Tagged: hackrf

Using the HackRF PortaPack To Perform a Mag-Stripe Audio Spoof

Over on his blog author "netxing" has uploaded a post describing how he was able to use a Portapack to spoof mag-stripe info stored on credit/debit cards. The idea based around an old trick called magnetic stripe audio spoofing. This is essentially using an electromagnet and a music player like an iPod or smartphone to trick a magnetic card reader into thinking that you're swiping a card through it.

Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.

Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure on why you'd want to do this, but it is an interesting experiment regardless.

HackRF Portapack Mag-strip Spoofing
HackRF Portapack Mag-strip Spoofing

GammaRF: Distributed Radio Signal Collection and Analysis with RTL-SDR and HackRF

Thank you to Josh for submitting news about his project called GammaRF. GammaRF is an client-server program that is used to aggregate signal information via the internet from distributed SDRs. Currently the RTL-SDR and HackRF SDRs are supported.

ΓRF (“GammaRF”, or “GRF”) is a radio signal collection, storage, and analysis system based on inexpensive distributed nodes and a central server. Put another way, it is a distributed system for aggregating information about signals, and a back-end infrastructure for processing this collected information into coherent “products”.

Nodes utilize inexpensive hardware such as RTL-SDR and HackRF radios, and computers as small and inexpensive as Intel NUCs. Each node runs modules which provide various radio monitoring functionality, such as monitoring frequencies for “hits”, watching power levels, keeping track of aircraft (through ADS-B), and more. Nodes are distributed geographically and their data is combined on the server for hybrid analysis.

A web-based system allows users to view information from and about each station in its area. Below shows the server landing page. Markers are placed at each station’s last known location (stations can be mobile or stationary.)

GammaRF Server Landing Page
GammaRF Server Landing Page

From the currently implemented modules it appears that you can monitor ADS-B, scan and monitor the power of a set of frequencies, forward the output from trunk-recorder (a P25 call recorder), scan the spectrum and monitor power levels, monitor a single frequency for activity, take a picture of a swath of RF spectrum, and collect 433 MHz ISM data. Some example applications might include:

  • Monitoring ham radio activity on repeaters in a city
  • Creating timelines of emergency services activity in an area
  • Distributed tracking of satellites and other mobile emitters
  • Monitoring power at a frequency, for example as a mobile node traverses an area (e.g. signal source location)
  • Building direction finding networks (e.g. for fox hunts)
  • Spectrum enumeration (finding channels and guessing modulation) [under development]
Monitoring Activity of an Amateur Radio Repeater
Monitoring Activity of an Amateur Radio Repeater via the 'scanner' Module

Listening To Multiple DMR Channels with DSD+ and a HackRF on Linux

Thanks to Tony C who wrote in and wanted to share a method that he's found to listen to  multiple DMR digital voice channels in Linux. DSD+ is a Windows program that can be used to decode DMR. Although for Windows it is possible to use in Linux via the emulator known as Wine, and pipe the digital audio to it from GQRX. In the quote below, DSD+ "FL" is short for "Fast Lane" which is DSD+'s paid beta service that you can join to get  newer code with more features. Tony writes:

I believe that can bridge the gap between using Linux with the ease of use programs of windows. As I am sure we both can attest that setting up trunk tracking / anything SDR is not as easy on Linux as it is on windows. For example, DSDplus FL makes it extremely easy to identify/decode DMR networks. There are similar things that can be done on Linux, but as I stated, it isn’t as easy to setup.

So the method that I setup and have been using successfully, using Ubuntu and a HackRF, setting up DSDplus 2.98 on wine, that gets audio piped from GQRX using a virtual sink as outlined in https://www.hagensieker.com/wordpress/2018/04/29/dsd-in-ubuntu-18-04/. It was a great blog, but I felt that it was incomplete when trying to get all the voice traffic passed on a network, as it only works on 1 channel at a time.

