In his last video, Corrosive from the SignalsEverywhere YouTube channel showed us a quick guide on setting up a Phase 1 P25 digital voice decoder with two RTL-SDR dongles and the DSDPlus Fastlane decoder.
Now in his latest video Corrosive continues with the DSDPlus tutorial and this time explains how to set up priority and groups. On a trunked radio system there may be many different agencies using the same system simultaneously. Without priorities and groups, you would be listening to all communications in the system, and following a conversation within a particular agency would be difficult. Setting up priorities and groups allows you to filter out the conversations that you are not interested in, allowing you to focus on listening in to a particular agency only.
RTL SDR Digital Radio Scanning Priority and Groups With DSDPlus Fastlane Setup Tutorial
GNU Radio Conference is a yearly conference based around the GNU Radio project and the surrounding community. GNU Radio is an open source digital signal processing (DSP) toolkit which is often used to implement decoders, demodulators and various other SDR algorithms.
GRCon is the annual conference for the GNU Radio project & community, and has established itself as one of the premier industry events for Software Radio. It is a week-long conference that includes high-quality technical content and valuable networking opportunities. GRCon is a venue that highlights design, implementation, and theory that has been practically applied in a useful way. GRCon attendees come from a large variety of backgrounds, including industry, academia, government, and hobbyists.
The 2019 GNU Radio Conference will be held on September 16-20 at the Marriot at the Space & Rocket Center in Huntsville, Alabama.
Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkars now famous low cost rolljam attack. A rolljam attack allows an attacker break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.
In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.
Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.
The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. Although it is still plausible that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.
RSA Conference is an information security event that was recently held on March 4 - 8 in San Francisco. The talks have been uploaded to YouTube and from what we see there are three interesting SDR/RF related talks that may be worth looking at, which we show below. The full list of videos can be found on their YouTube channel.
RF Exploitation: IoT and OT Hacking with Software-Defined Radio
Harshit Agrawal, Security Researcher, MIT Academy of Engineering, SPPU
Himanshu Mehta, Team Lead (Senior Threat Analysis Engineer), Symantec
Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. SDR is changing the game for both offense and defense.Learning Objectives:1: Become familiar with common security concerns and attack surfaces in a wireless communication system.2: Understand the ease and prevalence of wireless exploitation, with sophisticated examples.3: Learn to view IoT devices, security and privacy collectively.
RF Exploitation: IoT and OT Hacking with Software-Defined Radio
Hunting and Tracking Rogue Radio Frequency Devices
Eric Escobar, Principal Security Consultant, SecureWorks
Rogue radio frequencies pose a substantial and often overlooked threat to both organizations and targeted individuals. This talk will explore the dangers of rogue radio frequencies and highlight tactics, techniques and tools which can be used to identify and locate potential threats.Learning Objectives:1: Understand the major ways rogue wireless frequencies can impact an organization.2: Develop a basic understanding of how to locate a rogue wireless signal.3: Gain a conversational knowledge of ways to identify and track a wireless signal.Pre-Requisites:Basic understanding of security principles. Basic understanding of wireless communication. Basic understanding of computer networks.
Hunting and Tracking Rogue Radio Frequency Devices
Wireless Offense and Defense, Explained and Demonstrated!
Rick Farina, Senior Product Manager, WLAN Software Security, Aruba Rick Mellendick, Chief Security Officer, Process Improvement Achievers LLC
This session will discuss the use of radio frequency, often overlooked for network enumeration and attack. The techniques to be discuss are used to identify authorized and unauthorized signals in an organization. Without understanding the offensive attacks an organization can’t perform effective defense. The talk will explain and demonstrate how to enumerate and gain access to resources through RF signals.Learning Objectives:1: Understand that wireless doesn’t just mean WiFi.2: Understand that the Bluetooth protocol can allow for direct attacks against phones, PCs and other devices.3: Learn that other RF attacks are very difficult to detect, and gain an understanding of what they look like.Pre-Requisites:The biggest prerequisite for our talk is an open mind and the ability to understand risk, and after the talk to better assess risk on your environment.
Wireless Offense and Defense, Explained and Demonstrated!
DSDPlus is a popular piece of software often used with RTL-SDR dongles to listen to unencrypted digital voice signals such as P25 and DMR. Digital voice is now commonly used by many Police and emergency services as well as business radio. DSDPlus fastlane is DSD's paid upgrade which allows subscribers to access to the latest releases of DSDPlus early.
Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a quick video guide that shows how to use DSDPlus Fastlane and two RTL-SDR dongles to set up a Phase 1 P25 voice decoder that automatically follows a P25 trunking channel. The basic process involves running two FMP instances which is a program in the DSDPlus suite that connects to the RTL-SDR's and receives the signal. One DSDPlus instance monitors the trunking channel, and this tunes the second FMP+DSD instance to the frequency currently active in the trunking system.
Corrosive also explains how people who are subscribed to RadioReference can download pre-populated data files that will allow the DSDPlus event log to display talkgroup information so that you can see who is talking to who.
