Tagged: rtl-sdr

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in Europe and in many other countries outside the USA. A major advantage of a digital communications protocol like TETRA is its ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands discovered a collection of five vulnerabilities collectively called "TETRA:BURST"; most of the five apply to almost every TETRA network in the world. The two most critical vulnerabilities allow TETRA traffic to be easily decrypted or attacked using consumer hardware.

The first critical vulnerability, designated CVE-2022-24401, is described as a decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability, CVE-2022-24402, notes that a backdoor has been built into TEA1-encrypted TETRA, which allows for very easy brute-force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the Black Hat security conference. Due to the sensitivity of the findings, the team held them back for over 1.5 years, notifying as many affected parties as possible and releasing recommended mitigations. It is unclear at the moment how many TETRA providers have implemented the mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler: he discovered that many police radios in his country had authentication turned off when it should have been on.

TETRA Decoding (with telive on Linux)

Fox Hunting with the KrakenSDR

Over on his YouTube channel Mark Jessop has uploaded some dash cam footage showing him using a KrakenSDR and a custom LED display to hunt down three amateur radio transmitters during a fox-hunt.

An amateur radio fox-hunt is an activity where someone will hide a transmitter within a defined area, and it is up to the hunters to use radio direction finding equipment to find it. The KrakenSDR is our 5-channel coherent radio based on RTL-SDRs, and it can be used for applications like radio direction finding.

Mark uses a custom four-element array on the roof of his car, which is connected to his KrakenSDR. Instead of the KrakenSDR app, Mark prefers to use his custom LED HUD to display the bearings and signal power directly.

Some annotated and sped-up dash-cam footage captured during the July 2023 Amateur Radio Experimenters Group Fox-hunt. We run these monthly, and usually have three transmitters hidden around the Adelaide (South Australia) area.

I run a KrakenSDR with a custom-built 4-element antenna array mounted to the roof of my car. This gives me direction estimates to the target transmitter, at least when the signals are strong enough!

I've also built a heads-up display which helps me safely make use of the KrakenSDR's output data while driving. The source code for this is here: https://github.com/darksidelemm/neopixel-doa-display

The display is shielded so it's not visible from outside the car - Red & Blue lights on your dashboard can give the wrong impression!

AREG Fox-hunt - 14th July 2023

Goestools Now Ported to Run on Windows

Thank you to Carl Reinemann (aka USRadioGuy) for letting us know through his blog post that goestools has recently been ported to Windows. Goestools is a software package used to receive and decode images from GOES weather satellites. In the past it was only available for Linux systems; however, thanks to the work of Jamie Vital, goestools has now been ported and can run on Windows. Carl Reinemann has confirmed that the software runs perfectly on Windows. Our GOES tutorial should also be easily modified to work with the Windows port.

The Windows port can be downloaded from goestools-win on GitHub. If you are interested, Jamie Vital is also the author of Vitality GOES, which is a program that can display the received weather images in a nice GUI.

Alternatively, we note that another cross-platform GOES decoder is SatDump, which is currently the most popular choice for GOES.

Goestools on Windows

Building a DIY Portable 137 MHz Yagi Antenna for LRPT

Over on his YouTube channel dereksgc has uploaded the next video in his series on satellite reception. In this video he shows how to build a Yagi antenna tuned for 137 MHz, which is great for receiving NOAA APT and Meteor M2-3 LRPT. Note that a Yagi antenna will give you stronger reception compared to a turnstile, QFH or V-Dipole, but as it is a directional antenna you will need to manually point it towards the satellite as it passes over your location.

For Meteor M2-3 LRPT, a Yagi antenna may be beneficial, as it appears this satellite is having some issues with signal strength, due to a possibly defective antenna that did not fully unfold on the satellite.

The Yagi antenna design is a four element design, with one reflector, two directors and one driven dipole element. The physical construction consists of a piece of wood for the boom, brass welding rods for the elements, and a terminal block for the active dipole element. 3D printed handles are added for easy holding and the RTL-SDR and LNA sit directly on top of the boom.

DIY portable 137 MHz yagi antenna (for good LRPT) || Satellite reception pt.13

Receiving Unintentional Voice Transmissions from GPS Satellites

Over on dereksgc's YouTube channel we've found a few more recent videos from his satellite decoding series that people may find interesting. One from two weeks ago shows how it is possible to receive voice transmissions relayed by navigation satellites such as GPS.

Many navigational and meteorological satellites carry a search and rescue (SAR) repeater which is intended to receive UHF emergency locator beacons and rebroadcast them in the L-band or higher. However the repeaters appear to be picking up all sorts of other signals from the ground, including voice transmissions. Dereksgc notes that the theory is that there are some land based communications systems in some countries that are sharing frequencies that emergency locator beacons use, or that malicious pirates may be actively using these SAR repeaters for their own communications.

Dereksgc shows examples of retransmitted signals on the Beidou, GLONASS and Elektro-L satellite downlinks at 1.5442 GHz and at 2.226 MHz for the GPS satellites. He also shows what sort of satellite dish and feed setup you need. In the video he uses a HackRF as the SDR, but you could also use an RTL-SDR for the satellites that transmit at 1.5442 GHz.

Receiving voice transmissions from GPS satellites || Satellite reception pt.10

Video on Meteor M2-3 LRPT, HRPT and Telemetry Reception

Over on YouTube dereksgc has another video on Meteor M2-3 reception. In the video Derek goes over the history of Meteor M launches and then tests reception of the 3.4 GHz telemetry signal, which he recorded shortly after the satellite's launch.

The next day he sets up 1.7 GHz HRPT reception using a hand-tracked satellite dish and succeeds in receiving it. He then tests 137 MHz LRPT reception with a V-dipole antenna and an RTL-SDR and is also successful. Finally he decodes the recordings using SatDump and obtains some great images.

Derek also notes that there might be a problem with the LRPT antenna which could explain some reports of poor reception at some elevations of the satellite. He notes that it seems likely that the QFH antenna extension process on the satellite didn't extend fully or at all.

Receiving Meteor-M N2-3 LRPT and HRPT || Satellite reception pt.11

Saveitforparts: Receiving Images from the new Russian Satellite Meteor M2-3

A few days ago we posted about the successful launch and deployment of the latest Russian Meteor M2-3 weather satellite. The satellite is currently actively transmitting LRPT weather images.

Over on his YouTube channel, "saveitforparts" has uploaded a video showing how he received images from the new satellite using his RTL-SDR. His method involves first recording the signal pass on a Raspberry Pi with rtl_fm, and then passing that wav file into SatDump for decoding and image generation.

We note that it is also possible to directly live decode the pass using SatDump, however a Raspberry Pi may be a little too slow to run the GUI version of SatDump. Instead you could use rtl_tcp on the Pi and run SatDump on a networked PC, or simply run the RTL-SDR and SatDump on the PC or a more powerful device like an Orange Pi 5.

Ultimately he runs into some unresolved problems with the decoding process, but still ends up with a decent image.

Grabbing Images From New Russian Satellite (Meteor M2-3)

KrakenSDR Low Power FM Transmitter Hunt

If you weren't already aware, KrakenSDR is our 5-channel coherent radio based on RTL-SDRs, and it can be used for applications like radio direction finding. KrakenSDR is in stock and can be purchased from CrowdSupply or Mouser. More information is also available on our website at krakenrf.com.

In this video we are using a KrakenSDR to hunt for the location of a low power FM transmitter (LPFM) station at 106.7 MHz. These low power FM transmitters are legal as unlicensed transmitters as long as they operate under certain restrictions, the main one being that they transmit at under 1 watt EIRP. LPFM stations are typically operated by local communities or niche radio stations.

Because they are unlicensed, there is no official record and their location doesn't show up in the radio spectrum management database. A requirement of LPFM is that the station broadcast the contact information of the owners regularly, but it can be difficult to locate non-compliant stations that don't do this. But the KrakenSDR makes finding them easy.

The array is 45cm in radius, which is about the maximum that my RAV4 car roof can fit. Some of the antennas sit on a slight curve on the roof, but this appears to have negligible effect. The spacing factor is about 0.19 (optimal is 0.5 - a much larger radius), but even 0.19 is sufficient to find the transmitter fairly easily.

KrakenSDR Low Power FM Transmitter Hunt
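The spacing factor quoted in the description above can be checked numerically. For a uniform circular array, adjacent elements are a chord of 2r·sin(π/N) apart, and the spacing factor is that chord divided by the wavelength. The following is an added example, not code from the post or from the KrakenSDR project; the 45 cm radius, five elements and 106.7 MHz are taken from the text, and the 0.5 limit it mentions is checked as an assumption about the usable range.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def uca_spacing_factor(radius_m: float, n_elements: int, freq_hz: float) -> float:
    """Spacing factor of a uniform circular array (UCA).

    Adjacent elements on a circle of radius r with N elements are
    2*r*sin(pi/N) apart (the chord length). The spacing factor is that
    chord length expressed in wavelengths.
    """
    wavelength = C / freq_hz
    chord = 2.0 * radius_m * math.sin(math.pi / n_elements)
    return chord / wavelength


def uca_radius_for_spacing(target_factor: float, n_elements: int, freq_hz: float) -> float:
    """Inverse of uca_spacing_factor: radius needed for a target spacing factor."""
    wavelength = C / freq_hz
    return target_factor * wavelength / (2.0 * math.sin(math.pi / n_elements))


def spacing_is_usable(factor: float, max_factor: float = 0.5) -> bool:
    """Assumption: factors above 0.5 wavelengths make bearings ambiguous."""
    return 0.0 < factor <= max_factor


if __name__ == "__main__":
    # Values from the post: 45 cm radius, 5 elements, 106.7 MHz LPFM station.
    f = uca_spacing_factor(0.45, 5, 106.7e6)
    r_opt = uca_radius_for_spacing(0.5, 5, 106.7e6)
    print(f"spacing factor at 45 cm: {f:.3f} (usable: {spacing_is_usable(f)})")
    print(f"radius needed for 0.5:   {r_opt:.2f} m")
```

With the figures from the description this reproduces the quoted 0.19 and shows that reaching the optimal 0.5 at 106.7 MHz would need a roughly 1.2 m radius, far beyond what fits on a car roof.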