Tagged: security

Defcon 2020 Online Talks: Satellite Eavesdropping & Detecting Fake 4G Base Stations

DEFCON 2020 was held online this year in and the talks were released a few days ago on their website and on YouTube. If you weren't already aware Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone basestations. Slides for these talks are available on the Defcon Media server under the presentations folder.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

GitHub: https://github.com/EFForg/crocodilehunter

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

Derpcon 2020 Talk: Breaking into the World of Software Defined Radio

Derpcon is a COVID-19 inspired information security conference that was held virtually between April 30 - May 1 2020. Recently the talks have been uploaded to their YouTube channel. One interesting SDR talk we've seen was by Kelly Albrink and it is titled "Ham Hacks: Breaking into the World of Software Defined Radio". The talk starts by giving a very clear introduction to software defined radio, and then moves on to more a complex topic where Kelly shows how to analyze and reverse engineer digital signals using a HackRF and Universal Radio Hacker.

RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal.

Ham Hacks: Breaking into the World of Software Defined Radio - Kelly Albrink

Performing a Side Channel TEMPEST Attack on a PC

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen could be captured, and converted back into a live image of what the screen is displaying. We have tutorials on how to do this with a program called TempestSDR available on a previous post of ours.

Recently Mikhail Davidov and Baron Oldenburg from duo.com have uploaded a write up about their TEMPEST experiments. The write up introduces the science behind TEMPEST eavesdropping first, then moves on to topics like software defined radios and antennas.

At the end of their post they perform some experiments like constantly writing data to memory on a PC, and putting the PCs GPU under varying load states. These experiments result in clear RFI bursts and pulsing carriers being visible in the spectrum, indicating that the PC is indeed unintentionally transmitting RF. They note that machine learning could be used to gather some information from these signals.

Their write up reminds us of previous TEMPEST related posts that we've uploaded in the past. One example is where an RTL-SDR was used to successfully attack AES encryption wirelessly via the unintentional RF emitted by an FPGA performing an encryption algorithm. Another interesting post was where we saw how a HackRF was used to obtain the PIN of a cyprocurrency hardware wallet via TEMPEST. Search TEMPEST on our blog for more posts like that.

TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.
TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.

Opening a Parking Barrier with a HackRF Portapack and a Replay Attack

Over on YouTube user kwon lee has uploaded a video demonstrating a replay attack against a parking barrier arm. The tools he uses are a HackRF and Portapack running the Havok firmware. A replay attack involves recording a control signal with the HackRF+Portapack, and then replaying it later with the transmit function of the HackRF. If no wireless security mechanism like rolling-codes are used, simply replaying the signal will result in the transmission being accepted by the controller receiver.

As he has access to the remote control he records the transmission that is sent when the open button is pressed on the remote. Later once outside he shows how transmitting with the HackRF+Portapack results in the barrier arm opening.

This reminds us of a previous post where we noted how a HackRF was used to jam a garage door keyfob to prevent people from leaving in the TV show "Mr. Robot".

RF Replay Attack _ Parking-Breaker via HackRFone+Portapack+havoc

Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain’s MyQ Hub, a “Universal” IoT garage door automation platform.  Such a device allows you to operate and monitor the status your garage door remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.

Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.

Although the system utilizes rolling codes for security,  McAfee researchers made use of the "rolljam" technique, which is one well known method for breaking rolling code security. The basic idea is to use an SDR or other RF device to jam the signal, collect the second rolling code after two key presses, then play back the first. Now the attacker has the second unused rolling code ready to be played back at any time.

McAfee Researchers Jam the actual signal (red) with a jamming signal (black)
McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they utilized a SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming and not the use of a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when he thinks that he is closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

McAfee Advanced Threat Research Demo Chamberlain MyQ

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas city.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

Tutorial on Performing a Replay Attack with a HackRF and Universal Radio Hacker

Over on YouTube channel Tech Minds has uploaded a short tutorial video that shows how to perform a replay attack with a HackRF and the Universal Radio Hacker software. A replay attack is when you record a control signal from a keyfob or other transmitter, and replay that signal using your recording and a TX capable radio. This allows you to take control of a wireless device without the original keyfob/transmitter. This is easy to do with simple wireless devices like doorbells, but not so easy with any system with rolling codes or more advanced security like most car key fobs.

In the video Tech Minds uses the Universal Radio Hacker software to record a signal from a wireless doorbell, save the recording, replay it with the HackRF, and also analyze it.

Universal Radio Hacker - Replay Attack With HackRF

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.