RTL-SDR: Seven Years Later

July 31, 2019 by Tom Nardi 40 Comments

Before swearing my fealty to the Jolly Wrencher, I wrote for several other sites, creating more or less the same sort of content I do now. In fact, the topical overlap was enough that occasionally those articles would get picked up here on Hackaday. One of those articles, which graced the pages of this site a little more than seven years ago, was Getting Started with RTL-SDR. The original linked article has long since disappeared, and the site it was hosted on is now apparently dedicated to Nintendo games, but you can probably get the gist of what it was about from the title alone.

When I wrote that article in 2012, the RTL-SDR project and its community were still in their infancy. It took some real digging to find out which TV tuners based on the Realtek RTL2832U were supported, what adapters you needed to connect more capable antennas, and how to compile all the software necessary to get them listening outside of their advertised frequency range. It wasn’t exactly the most user-friendly experience, and when it was all said and done, you were left largely to your own devices. If you didn’t know how to create your own receivers in GNU Radio, there wasn’t a whole lot you could do other than eavesdrop on hams or tune into local FM broadcasts.

Nearly a decade later, things have changed dramatically. The RTL-SDR hardware and software has itself improved enormously, but perhaps more importantly, the success of the project has kicked off something of a revolution in the software defined radio (SDR) world. Prior to 2012, SDRs were certainly not unobtainable, but they were considerably more expensive. Back then, the most comparable device on the market would have been the FUNcube dongle, a nearly $200 USD receiver that was actually designed for receiving data from CubeSats. Anything cheaper than that was likely to be a kit, and often operated within a narrower range of frequencies.

Today, we would argue that an RTL-SDR receiver is a must-have tool. For the cost of a cheap set of screwdrivers, you can gain access to a world that not so long ago would have been all but hidden to the amateur hacker. Let’s take a closer look at a few obvious ways that everyone’s favorite low-cost SDR has helped free the RF hacking genie from its bottle in the last few years.

Continue reading “RTL-SDR: Seven Years Later” →

A Briefcase Pentesting Rig For The Discerning Hacker

July 3, 2019 by Tom Nardi 18 Comments

In the movies, the most-high tech stuff is always built into a briefcase. It doesn’t whether whether it’s some spy gear or the command and control system for a orbiting weapons platform; when an ordinary-looking briefcase is opened up and there’s an LCD display in the top half, you know things are about to get interesting. So is it any surprise that hackers in the real-world would emulate the classic trope?

As an example, take a look at the NightPi by [Sekhan]. This all-in-one mobile penetration testing rig has everything you need to peek and poke where you aren’t supposed to, all while maintaining the outward appearance of an regular briefcase. Well, admittedly a rather utilitarian aluminum briefcase…with antennas sticking out. OK, so it might not be up to 007’s fashion standards, but it’s still pretty good.

[Sekhan] has crammed a lot of gear into the NightPi beyond the eponymous Raspberry Pi 3B+. There’s an RFID reader, an RTL-SDR dongle, an external HDD, plus the 12V battery and 5V converter to power everything. All told, it cost about $500 USD to build, though that figure is going to vary considerably depending on what your parts bins look like.

To keep things cool, [Sekhan] has smartly added some vent holes along the side of the briefcase, and a couple of fans to get the air circulating. With these cooling considerations, we imagine you should be able to run the NightPi with the lid closed without any issue. That could let you hide it under a table while you interact with its suite of tools from your phone, making the whole thing much less conspicuous. The NightPi is running Kali Linux with a smattering of additional cools to do everything from gathering data from social media to trying to capture keystrokes from mechanical keyboards with the microphone; so there’s no shortage of things to play with.

If you like the idea of carrying around a Pi-powered security Swiss Army knife but aren’t too concerned with how suspicious you look, then the very impressive SIGINT tablet we covered recently might be more your speed. Not that we think you’d have any better chance making it through the TSA unscathed with this whirring briefcase full of wires, of course.

Mobile SIGINT Hacking On A Civilian’s Budget

June 5, 2019 by Tom Nardi 19 Comments

Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.

