Tagged: security

Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this years Defcon conference security researcher Pedro Cabrera held a talk titled  "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and drone. The concept he demonstrated is conceptually simple - just broadcast a more powerful signal so that the TV will begin receiving the fake signal instead. However, instead of transmitting with extremely high power, he makes use of a drone that brings a HackRF SDR right in front of the targets TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.
Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. In most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East they use smart TV's with the HbbTV standard. This allows for features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedros talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering


Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is  tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.
Features of Quandl Inc's Corporate Aviation Intelligence Service.

Medtronic Minimed Insulin Pumps Recalled due to Wireless Security Vulnerabilities

A MiniMed Insulin Pump

Back at the 2018 Black Hat conference it was revealed by security researchers Billy Rios and Jonathan Butts that a HackRF could be used to take control of a Medtronic insulin pump. Back then FDA advisories were issued, but recently a new warning noting that Medtronic MiniMed 508 and Paradigm series insulin pumps could be vulnerable to wireless attacks was again issued. The vulnerabilities could allow hackers to wireless cause the device to deliver excessive amounts of insulin or stop insulin delivery. 

Apparently the vulnerabilities cannot be fixed with a software update, so Medtronic have issued a voluntary recall, asking customers to contact their healthcare providers so that they can upgrade to their newer units which are more secure (although these newer units are not available everywhere outside the USA). We also note that Medtronic implantable cardiac defibrillators (ICDs) which appear to share the same vulnerability do not appear to have been recalled. For both the insulin pumps and ICDs, the issues stem from the fact that the "Conexus" wireless protocol used in the products do not use encryption, authentication or authorization.

A newspaper article at theregister.co.uk writes:

Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump uses and its CareLink controller device was insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.

"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."

Previously we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

SignalsEverywhere Podcast: Satcom Piracy Interview

Corrosive from the SignalsEverywhere YouTube channel has released a new episode of his podcast. In this episode Corrosive interviews an anonymous informant who has an interesting story about his involvement with the UHF Military SATCOM pirate radio scene in Brazil. Corrosive also explains a bit further about what SATCOM is and why it's so susceptible to piracy. He also notes that piracy on Inmarsat L-band frequencies is also becoming more common.

The UHF-SATCOM band is anywhere between 243 - 270 MHz and contains fairly strong signals from many several US satellites that can be received with a simple antenna and any UHF radio/SDR. Many of the satellites are simple repeaters without security, and pirates from Mexico and South America often hijack the satellite for their own personal use. In the past, and possibly even still today hijackers involved in drug trafficking and other illegal activities made use of these insecure military satellites for long range communications. Reception of these satellites is generally available in Canada, US, Mexico, South America, Europe and Africa.

Satcom Crackdown; Satellite Piracy on After The Show Podcast

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Arstechnica ran an in depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been used as far back as 1938 and earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system can help the pilot to center the aircraft on the runway, and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument to help pilots land especially when optical visibility is poor such as at night or during bad weather/fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and directional antenna lined up with the runway. Also as most airports monitor for interference the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but the requirements for a strong signal and thus large power amplifier and directional antenna would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofers choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data
C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance ran, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports. 

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data
C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.