
Radio Wave Open Source Intel Using SDR by Abi Waddell

BSides Dublin · 2022 · 32:15 · 129 views · Published 2022-05

I'm going to talk to you today about what open source intel, or OSINT, we can gather from radio waves using software-defined radio. I hope this will be useful to red teamers and other infosec professionals who wouldn't normally consider including radio transmissions in the scope of an engagement, especially outside of the Bluetooth and Wi-Fi frequency bands. I'm going to cover a bit on raw data capture and decoding, along with OSINT techniques derived from advanced searches and technical exploration to discover sensitive device and user data, and I'll also touch on the legalities of such radio interception.

But why should we focus on open source intel? The main reasons are to reduce the risk of fruitful pre-attack recon activity, and by fruitful I mean that such activity leads to a breach. The probability that intel from public sources will be discovered and exploited is high, especially as this does not usually require a high level of skill. Leaks that are accessible to the wider public have a high potential of causing reputational damage. Breach recon activities are not usually captured by existing tools and methods, either pre- or post-incident, mainly because such activities occur away from the company network. The good news is that open source leaks can largely be remedied with a small effort but with a large impact on the reduction of risk. And finally, by considering public sources outside of the corporate network, one has a greater visibility of the wider attack surface.

And now I'm just going to give you a very quick overview on getting started with SDR, with some of the equipment used in radio scanning. Traditional hardware-based scanners look a bit like this on the left. They are expensive, usually costing between a few hundred pounds to several hundred thousand pounds, and they have limited or dedicated functions but do it well, and they require less user input: it's usually a simple case of switching on and turning some dials. However, there is little potential for user customization, and it's not usually possible to see the visual signal patterns. A typical hobbyist setup may involve using an SDR dongle, which is about the size of a USB stick, perhaps a little larger, and then an antenna which can work on specific frequencies and may be able to transmit as well as receive. Some can be mounted on vehicles via a magnetized base, and the SDR dongle will usually be plug and play, which will work with most operating systems, and may or may not be able to work as a transceiver. So this gives a brief spec of the Spy and a typical antenna. Most such SDR equipment comes to between 30 and 250 pounds, depending on what you want to use it for and how reliable you need it to be. Sorry, I said that in pounds and not euros, but you get the idea.

SDR# is a popular software app for SDR dongles; it's easy to use and has a multitude of modules that allow you to do some pretty cool things. Many SDR programs share similar features: there is a screen showing the visual signal patterns and an option to select the frequencies and filters. Frequencies are shown clearly and the app has some helpful labels for some of the bandwidth allocations, for instance military air, FM radio and other bands, and the peaks represent the signal strength and time and are extremely helpful when discerning what to listen to. Specific frequencies can be saved and communications recorded. One of the most useful features is the automatic frequency scanner, which saves you the trouble of manually searching for communications that you might want to listen to, and one other nifty module is the digital radio decoder, which can decode various digital protocols such as P25, DMR and D-STAR.

WebSDR allows one... oops, what's going on there? There you go. Sorry, my computer's slow. It's not gonna stay.

[Music]

Okay, sorry about that. I will just talk about WebSDR without showing you that particular slide; that's a bit odd. [Laughter] So basically, WebSDR allows one to listen in on others' SDR and antenna setups without having to get any special equipment yourself; only a web browser is needed. So it's possible to browse to various WebSDR servers in the world and tune into whatever their antenna can pick up, and the dashboard for each is very similar and very easy to use. You get the waterfall display and the option to fine-tune the frequency that you want, and you can squelch background interference noise, alter the volume and make recordings. On the screen you can also see who else is connected to the server, so this sometimes helps to see which bands and frequencies are the most popular to listen to, if you actually need any inspiration. The modulation, such as USB, CW or AM, can be changed along with other settings.

So, is this a bit better this time? No? Okay, let's see. Right, so here is a live police message I heard via WebSDR, via a server based in Cleveland, Ohio. It's quite surprising the sort of sensitive information that one can pick up over the air, such as usernames, criminal records, car license plate numbers, physical and email addresses and passwords. Such sensitive information, however, has been removed from this particular clip, but it kind of gives you an idea. So I'm just gonna play it.

[Police radio clip, partly unintelligible] "...I'm not a female called, caller said inside of this location I can hear a female screaming, also believes there's three other people inside. Caller is not too cooperative with questions, which are called white restaurants will for larceny sentencing, also who is Brexitville PD white for traffic offense." [Music]

And this is a chat between two radio hams that was randomly stumbled on. At various points, people on this channel had mentioned usernames and passwords; in this clip they are discussing buying guns and ammunition. Apologies for the poor sound quality. I think this will be... but note such conversations are not meant to be hidden from general scanners, but it's actually surprising what is discussed.

[Ham radio clip] "You don't have to worry about the background check, but everybody thinks that when you fill out those papers it goes into a national registry. It does not. Where I picked up my five-seven, and that's a fun little pistol. You won't have... you know what, I'm going to be planning on going to J G Gun Sales out there and have a look and see what the availability is of the .22 Magnum. I bought my first AK from them. One time they had a deal back in the early 90s where you could buy the AK and you got a thousand rounds or 1100 rounds or something with it, and I'm going to tell them, I'll fix the check, it right now, tell me that 5.56... that's not a good price, because I bought a thousand rounds and I didn't even have a gun. They had them, they were putting them on the shelves at Walmart. I said just throw that thousand rounds in my cart. It was about a little over a hundred dollars, I think, so a little over 40 cents a round."

It's usually very useful when radio scanning to have the ability to physically locate the source of any transmission, and this is just to summarize some of the methods of doing this. Trilateration requires the distance between the receiver and the transmitter to be measured. Each receiving station measures the length of time taken for the radio signal to reach its position, and when the times from three or more such stations are known, a position for the receiver can be calculated. Each receiving station has an omnidirectional antenna and a very precise clock in order to have any accuracy. A variant on this is time difference of arrival (TDOA), where you can locate a signal source from the different arrival times at the receivers.

Triangulation can be used with multiple fixed-position receiving stations, or it can be used with a single mobile station which has a directional antenna and determines the angle from which the signal is received, keeping the same reference point such as magnetic north; when this angle is taken from three or more different positions, the location of the transmitter can be calculated. It's also possible to use a directional antenna to determine the position of the transmitter by using the antenna orientation producing the strongest signal to indicate the direction of the transmitter; you can then take two measurements from known transmitters in order to be able to apply the triangulation. Directional antennas show an increase or decrease of the received signal strength depending on the physical location and rotation. The Doppler shift method analyzes the received signals and determines the probable direction from which the signal originates. Correlative interferometry is about moving receivers, perhaps in a vehicle, and how different measurements at different positions of the vehicle's trajectory are taken into account.

Transmissions sometimes have to be processed further in order to understand the content. Raw captured data which has been encoded or encrypted can either be processed on the fly, at the time that it is received, by the SDR software using various modules, or this data could be saved to a file, usually a packet capture file, for offline analysis.

So what can we listen to? This is not meant to be an exhaustive list, and no, I'm not saying you should listen to these, but here are a few. Illegal fishing boats can be detected, especially as they often transmit in bands which they are not authorized to. Number stations: these are shortwave radio stations that transmit encrypted secret messages in the form of numbers, thought to be used by government agents. The numbers are sent on predetermined frequencies with the use of automated voice, Morse code or digital modes. Most use a one-time pad encryption, and so only the person who has a copy of the one-time pad will be able to decode the message. Stations are usually given a nickname, and many are well known because of the music they play, and each transmission usually has an intro and an end phrase. So I'll just give you an example of one.

[Numbers station clip] 9 5 5 2 6 1 3 8 3 9 3 5

[Applause]
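The radiolocation methods summarized just before the numbers-station clip, trilateration/TDOA from arrival times and triangulation from bearings, as a worked example. This is added example code, not from the talk or its slides. It assumes a flat local east/north plane in metres; the transmitter position, receiver sites, bearings (with small constructed errors) and arrival-time differences are all constructed for the demonstration rather than captured.

```python
# Added example (not from the talk): fix a transmitter's position from bearings
# (triangulation) and from time differences of arrival (TDOA multilateration).
# Assumes a flat local east/north plane in metres; all positions, bearings and
# TDOAs below are constructed from a hypothetical transmitter, not captured.
import math

C = 299_792_458.0  # speed of light, m/s


def solve_2x2(a11, a12, a21, a22, b1, b2):
    """Solve [[a11, a12], [a21, a22]] @ (x, y) = (b1, b2) by Cramer's rule."""
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-12:
        raise ValueError("degenerate geometry (collinear bearings or receivers)")
    return (b1 * a22 - b2 * a12) / det, (a11 * b2 - a21 * b1) / det


def bearing_to(receiver, target):
    """Bearing from receiver to target, degrees clockwise from north."""
    dx, dy = target[0] - receiver[0], target[1] - receiver[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0


def triangulate(bearings):
    """Least-squares intersection of lines of bearing.

    bearings: list of ((east, north), bearing_deg). Noisy bearings never meet
    in one point, so solve sum(P_i) p = sum(P_i r_i) with P_i = I - d_i d_i^T,
    which minimises the squared perpendicular distance to every line.
    """
    if len(bearings) < 2:
        raise ValueError("need at least two bearings")
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (rx, ry), deg in bearings:
        th = math.radians(deg)
        dx, dy = math.sin(th), math.cos(th)  # unit vector along the bearing
        p11, p12, p22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy
        a11, a12, a22 = a11 + p11, a12 + p12, a22 + p22
        b1 += p11 * rx + p12 * ry
        b2 += p12 * rx + p22 * ry
    return solve_2x2(a11, a12, a12, a22, b1, b2)


def tdoa_locate(receivers, tdoas, iterations=50):
    """Gauss-Newton multilateration. receivers[0] is the reference station;
    tdoas[i] = arrival time at receivers[i + 1] minus arrival at receivers[0]
    (seconds). Each TDOA is a hyperbola |p - r_i| - |p - r_0| = C * dt_i; we
    start at the receivers' centroid and iterate to the least-squares point.
    """
    if len(receivers) < 3 or len(tdoas) != len(receivers) - 1:
        raise ValueError("need a reference plus at least two more receivers")
    x = sum(r[0] for r in receivers) / len(receivers)
    y = sum(r[1] for r in receivers) / len(receivers)
    rx0, ry0 = receivers[0]
    for _ in range(iterations):
        d0 = max(math.hypot(x - rx0, y - ry0), 1e-9)
        a11 = a12 = a22 = g1 = g2 = 0.0
        for (rx, ry), dt in zip(receivers[1:], tdoas):
            di = max(math.hypot(x - rx, y - ry), 1e-9)
            f = (di - d0) - C * dt                # residual of this hyperbola
            j1 = (x - rx) / di - (x - rx0) / d0   # df/dx
            j2 = (y - ry) / di - (y - ry0) / d0   # df/dy
            a11, a12, a22 = a11 + j1 * j1, a12 + j1 * j2, a22 + j2 * j2
            g1, g2 = g1 + j1 * f, g2 + j2 * f
        sx, sy = solve_2x2(a11, a12, a12, a22, -g1, -g2)  # (J^T J) s = -J^T f
        x, y = x + sx, y + sy
        if math.hypot(sx, sy) < 1e-6:
            break
    return x, y


# Constructed demo data: hypothetical transmitter and receiver sites (metres).
TRUE_TX = (1200.0, 2900.0)
BEARING_RECEIVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
# Bearing fixes with a small constructed measurement error added (degrees).
BEARING_FIXES = [(r, bearing_to(r, TRUE_TX) + err)
                 for r, err in zip(BEARING_RECEIVERS, (0.5, -0.4, 0.3))]
TDOA_RECEIVERS = [(0.0, 0.0), (4000.0, 0.0), (0.0, 4000.0), (4000.0, 4000.0)]
# TDOAs derived from the true path-length differences (exact timings).
TDOAS = [(math.dist(r, TRUE_TX) - math.dist(TDOA_RECEIVERS[0], TRUE_TX)) / C
         for r in TDOA_RECEIVERS[1:]]


def demo():
    """Run both fixes; return (bearing-fix error, TDOA-fix error) in metres."""
    e_tri = math.dist(triangulate(BEARING_FIXES), TRUE_TX)
    e_tdoa = math.dist(tdoa_locate(TDOA_RECEIVERS, TDOAS), TRUE_TX)
    return e_tri, e_tdoa


if __name__ == "__main__":
    e_tri, e_tdoa = demo()
    print(f"bearing fix off by {e_tri:.1f} m, TDOA fix off by {e_tdoa:.4f} m")
```

Running it shows the bearing fix landing a few tens of metres off, because the three bearings were deliberately perturbed and so do not intersect in a single point, while the TDOA fix converges onto the constructed position. The practical caveats the talk alludes to show up directly in the maths: TDOA needs the stations' clocks synchronised to a few tens of nanoseconds (10 ns of timing error is about 3 m of path length), and a bearing error of half a degree grows to roughly 26 m of positional error per 3 km of range, so bearing fixes degrade quickly with distance.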

Right, sorry about that. The SETI project aims to detect radio signals originating from intelligent species in space, so it's like OSINT for aliens, basically. Multiple stations around the world monitor stars for a period of time to collect the data, and the collected audio is analyzed using special software. Long-range, low-power wide-area network (LoRaWAN) IoT devices can be decoded and decrypted, but this appears to be a work in progress. DECT cordless phones can be unencrypted, and usually have weak encryption if encryption is used. Iridium and Inmarsat satellite transmissions can be decoded. Some wireless keyboards are vulnerable to being sniffed by measuring the received signal strength of messages transmitted between the keyboard and the dongle attached to the computer; looking at the timings between different keystrokes, and also using machine learning, you can look at the likelihood of a particular word being entered by the target user. Military radio transmissions can be picked up in the clear, particularly if commercial handsets are in use; recently a set of bands for a particular country's alleged military were publicized on Twitter. Fake 4G base stations can be detected using the Crocodile Hunter tool, which essentially decodes the master information block and system information block for a group of cells and detects anomalies in these results, whilst determining the probable location of these cells using radiolocation techniques. Anomalies in the results include cells that move location or change strength or have missing parameters, and also cells being located in unexpected places. And finally, experiments have been done to fingerprint Wi-Fi adapters using radio frequency analysis, and this has around a 95% accuracy.

Pager messages can be intercepted and decoded on the fly using SDR# and other software. Pagers are not so commonly used these days, but have a high likelihood of their transmission being captured because the signal travels over long distances. Hospital staff and taxis still use pagers, but the technology is being phased out. Pager transmissions have a very distinct waterfall view and sound. SDR can also be used to detect... oh sorry, pagers... things like baby monitors, which can be listened to in the clear, not just to listen to the immediate vicinity but to pick up sounds in other rooms. Both of these, pagers and baby monitors, shouldn't really be listened to from an ethical standpoint, but it's worth mentioning because it's what people can do, and people need to be aware of that.

SDR can also be used to detect emanations coming from electrical equipment, commonly known as a TEMPEST attack. This works by positioning the SDR and antenna close to the monitor of the victim computer and then picking up the live image being displayed on this device, but on the attack computer which is running the SDR software. Whilst it's easy and straightforward to run the TEMPEST attack software, getting the technique to work effectively is a bit hit and miss, and also requires being very close, like within a few meters, to the target device.

OSINT gathering can be put into different categories according to the type of repository of the data, the expected levels of permission to this data and the level of sensitivity. This is an OSINT data retrieval model I created. As the tiers go down, the data generally, but not always, is more sensitive and requires more permission to access. So at the very top, the mainstream category includes anything freely available to the public. The select category is data that's only meant to be shared with a specific group; this includes most deep web sites. Down to privileged, which requires an applied-for account in order to access it, and such accounts usually require payment or further verification beyond a simple device 2FA, for instance; examples of this include pay-for news or media subscription sites. And then down below, the more invasive methods usually result in obtaining more sensitive data but require greater permission levels. Any data out in the open from these methods is likely to be from unintentional leakage. So an example could be: I'm emailing a hotel reception about my room booking, but they respond to me with an email that is intended for a different customer by mistake; or a web page is misconfigured and shows a list of hidden files and directories which anyone can access if they are technically able to find the misconfigured URL.

So what follows now are ways of obtaining OSINT data relating to radio transmitters and users. The RadioReference site and this area on the Ofcom site allow one to search for organizations' owned licensed frequencies, with location details of their transmitters. In the example is one such big blue-chip company's transmitters in the UK; I'm not saying who, but this again is freely open and available, this sort of information. In the United States, the FCC site has a search facility to look up callsigns, frequencies and use, site addresses of licensees and other information. The signal identification... there we go, sorry, okay, it's taking a long time, sorry about this. Okay, we skipped ahead. The Signal Identification Wiki site, which is on the previous slide (it's not working, I'm sorry about that), is useful for looking up the frequency bands and includes samples of what these signals look like. And here there are various sites that show live movements of flights and ships, such as RadarBox and VesselFinder. The WSPR or "whisper" network, which stands for Weak Signal Propagation Reporter, is a global set of transmitting and receiving WSPR radio stations that document any spots or detections of specific radio transmissions. So a single WSPR link can provide detection of an aircraft along its propagation path, using high frequency transmissions over several thousand kilometers. Multiple WSPR links synchronized at the same time can provide more specific data, and it's possible to track an aircraft as it will produce a scatter of radio signals. It was possible to track some of the journey of the doomed missing Malaysian flight MH370 using this method, as all search efforts hadn't met with any success.

OpenCelliD is a useful site to see the location and details of cell towers, and the Helium Explorer map shows the location of all the active Helium cryptocurrency mining devices. If you suspect a particular device of interest, either because of its owner or its possible geographical location, it's possible to find out more about this device if it's an iPhone and has the Find My iPhone service enabled and you know the user's iCloud credentials, because one can skip the two-factor authentication in order to use the app via a browser. Obviously this is a feature which is there by design, as it allows users who have lost their phone to find it, and they only need to log into iCloud to do this.

So if an unauthorized user has possession of the victim's iCloud credentials, they can go right in and see the phone model they use and also their geographical location. Knowing that the user has an iPhone 12 here, we can assume that ultra-wideband may be in use, and this information may be useful if conducting further assessments in the locality. Ultra-wideband (UWB) is a radio technology that can use a very low energy level for short-range, high-bandwidth communications and is particularly suited to precision location activities. Apple was the first to introduce this in smartphones, and the advantage of this over Wi-Fi and Bluetooth is that it uses less power and has greater location accuracy. Some of the ultra-wideband applications for phones include the Apple car key, improved seamless media file transfers and connection with home IoT devices.

The SpyServer map shows users who have registered their SDRs as servers on this site, and this shows which are live, their location and other details like the operating system, the type of device in use, IP address and username. And with the location coordinates given in the previous step, or even with the IP address, from which one can discover a related map location, it is then possible to target surrounding radio frequency transmitters, including Wi-Fi hotspots, by using the advertised SDR server to scan for signals in the locality. This is within the bounds of open source, as the SDR server is meant to be accessed by the public.

Another way of looking for IoT device information is to access their enabled and open ports and services. Routers which also run cellular and RF services are often accessible this way. So this Nebra hotspot miner device was accessed over this specific port and showed the device's version, the MAC address, the Helium address and frequency. The other example on the right shows the files accessible over anonymous FTP on port 21 on a Samsung DVR device. This 4G IoT Netcom device login screen was accessed over a browser in the same way; it wasn't necessary to log in in order to see the status details, which showed the IMEI, the MZ firmware and other details.

One way of discovering the two-way radio frequencies in use by a target company is to discover the handset models in use. Different radio models usually have their own default frequencies, which may not be changed by the users. One particular way of establishing this is to use tender or contract award databases and websites, as these may reveal the radio supplier and/or security company that the target has engaged to work with. In the UK, BidStats is an example of such a site, and this is freely accessible. The redacted contract award here shows the supplier, which is a manned security company.

Another useful source is spreadsheets and other databases on public spending. So in this example, a security company was paid several thousand pounds to provide stewarding services to an event being held by the organization listed. Also useful for finding a company's suppliers is the web statistics functionality that is sometimes on company websites; such stats show site visitors, which may include suppliers, and there are also paid-for site search engine analytics services that can show much more detailed site backlinks and referrers. So once the radio or security supplier is found, one can look into the likely radio device models, and from then the frequencies in use. I did an assessment (oops, is that right? Yes, sorry) of the likely frequencies that the manned security guards of a big blue-chip organization were using for their two-way radio communications. By just talking to them, I found out that they used analog two-way radios at one of their sites, and so this would have been easy to pick up with a scanner; at the head office site the security guards used a mixture of digital and analog radios. A search of their suppliers and equipment showed that there was a high probability that Hytera radios were in use, which would have been set on a specific set of frequencies if left, of course, to the default settings.

Images of devices in use can sometimes be found on public sources, and it's often useful to get creative with the search terms in use if a particular image is of a poor quality. So this example shows the X-ray scanner in an airport on a military base. The first search terms that were used, "x-ray scanner" and the name of the base, in Google, brought up the image on the left, which is pretty blurry; you can't really read or see what the make is. However, a search for "screening device" plus the name of this base shows another photo which shows the device make quite clearly: High Tracks. So whilst this isn't a typical IoT device, it's basically the same principles.

Another place to pick up open source data on IoT websites is bug bounty sites, which allow organizations to make freely accessible details of their servers and applications, and pointers to where they believe vulnerabilities are. This information can then be used for further exploitation. Obviously this is not to discourage companies from seeking help and wanting to improve their security, but it's to make you aware of how someone with little scruples could make use of this data. So in this example we see a well-known crypto miner development site's details, showing the URL that isn't in public sources and a description of possible ways that they believe it could be exploited.

It's possible to pick up quite a bit of OSINT from the D-STAR, DMR and other common standard gateways and servers, using such sites as d-stargateway.org, where you can get information on the last known callers and their location. Very often one sees gateway or server owners publicizing in great detail the configuration of the hardware, with photos and the admin console readily accessible. Likewise, the RadioID.net database shows DMR and NXDN users and repeater details.

It's easy to forget, or not to worry too much about, whether you'll be breaking the law owning and using an SDR. The laws are often different in each country, or even in different jurisdictions within the same country, and the likelihood of getting caught is very low. Here are some general rules, however, to abide by. If in doubt, don't have a scanner in your car, not just actively working but just physically in your car, switched on or off. Don't use your scanner to transmit. An obvious one, but don't use your scanner to commit a crime. Don't obtain material benefit from your scanning activities. Don't use your scanner to decrypt communications. Don't scan cellular frequencies. Don't possess the scanner if you've been convicted of a crime in the last five years; some states in the United States have that as a rule. And finally, look into whether you need to get a license from your national communications regulatory body.

In the UK, the main law of interest is Section 48 of the Wireless Telegraphy Act, and this says there must be no intent to obtain or disclose information from any private message, except where the information would have come to the person's knowledge via non-RF sources from others. So the journalist who shows up at the site of a burning building to report on it, as a result of hearing a fire service emergency transmission via a scanner, would be acting illegally. You don't need a license to use a scanner unless it's capable of transmission. In practice, it's difficult to police anyone contravening these laws: Ofcom only investigated three offences under this section between 2016 and 2021, so that's an average of one every 18 months or so.

It's a plausible defense to say that certain frequencies were stumbled on by accident, and the onus therefore should be on the people transmitting the confidential transmissions: they should be encrypting or encoding them. The law in the United States varies considerably between the different states. In general, the FCC and the Communications Act do not forbid the interception or overhearing of your neighbor's conversation over a cordless telephone, or listening to emergency service reports, media broadcasts and transmissions by amateur radio operators. Now this bit is interesting: it's legal to intercept communication that is readily accessible to the general public. This may be open to interpretation; clearly a cordless telephone conversation is not meant to be heard by the general public, but they can be readily accessed by the public. Emergency services communications in the UK are encrypted by default, as opposed to in the United States, where most are unencrypted by default. Some police forces there have made the deliberate decision to leave their transmissions unencrypted, to enable different police forces and emergency services in other jurisdictions to be able to communicate with them effectively, and also to provide a level of accountability to the general public who may be listening in to their communications. And here it's illegal to manufacture, import, sell or lease equipment that can intercept or disrupt the cellular service. Many thanks, I hope that was useful.