Bypassing Chamberlain myQ Garage Doors with a Jamming SDR Attack

McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain's MyQ Hub, a "Universal" IoT garage door automation platform. Such a device allows you to operate your garage door and monitor its status remotely via an app. This lets you open and close the garage door for couriers, or lets couriers do it themselves if they are on the app.

Whilst they found that the internet-facing network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote door sensor over radio frequency (RF).

Although the system uses rolling codes for security, the McAfee researchers made use of the "rolljam" technique, a well known method for defeating rolling code security. The basic idea is to use an SDR or other RF device to jam the receiver while recording the codes from two key presses, then play back the first so the door still responds. The attacker now holds the second, unused rolling code, ready to be played back at any time.

McAfee researchers jam the actual MyQ signal (red) with a jamming signal (black)

In their threat demonstration they used an SDR running GNU Radio on a computing platform placed outside the target garage door. The method used in the demonstration actually involves only jamming and no replay at all: it confuses the state of the MyQ device, so that the owner opens the garage door by mistake while thinking they are closing it. They write:

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

McAfee Advanced Threat Research Demo Chamberlain MyQ
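The quoted paragraph describes a design problem rather than a radio problem: the door only understands a stateless toggle, and the app tells the user to "try again" when the sensor's acknowledgement never arrives. The following is an added example (not McAfee's or Chamberlain's code) that models that exchange in Python. It replaces the jammer with a single constructed event, "the acknowledgement was lost", and contrasts the stateless hub with a hardened hub that marks the door state as unknown and refuses to send another blind toggle until it gets a fresh sensor reading. The class and method names are assumptions for the illustration.

```python
"""Model of the MyQ state confusion: stateless toggle + lost acknowledgement.
Constructed example; names are assumptions, not MyQ's real API."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GarageDoor:
    """The physical door: one button input that toggles open/closed."""
    is_open: bool = True
    sensor_link_ok: bool = True          # False while the sensor's RF reply is not received

    def toggle(self) -> None:
        self.is_open = not self.is_open

    def read_sensor(self) -> Optional[bool]:
        """Door sensor reply: True=open, False=closed, None=no reply received."""
        return self.is_open if self.sensor_link_ok else None


@dataclass
class Hub:
    door: GarageDoor
    stateful: bool = False               # True = hardened behaviour
    believed_open: Optional[bool] = True # last confirmed state; None = unknown
    log: List[str] = field(default_factory=list)

    def request_close(self) -> str:
        """The user taps 'close' in the app. Returns the message the app shows."""
        if self.stateful:
            if self.believed_open is None:
                # Hardened rule: never send a blind toggle while state is unknown.
                fresh = self.door.read_sensor()
                if fresh is None:
                    self.log.append("refused toggle: door state unknown, no sensor reading")
                    return "Door state unknown. Check the door before retrying."
                self.believed_open = fresh
            if self.believed_open is False:
                return "Door already closed."
        # Stateless behaviour (and hardened behaviour once state is confirmed):
        # send the toggle and wait for the sensor to report the new state.
        self.door.toggle()
        ack = self.door.read_sensor()
        if ack is None:
            self.believed_open = None    # record "unknown" rather than guessing
            return "Something went wrong. Please try again."
        self.believed_open = ack
        return "Door open." if ack else "Door closed."


def scenario(stateful: bool) -> dict:
    """Door starts open; the sensor reply path is lost (constructed event);
    the user presses 'close' and then 'tries again' as the app suggests."""
    door = GarageDoor(is_open=True)
    hub = Hub(door, stateful=stateful)
    door.sensor_link_ok = False
    messages = [hub.request_close(), hub.request_close()]
    return {"messages": messages, "door_open": door.is_open, "log": hub.log}


if __name__ == "__main__":
    for mode in (False, True):
        result = scenario(stateful=mode)
        print("hardened" if mode else "stateless", result)
```

In the stateless run the first tap closes the door and the second tap, prompted by the error message, opens it again; in the hardened run the second tap is refused and the door stays closed. If the door itself accepted an idempotent "set closed" command instead of a bare toggle, the retry would be harmless regardless of what the hub believes; the hub-side check above is the mitigation available when the door hardware cannot be changed.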

RadarBox Optimized ADS-B Antenna + RTL-SDR Bundle Sale $39.95 + Shipping

Over in our store we're currently selling a RadarBox branded bundle that includes an ADS-B optimized antenna with 10 meters of coax, AND an ADS-B 1090 MHz optimized RTL-SDR dongle. RadarBox24 is an ADS-B aggregation flight tracking service similar to other services like FlightRadar24 and FlightAware. The set is RadarBox branded, but of course can be used with any tracking service, or just for your own private ADS-B station.

The bundle is now on sale for US$39.95 + shipping! The sale will last until stock runs out and this sale is only available from us. At other places like Amazon it is currently selling for US$64.95.

To purchase please visit our store and scroll down to find the RadarBox bundle "Add to Cart" button.

The antenna has 7 dBi gain, 50 (±5) Ohm impedance, and is made from fiberglass and aluminum. It is fully waterproof and outdoor rated, comes with 10 meters of coax cable, and includes mounting clamps. The RadarBox RTL-SDR is specifically optimized for 1090 MHz ADS-B reception with its built-in filter and low noise amplifier.

The bundle ships out once per week and tracking is provided 1-2 days after shipping.

RadarBox Bundle: Includes 1x Outdoor ADS-B Antenna AND 1x ADS-B Optimized RTL-SDR

Receiving and Decoding NFC with an RTL-SDR and GNURadio

Having been inspired by an NFC activated coffee machine at his work, back in 2017 Jean Christophe Rona uploaded a blog post showing how he used an RTL-SDR and GNU Radio to sniff and decode NFC (Near-Field Communication) tags. His post first explains in detail how NFC works, then goes on to create a GNU Radio flow graph with a custom GNU Radio block for decoding the NFC Miller code. The final result was that he was able to demodulate the coffee-machine-to-tag communication. We note that in Jean's experiments he used a standard RTL-SDR dongle with the HF driver hack in order to receive the NFC frequency of 13.56 MHz, but these days it should also be possible to simply use direct sampling on an RTL-SDR Blog V3 unit.

More recently Martin Schaumburg (5ch4um1 on YouTube), wrote in and wanted to share his video showing his replication of Jean's experiments. Martin's video shows him using a simple coiled up wire antenna on his RTL-SDR to receive NFC communication from an NFC reader to NFC tag, and he shares a few tips on getting the software to work.

RTLSDR NFC decoding reader to tag communication with a rtl-sdr and gnuradio.

Update 13 January 2020: Martin has added a second video with some additional information and tests.

RTLSDR decoding NFC, or: how to get two signals for the price of one.
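The reader-to-tag direction that Jean's block and Martin's video decode uses ISO 14443-A "modified Miller" coding at 106 kbit/s: each 9.44 µs bit period either contains a short pause in the carrier in its first half (sequence Z), in its second half (sequence X), or no pause at all (sequence Y). The following Python is an added example, not Jean's GNU Radio block: it classifies an amplitude envelope into X/Y/Z sequences, decodes them into bits using the ISO 14443-2 rules, and includes an encoder only so that a test frame (the REQA short frame, 0x26) can be constructed offline. The sample rate, pause width and threshold are assumptions chosen for the illustration.

```python
"""Modified Miller (ISO 14443-A reader-to-tag, 106 kbit/s) decoder.
Added example; constructed parameters, not Jean's GNU Radio code."""
from typing import List

# One bit period is 128/fc = 9.44 us. At an RTL-SDR rate of 2.4 MS/s that is
# ~22.6 samples per bit; 24 is a constructed round figure for this example.
SAMPLES_PER_BIT = 24
PAUSE_LEVEL = 0.5          # envelope below this fraction of the carrier = pause


def classify(envelope: List[float], spb: int = SAMPLES_PER_BIT) -> List[str]:
    """Map each bit period of an amplitude envelope to a Miller sequence:
    Z = pause in the first half, X = pause in the second half, Y = no pause."""
    symbols: List[str] = []
    for start in range(0, len(envelope) - spb + 1, spb):
        first = envelope[start:start + spb // 2]
        second = envelope[start + spb // 2:start + spb]
        if min(first) < PAUSE_LEVEL:
            symbols.append("Z")
        elif min(second) < PAUSE_LEVEL:
            symbols.append("X")
        else:
            symbols.append("Y")
    return symbols


def decode_miller(symbols: List[str]) -> List[int]:
    """Sequences -> data bits (LSB of each byte is sent first).
    ISO 14443-2 rules: start of communication is Z; logic 1 is X;
    logic 0 is Y after a 1 and Z after a 0 or at the start of the frame;
    end of communication is a logic 0 followed by Y."""
    if not symbols or symbols[0] != "Z":
        raise ValueError("frame must start with Z (start of communication)")
    bits: List[int] = []
    prev = 0                   # the start of frame behaves like a preceding 0
    for sym in symbols[1:]:
        if sym == "X":
            bits.append(1)
        elif sym == "Z":
            if prev == 1:
                raise ValueError("Z after a 1 is not a valid sequence")
            bits.append(0)
        elif sym == "Y":
            if prev == 1:
                bits.append(0)
            else:
                # Y after a 0 is the end of communication: that 0 was the
                # EOC marker, not data, so drop it and return the payload.
                if not bits:
                    raise ValueError("empty frame")
                bits.pop()
                return bits
        else:
            raise ValueError(f"unknown sequence {sym!r}")
        prev = bits[-1]
    raise ValueError("no end of communication found")


def encode_miller(bits: List[int]) -> List[str]:
    """Reader-side encoder, used here only to construct test frames."""
    symbols = ["Z"]
    prev = 0
    for b in bits + [0]:       # the trailing 0 is the EOC marker
        symbols.append("X" if b else ("Y" if prev == 1 else "Z"))
        prev = b
    symbols.append("Y")
    return symbols


def envelope_from_symbols(symbols: List[str], spb: int = SAMPLES_PER_BIT) -> List[float]:
    """Constructed carrier envelope: 1.0 = full carrier, ~0.1 during a pause."""
    env: List[float] = []
    for sym in symbols:
        period = [1.0] * spb
        if sym == "Z":
            period[2] = period[3] = 0.1              # pause early in the period
        elif sym == "X":
            period[spb // 2 + 2] = period[spb // 2 + 3] = 0.1
        env.extend(period)
    return env


def bits_to_bytes_lsb_first(bits: List[int]) -> bytes:
    """Pack bits into bytes, least significant bit first (ISO 14443 order)."""
    return bytes(sum(bit << i for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def decode_envelope(envelope: List[float]) -> List[int]:
    return decode_miller(classify(envelope))


REQA_BITS = [0, 1, 1, 0, 0, 1, 0]   # REQA short frame: 7 bits of 0x26, LSB first

if __name__ == "__main__":
    frame = encode_miller(REQA_BITS)
    print("".join(frame), decode_envelope(envelope_from_symbols(frame)),
          bits_to_bytes_lsb_first(REQA_BITS).hex())
```

On a real capture the envelope comes from the magnitude of the complex samples, and the bit-period boundaries have to be found from the first Z pause rather than assumed at sample 0; the decoder itself is unchanged. The tag-to-reader direction (Manchester-coded load modulation on an 847 kHz subcarrier) needs a different demodulator and is not covered here.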

A Simple Step by Step Guide to Updating the NanoVNA Firmware

Thank you to RJ Juneau (ylabrj / VA3YLB) for sharing with us his NanoVNA firmware update "guide for idiots". NanoVNA firmware is updated fairly often, and updating it is a multi-step process, so this is a good reference for anyone who wants to test the latest code. He writes:

I've put together a "for idiots" document (I'm both the writer and the target audience) that holds your hand through the process of upgrading from Windows, and covers some important issues like:

  • Are you using a nanoVNA or an updated nanoVNA-H?
  • Where to pick up the right software for the board
  • Do you want the VNA or the antenna analyzer version?
  • The software you need to load it, drivers, etc.
The NanoVNA-H: A $50 Vector Network Analyzer

NanoVNA Version 2.0 First PCB Pictures Released + NanoVNA Naming & Credit Clarifications

Back in October 2019 we posted about the upcoming NanoVNA version 2.0 which back then was still being designed with a predicted release date of January 2020. Recently some photos of the NanoVNA 2.0 prototype have been uploaded to the NanoVNA groups.io forum.

The NanoVNA 2.0 is expected to retail at around US$60 which is around the same price as the current NanoVNA. The current NanoVNA is limited in that it can only measure from 50 kHz to 900 MHz, with performance being reduced above 300 MHz. It can be extended to 1.5 GHz, but with severely reduced performance. The NanoVNA 2.0 will be able to measure from 50 kHz to 3 GHz, and possibly up to 3.5 GHz. Version 2.0 will also have improved dynamic range.

The NanoVNA (v1.0) is a versatile Vector Network Analyzer (VNA) that was originally designed by @edy555 / ttrftech. What makes it so special is its extremely low cost: it can be found on eBay & Aliexpress for under US$40 and on Amazon for around US$50-US$70. A VNA is an extremely useful tool in any ham or RF enthusiast's tool belt, as it can be used to measure RF filters, tune antennas, measure coax cable loss, and find cable faults.

NanoVNA V2.0 PCB Photos

NanoVNA Version, Model, Naming and Credit Confusion

Eddy555's original NanoVNA design had already been released for several years before the current NanoVNA popularity boom, but during those years eddy555 was only selling the product in small quantities as a DIY kit.

The current low cost NanoVNAs available on the market are mostly the "hugen" version, known as the NanoVNA-H. Hugen is a ham who innovated on eddy555's original open source design, adding features like battery management, an improved PCB layout and PC software, and extending the frequency range from 300 MHz to 900 MHz.

Hugen began by making 50 units of his design to sell to some hams who had been following his design improvements online. However, hugen's design was soon cloned by other Chinese factories, and this is when the NanoVNA product took off and became a well known name for an affordable VNA. The Hugen NanoVNA-H is now being sold at nanovna.com, and there are several clones available on Aliexpress in both black and white. Some of the clones omit the shielding, which can cause issues in some RF environments. As far as we know, the only NanoVNA-H distributor that decided to pay royalties back to eddy555 (after this exchange [part 2 resolution] on Twitter) is NooElec, who sell a full NanoVNA bundle for US$109.

There is now also the "NanoVNA-F" version available, which is a clone of the "NanoVNA-H" but with a larger 4.3" screen, a larger battery, range extended to 1 GHz, and firmware based on an RTOS. It sells at a much higher price of US$110 - US$129.

Finally, we note that the NanoVNA 2.0 project described in the first part of this post does not appear to be affiliated with eddy555 or hugen in any way. Development of the NanoVNA 2.0 is apparently based on completely original design work, and only shares similarity to the original NanoVNA in terms of pricing, name, and firmware compatibility. NanoVNA 2.0 is being developed by OwOComm which is a Japanese research unit that aims to promote "intellectual communism".

OwOComm note that they will release the designs as open source without actually manufacturing the product. It is then up to any factory to manufacture and sell the design as they please. OwOComm themselves appear to be sponsored by an unnamed customer of theirs who wanted an "improved NanoVNA" to be designed. It is not clear what the goals of OwOComm or their unnamed sponsor are, other than perhaps philanthropic.

At the same time we note that eddy555 appears to be designing his own NanoVNA 2.0 version which is not affiliated with the NanoVNA 2.0 described in this post. In the forum thread eddy555 has urged OwOComm to rename their project to avoid confusion, but it is unclear if they will do so.

The story of an open source project running away from the original developer seems to be a fairly common one these days. While eddy555's original open source design has started something truly great, it is at the same time sad that he won't see much credit or profit from future designs.

All NanoVNA versions that we are currently aware of

Tracking down a Water Leak with RTLAMR

Earlier in the year Clayton discovered that his water bill had suddenly gone up one month. Suspecting a leaky appliance he set out to discover what it was by using an RTL-SDR and the rtlamr decoder. The rtlamr decoder is able to decode water meters that transmit usage data wirelessly via the Itron ERT protocol which is typically found in the unlicensed 900 - 920 MHz band in the USA and Canada.

Clayton wrote a simple Python script to plot the usage data extracted by rtlamr, and after a week determined that water was being consumed at 10 liters an hour even while he was away from home. Suspecting a leak in the toilets, he turned off their valves, and the next day saw that the reading remained constant while he was away, indicating that he'd found the leak.

A water leak graphed by decoding an Itron ERT water meter with RTL-SDR
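Clayton's approach (plot the consumption counter over time and look for a rate that never drops to zero while nobody is home) can be reduced to a few lines of Python. The block below is an added example, not Clayton's script: it reads rtlamr output line by line, keeps only the messages from the meter of interest, and reports the lowest hourly rate seen during "away" hours, which is the leak floor. The sample lines are constructed, and the JSON field layout (`Time`, `Message.ID`, `Message.Consumption`) is the layout I assume `rtlamr -format=json` emits; check it against your own build's output before relying on it. Rates are in the meter's raw counter units.

```python
"""Leak floor from rtlamr JSON output. Added example; the sample lines are
constructed and the JSON layout is an assumption about rtlamr's output."""
import json
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Constructed sample: one meter read hourly while the house is empty, plus one
# stray message from a neighbour's meter that must be ignored.
SAMPLE_LINES = """
{"Time":"2020-01-10T08:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":12,"Consumption":500000}}
{"Time":"2020-01-10T09:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":12,"Consumption":500010}}
{"Time":"2020-01-10T10:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":12,"Consumption":500020}}
{"Time":"2020-01-10T11:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":12,"Consumption":500030}}
{"Time":"2020-01-10T11:30:00Z","Type":"SCM","Message":{"ID":99999999,"Type":12,"Consumption":77}}
{"Time":"2020-01-10T18:00:00Z","Type":"SCM","Message":{"ID":12345678,"Type":12,"Consumption":500250}}
"""

Reading = Tuple[datetime, int]
Rate = Tuple[datetime, datetime, float]


def parse_readings(text: str, meter_id: int) -> List[Reading]:
    """Extract (time, counter) pairs for one meter from rtlamr JSON lines."""
    readings: List[Reading] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # rtlamr also prints non-JSON status text
        msg = rec.get("Message", {})
        if msg.get("ID") != meter_id:
            continue                      # every meter in range is received
        when = datetime.fromisoformat(rec["Time"].replace("Z", "+00:00"))
        readings.append((when, int(msg["Consumption"])))
    readings.sort()
    return readings


def hourly_rates(readings: List[Reading]) -> List[Rate]:
    """Consumption per hour between consecutive readings (raw counter units)."""
    rates: List[Rate] = []
    for (t0, c0), (t1, c1) in zip(readings, readings[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        if hours <= 0 or c1 < c0:
            continue                      # duplicate timestamp or corrupt counter
        rates.append((t0, t1, (c1 - c0) / hours))
    return rates


def leak_floor(rates: List[Rate], away_hours: Iterable[int] = range(8, 18)) -> Optional[float]:
    """Lowest rate among intervals that start during 'away' hours.
    A genuine leak shows up as a floor that never reaches zero."""
    away = [r for (t0, _, r) in rates if t0.hour in set(away_hours)]
    return min(away) if away else None


if __name__ == "__main__":
    meter = parse_readings(SAMPLE_LINES, 12345678)
    print("leak floor (units/hour):", leak_floor(hourly_rates(meter)))
```

To use it on live data, pipe `rtlamr -format=json` into a file, feed that file's contents to `parse_readings` with your meter's ID, and compare the floor before and after closing a suspect valve, exactly as Clayton did with the toilets.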

Using a HackRF for GPS Spoofing on Windows

Over on the TechMinds YouTube channel a new video titled "GPS Spoofing With The HackRF On Windows" has been uploaded. In the video TechMinds uses the GPS-SDR-SIM software with his HackRF to create a fake GPS signal in order to trick his Android phone into believing that it is in Kansas City.

In the past we've seen GPS Spoofing used in various experiments by security researchers. For example, it has been used to make a Tesla 3 running on autopilot run off the road and to cheat at Pokemon Go. GPS spoofing has also been used widely by Russia in order to protect VIPs and facilities from drones.

GPS Spoofing With The HackRF On Windows

KiwiSDR Now Supports DRM Decoding

KiwiSDR have recently implemented DRM decoding into their OpenWebRX implementation. Digital Radio Mondiale (DRM) is a type of digital shortwave radio signal that is used by some international shortwave radio broadcasters. It provides superior audio quality compared to AM stations thanks to digital audio encoding.

The KiwiSDR is a US$299 HF SDR that can monitor the entire 0 - 30 MHz band at once. It is designed to be web-based and shared, meaning that the KiwiSDR owner, or anyone that they've given access to can tune and listen to it via a web browser over the internet. Many public KiwiSDRs can be found and browsed from the list at sdr.hu.

The new DRM implementation is based on DREAM 2.1.1, an open source DRM decoder that can be used with any HF capable SDR. Due to the computational limits of the BeagleBone single-board computer that the KiwiSDR runs on, only one DRM channel can be decoded at any one time, restricting this capability to one user at a time. However, if the KiwiSDR is running on the newer BeagleBone AI, it can support up to four DRM channels. KiwiSDR write that work is still ongoing to improve the code, so this situation may improve in the future.

KiwiSDR Decoding DRM