IoT Radio Communication Attack – Part 2
This is part 2 of a series titled “IoT Radio Communication Attack”. If you haven’t read the first part, read it first.
Radio Signal Analysis – In the last section, I went through the various modulation techniques used in radio signal transmission. The next step is to analyze a captured radio signal to identify which type of modulation is being used. Once the modulation is identified, the data carried by the signal can be extracted by demodulating it. The relationship is analogous to encryption and decryption: modulation wraps the data onto the carrier, and demodulation recovers it.
Process[IoT Radio Communication Attack]
I will be using hardware devices and software to analyze the radio signal. Hardware is needed to capture the radio signal, and software is needed to process and modify the captured signal. Below is a list of hardware and software widely used in radio signal capture and analysis.
Hardware – Some hardware devices can capture or receive a radio signal, and some hardware devices can transmit and receive a signal. Based on the capability, the hardware device can be a transmitter or a receiver. A device that can only receive/capture a signal is called a receiver and a device that can not only receive a signal but also transmit a signal is called a transceiver i.e. Transmitter + Receiver = Transceiver.
The receiver is labeled Rx and the transceiver is labeled Rx/Tx.
The table below lists all the hardware devices that are widely used for radio signal analysis.
Depending on the frequency of the radio signal, the hardware selection will vary. Also, a device that covers a wider frequency range is generally more expensive. RTL-SDR is used for basic radio signal analysis, i.e. data reception only, and HackRF is widely used for data transmission.
Software – As with hardware, many software packages can be used for signal analysis and processing. Some of them are GQRX, GNU Radio Companion (GRC), SDR#, Linrad, CubicSDR, Inspectrum, HDSDR, etc. On Linux GQRX, and on Windows SDR#, is widely used for signal analysis. GNU Radio Companion (hereinafter GRC) is used for signal processing. GRC can be used on both Linux and Windows.
In this series I will be using GQRX and GRC for signal analysis and processing. I request you to download the software on your laptop/PC. A simple Google search will give you plenty of resources on installing the software.
If you don’t want to download software or if you’re looking for a VM with all the software pre-installed like Kali, you can check out Pentoo. Pentoo has been specifically designed for radio signal analysis and has all the necessary tools installed in it. You can download the ISO from its official site – http://www.pentoo.ch/download/ and open it in Virtualbox or VMware Player/Workstation.
Now let’s see how to use the RTL-SDR to receive an FM signal. I will be using GQRX for the demo.
RTL-SDR – The RTL-SDR is a cheap USB dongle used only to “RECEIVE” the radio signal. The price of RTL-SDR is around $20 and it is also called RTL2832U, DVB-T SDR, RTL dongle.
It looks like this –
Frequency Range – The RTL-SDR can receive any frequency in the range of 52 MHz – 2200 MHz.
Procedure for capturing the FM signal – To receive FM audio, a receiver for capturing the radio signal and software for demodulating the captured data are needed. I will use the RTL-SDR to receive the radio signal and GQRX to demodulate the received signal. I hope the roles of the RTL-SDR and GQRX are clear to you.
Now plug the RTL-SDR into the laptop’s USB port. Run the rtl_test command and if you get the output as shown, it means that the RTL-SDR has been detected and is ready to use.
You can press Ctrl+C to stop the test and release the RTL-SDR for GQRX to use.
Now run GQRX as shown below –
Selecting RTL-SDR as an I/O device in GQRX is the first step for GQRX to use it. To do this, click on the green icon as shown below. As you can see, the RTL-SDR device name is RTL2838UHIDIRS. The remaining options can be left as they are.
Now it’s time to pick up the radio signals. To do this, click on the white icon (to the left of the green icon) as shown below –
The frequency range for FM broadcast is 88–108 MHz, so I will tune the RTL-SDR somewhere in that band. Click on the displayed frequency, i.e. 144.50, and change it to 93.5 MHz as shown. Just click on 144 and change it to 93.5.
In India, 93.5 MHz is a station that plays music. The available stations vary by region, so tune the RTL-SDR accordingly.
As seen above, the red line points to 93.5 MHz. Below the red line are the yellow colored lines. They represent received energy, i.e. if any signal is present on a given frequency, GQRX shows it in the form of yellow lines. This representation is called a waterfall sink.
Can you listen to the song?
I know you can’t listen to the song. This is because you have not yet demodulated the received signal, i.e. the FM signal. To do so, select the mode (on the right) as WFM (stereo) and adjust the gain (bottom right corner) until you can hear the track clearly. The basic settings are given below –
So this is how you listen to FM. It was easy – just a few settings and you’re done – because GQRX already has a built-in demodulator for broadcast FM. The radio communication of an IoT device has no such ready-made mode, so when hacking it the signal must be processed manually using various blocks in GNU Radio. In GNU Radio, the signal is processed and demodulated to extract the data present in it.
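The three things the GQRX walkthrough above does by hand (energy appearing on the waterfall near the tuned frequency, silence before demodulation, and audio after selecting WFM) can be reproduced numerically. The following is an added example written for this post, not code from the original article or from GQRX/GNU Radio; it uses pure Python with no extra libraries. All numbers (sample rate, test tone, deviation, carrier offset) are constructed for illustration and are much smaller than real broadcast FM, and the demodulator is the same quadrature (phase-difference) method that GQRX’s WFM mode and GNU Radio’s Quadrature Demod block use.

```python
"""FM modulation and demodulation in pure Python (added example).

1. waterfall_centre_hz: the station's energy sits at its carrier, which is
   what the yellow lines under the red marker show in GQRX.
2. envelope: an FM signal has a flat envelope, which is why nothing useful is
   heard before demodulation.
3. fm_demodulate: the quadrature demodulator; angle of x[n] * conj(x[n-1]) is
   the per-sample phase step, i.e. the instantaneous frequency.
"""
import cmath
import math

FS = 48_000           # sample rate in Hz (constructed; an RTL-SDR runs ~2.4 MS/s)
TONE_HZ = 1_000       # the "song": a 1 kHz test tone
DEVIATION_HZ = 5_000  # peak frequency deviation of the modulator (constructed)


def make_message(n_samples, fs=FS, tone_hz=TONE_HZ):
    """Audio to be transmitted: a unit-amplitude sine at tone_hz."""
    return [math.sin(2 * math.pi * tone_hz * n / fs) for n in range(n_samples)]


def fm_modulate(message, fs=FS, deviation=DEVIATION_HZ, offset_hz=0.0):
    """Complex baseband I/Q samples of the FM-modulated message.

    Instantaneous frequency = offset_hz + deviation * message[n]; the phase is
    its running integral. offset_hz models a transmitter that sits slightly
    away from the frequency the receiver is tuned to.
    """
    iq, phase = [], 0.0
    for m in message:
        phase += 2 * math.pi * (offset_hz + deviation * m) / fs
        iq.append(cmath.exp(1j * phase))
    return iq


def envelope(iq):
    """Magnitude of each sample: what an AM-style detector would 'hear'."""
    return [abs(s) for s in iq]


def fm_demodulate(iq, fs=FS, deviation=DEVIATION_HZ):
    """Quadrature demodulator. Returns len(iq) - 1 samples that line up with
    message[1:], scaled back to message units."""
    out = []
    for prev, cur in zip(iq, iq[1:]):
        step = cmath.phase(cur * prev.conjugate())  # radians per sample
        out.append(step * fs / (2 * math.pi * deviation))
    return out


def remove_dc(signal):
    """A carrier offset appears as a constant after demodulation; subtracting
    the mean recovers the audio even when the tuning is a little off."""
    mean = sum(signal) / len(signal)
    return [v - mean for v in signal]


def waterfall_centre_hz(iq, fs=FS):
    """Power-weighted centre frequency of a brute-force DFT of the block:
    where the bright band on the waterfall is centred. Negative = below the
    tuned centre frequency."""
    n = len(iq)
    total_power, weighted = 0.0, 0.0
    for k in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(iq))
        power = abs(acc) ** 2
        freq = (k - n if k > n // 2 else k) * fs / n
        total_power += power
        weighted += power * freq
    return weighted / total_power


def max_abs_error(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    msg = make_message(480)                      # 10 ms of audio
    iq = fm_modulate(msg)
    env = envelope(iq)
    print("envelope min/max:", min(env), max(env))  # flat: nothing to hear yet
    print("max demod error:", max_abs_error(msg[1:], fm_demodulate(iq)))
    off = fm_modulate(msg, offset_hz=2_000)
    print("energy centred at:", round(waterfall_centre_hz(off)), "Hz")
    print("error after DC removal:",
          max_abs_error(msg[1:], remove_dc(fm_demodulate(off))))
```

The envelope stays at 1.0 throughout, so any receiver that only looks at amplitude hears nothing; the phase-difference step recovers the tone almost exactly, and a 2 kHz tuning error shows up as the spectral energy centred at +2 kHz and as a constant offset in the demodulated audio, which is why slightly mis-tuning the red line in GQRX still gives audio.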
In the next post I will explain how to manually process the radio signal in GNU Radio to demodulate the FM signal and listen to the song. This will give us an idea of what goes on in the background and how the signal is processed inside GQRX.