LTE Tracking and Recon with RTLSDR
Formal Metadata
Title of Series | DEF CON 23
Number of Parts | 109 (this talk is part 57)
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/36373 (DOI)
Language | English
Transcript: English (auto-generated)
00:02
Welcome. I'm going to get up here and talk a little bit about some research I've been doing on LTE emissions, not so much looking at protocol or data, but just what we can see flying around in the air, and I'm going to do it with RTL-SDRs. A couple of people have made this talk
00:26
happen, or this story happen. A few years ago, Melissa did a talk on crazy stuff in the noise floor that she was exploring with RTL-SDRs. When I saw that talk, it inspired me
00:40
to take up that research on what fun bits of data are flying around out there. Also, if you're here, I'd love to talk to you and shake your hand. This guy has done a tremendous amount of research on fixing a lot of the clock drift problems you hit when you're trying to synchronize two RTL-SDRs. I used
01:01
everything that he did to get to where this talk is. So we're going to go down this road. It's going to wind through a lot of different places: start with a little bit of history on direction finding, on radio exploitation, just straight RF,
01:20
why do we care? I'm going to give you a quick primer on time-of-arrival direction finding. Then I'm going to talk about why the RTL-SDR is a terrible radio, and then go over some of the processes I'm using to do direction finding with RTLs. So here we are. We have a boat in the water
01:46
that's really hard to see. It's 1940, the battle of the U-boats. They have these antenna masts on top that occasionally, when they pop out of the water, emit signals.
02:05
Those signals are, you know, encoded messages, encrypted messages, but they are still RF emissions. Anyone can pick them up. You don't have to be able to decrypt them to put up your antenna and receive that data. So then we get a whole lot of these guys. They put cans on their heads and
02:23
turn a whole bunch of knobs and try to figure out the position of that signal through a few different kinds of techniques, using very expensive, very large equipment. The wavelengths on these transmissions were huge, so to do direction finding you needed national
02:41
infrastructure, or at least the real estate to park lots and lots of antennas. Today we have this guy. He's on the platform. This is the modern approach to direction finding. It's a really fun thing, if you haven't gotten into it, where somebody goes and puts a radio out in a state park and
03:01
you get your antenna and your headphones and you go and try to find it. So there he is. I guess you need a trendy headband. So it's going to get a little technical. This is how direction finding happens with time of arrival. The
03:23
principle here, the main piece of math that's going to happen, is that we're going to have two antennas, or two antennae, that are going to receive the same signal, and then we're going to compare the time difference of that signal arriving at the antennas to get a line of bearing to the transmitter.
03:41
Basically what happens is the transmitter fires off a signal. This obviously has to be a really bursty or discrete signal; if it's always transmitting, you can't catch the time of arrival as easily. Receiver A has a timestamp for when the signal hits. Receiver B then has a slightly later timestamp, and we have, let's
04:06
see, an identical signal, or the same signal, traveling at the same speed through a constant atmosphere. So there are a lot of assumptions here to arrive at two known positions. Based on the distance between the receivers
04:25
and the difference in the time of arrival, you can create a hyperbola that shows all the possible locations of the transmitter. We don't care about modeling the actual hyperbola; I just want to know what the asymptotes are. If you dig back into your
04:43
high school trig, if you just take the cosine of that angle of attack, or that line of bearing, it's going to be the time of arrival divided by the distance between the two points. So using that, we can draw two possible lines that this
05:02
transmitter can be on. If you only have two receivers, you're always going to have two different places to guess and go look for it. So how do we solve that problem and get to a position? This is classic triangulation. When people are
05:21
saying "I'm going to triangulate your signal": three antennas, a little bit of trigonometry, and we get a shape that looks like this, where we have three receivers, they're all getting time-of-arrival measurements, and we're going to take those same cosines of the angles to get six lines.
05:40
Three of the lines are going to diverge off into space. Hopefully three of the lines are going to converge. If you've got clock drift in your radios, if you have really terrible RTL-SDRs that you're using as your receivers, sometimes all six lines diverge and you just have to wait for everything to sync up. So we've talked about
06:02
the history of direction finding. I've given you a little bit on the math that's behind time of arrival. How many of you guys have heard of an RTL-SDR? Awesome. Okay. They're cheap. That's something that I really like about playing with them, especially if I need three of them. I'm not going to go out and get three bladeRFs to do a pet time-of-arrival project
06:23
on a couple of weekends. It's a lot of budget for an entry-level exercise. But the RTL-SDRs, I was like, all right, they're like $16 on the Internet, so how bad can they be? I'm using the E4000s because I was interested in tracking LTE signals and I had to get up into the higher band.
06:43
If you buy a brand new RTL-SDR, like straight off of Amazon, it's a newer chip that doesn't tune all the way up to LTE 1900, which is what we have here in Las Vegas. So for this project with newer radios, you've got to find a place where they're using the 800 band LTE. This is the E4000 on
07:03
the right. On the left is the stock terrible antenna that comes with the E4000. But that stock terrible antenna and the E4000 are able to pick up clean ADS-B signals, which is
07:21
what's coming off the airplanes to air traffic control to show their heading and position and flight identifiers, that kind of information. If you go on Reddit and you get into the RTL-SDR community and say "I want to pick up ADS-B", everyone is going to tell you you've got to get a better antenna and you've got to run wires out of
07:41
your house and get it high up in the air and throw away the antenna that comes with your chip. Don't do any of that. Just use the stock antenna when you're getting started playing. It lowers that initial investment, and it works. I mean, this was live data, actually from here this morning. Yeah. It's not garbage. It's terrible, but it's
08:06
not garbage. So if you want to get started, it will work. So this is my disclaimer. I am not a radio guy by trade. I've definitely done a lot of analysis of pre-collected
08:21
signals, but digital signal processing is not my formal education. So I'm about to do a lot of terrible things. Let's do direction finding with the RTL-SDR. So we said before that we need to have three antennas to do position direction
08:43
finding. So I'm just going to buy three of these $16 things, hook them all up to my PC, and this is just going to work, right? There's my RTL-SDR. I'm going to replace each of the transmitters in my original diagram, sorry, each of the receivers, with RTLs, and it's just going to work. It's not
09:03
going to work. One of the major problems with these is that the oscillator is extremely sensitive to temperature. If you have a fan blowing near your computer and you have two RTLs sitting next to each other and one is getting the fan more directly than the other, your center frequencies can
09:21
start to drift very quickly, which breaks time of arrival. There are also issues with the clock. Because they're coming in over USB, if you try to sync two of these devices on the system with the CPU, there's bus lag from the USB, there's clock drift across the devices, and the temperature-sensitive oscillator is just going to break down all your
09:43
calculations. You're going to attempt to geolocate something and it's going to tell you that it's 25,000 miles away, and it doesn't make any sense. So what do we do about clock synchronization? This is where U.S. work came in. He had spent a lot of time trying to solve this problem. It turns out that the
10:03
reference for the RTLs that have come out has a pin that you can use for a clock in. So all you've got to do is crack open your $16 radio and solder the clock out from one of them onto the other two, and now suddenly you're using
10:22
the same system clock for all three devices. You're not trying to sync on the CPU. And you can actually do a little direction finding if you get a good signal. And there's a rig with three RTLs sharing a single clock. So like I said
10:42
before, it doesn't make the RTL a great radio. It's still bad. But with a little bit of clock sync and math and good signals, and that's what I'll get into next, what kind of signals this works with, you can go and direction find devices using a couple of RTLs, three RTLs. This is where it
11:06
works. This is where we get into why I chose LTE. When I was surveying the space around where I live, there were a lot of LTE uplinks, and I thought, hey, that would be really cool if I could use my triangulation technique to track
11:22
all the cell phones. And some of them are cars and some of them are other devices. But basically I'm assuming that if it's LTE and it's uplink and I can receive it, it's probably a phone. GSM is also good. It's pretty wide. It's not as loud. It's closer to the noise floor. And the RTLs really
11:43
struggle with that, because everything looks like noise on one with the stock antenna. CB radio is pretty good too, because it's super loud. You get a very clear signal when you're trying to play with this. Walkie-talkies are the same way. There are a lot of construction guys around us, and I've been able to put very precise dots on where they're
12:03
sitting in their yellow iron. One of the other things that's kind of exciting: this is a signal that I collected in the U.S., and you'll see that it's in the 900 uplink. Well, maybe you can see. There are some numbers right there. That's not a licensed band for GSM in the U.S. That's a European
12:25
channel. So this was a signal that I was interested in geolocating, because obviously somebody is using a system that either is completely undocumented or they shouldn't be. And because the width of the signal is fairly wide, unlike
12:43
the walkie-talkie and CB stuff that gets very narrow, if the clocks drift on the RTLs or the oscillators drift and my center frequencies get off, my time of arrival is still the same. I'm going to show that if I have one RTL where the true center frequency is slightly to the left of where I'm trying to tune it and another slightly to the right, I'm
13:03
still going to get the same time of arrival. So that's why LTE is easy to track with three RTLs. That's my research so far. I'm going to be hanging out at the Wireless Village tomorrow. If anybody wants to see this thing fly, my cabana
13:25
box does not plug into a VGA. I'm not going to show it live in here. Thanks for coming out.
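The time-of-arrival primer in the talk (two receivers give a hyperbola whose asymptotes are two candidate bearings, a third receiver's lines pick out the converging set, and unsynchronised clocks make the answer nonsensical) as a runnable worked example. This is an added illustration written for this page, not the speaker's code; the receiver layout, the transmitter position used to simulate arrival times, the clock-error values and all function names are constructed assumptions. Time differences are turned into path-length differences by multiplying by the propagation speed c before taking the cosine.

```python
"""TDOA bearing estimation with three receivers (added example, not the talk's code).

Flat-plane geometry in metres; propagation speed c assumed (free space).
"""
import math
from itertools import combinations, product

C = 299_792_458.0  # m/s, assumed propagation speed

# Constructed receiver layout (x, y) in metres: three receivers on ~300 m baselines.
RECEIVERS = [(0.0, 0.0), (300.0, 0.0), (0.0, 300.0)]
# Constructed "true" transmitter position, used only to simulate arrival times.
TX_TRUE = (6000.0, 8000.0)


def simulate_arrival_times(tx, receivers, clock_offsets=None):
    """Seconds at which a burst emitted at t=0 from tx is timestamped by each receiver.

    clock_offsets models receivers whose clocks are not synchronised: each
    receiver's timestamp carries its own clock error.
    """
    offsets = clock_offsets or [0.0] * len(receivers)
    return [math.dist(tx, rx) / C + off for rx, off in zip(receivers, offsets)]


def bearing_candidates(rx_a, rx_b, t_a, t_b):
    """Two far-field directions (unit vectors) consistent with one time difference.

    With d the baseline length and u the unit vector from A to B, the path-length
    difference c*(t_a - t_b) gives cos(theta) = c*(t_a - t_b) / d, theta measured
    from u. The hyperbola's two asymptotes are at +theta and -theta from u, both
    through the baseline midpoint. Returns None when |c*dt| exceeds d, which no
    real geometry can produce: that is clock error or noise, not a transmitter.
    """
    d = math.dist(rx_a, rx_b)
    u = ((rx_b[0] - rx_a[0]) / d, (rx_b[1] - rx_a[1]) / d)
    perp = (-u[1], u[0])
    cos_t = C * (t_a - t_b) / d
    if abs(cos_t) > 1.0 + 1e-9:
        return None
    cos_t = max(-1.0, min(1.0, cos_t))  # clamp float round-off at the limits
    sin_t = math.sqrt(1.0 - cos_t * cos_t)
    return [
        (cos_t * u[0] + sin_t * perp[0], cos_t * u[1] + sin_t * perp[1]),
        (cos_t * u[0] - sin_t * perp[0], cos_t * u[1] - sin_t * perp[1]),
    ]


def solve_bearing(receivers, times):
    """Bearing in degrees (counter-clockwise from +x) from three receivers.

    Each pair yields two candidate lines, six in total. Of the eight ways to
    choose one line per pair, the choice whose directions agree most closely is
    the converging set; the other candidates diverge. Returns None if any pair is
    geometrically impossible.
    """
    per_pair = []
    for i, j in combinations(range(len(receivers)), 2):
        cands = bearing_candidates(receivers[i], receivers[j], times[i], times[j])
        if cands is None:
            return None
        per_pair.append(cands)
    best = None
    for choice in product(*per_pair):
        mx = sum(v[0] for v in choice) / len(choice)
        my = sum(v[1] for v in choice) / len(choice)
        norm = math.hypot(mx, my)
        if norm == 0.0:
            continue  # directions cancel out: certainly not the converging set
        # Sum of (1 - cos) between each chosen line and their mean direction:
        # zero when all lines point the same way, large when they diverge.
        spread = sum(1.0 - (v[0] * mx + v[1] * my) / norm for v in choice)
        if best is None or spread < best[0]:
            best = (spread, math.degrees(math.atan2(my, mx)))
    return None if best is None else best[1]


def true_bearing(receivers, tx):
    """Reference bearing from the receiver centroid to tx, for comparison only."""
    cx = sum(r[0] for r in receivers) / len(receivers)
    cy = sum(r[1] for r in receivers) / len(receivers)
    return math.degrees(math.atan2(tx[1] - cy, tx[0] - cx))


def path_error_metres(clock_error_s):
    """Apparent path-length error that a receiver clock error of clock_error_s adds."""
    return C * clock_error_s


if __name__ == "__main__":
    times = simulate_arrival_times(TX_TRUE, RECEIVERS)
    print("synchronised clocks: bearing %.2f deg (reference %.2f deg)"
          % (solve_bearing(RECEIVERS, times), true_bearing(RECEIVERS, TX_TRUE)))
    # A 2 us clock error on one receiver is about 600 m of apparent path, twice
    # the baseline, so no bearing is consistent with it and the solver gives up.
    skewed = simulate_arrival_times(TX_TRUE, RECEIVERS, [0.0, 2e-6, 0.0])
    print("2 us clock error on receiver B:", solve_bearing(RECEIVERS, skewed))
```

Running the block prints a bearing within a fraction of a degree of the reference and None for the 2 us case, which is why a shared clock matters as much as the talk says: one microsecond of offset is about 300 m of apparent path, and a sub-microsecond error on a baseline of a few metres already pushes the cosine outside [-1, 1] or swings the bearing by tens of degrees. A related caveat the example does not model: at a 2.4 MS/s sample rate one sample period is about 417 ns, roughly 125 m of path, so raw sample indices cannot resolve a bearing on short baselines; cross-correlation with sub-sample interpolation, or baselines well beyond a sample's worth of path, is needed.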