TEMPEST In A Software Defined Radio

In 1985, [Wim van Eck] published several technical reports on obtaining information from the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox-IT has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion2 SoC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.
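The byte-by-byte recovery described above, and the ChipWhisperer's power-based variant, both rest on the same statistics. The following Python simulation is an added illustration, not code from [Craig Ramsay]'s paper or the ChipWhisperer project: an unprotected first-round S-box lookup leaks the Hamming weight of its output, and correlating that prediction against noisy traces singles out the key byte, which is exactly why an unmasked AES core on a board is worth evaluating for leakage before it ships. The traces, key byte and noise level are constructed; no hardware is involved.

```python
import math
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return p

def aes_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # XOR of four left rotations of the inverse
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = aes_sbox()
def hamming_weight(v):
    return bin(v).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def simulate_traces(key_byte, n, noise_sd, rng):
    """Constructed leakage: Hamming weight of the first-round S-box output plus Gaussian noise."""
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [hamming_weight(SBOX[p ^ key_byte]) + rng.gauss(0, noise_sd) for p in pts]

def recover_key_byte(pts, traces):
    """CPA: the guess whose predicted leakage correlates best with the measured traces."""
    return max(range(256), key=lambda g: abs(pearson([hamming_weight(SBOX[p ^ g]) for p in pts], traces)))

def demo(key_byte=0x2B, n=500, noise_sd=1.0, seed=1):
    """Constructed scenario: simulate n traces for one key byte, then recover it."""
    pts, traces = simulate_traces(key_byte, n, noise_sd, random.Random(seed))
    return recover_key_byte(pts, traces)
```

Raising noise_sd or lowering n in demo() shows how many traces a given signal-to-noise ratio needs, which is the number a masking or shielding countermeasure has to push out of reach.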

Decoding NRSC-5 with SDR to Get In Your Car

NRSC-5 is a high-definition radio standard, used primarily in the United States. It allows for digital and analog transmissions to share the original FM bandwidth allocations. Theori are a cybersecurity research startup in the US, and have set out to build a receiver that can capture and decode these signals for research purposes, and documented it online.

Their research began on the NRSC website, where the NRSC-5 standard is documented; however, the team notes that the audio compression details are conspicuously missing. They then step through the physical layer, multiplexing layer, and finally the application layer, taking apart the standard piece by piece. This all culminates in the group’s development of an open-source receiver for NRSC-5 that works with RTL-SDR – perhaps the most ubiquitous SDR platform in the world.

The group’s primary interest in NRSC-5 is its presence in cars as a part of in-car entertainment systems. As NRSC-5 allows data to be transmitted in various formats, the group suspects there may be security implications for vehicles that do not securely process this data — getting inside your car through the entertainment system by sending bad ID3 tags, for instance. We look forward to seeing results of this ongoing research.

[Thanks to Gary McMaster for the tip!]

Hackaday Prize Entry: Sub Gigahertz RF

For all the press WiFi and Bluetooth-connected Internet of Things toasters get, there’s still a lot of fun to be had below one gigahertz. For his Hackaday Prize entry, [Adam] is working on an open source, extensible 915 and 433 MHz radio designed for robotics, drones, weather balloons, and all the other fun projects that sub-gigahertz radio enables.

The design of this radio module is based around the ADF7023 RF transceiver, a very capable and very cheap chip that transmits in the usual ISM bands. The rest of the circuit is an STM32 ARM Cortex M0+, with USB, UART, and SPI connectivity, with support for a battery for those mobile projects.

Of course, you can just go out and buy an ISM radio, but that’s not really the point of this project. [Adam] has come up with an excellent board here, all designed in KiCad, all while flexing his RF muscle. There are RF shields here, too, so it’s far more than just a design challenge, this is an assembly and sourcing problem as well. It’s a great project, and an excellent example of what we’re looking for in The Hackaday Prize.

A Tube AM Transmitter In A Soup Can

A standard early electronics project or kit has for many years been the construction of a small broadcast transmitter with enough power to reach the immediate area, but no further. These days that will almost certainly mean an FM broadcast band transmitter, but in earlier decades it might also have been for the AM broadcast band instead.

The construction of a small AM transmitter presents some interesting problems for an electronic designer. It is extremely easy to make an AM transmitter with a single transistor or tube, but it is rather more difficult to make a good one. The modulation has to be linear across the whole amplitude range, and its effect must not pull the frequency of the oscillator and cause FM distortion.

It’s a task [Joe Sousa] has tackled, with his one tube AM transmitter in a Campbell’s soup can. His write-up of the transmitter contains a full description of the problems he faced, and how his design overcomes them. His oscillator is a cathode follower, with the tube biased in class A mode to ensure as undistorted a sine wave oscillation as possible. Modulation is provided through the suppressor grid of the pentode tube he’s using.

The completed transmitter is mounted inside the iconic soup can, with the mains transformer mounted on a removable bottom plate. There is a provision for both loop and wire antennas to be connected.

It is probable that this transmitter falls under the so-called “Part 15” rules for unlicensed low-power broadcasting in the USA, however it should be borne in mind that not every territory has this provision. If you build this transmitter, make sure you’re not going to attract the interest of your local equivalent of the FCC.

This article should have whetted your appetite for tiny broadcast transmitters. How about comparing the one here with a full-sized model?

Thanks [2ftg] for the tip.

A Remotely Tuned Magnetic Loop Antenna

If you are a radio amateur, you may be familiar with the magnetic loop antenna. It’s different from most conventional wire antennas, taking the form of a tuned circuit with a very large single-turn coil and a tuning capacitor. Magnetic loops have the advantage of extreme selectivity and good directionality, but the danger of a high voltage induced across that tuning capacitor and the annoyance of needing to retune every time there is a frequency change.

[Oleg Borisov, RL5D] has a magnetic loop, and soon tired of the constant retuning. His solution is an elegant one: he’s made a remote retuning setup using a stepper motor, an Arduino, and a Bluetooth module (translated here). The stepper is connected to the capacitor via a short flexible coupling, and tuning is performed with the help of a custom Android app. We’d be interested to know what the effect of a high RF field is on these components, but he doesn’t report any problems so it must be working.

He’s posted a video of the unit in operation, which we’ve posted below the break; if you’ve ever had to constantly retune a magnetic loop you will appreciate the convenience.


Phase Modulation With An FPGA

There are two radio modulation schemes everyone should know. Amplitude modulation changes the amplitude — or ‘volume’, if you will — of a carrier frequency and turns all radio into channels owned and operated by a church. Frequency modulation changes the pitch of a carrier frequency and is completely run by Clear Channel. Amateur radio operators are familiar with dozens of other modulation schemes, but there’s one hardly anyone touches. Phase modulation is weird and almost unheard of, but that doesn’t mean you can’t implement it on an FPGA. [nckm] is transmitting audio using phase modulation on an FPGA (Russian, here’s the Google Translatrix).

This hardware is just an Altera MAX10 board, with a single input used for serial data of the audio to be transmitted, and two outputs, each connected to a few bits of wire for a quarter-wave antenna. No, there’s no output filter or anything else except for a few bits of wire. It’s an experiment, chillax.

The Verilog for this project receives an audio signal as serial data in mono, 22050 BPS, 8-bit unsigned samples. These samples are fed into a dynamic PLL with phase shift in the FPGA. Shifting the phases also changes the frequency, so [nckm] can receive this audio signal with the FM transmitter on his phone.

Is this really phase modulation if it’s being received by an FM radio? Eh, maybe. PM and FM are closely related, but certainly distinguishable as modulation schemes in their own right. You can grab [nckm]’s code over on the gits, or check out the video demo below.
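Why the phone’s FM receiver hears this at all, as an added note that is not part of [nckm]’s write-up: with carrier frequency $f_c$, audio signal $m(t)$ and modulation constants $k_p$ and $k_f$, the two schemes differ only in what goes into the phase of the carrier,

$$
s_{\mathrm{PM}}(t) = \cos\!\big(2\pi f_c t + k_p\, m(t)\big), \qquad
s_{\mathrm{FM}}(t) = \cos\!\Big(2\pi f_c t + 2\pi k_f \int_0^t m(\tau)\,d\tau\Big).
$$

An FM discriminator outputs the instantaneous frequency, the time derivative of the total phase divided by $2\pi$:

$$
f_i^{\mathrm{PM}}(t) = f_c + \frac{k_p}{2\pi}\,\frac{dm}{dt}, \qquad
f_i^{\mathrm{FM}}(t) = f_c + k_f\, m(t).
$$

So stepping the PLL phase by an amount proportional to each 8-bit sample is an FM transmission whose modulating signal is $dm/dt$: the FM radio recovers the audio differentiated (treble-boosted), which is why it is intelligible but not identical to the original samples.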


Simple Range Testing for LoRa Modules

WiFi and Bluetooth have their use cases, but both have certain demands on things like battery life and authentication that make them unsuitable for a lot of low-power use cases. They’re also quite limited in range. There are other standards out there more suitable for low-power and wide area work, and thankfully, LoRa is one of them. Having created some LoRa pagers, [Moser] decided to head out and test their range.

Now, we’ve done range tests before. Often this involves sending one party out with a radio while the other hangs back at base. Cellphones serve as a communications link while the two parties go back and forth, endlessly asking “Is it working now? Hang on, I’ll take a few steps back — what about now?”

It’s a painful way to do a range test. [Moser]’s method is much simpler; set a cellphone to log GPS position, and have the pager attempt to send the same data back to the base station. Then, go out for a drive, and compare the two traces. This method doesn’t just report straight range, either — it can be used to find good and bad spots for radio reception. It’s great when you live in an area full of radio obstructions where simple distance isn’t the only thing affecting your link.
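To show how the two traces get compared, here is an added Python sketch that is not [Moser]’s code: the phone’s GPS log and the base station’s received log are constructed sample data in the same (seconds, lat, lon) shape, joined on timestamp, and the base-station position is an assumption. A fix that was dropped while a farther fix still got through points at an obstruction rather than the edge of range.

```python
import math

# Constructed sample data (not real measurements). Phone GPS log: (seconds, lat, lon),
# one fix per minute while driving east away from the base station.
PHONE_LOG = [(0, 48.8566, 2.3522), (60, 48.8566, 2.3542), (120, 48.8566, 2.3562),
             (180, 48.8566, 2.3582), (240, 48.8566, 2.3602), (300, 48.8566, 2.3622)]
# Base-station log: the fixes the pager managed to deliver over LoRa (same shape).
BASE_LOG = [(0, 48.8566, 2.3522), (60, 48.8566, 2.3542), (120, 48.8566, 2.3562),
            (240, 48.8566, 2.3602)]
BASE_POS = (48.8566, 2.3522)  # assumed base-station position

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a))

def compare_traces(phone_log, base_log, base_pos):
    """Mark each phone fix as received or dropped, annotated with distance from base."""
    received = {t for t, _, _ in base_log}
    return [{"t": t, "dist_m": haversine_m((lat, lon), base_pos), "received": t in received}
            for t, lat, lon in phone_log]

def max_range_m(results):
    """Farthest point from which a packet actually arrived."""
    return max((r["dist_m"] for r in results if r["received"]), default=0.0)

def dead_spots(results):
    """Timestamps dropped inside the achieved range: likely obstructions, not distance."""
    reach = max_range_m(results)
    return [r["t"] for r in results if not r["received"] and r["dist_m"] < reach]
```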

Build details on the pagers are available, and you can learn more about LoRa here. While you’re at it, check out the LoRa tag for more cool builds and hacks.