Tagged: conference

DEF CON 27 SDR Talks: Antennas for Surveillance, Ford Keyfob Hack, Smart TV Wireless Side Channel Attack

Talks from this years DEF CON 27 conference which was held back in August are now available on YouTube. DEFCON is a yearly conference that a focuses on information security topics and often includes talks about SDRs and other wireless radio topics too. In particular we wanted to highlight the the DEF CON 27 Wireless Village playlist which contains numerous talks related to wireless, radio and SDRs.

Most talks from the wireless village relate to WiFi, but one talk with some very useful information that we really enjoyed was "Antennas for Surveillance" by Alex Zakhorov. 

We will cover the various kinds of antennas available to optimized your SDR radio for different types of spectrum monitoring. We will also explain why RF filters are necessary on most SDR's and when Low Noise Amplifiers help, and when Low Noise Amplifiers hurt reception.

DEF CON 27 Wireless Village - Alex Zakhorov - Antennas for Surveillance

Another interest talk was called "The Ford Hack Raptor Captor video" by Dale Wooden (Woody) where he shows how he used an RTL-SDR and HackRF to hack a Ford car key fob. If you're interested we wrote about the Hak5 videos on this hack in a previous post.

This talk will show flaws with development of security protocols in New Ford key fobs. This will exploit several areas. The ability for a denial of service to the keyfob WITHOUT jamming. How to trick the vehicle into resetting its rolling code count. How to lock, unlock, start, stop, and open the trunk of ford vehicles using a replay attacked after resetting rolling code count. How to find the master access code for Fords keypad to bypass security. This talk will also demonstrate how to reset your key fobs if they are attacked by a deauth attack. We will also demonstrate gnu-radio script to automate RF collection of Ford key fobs. As seen on HAK5 episodes 2523-2525

DEF CON 27 Wireless Village - Woody - The Ford Hack Raptor Captor video

Outside of the Wireless village there were also some interesting SDR topics including this talk titled "SDR Against Smart TVs URL Channel Injection Attacks" by Pedro Cabrera Camara. If you're interested we also wrote about Pedro's work in a previous post.

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

DEF CON 27 Conference - Pedro Cabrera Camara - SDR Against Smart TVs URL Channel Injection Attacks

Talks from GNU Radio Days 2019

GNU Radio Days 2019 was a workshop held back in June. Within the last week recordings of the talks have been uploaded to YouTube by the Software Defined Radio Academy channel. The talks cover a wide range of cutting edge SDR research topics and projects. Many of the presenters have also made use of RTL-SDR dongles, as well as other higher end SDRs in their research.

All the talks are combined into two 3 hour long videos from the morning and day sessions from day one. Day two also has two videos that consist of recordings from the tutorial sessions which make use of the PlutoSDR. Finally there is also the keynote speech from Marcus Müller where he dives into the internal workings of GNU Radio.

Below we list the talks with timestamps for the YouTube video. Short text abstracts for each of the talks can also be found in the conference book. We note that not all the abstracts appear to have been presented in the videos, so it may be worth checking out the book for missed talks about passive radar, a 60 GHz link, embedded GNU Radio on a PlutoSDR, an SDR 802.11 infrared transmission system, PHY-MAC layer prototyping in dense IoT networks and hacking the DSMx Drone RC protocol.

Continue reading

GNU Radio Conference 2019: Registration Open + Call For Papers

GNU Radio Conference is a yearly conference based around the GNU Radio project and the surrounding community. GNU Radio is an open source digital signal processing (DSP) toolkit which is often used to implement decoders, demodulators and various other SDR algorithms.

GRCon is the annual conference for the GNU Radio project & community, and has established itself as one of the premier industry events for Software Radio. It is a week-long conference that includes high-quality technical content and valuable networking opportunities. GRCon is a venue that highlights design, implementation, and theory that has been practically applied in a useful way. GRCon attendees come from a large variety of backgrounds, including industry, academia, government, and hobbyists.

