Opening Car Doors with an RTL-SDR, Arduino and CC1101 Transceiver

Recently we found this post from last year by security researcher Anthony, which shows how an RTL-SDR combined with an Arduino and a CC1101 transceiver can be used to open a car. The technique he presents is the jam, intercept and replay technique that was also used by Samy Kamkar's RollJam device.

Most modern vehicles use some form of rolling code on their wireless keyfobs to prevent replay attacks. Each button press sends a new code derived from a counter that advances with every press. The car accepts a code only if it lies a little ahead of the last counter value it accepted; once it accepts one, it moves its own counter forward, so that code and everything before it are rejected from then on. Simply recording an unlock and replaying it later therefore fails, because the car has already consumed that code. The scheme can still be defeated by jamming the car's receiver so that it never sees the press, while a more selective receiver records the keyfob's packet. A code the car never received is still unused, and can be replayed at a later time (with the jammer off) for as long as the car has not accepted a newer code from the real keyfob.
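The jam, intercept and replay sequence described above, as an added simulation that is not code from Anthony's post or from RollJam. The receiver model is an assumption chosen to show the logic: a press counter, a code that is an HMAC of the counter under a secret shared by fob and car, and a car that accepts a code up to WINDOW presses ahead of the last one it accepted. Real manufacturers' schemes differ in detail, but the counter-and-window behaviour the attack relies on is the same.

```python
"""Jam, intercept and replay against a rolling-code keyfob, simulated.

Added example, not code from Anthony's post or from RollJam. SHARED_KEY,
WINDOW, the 2-byte counter and the 4-byte code are constructed for the
example and do not describe any particular manufacturer's scheme.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed example key"   # fob/car secret, constructed
WINDOW = 16                              # forward window the car will search


def rolling_code(counter):
    """The over-the-air code for a given press counter (4 bytes here)."""
    msg = counter.to_bytes(2, "big")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return rolling_code(self.counter)


class Car:
    def __init__(self):
        self.last_accepted = 0
        self.unlocked = False

    def receive(self, code):
        """Accept a code only if it is 1..WINDOW presses ahead, then move past it."""
        for c in range(self.last_accepted + 1, self.last_accepted + WINDOW + 1):
            if hmac.compare_digest(rolling_code(c), code):
                self.last_accepted = c      # this code and all earlier ones are now dead
                self.unlocked = True
                return True
        return False


class Attacker:
    """Jammer on the car's receiver plus a narrower receiver logging the fob."""
    def __init__(self):
        self.jamming = False
        self.captured = []

    def owner_presses(self, fob, car):
        code = fob.press()
        if self.jamming:
            self.captured.append(code)   # car never hears it; the code stays unused
            return False
        return car.receive(code)


def rolljam():
    """Returns (owner got in via replayed A, attacker got in via B, A replay rejected)."""
    fob, car, atk = Fob(), Car(), Attacker()
    atk.jamming = True
    atk.owner_presses(fob, car)                  # press 1: code A captured, car saw nothing
    atk.owner_presses(fob, car)                  # press 2: code B captured, car saw nothing
    atk.jamming = False
    owner_in = car.receive(atk.captured[0])      # attacker replays A: owner gets in
    car.unlocked = False
    attacker_in = car.receive(atk.captured[1])   # later: B is still unused, so it works
    car.unlocked = False
    a_again = car.receive(atk.captured[0])       # plain replay of a consumed code fails
    return owner_in, attacker_in, a_again


def captured_code_expires():
    """Caveat: a stolen code dies as soon as the car accepts any later one."""
    fob, car, atk = Fob(), Car(), Attacker()
    atk.jamming = True
    atk.owner_presses(fob, car)          # code for press 1 captured, undelivered
    atk.jamming = False
    atk.owner_presses(fob, car)          # press 2 reaches the car, counter moves to 2
    return car.receive(atk.captured[0])  # press 1 is now behind the window: rejected


def plain_replay_fails():
    """Without jamming the car consumed the code, so record-and-replay fails."""
    fob, car, atk = Fob(), Car(), Attacker()
    code = fob.press()
    car.receive(code)
    car.unlocked = False
    return car.receive(code)


if __name__ == "__main__":
    print("rolljam:", rolljam())
    print("stolen code still valid after owner used fob:", captured_code_expires())
    print("plain replay works:", plain_replay_fails())
```

The simulation also shows the practical limit of the attack: the stored code is only good until the owner's next press is accepted by the car, which is why the replay has to happen before the fob is used again.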

In the technique Anthony presents, the attacker uses an Arduino with a CC1101 transceiver as the jammer. Intentional jamming is illegal in the USA, so Anthony does not show exactly how the jamming is done. While the car's receiver is being jammed, the RTL-SDR captures and saves the signal from the keyfob. Later the recording is processed in GNU Radio to filter out the jamming signal and extract the keyfob signal, and the ASK (on-off keyed) signal is then demodulated into a binary waveform that can be replayed later.
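The last step, turning the filtered ASK burst into bits, as an added example that is not Anthony's GNU Radio flowgraph. It assumes the capture has already been narrowed to the keyfob channel with the jammer removed, so the input is a list of magnitude samples. SAMPLE_RATE, BAUD and the test burst are constructed for the example; on a real recording the symbol rate is read off the shortest pulse, which is what the demodulator does when no rate is given.

```python
"""OOK/ASK demodulation of a filtered keyfob burst into bits.

Added example, not Anthony's GNU Radio flowgraph. SAMPLE_RATE, BAUD and the
burst built by ook_modulate() are constructed for the example.
"""
import random

SAMPLE_RATE = 1_000_000          # assumed capture rate, samples/s
BAUD = 2_000                     # assumed fob symbol rate
SPB = SAMPLE_RATE // BAUD        # samples per symbol (500)


def ook_modulate(bits, lead_in=300, noise=0.1, seed=7):
    """Constructed magnitude capture: silence, one burst, silence, plus noise."""
    rng = random.Random(seed)
    raw = [0.0] * lead_in
    for b in bits:
        raw += [1.0 if b else 0.0] * SPB
    raw += [0.0] * lead_in
    return [s + rng.uniform(-noise, noise) for s in raw]


def run_lengths(samples):
    """Slice at mid-amplitude and collapse to (level, run length) pairs."""
    threshold = (max(samples) + min(samples)) / 2
    runs = []
    for s in samples:
        level = 1 if s > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return runs


def ook_demodulate(samples, spb=None):
    """Run-length decode: each run is rounded to a whole number of symbols.

    No timing sync with the transmitter is needed. Leading and trailing low
    runs are silence, not data, so a burst is decoded from its first to its
    last high symbol. If spb is None the shortest run is taken as one symbol.
    """
    runs = run_lengths(samples)
    if runs and runs[0][0] == 0:
        runs.pop(0)
    if runs and runs[-1][0] == 0:
        runs.pop()
    if not runs:
        return []
    if spb is None:
        spb = min(length for _, length in runs)   # shortest pulse = one symbol
    bits = []
    for level, length in runs:
        bits += [level] * max(1, round(length / spb))
    return bits


if __name__ == "__main__":
    burst = [1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1]
    print(ook_demodulate(ook_modulate(burst)))
```

Trailing zeros of a real packet are indistinguishable from silence, so a fob protocol's frame length (or its preamble and stop pattern) has to be known before the tail of the bit string can be trusted.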

Anthony tested this technique on two cars and a truck and was successful at unlocking the doors all three times.

RTL-SDR receiving a BMW keyfob signal at 315 MHz in HDSDR.

Identifying Issues that can be used to Disable IoT Alarms

Seekintoo cybersecurity researcher Dayton Pidhirney has been investigating security flaws in wireless IoT (Internet of Things) alarm systems, and has identified six issues that can be used to bypass or disable an alarm. Five attack the RF side of the device, and one comes in through the traditional IP network.

In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC running TI's SimpliciTI low-power radio network protocol. Dayton notes that the majority of the attacks are not specific to a single manufacturer, and could be applied to other IoT devices as well.

Using hardware including a logic analyzer, a Yardstick One, a GoodFET, RFCat and a USRP B210 software defined radio, together with software including GNU Radio, GQRX, Baudline and Audacity, Dayton was able to attack the alarm's RF side in the following ways:

  • Brute-force attack on the alarm system device source addresses.
  • Remotely clone authenticated devices used to interact with the alarm system security features.
  • Decryption of authenticated devices radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
  • RF Jamming.
  • Assisted replay attack.

The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.

The iSmartAlarm IoT wireless alarm system

Decoding ADS-B in MATLAB Video Tutorial

Over on YouTube the official MATLAB channel has uploaded a new video tutorial on setting up ADS-B decoding in MATLAB. MATLAB is a technical computing language that is frequently used by scientists and engineers around the world. They write:

Use the software-defined radio capabilities that are part of Communications System Toolbox™ to capture and decode ADS-B messages. ADS-B is a relatively simple standard used by commercial aircraft to transmit flight data such as aircraft ID, position, velocity, and altitude to air traffic control centers. ADS-B messages are 56 or 112 bits long, the data rate is 1 Mbit/sec, and the messages are amplitude modulated signals, transmitted at a carrier frequency of 1090 MHz.

The video goes over what ADS-B is, how to receive it, and then goes on to explain a bit of the MATLAB code. This is a good introduction for people wanting to use an RTL-SDR in MATLAB, or for anyone wanting to learn about ADS-B.
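The framing the quote describes, worked through as an added example in Python rather than the MathWorks MATLAB code from the video. The framing facts are the Mode S standard: an 8 µs preamble with pulses at 0, 1.0, 3.5 and 4.5 µs, then 56 or 112 data bits at 1 Mbit/s, each bit a 0.5 µs pulse in the first (1) or second (0) half of its slot, and a 24-bit parity field with generator polynomial 0xFFF409. At 2 Msps, the rate RTL-SDR decoders normally use, one sample covers one 0.5 µs chip, so the decoder compares sample pairs. The ICAO address 0xABCDEF and the message payload in the constructed capture are made up for the example.

```python
"""Mode S / ADS-B pulse-position decoding at 2 Msps, with the CRC-24 check.

Added example; not the MathWorks code from the video. The ICAO address and
payload in constructed_capture() are made up for the example.
"""
import random

GENERATOR = 0x1FFF409     # Mode S CRC-24 generator, 25-bit form of 0xFFF409
PREAMBLE = [1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0]   # 16 chips = 8 us
PRE_HIGH = [i for i, v in enumerate(PREAMBLE) if v]
PRE_LOW = [i for i, v in enumerate(PREAMBLE) if not v]


def crc24(bits):
    """Polynomial remainder of the bit string modulo GENERATOR (MSB first)."""
    rem = 0
    for b in bits:
        rem = (rem << 1) | b
        if rem & (1 << 24):
            rem ^= GENERATOR
    return rem


def add_parity(payload):
    """Append the 24 parity bits so that crc24() of the whole frame is zero."""
    rem = crc24(payload + [0] * 24)
    return payload + [(rem >> (23 - i)) & 1 for i in range(24)]


def ppm_encode(frame_bits):
    """Preamble plus one chip pair per bit: 1 -> high,low ; 0 -> low,high."""
    chips = list(PREAMBLE)
    for b in frame_bits:
        chips += [1, 0] if b else [0, 1]
    return chips


def decode_at(samples, i):
    """Decode the frame whose preamble starts at sample i, or None if truncated."""
    def bit(k):
        first, second = samples[i + 16 + 2 * k], samples[i + 17 + 2 * k]
        return 1 if first > second else 0
    if i + 16 + 2 * 56 > len(samples):
        return None
    bits = [bit(k) for k in range(56)]
    df = int("".join(map(str, bits[:5])), 2)   # downlink format
    if df >= 16:                               # long (112-bit) formats
        if i + 16 + 2 * 112 > len(samples):
            return None
        bits += [bit(k) for k in range(56, 112)]
    return bits


def find_frames(samples):
    """Scan a magnitude capture for preambles; keep frames whose parity checks.

    The zero-remainder test is right for DF17/DF18 squitters, whose parity
    field is plain. Other formats overlay the ICAO address on the parity, so
    for them the remainder equals the address instead of zero.
    """
    frames, i = [], 0
    while i + 16 <= len(samples):
        highs = min(samples[i + h] for h in PRE_HIGH)
        lows = max(samples[i + l] for l in PRE_LOW)
        bits = decode_at(samples, i) if highs > lows else None
        if bits and crc24(bits) == 0:
            df = int("".join(map(str, bits[:5])), 2)
            icao = "%06X" % int("".join(map(str, bits[8:32])), 2)
            frames.append({"df": df, "icao": icao, "bits": bits})
            i += 16 + 2 * len(bits)          # skip past the decoded frame
        else:
            i += 1
    return frames


def constructed_capture(seed=3):
    """A 2 Msps magnitude capture: noise, one DF17 frame from 0xABCDEF, noise."""
    rng = random.Random(seed)
    payload = [1, 0, 0, 0, 1] + [1, 0, 1]                        # DF=17, CA=5
    payload += [int(c) for c in format(0xABCDEF, "024b")]        # ICAO, constructed
    payload += [rng.randint(0, 1) for _ in range(56)]            # ME field, constructed
    chips = [0] * 40 + ppm_encode(add_parity(payload)) + [0] * 40
    return [c + rng.uniform(0.0, 0.15) for c in chips]           # additive noise floor


if __name__ == "__main__":
    for frame in find_frames(constructed_capture()):
        print("DF", frame["df"], "ICAO", frame["icao"], len(frame["bits"]), "bits")
```

The parity check is what makes the scan usable on a noisy band: preamble-shaped noise and data chips that happen to look like a preamble are decoded and then discarded because their remainder is non-zero.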

Real-time Airplane Tracking with ADS-B Signals and RTL-SDR Radios

Instructions and a Review of the SDRplay RSP1 Metal Enclosure Upgrade Kit

Mike (kd2kog), our partner on the SDRplay RSP1 metal case upgrade kit, has recently uploaded an instruction set that shows step by step how to perform the upgrade (pdf). It shows how to remove the RSP1 board from its plastic case, install the included broadcast FM filter, mount the PCB, and where all the nuts and washers go.

The metal case upgrade is something we brought out back in March. It allows owners of the SDRplay RSP1 to replace the default plastic case with a sturdy metal one for improved ruggedness and RF shielding. It also comes with a broadcast FM filter to help reduce the strong FM images which are often a problem on some bands with the RSP1, and with a handy travel case. If you want to purchase the enclosure we have it available on our store at www.rtl-sdr.com/store, and also on US Amazon, both with free shipping.

Also, over on his blog K5ACL has posted a short review of the case.

Image of the RSP1 Metal Case from K5ACL's review

A 3D Printed Stand for Generic MCX RTL-SDR Dongles

Thanks to Jaime (EB5ABT) for submitting his 3D printed stand for the generic MCX RTL-SDR dongles. The stand is designed to hold one of the generic dongles on its side so that a small whip antenna can be attached to it while it stays stably upright.

If you're interested in printing the stand for yourself, Jaime has uploaded the design files to his Dropbox. He has also created a short YouTube video showing a slideshow of his stand, which is shown at the end of this post.

If you're interested in 3D printing accessories and enclosures for the RTL-SDR, thingiverse.com has a range of user submitted designs, ranging from custom RTL-SDR dongle enclosures, to Stratux Raspberry Pi + dongle enclosures, to Outernet patch antenna stands.

Some of the RTL-SDR related designs on Thingiverse.
Soporte receptor RTL-SDR (RTL-SDR receiver stand)

A Screenshot based Meteor Scatter Detector for HDSDR

Over on our forums Andy (M0CYP) has posted about his new meteor scatter detection program, which works with HDSDR and any SDR that HDSDR supports, such as an RTL-SDR. It works in an interesting way: instead of analyzing audio recordings for the blips of meteor scatter activity, it analyzes screenshots of the HDSDR waterfall. The software automatically grabs the screenshots and determines whether a signal is present on a given frequency. You set a detection frequency for a distant transmitter that is normally out of range, and if the waterfall shows a reflection on it the program records that as a meteor.

Meteor scatter works by receiving a distant but powerful transmitter via reflections off the trails of ionized air that meteors leave behind when they enter the atmosphere. Normally the transmitter would be too far away to receive, but if its signal can bounce off the ionized trail in the sky it can reach far over the horizon to your receiver. Typically powerful broadcast FM radio stations, analog TV transmitters, and radar signals at around 140 MHz are used. Some amateur radio enthusiasts also use this phenomenon as a long range VHF communications tool with their own transmitted signals. See www.livemeteors.com for a livestream of a permanently set up RTL-SDR meteor detector (although that site does not use Andy's software).

Andy writes that his meteor scatter detection software is still in beta so there might be some bugs. You can write feedback on the forum post, in the comments here, or contact Andy directly via the link on his website.

Andy's screenshot based meteor detection software

An RTL-SDR Add-on for the Kodi Entertainment System Software

Kodi is a media player and entertainment hub program used to manage digital video collections and music. It is mostly used on TVs together with a home theater PC or a Raspberry Pi 3, but also runs on Android and iOS. It can be thought of as a more fully featured alternative to the software built into smart TVs.

Recently we've seen that there is an 'add-on' (plugin) for Kodi which allows broadcast FM radio, including RDS data, to be received with an RTL-SDR dongle directly from within the Kodi interface (Kodi wiki link). The software has been around for a while now, but we hadn't seen it before. It looks like an easy and cheap way to add broadcast FM to a home theater PC. Currently the add-on only supports Kodi on Linux and on the Raspberry Pi.

The interface allows for manual tuning and for creating presets of your favorite stations.

Kodi RTL-SDR Add-On

Using SDR# and the Fast Scanner Plugin for Wide Band Scanning

Over on Tom's Radio Room Show (TRRS) on YouTube, Tom has uploaded a video showing how to use SDR# together with Vasili's Fast Scanner plugin. Fast Scanner is a plugin for SDR# that turns it into a wide band scanner: it quickly steps through multiple ~2 MHz chunks of bandwidth (roughly the instantaneous bandwidth of an RTL-SDR) and automatically tunes to any active signals.

In his video Tom shows the Fast Scanner plugin in action, explains how to use it, discusses a bit about how it works, and goes over all of its features.

TRRS #1184 - Turn Your SDR Into Wide Band Scanner