Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.
In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).
Their research showed that four low-cost TX-capable SDRs (USRP or bladeRF) at 1 W output each, driven by open source LTE base station software, could deliver a fake Presidential Alert to a stadium of 50,000 people. The stadium figure comes from simulation; the real-world tests were performed responsibly in a controlled environment. The attack works by standing up a rogue LTE cell on the SDR that nearby phones attach to; once attached, a crafted alert can be broadcast to every connected phone. WEA messages are broadcast by the cell in its system information without any signature, so the handset has no way to verify that an alert is legitimate.
Recently Ars Technica ran an in-depth story about how a $600 USRP software defined radio could be used to spoof the Instrument Landing System (ILS) guidance an aircraft relies on during an approach. ILS is a radio-based system that has been in use since the late 1930s. It is very simple: an array of transmitter antennas at the runway and a receiver in the aircraft. From the relative strength of two modulation tones (90 Hz and 150 Hz) the receiver tells the pilot whether the aircraft is left or right of the runway centreline (the localizer) and above or below the correct descent path (the glideslope). Although old, ILS remains a key instrument for landing when visibility is poor, such as at night or in bad weather and fog.
Researchers from Northeastern University in Boston point out in their latest research that ILS, designed long before adversarial radio was a concern, carries no authentication and can be spoofed by anyone with a TX-capable radio. A spoofing attack could shift the indicated centreline or glide path and cause a plane to land incorrectly. ILS failures involving distorted signals have already caused near-catastrophic incidents in the past.
However, the attacker needs a fairly strong power amplifier and a directional antenna aligned with the runway, and because most airports monitor for interference the attack would probably be detected. The authors note that it could in principle be carried out from inside the aircraft, but the same need for a strong signal, and therefore a large amplifier and directional antenna, would make the operation too conspicuous to carry out onboard.
In a paper published on the IACR ePrint archive, researchers show that it is possible to track 3G, 4G and 5G mobile users with a fake base station built on an SDR. It has been well known for several years that 2G mobile phone security is broken, but 3G through 5G had held up. The researchers found that the way the Authentication and Key Agreement (AKA) protocol hides its sequence number (SQN), by XORing it with an anonymity key derived from the challenge rather than with fresh randomness, lets an attacker who replays an old challenge learn part of the SQN. This does not break the encryption; it leaks information about the subscriber's activity.
In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too.
"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."
Although the attack is limited to monitoring subscriber activity (number of calls, SMSs, location, and so on) rather than snooping on the contents of calls, the researchers believe it is worse than earlier fake-base-station attacks such as IMSI catchers (StingRays), because those only work while the user is within reach of the fake base station.
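To make the SQN leak concrete, here is a toy model of the AKA exchange and the resynchronisation step the attack abuses. It is an added illustration, not the researchers' code: the MILENAGE/TUAK functions f1, f1*, f2, f5 and f5* are replaced by HMAC-SHA256 stand-ins, the USIM's freshness rule is simplified to "SQN must exceed the last accepted value" (a real USIM keeps a window of SEQ||IND values), and the network increments SQN by one per authentication. The subscriber key and RAND values are constructed.

```python
"""Toy model of the 3GPP AKA resync leak. Constructed illustration only:
HMAC-SHA256 stands in for MILENAGE/TUAK, SQN freshness is simplified."""
import hashlib
import hmac
import os

SQN_LEN = 6            # 48-bit SQN (3GPP TS 33.102)
AMF = b"\x80\x00"      # authentication management field, constant here


def _prf(k, label, *parts):
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf):  return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f1_star(k, rand, sqn):  return _prf(k, b"f1*", rand, sqn)[:8]       # MAC-S
def f2(k, rand):            return _prf(k, b"f2", rand)[:8]             # RES
def f5(k, rand):            return _prf(k, b"f5", rand)[:SQN_LEN]       # AK
def f5_star(k, rand):       return _prf(k, b"f5*", rand)[:SQN_LEN]      # AK*


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Issues authentication vectors; SQN_HN advances once per challenge."""
    def __init__(self, k, sqn):
        self.k, self.sqn = k, sqn

    def challenge(self, rand=None):
        rand = rand or os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        # AUTN = (SQN xor AK) || AMF || MAC-A. The XOR with AK is all that
        # hides SQN, and AK depends only on K and RAND, not on anything fresh.
        return rand, xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)


class USIM:
    """Subscriber side: accepts fresh challenges, answers stale ones with AUTS."""
    def __init__(self, k, sqn):
        self.k, self.sqn = k, sqn

    def respond(self, rand, autn):
        conc, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        sqn = xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None
        if int.from_bytes(sqn, "big") <= self.sqn:
            # Stale SQN, exactly what a replayed challenge looks like: the USIM
            # resynchronises with AUTS = (SQN_MS xor AK*) || MAC-S.
            sqn_ms = self.sqn.to_bytes(SQN_LEN, "big")
            return "SYNC_FAILURE", xor(sqn_ms, f5_star(self.k, rand)) + f1_star(self.k, rand, sqn_ms)
        self.sqn = int.from_bytes(sqn, "big")
        return "RES", f2(self.k, rand)


def leaked_sqn_xor(auts_a, auts_b):
    """Attacker side. Both AUTS values answer replays of the same RAND, so AK*
    is identical in both and cancels, leaving SQN_MS(a) xor SQN_MS(b)."""
    return int.from_bytes(xor(auts_a[:SQN_LEN], auts_b[:SQN_LEN]), "big")


def low_bits_after_one_increment(d):
    """If exactly one genuine AKA run happened between the replays then
    d = s xor (s + 1) = 2^j - 1, which fixes the j low bits of s:
    s mod 2^j == 2^(j-1) - 1. Returns (j, s mod 2^j), or None when d has
    another shape (no activity, or more than one run)."""
    j = d.bit_length()
    if j == 0 or d != (1 << j) - 1:
        return None
    return j, (1 << (j - 1)) - 1


def simulate(runs_between_replays, start_sqn=0x106):
    """Passively capture one legitimate challenge, then replay it twice from a
    fake cell with `runs_between_replays` genuine AKA runs in between."""
    k = hashlib.sha256(b"constructed subscriber key").digest()   # constructed K
    hn, usim = HomeNetwork(k, start_sqn), USIM(k, start_sqn)

    captured = hn.challenge(rand=b"\x01" * 16)      # attacker sniffs (RAND, AUTN)
    assert usim.respond(*captured)[0] == "RES"     # subscriber accepts it
    status, auts1 = usim.respond(*captured)        # replay 1 from the fake cell
    assert status == "SYNC_FAILURE"
    for _ in range(runs_between_replays):          # calls/SMS with the real network
        assert usim.respond(*hn.challenge())[0] == "RES"
    status, auts2 = usim.respond(*captured)        # replay 2, possibly elsewhere
    assert status == "SYNC_FAILURE"
    return leaked_sqn_xor(auts1, auts2)


if __name__ == "__main__":
    for n in (0, 1, 3):
        d = simulate(n)
        print(f"{n} run(s) between replays: SQN xor = {d:#x}, "
              f"low bits learned: {low_bits_after_one_increment(d)}")
```

Nothing in the model is broken cryptographically: the MACs hold and the session keys stay secret. The leak is purely that AUTS reuses a mask (AK*) derived from an attacker-controlled RAND, so two replays of one captured challenge yield the XOR of two SQN values, and with a few replays over time the attacker learns whether, and roughly how much, the subscriber has used the network in between.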
Over the last few years researchers at Universidad Javeriana Bogotá, a university in Colombia, have been looking into using SDRs for aerial landmine detection. The research uses a USRP B210 software defined radio mounted on a quadcopter together with two Vivaldi antennas (one for TX and one for RX). The system is then used as a ground penetrating radar (GPR). GPR is a method that uses RF pulses in the range of 10 MHz to 2.6 GHz to create images of the subsurface. When a transmitted pulse meets a buried object whose electrical properties differ from the surrounding soil, such as a metal mine casing or a plastic mine body, part of the energy is reflected back and shows up as a detection.
Recently they uploaded a demonstration video to their YouTube channel which we show below, and several photos of the work can be found on their Field Robotics website. We have also found their paper available here as part of a book chapter. The abstract reads:
This chapter presents an approach for explosive-landmine detection on board an autonomous aerial drone. The chapter describes the design, implementation and integration of a ground penetrating radar (GPR) using a software defined radio (SDR) platform into the aerial drone. The chapter's goal is first to tackle in detail the development of a custom-designed lightweight GPR by approaching the interplay between hardware and software radio on an SDR platform. The SDR-based GPR system results in a much lighter sensing device compared with the conventional GPR systems found in the literature, with the capability of re-configuration in real time for different landmines and terrains, and with the capability of detecting landmines under terrains with different dielectric characteristics.
Secondly, the chapter introduces the integration of the SDR-based GPR into an autonomous drone by describing the mechanical integration, communication system and graphical user interface (GUI) together with the landmine detection and geo-mapping. This chapter covers completely the hardware and software implementation topics of the on-board GPR system, giving first a comprehensive background of software-defined radar technology and second presenting the main features of the Tx and Rx modules. Additional details are presented relating to the mechanical and functional integration of the GPR into the UAV system.
Aerial landmine detection using SDR-based Ground Penetrating Radar and computing vision
The AD9361 is a highly versatile full transceiver SDR chip released by Analog Devices in 2013. With a 70 MHz to 6 GHz tuning range, up to 56 MHz of bandwidth and 12-bit converters, it is most commonly found in higher-end SDRs such as the USRP B210 and the PicoZed SDR. On Digi-Key, purchasing the chip today would set you back about USD $280. The cheaper but similar AD9363 is found in the PlutoSDR.
At the end of the post the author does a brief cost analysis of the chip, estimating that the total manufacturing cost is less than $5, R&D and IP amount to about $33 per chip, and additional costs make up another $32 per chip, roughly $70 in all. The remaining $200 or so of the retail price is split about evenly between Analog Devices and its distributors, with each party taking about $100 per chip.
Thanks to the team at robotics company Servosila for sharing the following press release with us, which describes how their new EOD robot makes use of SDR technology for electronic warfare.
We also wrote back to them and asked for a bit more information on the SDRs used. They replied that two SDR options are available for the EOD robot: option one uses the Ettus Research USRP B205mini-i, and option two uses the HackRF One. This provides a good trade-off between cost and functionality.
Servosila introduces Mobile Robots equipped with Software Defined Radio (SDR) payloads
Servosila introduces a new member of the family of Servosila “Engineer” robots, a UGV called “Radio Engineer”. This new variant of the well-known backpack-transportable robot features a Software Defined Radio (SDR) payload module integrated into the robotic vehicle.
“Several of our key customers had asked us to enable an Electronic Warfare (EW) or Cognitive Radio applications in our robots”, – says a spokesman for the company, “By integrating a Software Defined Radio (SDR) module into our robotic platforms we cater to both requirements. Radio spectrum analysis, radio signal detection, jamming, and radio relay are important features for EOD robots such as ours. Servosila continues to serve the customers by pushing the boundaries of what their Servosila robots can do. Our partners in the research world and academia shall also greatly benefit from the new functionality that gives them more means of achieving their research goals.”
Coupling a programmable mobile robot with a software-defined radio creates a powerful platform for developing innovative applications that mix mobility and artificial intelligence with modern radio technologies. The new robotic radio applications include localized frequency hopping pattern analysis, OFDM waveform recognition, outdoor signal triangulation, cognitive mesh networking, automatic area search for radio emitters, passive or active mobile robotic radars, mobile base stations, mobile radio scanners, and many others.
A rotating head of the robot with mounts for external antennae acts as a pan-and-tilt device, thus enabling various scanning and tracking applications. The neck of the robotic head is equipped with a pair of highly accurate Servosila-made servos with a pointing precision of 3.0 angular minutes. This means that the robot can point its antennae with unprecedented accuracy.
Researchers and academia can benefit from the platform's support for GnuRadio, an open source software framework for developing SDR applications. An on-board Intel i7 computer capable of executing OpenCL code is internally connected to the SDR payload module. This makes it possible to execute most existing GnuRadio applications directly on the robot's on-board computer. Other sensors of the robot such as a GPS sensor, an IMU or a thermal vision camera contribute to sensor fusion algorithms.
Since Servosila "Engineer" mobile robots are primarily designed for outdoor use, the SDR module is fully enclosed in the hardened body of the robot, which provides protection against dust, rain, snow or impacts with obstacles while the robot is on the move. The robot and its SDR payload module are both powered by an on-board battery, thus making the entire robotic radio platform independent of external power supplies.
Servosila plans to start shipping the SDR-equipped robots to international customers in October, 2017.
About the Company Servosila is a robotics technology company that designs, produces and markets a range of mobile robots, robotic arms, servo drives, harmonic reduction gears, robotic control systems as well as software packages that make the robots intelligent. Servosila provides consulting, training and operations support services to various customers around the world. The company markets its products and services directly or through a network of partners who provide tailored and localized services that meet specific procurement, support or operational needs.
A replay attack consists of recording a signal and then simply transmitting the recording back on the same frequency at a later time. Any receive- and transmit-capable software defined radio, such as a USRP, HackRF or bladeRF, can do this. It only works against devices whose receiver accepts any correctly formed transmission with no check for freshness: fixed-code remotes (doorbells, many cheap garage and alarm remotes) are vulnerable, while rolling-code remotes such as KeeLoq-based car keys change the transmitted code on every press, so a recording is rejected when it is played back.
Over on his blog, the admin of the dxwxr group has posted a tutorial showing how he performs a replay attack on a simple wireless doorbell using a USRP, GNURadio and the audio editor Audacity. This is a very simple process and a great tutorial for those looking to get started in reverse engineering signals. First he determines the frequency of the doorbell, which turned out to be around 315 MHz. Then using GNURadio he records the signal emitted by the doorbell remote and opens up the recording in Audacity. He then isolates a section of the signal containing one transmission and saves it as a raw file. Finally, he uses GNURadio to transmit the isolated signal via the USRP.
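The isolate-and-save step can be done in a few lines of Python instead of by hand in Audacity. The script below is an added example, not the tutorial author's flowgraph: it synthesises a stand-in IQ capture of a fixed-code OOK remote (the doorbell remote's real encoding, bit count and symbol timing are not given in the tutorial, so the 10-bit code, 500 µs symbols and 1 MS/s capture rate are constructed assumptions), finds the burst by its envelope, decodes the bits as a sanity check, and writes the burst in the interleaved float32 complex format that GNU Radio's File Source and File Sink blocks use.

```python
"""Isolate one OOK burst from a raw IQ capture and write it as a .cfile.
Constructed example; the capture is synthesised so the script runs offline."""
import array
import cmath
import math
import random

SAMPLE_RATE = 1_000_000   # assumed capture rate, 1 MS/s


def make_test_capture(code="1011001110", symbol_us=500, tone_hz=100_000,
                      pad_ms=2.0, noise=0.02, seed=1):
    """Constructed stand-in for a recording of a fixed-code OOK remote tuned
    slightly off centre: each '1' is a tone at +tone_hz for symbol_us, each
    '0' is silence, with pad_ms of receiver noise either side of the burst."""
    rng = random.Random(seed)
    samples = []

    def push(count, amp):
        for _ in range(count):
            t = len(samples) / SAMPLE_RATE
            tone = amp * cmath.exp(2j * math.pi * tone_hz * t)
            samples.append(tone + complex(rng.gauss(0, noise), rng.gauss(0, noise)))

    n_pad, n_sym = round(pad_ms * 1e-3 * SAMPLE_RATE), round(symbol_us * 1e-6 * SAMPLE_RATE)
    push(n_pad, 0.0)
    for bit in code:
        push(n_sym, 1.0 if bit == "1" else 0.0)
    push(n_pad, 0.0)
    return samples


def isolate_burst(samples, threshold=0.3, window=32, margin=200):
    """The 'select the burst in Audacity' step done numerically: smooth |IQ|
    with a moving average, take the first and last sample above threshold,
    and keep a margin either side so the edges are not clipped.
    Returns (start, end, burst), or None if nothing exceeds the threshold."""
    mags = [abs(s) for s in samples]
    smoothed, acc = [], 0.0
    for i, m in enumerate(mags):
        acc += m
        if i >= window:
            acc -= mags[i - window]
        smoothed.append(acc / min(i + 1, window))
    above = [i for i, v in enumerate(smoothed) if v > threshold]
    if not above:
        return None
    start, end = max(0, above[0] - margin), min(len(samples), above[-1] + margin)
    return start, end, samples[start:end]


def demodulate_ook(samples, symbol_us, n_symbols, threshold=0.5):
    """Recover the bits by averaging |IQ| over each symbol period from the first
    rising edge. Two button presses that decode to identical bits confirm a
    fixed code that a replay will reproduce; a rolling code would differ."""
    n_sym = round(symbol_us * 1e-6 * SAMPLE_RATE)
    edge = next((i for i, s in enumerate(samples) if abs(s) > threshold), None)
    if edge is None:
        return ""
    bits = []
    for k in range(n_symbols):
        chunk = samples[edge + k * n_sym:edge + (k + 1) * n_sym]
        mean = sum(abs(s) for s in chunk) / len(chunk) if chunk else 0.0
        bits.append("1" if mean > threshold else "0")
    return "".join(bits)


def to_gr_complex_bytes(samples):
    """Interleaved native-endian float32 I,Q pairs, the layout File Sink writes."""
    return array.array("f", [v for s in samples for v in (s.real, s.imag)]).tobytes()


def from_gr_complex_bytes(data):
    floats = array.array("f")
    floats.frombytes(data)
    return [complex(floats[i], floats[i + 1]) for i in range(0, len(floats), 2)]


if __name__ == "__main__":
    capture = make_test_capture()
    start, end, burst = isolate_burst(capture)
    print(f"burst at samples {start}-{end}, decoded bits {demodulate_ook(burst, 500, 10)}")
    with open("doorbell_burst.cfile", "wb") as f:   # File Source -> USRP Sink replays it
        f.write(to_gr_complex_bytes(burst))
```

The written .cfile can be played out with a File Source feeding the USRP sink in GNU Radio at the same sample rate and centre frequency the capture was made at. Replaying needs no understanding of the bits; the decode step is there because comparing two recorded presses is the quickest way to tell a fixed code (replayable) from a rolling code (not).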
In the HF region between about 0 and 30 MHz it is common to see and hear "chirpers": signals which quickly sweep through the HF band and produce an audible chirp. These chirps are actually signals from ionosondes, a type of radar used to monitor the ionosphere. The ionosphere begins roughly 50 km above the surface of the earth and is the atmospheric layer responsible for a large part of long-range HF communications. In a previous post by Mario Filippi we also discussed ionosondes.
The resulting plots, called ionograms, show the delay of the returned echo against frequency, and from them which HF frequencies currently propagate best over a given distance (or number of bounces off the ionosphere). Below is an example animation of ionograms built from received ionosonde chirps over time. Video from the GNU Chirp Sounder page.