Tagged: bladerf

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

Industrial Machines like Cranes, Excavators Can Easily be Hacked with Software Defined Radios

Recently, the RF research team at Trend Micro released a very nice illustrated report, technical paper and several videos demonstrating how they were able to take control of building cranes, excavators, scrapers and other large industrial machines with a simple bladeRF software defined radio. Trend Micro is a well known security company mostly known for their computer antivirus products.

Trend write that the main problem stems from the fact that these large industrial machines tend to rely on proprietary RF protocols, instead of utilizing modern standard secure protocols. It turns out that many of the proprietary RF commands used to control these machines have little to no security in place.

A Forbes article written about the research writes:

Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncracies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.

Being a responsible security firm, Trend Micro has already notified manufacturers of these vulnerabilities, and government level advisories (1, 2) and patches have already been rolled out over the last year. However the Forbes article states that some vulnerabilities still remain unpatched to this day. Of interest, the Forbes articles writes that for some of these vendors the simple idea of patching their system was completely new to them, with the firmware version for some controllers still reading 0.00A.

The videos showing the team taking control of a model crane, real crane and excavator are shown below. The video shows them using bladeRF 2.0 SDRs which are relatively low cost TX/RX capable software defined radios. We also recommend taking a look at Trends web article as it very nicely illustrates several different RF attack vectors which could apply to a number of different RF devices.

In the past we've also posted about similar serious RF attacks to infrastructure and machines that reveal the vulnerability and disregard to wireless security present in everyday systems. These include vulnerabilities like taking control of city disaster warning sirens, GPS spoofing of car navigation systems, hacking wireless door systems on cars, and revealing hospital pager privacy breaches.

Trend Micro Illustrates Replay Attacks
Trend Micro Illustrates Replay Attacks

Crane hacking Pt 1

Crane hacking Pt 2

bladeRF 2.0 micro: New 47 MHz – 6 GHz, 56 MHz bandwidth, 2×2 MIMO SDR for $480

Nuand have recently released their new bladeRF 2.0 micro software defined radio. The SDR has a frequency range of 47 MHz to 6 GHz on TX and 70 MHz to 6 GHz on RX, a bandwidth of up to 56 MHz, a 12-bit ADC and has 2 RX and 2 TX radios.

There are two options for sale, the US$480 xA4 version and the US$720 xA9 version. The differences between the two appear to be entirely in the FPGA, with the more expensive version having an FPGA that contains many more logic elements which means that more DSP hardware can be synthesized on it. The RF transceiver chip used is the AD9361, which is the chip used on most high end SDRs like USRP's.

The bladeRF 2.0 micro is the next-generation 2x2 MIMO, 47MHz to 6GHz frequency range, off-the-shelf USB 3.0 Software Defined Radio (SDR) that is easy and affordable for students and RF enthusiasts to explore wireless communications, yet provides a powerful waveform development platform expected by industry professionals.

Support is available for Linux, macOS, and Windows. The bladeRF libraries, utilities, firmware, and platform HDL are released under open source licenses, and schematics are available online. The FPGA and USB 3.0 peripheral controller are programmable using vendor-supplied tools and SDKs that are available online, free of charge.

The bladeRF 2.0 micro features support for: GNU Radio via gr-osmosdr, Pothos via SoapySDR, SDRange, SDR Console, SDR # via sdrsharp-bladeRF, YateBTS, OpenAirInterface, srsUE & srsLTE, MathWorks MATLAB® & Simulink® via libbladeRF bindings.

The bladeRF 2.0 micro
The bladeRF 2.0 micro

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.


Leif (SM5BSZ) Compares Several HF Receivers

Over on YouTube well known SDR tester Leif (SM5BSZ) has uploaded a video that compares the performance of several HF receivers with two tone tests and real antennas. He compares a Perseus, Airspy + SpyVerter, BladeRF + B200, BladeRF with direct ADC input, Soft66RTL and finally a ham-it-up + RTLSDR. The Perseus is a $900 USD high end HF receiver, whilst the other receivers are more affordable multi purpose SDRs.

If you are interested in only the discussion and results then you can skip to the following points:

24:06 – Two tone test @ 20 kHz. These test for dynamic range. The ranking from best to worst is Perseus, Airspy + SpyVerter, Ham-it-up + RTLSDR, Soft66RTL, BladeRF ADC, BladeRF + B200. The Perseus is shown to be significantly better than all the other radios in terms of dynamic range. However Leif notes that dynamic range on HF is no longer as important as it once was in the past, as 1) the average noise floor is now about 10dB higher due to many modern electronic interferers, and 2) there has been a reduction in the number of very strong transmitters due to reduced interest in HF. Thus even though the Perseus is significantly better, the other receivers are still not useless as dynamic range requirements have reduced by about 20dB overall.

33:30 – Two tone test @ 200 kHz. Now the ranking is Perseus, Airspy + SpyVerter, Soft66RTL, BladeRF+B200, Ham-it-up + RTLSDR, BladeRF ADC.

38:30 – Two tone test @ 1 MHz. The ranking is Perseus, Airspy + SpyVerter, BladeRF + B200, ham-it-up + RTLSDR, Soft66RTL, bladeRF ADC. 

50:40 – Real antenna night time SNR test @ 14 MHz. Since the Perseus is know to be the best, here Leif uses it as the reference and compares it against the other receivers. The ranking from best to worst is Airspy + SpyVerter, ham-it-up + RTLSDR, BladeRF B200, Soft66RTL, BladeRF ADC. The top three units have similar performance. Leif notes that the upconverter in the Soft66RTL seems to saturate easily in the presence of strong signals.

1:13:30 – Real antenna SNR ranking for Day and Night tests @ 14 MHz. Again with the Perseus as the reference. Ranking is the same as in 3).


In a previous video Leif also uploaded a quick video showing why he has excluded the DX patrol receiver from his comparisons. He writes that the DX patrol suffers from high levels of USB noise.


Building your own Rogue GSM Basestation with a BladeRF

Over on his blog author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting peoples calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and now it is about time that these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and 12-bit ADC. He also uses a battery pack which makes the whole thing portable. The software used is Yate and YateBTS which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up mobile phones will automatically connect to the basestation due to the design of GSM.

Once setup you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic on anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is a IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.
bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.

YouTube Tutorial about using the BladeRF for Several Experiments

On YouTube user CrazyDanishHacker has been uploading some tutorial videos showing how to perform several experiments with the BladeRF. Some things he shows are GPS spoofing, broadcasting digital TV, getting 124 MHz bandwidth, using spectrum painter and how to use the BladeRF on Windows 10, Kali Linux and Ubuntu.

You might remember CrazyDanishHacker from our previous post where we posted about his in depth YouTube tutorial on GSM sniffing and cracking. That series now appears to be complete ending on episode #16 of his software defined radio series. The BladeRF tutorials start on episode #17.

The bladeRF is a $420 software defined radio which is capable of transmit and receive. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300 MHz – 3.8 GHz. Along with the HackRF we eventually expect that it will be superseded by the upcoming LimeSDR.

BladeRF + SDR# on Windows 10 – Software Defined Radio Series #17