RSA Conference Talks: IOT Hacking with SDR, Tracking Rogue RF Devices & Wireless Offense and Defense

RSA Conference is an information security event that was recently held on March 4 - 8 in San Francisco. The talks have been uploaded to YouTube and from what we see there are three interesting SDR/RF related talks that may be worth looking at, which we show below. The full list of videos can be found on their YouTube channel.

RF Exploitation: IoT and OT Hacking with Software-Defined Radio

Harshit Agrawal, Security Researcher, MIT Academy of Engineering, SPPU

Himanshu Mehta, Team Lead (Senior Threat Analysis Engineer), Symantec

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. SDR is changing the game for both offense and defense.

Learning Objectives:

  • Become familiar with common security concerns and attack surfaces in a wireless communication system.
  • Understand the ease and prevalence of wireless exploitation, with sophisticated examples.
  • Learn to view IoT devices, security and privacy collectively.


Hunting and Tracking Rogue Radio Frequency Devices

Eric Escobar, Principal Security Consultant, SecureWorks

Rogue radio frequencies pose a substantial and often overlooked threat to both organizations and targeted individuals. This talk will explore the dangers of rogue radio frequencies and highlight tactics, techniques and tools which can be used to identify and locate potential threats.

Learning Objectives:

  • Understand the major ways rogue wireless frequencies can impact an organization.
  • Develop a basic understanding of how to locate a rogue wireless signal.
  • Gain a conversational knowledge of ways to identify and track a wireless signal.

Pre-Requisites: Basic understanding of security principles. Basic understanding of wireless communication. Basic understanding of computer networks.


Wireless Offense and Defense, Explained and Demonstrated!

Rick Farina, Senior Product Manager, WLAN Software Security, Aruba
Rick Mellendick, Chief Security Officer, Process Improvement Achievers LLC

This session will discuss the use of radio frequency, often overlooked for network enumeration and attack. The techniques to be discussed are used to identify authorized and unauthorized signals in an organization. Without understanding the offensive attacks an organization can’t perform effective defense. The talk will explain and demonstrate how to enumerate and gain access to resources through RF signals.

Learning Objectives:

  • Understand that wireless doesn’t just mean WiFi.
  • Understand that the Bluetooth protocol can allow for direct attacks against phones, PCs and other devices.
  • Learn that other RF attacks are very difficult to detect, and gain an understanding of what they look like.

Pre-Requisites: The biggest prerequisite for our talk is an open mind and the ability to understand risk, and after the talk to better assess risk in your environment.


SignalsEverywhere: Using DSDPlus Fastlane for Listening to Phase 1 P25 Trunking

DSDPlus is a popular piece of software often used with RTL-SDR dongles to listen to unencrypted digital voice signals such as P25 and DMR. Digital voice is now commonly used by many police and emergency services as well as business radio. DSDPlus Fastlane is DSDPlus' paid upgrade which allows subscribers to access the latest releases of DSDPlus early.

Over on the SignalsEverywhere YouTube channel, Corrosive has uploaded a quick video guide that shows how to use DSDPlus Fastlane and two RTL-SDR dongles to set up a Phase 1 P25 voice decoder that automatically follows a P25 trunking channel. The basic process involves running two instances of FMP, the program in the DSDPlus suite that connects to the RTL-SDRs and receives the signal. One DSDPlus instance monitors the trunking control channel, and it tunes the second FMP+DSDPlus instance to the voice frequency currently active in the trunking system.

Corrosive also explains how people who are subscribed to RadioReference can download pre-populated data files that allow the DSDPlus event log to display talkgroup information, so that you can see who is talking to whom.
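The control-channel-follows-voice-channel arrangement described above is easy to lose track of in the video, so here is a small simulation of it, added here as an illustration rather than taken from DSDPlus or the video. It models the trunking monitor as a state machine that consumes simplified channel-grant and release records, retunes a modelled second receiver to the voice frequency of the highest-priority active talkgroup, and labels each event using a talkgroup table in the style of a RadioReference export. The record layout, the tab-separated column names and all frequencies and IDs are constructed for this example and are not real P25 framing or a real system.

```python
"""Toy model of P25 trunk following: a control-channel monitor retunes a voice receiver.

Added example, not DSDPlus code. Message shapes, frequencies, radio IDs and the
talkgroup CSV columns are all constructed/assumed for illustration.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, simplified control-channel records (NOT real P25 trunking PDUs):
# (kind, talkgroup_id, radio_id, voice_channel_frequency_hz)
CONTROL_CHANNEL_FEED = [
    ("grant", 1101, 700123, 851_012_500),
    ("grant", 1102, 700456, 851_237_500),
    ("release", 1101, 700123, 851_012_500),
    ("grant", 1101, 700789, 852_100_000),
]

# Constructed talkgroup table; column names are an assumption in the spirit of
# a RadioReference export, not its actual format.
TALKGROUP_CSV = """tgid\talias\tdescription
1101\tPD-DISP\tPolice Dispatch
1102\tFD-OPS\tFire Operations
"""


def load_talkgroups(text: str) -> Dict[int, Tuple[str, str]]:
    """Parse the tab-separated table into {talkgroup_id: (alias, description)}."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {int(row["tgid"]): (row["alias"], row["description"]) for row in reader}


@dataclass
class VoiceReceiver:
    """Stands in for the second FMP+DSDPlus instance that decodes the voice channel."""
    freq_hz: Optional[int] = None
    retunes: int = 0

    def tune(self, freq_hz: int) -> None:
        # Only count a retune when the frequency actually changes.
        if freq_hz != self.freq_hz:
            self.freq_hz = freq_hz
            self.retunes += 1


@dataclass
class TrunkFollower:
    """Stands in for the instance watching the control channel."""
    receiver: VoiceReceiver
    talkgroups: Dict[int, Tuple[str, str]]
    priority: List[int]                     # talkgroups to follow, most wanted first
    active: Dict[int, int] = field(default_factory=dict)   # tgid -> voice freq
    log: List[str] = field(default_factory=list)

    def handle(self, msg: Tuple[str, int, int, int]) -> None:
        kind, tgid, rid, freq = msg
        if kind == "grant":
            self.active[tgid] = freq
        elif kind == "release":
            self.active.pop(tgid, None)
        self._follow()
        alias, desc = self.talkgroups.get(tgid, (f"TG{tgid}", "unknown talkgroup"))
        self.log.append(
            f"{kind.upper():7} tg={tgid} ({alias}: {desc}) radio={rid} freq={freq / 1e6:.4f} MHz"
        )

    def _follow(self) -> None:
        # Retune the voice receiver to the highest-priority talkgroup that has a
        # live grant; if none is active the receiver simply stays where it is.
        for tg in self.priority:
            if tg in self.active:
                self.receiver.tune(self.active[tg])
                return


def run(feed=CONTROL_CHANNEL_FEED, csv_text=TALKGROUP_CSV, priority=(1101, 1102)):
    """Replay the constructed feed and return the receiver state plus the event log."""
    rx = VoiceReceiver()
    follower = TrunkFollower(rx, load_talkgroups(csv_text), list(priority))
    for msg in feed:
        follower.handle(msg)
    return rx, follower.log


if __name__ == "__main__":
    receiver, events = run()
    print("\n".join(events))
    print(f"voice receiver now on {receiver.freq_hz / 1e6:.4f} MHz after {receiver.retunes} retunes")
```

Running it shows why two receivers are needed: the control channel never stops being monitored, while the voice receiver hops only when the talkgroup it is following is granted a new frequency or released in favour of a lower-priority one.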


Ghosts in the Air Glow HAARP Art Project: Transmitting Until March 28

The famous HAARP (High Frequency Active Auroral Research Program) antenna array will be transmitting again from March 25 - March 28, 2019. HAARP is an antenna array which is used to perform experiments on the Earth's ionosphere and thermosphere by transmitting HF RF energy into it. With an HF capable receiver like the RTL-SDR V3 it is often possible to receive these transmissions from some distance away. As HAARP only rarely transmits, it is an interesting signal to catch when it is transmitting.

HAARP (High Frequency Active Auroral Research Program)

The current set of experiments is being combined with an art project by artist Amanda Dawn Christie (@magnet_mountain). Amanda is an interdisciplinary artist working at Concordia University. On the project website she explains the project:

Ghosts in the Air Glow is an ionospheric transmission art project using the HAARP Ionospheric Research Instrument to play with the liminal boundaries of outer space.

Pairing air glow experiments in the ionosphere—false auroras creating soft, glowing spots in the sky—with SSTV images, audio and image signals articulated by artist Amanda Dawn Christie will be received and decoded via SDR (Software Defined Radio) equipment by amateur radio operators around the world, and streamed live online for audiences who do not have the equipment or expertise for reception.

She also talks about the project on a Concordia University article:

The first art transmission was sent earlier today, and if you missed it Amanda live streamed the signals being received on YouTube and the recording is available here. Future live streams will be available here. DK8OK has also posted about his reception on his blog.

Further transmissions are scheduled every day until March 28, and the transmission schedule is available here. Each transmission consists of several 'movements', which consist of differing antenna array arrangements, frequencies being used, and signals being transmitted. If the text formatting of the movements is a bit difficult to read, Reddit user grink has formatted it into a nice table in his post. To follow the transmissions it would also be wise to follow Amanda on Twitter, where she is posting the most up to date transmission frequencies.

As to how the idea for this project came about, the Concordia University article writes:

The idea for the project came about when Christie met Christopher Fallen, the chief scientist at HAARP, at a hackers conference earlier this year. Fallen, who is an amateur radio operator, was intrigued by Christie’s proposition to use the IRI to create site-specific transmission art.

He agreed to open the facility to her, and when she gained backing from the Canada Council for the Arts, Ghosts in the Air Glow officially became the first Canadian-funded project to take place at HAARP.

“Art and science are often seen as separate efforts but they actually share many of the same inspirations and techniques. I’m excited to see HAARP, a unique scientific instrument, used for a comparably unique artistic performance,” says Fallen.

“Amanda’s project will be a valuable contribution to the 50-year collection of scientific work in the field of ionosphere radio modification, and also to the brand new collection of artistic work using powerful high-frequency radio transmitters and the upper atmosphere — it’s art directed from the ground but created in space!”

Interdisciplinary artist Amanda Dawn Christie. Photo by Concordia University

If you prefer a video explanation of the project, YouTube user OfficialSWLchannel has prepared a video which is shown below.


SDRplay Spectrum Analyzer Software Updated to V1.0a

Steve Andrew, the author of the SDRplay Spectrum Analyzer software, has recently released an update which enables several new features. This software allows you to use SDRplay SDRs to scan a wide swath of bandwidth by rapidly stepping through it in 10 MHz (or smaller) chunks over the SDRplay's frequency range. The SDRplay team write:

We are pleased to announce the availability of V1.0a of the Spectrum Analyser software developed by Steve Andrew specifically for the RSP line of products. This is a very-much upgraded version of the original alpha release and includes many new features as well as removing the limitations imposed on the previous version. New features include multiple traces, a versatile marker system with maths, peak find and display functions, Zero or non-Zero IF options and an upgraded tracking generator system. Currently supported are:

RSP1
RSP2/RSP2pro
RSP1A
RSPduo (single tuner mode)

SDRplay Spectrum Analyzer

Othernet Dreamcatcher On Sale for Only $49

Over on the Othernet website the Dreamcatcher hardware is currently on sale for only US$49. This is the lowest we've ever seen it for sale.

If you weren't already aware, the Othernet project aims to bring live data such as news, weather, video, books, Wikipedia articles and audio broadcasts to the world via a free satellite service and cheap receivers. Although an internet connection provides the same data, Othernet's satellite broadcast is receivable in remote areas, will continue working in disasters, and costs nothing to continually receive roughly 200MB of data a day. The trade-off is that the service is downlink only, so the data that you get is only what is curated by the Othernet team.

Currently the public service is in a test period and is only available in North America. Europe has come online recently too, however they write that the current version of Dreamcatcher that is for sale may not be optimal for receiving the EU signal.

While currently active, they write that the Othernet satellite service is not guaranteed to continue long term. However even if the service discontinues, the Dreamcatcher can still be used as a TX/RX capable LoRa radio. In a previous post we demonstrated a fun application with two Dreamcatchers and a LoRa chat application.

Othernet Dreamcatcher

Building a Transmit/Receive Relay System for a “Boat Anchor” Transmitter and SDRplay

Over on YouTube user ElPaso TubeAmps has uploaded a video showing his transmit/receive relay system that allows a "boat anchor" (old radio) ham radio transmitter and an SDRplay SDR receiver to coexist. In order to protect the SDRplay's front end from being destroyed by a ham radio transmitting on the same antenna, a relay should be used to ground the SDRplay's antenna input during a ham radio transmission. He writes:

How to build a small chassis and relay system to switch the antenna from the SDR input to ground and open the speaker connection from the PC to the speakers during transmit. I use "boat anchor", i.e. separate VFO for transmitter and receiver equipment and this video is about that type of connection and is not for transceivers.


SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YateBTS, Wireshark and GQRX.

The OS also teases an LTE search tool and LTE decoder, access to which requires getting in contact with the creators, presumably for a licensing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not a myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer: Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in VMware or VirtualBox.

SigintOS IMSI Catcher

QIRX SDR Beta 2.0.1.0 Released: Improvements to DAB Scanner, Recorder and Spectra Display

QIRX SDR is a multimode SDR program compatible with the RTL-SDR. One of its defining features is that it has a built in DAB+ decoder. Recently beta version 2.01 of QIRX SDR was released, which has some scanner, recording and spectra display improvements. We note that the beta version appears to be a DAB decoder only, with none of the multi-mode features. The new features and improvements include:

Scanner:

  • Configurable w/r to the Muxes to be scanned and/or included in the usual set of Muxes being used.
  • New algo, considerably faster
  • "Scan forever" feature, interesting for DX-ers wishing to observe Muxes over a longer time, particularly together with TII logging.
  • Selectable waiting time after recognition of a Mux, for TII logging.

Recorders:

  • TII Recorder: File structure improved, now directly importable into Excel, with TAB as separator.
  • Audio Recorder (DAB+ only): Format selectable between WAV (as usual) and pure AAC (with ADTS headers). The latter allows for high-quality recordings compressed by at least a factor of 10 compared to WAV. The popular Foobar2000 app is able to play these files. Not seekable yet though, because embedding in a suitable container is not yet implemented.

Spectra:

  • CIR with different scales (Samples, Distance, Time)
  • Indication of the correlation peaks used for the "FFT Window" determination in the CIR spectrum.

QIRX SDR Beta 2.0.1.0