Tagged: hackrf

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]

SignalsEverywhere: What SDR To Buy? Choose the Right one For You

Over on his YouTube channel SignalsEverywhere, Corrosive has just released a new video titled "Software Defined Radio Introduction | What SDR To Buy? | Choose the Right one For You". The video is an introduction to low cost software defined radios and could be useful if you're wondering which SDR you should purchase.

The video includes a brief overview of the Airspy, KerberosSDR, PlutoSDR, LimeSDR Mini, HackRF, SDRplay RSPduo and various RTL-SDR dongles. In addition to the hardware itself Corrosive also discusses the compatible software available for each SDR.

Software Defined Radio Introduction | What SDR To Buy? | Choose the Right one For You

Using a HackRF to Reverse Engineer and Control Restaurant Pagers

Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.

Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.

Hacking Restaurant Pagers with HackRF

YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year Corrosive from his YouTube channel SignalsEverywhere showed us a demo video of him receiving unecrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video Corrosive shows us how to install GR-DECT2 on Linux, which is the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software can be used and finally provides some optimizations tips.

DECT 6.0 Cordless Phone Eavesdropping {Install GR-DECT2 and Decode with HackRF SDR} or E4000 RTL SDR

Listening in to a DECT Digital Cordless Phone with a HackRF

Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF. 

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.

DECT 6.0 Phone Decoded With HackRF SDR | Demonstration

Black Friday SDR Sales: Airspy 15% Off, SDrplay RSP2 $20 Off, HackRF 20% Off

Airspy

Airspy is currently running a 15% Black Friday sale over on the manufacturers website iead.cc, and on their US distributor airspy.us. The coupon code is BF2018.

This results in an Airspy Mini costing only $84.15, an Airspy HF+ costing $169.15, an Airspy R2 costing $143.65 and a SpyVerter costing $41.65. This is the cheapest we've seen these products to date.  

SDRplay

Over on Ham Radio Outlet, the RSP2 is currently reduced by $20, taking it down to a price of only $149.95. The RSP2 Pro is also reduced down to $192.95. Other SDRplay products, and products on their website appear to be not discounted.

HackRF

Over on SparkFun the original HackRF is 20% off, resulting in a price of only $239.96. It's still double the price of an Aliexpress clone, but it is an original unit. In the UK ML&S are also selling it for 15% off at £219.95. This is the cheapest price we've seen an original HackRF sold for.

Elad FDM S2

At the higher end of the SDR spectrum, we see that the Elad FDM-S2 is currently reduced by $51, resulting in a sale price of $529.

Most of these sales are expected to run until Monday, or until stocks run out.

Have you found any other great SDR deals? Let us know in the comments.

Using the HackRF PortaPack To Perform a Mag-Stripe Audio Spoof

Over on his blog author "netxing" has uploaded a post describing how he was able to use a Portapack to spoof mag-stripe info stored on credit/debit cards. The idea based around an old trick called magnetic stripe audio spoofing. This is essentially using an electromagnet and a music player like an iPod or smartphone to trick a magnetic card reader into thinking that you're swiping a card through it.

Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.

Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure on why you'd want to do this, but it is an interesting experiment regardless.

HackRF Portapack Mag-strip Spoofing
HackRF Portapack Mag-strip Spoofing

GammaRF: Distributed Radio Signal Collection and Analysis with RTL-SDR and HackRF

Thank you to Josh for submitting news about his project called GammaRF. GammaRF is an client-server program that is used to aggregate signal information via the internet from distributed SDRs. Currently the RTL-SDR and HackRF SDRs are supported.

ΓRF (“GammaRF”, or “GRF”) is a radio signal collection, storage, and analysis system based on inexpensive distributed nodes and a central server. Put another way, it is a distributed system for aggregating information about signals, and a back-end infrastructure for processing this collected information into coherent “products”.

Nodes utilize inexpensive hardware such as RTL-SDR and HackRF radios, and computers as small and inexpensive as Intel NUCs. Each node runs modules which provide various radio monitoring functionality, such as monitoring frequencies for “hits”, watching power levels, keeping track of aircraft (through ADS-B), and more. Nodes are distributed geographically and their data is combined on the server for hybrid analysis.

A web-based system allows users to view information from and about each station in its area. Below shows the server landing page. Markers are placed at each station’s last known location (stations can be mobile or stationary.)

GammaRF Server Landing Page
GammaRF Server Landing Page

From the currently implemented modules it appears that you can monitor ADS-B, scan and monitor the power of a set of frequencies, forward the output from trunk-recorder (a P25 call recorder), scan the spectrum and monitor power levels, monitor a single frequency for activity, take a picture of a swath of RF spectrum, and collect 433 MHz ISM data. Some example applications might include:

  • Monitoring ham radio activity on repeaters in a city
  • Creating timelines of emergency services activity in an area
  • Distributed tracking of satellites and other mobile emitters
  • Monitoring power at a frequency, for example as a mobile node traverses an area (e.g. signal source location)
  • Building direction finding networks (e.g. for fox hunts)
  • Spectrum enumeration (finding channels and guessing modulation) [under development]
Monitoring Activity of an Amateur Radio Repeater
Monitoring Activity of an Amateur Radio Repeater via the 'scanner' Module