The 2019 GNU Radio Conference will be held on September 16-20 at the Marriot at the Space & Rocket Center in Huntsville, Alabama.

Registration and a call for papers and posters is currently open, see gnuradio.org/grcon/grcon19.

Nullcon 2017: Drone Hijacking And Other IoT Hacking With GNU Radio And SDR

Nullcon is a yearly security conference which was held this year during early March. Recently videos of some of the presentations have been uploaded. One presentation of interest is Arthur Garipov’s presentation on “Drone Hijacking And Other IoT Hacking With GNU Radio And SDR”. In his talk he explains how he uses software defined radios and GNU Radio to hack various IoT devices based on the nRF, and even a drone. The talk blurb reads:

Internet of things is surrounding us. Is it secure? Or does its security stand on (deemed) invisibility? SDR (Software-defined radio) and GNU Radio can answer these questions. In this presentation, we will play some modern wireless devices. They have similar protocols, and none of them encrypts its traffic.

We will show how easy it is to find them using SDR and proprietary chipsets, and how to sniff/intercept/fuzz these devices using a small python script and GNU Radio.

As an example we will show a Mousejack attack to wireless dongles, wireless keyboard keylogger and even a drone hijacking.

Speaker Bio
Senior Specialist, Network Application Security Team, Positive Technologies Artur was born in 1987. He is a graduate of the Ufa State Aviation Technical University, was a software developer at OZNA and an independent security researcher. He started his career at Positive Technologies in 2014. Now he is engaged in security research of wireless technologies, mobile systems, and IoT. He is also an organizer of the MiTM Mobile contest and hands-on lab at PHDays V and PHDays VI.

The talk slides can be downloaded from their archives.

nullcon Goa 2017 – Drone Hijacking And Other IoT Hacking With GNU Radio And SDR by Arthur Garipov

Talks from the 33rd Chaos Computer Club Conference

Videos from the 33rd Chaos Communication Congress [33c3] of the Chaos Computer Club have recently been uploaded to YouTube. This is a yearly European conference with a theme on hacking. This year several SDR and RF related talks were presented and here below is a sampling of our favorites. See their YouTube Channel for more interesting talks.

Reverse Engineering Outernet

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I’ll explain which modulation, coding and framing is used for the Outernet L-band signal, what are the ad-hoc network and transport layer used, how the file broadcasting system works, and some of the tools and techniques I have used to do reverse engineering.

PDF slides available [here].

https://www.youtube.com/watch?v=gPxdah4zAOg

Intercoms Hacking

To break into a building, several methods have already been discussed, such as trying to find the code paths of a digicode, clone RFID cards, use some social engineering attacks, or the use of archaic methods like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms. Indeed, these intercoms are used to call the tenants to access the building. But little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, these are more practical and allow residents to open doors not only from their classic door phone, but to forward calls to their home or mobile phone. Private houses are now equipped with these new devices and its common to find these “connected” intercoms on recent and renovated buildings.

In this short paper we introduce the Intercoms and focus on one particular device that is commonly installed in buildings today. Then we present our analysis on an interesting attack vector, which already has its own history. After this analysis, we present our environment to test the intercoms, and show some practical attacks that could be performed on these devices. During this talks, the evolution of our mobile lab and some advances on the 3G intercoms, and M2M intercoms attacks will be also presented.

https://www.youtube.com/watch?v=pGq4raWvDtQ

Building a high throughput low-latency PCIe based SDR

Software Defined Radios (SDRs) became a mainstream tool for wireless engineers and security researches and there are plenty of them available on the market. Most if not all SDRs in the affordable price range are using USB2/USB3 as a transport, because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart – you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how this leads to certain design decisions and share pitfalls and gotchas we encountered (and solved).

