How To Control Siri Through Headphone Wires

Last week saw the revelation that you can control Siri and Google Now from a distance, using high power transmitters and software defined radios. Is this a risk? No, it’s security theatre, the fine art of performing an impractical technical achievement while disclosing these technical vulnerabilities to the media to pad a CV. Like most security vulnerabilities it is very, very cool and enough details have surfaced that this build can be replicated.

The original research paper, published by researchers [Chaouki Kasmi] and [Jose Lopes Esteves] attacks the latest and greatest thing to come to smartphones, voice commands. iPhones and Androids and Windows Phones come with Siri and Google Now and Cortana, and all of these voice services can place phone calls, post something to social media, or launch an application. The trick to this hack is sending audio to the microphone without being heard.

googleThe ubiquitous Apple earbuds have a single wire for a microphone input, and this is the attack vector used by the researchers. With a 50 Watt VHF power amplifier (available for under $100, if you know where to look), a software defined radio with Tx capability ($300), and a highly directional antenna (free clothes hangers with your dry cleaning), a specially crafted radio message can be transmitted to the headphone wire, picked up through the audio in of the phone, and understood by Siri, Cortana, or Google Now.

There is of course a difference between a security vulnerability and a practical and safe security vulnerability. Yes, for under $400 and the right know-how, anyone could perform this technological feat on any cell phone. This feat comes at the cost of discovery; because of the way the earbud cable is arranged, the most efficient frequency varies between 80 and 108 MHz. This means a successful attack would sweep through the band at various frequencies; not exactly precision work. The power required for this attack is also intense – about 25-30 V/m, about the limit for human safety. But in the world of security theatre, someone with a backpack, carrying around a long Yagi antenna, pointing it at people, and having FM radios cut out is expected.

Of course, the countermeasures to this attack are simple: don’t use Siri or Google Now. Leaving Siri enabled on a lock screen is a security risk, and most Androids disable Google Now on the lock screen by default. Of course, any decent set of headphones would have shielding in the cable, making inducing a current in the microphone wire even harder. The researchers are at the limits of what is acceptable for human safety with the stock Apple earbuds. Anything more would be seriously, seriously dumb.

SDR Tutorials From Michael Ossmann

If you’re just getting into software-defined radio (SDR) but you find some of the math and/or terminology a bit of hurdle, you could absolutely do worse than to check out these SDR tutorials by [Michael Ossmann]. While they’re aimed at people using his HackRF One tool (which we love), most of the tutorial videos are very generally applicable, and we realized that we hadn’t mentioned them explicitly before. Shame on us!

Ossmann focuses on SDR using the open-source GNURadio Companion GUI tool, which makes implementing a lot of cool SDR techniques as easy as dragging and dropping items into a flow diagram. If you want an overview of GNURadio or SDR in general, these videos are a must-watch.

In particular, we loved his entries on complex numbers and complex numbers in DSP because he goes through the whole rationale behind using imaginary numbers in radio work with a graphical presentation that helps add rationale to the otherwise slightly spooky math. Heck, watch these two even if you’re not interested in radio.

The newest entry, covering DSP filters includes a great hands-on introduction to finite impulse response (moving average) digital filters. We really like the practical, simulation-based approach presented in the video — it’s just perfect for a quick introduction.

So if you’re looking for a relatively painless way to get into SDR, grab yourself an RTL-SDR dongle, burn yourself a GNURadio Live DVD, and work through these videos.

Mid-Priced Hardware Gets Serious About Software Defined Radio

Regular Hackaday readers are used to seeing the hacks that use a cheap USB TV dongle as a software defined radio (SDR). There’s plenty of software that will work with them including the excellent GNU Radio software. However, the hardware is pretty bare-bones. Without modifications, the USB dongle won’t get lower frequencies.

There’s been plenty of other SDR radios available but they’ve had a much heftier price tag. But we recently noticed the SDRPlay RSP, and they now have US distribution. The manufacturer says it will receive signals with 12-bits of resolution over the range of 100 kHz to 2 GHz with an 8MHz bandwidth. The USB cable supplies power and a connection to the PC. The best part? An open API that supports Windows, Linux, Mac, Android, and will even work on a Raspberry Pi (and has GNU Radio support, too).

Continue reading “Mid-Priced Hardware Gets Serious About Software Defined Radio”

Strange Signals? Sigidwiki!

If you’ve gotten into software-defined radio (SDR) in the last five years, you’re not alone. A lot of hackers out there are listening in to the previously unheard. But what do you do when you find an interesting signal and you don’t know what it is? Head on over to the Signal Identification Wiki! You’ll find recordings and waterfall plots for a ton of radio signals categorized by frequency band as well as their use.

Or, conversely, maybe you’ve just got a new radio and you want to test it out. What would be a fun challenge to receive? Signals in the catalog range from the mundane, like this smart home energy meter from California, or a Chrysler tire-pressure monitoring system to (probably) secret military or intelligence transmissions.

If you’re looking at a waterfall plot and you’re not sure what to make of it, the sigidwiki is worth a look. And it’s a wiki, so if you’ve got a cool signal and you want to add it, create an account and get to it!

Thanks to [mkie] for the tip!

Reverse Engineering a Different Kind of Bus

Radio enthusiasts have a long history of eavesdropping on non-broadcast stations–police, fire, and public transportation frequencies, for example. These days, though, a lot of interesting communications are digital. When [bastibl] wanted to read data displayed on bus stop signs, he turned to software defined radio. He used gr-fosphor to monitor the radio spectrum as buses drove by and discovered a strong signal near 151 MHz (see photo below).

That, however, was just the start. Using a variety of tools, he figured out the modulation scheme, how the data framing worked, and even the error correction scheme. Armed with all the information, he built a GNU Radio receiver to pick up the data. A little number crunching and programming and [bastibl] was able to recover data about  individual buses including their position and schedule.

Continue reading “Reverse Engineering a Different Kind of Bus”

Spectrum Painting on 2.4 GHz

Give a software-defined radio (SDR) platform to a few thousand geeks, and it’s pretty predictable what will happen: hackers gotta hack. We’re only surprised that it’s happening so soon. Spectrum Painter is one of the first cool hacks to come out of the rad1o badge given out at the CCCamp 2015. It makes it dead-simple to send images in Hellschreiber mode on a few different SDR hardware platforms.

What we especially like about the project is its simplicity. Don’t get us wrong, we’re tremendous fans of GNURadio and the GNURadio Companion software radio hacking environment. But if you just want to do something simple, like send a picture of a smiley-face, the all-capable GNURadio suite is overkill.

Continue reading “Spectrum Painting on 2.4 GHz”

Decoding Satellite-based Text Messages with RTL-SDR and Hacked GPS Antenna

[Carl] just found a yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

Hacked GPS antenna
Hacked GPS antenna

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don’t want to fork over the money for something that fancy, he also explains how you can modify a $10 GPS antenna to work for this purpose. He admits that it’s not the best antenna for this, but it will get the job done. A typical GPS antenna will be tuned for 1575 MHz and will contain a band pass filter that prevents the antenna from picking up signals 1-2MHz away from that frequency.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the audio output from the dongle was piped into the SDR# tuner software. After tuning to the correct frequency and setting all of the audio parameters, the audio was then decoded with another program called tdma-demo.exe. If everything is tuned just right, the software will be able to decode the audio signal and it will start to display messages. [Carl] posted some interesting examples including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!