The first talk at 2016 Shmoocon was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. This is not limited to sniffing, but also used for control with the potential for mayhem.
Conference badges are getting more complex each year. DEFCON, LayerONE, Shmoocon, The Next Hope, Open Hardware Summit, The EMF, SAINTCON, SXSW Create, The Last Hope, TROOPERS11, ZaCon V and of course the CCC have all featured amazing badges over the years. This year's CCCamp 2015 rad1o badge is taking things several notches higher. The event will run from 13th through 17th August, 2015.
The rad1o badge contains a full-featured SDR (software defined radio) transceiver, operating in a frequency range of about 50 MHz to 4000 MHz, and is software compatible with the HackRF One open source SDR platform. The badge uses a WiMAX transceiver which sends I/Q (in-phase/quadrature-phase) samples in the range of 2.3 to 2.7 GHz to an ARM Cortex M4 CPU. The CPU can process the data standalone for various applications such as FM radio, spectrogram display, RF controlled power outlets, etc., or pass the samples to a computer using USB 2.0 where further signal processing can take place, e.g. using GNU Radio. The frequency range can be extended by inserting a mixer in the RF path. It's got an on-board antenna tuned for 2.5 GHz, or an SMA connector can be soldered on to attach an external antenna. There's a Nokia 6100 130×130 pixel LCD and a joystick, which also featured in the earlier CCCamp 2011 badge known as the r0ket.
A 3.5mm TRRS audio connector allows hooking up a headphone and speaker easily. The LiPo battery can be charged via one of the USB ports, while the other USB port can be used for software updates and data I/O to SDR software like GNU Radio. Check out the project details from their GitHub repository and more from the detailed wiki, which has information on software and hardware. There's also a Twitter account if you'd like to follow the project's progress.
This year's Open Hardware Summit also promises an awesome hackable badge. We'll probably feature it before the OHS2015 conference in September.
Thanks to [Andz] for tipping us off about this awesome badge.
It hasn’t become a household term yet, but Software-Defined Radio (SDR) is a major player on the developing technology front. Whether you’re building products for mass consumption, or just playing around for fun, SDR is worth knowing something about and I’ll prove it to you.
For anyone getting into the world of Software Defined Radio, the first purchase should be an RTL-SDR TV tuner. With a cheap, $20 USB TV tuner, you can listen to just about anything between 50 and 1750 MHz. You can’t send, the sample rate isn’t that great, but this USB dongle gives you everything you need to begin your explorations of the radio spectrum.
Your second Software Defined Radio purchase is a matter of contention. There are a lot of options out there for expanding a rig, and the HackRF is a serious contender. You get 10 MHz to 6 GHz operating frequency, 20 million samples per second, and the ability to transmit. You have your license, right?
Unfortunately the HackRF is a little expensive and is not available everywhere. [Gareth] is leading the charge and producing the HackRF Blue, a cost-reduced version of the HackRF designed by [Michael Ossmann].
The HackRF Blue's feature set is virtually identical, and the RF performance is basically the same: both the Blue and the HackRF One can get data from 125 kHz RFID cards. All software and firmware is interchangeable. If you were waiting on another run of the HackRF, here ya go.
[Gareth] and the HackRF Blue team are doing something rather interesting with their crowdfunding campaign: they’re giving away Blues to underprivileged hackerspaces, with hackerspaces from Togo, Bosnia, Iran, India, and Detroit slated to get a HackRF Blue if the campaign succeeds.
Thanks [Praetorian] and [Brendan] for sending this in.
Remember that episode of Leverage (season 5, episode 3), where Alec uses Marvin to wirelessly change all the street lights green so they can catch up to an SUV? And you scoffed and said “that’s so not real!”… well actually they got it right. A new study out of the University of Michigan (PDF warning), shows just how easy it is to make your morning commute green lights all the way.
The study points out that a large portion of traffic lights in the United States communicate with each other wirelessly over the 900 MHz and 5.8 GHz ISM bands with absolutely no encryption. In order to connect to the 5.8 GHz traffic signals, you simply need the SSID (which is set to broadcast) and the proper protocol. In the study the researchers used a wireless card that is not available to the public, but they do point out that with a bit of social engineering you could probably get one. Another route is the HackRF SDR, which could be used to both sniff and transmit the required protocol. Once connected to the network you will need the default username and password, which can be found on the traffic light manufacturer's website. To gain access to the 900 MHz networks you need all of the above and a 16-bit slave ID. This can be brute forced, and as the study shows, no ID was greater than 100. Now you have full access, not to just one traffic signal, but EVERY signal connected to the network.
Once on the network you have two options. The first is the completely open debug port in the VxWorks OS, which allows you to read-modify-write any memory register. The second is sending a UDP packet where the last byte encodes the button pressed on the controller's keypad. Using the remote keypad you can freeze the current intersection state, modify the signal timing, or change the state of any light. However, the hardware Malfunction Management Unit (MMU) will still detect any illegal states (conflicting green or yellow lights) and take over with the familiar 4-way red flashing. Since a technician will have to come out and manually reset the traffic signal to recover from an illegal state, you could turn every intersection on the network into a 4-way stop.
So the next time you stop at a red light, and it seems to take forever to change, keep an eye out for the hacker who just green lit their commute.
Thanks for the tip, [Matt].
What do you get when you combine one of the best (and certainly one of the best for the price) software defined radios with the user interface of a 10-year-old iPod? The HackRF PortaPack, developed by [Jared Boone], and demonstrated at DEFCON last weekend.
[Jared] is one of the original developers of the HackRF, a 10 MHz to 6 GHz software defined radio that can also transmit in half duplex. Since development of the HackRF has (somewhat) wrapped up, [Jared] has been working on the PortaPack, an add-on for the HackRF that turns it into a portable, ARM Cortex M4-powered software defined radio. No, it's not as powerful as a full computer running GNU Radio, but it does have the capability to listen in on a surprising number of radio signals.
Because [Jared] is using a fairly low-power micro for the PortaPack, there are a lot of tricks he's using to get everything running smoothly. He gave a lightning talk at the Wireless Village at DEFCON going over the strengths and weaknesses of the chip he's using, and surprisingly he's using very little floating point arithmetic in his code. You can check out the video of that talk below.
Back in 2013, the NSA ANT Catalog was leaked. This document contained a list of devices that are available to the NSA to carry out surveillance.
[Michael Ossmann] took a look at this, and realized that a lot of their tools were similar to devices the open source hardware community had built. Based on that, he gave a talk on The NSA Playset at Toorcamp 2014. This covered how one might implement these devices using open hardware.
The above image is a parody of an ANT Catalog page, which shows [Michael]’s HackRF, an open source software defined radio. In the talk, [Michael] and [Dean Pierce] go over the ANT Catalog devices one by one, discussing the hardware that would be needed to build your own.
Some of these tools already have open source counterparts. The NIGHTSTAND WiFi exploitation tool is essentially a WiFi Pineapple. SPARROW II is more or less a device running Kismet attached to a drone, which we've seen before.
A video of the Toorcamp talk is available on [Michael]’s blog. There will also be a variety of talks on this subject at DEFCON next week, which we’re looking forward to. For further reading, Wikipedia has a great summary of the ANT Catalog.