Hacking the Wireless World with Software Defined Radio - 2.0
Vložit
- čas přidán 2. 04. 2015
- By Balint Seeber
"Ever wanted to communicate with a NASA space probe launched in 1978, or spoof a restaurant's pager system? There are surprising similarities! How about use an airport's Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there's 'printing' steganographic images onto the radio spectrum...
Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur - widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by 'blindly' analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I'll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service's Traffic Message Channel.
I'll also look briefly at some other systems that are close to my heart: reversing satellite communications, tracking aircraft using Mode S and visualising local airspace in real-time on a 3D map, monitoring the health of aircraft with ACARS (how many faults have been reported by the next plane you'll be travelling on, e.g. do the toilets work?), and hunting down the source of an interfering clandestine radio transmission.
If you have any SDR equipment, bring it along!"
radio waves are so fascinating and something we rarely ever even think about but yet we use in every aspect of day to day life
Thoroughly enjoyed even after 6yrs of publication. 👏👏✌️
Balint is my hero
Thats saying a ton because you sir are my hero
lol hey samy
Samy is my hero
Respect as well ! I am also signal processor since USSR.
Great talk. I like it how he did not stop once the signals were decoded, but used all kind of plotting software to give nice views.
Thanks a lot for this SDR hands on !
Hello Balint, re 56:21: How can there be separate sets of waves from the reader and card as you have shown with red and green (yellow?) boxes on the scope screen shot if the card uses load modulation of each wave from the reader to send a coded response back to the reader?
When you mentioned _"came in with a B-210"_ ... I'm just old enough to think of a certain 1970s era *Datsun* (before it was rebranded as _"Nissan'.)_
Now all we need is for someone to hack _Microsoft Flight Simulator_ to import realtime ADS-B data ...
wonder how not everybody just commented to this one?!
this guy is a crazy scientist he got serious brains on that stuff
I impressed!
A wired mic would have been a better idea imo.
So interesting though, great to watch!
Just awesome, great job Balint!
good group of lads, good effort to amuse your coworkers
Balint = Brilliant
Superb presentation!
WOW Thank you for this vid this is exactly what i needed to know! :D
40:00 this would be a neat way to visualize/plot where all the airports in a particular area just by compiling enough data over a long period of time and letting it play... Just remove the green and every airport on the map is highlighted red.
The RDS encryption cracking is extremely clever, but I can't help thinking that it was a little bit unnecessary. You already have decoders available - the nav system of any suitably equipped car.
Isolate its receiver from the normal wavebands (disconnect the aerial, shove it in a faraday cage...) and pipe synthetic RDS signals into it direct from your SDR transmitter. For each encoding period, just exhaustively run through each combination of encryption key and location code, and set up a camera and OCR system to scrape the generated locations off the screen. Before too long you'll have a nice database of what location comes out when it's fed a certain key and location on a particular day, and can then apply some simple filtering / sorting to spit out a list of what sets of input data correlate to each location or vice versa.
You can then either apply decryption to that dataset if you like, or just use it as a lookup table. OK, so the actual search space will be somewhere in the millions (16 bits + 5 bits + however many bits for the period = probably at least 24 bits overall), which might imply it'll take some time simply generating the data depending on the reaction speed of your system, but it's not a particularly large data space for any modern system (say each location averages 32 characters, and you have 16 million of them, that's a modest 512mb memory card).
And even if you just use it as an incomplete source of data for decryption, maybe only pulling a couple thousand period-key-code + location output pairs out per day, it gives you a vastly increased spread of ciphertext plus ersatz plaintext to compare against, even if there's an additional job of work in coming up with what the actual decrypted locations are (...but knowing those is only really useful if you have direct access to a database, e.g. a ~512kb ROM inside the radio, that takes that 16-bit value as an input and spits out a, say, 32-character location name at the output; as that data is likely part of a larger system ROM, itself encrypted and signed if we take the example of the database SD cards that go in my own integrated satnav, you're probably better off just correlating ciphertext+key+period trios to human-readable output strings, assigning them your own arbitrary 16-bit code based on the initial order in which they appear, and figuring out which combinations you haven't yet had the time to run through will produce those strings in future).
