like to see the SMA port brought out to the side, so an external antenna can be connected with the enclosure closed.

We can also imagine that some users might like to see a more expensive version that comes with a small screen and keyboard/mouse as part of the combo too. Aaron does note, though, that the most common use case is operating via SSH or remote desktop from a field laptop.

Price Review / Value

WarDragon consists of the following components:

  • Beelink Mini PC (N95 8G+256G) - US$159 on Amazon.
  • Airspy R2 - US$169 on iTead.
  • Condition 1 11" Carry Case - US$36.99 on condition1.com
  • Other parts (cables, USB hub, USB GPS, HDMI dummy plug, outside connectors, 3D printed frame) - US$35 (estimated)
  • SDR4Space License - US$???

So that's a total of US$400 in parts (not including shipping costs) plus a bit of value from the SDR4Space license, which is usually obtained on an inquiry-only basis. WarDragon currently sells for US$580. So for the extra $180, you are paying for the time to preinstall DragonOS, drill the external mounting holes and 3D print the mount, the build time, the testing time, and the ability to get support directly from Aaron himself. And we can't forget to mention the time Aaron puts into creating YouTube videos for WarDragon.

Obviously, if you are on a tight budget it would make sense to try and build your own system. But overall we think WarDragon is not a bad deal if your time is worth more and you just want a portable system to get up and running with DragonOS ASAP.

Flipper Zero Starts a Petition To Fight Canada Ban

Back in early February we reported on how the Canadian government is making plans to completely ban the Flipper Zero, a popular pentesting tool. The wording from Dominic LeBlanc, Canada's Minister of Public Safety, also implies that software defined radio devices could be banned.

The reason given for the ban is that the Canadian government claims Flipper Zero and 'consumer hacking devices' are commonly being used as tools for high tech vehicle theft. However, as mentioned in the previous post, this has been debunked.

The team behind Flipper Zero have recently started a petition on change.org to stop the ban. At the time of this post the petition has already reached over 8,000 signatures. The team have also penned a comprehensive "Response to the Canadian government" blog post, explaining why the ban makes no sense. In the post they debunk the myth of Flipper Zero being used for car theft, and show the real way high tech car theft is being done.

SigintOS Version 2.0 Community Edition Released

SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as the RTL-SDR and TX capable SDRs like the HackRF, bladeRF and USRP radios.

The OS has a built in launcher UI that helps to automatically launch and set up parameters for various programs and GNU Radio scripts that are commonly used. Examples include an FM transmitter, GPS transmitter, GSM base station searcher, IMSI catcher, LTE base station searcher, LTE decoder and a jammer.

Recently the team behind SigintOS have released version 2.0 Community Edition. The team write on their release page:

About Community Edition

SigintOS 2.0 Community Edition was developed to provide a much better experience to its users. With a new interface, more stable and powerful infrastructure and development environment, it allows users to develop new tools in addition to existing tools.

Developing Signal Intelligence tools is now much easier with SigintOS™

It is now much easier to develop your own tools with SigintOS™, which contains the world’s most famous and free signal processing and communication software. You can develop them effortlessly with tools such as QT and KDevelop.

Say hello to the 5G World!

SigintOS™ offers you all the possibilities of the 5G world, free of charge and effortlessly!

What's New?

  • A completely new look.
  • A more stable and robust infrastructure.
  • Latest drivers and software.
  • User-friendly interface that prioritizes habits.

SOFTWARE LIST

Most used software and features

  • Open5GS
  • srsRAN 4G
  • YateBTS
  • Gqrx
  • GnuRadio 3.8
  • SigDigger
  • SDRAngel
  • ADSB Viewer
  • Dump1090
  • OpenCPN
  • GPredict
  • BladeRF
  • HackRF
  • Rtl-SDR
  • USRP – UHD Drivers
  • Kalibrate RTL & HackRF
  • All Gr Modules
  • SigintOS SDR Hardware Monitor Widget
  • QTCreator
  • KDevelop
  • Mysql
  • MongoDB
  • Apache Web Server
  • Php
  • And more …

Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios

Dominic LeBlanc, Canada's Minister of Public Safety, has recently declared that they plan to ban devices "used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero". The text specifically calls out the Flipper Zero; however, the wording appears to imply that any device that can copy a signal will be banned. This means the ban could extend to RX/TX SDRs like the HackRF and possibly even RX-only SDRs like RTL-SDRs.

The Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology; instead it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. There are many CC1101 devices on the market, but the Flipper Zero has gained huge popularity on social media because of its excellent software support, as well as its cute marketing tactic. In the past it was even featured on the popular Linus Tech Tips YouTube channel.

Flipper Zero has had a long line of setbacks, including PayPal freezing 1.3M of its cash, US customs temporarily seizing its shipments and then passing a $70,000 bill on to them for storage fees, and Amazon banning the product on its marketplace.

In our opinion the ban appears to be misguided. The Flipper Zero is a basic device that can only perform a simple replay attack, which is to record a signal and replay it at a later time. These sorts of attacks do not work on vehicles built after the 1990s, which now use rolling codes or more sophisticated security measures. To defeat rolling code security, a more sophisticated attack called Rolljam can be used. A Rolljam device can be built for $30 out of an Arduino and two cheap transceiver modules.
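To illustrate why a plain record-and-replay fails once a receiver uses rolling codes, here is an added example (not from the article, and not any real keyfob or vehicle scheme): the HMAC-based code derivation, the shared key and the 16-code look-ahead window are constructed simplifications of the general rolling-code idea.

```python
import hashlib
import hmac

# Constructed shared secret that the fob and the receiver were both programmed with.
KEY = b"constructed-demo-key"


def make_code(counter: int) -> str:
    """Fob side: derive a one-time unlock code from the shared key and a counter."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:8]


class FixedCodeReceiver:
    """Pre-rolling-code style receiver: the same code always unlocks, so a recording replays."""

    def __init__(self, code: str) -> None:
        self.code = code

    def receive(self, code: str) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeReceiver:
    """Rolling-code style receiver: only accepts counters ahead of the last accepted one,
    within a small look-ahead window (so button presses out of range still resync)."""

    def __init__(self, window: int = 16) -> None:
        self.last = 0
        self.window = window

    def receive(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code, make_code(c)):
                self.last = c  # advance: this and every earlier counter is now dead
                return True
        return False


def replay_demo() -> tuple:
    """Record one legitimate transmission and replay it against both receiver types.
    Returns (fixed first, fixed replay, rolling first, rolling replay)."""
    fixed = FixedCodeReceiver(make_code(0))
    recorded = make_code(0)
    fixed_first, fixed_replay = fixed.receive(recorded), fixed.receive(recorded)

    rolling = RollingCodeReceiver()
    recorded = make_code(1)  # fob's first press after pairing
    rolling_first, rolling_replay = rolling.receive(recorded), rolling.receive(recorded)
    return fixed_first, fixed_replay, rolling_first, rolling_replay


def resync_demo() -> tuple:
    """Presses out of range (counters 2 and 3 skipped) still work, but a stale code does not.
    Returns (accepted counter 4 after 1, accepted stale counter 2 afterwards)."""
    rolling = RollingCodeReceiver()
    rolling.receive(make_code(1))
    ahead = rolling.receive(make_code(4))  # within window, accepted
    stale = rolling.receive(make_code(2))  # behind last accepted counter, rejected
    return ahead, stale
```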

However, according to Ars Technica the biggest cause for concern in terms of car theft is a different sort of attack called "signal amplification relay".

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

This sort of attack is a lot less sophisticated in many ways, as all you are doing is amplifying a signal, and no clever hardware like the Flipper Zero or a software defined radio is even required. The X video below demonstrates such a hack, where a criminal holds up a loop antenna to a house. The loop antenna is connected to a signal amplifier which amplifies the keyfob signal, tricking the car into thinking the keyfob is nearby, allowing the door to be unlocked by touching the handle and the car to be started with the push-to-start button.

Flipper Zero note that they have not been consulted about the ban, and replied on X stating that they are not aware of the Flipper Zero being used for car theft.

Tech Minds: Video on DJI Drone Detection on the AntSDR E200

Just recently we posted about the release of some firmware for the AntSDR E200 which allows it to decode DJI DroneID. DroneID is a protocol designed to transmit the position of the drone and operator to authorized entities such as law enforcement and operators of critical infrastructure.

In his latest video Matt from the Tech Minds YouTube channel shows this firmware in action. In the video he first shows how to install the firmware and how to connect to its serial output. He goes on to test it with his DJI Mini 4 Pro and shows some live DroneID frames being decoded.

DJI Drone Hacking Using Software Defined Radio ANTSDR E200

DJI DroneID Detection Running on the AntSDR E200 CPU

DJI is a major manufacturer of consumer drones, and their drones implement an RF protocol called DroneID which is designed to transmit the position of the drone and operator to authorized entities such as law enforcement and operators of critical infrastructure.

Recently the AntSDR team have managed to get DJI DroneID decoding working on the AntSDR's onboard ARM processor. The decoding software runs on board the AntSDR E200 and outputs decoded data via the serial or network port. The AntSDR E200 is an SDR that is based on the AD9361 chip and has a 70 MHz to 6 GHz tuning range, 56 MHz of bandwidth and 12-bit ADC. It has 2x2 full duplex TX/RX channels and has an onboard FPGA with ARM CPU core.

They make use of existing code on GitHub from https://github.com/proto17/dji_droneid and https://github.com/RUB-SysSec/DroneSecurity, both of which implement reverse engineered decoders for DroneID.

The update from AntSDR shows how to install the firmware onto the device and get it up and running. They note that drones that use OcuSync 2 or 3, like the Mini 2 or Mini 3 Pro, work best, because other models may be encrypted or use a slightly different protocol which doesn't work with these decoders.

Aaron, creator of DragonOS, has also uploaded a video showing the decoder in action.

DragonOS FocalX Decoding DJI DroneID w/ AntSDR E200 (MicroPhase)

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in Europe and many other countries outside the USA. A major advantage of a digital communications protocol like TETRA is its ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands disclosed a collection of five vulnerabilities collectively called "TETRA:BURST", most of which apply to almost every TETRA network in the world. The two most critical vulnerabilities allow TETRA to be easily decrypted or attacked with consumer hardware.

The first critical vulnerability, designated CVE-2022-24401, is described as a decryption oracle attack:

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability, CVE-2022-24402, concerns a backdoor built into TEA1-encrypted TETRA, which allows for very easy brute-force decryption:

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back their findings for over 1.5 years, notifying as many affected parties as possible and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many police radios in his country had authentication turned off when it should have been on.

TETRA Decoding (with telive on Linux)

Video showing Flipper Zero Smoking a Smart Meter may be Fake

A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.

The video has rightly gone viral, as this could have serious implications for the security of the residential electricity infrastructure in America. However, there has been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.

In Peter's video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", so it appears he is talking about the Flipper Zero directly controlling a smart meter's service disconnect feature wirelessly via some sort of RF interface.

However, Hash is an expert in hacking smart meters, having done many experiments and videos on his channel about the topic. He raises doubts about this video, with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may be connected to a custom wireless relay system created by Peter which is not shown in the video.

Secondly, Hash was able to track down Peter's address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which covers Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.

So while the meter breaking and smoking may be real, other Ameren meters should be safe, as the only reason this one could be controlled wirelessly and insecurely was that it was connected to a custom wireless relay system.

It's not clear if Peter set out to purposely mislead to gain notoriety, or if it's simply an experiment that he did not explain very well. Peter's YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos, so it's possible that it's just a case of Peter not explaining the full experiment correctly.

(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)

Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023