Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF.
DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.
In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.
Demonstration Listening to DECT Phone Call with a HackRF SDR
Over on Ham Radio Outlet, the RSP2 is currently reduced by $20, taking it down to a price of only $149.95. The RSP2 Pro is also reduced down to $192.95. Other SDRplay products, and products on SDRplay's own website, do not appear to be discounted.
Over on SparkFun the original HackRF is 20% off, resulting in a price of only $239.96. It's still double the price of an Aliexpress clone, but it is an original unit. In the UK ML&S are also selling it for 15% off at £219.95. This is the cheapest price we've seen an original HackRF sold for.
Elad FDM S2
At the higher end of the SDR spectrum, we see that the Elad FDM-S2 is currently reduced by $51, resulting in a sale price of $529.
Most of these sales are expected to run until Monday, or until stocks run out.
Have you found any other great SDR deals? Let us know in the comments.
Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.
Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure why you'd want to do this, but it is an interesting experiment regardless.
Thank you to Josh for submitting news about his project called GammaRF. GammaRF is a client-server program that aggregates signal information over the internet from distributed SDRs. Currently the RTL-SDR and HackRF are supported.
ΓRF (“GammaRF”, or “GRF”) is a radio signal collection, storage, and analysis system based on inexpensive distributed nodes and a central server. Put another way, it is a distributed system for aggregating information about signals, and a back-end infrastructure for processing this collected information into coherent “products”.
Nodes utilize inexpensive hardware such as RTL-SDR and HackRF radios, and computers as small and inexpensive as Intel NUCs. Each node runs modules which provide various radio monitoring functionality, such as monitoring frequencies for “hits”, watching power levels, keeping track of aircraft (through ADS-B), and more. Nodes are distributed geographically and their data is combined on the server for hybrid analysis.
A web-based system allows users to view information from and about each station in its area. Below shows the server landing page. Markers are placed at each station’s last known location (stations can be mobile or stationary.)
From the currently implemented modules it appears that you can monitor ADS-B, scan and monitor the power of a set of frequencies, forward the output from trunk-recorder (a P25 call recorder), scan the spectrum and monitor power levels, monitor a single frequency for activity, take a picture of a swath of RF spectrum, and collect 433 MHz ISM data. Some example applications might include:
Monitoring ham radio activity on repeaters in a city
Creating timelines of emergency services activity in an area
Distributed tracking of satellites and other mobile emitters
Monitoring power at a frequency, for example as a mobile node traverses an area (e.g. signal source location)
Building direction finding networks (e.g. for fox hunts)
Spectrum enumeration (finding channels and guessing modulation) [under development]
Thanks to Tony C who wrote in and wanted to share a method that he's found to listen to multiple DMR digital voice channels in Linux. DSD+ is a Windows program that can be used to decode DMR. Although it is a Windows program, it can be run on Linux via Wine, with the digital audio piped to it from GQRX. In the quote below, DSD+ "FL" is short for "Fast Lane", which is DSD+'s paid beta service that you can join to get newer code with more features. Tony writes:
I believe this can bridge the gap between using Linux and the ease-of-use programs of Windows. As I am sure we both can attest, setting up trunk tracking / anything SDR is not as easy on Linux as it is on Windows. For example, DSDplus FL makes it extremely easy to identify/decode DMR networks. There are similar things that can be done on Linux, but as I stated, it isn't as easy to set up.
So the method that I set up and have been using successfully, on Ubuntu with a HackRF, is running DSDplus 2.98 on Wine with audio piped to it from GQRX using a virtual sink, as outlined in https://www.hagensieker.com/wordpress/2018/04/29/dsd-in-ubuntu-18-04/. It was a great blog, but I felt that it was incomplete when trying to get all the voice traffic passed on a network, as it only works on one channel at a time.
So I found the control channel for the network and created 5 bookmarks in GQRX and gave them the tag "DMR". From there I downloaded gqrx-scanner (https://github.com/neural75/gqrx-scanner) and followed the install and setup instructions. From there I activated the scanner, and GQRX will cycle through the frequencies; when voice traffic is passed, it will stop, and DSDplus via Wine will decode and record the audio.
[The screenshot] example was for P25, but it has worked on Connect+ as well; the only thing is that you cannot bookmark the control channel. I know other options exist out there such as SDRtrunk / OP25, which I have used, but I believe this provides a good alternative for those who have used Windows and are comfortable with the ease of use of DSDplus FL but want to be on the Linux OS.
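The workflow Tony describes (bookmarks tagged "DMR", a scanner that cycles through them and parks on whichever one is carrying traffic) can be reproduced in a few dozen lines. This is an added example, not Tony's setup or gqrx-scanner's code: it assumes GQRX's remote control is enabled on TCP port 7356 and uses its `F`, `l STRENGTH` and `l SQL` commands, and the bookmarks.csv layout below is my reading of GQRX's format, filled with constructed entries.

```python
import socket
import time
# Constructed sample in the layout GQRX's bookmarks.csv uses (format assumed here):
SAMPLE_BOOKMARKS = """\
DMR         ; #ff0000
451200000   ; Site 1 control ; Narrow FM  ;     12500 ; DMR
451250000   ; Site 1 voice   ; Narrow FM  ;     12500 ; DMR
146520000   ; 2m calling     ; Narrow FM  ;     12500 ; Ham
"""
def bookmarks_with_tag(csv_text, tag):
    """Frequencies (Hz) of every bookmark carrying `tag`, e.g. Tony's "DMR" tag."""
    freqs = []
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(";")]  # tag/colour lines have < 5 fields
        if len(fields) >= 5 and fields[0].isdigit() and tag in map(str.strip, fields[4].split(",")):
            freqs.append(int(fields[0]))
    return freqs

class GqrxClient:  # GQRX remote control: rigctl-style text protocol, default TCP 7356
    def __init__(self, host="127.0.0.1", port=7356):
        self.io = socket.create_connection((host, port)).makefile("rw")
    def cmd(self, text):
        self.io.write(text + "\n")
        self.io.flush()
        return self.io.readline().strip()
    def set_freq(self, hz): return self.cmd(f"F {hz}") == "RPRT 0"
    def strength(self): return float(self.cmd("l STRENGTH"))  # signal level, dBFS
    def squelch(self): return float(self.cmd("l SQL"))        # squelch threshold, dBFS

def scan_once(radio, freqs, dwell=0.3, hang=2.0, clock=time.monotonic, sleep=time.sleep):
    """One pass over `freqs`: park on any channel above squelch until it has been
    quiet for `hang` seconds, so a call is not dropped between voice bursts."""
    log = []  # (freq_hz, seconds_active) for every channel that carried traffic
    for hz in freqs:
        radio.set_freq(hz)
        sleep(dwell)  # let the receiver settle before judging the level
        start = last_active = None
        while True:
            active = radio.strength() > radio.squelch()
            now = clock()
            if active:
                start = now if start is None else start
                last_active = now
            elif start is None or now - last_active > hang:
                break
            sleep(dwell)
        if start is not None:
            log.append((hz, round(last_active - start, 1)))
    return log
```

To run it against a live receiver, loop over `scan_once(GqrxClient(), bookmarks_with_tag(open(path).read(), "DMR"))` while DSD+ under Wine decodes from the virtual sink as before.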
In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.
This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.
As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.
In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.
Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.
Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that diverted drivers to a wrong destination (pdf) without being noticed. The attack hardware was low cost and built from off-the-shelf parts: a Raspberry Pi 3, a HackRF SDR, a small whip antenna and a mobile battery pack, for a total cost of only $225. The HackRF is a transmit capable SDR.
The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that its current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road network, so that the driver does not notice that anything is wrong.
The attack is limited in that it relies on the driver paying attention only to the turn-by-turn directions, and not looking closely at the map or already knowing the roads. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.
In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example, some players of the once-popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and to divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.
Recently we've found that there are now cloned units of the SDRplay RSP1 and Airspy R2 appearing on Aliexpress and eBay. (We won't link them here to avoid improving the Google ranking of the clone listings.) This post is just a warning and reminder that these are not official products of SDRplay or Airspy, and as such you would not receive any support if something went wrong with them. The performance and long term software support of the clones also isn't known. Buying clones also damages the original developers' ability to bring out exciting new products, as we've seen consistently with Airspy and SDRplay.
We've been in contact with SDRplay for a statement and they believe that the unit is a clone of the older and now discontinued RSP1, and not the RSP1A, despite the listings advertising RSP1A features such as additional filtering. SDRplay note from the pictures of the circuit board that the cloned unit's circuit board looks like an RSP1, and that the listing description is probably just blindly copied directly from the official RSP1A description.
Currently, given that the price of the cloned RSP1 is $139, which is higher than the $109 cost of an original and newer model RSP1A, we don't see many taking up the offer.
The Airspy R2 has also recently been cloned and now appears on Aliexpress with the lowest price being US$139 without any metal enclosure. Given that the price of an original Airspy R2 with metal enclosure is US$169, we again don't see many taking up the offer of the clone with such a small price difference.
The HackRF is a different story in respect to clones. The HackRF design and circuits are open source, so unlike the closed source designs of the SDRplay and Airspy, in a way HackRF clones are actually encouraged and are legal. For some time now it's been possible to find cloned HackRFs on Aliexpress for only US$120 at the lowest, and from $150 - $200 including antennas and TCXO upgrades. This is quite a saving on the $299+ cost of the original HackRF. Reports from buyers indicate that the HackRF clones are actually decent and work well. The advantage of buying the original version is that you support Michael Ossmann, the creator of the HackRF, and may potentially get a better performing unit.
We've also seen clones of the HackRF Portapack on Aliexpress, which is an add-on for the HackRF that allows you to go portable. The clones go for $139 vs $220 for the original. No word yet on the quality.
We also note that recently there have been several green color RTL-SDRs released on the market with some being advertised as "RTL-SDR Blog V3" units. These are not our units, and are not even actual clones of the V3. These green units appear to just be standard RTL-SDRs without any real improvements apart from a TCXO. Some listings even advertise the V3's bias tee and HF features, but they are not implemented. Real V3 units come in a silver enclosure branded with RTL-SDR.COM.
If you know how China works, you'll understand that it's highly unlikely that there is any legal recourse for SDRplay and Airspy to remove these products from sale. Once a product is popular it is almost a given that it will be cloned. It's possible that the clones could be crippled by having the official software blacklist them, but that the companies would implement this is a stretch, and it would probably be easy to get around. In the end, while not ethical in a business fairness sense, these clones may be good for the consumer as they force the original designers to lower their prices and improve their added value services.
If readers are interested in a comparison between the clones and original units, please let us know as we may consider an article on it.