Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.
Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015.
At this years ICNP 2020 IEEE conference a paper titled "Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting" (pdf file) was presented by researchers from Harbin Engineering University in China. The idea presented in the paper is to use RF "fingerprinting" techniques to uniquely identify and confirm that the ADS-B signal originates from the correct aircraft source.
RF fingerprinting works on the premise that every transmitter has small manufacturing variances that result in slightly different signals be transmitted, resulting in a unique "fingerprint" that can be traced to a particular transmitter. The idea here is to use these fingerprints to ensure that a known aircraft is indeed transmitting an ADS-B signal and the signal is not being transmitted from a fake spoofer. ADS-B is completely unencrypted and not authenticated, so spoofing of ADS-B signals may be a real security threat.
In the teams research they use an RTL-SDR to collect ADS-B signals from five different aircraft. They then use that data to create "Contour Stellar Images" and train a deep learning neural network which after training accurately identifies which aircraft a signal comes from.
Over on his YouTube channel Kalle Hallden has uploaded a video demonstrating how to perform a replay and "rolljam" attack on a wireless car key with an RTL-SDR and Yardstick One. His first experiment is a simple replay attack which involves recording the unlock signal from the car key with the Yardstick One in a place far away from the car so that it is not received, then replaying it close by.
This works well, but Kalle then explains rolling code security and how this would easily thwart any replay attack in the real world. However, he then goes on to explain and demonstrate the "rolljam" technique, which is one known way to get around rolling code security. The demonstrations are obviously not full tutorials, but are just high level overviews of how wireless security can be defeated.
A few weeks ago we posted about the recently uploaded talks listed on the Defcon YouTube channel. However, there is a second YouTube channel dedicated to talks presented as part of the Defcon Aerospace Village which was also held virtually. A number of these talks involve software defined radios and RTL-SDRs and so may be of interest to readers. We have listed a few interesting talks below, but the full list can be found on their YouTube channel.
A Deeper Dive into ILS and ADS-B Spoofing - Harshad Sathaye discusses weaknesses in the security of the Instrument Landing System and ADS-B and how these can be spoofed.
Introduction to ACARS - Alex Lomas explains aircraft ACARS text messages in detail and discusses receiving them with an RTL-SDR
Low-Cost VHF Receiver - Alan Tart, Fabian Landis show how to build a low cost VHF airband receiver from an RTL-SDR, Raspberry Pi and the RTLSDR-Airband software.
At the BSides OK 2020 virtual conference Cameron Mac Millan recently presented a talk titled "It’s 2020, so why am I still able to read your pager traffic?". On this blog we have posted numerous times about privacy breaches stemming from insecure wireless pager traffic. Anyone with a radio or SDR can receive and decode pager messages, and this has been known and done since the 1980's. Cameron's talk explains how paging systems work, who are the modern users of pagers, how to capture and decode pager messages and how to best log and filter through messages. He goes on to describe a number of major pager security breaches that he's personally seen. The talk preview reads:
This talk explores why pagers remain a potential threat vector in many environments despite the technology being 40 years old. This is not a the-sky-is-falling presentation: everything from paging history to how simple it is to decode pager traffic (and the associated risks) is covered without FUD.
I enjoy poking things with sticks and turn over rocks to see what crawls out from under them. One of my interests is seeing how technologies believed to be obsolete can still pose a problem for security today, and do that from the perspective of a 20-year career in infosec. When not creating tomorrow’s problems with yesterday’s technology, I can usually be found wrenching on unusual cars.
It’s 2020, so why am I still able to read your pager traffic? - Cameron Mac Millan - BSidesOK 2020
Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio which runs the Airscope software. The technique exploits a flaw in how some LTE carriers are implementing their keystream. A keystream is a stream of random data combined with the actual voice data, resulting in encrypted data.
It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can then record an encrypted conversation, then immediately call the victim after that conversation. The attacker can now access the encrypted keystream, and as the keystream is identical to the first conversation, the first conversation can now be decoded.
The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.
The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).
For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.
The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commerical LTE network.
A few days ago we posted about two SDR related DEFCON talks which were recently released. One of the talks was about detecting fake 4G base stations with a bladeRF SDR and a tool they created called "Crocodile Hunter". It is currently compatible with the bladeRF x40 and USRP B200. The talk summary is posted below as it nicely summarizes what fake 4G base stations are and what Crocodile Hunter can do.
4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.
In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).
The Crocodile Hunter software is apparently a little difficult to install and get running, so Aaron who runs DragonOS YouTube tutorial channel has uploaded a video documenting how to install and configure the software. The tutorial assumes that you are the running the latest DragonOS image which already includes a lot of the prerequisite software, and in his example he uses a USRP B205mini-i SDR.
DEFCON 2020 was held online this year in and the talks were released a few days ago on their website and on YouTube. If you weren't already aware Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone basestations. Slides for these talks are available on the Defcon Media server under the presentations folder.
DEF CON Safe Mode - James Pavur - Whispers Among the Stars
Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.
The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.
The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.
The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.
DEF CON Safe Mode - James Pavur - Whispers Among the Stars
DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time
4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.
In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).
