Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.
In his talk at the recent 2019 CircleCityCon, [Josh] (who also goes by the handle [CrankyLinuxUser]) presented the RadioInstigator as an affordable way to get into the world of wireless security research beyond the traditional WiFi and Bluetooth. None of the hardware inside the device is new exactly, it’s all stuff the hacking community has had access to for a while now, but this project brings them all together under one 3D printed “roof” as it were. The end result is a surprisingly practical looking device that can be used on the go to explore huge swaths of the RF spectrum at a cost of only around $150 USD.
So what has [Josh] packed into this wireless toybox? It will probably come as little surprise to find out that the star of the show is a Raspberry Pi 3 B+, combined with a touch screen display and portable keyboard so the user can interface with the various security tools installed.
To help the RadioInstigator surf the airwaves there’s an RTL-SDR and a 2.4 Ghz nRF24LU1+ “Crazyradio”, both broken out to external antenna connectors on the outside of the device. There’s even an external SMA connector hooked up to the Pi’s GPIO pin, which can be used for low-power transmissions from 5 KHz up to 1500 MHz with rpitx. Everything is powered by a beefy 10,000 mAh battery pack which should give you plenty of loiter time to perform your investigations.
[Josh] has also written several Bash scripts which will get a trove of radio hacking tools installed on the Pi automatically, either by pulling them in through the official repositories or downloading the source and compiling them. Getting the software environment into a known-good state can be a huge time sink, so even if you don’t build your own version of the RadioInstigator, his scripts are still worth checking out.
Do you have an EMC probe in your toolkit? Probably not, unless you’re in the business of electromagnetic compatibility testing or getting a product ready for the regulatory compliance process. Usually such probes are used in anechoic chambers and connected to sophisticated gear like spectrum analyzers – expensive stuff. But there are ways to probe the electromagnetic mysteries of your projects on the cheap, as this DIY EMC testing setup proves.
As with many projects, [dimtass]’ build was inspired by a video over on EEVblog, where [Dave] made a simple EMC probe from a length of semi-rigid coax cable. At $10, it’s a cheap solution, but lacking a spectrum analyzer like the one that [Dave] plugged his cheap probe into, [dimtass] went a different way. With the homemade probe plugged into an RTL-SDR dongle and SDR# running on a PC, [dimtass] was able to get a decent approximation of a spectrum analyzer, at least when tested against a 10-MHz oven-controlled crystal oscillator. It’s not the same thing as a dedicated spectrum analyzer – limited bandwidth, higher noise, and not calibrated – but it works well enough, and as [dimtass] points out, infinitely hackable through the SDR# API. The probe even works decently when plugged right into a DSO with the FFT function running.
Again, neither of these setups is a substitute for proper EMC testing, but it’ll probably do for the home gamer. If you want to check out the lengths the pros go through to make sure their products don’t spew signals, check out [Jenny]’s overview of the EMC testing process.
You read about well-publicised security exploits, but they always seem to involve somebody with a deity’s grasp of whatever technology is being employed, as well as a pile of impossibly exotic equipment. Surely a mere mortal could never do that!
Happily, that’s not always the case, and to prove it [Gonçalo Nespral] replicated an attack against RF devices such as some garage doors and motor vehicle locks that use a rolling code. His inspiration came from a device from2015, that encouraged the owner of a key to keep transmitting fresh codes. It did this by swamping the receiver of the car, garage door, or whatever with a strong slightly off frequency signal. This would cause the lock to not work, so the user would try again and again. The attacker listens with a very narrow bandwidth receiver on-frequency that is good enough to reject the jamming signal, and can harvest a sequence of the rolling codes enough to compromise it.
[Gonçalo]’s set-up uses a YARD stick One transceiver dongle as its transmitter, and an RTL-SDR for receive. A GNU Radio setup is used to retrieve the key data, and some custom Python code does the remaining work. We wouldn’t advocate using this in the wild and it could conceivably also gain you access to another car with a flashing light on top, but it’s an interesting exposé of the techniques involved.
As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.
Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.
Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.