Rinse and repeat for each separate region. With a suitably distributed effort, maybe with several people in each area tackling a particular portion of that area's codespace, you could have the location codes for the entire US figured out pretty quickly and reduce the decryption effort to a simple rainbow table style lookup.
NB of course it's probably a 1MB+ table in ROM that contains not only the road / location name but a pair of GPS coords (~24 bits per lat/long should provide more than ample ~1.5m / ~5ft accuracy, meaning an additional 12 bytes, leaving a somewhat less cramped 52 bytes for the ASCII name), for the start and end nodes, especially for long roads where you want to divide them into several segments, each inter-exit section of a freeway etc. That would require quite a bit more donkey work, most likely wholly human unless you're quite good at coding up soft AI systems, to manually correlate each ASCII name with the start/end points. Unless of course there's already a suitable database out there which one could refer to...? (I genuinely don't know, but I'd be surprised if there _isn't_ )
Hello I have a hackrf one portapack do you have a link to make the parameter thank you
Are any of the flowchart source available? I'd love to try the gsm/asterisk demo on a limesdr!
Regarding the reverse engineering of the rf transmitter, how does this compare to Michael Ossman's Clock Recovery technique presented at GRCon16? His video shows a way of automating the data recovery given a bunch of recorded files.
Finally, can gnuradio be used to transmit atsc? I'd love to test transmitting video and see if if my tv picks it up!
The basestation software he mentioned literally has "open" in the name, and the DSP filtergraph software is called "GNUradio" (with GNU being the original G in GPL), so I expect it's all out there if you look for it...
I found the RF tags under a table at Panera bread, I think they may have gotten those tables from somewhere else. Let's just say that the table will never say goodbye or make you cry.
Airplane text messages: "RIGHT ENGINE IS ON FIRE. LOL JK." Why does that guy have to interrupt to ask a stupid question? Last I checked he's not the only person in the audience. Good for him putting him in his place. That's my $0.02 and I hope that guy reads this post.
He has such a nice boss
really wonderfull
I'd have loved to have seen this without the time rush toward the end... However, fascinating one the less.
George M1GEO.
Agreed♡ 73
Hello I'm new today :) glad I got told about this ♡
Can this get a 1g network working to play with a old bag phone
hola, me interesa como usar el radar primario de un aeropuerto para tener un radar personal usando la la señal de potencia de ellos , interesante , hay alguna novedad del proyecto?
I have the ADS-b software but where can you get the google earth program?
Dave B Because it's from
earth I would go to earth.com and search for google earth.
its like war driving for gsm and any hf in his car!!!.... (my head just exploded)
I test GM 2.17 Software with a BTS System, it was unbelievable..
where can i download the software GM 2.17 ?
I was impressed until the end when it was thought important to listen to the transmission which drowned out his voice.
As a technical person, I am impressed by the material. But as a citizen, I find it concerning.
If one could transmit a false road report (the digital equivalent of "Aircraft crash into Golden Gate bridge - bridge closed"), GPS-directed traffic throughout the bay area could be stalled. This is more than a prank - it could cost lives (critical patients in ambulances), disrupt work (medical folks unable to get to work), etc., cost hundred of millions of dollars in lost productivity.
Rail systems rely on track-side diagnostic equipment. Some of those use RF to communicate. Imagine that a false indication of a switch malfunctioning was sent. Commuter train traffic into and out of NYC's Penn Station could be halted.
I suspect that there are fuel and natural gas pipelines with remote sensors using RF to provide status. Could a bogus status packet cause a shutdown of a natural gas pipeline (similar to the Colonial Pipeline incident)?
I think that private and railways communications systems are using some kind of encrypted protocol, so no one outside of the rail company will be able to control a switch (event by re-broadcating a frame, it should be ignored by the ref device since some kind of id, stored in the encrypted packet, would have been changed).
Of course the nature of publicly broadcasted signal is up to having. You could easily broadcast a fake FM radio saying an atomic bomb has been launched, that’s the same thing as the Golden Gate Bridge closed.
The sneeze at 32:56 haha.
I wish to work with him..
My brain exploded. Then I ordered an Rtl SDR board for 20 bux
TheMrKrause I'm sorry you bought the rtl, get the sdrplay and use hdsdr. I use the sdrplay on my ham radio station
Interesting presentation :)
Bálint.
