Arduino + Software Defined Radio = Millions of Vulnerable Volkswagens

As we’ve mentioned previously, the integrity of your vehicle in an era where even your car can have a data connection could be a dubious bet at best. Speaking to these concerns, a soon-to-be published paper (PDF) out of the University of Birmingham in the UK, states that virtually every Volkswagen sold since 1995 can be hacked and unlocked by cloning the vehicle’s keyfob via an Arduino and software defined radio (SDR).

The research team, led by [Flavio Garcia], has described two main vulnerabilities: the first combines a cryptographic key extracted from the vehicle with the signal captured from the owner’s fob to grant access, while the second takes advantage of the virtually ancient HiTag2 security system that was implemented in the 1990s. The former affects up to 100 million vehicles across the Volkswagen line, while the latter will work on models from Citroen, Peugeot, Opel, Nissan, Alfa Romeo, Fiat, Mitsubishi and Ford.


The Problem with Software Defined Radio

There’s a problem with software defined radio. It’s not that everyone needs to re-learn what TEMPEST shielding is, and it’s not that Bluetooth is horribly broken. SDR’s biggest problem is one of bandwidth and processing. With a simple USB TV Tuner, you can listen in on aircraft, grab Landsat images from hundreds of miles up, or sniff the low-power radios used in Internet of Things things. What you can’t do is make your own WiFi adapter, and you can’t create your own LTE wireless network. This is simply a problem of getting bits from the air to a computer for processing.

At HOPE last weekend, the folks behind the very capable LimeSDR and a new company working with Lime’s hardware laid out the possibilities of what software defined radio can do if you make a link to a computer very fast, and add some processing on the SDR itself.


Amazing SDR Built by 16 Year Old

[Lukas] started his epic SDR-from-scratch build when he was 16. Projects like this aren’t completed overnight. (He’s now 18. We’re impressed.)

The project itself is a Software-Defined Radio built on top of the 12-bit Analog Devices AD9364 transceiver IC. A big fat FPGA takes the data and runs it off to a USB 3.0 interface, which is necessary for the amount of data this thing will be producing — he’s got it receiving 56 MHz of bandwidth. In short, this is an SDR peripheral that’s in the big leagues.

After two years of work and (only!) three revisions, [Lukas] got the thing working. Read his writeup for the blow-by-blow account. In the end, a 6-layer board was necessary for the routing to get the full speed out of the clocking, and he discovered the reason that you use exactly the specified bias resistors — the expensive ADC chip gets very hot. But he didn’t give up, and in the end he pulled off a project of immense complexity. In his own words:

I have discovered that taking on large projects, even when not knowing how to tackle problems that might arise, is a very effective way of learning for me. It’s just important to be persistent, as I’ve seen that almost any problem can be solved on your own — which is incredibly rewarding — even if you get stuck and seem to not make progress for a while.

[Lukas] is now working on the software. He’s already got a hacked osmocom driver working, so it plays nice with GNURadio.

Of course, there are tons of ways to get into SDR without building your own from scratch, but we applaud [Lukas] for going the hard way. If you’re tempted to follow in his footsteps, have a look at [Michael Ossmann]’s great talk on making the RF design process as tractable as possible.

Pokemon Go Cheat Fools GPS with Software Defined Radio

Using Xcode to spoof GPS locations in Pokemon Go (like we saw this morning) isn’t that much of a hack, and frankly, it’s not even a legit GPS spoof. After all, it’s not like we’re using an SDR to spoof the physical GPS signal to cheat Pokemon Go.

To [Stefan Kiese], this isn’t much more than an exercise. He’s not even playing Pokemon Go. To squeeze a usable GPS signal out of his HackRF One, a $300 Software Defined Radio, [Stefan] uses an external precision clock. This makes up for the insufficient calibration of the HackRF’s internal clock, although he points out that this might also be fixed entirely in software.


LuaRadio Brings More Options to SDR

GNURadio is the swiss-army-knife of software-defined radio suites: it does everything and anything. It has a great GUI overlay that makes creating radio flows fairly simple. There are only two areas where we could quibble with the whole system — it’s a gigantic suite of software, and it’s a lot harder to code up in Python than it is to use the GUI.

[Vanya Sergeev] started up his LuaRadio project to deal with these shortcomings. If you’re looking for the full-GUI experience, you’re barking up the wrong tree here. LuaRadio is aimed at keeping things easy to code and keeping the codebase small and tidy.

That doesn’t mean that it departs entirely from GNURadio’s very successful flow-graph programming paradigm, however, and if you’re comfortable with the procedure of hooking up a signal source to a filter block to an output, you’ll be doing fine here as well. Check out the obligatory FM radio demo — the “hello world” of SDR — and you’ll see how it works: instantiate the various blocks in code, and then issue “connect” commands to link them together.

LuaRadio’s main selling points are its size and the ease of programming it by hand. It’s got great documentation to boot. It’s written as a library that’s embeddable in your C code, so that you can write standalone programs that make use of its functionality.

LuaRadio is a new project and it doesn’t have a GUI either. It may not be the ideal introduction to SDR if you’re afraid of typing. (If you are new to SDR, start here.) But if you’d rather build your SDR flow graphs in code, or run your radio on smaller devices, it’s probably worth a look. It’s at v0.1.1, so we’re looking forward to hearing more from LuaRadio in the future. Any of you out there use it? We’d love to hear in the comments.

Software Defined Radio App Store

Software defined radios (SDRs) can–in theory–do almost anything you need a radio to do. Voice? Data? Frequency hopping? Trunking? No problem, you just write the correct software, and you are in.

That’s the problem, though. You need to know how to write the software. LimeSDR is an open source SDR with a crowdfunding campaign. By itself, that’s not anything special. There are plenty of SDR devices available. What makes LimeSDR interesting is that it is using Snappy Ubuntu Core as a sort of app store. Developers can make code available, and end-users can easily download and install that code.


Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off-the-shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table for the A5 ciphers used on a GSM network between the handset and the tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.