In our first part on software-defined radio and signals intelligence, we learned how to set up a radio listening station to find and decode hidden radio signals, just like the hackers who triggered the emergency siren system in Dallas, Texas did. Now that we can listen in on the radio spectrum, it is time to explore the possibilities of broadcasting in a radio-linked world.
So how did the hackers in Dallas send out the code they found to control the sirens? Was it a diversion from some other purpose, a probe by a foreign government investigating American infrastructure, or were they just being a nuisance, in the time-honored American pastime?
Whatever their aim, the attack was carried out by retransmitting a series of codes in the emergency band around 900 MHz to trigger a series of repeaters, to the alarm of quite a few Texans. Did they need thousands of dollars of sophisticated equipment for that? Probably not. In fact, we can take over some radio systems without even knowing the codes, simply by being closer to the target than the legitimate transmitter.
This tutorial shows you a technique for hacking the civilian FM radio band and playing your social-engineering payload. Maybe you do not like the music a radio station plays in a particular store or vehicle and you would like to play your own. Or you may want to play a message that nudges a target toward doing something you want. Whatever the goal, all you need to transmit in the radio spectrum is a $35 Raspberry Pi and a piece of wire for an antenna.
With the addition of some free software, the Raspberry Pi can pulse the power on one of its general-purpose input/output (GPIO) pins to transmit on any civilian FM radio frequency from about 87.5 MHz to 108 MHz. Without a wire antenna, the range is only a foot or two. We focus on using that ability to put our messages into the most common kind of radio signal everyone has access to. FM radios are found in almost every car and in many shops and homes. The ability to transmit directly to them gives us a powerful way to speak anonymously to someone, seemingly from a trusted source.
Hobbyists have adopted the Pi FM radio hack, with a wire as an antenna, for streaming music, short-range communication, and even as an FM modem to exchange data between devices. Applications like rpitx can even transmit slow-scan TV images via FM. This hack is fun and useful for generating a signal with a deliberately limited range, and some tests have found that the signal is just strong enough to overpower FM stations at close range.
Overpowering a transmitter, also known as "broadcast signal intrusion," hijacks the signal and inserts messages, songs, programming, or other seemingly legitimate content in support of social-engineering strategies. Signal hijacking with the Pi is especially useful against businesses that play FM radio or against car radio systems, and can help you influence the beliefs or actions of a target by presenting yourself as a media outlet.
Why a Raspberry Pi Works Well
The fact that you can start broadcasting into the radio spectrum with a single wire is incredibly useful to anyone interested in radio projects or software-defined radio, but how does it work?
The Pi's GPIO pins are meant for connecting peripheral devices. In this case, GPIO pin 4 can be driven as a square-wave oscillator from the Pi's clock generator. While this works, there are a number of problems to consider because of the way the Pi creates the transmission. These issues mean that increasing the power also increases the likelihood of causing chaos across the radio spectrum and being caught by the FCC, so without additional filtering this tool is only suitable for surgical strikes.
The biggest problem with using a Pi is that the square-wave oscillator used to generate the signal also generates harmonics that can interfere with frequencies well beyond the one you intend to transmit on. In fact, these harmonics can land well outside the FM band in restricted frequencies, which means that increasing the power of a Pi FM transmitter without applying a filter interferes with all sorts of radio signals in your environment.
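To make the harmonic problem concrete, here is an added Python example (not from the original article or from PiFmRds) that computes where the odd harmonics of an ideal square-wave carrier fall, how strong they are relative to the fundamental, and whether they land in a constructed, approximate band table; the band names and limits are illustrative assumptions, not an authoritative allocation chart.

```python
"""Out-of-band harmonics of an unfiltered square-wave FM carrier.

Added example, not from the original article. An ideal square wave contains
only odd harmonics, the n-th at 1/n of the fundamental's amplitude, so a
bare GPIO transmitter also radiates at 3x, 5x, ... the carrier frequency.
The band table below is constructed and approximate (US-centric); consult
your national frequency allocation table for real figures.
"""
import math

# Constructed, approximate band table used only to illustrate the risk.
SENSITIVE_BANDS = [
    ("VHF broadcast TV, high band", 174.0, 216.0),
    ("Military / aeronautical UHF", 225.0, 400.0),
    ("UHF land mobile incl. public safety", 450.0, 470.0),
]


def harmonics(carrier_mhz, max_order=7):
    """Return (order, frequency_mhz, level_db) for odd harmonics up to max_order.

    Square-wave Fourier series: the n-th odd harmonic has amplitude 1/n of the
    fundamental, i.e. a relative level of 20*log10(1/n) dB. Real hardware with
    an imperfect 50% duty cycle adds weaker even harmonics on top of these.
    """
    result = []
    for n in range(1, max_order + 1, 2):
        level_db = 20 * math.log10(1.0 / n)
        result.append((n, round(carrier_mhz * n, 1), round(level_db, 2)))
    return result


def band_hits(carrier_mhz, max_order=7, bands=SENSITIVE_BANDS):
    """Harmonics of carrier_mhz (above the fundamental) that fall in a listed band."""
    hits = []
    for n, freq, level_db in harmonics(carrier_mhz, max_order):
        if n == 1:
            continue  # the fundamental is the intended FM channel itself
        for name, lo, hi in bands:
            if lo <= freq <= hi:
                hits.append((n, freq, level_db, name))
    return hits


if __name__ == "__main__":
    for carrier in (91.0, 100.1, 107.9):
        print(f"Carrier {carrier} MHz:")
        for n, freq, level_db, name in band_hits(carrier):
            print(f"  harmonic {n} at {freq} MHz ({level_db} dB) lands in {name}")
```

The third harmonic is only about 9.5 dB below the carrier, which is why adding power to the fundamental without a low-pass filter also adds real power to whatever sits at three and five times the FM frequency.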
A broadcast signal intrusion is the hijacking of a radio or TV signal to play a different message over the official programming, and it is relatively easy to pull off against radio stations.
While more advanced techniques involve splicing the message into the transmission by breaking into the broadcaster's equipment, all that is really needed is an FM transmitter able to overpower the legitimate broadcast signal at the target's antenna. If your target is just a single antenna, the Raspberry Pi can easily perform a surgical broadcast intrusion.
Historically, broadcast signal intrusions were used by hackers who wanted to publicize their message, although few, if any, attempted to hide the fact that the station had been hijacked. The motives range from political protest to trolling and the jamming of the Playboy Network for religious reasons. While most hackers who have carried out large-scale broadcast intrusions have been caught, one of the most notorious and weirdest incidents remains unsolved.
Perhaps the best-documented incident of deliberate signal intrusion was the Max Headroom incident in Chicago. In 1987, the television stations WGN and WTTW were hijacked, during an episode of , and a message played showing a man in a Max Headroom mask who waved and screamed, called the station operators "nerds," and was finally spanked with a fly swatter by a woman in a French maid outfit. The clip ran for almost 90 seconds and became even more confusing as the engineers were helpless to regain control; it made national news and brought the FBI into the case. Despite the attention, no one is sure who the Max Headroom hacker was or what the purpose of his bizarre and brazen takeover of WGN, seen by tens of thousands of people, was supposed to be.
It is assumed that this hack was performed without physical access to the stations, instead using sophisticated radio equipment to overpower the legitimate signal being relayed to a larger broadcast antenna. If you are a fan of the series Mr. Robot, fsociety used this hack many times to get their video communiqués onto the airwaves of the major television networks.
Surgical signal intrusions for social engineering
To overpower the legitimate signal with ours, we are presented with two options: perform a denial-of-service attack or attempt to mimic the legitimate traffic on the channel. Incidentally, both options are illegal in most countries, because we are jamming a legitimate radio broadcast.
In a DoS attack, we flood an FM radio channel used for communication with a signal that prevents the legitimate transmission from being heard, making no attempt to pass itself off as the actual broadcast. In the second attack, we craft a message intended to be perceived as legitimate and insert it into the programming to provoke a response. This can be as simple as reporting heavy traffic on a particular freeway that requires a different route, or as elaborate as playing a SIGALERT emergency bulletin that describes the target's car as a suspect's vehicle.
Because of the trust people place in the media and the covert nature of the hijack, a target is unlikely to realize the signal has been hijacked, as long as the beginning and end of the switchover do not seem out of place.
We do not need much to start broadcasting. A Raspberry Pi 2 or 3 works, and the wire can come from spare cables or whatever you have on hand. I used both stranded and solid copper wire and both worked well, although the solid core was better.
Here is all the hardware and software you'll need for this guide:
- a piece of wire, about 3 feet long, as an antenna
- a fully updated Raspberry Pi 2/3
- knowledge of the frequency you are trying to jam (or a $20 RTL-SDR dongle to find it yourself)
- a source .wav file
- make and libsndfile1-dev
- PiFmRds from GitHub
We begin by running apt-get update and apt-get upgrade. Once our version of Kali has been updated and upgraded, we can install the dependencies by running the following in a terminal window:
apt-get install make libsndfile1-dev
Connect your Pi to an HDMI display or SSH in from your laptop. To clone and build PiFmRds, enter the following four lines in a terminal window. Remember to run make clean, because builds for different Raspberry Pi models are not compatible.
git clone https://github.com/ChristopheJacquet/PiFmRds.git
cd PiFmRds/src
make clean
make

The build output should look like this:
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 rds.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 waveforms.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 pi_fm_rds.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 fm_mpx.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 control_pipe.c
gcc -Wall -std=gnu99 -c -g -O3 -march=armv7-a -mtune=arm1176jzf-s -mfloat-abi=hard -mfpu=vfp -ffast-math -DRASPI=2 mailbox.c
gcc -o pi_fm_rds rds.o waveforms.o mailbox.o pi_fm_rds.o fm_mpx.o control_pipe.o -lm -lsndfile
Step 3: Test Your First Transmission
That should do it! After navigating to the PiFmRds/src folder, you should be able to test PiFmRds with the following:
sudo ./pi_fm_rds -freq 107.0 -audio sound.wav
This starts a test radio transmission on the frequency 100.1. Since we have not yet connected our wire antenna, we cannot expect it to transmit anything, right?
It turns out that even the bare GPIO pin is capable of transmitting over short distances. Here I can see a test transmission from several meters away, even without attaching an antenna.
You should use the bare GPIO pin to test your messages whenever possible to avoid unnecessary interference with other frequencies. While it is good for testing, the pin alone cannot overpower a station. Once you have confirmed that you are transmitting, let's try to overpower a signal.
Now that we know we are transmitting, let's increase the power. Attach a piece of wire (solid core or stranded will do) to GPIO pin 4 (see the diagram to find out which one that is).
You can use the insulation around the wire to seat it firmly on the pin by working the pin between the insulation and the copper inside the wire. Here's how I installed a solid-core wire:
This setup dramatically improves range. I can receive the radio transmission anywhere in the building, including the floors above and below me.
Now that we have increased the power, we can assume that we will be able to hijack any radio station within about twenty to thirty feet of the transmitter. Identify the station you want to hijack and note its frequency in megahertz. For this example, suppose the station we are transmitting against is at 107.9 MHz.
Run the following command on your Pi with the antenna connected to hijack 107.9 and play the audio file audio.wav:
sudo ./pi_fm_rds -freq 107.9 -audio audio.wav
You should hear the demo audio break into the legitimate transmission.
Place any WAV file in the PiFmRds/src folder and change the filename in the above command to play your own custom message.
While the methods described are extremely simple and effective, deliberately disrupting a legitimate transmission is illegal in the US and most likely elsewhere too. While the likelihood of being detected on a small scale is low, increasing the power or using out-of-band frequencies can get you into trouble and disrupt the radio signals of the military, police, and first responders.
This device is short-range, and by experimenting with a radio to measure the range, you can vary the length of the wire to adjust it. In addition, playing messages that deliberately alarm or frighten people is another great way to get into trouble. Although my incoming North Korean nuclear missile example (in the video above) is insane, it could cause panic, so it is best used only in a lab environment.
Use common sense when choosing the message you want to transmit; the target may well genuinely believe it.
As always, thanks for reading, and be sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or @sadmin2001 on Twitter or Instagram.