In the context of pentesting, “wireless” is generally taken to mean WiFi, and possibly Bluetooth. That’s not because those are the only two wireless technologies deployed in the wild, but because these are the primary types of wireless communications that testers can get access to. The economies of scale push the cost of high-end WiFi and Bluetooth radios down to the point that even amateur pentesters can afford them, but traditionally, the same has not been true for other forms of wireless.
But a chance discovery a few years ago changed that. Cheap USB TV tuners based on the Realtek RTL2832U chipset turned out to have a raw mode that hands unprocessed 8-bit I/Q samples straight to the host, and the attached tuner chip can be steered far outside the DVB-T band the dongle was sold for (roughly 24 to 1766 MHz with the common R820T tuner). With just a bit of driver work, the hacking community got its hands on a highly capable software defined radio (SDR) that could be purchased for as little as $10 from some vendors.
With SDR, instead of having expensive radio equipment to receive and decode each specific wireless technology, one radio can be tuned into an arbitrary frequency, and software can do the decoding. This opens up a huge swath of the radio spectrum; everything from pager transmissions to satellite transmissions can be received with inexpensive hardware and open source software.
Even better, with powerful mobile devices like the Pwn Pad and Pwn Phone, it’s now possible to take SDR on the go. Penetration testing no longer has to be limited to WiFi and Bluetooth, but can include things such as two-way radio communications and pager messages.
TV tuners based on the RTL2832U chipset are fairly common, and a number of online retailers stock them specifically for SDR use. Searching eBay or Amazon for “RTL-SDR” will bring up plenty of hardware choices.
The RTL-SDR project website maintains a basic compatibility list of devices known to work, though it’s by no means exhaustive. A somewhat more detailed compatibility list, maintained by the community, is available on Reddit.
Currently, the best SDR software available for Android is “SDR Touch”, developed by Martin Marinov. SDR Touch works out of the box on both the Pwn Phone and Pwn Pad; all you need is the included USB On-The-Go (OTG) cable and a supported RTL device.
After your hardware is connected, open up SDR Touch and tap the On/Off button at the top right of the screen. Android will then prompt you to confirm that SDR Touch may talk to the USB device. Ticking the checkbox in that prompt will stop it from appearing every time you start the app.
SDR Touch is a full featured software defined radio, allowing you to tune the radio to whatever frequency you wish, visualize received signals with a “waterfall” spectrum analyzer, and even decode a number of protocols automatically.
Dragging the spectrum analyzer in the center allows you to adjust the frequency you’re currently listening to, and pinching will let you zoom in to make fine adjustments. The upper region of the display is the live spectrum and the lower region is the waterfall, a scrolling history of that spectrum over time. Signals which are stronger than the background noise (which is to say, something that’s likely to be an interesting transmission) will show up as large spikes in the upper region and as bright colored tracks running down the waterfall.
In the following image, the radio is tuned to 462.583 MHz, listening in on a transmission from a standard handheld walkie talkie.
While SDR Touch is running you’ll be hearing live audio as it’s received from the radio hardware. When tuned to a transmission such as this, you’ll be able to hear whatever the users are saying as if you had your own walkie talkie. You can even press the “Record” button on the bottom right of the screen to save the audio.
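The following is an added example, not code from the original post or from SDR Touch; it shows the arithmetic behind one row of the waterfall and the “stronger than the background noise” test the text describes. The I/Q samples are constructed: a strong tone 84 kHz above an assumed 462.499 MHz centre frequency (so it lands on the 462.583 MHz walkie-talkie channel) plus a weaker tone 200 kHz below the centre, both in Gaussian noise. A real dongle hands you the same kind of complex baseband samples (rtl_sdr writes them as unsigned 8-bit I/Q pairs, so subtract 127.5 and scale before feeding them in); the sample rate and centre frequency here are assumptions.

```python
# Added example (not SDR Touch code): the spectrum view behind a waterfall row.
# The I/Q samples are constructed: a strong tone 84 kHz above a 462.499 MHz centre
# (462.583 MHz, the walkie-talkie channel) and a weaker one 200 kHz below it, in noise.
import cmath
import math
import random

SAMPLE_RATE = 1_024_000      # samples/s, a rate an RTL2832U dongle can deliver
CENTER_HZ = 462_499_000      # where the tuner is parked (assumption)


def synth_iq(n=256, seed=1):
    """Constructed stand-in for one buffer of complex baseband samples."""
    rng = random.Random(seed)
    tones = [(84_000, 1.0), (-200_000, 0.3)]   # (offset from centre in Hz, amplitude)
    iq = []
    for i in range(n):
        s = complex(rng.gauss(0, 0.01), rng.gauss(0, 0.01))   # receiver noise
        for f, a in tones:
            s += a * cmath.exp(2j * math.pi * f * i / SAMPLE_RATE)
        iq.append(s)
    return iq


def dft(samples):
    """Plain O(n^2) DFT so the block needs no numpy; an FFT does the same job faster."""
    n = len(samples)
    return [sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
            for k in range(n)]


def power_spectrum_db(iq, sample_rate=SAMPLE_RATE, center_hz=CENTER_HZ):
    """One row of the waterfall: (absolute frequency, power in dB), low to high."""
    n = len(iq)
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]  # Hann window
    bins = dft([x * w for x, w in zip(iq, window)])
    rows = []
    for k, val in enumerate(bins):
        offset = (k if k < n // 2 else k - n) * sample_rate / n   # bins past n/2 are below centre
        rows.append((center_hz + offset, 10 * math.log10(abs(val) ** 2 + 1e-12)))
    rows.sort()
    return rows


def find_signals(rows, margin_db=20.0):
    """Report bins that rise margin_db above the median (a cheap noise-floor estimate),
    merging adjacent bins so a windowed tone counts once, at its strongest bin."""
    floor = sorted(p for _, p in rows)[len(rows) // 2]
    signals, group = [], []
    for freq, power in rows + [(None, float("-inf"))]:   # sentinel closes the last group
        if power > floor + margin_db:
            group.append((freq, power))
        elif group:
            signals.append(max(group, key=lambda r: r[1]))
            group = []
    return signals


def demo():
    """Returns [(frequency_hz, power_db), ...] for the constructed buffer."""
    return find_signals(power_spectrum_db(synth_iq()))
```

Calling `demo()` reports two signals, 462.299 MHz and 462.583 MHz, with the second about 10 dB stronger; every other bin sits near the noise floor. The median is used as the floor because a handful of strong carriers barely move it, whereas a mean would be dragged upward by them.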
Scratching the Surface
With the appropriate hardware and working knowledge of SDR Touch under your belt, a whole new world is opened up. Searching around the spectrum with an eye out for strong signals can uncover some very surprising things.
For example, in many areas pager networks are still operating in the 900 MHz band (929 to 932 MHz in the US), carrying POCSAG or FLEX traffic. Pager broadcasts by their nature tend to be very strong, and will be easy to identify both by the bright, wide track they leave on the waterfall and by their distinctive sound (not unlike an old analog modem). Connecting the Pwn Pad or Phone’s headphone jack to a computer’s audio input lets you feed that demodulated audio into decoding software such as multimon-ng, which slices the tones back into bits and parses the framing, and since these networks generally send in the clear this recovers the plaintext content of pager messages.
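To make concrete what “recovering the plaintext” involves once the audio has been turned into bits, here is an added example of the POCSAG framing layer; it is not code from the post, from SDR Touch or from multimon-ng. It encodes a constructed page (the RIC, function code and message text are made up) into preamble, sync and codewords with the real BCH(31,21) check bits, then hunts for sync in the resulting bit stream and walks it back out, the same job a decoder does after FSK demodulation. Zero-padding the last message codeword and dropping trailing NULs is a simplification of how real transmitters terminate text.

```python
# Added example (not SDR Touch or multimon-ng code): encode and decode POCSAG batches.
# Assumes the FSK audio has already been sliced into a bit list; the RIC, function and
# message text below are constructed. Zero-padding the last codeword is a simplification.
SYNC = 0x7CD215D8      # batch sync codeword, sent before every 16 codewords
IDLE = 0x7A89C197      # idle codeword, fills slots that carry nothing
BCH_POLY = 0x769       # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1
PREAMBLE_WORDS = 18    # 576 bits of 1010... let the pager lock its clock


def bch_remainder(word31):
    """Remainder of a 31-bit word modulo the generator; zero for a valid codeword."""
    for i in range(30, 9, -1):
        if word31 & (1 << i):
            word31 ^= BCH_POLY << (i - 10)
    return word31 & 0x3FF


def make_codeword(data21):
    """21 data bits -> 31-bit BCH codeword -> 32 bits with an even parity bit."""
    word31 = (data21 << 10) | bch_remainder(data21 << 10)
    return (word31 << 1) | (bin(word31).count("1") & 1)


def codeword_ok(cw):
    """Parity must be even and the BCH syndrome zero (up to 4 flipped bits are caught)."""
    return bin(cw).count("1") % 2 == 0 and bch_remainder(cw >> 1) == 0


def text_to_bits(text):
    """Alphanumeric messages: 7-bit ASCII, least significant bit first."""
    return [(ord(ch) >> i) & 1 for ch in text for i in range(7)]


def bits_to_text(bits):
    chars = [chr(sum(b << j for j, b in enumerate(bits[i:i + 7])))
             for i in range(0, len(bits) - len(bits) % 7, 7)]
    return "".join(chars).rstrip("\x00")   # drop padding; a trailing partial char is ignored


def encode_page(ric, function, text):
    """Return the codeword list (sync words included) that carries one page."""
    slots = [IDLE] * (2 * (ric & 7))          # the pager only listens in frame ric & 7
    slots.append(make_codeword(((ric >> 3) << 2) | function))   # address: flag bit 0
    bits = text_to_bits(text)
    bits += [0] * (-len(bits) % 20)           # pad to whole 20-bit payloads (assumption)
    for i in range(0, len(bits), 20):
        payload = int("".join(map(str, bits[i:i + 20])), 2)
        slots.append(make_codeword((1 << 20) | payload))        # message: flag bit 1
    slots += [IDLE] * (-len(slots) % 16)      # fill the last batch
    return [w for i in range(0, len(slots), 16) for w in [SYNC] + slots[i:i + 16]]


def to_bitstream(codewords):
    bits = [1, 0] * (16 * PREAMBLE_WORDS)
    for cw in codewords:
        bits.extend((cw >> i) & 1 for i in range(31, -1, -1))   # MSB first on air
    return bits


def read_word(bits, pos):
    return int("".join(map(str, bits[pos:pos + 32])), 2)


def decode_bitstream(bits):
    """Hunt for sync, walk each batch and return [(ric, function, text), ...]."""
    pages, current, pos = [], None, 0

    def flush():
        nonlocal current
        if current is not None:
            pages.append((current[0], current[1], bits_to_text(current[2])))
            current = None

    while pos + 32 <= len(bits):
        if read_word(bits, pos) != SYNC:
            pos += 1                           # slide one bit until the sync word lines up
            continue
        pos += 32
        for slot in range(16):
            if pos + 32 > len(bits):
                break
            cw = read_word(bits, pos)
            pos += 32
            if cw == IDLE or not codeword_ok(cw):
                flush()                        # idle or damaged codeword ends the message
                continue
            data = (cw >> 11) & 0xFFFFF        # 20 payload bits sit under the flag bit
            if cw >> 31 == 0:                  # address: 18 RIC bits + function; frame gives low 3
                flush()
                current = [((data >> 2) << 3) | (slot // 2), data & 3, []]
            elif current is not None:          # message codeword extends the open page
                current[2].extend((data >> i) & 1 for i in range(19, -1, -1))
    flush()
    return pages


def demo():
    """Round-trip a constructed page, with a few junk bits ahead of the preamble."""
    air = [1, 1, 0, 1] + to_bitstream(encode_page(1234567, 3, "CALL THE SOC 555-0100"))
    return decode_bitstream(air)
```

`demo()` returns the single page `(1234567, 3, "CALL THE SOC 555-0100")` even though the message spills from the first batch into a second one; that is the point of keeping the open page across sync words rather than flushing at each batch boundary. Note that nothing in the frame structure ties a message to the receiving pager beyond the RIC in the address codeword, which is why any receiver on the channel can read it.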
One simply can’t overstate just how much new territory is opened up by mastering SDR techniques. As we become increasingly reliant on wireless technology, having the tools and knowledge to discover and interpret wireless signals will become indispensable for the pentester.