Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.
[Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There’s two pars of this attack. The first involves jamming the frequency the keyfob transmits on while recording using a RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.
Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into a ASK transmitter module, which sent out a valid key.
Thought GNU Radio was just for radio? Think again. [Chris] has been hard at work turning the signal generation and analysis of the best tool for software defined radio into a networking device for speakers and a microphone.
The setup uses GNU Radio to generate a carrier signal whose frequency is modulated with a data stream. With this modulated signal piped over a laptop’s speakers, [Chris] is able to send UDP packets across his desk using nothing but sound.
[Chris] had recently used a similar technique to transmit data via audio with GNU Radio, but this latest build is a vast improvement; this is now a duplex networking, meaning two computers can transmit and receive at the same time.
In the end, [Chris] created a strange, obsolete device called a “modem”. It’s not exactly fast; sending ‘Hello World’ takes quite a bit of time, as you can see in the video below.
When we hear GNU Radio was used in a build, the first thing we think of is, obviously, radio. Whether it’s a using extremely expensive gear or just a USB TV tuner dongle, GNU Radio is the perfect tool for just about everything in the tail end of the electromagnetic spectrum.
There’s no reason GNU Radio can’t be used with other mediums, though, as [Chris] shows us with his ultrasound data transmission between two laptops. He’s transmitting audio from the speakers of one laptop at 23 kHz. It’s outside the range of human hearing, but surprisingly able to be picked up by a cheap desktop mic connected to another laptop. His GNU Radio setup first converts a string of text to a 5-bit packet, modulates it with FSK, and bumps up the signal to 23 kHz. On the other end, the data is decoded by doing the same thing in reverse.
The setup is easily able to reject all audio that isn’t in the specified frequency range; in the video after the break, [Chris] successfully transmits a ‘hello world’ while narrating what he’s doing.
Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.
Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.
The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.
From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.
[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.
It seem [Balint] is becoming somewhat of a SDR guru around these parts; in the past few months, he’s gotten a USB TV tuner receiver working with GNU Radio, started a software defined radio tutorial YouTube channel, and even used this project to listen in on conversations between airplanes and air traffic control. This time, [Balint] is back using this cheap USB TV tuner forradio direction finding and running HDSDR in Linux and OS X.
[Balint]’s radio direction finding presentation goes over traditional means of direction finding using the doppler effect and mechanically rotated antennas. Because [Balint] is dealing with frequencies around 150MHz (about 2 meter wavelength), building a physical direction finding setup requires spinning antennas at around 40,000 RPM; much to fast for any hardware build. [Balint]’s solution was to attach 4 antennas around the circumference of a circle and electronically switch between them many thousands of times a second. [Balint] put up a wiki page going over all the theory and implementation details of his build.
[Balint] also put wrote up a neat app to control software defined radios – including the Realtek TV dongle – over a network. Spread over a wide enough geographic area, it could become extremely easy for anyone to play air traffic controller. The BorIP Server can also be used to run HDSDR in Linux and OS X under Wine; just connect HDSDR to the network loopback on the same machine, and you get around Wine’s distaste for accessing hardware natively.
Awesome work, and we can’t wait to see what comes out of [Balint]’s laboratory next.
Edit: instead of the dongle, [Balnt] is using a ‘real’ software radio board. A lot of people are messaging him asking if the same method of direction finding is possible with the dongle. Here’s what [Balint] has to say:
The trick, as I see it, would be to create some (more or less simple) additional hardware to take the clock signal straight off the dongle’s on-board oscillator and divide it down for use with the antenna switch, i.e. 28 MHz à tens of kHz (this is the bit that’s done in ‘software’ on the FPGA). One problem still remains however: the counter needs to remain calibrated against the known direction the antenna was pointing at the time – otherwise a stop/start of the data stream from the dongle will mean the direction will go out of sync by 90/180/270 degrees each stop/start. Perhaps someone will figure out an elegant solution for this slight hurdle!
When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.
The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.
The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.
This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.