RTL SDR Digital Radio Scanning With DSDPlus Setup FastlaneTutorial
The famous HAARP (High Frequency Active Auroral Research Program) antenna array will be transmitting again from March 25 - March 28, 2019. HAARP is an antenna array which is used to perform experiments on the Earth's ionosphere and thermosphere by transmitting HF RF energy into it. With an HF capable receiver like the RTL-SDR V3 it is often possible to receive these transmissions from some distance away. As HAARP only rarely transmits, it is an interesting signal to catch when it is transmitting.
HAARP (High Frequency Active Auroral Research Program)
Ghosts in the Air Glow is an ionospheric transmission art project using the HAARP Ionospheric Research Instrument to play with the liminal boundaries of outer space.
Pairing air glow experiments in the ionosphere—false auroras creating soft, glowing spots in the sky—with SSTV images, audio and image signals articulated by artist Amanda Dawn Christie will be received and decoded via SDR (Software Defined Radio) equipment by amateur radio operators around the world, and streamed live online for audiences who do not have the equipment or expertise for reception.
“The facility, which was used by the military, has an air of mystery about it and has been the subject of many conspiracy theories over the years — that’s something I reflected upon when creating the piece.”
Ghosts in the Air Glow will consist of an hour-long transmission containing eight movements, each created for a specific frequency and intended to explore different concepts related to radio science and the HAARP site itself.
From Arctic wolves meeting the aurora to poetic texts written in Morse code and the NATO phonetic alphabet, the motifs covered by this transmission art work address issues related to military research, surveillance, political territories, ionospheric science, and conspiracy theories.
The first art transmission was sent earlier today, and if you missed it Amanda live streamed the signals being received on YouTube and the recording is available here. Future live streams will be available here. DK8OK has also posted about his reception on his blog.
Further transmissions are scheduled every day until March 28, and the transmissions schedule is available here. Each transmission consists of several 'movements', which consist of differing antenna array arrangements, frequencies being used, and signals being transmitted. If the text formatting of the movements is a bit difficult to read, Reddit user
grink has formatted it into a nice table in his post. To follow the transmissions it would be also wise to follow Amanda on Twitter, where she is posting the most up to date transmission frequencies.
The idea for the project came about when Christie met Christopher Fallen, the chief scientist at HAARP, at a hackers conference earlier this year. Fallen, who is an amateur radio operator, was intrigued by Christie’s proposition to use the IRI to create site-specific transmission art.
He agreed to open the facility to her, and when she gained backing from the Canada Council for the Arts, Ghosts in the Air Glow officially became the first Canadian-funded project to take place at HAARP.
“Art and science are often seen as separate efforts but they actually share many of the same inspirations and techniques. I’m excited to see HAARP, a unique scientific instrument, used for a comparably unique artistic performance,” says Fallen.
“Amanda’s project will be a valuable contribution to the 50-year collection of scientific work in the field of ionosphere radio modification, and also to the brand new collection of artistic work using powerful high-frequency radio transmitters and the upper atmosphere — it’s art directed from the ground but created in space!”
Interdisciplinary artist Amanda Dawn Christie. Photo by Concordia University
If you prefer a video explanation of the project, YouTube user OfficialSWLchannel has prepared a video which is shown below.
HAARP tests and Ghost in the Air Glow from Amanda Dawn Christie
Steve Andrew, the author of the SDRplay Spectrum Analyzer software has recently released an update which enables several new features. This software allows you to use SDRplay SDRs to scan a wide swath of bandwidth by rapidly scanning in 10 MHz (or less) chunks over the SDRplay's frequency range. The SDRplay team write:
We are pleased to announce the availability of V1.0a of the Spectrum Analyser software developed by Steve Andrew specifically for the RSP line of products. This is a very-much upgraded version of the original alpha release and includes many new features as well as removing the limitations imposed on the previous version. New features include multiple traces, a versatile marker system with maths, peak find and display functions, Zero or non-Zero IF options and an upgraded tracking generator system. Currently support are:
Over on the Othernet website the Dreamcatcher hardware is currently on sale for only US$49. This is the lowest we've ever seen it for sale.
If you weren't already aware, the Othernet project aims to bring live data such as news, weather, video, books, Wikipedia articles and audio broadcasts to the world via a free satellite service and cheap receivers. Although an internet connection provides the same data, Othernet's satellite broadcast is receivable in remote areas, will continue working in disasters, and costs nothing to continually receive roughly 200MB of data a day. The trade off is that the service is downlink only, so the data that you get is only what is curated by the Othernet team.
Currently the public service is in a test period and is only available in North America. Europe has come online recently too, however they write that the current version of Dreamcatcher that is for sale may not be optimal for receiving the EU signal.
While currently active, they write that the Othernet satellite service is not guaranteed to continue long term. However even if the service discontinues, the Dreamcatcher can still be used as a TX/RX capable LoRa radio. In a previous post we demonstrated a fun application with two Dreamcatchers and a LoRa chat application.
