Tagged: security

Saveitforparts: Listening in on Russian Soldiers Hijacking US Military Satellites

Over on the saveitforparts YouTube channel, Gabe has uploaded a video showing how he uses WebSDR streams to show how Russians, including Russian soldiers, are using old US Military satellites for long-range communications around Ukraine.

In the '70s and '80s, the US government launched a fleet of satellites called "FLTSATCOM," which were simple radio repeaters up in geostationary orbit. This allowed the US military to easily communicate with each other worldwide. However, the technology of the time could not support encryption or secure access. So security relied entirely on only the US military's technological superiority of being the only one to have radio equipment that could reach the 243 - 270 MHz frequencies in use by these satellites. Of course, as time progressed, equipment that could reach higher frequencies became commonplace.

In the video, Gabe explains how many Russian soldiers involved in the Ukraine war are using these legacy satellites to communicate with each other. He notes that apart from voice comms, some channels are simply Russian propaganda and music, as well as some channels that appear to be jammed. Gabe also notes that the "UHF Follow-On Satellite" (UFO) satellites that were launched as recently as 2003 are also being hijacked, as they also have no encryption or secure access.

In the past, we also posted a previous video by Gabe about attempting to receive these satellites from his home in North America. However, on that side of the world, the satellites are being hijacked by Brazilian pirates instead.

Russia Is Hijacking US Military Satellites

The Taylorator: Flooding the Broadcast FM Band with Taylor Swift Songs using a LimeSDR

Over on Hackaday and creator Stephen's blog, we've seen an article about the 'Taylorator,' open source software for the LimeSDR that floods the broadcast FM band with Taylor Swift music. In his blog post, Stephen explains how he wrote this software, explaining the concepts behind audio preparation, FM modulation, and what computing hardware was required to implement it.

The advertised use case of the Taylorator is obviously a bit of a joke; however, as the video on Stephen's blog shows, his software can play a different song on every broadcast FM channel. So, there could be some use cases where you might want people to be able to tune an FM radio to custom music on each channel. Of course, you could also just use it to play a practical joke on someone.

In terms of legality, in his blog post, Stephen notes that blasting the broadcast FM band on every channel is probably not legal and may go against the spirit of low-power FM transmitter laws in most countries. However, he notes that spreading a few mW over 20 MHz of bandwidth results in a weak signal that is unlikely to travel very far. Regardless, we would advise potential users of the software to check their local laws before going ahead and playing around with something like this.

The software is open source and available on Stephen's GitLab.

The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel
The Taylorator: Broadcasting Taylor Swift songs on every broadcast FM channel

CCC Conference Talk: BlinkenCity – Radio-Controlling Street Lamps and Power Plants

In another talk at the Chaos Computer Club (CCC) 2024 conference, Fabian Bräunlein, and Luca Melette talked about how vulnerable Europe's renewable energy production is to attacks via the longwave radio ripple control system. Essentially, attacks over radio could be used to remotely switch loads and power plants on and off in a way that could damage the grid.

The recorded talk can be viewed directly via the CCC website, or via the embedded YouTube player below.  

A significant portion of Europe's renewable energy production can be remotely controlled via longwave radio. While this system is intended to stabilize the grid, it can potentially also be abused to destabilize it by remotely toggling energy loads and power plants.

In this talk, we will dive into radio ripple control technology, analyze the protocols in use, and discuss whether its weaknesses could potentially be leveraged to cause a blackout, or – more positively – to create a city-wide Blinkenlights-inspired art installation.

With three broadcasting towers and over 1.3 million receivers, the radio ripple control system by EFR (Europäische Funk-Rundsteuerung) GmbH is responsible for controlling various types of loads (street lamps, heating systems, wall boxes, …) as well as multiple gigawatts of renewable power generation (solar, wind, biogas, …) in Germany, Austria, Czechia, Hungary and Slovakia.

The used radio protocols Versacom and Semagyr, which carry time and control signals, are partially proprietary but completely unencrypted and unauthenticated, leaving the door open for abuse.

This talk will cover:

  • An introduction to radio ripple control
  • Detailed analysis of transmitted radio messages, protocols, addressing schemes, and their inherent weaknesses
  • Hardware hacking and reversing
  • Implementation of sending devices and attack PoCs
  • (Live) demonstrations of attacks
  • Evaluation of the abuse potential
  • The way forward
38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

CCC Conference Talk: Investigating the Iridium Satellite Network

Over the years, we've posted numerous times about the work of “Sec” and “Schneider,” two information security researchers who have been investigating the Iridium satellite phone network using SDRs. Iridium is a constellation of 66 satellites in low Earth orbit that supports global voice, data, and messaging services.