So I found the control channel for the network and created 5 bookmarks in GQRX and gave them the tag “DMR”. From there I downloaded gqrx scanner https://github.com/neural75/gqrx-scanner followed the install and setup instructions. From there I activated the scanner and GQRX will cycle through the frequencies and when voice traffic is passed, it will stop, and DSDPLUS via wine will decode and record the audio.

[The screenshot] example was for P25, but it has worked in connect+ as well, the only thing is that you cannot bookmark the control channel. I know other options exist out there such as SDRtrunk / op25 which I have used, but I believe this provides a good alternative to those who have used windows and are comfortable with the ease of use of dsdplus FL but want to be on the Linux OS. 

DSD+ Decoding Multiple DMR Channels on Linux
DSD+ Decoding Multiple DMR Channels on Linux

 

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Using a HackRF to Spoof GPS Navigation in Cars and Divert Drivers

Researchers at Virginia Tech, the University of Electronic Science and Technology of China and Microsoft recently released a paper discussing how they were able to perform a GPS spoofing attack that was able to divert drivers to a wrong destination (pdf) without being noticed. The hardware they used to perform the attack was low cost and made from off the shelf hardware. It consisted of a Raspberry Pi 3, HackRF SDR, small whip antenna and a mobile battery pack, together forming a total cost of only $225. The HackRF is a transmit capable SDR.

The idea is to use the HackRF to create a fake GPS signal that causes Google Maps running on an Android phone to believe that it's current location is different. They use a clever algorithm that ensures that the spoofed GPS location remains consistent with the actual physical road networks, to avoid the driver noticing that anything is wrong.

The attack is limited in that it relies on the driver paying attention only to the turn by turn directions, and not looking closely at the map, or having knowledge of the roads already. For example, spoofing to a nearby location on another road can make the GPS give the wrong 'left/right' audio direction. However, in their real world tests they were able to show that 95% of test subjects followed the spoofed navigation to an incorrect destination.

In past posts we've seen the HackRF and other transmit capable SDRs used to spoof GPS in other situations too. For example some players of the once popular Pokemon Go augmented reality game were cheating by using a HackRF to spoof GPS. Others have used GPS spoofing to bypass drone no-fly restrictions, and divert a superyacht. It is also believed that the Iranian government used GPS spoofing to safely divert and capture an American stealth drone back in 2011.

Other researchers are working on making GPS more robust. Aerospace Corp. are using a HackRF to try and fuse GPS together with other localization methods, such as by using localizing signals from radio towers and other satellites.

[Also seen on Arstechnica]

Hardware and Method used to Spoof Car GPS Navigation.
Hardware and Method used to Spoof Car GPS Navigation.

Cloned SDRPlay and Airspy Units Now Appearing on Aliexpress/eBay

Recently we've found that there are now cloned units of SDRplay RSP1 and Airspy R2 units appearing on Aliexpress and eBay. (We won't link them here to avoid improving the Google ranking of the clone listings). This post is just a warning and reminder that these are not official products of SDRplay or Airspy, and as such you would not receive any support if something went wrong with them. The performance and long term software support of the clones also isn't known. Buying clones also damages the original developers abilities to bring out exciting new products like we've seen so far constantly with Airspy and SDRplay.

SDRplay

We've been in contact with SDRplay for a statement and they believe that the unit is a clone of the older and now discontinued RSP1, and not the RSP1A, despite the listings advertising RSP1A features such as additional filtering. SDRplay note from the pictures of the circuit board that the cloned unit's circuit board looks like an RSP1, and that the listing description is probably just blindly copied directly from the official RSP1A description.

Currently given that the price of the cloned RSP1 is $139, which is higher than the $109 cost of an original and newer model RSP1A, we don't see many taking up the offer.

Airspy

The Airspy R2 has also recently been cloned and now appears on Aliexpress with the lowest price being US$139 without any metal enclosure. Given that the price of an original Airspy R2 with metal enclosure is US$169, we again don't see many taking up the offer of the clone with such a small price difference.

