Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Ars Technica ran a story about how, during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic insulin pump. An insulin pump is a device that attaches to the body of a diabetic person and delivers short bursts of insulin throughout the day. The Medtronic insulin pump has a wireless remote control function that can be exploited with the HackRF. About the exploit, MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack, they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Building a Tracking Mount for HRPT Weather Satellite Reception Part 2

Earlier this month we posted about The Thought Emporium who uploaded a video to YouTube where they documented the first steps of their construction of a tracking mount for a 2.4 GHz grid WiFi dish which they intend to use for HRPT weather satellite reception.

If you didn't already know, receiving HRPT weather satellite signals is a little different to the more commonly received NOAA APT or Meteor M2 LRPT images which most readers may already be familiar with. HRPT is broadcast by the same NOAA satellites that provide the APT signal at 137 MHz, but is found in the L-band at around 1.7 GHz. The signal is much weaker, so a high gain dish antenna with motorized tracking mount, LNA and high bandwidth SDR like an Airspy is required. The payoff is that HRPT images are much higher in resolution compared to APT.

In this video they document the steps required to finish the physical build and add the electronics and motors required to control and move the dish. The final product is a working tracking mount that should be able to track the NOAA satellites as they pass over. In the next video, which is not yet released, they plan to actually test reception.

Track Satellites in Orbit - Part 2

CyberSpectrum Special: DEF CON Wireless Village Talks now Live

Cyberspectrum #23 is now live and can be viewed via the YouTube live stream below. It should be available for delayed viewing after the event as well. The talks include SDR and radio related topics on subjects such as:

  • HAARP ionosphere research
  • An open source implementation of DVB-S2 and DVB-S2X for both satellite and terrestrial amateur radio use
  • An open source SpyServer based tool for automatically demodulating/recording and parsing RF data
  • Reverse engineering X-Band satellites
  • An RTL-SDR powered web based trunking scanner with timeshifting capabilities

Cyberspectrum Special: DEF CON Wireless Village

Since our last post previewing the event, some new talks have been added, and we've posted the lineup and info below.

At this year's DEFCON conference SDR evangelist Balint Seeber will be hosting Cyberspectrum #23. DEFCON is a yearly conference with a focus on hacker topics, which often include SDRs and other radio topics too. This year's conference will be held on August 9 - 12 at Caesars Palace & Flamingo in Las Vegas. Cyberspectrum is an almost monthly meetup of SDR enthusiasts and researchers that is normally held in the San Francisco Bay Area, but often hosts remote speakers via teleconference. This month's meetup will be held at DEFCON on August 9, hosted by the Wireless Village.

Chris Fallen, Ph.D. (@ctfallen): "Opportunities for radio enthusiasts and heaters of the ionosphere: HAARP is just another instrument, or is it?"

Preview of a future #cyberspectrum talk: Background of passive and active ways to get involved with HAARP experiments (and perhaps with other natural ionosphere events) based on prior and ongoing work.

Michelle Thompson (@abraxas3d): "ORI and Phase 4 Ground" (https://phase4ground.github.io/)

Open Research Institute (ORI) is a new non-profit research and development organization which provides all of its work to the general public under the principles of Open Source and Open Access to Research.

One of our projects is called Phase 4 Ground. Our mission is to provide an open source implementation of DVB-S2 and DVB-S2X for both satellite and terrestrial amateur radio use. The Phase 4 Ground radio system has a 5 GHz uplink and a 10 GHz downlink. We are developing SDR software that heavily leverages IP multicast and RTP protocols to set up and tear down distributed remote radio functions.

The reference designs are in GNU Radio and we will provide recipes for as many SDRs as possible.

Phase 4 Ground radios are intended to be reusable and reconfigurable, supporting payloads at GEO (AMSAT Phase 4B), HEO (AMSAT Phase 3E), and beyond (such as NASA's Cube Quest Challenge). Additionally, our radios will work as terrestrial microwave stations. These 'Groundsats' on mountaintops or towers establish a fun and flexible digital microwave experience. If you want to build up your radio from SDRs, you can. If you want to build it entirely from scratch, then you can. Our manufacturing partner for an off-the-shelf design is Flex Radio.

Lucas Teske (@lucasteske): SegDSP SpyServer Segment Digital Signal Processor

SegDSP is a WIP "Segment Digital Signal Processor" that is tuned for connecting to a SpyServer and automatically demodulating/recording/parsing RF data. This talk will be about what it does today, how the development went, how it works, how it will work and what the uses for it are. Tired of losing the pass of a LEO satellite? Want to hear the recording from last week? SegDSP is an Open Source tool made in Go for both learning and monitoring Satcom and Terrestrial Com.

Luigi Freitas (@luigifcruz): "Reverse Engineering X-Band Satellites Datalink And The Worst Software Defined Radio Ever"

This talk will be about the reverse engineering process of the next generation X-Band datalink signal on board Sun-synchronous satellites like Suomi (NPP) and NOAA-20 (NPOESS/JPSS-1), from the RAW I/Q recording to the decompressed high-resolution Earth pictures. This is the latest addition to the Open Satellite Project, a non-profit organization that is committed to developing and publishing software tools and hardware projects that enable the Open-Source Community to access spacecraft non-sensitive data.

The other half (or so) of this talk will be about the "Worst SDR Ever" that is made entirely of dirt cheap parts readily available from China. This project is intended to demonstrate how a Software Defined Radio works utilizing real hardware and comprehensive modular software.

Gavin Rozzi (@gavroz): "OC Radio Live" (https://ocradio.live)

An online trunking scanner website with time shifting capabilities covering New Jersey powered by the RTLSDR and open source software.

Decoding a Moon Orbiting Satellite 378,500 km Away with an RTL-SDR

Thanks to IU2EFA (William) for writing in and letting us know about his success in decoding telemetry from the moon orbiting satellite known as DSLWP-B / LONGJIANG-2. LONGJIANG-2 is a Chinese lunar microsatellite (45 kg) that was launched in May 2018. It is designed to perform ultra-long-wave radio astronomy observations. It also has an on-board camera and took some nice photos of the Earth back in June.

While the satellite is still being tested, William notes that it is transmitting telemetry data to Earth during its scheduled days at 435.4 MHz and 436.4 MHz, and the signal can be received with an RTL-SDR and Yagi antenna. William writes:

[LONGJIANG-2] transmits with a little linear antenna and very little power, just 2 Watts.

In other sessions, I used a professional radio to have the maximum performance.

But this morning I wanted to test the reception using just my RTL-SDR V3 and my 15-element Yagi antenna pointed at the Moon. No other options (such as filters, preamplifiers, or other stuff; none of these).

Well, the result was great. I received the signals and I could also decode them!

So I think people can be happy to know that, with a very small setup, they can receive incredibly weak signals from great distances.

When I received these signals, the Moon distance was about 378500 km.

LONGJIANG-2 transmits telemetry with GMSK and JT4G, and JT4G can be decoded with WSJT-X or WSJT 10. There is also a GNU Radio program called gr-dslwp that can be used to decode the telemetry. JT4G is a weak-signal mode that can be decoded with signal levels down to -17 dB, so anyone with modest hardware can decode the satellite. More information about the coding can be found in this post by Daniel Estevez.

On the LilacSat page for LONGJIANG-2, if you scroll down, you can also see reports from several other amateur radio operators who have managed to receive the satellite with RTL-SDR dongles and other radios. Below is an example image from SP5ULN, who was able to receive and decode the JT4G signal with an RTL-SDR, LNA, and 19-element Yagi.

Example of LONGJIANG-2 being received with an RTL-SDR by SP5ULN as noted on the LilacSat website.
IU2EFA decode Longjiang2 2018 jul 15 afternoon

Receiving GOES Weather Satellite HRIT with an SDRplay and 2.4 GHz WiFi Grid Antenna

Over on the SDRplay forums member RSP2user has posted a new tutorial, this time showing how to receive weather satellite images from GOES satellites with an RSP2 and a cheap 2.4 GHz WiFi grid antenna.

GOES 15/16/17 are geosynchronous weather satellites that beam back high resolution weather images and data. In particular they send beautiful high resolution 'full disk' images which show one side of the entire earth. As the satellites are in geosynchronous orbit, they are quite a bit further away from the earth. So compared to the more easily receivable low earth orbit satellites such as the NOAA APT and Meteor M2 LRPT satellites, a dish antenna, good LNA and possibly a filter are required to receive them. Fortunately, as they are in a geosynchronous orbit, the satellite is in the same position in the sky all the time, so no tracking hardware is required.

In the tutorial RSP2user notes that he's been using a $16 2.4 GHz WiFi grid dish antenna and the NooElec SAWbird LNA. In the past we've also seen GOES reception from Pieter Noordhuis, who used a 1.9 GHz grid antenna from L-Com which seems to be a better match to the 1.7 GHz GOES frequency. However, 2.4 GHz WiFi grid antennas are much more common and therefore much cheaper. In the past there has been debate on whether or not these cheaper WiFi antennas would be good enough for GOES, so it's good to see that the cheaper option is confirmed to work, at least for the satellite elevations found in RSP2user's part of the USA.

The SAWbird is a 1.7 GHz LNA which is required to improve the SNR by reducing the system noise figure, and to filter out any interfering out-of-band signals. The SAWbird is currently not available for public sale, but NooElec have noted that it is due to be released soon. RSP2user also notes that the polarization of the dish is important, so the dish may need to be rotated, and also that flipping the secondary reflector significantly increases the gain at 1.69 GHz.

For software, the XRIT demodulator from USA-Satcom (available for a small fee) is used together with the SDRplay RSP2. As seen from Pieter Noordhuis' results, it's also possible to receive these signals with an RTL-SDR and Pieter's free software. So it may be possible to reduce the cost of a GOES reception system by using an RTL-SDR, SAWbird and 2.4 GHz WiFi grid antenna. With those components the total cost would be well under $100.

As a bonus, in later posts on his forum thread, RSP2user shows that the system can also be used to receive HRPT images from the low earth orbit NOAA 19 satellite by hand tracking the antenna as the satellite passes over.

RSP2user's GOES Receiver: SDRplay, SAWbird LNA, 2.4 GHz WiFi Grid Antenna

Upcoming DEFCON Cyberspectrum Wireless Village SDR Talks

At this year's DEFCON conference SDR evangelist Balint Seeber will be hosting Cyberspectrum #23. DEFCON is a yearly conference with a focus on hacker topics, which often include SDRs and other radio topics too. This year's conference will be held on August 9 - 12 at Caesars Palace & Flamingo in Las Vegas. Cyberspectrum is an almost monthly meetup of SDR enthusiasts and researchers that is normally held in the San Francisco Bay Area, but often hosts remote speakers via teleconference. This month's meetup will be held at DEFCON on August 9, hosted by the Wireless Village.

The planned talk overviews are listed below, and Balint would like to note that any physical attendees are welcome to get in contact with him and submit more talks. Previous Cyberspectrum talks can be viewed on this YouTube playlist.

Michelle Thompson (@abraxas3d): "ORI and Phase 4 Ground" (https://phase4ground.github.io/)

Open Research Institute (ORI) is a new non-profit research and development organization which provides all of its work to the general public under the principles of Open Source and Open Access to Research.

One of our projects is called Phase 4 Ground. Our mission is to provide an open source implementation of DVB-S2 and DVB-S2X for both satellite and terrestrial amateur radio use. The Phase 4 Ground radio system has a 5 GHz uplink and a 10 GHz downlink. We are developing SDR software that heavily leverages IP multicast and RTP protocols to set up and tear down distributed remote radio functions.

The reference designs are in GNU Radio and we will provide recipes for as many SDRs as possible.

Phase 4 Ground radios are intended to be reusable and reconfigurable, supporting payloads at GEO (AMSAT Phase 4B), HEO (AMSAT Phase 3E), and beyond (such as NASA's Cube Quest Challenge). Additionally, our radios will work as terrestrial microwave stations. These 'Groundsats' on mountaintops or towers establish a fun and flexible digital microwave experience. If you want to build up your radio from SDRs, you can. If you want to build it entirely from scratch, then you can. Our manufacturing partner for an off-the-shelf design is Flex Radio.

Lucas Teske (@lucasteske): SegDSP SpyServer Segment Digital Signal Processor

SegDSP is a WIP "Segment Digital Signal Processor" that is tuned for connecting to a SpyServer and automatically demodulating/recording/parsing RF data. This talk will be about what it does today, how the development went, how it works, how it will work and what the uses for it are. Tired of losing the pass of a LEO satellite? Want to hear the recording from last week? SegDSP is an Open Source tool made in Go for both learning and monitoring Satcom and Terrestrial Com.

Luigi Freitas (@luigifcruz): "Reverse Engineering X-Band Satellites Datalink And The Worst Software Defined Radio Ever"

This talk will be about the reverse engineering process of the next generation X-Band datalink signal on board Sun-synchronous satellites like Suomi (NPP) and NOAA-20 (NPOESS/JPSS-1), from the RAW I/Q recording to the decompressed high-resolution Earth pictures. This is the latest addition to the Open Satellite Project, a non-profit organization that is committed to developing and publishing software tools and hardware projects that enable the Open-Source Community to access spacecraft non-sensitive data.

The other half (or so) of this talk will be about the "Worst SDR Ever" that is made entirely of dirt cheap parts readily available from China. This project is intended to demonstrate how a Software Defined Radio works utilizing real hardware and comprehensive modular software.

Gavin Rozzi (@gavroz): "OC Radio Live" (https://ocradio.live)

An online trunking scanner website with time shifting capabilities covering New Jersey powered by the RTLSDR and open source software.

Using RPiTX as a 2FSK Transmitter

Over on his blog, Rowetel has been experimenting with 2FSK transmissions and the new v2beta branch of RPiTX. RPiTX is a piece of software for the Raspberry Pi that enables it to transmit RF signals via a GPIO port, with no other hardware required.

In his tests he's been creating 100 bit/s 2FSK test frames, transmitting them at 7.177 MHz, and receiving and decoding them on another PC with a hardware radio. The results show that the transmission is working perfectly, with only minor artefacts caused by RPiTX. Rowetel also notes that the narrowband spectral purity of the RPiTX output is remarkably clean. The only worry is the wideband harmonics, which can easily be removed with filtering.

This shows that RPiTX could easily be used as a transmitter for amateur radio purposes, assuming proper external filtering is applied. Rowetel also mentions that he hopes that cheap radio technologies like RPiTX could one day be used to help reduce the cost and difficulty in covering the 'last 100 miles' of communications in the developing world.
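To make the 2FSK scheme Rowetel is testing concrete, here is a small added example (written for this page, not Rowetel's code or the RPiTX project's code) of a 2FSK modem in Python: it builds 100 bit/s frames, modulates them as continuous-phase 2FSK, adds white Gaussian noise to stand in for the channel, and recovers the bits with a non-coherent two-tone energy detector. The 8 kHz sample rate, the 1000/1200 Hz tones, the preamble and the test payload are assumptions chosen for illustration; the post only gives the bit rate and the 7.177 MHz carrier, and the RF generation RPiTX does on the GPIO pin is not modelled here.

```python
# Added example (not Rowetel's or the RPiTX project's code): a minimal
# 2FSK modem that generates 100 bit/s test frames, adds channel noise and
# recovers the bits with a non-coherent two-tone detector. The sample rate,
# tone frequencies, preamble and payload below are assumptions chosen for
# this illustration; the post only states the 100 bit/s rate and the carrier.
import math
import random

SAMPLE_RATE = 8000           # samples/s (assumed; audio-rate baseband, not RF)
BAUD = 100                   # bit/s, as in the 2FSK test frames described in the post
MARK_HZ = 1200               # tone for a 1 bit (assumed)
SPACE_HZ = 1000              # tone for a 0 bit (assumed)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 80 samples per bit

# The tone spacing (200 Hz) is an integer multiple of the baud rate, so the two
# tones are orthogonal over one bit period and the detector below sees no
# cross-talk between them in the noiseless case.
assert (MARK_HZ - SPACE_HZ) % BAUD == 0

PREAMBLE = [1, 0] * 8        # alternating bits marking the frame start (assumed)


def build_frame(payload_bits):
    """Prepend the fixed preamble to the payload bits."""
    return PREAMBLE + list(payload_bits)


def modulate(bits):
    """Continuous-phase 2FSK: each bit selects a tone; phase carries across bit edges."""
    samples = []
    phase = 0.0
    for bit in bits:
        freq = MARK_HZ if bit else SPACE_HZ
        step = 2.0 * math.pi * freq / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2.0 * math.pi)
    return samples


def add_noise(samples, snr_db, seed=1):
    """Add white Gaussian noise at the requested SNR, measuring signal power from the samples."""
    rng = random.Random(seed)                   # fixed seed keeps the example reproducible
    signal_power = sum(s * s for s in samples) / len(samples)
    noise_power = signal_power / (10.0 ** (snr_db / 10.0))
    sigma = math.sqrt(noise_power)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _tone_energy(chunk, freq):
    """Energy of one tone in a bit-length chunk: |sum x[n] * exp(-j*2*pi*f*n/fs)|^2."""
    i_acc = q_acc = 0.0
    for n, x in enumerate(chunk):
        angle = 2.0 * math.pi * freq * n / SAMPLE_RATE
        i_acc += x * math.cos(angle)
        q_acc -= x * math.sin(angle)
    return i_acc * i_acc + q_acc * q_acc


def demodulate(samples):
    """Non-coherent detection: for each bit period, pick the tone with more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        mark = _tone_energy(chunk, MARK_HZ)
        space = _tone_energy(chunk, SPACE_HZ)
        bits.append(1 if mark > space else 0)
    return bits


def find_payload(received_bits):
    """Locate the preamble in the recovered bit stream and return the bits after it."""
    n = len(PREAMBLE)
    for offset in range(len(received_bits) - n + 1):
        if received_bits[offset:offset + n] == PREAMBLE:
            return received_bits[offset + n:]
    return None


def bit_error_rate(sent, received):
    """Fraction of differing bits over the compared length."""
    pairs = list(zip(sent, received))
    errors = sum(1 for a, b in pairs if a != b)
    return errors / len(pairs) if pairs else 0.0


if __name__ == "__main__":
    payload = [1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1]  # constructed test payload
    frame = build_frame(payload)
    rx = demodulate(add_noise(modulate(frame), snr_db=6.0))
    print("recovered payload:", find_payload(rx))
    print("BER:", bit_error_rate(frame, rx))
```

The tone spacing is deliberately a multiple of the baud rate so the two tones are orthogonal over a bit period; that is what lets the two correlators separate them without cross-talk, and it is the kind of property a receiver designer checks before worrying about the wideband harmonics mentioned above.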

RPiTX 2FSK spectrum analyzer measurement showing good narrowband spectral purity.

SDR-Remote: A Physical Tuning and Control Knob for SDR#

Recently Maxim who runs his small company "ExpElectroLab" wrote in and wanted to share a new product that he's developed called "SDR-Remote v2.0". This is a physical tuning knob that connects to your PC, and can be used with programs like SDR#. Apart from the knob, there are also several buttons for volume control, presets, and various other functions. He writes:

The heart is an Arduino Nano V3.0, plus buttons, an encoder and software. The sketch was written to order by a professional programmer.

Implemented features:

  • tuning the reception frequency in steps of 1 kHz, 100 kHz, 1 MHz (additionally 50 Hz)
  • volume control
  • muting the sound (mute)
  • FM mono / stereo switching
  • switching of modulation types
  • turning the noise on / off
  • adjustment of the noise threshold
  • adjustment of the bandwidth
  • switching ranges 160m, 80m, 40m, 25m, 13m, 10m, FM, AVIA, 2m, 70cm

It appears that Maxim doesn't have a full store, but rather sells the devices on VK Markets, which is a Russian clone of Facebook. Also, at the moment only SDR-Remote V1.0 is available for sale, but V2.0 seems to be due to go on sale soon. Version 1.0 sells for 2,650 Rub, which is equivalent to around US$42. His store also contains various other home brew SDR related products such as upconverters, LNAs, filters and a fractal antenna. The video below is in Russian, but shows V2.0 being unboxed and demonstrates it working with SDR#.

Maxim has noted that you can contact him at [email protected] if you are not Russian and are interested in his products.

SDR-Remote V1.0
SDR-Remote V2.0, or a tuning encoder for SDR Sharp