Executing A Vehicle Keyless Entry Attack

You read about well-publicised security exploits, but they always seem to involve somebody with a deity’s grasp of whatever technology is being employed, as well as a pile of impossibly exotic equipment. Surely a mere mortal could never do that!

Happily, that’s not always the case, and to prove it [Gonçalo Nespral] replicated an attack against RF devices such as some garage doors and motor vehicle locks that use a rolling code. His inspiration came from a device from2015, that encouraged the owner of a key to keep transmitting fresh codes. It did this by swamping the receiver of the car, garage door, or whatever with a strong slightly off frequency signal. This would cause the lock to not work, so the user would try again and again. The attacker listens with a very narrow bandwidth receiver on-frequency that is good enough to reject the jamming signal, and can harvest a sequence of the rolling codes enough to compromise it.

[Gonçalo]’s set-up uses a YARD stick One transceiver dongle as its transmitter, and an RTL-SDR for receive. A GNU Radio setup is used to retrieve the key data, and some custom Python code does the remaining work. We wouldn’t advocate using this in the wild and it could conceivably also gain you access to another car with a flashing light on top, but it’s an interesting exposé of the techniques involved.

Rolling code keyfob attacks are something we covered a few years ago, back when these attacks were all shiny and new.

WOPR: Security Loses Some of its Obscurity

As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.

The “Hollywood Hacker” Playset

Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.

In an attempt bridge the gap, the recent WOPR Summit brought together talks and presentations from all sections of the larger hacking world. The goal of the event was to show that the different facets of the community have far more in common than they might realize, and featured a number of talks that truly blurred the lines. The oscilloscope toting crew learned a bit about the covert applications of their gadgets, and the high-level security minded individuals got a good look at how the silicon sausage gets made.

Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.

Continue reading “WOPR: Security Loses Some of its Obscurity”

Automated Radiosonde Tracking Via Open Source

Meteorological organisations across the world launch weather balloons on a regular basis as a part of their work in predicting whether or not it will rain on the weekend. Their payloads are called radiosondes, and these balloons deliver both telemetry and location data throughout their flightpath. Hobbyists around the globe have devoted time and effort to tracking and decoding these signals, and now it’s possible to do it all automatically, thanks to Radiosonde Auto RX.

The basis of the project is the RTL-SDR, everyone’s favourite low-cost software defined radio receiver. In this case, software is used to first hunt for potential radiosonde signals, before then decoding them and uploading the results to a variety of online services. Some of these are designed for simple tracking, while others are designed for live chase and recovery operations. Currently, the software only covers 3 varieties of radiosonde, but the team are eager to expand the project and have requested donations of other radiosondes for research purposes.

The team recently conducted a talk at linux.conf.au regarding the project, which goes into detail as to the decoding and tracking of the radiosonde data. If you’re eager to try it out, download the software, fetch your TV dongle and get cracking. You might also consider tracking cubesats while you’re at it. Video after the break.

via [crazyoperator], thanks to Slds Ernesto for the tip!

Continue reading “Automated Radiosonde Tracking Via Open Source”

Automate Your Home From the Clearance Rack

The month or so after the holidays have always been a great time to pick up some interesting gadgets on steep clearance, but with decorations and lights becoming increasingly complex over the last few years, the “Christmas Clearance” rack is an absolute must see for enterprising hackers. You might just luck out like [ModernHam] and find a couple packs of these dirt cheap wireless light controllers, which can fairly easily be hacked into the start of a home automation system with little more than the Raspberry Pi and a short length of wire.

In the video after the break, [ModernHam] walks the viewer through the start to finish process of commanding these cheap remote plugs. Starting with finding which frequencies the remotes use thanks to the FCC database and ending with using cron to schedule the transmission of control signals from the Pi, his video really is a wealth of information. Even if you don’t have this particular model of remote plug, or don’t necessarily want to setup a home automation system, there’s probably some element of this video that you could still adapt to your own projects.

The first step of the process is figuring out how the remote is communicating to the plugs. [ModernHam] noticed there was no frequency listed on the devices, but using their FCC IDs he was able to find the relevant information. In the United States, devices like these must have their FCC IDs visible (though they could be behind a battery door) by law, so the searchable database is an invaluable tool to do some basic reconnaissance on a poorly documented gadget.

An RTL-SDR receiver is then used to fine tune the information gleaned from the FCC filing. [ModernHam] found that the signals for all four of the remote plugs were being broadcast on the same frequency, which makes controlling them all the easier. Using the rtl-sdr command, he was able to capture the various signals from the transmitter and save them to separate files. Then it’s just a matter of replaying the appropriate file to get the plugs to do your bidding.

