Tagged: GPS spoofing

SDR Videos from DEFCON 29

Recently some videos from this years (mostly virtual) DEFCON 29 conference have been uploaded to YouTube. Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. Some interesting talks that we've found from the main Defcon and Villages are posted below.

You can view all the talks directly as well as the many others via the main stage DEFCON YouTube channel, the ICS Village Channel, RF Village Channel and the Aerospace Village. There are also several talks from the Ham Radio Village recorded on Twitch. Did we miss any interesting talks? Please let us know in the comments.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

Why Smart Meters? This is a question Hash is often asked. There's no bitcoin or credit card numbers hiding inside, so he must want to steal power, right? Openly analyzing the technology running our critical infrastructure and publishing the findings is something Hash is passionate about. In the wake of the great Texas freeze of 2021, we can no longer "hope" those in power will make decisions that are in the people's best interest. This talk will present research on the Landis+Gyr GridStream series of smart meters used by Oncor, the largest energy provider in Texas.

Cyber attacks on Industrial Control Systems (ICS) differ in scope and impact based on a number of factors, including the adversary's intent, sophistication and capabilities, and familiarity with ICS and automated indutrial processes. In order to understand, identify and address the specific points that can prevent or stop an attack, a systematic model known as "Cyber Kill Chain" is detailed, a term that comes from the military environment and registered by the Lockheed Martin company. While most are familiar with terms and theoretical diagrams of how security should be implemented, in this talk we want to present live how an attack chain occurs from scratch to compromise industrial devices, the full kill chain, based in our experiences. The goal is to land these threats into the real world without the need to carry out these attacks with a nation-state budget.

Smart Meters: I'm Hacking Infrastructure and So Should You (Hash Salehi)

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data).

In this talk I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed and the audio is decoded and played. The maximum bit rate achieved was 33kbit/s and more than 99% of the packets were received.

Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packets transfers, but other types of digital data may be transmitted using the same technique.

[Slides Link] [Whitepaper]

DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS

"Today's presentation will start with a brief history of DragonOS, where it started and where it's at today. After a short introduction, I'll dive into the subject of visualizing RF propagation with DragonOS. I'll be showing a fresh OS install and the necessary steps to generate a rough estimate of a transmitter based on SRTM-3 elevation data, as well as a new feature enabling visualization/calculations of the path between transmitter and receiver .

Topics and hands on (pre-recorded) demonstrations will include the following,

  • SPLAT! is an RF Signal Propagation, Loss, And Terrain analysis tool for the electromagnetic spectrum between 20 MHz and 20 GHz.
  • Signal Server Multi-threaded RF coverage calculator
  • Dr. Bill Walker's role
  • Signal Server and DragonOS integration
  • DF-Aggregator Developer / Modifications for visualization

I’ll conclude talking about future improvements to RF propagation and visualization tools."

DEF CON 29 RF Village - cemaxecuter - RF Propagation and Visualization with DragonOS

Continue reading

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas city.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

Using a HackRF to Spoof GPS Navigation in Cars and Divert Drivers

Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.

The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that it's current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.

The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.

In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.

Other researchers are working on making GPS more robust. Aerospace Corp. are using a HackRF to try and fuse GPS together with other localization methods, such as by using localizing signals from radio towers and other satellites.

[Also seen on Arstechnica]

Hardware and Method used to Spoof Car GPS Navigation.
Hardware and Method used to Spoof Car GPS Navigation.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

"Pokémon Go" is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items need to collect Pokemon at "Pokéstops" and putting Pokémon to battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off the shelf "GPS-SDR-Sim" software by Takuji Ebinuma which is a GPS Spoofing tool for transmit capable SDR's like the HackRF, bladeRF and USRP radios. At first, when using the software Stefan noticed that the HackRF was simply jamming his GPS signals, and not simulating the satellites. He discovered the problem was with the HackRF's clock not being accurate enough. To solve this he used a function generator to input a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS (a-gps)" on his phone which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send a 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government have used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no fly restrictions.

[Also seen on Hackaday.com] / [Russian Readers: There is a translation of this article by softdroid now available]

The "Pokemon Go" GPS spoofing set up.
The "Pokemon Go" GPS spoofing set up.