Sniffing MiniMed Insulin Pump RF Packets with an RTL-SDR

A MiniMed Insulin Pump with wireless meter

Over on GitHub we've just seen the release of a program called rtlmm made by user ps2 which decodes MiniMed RF packets with an RTL-SDR. We weren't entirely such what MiniMed was, but from Googling the name it appears that it is a product by a company called Medtronic who sell medical equipment such as portable automatic insulin pumps and glucose monitors for diabetic patients. These products have RF telemetry links that transmit to a meter which can receives data and forwards it to your phone via Bluetooth LE. Sniffing the telemetry from these sensors could allow you to build up your own data without the need of the meter.

Rtlmm was inspired by a similar program called rtlomni which is a program released a few months ago and made by F5OEO. rtlomni works with Omnipod diabetes insulin pumps and monitors which are similar products to MiniMeds offerings.

Tweet13
Share
Reddit
Vote
Email
13 Shares

SDR and Radio Talks from the 34th Chaos Communication Congress: SatNOGs, Bug Detection, GSM with SDR, Open Source Satellites and WiFi Holography

Every year the Chaos Computer Club hold the Chaos Communication Congress (CCC) which is a conference that aims to discuss various topics related to technology and security. This year was the 34th conference ever held (34C3) and there were several interesting SDR and radio related talks which we post below. Further links and video downloads are available in the YouTube description.

SatNOGS: Crowd-sourced satellite operations

An overview of the SatNOGS project, a network of satellite ground station around the world, optimized for modularity, built from readily available and affordable tools and resources.

We love satellites! And there are thousands of them up there. SatNOGS provides a scalable and modular platform to communicate with them. Low Earth Orbit (LEO) satellites are our priority, and for a good reason. Hundreds of interesting projects worth of tracking and listening are happening in LEO and SatNOGS provides a robust platform for doing so. We support VHF and UHF bands for reception with our default configuration, which is easily extendable for transmission and other bands too.

We designed and created a global management interface to facilitate multiple ground station operations remotely. An observer is able to take advantage of the full network of SatNOGS ground stations around the world.

34C3 - SatNOGS: Crowd-sourced satellite operations

Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.

34C3 - Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

Running GSM mobile phone on SDR

Since SDR (Software Defined Radio) becomes more popular and more available for everyone, there is a lot of projects based on this technology. Looking from the mobile telecommunications side, at the moment it's possible to run your own GSM or UMTS network using a transmit capable SDR device and free software like OsmoBTS or OpenBTS. There is also the srsLTE project, which provides open source implementation of LTE base station (eNodeB) and moreover the client side stack (srsUE) for SDR. Our talk is about the R&D process of porting the existing GSM mobile side stack (OsmocomBB) to the SDR based hardware, and about the results we have achieved.

There is a great open source mobile side GSM protocol stack implementation - OsmocomBB project. One could be used for different purposes, including education and research. The problem is that the SDR platforms were out of the hardware the project could work on. The primary supported hardware for now are old Calypso based phones (mostly Motorola C1XX).

Despite they are designed to act as mobile phone, there are still some limitations, such as the usage of proprietary firmware for DSP (Digital Signal Processor), which is being managed by the OsmocomBB software, and lack of GPRS support. Moreover, these phones are not manufactured anymore, so it's not so easy to find them nowadays.

Taking the known problems and limitations into account, and having a strong desire to give everyone the new possibilities for research and education in the telecommunications scope, we decided to write a 'bridge' between OsmocomBB and SDR. Using GNU Radio, a well known environment for signal processing, we have managed to get some interesting results, which we would like to share with community on the upcoming CCC.

34C3 - Running GSM mobile phone on SDR

UPSat - the first open source satellite

During 2016 Libre Space Foundation a non-profit organization developing open source technologies for space, designed, built and delivered UPSat, the first open source software and hardware satellite.

UPSat is the first open source software and hardware satellite. The presentation will be covering the short history of Libre Space Foundation, our previous experience on upstream and midstream space projects, how we got involved in UPSat, the status of the project when we got involved, the design, construction, verification, testing and delivery processes. We will also be covering current status and operations, contribution opportunities and thoughts about next open source projects in space. During the presentation we will be focusing also on the challenges and struggles associated with open source and space industry.

34C3 - UPSat - the first open source satellite

Holography of Wi-Fi radiation

Can we see the stray radiation of wireless devices? And what would the world look like if we could?

When we think of wireless signals such as Wi-Fi or Bluetooth, we usually think of bits and bytes, packets of data and runtimes.

Interestingly, there is a second way to look at them. From a physicist's perspective, wireless radiation is just light, more precisely: coherent electromagnetic radiation. It is virtually the same as the beam of a laser, except that its wavelength is much longer (cm vs µm).

