[HN Gopher] Transmit Radio Signals via Ethernet
___________________________________________________________________
Author : mmm_grayons
Score  : 188 points
Date   : 2020-11-08 13:06 UTC (9 hours ago)
web link (github.com)

| PragmaticPulp wrote:
| Clever hack, but a lot of people are misinterpreting what's going
| on here. These devices emit some very low level of 125MHz energy
| during normal operation. This software is simply turning that on
| and off, but not doing anything to increase the amount of
| emissions.
|
| Presumably the 125MHz emissions are within the FCC allowed
| envelope anyway, so this isn't doing anything to exceed normal
| emissions limits. This only works in a quiet RF environment, as
| noted in the README.
|
| There is no need to be concerned about this signal reaching
| aircraft or otherwise interfering with normal transmissions.
| jcrawfordor wrote:
| Aviation radios on aircraft are typically 25w and ground
| stations the same to somewhat higher... and operations are
| generally line of sight and using analog AM modulation, which
| gets along nicely with CW. From a practical perspective (rather
| than regulatory), it is difficult to imagine milliwatt CW
| transmissions causing any meaningful problem with aircraft
| operations. Most radio systems used on aircraft are not really
| all that sensitive anyway; the most touchy thing would be the
| glideslope/localizer, but it's only used at fairly short ranges
| and with fairly high power levels. This could perhaps cause a
| slight deflection of the ILS, but that's assuming it's very
| close to the runway and at high power.
| This paper discusses
| security of the ILS system against tampering, which is
| generally the most "touchy" thing that aircraft use and the
| main interference concern:
| https://www.usenix.org/system/files/sec19-sathaye.pdf
|
| That's all sort of beside the point anyway, as nav aids use the
| lower end of the aviation band; 125MHz is used for AM voice,
| where the interference would be, at worst, audible but not
| strong enough to cause problems unless reception was already
| extremely marginal.
|
| Or to put it differently, two pilots hitting their PTT at the
| same time is already causing far more disruption to operations
| in the 125MHz range than this thing ever would.
| tyingq wrote:
| 125MHz is the frequency you get with 100BASE-TX. It's
| basically the baud rate of 100Mb plus the 5 bits to encode 4
| bits overhead. 100 * 5/4 = 125.
|
| As you mention, this is toggling the expected 125MHz on and
| off. It's not noise, it's "the signal".
| zsellera wrote:
| Just out of curiosity: the tone appearing is me connecting my
| CE-certified Dell computer to a CE-certified Asus router, using a
| standard Cat5e cable.
|
| https://ibb.co/0rxKq6L
|
| (CubicSDR ran on the same Dell machine; however, both tones
| disappeared after disconnecting the antenna from the SDR.)
| austincheney wrote:
| Using an Ethernet line toner on a hot line in certain areas of
| Kuwait generates output from a local AM radio station.
| ChuckMcM wrote:
| This is a neat side channel attack for data exfiltration. The
| author is a radio amateur (Poland) and would do well to look at
| FT8 or other error-correcting CW modulations other than simple
| Morse code. I would estimate you could pick up a signal at nearly
| a km using such a scheme.
| bserge wrote:
| Billion dollar idea - RoI, Radio on Internet!
| coderjames wrote:
| Please don't try this at home! 118 MHz - 137 MHz is a protected
| Aviation band across the globe for airplanes to communicate with
| air traffic control.
| We already have enough industrial noise
| problems in this band; please don't contribute to pollution of
| protected spectrum. You will be interfering with the safe
| operation of the airspace.
|
| See: https://en.wikipedia.org/wiki/Airband
| 4gotunameagain wrote:
| This does not magically increase the power radiated by an
| Ethernet cable or somehow change the base frequency of the
| interference. Furthermore, the power levels are very low. If
| you check the link at the bottom, he is using a directional
| (Moxon) antenna to receive this faint signal. If this could
| somehow pose an issue with anything, it would have been caught
| in EMI testing of all network equipment sold.
| vvanders wrote:
| Part 15 is pretty clear that any harmful interference should
| be minimized[1]. Even though it's low power, that doesn't mean
| that it still can't be picked up. Just because equipment is
| sold at retail doesn't give you a free pass on it.
|
| Take powerline Ethernet, where the power levels are "low" but
| still can cause significant issues[2].
|
| [1] http://www.arrl.org/part-15-radio-frequency-devices#Myths
|
| [2] http://www.elmac.co.uk/RF_Emissions_of_Powerline_Ethernet_ad...
| 60Vhipx7b4JL wrote:
| It does not increase power. But it couples data instead of
| static noise into the communication, which might be more
| annoying on the other end.
| avian wrote:
| As others have pointed out, EMC testing often only considers
| typical use, and this is not one.
|
| Another thing is that regulations don't only consider
| radiated power. Constant-level spurious transmissions are
| sometimes tolerated to a higher degree compared to modulated
| ones (e.g. in some bands maximum allowed interference is
| determined by quasi-peak level, not power). This is exactly
| because modulated interference (which is what this produces)
| is more harmful to communications systems.
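The on/off keying that PragmaticPulp and tyingq describe above (the 125 MHz symbol clock of 100BASE-TX is present, the 10 MHz signalling of 10BASE-T is not, so switching the link speed keys the emission) can be written down as a Morse timing schedule. The following is an added example written for this page; it is not the code of the GitHub project being discussed nor of any commenter, and the project may key the link by a different mechanism. It assumes a Linux host with `ethtool` in PATH, root privileges, and a PHY that honours a forced speed; `eth0` is a placeholder interface name and the dot length must exceed the PHY's link-up time after a forced speed change (typically hundreds of milliseconds to a few seconds), or dots are swallowed by renegotiation.

```python
"""Added example: Morse keying of an Ethernet link's 125 MHz emission by
forcing the negotiated speed between 100 Mbit/s (on) and 10 Mbit/s (off).
Illustrative code for this page, not the tool discussed in the thread.
Assumes Linux, ethtool, root, and a PHY that accepts a forced speed."""
import subprocess
import time
from typing import Callable, List, Optional, Sequence, Tuple

# International Morse code for letters and digits.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}

# Standard Morse timing, expressed in dot units.
DOT, DASH, SYMBOL_GAP, LETTER_GAP, WORD_GAP = 1, 3, 1, 3, 7

CARRIER_ON = 100   # 100BASE-TX: 125 MHz symbol clock on the pair
CARRIER_OFF = 10   # 10BASE-T: no 125 MHz component

Schedule = List[Tuple[int, float]]  # (speed in Mbit/s, hold time in seconds)


def morse_schedule(message: str, unit_s: float) -> Schedule:
    """Translate a message into (speed, seconds) steps.

    Gaps are emitted only between symbols, letters and words, so the
    schedule never holds two consecutive CARRIER_OFF steps."""
    schedule: Schedule = []
    for wi, word in enumerate(message.upper().split()):
        if wi:
            schedule.append((CARRIER_OFF, WORD_GAP * unit_s))
        for ci, ch in enumerate(word):
            if ch not in MORSE:
                raise ValueError(f"no Morse code for {ch!r}")
            if ci:
                schedule.append((CARRIER_OFF, LETTER_GAP * unit_s))
            for si, sym in enumerate(MORSE[ch]):
                if si:
                    schedule.append((CARRIER_OFF, SYMBOL_GAP * unit_s))
                schedule.append((CARRIER_ON, (DOT if sym == "." else DASH) * unit_s))
    return schedule


def total_seconds(schedule: Schedule) -> float:
    """Air time of a schedule."""
    return sum(hold for _, hold in schedule)


def ethtool_args(ifname: str, speed: int) -> List[str]:
    """ethtool invocation that forces a fixed speed. Autonegotiation is
    switched off so the link partner cannot pull the speed back."""
    return ["ethtool", "-s", ifname, "speed", str(speed),
            "duplex", "full", "autoneg", "off"]


def restore_args(ifname: str) -> List[str]:
    """ethtool invocation that hands the link back to autonegotiation."""
    return ["ethtool", "-s", ifname, "autoneg", "on"]


def key_message(ifname: str, message: str, unit_s: float,
                run: Optional[Callable[[Sequence[str]], object]] = None,
                sleep: Optional[Callable[[float], None]] = None) -> Schedule:
    """Play the schedule on an interface. `run` and `sleep` can be replaced
    by stubs for a dry run; the defaults execute ethtool and really wait."""
    run = run or (lambda argv: subprocess.run(argv, check=True))
    sleep = sleep or time.sleep
    schedule = morse_schedule(message, unit_s)
    for speed, hold in schedule:
        run(ethtool_args(ifname, speed))
        sleep(hold)
    run(restore_args(ifname))  # always leave the port autonegotiating
    return schedule


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    key_message("eth0", "SOS", 2.0, run=print, sleep=lambda s: None)
```

A 2 s dot makes "SOS" take 54 s of link time, which is what a practitioner should expect from this channel: the bit rate is bounded by PHY link-up latency, not by the code.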
| jcims wrote:
| I think the issue is introducing a signal (particularly Morse
| code) on a noise source that is typically steady state. I can
| pick it up pretty easily with just a bare UHF connector, no
| antenna.
|
| Low risk overall, but it's a good reminder.
| londons_explore wrote:
| EMI testing only tests a product during typical use.
|
| It's very possible to transmit illegal power levels with
| software mods, or even carefully crafted data packets in some
| cases.
| derefr wrote:
| > or even carefully crafted data packets
|
| Unless you've made custom PHY hardware for those data
| packets to be pushed onto the line through, your data
| packets are going to be line-coded to ensure that the
| signal is self-clocking, which basically precludes boosted
| harmonics.
| JosephRedfern wrote:
| Does EMI testing consider "atypical" uses like this one? I'd
| assumed that they only tested normal use cases. I'd consider
| (wrongly, perhaps?) changing the speed of a NIC several times per
| second to be an atypical use.
| Rebelgecko wrote:
| Does regular usage of Ethernet cables cause problems for
| aircraft?
| _joel wrote:
| Would the cable length affect the tuning, or is 125MHz specific to
| just the switching on the silicon?
| [deleted]
| zsellera wrote:
| I think what happens is the transformer inside the RJ45
| connector couples a little of the differential mode signal (that
| should not radiate significantly) to all wires in the cable
| harness (common mode), which will radiate. You can select the
| cable length so it resonates well, acting like a good antenna,
| but bad antennas radiate as well (worse efficiency). A few mV
| of noise is quite well detectable from 10m of distance.
| dkdk8283 wrote:
| There's a transformer inside the RJ45 connector?
| detaro wrote:
| In the device, often integrated into the socket.
| _joel wrote:
| Thanks for that explanation, makes sense.
| jcims wrote:
| zsellera covered the mechanism of transmission very well.
| The 125MHz frequency is specifically coming from the
| Ethernet standard, as it's essentially the operating
| frequency of each pair in typical hundred megabit and
| gigabit Ethernet. 10Mbps Ethernet operates at 10MHz.
|
| By flipping the port speed between 100 and 10Mbps they are
| essentially toggling the 125MHz oscillator. I don't think
| anything is intentionally generating the frequency of the
| tone you hear; it's just intermodulation products of the
| noise and the LO in the receiver.
| [deleted]
| zsellera wrote:
| As someone who recently participated in an EMC measurement, I really
| don't understand how anyone passes these tests without some kind
| of cheating (using double-shielded, very expensive industrial
| cables + hacking with functional earthing).
| R0b0t1 wrote:
| Paying special attention to power distribution tends to help,
| along with encasing the product in something conductive. It's
| also really beneficial to have some kind of test equipment in
| house to get a general idea; think of it like having a
| debugger.
|
| The first two options are somewhat expensive: the NRE for the
| power supply design isn't attractive to manager types, and
| conductive coatings for plastic or a metal enclosure are not
| the cheapest options. But if you're dead set on compliance it's
| better to frontload the design costs instead of iterating 3
| times before you get to market.
| avian wrote:
| I've spent months and sleepless nights trying to get a product
| through the EMC certification. It's certainly possible, but it's
| time consuming and expensive. With a shoestring engineering
| budget and a product that needs to be on the shelves in a
| month? Not really.
|
| I'm sure many devices on the market are not compliant. I follow
| lists of products removed from market for non-compliance and
| there are plenty each week. But the fact is that, if you're not
| in one of the categories that are under special scrutiny
| (aerospace, automobile, medical, etc.)
| or do something grossly
| incompetent (e.g. interfere with a mobile operator or someone
| else with a similar power to put you into the regulatory
| spotlight), you're unlikely to get into trouble for shipping a
| non-compliant device.
|
| Make someone's Wi-Fi a bit slower and a bit more packet-lossy?
| Chances are nobody will care. It's a sad state of affairs
| really, because pervasive radio interference is just making
| things worse for everyone.
| [deleted]
| semi-extrinsic wrote:
| Yeah, I remember in the early 2000s we had a wireless RCA
| audio/video transmitter, bought at a local electronics store,
| that played absolute havoc with the WiFi in our house as well
| as several neighbours'.
|
| Another classic example is early cellphones that you would
| pick up on stereo systems etc. -
| "dat-dara-dat-dara-dat-dara-dat-dara-daaaaaa" going out in full blast.
| jimmaswell wrote:
| In GTA 4 (set in the early 2000s or so) you hear that on
| your car stereo before your phone rings. I always loved
| that detail.
| avian wrote:
| The effect of GSM phones on analog audio equipment was
| actually an oversight in defining the standard. Fully
| compliant equipment had that effect.
|
| Some years back, when I had some small involvement in new EU
| regulations, that case was actually given as an example of
| how, even after many reviews, some forms of harmful
| interference can only become apparent after a technology is
| already widely deployed.
| jcrawfordor wrote:
| Because those A/V transmitters used the same 2.4GHz ISM
| band as WiFi at the time, there was actually no regulatory
| protection against this interference - from a regulatory
| perspective it's just a normal and expected part of using
| an ISM band where there is no protection. The increasing
| popularity of WiFi started to really surface the problems
| in this area; similar issues are seen in 900MHz far less
| often because it's mostly used with low-power,
| low-duty-cycle devices....
| the same as was intended for 2.4GHz
| before widespread consumer WiFi.
| hansjorg wrote:
| Very nice, could be used for exfiltration with some tuning.
|
| The most advanced example of this kind of inadvertent
| transmission I've seen is Fabrice Bellard's DVB-T transmitting
| with a standard VGA card:
|
| https://bellard.org/dvbt/
| skunkworker wrote:
| I was thinking the same thing: have it exfil a secret key out
| of a server room (theoretically).
|
| I also got reminded about the method to send data from one
| computer to another over low frequency sound:
| https://www.extremetech.com/computing/171949-new-type-of-aud...
| jcims wrote:
| Also through HDD noise:
|
| https://arstechnica.com/information-technology/2016/08/new-a...
| norrius wrote:
| I love how a (metaphorically) air-gapped system can be
| attacked (literally) through the air. Maybe the truly
| critical things should also be vacuum-gapped (and put into
| Faraday cages while we're at it)?..
|
| But the system still has _some_ connection to the outside
| world, right? That means we could run some heavy GPU load
| and measure the variation in its power consumption, which
| apparently has been tried before:
| https://www.helpnetsecurity.com/2018/04/13/data-exfiltration...
|
| Along these lines, the excess heat has to go somewhere, so
| maybe one could measure the variation in the work of the
| coolant system. I couldn't find any research about it right
| away (BitWhisper is similar, but a bit different), but I
| trust someone has already tried that.
| sidpatil wrote:
| https://en.m.wikipedia.org/wiki/Tempest_(codename)
| Darkphibre wrote:
| I wanted to spin up a hardening service back in the mid-90s,
| based around what we knew of Tempest. I even named it Echelon
| Consulting (as in "upper echelon," but with a nod to
| ECHELON). My spouse wouldn't let me; they felt it'd be too
| risky to get involved with that environment, and we were just
| starting our family.
|
| But... yeah.
| You could tune into VGA monitors up to a mile away
| using consumer hardware, and reception is perfectly legal
| (lots of case history to back this up)!
|
| I figured my pitch would be to walk in with a briefcase
| setup, flip a switch, and show them what the receptionist was
| working on. Then ask if they were worried that competitors
| could know what _they_ were working on (not a threat, just
| bringing awareness), or whether they would be interested in some
| expensive cables/hardware.
|
| Now that the kids are grown up and divorce pending, I've
| debated getting back into the netsec field. Lots of
| fascinating angles to be had in unexpected hardware
| boundaries... and my background in data science/machine
| learning/DSPs could prove fruitful in signals
| reconstruction...
| JosephRedfern wrote:
| Related Reading:
| https://hackaday.com/2018/04/23/spoofing-cell-networks-with-...
| vitplister wrote:
| Previously posted here:
| https://news.ycombinator.com/item?id=25012469
| flerchin wrote:
| In college we had an I2C to Ethernet adapter on our drone testbed
| that caused all sorts of RF interference for us. We eventually
| wrapped the whole fuselage in a Faraday cage so that the
| datalink and flight controls wouldn't be overwhelmed. It was
| responsible for transmitting data at a 1 Hz rate, and we could
| visualize the interference on a spectrometer over a broad range
| of RF at exactly 1 Hz.
|
| Anyway, we totally could have made a transmitter out of that
| thing.
| snypher wrote:
| I thought the I2C slowest clock was 100kb/s; how did this end up in
| a 1Hz rate?
| zw123456 wrote:
| Of course, on the RPi there is the good ole GPIO4 abuse:
| https://tutorials-raspberrypi.com/build-raspberry-pi-radio-t...
| Works a lot better and has been around a long time.
| xncl wrote:
| From reading the comments there it seems newer RPi (>3) don't
| work for this or mangle the GPIO port in some way to prevent
| this. I do have some 3s lying around, so I may try this soon.
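Several commenters (ChuckMcM, hansjorg, skunkworker) point out that this is a usable exfiltration side channel. The defender's counterpart is that a keyer built on link-speed changes leaves a loud trace on the host: the kernel logs every link transition, and a NIC that flips speed dozens of times a minute looks nothing like a NIC that came up once at boot. The following is an added detection example written for this page, not part of the thread's tool or of any commenter's code. The log lines are constructed in the style of a Linux driver's "Link is Up"/"Link is Down" messages with ISO 8601 timestamps; real drivers word these messages differently, so `LINK_RE` is an assumption to be adapted to the driver in use, and the window and threshold are starting points, not tuned values.

```python
"""Added example: flag interfaces whose link state changes abnormally often,
the host-side trace left by keying Morse through forced speed changes.
Illustrative detection logic for this page; sample log lines are constructed
and LINK_RE is an assumed format to be adapted to the driver in use."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumed message shape: "<iso-ts> <host> kernel: <iface>: Link is Up - <n>Mbps/<duplex> ..."
# or "... Link is Down". Adjust to the wording your driver actually logs.
LINK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) \S+ kernel: "
    r"(?P<iface>[A-Za-z0-9_.-]+): Link is (?:Up - (?P<speed>\d+)Mbps/\S+|Down)"
)

Event = Tuple[datetime, str, str]  # (timestamp, interface, new state)


def link_events(lines: Iterable[str]) -> List[Event]:
    """Extract (time, interface, state) from link-change lines. State is the
    speed in Mbit/s as a string, or 'down'; unrelated lines are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LINK_RE.match(line)
        if not m:
            continue
        state = m.group("speed") or "down"
        events.append((datetime.fromisoformat(m.group("ts")), m.group("iface"), state))
    return events


def max_changes_in_window(events: List[Event], window_s: int) -> Dict[str, int]:
    """Per interface, the largest number of link changes inside any span of
    window_s seconds (two-pointer sweep over the sorted timestamps)."""
    by_iface: Dict[str, List[datetime]] = defaultdict(list)
    for ts, iface, _ in sorted(events):
        by_iface[iface].append(ts)
    window = timedelta(seconds=window_s)
    worst: Dict[str, int] = {}
    for iface, stamps in by_iface.items():
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        worst[iface] = best
    return worst


def flapping_interfaces(lines: Iterable[str], window_s: int = 60,
                        threshold: int = 8) -> List[str]:
    """Interfaces with at least `threshold` link changes in any window."""
    counts = max_changes_in_window(link_events(lines), window_s)
    return sorted(iface for iface, n in counts.items() if n >= threshold)


def constructed_sample() -> List[str]:
    """Constructed log: eth0 went down an hour earlier, eth1 came up once
    (normal), then eth0 alternates 100/10 Mbit/s every 3 s (a keyer)."""
    t0 = datetime.fromisoformat("2020-11-08T13:06:00+00:00")
    fmt = "{ts} host kernel: {iface}: Link is {state}"
    lines = [
        fmt.format(ts=(t0 - timedelta(hours=1)).isoformat(), iface="eth0", state="Down"),
        fmt.format(ts=(t0 - timedelta(minutes=1)).isoformat(), iface="eth1",
                   state="Up - 1000Mbps/Full - flow control rx/tx"),
    ]
    for i in range(12):
        speed = 100 if i % 2 == 0 else 10
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=3 * i)).isoformat(),
                                iface="eth0",
                                state=f"Up - {speed}Mbps/Full - flow control rx/tx"))
    return lines


if __name__ == "__main__":
    print(max_changes_in_window(link_events(constructed_sample()), 60))
    print(flapping_interfaces(constructed_sample()))
```

The same count can be fed from `journalctl -k -o short-iso` on a live host, or from a SIEM query over forwarded kernel logs; the thing worth alerting on is the rate of transitions on a wired interface, which almost never exceeds a handful per day outside of cabling faults. A keyer that is quiet enough to dodge this threshold is also too slow to move much data.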
| zeckalpha wrote:
| The original Ethernet used similar hardware as ham radio.
| AlohaNet predates it of course, but Thicknet used local RF loops.
| jcims wrote:
| (Note: As coderjames points out, this could be dangerous
| tinkering. There is typically steady-state noise at 125MHz from
| Ethernet, so it's not that we're putting more energy into the
| spectrum with this, but adding signal in the form of Morse code
| could draw a lot of attention/distraction to pilots and ATC in
| the area.)
|
| FWIW, very brief example of 125MHz tone loss when going to 10MHz
| demonstrated here when my slow internet gets done uploading:
|
| (Unpleasant sound warning)
|
| https://youtu.be/JmyA5QEtAxA
| Dahoon wrote:
| If your Ethernet emissions can be picked up by pilots or air
| traffic control, you are doing something wrong on purpose.
| jcims wrote:
| Sure, but I could see this being used as a side-channel attack
| to exfil data from a customer in a red team assessment.
| Practitioners love little tools like this.
|
| Also I'm not talking about 30 miles away... but if a
| completely intact cable can be detected with a directional
| antenna from 100m, an intentionally buggered patch cable
| installed at a client site for this purpose could pose a
| bigger concern for pilots in the area. (edit: I might be more
| tuned in to this (har har) because I live in the flight path
| of a medical helicopter that flies over at ~500' almost
| daily.)
|
| Ham folks can seem a bit hair-triggered chicken littles with
| RF hygiene, but it's the product of decades of fighting noise
| from people that aren't aware of the externalities of their
| actions.
___________________________________________________________________
(page generated 2020-11-08 23:01 UTC)