Drone On Drone Warfare, With Jammers

After the alleged drone attacks on London Gatwick airport in 2018 we’ve been on the lookout for effective countermeasures against these rogue drone operators. An interesting solution has been created by [Ogün Levent] in Turkey and is briefly documented on his Dronesense page on Crowdsupply. There are a few gaps in the write-up due to non-disclosure agreements, but we might well be able to make some good guesses as to the missing content.

Not one, but two LimeSDRs are sent into the air aboard a custom-made drone to track down other drones and knock them out by jamming their signals, which is generally much safer than trying to fire air-to-air guided missiles at them!

The drone hardware used by [Ogün Levent] and his team is a custom-made S600 frame with T-Motor U3 motors and a 40 A speed controller, with a takeoff weight of 5 kg. An Adventech single-board computer is the master controller with a Pixhawk as secondary and, most importantly, a honking great big 4 W, 2.4 GHz jammer with a range of 1200 meters.

The big advantage of sending out a hunter drone with countermeasures rather than jamming from the ground is that, being much closer to the rogue drone, the jammer can run at lower power and so cause less disturbance to other 2.4 GHz devices in the area: the rogue drone is specifically targeted.

One of the LimeSDRs runs a GNU Radio flowgraph with a specially designed block for detecting the rogue drone’s frequency modulation signature, using what seems to be a machine learning classification script. The other LimeSDR runs another *secret* flowgraph, and a custom script on the SBC combines the two.

So now it’s the fun part: what does the second LimeSDR do? Some of the more obvious problems with the overall concept are that the hunter drone will jam itself if its own control or telemetry link shares the 2.4 GHz band, and that the rogue drone might already have anti-jamming capabilities installed, in which case it will simply return to home. Maybe the second SDR is there to track the drone as it returns home and thereby catch the human operator? Answers/suggestions in the comments below! Video after the break.
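To put numbers on the two points above (lower jammer power when the hunter is close, and the hunter jamming itself), here is an added free-space link-budget calculation written for this page; it is not code from [Ogün Levent]’s project. The controller powers and distances are constructed assumptions, both antennas are taken as 0 dBi, and free-space loss is only a rough model, but the ratios it produces do not depend on those details.

```go
package main

import (
	"fmt"
	"math"
)

const speedOfLight = 299792458.0

// fsplDB is the free-space path loss in dB between isotropic antennas:
// 20*log10(4*pi*d*f/c). At 2.4 GHz this is about 40 dB at 1 m and grows
// 20 dB per decade of distance (approximate inside a few wavelengths).
func fsplDB(dMetres, fHz float64) float64 {
	return 20 * math.Log10(4*math.Pi*dMetres*fHz/speedOfLight)
}

func wattsToDBm(w float64) float64   { return 10 * math.Log10(w*1000) }
func dBmToWatts(dBm float64) float64 { return math.Pow(10, dBm/10) / 1000 }

// receivedDBm is the power a receiver sees from a txWatts transmitter at
// dMetres, assuming 0 dBi antennas at both ends and a clear path.
func receivedDBm(txWatts, dMetres, fHz float64) float64 {
	return wattsToDBm(txWatts) - fsplDB(dMetres, fHz)
}

// jsRatioDB is the jamming-to-signal ratio at a victim receiver that hears
// a jammer (jamWatts at jamDist) and its own controller (sigWatts at sigDist).
func jsRatioDB(jamWatts, jamDist, sigWatts, sigDist, fHz float64) float64 {
	return receivedDBm(jamWatts, jamDist, fHz) - receivedDBm(sigWatts, sigDist, fHz)
}

// requiredJammerWatts is the jammer power needed to reach jsTargetDB at that
// receiver from jamDist. Halving the distance cuts the requirement fourfold.
func requiredJammerWatts(jsTargetDB, jamDist, sigWatts, sigDist, fHz float64) float64 {
	needDBm := receivedDBm(sigWatts, sigDist, fHz) + jsTargetDB + fsplDB(jamDist, fHz)
	return dBmToWatts(needDBm)
}

func main() {
	const f = 2.4e9
	// Constructed scenario (assumption): the rogue drone's 100 mW controller
	// is 500 m away from it; the hunter carries the 4 W jammer from the post.
	fmt.Printf("J/S at the rogue drone, jammer at 1200 m: %.1f dB\n", jsRatioDB(4, 1200, 0.1, 500, f))
	fmt.Printf("J/S at the rogue drone, jammer at  100 m: %.1f dB\n", jsRatioDB(4, 100, 0.1, 500, f))
	fmt.Printf("power for 10 dB J/S: %.2f W at 1200 m, %.3f W at 100 m\n",
		requiredJammerWatts(10, 1200, 0.1, 500, f),
		requiredJammerWatts(10, 100, 0.1, 500, f))
	// Self-jamming: the hunter's own receiver sits perhaps 0.5 m from its
	// jammer while its controller (assumed 500 mW) is 1 km away. Any 2.4 GHz
	// link on the hunter is buried unless it is moved to another band.
	fmt.Printf("J/S at the hunter's own 2.4 GHz receiver: %.0f dB\n", jsRatioDB(4, 0.5, 0.5, 1000, f))
}
```

Running this shows the 4 W jammer giving only single-digit dB of margin at 1200 m but around 30 dB at 100 m, and the power needed for a fixed margin falling with the square of the distance, which is the whole case for putting the jammer on a drone. The last line is the caveat: the hunter’s own receiver sees its jammer some 75 dB above a distant controller, so the control link has to live somewhere other than 2.4 GHz.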

Inside The Mysterious Global Navigation Outage You Probably Didn’t Notice

The entire world has come to depend on satellite navigation systems in the forty or so years since the first Global Positioning System satellites took to orbit. Modern economies have been built on the presumption that people and assets can be located to within a meter or better anywhere on, above, or even slightly under the surface of the planet. For years, GPS was the only way to do that, but billions have been sunk into fielding other global navigation systems, both to achieve a measure of independence from GPS and to put in place some badly needed redundancy in case of outages, like the one recently suffered by the European Union’s Galileo system.

The problem with Galileo, the high-accuracy public access location system that’s optimized for higher latitudes, seems to be resolved as of this writing. The EU has been tight-lipped about the outage, however, leaving investigation into its root cause to a few clever hackers armed with SDRs and comprehensive knowledge of exactly how a constellation of satellites can use the principles of both general and special relativity to point you to your nearest Starbucks.


A Briefcase Pentesting Rig For The Discerning Hacker

In the movies, the most high-tech stuff is always built into a briefcase. It doesn’t matter whether it’s some spy gear or the command and control system for an orbiting weapons platform; when an ordinary-looking briefcase is opened up and there’s an LCD display in the top half, you know things are about to get interesting. So is it any surprise that hackers in the real world would emulate the classic trope?

As an example, take a look at the NightPi by [Sekhan]. This all-in-one mobile penetration testing rig has everything you need to peek and poke where you aren’t supposed to, all while maintaining the outward appearance of a regular briefcase. Well, admittedly a rather utilitarian aluminum briefcase…with antennas sticking out. OK, so it might not be up to 007’s fashion standards, but it’s still pretty good.

[Sekhan] has crammed a lot of gear into the NightPi beyond the eponymous Raspberry Pi 3B+. There’s an RFID reader, an RTL-SDR dongle, an external HDD, plus the 12V battery and 5V converter to power everything. All told, it cost about $500 USD to build, though that figure is going to vary considerably depending on what your parts bins look like.

To keep things cool, [Sekhan] has smartly added some vent holes along the side of the briefcase, and a couple of fans to get the air circulating. With these cooling considerations, we imagine you should be able to run the NightPi with the lid closed without any issue. That could let you hide it under a table while you interact with its suite of tools from your phone, making the whole thing much less conspicuous. The NightPi is running Kali Linux with a smattering of additional tools to do everything from gathering data from social media to trying to capture keystrokes from mechanical keyboards with the microphone, so there’s no shortage of things to play with.

If you like the idea of carrying around a Pi-powered security Swiss Army knife but aren’t too concerned with how suspicious you look, then the very impressive SIGINT tablet we covered recently might be more your speed. Not that we think you’d have any better chance making it through the TSA unscathed with this whirring briefcase full of wires, of course.

An SDR Transceiver The Old-School Way

Software-defined radios or SDRs have provided a step-change in the way we use radio. From your FM broadcast receiver which very likely now has single-application SDR technology embedded in a chip through to the all-singing-all-dancing general purpose SDR you’d find on an experimenter’s bench, control over signal processing has moved from the analogue domain into the digital. The possibilities are limitless, and some of the old ways of building a radio now seem antiquated.

[Pete Juliano N6QW] is an expert radio home-brewer of very long standing, and he’s proved there’s plenty of scope for old-fashioned radio homebrewing in an SDR with his RADIG project.  It’s an SDR transceiver for HF which does all the work of quadrature splitting and mixing with homebrewed modules rather than the more usual technique of hiding it in an SDR chip. It’s a very long read in a diary format from the bottom up, and what’s remarkable is that he’s gone from idea to working SDR over the space of about three weeks.

A block diagram of the N6QW SDR

So what goes into a homebrew SDR? The RF preamplifier, filters, and PA are conventional, as you might expect, switched between transmit and receive with relays. A common transmit and receive signal path is split in two and fed to a pair of ADE-1 mixers, where it is mixed with quadrature local oscillator signals to produce the I and Q that are fed to (or, on transmit, come from) a StarTech sound card. The local oscillator is an Si5351 synthesiser chip in the form of an SDR-Kits USB-driven module, and the 90-degree phased quadrature signals are generated with a set of 74AC74 flip-flops acting as a divider.

Running the show is a Raspberry Pi running Quisk, and though he mentions using a Teensy to control the Si5351 at the start of his diary it seems from the pictures of the final radio that the Pi has taken on that work. It’s clear that this is very much an experimental radio as it stands with wired-together modules on a wooden board, so we look forward to whatever refinements will come. This has the feel of a design that could eventually be built by many other radio amateurs, so it’s fascinating to be in at the start.

If I and Q leave you gasping when it comes to SDR technology, maybe we can help.
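As an added illustration of what the quadrature arrangement buys you (code written for this page, not [Pete Juliano]’s), the simulation below models the flip-flop divider feeding two mixers and shows why a single mixer cannot tell a signal above the LO from one below it, while the I and Q pair can. The sample rate, the LO frequency and the crude boxcar low-pass are assumptions chosen to keep the numbers easy to follow; the divide-by-four wiring of the 74AC74s is the usual arrangement and is assumed here, since the diary does not spell it out.

```go
package main

import (
	"fmt"
	"math"
)

const (
	fs     = 96000.0 // sound-card sample rate, Hz (assumption)
	fLO    = 12000.0 // local oscillator, Hz (kept low so the maths is visible)
	lpfLen = 48      // boxcar length: nulls every fs/48 = 2 kHz, so the
	                 // sum products near 2*fLO = 24 kHz are suppressed
)

// quadratureDivider models two 74AC74 D flip-flops as a divide-by-four
// Johnson counter clocked at 4*fLO. Both outputs are square waves at fLO
// and the second lags the first by one clock, i.e. a quarter cycle (90°).
func quadratureDivider(clocks int) (i, q []int) {
	a, b := 0, 0
	for k := 0; k < clocks; k++ {
		a, b = 1-b, a // D of stage A = /Q of stage B; D of stage B = Q of stage A
		i = append(i, a)
		q = append(q, b)
	}
	return i, q
}

// tone is a constructed RF input: a unit-amplitude carrier at fHz.
func tone(fHz float64, n int) []float64 {
	x := make([]float64, n)
	for k := range x {
		x[k] = math.Cos(2 * math.Pi * fHz * float64(k) / fs)
	}
	return x
}

// movingAverage is a boxcar FIR, "valid" region only (len(x)-L+1 outputs).
func movingAverage(x []float64, L int) []float64 {
	out := make([]float64, 0, len(x)-L+1)
	sum := 0.0
	for n, v := range x {
		sum += v
		if n >= L {
			sum -= x[n-L]
		}
		if n >= L-1 {
			out = append(out, sum/float64(L))
		}
	}
	return out
}

// lowpass is two boxcar passes: a crude stand-in for the sound card's input filter.
func lowpass(x []float64) []float64 { return movingAverage(movingAverage(x, lpfLen), lpfLen) }

// quadratureMix is the pair of ADE-1 mixers: the same RF multiplied by the
// in-phase LO (cos) and by the quadrature LO (-sin), each then low-passed.
// Together the outputs form the complex baseband z = I + jQ.
func quadratureMix(rf []float64) (i, q []float64) {
	iRaw := make([]float64, len(rf))
	qRaw := make([]float64, len(rf))
	for n, x := range rf {
		phase := 2 * math.Pi * fLO * float64(n) / fs
		iRaw[n] = x * math.Cos(phase)
		qRaw[n] = -x * math.Sin(phase)
	}
	return lowpass(iRaw), lowpass(qRaw)
}

// basebandFreq estimates the signed frequency of I+jQ from the mean phase
// step between samples (the angle of z[n]*conj(z[n-1])). Positive means the
// signal sat above the LO (upper sideband), negative means below it.
func basebandFreq(i, q []float64) float64 {
	acc := 0.0
	for n := 1; n < len(i); n++ {
		re := i[n]*i[n-1] + q[n]*q[n-1]
		im := q[n]*i[n-1] - i[n]*q[n-1]
		acc += math.Atan2(im, re)
	}
	return acc / float64(len(i)-1) * fs / (2 * math.Pi)
}

func main() {
	const n = 4800 // 50 ms of samples
	for _, offset := range []float64{+1000, -1000} {
		i, q := quadratureMix(tone(fLO+offset, n))
		fmt.Printf("tone at LO%+.0f Hz -> baseband %.0f Hz\n", offset, basebandFreq(i, q))
	}
	iDiv, qDiv := quadratureDivider(8)
	fmt.Println("divider I:", iDiv, "Q:", qDiv)
}
```

The I channel comes out identical for the two tones, which is exactly the image problem of a single-mixer direct-conversion receiver; only with Q alongside it does the baseband rotate one way for the upper sideband and the other way for the lower, and Quisk’s DSP does its sideband selection on precisely that.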

Thanks [Bill Meara N2CQR] for the tip!

Impersonate The President With Consumer-Grade SDR

In October of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent by somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen-page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and a USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell running modified software. Everything was performed inside a Faraday cage to prevent the fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain that it’s authentic before showing it to the user.
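The signature check the paper proposes, as an added example for this page (not code from the CU Boulder team or from any handset vendor): the alert structure, the Ed25519 key pair and the duplicate-ID rule are all assumptions made for illustration, and the real over-the-air encoding is not modelled. The radio still accepts every message, matching the paper’s finding; the check only decides whether it reaches the screen.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Alert is a simplified stand-in for a CMAS message. The real 3GPP encoding
// is not modelled; this field set is an assumption for the example.
type Alert struct {
	MessageID uint16 // identifier, also used here to suppress replays
	Class     string // e.g. "presidential"
	Text      string
	Sig       []byte // Ed25519 signature over payload()
}

// payload is the canonical byte string that gets signed. Every field is
// length-prefixed so that ("ab","c") and ("a","bc") cannot collide.
func (a Alert) payload() []byte {
	buf := make([]byte, 2)
	binary.BigEndian.PutUint16(buf, a.MessageID)
	for _, s := range []string{a.Class, a.Text} {
		l := make([]byte, 2)
		binary.BigEndian.PutUint16(l, uint16(len(s)))
		buf = append(buf, l...)
		buf = append(buf, s...)
	}
	return buf
}

// sign is what the originating authority would do before handing the alert
// to the carriers; the handset never holds this private key.
func sign(priv ed25519.PrivateKey, a *Alert) { a.Sig = ed25519.Sign(priv, a.payload()) }

// Handset is the phone side: the baseband still receives everything, but
// nothing reaches the screen without a valid signature from the trusted key.
type Handset struct {
	trusted ed25519.PublicKey // provisioned with the OS, like a root certificate
	seen    map[uint16]bool
}

func NewHandset(pub ed25519.PublicKey) *Handset {
	return &Handset{trusted: pub, seen: map[uint16]bool{}}
}

// Display returns true only if the alert should be shown to the user.
func (h *Handset) Display(a Alert) (bool, error) {
	if len(a.Sig) != ed25519.SignatureSize || !ed25519.Verify(h.trusted, a.payload(), a.Sig) {
		return false, errors.New("signature missing or invalid: suppressed")
	}
	// A genuine alert captured off the air could be replayed hundreds of
	// times inside the 45 s window, so a valid signature alone is not enough.
	if h.seen[a.MessageID] {
		return false, errors.New("duplicate message id: suppressed")
	}
	h.seen[a.MessageID] = true
	return true, nil
}

// Scenario runs four cases and reports which would be displayed:
// genuine, attacker-signed, genuine-but-tampered, genuine-but-replayed.
func Scenario() (genuine, spoofed, tampered, replayed bool) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	phone := NewHandset(authPub)

	orig := Alert{MessageID: 1, Class: "presidential", Text: "THIS IS A TEST"}
	sign(authPriv, &orig)
	genuine, _ = phone.Display(orig)

	fake := Alert{MessageID: 2, Class: "presidential", Text: "EVACUATE NOW"}
	sign(attackerPriv, &fake) // the SDR operator has no authority key
	spoofed, _ = phone.Display(fake)

	edited := orig
	edited.Text = "EVACUATE NOW" // genuine signature, altered text
	tampered, _ = phone.Display(edited)

	replayed, _ = phone.Display(orig) // byte-identical copy sent again
	return
}

func main() {
	g, s, t, r := Scenario()
	fmt.Printf("displayed: genuine=%v spoofed=%v tampered=%v replayed=%v\n", g, s, t, r)
}
```

The replay rule is there because a signature check on its own would leave the flooding half of the attack intact: an attacker who has recorded one real alert could still replay it every 160 ms. Deploying something like this for real also needs room for the signature in the message format and a way to provision and rotate the public key on every handset, neither of which the example addresses.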

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Mobile SIGINT Hacking On A Civilian’s Budget

Signals Intelligence (SIGINT) refers to performing electronic reconnaissance by eavesdropping on communications, and used to be the kind of thing that was only within the purview of the military or various three letter government agencies. But today, for better or for worse, the individual hacker is able to pull an incredible amount of information out of thin air with low-cost hardware and open source software. Now, thanks to [Josh Conway], all that capability can be harnessed with a slick all-in-one device: the RadioInstigator.

In his talk at the recent 2019 CircleCityCon, [Josh] (who also goes by the handle [CrankyLinuxUser]) presented the RadioInstigator as an affordable way to get into the world of wireless security research beyond the traditional WiFi and Bluetooth. None of the hardware inside the device is new exactly, it’s all stuff the hacking community has had access to for a while now, but this project brings them all together under one 3D printed “roof” as it were. The end result is a surprisingly practical looking device that can be used on the go to explore huge swaths of the RF spectrum at a cost of only around $150 USD.

So what has [Josh] packed into this wireless toybox? It will probably come as little surprise to find out that the star of the show is a Raspberry Pi 3 B+, combined with a touch screen display and portable keyboard so the user can interface with the various security tools installed.

To help the RadioInstigator surf the airwaves there’s an RTL-SDR and a 2.4 GHz nRF24LU1+ “Crazyradio”, both broken out to external antenna connectors on the outside of the device. There’s even an external SMA connector hooked up to a GPIO pin on the Pi, which can be used for low-power transmissions from 5 kHz up to 1500 MHz with rpitx. Everything is powered by a beefy 10,000 mAh battery pack, which should give you plenty of loiter time to perform your investigations.

[Josh] has also written several Bash scripts which will get a trove of radio hacking tools installed on the Pi automatically, either by pulling them in through the official repositories or downloading the source and compiling them. Getting the software environment into a known-good state can be a huge time sink, so even if you don’t build your own version of the RadioInstigator, his scripts are still worth checking out.

You can do some pretty incredible things with nothing more than a Pi and an RTL-SDR, but we can’t help but notice there’s still plenty of room inside the RadioInstigator for more gear. It could be the perfect home for a Multi-RTL setup, or maybe even a VGA adapter for spoofing cell networks.


Pluto (SDR) Goes Ethernet

Pluto may no longer be a planet, but it is still a fun software-defined radio (SDR) setup from Analog Devices. The inexpensive radio uses a USB connector and presents itself to your PC somewhat like a network connection. But what if you want to really use it on a network? [SignalsEverywhere] shows you how to do it using a USB network adapter and a USB connection adapter.

Just plugging a USB dongle into the box isn’t sufficient: an extra power supply is required, as well as a minor bit of configuration. The IP address will be static, so you might want to pick an address that your DHCP server won’t hand out, or reserve it on your local network.