HackRF

The HackRF is a different story in respect to clones. The HackRF design and circuits are open source, so unlike the closed source designs of the SDRplay and Airspy, in a way HackRF clones are actually encouraged and are legal. For some time now it's been possible to find cloned HackRF's on Aliexpress for only US$120 at the lowest, and from $150 - $200 including antennas and TCXO upgrades. This is quite a saving on the $299+ cost of the original HackRF. Reports from buyers indicate that the HackRF clones are actually decent and work well. The advantage of buying the original version is that you support Michael Ossmann, the creator of the HackRF, and may potentially get a better performing unit.

We've also seen clones of the HackRF Portapack on Aliexpress, which is an add-on for the HackRF that allows you to go portable. The clones go for $139 vs $220 for the original. No word yet on the quality.

RTL-SDR V3

We also note that recently there have been several green color RTL-SDRs released on the market with some being advertised as "RTL-SDR Blog V3" units. These are not our units, and are not even actual clones of the V3. These green units appear to just be standard RTL-SDRs without any real improvements apart from a TCXO. Some listings even advertise the V3's bias tee and HF features, but they are not implemented. Real V3 units come in a silver enclosure branded with RTL-SDR.COM.

Final Words

If you know how China works, you'll understand that it's highly unlikely that there is any legal recourse for SDRplay and Airspy to remove these products from sale. Once a product is popular it is almost a given that it will be cloned. It's possible that the clones might be able to be gimped via blacklisting official software, but that the companies would implement this is a stretch, and would probably be easy to get around. In the end while not ethical in a business fairness sense, these clones may be good for the consumer as they force the original designers to lower their prices and improve added value services.

If readers are interested in a comparison between the clones and original units, please let us know as we may consider an article on it.

Cloned SDRs Roundup
Cloned SDRs Roundup

Generating a WiFi Radio Heatmap with a Helical Antenna, Antenna Rotator and a HackRF

Over on YouTube The Thought Emporium channel has been working on creating a "WiFi Camera" over the past few weeks. The idea is to essentially create a small radio telescope that can "see" WiFi signals, by generating a heatmap of WiFi signal strength. This is done with a directional helical 2.4 GHz antenna and motorized rotator that incrementally steps the antenna through various angles. After each movement step a HackRF and Python script is used to measure WiFi signal strength for a brief moment, and then the rotator moves onto the next angle. The helical antenna and rotator that they created are made out of PVC pipe plastic and wood, and are designed to be built by anyone with basic workshop tools like a bandsaw.

The final results show that they've been able to successfully generate heatmaps that can be overlaid on top of a photo. The areas that show higher signal strength correlate with areas on the photo where WiFi routers are placed, so the results appear to be accurate. In the future they hope to expand this idea and create a skyward pointing radio telescope for generating images of the galactic hydrogen line, and of satellites.

WiFi Heatmap Building Scan Results
The Thought Emporiums' WiFi Heatmap Building Scan Results

The videos are split into three parts. The first two videos show the build process of the antennas and rotator, whilst the third video shows the final results.

DIY Radio Telescope Version 2: Wifi vision - Part 1

DIY Radio Telescope V2: Wifi Vision - Part 2

Building a Camera That Can See Wifi | Radio Telescope V2 - Part 3 SUCCESS!

Using a HackRF to Transmit To a Local Repeater

Over on YouTube Tech Minds has uploaded a new video where he shows how he can use his HackRF SDR with the SDRAngel software to easily transmit voice to a local ham radio repeater. If you are unfamiliar with ham radio, a ham repeater is simply a radio station that receives voice or other signals on a certain ham radio frequency, and re-transmits the signal with stronger power on another frequency. This allows communications to be receivable over a much larger distance.

SDRAngel is a very nice piece of SDR software that has controls for TX capable SDR's like the HackRF. In the video Tech Minds shows the HackRF being used as a transmitter, with it transmitting to a repeater at 145.137 MHz. An RTL-SDR is then used to listen to the repeater output at 145.737 MHz. With this set up he is able to contact a friend via the repeater easily.

It doesn't appear that Tech Minds is using any sort of external amplifier, so this shows that the HackRF is powerful enough to hit local repeaters just by itself.

Transmitting With A HackRF One Via My Local Ham Radio Repeater