In his talk at the recent 2019 CircleCityCon, [Josh] (who also goes by the handle [CrankyLinuxUser]) presented the RadioInstigator as an affordable way to get into the world of wireless security research beyond the traditional WiFi and Bluetooth. None of the hardware inside the device is new exactly, it’s all stuff the hacking community has had access to for a while now, but this project brings them all together under one 3D printed “roof” as it were. The end result is a surprisingly practical looking device that can be used on the go to explore huge swaths of the RF spectrum at a cost of only around $150 USD.

So what has [Josh] packed into this wireless toybox? It will probably come as little surprise to find out that the star of the show is a Raspberry Pi 3 B+, combined with a touch screen display and portable keyboard so the user can interface with the various security tools installed.

To help the RadioInstigator surf the airwaves there’s an RTL-SDR and a 2.4 Ghz nRF24LU1+ “Crazyradio”, both broken out to external antenna connectors on the outside of the device. There’s even an external SMA connector hooked up to the Pi’s GPIO pin, which can be used for low-power transmissions from 5 KHz up to 1500 MHz with rpitx. Everything is powered by a beefy 10,000 mAh battery pack which should give you plenty of loiter time to perform your investigations.

[Josh] has also written several Bash scripts which will get a trove of radio hacking tools installed on the Pi automatically, either by pulling them in through the official repositories or downloading the source and compiling them. Getting the software environment into a known-good state can be a huge time sink, so even if you don’t build your own version of the RadioInstigator, his scripts are still worth checking out.

You can do some pretty incredible things with nothing more than a Pi and an RTL-SDR, but we can’t help but notice there’s still plenty of room inside the RadioInstigator for more gear. It could be the perfect home for a Mult-RTL setup, or maybe even a VGA adapter for spoofing cell networks.

Continue reading “Mobile SIGINT Hacking On A Civilian’s Budget” →

A DIY EMC Probe From Semi-Rigid Coax And An SDR

April 24, 2019 by Dan Maloney 17 Comments

Do you have an EMC probe in your toolkit? Probably not, unless you’re in the business of electromagnetic compatibility testing or getting a product ready for the regulatory compliance process. Usually such probes are used in anechoic chambers and connected to sophisticated gear like spectrum analyzers – expensive stuff. But there are ways to probe the electromagnetic mysteries of your projects on the cheap, as this DIY EMC testing setup proves.

As with many projects, [dimtass]’ build was inspired by a video over on EEVblog, where [Dave] made a simple EMC probe from a length of semi-rigid coax cable. At $10, it’s a cheap solution, but lacking a spectrum analyzer like the one that [Dave] plugged his cheap probe into, [dimtass] went a different way. With the homemade probe plugged into an RTL-SDR dongle and SDR# running on a PC, [dimtass] was able to get a decent approximation of a spectrum analyzer, at least when tested against a 10-MHz oven-controlled crystal oscillator. It’s not the same thing as a dedicated spectrum analyzer – limited bandwidth, higher noise, and not calibrated – but it works well enough, and as [dimtass] points out, infinitely hackable through the SDR# API. The probe even works decently when plugged right into a DSO with the FFT function running.

Again, neither of these setups is a substitute for proper EMC testing, but it’ll probably do for the home gamer. If you want to check out the lengths the pros go through to make sure their products don’t spew signals, check out [Jenny]’s overview of the EMC testing process.

[via RTL-SDR.com]

Executing A Vehicle Keyless Entry Attack

March 30, 2019 by Jenny List 1 Comment

You read about well-publicised security exploits, but they always seem to involve somebody with a deity’s grasp of whatever technology is being employed, as well as a pile of impossibly exotic equipment. Surely a mere mortal could never do that!

Happily, that’s not always the case, and to prove it [Gonçalo Nespral] replicated an attack against RF devices such as some garage doors and motor vehicle locks that use a rolling code. His inspiration came from a device from2015, that encouraged the owner of a key to keep transmitting fresh codes. It did this by swamping the receiver of the car, garage door, or whatever with a strong slightly off frequency signal. This would cause the lock to not work, so the user would try again and again. The attacker listens with a very narrow bandwidth receiver on-frequency that is good enough to reject the jamming signal, and can harvest a sequence of the rolling codes enough to compromise it.

