The Death Of A Weather Satellite As Seen By SDR

What is this world coming to when a weather satellite that was designed for a two-year mission starts to fail 21 years after launch? I mean, really — where’s the pride these days?

All kidding aside, it seems like NOAA-15, a satellite launched in 1998 to monitor surface temperatures and other meteorologic and climatologic parameters, has recently started showing its age. This is the way of things, and generally the decommissioning of a satellite is of little note to the general public, except possibly when it deorbits in a spectacular but brief display across the sky.

But NOAA-15 and her sister satellites have a keen following among a community of enthusiasts who spend their time teasing signals from them as they whiz overhead, using homemade antennas and cheap SDR receivers. It was these hobbyists who were among the first to notice NOAA-15’s woes, and over the past weeks they’ve been busy alternately lamenting and celebrating as the satellite’s signals come and go. Their on-again, off-again romance with the satellite is worth a look, as is the what exactly is going wrong with this bird in the first place.

Continue reading “The Death Of A Weather Satellite As Seen By SDR”

RTL-SDR: Seven Years Later

Before swearing my fealty to the Jolly Wrencher, I wrote for several other sites, creating more or less the same sort of content I do now. In fact, the topical overlap was enough that occasionally those articles would get picked up here on Hackaday. One of those articles, which graced the pages of this site a little more than seven years ago, was Getting Started with RTL-SDR. The original linked article has long since disappeared, and the site it was hosted on is now apparently dedicated to Nintendo games, but you can probably get the gist of what it was about from the title alone.

An “Old School” RTL-SDR Receiver

When I wrote that article in 2012, the RTL-SDR project and its community were still in their infancy. It took some real digging to find out which TV tuners based on the Realtek RTL2832U were supported, what adapters you needed to connect more capable antennas, and how to compile all the software necessary to get them listening outside of their advertised frequency range. It wasn’t exactly the most user-friendly experience, and when it was all said and done, you were left largely to your own devices. If you didn’t know how to create your own receivers in GNU Radio, there wasn’t a whole lot you could do other than eavesdrop on hams or tune into local FM broadcasts.

Nearly a decade later, things have changed dramatically. The RTL-SDR hardware and software has itself improved enormously, but perhaps more importantly, the success of the project has kicked off something of a revolution in the software defined radio (SDR) world. Prior to 2012, SDRs were certainly not unobtainable, but they were considerably more expensive. Back then, the most comparable device on the market would have been the FUNcube dongle, a nearly $200 USD receiver that was actually designed for receiving data from CubeSats. Anything cheaper than that was likely to be a kit, and often operated within a narrower range of frequencies.

Today, we would argue that an RTL-SDR receiver is a must-have tool. For the cost of a cheap set of screwdrivers, you can gain access to a world that not so long ago would have been all but hidden to the amateur hacker. Let’s take a closer look at a few obvious ways that everyone’s favorite low-cost SDR has helped free the RF hacking genie from its bottle in the last few years.

Continue reading “RTL-SDR: Seven Years Later”

Drone On Drone Warfare, With Jammers

After the alleged drone attacks on London Gatwick airport in 2018 we’ve been on the look out for effective countermeasures against these rogue drone operators. An interesting solution has been created by [Ogün Levent] in Turkey and is briefly documented on in his Dronesense page on Crowdsupply. There’s a few gaps in the write up due to non-disclosure agreements, but we might well be able to make some good guesses as to the missing content.

Not one, but two LimeSDRs are sent off into the air onboard a custom made drone to track down other drones and knock them out by jamming their signals, which is generally much safer than trying to fire air to air guided missiles at them!

The drone hardware used by [Ogün Levent] and his team is a custom-made S600 frame with T-Motor U3 motors and a 40 A speed controller, with a takeoff weight of 5 kg. An Adventech single board computer is the master controller with a Pixhawk secondary and, most importantly, a honking great big 4 W, 2.4 GHz frequency jammer with a range of 1200 meters.

The big advantage of sending out a hunter drone with countermeasures rather than trying to do it on the ground is that, being closer to the drone, the power of the jammer can be reduced, thus creating less disturbance to other RF devices in the area – the rogue drone is specifically targeted.

One of the LimeSDRs runs a GNU radio flowgraph with a specially designed block for detecting the rogue drone’s frequency modulation signature with what seems to be a machine learning classification script. The other LimeSDR runs another *secret* flowgraph and a custom script running on the SBC combines the two flowgraphs together.

