If a couple of generations of spy movies have taught us anything, it’s that secret agents get the best toys. And although it may not be as cool as a radar-equipped Aston Martin or a wire-flying rig for impossible vault heists, this DIY TEMPEST system lets you snoop on computers using secondary RF emissions.
If the term TEMPEST sounds familiar, it’s because we’ve covered it before. [Elliot Williams] gave an introduction to the many modalities that fall under the TEMPEST umbrella, the US National Security Agency’s catch-all codename for bridging air gaps by monitoring the unintended RF, light, or even audio emissions of computers. And more recently, [Brian Benchoff] discussed a TEMPEST hack that avoided the need for thousands of dollars of RF gear, reducing the rig down to an SDR dongle and a simple antenna. There’s even an app for that now: TempestSDR, a multiplatform Java app that lets you screen scrape a monitor based on its RF signature. Trouble is, getting the app running on Windows machines has been a challenge, but RTL-SDR.com reader [flatfishfly] solved some of the major problems and kindly shared the magic. The video below shows TempestSDR results; it’s clear that high-contrast images are easiest to snoop on, but it shows that a $20 dongle and some open-source software can bridge an air gap. Makes you wonder what’s possible with deeper pockets.
RF sniffing is only one of many ways to exfiltrate data from an air-gapped system. From power cords to security cameras, there seems to be no end to the ways to breach systems.
It’s not hard to detect meteors: go outside on a clear night in a dark place and you’re bound to see one eventually. But visible light detection is limiting, and knowing that meteors leave a trail of ions means radio detection is possible. That’s what’s behind this attempt to map meteor trails using broadcast signals, which so far hasn’t yielded great results.
The fact that meteor trails reflect radio signals is well-known; hams use “meteor bounce” to make long-distance contacts all the time. And using commercial FM broadcast signals to map meteor activity isn’t new, either — we’ve covered the “forward scattering” technique before. The technique requires tuning into a frequency used by a distant station but not a local one and waiting for a passing meteor to bounce the distant signal back to your SDR dongle. Capturing the waterfall display for later analysis should show characteristic patterns and give you an idea of where and when the meteor passed.
[Dave Venne] is an amateur astronomer who turns his eyes and ears to the heavens just to see what he can find. [Dave]’s problem is that the commercial FM band in the Minneapolis area that he calls home is crowded, to say the least. He hit upon the idea of using the National Weather Service weather radio broadcasts at around 160 MHz as a substitute. Sadly, all he managed to capture were passing airplanes with their characteristic Doppler shift; pretty cool in its own right, but not the desired result.
The comments in the RTL-SDR.com post on [Dave]’s attempt had a few ideas on where this went wrong and how to improve it, including the intriguing idea of using 60-meter ham band propagation beacons. Now it’s Hackaday’s turn: any ideas on how to fix [Dave]’s problem? Sound off in the comments below.
Cheap consumer WiFi devices are great for at least three reasons. First, they almost all run an embedded Linux distribution. Second, they’re cheap. If you’re going to break a couple of devices in the process of breaking into the things, it’s nice to be able to do so without financial fears. And third, they’re often produced on such low margins that security is an expense that the manufacturers just can’t stomach — meaning they’re often trivially easy to get into.
The hack begins with [Benjamin] finding a telnet prompt on port 11880 and simply logging in as root, with the same password that’s used across all Zsun devices: zsun1188. It’s like they want you to get in. (If you speak Chinese, you’ll recognize the numbers as being a sound-alike for “want to get rich”. So we’ve got the company name and a cliché pun. This is basically the Chinese equivalent of “password1234”.) Along the way, [Benjamin] also notes that the device executes arbitrary code typed into its web interface. Configure it to use the ESSID “reboot”, for instance, and the device reboots. Oh my!
From here [q3k] and co. took over and ported OpenWRT to the device and documented where its serial port and GPIOs are broken out on the physical board. But that’s not all. They’ve also documented how and where to attach a wired Ethernet adapter, should you want to put this thing on a non-wireless network, or use it as a bridge, or whatever. In short, it’s a tiny WiFi router and Linux box in a package that’s about the size of a Euro coin or a US quarter and costs less than a good dinner out. Just add USB power and you’re good to go.
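The ESSID bug above is the classic shape of a command-injection defect: a value typed into a web form is pasted into a shell command line, so the shell interprets it instead of treating it as a network name. The following is an added illustration, not Zsun firmware (the device’s actual web code is not on the page); it puts the naive pattern next to the two fixes that remove it, an allow-list check on the value and an argument-vector call that never involves a shell. The `iwconfig wlan0 essid` command and the allow-list character set are assumptions chosen for the example.

```python
"""Naive vs. hardened handling of a user-supplied ESSID in a configuration handler.

Added illustration, not Zsun firmware (the device's web code is not on the page).
It models the defect described above, an ESSID string reaching a shell unchanged,
next to the two fixes that remove it: an allow-list check and an argv call with no shell.
"""
import re
import shlex


def naive_command(essid):
    """The vulnerable pattern: concatenate user input into a shell command line.
    Anything the shell treats specially inside `essid` is interpreted by the shell
    instead of being set as the network name."""
    return "iwconfig wlan0 essid " + essid


# Allow-list, deliberately stricter than 802.11 (which permits any 0-32 bytes) so that
# nothing downstream can mis-parse the value; a vendor would widen it with care.
ESSID_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def validate_essid(essid):
    """Return the ESSID unchanged if it is on the allow-list, else raise ValueError."""
    if not ESSID_ALLOWED.fullmatch(essid):
        raise ValueError("ESSID rejected: 1-32 chars from letters, digits, space, '.', '_', '-'")
    return essid


def safe_argv(essid):
    """Argument vector for subprocess.run(argv) with shell=False: the ESSID is a single
    argv element handed straight to iwconfig, so no shell ever parses it."""
    return ["iwconfig", "wlan0", "essid", validate_essid(essid)]


def safe_command_line(essid):
    """Shell-quoted form for logs or a generated script; shlex.join quotes each
    argument individually, so the logged line is also safe to paste into a shell."""
    return shlex.join(safe_argv(essid))


if __name__ == "__main__":
    for candidate in ["Home Net-2", "cafe;reboot", ""]:
        try:
            print("accepted:", safe_command_line(candidate))
        except ValueError as err:
            print("rejected:", err)
```

The validation and the shell-free call are independent layers: the argv form alone already defeats injection, and the allow-list alone would stop the `reboot` trick, but a device that later feeds the stored ESSID into an init script benefits from having both.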
Since the discovery that some USB TV tuner dongles could be used to monitor radio waves across a huge amount of spectrum, the software-defined radio world has exploded with interest. The one limiting factor, though, has been that the dongles can only receive signals; they can’t transmit them. [Evariste Okcestbon, F5OEO] (if that is his real name! Ok c’est bon = Ok this is good) has written some software that will get you transmitting using SDR with only a Raspberry Pi and a wire.
There have been projects in the past that use a Pi to broadcast radio (PiFM), but this new software (RPiTX) takes it a couple steps further. Using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter and anyone should be able to get a lot of use out of it. In the video demo below the break, [Evariste] records a wireless doorbell signal and then re-transmits it using just the Raspberry Pi.
Once again the ubiquitous USB TV tuner dongle has proved itself more than capable of doing far more than just receiving broadcast TV. Over on the RTL-SDR blog, there’s a tutorial covering the measurement of filter characteristics using a cheap eBay noise source and an RTL-SDR dongle.
For this tutorial, the key piece of equipment is a BG7TBL noise source, acquired from the usual online retailers. With a few connectors, a filter can be plugged in between this noise source and the RTL-SDR dongle. With the hardware out of the way, the only thing remaining is the software. That’s just rtl_power and this wonderful GUI. The tutorial is using a cheap FM filter, and the resulting plot shows a clear dip between 50 and 150 MHz. Of course this isn’t very accurate; there’s no comparison to the noise source and dongle without any attenuation. That’s just a simple matter of saving some scans as .csv files and plugging some numbers into Excel.
The same hardware can be used to determine the VSWR of an antenna, replacing the filter with a directional coupler; just put the coupler between the noise source and the dongle and measure the attenuation through the range of the dongle. Repeat with the antenna connected, and jump back into Excel.
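The “plug some numbers into Excel” step in both measurements above is the same subtraction: a reference sweep minus a sweep with the device under test in line, bin by bin. Here is an added worked example of that step, not code from the RTL-SDR blog tutorial. It reads rtl_power’s real CSV layout (date, time, hz_low, hz_high, hz_step, samples, then one dB value per bin), reports the filter’s insertion loss and stop band, and turns the coupler’s reflected-power drop into VSWR via the return-loss formula. All four sweeps are constructed sample data, and the assumption that the coupler’s reference sweep is taken with the antenna port left open (total reflection) is the example’s, not the tutorial’s.

```python
"""Filter attenuation and antenna VSWR from rtl_power CSV scans.

Added worked example (not from the RTL-SDR blog tutorial): it replaces the
"plug some numbers into Excel" step. The CSV layout is rtl_power's real one:
date, time, hz_low, hz_high, hz_step, samples, then one dB value per bin.
The sweeps below are constructed sample data, not real measurements.
"""
import csv
import io
import math

# Constructed reference sweep: noise source straight into the dongle, flat -20 dB.
BASELINE_CSV = "2015-01-01, 12:00:00, 25000000, 200000000, 25000000, 100, -20.0, -20.0, -20.0, -20.0, -20.0, -20.0, -20.0\n"
# Constructed sweep with an FM band-stop filter inserted between source and dongle.
FILTER_CSV = "2015-01-01, 12:01:00, 25000000, 200000000, 25000000, 100, -21.0, -45.0, -50.0, -52.0, -48.0, -40.0, -22.0\n"
# Constructed coupler sweeps (assumption): reflected port read with the antenna
# port left open (total reflection) as the reference, then with the antenna attached.
OPEN_CSV = "2015-01-01, 12:02:00, 25000000, 200000000, 25000000, 100, -30.0, -30.0, -30.0, -30.0, -30.0, -30.0, -30.0\n"
ANTENNA_CSV = "2015-01-01, 12:03:00, 25000000, 200000000, 25000000, 100, -31.0, -36.0, -50.0, -40.0, -33.0, -30.5, -30.0\n"


def parse_rtl_power(text):
    """Map bin start frequency (Hz) to dB. Later sweeps of the same bin overwrite earlier ones."""
    bins = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # blank or malformed line
        hz_low, hz_step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            bins[int(hz_low + i * hz_step)] = float(db)
    return bins


def difference_db(reference, measured):
    """reference minus measured, per frequency present in both scans (dB)."""
    return {f: reference[f] - measured[f] for f in reference if f in measured}


def stopband(attenuation, threshold_db=20.0):
    """Frequencies whose insertion loss exceeds the threshold, ascending."""
    return sorted(f for f, a in attenuation.items() if a > threshold_db)


def vswr_from_return_loss(rl_db):
    """VSWR = (1+|G|)/(1-|G|) with |G| = 10^(-RL/20); RL <= 0 dB means total reflection."""
    if rl_db <= 0:
        return math.inf
    gamma = 10 ** (-rl_db / 20)
    return (1 + gamma) / (1 - gamma)


def antenna_vswr(open_text, antenna_text):
    """Return loss per bin is the drop in reflected power vs. the open-port reference."""
    rl = difference_db(parse_rtl_power(open_text), parse_rtl_power(antenna_text))
    return {f: vswr_from_return_loss(v) for f, v in rl.items()}


def filter_report():
    """Insertion loss per bin of the constructed filter sweep and its >20 dB stop band."""
    att = difference_db(parse_rtl_power(BASELINE_CSV), parse_rtl_power(FILTER_CSV))
    return att, stopband(att)


if __name__ == "__main__":
    att, band = filter_report()
    for f in sorted(att):
        print(f"{f / 1e6:6.1f} MHz  insertion loss {att[f]:5.1f} dB")
    print("stop band (>20 dB):", [f / 1e6 for f in band], "MHz")
    for f, v in sorted(antenna_vswr(OPEN_CSV, ANTENNA_CSV).items()):
        print(f"{f / 1e6:6.1f} MHz  VSWR {v:.2f}")
```

Point the constants at files written by `rtl_power -f 25M:200M:25k ...` (same layout, many more bins) and the same functions apply unchanged; the bin width only needs to match between the reference and the measured sweep, since bins are matched by their start frequency.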
The dongles are based on the ATMega88PA and work on three levels to provide something for everyone. The no-experience-necessary option is to plug it into a USB port and admire the light show sequences. If you know enough to be dangerous, you can remotely control the LEDs from a USB host using [kiu]’s sldtool for Linux or Mac. He originally included examples that visualize CPU utilization and ultimately added a Ruby-based departure countdown for the next outbound train at the nearby station.
If you’re 1337 enough you can flash your own C or assembly code via USB. Holding down the button during power-up lets you use the dongle as a USBasp so it can be flashed with avrdude. [kiu] says the bootloader can’t be unlocked through software and is theoretically unbrickable. Stick around after the break to see the full demo.
This pair of dongles is a fun way to get your feet wet working with MIDI hardware. They’re called MIDIvampire-I and MIDIvampire-II. Just plug one end into your MIDI-ready instrument and the other into a pair of speakers and you’re off and running. Mark I is a polyphonic synth, and Mark II is a drum machine, but both use basically the same hardware which you may already have on hand.
The single chip on each board is an ATmega328 often found anchoring Arduino boards. The other silicon component is an S1112B30MC voltage regulator. The rest of the components are passives, with MIDI and headphone jacks for connectivity. They’re selling these if you want the easy way out, but we thought we’d bring them to your attention in case you needed a breadboarding project this weekend. The firmware, BOM, schematic, and board artwork are all available on the Wiki pages linked in the articles above. After the break you can see a couple of demo videos which walk through all of the features.