Tagged: jamming

Mapping GPS/GNSS Interference Through ADS-B Data

Websites like adsbexchange.com log ADS-B aircraft tracking data from contributors located all over the world and aggregate it onto a single map. Typically an RTL-SDR is the receiver of choice for contributors receiving ADS-B signals. Among the fields that aircraft broadcast, and that the aggregators record, is an indicator of GPS/GNSS position quality (the navigation accuracy and integrity categories, NACp and NIC), which drops when the aircraft's GNSS receiver cannot obtain a good fix.

Over on Twitter John Wiseman @lemonodor has been using the aggregated ADS-B data provided by adsbexchange to highlight regions where reported GPS inaccuracy is significant. This may allow crowd-sourced data to be used to detect regions of GPS interference or jamming. In one of his latest findings he noted extreme GPS inaccuracy around the Baltic region (Poland, Lithuania, Latvia, Kaliningrad).
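The aggregation step behind such a map can be sketched in a few dozen lines. The following Python is an added example for this page, not code from adsbexchange.com or from John Wiseman's analysis: it buckets contributor reports into one-degree grid cells and flags cells where several different aircraft report a degraded navigation accuracy category. The field names (hex, lat, lon, nac_p), the NACp threshold, the cell size and the sample reports are all assumptions constructed for the example.

```python
"""Grid-cell GNSS interference indicator from crowd-sourced ADS-B position
quality fields. Added example; not code from adsbexchange.com or from John
Wiseman's analysis. Field names follow the JSON commonly exported by ADS-B
aggregators but are an assumption here, as are the thresholds."""
import math
from collections import defaultdict

BAD_NACP = 4          # NACp <= 4: estimated position uncertainty of ~0.5 NM or worse
MIN_REPORTS = 5       # ignore cells with too few reports to say anything
MIN_AIRCRAFT = 2      # several aircraft needed, so one faulty GNSS receiver is not "interference"
BAD_FRACTION = 0.5    # flag a cell when this fraction of its reports is degraded
CELL_DEG = 1.0        # grid cell size in degrees of latitude/longitude


def cell_key(lat, lon, size=CELL_DEG):
    """South-west corner of the grid cell containing (lat, lon)."""
    return (math.floor(lat / size) * size, math.floor(lon / size) * size)


def is_degraded(report):
    """A report is degraded when NACp is absent or at/below BAD_NACP."""
    nacp = report.get("nac_p")
    return nacp is None or nacp <= BAD_NACP


def aggregate(reports, size=CELL_DEG):
    """Bucket reports into grid cells, counting degraded fixes and distinct aircraft."""
    cells = defaultdict(lambda: {"total": 0, "bad": 0, "aircraft": set()})
    for r in reports:
        if r.get("lat") is None or r.get("lon") is None:
            continue  # no position, so nothing to place on the map
        cell = cells[cell_key(r["lat"], r["lon"], size)]
        cell["total"] += 1
        cell["aircraft"].add(r["hex"])
        if is_degraded(r):
            cell["bad"] += 1
    return cells


def flag_cells(cells, min_reports=MIN_REPORTS, min_aircraft=MIN_AIRCRAFT,
               bad_fraction=BAD_FRACTION):
    """Return {cell: degraded_fraction} for cells that look like interference."""
    flagged = {}
    for key, c in cells.items():
        if c["total"] < min_reports or len(c["aircraft"]) < min_aircraft:
            continue
        frac = c["bad"] / c["total"]
        if frac >= bad_fraction:
            flagged[key] = round(frac, 2)
    return flagged


# Constructed sample data (not real traffic): a cluster of degraded fixes from
# three aircraft over the Kaliningrad/Lithuania area, healthy traffic near
# London with one isolated bad fix, and a lone aircraft with too few reports.
SAMPLE = [
    {"hex": "4ca1f3", "lat": 54.7, "lon": 20.5, "nac_p": 0},
    {"hex": "4ca1f3", "lat": 54.8, "lon": 20.6, "nac_p": 1},
    {"hex": "4b1a2c", "lat": 54.6, "lon": 20.9, "nac_p": 2},
    {"hex": "4b1a2c", "lat": 54.9, "lon": 20.2, "nac_p": 0},
    {"hex": "3c6444", "lat": 54.5, "lon": 20.7, "nac_p": 9},   # one aircraft still has a good fix
    {"hex": "3c6444", "lat": 54.3, "lon": 20.4, "nac_p": 1},
    {"hex": "406a8d", "lat": 51.5, "lon": -0.1, "nac_p": 10},
    {"hex": "406a8d", "lat": 51.6, "lon": -0.2, "nac_p": 9},
    {"hex": "4851e2", "lat": 51.4, "lon": -0.3, "nac_p": 8},
    {"hex": "4851e2", "lat": 51.7, "lon": -0.4, "nac_p": 10},
    {"hex": "a12b3c", "lat": 51.8, "lon": -0.5, "nac_p": 2},   # isolated bad fix, below threshold
    {"hex": "aabbcc", "lat": 40.0, "lon": 10.0, "nac_p": 0},   # lone aircraft, too few reports
    {"hex": "aabbcc", "lat": 40.1, "lon": 10.1, "nac_p": 0},
]

if __name__ == "__main__":
    for (lat, lon), frac in sorted(flag_cells(aggregate(SAMPLE)).items()):
        print(f"cell {lat:+.0f},{lon:+.0f}: {frac:.0%} of reports degraded")
```

With the sample data only the Kaliningrad cell is flagged (five of six reports degraded, three aircraft); the single bad fix near London and the lone two-report aircraft are ignored. A real deployment would add a time window and compare each cell against its own baseline, since some NACp degradation from aircraft with older GNSS equipment is normal and should not be mistaken for jamming.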

As John and others reported in subsequent Tweets, this GPS interference was noticed by others too, with some flights needing to be cancelled or needing to return during their journey, and a NOTAM warning being issued to pilots regarding the interference. Reuters also reported on the GPS disturbance a few days later.

NOTAM: GPS INTERFERENCE DETECTED IN THE EASTERN PARTS OF HELSINKI FIR. AFFECTED AREA SECTOR N, SFC-FL200

It is well known that Russia routinely utilizes GPS spoofing or jamming around Kremlin landmarks, sensitive areas and during military operations. However, others noted that NATO exercises in the Baltic could also be the cause.

To further add to this story, the satellite intelligence operator Hawkeye 360 also recently detected significant GPS interference within or around Ukraine.

Hawkeye360 Detects GPS Interference near or within Ukraine.

Radio Related News Occurring in the Russia-Ukraine Conflict

In the current Russia-Ukraine conflict we've seen several noteworthy radio related events occurring over the last few days, mostly throughout Twitter.

Russian HF Bomber Communications

As mentioned in the previous post it has been found that since the start of the invasion, Russian strategic bombers have been very active on USB voice at 8131 kHz. We've even seen a security firm predict air raid siren activations based on increased bomber HF activity.

Russian Military HF Frequencies Jammed by Activists

It has been observed that several Russian military HF stations including the famous UVB-76 Buzzer have been jammed with either the Ukrainian national anthem, or various meme-type songs. It is likely that these stations are being jammed mostly by civilian activists, or members of the activist hacker collective known as Anonymous, rather than any military organization.

The UVB-76 Buzzer is a famous and mysterious shortwave station that plays a buzzing sound and sometimes voice. It can be received from all over the world. Via civilian investigations, and through the use of the KiwiSDR TDoA direction finding functionality, it has been found to be transmitted from a location just north of St. Petersburg, and is assumed to be a military signal of some sort.

We've also seen waterfall text based jamming:

Using KiwiSDRs you can listen to these jammed stations yourself remotely through public internet connected SDRs in Europe. Some known frequencies are listed here and here

We note that there have also been reports about fake Russian frequencies being posted on the internet.

We assume most jamming is happening from outside the warring countries, and it is unknown how far the jamming signals extend onto Russian or Ukrainian territory, or how much of an impact they are having on Russian operations.

Russian State TV Hacked

Twitter account Anonymous TV has reported hacking Russian state TV to show citizens what is actually happening in Ukraine. It's unknown if this was a hack via TV transmissions being overpowered by another signal, or a computer hack.

Starlink Activated in Ukraine

A few days ago Elon Musk and SpaceX activated their Starlink wireless satellite internet system in Ukraine, and have sent over a shipment of ground terminals. This is useful as even if the local wired internet were to be destroyed, or be censored by Russia, the Starlink system will be able to connect to uncensored internet as long as there is power. 

An account of a Ukrainian engineer and RF hobbyist recently Tweeted his success at getting his Starlink system up and running from his home in Ukraine. We decided not to link to his Twitter account in this post, just in case he needs to delete his account for safety in the future as he appears to be very close to the bombing.

Viasat Satellite Service Experiences Cyberattack and Outages

Viasat, another provider of satellite internet services in the Ukraine region, appears to have been subject to a DDoS cyberattack, causing outages to its satellite internet service in the European region.

SSTV Activism Seen On Russian Meridian Satellites

Meridian satellites are a "family of telecommunications satellites for civil and military use developed by Russia in the 2000s placed in a Molniya Orbit" (Wikipedia). A tweet by Scott Tilley @coastal8049 notes reports of SSTV activist activity occurring on the 484 MHz Meridian transponders.

Scott Tilley's Twitter feed also shows some other interesting pieces of news and information, including frequencies and orbits of Meridian satellites, images of a destroyed Russian command and control satellite communications vehicle, and links to now deleted, but Google cached, pages with information about Russian satellite communication systems.

APRS Activism against Russia causes APRS-IS DDOS

Amateur radio operators can use a system called APRS to exchange short text, position and telemetry packets, which internet-connected gateway stations (iGates) forward into the global APRS-IS network. A few days ago it appears that anti-Russia activists flooded the APRS-IS (Automatic Packet Reporting System-Internet Service) network with bogus packets carrying Russian coordinates, which unintentionally resulted in a denial of service (DoS) on APRS tracking sites like aprs.fi.

DARC Urges Safety First for Ukraine and Foreign Amateur Radio Hobbyists

The German ham-radio association DARC has issued a warning to Ukrainian hams, and to foreign hams who may be in contact with them. Amateur radio operations are currently banned in Ukraine under wartime law.

Poland Amateur Radio Society Provides WinLink HF Email Service

In response to geopolitical threats, the Poland Amateur Radio Society has set up an HF WinLink email system, aimed at providing email services to amateur radio operators who could be cut off from internet email services. It appears this may be aimed at helping Ukrainians communicate; however, in these modern days of electronic warfare it is important to take into account the warning from DARC above too, as transmitting stations could easily be located by Russian electronic warfare forces.

Dear HAM operators, in the face of the latest threats in our region and a possibility of an incoming wave of refugees, with over 2 mln already living in Poland, we would like to remind you that we are at your disposal.

If you are a licensed amateur radio operator, you can send information by e-mail to your relatives in Poland or Emergency Services via the Winlink system, which works on HF bands, independently of access to the local ICT infrastructure https://winlink.org/WinlinkExpress.

We advise you to download the software, install it and check its operation.
Polish WinLink nodes are QRV on 160,80,20m
SR5WLK dial frequency 3595,5 kHz USB
SR3WLK dial frequency 14111 kHz USB
SP3IEW dial frequency 1865 kHz USB

If we receive information about the cut-off of the Internet in the region in danger, we will be QRV daily as SP0MASR @ 18-20 UTC on the frequencies 3770 kHz +/- QRM, 7110 kHz +/- QRM. In such a situation, please communicate in Polish or English.

We are here to serve you.

Shortwave Listening Updates

The excellent SWLing.com blog has also provided some updates on shortwave, including news that WRMI has resumed broadcasts of Radio Ukraine International, that Ukrainian state radio has resumed broadcasting at 549 kHz, and that the BBC has added two new broadcasts to Ukraine.

Russian Oligarch Jets Tracked with ADS-B

An activist has set up a Twitter account to track the private jets of Russian oligarchs via ADS-B. ADS-B aircraft data can be used to track aircraft locations, and these signals are typically received with low cost SDRs like RTL-SDRs. The project appears to use data sourced from adsbexchange.com, which is known to be one of the only ADS-B aggregators that does not censor data.

The 7055 kHz 'Radio War' Frequency Sees Increase in Activity

It has been reported that the 7055 kHz LSB amateur radio frequency has been used by Ukrainian and Russian amateur radio operators for some time now to insult each other in a 'radio war', and recently activity has significantly increased. Other frequencies involved include 7050 kHz LSB and 3731 kHz.

Captured Equipment Shows Russian Radio Hardware In Use

A recent tweet shows a photo of hardware supposedly captured from Russian forces. Of interest is a Russian R-187P1 Azart, a handheld digital software defined radio.

At the same time unconfirmed reports suggest that some parts of the Russian army may be relying on civilian Baofeng radios.

Testing the Mayhem Firmware on a HackRF Portapack

The Portapack is an add on for the popular HackRF SDR which allows the HackRF to be used portably without a PC. Recently the cost of this hardware duo has come down to below US$150 due to low cost Chinese clones now being available on the market. Generally the clones are of good quality too.

Once you have the hardware it is possible to install third party custom firmware such as "Mayhem" on the Portapack, which enables many features such as the ability to receive and transmit various different types of RF protocols. Back in 2018 we did a review of Mayhem's predecessor, which was known as the "Havok" firmware. More recently Tech Minds did a video overview of Mayhem.

Now over on his blog A. Petazzoni has started a new blog series which aims to introduce the basics of the Mayhem firmware, including installation and some hands-on testing with RF spoofing, denial-of-service (DoS) and replay attacks. Currently only his first post is out; in it he shows how to install Mayhem onto the Portapack, then goes on to briefly overview some applications such as RF replay attacks, replicating wireless remote controls, receiving and transmitting POCSAG, receiving and transmitting ADS-B, and creating a jammer.

Obviously a lot of what you can do with a Portapack and the Mayhem firmware is extremely illegal and very dangerous, so please do be careful with what and where you transmit especially if you are new to RF hobby. These signals should remain in your test area only, and not leak out into the wider environment.

[Also seen on Hackaday]

HackRF Portapack transmitting a spoofed pager message.

Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain's MyQ Hub, a "Universal" IoT garage door automation platform. Such a device allows you to operate and monitor the status of your garage door remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.

Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.

Although the system utilizes rolling codes for security, McAfee researchers made use of the "rolljam" technique, a well known method for defeating rolling code security. The basic idea is to jam the receiver with an SDR or other RF device while capturing the code the remote transmits; the user, seeing nothing happen, presses again, and the attacker captures that second code while replaying the first so that the door operates as expected. The attacker is now holding a second, still unused rolling code that can be played back at any time.

McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they utilized an SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming and not a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when they think they are closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

McAfee Advanced Threat Research Demo Chamberlain MyQ
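The state confusion in the quoted write-up comes down to two design choices: the opener only has a toggle input, and the hub toggles first and checks the sensor afterwards. The Python below is an added simulation for this page, not McAfee's code and not Chamberlain's firmware; the "stateful" hub is an assumption about how such a design could fail closed, not the vendor's actual fix.

```python
"""State-confusion simulation of the jam-only attack on a toggle-style garage
door hub. Added example; not McAfee's code and not Chamberlain's firmware.
StatefulHub is an assumed fail-closed variant, not the vendor's fix."""


class GarageDoor:
    """Opener with a single toggle input: the same command opens or closes."""
    def __init__(self, closed):
        self.closed = closed

    def toggle(self):
        self.closed = not self.closed


class DoorSensor:
    """Remote tilt sensor; its RF reply is lost while the attacker jams."""
    def __init__(self, door):
        self.door = door

    def report(self, jammed):
        if jammed:
            return None                      # hub hears nothing
        return "closed" if self.door.closed else "open"


class ToggleHub:
    """Vulnerable behaviour as described: send the toggle, then ask the sensor."""
    def close_request(self, door, sensor, jammed):
        door.toggle()
        return sensor.report(jammed)         # None -> app: "Something went wrong. Please try again."


class StatefulHub:
    """Fail-closed variant (assumption): confirm the door is open before toggling."""
    def close_request(self, door, sensor, jammed):
        if sensor.report(jammed) != "open":
            return "refused"                 # unknown or already closed: do not actuate
        door.toggle()
        return sensor.report(jammed)


def run_scenario(hub_cls, jammed, retries=2):
    """Owner wants to close an open door via the app and retries on error."""
    door = GarageDoor(closed=False)
    sensor = DoorSensor(door)
    hub = hub_cls()
    opened_by_close_request = False
    for _ in range(retries):
        was_closed = door.closed
        status = hub.close_request(door, sensor, jammed)
        if was_closed and not door.closed:
            opened_by_close_request = True   # a "close" actually opened the door
        if status == "closed":
            break                            # app confirms success, owner stops
    return {"final_closed": door.closed,
            "opened_by_close_request": opened_by_close_request}


if __name__ == "__main__":
    for hub in (ToggleHub, StatefulHub):
        for jammed in (False, True):
            print(hub.__name__, "jammed" if jammed else "clear", run_scenario(hub, jammed))
```

With the toggle hub under jamming, the first "close" closes the door, the app reports an error, and the retry re-opens it; that is exactly the sequence in the quote. The stateful hub refuses to actuate when it cannot confirm the door's state, so jamming only costs the owner availability (the door stays as it was) rather than silently opening it. The general lesson is that any remote actuator with a toggle-style command needs a confirmed state before it acts, or an idempotent "close" command instead of a toggle.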

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstration of the attack he uses the RTL-SDR to initially find the frequency that the keyfob operates at and to analyze the signal and determine some of its properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.
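Both the McAfee rolljam paragraph above and Christopher's description of the jam and replay attack rely on the same property of rolling-code receivers: they accept any not-yet-used code within a window ahead of their counter, so a captured-but-never-delivered code stays valid until a later one is accepted. The Python below is an added simulation of that exchange for this page, not code from McAfee, from Christopher's article, or from any real keyfob or opener. The rolling code is modelled as a keyed hash of a counter (a stand-in for a KeeLoq-style encrypted counter), and SECRET and WINDOW are assumptions.

```python
"""Rolljam walk-through against a toy rolling-code receiver. Added example;
not code from McAfee, from Christopher's article, or from any real keyfob.
The code is a keyed hash of a counter (stand-in for a KeeLoq-style encrypted
counter); SECRET and WINDOW are assumptions."""
import hashlib
import hmac

SECRET = b"fob-and-receiver-shared-secret"  # assumed symmetric key provisioned at pairing
WINDOW = 16   # receiver accepts codes up to this many counter steps ahead of its own


def rolling_code(counter, secret=SECRET):
    """Code transmitted for a given counter value (4 bytes of an HMAC)."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return rolling_code(self.counter)


class Receiver:
    """Car or garage receiver: accepts any code within WINDOW steps ahead, never behind."""
    def __init__(self):
        self.counter = 0
        self.unlocked = False

    def receive(self, code):
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(c), code):
                self.counter = c            # all earlier codes are now stale
                self.unlocked = not self.unlocked
                return True
        return False                        # stale replay or unknown code


class RollJam:
    """Attacker's box: jams the receiver's wide passband while its own
    narrow-band receiver still decodes the fob, storing every code seen."""
    def __init__(self):
        self.captured = []
        self.jamming = False

    def relay(self, code, receiver):
        self.captured.append(code)
        if self.jamming:
            return None                     # receiver hears only noise
        return receiver.receive(code)


def run_rolljam():
    fob, car, box = Fob(), Receiver(), RollJam()
    out = {}
    box.jamming = True
    out["press1_seen_by_car"] = box.relay(fob.press(), car)    # None: car does nothing
    out["press2_seen_by_car"] = box.relay(fob.press(), car)    # None: user presses again
    code1, code2 = box.captured
    box.jamming = False
    out["replay_code1"] = car.receive(code1)                   # True: car unlocks, user satisfied
    out["replay_code1_again"] = car.receive(code1)             # False: counter moved past it
    out["attacker_uses_code2"] = car.receive(code2)            # True: still one step ahead
    # Caveat: a later legitimate press that reaches the car advances the
    # counter past code2, so a captured code has a shelf life.
    car.receive(fob.press())
    out["code2_after_owner_press"] = car.receive(code2)        # False
    out["beyond_window_rejected"] = Receiver().receive(rolling_code(WINDOW + 1))  # False
    return out


if __name__ == "__main__":
    for step, result in run_rolljam().items():
        print(f"{step:28s} {result}")
```

The run shows why rolling codes alone do not stop the attack: the car never saw the jammed presses, so the replayed first code is fresh, and the second code remains fresh for the attacker. It also shows the two limits a practitioner should know. A code can only be used once, and any later fob press that reaches the car invalidates everything the attacker holds, which is why real rolljam devices keep jamming and always retain the newest code. Codes more than WINDOW steps ahead are rejected, so an attacker cannot simply guess forward.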

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.