Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly conference about information security, and some of the talks deal with wireless and SDR topics.
During the Defcon 32 wireless village, there were several interesting talks and the full playlist can be found here. The talks include introductions to software-defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio, information about the allen radio telescope array, an introduction to the electronic warfare being used in Ukraine and much more.
Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including:
RF Attacks on Aviation's Defense Against Mid-Air Collisions (Video)
Breaking the Beam:Exploiting VSAT Modems from Earth (Video)
GPS spoofing it's about time, not just position (Video)
MoWireless MoProblems: Modular Wireless Survey Sys. & Data Analytics (Video)
Over on YouTube the Linus Tech Tips channel has recently released a video about the HackRF titled "It’s TOO Easy to Accidentally Do Illegal Stuff with This". Linus Tech Tips is an extremely popular computer technology YouTube channel. The HackRF is a popular transmit capable software defined radio that was released about 10 years ago. The portapack is an add-on for the HackRF that allows the HackRF to be used as a handheld device, and when combined with the Mayhem firmware, it enables easy access to some controversial tools that could get a user into a lot of legal trouble very fast.
In the video Linus, whose team is based in Canada, mentions that they decided to purchase the HackRF and similar devices because of the Canadian government's plan to ban various RF tools, including the Flipper Zero and HackRF.
Linus then discusses and demonstrates "van eck phreaking" with TempestSDR, showing how he can use the HackRF to recover the video from a PC monitor wirelessly. He then goes on to demonstrate how the Portapack can be used to jam a wireless GoPro camera transmitting over WiFi.
Finally, Linus discusses the legality and morality of such devices being available on the market.
It’s TOO Easy to Accidentally Do Illegal Stuff with This
Over on his YouTube channel, Rob VK8FOES has started a new video series about Iridium Satellite Decoding. Iridium is a constellation of low-earth orbiting satellites that provide voice and data services. Iridium was first decoded with low cost hardware by security researchers back in 2016 as mentioned in this previous post. Being unencrypted it is possible to intercept private text and voice communications.
Rob's video is part of a series, and so far only part one has been uploaded. The first video outlines the hardware and software requirements for Iridium decoding and demonstrates the gr-iridium software. An Airspy and RTL-SDR Blog Patch Antenna are used for the hardware, and the software runs on DragonOS.
Rob writes that in part two he will demonstrate the use of iridium-toolkit, which can be used to extract data and recordings from the Iridium data provided from gr-iridium.
Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.
Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.
In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.
I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.
Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.
In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.
SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as the RTL-SDR and TX capable SDRs like the HackRF, bladeRF and USRP radios.
The OS has a built in launcher UI that helps to automatically launch and set up parameters for various programs and GNU Radio scripts that are commonly used. Examples include an FM transmitter, GPS transmitter, GSM base station searcher, IMSI catcher, LTE base station searcher, LTE decoder and a jammer.
SigintOS 2.0 Community Edition; It was developed to provide a much better experience to its users. With a new interface, more stable and powerful infrastructure and development environment, it allows users to develop new tools in addition to existing tools.
Developing Signal Intelligence tools is now much easier with SigintOS™
It is now much easier to develop your own tools with SigintOS™, which contains the world’s most famous and free signal processing and communication software. You can develop them effortlessly with tools such as QT and KDevelop.
Say hello to the 5G World!
SigintOS™ offers you all the possibilities of the 5G world, free of charge and effortlessly!
TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in European and many countries other than the USA. A major advantage to a digital communications protocol like TETRA is it's ability to be secured via encryption.
Recently the security researchers at Midnight Blue in the Netherlands have discovered a collection of five vulnerabilities collectively called "TETRA:BURST" and most of the five vulnerabilities apply to almost every TETRA network in the world. These two most critical vulnerabilities allow TETRA to be easily decrypted or attacked by consumer hardware.
The first critical vulnerability is designated CVE-2022-24401 is described as decryption oracle attack.
The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
The second vulnerability CVE-2022-24402 notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for a very easy brute force decryption.
The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team have also held back on their findings for over 1.5 years, notifying as many affected parties as possible, and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.
For more detail about the possible implications the team write:
The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.
The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.
The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.
Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.
Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.
Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.
We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.
A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.
The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.
In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.
However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.
Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.
So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system.
It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.
(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)
Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023