Tracking Company Jets with ADS-B to Give an Edge to Hedge Fund Investors

Financial news site Bloomberg recently ran an article about how hedge fund managers are using ADS-B to track private company aircraft in order to help predict the next megadeal between companies. They explain with an example:

In April, a stock research firm told clients that a Gulfstream V owned by Houston-based Occidental Petroleum Corp. had been spotted at an Omaha airport. The immediate speculation was that Occidental executives were negotiating with Buffett’s Berkshire Hathaway Inc. to get financial help in their $38 billion offer for rival Anadarko Petroleum Corp. Two days later, Buffett announced a $10 billion investment in Occidental.

There’s some evidence that aircraft-tracking can be used to get an early read on corporate news. A 2018 paper from security researchers at the University of Oxford and Switzerland’s federal Science and Technology department, tracked aircraft from three dozen public companies and identified seven instances of mergers-and-acquisitions activity. “It probably shouldn’t be your prime source of investing information, but as a feeder, as an alert of something else what might be going on, that’s where this work might be useful,” says Matthew Smith, a researcher at Oxford’s computer science department and one of the authors.

"Alternative data" collection firms like Quandl Inc. have services like "corporate aviation intelligence", where they use ADS-B data to keep tabs on private aircraft, then sell their data on to hedge funds and other investors who are hoping to gain an edge in the stock market.

Popular flight tracking sites that aggregate ADS-B data like FlightAware and FlightRadar24 censor data from private jets on their public maps upon the request of the owner, but it's not known if they continue to sell private jet data on to other parties. ADS-B Exchange is one ADS-B aggregator that promises to never censor flights, however the data is only free for non-commercial use. The value from using companies like Quandl is that they probably have a much more accurate database of who each private jet belongs to.

The Bloomberg article also mentions another use case for tracking private flights, which is  tracking the movements of known dictators via their private jets. We previously posted an article about this too. We've also in the past seen ADS-B data used to track world leaders, and help United Nations advisers track flights suspected of violating an arms embargo.

ADS-B data is typically collected these days with a low cost SDR like the RTL-SDR. We have a tutorial on setting up your own ADS-B home tracker here.

Features of Quandl Inc's Corporate Aviation Intelligence Service.
Features of Quandl Inc's Corporate Aviation Intelligence Service.
Tweet
Share48
Reddit
Vote
Email
48 Shares

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.
Tweet86
Share570
Reddit
Vote
Email
656 Shares

Medtronic Minimed Insulin Pumps Recalled due to Wireless Security Vulnerabilities

A MiniMed Insulin Pump

Back at the 2018 Black Hat conference it was revealed by security researchers Billy Rios and Jonathan Butts that a HackRF could be used to take control of a Medtronic insulin pump. Back then FDA advisories were issued, but recently a new warning noting that Medtronic MiniMed 508 and Paradigm series insulin pumps could be vulnerable to wireless attacks was again issued. The vulnerabilities could allow hackers to wireless cause the device to deliver excessive amounts of insulin or stop insulin delivery. 

Apparently the vulnerabilities cannot be fixed with a software update, so Medtronic have issued a voluntary recall, asking customers to contact their healthcare providers so that they can upgrade to their newer units which are more secure (although these newer units are not available everywhere outside the USA). We also note that Medtronic implantable cardiac defibrillators (ICDs) which appear to share the same vulnerability do not appear to have been recalled. For both the insulin pumps and ICDs, the issues stem from the fact that the "Conexus" wireless protocol used in the products do not use encryption, authentication or authorization.

A newspaper article at theregister.co.uk writes:

Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump uses and its CareLink controller device was insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.

"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."

Previously we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Tweet
Share76
Reddit
Vote
Email
76 Shares

Rdio Scanner: A Web Based UI for Trunk Recorder

Trunk Recorder is an RTL-SDR compatible open source Linux app that records calls from Trunked P25 and SmartNet digital voice radio systems which are commonly used by Police and other emergency services in the USA. It can be used to set up a system that allows you to listen to previous calls at your leisure, however it does not have any UI for easy browsing.

Recently Chrystian Huot wrote in and wanted to share his new program called "Rdio Scanner", which is a nice looking UI for Trunk Recorder. Rdio Scanner uses the files generated by Trunk Recorder to create a web based interface that looks like a real hardware scanner radio. Some of the features include:

  • Built to act as a real police radio scanner
  • Listen to live calls queued to listen
  • Hold a single system or a single talkgroup
  • Select talkgroups to listen to when live feed is enabled
  • Search past calls stored in the database
  • Just upload Trunk Recorder files with Curl
Rdio Scanner Interface Screenshots
Rdio Scanner Interface Screenshots
Tweet
Share148
Reddit
Vote
Email
148 Shares

Meteor M2 is Currently Experiencing Orientation Issues

Russian weather satellite Meteor M2 is a popular reception target for RTL-SDR radio enthusiasts, as it allows you to receive high resolution images of the Earth. However, currently it appears to be exhibiting orientation issues, causing off center and skewed images and sometimes poor/no reception. Russian blog "aboutspacejornal", writes that the orientation of the satellite can sometimes be restored presumably by a reset command from Earth, but shortly after goes back into uncontrolled rotation.

These sorts of off-axis images were commonly received from the older decommissioned Meteor-M1 satellite, which woke up from the dead in 2015. The resurrection was speculated to be from the batteries shorting out, allowing power to directly flow from the solar panels while in full sunlight. These days Meteor-M1 is no longer transmitting.

Meteor M2 proving the curvature of the earth due to it's orientation issues.
Meteor M2 proving the curvature of the earth due to it's orientation issues.  Image source aboutspacejornal.

Hopefully Meteor-M2 can be fixed, but if not, Meteor M2-2 is due to be launched on July 5 which should also have an LRPT signal that can be received easily with an RTL-SDR. Hopefully the launch is more successful than the November 2017 launch of Meteor M2-1 which unfortunately was a complete loss as it failed to separate from the rocket.

Tweet
Share178
Reddit1
Vote
Email
179 Shares

Hak5: Hacking Ford Key Fobs with a HackRF and Portapack

This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.

In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.

Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.

The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.

The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.

Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]

Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]

Tweet35
Share260
Reddit
Vote
Email
295 Shares

SignalsEverywhere: SDR Bias-Tee’s and Enabling the V3 Bias Tee

Today's video from Corrosive on the SignalsEverywhere YouTube channel discusses Bias Tee's. He explains what they're used for, and how to enable them on various SDRs. In particular he shows how to use the software to enable the bias tee on our RTL-SDR Blog V3 dongles. A bias tee allows you to power antenna side devices like low noise amplifiers by putting DC voltage on the coaxial cable.

The RTL-SDR Blog V3 dongle has a built in software selectable bias tee. By default it is turned off, and can easily be turned on by running some simple software. Instructions are available on the V3 users guide at www.rtl-sdr.com/V3

Bias T | Enable The Bias Tee on the RTL-SDR v3

Tweet
Share50
Reddit
Vote
Email
50 Shares

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Tweet204
Share924
Reddit79
Vote3
Email
1K Shares