Category: Security

Receiving pH Readings from a Wireless Medical Implant with RTL-SDR

Over on Hackaday we've learned about an interesting investigation by James Wu who was recently implanted with a stomach pH (acidity) monitoring device called the "Medtronic Bravo Reflux Capsule". Whilst inspecting the patient demo capsule James noted that the device transmitted data wirelessly via a very small low power transmitter, in particular noticing a telltale "433" written on a component on the device, indicating that it uses the 433 MHz ISM band.

Back at home he pulled up the FCC filing for the device, which revealed that it is OOK-PWM modulated and operates at 433.92 MHz. The rest of the filing noted that the implant transmits a 59-bit data packet every 12 seconds, and contained a nice breakdown of the packet structure, making decoding straightforward.

With all the information about the device's wireless transmissions now known, James grabbed his RTL-SDR and fired up SDR# to confirm that the signal was indeed transmitting every 12 seconds at 433.92 MHz. Next he was able to decode the data from the device by inputting the protocol information learned from the FCC filing into an rtl_433 command line string.

After a bit of further work James discovered that the pH data was actually two readings in one data string. At this stage he finally had the pH reading, however it was represented as an 8-bit ADC reading with a value between 0 and 255. James plotted the relationship between the 8-bit raw ADC reading and the pH value shown on the official Medtronic receiver. With this he was able to determine a linear relationship between the ADC reading and the real pH reading, but notes that a more accurate calibration curve may be required for actual medical use.
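The OOK-PWM bit slicing, 59-bit framing and linear ADC-to-pH fit described above, as an added Python example that is not James's code or rtl_433's. The pulse widths, the bit offsets of the two readings inside the packet, and the calibration pairs are constructed placeholders, because the FCC filing's actual layout is not reproduced on this page.

```python
# Constructed timing assumptions (microseconds). The real pulse widths and bit
# layout come from the FCC filing, which this page does not reproduce.
SHORT_US, LONG_US, PACKET_BITS = 250, 500, 59
ADC_OFFSETS = (8, 16)  # placeholder positions of the two 8-bit readings

def slice_pwm(pulses_us):
    """OOK-PWM bit slicing: a pulse longer than the midpoint between the two
    nominal widths is a 1, otherwise a 0 (assumed polarity)."""
    threshold = (SHORT_US + LONG_US) / 2
    return [1 if p > threshold else 0 for p in pulses_us]

def frame_packets(bits, n=PACKET_BITS):
    """Cut the bit stream into fixed-length packets; a trailing partial packet is dropped."""
    return [bits[i:i + n] for i in range(0, len(bits) - n + 1, n)]

def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def extract_adc(packet):
    """Return the two raw 8-bit ADC readings (0..255) carried in one packet."""
    return tuple(bits_to_int(packet[o:o + 8]) for o in ADC_OFFSETS)

def fit_linear(pairs):
    """Least-squares line pH = slope*adc + intercept from (adc, pH) pairs.
    Also returns the largest residual, so a non-linear sensor shows up as a
    visible error instead of being silently trusted."""
    mx = sum(x for x, _ in pairs) / len(pairs)
    my = sum(y for _, y in pairs) / len(pairs)
    slope = sum((x - mx) * (y - my) for x, y in pairs) / sum((x - mx) ** 2 for x, _ in pairs)
    intercept = my - slope * mx
    worst = max(abs(y - (slope * x + intercept)) for x, y in pairs)
    return slope, intercept, worst

def decode(pulses_us, calibration):
    """Pulse widths -> packets -> one (pH, pH) tuple per packet via the fitted line."""
    slope, intercept, _ = calibration
    return [tuple(round(slope * a + intercept, 2) for a in extract_adc(p))
            for p in frame_packets(slice_pwm(pulses_us))]

# Constructed data: four (raw ADC, pH shown on the official receiver) pairs and
# one 59-bit packet (preamble, ADC=100, ADC=120, padding) as jittered pulse widths.
CAL_PAIRS = [(20, 2.0), (60, 4.0), (100, 6.0), (140, 8.0)]
SAMPLE_BITS = [1, 0, 1, 0, 1, 0, 1, 0] + [0, 1, 1, 0, 0, 1, 0, 0] + [0, 1, 1, 1, 1, 0, 0, 0] + [0] * 35
SAMPLE_PULSES = [(LONG_US if b else SHORT_US) + (15 if i % 2 else -15) for i, b in enumerate(SAMPLE_BITS)]

if __name__ == "__main__":
    cal = fit_linear(CAL_PAIRS)
    print("pH = %.3f * adc + %.3f (max residual %.3f)" % cal)
    print(decode(SAMPLE_PULSES, cal))  # [(6.0, 7.0)]
```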

Decoding pH readings from a stomach implant with an RTL-SDR

If you're interested in wireless medical devices, in the past we've seen how SDRs could be used to not only receive data coming from Minimed Insulin pumps, but to maliciously control them with a HackRF too. We've also seen that data could possibly be received from implanted heart defibrillators as well.

Crimean Resident Arrested under Accusation of Spying for Ukraine with RTL-SDR Dongles

Back in early 2014 Crimea was annexed from Ukraine by Russian forces. Recently we've heard news that a Crimean resident was arrested by the Russian Federal Security Service on suspicion of being a Ukrainian informant who was intending to transfer, or was transferring, military data abroad using RTL-SDRs.

A video of the arrest has been uploaded to YouTube, and RTL-SDR dongles together with a laptop running the Airspy SDR# software can clearly be seen in the photographs. The photos of the SDR# screen appear to show that he was monitoring the commercial aviation band with a scanner plugin.

The YouTube description is translated below:

Today it was reported about the arrest of a Crimean resident, either intending to transfer, or transferring military data abroad.

The FSB has published footage of the arrest. The time on the laptop caught on video during the search of the residence is 07:40, date 06/22/21. The laptop is turned on, the AIRSPY radio frequency scanning program is running, the laptop is covered in dust - only traces of pressing some keys are visible, and the touchpad was not used. There are many icons in the room, books on radio engineering, a Ukrainian flag, aircraft models, several "Tavria 1958" pennants, an ICOM IC-R6 radio, and maps.

On one count, the detainee transferred the information he received to Ukraine; on the other, he collected it and intended to transfer it.

The court sent the man to the pre-trial detention center for 2 months. If his guilt is proven, then high treason "shines" for him, and he will not see freedom for 25 years.

According to an article on RadioFreeEurope, the man was detained as he was "collecting data on the flights of Russian military planes for Ukrainian intelligence".

It is unclear if the man was knowingly providing intelligence services, or is simply an aviation hobbyist caught up in politics. If anyone has more information about his story, please let us know in the comments.

UPDATE 29 June 2021: More information on the story at this link.

The Ukrainian informant was a football fan. He supported «Таврия» (Tavria).

Crimean resident arrested for using RTL-SDRs to monitor the airband
Commercial Aviation Frequencies Monitored

This is a reminder to those in politically dangerous situations to take care when using SDRs. In the past we have seen a Slovenian researcher almost jailed for performing university research with an RTL-SDR, a UN expert arrested for possessing an RTL-SDR in Tunisia, and SDRs come under fire when Trump tweeted a now-debunked conspiracy theory claiming that an RTL-SDR was being used as a close range scanner by the Black Lives Matter protester who was shoved to the ground on video by Buffalo police.

Decoding and Logging GPS Coordinates From Wireless Smart Meters

Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. Recently his series continues with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.

Smart Meter Hacking - Decoding GPS Coordinates

Cloning A Garage Key with RTL-SDR, Universal Radio Hacker and an Arduino

Over on YouTube Adam Łoboda has uploaded a video showing the full steps that he's taken to reverse engineer and clone a wireless garage door key using an RTL-SDR and Arduino.

He starts by using the Universal Radio Hacker software to record a copy of the wireless signal generated by the garage key. Using the software he can then analyze the signal, and determine the preamble data, payload data and pulse width which he can then input into some Arduino code. The Arduino can then generate an identical signal, and transmit it via a cheap FS1000A 433 MHz RF module. Finally, at the end of the video Adam shows the cloned Arduino based garage key working as expected. 

hacking & clonning my garage key with URH ( Universal radio Hacker ) and ARDUINO DIGISPARK + FS1000A

Receiving Unintentionally Radiated Signals from the Computer System Bus with an RTL-SDR

Back in 2018 we first posted about "System Bus Radio", which is code and a web based app that allows you to transmit RF directly from your computer without any transmitting hardware. It works on the principle of manipulating the unintentional RF radiation produced by a computer's system bus, by issuing instructions that produce different AM tones. The idea is to demonstrate how unintentional radiation from computers could be a security risk.

Recently the creator of System Bus Radio has uploaded a guide on receiving the generated signals with an RTL-SDR. He recommends using an RTL-SDR with an upconverter, balun and an AM loop antenna. He then shows how he was able to receive the signals from his MacBook Pro M1, noting that he was able to receive audible signals from several inches away at frequencies between 63 kHz and 5.5 MHz.

System Bus Radio received with an RTL-SDR and upconverter.

Evil Crow RF: An Open Source CC1101 Based Device for Pentesting

The CC1101 is a popular RF silicon chip as it can handle many common digital modulation modes such as OOK/ASK, FSK, GFSK, and MSK within its hardware. It is not a software defined radio, but rather a hardware radio that can be easily software controlled. Over the years we've seen the CC1101 and its cousin the CC1111, which has an embedded microcontroller, used in several pentesting/RF reverse engineering tools such as the Flipper Zero, Yard Stick One and PandwaRF.

There is now a new open source CC1101 implementation called the "Evil Crow RF". This hardware marries two CC1101 modules with an ESP32 WiFi and Bluetooth microcontroller. It is capable of operating in the 300 MHz - 348 MHz, 387 MHz - 464 MHz and 779 MHz - 928 MHz bands. As it has two CC1101 modules it can receive or transmit on two different frequencies at the same time. 

The firmware running on the ESP32 allows you to control the device via a simple web interface. Currently built in are interfaces for receiving, transmitting and brute forcing.

The device hardware is completely open source so anyone can build it. The creators are also selling a ready to use version on Aliexpress, however at the time of this post it appears to be out of stock.

Over on Twitter creator @JoelSernaMoreno has uploaded a short video of it working.

The Evil Crow RF Open Source CC1101 Based Radio

Smart Meter Hacking Hack Chat to be held April 14 Noon Pacific Time

In the last post from a couple of days ago we posted about RECESSIM's YouTube series about smart meter hacking. Hackaday have noted that Hash, the security researcher behind the RECESSIM channel, will be hosting a Hack Chat on April 14 at noon Pacific time. If you're unfamiliar with them, Hack Chats are live chat events where you can chat directly with an expert on a particular topic.

That electrical meter on the side of your house might not look like it, but it's pretty packed with technology. What was once a simple electromechanical device that a human would have to read in person is now a node on a far-flung network. Not only does your meter tote up the amount of electricity you use, but it also talks to other meters in the neighborhood, sending data skipping across town to routers that you might never have noticed as it makes its way back to the utility. And the smartest of smart meters not only know how much electricity you're using, but they can also tease information about which appliances are being used simply by monitoring patterns of usage.

While all this sounds great for utility companies, what does it mean for the customers? What are the implications of having a network of smart meters all talking to each other wirelessly? Are these devices vulnerable to attack? Have they been engineered to be as difficult to exploit as something should be when it's designed to be in service for 15 years or more?

These questions and more burn within Hash, a hardware hacker and security researcher who runs the RECESSIM reverse-engineering wiki. He's been inside a smart meter or two and has shared a lot of what he has learned on the wiki and with some in-depth Smart Meter Hacking videos. He'll stop by the Hack Chat to discuss what he's learned about the internals of smart meters, how they work, and where they may be vulnerable to attack.

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube, the channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses, allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally, in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a Faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Playlist: Smart Meter Hacking