Category: Security

Samy Kamkar Talks Hardware Security on Hackster Café

Samy Kamkar is well known in the wireless and hardware information security scene for his research on various security exploits, including methods to defeat rolling-code security and using a children's toy to open wireless garage doors. In a recent Hackster.io Hackster Café interview Samy talks about various security-related topics, including software defined radios.

Samy Kamkar first became notorious for software and hardware security exploits – including SkyJack, a custom drone that could take control of other UAVs, and OpenSesame, a hacked child's toy that can open remote-controlled garage doors. He now brings this deep experience to Openpath, the touchless access control company he co-founded in 2016. From security celebrity to founder, we sit down for a chat with Samy on this episode of Hackster Café (new episodes every Tuesday at 10am Pacific).

Samy Kamkar on Hardware Security // Hackster Café

A Warning to Ukraine Based RTL-SDR Hobbyists

While we usually don't encourage politics on this blog, with the possibility of a Ukraine invasion by Russia we just wanted to issue a general warning to Ukrainian SDR owners. Last year we saw Stanislav Stetsenko, a resident of Crimea, arrested by the Russian Federal Security Service under suspicion of being a Ukrainian informant. The evidence against him was that he was an aviation and plane-spotting hobbyist who used RTL-SDRs for listening in to aircraft communications, something many of us do safely.

Back in June 2021 Stanislav was facing 25 years in prison. We still don't know what has happened to him. If anyone local has heard any updates please let us know. (UPDATE: US1GBF in the comments below knew Stanislav personally and has provided an update: Stanislav was reportedly transferred from Crimea to a Moscow prison. The Ukrainian authorities are working on the exchange of Stanislav. However, the exchange has already been postponed many times because of the refusal of the Russians to engage in diplomacy. Work continues.)

From our website and sales statistics we know that there is a sizable RTL-SDR community in the Ukraine. We don't know what will happen if there is an invasion, but it's possible that, like in Crimea, Russian security forces will see SDR hobbyist activities as a threat, so we urge Ukrainian residents to have a plan to take down any web feeds and antennas should it come to the worst.

EDIT: This post has stirred up quite the discussion. As long as comments remain civil, they will remain open. This post is not intended to take sides. Whilst many Ukrainians in the amateur radio community already know to keep their activities safe during conflicts, we are aware of many young Ukrainian STEM students and hobbyists who may be somewhat insulated from, or not care about, geopolitical events, who read our blog and copy activities that are safe to perform in most countries but may not be safe in the Ukraine during times of conflict.

Crimean resident arrested for RTL-SDR use in June 2021

Reverse Engineering a 30 Year Old Wireless Garage Door Opener with a HackRF and GNU Radio

At his childhood home Maxwell Dulin discovered that his garage door was controlled by a 30-year-old system called the "Sears Craftsman 139.53708 Garage Door Remote". Being interested in SDRs, Maxwell decided to see if he could reverse engineer the remote using his HackRF.

His first step was to search for the frequency, which he found active at 390 MHz. He then moved on to analyzing the signal with Inspectrum, discovering the OOK modulation, and worked his way towards the binary control strings. One thing that helped with his reverse engineering was the remote's 9-bit DIP switches, which configure the security code that opens a specific door: changing them let him control the transmitted bits and determine which bits carried the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.

Finally, Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. Through some calculations he determined that brute forcing every possible security code in the 9-bit search space would take only 104 minutes to open any garage using this opener.

GNU Radio replaces a 30 year old garage door remote
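The decoding steps described above (threshold the amplitude envelope, recover the symbol timing, read out the bits, then flip one DIP switch and diff two captures to locate the code bits) can be followed in a few dozen lines. The example below is added here and is not Maxwell's code. Because the page does not give the Craftsman remote's actual framing, the pulse-width scheme (short-high/long-low = 0, long-high/short-low = 1) and the 3-bit header plus 9 code bits are assumptions, and the envelopes are synthesised rather than captured:

```python
"""OOK / pulse-width frame decoding and DIP-switch bit location.

Added example, not Maxwell Dulin's code. The page does not give the Craftsman
remote's framing, so the following are assumptions made for illustration:
  * each bit is a high pulse followed by a low gap; short-high/long-low = 0,
    long-high/short-low = 1 (a common fixed-code remote scheme);
  * a frame is a 3-bit fixed header followed by the 9 DIP-switch bits.
The amplitude envelopes are synthesised here, standing in for an Inspectrum capture.
"""
from typing import List, Tuple

UNIT_SAMPLES = 4   # samples per base pulse width (constructed)
HEADER = "101"     # fixed header bits (assumed)


def build_frame(dip_switches: str) -> str:
    """Header + the 9 DIP-switch positions ('0' = off, '1' = on)."""
    if len(dip_switches) != 9 or set(dip_switches) - {"0", "1"}:
        raise ValueError("expected 9 DIP-switch bits")
    return HEADER + dip_switches


def synth_envelope(bits: str, unit: int = UNIT_SAMPLES) -> List[float]:
    """Constructed OOK amplitude envelope for *bits*: carrier on = ~0.9, off = ~0.05."""
    env: List[float] = [0.0] * (4 * unit)                     # leading silence
    for b in bits:
        high, low = (1, 3) if b == "0" else (3, 1)
        env += [0.9] * (high * unit) + [0.05] * (low * unit)
    return env + [0.0] * (8 * unit)                           # inter-frame gap


def run_lengths(env: List[float], threshold: float = 0.5) -> List[Tuple[int, int]]:
    """Slice the envelope at *threshold* and collapse it into (level, length) runs."""
    runs: List[Tuple[int, int]] = []
    for sample in env:
        level = 1 if sample >= threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    return runs


def decode_pwm(env: List[float], threshold: float = 0.5) -> str:
    """Recover bits from an OOK envelope.

    The shortest run between the first and last carrier-on pulse is taken as the
    base unit, so the decoder needs no prior knowledge of the symbol rate; a high
    pulse well above one unit is a 1, otherwise a 0. Leading silence and the
    inter-frame gap are ignored.
    """
    runs = run_lengths(env, threshold)
    on_idx = [i for i, (level, _) in enumerate(runs) if level == 1]
    if not on_idx:
        return ""
    body = runs[on_idx[0]:on_idx[-1] + 1]
    unit = min(length for _, length in body)
    return "".join("1" if length > 1.5 * unit else "0"
                   for level, length in body if level == 1)


def code_bit_positions(frame_a: str, frame_b: str) -> List[int]:
    """Indices where two decoded frames differ: flip one DIP switch, capture again,
    and the positions that change are the security-code bits."""
    return [i for i, (a, b) in enumerate(zip(frame_a, frame_b)) if a != b]


def demo() -> Tuple[str, List[int]]:
    """Decode a frame, then flip the ninth DIP switch and find which bit moved."""
    base, flipped = "110010110", "110010111"
    decoded = decode_pwm(synth_envelope(build_frame(base)))
    moved = code_bit_positions(decoded, decode_pwm(synth_envelope(build_frame(flipped))))
    return decoded, moved


if __name__ == "__main__":
    bits, moved = demo()
    print(f"decoded frame: {bits}  (header {bits[:3]}, code {bits[3:]})")
    print(f"bit positions changed by flipping DIP switch 9: {moved}")
```

Deriving the unit length from the shortest run in the frame is what lets the same decoder work on a real capture whose symbol rate is unknown; with a header that mixes ones and zeros, the shortest run is always one unit. A 9-bit fixed code gives 512 possible frames in total, which is the whole reason the brute-force calculation above comes out in minutes rather than years; rolling-code remotes remove this weakness.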

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021, and videos of the presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering the electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

We've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in-depth reverse engineering project, so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Snooping Network Traffic from LAN Cables with an RTL-SDR or HackRF

Mordechai Guri is a cyber-security researcher at Israel's Ben Gurion University of the Negev. Recently Guri described a method for sniffing network data from LAN Ethernet cables over an air gap through the use of RTL-SDR or HackRF software defined radios. Guri's paper is available directly here.

The idea behind the attack is that Ethernet cables can act as an antenna, leaking signals at frequencies which can easily be sniffed by an SDR. The specific technique in the paper does not decode normal network traffic; instead it requires that malicious code which modulates a custom signal onto the Ethernet cable be installed on the PC first. The technique appears to be similar to what the Etherify software by SQ5BPF uses, which modulates data in Morse code by turning the network card on and off.

Receiving a signal modulated by the LanTenna malware
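Because the covert channel described above needs code running on the victim PC that keys the network interface on and off, the host side leaves a trail a defender can look for: a burst of link up/down messages in the kernel log. The following is an added example, not code from Guri's paper or from Etherify, that parses constructed syslog-style kernel lines and flags an interface whose link state changes more than a few times inside a sliding window. The message format is driver-specific, so the regular expression below is an assumption that would need adjusting for a given NIC driver:

```python
"""Link-flap detector for kernel logs.

Added example (not from Guri's paper or Etherify). Covert channels that toggle
the network card on and off leave a dense run of "Link is Up/Down" kernel
messages; an interface that flaps many times in a short window stands out from
a one-off cable re-seat. The log lines are constructed and the message format
(which varies by driver) is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Syslog-style kernel line carrying a link-state change (assumed format).
LINK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?(?P<iface>[a-z]+\d+): NIC Link is (?P<state>Up|Down)"
)

SAMPLE_LOG: List[str] = [  # constructed
    # eth0: ten transitions in under 30 s, the shape on/off keying leaves behind
    *[
        f"Feb 12 10:00:{3 * i:02d} host kernel: e1000e eth0: NIC Link is {'Down' if i % 2 == 0 else 'Up'}"
        for i in range(10)
    ],
    # eth1: a single cable re-seat, normal behaviour
    "Feb 12 10:05:00 host kernel: e1000e eth1: NIC Link is Down",
    "Feb 12 10:05:05 host kernel: e1000e eth1: NIC Link is Up 1000 Mbps Full Duplex",
    "Feb 12 10:05:06 host kernel: usb 1-1: new high-speed USB device",  # unrelated noise
]


def parse_link_events(lines: List[str], year: int = 2022) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, interface, state) from matching lines; syslog omits the year."""
    events: List[Tuple[datetime, str, str]] = []
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["state"]))
    return events


def flapping_interfaces(events: List[Tuple[datetime, str, str]],
                        window_s: int = 60, max_transitions: int = 4) -> Dict[str, int]:
    """Sliding-window count of link transitions per interface.

    Returns {interface: peak transitions seen within any window_s span} for every
    interface whose peak exceeds max_transitions. A cable re-seat produces 2 events;
    keyed toggling produces many.
    """
    per_iface: Dict[str, List[datetime]] = defaultdict(list)
    for ts, iface, _state in events:
        per_iface[iface].append(ts)
    flagged: Dict[str, int] = {}
    for iface, times in per_iface.items():
        window: Deque[datetime] = deque()
        peak = 0
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_transitions:
            flagged[iface] = peak
    return flagged


def detect(lines: List[str] = SAMPLE_LOG) -> Dict[str, int]:
    """Run the parser and the window check over a batch of log lines."""
    return flapping_interfaces(parse_link_events(lines))


if __name__ == "__main__":
    for iface, count in detect().items():
        print(f"{iface}: {count} link transitions inside 60 s")
```

The thresholds are deliberately conservative; a busy office switch port or a flaky cable will also trip them, so the output is a lead for a host investigation rather than a verdict. Pairing this with an SDR sweep of the area at the frequencies the paper reports would confirm whether anything is actually radiating.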

SDR Videos from DEFCON 29

Recently some videos from this year's (mostly virtual) DEFCON 29 conference have been uploaded to YouTube. DEFCON is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. Some interesting talks that we've found from the main DEFCON stage and the Villages are posted below.

You can view all the talks directly, as well as many others, via the main stage DEFCON YouTube channel, the ICS Village channel, the RF Village channel and the Aerospace Village. There are also several talks from the Ham Radio Village recorded on Twitch. Did we miss any interesting talks? Please let us know in the comments.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

Why Smart Meters? This is a question Hash is often asked. There's no bitcoin or credit card numbers hiding inside, so he must want to steal power, right? Openly analyzing the technology running our critical infrastructure and publishing the findings is something Hash is passionate about. In the wake of the great Texas freeze of 2021, we can no longer "hope" those in power will make decisions that are in the people's best interest. This talk will present research on the Landis+Gyr GridStream series of smart meters used by Oncor, the largest energy provider in Texas.

Cyber attacks on Industrial Control Systems (ICS) differ in scope and impact based on a number of factors, including the adversary's intent, sophistication and capabilities, and familiarity with ICS and automated industrial processes. In order to understand, identify and address the specific points that can prevent or stop an attack, a systematic model known as the "Cyber Kill Chain" is detailed, a term that comes from the military environment and was registered by the Lockheed Martin company. While most are familiar with terms and theoretical diagrams of how security should be implemented, in this talk we want to present live how an attack chain occurs from scratch to compromise industrial devices, the full kill chain, based on our experiences. The goal is to land these threats in the real world without the need to carry out these attacks with a nation-state budget.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data).

In this talk I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed and the audio is decoded and played. The maximum bit rate achieved was 33 kbit/s and more than 99% of the packets were received.

Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packet transfers, but other types of digital data may be transmitted using the same technique.

[Slides Link] [Whitepaper]

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS

"Today's presentation will start with a brief history of DragonOS, where it started and where it's at today. After a short introduction, I'll dive into the subject of visualizing RF propagation with DragonOS. I'll be showing a fresh OS install and the necessary steps to generate a rough estimate of a transmitter based on SRTM-3 elevation data, as well as a new feature enabling visualization/calculations of the path between transmitter and receiver.

Topics and hands-on (pre-recorded) demonstrations will include the following:

  • SPLAT! is an RF Signal Propagation, Loss, And Terrain analysis tool for the electromagnetic spectrum between 20 MHz and 20 GHz.
  • Signal Server Multi-threaded RF coverage calculator
  • Dr. Bill Walker's role
  • Signal Server and DragonOS integration
  • DF-Aggregator Developer / Modifications for visualization

I’ll conclude talking about future improvements to RF propagation and visualization tools."

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS


BSides Talk: Hacking RF Breaking what we can’t see

Over on YouTube the BSides Halifax channel has uploaded a recent talk given by Security Engineer Grant Colgan titled "Hacking RF Breaking what we can't see". In the talk Grant first shows the various bits of wireless devices that he tests, as well as the receiver equipment that he uses which includes a HackRF and RTL-SDR dongles. He goes on to show various live demos.

An often overlooked aspect of security is what happens when information is moving magically from one device to another with no wires. We know this as (usually) Wi-Fi or Bluetooth, and any attacks are usually based on these technologies. However, when you widen the scope to RF wireless communication, a lot more tools become available. In this talk I will be talking about the attack and doing live demos.

The KiwiSDR Backdoor Situation

Since its announcement in early 2016 we've posted many times about the KiwiSDR, a 14-bit wideband RX-only HF software defined radio created by John Seamons (ZL/KF6VO). The KiwiSDR has up to 32 MHz of bandwidth, so it can receive the entire 10 kHz - 30 MHz VLF/LF/MW/HF spectrum all at once.

Compared to most other SDRs the KiwiSDR is a little different as it is designed to be used as a public web based SDR, meaning that KiwiSDR owners can optionally share their KiwiSDR online with anyone who wants to connect to it. The public functionality allows for some interesting distributed applications, such as TDoA direction finding, which allows users to pinpoint the location of unknown HF transmissions such as numbers stations.

In order to implement this online capability, the KiwiSDR runs custom open source software on a Beaglebone single board computer which connects to your home network. Recently there has been vocal concern about a security flaw in the software which could allow hackers to access the KiwiSDR. The flaw stems from the fact that the KiwiSDR has 'backdoor' remote admin access that allows the KiwiSDR creator to log in to the device and troubleshoot or make configuration changes if required. This backdoor has been public knowledge in the KiwiSDR forums since 2017, although it was not advertised, and owners were not asked for explicit consent to have it active and used.

The intent of the backdoor is of course not malicious; it was intended as an easy way for the creator to help customers with configuration problems. However, as KiwiSDR owner Mark Jessop notes, the KiwiSDR operates over HTTP only, sending the admin master password in the clear. And as KiwiSDR owner and security researcher @xssfox demonstrates, the admin page gives full root console access to the Beaglebone. These flaws could allow a malicious party to take over the Beaglebone, install any software and perhaps work their way onto other networked devices. Another tweet from xssfox implies that the password hashes are crackable, allowing the main admin password to be easily revealed.

Creator John Seamons has already released a patch to disable the admin access, and as of the time of this article 540 out of 600 public KiwiSDRs have already been auto-updated. Owners of KiwiSDR clones should seek out updates from the cloner.

It is clear that the KiwiSDR is a passion project from John who has dedicated much of his time and energy to consistently improving the technical RF engineering side of the device and software. However we live in an age where malicious hacking of devices is becoming more common, so anyone releasing products and software that network with the internet should be reminded that they have a responsibility to also dedicate time to ensuring security.

John has reached out to us in advance and noted that he currently cannot yet comment publicly on this topic due to legal advice.

The KiwiSDR