Back in September 2021 we posted about Manahiyo's software that allows the RF spectrum and related graphs to be viewed in virtual reality, using a VR headset and an RTL-SDR. Back then the software was only demonstrated on YouTube, but not released.
A few days ago Manahiyo released the VR software on GitHub. The software requires an Oculus/Meta Quest 2 VR headset, and it is able to run directly on the headset's computing hardware. This makes it possible to have the RTL-SDR attached to the headset itself.
Over on his YouTube channel Frugal Radio, Rob has uploaded a new video whilst on holiday travelling through the USA. In the video he shows what sort of scanner radios, antennas and SDR gear he carries with him on his travels. His gear includes a Uniden SDS-100 scanner, a BCD325 scanner, a Radio-Tone RT4 internet network radio and of course an RTL-SDR Blog V3 and laptop.
He goes on to demonstrate the hardware in action from his hotel room, decoding local digital audio.
A peek in Frugal's Travel Bag : SDR & Scanner gear on the road
A few months ago university student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how insecure the remote keyless locking system on various Honda vehicles is, and how it is easily subject to very simple wireless replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR.
Most car manufacturers implement rolling code security on their wireless keyfobs which makes replay attacks significantly more difficult to implement. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from years 2016-2020 come with zero rolling code security:
This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.
In the videos on the GitHub demonstration page they show a laptop with a GNU Radio flowgraph and a HackRF SDR being used to turn the engine of a Honda Civic on, and to lock and unlock doors.
Various news agencies reported on the story, with "The Record" and BleepingComputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it "is not a new discovery" and "doesn't merit any further reporting", further noting that "legacy technology utilized by multiple automakers" may be vulnerable to "determined and very technologically sophisticated thieves". Martin went on to note that Honda has no plans to update their vehicles to fix this vulnerability at this time.
Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.
In the past we've seen similar car hacks, but they have mostly been more advanced techniques aimed at getting around rolling code security, and have been difficult to actually implement in the field by real criminals. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and HackRF. It's possible that a HackRF and laptop are not even required. A simple RTL-SDR and a Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all. On top of being able to start the vehicle's ENGINE whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.
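To make the difference between a fixed code and a rolling code concrete, the following added example (not code from the researchers, Honda or any keyfob vendor) models the receiver side of both designs. The frame layout, the HMAC-based tag, the window size and the key are all assumptions chosen for illustration, not a real keyfob protocol.

```python
import hashlib
import hmac

class StaticCodeReceiver:
    """Flawed design: one fixed frame per command, valid forever."""
    def __init__(self, unlock_frame: bytes):
        self.unlock_frame = unlock_frame

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.unlock_frame)

class RollingCodeReceiver:
    """Counter plus truncated HMAC: each frame is accepted at most once."""
    WINDOW = 16  # assumed look-ahead for button presses made out of range

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 13:  # 1 command byte + 4 counter bytes + 8 tag bytes
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or edited frame
        counter = int.from_bytes(body[1:5], "big")
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # stale (replayed) or implausibly far ahead
        self.last_counter = counter
        return True

def fob_frame(key: bytes, command: bytes, counter: int) -> bytes:
    """What a legitimate fob would send for one button press."""
    body = command + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

def demo():
    key = b"constructed-demo-key"        # constructed sample value
    fixed = b"\x01STATIC-UNLOCK"         # constructed sample frame
    static_rx = StaticCodeReceiver(fixed)
    static_results = [static_rx.accept(fixed) for _ in range(3)]

    rolling_rx = RollingCodeReceiver(key)
    recorded = fob_frame(key, b"\x01", 1)  # same frame presented three times
    rolling_results = [rolling_rx.accept(recorded) for _ in range(3)]
    next_press = rolling_rx.accept(fob_frame(key, b"\x01", 2))
    return static_results, rolling_results, next_press

if __name__ == "__main__":
    print(demo())
```

The static receiver accepts the same frame every time, while the rolling receiver accepts it once and then only a fresh counter value. This model covers only the plain record-and-replay case described here, not the more advanced techniques against rolling codes mentioned above.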
Tech YouTuber Lon.TV has recently uploaded a video demonstrating how to identify and decode various digital transmissions with an RTL-SDR dongle. In the video he explains how to use VB Cable to pipe audio from SDR# into various decoders, and then goes on to show DMR, APRS, POCSAG, L-Band AERO, FT8, and JS8/JS8CALL all being decoded via an RTL-SDR Blog V3 dongle.
Software Defined Radio Part 2 - Decoding Digital Transmissions with an RTL-SDR USB Radio
Over on his blog Radoslav has created a post showing how he has used a HackRF to wirelessly control a toy RC car by reverse engineering the wireless control protocol, and generating the control signals in a C++ program.
Having already created the rf-car HackRF RC car control software on GitHub a few years ago, Radoslav was easily able to modify it for a new RC car that his daughter received. The process was to simply look up the FCC data on it, finding that it operated at 2.4 GHz and used GFSK modulation. He then used the Inspectrum signal analysis tool to determine the bit strings used to control the car. Finally, using his C++ interface to the HackRF, he implemented the new bit string and GFSK modulation.
The video below demonstrates Radoslav controlling the RC car with the keyboard on his laptop.
Thanks to all who submitted, we recently received some interesting tip offs about the Netflix TV Show Yakamoz S-245 featuring a scene with various hobbyist SDR and ham radio programs clearly visible. Yakamoz S-245 is a show about a submarine research mission, and the scene appears to depict military intelligence specialists using the programs.
Paolo Romani (IZ1MLL) has recently released version 4.2 of his SDRSharp PDF Guide. The book is available for download on the Airspy downloads page, just scroll down to the title "SDR# Big Book in English".
As before the document is a detailed guide about how to use SDRSharp, which is the software provided by Airspy. While intended for Airspy devices, SDRSharp also supports a number of third party SDRs, including the RTL-SDR, and it is the software we recommend starting with when using an RTL-SDR.
Paolo writes:
My new v4.2 SDRsharp PDF is out. The guide is now 139 pages long, and covers all the settings, UI customization, included and third party plugins, and use of some external decoders and software, now with Spyserver integration with Raspberry Pi 3/4, etc etc...
The Financial Times has recently run a video story on how hobbyist WebSDR setups are being used to record Russian radio communications during the war on Ukraine.
In these modern times, we would expect the Russian military to be making full use of encrypted radio communications on the battlefield. But early on in the invasion it came to be clear that much of the Russian forces are much less advanced than first thought, and are using cheap civilian unencrypted radios that anyone nearby can listen to with an RTL-SDR or via a web connected SDR.
The FT story focuses on how open source contributors from all over the world are helping to monitor internet-connected WebSDRs that are close enough to receive Russian radio communications, and how volunteers are helping to translate, confirm authenticity, and collect information about possible war crimes.
If you are interested, previously we posted about a similar video story from the New York Times, and have covered various bits of radio related news from the war in two previous posts [1][2].