Audio Eavesdropping Exploit Might Make That Clicky Keyboard Less Cool

Despite their claims of innocence, we all know that the big tech firms are listening to us. How else to explain the sudden appearance of ads related to something we’ve only ever spoken about, seemingly in private but always in range of a phone or smart speaker? And don’t give us any of that fancy “confirmation bias” talk — we all know what’s really going on.

And now, to make matters worse, it turns out that just listening to your keyboard clicks could be enough to decode what’s being typed. To be clear, [Georgi Gerganov]’s “KeyTap3” exploit does not use any of the usual RF-based methods we’ve seen for exfiltrating data from keyboards on air-gapped machines. Rather, it uses just a standard microphone to capture audio while typing, then groups keystrokes with similar sounds into clusters, on the assumption that each cluster corresponds to one key. By matching the sequence of clusters against the statistical likelihood of certain sequences of characters appearing together (the algorithm currently assumes standard English, and works best on clicky mechanical keyboards), a reasonable approximation of the original keypresses can be reconstructed. That dependence on language statistics is also the attack’s limit: text with no such structure, a random password for instance, gives the model nothing to lean on.
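
To make the second half of that pipeline concrete, here is an added example written for this page; it is not KeyTap3’s code and does not reproduce [Georgi Gerganov]’s algorithm, only the principle the article describes. The acoustic clustering stage is simulated: every distinct key becomes an anonymous cluster ID, which is exactly a monoalphabetic substitution. The recovery stage then searches for the ID-to-key table under which the decoded text is most English-like, scoring candidates with a bigram model. The training prose, the “typed” sample, and all function names are constructed for the demo.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + " "   # 26 letter keys plus the space bar

# Constructed training prose, used only to learn which letter pairs English favours.
TRAINING_TEXT = (
    "the quick brown fox jumps over the lazy dog while the farmer watches from the gate "
    "most people type the same few words again and again and that is exactly what an "
    "attacker counts on because the statistics of english are stable from one writer to "
    "the next when you listen to someone type you cannot hear which key was pressed but "
    "you can hear that two presses sound the same and once you know which presses match "
    "the rest is a puzzle the letters that appear most often are e t a o i n and the space "
    "bar is pressed more than any of them common pairs such as th he in er an and re give "
    "the solver a foothold and every additional sentence makes the remaining guesses easier"
)

# Constructed victim text; the attacker only ever sees its cluster IDs, never these bytes.
SAMPLE_TEXT = (
    "please send the report to the main office before the meeting on monday and "
    "remember that the other team still needs the final numbers from last week"
)


def normalize(text):
    """Lowercase, keep letters and spaces only, collapse runs of whitespace."""
    text = "".join(c if c in ALPHABET else " " for c in text.lower())
    return " ".join(text.split())


def bigram_model(text):
    """Add-one smoothed log P(next | current) for every pair over ALPHABET."""
    text = normalize(text)
    pair_counts = Counter(zip(text, text[1:]))
    first_counts = Counter(text[:-1])
    model = {}
    for a in ALPHABET:
        denom = first_counts[a] + len(ALPHABET)
        for b in ALPHABET:
            model[(a, b)] = math.log((pair_counts[(a, b)] + 1) / denom)
    return model


def score(text, model):
    """Log-likelihood of a candidate plaintext under the bigram model."""
    return sum(model[(a, b)] for a, b in zip(text, text[1:]))


def simulate_clusters(text, seed):
    """Stand-in for the acoustic stage: each distinct key becomes a cluster ID.
    Returns the ID sequence and the true ID->key table the attacker never sees."""
    rng = random.Random(seed)
    keys = list(ALPHABET)
    rng.shuffle(keys)                      # keys[i] is the key behind cluster i
    cluster_of = {k: i for i, k in enumerate(keys)}
    return [cluster_of[c] for c in normalize(text)], keys


def decode(ids, mapping):
    """Turn cluster IDs back into text using a candidate ID->key table."""
    return "".join(mapping[i] for i in ids)


def initial_mapping(ids, training_text):
    """Seed the search by rank: most frequent cluster gets the most frequent key."""
    cluster_rank = [c for c, _ in Counter(ids).most_common()]
    cluster_rank += [c for c in range(len(ALPHABET)) if c not in cluster_rank]
    key_rank = [k for k, _ in Counter(normalize(training_text)).most_common()]
    key_rank += [k for k in ALPHABET if k not in key_rank]
    mapping = [None] * len(ALPHABET)
    for cluster, key in zip(cluster_rank, key_rank):
        mapping[cluster] = key
    return mapping


def recover_mapping(ids, model, training_text, seed=0, iterations=15000):
    """Hill-climb over ID->key tables: swap two entries, keep the swap only if the
    decoded text scores higher, so the score never decreases."""
    rng = random.Random(seed)
    mapping = initial_mapping(ids, training_text)
    best = score(decode(ids, mapping), model)
    for _ in range(iterations):
        i, j = rng.sample(range(len(ALPHABET)), 2)
        mapping[i], mapping[j] = mapping[j], mapping[i]
        candidate = score(decode(ids, mapping), model)
        if candidate > best:
            best = candidate
        else:
            mapping[i], mapping[j] = mapping[j], mapping[i]   # revert the swap
    return mapping


def character_accuracy(guess, truth):
    """Fraction of positions where the recovered text matches the real one."""
    return sum(g == t for g, t in zip(guess, truth)) / len(truth)


if __name__ == "__main__":
    model = bigram_model(TRAINING_TEXT)
    ids, truth = simulate_clusters(SAMPLE_TEXT, seed=1)
    guess = decode(ids, recover_mapping(ids, model, TRAINING_TEXT))
    print(guess)
    print(f"character accuracy: {character_accuracy(guess, normalize(SAMPLE_TEXT)):.0%}")
```

With a couple of hundred characters and a few sentences of training text the solver gets the common letters right and leaves the rare ones scrambled; more captured typing, a larger language model, and random restarts all push the accuracy up, which is why the real attack does better the longer the victim types. A real implementation also has to cope with the clustering stage being imperfect (two keys sharing a cluster, or one key split across two), which this simulation deliberately leaves out.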

If you’d like to see it in action, check out the video below, which shows the algorithm doing a pretty good job decoding text typed on an unplugged keyboard. Or, try it yourself — the link above implements KeyTap3 in-browser. We gave it a shot, but as a member of the non-mechanical keyboard underclass, it couldn’t make sense of the mushy sounds it heard. Then again, our keyboard inferiority affords us some level of protection from the exploit, so there’s that.

Editor’s Note: Just tried it on a mechanical keyboard with Cherry MX Blue switches and it couldn’t make heads or tails of what was typed, so your mileage may vary. Let us know if it worked for you in the comments.

What strikes us about this is how simple an attack like this would be to deploy. Most side-channel attacks require such a contrived setup to plant the exploit that just breaking in and stealing the computer would be easier. All KeyTap3 needs is a covert audio recording of someone typing, and the deed is done.


SDR Listens In To Your Tires

[Ross] has a 2008 Toyota Tacoma. Like many late-model cars, each tire contains a direct tire pressure monitoring sensor (TPMS) that wirelessly sends data about the tire’s status to the car. However, unlike some cars, the system has exactly one notification for the driver: one of your tires is low. It doesn’t tell you which one. Sure, you can check each tire, but [Ross] had a different problem. One sensor was bad and he had no way to know which one it was. He didn’t have any equipment to test the sensors, but he did have an RTL-SDR dongle and the know-how to listen in on them.

The key was the software rtl_433, which is made to pick up exactly these kinds of signals. It is available for Linux, Windows, or macOS, and supports hundreds of wireless sensors ranging from X10 RF devices to KlikAanKlikUit wireless switches. Two things are worth knowing before blaming a sensor: each TPMS sensor transmits its own ID along with its readings, so the ID that never shows up in the decoded output is the suspect, and North American sensors generally transmit around 315 MHz rather than at the 433.92 MHz that rtl_433 tunes to by default.


The cluster of HackRFs described in the article, boards on top of each other, plugged into two 1x4 RF power splitters that are in turn plugged into a 1x2 RF power splitter. An LNA is connected to the input of the final splitter, and a cable goes off the frame from there.

A Gang Of HackRFs Makes For A Wideband SDR

[Oleg Kutkov] decided to build a wideband SDR for satellite communication research and monitoring, you know, the usual. He settled on a battery of HackRF boards, eight of them in all. Two 1×4 and one 1×2 RF splitters plus an LNA on their combined RF input made for a good start to the project, and from there, it only got more complex.

HackRF boards can be synchronized from a separate clock source, but you can’t just fan a single clock line out to all of them in a star configuration. Thus, he built a clock distribution and amplifier board, with 4 ns propagation delay at 1 PPS and only 10 ns delay at 10 MHz. He then integrated that board with the HackRF setup, adding a case, wiring up a purpose-built cable, and dealing with the reflections that occurred.

Each HackRF is a USB 2.0 device that streams up to 320 Mbit/s (20 Msps of 8-bit I/Q), which is essentially the whole budget of a high-speed USB link, so there is no viable way to run eight of them through one host controller. To solve that, he used eight separate PCIe to USB 3.0 cards, each with one HackRF plugged in, all connected to an AMD Ryzen 9 PC through the PCIe risers we typically see used for mining. To tie it all together, he created a GNU Radio flowgraph and patched the osmocom source block to enable the external clock synchronization mechanism he chose.

Each HackRF is connected to its own PCIe USB card.

In the end, [Oleg] shows us some promising results: two DVB-S transceivers visible on the waterfall display of the spectrum capture. The work is not over, to be clear; he has run into a few roadblocks. The GNU Radio flowgraph doesn’t lend itself well to multi-threading, even on a Ryzen 9 machine, and [Oleg] has pledged to rewrite the capture mechanism in C++, where the work can be pinned to separate physical CPU cores, something GNU Radio is apparently not quite good at.

More importantly, the spectrum captured is not continuous, and [Oleg] questions whether it can be demodulated properly. He had to resort to overlapping the frequency ranges due to upsampling, and he’s not quite sure how to compensate for that. Overall frequency stability is also in question. Still, from here it seems like most of the work towards building a wideband receiver is done!

[Oleg] is typically seen on Twitter, lately doing some heavy tinkering with Starlink, as Kyiv, the city he’s currently in, is under bombardment by the Russian Armed Forces. We can only respect and appreciate the dedication. In January, we covered his work on a US-imported Tesla’s LTE modem replacement to fix LTE band incompatibilities in Ukraine, and his blog is a treasure trove of experiments that we are yet to properly comb through, from astrophysics and satellite work to RS-485 networks and Linux driver writing.

SDR Toolkit Bends Weather Station To Hacker’s Whims

We probably don’t have to tell most Hackaday readers why the current wave of low-cost software defined radios (SDRs) is such a big deal for hackers looking to explore the wide world of wireless signals. But if you do need a refresher as to what kind of SDR hardware and software should be in your bag of tricks, then this fantastically detailed account from [RK] about how he hacked his La Crosse WS-9611U-IT weather station is a perfect example.

Looking to brush up his radio hacking skills, [RK] set out to use the ADALM-PLUTO software defined radio from Analog Devices to intercept signals between the La Crosse base station and its assorted wireless sensors. He notes that a $20 USD RTL-SDR dongle could do just as well if you only wanted to receive, but since his ultimate goal was to spoof a temperature sensor and introduce spurious data into the system, he needed an SDR that had transmit capabilities.

No matter your hardware, Universal Radio Hacker (URH) is the software that’s going to be doing the heavy lifting. In his write-up, [RK] walks the reader through every step required to find, capture, and eventually decode the transmissions coming from a TX29U wireless temperature sensor. While the specifics will naturally change a bit depending on the device you’re personally looking to listen in on, the general workflow is going to be more or less the same.

In the end, [RK] is not only able to receive the data coming from the wireless sensors, but he can transmit his own spoofed data that the weather station accepts as legitimate. Getting there took some extra effort, as he had to figure out the proper CRC algorithm being used. As luck would have it, he found a Hackaday article from a couple of years back that talked about doing exactly that, which helped put him on the right path. It is worth being clear about what that CRC does and doesn’t buy the station: it rejects corrupted frames, but since anyone who knows the algorithm can compute a valid check byte, it does nothing to tell a genuine sensor from a spoofed one. Now he can make the little animated guy on the weather station’s screen don a winter coat in the middle of July. Check out the video below for a demonstration of this particular piece of radio prestidigitation.
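
To show what “figuring out the CRC” involves once URH has handed you the hex of a few frames, here is an added example written for this page; it is not [RK]’s code and nothing in it is taken from his write-up. It implements a CRC-8 in the usual Rocksoft parameter model (polynomial, initial value, final XOR, input and output reflection) and then brute-forces those parameters from a handful of (payload, check byte) pairs. The frames are constructed, and the parameters they were built with (poly 0x31, init 0x00, no reflection) are an assumption for the demo, not the TX29U’s actual CRC; for a real sensor the captured frames decide.

```python
import itertools

REFLECT = [int(f"{i:08b}"[::-1], 2) for i in range(256)]   # bit-reversal table for one byte


def crc8(data, poly, init=0, xorout=0, refin=False, refout=False):
    """Bitwise CRC-8 in the Rocksoft model: (poly, init, xorout, refin, refout)."""
    crc = init
    for byte in data:
        crc ^= REFLECT[byte] if refin else byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    if refout:
        crc = REFLECT[crc]
    return crc ^ xorout


def make_table(poly):
    """256-entry lookup table so the brute-force loop does one lookup per byte."""
    return [crc8(bytes([i]), poly) for i in range(256)]


def crc8_table(data, table, init, xorout, refin, refout):
    """Table-driven equivalent of crc8() for a fixed polynomial."""
    crc = init
    for byte in data:
        crc = table[crc ^ (REFLECT[byte] if refin else byte)]
    return (REFLECT[crc] if refout else crc) ^ xorout


def find_crc8_params(frames):
    """Return every parameter set consistent with all (payload, observed_crc) pairs.

    xorout is never searched: for each candidate (poly, refin, refout, init) it is
    forced by the first frame and then verified on the rest, so the search is
    256 polys * 256 inits * 4 reflection combinations instead of 256x that."""
    first_payload, first_crc = frames[0]
    matches = []
    for poly in range(256):
        table = make_table(poly)
        for refin, refout, init in itertools.product((False, True), (False, True), range(256)):
            xorout = crc8_table(first_payload, table, init, 0, refin, refout) ^ first_crc
            if all(crc8_table(p, table, init, xorout, refin, refout) == c for p, c in frames[1:]):
                matches.append(dict(poly=poly, init=init, xorout=xorout, refin=refin, refout=refout))
    return matches


# Constructed stand-ins for frames sniffed with URH: payload bytes plus the trailing check byte.
# The payload bytes are made up, and ASSUMED is the demo's choice of CRC, not the sensor's.
ASSUMED = dict(poly=0x31, init=0x00, xorout=0x00, refin=False, refout=False)
# The 5-byte frame is deliberate: if every payload has the same length, init and xorout
# trade off against each other and the search returns 256 equally valid (init, xorout)
# pairs per polynomial. Frames of at least two lengths pin the initial value down.
PAYLOADS = [bytes.fromhex(h) for h in ("9e78c3f7", "9e78d0f7", "9e5ac3f7", "9e78c3f7a1")]
FRAMES = [(p, crc8(p, **ASSUMED)) for p in PAYLOADS]


if __name__ == "__main__":
    for match in find_crc8_params(FRAMES):
        print(match)
```

The search takes a second or two in CPython. If it returns more than one parameter set, either capture more frames (each extra frame rejects a wrong candidate with probability about 255/256) or, as the comment above says, make sure the frames are not all the same length. Tools such as reveng automate the same idea, but this is the whole trick: the check byte is a deterministic function of the payload, so a few known examples are enough to recover it and then forge it.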


Four Band Digital HF SDR Transceiver Offers High Performance For Only $60

Amateur radio is a hobby that is often thought of as being exclusive to those with a healthy expendable income. In recent years however, the tides have turned. Cheap microcontrollers and signal generators have helped turn things around, and the $60 USD QDX from QRP Labs goes even further by sending the performance/price ratio through the roof. You can see more details in the video below the break.

The QDX is the creation of [Hans Summers], who is well known for producing affordable high performance amateur radio kits focused on low power transmission, called “QRP” in ham radio parlance. What is it? It’s a pocket sized four band (80, 40, 30, 20 meters) software defined radio (SDR) designed to be used with some of the most popular digital radio modes, FT8 and JS8Call, as well as any other FSK-based mode such as RTTY. It’s also been tested to work well (and within spec) on 60 meters.

While classic radios have to be connected to a computer through a special hardware interface, the QDX connects directly to a computer through a standard USB A-to-B cable. CAT control, PTT, and audio are all handled directly by the QDX, so no external interface is needed. While the radio is essentially plug and play, configuration, testing, and troubleshooting can be done through the QDX’s serial console, which among other things contains a text-based waterfall. For those who want to run their own SDR receiver software, I/Q output can be sent directly through the sound card.

Now for the bad news: due to global chip shortages, the QDX is out of stock at the moment, and there’s no telling when they might start shipping again. QRP Labs is looking to source parts wherever they can to get more of the units made, but of course, so is everyone else right now.

Eavesdropping By LED

If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “Glowworm.” In this novel attack, careful observation of a power LED on a speaker allowed an attacker to reproduce the sound being played, thanks to virtually imperceptible fluctuations in the LED brightness, most likely due to the speaker’s power line sagging and recovering with the audio.

You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope aimed through a window from 100 feet away appears to be sufficient. You can imagine that from across a noisy office you might pull off the same trick. We don’t know, but we suspect, that even with headphones plugged into the speakers the LED would still be modulated by the audio. Any device supplying power to the speakers is a potential source of a leak.


SBITX: Hackable HF SDR For The Raspberry Pi

Cheap, easy to use SDR dongles are an immensely powerful tool for learning about radio technology. However, building your own SDR is not something too many hackers feel confident tackling. [Ashhar Farhan, VU2ESE] hopes to change this with the sBITX, a hackable HF SDR transceiver designed around the Raspberry Pi.

[Ashhar] introduced the project in a talk at the virtual “Four Days In May” annual conference of the QRP Amateur Radio Club International. Watch the full talk in the video after the break. He first goes over the available open source SDR radios, and then delves into his design decisions for the sBITX. One of the primary goals of the project was to lower the barrier to entry. To do this, he chose the Raspberry Pi as the base, and wrote C code that anyone who has done a bit of Arduino programming should be able to understand and modify. The hardware is designed to be as simple as possible. On the receive side, a simple superheterodyne architecture is used to feed a 25 kHz wide slice of RF spectrum to an audio codec, which sends the digitized audio to the Raspberry Pi. The signal is then demodulated in software using an FFT. For transmit, the signal is generated in software, and then upconverted to the desired RF frequency. [Ashhar] also created a GUI for the 7″ Raspberry Pi screen.

At the moment the sBITX is still in development, and information is spread between the video after the break, its accompanying PDF, the GitHub repo, and a thread on the BITX20 group.

[Ashhar Farhan] is well known in the ham radio community for low-cost radio designs like the BITX and its successor, the μBITX. He also created the Antuino, an Arduino-based antenna tester.