TrustedSec - SIGINT to Synthesis

Not too long ago, I was at a hardware store and I came across some lights that I wanted to play with because I had a feeling they could be fun for Halloween and make for a decent blog post. Before I purchased the lights, I looked at their online manual and checked to see if they were compliant with Part 15 of the Federal Communications Commission (FCC) rules. This notice is an indication that the lights use radio frequencies to communicate rather than infrared signals. Since these lights use a simple remote and not a mobile application, it was a relatively safe bet that the signal would not use a complicated modulation.

Figure 1 – Target Device
Figure 2 – Manual Confirms Part 15 FCC Compliance

Since the device is FCC-compliant, I popped open the package and looked at the back of the remote for its FCC ID.

Figure 3 – FCC ID From Remote

In the United States, whenever a device transmits radio frequencies, it has to undergo a series of tests before it can be sold, and the results of the tests can be accessed on the FCC’s website. However, trying to find the information within the FCC’s site can be a bit confusing. Luckily, someone created a site, fcc.io, that performs the search for you. So, we can enter our FCC ID from the transmitting device like in the picture below:

Figure 4 – Automated FCC Search

Normally, after you perform this web request, you will be presented with display exhibits that are usually PDFs and images of the tests performed, details of the tests, the frequency range the device occupies, and sometimes internal images of the device. However, this device was originally under a different FCC ID and that ID was found in the Power of Attorney (POA) file.

Figure 5 – Redirect From fcc.io
Figure 6 – Original FCC ID

Another request to fcc.io was made using the newly discovered FCC ID and I had my first piece of valuable information: the target frequency of the device.

Figure 7 – Upper and Lower Frequencies of the Device
Figure 8 – Detail of Display Exhibits

The RF Test Report typically documents the type of modulation the transmitting device utilized, the amount of bandwidth the signal utilized, and other useful information. I am not sure what the justification is for claiming this device uses frequency-shift keying (FSK) modulation, since the transmitted signal does not occupy a range of frequencies. Also, the transmitted signal appears to be present and then absent rapidly, which is indicative of amplitude-shift keying (ASK).

Figure 9 – Reported Modulation
Figure 10 – Transmission From RF Test Report

Now that we have a lot of basic information about the signal, it is time to capture a transmission and try to replay it. It is generally advised to have your target signal be slightly offset to avoid the DC offset that is present in software-defined radios. In the image below, we can see a large frequency spike about one (1) megahertz above the DC offset, which is at zero (0) hertz.

Figure 11 – Target Signal Captured

Now that we have a raw signal saved to a file and we verified that we have a valid capture by replaying the signal, we can start to dissect it. The way I do this is by utilizing Inspectrum to get a clearer picture of the transmitted signal and, more importantly, find the symbol duration or symbol period. If you installed GNURadioCompanion with PyBOMBS, you could do ‘pybombs install inspectrum’ from within your PyBOMBS prefix. In a previous post where I covered getting the LimeSDR Mini setup, I made my prefix the ‘sdr’ directory in my home folder. After the captured signal is loaded in Inspectrum, make sure the sample rate is the same as what was captured and locate the shortest transmission or the smallest amount of time between transmissions. Once this is located, enable cursors and try to align the cursor with the signal.

Figure 12 – Aligning Cursors

After you align the cursors, increase the ‘Symbols’ to cover a larger portion of the whole transmission and make sure your cursors are as close to accurate as possible. With simple devices like these lights, they are built to tolerate some inaccuracies, so your cursors do not have to be 100% accurate. One (1) thing you may have noticed is the signal appears to repeat itself a few times. In the case of this device, there are three (3) identical transmissions. It is my belief that this behavior is to help compensate for errors in transmission.

Figure 13 – Increased Cursors Aligned

Now that we know the symbol period, we will build a flowgraph to help turn our captured signal into 1s and 0s. Some things to note about this flowgraph are the ‘Add Const’ and the ‘Keep 1 in N’ blocks. The ‘Add Const’ block lowers the signal so the binary slicer is not capturing the noise that was present and the ‘Keep 1 in N’ block multiplies the sample rate and our symbol period (I call it symbolDuration in my flowgraph), which we found with Inspectrum.

Figure 14 -Flowgraph For Binary Output
Figure 15 – Keep 1 in N

With the help of a simple Python script (at the bottom of this article), we can turn the 00s and 01s to 1s and 0s and join them using commas. This output will be used in our transmission flowgraph. Since our signal repeats itself, we only need to copy one (1) instance.

Figure 16 – Binary File Processed Through Python Script

Now that we have our string of 1s and 0s that represents our signal, we can attempt to recreate it. First, we add a ‘Vector Source’ block that contains the binary representation of our signal. The ‘Vector Source’ block has a limitation of 255 symbols. Because of this, it may not be possible to use all of the output from the Python script.

Figure 17 – Completed Transmission Flowgraph

Connected to the ‘Vector Source’ block is a ‘Repeat’ block with an ‘Interpolation’ value that is the product of the sample rate and symbol period. Then we multiply the output of those blocks by a signal source to generate our series of transmission pulses. As far as I know, the waveform does not matter as long as it is not a square wave. I am also unsure what the minimum frequency of the signal source should be, but I have not had an issue using the default frequency of 1k.

Figure 18 – Repeat Block’s Interpolation Value

Typically, before transmitting a generated signal, I will connect the output to different sinks to view the signal at a glance to make sure it looks close to what the original signal was. If my transmission is still failing, it can be helpful to save the generated signal to a file and then compare the original in Inspectrum.

Figure 19 – Captured Signal Above Recreated Signal Below

Hopefully, this post helped to shine some light on a process that, at least when I first was trying to learn, was not covered very well, with information was scattered across multiple incomplete blog posts.

#Python Script

 import io
 import sys
 from struct import *
 waveformFileName = "/path/to/your/binOUt.bin"
 waveformFile = io.open(waveformFileName, 'rb')
 waveformData = list(waveformFile.read())
 waveformFile.close()
 segmentList = []
 tempSegment = []
 for symbolByte in waveformData:
     if symbolByte == b'\x00':
         tempSegment.append("0")
     else:
         tempSegment.append("1")
 print ",".join(tempSegment)

The post SIGINT to Synthesis appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/sigint-to-synthesis/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more