Tagged: security

ESP32 Bus Pirate: Turn your ESP32 into a Multi-Purpose Hacker Tool

Thank you to "Geo" for writing in and sharing with us his open source project called "ESP32-Bus-Pirate" which he thinks might be of interest to those in the RTL-SDR community. The ESP32 is a popular low-cost microcontroller due to the fact that it has WiFi and Bluetooth capabilities built in. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in hardware radio components to achieve various interesting feats. Geo writes:

This firmware turns an inexpensive ESP32-S3 board into a multi-protocol debugging and hacking tool, inspired by the original Bus Pirate and the Flipper Zero.

It currently supports a wide range of protocols and devices, including I²C, SPI, UART, 1-Wire, CAN, infrared, smartcards, and more. It also communicates with radio protocols as Subghz, RFID, RF24, WiFi, Bluetooth.

Compared to existing solutions, the focus is on:

Accessibility — runs on cheap ESP32-S3 hardware (around $7–$10).

Versatility — one device can probe, sniff, and interact with multiple buses.

Extensibility — open-source and modular, making it easy to add new protocol support.

I believe this could be useful for hardware hackers, security researchers, and hobbyists looking for a low-cost, flexible alternative to commercial tools.

With the firmware installed on a compatible ESP32 device, it is possible to create WiFi, Bluetooth, and RF24 sniffers, scanners, and spoofers, as well as perform general sub-GHz and RFID sniffing, scanning, and replay attacks. It also has a host of non-RF capabilities useful for hacking devices.

Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

Over on YouTube Talking Sasquach has recently tested custom firmware for the Flipper Zero that can entirely break the rolling code security system used on most modern vehicles. Rolling code security works by using a synchronized algorithm between a transmitter and receiver to generate a new, unique code for each transmission, preventing replay attacks and unauthorized access.

In the past we've discussed an attack against rolling code security systems called RollJam, which works by jamming the original keyfob signal so the vehicle cannot receive it, and at the same time recording it for later use. However, this attack is difficult to perform in reality.

For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to the Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes. However, another article mentions that the firmware is based on the "RollBack" attack, which works by playing back captured rolling codes in a specific order to initiate a 'rollback' of the synchronization system.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

Flipper Zero DarkWeb Firmware Copies My Key Fob! I'll Explain How this Works!

TEMPEST-LoRa: Emitting LoRa Packets from VGA or HDMI Cables

University researchers from China have recently shown in a research paper that it is possible to maliciously cause a VGA or HDMI cable to emit LoRa compatible packets by simply displaying a full-screen image or video. This has potential security implications as a malicious program could be used to leak sensitive information over the air, completely bypassing any internet or air-gap security systems.

In the past, we have demonstrated that TEMPEST techniques can be used to spy on monitors and security cameras by analyzing the unintentional signals they emit. This research takes the idea a step further by determining what particular images need to be displayed to create a LoRa packet with data. 

In the paper, the researchers mention using either off-the-shelf LoRa devices or low-cost SDRs such as the HackRF to receive the packets. The advantage of the SDR method is that it allows for customization of the frequency and the use of LoRa-like packets, which can achieve even longer ranges and higher data rates. The team show that they were able to achieve a receive range of up to 132 meters and up to 180 kbps of data rate.

TEMPEST-LoRa Test Setup
TEMPEST-LoRa Test Setup
Geek Trick! This picture is transmitting LoRa wireless signals!

Saveitforparts: Listening in on Russian Soldiers Hijacking US Military Satellites

Over on the saveitforparts YouTube channel, Gabe has uploaded a video showing how he uses WebSDR streams to show how Russians, including Russian soldiers, are using old US Military satellites for long-range communications around Ukraine.

In the '70s and '80s, the US government launched a fleet of satellites called "FLTSATCOM," which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other worldwide. However, the technology of the time could not support encryption or secure access. So security relied entirely on only the US military's technological superiority of being the only one to have radio equipment that could reach the 243 - 270 MHz frequencies in use by these satellites. Of course, as time progressed, equipment that could reach higher frequencies became commonplace.

In the video, Gabe explains how many Russian soldiers involved in the Ukraine war are using these legacy satellites to communicate with each other. He notes that apart from voice comms, some channels are simply Russian propaganda and music, as well as some channels that appear to be jammed. Gabe also notes that the "UHF Follow-On Satellite" (UFO) satellites that were launched as recently as 2003 are also being hijacked, as they also have no encryption or secure access.

