Tagged: security

The KiwiSDR Backdoor Situation

Since it's announcement in early 2016 we've posted many times about the KiwiSDR, a 14-bit wideband RX only HF software defined radio created by John Seamons (ZL/KF6VO). The KiwiSDR has up to 32 MHz of bandwidth, so it can receive the entire 10 kHz - 30 MHz VLF/LF/MW/HF spectrum all at once.

Compared to most other SDRs the KiwiSDR is a little different as it is designed to be used as a public web based SDR, meaning that KiwiSDR owners can optionally share their KiwiSDR online with anyone who wants to connect to it. The public functionality allows for some interesting distributed applications, such as TDoA direction finding, which allows users to pinpoint the location of unknown HF transmissions such as numbers stations.

In order to implement this online capability, the KiwiSDR runs custom open source software on a Beaglebone single board computer which connects to your home network. Recently there has been vocal concern about a security flaw in the software which could allow hackers to access the KiwiSDR. The flaw stems from the fact that the KiwiSDR has 'backdoor' remote admin access that allows the KiwiSDR creator to log in to the device and troubleshoot or make configuration changes if required. This backdoor has been public knowledge in the KiwiSDR forums since 2017, although not advertised and explicit consent to have it active and used was not required.

The intent of the backdoor is of course not malicious, instead rather intended as an easy way to help the creator help customers with configuration problems. However, as KiwiSDR owner Mark Jessop notes, the KiwiSDR operates in HTTP only, sending the admin master password in the clear. And as KiwiSDR owner and security researcher @xssfox demonstrates, the admin page gives full root console access to the Beaglebone. These flaws could allow a malicious party to take over the Beaglebone, install any software and perhaps work their way onto other networked devices. Another tweet from xssfox implies that the password hashes are crackable, allowing the main admin password to be easily revealed.

Creator John Seamons has already released a patch to disable the admin access, and as of the time of this article 540 out of 600 public KiwiSDRs have already been auto-updated. Owners of KiwiSDR clones should seek out updates from the cloner.

It is clear that the KiwiSDR is a passion project from John who has dedicated much of his time and energy to consistently improving the technical RF engineering side of the device and software. However we live in an age where malicious hacking of devices is becoming more common, so anyone releasing products and software that network with the internet should be reminded that they have a responsibility to also dedicate time to ensuring security.

John has reached out to us in advance and noted that he currently cannot yet comment publicly on this topic due to legal advice.

The KiwiSDR
The KiwiSDR

Demonstrating How Speakers Can Become an Unintentional RF Transmitter

Over on YouTube channel Privacy & Tech Tips has uploaded a video showing how he used an RTL-SDR to pick up RF emissions coming from some speakers that were unintentionally acting as wireless microphones. He goes on to show how you can clean up the noisy received audio in Audacity using the noise reduction filter.

I show how electromagnetic emissions from personal devices many times turn our devices into (potential) remote listening + transmitting devices when active (as demonstrated). I discovered my speakers unintentionally transmitting audio (speaker acting as microphone) to a few different frequencies via GQRX recording (computer/Pinetab microphones completely disabled).

There are a few frequencies you can tune into to listen in remotely. This includes listening in to conversations in the room as the speaker also acts as a microphone when playing sound (***tested only on my own devices***).

When the speaker volume is turned down, the signal goes down and the broadcast goes away. When the speaker volume is down, it no longer functions as a remote microphone + transmitter.

We use Audacity to clean up the audio. GQRX is used to record the signals which are filtered on the Pinetab with internal RTL-SDR. Audio processing/noise reduction done running Parrot Linux using Audacity.

We touch on the fact all electronic devices give off their very own unique electromagnetic emissions which can act as device signatures (strength depends on shielding).

Sometimes speaker wire not properly shielded (as is found in most PC's) can act as a radio transmitter antenna without user knowledge. Here I discovered a few frequencies broadcasting the audio live (.25 second delay for SDR modulation).

📡 Laptop Speakers: Remote Listening Devices [SDR Side Channel]

Steve Mould Hacks Into his Car with a HackRF

Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.

Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015. 

