Tagged: usrp

WarDragon: Testing EMEye/TempestSDR with Wyze Cam Pan V2 Cameras and a USRP B210

Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.

Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.

In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.

I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.

Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.

If you're interested we reviewed WarDragon in a recent post as well.

WarDragon EMEye/TempestSDR Camera Eavesdropping Attack Research (B210, Airspy R2, Wyze Cam Pan v2)

EM Eye: Eavesdropping on Security Camera via Unintentional RF Emissions

Researchers from the University of Michigan and Zhejiang University have recently published their findings on how it's possible to eavesdrop and wirelessly recover images from security cameras via RF unintentionally leaking from the camera electronics.

EM side-channel attacks, i.e. receiving and decoding data from the unintentional RF transmissions of electronics, are nothing new. In the past, we've posted how some laptops unintentionally broadcast audio from the microphone via RF, how a tool called TempestSDR can be used to spy on monitors/TVs via RF leakage, how encryption keys can be stolen from PCs via unintentional RF, and even how Disney is looking to use RF leakage for RF fingerprinting.

In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.

The team has not only released a paper on the topic but has also released the full code as open-source software on GitHub. The software is based on a modified version of TempestSDR, so it may also work for other supported SDRs, like the HackRF and RTL-SDR.

EM Eye: How Attackers Can Eavesdrop on Camera Videos

WarDragon Passive Radar with Blah2 and ADS-B Delay-Doppler Truth

Over on his YouTube channel, Aaron, creator of DragonOS and the WarDragon kit has uploaded a video showing the Blah2 passive radar software working with an SDRplay RSPDuo. In the video Aaron shows some setup steps before showing the passive radar range-doppler graph.

Blah2 is passive radar software that appears to be inspired by the KrakenSDR passive radar software that was removed for regulatory reasons. We note that it is legal for others to publish open source passive radar software, but KrakenSDR cannot legally publish their own open source passive radar software because it would be tied to their own physical product. Providing code would mean they essentially sell an off-the-shelf passive radar product, which is restricted.

The notes in Blah2 specify that it currently only supports the SDRplay RSPduo and USRP devices, but in the future they are looking to add support for the KrakenSDR and modified RTL-SDR and HackRF hardware.

Aaron also briefly demonstrated the related adsbdd software, from the same author as Blah2. This software allows a user to convert ADS-B data to delay-Doppler truth, essentially allowing you to confirm whether an aircraft position determined via ADS-B lies on the range-Doppler ellipse determined via passive radar. In the future the author hopes to be able to plot all aircraft in a 2D delay-Doppler space graph.

DragonOS FocalX Passive Radar Setup + Test w/ Open Source Code (RSPDUO, RTLSDR, Blah2)

ANTSDR E200 set to begin Crowdfunding on CrowdSupply soon

The AntSDR E200 is a software defined radio from Microphase which will come in two flavors. The first is the 'AD9363' version with 2x2 RX/TX, a 325 MHz - 3.8 GHz tuning range, 20 MHz bandwidth and 12-bit ADC. The second is their higher end 'AD9361' version with 2x2 RX/TX, a 70 MHz - 6 GHz tuning range, 56 MHz bandwidth and 12-bit ADC.

It is currently in the prelaunch phase on CrowdSupply.

The AntSDR E200 is based on the AD9363 / AD9361 RF SDR chips, which are used in many existing mid-range software defined radios like the PlutoSDR, bladeRF and Ettus USRPs.

The design itself is very similar to the PlutoSDR and Ettus B205mini, and in fact the developer has ported firmware from the PlutoSDR and the Ettus UHD that allows the device to work just like those devices. It is not yet known if the AD9363 frequency range extension hack available on the PlutoSDR, and the bandwidth overclock hack on the bladeRF, will be possible with the AntSDR E200 as well.

Pricing is yet to be displayed on CrowdSupply, however the AD9363 version appears to already be available for purchase on Aliexpress for US$364.25. Update: Microphase have explained that the units on Aliexpress are not officially authorized units and the Aliexpress price is much higher than what they will charge during the crowdfunding phase.

The AntSDR E200
ANTSDR-E200 demo video

Also, over on YouTube, DragonOS creator Aaron has already been testing his AntSDR with srsRAN, an open-source program that can create 4G and 5G base stations with compatible SDRs like the USRP. Using the modified UHD firmware, Aaron was able to get up and running with the AntSDR E200 very quickly.

DragonOS FocalX E200 w/ Osmo-Nitb-Scrips, srsRAN, and SDRAngel Preview (ANTSDR, b205mini, R29+)

Fissure: An Open Source RF Reverse Engineering Framework

FISSURE (Frequency Independent SDR-Based Signal Understanding and Reverse Engineering) is a recently released open source framework that runs on Linux, and includes a whole suite of previously existing software that is useful for analyzing and reverse engineering RF signals. On top of that it includes a custom GUI with a bunch of custom software that ties everything together in a full reverse engineering process.

Recently the developers spoke at this year's Defcon conference, and the talk video is supplied at the end of this post. In their talk they explain the purpose of FISSURE, before going on to demonstrate it being used to reverse engineer a wireless X10 doorbell. FISSURE makes analyzing the signal easy, starting with spectrum analysis to find the signal, then signal recording, signal cropping, signal replay, crafting packets and crafting attacks.

News and developments about FISSURE can also be seen on their Twitter.

FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions.

The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.

The friendly Python codebase and user interface allow beginners to quickly learn about popular tools and techniques involving RF and reverse engineering. Educators in cybersecurity and engineering can take advantage of the built-in material or utilize the framework to demonstrate their own real-world applications. Developers and researchers can use FISSURE for their daily tasks or to expose their cutting-edge solutions to a wider audience. As awareness and usage of FISSURE grows in the community, so will the extent of its capabilities and the breadth of the technology it encompasses.

FISSURE RF Framework - Griffiss Institute & AIS Monthly Lecture + Education Series

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021 and videos of presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

In the past we've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in-depth reverse engineering project, so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Decoding and Logging GPS Coordinates From Wireless Smart Meters

Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. Recently his series continues with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.

Smart Meter Hacking - Decoding GPS Coordinates

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube, the channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses, allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally, in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a Faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Playlist: Smart Meter Hacking