Tagged: hackrf

Developing an Alternative To GPS with a HackRF

The Aerospace Sextant System
The Aerospace Sextant System

The LA Times recently ran a story that discussed how vulnerable GPS is to malicious spoofing. This has been well known for a number of years now with researchers having been successful at diverting a 80-million dollar yacht off it's intended course 5 years ago. We've also seen GPS spoofing performed with low cost TX capable SDRs like the HackRF. For example we've seen researchers use GPS spoofing to cheat at "Pokemon Go" an augmented reality smartphone game and to bypass drone no-fly restrictions.

The article in the LA times also discusses how a group of researchers at Aerospace Corp. are testing GPS alternatives and/or augmentations, that improve resilience against spoofing. The system being developed is called 'Sextant', and it's basic idea is to use other sources of information to help in determining a location.

Other sources of information include signals sources like radio, TV and cell tower signals. It also includes taking data from other localization signals like LORAN (a long range HF based hyperbolic navigation system), and GPS augmentation satellites such as the Japanese QZSS which is a system used to improve GPS operation in areas with dense tall buildings, such as in many of Japans cities. More advanced Sextant algorithms will possibly also incorporate accelerometer/inertial data, and even a visual sensor that uses scenery to determine location.

Most likely a key component of Sextant will be the use of a software defined radio and from the photos in the article the team appear to be testing Sextant with a simple HackRF SDR. While we're unsure of the commercial/military nature of the software, and although probably unlikely, hopefully in the future we'll see some open source software released which will allow anyone to test Sextants localization features with a HackRF or similar SDR.

Aerospace Corp. Testing Sextant with a HackRF
Aerospace Corp. Testing Sextant with a HackRF

Measuring the Noise Figure of Airspy and HackRF SDRs in Real Time

The Noise Figure (NF) is an important metric for low noise amplifiers and SDRs. It's a measure of how much components in the signal chain degrade the SNR of a signal, so a low noise figure metric indicates a more sensitive receiver. The Noise Figure of a radio system is almost entirely determined by the very first amplifier in the signal chain (the one closest to the antenna), which is why it can be very beneficial to have a low NF LNA placed right at the antenna

Over on his blog Rowetel has been attempting to measure the noise figure of his HackRF and Airspy, and also with the SDRs connected to an LNA. He's managed to come up with a method for measuring the noise figure of these devices in real time. The method involves using a GNU Octave script that he created and a calibrated signal generator.

It’s a GNU Octave script called nf_from_stdio.m that accepts a sample stream from stdio. It assumes the signal contains a sine wave test tone from a calibrated signal generator, and noise from the receiver under test. By sampling the test tone it can establish the gain of the receiver, and by sampling the noise spectrum an estimate of the noise power.

As expected, Rowetel found that the overall noise figure was significantly reduced with the LNA in place, with the Airspy's measuring a noise figure of 1.7/2.2 dB, and the HackRF measuring at 3.4 dB. Without the LNA in place, the Airspy's had a noise figure of 7/7.9 dB, whilst the HackRF measured at 11.1 dB.

Some very interesting sources of noise figure degradation were discovered during Rowetel's tests. For example the Airspy measured a NF 1 dB worse when used on a different USB port, and using a USB extension cable with ferrites helped too. He also found that lose connectors could make the NF a few dB's worse, and even the position of the SDR and other equipment on his desk had an effect.

Noise figure measurement
Noise figure measurement

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

 
 

Pseudo-Doppler Direction Finding with a HackRF and Opera Cake

Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.

In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.

If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.

OperaCake running with four antennas
OperaCake running with four antennas
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.

 

Schmoocon 18: Live Stream of Micheal Ossmann and Schuyler St. Leger on Psuedo-Doppler begins in 15 minutes

Micheal Ossmann @michaelossmann (famous for creating the HackRF SDR and various other projects) and Schuyler St. Leger @DocProfSky (a very talented young man) will soon be presenting their "Pseudo-Doppler Redux" talk at the Schmoocon 2018 conference at 3:30pm EST. The talk is available for all to watch live on Livestream.