So now it’s the fun part, what does the second LimeSDR do? Some of the more obvious problems with the overall concept is that the drone will jam itself and the rogue drone might already have anti-jamming capabilities installed, in which case it will just return to home. Maybe the second SDR is there to track the drone as it returns home and thereby catch the human operator? Answers/suggestions in the comments below! Video after the break. Continue reading “Drone On Drone Warfare, With Jammers”

Inside The Mysterious Global Navigation Outage You Probably Didn’t Notice

The entire world has come to depend on satellite navigation systems in the forty or so years since the first Global Positioning System satellites took to orbit. Modern economies have been built on the presumption that people and assets can be located to within a meter or better anywhere on, above, or even slightly under the surface of the planet. For years, GPS was the only way to do that, but billions have been sunk into fielding other global navigation systems, achieving a measure of independence from GPS and to putting in place some badly needed redundancy in case of outages, like that suffered by the European Union’s Galileo system recently.

The problem with Galileo, the high-accuracy public access location system that’s optimized for higher latitudes, seems to be resolved as of this writing. The EU has been tight-lipped about the outage, however, leaving investigation into its root cause to a few clever hackers armed with SDRs and comprehensive knowledge of exactly how a constellation of satellites can use the principles of both general and special relativity to point you to your nearest Starbucks.

Continue reading “Inside The Mysterious Global Navigation Outage You Probably Didn’t Notice”

A Briefcase Pentesting Rig For The Discerning Hacker

In the movies, the most-high tech stuff is always built into a briefcase. It doesn’t whether whether it’s some spy gear or the command and control system for a orbiting weapons platform; when an ordinary-looking briefcase is opened up and there’s an LCD display in the top half, you know things are about to get interesting. So is it any surprise that hackers in the real-world would emulate the classic trope?

As an example, take a look at the NightPi by [Sekhan]. This all-in-one mobile penetration testing rig has everything you need to peek and poke where you aren’t supposed to, all while maintaining the outward appearance of an regular briefcase. Well, admittedly a rather utilitarian aluminum briefcase…with antennas sticking out. OK, so it might not be up to 007’s fashion standards, but it’s still pretty good.

[Sekhan] has crammed a lot of gear into the NightPi beyond the eponymous Raspberry Pi 3B+. There’s an RFID reader, an RTL-SDR dongle, an external HDD, plus the 12V battery and 5V converter to power everything. All told, it cost about $500 USD to build, though that figure is going to vary considerably depending on what your parts bins look like.

To keep things cool, [Sekhan] has smartly added some vent holes along the side of the briefcase, and a couple of fans to get the air circulating. With these cooling considerations, we imagine you should be able to run the NightPi with the lid closed without any issue. That could let you hide it under a table while you interact with its suite of tools from your phone, making the whole thing much less conspicuous. The NightPi is running Kali Linux with a smattering of additional cools to do everything from gathering data from social media to trying to capture keystrokes from mechanical keyboards with the microphone; so there’s no shortage of things to play with.

If you like the idea of carrying around a Pi-powered security Swiss Army knife but aren’t too concerned with how suspicious you look, then the very impressive SIGINT tablet we covered recently might be more your speed. Not that we think you’d have any better chance making it through the TSA unscathed with this whirring briefcase full of wires, of course.

An SDR Transceiver The Old-School Way

Software-defined radios or SDRs have provided a step-change in the way we use radio. From your FM broadcast receiver which very likely now has single-application SDR technology embedded in a chip through to the all-singing-all-dancing general purpose SDR you’d find on an experimenter’s bench, control over signal processing has moved from the analogue domain into the digital. The possibilities are limitless, and some of the old ways of building a radio now seem antiquated.

[Pete Juliano N6QW] is an expert radio home-brewer of very long standing, and he’s proved there’s plenty of scope for old-fashioned radio homebrewing in an SDR with his RADIG project.  It’s an SDR transceiver for HF which does all the work of quadrature splitting and mixing with homebrewed modules rather than the more usual technique of hiding it in an SDR chip. It’s a very long read in a diary format from the bottom up, and what’s remarkable is that he’s gone from idea to working SDR over the space of about three weeks.

A block diagram of the N6QW SDR
A block diagram of the N6QW SDR

So what goes into a homebrew SDR? Both RF preamplifier, filters, and PA are conventional as you might expect, switched between transmit and receive with relays. A common transmit and receive signal path is split into two and fed to a pair of ADE-1 mixers where they are mixed with quadrature local oscillator signals to produce I and Q that is fed to (or from in the case of transmit) a StarTech sound card. The local oscillator is an Si5351 synthesiser chip in the form of an SDR-Kits USB-driven module, and the 90 degree phased quadrature signals are generated with a set of 74AC74 flip-flops as a divider.

Running the show is a Raspberry Pi running Quisk, and though he mentions using a Teensy to control the Si5351 at the start of his diary it seems from the pictures of the final radio that the Pi has taken on that work. It’s clear that this is very much an experimental radio as it stands with wired-together modules on a wooden board, so we look forward to whatever refinements will come. This has the feel of a design that could eventually be built by many other radio amateurs, so it’s fascinating to be in at the start.

If I and Q leave you gasping when it comes to SDR technology, maybe we can help.

Thanks [Bill Meara N2CQR] for the tip!

Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.