TEMPEST In A Software Defined Radio

In 1985, [Wim van Eck] published several technical reports on obtaining information the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox It has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.

Fail of the Week: Tracking Meteors with Weather Radio

It’s not hard to detect meteors: go outside on a clear night in a dark place and you’re bound to see one eventually. But visible light detection is limiting, and knowing that meteors leave a trail of ions means radio detection is possible. That’s what’s behind this attempt to map meteor trails using broadcast signals, which so far hasn’t yielded great results.

Passing jet’s Doppler signature

The fact that meteor trails reflect radio signals is well-known; hams use “meteor bounce” to make long-distance contacts all the time. And using commercial FM broadcast signals to map meteor activity isn’t new, either — we’ve covered the “forward scattering” technique before. The technique requires tuning into a frequency used by a distant station but not a local one and waiting for a passing meteor to bounce the distant signal back to your SDR dongle. Capturing the waterfall display for later analysis should show characteristic patterns and give you an idea of where and when the meteor passed.

[Dave Venne] is an amateur astronomer who turns his eyes and ears to the heavens just to see what he can find. [Dave]’s problem is that the commercial FM band in the Minneapolis area that he calls home is crowded, to say the least. He hit upon the idea of using the National Weather Service weather radio broadcasts at around 160 MHz as a substitute. Sadly, all he managed to capture were passing airplanes with their characteristic Doppler shift; pretty cool in its own right, but not the desired result.

The comments in the RTL-SDR.com post on [Dave]’s attempt had a few ideas on where this went wrong and how to improve it, including the intriguing idea of using 60-meter ham band propagation beacons. Now it’s Hackaday’s turn: any ideas on how to fix [Dave]’s problem? Sound off in the comments below.

CPLD-Based Synchronization of Multiple Software Defined Radios

Forgive the click bait headline, but the latest work from [Marco Bartolucci] and [José A. del Peral-Rosado] is really great. They’re using multiple HackRFs, synchronized together, with hybrid positioning algorithms to derive more precise localization accuracy. (PDF)

Like all SDRs, the HackRF can be used to solve positioning problems using WIFi, Bluetooth, 3G, 4G, and GNSS. Multiple receivers can also be used, but this requires synchronization for time-based or frequency-based ranging. [Bartolucci] and [Peral-Rosado] present a novel solution for synchronizing these HackRFs using a few convenient ports available on the board, a bit of CPLD hacking, and a GNSS receiver with a 1 pps output.

This is technically two hacks in one, the first being a sort of master and slave setup between two HackRFs. Using the Xilinx XC2C64A CPLD on board the HackRF, [Bartolucci] and [Peral-Rosado] effectively chain two devices together. The synchronization error is below one sampling period, and more than two HackRFs can be chained together with the SYNC_IN port of each connected together in parallel. Read more about it in their pull request to the HackRF codebase.

This simplest technique will not work if the HackRF receivers must be separated, which brings us to the second hack. [Bartolucci] and [Peral-Rosado] present another option in that case: using the 1 pps output of a GNNS receiver for the synchronization pulse. As long as both HackRFs can see the sky, they can act as one. Very cool!

SDR Sniffing Electric Gates

Most wireless OEM hardware traditionally use 433MHz OOK modules to exchange information. The encoding and encryption of this data stream is left as a task for the embedded software designer. In most cases, the system can be hacked using a replay attack where an RF packet is recorded and replayed to emulate a valid user. [Gilad Fride] hacked his parking gate using this technique but decided to go the extra mile of connecting it to the internet.

He used an RTL-SDR dongle and ook-decoder by [jimstudt] to sniff out the gate code and this code was tested using an Arduino. The final implementation was done around an Onion Omega which talks directly to the RF transmitter module using the fast-gpio binary. Internet connectivity was achieved using Onion Cloud API which is used to trigger the execution of code thereby sending the gate opening signal.

[Gilad Fride] uses the IFTTT Do button to provide a GUI and he demonstrates this in action using an iPhone in the video below. The project can be extended to open garage doors or turn off the lights of your room over the internet.

If you are looking to hack your home security system, look no further as SDRs have be used to communicate with wireless products effectively in the past. We are hoping manufacturers take a hint and start using better encryption.  Continue reading “SDR Sniffing Electric Gates”

Exposing Dinosaur Phone Insecurity With Software Defined Radio

Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.

It gets even more bizarre. some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.

The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.

This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.

This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.

Continue reading “Exposing Dinosaur Phone Insecurity With Software Defined Radio”

If The I And Q Of Software Defined Radio Are Your Nemesis, Read On

For those of us whose interests lie in radio, encountering our first software defined radio must have universally seemed like a miracle. Here is a surprisingly simple device, essentially a clever mixer and a set of analogue-to-digital or digital-to-analogue converters, that can import all the complex and tricky-to-set-up parts of a traditional radio to a computer, in which all signal procession can be done using software.

A quadrature mixer. Jugandi (Public domain).
A quadrature mixer. Jugandi (Public domain).

When your curiosity gets the better of you and you start to peer into the workings of a software defined radio though, you encounter something you won’t have seen before in a traditional radio. There are two mixers fed by a two local oscillators on the same frequency but with a 90 degree phase shift, and in a receiver the resulting mixer products are fed into two separate ADCs. You encounter the letters I and Q in relation to these two signal paths, and wonder what on earth all that means.

Continue reading “If The I And Q Of Software Defined Radio Are Your Nemesis, Read On”

A Full Stack GPS Receiver

The usual way of adding GPS capabilities to a project is grabbing an off-the-shelf GPS module, plugging it into a UART, and reading the stream of NMEA sentences coming out of a serial port. Depending on how much you spend on a GPS module, this is fine: the best modules out there start up quickly, and a lot of them recognize the logical AND in ITAR regulations.

For [Mike], grabbing an off-the-shelf module is out of the question. He’s building his own GPS receiver from the ground up using a bit of hardware and FPGA hacking. Already he’s getting good results, and he doesn’t have to futz around with those messy, ‘don’t build ballistic missiles’ laws.

The hardware for this build includes a Kiwi SDR ‘cape’ for the BeagleBone and a Digilent Nexus-2 FPGA board. The SDR board captures raw 1-bit samples taken at 16.268 MHz, and requires a full minute’s worth of data to be captured. That’s at least 120 Megabytes of data for the FPGA to sort through.

The software for this project first acquires the GPS signal by finding the approximate frequency and phase. The software then locks on to the carrier, figures out the phase, and receives the 50bps ‘NAV’ message that’s required to find a position solution for the antenna’s location. The first version of this software was exceptionally slow, taking over 6 hours to process 200 seconds of data. Now, [Mike] has improved the channel tracking code and made it 300 times faster. That’s real-time processing of GPS data, using commodity off-the-shelf hardware. All the software is available on the Gits, making this a project that can very easily be replicated by anyone. We would expect the US State Department or DOD to pay [Mike] a visit shortly.

Of course, this isn’t the first time someone has built a GPS receiver from scratch. A few years ago, less than 1-meter accuracy was possible with an FPGA and a homebrew RF board.