Tagged: usrp

Exploring the Limits of General Purpose SDR Devices

Back in August 2019 the Chaos Communication Camp was held in Germany. This is a five-day conference that covers a variety of hacker topics, sometimes including SDR. At the conference Osmocom developer Harald Welte (aka @LaF0rge) presented a talk titled "The Limits of General Purpose SDR devices". The talk explains why general purpose TX capable SDRs like the HackRF and LimeSDR are only one building block of an advanced communications system such as a cellular base station, and what else (band and channel filtering, clock stability, harmonic suppression and power calibration) is needed around them.

If you prefer, the talk can be watched directly on the CCC website instead of YouTube.

Why an SDR board like a USRP or LimeSDR is not a cellular base station

It's tempting to buy a SDR device like a LimeSDR or USRP family member in the expectation of operating any wireless communications system out there from pure software. In reality, however, the SDR board is really only one building block. Know the limitations and constraints of your SDR board and what you need around it to build a proper transceiver.

For many years there has been an expectation that general purpose SDR devices like the Ettus USRP families, HackRF, bladeRF, LimeSDR, etc. can implement virtually any wireless system.

While that is true in principle, it is equally important to understand the limitations and constraints.

People with a deep understanding of SDR and/or wireless communications systems will likely know all of those. However, SDRs are increasingly used by software developers and IT security experts. They often acquire an SDR board without understanding that this SDR board is only one building block, and by far not enough to, e.g., operate a cellular base station. After investing a lot of time, some discover that they're unable to get it to work at all, or at the very least unable to get it to work reliably. This can easily lead to frustration on the user side as well as on the side of the authors of the software used with those SDRs.

The talk will particularly focus on using General Purpose SDRs in the context of cellular technologies from GSM to LTE. It will cover aspects such as band filters, channel filters, clock stability, harmonics as well as Rx and Tx power level calibration.

The talk contains the essence of a decade of witnessing SDR users struggling (not only) with running Osmocom software on them. Let's share that with the next generation of SDR users, to prevent them from falling into the same traps.
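As an added illustration of two of the points in the abstract, clock stability and harmonics, the following Python snippet (not code from the talk or from Osmocom) checks a free-running SDR reference against the transmitted-carrier accuracy limits for base stations in 3GPP TS 45.010 (GSM BTS, 0.05 ppm) and TS 36.104 (LTE eNB classes), and lists which harmonics of a chosen carrier land inside another downlink band. The per-board ppm figures, the band table and the example carrier are assumptions typed in for the example, not measurements.

```python
"""Sanity checks before putting a general-purpose SDR on the air as a cell.

Added example; not code from the talk or from Osmocom. Spec limits are
quoted from the 3GPP documents named in the comments; the per-board ppm
figures and the band table are assumptions entered for illustration.
"""

# Required transmitted-carrier accuracy for the base station:
# 3GPP TS 45.010 section 6.1 (GSM BTS) and TS 36.104 section 6.5.1 (LTE eNB classes).
BTS_LIMIT_PPM = {
    "gsm_bts": 0.05,
    "lte_wide_area": 0.05,
    "lte_local_area": 0.1,
    "lte_home": 0.25,
}

# Assumed free-running reference accuracy of a few boards (ppm). A GPSDO or an
# external disciplined 10 MHz reference takes any of them well under 0.05 ppm.
SDR_REF_PPM = {"hackrf_one": 20.0, "usrp_b210_tcxo": 2.0, "limesdr": 1.0}

# Downlink band edges in MHz for the harmonic check (constructed subset).
DOWNLINK_BANDS_MHZ = {
    "GSM900 DL": (935.0, 960.0),
    "DCS1800 DL": (1805.0, 1880.0),
    "LTE B7 DL": (2620.0, 2690.0),
}


def worst_case_offset_hz(carrier_hz, ref_ppm):
    """Carrier error in Hz when the reference is off by ref_ppm."""
    return carrier_hz * ref_ppm * 1e-6


def clock_ok(carrier_hz, ref_ppm, system):
    """Return (ok, offset_hz, allowed_hz): does a reference of ref_ppm meet the
    base-station accuracy limit for the given system at this carrier?"""
    allowed = worst_case_offset_hz(carrier_hz, BTS_LIMIT_PPM[system])
    offset = worst_case_offset_hz(carrier_hz, ref_ppm)
    return offset <= allowed, offset, allowed


def harmonics_in_bands(carrier_hz, max_order=3, bands=DOWNLINK_BANDS_MHZ):
    """(order, harmonic_hz, band_name) for every harmonic up to max_order that
    lands inside one of the listed bands. Those are the products a band-pass
    filter after the amplifier must remove; the SDR's own output does not."""
    hits = []
    for order in range(2, max_order + 1):
        f = carrier_hz * order
        for name, (lo_mhz, hi_mhz) in bands.items():
            if lo_mhz * 1e6 <= f <= hi_mhz * 1e6:
                hits.append((order, f, name))
    return hits


if __name__ == "__main__":
    carrier = 937.5e6  # a GSM900 downlink carrier, chosen for illustration
    for board, ppm in SDR_REF_PPM.items():
        ok, off, allowed = clock_ok(carrier, ppm, "gsm_bts")
        verdict = "ok" if ok else "FAIL (needs external reference)"
        print(f"{board:15s} {off:7.0f} Hz error vs {allowed:.0f} Hz allowed: {verdict}")
    for order, f, band in harmonics_in_bands(carrier):
        print(f"harmonic {order} at {f / 1e6:.1f} MHz falls inside {band}")
```

At 937.5 MHz the GSM limit works out to about 47 Hz, so every one of the assumed free-running references fails the check; that is why the talk's advice amounts to "add an external reference". The second harmonic of the same carrier lands at 1875 MHz, inside the DCS1800 downlink, which is the kind of product a band filter on the amplifier output has to take out.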

The Limits of General Purpose SDR devices

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost TX capable SDRs (USRP or bladeRF) with 1 watt of output power each, combined with open source LTE base station software, could reach a stadium of 50,000 people with a fake Presidential Alert (the stadium scenario was only simulated; real world tests were performed responsibly in a controlled environment). The attack works by running a fake LTE cell on the SDR that nearby phones camp on, after which a crafted alert can be broadcast to all of them. The phone has no way to verify that an alert is legitimate: WEA messages are delivered as unauthenticated cell broadcasts, so any cell the phone camps on can deliver one.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
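To show what the phone actually has to go on when such a broadcast arrives, here is an added Python example (not code from the CU Boulder paper) that decodes the fields of a WEA/CMAS cell broadcast page: the message identifier that selects the alert class, the 16-bit serial number, and the GSM 7-bit packed text. Identifiers and the serial-number layout follow 3GPP TS 23.041 (the same constants Android's CellBroadcastReceiver uses); the alphabet mapping is simplified to the characters GSM 7-bit shares with ASCII, and the sample message is constructed. None of these fields carries a signature or any proof of origin, which is the whole problem.

```python
"""What a phone actually gets in a WEA/CMAS cell broadcast, and why it cannot
tell a real Presidential Alert from a spoofed one.

Added example, not code from the CU Boulder paper. Message identifiers and the
serial-number layout follow 3GPP TS 23.041; the alphabet mapping is simplified
to the characters shared by GSM 7-bit and ASCII. The sample message is constructed.
"""

# CMAS message identifiers (TS 23.041 section 9.4.1.2.2).
CMAS_FIXED = {
    4370: "Presidential",
    4379: "Child abduction emergency (AMBER)",
    4380: "Required monthly test",
    4381: "Exercise",
    4382: "Operator defined",
}
CMAS_RANGES = (((4371, 4372), "Extreme threat"), ((4373, 4378), "Severe threat"))


def classify(message_identifier):
    """Alert class for a message identifier, or None if it is not a CMAS identifier."""
    if message_identifier in CMAS_FIXED:
        return CMAS_FIXED[message_identifier]
    for (lo, hi), label in CMAS_RANGES:
        if lo <= message_identifier <= hi:
            return label
    return None


def parse_serial(serial_number):
    """16-bit serial number: 2-bit geographical scope, 10-bit message code, 4-bit update number."""
    return {
        "geo_scope": serial_number >> 14,
        "message_code": (serial_number >> 4) & 0x3FF,
        "update_number": serial_number & 0xF,
    }


def unpack_7bit(packed, septets=None):
    """Unpack GSM 7-bit packed text (septets packed LSB first across octets)."""
    if septets is None:
        septets = len(packed) * 8 // 7
    bits = int.from_bytes(packed, "little")
    chars = [(bits >> (7 * i)) & 0x7F for i in range(septets)]
    # Simplified alphabet: GSM code 0 is '@'; the printable ASCII positions used here coincide.
    text = "".join("@" if c == 0 else chr(c) for c in chars)
    return text.rstrip("\r")  # CB pages are padded with CR


def pack_7bit(text):
    """Inverse of unpack_7bit for the same character subset; used to construct the sample."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= (0 if ch == "@" else ord(ch) & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")


def describe(message_identifier, serial_number, packed_content):
    """Everything the phone has to go on: no signature, no origin check, just these fields."""
    return {
        "class": classify(message_identifier),
        **parse_serial(serial_number),
        "text": unpack_7bit(packed_content),
    }


if __name__ == "__main__":
    # Constructed: a Presidential Alert page as a rogue cell could broadcast it.
    print(describe(4370, 0xC1A2, pack_7bit("Presidential Alert: THIS IS A TEST")))
```

A phone that receives identifier 4370 from whichever cell it is camped on displays it as a Presidential Alert; the serial number only serves to suppress duplicates. Any countermeasure therefore has to come from detecting the rogue cell itself (unexpected cell identity, missing neighbours, no successful authentication) rather than from anything inside the alert.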

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Ars Technica ran an in depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is using the Instrument Landing System (ILS). ILS is a radio based system that has been in use since the late 1930s. It is a simple system: ground transmitter arrays at the runway (a localizer for lateral guidance and a glide slope for vertical guidance) and a radio receiver in the aircraft. From the received signals the aircraft's instruments tell the pilot whether to steer left or right to line up with the runway centerline and whether to descend faster or slower to stay on the glide path. Although it is an old technology, it is still in use to this day as a key instrument for landing, especially when visibility is poor, such as at night or in bad weather and fog.

Researchers from Northeastern University in Boston point out in their recent paper that because of its age ILS has no security built in, and its signals can be spoofed by anyone with a TX capable radio. Such a spoofing attack could cause a plane to land off the centerline or with the wrong descent rate. In the past, ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would need a fairly strong power amplifier and a directional antenna lined up with the runway, and since most airports monitor for interference the attack would probably be discovered. The researchers write that the attack could also be carried out from within the aircraft, but a strong signal, and therefore a large power amplifier and directional antenna, would still be required, making the operation too conspicuous to carry out on board.
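The mechanism behind the spoof is easier to see with numbers. The localizer is an AM carrier with a 90 Hz and a 150 Hz tone; the receiver compares the two modulation depths (the "difference in depth of modulation", DDM), which is zero on the centerline, and 0.155 DDM deflects the course needle fully (the ICAO Annex 10 figure). The added Python example below (not the researchers' code) synthesizes the detected envelope, measures both tone depths with a single-bin DFT, and then adds a second signal carrying only a 150 Hz tone to show how the needle moves. The sample rate, depths, the spoof amplitude and the assumption that the two carriers add in phase are choices made for illustration.

```python
"""Localizer DDM: how a second signal on the same channel moves the needle.

Added example, not the researchers' code. The envelope model, sample rate,
modulation depths and the coherent-carrier assumption are all choices made
for illustration; 0.155 DDM full scale is the ICAO Annex 10 value.
"""
import math

FS = 3000                   # sample rate of the detected AM envelope, Hz (assumption)
SECONDS = 1                 # 1 s of samples gives 1 Hz DFT bins, so 90 and 150 Hz are exact bins
LOC_FULL_SCALE_DDM = 0.155  # localizer DDM for full course-deviation-indicator deflection


def am_envelope(depth_90, depth_150, amplitude=1.0, fs=FS, seconds=SECONDS):
    """Detected envelope of a localizer-style AM carrier with 90 Hz and 150 Hz tones.
    On the centreline both depths are 0.20; one tone dominates off to either side."""
    n = fs * seconds
    return [
        amplitude * (1.0
                     + depth_90 * math.cos(2 * math.pi * 90 * i / fs)
                     + depth_150 * math.cos(2 * math.pi * 150 * i / fs))
        for i in range(n)
    ]


def combine(*envelopes):
    """Envelope of AM signals on the same carrier whose carriers add in phase
    (assumed worst case for the victim): the envelopes simply add."""
    return [sum(samples) for samples in zip(*envelopes)]


def tone_depth(envelope, tone_hz, fs=FS):
    """Modulation depth of one tone: single-bin DFT magnitude relative to the DC level."""
    n = len(envelope)
    re = sum(x * math.cos(2 * math.pi * tone_hz * i / fs) for i, x in enumerate(envelope))
    im = sum(x * math.sin(2 * math.pi * tone_hz * i / fs) for i, x in enumerate(envelope))
    dc = sum(envelope) / n
    return 2.0 * math.hypot(re, im) / n / dc


def ddm(envelope):
    """Difference in depth of modulation, 90 Hz minus 150 Hz: zero on the centreline,
    positive when the aircraft is left of it (90 Hz side), negative on the right."""
    return tone_depth(envelope, 90) - tone_depth(envelope, 150)


def needle(ddm_value):
    """Fraction of full-scale CDI deflection, clipped to [-1, 1]."""
    return max(-1.0, min(1.0, ddm_value / LOC_FULL_SCALE_DDM))


if __name__ == "__main__":
    genuine = am_envelope(0.20, 0.20)                 # aircraft on the centreline
    spoof = am_envelope(0.0, 0.40, amplitude=0.5)     # attacker: 150 Hz tone only, half the amplitude
    for label, env in (("genuine", genuine), ("genuine + spoof", combine(genuine, spoof))):
        d = ddm(env)
        print(f"{label:16s} DDM={d:+.3f}  needle={needle(d):+.2f} of full scale")
```

With the genuine signal alone the DDM is zero. Adding a spoof at half the genuine amplitude that carries only the 150 Hz tone pushes the DDM to about -0.133, roughly 86% of full-scale deflection, so an aircraft that is in fact on the centerline is told it is far to the right and the pilot corrects to the left. The spoof here is already half the amplitude of the legitimate localizer at the receiver, which is why the researchers' estimate of the required amplifier and antenna, and the interference monitoring at airports, matter so much.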

Wireless Attacks on Aircraft Landing Systems

USRP SDRs used to Break 3G to 5G Mobile Phone Security

According to a paper published on the IACR Cryptology ePrint Archive, it is possible to monitor the activity of 3G, 4G and 5G mobile subscribers using a fake base station built on an SDR. It has been well known for several years that 2G security is broken, while the Authentication and Key Agreement (AKA) protocol used from 3G through 5G was thought to protect subscribers. The researchers found that the way AKA protects the sequence number (SQN) is the weak spot: the SQN is only XORed with an anonymity key derived from the subscriber key and the challenge value RAND, so an attacker who replays a previously captured challenge gets the same key back each time and can cancel it out. This does not break the encryption of calls or data, but it leaks how often the subscriber has authenticated with the network.

In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too.

Theregister.co.uk writes:

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective when the user is within reach of a fake base station.

The full paper is available here in pdf form.
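The XOR observation is simple enough to demonstrate in a few lines. In AKA, a USIM that receives a replayed challenge whose MAC verifies but whose sequence number is stale answers with a synchronisation failure carrying AUTS = (SQN_MS xor AK*) || MAC-S, where AK* = f5*(K, RAND). Because AK* depends only on the key and the replayed RAND, two such answers XOR to SQN_MS(t1) xor SQN_MS(t2) without the attacker knowing K. The Python example below is an added illustration, not the paper's code: f5* and f1* are stand-ins built from HMAC-SHA256 (real USIMs run Milenage or TUAK), the "each AKA run adds one to SQN" model is a simplification of the 3GPP SEQ/IND scheme that the paper handles and this example does not, and the exact run count assumes the attacker already knows the SQN at the first probe.

```python
"""SQN leak from a replayed AKA challenge (the XOR/AK* observation).

Added example, not the paper's code. f5* and f1* are stand-ins built from
HMAC-SHA256 (real USIMs use Milenage or TUAK); the only property used is that
the resynchronisation anonymity key AK* is a deterministic function of K and
RAND. The "+1 per AKA run" model and the attacker knowing the SQN at the first
probe are simplifications assumed for the exact count.
"""
import hashlib
import hmac
import os

SQN_BYTES = 6  # SQN is 48 bits in 3GPP AKA


def f5_star(k, rand):
    """Toy AK* = f5*(K, RAND). Same K and same RAND -> same AK*, every time."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:SQN_BYTES]


def f1_star(k, rand, sqn):
    """Toy MAC-S so that AUTS has its real shape: (SQN_MS xor AK*) || MAC-S."""
    return hmac.new(k, b"f1*" + rand + sqn, hashlib.sha256).digest()[:8]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def usim_resync(k, rand, sqn_ms):
    """Response of a USIM to a replayed (RAND, AUTN) whose MAC verifies but whose
    SQN is out of range: a synchronisation failure carrying AUTS."""
    sqn = sqn_ms.to_bytes(SQN_BYTES, "big")
    return xor(sqn, f5_star(k, rand)) + f1_star(k, rand, sqn)


def attacker_sqn_xor(auts_1, auts_2):
    """Both probes used the same RAND, so AK* cancels: the first 48 bits of the
    two AUTS values XOR to SQN_MS(t1) xor SQN_MS(t2). No key needed."""
    return int.from_bytes(xor(auts_1[:SQN_BYTES], auts_2[:SQN_BYTES]), "big")


def subscriber_was_active(auts_1, auts_2):
    """A non-zero XOR means SQN_MS changed, i.e. at least one genuine AKA run
    (call, SMS, data session, re-attach) happened between the two probes."""
    return attacker_sqn_xor(auts_1, auts_2) != 0


def count_aka_runs(sqn_xor, sqn_at_t1):
    """Exact number of runs under the +1-per-run model, given SQN at the first probe."""
    return (sqn_at_t1 ^ sqn_xor) - sqn_at_t1


if __name__ == "__main__":
    k = os.urandom(16)                 # subscriber key, unknown to the attacker
    rand = os.urandom(16)              # RAND from a genuine challenge captured once
    sqn_t1 = 0x0000_0000_1F40          # SQN_MS when the rogue cell first replays the challenge
    auts_1 = usim_resync(k, rand, sqn_t1)
    auts_2 = usim_resync(k, rand, sqn_t1 + 3)     # three AKA runs later, replayed again
    print("active between probes:", subscriber_was_active(auts_1, auts_2))
    print("runs since first probe:", count_aka_runs(attacker_sqn_xor(auts_1, auts_2), sqn_t1))
    # A fresh RAND would change AK* and the XOR would be noise; that is the
    # randomness the attack sidesteps by replaying the same challenge.
    print("same trick with a different RAND:",
          hex(attacker_sqn_xor(auts_1, usim_resync(k, os.urandom(16), sqn_t1 + 3))))
```

The last line is the point about "lack of randomness": the USIM contributes no fresh value of its own to the resynchronisation message, so the mask is fully determined by what the attacker chooses to replay. The fix the paper discusses is to stop relying on XOR with a replayable key for SQN confidentiality.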

Tools used including a laptop, USRP B210 and a sim card reader.

Aerial Landmine Detection using USRP SDR Based Ground Penetrating Radar

Over the last few years researchers at Universidad Javeriana Bogotá, a university in Colombia, have been looking into using SDRs for aerial landmine detection. The research uses a USRP B210 software defined radio mounted on a quadcopter, together with two Vivaldi antennas (one for TX and one for RX). The system is used as a ground penetrating radar (GPR). GPR sends RF pulses, typically in the range of 10 MHz to 2.6 GHz, into the ground and builds an image of the subsurface from the echoes. When a pulse hits a buried object whose dielectric properties differ from the surrounding soil, whether a metal casing or a plastic mine, part of the energy is reflected back, and that echo is the detection.

Recently they uploaded a demonstration video to their YouTube channel which we show below, and several photos of the work can be found on their Field Robotics website. We have also found their paper available here as part of a book chapter. The abstract reads:

This chapter presents an approach for explosive-landmine detection on-board an autonomous aerial drone. The chapter describes the design, implementation and integration of a ground penetrating radar (GPR) using a software defined radio (SDR) platform into the aerial drone. The chapter’s goal is first to tackle in detail the development of a custom designed lightweight GPR by approaching the interplay between hardware and software radio on an SDR platform. The SDR-based GPR system results in a much lighter sensing device compared with the conventional GPR systems found in the literature, with the capability of re-configuration in real time for different landmines and terrains, and the capability of detecting landmines under terrains with different dielectric characteristics.

Secondly, the chapter introduces the integration of the SDR-based GPR into an autonomous drone by describing the mechanical integration, the communication system, and the graphical user interface (GUI) together with the landmine detection and geo-mapping. The chapter covers the hardware and software implementation of the on-board GPR system in full, first giving a comprehensive background on software-defined radar technology and second presenting the main features of the Tx and Rx modules. Additional details are presented relating to the mechanical and functional integration of the GPR into the UAV system.

Drone with USRP Ground Penetrating Radar Setup

Aerial landmine detection using SDR-based Ground Penetrating Radar and computing vision

Decapping the AD9361 SDR Transceiver Chip: Hi-Res Images and Cost Analysis

The AD9361 is a highly versatile full transceiver SDR chip released by Analog Devices back in 2013. With a frequency range from 70 MHz - 6 GHz, 56 MHz bandwidth and 12-bit ADC, it is most commonly found in high end SDRs such as the USRP range and PicoZed. On Digikey purchasing the chip today would set you back about USD $280. A cheaper but similar AD9363 chip is found in the PlutoSDR.

If you are unaware, decapping is the process of dissolving the package of a chip (usually with acid) to expose the silicon die and its structure. Over on the 'Zeptobars' decapping blog the author has recently shared some beautiful and extremely hi-res (80 MB) photos of a decapped AD9361.

At the end of the post the author does a brief cost analysis on the chip, estimating that while the total manufacturing cost is less than $5, R&D and IP add about $33 per chip and other costs another $32. The remaining margin is split about evenly between the distributors and Analog Devices, with each taking about $100 per chip.

If you're interested, in the past we've also seen decapped images of the R820T and the RTL2832U from 'electronupdate'.

AD9361 Decapped on the Zeptobars blog

EOD Robots now packing USRP and HackRF Software Defined Radios

Thanks to the team of Robotics company Servosila for sharing the following press release with us which describes how their new EOD robot makes use of SDR technologies for electronic warfare.

We also wrote back to them and asked for a bit more information on the SDRs used. They wrote that there are two SDR options available for the EOD robot. Option one uses the Ettus Research USRP B205mini-i, and option two uses the HackRF One. This provides a good trade off between cost and functionality.

Servosila introduces Mobile Robots equipped with Software Defined Radio (SDR) payloads

Servosila introduces a new member of the family of Servosila “Engineer” robots, a UGV called “Radio Engineer”. This new variant of the well-known backpack-transportable robot features a Software Defined Radio (SDR) payload module integrated into the robotic vehicle.

“Several of our key customers had asked us to enable an Electronic Warfare (EW) or Cognitive Radio applications in our robots”, – says a spokesman for the company, “By integrating a Software Defined Radio (SDR) module into our robotic platforms we cater to both requirements. Radio spectrum analysis, radio signal detection, jamming, and radio relay are important features for EOD robots such as ours. Servosila continues to serve the customers by pushing the boundaries of what their Servosila robots can do. Our partners in the research world and academia shall also greatly benefit from the new functionality that gives them more means of achieving their research goals.”

Coupling a programmable mobile robot with a software-defined radio creates a powerful platform for developing innovative applications that mix mobility and artificial intelligence with modern radio technologies. The new robotic radio applications include localized frequency hopping pattern analysis, OFDM waveform recognition, outdoor signal triangulation, cognitive mesh networking, automatic area search for radio emitters, passive or active mobile robotic radars, mobile base stations, mobile radio scanners, and many others.

A rotating head of the robot with mounts for external antennae acts as a pan-and-tilt device thus enabling various scanning and tracking applications. The neck of the robotic head is equipped with a pair of highly accurate Servosila-made servos with a pointing precision of 3.0 angular minutes. This means that the robot can point its antennae with an unprecedented accuracy.

Researchers and academia can benefit from the platform’s support for GnuRadio, an open source software framework for developing SDR applications. An on-board Intel i7 computer capable of executing OpenCL code, is internally connected to the SDR payload module. This makes it possible to execute most existing GnuRadio applications directly on the robot’s on-board computer. Other sensors of the robot such as a GPS sensor, an IMU or a thermal vision camera contribute into sensor fusion algorithms.

Since Servosila “Engineer” mobile robots are primarily designed for outdoor use, the SDR module is fully enclosed in the hardened body of the robot, which provides protection against dust, rain, snow and impacts with obstacles while the robot is on the move. The robot and its SDR payload module are both powered by an on-board battery, making the entire robotic radio platform independent of external power supplies.

Servosila plans to start shipping the SDR-equipped robots to international customers in October, 2017.

Web: https://www.servosila.com
YouTube: https://www.youtube.com/user/servosila/videos

About the Company
Servosila is a robotics technology company that designs, produces and markets a range of mobile robots, robotic arms, servo drives, harmonic reduction gears, robotic control systems as well as software packages that make the robots intelligent. Servosila provides consulting, training and operations support services to various customers around the world. The company markets its products and services directly or through a network of partners who provide tailored and localized services that meet specific procurement, support or operational needs.

Servosila EOD Robot

Performing a Replay Attack on a Wireless Doorbell with a USRP SDR

A replay attack consists of recording a signal and simply transmitting the recording again on the same frequency at a later time. It works against devices that send the same fixed code every time, like this doorbell, and fails against devices that use rolling codes, where each transmission is different. To do this a receive and transmit capable software defined radio like a USRP/HackRF/bladeRF can be used.

Over on his blog, the admin of the dxwxr group has posted a tutorial showing how he performs a replay attack on a simple wireless doorbell using a USRP, GNURadio and the audio editor Audacity. This is a very simple process and a great tutorial for those looking to get started in reverse engineering signals. First he determines the frequency of the doorbell, which turned out to be around 315 MHz. Then using GNURadio he records the signal emitted by the doorbell remote and opens the recording in Audacity. He then isolates one transmission of the code and saves it as a raw AIFF file. Finally, he uses GNURadio to transmit the isolated signal via the USRP.
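Cutting the burst out in Audacity and replaying it as-is works, but it also replays the noise and whatever was clipped at the edges. The next step most people take is to recover the actual bit pattern from the envelope and rebuild a clean waveform from it, which also tells you whether the device is replayable at all. The Python example below is an added illustration, not the tutorial's flow graph: it works on the magnitude envelope (what the Audacity waveform shows), assumes plain on/off keying with a single symbol period, slices and run-length encodes the samples, quantises the runs to whole symbols, splits repeats on the inter-frame gap, and checks that every repeat is identical before synthesising the replay. The capture it decodes is constructed inline (code word, symbol length, repeat count and noise level are made up) so it runs offline.

```python
"""Recover the bit pattern from an OOK capture and rebuild it for replay.

Added example, not the dxwxr tutorial's flow graph. It works on the magnitude
envelope of the recorded signal (what Audacity shows), assumes plain on/off
keying with one symbol period, and constructs its own noisy capture so it runs
offline; the code word, symbol length and noise level are made up for the test.
"""
import random


def synth_ook(bits, sps, repeats=1, gap_symbols=10, amplitude=1.0):
    """Baseband OOK envelope for a bit string: '1' = carrier on for one symbol of
    sps samples, '0' = off, frames separated by a gap. Used to construct the
    test capture and, later, the waveform to hand to the transmitter."""
    frame = [amplitude if b == "1" else 0.0 for b in bits for _ in range(sps)]
    gap = [0.0] * (sps * gap_symbols)
    return (frame + gap) * repeats


def constructed_capture(bits="100110101101", sps=50, repeats=3, seed=1):
    """Stand-in for the recording: leading silence, three repeats, a little noise."""
    rng = random.Random(seed)
    clean = [0.0] * (4 * sps) + synth_ook(bits, sps, repeats)
    return [x + rng.uniform(-0.05, 0.05) for x in clean]


def smooth(samples, window=5):
    """Short moving average so single noisy samples cannot flip the slicer."""
    out, acc = [], 0.0
    for i, x in enumerate(samples):
        acc += x
        if i >= window:
            acc -= samples[i - window]
        out.append(acc / min(i + 1, window))
    return out


def to_runs(samples, threshold):
    """Slice against a threshold and run-length encode: [(level, n_samples), ...]."""
    runs = []
    for x in samples:
        level = 1 if x > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [(level, n) for level, n in runs]


def estimate_sps(runs):
    """Samples per symbol: the shortest carrier-on burst; longer runs are multiples of it."""
    return min(n for level, n in runs if level == 1)


def split_frames(runs, sps, gap_symbols):
    """Quantise run lengths to whole symbols and emit one bit string per frame.
    An off run of gap_symbols or more is the inter-frame gap, not data."""
    frames, current = [], ""
    for level, n in runs:
        symbols = round(n / sps)
        if level == 0 and (symbols >= gap_symbols or not current):
            if current:
                frames.append(current)
                current = ""
            continue
        current += ("1" if level else "0") * symbols
    if current:
        frames.append(current)
    return frames


def decode_capture(samples, gap_symbols=10, threshold=0.5):
    """Return (samples_per_symbol, [frame bit strings]) for an OOK envelope."""
    runs = to_runs(smooth(samples), threshold)
    sps = estimate_sps(runs)
    return sps, split_frames(runs, sps, gap_symbols)


def is_fixed_code(frames):
    """Replay only works when every transmission is identical; a rolling-code
    device would produce a different frame each time."""
    return len(frames) >= 2 and len(set(frames)) == 1


def build_replay(frames, sps, repeats=3):
    """Clean waveform to transmit: the recovered frame, repeated as the remote does."""
    return synth_ook(frames[0], sps, repeats)


if __name__ == "__main__":
    sps, frames = decode_capture(constructed_capture())
    print("samples/symbol:", sps, "frames:", frames, "fixed code:", is_fixed_code(frames))
    replay = build_replay(frames, sps)
    print("replay decodes to:", decode_capture(replay)[1])
```

Two caveats a practitioner should keep in mind. Trailing zero bits of a frame are indistinguishable from the start of the inter-frame gap, so only the pattern up to the last carrier-on symbol is recovered; for a fixed-code doorbell that is all the receiver looks at anyway. And if the three repeats decode to different frames, the device is using a rolling code and no amount of replaying a single recording will trigger it.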

Captured wireless doorbell signal.
Replay Attack – DoorBell