Great Scott Gadgets

open source tools for innovative people


GSG Interns

Please welcome the Great Scott Gadgets summer interns, Ellie Puls and Jacob Graves. They joined us at the beginning of June, and we are thrilled to have both of these bright students on our team. Ellie is a junior at CU Boulder and Jacob is a senior at CU Denver, and they are both majoring in Computer Science. They plan to write a short blog post every couple of weeks over the summer to let you know what they've been learning and what kind of projects they've been working on. Here's what they've been up to in their first couple of weeks:

"We helped finish a project in Python that fetches information about wireless devices from the Federal Communications Commission's website. We were able to take the information and put it into the user's home directory as well as into a user-friendly database. Additionally, we learned how to use the Lasersaur laser cutter and cut packaging for the new HackRF acrylic cases. Finally, we learned how to test HackRFs to look for any firmware or LED issues on the boards."

Going forward, we want to involve Ellie and Jacob in several of our software and firmware development projects (including GreatFET). They will be mentored by Mike and Dominic, and we hope that their time with us will amount to a meaningful educational and professional experience that they can take with them into their future careers.


GSG is Hiring

Are you (or do you know someone who is) a match for our open position for a summer intern? See our new jobs page for details. Keep an eye on this page for future job opportunities at Great Scott Gadgets!


Free Stuff, January–June 2016

It's been a while since we've posted, but yes, we are still giving away free stuff! Even though we can't respond to each and every email, we do read and carefully consider all of them, and we choose at least one awesome group, project, or individual each month to send some free hardware to. Here are the free stuff recipients for the first half of 2016.

ADS-B Out Open Source Project

We gave a HackRF One to developer and pilot Christopher Young, whose latest development project is an in-flight ADS-B Out transponder. ADS-B Out allows pilots to broadcast position, ground speed, and altitude to air traffic controllers and aircraft that are equipped with ADS-B In. This project benefits general aviation pilots because NextGen, the FAA's new plan to increase aviation safety, mandates that all aircraft be equipped with ADS-B Out by the year 2020. Christopher's open source design is intended to give pilots a more affordable means of complying with the new requirement (ADS-B Out is a piece of avionics equipment that normally costs thousands of dollars). Chris is also the creator of the stratux project, an affordable open source aviation weather and traffic receiver solution based on low-cost SDRs, so we are excited to put a HackRF into his capable hands.

Visible Light Communication Research

We gave a HackRF One to Alexis Duque, a PhD candidate at INSA in Lyon, France. He is researching the possibilities of visible light communication and wants to use SDR hardware and GNU Radio for some tests. He plans to donate his HackRF to CorteXlab at INSA after the research is complete.

Fablab Hackerspace

We received a free stuff request for a YARD Stick One from Pedro, a high school student at a technical school in southern Brazil who has started a hackerspace called Fablab with a group of his friends. Their school has given them space to work in, but due to equipment costs and crippling taxes imposed on electronics equipment there, they have been unable to find the funds to stock their lab and are relying on donations from the community. We sent them a YARD Stick One so that their group can experiment with communications with a drone they received from a local university.

Argentinian Meetup Group

Speaking of South America, we gave a HackRF to Martin Gallo, coordinator of TandilSec, a meetup group in Tandil, Argentina, that discusses infosec topics and learns about current trends. They have recently been experimenting with SDR, and HackRF One was their hardware of choice.

QSpectrumAnalyzer

We gave a HackRF One to the QSpectrumAnalyzer open source project because it currently only supports rtl-sdr, and the developer of that program wanted to change that. He tells us that a popular request from users is that they would like to see support for HackRF One.

Amateur Radio Equipment Repair

Pavel is a ham radio operator, self-described tinkerer, and software developer. He is involved with a local amateur radio club, but lives in an area where good radio equipment is difficult to obtain, and the equipment they are able to get their hands on is usually in need of repair. Pavel asked us for a HackRF One to diagnose and test problems, which will help him repair the radio equipment of other amateur radio operators in his community.

Stay tuned; more free stuff updates are on the way! Visit our free stuff page to learn how to submit a request.


ANT700 Release

Today we are excited to announce the official release of ANT700, our new 300–1100 MHz telescopic antenna. Because this general purpose antenna was designed with YARD Stick One users in mind, it has a slim and lightweight form factor that works well with smaller devices. It has an SMA male connector to attach to your device of choice (including HackRF One) and can be extended from 9.5 cm to 24.5 cm.

We started distributing ANT700 last month, and it is already available for purchase from six of our authorized resellers on four continents. To find out where you can purchase yours, please visit the product page.

[photo: ANT700]

September 2016 Open House Invitation

Earlier this month, we packed our things and moved our lab and offices to a new location in Evergreen, Colorado. We are very excited to be in a bigger space (it was time!) and, to celebrate, we are hosting an open house on Friday, September 16th from 5 pm to 8 pm. We welcome our friends, associates, and neighbors to come and see our new lab and enjoy food and drink with us.

Our address is:
31207 Keats Way
Suite 101
Evergreen, Colorado 80439

Please let us know you are coming so we don't run out of provisions! RSVP by September 10th to info@greatscottgadgets.com.

We hope to see you there!


Free Stuff, May–December 2015

The Great Scott Gadgets team has been hard at work sorting through all the Free Stuff requests for 2015, and now we are finally ready to announce the winners for May through December. We've had many interesting submissions, and we've enjoyed learning about all the ideas you have had for open source projects and education. After much discussion and some tough decisions, we've chosen the following seven individuals and groups to receive free hardware from Great Scott Gadgets.

Open Source Project: Universal Drone API Generator

Richard Doell wrote to us requesting a HackRF One for a project idea he is working on. We were intrigued by the project, and very excited to hear that it is going to be open source. Richard has a background in robotics and computer vision, and he wants to create a universal automatic drone API generator for hobbyists and robotics junkies that will allow remote control vehicles to be controlled from a computer using GNU Radio. His HackRF One will enable him to collect data from the RC vehicles' transmitters. Keep us updated about the progress of your project, Richard!

Information Security Workshops

Stefan Hessel (of the blog Causa Finita) is a security expert who works at the Department of Law and Informatics at Saarland University in Germany. After work, he gets involved in his community through an IT working group, offering free classes at a local clubhouse that help beginners develop skills and knowledge in the areas of Internet safety and security. Stefan asked us to donate a HackRF One to help him teach the basics of SDR to the people who attend his classes and to demonstrate ways that attackers could gain access to private data through hardware hacking. Thanks, Stefan, for sharing your expertise and using your workshops to bring awareness to these issues.

Liquid Fueled Rocket Building

Let's Build Rockets is a talented group of young amateur engineers who are designing and building a flyable, liquid-fueled rocket. This has proved challenging because currently most of the commercially available model rocket engine systems and electronics components are designed for solid-fueled rockets. Therefore they have had to design, manufacture, and test all of the system's components themselves. They are planning to use their free HackRF One as a receiver in the downlink portion of the rocket's control system, the design of which is based on the Copenhagen Suborbitals Sapphire Telemetry System. The downlink transfers mission data from the accelerometer, gyroscope, altimeter, compass, GPS, pressure and temperature sensors of the engine and fuel tanks, and atmospheric temperature sensors to a ground control station. Eric Simms wrote to us on behalf of Let's Build Rockets, saying:

“The communication that the HackRF enables will help us recover the rocket after the launch and analyze potential failure points. After doing lots of research, the HackRF is the most accessible receiver we've found, requiring the least amount of additional hardware and providing opportunities for future expansion.”

Let's Build Rockets is publishing all of their design files, code, and test data on GitHub so that others can benefit from their learning and experience. We're excited to support this awesome, educational, open source project. Rocket on!

Emergency Communications

The Wantagh-Levittown Volunteer Ambulance Corps is a dedicated group of paramedics and dispatchers who provide emergency services to their community by answering 911 calls. While each ambulance in their facility has its own radio, this small nonprofit organization has had a difficult time finding the funds to invest in a radio for communications training. Their free HackRF One will enable them to receive and decode multiple simultaneous transmissions on their county's radio system. Mark Tomlin, Chief of Operations, wrote to us saying,

“Communications are vital in EMS, just as important as the vital signs of the patient themselves. Missing information from an incomplete report can be devastating to a patient's outcome. Presenting oneself to the doctor correctly on the other end of the radio can be the difference in getting the order for the medication or not. These are things that can only come with experience. We now have the opportunity to present our experience to those who were not physically present at the time of notification. This should greatly improve the time it takes a new provider to get up to speed on medical control notifications.”

We are happy to put a free HackRF into the hands of someone who can use it to make the world a better place. It's very satisfying knowing that somewhere in New York, a HackRF One is enabling communication that could save lives.

MIT Splash Program

Every November, high school students from around the country and even around the world come to MIT for a program called Splash. It is a weekend where they can engage in unique and valuable learning experiences that are unavailable in a normal classroom setting. Riley Drake wrote to us asking for a HackRF One for a Software Defined Radio course he is planning to teach at Splash 2016, which will cover topics such as Digital Signal Processing, Decibels, Data Types, Sample Rates, Negative Frequencies, Quantization Error and Complex Numbers in Digital Signal Processing (the course structure mirrors Michael Ossmann's online lessons). Having a HackRF One available for the class will allow students to run their code on a real radio and promote a discussion of the legal and regulatory issues of SDR. Good luck with your class, Riley, and please send us pictures! We'd love to know how it goes.

Soldering Workshops

Hacklab Almeria is a growing group of developers and enthusiasts in Spain who are learning and collaborating together. When they first wrote to us in October of 2015, they had 30 members, but when we contacted them last month that number had increased to 50. Jesus Marin Garcia asked for several Throwing Star LAN Tap Kits for a workshop the group is offering to their newer members on electronics fundamentals and soldering. Spread the word, and good luck with your workshop!

OpenWebRX Support

András Retzler is the developer of a remote spectrum monitoring solution called OpenWebRX that gives users access to multiple SDR receivers worldwide. We gave András a free HackRF One, which he is using to improve support for that project. If you haven't already seen OpenWebRX, you should certainly check it out—it's really cool. He also plans to use his HackRF One to serve as a test station for another of his open source projects, qtcsdr, an open source amateur radio transceiver design using a Raspberry Pi 2 as a transmitter and an RTL-SDR as a receiver. As a company that is built on open source principles, we are very enthusiastic about supporting open source projects, and we are especially happy to help András with OpenWebRX.

Thanks again to everyone who has sent us a free stuff request. We are almost all caught up now, and we will announce winners for the first few months of 2016 soon. If you have an idea for a project using Great Scott Gadgets hardware and could benefit from free stuff, don't hesitate to tell us about it. If you don't ask, we can't say yes!


Defeating Spread Spectrum Communication with Software Defined Radio, ToorCon 2013

Fortunately, in this video you can't hear the jackhammers at work in the hotel lobby while I gave this presentation at the ToorCon San Diego seminars in October 2013. Apart from having to talk over the construction noise, it was great to share SDR techniques that can be used to point out flaws in security claims made about spread spectrum communication technologies.

One of the things I showed in the talk was how Direct Sequence Spread Spectrum (DSSS) communications can be reverse engineered. As an example, I used SPOT Connect, a device operating on the GlobalStar satellite network. A couple of years later, Colby Moore did a more complete job of showing how the GlobalStar system can be attacked.

If you aren't familiar with the Pastor Manul Laphroaig, mentioned at the beginning of this talk, check out our PoC||GTFO mirror.

download video
download slides


Free Stuff, April 2015

My, how time flies! The Great Scott Gadgets team has been busy, but we haven't forgotten all of your requests for FREE STUFF! We are working towards getting caught up, so please bear with us as we sort it all out. April had a lot of good submissions, and we are excited to reward several of you with free open source hardware. And to make up for being so behind, we even awarded a YARD Stick One this time, and we shipped it when it was brand new! Read on to learn about April's winning Free Stuff submissions.

Damon Wascom wrote to us requesting a HackRF One to assist AMSAT in testing transmission lines and filters for the next FOX-1C and Fox-1D CubeSats. Damon gave many convincing reasons and compelling arguments as to why we should award him a HackRF One for his project, but perhaps most compellingly Damon wrote:

"It would be awesome to apply this legendary and revolutionary RF hacking tool of the decade into the hacking together of the next amateur built, amateur radio spacecraft!"

Yup! Damon, make it so.

Jesus Sanchez wrote to us on behalf of the Advanced Communications Research Laboratory he founded at his university last February. The Advanced Communications Research Laboratory encourages its members to conduct research in the wide field of SDR and to promote open source software and hardware. We are happy to support these goals by awarding the Advanced Communications Research Laboratory a free HackRF One!

Tamer Çelik is a member of Hackerspace Istanbul. Tamer plans to use his HackRF One to introduce SDR to his hackerspace as well as other hackerspaces in his area. Tamer, thanks for spreading the word and sharing SDR technology with your community!

David De La Hoz Joaquin is a student of Systems and Computer Engineering at Pontificia Universidad Católica Madre y Maestra in Santiago De Los Caballeros, Dominican Republic. David plans to use his HackRF One in his research. He will also be giving talks about SDR at his school and beyond. David is even planning to start a hackerspace at his school. Good luck, David!

José Perez Junior is a graduate student at ABC Federal University in Santo André, Brazil. He plans to use his HackRF One to teach students at the university about RF and SDR. He also plans to use it for his own research on SDR and electronic motor control. Congratulations José, and let us know how your research goes!

Sean Semple wrote to us as president of the Association of Cyber Engineers (ACE) at Louisiana Tech University. ACE is an organization that was established a couple of years ago to promote the new Cyber Engineering degree program at Louisiana Tech, but also to help students learn about the cyber landscape as early in their career as possible. Great Scott Gadgets is happy to provide ACE with their very own YARD Stick One!

Once again, thanks to everyone that sent us a request. If you didn't send us a request, why not? It never hurts to ask. We look forward to seeing what you come up with next!


Low Cost SimpliSafe Attacks

Earlier this week, Dr. Andrew Zonenberg of IOActive published a security advisory and blog post describing weaknesses in the SimpliSafe home security system. He showed that components of the system, such as the keypad, transmit unencrypted radio signals that can be captured and replayed. He also pointed out the significant problem that SimpliSafe devices are physically incapable of being reprogrammed with improved firmware that might address such vulnerabilities.

I know Andrew and have great respect for his reverse engineering and hardware hacking talents. He implemented a replay attack by making small modifications to SimpliSafe devices, monitoring and controlling them from his own hardware platform. To demonstrate the impact of the technique, he showed how it could be used to replay a PIN that disarms a SimpliSafe system. While I found his attack very effective, I was intrigued by his inability to fully decode PINs. I wanted to take a crack at the problem myself, and I thought it would be worthwhile to confirm that the radio interface of the system can be attacked at a lower cost to the attacker, without any SimpliSafe hardware, and without physical proximity to the target system.

I borrowed a SimpliSafe system to use as a target system, and I took the approach I have demonstrated in my presentation, Rapid Radio Reversing, using a combination of Software Defined Radio (SDR) and non-SDR tools. The primary tool I used was YARD Stick One with RfCat software.

[photo: YARD Stick One and SimpliSafe keypad]

First I used HackRF One to monitor transmissions from the SimpliSafe keypad. I visualized a captured radio waveform with inspectrum and quickly identified an Amplitude Shift Keying (ASK) signal being transmitted by the keypad. Andrew labeled this On-Off Keying (OOK), but the difference between ASK and OOK is subtle and does not affect his findings.

[screenshot: inspectrum]

After determining the frequency, modulation, and symbol rate of the transmission, I turned to YARD Stick One for further analysis. Within seconds I was able to decode raw symbols being transmitted by the keypad. It was easy to identify which packets were transmitted by the keypad after entering a PIN, so I entered a few different PINs and saved the resulting packets for analysis.

It took me a couple of hours of staring at packets and fiddling with short decoding functions in Python before I was able to understand the encoding. This was the most difficult part of the project. The system uses a somewhat uncommon Pulse Interval and Width Modulation (PIWM) to encode data onto the ASK signal, and the order of bits was not immediately obvious. With a little time, however, I was able to implement real-time decoding of received packets and to recover the PIN entered on the keypad by another person at a distance. I was also able to replay keypad transmissions.

[screenshot: real-time PIN decoding, redacted]

I could have implemented capture and replay even without fully decoding the packets. This is what Andrew was able to accomplish with his hardware hack. Full decoding, however, demonstrates that some additional attacks are possible. An attacker with a good antenna can monitor PINs from a great distance and can, without ever transmitting a radio signal, learn those PINs and later use them at the keypads. An attacker can craft packets with chosen PINs or other contents, so an automated brute force attack on a PIN is possible even if the attacker has not observed the valid PIN. The system uses 4-digit PINs, so only 10,000 guesses are required for an exhaustive brute force attack.

I could have accomplished all of this with only HackRF One or only YARD Stick One, but I used the combination of the two for convenience. If I had to choose just one for a project like this, it would be YARD Stick One which, at $100, costs less than half of the equipment used by Andrew. It could be done with almost any 433 MHz ASK transceiver, including the covert TURNIPSCHOOL or my favorite children's toy, the IM-Me, but YARD Stick One with RfCat is the most convenient tool for the job in my toolbox.

Andrew included with his blog post a video demonstrating his attack over-the-air. In his video, he mentions that his hardware hack was the "quickest and easiest way" to accomplish his attack. That may be true for Andrew, but personally I found it easier to use radio tools. I wrote dozens of lines of Python compared to his hundreds of lines of C, and I never needed to crack open any SimpliSafe device. It took me about half a day, and most of that time was spent puzzling over the data encoding. I could have implemented a simple capture and replay within seconds of identifying the radio signal.

Andrew's video shows him disarming an alarm from only a few inches away, which unfortunately could be interpreted as meaning that his attack is only effective at such close range. His attack, in fact, works from anywhere the keypad can operate. According to the manual, it works within 100 feet of the base station. Even greater range can be achieved easily with the use of low cost radio test tools instead of a modified keypad. I estimate that, for less than the $250 Andrew spent, an attacker can execute PIN replay from about a mile away.

Since Andrew's advisory, SimpliSafe has responded in predictable fashion while information security professionals filled their bingo cards. One of the things SimpliSafe has pointed out is that customers are notified whenever their systems are disarmed. Unfortunately this is only true for those customers who pay an extra $10 per month for SMS and email notifications. Moreover, in my testing, I verified that it is possible for an attacker to wirelessly command the SimpliSafe system to enter test mode even while the system is armed. This is something that normally can be done from the SimpliSafe keypad only while the system is disarmed. Alarms and notifications are disabled in test mode, but the documentation states that test mode is indicated in the online dashboard available to customers who pay for notifications.

Following Andrew's lead, I am not publishing any attack software developed during my testing. However, it is important to realize that I employed only tools and techniques that are well known and commonly used throughout the wireless security community. Effective attacks, including PIN replay, can be implemented without writing a single line of code. Passive monitoring attacks, such as the ability to learn a PIN at a distance, require somewhat more reverse engineering effort but can be implemented with even less expensive equipment such as off-the-shelf TV tuners that cost as little as $10.

Andrew's and my investigations only scratch the surface of the security of the SimpliSafe system. Andrew's key finding is not that PINs can be replayed but that the absence of basic cryptographic protections illustrates a total lack of wireless security engineering. Further weaknesses will very likely be discovered if anyone takes the time to look for them. For example, the cellular interface is an attack vector that remains unexplored as far as I know.
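To make concrete what "basic cryptographic protections" would change for a keypad like this, here is an added example in Python (not code from this post, from IOActive, or from SimpliSafe; it does not model the real SimpliSafe protocol). It places a cleartext keypad frame of the kind described above, in which a listener reads the PIN and any captured frame can be re-sent, beside a hypothetical hardened design: the frame carries a device id, a monotonically increasing counter and a truncated HMAC computed over those fields and the PIN under a pairing key, so the PIN never goes over the air, a replayed frame is rejected as stale, guesses without the key fail and are rate-limited, and test mode is refused while the system is armed. The frame layout, pairing key, device id, PIN and lockout threshold are all constructed for illustration.

```python
import hashlib
import hmac
import struct

DISARM, ARM, TEST = 1, 2, 3

# ---- cleartext design: the situation the post describes ----
def cleartext_frame(command: int, pin: str) -> bytes:
    """The keypad sends the command and the PIN as-is (constructed layout)."""
    return bytes([command]) + pin.encode()

def cleartext_listener(frame: bytes) -> str:
    """What a passive receiver recovers from a cleartext frame: the PIN itself."""
    return frame[1:].decode()

class CleartextBase:
    def __init__(self, pin: str):
        self.pin = pin
    def receive(self, frame: bytes) -> str:
        # No freshness check, so a captured frame works again later.
        return "accepted" if frame[1:].decode() == self.pin else "rejected"

# ---- hypothetical hardened design ----
PAIRING_KEY = hashlib.sha256(b"constructed example pairing key").digest()  # constructed; a real system pairs a random key
MAX_FAILURES = 5  # constructed lockout threshold

def _tag(key: bytes, device_id: int, counter: int, command: int, pin: str) -> bytes:
    """Truncated HMAC over the frame header and the PIN; the PIN is an input, not a field."""
    header = struct.pack(">HIB", device_id, counter, command)
    return hmac.new(key, header + pin.encode(), hashlib.sha256).digest()[:8]

class Keypad:
    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id, self.counter = key, device_id, 0
    def frame(self, command: int, pin: str) -> bytes:
        self.counter += 1  # fresh counter on every transmission
        header = struct.pack(">HIB", self.device_id, self.counter, command)
        return header + _tag(self.key, self.device_id, self.counter, command, pin)

class AuthenticatedBase:
    def __init__(self, key: bytes, pin: str, paired_ids):
        self.key, self.pin, self.armed = key, pin, True
        self.last_counter = {d: 0 for d in paired_ids}
        self.failures = {d: 0 for d in paired_ids}
    def receive(self, frame: bytes) -> str:
        if len(frame) != 15:
            return "rejected: malformed"
        device_id, counter, command = struct.unpack(">HIB", frame[:7])
        if device_id not in self.last_counter:
            return "rejected: unknown device"
        if self.failures[device_id] >= MAX_FAILURES:
            return "rejected: locked out"
        if counter <= self.last_counter[device_id]:
            return "rejected: replay"  # stale counter: a re-sent capture
        expected = _tag(self.key, device_id, counter, command, self.pin)
        if not hmac.compare_digest(expected, frame[7:]):
            self.failures[device_id] += 1  # each wrong guess costs an online attempt
            return "rejected: bad tag"
        self.failures[device_id] = 0
        self.last_counter[device_id] = counter  # advance only after a verified tag
        if command == DISARM:
            self.armed = False
            return "accepted: disarmed"
        if command == ARM:
            self.armed = True
            return "accepted: armed"
        if command == TEST:
            return "rejected: test mode needs disarmed system" if self.armed else "accepted: test mode"
        return "rejected: unknown command"

def demo() -> dict:
    pin = "1234"  # constructed
    weak = CleartextBase(pin)
    captured = cleartext_frame(DISARM, pin)
    results = {"listener_learns_pin": cleartext_listener(captured) == pin,
               "cleartext_replay": weak.receive(captured)}
    keypad = Keypad(PAIRING_KEY, 0x0001)
    base = AuthenticatedBase(PAIRING_KEY, pin, paired_ids=[0x0001])
    captured = keypad.frame(DISARM, pin)
    results["hardened_first"] = base.receive(captured)
    results["hardened_replay"] = base.receive(captured)
    results["pin_in_frame"] = pin.encode() in captured
    base.receive(keypad.frame(ARM, pin))
    results["test_while_armed"] = base.receive(keypad.frame(TEST, pin))
    # A party without the pairing key cannot compute valid tags; guessed PINs
    # fail one at a time and the device id is locked after MAX_FAILURES.
    forger = Keypad(b"no pairing key", 0x0001)
    forger.counter = keypad.counter
    results["forged"] = [base.receive(forger.frame(DISARM, f"{g:04d}")) for g in range(10)]
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points are worth noting. The base station advances a device's counter only after the tag verifies, so unauthenticated frames cannot push the counter forward and lock the real keypad out of its own sequence. The lockout counter, on the other hand, is a deliberate trade-off: it turns a 10,000-guess exhaustive search into at most five online attempts, but a forger with a paired device id can also trigger it, so a production design would lock per time window and surface the event in monitoring rather than lock indefinitely.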

SimpliSafe is not alone in deploying alarm systems with vulnerable wireless interfaces. Sadly, almost every wireless alarm system I've ever looked at suffers from similar weaknesses. As we hurtle toward a future of ubiquitous digital wireless technology embedded in the objects of our daily lives, we would be wise to pay more attention to the security of those wireless interfaces. Burglar alarm systems seem like a good place to start.

P.S. Dr. Zonenberg's dissertation is fascinating.


Rapid Radio Reversing, ToorCon 2015

In this video of Michael Ossmann’s presentation at ToorCon 2015, he demonstrates how helpful it can be to use a combination of both SDR and non-SDR tools for reverse engineering wireless systems. Michael uses both HackRF One and YARD Stick One to reverse engineer a wireless cabinet lock.

You can download and watch the video on Internet Archive here.

The code from the presentation is in Michael Ossmann’s stealthlock repository.

