Tagged: Software-defined radio

Black Hat Software Defined Radio Talks

Black Hat, a large conference on information security topics, has recently finished, and videos of some of the talks given have now been uploaded to YouTube. This year we found three talks related to Software Defined Radio.

Breaking the Security of Physical Devices by Silvio Cesare

We posted about Silvio’s successful attempt at breaking into a car wirelessly earlier this month and now here is his presentation.

In this talk, I look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems. I then proceed to break the security of those devices. The keyless entry of a 2004/2005 popular make and widely used car is shown to be breakable with predictable rolling codes.

The actual analysis involved not only mathematics and software defined radio, but the building of a button pushing robot to press the keyless entry to capture data sets that enable the mathematical analysis.

Software defined radio is not only used in the keyless entry attack, but in simple eavesdropping attacks against 40 MHz analog baby monitors. But that’s an easy attack. A more concerning set of attacks are against home alarm systems. Practically all home alarm systems that had an RF remote to enable and disable the system were shown to use fixed codes. This meant that a replay attack could disable the alarm.

I built an Arduino and Raspberry Pi based device for less than $50 that could be trained to capture and replay those codes to defeat the alarms. I also show that by physically tampering with a home alarm system by connecting a device programmer, the EEPROM data off the alarm’s microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm.

In summary, these attacks are simple but effective in physical devices that are common in today’s world. I will talk about ways of mitigating these attacks, which essentially comes down to avoiding the bad and buying the good. But how do you know what’s the difference? Come to this talk to find out.


Bringing Software Defined Radio to the Penetration Testing Community

Online slides.

“The large adoption of wireless devices goes further than WiFi (smartmeters, wearable devices, Internet of Things, etc.).

The developers of these new types of devices may not have a deep security background and it can lead to security and privacy issues when the solution is stressed.

However, to assess those types of devices, the only solution would be a dedicated hardware component with an appropriate radio interface for each one of them.

That is why we developed an easy-to-use wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known scapy framework.

In this talk, we will introduce this tool we developed for a wide range of wireless security assessments: the main goal of our tool is to provide effective penetration testing capabilities for security auditors with little to no knowledge of radio communications.”


AIS Exposed. Understanding Vulnerabilities and Attacks 2.0

Attacking AIS using software defined radio.

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0 by Marco Balduzzi

XiOne – An RTL2832U based Portable Software Defined Radio: Indiegogo Funding Campaign

A new funding campaign for an RTL2832U based software defined radio has gone up on Indiegogo. The new SDR is called the XiOne and is intended to be the first SDR that is easy to use with smartphones and open to the maker community.

With its 100 kHz to 1.7 GHz receiving range, the XiOne has a similar tuning range to the standard RTL-SDR dongles when an upconverter or the direct sampling mod is used. What makes the XiOne different is that it will have a built-in MIPS processor, an internal rechargeable battery for portability and it will connect directly through WiFi to a smart device. They are also developing SDR GUI software for mobile devices, including decoders for things like ADS-B, AIS and NOAA satellites.

The Indiegogo backer price for a XiOne is $179 USD, but if you act fast there are 100 units available at the promotional price of $139 USD. At the moment they have a working prototype with completed firmware, a portable Java-based SDR GUI, iPhone demodulation software, a MacOS ADS-B receiver, an iPad AIS receiver and an iPad spectrum analyzer. The fundraiser is to help them begin serial production.

There is a Reddit thread discussing the project here.

XiOne Prototype Internals
XiOne Casing

Brute Force Unlocking a Car with a USRP Software Defined Radio

Wired.com has posted an article showing how security researcher Silvio Cesare was able to use his USRP software defined radio to unlock a car with wireless entry. Essentially his hack involves brute forcing the rolling security code used by the wireless unlocking protocol. Even with just a brute force attack he was able to unlock his car in a few minutes. While this hack probably won’t work with newer cars, which disable unlocking for a few minutes after a number of failed code attempts, Cesare notes that it will probably work for many similar cars that are ten or more years old.

This article goes along with their previous one discussing how thieves could hack into a home alarm system using a software defined radio.

The USRP is an advanced software defined radio that sells for around a thousand dollars, but we note that the same attack could be performed with the cheaper HackRF SDR, which is almost available.
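The two weaknesses described on this page, fixed-code alarm remotes that fall to a replay (Cesare's talk abstract above) and rolling codes that can be brute forced because the receiver never stops listening (this article), both come down to the receiver's acceptance logic. The Python model below is an added example, not code from the talk, the Wired article, or any vehicle or alarm vendor: the shared secret, the HMAC-based code derivation, the 16-press acceptance window and the 5-failure/300-second lockout are all assumptions chosen to show the mechanism, and the fixed code is a constructed value.

```python
import hmac
import hashlib

# Constructed values for this example only; no vendor's real parameters.
SECRET = b"example-shared-secret-not-from-any-vendor"
CODE_BITS = 32         # width of the over-the-air code
WINDOW = 16            # skipped fob presses the receiver will tolerate
LOCKOUT_AFTER = 5      # invalid codes before the receiver stops listening
LOCKOUT_SECONDS = 300  # how long it stops listening for


class FixedCodeReceiver:
    """Models the alarm remotes the talk describes: the same code every time,
    so one captured transmission stays valid forever."""

    def __init__(self, code):
        self.code = code

    def unlock(self, code):
        return code == self.code


def rolling_code(secret, counter, bits=CODE_BITS):
    """Map a counter value to an over-the-air code with an HMAC, so the
    sequence cannot be predicted without the secret (the predictable
    sequences the talk found are exactly what this avoids)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << bits) - 1)


class RollingCodeFob:
    """Transmitter side: a counter that only ever increases."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class RollingCodeReceiver:
    """Receiver side: accepts a code only if it belongs to a counter value
    ahead of the last one accepted, and locks out after repeated bad codes."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0
        self.failures = 0
        self.locked_until = 0.0

    def unlock(self, code, now):
        if now < self.locked_until:
            return False  # nothing is evaluated during the lockout period
        # Only counters strictly after last_counter are tried, so a replayed
        # code (counter <= last_counter) can never match.
        for c in range(self.last_counter + 1, self.last_counter + WINDOW + 1):
            if rolling_code(self.secret, c) == code:
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False


def demo():
    """Walk both receivers through capture/replay and a burst of bad codes."""
    results = {}

    fixed = FixedCodeReceiver(code=0x5A5A5A5A)
    captured = 0x5A5A5A5A            # constructed: what one capture would yield
    results["fixed_replay"] = fixed.unlock(captured)

    fob = RollingCodeFob(SECRET)
    rx = RollingCodeReceiver(SECRET)
    first = fob.press()
    results["rolling_fresh"] = rx.unlock(first, now=0.0)
    results["rolling_replay"] = rx.unlock(first, now=1.0)

    for _ in range(WINDOW - 1):      # presses made out of range of the car
        fob.press()
    results["rolling_within_window"] = rx.unlock(fob.press(), now=2.0)

    for i in range(LOCKOUT_AFTER):   # a run of wrong codes triggers lockout
        rx.unlock(0x0BADC0DE + i, now=3.0)
    results["locked_out"] = rx.locked_until > 3.0
    results["genuine_during_lockout"] = rx.unlock(fob.press(), now=4.0)
    results["genuine_after_lockout"] = rx.unlock(fob.press(), now=400.0)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The fixed-code receiver accepts the captured code on every replay; the rolling-code receiver accepts a fresh code once, rejects the same code afterwards, still accepts a code up to 16 presses ahead, and after five bad codes ignores even a genuine press until the lockout expires. That lost genuine press is the usability cost of the lockout the article mentions in newer cars.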

SoftRock Lite II Build and Test Tutorial Video

The SoftRock Lite II is a (now fairly old) soundcard based software defined radio kitset that is capable of receiving on the HF bands. Over on YouTube, user w2aew has uploaded a video showing the entire build process for the SoftRock Lite II kitset. He also goes over the circuit blocks, explaining their function and how they work.

This is an excellent video if you are interested in learning more about the components and circuits used in some SDRs.

#148: Software Defined Radio kit | Tutorial | Build | Test | Softrock Lite II

Reverse Engineering a RF Controlled Ceiling Fan with the RTL-SDR

Using an RTL-SDR, Clayton Smith was able to reverse engineer his remote controlled ceiling fan. To do this he first used his bladeRF to determine that the remote control was transmitting a signal at 303.747 MHz. He then used a simple GNU Radio flow graph with the RTL-SDR to plot the amplitude of the signal over time, which suggested that the signal was using on-off keying. From the plot he was then able to visually determine the bit pattern sent by each button on the ceiling fan remote.

Next he used his bladeRF and another GNU Radio flow graph to replicate and transmit the bit pattern, which allowed him to control the ceiling fan from the PC.

Clayton notes that all this reverse engineering was done in half an hour, demonstrating the power of software defined radio.
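The "plot the amplitude, read off the bit pattern" step above is easy to do by eye for one remote, but it is also easy to put in code so that every button can be decoded and compared the same way. The Python decoder below is an added example, not Clayton's flow graph or his code: the amplitude envelope it decodes is constructed inside the script (make_ook_envelope) in place of a real capture, the bit patterns and symbol periods are made up, and it assumes plain on-off keying with one bit per equal-length symbol rather than the pulse-width variants many remotes use.

```python
import math


def make_ook_envelope(bits, samples_per_symbol=10, high=0.9, low=0.05):
    """Constructed test input: the magnitude samples a GNU Radio complex-to-mag
    block would hand you for an on-off-keyed burst carrying `bits`, with a small
    deterministic ripple so the threshold stage has something to cope with."""
    env = []
    for i, b in enumerate(bits):
        level = high if b == "1" else low
        for k in range(samples_per_symbol):
            n = i * samples_per_symbol + k
            env.append(level + 0.03 * math.sin(0.7 * n))
    return env


def threshold(env):
    """Decision level halfway between the strongest and weakest sample. Fine
    for a strong local capture like a remote held near the antenna; weak
    signals would want something smarter."""
    return (max(env) + min(env)) / 2


def run_lengths(env, thr):
    """Collapse the sample stream into [level, run_length] pairs."""
    runs = []
    for s in env:
        lvl = 1 if s > thr else 0
        if runs and runs[-1][0] == lvl:
            runs[-1][1] += 1
        else:
            runs.append([lvl, 1])
    return runs


def decode_ook(env, samples_per_symbol=None):
    """Recover the bit pattern from an amplitude envelope.

    If the symbol period is not given, the shortest run is taken as one symbol.
    That holds whenever the burst contains at least one isolated 1 or 0; for a
    pattern like 110011 it does not, and the period has to be read off the time
    plot (as was done by eye in the post) and passed in explicitly.
    """
    thr = threshold(env)
    runs = run_lengths(env, thr)
    if samples_per_symbol is None:
        samples_per_symbol = min(n for _, n in runs)
    bits = "".join(str(lvl) * round(n / samples_per_symbol) for lvl, n in runs)
    return bits, samples_per_symbol


def decode_buttons(captures):
    """Decode several captures (e.g. one per remote button) so the bits that
    differ between buttons can be compared side by side."""
    return {name: decode_ook(env)[0] for name, env in captures.items()}


if __name__ == "__main__":
    # Constructed patterns standing in for two buttons; not the real fan's codes.
    captures = {
        "button_a": make_ook_envelope("1011001110001"),
        "button_b": make_ook_envelope("1011001110010", samples_per_symbol=7),
    }
    for name, pattern in decode_buttons(captures).items():
        print(name, pattern)
```

Run on a real capture, the envelope would come from a file sink after a complex-to-mag block in the GNU Radio flow graph; the decoder itself does not care where the samples came from. The explicit samples_per_symbol argument exists for the case the docstring describes, where no symbol stands alone and the shortest run is a multiple of the true period.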

Ceiling Fan Bit Pattern Recovered with an RTL-SDR and GNU Radio

Register your interest in Airspy

You can now register your interest in purchasing an AirSpy software defined radio dongle on the new AirSpy website. AirSpy is a new software defined radio, similar to the RTL-SDR, that is currently under development by the creator of SDR#.

AirSpy promises to be an improvement on the RTL-SDR with its large 10 MHz bandwidth, 24-1750 MHz tuneable range, 12-bit ADC and an on-board programmable Cortex-M4F CPU running at 204 MHz. In comparison, the typical RTL-SDR has ~2.4 MHz of usable bandwidth, a 24-1750 MHz tuneable range and an 8-bit ADC. A higher-resolution ADC can help in receiving weaker signals. AirSpy is expected to sell at around the $100-$150 mark, towards the cheaper end if there is greater interest.

AirSpy Dongle
AirSpy Software Defined Radio Receiver

Nooelec RTL-SDR Giveaway on AmateurRadio.com

AmateurRadio.com has teamed up with Nooelec.com to give away RTL-SDR packages to 10 hams. To be eligible to enter the competition, you must be a registered amateur radio operator, and you must comment on the competition page. The prizes are:

Two (2) complete HF sets, each including:
    NESDR Mini receiver
    Ham It Up upconverter
    SMA to MCX cable
    SMA to BNC adapter
    SMA to PL259 adapter
    SMA to F adapter

Two (2) complete Touch SDR sets, each including:
    NESDR Nano receiver
    SDR Touch license (for Android tablets)
    USB OTG micro & mini cables

Three (3) NESDR Mini receivers

Three (3) NESDR Nano receivers

The competition runs until the 11th of December.

Nooelec AmateurRadio.com Giveaway Prize

Software Defined Radio for Mariners: AIS Antenna Design Review

On a new blog called ‘Software Defined Radio for Mariners’, aimed at mariners wanting to get into cheap software defined radio with the RTL-SDR, the author has posted an article for beginners on choosing a type of AIS antenna to build.

He reviews the performance of multiple homemade AIS antennas with his RTL-SDR, and finds that a monopole antenna with two radials gave the best value/performance trade-off.

He has also written a hardware guide article explaining some of the most common antenna adapters and cable ends that might be encountered.

AIS Monopole Antenna