Of course, the RTL-SDR can’t transmit so you’ll have to leave your dongle behind for this last step. Luckily all you need to transmit is the rpitx package created by [F5OEO], along with a supported Raspberry Pi and a small length of wire attached to the appropriate GPIO pin. This package contains the tool sendiq which can be used to replay the raw captures made in the previous step. With some scripting, it’s fairly straightforward to automate these transmissions to control the remote plugs however you wish from the Pi.

The RTL-SDR Blog put together their own guide for “brute forcing” simple remote control devices like this as well, and we’ve even seen similar techniques used against automotive key fobs in the past. Amazing what a piece of wire and some clever code can pull off.

Continue reading “Automate Your Home From the Clearance Rack”

Lessons Learned From A 1-Day RTL-SDR Enclosure Project

[ByTechLab] needed an enclosure for his R820T2 based RTL-SDR, which sports an SMA connector. Resolving to design and 3D print one in less than a day, he learned a few things about practical design for 3D printing and shared them online along with his CAD files.

The RTL-SDR is a family of economical software defined radio receivers, and [ByTechLab]’s’ enclosure (CAD files available on GrabCAD and STL on Thingiverse) is specific to his model. However, the lessons he learned are applicable to enclosure design in general, and a few of them specifically apply to 3D printing.

He started by making a basic model of the PCB and being sure to include all large components. With that, he could model the right voids inside the enclosure to ensure a minimum of wasted space. The PCB lacks any sort of mounting holes, so the model was also useful to choose where to place some tabs to hold the PCB in place. That took care of the enclosure design, but it also pays to be mindful of the manufacturing method so as to play to its strengths. For FDM 3D printing, that means most curved shapes and rounded edges are trivial. It also means that the biggest favor you can do yourself is to design parts so that they can be printed in a stable orientation without any supports.

This may be nothing that an experienced 3D printer and modeler doesn’t already know, but everyone is a novice at some point and learning from others’ experiences can be a real timesaver. For the more experienced, we covered a somewhat more in-depth guide to practical 3D printed enclosure design.

[ByTechLab]’s desire for a custom enclosure was partly because RTL-SDR devices come in many shapes and sizes, as you can see in this review of 19 different units (of which only 14 actually worked.)

It Might Be Possible To Build A Stingray With A Raspberry Pi

If there’s one thing that’s making you insecure, it’s your smartphone. Your smartphone is constantly pinging the cell towers, giving out your location and potentially leaking your private information to anyone with a radio. This is the idea behind an IMSI catcher, or Stingray in common parlance, and now you too can build one with parts you can buy off of Amazon.

The key to this hack is a software defined radio dongle, or RTL-SDR, that has been repurposed to listen in on a GSM network. Literally the only hardware required is an RTL-SDR that can be bought online for less than fifteen dollars, and you can identify the IMSI, or unique ID linked to every SIM card, in smartphones around you. The only bit of software required is a small Python script from [Oros42], freely available on GitHub.

Of course, building an IMSI catcher with a desktop is of limited utility, and using a laptop is still a bit too bulky to surreptitiously conceal in a public location. No, to really get the bang for your buck out of this, you need to do this with a small single-board computer running off a battery pack. Luckily, [Joseph Cox] over at Motherboard reports, “It is likely possible” to run this on a Raspberry-Pi. We’re guessing it’s even more than “likely” possible.

All The Goodies You Need For Your RTL-SDR

When the RTL2832-based USB digital TV sticks were revealed to have hidden capabilities that made the  an exceptionally cheap software-defined radio receiver, it was nothing short of a game-changing moment for the home radio experimenter. The RTL might not be the best radio available, but remains a pretty good deal for only $10 from your favourite online supplier.

Having bought your RTL SDR, you will soon find yourself needing a few accessories. A decent antenna perhaps, an HF upconverter, and maybe an attenuator. To help you, [IgrikXD] has come up with a repository containing open-source implementations of all those projects and more. There’s an HF upconverter handily in both SMD and through-hole versions, as well as a wideband active antenna. A resonant antenna for a single band will always out-perfom a wideband device if your interest lies on only one frequency, but when your receiver has such a wide range as that of the RTL it’s irresistible to look further afield so the wideband antenna is a useful choice.

The RTL SDR is a device that just keeps on giving, and has featured innumerable times here since since its first appearance a few years ago. Whether you are into passive radar or using it to decode data from RF-equipped devices it’s the unit of choice, though we rather like it as a piece of inexpensive test equipment.

Via Hacker News.

Header image: Joeceads [CC BY-SA 4.0].