London Bridge Has Fallen — By Radio

One of the global news stories this week has been the passing of the British monarch, Queen Elizabeth II. Since she had recently celebrated 70 years on the throne, the changing of a monarch is not something that the majority of those alive in 2022 will have seen. But it’s well known that there is a whole suite of “London Bridge has fallen” protocols in place for that eventuality, which the various arms of the British government would have put in motion immediately upon news from Balmoral Castle. When it became obvious that the Queen’s health was declining, [Hackerfantastic] took to the airwaves to spot any radio signature of these plans. [Update 2022-09-11] See the comments below and a fresh Tweet for clarification: it appears these were not the signals they were at first suspected to be.

What he found in a waterfall view of the 4 MHz military band was an unusual transmission, a set of strong QPSK packets that started around 13:40 on the 8th of September and continued for 12 hours before disappearing. The interesting thing about these transmissions is not that they were a special system for announcing the death of a monarch, but that they present a rare chance to see one of the country’s Cold War era military alert systems in action.

It’s likely that overseas embassies and naval ships would have been the intended recipients and the contents would have been official orders to enact those protocols, though we’d be curious to know whether 2022-era Internet and broadcast media had tipped them off beforehand that something was about to happen. It serves as a reminder: next time world news stories happen in your part of the world, look at the airwaves!

Tracking Weather Balloons With SDR

The advent of cheap software-defined radio hardware means that what would once have been an exotic, expensive undertaking can now be done relatively cheaply. [David] notes that using some pretty simple gear, he could track down weather balloons.

The U.S. National Weather Service sends up a large number of radiosondes attached to balloons twice a day. Their job is to measure conditions at high altitudes up to about 30km. Once the balloon gets too high, the pressure inside bursts the balloon, and a small parachute slows the instrument package’s descent back to Earth. [David] wanted to track these down and return them to the NWS for reuse.


Introducing FISSURE: A Toolbox For The RF Hacker

No matter what the job at hand is, if you’re going to tackle it, you’re going to need the right kit of tools. And if your job includes making sense out of any of the signals in the virtual soup of RF energy we all live in, then you’re going to need something like the FISSURE RF framework.

Exactly what FISSURE is becomes pretty clear from its acronym, which stands for Frequency Independent SDR-Based Signal Understanding and Reverse Engineering. This is all pretty new — it looks like [Chris Poore] presented a talk at DEFCON a few weeks back about using FISSURE to analyze powerline communications between semi-trucks and their trailers, and they’ve got a talk scheduled for next month’s GNU Radio Conference as well. We’ve been looking through all the material we can find on FISSURE, and it appears to be an RF hacker’s dream come true. They’ve got a few examples on Twitter, like brute-forcing an old garage door opener with a security code set by a ten-position DIP switch, and sending tire pressure monitoring system (TPMS) signals to a car. They also describe some of the framework’s capabilities in the GitHub README; we’re especially interested in packet crafting for various protocols. The video below has some more examples of what FISSURE can do.

It looks like FISSURE could be a lot of fun, and very handy for your RF analysis and reverse engineering work. If you’ve been using Universal Radio Hacker like we have, this looks similar, only more so. We’ll be downloading it soon and giving it a try, so be on the lookout for a hands-on report.


Simple Breadboard SDR For Shortwave

One of the best ways to learn about radios is to build your own, even in the age of cheap SDR dongles. [Aniss Oulhaci] demonstrates this with a simple HF SDR receiver built on a breadboard.

The receiver takes the form of a simplified Tayloe detector. An RF preamp circuit amplifies the signal from a shortwave antenna and feeds it into a 74HC4066D analog switch, which acts as a switching mixer. It mixes the input signal with the local oscillator’s I and Q signals to produce the intermediate frequency signals. The local oscillator consists of an Si5351 clock generator with a 74HC74D flip-flop to generate the I and Q pair. The signals pass through a low pass filter stage and get amplified by an LM358 op amp, resulting in the IQ signal pair being fed to a computer’s stereo sound card.

An Arduino controls the Si5351 clock generator, running the same program that was created for the SDR Shield. With the audio signal fed to HDSDR, [Aniss] was able to pick up a shortwave radio broadcaster.

While this is by no means a high-performance receiver, building an SDR on a breadboard is still a great weekend project, with plenty of potential for further experimentation.


SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security

It seems like [Mordechai Guri]’s lab at Ben-Gurion University is the place where air-gapped computers go to die, or at least to give up their secrets. And this hack using a computer’s SATA cable as an antenna to exfiltrate data is another example of just how many side-channel attacks the typical PC makes available.

The exploit, deliciously designated “SATAn,” relies on the fact that the SATA 3.0 interface used in many computers has a bandwidth of 6.0 Gb/s, meaning that manipulating the computer’s IO makes it possible to transmit data from an air-gapped machine at around 6 GHz. It’s a complicated exploit, of course, and involves placing a transmitting program on the target machine using the usual methods, such as phishing or zero-day exploits. Once in place, the transmitting program uses a combination of read and write operations on the SATA disk to generate RF signals that encode the data to be exfiltrated, with the data lines inside the SATA cable acting as antennas.

SATAn is shown in action in the video below. It takes a while to transmit just a few bytes of data, and the range is less than a meter, but that could be enough for the exploit to succeed. The test setup uses an SDR — specifically, an ADALM PLUTO — and a laptop, but you can easily imagine a much smaller package being built for a stealthy walk-by style attack. [Mordechai] also offers a potential countermeasure for SATAn, which basically thrashes the hard drive to generate RF noise to mask any generated signals.

While probably limited in its practical applications, SATAn is an interesting side-channel attack to add to [Dr. Guri]’s list of exploits. From optical exfiltration using security cameras to turning power supplies into speakers, the vulnerabilities just keep piling up.


Bringing Some Discipline To An SDR Transmitter

The proliferation of software-defined radio (SDR) technology has been a godsend for RF hobbyists. SDR-based receivers and transmitters have gotten so cheap that you’ve probably got a stick or two lying around your bench right now — we can see three from where we sit, in fact.

But cheap comes at a price, usually in the form of frequency stability, which can be prohibitive in some applications — especially amateur radio, where spectrum hygiene is of the utmost concern. So we were pleased to see [Tech Minds] tackle the SDR frequency stability problem by using a GPS-disciplined oscillator. The setup uses an ADALM-PLUTO SDR transceiver and a precision oscillator from Leo Bodnar Electronics. The oscillator can be programmed to output a rock-solid, GPS-disciplined signal over a wide range of frequencies. The Pluto has an external oscillator input that looks for 40 MHz, which is well within the range of the GPSDO.

Setup is as easy as plugging the oscillator’s output into the SDR’s external clock input using an SMA to UFL jumper, and tweaking the settings in the SDR and oscillator. Not all SDRs will have an external clock input, of course, so your mileage may vary. But if your gear is suitably equipped, this looks like a great way to get bang-on frequency — the video below shows just how much the undisciplined SDR can drift.

Like any good ham, [Tech Minds] is doing his bit to keep his signals clean and on target. His chief use case for this setup will be to work QO-100, amateur radio’s first geosynchronous satellite repeater. We’ve got to say that we hams living on the two-thirds of the globe not covered by this satellite are just dying to get a geosynchronous bird (or two) of our own to play with like this.


A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
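To make the rollback failure concrete, here is a toy rolling-code receiver written for this post (not Honda’s or the researchers’ code; the key and counters are constructed sample values). The `allow_rollback` flag models a resynchronisation routine that accepts a run of consecutive valid codes even when their counters are behind the last accepted one, which is exactly what lets captured codes be replayed; the hardened form only ever resyncs forward.

```python
import hmac, hashlib
# Toy rolling-code model written for this page, not Honda's algorithm; the
# key is a constructed sample value.
KEY = b"constructed-demo-key"
WINDOW, RESYNC_RUN, MAX_COUNTER = 16, 3, 4096

def keyfob_code(key: bytes, counter: int) -> bytes:
    # One press emits a truncated keyed hash of the current counter value.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    """allow_rollback=True models the flaw: a run of consecutive valid codes
    resynchronises the counter even backwards, so captured codes work again."""
    def __init__(self, key: bytes, allow_rollback: bool):
        self.key, self.allow_rollback = key, allow_rollback
        self.counter, self.pending = 0, []  # last accepted counter, resync run

    def _counter_for(self, code: bytes):
        for c in range(MAX_COUNTER):
            if hmac.compare_digest(keyfob_code(self.key, c), code):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        c = self._counter_for(code)
        if c is None:
            return False
        if self.counter < c <= self.counter + WINDOW:  # normal press
            self.counter, self.pending = c, []
            return True
        # Out of window (fob far ahead, or a replayed old code): resync logic.
        consecutive = self.pending and c == self.pending[-1] + 1
        self.pending = self.pending + [c] if consecutive else [c]
        if len(self.pending) < RESYNC_RUN:
            return False
        accepted = c > self.counter or self.allow_rollback  # hardened: forward only
        if accepted:
            self.counter = c
        self.pending = []
        return accepted

def rollback_scenario(allow_rollback: bool) -> bool:
    """Capture codes 1..4 in normal use, fob advances to 40, replay 1..3 then 4."""
    rx = Receiver(KEY, allow_rollback)
    captured = [keyfob_code(KEY, n) for n in range(1, 5)]
    for n in range(1, 41):
        rx.receive(keyfob_code(KEY, n))
    for code in captured[:3]:
        rx.receive(code)
    return rx.receive(captured[3])
```

`rollback_scenario(True)` unlocks with a stale captured code, while `rollback_scenario(False)` refuses it yet still lets a fob that has legitimately run far ahead resynchronise.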

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all the Honda cars affected might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.