Attack Some Wireless Devices With A Raspberry Pi And An RTL-SDR

If you own one of the ubiquitous RTL-SDR software defined radio receivers derived from a USB digital TV receiver, one of the first things you may have done with it was to snoop on wide frequency bands using the waterfall view present in most SDR software. Since the VHF and UHF bands the RTL covers are sometimes a little devoid of signals, chances are you homed in upon one of the ISM bands as used by plenty of inexpensive wireless devices for all sorts of mundane control tasks. Unless you reside in the depths of the wilderness, ISM band sniffing will show a continuous procession of chirps; short bursts of digital data. It is surprising, the number of radio-controlled devices you weren’t aware were in your surroundings.

Some of these devices, such as car security keys, are protected by rolling encryption schemes to deter would-be attackers. But many of the more harmless devices simply send a command in the open without the barest of encryption. The folks at put up a guide to recording these open data bursts on a Raspberry Pi and playing them back by transmitting them from the Pi itself.

It’s not the most refined of attacks, because all it does is take the recorded file and retransmit it with the [F5OEO] RPiTX software. But they do demonstrate it in action with a wireless lightbulb, a door bell, a wireless relay, and a remote-controlled switched socket. Since the data in question is transmitted as OOK, or on-off keying, the RPiTX AM mode stands in for the transmitter.

You can see it in action in the video below the break. Now, have you investigated the ISM band chirps in your locality?

ISM Communications for Arduino

If you want to wirelessly communicate between devices, WiFi and Bluetooth are obvious choices. But there’s also the ISM (industrial, scientific, and medical) band that you can use. There are inexpensive modules like the SX1278 that can handle this for you using LoRa modulation, but they haven’t been especially handy to use with an Arduino. [Jan] noticed the same thing and set out to build a shield that allows an Arduino to communicate using LoRa. You can find the design data on GitHub. [Jan] calls it the LoRenz shield.

According to [Jan], the boards cost about $20 to $30 each to make, and most of that cost was in having PC boards shipped. LoRa lets you trade data rate for bandwidth, but typical data rates are fairly modest. As for range, that depends on a lot of factors, too, but we’ve seen ranges quoted in terms of miles.

Depending on where you live, there may be legal restrictions on how you use a radio like the SX1278. You should understand your local laws before you buy into using the ISM bands. We aren’t sure it would be wise, but the board can coexist with three other similar shields. So you could get four radios going on one Arduino if you had to and could manage the power, RF, and other issues involved. The breakout board the module uses has an antenna connector, so depending on your local laws, you could get a good bit of range out of one of these.

[Jan] promises a post on the library that makes it all work shortly, but you can find the code on GitHub now. If you look at the code in the examples directory, it seems pretty easy. You’d have to sling some software, but the SX1278 can support other modes in addition to LoRa, including FSK and other data modulation techniques.

We’ve seen other LoRa shields, but not many. If you are interested in other wireless technologies, we’ve talked about them quite a bit. If you want a basic introduction to LoRa, [Andreas Spiess’] video below is a good place to start.

Two Great Radios Taste Great Together

[Johan Kanflo] sent us his latest recipe: a blend of one part RFM69 sub-gigahertz radio transceiver with one part ESP8266 module. The resulting dish looks absolutely delicious!

We’re all charmed with the ease of use that the ESP8266 brings to the table — plug it in and you’re talking to your existing WiFi network — but we hate the power consumption for battery-powered applications. WiFi is a power hog. And although ISM-band radio modules make point-to-point communications cheap and power-saving, getting them to talk with your computer takes an adapter.

So [Johan] combined the two radios and made a sweet ISM-radio-to-WiFi bridge. His demo application takes whatever data is sent over the ISM band and pushes it to an MQTT broker on his WiFi network. Hardware and firmware are up on GitHub.

We’ve been wanting a device like this for our home network for a while now. Kudos, [Johan] for making it so easy!

THP Hacker Bio: Felix Rusu

As far as entries for The Hackaday Prize go, Moteino is exceptionally interesting. It’s the only project to be used in other projects for The Hackaday Prize. The two other projects making use of the Moteino, 433MHz transceiver and Plant Friends didn’t make the cut, but [Felix]’s Moteino did.

Like many Internet of Things projects, Moteino is a radio module and a microcontroller in an extremely convenient package. The radio is a HopeRF RFM69 operating in the 315, 433, 868 and 915 MHz ISM bands. The microcontroller is everyone’s favorite, the ATMega328, but [Felix] also has a Mega version with the ATMega1284 on board. Already there are a few great examples of what the Moteino can do, including a mailbox notifier, a sump pump monitor, and a way to Internetify a water meter.

[Felix]’s bio below.

Green Light Your Commute with America’s Unsecured Traffic Lights

Remember that episode of Leverage (season 5, episode 3), where Alec uses Marvin to wirelessly change all the street lights green so they can catch up to an SUV? And you scoffed and said “that’s so not real!”… well actually they got it right. A new study out of the University of Michigan (PDF warning), shows just how easy it is to make your morning commute green lights all the way.

The study points out that a large portion of traffic lights in the United States communicate with each other wirelessly over the 900 MHz and 5.8 GHz ISM bands with absolutely no encryption. In order to connect to the 5.8 GHz traffic signals, you simply need the SSID (which is set to broadcast) and the proper protocol. In the study the researchers used a wireless card that is not available to the public, but they do point out that with a bit of social engineering you could probably get one. Another route is the HackRF SDR, which could be used to both sniff and transmit the required protocol. Once connected to the network you will need the default username and password, which can be found on the traffic light manufacturer’s website. To gain access to the 900 MHz networks you need all of the above and a 16-bit slave ID. This can be brute forced, and as the study shows, no ID was greater than 100. Now you have full access, not just to one traffic signal, but to EVERY signal connected to the network.

Once on the network you have two options. One is the completely open debug port in the VxWorks OS, which allows you to read-modify-write any memory register. The other is sending a UDP packet where the last byte encodes the button pressed on the controller’s keypad. Using the remote keypad you can freeze the current intersection state, modify the signal timing, or change the state of any light. However, the hardware Malfunction Management Unit (MMU) will still detect any illegal states (conflicting green or yellow lights) and take over with the familiar 4-way red flashing. Since a technician will have to come out and manually reset the traffic signal to recover from an illegal state, you could turn every intersection on the network into a 4-way stop.

So the next time you stop at a red light, and it seems to take forever to change, keep an eye out for the hacker who just green lit their commute.

Thanks for the tip, [Matt]!

More small radio modules for your wireless needs

In the never-ending pursuit of cheap wireless communication for your microcontroller projects, [kiu] came up with a small board that allows for serial communication via a 433MHz radio link.

[kiu]’s transceiver uses an RFM12 wireless module available online for just a few dollars. Alongside this module is an ATMega8 and a USB to serial FTDI chip. When [kiu] plugs this board into his computer, he’s able to run a terminal, connect to this board, and receive and transmit hex values at 115,200 bps from another one of these boards.

According to [kiu]’s BOM, 10 boards only cost him 180 Euros, or about $225 USD. Considering off-the-shelf solutions such as an XBee could easily cost twice as much, we’re thinking [kiu] did a very nice job here.

[kiu] put all the board files, schematics, and code up on his GitHub, ready for your perusal. A very cool build, and very useful for a high altitude balloon, rocket, or wireless sensor build.