Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:
Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.
The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using.
Over on YouTube user Tatu Peltola has uploaded a video showing his RTL-SDR based phase correlative direction finder in action. This setup uses three RTL-SDR dongles and three antennas to measure the phase differences between the received signals and thus determine the direction towards a signal source. All three RTL-SDRs must be coherent, meaning that their 28.8 MHz clock signals must all come from the same source so that the phase relationship between the dongles stays constant.
In the video Tatu walks around the three antennas with a handheld radio. An arrow on a laptop screen points in the direction of the transmitter.
A known problem with RTL-SDRs is that even with the clock sources synchronized there are still additional, unknown phase and sampling-time offsets between the dongles. To solve this problem Tatu writes:
Each rtl-sdr is fed from the same reference clock to make their phase shift remain constant. They still have unknown phase shifts and sampling time differences relative to each other. This is calibrated by disconnecting them from antennas and connecting every receiver to the same noise source. Cross correlation of the noise gives their time and phase differences so that it can be corrected.
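The calibration step described above (cross-correlate a shared noise capture to find each receiver's sample-time and phase offset, correct for them, then turn the corrected phase differences into a bearing) is shown below as an added simulation. It is not Tatu's code. Everything in it is an assumption chosen so the result can be checked: an equilateral three-antenna layout with 0.5 wavelength sides, integer-sample receiver delays, the receiver offsets, the 40 degree bearing of the simulated transmitter, and the sign convention of the steering phase (which must match between the model and the search; on real hardware it is settled by calibrating against a transmitter at a known bearing).

```python
import cmath
import math
import random

# Constructed simulation of a three-receiver phase-correlative DF setup.
# Antenna layout, receiver offsets and the transmitter bearing are invented.
ANTENNAS = [(0.0, 0.0), (0.5, 0.0), (0.25, math.sqrt(3) / 4)]  # in wavelengths
TRUE_DELAYS = [0, 3, -2]      # unknown sampling-time offset of each dongle (samples)
TRUE_PHASES = [0.0, 1.1, -0.7]  # unknown phase offset of each dongle (radians)
MAX_LAG = 8                   # largest sample-time offset the calibration searches


def receiver(samples, delay, phase):
    """Model one dongle: shift the input by `delay` samples and rotate it by
    `phase` radians; samples shifted outside the capture become zero."""
    n = len(samples)
    rot = cmath.exp(1j * phase)
    return [rot * samples[i - delay] if 0 <= i - delay < n else 0j for i in range(n)]


def cross_correlate(x, ref, max_lag):
    """r[lag] = sum_i x[i] * conj(ref[i - lag]) for |lag| <= max_lag."""
    n = len(x)
    out = {}
    for lag in range(-max_lag, max_lag + 1):
        acc = 0j
        for i in range(n):
            if 0 <= i - lag < n:
                acc += x[i] * ref[i - lag].conjugate()
        out[lag] = acc
    return out


def calibrate(noise_captures, max_lag=MAX_LAG):
    """All receivers were connected to the same noise source. The lag of the
    correlation peak against receiver 0 is the sampling-time difference and
    the argument of the peak is the phase difference."""
    ref = noise_captures[0]
    cal = []
    for x in noise_captures:
        r = cross_correlate(x, ref, max_lag)
        lag = max(r, key=lambda k: abs(r[k]))
        cal.append((lag, cmath.phase(r[lag])))
    return cal


def align(x, delay, phase):
    """Undo a receiver's measured delay and phase so it lines up with receiver 0."""
    n = len(x)
    rot = cmath.exp(-1j * phase)
    return [rot * x[i + delay] if 0 <= i + delay < n else 0j for i in range(n)]


def steering_phase(antenna, bearing_deg):
    """Phase (rad) a plane wave from `bearing_deg` adds at `antenna` relative to
    the origin. Assumed sign convention; model and search must agree on it."""
    b = math.radians(bearing_deg)
    return 2 * math.pi * (antenna[0] * math.cos(b) + antenna[1] * math.sin(b))


def estimate_bearing(aligned):
    """Measure each receiver's phase relative to receiver 0, then grid-search
    (1 degree steps) for the bearing whose expected phase pattern fits best."""
    ref = aligned[0]
    measured = [cmath.phase(sum(a * b.conjugate() for a, b in zip(x, ref))) for x in aligned]
    best, best_score = None, -math.inf
    for deg in range(360):
        score = sum(math.cos(m - (steering_phase(p, deg) - steering_phase(ANTENNAS[0], deg)))
                    for m, p in zip(measured, ANTENNAS))
        if score > best_score:
            best, best_score = deg, score
    return best


def simulate(true_bearing_deg=40.0, seed=1):
    """Run calibration on a shared noise capture, then DF a simulated transmitter."""
    rng = random.Random(seed)
    # Step 1: calibration capture, every receiver fed the same noise source.
    noise = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2000)]
    captures = []
    for d, p in zip(TRUE_DELAYS, TRUE_PHASES):
        x = receiver(noise, d, p)
        captures.append([v + complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05)) for v in x])
    cal = calibrate(captures)
    # Step 2: live capture of a narrowband transmitter at true_bearing_deg.
    tone = [cmath.exp(1j * 2 * math.pi * 0.05 * i) for i in range(400)]
    live = []
    for ant, d, p in zip(ANTENNAS, TRUE_DELAYS, TRUE_PHASES):
        t = [v * cmath.exp(1j * steering_phase(ant, true_bearing_deg)) for v in tone]
        live.append(receiver(t, d, p))
    aligned = [align(x, d, p) for x, (d, p) in zip(live, cal)]
    return cal, estimate_bearing(aligned)


if __name__ == "__main__":
    cal, bearing = simulate()
    print("calibration (delay, phase) per receiver:", cal)
    print("estimated bearing:", bearing, "degrees")
```

The noise source matters: a tone would only give the phase offset modulo one cycle, while wideband noise has a sharp correlation peak whose lag pins down the sampling-time offset in whole samples. With three antennas in a triangle the search resolves the full 360 degrees; two antennas in a line would leave a front/back ambiguity.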
Over on Reddit, user tautology2 has linked to his project, software that creates a heatmap of signal strengths. It works from the data output by RTLSDR Scanner, a program that collects signal strength data over any desired bandwidth while also recording GPS coordinates from an external GPS receiver. RTLSDR Scanner can create a heatmap by itself, but tautology2's heatmap is much clearer and has good web controls for choosing the frequency the heatmap is drawn for.
The RTLSDR scanner software has been updated and now supports connection to an external GPS receiver. With a GPS receiver attached to a laptop, the RTL-SDR can be used to make signal strength maps by driving around in a car and monitoring the radio spectrum with RTLSDR Scanner running. The signal strength map can then be viewed in Google Earth, a GIS program or any image viewer.
After checking for local causes of interference and finding nothing, they decided that the interferer must be further away. To find the location of the jamming signal they did some radio direction finding: driving around with Yagi and magnetic-loop antennas connected to RTL-SDR and USRP N200 SDRs, and measuring the signal strength at various points.
For the software they used a custom GNU Radio block which calculated power spectra using the FFTW C library and wrote averaged results to disk. They then post-processed the data to calculate the RFI power, and correlated it with GPS coordinates recorded on his phone.
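The post-processing that both the heatmap item above and this interference hunt describe (band power from averaged power spectra, joined to a separately logged GPS track, then gridded into a map) is sketched below as an added example. It is not the code of RTLSDR Scanner, tautology2's heatmap tool, or the team that tracked down this interferer. The spectra, the GPS track, the coordinates, the 25 kHz bin width, the 100 MHz band start and the interferer band edges are all constructed values.

```python
import bisect
import math

# Constructed inputs (not real captures): timestamped power spectra as a scanner
# would log them, plus GPS fixes logged separately, so the two must be joined by time.
BIN_HZ = 25_000.0                      # assumed FFT bin width
START_HZ = 100_000_000.0               # assumed first-bin frequency
RFI_LO_HZ, RFI_HI_HZ = 100_075_000.0, 100_125_000.0  # assumed interferer band


def db_to_linear(db):
    return 10 ** (db / 10)


def linear_to_db(lin):
    return 10 * math.log10(lin)


def band_power_db(spectrum_db, start_hz, bin_hz, lo_hz, hi_hz):
    """Total power in [lo_hz, hi_hz): sum the bins in the linear domain, then
    convert back to dB. Adding dB values directly would be wrong."""
    total = 0.0
    for k, p in enumerate(spectrum_db):
        f = start_hz + k * bin_hz
        if lo_hz <= f < hi_hz:
            total += db_to_linear(p)
    return linear_to_db(total) if total > 0 else -math.inf


def nearest_fix(fixes, t, max_gap_s=5.0):
    """fixes: time-sorted (time, lat, lon). Return the fix nearest to t, or None
    when it is more than max_gap_s away (a GPS dropout; do not guess a position)."""
    times = [f[0] for f in fixes]
    i = bisect.bisect_left(times, t)
    cands = [fixes[j] for j in (i - 1, i) if 0 <= j < len(fixes)]
    if not cands:
        return None
    best = min(cands, key=lambda f: abs(f[0] - t))
    return best if abs(best[0] - t) <= max_gap_s else None


def cell_of(lat, lon, cell_deg=0.01):
    """Grid cell index of a position for a square grid of cell_deg degrees."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def grid_heatmap(points, cell_deg=0.01):
    """points: (lat, lon, power_db). Average each cell's readings in the linear
    domain; returns {cell: mean_db}. Averaging in dB would understate peaks."""
    cells = {}
    for lat, lon, p in points:
        cells.setdefault(cell_of(lat, lon, cell_deg), []).append(db_to_linear(p))
    return {k: linear_to_db(sum(v) / len(v)) for k, v in cells.items()}


def locate(spectra, fixes, cell_deg=0.01):
    """Join spectra to positions by time, grid the RFI band power, and return
    the heatmap plus the strongest cell (the first place to point an antenna)."""
    points = []
    for t, spec in spectra:
        fix = nearest_fix(fixes, t)
        if fix is None:
            continue  # no trustworthy position for this spectrum; leave it off the map
        points.append((fix[1], fix[2],
                       band_power_db(spec, START_HZ, BIN_HZ, RFI_LO_HZ, RFI_HI_HZ)))
    heat = grid_heatmap(points, cell_deg)
    return heat, max(heat, key=heat.get)


def make_constructed_data(tower=(-33.955, 18.455)):
    """Constructed drive past an invented tower: the RFI level falls with
    distance, one spectrum every 10 s, with periodic GPS dropouts."""
    spectra, fixes = [], []
    for i in range(40):
        t = 1000.0 + 10 * i
        lat, lon = -33.995 + 0.002 * i, 18.435 + 0.001 * i
        if i % 7 != 3:                     # every 7th step the phone had no fix
            fixes.append((t, lat, lon))
        d = math.hypot(lat - tower[0], lon - tower[1]) + 0.002
        level = -40 - 20 * math.log10(d / 0.002)
        spec = [-100.0] * 8                # flat noise floor, constructed
        spec[3], spec[4] = level, level - 3  # interferer sits in bins 3 and 4
        spectra.append((t, spec))
    return spectra, fixes


if __name__ == "__main__":
    heat, strongest = locate(*make_constructed_data())
    print("strongest cell:", strongest, "at", round(heat[strongest], 1), "dB")
```

Two details are worth keeping when doing this for real: integrate and average power in the linear domain and only convert to dB for display, and drop spectra that have no GPS fix within a short window rather than interpolating a position across a dropout, since a single misplaced strong reading can pull the hot spot to the wrong block.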
After all the data was processed, they discovered that the interference originated from an FM radio tower which had a faulty FSK telemetry link. They notified the engineer responsible who then replaced the link and the interference disappeared.