Tagged: hacking

Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote into us to let us know about his recently released project called Topguw. Bastien’s Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, have installed Airprobe and Kraken, and you’ll also need a 2TB rainbow table which keeps the barrier to this hack still quite high. Bastien writes about his software:

So like I said my software can “crack” SMS and call over GSM network.

How ?

I put quotation marks in crack because my software is not enough to deciphered GSM itself. My software can make some steps of the known-plaintext attack, introduce by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I’ll not explain here all the steps because they are long and tedious, but there is a lot of work done behind the Gui.

Actually my software can extract Keystream (or try to find some of them) from a capture file of GSM, or by sniffing GSM with a rtl-sdr device. Then you just have to use Kraken to crack the key and you’re able to decipher sms or call.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2Tb), everyone can try to hack the GSM. It’s very low cost compare to other hack vector. Moreover the success rate is really great if you guess the Keystream correctly. So when I started to done this with my hands I though -> why don’t try to make something to do this automatically.
This is how Topguw was born.

Topguw, I hope, will sensitize people about risk they take by calling or sending sms with GSM.

My software is currently in beta version but I did run several time and I got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are made to help GSM reverse-engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you’re interested in Bastiens YouTube channel as he plans to upload another video soon where he shows himself hacking his own GSM sms/call signals.

GSM Hacking – easier than ever with Topguw

Of course remember that hacking into GSM signals is very illegal and if you do this then you must check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

Hacking a PlayStation 3 using an RTL-SDR

There is a war going on between game console designers and the console modding community. Modders hack the console system so that they can jailbreak it and then install their own custom firmware while console designers are constantly finding new ways to prevent unauthorized modding. Custom firmware allows a console to run homebrew applications like media players and emulators that use the console in ways that is was not intended to be used in. One PlayStation 3 modder has recently been using an RTL-SDR to help jailbreak a PlayStation 3 Super Slim (4K) console, whose current official firmware appears to not yet have been jailbroken. It’s important to note that so far no actual jailbreaking has been done with this method, but the modder is currently working on it. His idea is to receive leaked RF signals from the PS3 and then use methods similar to Acoustic Cryptoanalysis to decode the data and find out what opcode operations the processors are performing. The modder writes about his method in the following.

My idea was to hook up a rtl-sdr device to the PS3 4k between chassis and real ground (yes, I actually have a two meter copper rod buried in my lawn) using the antenna leads. First I had to make sure the PS3 4k chassis wasn’t grounded in the outlet, and that no video out or USB connector was hooked up to ground indirectly via other hardware. If you want to try this, make sure that the rtl-sdr antenna leads are the only lead between the PS3 mobo/chassis and real ground. Before connecting the rtl-sdr antenna leads I measured the voltage on the PS3 chassis which peaked at around 1.8V which was safe enough, didn’t want to blow it up on the first try. 

This method will effectively turn your console into an “active antenna” leaking all kind of interesting data on the rtl-sdr frequency spectrum (between 24 – 1766 MHz). After hooking it up, I started using gqrx on my laptop to look for signal peaks while the PS3 4k was turned on, after finding a peak I just powered off the PS3 completely and turned it back on, using the waterfall plot you’ve seen in my first post I can see if there is something interesting happening during boot and verify that the signal is indeed coming from the PS3. In a similar way I learned to distinguish between the PS3 BD drive, GPU and CPU which pops up at different frequencies. Then I dumped the data (I/Q recording) that looked interesting and made a note of the frequency. It’s hard to describe the incredible feeling when you tune into a good signal and start watching the waterfall plot revealing opcodes, register bits and what might be stack contents. The Acoustic Cryptoanalysis paper (PDF) has a lot of good info how to interpret the output from various window functions in the plot.  What I’m coding right now is a gnuradio-companion block which will filter and test the dumped data for decryption keys against encrypted PS3 data. 

PS3 Data Received with an RTL-SDR and Shown on GQRX
PS3 Data Received with an RTL-SDR and shown on a GQRX Waterfall

Videos from DEFCON 22 Wireless Village Talks

Another security and hacking conference that recently finished is Defcon 2014. During this conference there was a “Wireless Village” were there were talks discussing all things related to radio frequency. During this conference there were many talks related to Software Defined Radio.

A list of all talks at the Defcon Wireless Village 2014 can be found on this page. The most interesting talks that we found related to SDR are shown below.

Hacking the Wireless World with Software Defined Radio

Presented by Balint Seeber, SDR Evangelist as Ettus Research. Balint presented a similar talk at Black Hat and the slides to go along with that can be found here.

Ever wanted to spoof a restaurant’s pager system? How about use an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there’s ‘printing’ steganographic images onto the radio spectrum…

Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by ‘blindly’ analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I’ll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service’s Traffic Message Channel. If you have any SDR equipment, bring it along!

Track 1 13 Closing Ceremonies

So ya wanna get into SDR?

Not explained through erotic interpretive dance, though could be, this presentation will cover the essentials for getting into the software defined radio hobby. Hardware requirements, distributed nodes, architecture designs, tips/tricks, random projects and common mistakes will be explained. This will be a technical talk that will be open for harassment, jokes, interaction and presented in a way that everyone will be able to take something away from it; wait, this is Vegas… but we’re hackers…

01 so you want to sdr

SDR Tricks with HackRF

HackRF and some other Software Defined Radio platforms can be used in creative ways. I’ll show methods, including a dirty trick or two, for using HackRF outside the advertised frequency range. I’ll also show how the HackRF design lends itself to use as an oscilloscope or function generator suitable for many hardware hacking tasks.

18 SDR Tricks with the hackrf

PortaPack: Is that a HackRF in your Pocket?

The PortaPack H1 transforms the HackRF One software-defined radio into a hand-held radio exploration tool. Spectrum analysis, monitoring and logging, and demodulation and injection of simpler digital modes will be demonstrated by Jared Boone, a HackRF project contributor.

16 Porta pack is that a hackrf in your pocket

PHYs, MACs, and SDRs

The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.

17 PHYs MACs and SDRs

SDR Unicorns

A panel with SDR Gurus Michael Ossmann, Balint Seeber and Robert Ghilduta.

19 unicorns

Brute Force Unlocking a Car with a USRP Software Defined Radio

Wired.com has posted an article showing how security researcher Cesare was able to use his USRP software defined radio to unlock a car with wireless entry. Essentially his hack involves brute forcing the rolling security code used by the wireless unlocking security protocol. Even with just a brute force attack he was able to unlock his car in just a few minutes. While this hack probably won’t work with newer cars which disable unlocking for a few minutes after a number of failed code attempts, Cesare notes that the hack will probably work for many similar cars of the 10 years or older generation.

This article goes along with their previous one discussing how thieves could hack into a home alarm system using a software defined radio.

The USRP is an advanced software defined radio that sells for around a thousand dollars but we note that the same attack could be performed with the cheaper and almost available HackRF SDR.