Tagged: infosec

Derpcon 2020 Talk: Breaking into the World of Software Defined Radio

Derpcon is a COVID-19 inspired information security conference that was held virtually between April 30 - May 1 2020. Recently the talks have been uploaded to their YouTube channel. One interesting SDR talk we've seen was by Kelly Albrink and it is titled "Ham Hacks: Breaking into the World of Software Defined Radio". The talk starts by giving a very clear introduction to software defined radio, and then moves on to more a complex topic where Kelly shows how to analyze and reverse engineer digital signals using a HackRF and Universal Radio Hacker.

RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal.

Ham Hacks: Breaking into the World of Software Defined Radio - Kelly Albrink

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Alviv University researchers D. Genkin, L. Pachmanox, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds by using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly operations from its RF emissions.
Recovering CPU assembly code operations from its unintentional RF emissions.

In addition to the above they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ with a small Android based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio with the output audio being recorded with a smart phone.

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.
A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliots talk on unintentional RF emissions, Milos Prvulovic’s work on spying on keyboard presses from unintentional RF emissions and also a security flaw discovered with some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.

Spying on Keyboard Presses with a Software Defined Radio

Last year Milos Prvulovic, a computer science researcher uploaded some videos to YouTube showing how he was able to remotely and covertly record the keystrokes of a target laptop in another room wirelessly using just a software defined radio, magnetic loop antenna and some custom software.

The target laptop was first modified with special drivers that cause increased and unique memory and processor activity for each key that is pressed. As computers emit unintentional RF emissions, the modified memory and processor activity causes the target laptop to emit a unique RF signature for each key pressed. Milos used this fact to create a program that can detect the RF emissions from the target laptop, and show the key presses made from the target laptop on the spying PC.

EM Covert Channel Attack Setup and Explanation

EM Covert Channel Attack Through a Wall

EM Covert Channel Attack from Nearby Desk

Pytacle – A GSM Decoding/Decrypting Tool Now Supports RTL-SDR

Pytacle, a Linux tool used for automating GSM sniffing has been updated to alpha2, and now supports the RTL-SDR dongle with this update.

According to the website pytacle is

a tool inspired by tentacle. It automates the task of sniffing GSM frames of the air, extracting the key exchange, feeding kraken with the key material and finally decode/decrypt the voice data. All You need is a USRP (or similar – [RTL-SDR]) to capture the GSM band and a kraken instance with the berlin tables (only about 2TB ;) )

Exploring Unintended Radio Emissions with the RTL-SDR – Talk now available on YouTube

A few weeks back we posted about some slides from the Defcon conference by information security researcher Melissa Elliot which detailed how she used an RTL-SDR to explore the world of unintended radio emissions.

The talk to go with the slides is now available on YouTube

DEF CON 21 - Melissa Elliott - Noise Floor Exploring Unintentional Radio Emissions

Potential Major Security Flaw on HP Laptop Discovered with RTL-SDR

Over on Reddit, user cronek discovered by using his RTL-SDR that the microphone on his HP EliteBook 8460p laptop computer was continuously and unintentionally transmitting the audio from the built in microphone at 24 MHz in FM modulation. He found that the only requirement needed for the microphone to transmit was that the laptop needed to be turned on – even muting the microphone did nothing to stop the transmission.

Click here to read the original post.

I accidentally stumbled upon a signal in the 24MHz range, appearing to be 4 carriers. I tuned to it and heard silence, then someone came into my office and started talking and I could hear them speak. The signal appeared to be coming from my other laptop (not the one running the SDR) and was pretty weak (my antenna, the crappy one that comes with the dongle, stuck to a metal stapler was right next to the HP laptop).

This is of potential concern as as the US Military is apparently transitioning to this particular laptop. However, this may be an isolated incident, as in the thread cronek explains that other laptops he tested did not display this behavior.

HP Laptop Microphone Leak at 24 MHz

Exploring Unintentional Radio Emissions with the RTL-SDR

Melissa Elliot (0xABAD1DEA), an infosec security researcher has uploaded slides on the topic of investigating unintentional radio emissions from various electronic devices, and the security issues these emissions can cause. She used the RTL-SDR as the radio receiver to show that sophisticated equipment isn’t needed. One interesting experiment she performed was trying to recover a checkerboard image displayed on an LCD screen entirely via its unintentional radio emissions received with the RTL-SDR. She got close, as you can sort of make out the checkerboard pattern on the recovered image below. Update: Tomsguide have written an article on Melissa’s talk.

LCD Recover from Unintentional Radio Emissions