Most wireless OEM hardware traditionally uses 433 MHz OOK modules to exchange information. The encoding and encryption of this data stream are left as a task for the embedded software designer. In most cases, the system can be hacked using a replay attack, where an RF packet is recorded and replayed to emulate a valid user. [Gilad Fride] hacked his parking gate using this technique but decided to go the extra mile of connecting it to the internet.
He used an RTL-SDR dongle and ook-decoder by [jimstudt] to sniff out the gate code, and this code was tested using an Arduino. The final implementation was done around an Onion Omega, which talks directly to the RF transmitter module using the fast-gpio binary. Internet connectivity was achieved using the Onion Cloud API, which is used to trigger the execution of code that sends the gate-opening signal.
[Gilad Fride] uses the IFTTT Do button to provide a GUI and he demonstrates this in action using an iPhone in the video below. The project can be extended to open garage doors or turn off the lights of your room over the internet.
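The replay problem described above exists because the packet is identical every time it is sent. As an added illustration (not code from [Gilad Fride]'s project or from ook-decoder), here is a constructed fixed-code verifier beside a counter-plus-MAC verifier that rejects a repeated frame; the key, frame layout, window size and all function names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo key for this example only; a product would provision one per remote.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIXED_CODE = b"\xa5\x5a\x12\x34"   # constructed stand-in for a fixed-code remote packet
TAG_LEN = 8                        # truncated HMAC tag; keeps the OOK frame short
WINDOW = 16                        # counter values ahead we tolerate (missed button presses)


def fixed_code_gate(packet):
    """Fixed-code receiver: the same bytes are valid forever, so a recording stays valid."""
    return packet == FIXED_CODE


def make_packet(key, counter):
    """Transmitter side: 4-byte big-endian counter followed by a truncated HMAC over it."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class CounterGate:
    """Receiver that requires a fresh counter protected by a valid MAC."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, packet):
        if len(packet) != 4 + TAG_LEN:
            return False
        header, tag = packet[:4], packet[4:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # forged or corrupted frame
            return False
        counter = struct.unpack(">I", header)[0]
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                                # repeated frame or far out of sync
        self.last_counter = counter
        return True


def demo():
    """Feed one recorded frame twice to each receiver; returns the accept decisions."""
    fixed_results = (fixed_code_gate(FIXED_CODE), fixed_code_gate(FIXED_CODE))
    gate = CounterGate(KEY)
    recorded = make_packet(KEY, counter=1)          # the frame as it went over the air
    counter_results = (gate.accept(recorded), gate.accept(recorded))
    return fixed_results, counter_results
```

The fixed-code receiver accepts the recording both times; the counter receiver accepts it once and then refuses the same bytes.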
Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.
It gets even more bizarre. Some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.
The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.
This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.
This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.
For those of us whose interests lie in radio, encountering our first software defined radio must have universally seemed like a miracle. Here is a surprisingly simple device, essentially a clever mixer and a set of analogue-to-digital or digital-to-analogue converters, that can move all the complex and tricky-to-set-up parts of a traditional radio to a computer, in which all signal processing can be done using software.
When your curiosity gets the better of you and you start to peer into the workings of a software defined radio though, you encounter something you won’t have seen before in a traditional radio. There are two mixers fed by two local oscillators on the same frequency but with a 90 degree phase shift, and in a receiver the resulting mixer products are fed into two separate ADCs. You encounter the letters I and Q in relation to these two signal paths, and wonder what on earth all that means.
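Added example, not from the article: a pure-Python sketch of the two-mixer arrangement just described, showing why the second, 90-degree-shifted path is needed. A single mixer cannot tell a signal 5 kHz above the local oscillator from one 5 kHz below it; the I and Q pair, read as one complex sample, recovers the sign. The sample rate, LO frequency, filter and helper names are all assumptions.

```python
import cmath
import math

FS = 1_000_000   # sample rate of the constructed test signal, Hz (assumption)
LO = 100_000     # local oscillator frequency, Hz (assumption)
N = 2000         # samples per test signal


def rf_tone(freq_hz, n=N, fs=FS):
    """Constructed real-valued RF input: a clean carrier at freq_hz."""
    return [math.cos(2 * math.pi * freq_hz * k / fs) for k in range(n)]


def lowpass(samples, taps=64, passes=2):
    """Two cascaded moving averages: a cheap low-pass that removes the sum-frequency product."""
    for _ in range(passes):
        out, acc = [], 0.0
        for k, s in enumerate(samples):
            acc += s
            if k >= taps:
                acc -= samples[k - taps]
            out.append(acc / taps)
        samples = out
    return samples


def mix_single(signal, lo_hz=LO, fs=FS):
    """One mixer driven by cos(LO): the real baseband a non-quadrature receiver sees."""
    return lowpass([s * math.cos(2 * math.pi * lo_hz * k / fs) for k, s in enumerate(signal)])


def mix_iq(signal, lo_hz=LO, fs=FS):
    """Two mixers, same LO, 90 degrees apart: I from cos(LO), Q from -sin(LO).
    The two low-passed ADC streams are combined into one complex baseband sample."""
    i = lowpass([s * math.cos(2 * math.pi * lo_hz * k / fs) for k, s in enumerate(signal)])
    q = lowpass([-s * math.sin(2 * math.pi * lo_hz * k / fs) for k, s in enumerate(signal)])
    return [complex(a, b) for a, b in zip(i, q)]


def offset_from_iq(iq, fs=FS, skip=200):
    """Mean phase advance between successive complex samples gives the signed offset from LO."""
    steps = [cmath.phase(iq[k] * iq[k - 1].conjugate()) for k in range(skip, len(iq))]
    return sum(steps) / len(steps) * fs / (2 * math.pi)


def single_mixer_ambiguity(offset_hz=5000, skip=200):
    """Largest sample-wise difference between single-mixer outputs for +offset and -offset."""
    above = mix_single(rf_tone(LO + offset_hz))
    below = mix_single(rf_tone(LO - offset_hz))
    return max(abs(a - b) for a, b in zip(above[skip:], below[skip:]))
```

`offset_from_iq` returns roughly +5000 Hz for a tone above the LO and -5000 Hz for one below it, while `single_mixer_ambiguity` shows the one-mixer outputs for the two cases are indistinguishable.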
The usual way of adding GPS capabilities to a project is grabbing an off-the-shelf GPS module, plugging it into a UART, and reading the stream of NMEA sentences coming out of a serial port. Depending on how much you spend on a GPS module, this is fine: the best modules out there start up quickly, and a lot of them recognize the logical AND in ITAR regulations.
For [Mike], grabbing an off-the-shelf module is out of the question. He’s building his own GPS receiver from the ground up using a bit of hardware and FPGA hacking. Already he’s getting good results, and he doesn’t have to futz around with those messy, ‘don’t build ballistic missiles’ laws.
The hardware for this build includes a KiwiSDR ‘cape’ for the BeagleBone and a Digilent Nexys 2 FPGA board. The SDR board captures raw 1-bit samples taken at 16.268 MHz, and requires a full minute’s worth of data to be captured. That’s at least 120 Megabytes of data for the FPGA to sort through.
The software for this project first acquires the GPS signal by finding the approximate frequency and phase. The software then locks on to the carrier, figures out the phase, and receives the 50 bps ‘NAV’ message that’s required to find a position solution for the antenna’s location. The first version of this software was exceptionally slow, taking over 6 hours to process 200 seconds of data. Now, [Mike] has improved the channel tracking code and made it 300 times faster. That’s real-time processing of GPS data, using commodity off-the-shelf hardware. All the software is available on the Gits, making this a project that can very easily be replicated by anyone. We would expect the US State Department or DOD to pay [Mike] a visit shortly.
Have you got a spare Dish Network antenna lying about? They’re not too hard to come by, either curbside on bulk waste day or perhaps even on Freecycle. If you can lay hands on one, you might want to try this fun radio telescope build.
Now, don’t expect much from [Justin]’s minimalist build. After all, you’ll be starting with a rather small dish and an LNB for the Ku band, so you won’t be doing serious radio astronomy. In fact, the BOM doesn’t include a fancy receiver – just a hacked satellite finder. The idea is to just get a reading of the relative “brightness” of a radio source without trying to demodulate the signal. To that end, the signal driving the piezo buzzer in the sat finder is fed into an Arduino through a preamp. The Arduino also controls stepper motors for the dish’s azimuth and elevation control, which lets it sweep the sky and build up a map of signal intensity. The result is a clear band of bright spots representing the geosynchronous satellites visible from [Justin]’s location in Brazil.
If you live in a city, you’re constantly swimming in a thick soup of radio-frequency energy. FM radio stations put out hundreds of kilowatts each into the air. Students at the University of Washington, [Anran Wang] and [Vikram Iyer], asked themselves if they could harness this background radiation to transmit their own FM radio station, if only locally. The answer was an amazing yes.
The trailer video, embedded below, demos a couple of potential applications, but the paper (PDF) has more detail for the interested. Basically, they turn on and off an absorbing antenna at a frequency that’s picked so that it modulates a strong FM signal up to another adjacent channel. Frequency-modulating this backscatter carrier frequency adds audio (or data) to the product station.
One of the cooler tricks that they pull off with this system is to inject a second (stereo) channel into a mono FM station. Since FM radio is broadcast as a mono signal, with a left-minus-right signal sent alongside, they can make a two-channel stereo station by recreating the stereo pilot carrier and then adding in their own difference channel. Pretty slick. Of course, they could send data using this technique as well.
Why do this? A small radio station using backscatter doesn’t have to spend its power budget on the carrier. Instead, the device can operate on microwatts. Granted, it’s only for a few feet in any given direction, but the station broadcasts to existing FM radios, rather than requiring the purchase of an RFID reader or similar device. It’s a great hack that piggybacks on existing infrastructure in two ways. If this seems vaguely familiar, here’s a similar idea out of the very same lab that’s pulling off essentially the same trick indoors with WiFi signals.
So who’s up for local reflected pirate radio stations?
[Dan Englender] was implementing a home automation and security system, and while his house was teeming with sensors, they used a proprietary protocol which was not supported by the open source system he wanted to use. The problem with home automation and security systems is the lack of standardization – or rather, the large number of (often incompatible) standards used to ensure consumers get tied in to one specific system. He has shared the result of his efforts at getting the two to talk to each other via his project decode345.
The result enabled him to receive signals from Honeywell’s 5800 series of wireless products and interface them with OpenHAB — a vendor and technology agnostic open source automation software. OpenHAB offers “bindings” that allow a wide variety of systems and hardware to be integrated. Unfortunately for [Dan], this exhaustive list does not yet include support for the (not very popular) 345 MHz protocol used by the Honeywell 5800 system, hence his project.