How To Control Siri Through Headphone Wires

Last week saw the revelation that you can control Siri and Google Now from a distance, using high-power transmitters and software-defined radios. Is this a risk? No, it’s security theatre, the fine art of performing an impractical technical achievement while disclosing these technical vulnerabilities to the media to pad a CV. Like most security vulnerabilities, it is very, very cool, and enough details have surfaced that the build can be replicated.

The original research paper, published by researchers [Chaouki Kasmi] and [Jose Lopes Esteves], attacks the latest and greatest thing to come to smartphones: voice commands. iPhones, Androids and Windows Phones come with Siri, Google Now and Cortana, and all of these voice services can place phone calls, post something to social media, or launch an application. The trick to this hack is getting audio into the microphone without anyone hearing it.

The ubiquitous Apple earbuds use a single wire for the microphone input, and that wire is the attack vector the researchers used. With a 50 Watt VHF power amplifier (available for under $100, if you know where to look), a software-defined radio with Tx capability ($300), and a highly directional antenna (free clothes hangers from your dry cleaning), a specially crafted radio signal can be coupled into the headphone wire, picked up through the phone’s audio input, and understood by Siri, Cortana, or Google Now.

There is, of course, a difference between a security vulnerability and a practical and safe one. Yes, for under $400 and the right know-how, anyone could perform this technological feat on any cell phone. But it comes at the cost of discovery: because of the way the earbud cable is arranged, the most efficient frequency varies between 80 and 108 MHz, so a successful attack would have to sweep through the band trying various frequencies; not exactly precision work. The field strength required for this attack is also intense – about 25-30 V/m, about the limit for human safety. But in the world of security theatre, someone with a backpack, carrying around a long Yagi antenna, pointing it at people, and making nearby FM radios cut out is to be expected.

Of course, the countermeasures to this attack are simple: don’t use Siri or Google Now. Leaving Siri enabled on the lock screen is a security risk in itself, and most Androids disable Google Now on the lock screen by default. Any decent set of headphones also has shielding in the cable, which makes inducing a current in the microphone wire even harder. The researchers are already at the limits of what is acceptable for human safety with the stock Apple earbuds; anything more would be seriously, seriously dumb.

Party Balloon Crosses Atlantic, Tours Europe & Phones Home

For the past few months, [David VE3KCL] has been launching balloons fitted with radio transmitters from his Canadian home. Nothing unusual there: quite a few people do this, including schools, hackerspaces, and individuals. What is remarkable is how far he has gotten. His S-4 flight in August of this year crossed the Atlantic, reached France and took a tour of Germany, Denmark, Sweden, Finland and Norway before finally landing in the Norwegian Sea. That’s over 10,000 kilometers (6200 miles): not bad for a couple of party balloons strung together.

The flight payload of one of the balloon flights.

Although the distance these balloons have travelled is remarkable, the interesting part is how [David] tracks them. Cell phones obviously won’t work over the Atlantic, and satellite transmitters are expensive, so he used a low-cost transmitter programmed to broadcast using a variety of ham radio signals. The most effective seems to be WSPRnet (the Weak Signal Propagation Network), a system hams use to see how far low-strength signals will go. It relies on hams leaving their receivers on and running software that uploads the received signals to a central server.

By cleverly encoding information such as height and position into this signal, he was able to turn this worldwide network into a tracking network that reports the balloon’s position pretty much anywhere on the globe. [David] is continuing to launch balloons: his latest went up on the 24th of September and travelled over 4300 km (2600 miles) before the signal was lost over the Atlantic.
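WSPR carries position natively as a Maidenhead grid locator, so the position half of the trick above is just getting the balloon's coordinates into that four- or six-character field and decoding it again on the WSPRnet side. The following is an added example, not [David]'s tracker firmware: it encodes a latitude/longitude into a locator, decodes a reported locator back to the centre of its cell, and adds up the great-circle distance along a sequence of spots. How altitude is packed into the other WSPR fields is not described above, so this covers position only, and the sample spots are constructed.

```python
"""Position telemetry the way WSPR carries it: a Maidenhead grid locator.
Added example, not the tracker's own code. Sample positions are constructed."""
import math

EARTH_RADIUS_KM = 6371.0


def to_maidenhead(lat, lon, precision=6):
    """Latitude/longitude in degrees -> Maidenhead locator ('FN25' or 'FN25dj').

    Fields are 20 x 10 degrees (A-R), squares 2 x 1 degrees (0-9),
    subsquares 5' x 2.5' (a-x).
    """
    if precision not in (4, 6):
        raise ValueError("precision must be 4 or 6")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    # Shift to a 0-based grid; nudge the far edge so 90N / 180E land in the last cell.
    x = min(lon + 180.0, 359.999999)
    y = min(lat + 90.0, 179.999999)
    loc = chr(ord("A") + int(x // 20)) + chr(ord("A") + int(y // 10))
    x, y = x % 20, y % 10
    loc += str(int(x // 2)) + str(int(y // 1))
    if precision == 6:
        x, y = x % 2, y % 1
        loc += chr(ord("a") + int(x * 60 // 5)) + chr(ord("a") + int(y * 60 // 2.5))
    return loc


def from_maidenhead(loc):
    """Locator -> (lat, lon) of the centre of its cell, in degrees."""
    loc = loc.strip().upper()
    if len(loc) not in (4, 6):
        raise ValueError("locator must have 4 or 6 characters")
    lon = (ord(loc[0]) - ord("A")) * 20.0 - 180.0 + int(loc[2]) * 2.0
    lat = (ord(loc[1]) - ord("A")) * 10.0 - 90.0 + int(loc[3]) * 1.0
    if len(loc) == 6:
        lon += (ord(loc[4]) - ord("A")) * 5.0 / 60.0 + 2.5 / 60.0
        lat += (ord(loc[5]) - ord("A")) * 2.5 / 60.0 + 1.25 / 60.0
    else:
        lon += 1.0
        lat += 0.5
    return lat, lon


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2.0 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def track_distance_km(locators):
    """Total distance along consecutive spots reported as locators."""
    points = [from_maidenhead(l) for l in locators]
    return sum(great_circle_km(p, q) for p, q in zip(points, points[1:]))


# Constructed track: Ottawa-area launch, off Newfoundland, France, Germany, Denmark.
SAMPLE_SPOTS = ["FN25dj", "GN55", "JN18", "JO51", "JO65"]

if __name__ == "__main__":
    print(to_maidenhead(45.4, -75.7))
    print(from_maidenhead("FN25dj"))
    print(f"{track_distance_km(SAMPLE_SPOTS):.0f} km along the constructed track")
```

A six-character locator pins the balloon to a cell roughly 5 by 2.5 arc-minutes, which is more than enough for a flight measured in thousands of kilometres; the decoder returns the cell centre, so the position error is bounded by half a cell.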

Minimal Mighty Mite

If you’re getting started building your own ham radio gear, it’s hard to imagine a more low-tech transmitter than the Mighty Mite, but [Paul Hodges, KA5WPL] took it one step further and rolled his own variable capacitor. (That’s the beer can with tape and alligator clips that you see on the left.)

A Mighty Mite is barely a radio at all. One transistor, capacitor, crystal and inductor in the form of a bunch of wire wrapped around a pill bottle form a minimalist oscillator, and then by keying this on and off with a switch, you’re sending Morse code. [Bill Meara], of the Soldersmoke Podcast, has been a passionate advocate of the Mighty Mite, suggesting that it can be made by scrounging the 3.57954 MHz colorburst crystal from an old analog TV set, which tunes the radio to a legal frequency for ham radio operators. (It will also probably work with other low-MHz crystals from your junkbox, but it won’t necessarily be legal.)

If the crystal is “easily” scavengeable, and the rest of the radio is easily home-made, the tuning capacitor (normally pulled from an old AM/FM radio) can become the sticking point. So [Paul] cut up two aluminum “beverage” cans, wrapped the inner one in electrical tape, hooked up wires and made his own variable capacitor. By sliding the cans in or out so that more or less of them overlap, he can tune the radio to exactly the crystal’s natural frequency.
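The tank arithmetic behind that capacitor, as an added example (not [Paul]'s build notes or anything from Soldersmoke): the coil and capacitor resonate at f = 1 / (2π√(LC)), and two nested cans are a coaxial capacitor whose capacitance grows linearly with the overlap length. The write-up above gives neither the coil inductance nor the can dimensions, so the 10 µH coil, the 33 mm / 34 mm radii and the air-only dielectric are assumptions, labelled in the code.

```python
"""Tank arithmetic for a Mighty Mite-style oscillator.  Added example; the
coil inductance and can radii are assumed values, not measurements."""
import math

EPS0 = 8.854e-12             # permittivity of free space, F/m
COLORBURST_HZ = 3_579_545.0  # NTSC colour-subcarrier crystal, 3.579545 MHz
COIL_H = 10e-6               # ASSUMED pill-bottle coil inductance, 10 uH
INNER_R_M = 0.0330           # ASSUMED outer radius of the taped inner can, 33 mm
OUTER_R_M = 0.0340           # ASSUMED inner radius of the outer can, 34 mm


def resonant_capacitance(f_hz, l_h):
    """f = 1 / (2*pi*sqrt(L*C)), rearranged for C."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * l_h)


def resonant_frequency(l_h, c_f):
    """Resonant frequency of an L-C tank."""
    return 1.0 / (2.0 * math.pi * math.sqrt(l_h * c_f))


def coaxial_capacitance_per_metre(inner_r_m, outer_r_m, eps_r=1.0):
    """Two nested cylinders form a coaxial capacitor: C/l = 2*pi*eps0*eps_r / ln(b/a).

    eps_r is the effective dielectric of the tape-plus-air gap; 1.0 (air) is the
    conservative assumption used here, since the tape is thin relative to the gap.
    """
    if outer_r_m <= inner_r_m:
        raise ValueError("outer radius must exceed inner radius")
    return 2.0 * math.pi * EPS0 * eps_r / math.log(outer_r_m / inner_r_m)


def overlap_for_capacitance(c_f, inner_r_m=INNER_R_M, outer_r_m=OUTER_R_M, eps_r=1.0):
    """Overlap length (m) the cans need to present c_f farads."""
    return c_f / coaxial_capacitance_per_metre(inner_r_m, outer_r_m, eps_r)


def tuning_curve(overlaps_m, l_h=COIL_H, inner_r_m=INNER_R_M, outer_r_m=OUTER_R_M):
    """Resonant frequency for each overlap length: sliding the cans tunes the tank."""
    cpm = coaxial_capacitance_per_metre(inner_r_m, outer_r_m)
    return [(o, resonant_frequency(l_h, cpm * o)) for o in overlaps_m]


if __name__ == "__main__":
    c = resonant_capacitance(COLORBURST_HZ, COIL_H)
    print(f"tank needs {c * 1e12:.0f} pF with a {COIL_H * 1e6:.0f} uH coil")
    print(f"that is {overlap_for_capacitance(c) * 1000:.0f} mm of can overlap")
    for o, f in tuning_curve([0.05, 0.08, 0.10, 0.12]):
        print(f"{o * 1000:.0f} mm overlap -> {f / 1e6:.3f} MHz")
```

With those assumed numbers the cans give a little under 2 pF per millimetre of overlap, so a 12 cm can covers the couple of hundred picofarads a 3.5 MHz tank wants; a thicker gap or a thinner coil shifts the whole curve, which is exactly why the cans are slid rather than cut to length.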

If you’re interested in building a Mighty Mite, you should definitely look at the topic on Soldersmoke. There are more build instructions online as well as plans for an optional filter to take off the harmonics if you’re feeling ambitious.

If you’re not a Morse code wiz, we can’t help but note that you could replace the key with a simple FET (we’d use a 2N7000, but whatever) and then you’ve got the radio under microcontroller control. Scavenge through Hackaday’s recent Morse code projects for ideas, and we’re sure you’ll come up with something good.


Deep Sweep: A Home Made SigInt Platform

Signals Intelligence (SigInt) isn’t something that you normally associate with home hackers, but the Deep Sweep project is looking to change that: it is a balloon platform that captures radio signals in the stratosphere, particularly conversations between drones and satellites. Created by three students at the Frank Ratchye Studio for Creative Inquiry at Carnegie Mellon, Deep Sweep is a platform that is attached to a balloon and captures signals over a wide range of frequencies, logging them for later analysis. The current version captures data on three frequency bands: LF/HF (10-30 kHz), UHF (650-1650 MHz) and SHF (10-20 GHz). The latter are often the bands used for satellite links between drones and satellites. They are difficult to intercept from the ground, as the signals are directed upwards towards the satellite. By creating a platform that can fly several kilometers above the earth, they are hoping to capture some of this elusive traffic.

So far, the team has made two flights in Europe, both of which encountered technical issues. The first had a battery fault and only captured 10 minutes of data, and the second flew further than expected and ended up in Belarus, a country that isn’t likely to welcome this kind of thing. Fortunately, they were able to recover the balloon and are working on future launches in Europe and the USA. It will be interesting to see how the Department of Homeland Security feels about this.

Reverse Engineering Traffic Lights with Software Defined Radio

Construction crews tearing up the street to lay new internet fiber optic cable created a unique opportunity for [Bastian Bloessl]. The workers brought two mobile traffic lights to help keep the road safe while they worked. [Bastian] had heard that these lights use radios in the 2 meter band, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a clock, by traffic volume via an on-board camera, by wire or by radio. They also transmit status data, which is what [Bastian] was hoping to receive.

A quick scan with GQRX revealed a strong signal on 170.760 MHz. Using baudline and Audacity, [Bastian] was able to determine that Audio Frequency Shift Keying was used to modulate the data. He created a simple receiver chain in GNU Radio and was greeted with a solid data stream from the lights. By watching the lights and looking at the data frames, [Bastian] was able to determine which bits contained the current light status. A quickly knocked up web interface allowed him to display the traffic light status in real time.

It’s a bit scary that the data is sent in plaintext; however, this is just status data. We hope that any command data is sent encrypted over a more secure channel.
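To make the receiver chain concrete, here is an added example of the same job in pure Python, not [Bastian]'s GNU Radio flowgraph or the lights' real format: it synthesises two-tone AFSK audio for a known bit pattern, hard-decides each bit by comparing the energy at the two tone frequencies, finds a sync word, and pulls the status bits out of the frame. The tone pair (1200/2200 Hz), the 1200 baud rate, the sync word and the frame layout (4-bit unit id, then red/amber/green flags) are all assumptions; the real protocol is not documented above. Because nothing in such a frame is authenticated, the decoder trusts whatever the sync word precedes, which is why plaintext status is the concern raised above.

```python
"""AFSK status-frame decoder, reduced to pure Python.  Added example; the
tone pair, baud rate, sync word and frame layout are constructed assumptions."""
import math

FS = 48_000                       # audio sample rate (Hz) of the captured baseband
BAUD = 1200                       # ASSUMED symbol rate
MARK_HZ, SPACE_HZ = 1200, 2200    # ASSUMED tone pair (Bell 202 style); mark = 1
SPB = FS // BAUD                  # samples per bit (40)
SYNC = [1, 0, 1, 0, 1, 0, 1, 1]   # ASSUMED 8-bit sync word that starts a frame


def afsk_modulate(bits, amplitude=0.8):
    """Continuous-phase AFSK: the phase keeps running across bit boundaries."""
    samples, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / FS
        for _ in range(SPB):
            samples.append(amplitude * math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_energy(chunk, f_hz):
    """Energy of chunk at f_hz: correlate against quadrature references."""
    i = sum(x * math.cos(2 * math.pi * f_hz * n / FS) for n, x in enumerate(chunk))
    q = sum(x * math.sin(2 * math.pi * f_hz * n / FS) for n, x in enumerate(chunk))
    return i * i + q * q


def afsk_demodulate(samples):
    """Hard-decide one bit per SPB samples (assumes bit-aligned input)."""
    bits = []
    for k in range(len(samples) // SPB):
        chunk = samples[k * SPB:(k + 1) * SPB]
        bits.append(1 if tone_energy(chunk, MARK_HZ) > tone_energy(chunk, SPACE_HZ) else 0)
    return bits


def find_sync(bits):
    """Index of the first SYNC occurrence, or -1."""
    for i in range(len(bits) - len(SYNC) + 1):
        if bits[i:i + len(SYNC)] == SYNC:
            return i
    return -1


def parse_frame(bits):
    """ASSUMED layout after SYNC: 4-bit unit id, then red, amber, green flags."""
    start = find_sync(bits)
    if start < 0 or len(bits) < start + len(SYNC) + 7:
        return None
    p = start + len(SYNC)
    unit = int("".join(str(b) for b in bits[p:p + 4]), 2)
    return {"unit": unit, "red": bool(bits[p + 4]),
            "amber": bool(bits[p + 5]), "green": bool(bits[p + 6])}


def build_frame(unit, red, amber, green):
    """Transmitter side: mark idle, sync, unit id, status flags, mark tail."""
    unit_bits = [(unit >> (3 - i)) & 1 for i in range(4)]
    return [1] * 8 + SYNC + unit_bits + [int(red), int(amber), int(green)] + [1] * 4


def demo():
    """Round trip one constructed frame; returns (bits matched, parsed frame)."""
    tx = build_frame(unit=3, red=True, amber=False, green=False)
    rx = afsk_demodulate(afsk_modulate(tx))
    return rx == tx, parse_frame(rx)


if __name__ == "__main__":
    print(demo())
```

The per-bit energy comparison is the non-coherent FSK detector that a GNU Radio quadrature demodulator followed by a slicer approximates; it does not need the tone phase, only that the bit boundaries are known, which a real receiver recovers with a clock-recovery block the example omits.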


Reverse Engineering An Obsolete Security System

[Veghead] recently went to a surplus warehouse filled with VHS editing studios, IBM keyboards, electronic paraphernalia from 40 years ago, and a lot of useless crap. His haul included a wooden keypad from an old alarm system that exuded 1980s futurism, and he figured it would be cool to hook this up to an alarm system from 2015. How did he do that? With software defined radio.

After pulling apart the alarm panel, [Veghead] found only a single-sided board with a 9V battery connector. There were no screw terminals for an alarm loop, meaning this entire system was wireless – an impressive achievement for mid-80s hardware. A quick search of the FCC website showed this alarm panel was registered to two bands, 319 MHz and 340 MHz, well within the range of an RTL-SDR USB TV tuner dongle.

After capturing some of the raw data and playing it back in Audacity, [Veghead] found a simple OOK protocol that sends two identical binary patterns for each key. A simple program takes the raw bit patterns for each key press and codes them into a map for each of the twelve buttons.

Although the radio still works, [Veghead] found the waveforms captured by his RTL-SDR were an abomination to RF. All the components in this security system are more than 30 years old at this point, and surely some of the components must be out of spec by now. Still, [Veghead] was able to get the thing working again, a testament to the usefulness of a $20 USB TV tuner.
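The decoder described two paragraphs up, and the tolerance that the ragged old waveforms just mentioned demand, as an added example rather than [Veghead]'s program: it takes the envelope an RTL-SDR hands you after AM demodulation, thresholds and run-length encodes it with a glitch filter, splits it into the two copies the panel sends for each key, decodes each copy as pulse-width OOK, insists that both copies agree, and then looks the pattern up in a twelve-button map. The pulse widths, the key map and the jitter-plus-noise model are all constructed for the example; none of them are the real panel's values.

```python
"""OOK keypad decoder with timing tolerance.  Added example, not [Veghead]'s
code; pulse widths, key codes and the noise model are constructed."""
import random

SHORT = 10    # ASSUMED short pulse, in envelope samples
LONG = 20     # ASSUMED long pulse
GAP = 80      # ASSUMED silence after each copy of the burst
MIN_RUN = 3   # runs shorter than this are treated as glitches

# Constructed 12-key map (bit pattern -> legend); not the real panel's codes.
KEY_MAP = {
    (0, 0, 0, 1): "1", (0, 0, 1, 0): "2", (0, 0, 1, 1): "3", (0, 1, 0, 0): "4",
    (0, 1, 0, 1): "5", (0, 1, 1, 0): "6", (0, 1, 1, 1): "7", (1, 0, 0, 0): "8",
    (1, 0, 0, 1): "9", (1, 0, 1, 0): "0", (1, 0, 1, 1): "*", (1, 1, 0, 0): "#",
}


def keypress_runs(bits):
    """Transmitter side as (level, width) runs: a 1 is a long 'on' then a short
    'off', a 0 the reverse.  The pattern is sent twice; the repeat is the
    panel's only error check."""
    r = []
    for _ in range(2):
        for b in bits:
            on, off = (LONG, SHORT) if b else (SHORT, LONG)
            r += [(1, on), (0, off)]
        r.append((0, GAP))
    return r


def synth_envelope(run_list, jitter=0.0, noise=0.0, seed=1):
    """Render runs to samples, stretching widths by up to +-jitter and adding
    Gaussian noise of sigma `noise`, to imitate out-of-spec 30-year-old parts."""
    rng = random.Random(seed)
    env = []
    for lvl, w in run_list:
        w = max(1, round(w * (1.0 + rng.uniform(-jitter, jitter))))
        env += [lvl + rng.gauss(0.0, noise) for _ in range(w)]
    return env


def runs(env, threshold=0.5):
    """Threshold the envelope and run-length encode it into (level, width)."""
    out = []
    for x in env:
        lvl = 1 if x > threshold else 0
        if out and out[-1][0] == lvl:
            out[-1][1] += 1
        else:
            out.append([lvl, 1])
    return [(l, w) for l, w in out]


def despike(run_list, min_width=MIN_RUN):
    """Absorb runs shorter than min_width into the run before them."""
    out = []
    for lvl, w in run_list:
        if out and (w < min_width or out[-1][0] == lvl):
            out[-1] = (out[-1][0], out[-1][1] + w)
        else:
            out.append((lvl, w))
    return out


def split_bursts(run_list, gap=GAP):
    """Cut the run list at silences long enough to be inter-burst gaps."""
    bursts, cur = [], []
    for lvl, w in run_list:
        if lvl == 0 and w >= gap // 2:
            if cur:
                bursts.append(cur)
                cur = []
        else:
            cur.append((lvl, w))
    if cur:
        bursts.append(cur)
    return bursts


def burst_to_bits(burst):
    """Each symbol is one 'on' run: wider than the midpoint means 1."""
    mid = (SHORT + LONG) / 2.0
    return tuple(1 if w > mid else 0 for lvl, w in burst if lvl == 1)


def decode_keypress(env):
    """Key legend for a captured envelope, or None if the two copies differ."""
    bursts = split_bursts(despike(runs(env)))
    if len(bursts) != 2:
        return None
    first, second = burst_to_bits(bursts[0]), burst_to_bits(bursts[1])
    if first != second:
        return None
    return KEY_MAP.get(first)


if __name__ == "__main__":
    clean = synth_envelope(keypress_runs((0, 1, 0, 1)))
    rough = synth_envelope(keypress_runs((0, 1, 0, 1)), jitter=0.2, noise=0.08)
    print(decode_keypress(clean), decode_keypress(rough))
```

Deciding each symbol on the width of its "on" run relative to the midpoint, rather than on absolute sample counts, is what lets the same decoder cope with the 20% pulse stretch a tired transmitter produces; the duplicate-burst check is the only integrity check a panel of this vintage offers, so a decoder should refuse anything where the two copies disagree instead of guessing.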

Thanks [Jose] for sending this one in.

Strange Signals? Sigidwiki!

If you’ve gotten into software-defined radio (SDR) in the last five years, you’re not alone. A lot of hackers out there are listening in to the previously unheard. But what do you do when you find an interesting signal and you don’t know what it is? Head on over to the Signal Identification Wiki! You’ll find recordings and waterfall plots for a ton of radio signals categorized by frequency band as well as their use.

Or, conversely, maybe you’ve just got a new radio and you want to test it out. What would be a fun challenge to receive? Signals in the catalog range from the mundane, like this smart home energy meter from California or a Chrysler tire-pressure monitoring system, to (probably) secret military or intelligence transmissions.

If you’re looking at a waterfall plot and you’re not sure what to make of it, the sigidwiki is worth a look. And it’s a wiki, so if you’ve got a cool signal and you want to add it, create an account and get to it!

Thanks to [mkie] for the tip!