Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers

October 27, 2021 by Dan Maloney 30 Comments

Good news, everyone! Security researcher [Mordechai Guri] has given us yet another reason to look askance at our computers and wonder who might be sniffing in our private doings.

This time, your suspicious gaze will settle on the lowly Ethernet cable, which he has used to exfiltrate data across an air gap. The exploit requires almost nothing in the way of fancy hardware — he used both an RTL-SDR dongle and a HackRF to receive the exfiltrated data, and didn’t exactly splurge on the receiving antenna, which was just a random chunk of wire. The attack, dubbed “LANtenna”, does require some software running on the target machine, which modulates the desired data and transmits it over the Ethernet cable using one of two methods: by toggling the speed of the network connection, or by sending raw UDP packets. Either way, an RF signal is radiated by the Ethernet cable, which was easily received and decoded over a distance of at least two meters. The bit rate is low — only a few bits per second — but that may be all a malicious actor needs to achieve their goal.

To be sure, this exploit is quite contrived, and fairly optimized for demonstration purposes. But it’s a pretty effective demonstration, but along with the previously demonstrated hard drive activity lights, power supply fans, and even networked security cameras, it adds another seemingly innocuous element to the list of potential vectors for side-channel attacks.

[via The Register]

Raspberry Pi Tablet Gets Radio Surgical Enhancement

October 20, 2021 by Al Williams 27 Comments

We always get excited when we buy a new tablet. But after a few months, it usually winds up at the bottom of a pile of papers on the credenza, a victim of not being as powerful as our desktop computers and not being as convenient as our phones. However, if you don’t mind a thick tablet, you can get the RasPad enclosure to fit around your own Raspberry Pi so it can be used as a tablet. Honestly, we weren’t that impressed until we saw [RTL-SDR] add an SDR dongle inside the case, making it a very portable Raspberry Pi SDR platform.

The box is a little interesting by itself, although be warned it costs over $200. For that price you get an LCD and driver board, a battery system, speakers, and an SD extension slot with some control buttons for volume and brightness. There’s a video of the whole setup (in German) below.

Continue reading “Raspberry Pi Tablet Gets Radio Surgical Enhancement” →

Phase Coherent Beamforming SDR

August 4, 2021 by Al Williams 16 Comments

The days when software defined radio techniques were exotic are long gone, and we don’t miss them one bit. A case in point: [Laakso Mikko’s] research group has built a multichannel receiver using 21 cheap RTL-SDR dongles to create a phase coherent array. This is useful for everything from direction finding and passive radar or beam forming. The code is also available on GitHub.

The phase coherence does require the dongle’s tuner can turn off dithering. That means the code only works with dongles that use the R820T/2. The project modifies the dongles to use a common clock and a switchable reference noise generator.

Continue reading “Phase Coherent Beamforming SDR” →

Tuning Into Medical Implants With The RTL-SDR

July 11, 2021 by Tom Nardi 12 Comments

With a bit of luck, you’ll live your whole life without needing an implanted medical device. But if you do end up getting the news that your doctor will be installing an active transmitter inside your body, you might as well crack out the software defined radio (SDR) and see if you can’t decode its transmission like [James Wu] recently did.

Before the Medtronic Bravo Reflux Capsule was attached to his lower esophagus, [James] got a good look at a demo unit of the pencil-width gadget. Despite the medical technician telling him the device used a “Bluetooth-like” communications protocol to transmit his esophageal pH to a wearable receiver, the big 433 emblazoned on the hardware made him think it was worth taking a closer look at the documentation. Sure enough, its entry in the FCC database not only confirmed the radio transmitted a 433.92 MHz OOK-PWM encoded signal, but it even broke down the contents of each packet. If only it was always that easy, right?

The 433 ended up being a coincidence, but it got him on the right track.

Of course he still had to put this information into practice, so the next step was to craft a configuration file for the popular rtl_433 program which split each packet into its principle parts. This part of the write-up is particularly interesting for those who might be looking to pull data in from their own 433 MHz sensors, medical or otherwise

Unfortunately, there was still one piece of the puzzle missing. [James] knew which field was the pH value from the FCC database, but the 16-bit integer he was receiving didn’t make any sense. After some more research into the hardware, which uncovered another attempt at decoding the transmissions from the early days of the RTL-SDR project, he realized what he was actually seeing was the combination of two 8-bit pH measurements that are sent out simultaneously.

We were pleasantly surprised to see how much public information [James] was able to find about the Medtronic Bravo Reflux Capsule, but in a perfect world, this would be the norm. You deserve to know everything there is to know about a piece of electronics that’s going to be placed inside your body, but so far, the movement towards open hardware medical devices has struggled to gain much traction.

The Evil Crow Is Ready To Cause Some RF Mayhem

April 27, 2021 by Tom Nardi 34 Comments

There’s no doubt that the RTL-SDR project has made radio hacking more accessible than ever, but there’s only so far you can go with a repurposed TV tuner. Obviously the biggest shortcoming is the fact that you can only listen to signals, and not transmit them. If you’re ready to reach out and touch someone, but don’t necessarily want to spend the money on something like the HackRF, the Evil Crow RF might be your ideal next step.