We’ve been working with SDRs since 2008 and building own SDRs since 2011, focusing on embedded systems and mobile base stations. We created ClockTamer configurable clock source and UmTRX SDR and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we’ve started working on a new tiny high-performance SDR called XTRX which fits into the miniPCIe form-factor and using PCIe for the I/Q samples transfer.

We will talk about when to use PCIe and when not to use PCIe and why did we choose it for XTRX; FPGA implementation of PCIe with optimization for low latency and high throughput; Linux kernel driver for this PCIe device; integration with various SDR platforms; all the various issues we encountered and how you can avoid them.

https://www.youtube.com/watch?v=uf1EQOgBoEE

Talks from the 2015 Software Defined Radio Academy Conference

The software defined radio academy is a sub-conference held during the HAMRADIO conference at Friedrichshafen, Germany. HAMRADIO is the largest Amateur Radio yearly convention held within Europe. This years conference has completed and now several SDR related talks have been uploaded to YouTube. Many of the talks discuss the latest developments in SDR technology and projects. An example of some talks we enjoyed are shown below, but we encourage you to check out the YouTube link and watch any of the talks that interest you.

Bastian Blössl, DF1BBL: Signals Analytics with Radio Controlled Key Systems

In this talk we will go through the complete process of reverse engineering an unknown digital signal. Although a widespread car key fob from Hella will serve as an example, the aim is to provide a generally applicable walk-through. To decode the signal we will user different tools to determine its frequency, modulation, encoding, and finally its frame format. More specifically, we will use fosphor, baudline, gqrx, and audacity to study the signal in time and frequency domain. Even though we will just have a quick glance at the different applications, the goal is to show they capabilities and more importantly how they can be combined. Once we figured out the waveform and its parameters, we will go ahead an build a receiver in GNU Radio. GNU Radio is a real-time signal processing framework that already provides all means to demodulate the signal and produce a bit stream. At this point we will use command line tools and simple python scripts to study the bit stream to derive the frame format. Finally, we add a small technology specific block to GNU Radio that decodes and parses the frames to build a complete receiver. Hopefully, this will provide some hands-on experience and give an overview over the various tools that are available to study and decode the signals out there.

Bastian Blössl, DF1BBL: Signals Analytics with Radio Controlled Key Systems

Dr. Howard White, VE3GFW: Four Generations of SDR Architectures and Products

In the Past Year, a new 4th Generation SDR Architecture has emerged that not only bests Legacy Radios with better performance but has ergonomic advantages so that Contesters and DXer’s can finally make SDR’s their first choice. The talk will cover the rapidly accelerating pace of evolution of SDR Technology through Four Generations of SDR Architectures with examples of Amateur Radio products using each architecture.

SDR Technology has captured the imagination of Amateur Radio Operators who increasingly chose SDR’s when buying a new radio. This trend has become so dominant in the USA that Legacy Radio Manufacturers have started to mislabel Legacy Radios as SDR’s to try to recapture lost sales from the uninformed. The presentation will define what is an SDR and show where Legacy technology is not an SDR.

There are now Four Generations of SDR Architectures. First Generation SDR Architectures became economically and technologically feasible for amateur radio applications around 2000. Since then the pace of evolution of Amateur Radio SDR Architectures has begun to accelerate rapidly with Second Generation Architectures emerging in 2009, Third Generation Architectures in 2012 and most recently the very exciting Fourth Generation SDR Architectures in 2014. The presentation will define each of these architectures, explain how technological developments have caused them to happen and review the strengths and weaknesses of each architecture.

In order to make the presentation relevant to Amateur Radio Operators, the presentation will include products (with relative pricing where practical) currently on the market that are representative of each of the SDR architectures. Perhaps the most exciting development for amateur radio operators in the past year has been the emergence of a new 4th Generation SDR Architecture that not only bests Legacy Radios with better performance but has ergonomic advantages so that Contesters and DXer’s can finally make SDR’s their first choice.

Dr. Howard White, KY6LA: Four Generations of SDR Architectures and Products

Martin Dudok van Heel, PA1SDR: Passive Radar at home

This talk is about using the reflections of FM-radio and GPS satellites signals to do passive radar.

