SDR 101 - NDSU CyberSecurity 2017

Posted on 22-Mar-2017


Software Defined Radio 101

Mike Saunders @hardwaterhacker

About Mike

• Started IT in 1998

• Security since 2007

• Avid ice fisherman

http://nickolaylamm.com/

Signals Around Us

• Cell phones (900/1,800/1,900 MHz)

• Wifi (2.4 & 5 GHz)

• Bluetooth (2.4 GHz)

• Zigbee (2.4 GHz)

• Broadcast TV (54 - 900 MHz)

• Pagers (35/43/152/157/163/454/462/929 MHz)

• ADS-B (978/1090 MHz)

• AIS (162 MHz)

• HAM radio (varied)

• Police & military comms (varied)

• Satellite comms (varied)

• Cordless phones (1.7/27/43-50/900 MHz, 1.9/2.4/5.8 GHz)

• Radar (varied)

• Car remotes (315 / 433 MHz)

• Garage door openers (310/315/390 MHz)

• TV remotes (varied)

• Wireless presenter remotes (varied)

• Etc. etc. etc.

What is SDR?

• Radios used to be implemented in hardware

• Software Defined Radio - software tunes receiver hardware to desired frequency

• Additional software can decode transmission to reveal data

• Signals can be transmitted with certain hardware

What You Need

• Hardware

• RTL-SDR dongles, HackRF One, Ubertooth One, Yardstick, Funcube, etc.

• Antenna

• Software

• GNU Radio, SDR#, GQRX, etc.

Getting Started - Hardware

• Generic RTL2832U / R820T

• ≈ $15

• 25 - 1700 MHz

• RX only

Getting Started - Hardware

• Generic RTL2832U / R820T

• Aluminum case limits noise

• ≈ $25

• 25 - 1700 MHz

• RX only

Getting Started - Hardware

• HackRF One

• ≈ $330

• 10 MHz - 6 GHz

• TX & RX

• 20M samples/second

Getting Started - Software

• Windows

• SDR#, HDSDR, SDR-RADIO.COM

• Mac & Linux

• GNU Radio, GQRX, Linrad

• Android

• SDR Touch, Wavesink Plus, RFAnalyzer

Getting Started - SDR#

• SDR# - www.airspy.com

• Quick start guide - http://www.rtl-sdr.com/rtl-sdr-quick-start-guide/

Getting Started - Tuning

• http://www.nws.noaa.gov/nwr/coverage/station_listing.html

• https://www.youtube.com/watch?v=gFXMbr1dgng

Getting Started - FM Radio

Common Problems

• Don’t forget to install the driver with Zadig for a generic RTL dongle

• Some USB 3.0 ports don’t work well

• Issues with USB passthrough in VMs

• Frequency drift due to temperature differences (non-TCXO chipset)

SDR# Common Problems

• Slower processors = dropped samples, choppy audio

• Even an issue in VMs on more powerful hardware

• HDSDR is harder to use, but has less overhead

ID an unknown signal

• Spend time sweeping through frequencies

• Search for known frequencies at radioreference.com

• Look up signal waterfall on sigidwiki.com

• Signal @ 152.480 MHz

radioreference.com

FCC License Search

Search Results

Review Frequencies

Review Registration

Check SigIDWiki

Captured sample waterfall vs. SigIDWiki reference (screenshots)

Legal Disclaimer

• I am not a lawyer, this may or may not be illegal

• Research and decide for yourself

• 18 U.S.C. § 2511

• 18 U.S.C. § 2510

Decoding Pages

• Walk through:

• http://www.rtl-sdr.com/rtl-sdr-tutorial-pocsag-pager-decoding/

• You need:

• SDR#

• VBCable

• http://vb-audio.pagesperso-orange.fr/Cable/index.htm

• PDW

• http://www.discriminator.nl/pdw/index-en.html
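Added illustration, not part of the talk: a minimal POCSAG codeword encoder/decoder in Python that shows what PDW is doing with the audio SDR# hands it over VBCable. The generator polynomial and the sync/idle codewords are the published POCSAG constants; the message text is constructed for the example.

```python
# Added example (not from the talk): a minimal POCSAG codeword encoder/decoder.
# Each 32-bit codeword = 21 data bits + 10 BCH(31,21) parity bits + 1 even-parity
# bit; text is 7-bit ASCII sent LSB first, unencrypted, which is why PDW can read it.
GEN = 0x769          # BCH(31,21) generator polynomial x^10+x^9+x^8+x^6+x^5+x^3+1
SYNC = 0x7CD215D8    # POCSAG frame sync codeword
IDLE = 0x7A89C197    # POCSAG idle codeword (fills unused slots)

def bch_remainder(word31: int) -> int:
    """Remainder of a 31-bit word modulo GEN over GF(2); zero means no BCH error."""
    rem = word31
    for bit in range(30, 9, -1):          # long division, MSB first
        if rem >> bit & 1:
            rem ^= GEN << (bit - 10)
    return rem

def make_codeword(data21: int) -> int:
    """21 data bits -> 32-bit codeword: data, BCH parity, then the even-parity bit."""
    word31 = data21 << 10
    word31 |= bch_remainder(word31)
    return word31 << 1 | bin(word31).count("1") & 1

def is_valid(cw: int) -> bool:
    """True when both the BCH check and the trailing even-parity bit pass."""
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0

def encode_alpha(text: str) -> list:
    """Pack ASCII text into message codewords (bit 31 set), 7 bits/char, LSB first."""
    bits = [v >> i & 1 for v in (ord(c) & 0x7F for c in text) for i in range(7)]
    bits += [0] * (-len(bits) % 20)                  # pad to whole 20-bit chunks
    words = []
    for i in range(0, len(bits), 20):
        chunk = int("".join(map(str, bits[i:i + 20])), 2)
        words.append(make_codeword(1 << 20 | chunk))  # message flag + 20 data bits
    return words

def decode_alpha(words: list) -> str:
    """Recover text from a codeword stream; sync, idle and address words carry no text."""
    bits = []
    for cw in words:
        if not is_valid(cw):
            raise ValueError(f"BCH/parity failure in codeword {cw:#010x}")
        if cw >> 31:                                  # bit 31 set = message codeword
            bits += [cw >> i & 1 for i in range(30, 10, -1)]
    chars = [chr(int("".join(map(str, reversed(bits[i:i + 7]))), 2))
             for i in range(0, len(bits) - 6, 7)]     # un-reverse each 7-bit group
    return "".join(chars).rstrip("\x00")              # drop NUL padding

if __name__ == "__main__":
    # Constructed frame, not a real capture: sync word, message, idle fill.
    print(decode_alpha([SYNC] + encode_alpha("CALL EXT 4412") + [IDLE]))
```

The BCH code only corrects transmission errors; nothing in the format hides the payload, so every pager in the area receives the same readable text.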

More Common Problems

PHI/PII Galore

Houston, we have a problem

Now *That’s* Interesting

Look! Free Voicemail!

Next Steps

• Garage door hacking - http://samy.pl/opensesame/

• Ding Dong Ditch - http://samy.pl/dingdong/

• Decode a signal using GNU Radio

Wrap Up

• Get started cheap

• All kinds of signals to listen to and analyze

• Be responsible with what you find

• Report issues

Resources

• http://www.rtl-sdr.com/rtl-sdr-quick-start-guide/

• http://www.radioreference.com/apps/db/

• http://www.sigidwiki.com/wiki/Database

• http://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp

• Noise Floor - @0xabad1dea - https://www.youtube.com/watch?v=5N1C3WB8c0o

Resources

• https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-leaking-beeps-healthcare.pdf

• https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_leaking-beeps-industrial.pdf

• http://www.fieldxp.com/ - Book series on SDR & GNU Radio

• https://www.blackhat.com/docs/us-14/materials/us-14-Picod-Bringing-Software-Defined-Radio-To-The-Penetration-Testing-Community.pdf

Resources

• http://gnuradio.org/redmine/projects/gnuradio/wiki/Guided_Tutorial_Introduction

Questions?

• mike@hardwatersecurity.com

• https://hardwatersec.blogspot.com

• @hardwaterhacker