This Creative Commons licensed board combines two CC1101 radio transceivers and an ESP32 in one handy package. The radios give you access to frequencies between 300 and 928 MHz (with some gaps), and the fact that there are two of them means you can listen on one frequency while transmitting on another; opening up interesting possibilities for relaying signals. With the standard firmware you connect to a web interface running on the ESP32 to configure basic reception and transmission options, but there’s also a more advanced RFQuack firmware that allows you to control the hardware via Python running on the host computer.

Using the Evil Crow RF without a computer.

One particularly nice feature is the series of buttons located down the side of the Evil Crow RF. Since the device is compatible with the Arduino IDE, you can easily modify the firmware to assign various functions or actions to the buttons.

In a demonstration by lead developer [Joel Serna], the physical buttons are used to trigger a replay attack while the device is plugged into a standard USB power bank. There’s a lot of potential there for covert operation, which makes sense, as the device was designed with pentesters in mind.

As an open source project you’re free to spin up your own build of the Evil Crow RF, but those looking for a more turn-key experience can order an assembled board from AliExpress for $27 USD. This approach to hardware manufacturing seems to be getting popular among the open source crowd, with the Open-SmartWatch offering a similar option.

[Thanks to DJ Biohazard for the tip.]

Tightly Packed Raspberry Pi Tricorder Impresses

April 15, 2021 by Tom Nardi 22 Comments

We’ll say upfront that we don’t have nearly as much information about this 3D printed Star Trek: The Next Generation tricorder as we’d like. But from the image galleries [Himmelen] has posted we know it’s running on the Raspberry Pi Zero W, has a color LCD in addition to a monochrome OLED, and that it’s absolutely packed with gear.

So far, [Himmelen] has fit an NESDR RTL-SDR dongle, a GPS receiver, an accelerometer, and the battery charging circuitry in the top half of the case. Calling it a tight fit would be something of an understatement, especially when you take into account all the wires snaking around in there. But as mentioned in the Reddit thread about the device, a custom PCB backplane of sorts is in the works so all these modules will have something a little neater to plug into.

There are a lot of fantastic little details in this build that have us very excited to see it cross the finish line. The female USB port that’s been embedded into the top of the device is a nice touch, as it will make it easy to add storage or additional hardware in the field. We also love the keyboard, made up of 30 individual tact switches with 3D printed caps. It’s hard to imagine what actually typing on such an input device would be like, but even if each button just fired off its own program or function, we’d be happy.

Judging by the fact that the LCD shows the Pi sitting at a login prompt in all the images, we’re going to go out on a limb and assume [Himmelen] hasn’t gotten to writing much software for this little gadget yet. Once the hardware is done and it’s time to start pushing pixels though, something like Pygame could be used to make short work of a LCARS-style user interface that would fit the visual style of The Next Generation. In fact, off the top of our heads we can think of a few turn-key projects out there designed for creating Trek UIs, though the relatively limited computational power of the Pi Zero might be a problem.

We’ve seen several projects that tried to turn the iconic tricorder into a functional device. Some have focused on the arguably more recognizable Next Generation style such as this one, and others have targeted the more forgiving brick-shaped unit from Kirk and Spock’s era. The Wand Company is even working on a officially licensed tricorder that will supposedly be as close to we can get to the real thing with modern tech and a $250 USD price tag, though we’d wager COVID has slowed progress down on that one. In any event, whether you build it or buy it, the tricorder seems destined to become reality before too long.

Fan-tastic Misuse Of Raspberry Pi GPIO

April 6, 2021 by Stephen Ogier 36 Comments

[River] is a big fan of home automation. After moving into a new house, he wanted to assimilate two wirelessly controlled fan lights into his home automation system. The problem was this: although the fans were wireless, their frequency and protocol were incompatible with the home automation system.

Step one was to determine the frequency the fan’s remote used. Although public FCC records will reveal the frequency of operation, [River] thought it would be faster to use an inexpensive USB RTL-SDR with the Spektrum program to sweep the range of likely frequencies, and quickly found the fans speak 304.2 MHz.

Next was to reverse-engineer the protocol. Universal Radio Hacker is a tool designed to make deciphering unknown wireless protocols relatively painless using an RTL-SDR. [River] digitized a button press with it and immediately recognized it as simple on-off keying (OOK). With that knowledge, he digitized the radio commands from all seven buttons and was quickly able to reverse-engineer the entire protocol.

[River] wanted to use a Raspberry Pi to bring the fans into his home automation system, but the Raspberry Pi doesn’t have a 304.2 MHz radio. What it does have is user-programmable GPIO and the rpitx package, which converts a GPIO pin into a basic radio transmitter. Of course, the Pi’s GPIO pin’s aren’t long enough to efficiently transmit at 304.2 MHz, so [River] added a proper antenna, as well as a low-pass filter to clean up the transmitted signal. The rpitx package supports OOK out of the box, so [River] was quickly able get the Pi controlling his fan in no time!

If you’d like to do some more low-cost home automation, check out this approach to using a Raspberry Pi to control some bargain-bin smart plugs.