With passive radar you can analyze everything that reflects radiowaves without transmitting anything yourself. The airplanes, cars, buildings, amount of rainfall, the condition of the atmosphere layers, ionized gases, landscape layout, ocean waves, meteorites or individual humans or machines moving inside or outside buildings. Even most stealth airplanes can be detected by passive radar when the signals of distant transmitters are reflected down to the receiving passive radar station.

With the building blocks, normally used for implementing Software Defined Radio Systems you can also do very interesting signal analysis. You can use the opensource toolkits GNU Radio (SDR) + Octave (math) + your own code to analyze the direct path and reflections of any kind of wireless signal. You can use this to do passive radar, which is the art of generating a radar image by analyzing the reflections of signals you have not transmitted yourself. You need to be able to somehow obtain an estimate of the original transmitted signal without reflections, and compare/correlate that to the signal with reflections. Then use the time of arrival, phase, Doppler shift and direction of arrival to determine the exact location, speed and strength of (the source of the) refection, and thus generate a passive radar image.

Martin Dudok van Heel, PA1SDR: Passive Radar at home

András Retzler, HA7ILM: OpenWebRX, a Multi-User, Web-Based SDR Receiver Application

Software Defined Radio technology is getting more and more popular among amateur radio operators and hobbyists, as several different universal SDR receiver devices have become available recently. OpenWebRX is a software made for those who want to set up remote SDR receiver stations accessible from the web. It has been developed with open-source codebase, multi-user access and easy setup in mind, to be an alternative to other similar projects (WebSDR, ShinySDR, WebRadio, etc.) It also supports cheap RTL2832U based tuners. Basically, OpenWebRX is an on-line communications receiver for analog modulations (AM/FM/SSB/CW), with a web UI on which real-time waterfall display is available. Users can select a channel within the bandwidth of the sampled signal acquired from the SDR hardware. The selected channel is demodulated on the server and the resulting audio is streamed to the browser of the user, where it is played back. Users can set receiver parameters (channel frequency, modulation mode, filter envelope) independently. OpenWebRX was written in python and JavaScript. The web interface supports multiple browsers and uses modern browser features introduced in HTML5. The digital signal processing functions were placed in a separate library, libcsdr, which has been implemented in C and can also be considered useful as a standalone package. It can perform digital downconversion, filtering and demodulation tasks on I/Q data.

András Retzler, HA7ILM: OpenWebRX, a Multi-User, Web-Based SDR Receiver Application

SDR Talks from the 2015 Chaos Communication Camp

The Chaos Communication Camp (CCC) conference was recently held in Germany this year. The conference is a five day event that focuses on topics such computer security, hacking, electronics and other similar related topics. The full list of talks can be found here, but on this page we list all the SDR related talks which we could find. If you know of any more SDR related talks from the CCC please let us know in the comments.

“The Rad1o: Listen to all the things”

This year participants of the CCC were all given a Rad1o badge, which is a HackRF variant. In this talk the creators of the Rad1o explain their experience with creating the Rad1o and give an overview of it’s hardware and software options.

“Satellite Open Ground Station Network: open source ground station, optimized for modularity, built from readily available and affordable tools and resources.”

(Audio broken until 2:50) The SatNOGS project aims to provide low cost satellite ground stations (where one critical component is currently an RTL-SDR dongle) along with free networking software in order to create a crowd sourced satellite coverage network. The SatNOGS project was also the grand prize winner of the 2014 Hackaday prize which saw them take away almost $200k US dollars of prize money. This talk introduces the SatNOGS project.

“Iridium Hacking: please don’t sue us”

Iridium is a satellite service that provides global communications. This talk discusses how the presenters were able to decode the Iridium pager network with a simple software defined radio like the RTL-SDR. At the end of the presentation they show a live demo of the Iridium signals being decoded.