Michael Ossmann and Schuyler St. Leger demonstrate their new take on Pseudo-Doppler direction finding techniques, using SDR to enhance direction finding capabilities.

Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows us how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrically devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets
HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets

 

Securing the Bitcoin network against Censorship with WSPR

Bitcoin WSPR Test Setup
Bitcoin WSPR Test Setup

If you didn't know already Bitcoin is the top cryptocurrency which in 2017 has begun gaining traction with the general public and skyrocketing to a value of over $19,000 US per coin at one point. In addition to providing secure digital transactions, cryptocurrencies like Bitcoin are intended to help fight and avoid censorship. But despite this there is no real protection from the Bitcoin internet protocol being simply blocked and censored by governments with firewalls or by large ISP/telecoms companies.

One idea recently discussed by Nick Szabo and Elaine Ou at the "Scaling Bitcoin 2017" conference held at Stanford University is to use the something similar to WSPR (Weak Signal Propagation Reporting Network) to broadcast the Bitcoin network, thus helping to avoid internet censorship regimes. To test their ideas they set up a HackRF One as a transmitter and RTL-SDR and used GNU Radio to create a test system.

Other ideas to secure the Bitcoin network via censorship resistant radio signals include kryptoradio, which transmits the network over DVB-T, and the Blockstream satellite service which uses an RTL-SDR as the receiver.

If you're interested in the presentation the talk on WSPR starts at about 1:23 in the video below. The slides are available here.

Scaling Bitcoin 2017 Stanford University - Day 2 Afternoon

Art Installation Eavesdrops on Hospital Pagers with a HackRF

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

For a long time now it has been known that pager data is sent in the clear and in plain text over a strong and easily received RF signal. The signal can easily be intercepted with a standard scanner radio or more recently with an SDR such as the RTL-SDR. Software such as PDW can then be used to decode the signal into plain text. We have a tutorial on this available here.

In these more modern days of cell phones and secure text messaging very few people still use pagers. But one heavy user of pagers is the medical community who still prefer them as they are already widely implemented in hospitals and are very reliable. The lower frequencies and high transmission powers used by pager systems allows for better reception especially in areas prone to poor cellphone reception such as in big buildings like hospitals with many walls underground areas. They are also very reliable as they receive messages instantly, whereas text messages can be delayed in times of high network traffic which is obviously a problem when a doctor is needed urgently. Finally, another advantage is that most pagers only receive, so there are no local transmissions that could interfere with sensitive medical machines. A major downside however is that pager use means that a lot of very private patient data can be easily intercepted by anyone anywhere in the same city as the hospital.

Back in October artist and programmer Brannon Dorsey displayed an art installation at the Radical Networks conference in Brooklyn which he calls Holypager. The idea is to bring attention to the breach of privacy. The installation simply prints out the pager messages as they are sent in real time, accumulating patient data that any visitor can pick up and read. He doesn't mention it on his page, but in one of the photos we see a HackRF One, antenna and Raspberry Pi hiding underneath the installation which is how the pager messages are received. A simple RTL-SDR could also be used as the receiver. Brannon writes:

Holypager is an art installation that intercepts all POCSAG pager messages in the city it resides and forwards them to one (holy) pager. The installation anonymizes all messages and forwards them randomly to one of three pagers on display. Each message is also printed on a contiguous role of receipt paper amassing a large pile of captured pages for gallery goers to peruse.

Pagers use an outdated protocol that requires all messages to be broadcast unencrypted to each pager in the area. It is the role of the individual pager to filter and display only the messages intended for its specific address. The pagers below have been reprogrammed to ignore this filter and receive every message in the city in real time. Today, these devices are primarily used in hospitals to communicate highly sensitive information between doctors and hospital staff.

Given the severity of the HIPPA Privacy Act, one would assume that appropriate measures would be taken to prevent this information from being publicly accessible to the general public. This project serves as a reminder that as the complexity and proliferation of digital systems increase the cultural and technological literacy needed to understand the safe and appropriate use of these systems often do not.

[Also seen on Hackaday and Motherboard]