To reverse engineer the drone's wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method using just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode it into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered, and they were then able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.
The Syma X8C drone to be stolen in the competition.
Unfortunately patients who are interested in taking a more active approach to their health (such as one member of the team who herself has an implanted defibrillator) do not get to see this data. The team are hoping to use an RTL-SDR to sniff this data, which is transmitted in the 402 – 405 MHz ISM band, and then implement a decoder. So far they have successfully been able to capture some signals, and are working on decoding them into data.
By reverse engineering the signal they hope to draw attention to the fact that healthcare providers are not providing real time body data to the patient, preventing them from making their own informed decisions about their health. They write:
It’s all about making informed decisions. A patient knowing about arrhythmia episodes that occurred to him/her has the power to change his lifestyle accordingly, by deducing the factors that have influenced his recent attacks and eliminating them – i.e. observing his/her heart condition according to his/her sleep schedule, work rhythm, food choices and participation in sports. As for now, the patients can only hope to get some information on ICD-prevented arrhythmias on scheduled appointments with their doctor, which often occur once a year or even less often. This eliminates any possibility of making informed choices by using patient’s lifestyle data for future arrhythmia episode prevention.
Inspectrum is a Linux and OSX based tool that can be used for analysing captured signals. It is compatible with the IQ files generated from SDRs, such as the RTL-SDR or HackRF.
Over on YouTube user Mike has uploaded a video that demos the latest version of Inspectrum. He shows how the tool can be used to quickly browse the waveforms in a captured signal and how it can be used to determine various digital binary signal properties through an overlay that can be dragged to match the bit frequency of the captured signal.
This program looks like it is shaping up to be a very useful tool for those interested in reverse engineering digital signals. The Inspectrum code and installation procedure can be found at https://github.com/miek/inspectrum.
Look up the device frequency and listen to it with an RTL-SDR and SDR#.
Record the signal and visually study the waveform in Audacity.
Look up system part info and determine encoding type (e.g. ASK/OOK).
Determine the bit string and baud rate.
Program the RFcat to send the same disarm binary string.
Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.
$50 home alarm system broken by an RTL-SDR and RFcat.
SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.
A few days later Michael Ossmann (wireless security researcher and creator of the HackRF SDR and YARD Stick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his YARD Stick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.
Next, instead of doing a capture and replay attack like Andrew did, Michael decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering hundreds of PINs over a distance of many miles. An expensive radio is not required either: Michael notes that the gathering of PINs could just as easily be done on a cheap $10-$20 RTL-SDR dongle.
Michael notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Michael and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.
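The protection the alarm is said to lack can be shown on the receiving side. The following is a constructed illustration added here, not SimpliSafe's protocol or code from either researcher: the keypad frame carries a per-device counter and an HMAC tag under a key assumed to be shared at pairing time, so a sniffed frame reveals no PIN and a recorded frame is rejected when replayed.

```python
"""Base-station check that defeats capture-and-replay of a keypad frame.

Constructed example; the frame layout, the 16-byte demo key and the idea of
sending a command byte instead of PIN digits are assumptions of this
illustration. The PIN is verified inside the keypad and never goes over the air.
"""
import hmac, hashlib, struct

KEY = bytes.fromhex("00" * 16)  # constructed demo key; a real device pairs a unique one
DISARM = 0x02                    # constructed command code

def build_frame(key, device_id, counter, command):
    """Keypad side: frame = device_id(2) | counter(4) | command(1) | tag(8)."""
    body = struct.pack(">HIB", device_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class Base:
    """Accepts a frame only if the tag verifies and the counter moves forward."""
    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # device_id -> highest counter already accepted

    def accept(self, frame):
        if len(frame) != 15:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False        # forged, tampered or wrong-key frame
        device_id, counter, _command = struct.unpack(">HIB", body)
        if counter <= self.last_counter.get(device_id, -1):
            return False        # replay of a frame the base has already seen
        self.last_counter[device_id] = counter
        return True

if __name__ == "__main__":
    base = Base(KEY)
    frame = build_frame(KEY, 0x0A01, 1, DISARM)
    print(base.accept(frame))   # True: fresh, authentic frame
    print(base.accept(frame))   # False: the same bytes replayed
```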
Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. By using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he passed the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off key (OOK) modulated, and he was able to discover the binary control string and pulse timings.
With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.
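Both the alarm write-up above (record, inspect in Audacity, determine encoding, bit string and baud rate) and Tristan's thermostat analysis come down to the same step: reading an on-off keyed burst off its envelope. This added example, not code from either post, does that step on a constructed envelope so the bit string and symbol rate fall out automatically.

```python
"""Turn a captured OOK/ASK burst into its bit string and symbol rate.

Constructed example. It does in code what the authors did by eye in Audacity:
threshold the envelope, measure pulse widths, take the shortest pulse as one
symbol and read off the bits. Trailing '0' symbols are indistinguishable from
the silence after the burst, so a frame's true length needs a second burst or
a datasheet to confirm.
"""
from itertools import groupby

def envelope_to_bits(envelope, sample_rate, threshold=0.5):
    """Return (bit_string, baud) for one burst of envelope (magnitude) samples."""
    levels = [1 if s >= threshold else 0 for s in envelope]
    if 1 not in levels:
        return "", 0.0
    # Ignore the silence before the first and after the last carrier-on sample
    first = levels.index(1)
    last = len(levels) - 1 - levels[::-1].index(1)
    burst = levels[first:last + 1]
    # Run-length encode the burst: [(level, run_length_in_samples), ...]
    runs = [(lvl, len(list(g))) for lvl, g in groupby(burst)]
    symbol_len = min(length for _, length in runs)   # shortest pulse = 1 symbol
    bits = "".join(str(lvl) * round(length / symbol_len) for lvl, length in runs)
    return bits, sample_rate / symbol_len

def make_test_burst(bits, symbol_len, lead=30, tail=30):
    """Constructed envelope: carrier on (0.9) for '1', off (0.05) for '0'."""
    body = [0.9 if b == "1" else 0.05 for b in bits for _ in range(symbol_len)]
    return [0.02] * lead + body + [0.02] * tail

if __name__ == "__main__":
    # 20 samples per symbol at 20 kS/s means a 1000 baud burst
    burst = make_test_burst("1011000111", symbol_len=20)
    print(envelope_to_bits(burst, sample_rate=20_000))  # ('1011000111', 1000.0)
```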
Toorcon is a yearly conference that focuses on information security related topics. At the 2015 Toorcon conference Michael Ossmann (inventor of the HackRF SDR) gave an interesting talk about reverse engineering wireless systems using software defined radio.
Back in November Michael gave a quick tutorial on reverse engineering in an edition of the YouTube web series Hak5. Now his full conference talk has been released over on his website. In his talk he uses a HackRF and a YARD Stick One to show how to reverse engineer a wireless cabinet lock.
Over on YouTube the popular security and hacking themed channel Hak5 have created two videos together with Mike Ossmann (creator of the HackRF and YARD Stick One) that give a good introduction and overview on reverse engineering unknown radio protocols. In the videos they show how to use an SDR like the RTL-SDR or HackRF to initially capture the radio signal, and then how to use the YARD Stick One to reverse engineer and recreate the signal. Using this process they reverse engineer the radio protocol for a wireless liquor cabinet lock.
The YARD Stick One is a computer controlled wireless transceiver (but it is not an SDR). The YARD Stick One understands many radio protocols by default and can be programmed in Python, lowering the learning barrier for reverse engineering signals.
Mike Ossmann has also been slowly releasing very detailed video tutorials about DSP and radio related topics. If you are interested in reverse engineering radio signals it is a very helpful series to watch.
Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913
Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914