Two Software Defined Radio Hacks From Our Resident SDR Guru

It seems [Balint] is becoming something of an SDR guru around these parts; in the past few months, he’s gotten a USB TV tuner receiver working with GNU Radio, started a software defined radio tutorial YouTube channel, and even used this project to listen in on conversations between airplanes and air traffic control. This time, [Balint] is back using this cheap USB TV tuner for radio direction finding and running HDSDR in Linux and OS X.

[Balint]’s radio direction finding presentation goes over the traditional approach of Doppler direction finding with a mechanically rotated antenna: an antenna moving around a circle sees a periodic Doppler shift, and the phase of that shift relative to the rotation gives the bearing of the transmitter. Because [Balint] is dealing with frequencies around 150 MHz (about 2 m wavelength), a physical setup would need to spin the antenna at around 40,000 RPM, far too fast for any practical mechanical build. [Balint]’s solution is the pseudo-Doppler technique: attach 4 antennas around the circumference of a circle and electronically switch between them many thousands of times a second, which imposes the same periodic phase modulation on the received signal that a spinning antenna would. [Balint] put up a wiki page covering the theory and implementation details of his build.

[Balint] also wrote up a neat app to control software defined radios, including the Realtek TV dongle, over a network. Spread over a wide enough geographic area, it could make it extremely easy for anyone to play air traffic controller. The BorIP Server can also be used to run HDSDR in Linux and OS X under Wine: just connect HDSDR to the network loopback on the same machine, and you get around Wine’s distaste for accessing hardware natively.

Awesome work, and we can’t wait to see what comes out of [Balint]’s laboratory next.

Edit: instead of the dongle, [Balint] is using a ‘real’ software radio board. A lot of people are messaging him asking if the same method of direction finding is possible with the dongle. Here’s what [Balint] has to say:

The trick, as I see it, would be to create some (more or less simple) additional hardware to take the clock signal straight off the dongle’s on-board oscillator and divide it down for use with the antenna switch, i.e. 28 MHz → tens of kHz (this is the bit that’s done in ‘software’ on the FPGA). One problem still remains however: the counter needs to remain calibrated against the known direction the antenna was pointing at the time – otherwise a stop/start of the data stream from the dongle will mean the direction will go out of sync by 90/180/270 degrees each stop/start. Perhaps someone will figure out an elegant solution for this slight hurdle!

So there you go. Up for a challenge?
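As an added illustration of the pseudo-Doppler scheme described in the presentation write-up above, and of the sync problem [Balint] raises in the edit, here is a small simulation. This is added here and is not [Balint]’s code, nor tied to his FPGA or switch hardware; the array radius, sample rate, switch rate, tuning offset and noise level are assumed values, and the “receiver” is a constructed IQ stream carrying one unmodulated carrier. It recovers the bearing from the phase jump seen at each antenna switch, and shows what happens when the sample stream is associated with the wrong antenna by one dwell: with four antennas the answer rotates by exactly 90 degrees, which is the calibration hurdle described in the edit.

```python
"""Pseudo-Doppler direction finding on a switched M-antenna array.

Added example with assumed (hypothetical) parameters throughout.  The IQ
stream is constructed in simulate(), not captured from any receiver.
"""
import cmath
import math
import random

FS = 192_000         # complex baseband sample rate, Hz (assumed)
SWITCH_HZ = 2_000    # full antenna-switch rotations per second (assumed)
M = 4                # antennas equally spaced on a circle
R = 0.3              # array radius, metres (assumed)
WAVELENGTH = 2.0     # ~150 MHz, as in the post
DWELL = FS // (SWITCH_HZ * M)   # samples on each antenna per rotation (24)


def antenna_phase(bearing_deg, k):
    """Carrier phase at antenna k (relative to the array centre) for a plane
    wave arriving from bearing_deg.  Antenna k sits at angle 2*pi*k/M."""
    phi_k = 2 * math.pi * k / M
    theta = math.radians(bearing_deg)
    return 2 * math.pi * R / WAVELENGTH * math.cos(theta - phi_k)


def simulate(bearing_deg, cycles=50, carrier_offset_hz=2_000, noise=0.05, seed=1):
    """Constructed IQ stream: one unmodulated carrier seen through the switched
    array, with a residual tuning offset and additive Gaussian noise."""
    rng = random.Random(seed)
    w_off = 2 * math.pi * carrier_offset_hz / FS    # tuning error, radians/sample
    samples = []
    for n in range(cycles * M * DWELL):
        k = (n // DWELL) % M                          # antenna active at sample n
        phase = w_off * n + antenna_phase(bearing_deg, k)
        s = cmath.exp(1j * phase)
        s += complex(rng.gauss(0, noise), rng.gauss(0, noise))
        samples.append(s)
    return samples


def estimate_bearing(samples, dwell_offset=0):
    """Bearing estimate from the phase jump at every antenna switch.

    dwell_offset models a sample stream that has lost sync with the switch
    sequence by that many dwells (the counter going out of calibration);
    with M=4 every dwell of error rotates the answer by 90 degrees.
    """
    n_total = len(samples)
    # FM demodulate: step[n] is the phase advance from sample n-1 to sample n
    step = [0.0] + [cmath.phase(samples[n] * samples[n - 1].conjugate())
                    for n in range(1, n_total)]
    # Inside a dwell the only phase advance is the tuning offset: estimate it
    inside = [step[n] for n in range(1, n_total) if n % DWELL != 0]
    w_off_est = sum(inside) / len(inside)
    # At a switch boundary the extra phase is psi[k] - psi[k-1]
    jump = [0.0] * M
    count = [0] * M
    for n in range(DWELL, n_total, DWELL):
        k = (n // DWELL + dwell_offset) % M   # antenna we believe just became active
        jump[k] += step[n] - w_off_est
        count[k] += 1
    avg = [jump[k] / count[k] for k in range(M)]
    # psi[k] = A cos(theta - phi_k), so jump[k] = A cos(theta) u[k] + A sin(theta) v[k]
    u = [math.cos(2 * math.pi * k / M) - math.cos(2 * math.pi * (k - 1) / M)
         for k in range(M)]
    v = [math.sin(2 * math.pi * k / M) - math.sin(2 * math.pi * (k - 1) / M)
         for k in range(M)]
    # u and v are orthogonal with equal norm for M >= 3, so the atan2 of the
    # two correlations recovers theta directly
    i_part = sum(avg[k] * u[k] for k in range(M))
    q_part = sum(avg[k] * v[k] for k in range(M))
    return math.degrees(math.atan2(q_part, i_part)) % 360


def angular_error(estimate_deg, truth_deg):
    """Signed difference between two bearings, wrapped into [-180, 180)."""
    return (estimate_deg - truth_deg + 180) % 360 - 180


if __name__ == "__main__":
    iq = simulate(30)
    print("in sync:       %.1f deg" % estimate_bearing(iq))
    print("one dwell off: %.1f deg" % estimate_bearing(iq, dwell_offset=1))
```

The estimator only works because it knows which antenna is active at every sample; if the stream stops and restarts without the counter being re-referenced, `dwell_offset` is effectively unknown and the bearing is ambiguous by a multiple of 360/M degrees, exactly as the edit describes. A real receiver also low-pass filters the switching transients, so in practice the switching-rate tone is extracted from the FM-demodulated audio rather than from individual sample-to-sample jumps as done here.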

ShmooCon 2009: Chris Paget’s RFID Cloning Talk

[googlevideo=http://video.google.com/videoplay?docid=-282861825889939203]

When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part of the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.


MBTA Drops Lawsuit Against MIT Subway Hackers

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October, and now the EFF brings news that the students will be working with the MBTA to improve its system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it, because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and its physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and brute-forcing Mifare Classic with an FPGA.

Defcon 16: Pacemaker-B-Gone

A collaboration of academic researchers has demonstrated that pacemakers can be remotely hacked with simple and accessible equipment. [Kevin Fu], an associate professor at the University of Massachusetts at Amherst, led the team. [Kevin] first tried to get documentation from the manufacturers, believing they would support the effort, but they were not interested in helping, so the team had to obtain an old pacemaker and reverse engineer it. They found that the communication protocol used to remotely program the device was unencrypted. Using a GNU Radio setup, they were then able to reach some of the device’s reprogrammable functions, including reading out patient data and even turning it off.

Although this was only done with one particular pacemaker, it proves the concept and should be taken seriously by the companies that produce these devices. If you are interested in the technical details, check out the paper the team released in May disclosing the methods.