I Hacked Into My Own Car

RF Fingerprinting ADS-B Signals for Security

At this years ICNP 2020 IEEE conference a paper titled "Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting" (pdf file) was presented by researchers from Harbin Engineering University in China. The idea presented in the paper is to use RF "fingerprinting" techniques to uniquely identify and confirm that the ADS-B signal originates from the correct aircraft source.

RF fingerprinting works on the premise that every transmitter has small manufacturing variances that result in slightly different signals be transmitted, resulting in a unique "fingerprint" that can be traced to a particular transmitter. The idea here is to use these fingerprints to ensure that a known aircraft is indeed transmitting an ADS-B signal and the signal is not being transmitted from a fake spoofer. ADS-B is completely unencrypted and not authenticated, so spoofing of ADS-B signals may be a real security threat.

In the teams research they use an RTL-SDR to collect ADS-B signals from five different aircraft. They then use that data to create "Contour Stellar Images" and train a deep learning neural network which after training accurately identifies which aircraft a signal comes from.

Aircraft ADS-B Fingerprinting

In previous posts we've seen the idea of fingerprinting used by Disney research and others to identify electronic devices, to authenticate RF IoT devices and to identify handheld transmitters via CTCSS fingerprints.

Unlocking a Car with an RTL-SDR and Yardstick One

Over on his YouTube channel Kalle Hallden has uploaded a video demonstrating how to perform a replay and "rolljam" attack on a wireless car key with an RTL-SDR and Yardstick One. His first experiment is a simple replay attack which involves recording the unlock signal from the car key with the Yardstick One in a place far away from the car so that it is not received, then replaying it close by.

This works well, but Kalle then explains rolling code security and how this would easily thwart any replay attack in the real world. However, he then goes on to explain and demonstrate the "rolljam" technique, which is one known way to get around rolling code security. The demonstrations are obviously not full tutorials, but are just high level overviews of how wireless security can be defeated.

DEFCON 2020 Aerospace Village SDR Talks

A few weeks ago we posted about the recently uploaded talks listed on the Defcon YouTube channel. However, there is a second YouTube channel dedicated to talks presented as part of the Defcon Aerospace Village which was also held virtually. A number of these talks involve software defined radios and RTL-SDRs and so may be of interest to readers. We have listed a few interesting talks below, but the full list can be found on their YouTube channel.

 

BSides Talk: It’s 2020, so why am I still able to read your pager traffic?

At the BSides OK 2020 virtual conference Cameron Mac Millan recently presented a talk titled "It’s 2020, so why am I still able to read your pager traffic?". On this blog we have posted numerous times about privacy breaches stemming from insecure wireless pager traffic. Anyone with a radio or SDR can receive and decode pager messages, and this has been known and done since the 1980's. Cameron's talk explains how paging systems work, who are the modern users of pagers, how to capture and decode pager messages and how to best log and filter through messages. He goes on to describe a number of major pager security breaches that he's personally seen. The talk preview reads:

This talk explores why pagers remain a potential threat vector in many environments despite the technology being 40 years old. This is not a the-sky-is-falling presentation: everything from paging history to how simple it is to decode pager traffic (and the associated risks) is covered without FUD.

I enjoy poking things with sticks and turn over rocks to see what crawls out from under them. One of my interests is seeing how technologies believed to be obsolete can still pose a problem for security today, and do that from the perspective of a 20-year career in infosec. When not creating tomorrow’s problems with yesterday’s technology, I can usually be found wrenching on unusual cars.

It’s 2020, so why am I still able to read your pager traffic? - Cameron Mac Millan - BSidesOK 2020

Eavesdropping on LTE Calls with a USRP Software Defined Radio

Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio which runs the Airscope software. The technique exploits a flaw in how some LTE carriers are implementing their keystream. A keystream is a stream of random data combined with the actual voice data, resulting in encrypted data.

It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can then record an encrypted conversation, then immediately call the victim after that conversation. The attacker can now access the encrypted keystream, and as the keystream is identical to the first conversation, the first conversation can now be decoded. 

The Ars Technica article, the original paper and a website created about the ReVoLTE technique and software go into detail about how the attack works. On the website the team explain the attack in simple terms:

The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.

The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).

For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.

The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commerical LTE network.