We have developed a way to visualize this radiation, providing a view of the world as it would look like if our eyes could see wireless radiation.

Our scheme is based on holography, a technique to record three-dimensional pictures by a phase-coherent recording of radiation in a two-dimensional plane. This technique is traditionally implemented using laser light. We have adapted it to work with wireless radiation, and recorded holograms of building interiors illuminated by the omnipresent stray field of wireless devices. In the resulting three-dimensional images we can see both emitters (appearing as bright spots) and absorbing objects (appearing as shadows in the beam). Our scheme does not require any knowledge of the data transmitted and works with arbitrary signals, including encrypted communication.

This result has several implications: it could provide a way to track wireless emitters in buildings, it could provide a new way for through-wall imaging of building infrastructure like water and power lines. As these applications are available even with encrypted communication, it opens up new questions about privacy.

34C3 - Holography of Wi-Fi radiation

Tweet
Share
Reddit
Vote
Email

Securing the Bitcoin network against Censorship with WSPR

Bitcoin WSPR Test Setup
Bitcoin WSPR Test Setup

If you didn't know already Bitcoin is the top cryptocurrency which in 2017 has begun gaining traction with the general public and skyrocketing to a value of over $19,000 US per coin at one point. In addition to providing secure digital transactions, cryptocurrencies like Bitcoin are intended to help fight and avoid censorship. But despite this there is no real protection from the Bitcoin internet protocol being simply blocked and censored by governments with firewalls or by large ISP/telecoms companies.

One idea recently discussed by Nick Szabo and Elaine Ou at the "Scaling Bitcoin 2017" conference held at Stanford University is to use the something similar to WSPR (Weak Signal Propagation Reporting Network) to broadcast the Bitcoin network, thus helping to avoid internet censorship regimes. To test their ideas they set up a HackRF One as a transmitter and RTL-SDR and used GNU Radio to create a test system.

Other ideas to secure the Bitcoin network via censorship resistant radio signals include kryptoradio, which transmits the network over DVB-T, and the Blockstream satellite service which uses an RTL-SDR as the receiver.

If you're interested in the presentation the talk on WSPR starts at about 1:23 in the video below. The slides are available here.

Scaling Bitcoin 2017 Stanford University - Day 2 Afternoon

Tweet12
Share
Reddit
Vote
Email
12 Shares

A Portable SDR Transceiver with LimeSDR Mini, Android Phone and QRadioLink

QRadioLink is a Linux and Android compatible radio app that can run on smartphones. It can be used to receive and transmit digital radio signals with a compatible SDR such as an RTL-SDR (RX only), or a LimeSDR Mini (TX and RX). The following video by Adrian M shows QRadioLink running on an Android phone with a LimeSDR Mini connected to it. An external battery pack is also connected to maintain power levels over a longer time.

In the video Adrian shows how this combination can be used as a fully portable radio transceiver. The video first shows him receiving broadcast FM, digital amateur radio voice (Codec2 & Opus is supported), narrowband FM and SSB signals. Later in the video he transmits a digital voice signal using the microphone on his Android phone. He notes that an external amplifier would still be needed if you wanted more transmission power.

Portable SDR transceiver: LimeSDR-mini, mobile phone and QRadioLink

 

Tweet
Share
Reddit
Vote
Email

Turning an old Radiosonde into an Active L-Band Antenna

VK5QI's Radiosonde Collection
VK5QI's Radiosonde Collection

Over on his blog VK5QI has shown how he has was able to re-purpose an old radiosonde into a wideband active L-band antenna. Radiosondes are small packages sent up with weather balloons. They contains weather sensors, GPS and altitude meters and use an antenna and radio transmitter to transmit the telemetry data back down to a ground station. With a simple radio such as an RTL-SDR and the right software, these radiosondes can be tracked and the weather data downloaded in real time. Some hobbyists such as VK5QI go further and actually chase down the weather balloons and radiosondes as they return to earth, collecting the radiosonde as a prize.

VK5QI and his friend Will decided to put some of his radiosonde collection to good use by modifying one of his RS92 radiosondes into a cheap active L-band antenna. They did this by first opening and removing unnecessary components that may interfere such as the main CPU, GPS receiver, 16 MHz oscillator, SAW filters and balun. They left the battery, LDO's, LNA's and Quadrifilar Helix GPS antenna which is tuned to the GPS L-band frequency. Finally they soldered on a coax connector to a tap point on the PCB and it was ready to use.

They then connected the new antenna to a RTL-SDR V3 and fired up GQRX. They write that their results were quite promising with several Inmarsat and Iridium signals being visible in the spectrum. VK5QI also used gr-iridium with the antenna as was able to decode some Iridium signals.

