
Opening and Starting Honda Civic Vehicles with a HackRF Replay Attack

A few months ago university student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how insecure the remote keyless locking system on various Honda vehicles is, and how easily it is subject to very simple wireless replay attacks. A replay attack is when a wireless signal, such as a door unlock signal, is recorded and then played back at a later time with a device like a HackRF SDR.

Most car manufacturers implement rolling code security on their wireless keyfobs, which makes replay attacks significantly more difficult to implement. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from years 2016-2020 come with zero rolling code security:

This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.

In the videos on the GitHub demonstration page they show a laptop running a GNU Radio flowgraph and a HackRF SDR being used to turn on the engine of a Honda Civic, and to lock and unlock its doors.

Various news agencies reported on the story, with "The Record" and BleepingComputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting,” further noting that “legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.” Martin went on to note that Honda has no plans to update their vehicles to fix this vulnerability at this time.

Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.

In the past we've seen similar car hacks, but they have mostly been more advanced techniques aimed at getting around rolling code security, and have been difficult to actually implement in the field by real criminals. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and HackRF. It's possible that a HackRF and laptop are not even required. A simple RTL-SDR and Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
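The difference between a fixed-code and a rolling-code receiver, as an added example that is not from the original post or the CVE proof of concept. It is a simplified model in which a counter plus truncated HMAC-SHA256 stands in for a rolling code (an assumption, not any manufacturer's actual scheme); the key, frame layout and all names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 8  # truncated MAC length in bytes (constructed for this model)

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: counter || command || truncated HMAC over both."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class FixedCodeReceiver:
    """Models the flawed design: one static frame per command, no freshness."""
    def __init__(self, valid_frames):
        self.valid_frames = set(valid_frames)

    def accept(self, frame: bytes) -> bool:
        return frame in self.valid_frames  # a recorded frame stays valid forever

class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter is new."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last_counter = key, 0
        self.window = window  # tolerates presses made out of radio range

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or edited frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False  # replayed (stale) or implausibly far ahead
        self.last_counter = counter
        return True

def demo() -> dict:
    key = b"constructed-demo-key"  # sample value, not a real fob secret
    static = b"UNLOCK-STATIC"  # constructed stand-in for a fixed frame
    fixed, rolling = FixedCodeReceiver([static]), RollingCodeReceiver(key)
    captured = make_frame(key, 1, b"UNLOCK")  # what an eavesdropper records
    return {
        "fixed_replay": fixed.accept(static) and fixed.accept(static),
        "rolling_first": rolling.accept(captured),
        "rolling_replay": rolling.accept(captured),
        "rolling_next": rolling.accept(make_frame(key, 2, b"UNLOCK")),
    }
```

The model covers plain record-and-replay only; the more advanced techniques aimed at rolling code that the post mentions are outside its scope.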

More information about the hack can be found on HackingIntoYourHeart's GitHub page. He writes:

Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all. On top of being able to start the vehicle's ENGINE whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.

Lon.TV Demonstrates Decoding Various Digital Signals with RTL-SDR

Tech YouTuber Lon.TV has recently uploaded a video demonstrating how to identify and decode various digital transmissions with an RTL-SDR dongle. In the video he explains how to use VB Cable to pipe audio from SDR# into various decoders, and then goes on to show DMR, APRS, POCSAG, L-Band AERO, FT8, and JS8/JS8CALL all being decoded via an RTL-SDR Blog V3 dongle.

Software Defined Radio Part 2 - Decoding Digital Transmissions with an RTL-SDR USB Radio

SDR# and other Hobbyist Ham Radio Software Spotted in Netflix TV Show Yakamoz S-245

Thanks to all who submitted. We recently received some interesting tip-offs about the Netflix TV show Yakamoz S-245 featuring a scene with various hobbyist SDR and ham radio programs clearly visible. Yakamoz S-245 is a show about a submarine research mission, and the scene appears to depict military intelligence specialists using the programs.

In the scene we've spotted SDR#, MMSSTV, FUNcube dashboard, SATPC-32, and Orbitron. For those interested, the scene is in episode one, from 11:20 to 12:00.

SDRSharp Guide V4.2 Released

Paolo Romani (IZ1MLL) has recently released version 4.2 of his SDRSharp PDF Guide. The book is available for download on the Airspy downloads page, just scroll down to the title "SDR# Big Book in English".

As before the document is a detailed guide about how to use SDRSharp, which is the software provided by Airspy. While intended for Airspy devices, SDRSharp also supports a number of third party SDRs, including the RTL-SDR, and it is the software we recommend starting with when using an RTL-SDR.

Paolo writes:

My new v4.2 SDRsharp PDF is out. The guide is now 139 pages long, and covers all the settings, UI customization, included and third party plugins, and use of some external decoders and software, now with Spyserver integration with Raspberry Pi 3/4, etc etc...

Running GR-GSM and IMSI Catcher on a Raspberry Pi 4 with Dragon OS

DragonOS is a ready to use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. The creator Aaron also runs a YouTube channel showing how to use the various packages installed. 

In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.

GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but it can be interesting to investigate the metadata. GSM is mostly outdated these days, but is still used in some areas by some older phones and devices. IMSI Catcher is a script that records all detected GSM 'IMSI' numbers received by the mobile tower; these numbers can be used to uniquely identify devices.

Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on Source Forge.

https://drive.google.com/drive/u/1/fo...

A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts was used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and although only briefly shown in the video, the IMSI Catcher script works.

Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.

https://github.com/bkerler/gr-gsm

DragonOS Pi64 Testing GR-GSM + IMSI Catcher w/ GNU Radio 3.10 (RTLSDR, Pi4, LimeSDR, OSMO-NITB)

Lightweight Windows Software uSDR Updated to Version 1.5.0

Since 2021 we've posted about Viol Tailor's "uSDR" (microSDR) software a couple of times. uSDR is a lightweight general purpose multimode program for Windows that supports the RTL-SDR, Airspy, BladeRF, HackRF and LimeSDR radios. The software can be downloaded from SourceForge.

Viol notes that recently the project has been updated to V1.5.0 which brings the following new features and changes.

  • lock device frequency on zoom option
  • keep waterfall history – the very great option, do not lose any rare signals
  • advanced passband IQ recorder
  • passband IQ TCP server for remote processing, C/C++ client source examples included
  • advanced audio player, auto selectable sample rate, separate left/right channels
  • CTCSS decoder
  • markers import option convenient for merge markers 
  • Ctrl+Shift+Drag Up/Down – change spectrum magnitude offset
  • Ctrl+Shift+Mouse Wheel – change spectrum magnitude range (vertical zoom)
  • Ctrl+Mouse Hover – highlight nearest marker
  • Ctrl+Double Click – tune to highlighted nearest marker
  • band plan visualization, simple text format
  • frontend interface improvements
  • GUI improvements
  • spectrum and waterfall popup menus improvements
  • a lot of bug fixes

uSDR aka microSDR. A lightweight SDR receiver program for Windows.

Skies-ADSB: A Browser Based 3D Aircraft Tracker with RTL-SDR ADS-B Receiver

Thank you to Don for submitting news about the release of his new software titled "Skies-ADSB". Skies-ADSB is a browser based app that provides a 3D view of the air traffic around your area. The software can be served on a local networked Raspberry Pi, with ADS-B data being provided by an RTL-SDR connected to the Pi.

skies-adsb is a virtual plane spotting progressive web app (PWA) / virtual aquarium (with aircraft instead of fish) / interactive real-time simulation.

Aircraft are tracked via unfiltered ADS-B transponder data in real-time and rendered in 3D.

The ADS-B data source is meant to be a RTL-SDR receiver connected to a Raspberry Pi running on your home network.

Flight status data is provided by the FlightAware AeroAPI v2.

The aircraft photos are provided by Planespotters.net.

An RTL-SDR Panadapter for the TECSUN PL660 Shortwave Radio

Thank you to Joseph IT9YBG for submitting his article describing how he has made an RTL-SDR based panadapter for his TECSUN PL660 portable shortwave radio. The post is a series of pictures that show how Joseph was able to open the PL660 and connect a coax cable to the IF output, and mount the connector on the plastic cover for easy access. He then connects that IF output to the RTL-SDR via a 10pF capacitor.

The result is that Joseph is able to receive the IF output of the PL660 at 451 kHz in SDRUno with his RTL-SDR Blog V3 running in Q-Branch direct sampling mode. He notes that although the IF bandwidth from the PL660 is small, it is possible to decode digital signals by passing the audio demodulated by SDRUno into decoding software. 

RTL-SDR Blog V3 Panadapter for the Tecsun PL660