In a talk at the Chaos Computer Club (CCC) 2024 conference, they provided updates on their work. The recorded video of their talk has recently been uploaded to YouTube.

The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.

We'll cover a whole range of topics related to listening to Iridium satellites and making sense of the (meta) data that can be collected that way:

  • Overview of new antenna options for reception. From commercial offerings (thanks to Iridium Time and Location) to home grown active antennas.
  • How we made it possible to run the data extraction from an SDR on just a Raspberry Pi.
  • Running experiments on the Allen Telescope Array.
  • Analyzing the beam patterns of Iridium satellites.
  • Lessons learned in trying to accurately timestamp Iridium transmissions for future TDOA analysis.
  • What ACARS and Iridium have in common and how a community made use of this.
  • Experiments in using Iridium as a GPS alternative.
  • Discoveries in how the network handles handset location updates and the consequences for privacy.
  • Frame format and demodulation of the Iridium Time and Location service.
38C3 - Investigating the Iridium Satellite Network

SDR and RF Videos from DEFCON 32

Recently some videos from this year's DEFCON 32 conference have been uploaded to YouTube. DEFCON32 was held on August 8-11, 2024 at the Las Vegas Convention Center. DEFCON is a major yearly conference about information security, and some of the talks deal with wireless and SDR topics.

During the Defcon 32 wireless village, there were several interesting talks and the full playlist can be found here. The talks include introductions to software-defined radio, information about synthetic aperture radar laws, transmitting RF signals without a radio,  information about the allen radio telescope array, an introduction to the electronic warfare being used in Ukraine and much more.

Over on the DEFCON 32 main stage, there were also several interesting RF-related talks including:

  • RF Attacks on Aviation's Defense Against Mid-Air Collisions (Video)
  • Breaking the Beam:Exploiting VSAT Modems from Earth (Video)
  • GPS spoofing it's about time, not just position (Video)
  • MoWireless MoProblems: Modular Wireless Survey Sys. & Data Analytics (Video)
DEFCON32 Logo
DEFCON32 Logo

HackRF and Portapack Featured in Recent Linus Tech Tips Video

Over on YouTube the Linus Tech Tips channel has recently released a video about the HackRF titled "It’s TOO Easy to Accidentally Do Illegal Stuff with This". Linus Tech Tips is an extremely popular computer technology YouTube channel. The HackRF is a popular transmit capable software defined radio that was released about 10 years ago. The portapack is an add-on for the HackRF that allows the HackRF to be used as a handheld device, and when combined with the Mayhem firmware, it enables easy access to some controversial tools that could get a user into a lot of legal trouble very fast.

In the video Linus, whose team is based in Canada, mentions that they decided to purchase the HackRF and similar devices because of the Canadian government's plan to ban various RF tools, including the Flipper Zero and HackRF.

Linus then discusses and demonstrates "van eck phreaking" with TempestSDR, showing how he can use the HackRF to recover the video from a PC monitor wirelessly. He then goes on to demonstrate how the Portapack can be used to jam a wireless GoPro camera transmitting over WiFi. 

Finally, Linus discusses the legality and morality of such devices being available on the market.

It’s TOO Easy to Accidentally Do Illegal Stuff with This

YouTube Video Series on Iridium Satellite Decoding with an Airspy, RTL-SDR Blog Patch Antenna and DragonOS

Over on his YouTube channel, Rob VK8FOES has started a new video series about Iridium Satellite Decoding. Iridium is a constellation of low-earth orbiting satellites that provide voice and data services. Iridium was first decoded with low cost hardware by security researchers back in 2016 as mentioned in this previous post. Being unencrypted it is possible to intercept private text and voice communications.

Rob's video is part of a series, and so far only part one has been uploaded. The first video outlines the hardware and software requirements for Iridium decoding and demonstrates the gr-iridium software. An Airspy and RTL-SDR Blog Patch Antenna are used for the hardware, and the software runs on DragonOS.

Rob writes that in part two he will demonstrate the use of iridium-toolkit, which can be used to extract data and recordings from the Iridium data provided from gr-iridium.

Be sure to subscribe to his YouTube channel so that you are notified when part two is released.

Iridium Satellite Decoding Part 1: The Tutorial That Goes Over Your Head, Literally!

WarDragon: Testing EMEye/TempestSDR with Wyze Cam Pan V2 Cameras and a USRP B210

Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.

Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.

In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.

I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.

Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.

If you're interested we reviewed WarDragon in a recent post as well.

WarDragon EMEye/TempestSDR Camera Eavesdropping Attack Research (B210, Airspy R2, Wzye Cam Pan v2)