[Gonçalo]’s set-up uses a YARD stick One transceiver dongle as its transmitter, and an RTL-SDR for receive. A GNU Radio setup is used to retrieve the key data, and some custom Python code does the remaining work. We wouldn’t advocate using this in the wild and it could conceivably also gain you access to another car with a flashing light on top, but it’s an interesting exposé of the techniques involved.

Rolling code keyfob attacks are something we covered a few years ago, back when these attacks were all shiny and new.

WOPR: Security Loses Some Of Its Obscurity

March 28, 2019 by Tom Nardi 11 Comments

As we’ve seen time and time again, the word “hacker” takes on a different meaning depending on who you’re talking to. If you ask the type of person who reads this fine digital publication, they’ll probably tell you that a hacker is somebody who likes to learn how things work and who has a penchant for finding creative solutions to problems. But if you ask the average passerby on the street to describe a hacker, they might imagine somebody wearing a balaclava and pounding away at their laptop in a dimly lit abandoned warehouse. Thanks, Hollywood.

Naturally, we don’t prescribe to the idea of hackers being digital villains hell-bent on stealing your identity, but we’ll admit that there’s something of rift between what we call hacking versus what happens in the information security realm. If you see mention of Red Teams and Blue Teams on Hackaday, it’s more likely to be in reference to somebody emulating Pokemon on the ESP32 than anything to do with penetration testing. We’re not entirely sure where this fragmentation of the hacking community came from, but it’s definitely pervasive.

In an attempt bridge the gap, the recent WOPR Summit brought together talks and presentations from all sections of the larger hacking world. The goal of the event was to show that the different facets of the community have far more in common than they might realize, and featured a number of talks that truly blurred the lines. The oscilloscope toting crew learned a bit about the covert applications of their gadgets, and the high-level security minded individuals got a good look at how the silicon sausage gets made.

Two of these talks which should particularly resonate with the Hackaday crowd were Charles Sgrillo’s An Introduction to IoT Penetration Testing and Ham Hacks: Breaking into Software Defined Radio by Kelly Albrink. These two presentations dealt with the security implications of many of the technologies we see here at Hackaday on what seems like a daily basis: Bluetooth Low Energy (BLE), Software Defined Radio (SDR), home automation, embedded Linux firmware, etc. Unfortunately, the talks were not recorded for the inaugural WOPR Summit, but both presenters were kind of enough to provide their slides for reference.

Continue reading “WOPR: Security Loses Some Of Its Obscurity” →

Automated Radiosonde Tracking Via Open Source

February 10, 2019 by Lewin Day 3 Comments

Meteorological organisations across the world launch weather balloons on a regular basis as a part of their work in predicting whether or not it will rain on the weekend. Their payloads are called radiosondes, and these balloons deliver both telemetry and location data throughout their flightpath. Hobbyists around the globe have devoted time and effort to tracking and decoding these signals, and now it’s possible to do it all automatically, thanks to Radiosonde Auto RX.

The basis of the project is the RTL-SDR, everyone’s favourite low-cost software defined radio receiver. In this case, software is used to first hunt for potential radiosonde signals, before then decoding them and uploading the results to a variety of online services. Some of these are designed for simple tracking, while others are designed for live chase and recovery operations. Currently, the software only covers 3 varieties of radiosonde, but the team are eager to expand the project and have requested donations of other radiosondes for research purposes.

The team recently conducted a talk at linux.conf.au regarding the project, which goes into detail as to the decoding and tracking of the radiosonde data. If you’re eager to try it out, download the software, fetch your TV dongle and get cracking. You might also consider tracking cubesats while you’re at it. Video after the break.

via [crazyoperator], thanks to Slds Ernesto for the tip!

Continue reading “Automated Radiosonde Tracking Via Open Source” →