It's a Hungarian name 😍 🇭🇺
Like Csíkszentmihályi Mihály 😍
Unfortunately he skipped the better parts of the (prepared) talk. Good video however.
That encryption scheme - maybe the _”Puzzle Palace”_ should take notes …
Just kidding - sort of. Or maybe .. it’s so _”ridiculous”_ that it might be useful because no one would suspect such a naive implementation. (Or use something _”super secure”,_ like *ROT13.)*
Didn't quite catch that last bit at the end there...
What's the software?
There are many pieces of software in use, which I think he mentions, but the main one he uses that I think you're referring to is probably Gnu Radio Companion
is it legal to use an airport's Primary Surveillance RADAR to build your own bistatic RADAR system ?!!
Wonder how many viewers are Ham Radio ops? -- de M1GEO.
yes tal
k over the raw frequencies you derpleton
Sure blame it on the nitrogen because the hydrazine isn't going to outgass.
i think i just had a stroke watching this video ....
59:59 - 01:01:20 WAT? I can't hear you.
haha
Yeah, I was diggin the vid until it gave me that headache. Ps. I’m from the future.... or past? Idk, time is confusing...
You can just write a simply flowgraph in GnuRadio to demodulate it and filter out his voice.
portapack h2 mayhem
WOuld anyone be kind enought to point me in the direction of building a GSM network of my own for fun? THanks :)
www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
Up
Gray hat
Let's send bitcoin via SDRs!
NÅGOT ATT ENS HA?
i have a hacker doing this type of thing to my guitar amplifier, have you ever heard of that?
OpenBTS
My whole concern is... Why approach that question in that manner? I'm not qualified to speak on behalf on mathematics, although I was an A+ student in HS, trig, ap calc... I'd like to think that one has the capacity to resolve an equation from MULTIPLE angles of resolve. think Geometry.
Bot
That mic pop though
this was back in 2015? Interesting information just not presented very user friendly. Can't understand most of the stuff he talks about. Still is interesting.
anyway, Malasian 370 is gone to black hole. ;-(
Yeah, this is bad in the wrong hands. Our property was stolen from us. i have been testing our phones and pcs and have found that we are still hacked connected to asterisk pbx system.
U. S. army combat communications 31k, cellphone repair and installation, Central office equipment installation.
so expensive, my goodness
super but if you are student you dont have cash for such a super thing
You can buy a basic SDR for around $20 and a good one for $150. After that it mostly takes skill, not money to get better.
But cheap rtlsdr can not transmit, which is essential for me
Then get a HACKRF, greatscottgadgets.com/hackrf/
You can also get a YARD Stick One which is less than $150 but can also transmit.
For student 150$ is a lot. I bought rtlsdr from china for 35$ and it was little bit too much
Very unorganized and hectic. He could've done better :/
Officially it's illegal in the US to monitor cell traffic. Not sure why the FCC isn't all over him.
You sure? Granted, I've never done anything radio related in the US, but everywhere else I've been, it was perfectly legal to receive on any frequency, you just aren't allowed to decrypt (and in some places even demodulate) the signal (so receiving on the GSM band and even recording the data is OK, but demodulating it and looking at the data frames may not be). Again, don't know about the US, but it seems unlikely that just receiving the signal would be illegal (that would make tools like spectrum analyzers implicitely illegal) and IIRC that's all he's done, he's only shown FFT and waterfall plots in his slides.
Yup. Not even supposed to "look" at it. Not sure how the FCC will check, but no. Manufacturers aren't supposed to sell equipment that can monitor those frequencies.
So Ettus, the Californian company he's working for, based all of its business around developing and manufacturing devices they cannot sell? I'm sorry, but I find that _really_ hard to believe.
Well, police agencies require a warrant to listen to cell conversations, just like land line phones. It is also illegal to record cell phone conversations without both sides of the conversation agreeing. So I would guess a third party eavesdropping would have to ask both sides. Like I said, it would be pretty hard to detect a third party listening, but if you record it and get caught you can be in deep shit.
But that's not what I'm talking about. Cracking encryption (and in some places even demodulating the signal) is illegal, just capturing the signal is not.
The government should ban these sort of devices
paul anthony bulao are you suggesting a new way to the government to lock-up of people?