When we hear GNU Radio was used in a build, the first thing we think of is, obviously, radio. Whether it’s a using extremely expensive gear or just a USB TV tuner dongle, GNU Radio is the perfect tool for just about everything in the tail end of the electromagnetic spectrum.
There’s no reason GNU Radio can’t be used with other mediums, though, as [Chris] shows us with his ultrasound data transmission between two laptops. He’s transmitting audio from the speakers of one laptop at 23 kHz. It’s outside the range of human hearing, but surprisingly able to be picked up by a cheap desktop mic connected to another laptop. His GNU Radio setup first converts a string of text to a 5-bit packet, modulates it with FSK, and bumps up the signal to 23 kHz. On the other end, the data is decoded by doing the same thing in reverse.
The setup is easily able to reject all audio that isn’t in the specified frequency range; in the video after the break, [Chris] successfully transmits a ‘hello world’ while narrating what he’s doing.
Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the costs of hardware have gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner come software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.
Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars a piece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a Paypal account the ability to listen in on GSM calls and sniff text messages.
The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS that will send back and acknowledgement an SMS has been received on the victim’s phone, but won’t give the victim any indication of receiving a message.
From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.
[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.
It seem [Balint] is becoming somewhat of a SDR guru around these parts; in the past few months, he’s gotten a USB TV tuner receiver working with GNU Radio, started a software defined radio tutorial YouTube channel, and even used this project to listen in on conversations between airplanes and air traffic control. This time, [Balint] is back using this cheap USB TV tuner forradio direction finding and running HDSDR in Linux and OS X.
[Balint]’s radio direction finding presentation goes over traditional means of direction finding using the doppler effect and mechanically rotated antennas. Because [Balint] is dealing with frequencies around 150MHz (about 2 meter wavelength), building a physical direction finding setup requires spinning antennas at around 40,000 RPM; much to fast for any hardware build. [Balint]’s solution was to attach 4 antennas around the circumference of a circle and electronically switch between them many thousands of times a second. [Balint] put up a wiki page going over all the theory and implementation details of his build.
[Balint] also put wrote up a neat app to control software defined radios – including the Realtek TV dongle – over a network. Spread over a wide enough geographic area, it could become extremely easy for anyone to play air traffic controller. The BorIP Server can also be used to run HDSDR in Linux and OS X under Wine; just connect HDSDR to the network loopback on the same machine, and you get around Wine’s distaste for accessing hardware natively.
Awesome work, and we can’t wait to see what comes out of [Balint]’s laboratory next.
Edit: instead of the dongle, [Balnt] is using a ‘real’ software radio board. A lot of people are messaging him asking if the same method of direction finding is possible with the dongle. Here’s what [Balint] has to say:
The trick, as I see it, would be to create some (more or less simple) additional hardware to take the clock signal straight off the dongle’s on-board oscillator and divide it down for use with the antenna switch, i.e. 28 MHz à tens of kHz (this is the bit that’s done in ‘software’ on the FPGA). One problem still remains however: the counter needs to remain calibrated against the known direction the antenna was pointing at the time – otherwise a stop/start of the data stream from the dongle will mean the direction will go out of sync by 90/180/270 degrees each stop/start. Perhaps someone will figure out an elegant solution for this slight hurdle!
When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.
The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.
The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.
This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.
A collaboration of various medical researchers in the academic field has led to proof that pacemakers can be remotely hacked with simple and accessible equipment. [Kevin Fu], an associate professor at the University of Massachusetts at Amherst, led the team. [Kevin] first tried to get documentation from the manufacturers, believing they would support the effort, but they were not interested in helping. They were forced to get access to an old pacemaker and reverse engineer it. They found that the communication protocol used to remotely program the device was unencrypted. They then used a GNU radio system to find access to some of the machine’s reprogrammable functions, including accessing patient data and even turning it off.