Meteorological organisations across the world launch weather balloons on a regular basis as a part of their work in predicting whether or not it will rain on the weekend. Their payloads are called radiosondes, and these balloons deliver both telemetry and location data throughout their flightpath. Hobbyists around the globe have devoted time and effort to tracking and decoding these signals, and now it’s possible to do it all automatically, thanks to Radiosonde Auto RX.
The basis of the project is the RTL-SDR, everyone’s favourite low-cost software defined radio receiver. In this case, software is used to first hunt for potential radiosonde signals, before then decoding them and uploading the results to a variety of online services. Some of these are designed for simple tracking, while others are designed for live chase and recovery operations. Currently, the software only covers 3 varieties of radiosonde, but the team are eager to expand the project and have requested donations of other radiosondes for research purposes.
The month or so after the holidays have always been a great time to pick up some interesting gadgets on steep clearance, but with decorations and lights becoming increasingly complex over the last few years, the “Christmas Clearance” rack is an absolute must see for enterprising hackers. You might just luck out like [ModernHam] and find a couple packs of these dirt cheap wireless light controllers, which can fairly easily be hacked into the start of a home automation system with little more than the Raspberry Pi and a short length of wire.
In the video after the break, [ModernHam] walks the viewer through the start to finish process of commanding these cheap remote plugs. Starting with finding which frequencies the remotes use thanks to the FCC database and ending with using cron to schedule the transmission of control signals from the Pi, his video really is a wealth of information. Even if you don’t have this particular model of remote plug, or don’t necessarily want to setup a home automation system, there’s probably some element of this video that you could still adapt to your own projects.
The first step of the process is figuring out how the remote is communicating to the plugs. [ModernHam] noticed there was no frequency listed on the devices, but using their FCC IDs he was able to find the relevant information. In the United States, devices like these must have their FCC IDs visible (though they could be behind a battery door) by law, so the searchable database is an invaluable tool to do some basic reconnaissance on a poorly documented gadget.
An RTL-SDR receiver is then used to fine tune the information gleaned from the FCC filing. [ModernHam] found that the signals for all four of the remote plugs were being broadcast on the same frequency, which makes controlling them all the easier. Using the rtl-sdr command, he was able to capture the various signals from the transmitter and save them to separate files. Then it’s just a matter of replaying the appropriate file to get the plugs to do your bidding.
Of course, the RTL-SDR can’t transmit so you’ll have to leave your dongle behind for this last step. Luckily all you need to transmit is the rpitx package created by [F5OEO], along with a supported Raspberry Pi and a small length of wire attached to the appropriate GPIO pin. This package contains the tool sendiq which can be used to replay the raw captures made in the previous step. With some scripting, it’s fairly straightforward to automate these transmissions to control the remote plugs however you wish from the Pi.
[ByTechLab] needed an enclosure for his R820T2 based RTL-SDR, which sports an SMA connector. Resolving to design and 3D print one in less than a day, he learned a few things about practical design for 3D printing and shared them online along with his CAD files.
The RTL-SDR is a family of economical software defined radio receivers, and [ByTechLab]’s’ enclosure (CAD files available on GrabCAD and STL on Thingiverse) is specific to his model. However, the lessons he learned are applicable to enclosure design in general, and a few of them specifically apply to 3D printing.
He started by making a basic model of the PCB and being sure to include all large components. With that, he could model the right voids inside the enclosure to ensure a minimum of wasted space. The PCB lacks any sort of mounting holes, so the model was also useful to choose where to place some tabs to hold the PCB in place. That took care of the enclosure design, but it also pays to be mindful of the manufacturing method so as to play to its strengths. For FDM 3D printing, that means most curved shapes and rounded edges are trivial. It also means that the biggest favor you can do yourself is to design parts so that they can be printed in a stable orientation without any supports.
This may be nothing that an experienced 3D printer and modeler doesn’t already know, but everyone is a novice at some point and learning from others’ experiences can be a real timesaver. For the more experienced, we covered a somewhat more in-depth guide to practical 3D printed enclosure design.
[ByTechLab]’s desire for a custom enclosure was partly because RTL-SDR devices come in many shapes and sizes, as you can see in this review of 19 different units (of which only 14 actually worked.)