[HN Gopher] Transmit Radio Signals via Ethernet
       ___________________________________________________________________
        
       Transmit Radio Signals via Ethernet
        
       Author : mmm_grayons
       Score  : 188 points
       Date   : 2020-11-08 13:06 UTC (9 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | PragmaticPulp wrote:
       | Clever hack, but a lot of people are misinterpreting what's going
       | on here. These devices emit some very low level of 125MHz energy
       | during normal operation. This software is simply turning that on
       | and off, but not doing anything to increase the amount of
       | emissions.
       | 
       | Presumably the 125MHz emissions are within the FCC allowed
       | envelope anyway, so this isn't doing anything to exceed normal
       | emissions limits. This only works in a quiet RF environment, as
       | noted in the README.
       | 
       | There is no need to be concerned about this signal reaching
       | aircraft or otherwise interfering with normal transmissions.
        
         | jcrawfordor wrote:
         | Aviation radios on aircraft are typically 25w and ground
         | stations the same to somewhat higher... and operations are
         | generally line of sight and using analog AM modulation, which
         | gets along nicely with CW. From a practical perspective (rather
          | than regulatory), it is difficult to imagine milliwatt CW
         | transmissions causing any meaningful problem with aircraft
         | operations. Most radio systems used on aircraft are not really
         | all that sensitive anyway, the most touchy thing would be the
         | glideslope/localizer but it's only used at fairly short ranges
         | and with fairly high power levels. This could perhaps cause a
         | slight deflection of the ILS but that's assuming it's very
         | close to the runway and at high power. This paper discusses
         | security of the ILS system against tampering, which is
         | generally the most "touchy" thing that aircraft use and the
         | main interference concern:
         | https://www.usenix.org/system/files/sec19-sathaye.pdf
         | 
          | That's all sort of beside the point anyway as nav aids use the
         | lower end of the aviation band, 125MHz is used for AM voice
         | where the interference would be, at worst, audible but not
         | strong enough to cause problems unless reception was already
         | extremely marginal.
         | 
         | Or to put it differently, two pilots hitting their PTT at the
         | same time is already causing far more disruption to operations
         | in the 125MHz range than this thing ever would.
        
         | tyingq wrote:
          | 125MHz is the frequency you get with 100BASE-TX. It's
          | basically the baud rate of 100Mb plus the 5 bits to encode 4
          | bits overhead. 100 * 5/4 = 125.
         | 
          | As you mention, this is toggling the expected 125MHz on and
         | off. It's not noise, it's "the signal".
        
       | zsellera wrote:
       | Just out of curiosity: the tone appearing is me connecting my CE-
       | certified Dell computer to a CE-certified Asus router, using a
       | standard cat5-e cable.
       | 
       | https://ibb.co/0rxKq6L
       | 
       | (CubicSDR ran on the same DELL machine, however both tones
       | disappeared after disconnecting the antenna from the SDR)
        
       | austincheney wrote:
       | Using an Ethernet line toner on a hot line in certain areas of
       | Kuwait generates output from a local AM radio station.
        
       | ChuckMcM wrote:
       | This is a neat side channel attack for data exfiltration. The
       | author is a radio amateur (Poland) and would do well to look at
       | FT8 or other error correcting CW modulations other than simple
       | Morse code. I would estimate you could pick up a signal at nearly
        | a km using such a scheme.
        
       | bserge wrote:
       | Billion dollar idea - RoI, Radio on Internet!
        
       | coderjames wrote:
       | Please don't try this at home! 118 MHz - 137 MHz is a protected
       | Aviation band across the globe for airplanes to communicate with
       | air traffic control. We already have enough industrial noise
       | problems in this band; please don't contribute to pollution of
       | protected spectrum. You will be interfering with the safe
       | operation of the airspace.
       | 
       | See: https://en.wikipedia.org/wiki/Airband
        
         | 4gotunameagain wrote:
         | This does not magically increase the power radiated by an
         | ethernet cable or somehow change the base frequency of the
         | interference. Furthermore, the power levels are very low. If
         | you check the link at the bottom, he is using a directional
         | (Moxon) antenna to receive this faint signal. If this could
         | somehow pose an issue with anything, it would have been caught
          | in EMI testing of all network equipment sold.
        
           | vvanders wrote:
           | Part 15 is pretty clear that any harmful interference should
           | be minimized[1]. Even though it's low power that doesn't mean
           | that it still can't be picked up. Just because equipment is
           | sold at retail doesn't give you a free pass on it.
           | 
           | Take powerline ethernet where the power levels are "low" but
           | still can cause significant issues[2].
           | 
           | [1] http://www.arrl.org/part-15-radio-frequency-devices#Myths
           | 
           | [2] http://www.elmac.co.uk/RF_Emissions_of_Powerline_Ethernet
           | _ad...
        
           | 60Vhipx7b4JL wrote:
           | It does not increase power. But it couples data instead of
           | static noise into the communication which might be more
           | annoying on the other end.
        
           | avian wrote:
           | As others have pointed out, EMC testing often only considers
           | typical use and this is not one.
           | 
           | Another thing is that regulations don't only consider
           | radiated power. Constant-level spurious transmissions are
           | sometimes tolerated to a higher degree compared to modulated
           | ones (e.g. in some bands maximum allowed interference is
            | determined by quasi-peak level, not power). This is exactly
           | because modulated interference (which is what this produces)
           | is more harmful to communications systems.
        
           | jcims wrote:
           | I think the issue is introducing a signal (particularly morse
           | code) on a noise source that is typically steady state. I can
           | pick it up pretty easily with just a bare UHF connector, no
           | antenna.
           | 
           | Low risk overall but it's a good reminder.
        
           | londons_explore wrote:
           | EMI testing only tests a product during typical use.
           | 
           | It's very possible to transmit illegal power levels with
           | software mods, or even carefully crafted data packets in some
           | cases.
        
             | derefr wrote:
             | > or even carefully crafted data packets
             | 
             | Unless you've made custom PHY hardware for those data
             | packets to be pushed onto the line through, your data
             | packets are going to be line-coded to ensure that the
             | signal is self-clocking. Which basically precludes boosted
             | harmonics.
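To make tyingq's arithmetic and derefr's line-coding point concrete, here is an added Python example (not code from the thread or the linked project) of the 4B/5B code that 100BASE-TX uses: the standard data-symbol table, encode/decode, the 100 * 5/4 = 125 Mbaud symbol rate, and the bounded zero runs that keep the symbol stream self-clocking.

```python
# 4B/5B line code used by 100BASE-TX (the standard FDDI/100BASE-TX data
# symbol table). Each 4-bit nibble becomes a 5-bit code group, so a 100 Mbit/s
# payload is sent as a 125 Mbaud symbol stream: that 125 MHz symbol clock is
# the energy the thread is talking about.
FOURB_FIVEB = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVEB_FOURB = {v: k for k, v in FOURB_FIVEB.items()}


def symbol_rate_mbaud(data_rate_mbps: float) -> float:
    """Symbol rate after 4B/5B: five line symbols carry four payload bits."""
    return data_rate_mbps * 5 / 4


def encode_4b5b(payload: bytes) -> str:
    """Map bytes to a string of line symbols, low nibble first (as 100BASE-TX does)."""
    groups = []
    for byte in payload:
        groups.append(FOURB_FIVEB[byte & 0x0F])
        groups.append(FOURB_FIVEB[byte >> 4])
    return "".join(groups)


def decode_4b5b(symbols: str) -> bytes:
    """Inverse of encode_4b5b; raises KeyError on a non-data code group."""
    if len(symbols) % 10:
        raise ValueError("symbol stream must be a whole number of bytes (10 symbols)")
    out = bytearray()
    for i in range(0, len(symbols), 10):
        lo = FIVEB_FOURB[symbols[i:i + 5]]
        hi = FIVEB_FOURB[symbols[i + 5:i + 10]]
        out.append((hi << 4) | lo)
    return bytes(out)


def longest_zero_run(symbols: str) -> int:
    """Longest run of consecutive 0 symbols. Every data code group starts with
    at most one 0 and ends with at most two, so any payload yields a run of at
    most three: the receiver always sees a transition to lock its 125 MHz clock."""
    return max((len(run) for run in symbols.split("1")), default=0)
```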
        
           | JosephRedfern wrote:
           | Does EMI testing consider "atypical" uses like this one? I'd
           | assumed that they only tested normal use cases. I'd consider
           | (wrongly, perhaps?) changing speed of a NIC several times per
           | second to be an atypical use.
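Following JosephRedfern's point that changing a NIC's speed several times per second is atypical, it is also detectable from the host's own link-state log. Here is an added Python example (not code from the thread or the linked project) that keeps only the real speed transitions per interface and flags any interface with more than a couple of transitions inside a one-second window; the log line format and the sample lines are constructed for the example, not real kernel output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a syslog-like shape (not real kernel output): timestamp,
# interface and the negotiated speed after each link renegotiation. A cable swap
# produces one or two events; keying data through speed changes, as the thread
# describes, produces several per second.
SAMPLE_LOG = """\
2020-11-08T13:06:00.020 eth0: link up 100Mbps/Full
2020-11-08T13:06:00.310 eth0: link up 10Mbps/Full
2020-11-08T13:06:00.590 eth0: link up 100Mbps/Full
2020-11-08T13:06:00.880 eth0: link up 10Mbps/Full
2020-11-08T13:06:01.150 eth0: link up 100Mbps/Full
2020-11-08T13:06:02.000 eth1: link up 1000Mbps/Full
2020-11-08T13:07:30.000 eth1: link down
2020-11-08T13:07:34.000 eth1: link up 1000Mbps/Full
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\w+): link (?P<state>up|down)"
    r"(?: (?P<speed>\d+)Mbps/\w+)?$"
)


def parse_link_events(text):
    """Return (timestamp, iface, speed) tuples; speed is 0 for a link-down line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        speed = int(m["speed"]) if m["speed"] else 0
        events.append((ts, m["iface"], speed))
    return events


def flapping_interfaces(events, window=timedelta(seconds=1), max_changes=2):
    """Map iface -> peak number of speed transitions seen inside any sliding
    window of the given length, for interfaces exceeding max_changes. Only
    transitions count, so a steady link that logs repeatedly is not flagged."""
    history = defaultdict(list)
    for ts, iface, speed in sorted(events):
        hist = history[iface]
        if not hist or hist[-1][1] != speed:
            hist.append((ts, speed))
    flagged = {}
    for iface, hist in history.items():
        changes = [ts for ts, _ in hist[1:]]  # first entry is initial state
        start = 0
        for end in range(len(changes)):
            while changes[end] - changes[start] > window:
                start += 1
            count = end - start + 1
            if count > max_changes:
                flagged[iface] = max(flagged.get(iface, 0), count)
    return flagged
```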
        
         | Rebelgecko wrote:
         | Does regular usage of ethernet cables cause problems for
         | aircraft?
        
       | _joel wrote:
       | Would the cable length affect the tuning or is 125MHz specific to
       | just the switching on the silicon?
        
         | [deleted]
        
         | zsellera wrote:
         | I think what happens is the transformer inside the rj45
          | connector couples a little of the differential mode signal (that
         | should not radiate significantly) to all wires in the cable
         | harness (common mode), which will radiate. You can select the
         | cable length so it resonates well, acting like a good antenna,
         | but bad antennas radiate as well (worse efficiency). A few mV
         | of noise is quite well detectable from 10m of distance.
        
           | dkdk8283 wrote:
           | There's a transformer inside the rj45 connector?
        
             | detaro wrote:
             | In the device, often integrated into the socket.
        
           | _joel wrote:
           | Thanks for that explanation, makes sense.
        
             | jcims wrote:
             | zsellera covered the mechanism of transmission very well.
             | The 125MHz frequency is specifically coming from the
              | Ethernet standard, as it's essentially the operating
             | frequency of each pair in typical hundred megabit and
             | gigabit Ethernet. 10Mbps Ethernet operates at 10MHz.
             | 
             | By flipping the port speed between 100 and 10Mbps they are
             | essentially toggling the 125MHz oscillator. I don't think
              | anything is intentionally generating the frequency of the
             | tone you hear, it's just intermodulation products of the
             | noise and the LO in the receiver.
        
         | [deleted]
        
       | zsellera wrote:
        | As someone who recently participated in an EMC measurement, I really
       | don't understand how anyone passes these tests without some kind
       | of cheating (using double-shielded, very expensive industrial
       | cables + hacking with functional earthing).
        
         | R0b0t1 wrote:
         | Paying special attention to power distribution tends to help,
         | along with encasing the product in something conductive. It's
         | also really beneficial to have some kind of test equipment in
         | house to get a general idea, think of it like having a
         | debugger.
         | 
         | The first two options are somewhat expensive, the NRE for the
         | power supply design isn't attractive to manager types and
         | conductive coatings for plastic or a metal enclosure are not
         | the cheapest options. But if you're dead set on compliance it's
         | better to frontload the design costs instead of iterating 3
         | times before you get to market.
        
         | avian wrote:
         | I've spent months and sleepless nights trying to get a product
         | through the EMC certification. It's certainly possible but it's
         | time consuming and expensive. With a shoestring engineering
         | budget and a product that needs to be on the shelves in a
         | month? Not really.
         | 
         | I'm sure many devices on the market are not compliant. I follow
         | lists of products removed from market for non-compliance and
         | there are plenty each week. But the fact is that, if you're not
         | in one of the categories that are under special scrutiny
         | (aerospace, automobile, medical, etc.) or do something grossly
         | incompetent (e.g. interfere with a mobile operator or someone
         | else with a similar power to put you into the regulatory
         | spotlight) you're unlikely to get into trouble for shipping a
         | non-compliant device.
         | 
         | Make someone's Wi-Fi a bit slower and a bit more packet-lossy?
         | Chances are nobody will care. It's a sad state of affairs
         | really because pervasive radio interference is just making
         | things worse for everyone.
        
           | [deleted]
        
           | semi-extrinsic wrote:
           | Yeah, I remember in the early 2000s we had a wireless RCA
           | audio/video transmitter, bought at a local electronics store,
           | that played absolute havoc with the WiFi in our house as well
           | as several neighbours.
           | 
           | Another classic example is early cellphones that you would
           | pick up on stereo systems etc. - "dat-dara-dat-dara-dat-dara-
           | dat-dara-daaaaaa" going out in full blast.
        
             | jimmaswell wrote:
             | In GTA 4 (set in the early 2000s or so) you hear that on
             | your car stereo before your phone rings. I always loved
             | that detail.
        
             | avian wrote:
             | The effect of GSM phones on analog audio equipment was
             | actually an oversight in defining the standard. Fully
             | compliant equipment had that effect.
             | 
             | Some years back when I had some small involvement in new EU
             | regulations that case was actually given as an example of
             | how, even after many reviews, some forms of harmful
             | interference can only become apparent after a technology is
             | already widely deployed.
        
             | jcrawfordor wrote:
             | Because those A/V transmitters used the same 2.4GHz ISM
             | band as WiFi at the time, there was actually no regulatory
             | protection against this interference - from a regulatory
             | perspective it's just a normal and expected part of using
             | an ISM band where there is no protection. The increasing
             | popularity of WiFi started to really surface the problems
             | in this area, similar issues are seen in 900MHz far less
             | often because it's mostly used with low-power, low-duty-
             | cycle devices.... the same as was intended for 2.4GHz
             | before widespread consumer WiFi.
        
       | hansjorg wrote:
       | Very nice, could be used for exfiltration with some tuning.
       | 
       | The most advanced example of this kind of inadvertent
        | transmission I've seen is Fabrice Bellard's DVB-T transmitting
       | with a standard VGA card:
       | 
       | https://bellard.org/dvbt/
        
         | skunkworker wrote:
         | I was thinking the same thing, have it exfil a secret key out
         | of a server room (theoretically).
         | 
         | I also got reminded about the method to send data from one
         | computer to another over low frequency sound
         | https://www.extremetech.com/computing/171949-new-type-of-aud...
        
           | jcims wrote:
           | Also through HDD noise
           | 
           | https://arstechnica.com/information-
           | technology/2016/08/new-a...
        
             | norrius wrote:
             | I love how a (metaphorically) air-gapped system can be
             | attacked (literally) through the air. Maybe the truly
             | critical things should also be vacuum-gapped (and put into
             | Faraday cages while we're at it)?..
             | 
             | But the system still has _some_ connection to the outside
             | world, right? That means we could run some heavy GPU load
             | and measure the variation in its power consumption, which
             | apparently has been tried before:
             | https://www.helpnetsecurity.com/2018/04/13/data-
             | exfiltration...
             | 
             | Along these lines, the excess heat has to go somewhere, so
             | maybe one could measure the variation in the work of the
             | coolant system. I couldn't find any research about it right
             | away (BitWhisper is similar, but a bit different), but I
             | trust someone has already tried that.
        
         | sidpatil wrote:
         | https://en.m.wikipedia.org/wiki/Tempest_(codename)
        
           | Darkphibre wrote:
           | I wanted to spin up a hardening service back in the mid-90s,
           | based around what we knew of Tempest. I even named it Echelon
           | Consulting (as in "upper echelon," but with a nod to
           | ECHELON). My spouse wouldn't let me, they felt it'd be too
           | risky to get involved with that environment, and we were just
           | starting our family.
           | 
            | But... yeah. You could tune into VGA monitors up to a mile
            | away using consumer hardware, and reception is perfectly legal
            | (lots of case history to back this up)!
           | 
           | I figured my pitch would be to walk in with a briefcase
           | setup, flip a switch, and show them what the receptionist was
           | working on. Then ask if they were worried if competitors
           | could know what _they_ were working on (not a threat, just
            | bringing awareness), or whether they would be interested in
            | some expensive cables/hardware.
           | 
           | Now that the kids are grown up and divorce pending, I've
           | debated getting back into the netsec field. Lots of
           | fascinating angles to be had in unexpected hardware
           | boundaries... and my background in data science/machine
           | learning/DSPs could prove fruitful in signals
           | reconstruction...
        
         | JosephRedfern wrote:
         | Related Reading: https://hackaday.com/2018/04/23/spoofing-cell-
         | networks-with-...
        
       | vitplister wrote:
       | Previously posted here:
       | https://news.ycombinator.com/item?id=25012469
        
       | flerchin wrote:
       | In college we had an I2C to ethernet adapter on our drone testbed
       | that caused all sorts of RF interference for us. We eventually
        | wrapped the whole fuselage in a Faraday cage so that the
       | datalink and flight controls wouldn't be overwhelmed. It was
       | responsible for transmitting data at a 1 Hz rate, and we could
       | visualize the interference on a spectrometer over a broad range
        | of RF at exactly 1 Hz.
       | 
       | Anyway, we totally could have made a transmitter out of that
       | thing.
        
         | snypher wrote:
         | I thought i2c slowest clock was 100kb/s, how did this end up in
         | a 1Hz rate?
        
       | zw123456 wrote:
       | Of course, on the RPI there is the good ole GPIO4 abuse:
       | https://tutorials-raspberrypi.com/build-raspberry-pi-radio-t...
       | Works a lot better and has been around a long time.
        
         | xncl wrote:
         | From reading the comments there it seems newer RPi (>3) don't
         | work for this or mangle the GPIO port in some way to prevent
         | this. I do have some 3s lying around so I may try this soon.
        
       | zeckalpha wrote:
       | The original Ethernet used similar hardware as ham radio.
       | AlohaNet predates it of course, but Thicknet used local RF loops.
        
       | jcims wrote:
       | (Note: As coderjames points out this could be dangerous
       | tinkering. There is typically steady-state noise at 125MHz from
       | Ethernet so it's not that we're putting more energy into the
       | spectrum with this, but adding signal in the form of morse code
       | could draw a lot of attention/distraction to pilots and ATC in
       | the area.)
       | 
       | FWIW very brief example of 125MHz tone loss when going to 10MHz
       | demonstrated here when my slow internet gets done uploading:
       | 
       | (Unpleasant sound warning)
       | 
       | https://youtu.be/JmyA5QEtAxA
        
         | Dahoon wrote:
         | If your Ethernet emissions can be picked up by pilots or air
          | traffic control, you are doing something wrong on purpose.
        
           | jcims wrote:
           | Sure but I could see this being used as a side-channel attack
           | to exfil data from a customer in a red team assessment.
           | Practitioners love little tools like this.
           | 
           | Also I'm not talking about 30 miles away...but if a
           | completely intact cable can be detected with a directional
           | antenna from 100m, an intentionally buggered patch cable
           | installed at a client site for this purpose could pose a
           | bigger concern for pilots in the area. (edit: I might be more
           | tuned in to this (har har) because I live in the flight path
           | of a medical helicopter that flies over at ~500' almost
           | daily.)
           | 
           | Ham folks can seem a bit hair-triggered chicken littles with
           | RF hygiene but it's the product of decades of fighting noise
           | from people that aren't aware of the externalities of their
           | actions.
        
       ___________________________________________________________________
       (page generated 2020-11-08 23:01 UTC)