Modified Radiosonde L-Band Antenna connected to a RTL-SDR V3.
Modified Radiosonde L-Band Antenna connected to a RTL-SDR V3.
Tweet
Share
Reddit
Vote
Email

Transmitting and Receiving Text Data via an MP3, FM Transmitter and RTL-SDR

Over on his YouTube channel Kris Occhipinti has uploaded some videos where he shows how he is able to send text data over FM radio frequencies by using an MP3 audio file that  encodes the text data, an FM transmitter connected to an Android phone or MP3 player to transmit the file and an RTL-SDR on the receiving side to receive the FM signal from the FM transmitter. The software used to encode the text into an MP3 is Minimodem, and on the receiving side Minimodem is also used which can easily decode the received audio. Minimodem is a command line program which can generate FSK modem tones from data.

These two videos are part of a series that Kris has been working on that includes many videos about using Minimodem to transfer data like text, files and images between computers via radio.

12 Minimodem an FM Transmitter and a USB SDR Dongle

13 Radio Data Trasmission with RTL FM and SDR

Tweet
Share
Reddit
Vote
Email

Airspy HF+ Can Receive L-Band 1.2 GHz to 1.67 GHz

The Airspy HF+ is a much anticipated and recently released software defined radio that specializes in HF and VHF reception. However, one little known and not often advertised feature is that it can actually be used for L-band reception between 1.2 and 1.67 GHz as well. This means that it could be used for signals such as AERO, STD-C, Iridium, the 23cm amateur radio band and more.

Over on YouTube Adam 9A4QV has uploaded a video that tests the HF+ with Alphasat AERO signals at about 1.545 GHz. He notes that the sensitivity is quite good as it is able to receive the satellite signals directly with only the antenna connected and no external LNA used. Of course adding in an external low noise figure LNA and filter would improve the signal even further. Adam notes that reception on the 23cm amateur band (1240 MHz to 1300 MHz) is also quite good with sensitivity reaching about -130 dBm.

Airspy HF+ L-band satcom test

Tweet
Share
Reddit
Vote
Email

Art Installation Eavesdrops on Hospital Pagers with a HackRF

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

For a long time now it has been known that pager data is sent in the clear and in plain text over a strong and easily received RF signal. The signal can easily be intercepted with a standard scanner radio or more recently with an SDR such as the RTL-SDR. Software such as PDW can then be used to decode the signal into plain text. We have a tutorial on this available here.

In these more modern days of cell phones and secure text messaging very few people still use pagers. But one heavy user of pagers is the medical community who still prefer them as they are already widely implemented in hospitals and are very reliable. The lower frequencies and high transmission powers used by pager systems allows for better reception especially in areas prone to poor cellphone reception such as in big buildings like hospitals with many walls underground areas. They are also very reliable as they receive messages instantly, whereas text messages can be delayed in times of high network traffic which is obviously a problem when a doctor is needed urgently. Finally, another advantage is that most pagers only receive, so there are no local transmissions that could interfere with sensitive medical machines. A major downside however is that pager use means that a lot of very private patient data can be easily intercepted by anyone anywhere in the same city as the hospital.

Back in October artist and programmer Brannon Dorsey displayed an art installation at the Radical Networks conference in Brooklyn which he calls Holypager. The idea is to bring attention to the breach of privacy. The installation simply prints out the pager messages as they are sent in real time, accumulating patient data that any visitor can pick up and read. He doesn't mention it on his page, but in one of the photos we see a HackRF One, antenna and Raspberry Pi hiding underneath the installation which is how the pager messages are received. A simple RTL-SDR could also be used as the receiver. Brannon writes:

Holypager is an art installation that intercepts all POCSAG pager messages in the city it resides and forwards them to one (holy) pager. The installation anonymizes all messages and forwards them randomly to one of three pagers on display. Each message is also printed on a contiguous role of receipt paper amassing a large pile of captured pages for gallery goers to peruse.

Pagers use an outdated protocol that requires all messages to be broadcast unencrypted to each pager in the area. It is the role of the individual pager to filter and display only the messages intended for its specific address. The pagers below have been reprogrammed to ignore this filter and receive every message in the city in real time. Today, these devices are primarily used in hospitals to communicate highly sensitive information between doctors and hospital staff.

Given the severity of the HIPPA Privacy Act, one would assume that appropriate measures would be taken to prevent this information from being publicly accessible to the general public. This project serves as a reminder that as the complexity and proliferation of digital systems increase the cultural and technological literacy needed to understand the safe and appropriate use of these systems often do not.

[Also seen on Hackaday and Motherboard]

Tweet15
Share
Reddit
Vote
Email
15 Shares