There’s a problem with software defined radio. It’s not that everyone needs to re-learn what TEMPEST shielding is, and it’s not that Bluetooth is horribly broken. SDR’s biggest problem is one of bandwidth and processing. With a simple USB TV Tuner, you can listen in on aircraft, grab Landsat images from hundreds of miles up, or sniff the low-power radios used in Internet of Things things. What you can’t do is make your own WiFi adapter, and you can’t create your own LTE wireless network. This is simply a problem of getting bits from the air to a computer for processing.
At HOPE last weekend, the folks behind the very capable LimeSDR and a new company working with Lime’s hardware laid out the possibilities of what software defined radio can do if you make a link to a computer very fast, and add some processing on the SDR itself.
To [Stefan Kiese], this isn’t much more than an exercise. He’s not even playing Pokemon Go. To squeeze a usable GPS signal out of his HackRF One, a $300 Software Defined Radio, [Stefan] uses an external precision clock. This makes up for the insufficient calibration of the HackRF’s internal clock, although he points out that this might also be fixed entirely in software.
We are entering a new era of radio technology. A new approach to building radios has made devices like multi-band cell phones and the ubiquitous USB TV receivers that seamlessly flit from frequency to frequency possible. That technology is Software Defined Radio, or SDR.
A idealized radio involves a series of stages. Firstly, an antenna receives the radio signal, converting it into an electrical signal. This signal is fed into a tuned resonator which is tuned to a particular frequency. This amplifies the desired signal, which is then sent to a demodulator, a device which extracts the required information from the carrier signal. In a simple radio, this would be the audio signal that was encoded by the transmitter. Finally, this signal is output, usually to a speaker or headphones.
A replica foxhole crystal set. Photo: Bill Jackson
That’s how your basic crystal radio works: more sophisticated radios will add features like filters that remove unwanted frequencies or additional stages that will process the signal to create the output that you want. In an FM radio, for example, you would have a stage after the demodulator that detects if the signal is a stereo one, and separates the two stereo signals if so.
To change the frequency that this radio receives, you have to change the frequency that the resonator is tuned to. That could mean moving a wire on a crystal, or turning a knob that controls a variable capacitor, but there has to be a physical change in the circuit. The same is true of the additional mixing stages that refine the signal. These circuits may be embedded deeply in the guts of the radio, but they are still there. This is the limitation with normal receivers: the radio can’t receive a signal that is outside the range that the resonator circuit can tune to, or change the way it is demodulated and processed. If you want to receive multiple frequency bands or different types of signals, you need to have separate pathways for each band or type of signal, physically switching the signal between them. That’s why you have physical AM/FM switches on radios: they switch the signal from an AM radio processing path to an FM one.
Software Defined Radios remove that requirement. In these, the resonator and demodulator parts of the radio are replaced by computerized circuits, such as analog to digital converters (ADCs) and algorithms that extract the signal from the stream of data that the ADCs capture. They can change frequencies by simply changing the algorithm to look for another frequency: there is no need for a physical change in the circuit itself. So, an SDR radio can be tuned to any frequency that the ADC is capable of sampling: it is not restricted by the range that a resonator can tune to. Similarly, the demodulator that extracts the final signal you want can be updated by changing the algorithm, changing the way the signal is processed before it is output.
This idea was first developed in the 1970s, but it didn’t really become practical until the 1990s, when the development of flexible field-programmable gate array (FPGA) chips meant that there was enough processing power available to create single chip SDR devices. Once programmed, an FPGA has no problem handing the complex tasks of sampling, demodulating and processing in a single device.
Most modern SDRs don’t just use a single chip, though. Rather than directly converting the signal to digital, they use an analog front end that receives the raw signal, filters it and converts it down to a fixed frequency (called the intermediate frequency, or IF) that the ADCs in the FPGA can more easily digitize. This makes it cheaper to build: by converting the frequency of the signal to this intermediate frequency, you can use a simpler FPGA and a cheaper ADC, because they don’t have to directly convert the maximum frequency you want to receive, only the IF. As long as the front end can convert a band of signals down to an intermediate frequency that the FPGA can digitize, the SDR can work with it.
The BladeRF, a modern SDR device that can receive and transmit signals between 300 MHz and 3 GHz
This flexibility means that SDR devices can handle a huge range of signals at relatively low cost. The $420 BladeRF, for instance, can receive and transmit signals from 300 MHz to 3.8 GHz at the same time, while the $300 HackRF One can work with signals from 1 MHz up to an incredible 6 GHz. The ability of the BladeRF to both receive and transmit means that you can use it to build your own GSM phone network, while the low cost of the HackRF One makes it a favorite of radio hackers who want to do things like make portable radio analyzers. Mass produced models are even cheaper: by hacking a $20 USB TV receiver that contains an SDR, you can get a radio that can, with a suitable antenna, do things like track airplanes or receive satellite weather images. And all of this is possible because of the idea of Software Defined Radio.
Software defined radios (SDRs) can–in theory–do almost anything you need a radio to do. Voice? Data? Frequency hopping? Trunking? No problem, you just write the correct software, and you are in.
That’s the problem, though. You need to know how to write the software. LimeSDR is an open source SDR with a crowdfunding campaign. By itself, that’s not anything special. There are plenty of SDR devices available. What makes LimeSDR interesting is that it is using Snappy Ubuntu Core as a sort of app store. Developers can make code available, and end-users can easily download and install that code.
The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?
Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered in the keypad, the base station replies with a ‘PIN entered’ packet. Replaying this packet with a 433 MHz transmitter will disable the security system.
[Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions were easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed bypassing notifications to the owner.
It’s a hilarious failure of wireless security, especially given the fact that this exploit can be performed by anyone with $100 in equipment. With a little more effort, an attacker can execute a PIN replay from a mile away. Sadly, failures of security of this magnitude are becoming increasingly common. There will assuredly be more attacks of this kind in the future, at least until hardware manufacturers start taking the security (of their security products) seriously.
Regular Hackaday readers are used to seeing the hacks that use a cheap USB TV dongle as a software defined radio (SDR). There’s plenty of software that will work with them including the excellent GNU Radio software. However, the hardware is pretty bare-bones. Without modifications, the USB dongle won’t get lower frequencies.
There’s been plenty of other SDR radios available but they’ve had a much heftier price tag. But we recently noticed the SDRPlay RSP, and they now have US distribution. The manufacturer says it will receive signals with 12-bits of resolution over the range of 100 kHz to 2 GHz with an 8MHz bandwidth. The USB cable supplies power and a connection to the PC. The best part? An open API that supports Windows, Linux, Mac, Android, and will even work on a Raspberry Pi (and has GNU Radio support, too).
Construction crews tearing up the street to lay new internet fiber optic cable created a unique opportunity for [Bastian Bloessl]. The workers brought two mobile traffic lights to help keep the road safe while they worked. [Bastian] had heard that these lights use the 2 meter band radios, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a clock, traffic volume via an on-board camera, wire or radio. They also transmit status data, which is what [Bastian] was hoping to receive.
A quick scan with GQRX revealed a strong signal on 170.760 MHz. Using baudline and audacity, [Bastian] was able to determine that Audio Frequency Shift Keying was used to modulate the data. He created a simple receiver chain in GNU radio, and was greeted with a solid data stream from the lights. By watching the lights and looking at the data frames, [Bastian] was able to determine which bits contained the current light status. A quickly knocked up web interface allowed him to display the traffic light status in real-time.
It’s a bit scary that the data was sent in plaintext, however this is just status data. We hope that any command data is sent encrypted through a more secure channel.