In the past, we also posted a previous video by Gabe about attempting to receive these satellites from his home in North America. However, on that side of the world, the satellites are being hijacked by Brazilian pirates instead.

Russia Is Hijacking US Military Satellites

The Taylorator: Flooding the Broadcast FM Band with Taylor Swift Songs using a LimeSDR

Over on Hackaday and creator Stephen's blog, we've seen an article about the 'Taylorator,' open source software for the LimeSDR that floods the broadcast FM band with Taylor Swift music. In his blog post, Stephen explains how he wrote this software, explaining the concepts behind audio preparation, FM modulation, and what computing hardware was required to implement it.

The advertised use case of the Taylorator is obviously a bit of a joke; however, as the video on Stephen's blog shows, his software can play a different song on every broadcast FM channel. So, there could be some use cases where you might want people to be able to tune an FM radio to custom music on each channel. Of course, you could also just use it to play a practical joke on someone.

In terms of legality, in his blog post, Stephen notes that blasting the broadcast FM band on every channel is probably not legal and may go against the spirit of low-power FM transmitter laws in most countries. However, he notes that spreading a few mW over 20 MHz of bandwidth results in a weak signal that is unlikely to travel very far. Regardless, we would advise potential users of the software to check their local laws before going ahead and playing around with something like this.

The software is open source and available on Stephen's GitLab.

The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel
The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel

CCC Conference Talk: BlinkenCity – Radio-Controlling Street Lamps and Power Plants

In another talk at the Chaos Computer Club (CCC) 2024 conference, Fabian Bräunlein, and Luca Melette talked about how vulnerable Europe's renewable energy production is to attacks via the longwave radio ripple control system. Essentially, attacks over radio could be used to remotely switch loads and power plants on and off in a way that could damage the grid.

The recorded talk can be viewed directly via the CCC website, or via the embedded YouTube player below.  

A significant portion of Europe's renewable energy production can be remotely controlled via longwave radio. While this system is intended to stabilize the grid, it can potentially also be abused to destabilize it by remotely toggling energy loads and power plants.

In this talk, we will dive into radio ripple control technology, analyze the protocols in use, and discuss whether its weaknesses could potentially be leveraged to cause a blackout, or – more positively – to create a city-wide Blinkenlights-inspired art installation.

With three broadcasting towers and over 1.3 million receivers, the radio ripple control system by EFR (Europäische Funk-Rundsteuerung) GmbH is responsible for controlling various types of loads (street lamps, heating systems, wall boxes, …) as well as multiple gigawatts of renewable power generation (solar, wind, biogas, …) in Germany, Austria, Czechia, Hungary and Slovakia.

The used radio protocols Versacom and Semagyr, which carry time and control signals, are partially proprietary but completely unencrypted and unauthenticated, leaving the door open for abuse.

This talk will cover:

  • An introduction to radio ripple control
  • Detailed analysis of transmitted radio messages, protocols, addressing schemes, and their inherent weaknesses
  • Hardware hacking and reversing
  • Implementation of sending devices and attack PoCs
  • (Live) demonstrations of attacks
  • Evaluation of the abuse potential
  • The way forward
38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

  • Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.
  • How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.
  • Running experiments on the Allen Telescope Array.
  • Analyzing the beam patterns of Iridium satellites.
  • Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.
  • What ACARS and Iridium have in common and how a community made use of this.
  • Experiments in using Iridium as a GPS alternative.
  • Discoveries in how the network handles handset location updates and the consequences for privacy.
  • Frame format and demodulation of the Iridium Time and Location service.
38C3 - Investigating the Iridium Satellite Network

SDR and RF Videos from DEFCON 32

Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly conference about information security, and some of the talks deal with wireless and SDR topics.

During the Defcon 32 wireless village, there were several interesting talks and the full playlist can be found here. The talks include introductions to software-defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio,  information about the allen radio telescope array, an introduction to the electronic warfare being used in Ukraine and much more.

Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including:

  • RF Attacks on Aviation's Defense Against Mid-Air Collisions (Video)
  • Breaking the Beam:Exploiting VSAT Modems from Earth (Video)
  • GPS spoofing it's about time, not just position (Video)
  • MoWireless MoProblems: Modular Wireless Survey Sys. & Data Analytics (Video)
DEFCON32 Logo
DEFCON32 Logo