Tagged: hackrf

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.

Medtronic Minimed Insulin Pumps Recalled due to Wireless Security Vulnerabilities

A MiniMed Insulin Pump

Back at the 2018 Black Hat conference it was revealed by security researchers Billy Rios and Jonathan Butts that a HackRF could be used to take control of a Medtronic insulin pump. Back then FDA advisories were issued, but recently a new warning noting that Medtronic MiniMed 508 and Paradigm series insulin pumps could be vulnerable to wireless attacks was again issued. The vulnerabilities could allow hackers to wireless cause the device to deliver excessive amounts of insulin or stop insulin delivery. 

Apparently the vulnerabilities cannot be fixed with a software update, so Medtronic have issued a voluntary recall, asking customers to contact their healthcare providers so that they can upgrade to their newer units which are more secure (although these newer units are not available everywhere outside the USA). We also note that Medtronic implantable cardiac defibrillators (ICDs) which appear to share the same vulnerability do not appear to have been recalled. For both the insulin pumps and ICDs, the issues stem from the fact that the "Conexus" wireless protocol used in the products do not use encryption, authentication or authorization.

A newspaper article at theregister.co.uk writes:

Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump uses and its CareLink controller device was insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.

"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."

Previously we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525

SignalsEverywhere: What SDR To Buy? Choose the Right one For You

Over on his YouTube channel SignalsEverywhere, Corrosive has just released a new video titled "Software Defined Radio Introduction | What SDR To Buy? | Choose the Right one For You". The video is an introduction to low cost software defined radios and could be useful if you're wondering which SDR you should purchase.

The video includes a brief overview of the Airspy, KerberosSDR, PlutoSDR, LimeSDR Mini, HackRF, SDRplay RSPduo and various RTL-SDR dongles. In addition to the hardware itself Corrosive also discusses the compatible software available for each SDR.

Software Defined Radio Introduction | What SDR To Buy? | Choose the Right one For You

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year Corrosive from his YouTube channel SignalsEverywhere showed us a demo video of him receiving unecrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video Corrosive shows us how to install GR-DECT2 on Linux, which is the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software can be used and finally provides some optimizations tips.

DECT 6.0 Cordless Phone Eavesdropping {Install GR-DECT2 and Decode with HackRF SDR}

Listening in to a DECT Digital Cordless Phone with a HackRF

Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF. 

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.

Demonstration Listening to DECT Phone Call with a HackRF SDR

Black Friday SDR Sales: Airspy 15% Off, SDrplay RSP2 $20 Off, HackRF 20% Off

Airspy

Airspy is currently running a 15% Black Friday sale over on the manufacturers website iead.cc, and on their US distributor airspy.us. The coupon code is BF2018.

This results in an Airspy Mini costing only $84.15, an Airspy HF+ costing $169.15, an Airspy R2 costing $143.65 and a SpyVerter costing $41.65. This is the cheapest we've seen these products to date.  

SDRplay

Over on Ham Radio Outlet, the RSP2 is currently reduced by $20, taking it down to a price of only $149.95. The RSP2 Pro is also reduced down to $192.95. Other SDRplay products, and products on their website appear to be not discounted.

HackRF

Over on SparkFun the original HackRF is 20% off, resulting in a price of only $239.96. It's still double the price of an Aliexpress clone, but it is an original unit. In the UK ML&S are also selling it for 15% off at £219.95. This is the cheapest price we've seen an original HackRF sold for.

Elad FDM S2

At the higher end of the SDR spectrum, we see that the Elad FDM-S2 is currently reduced by $51, resulting in a sale price of $529.

Most of these sales are expected to run until Monday, or until stocks run out.

Have you found any other great SDR deals? Let us know in the comments.