I should point out that I only used this research project toolset within controlled environments with willing participants. In public areas, only passive surveillance of open information was gathered, although this led to a deviation project, measuring the people throughput within Gibraltar by listening to their phone network, WiFi and Bluetooth beacons.
Confessions of a wireless junkie
Could criminals turn a car into a surveillance vehicle capable of intercepting telephone calls, jamming communications and manipulating electronic systems run by critical infrastructure providers? How would they do it? What would it cost?
WarDriving, a lovely term from the cybersecurity industry, means hacking or penetration testing from a land-based vehicle of some form. For my project, the "HackerWagon", I just happened to have an old VW Transporter T5 Multivan kicking around at the back of the offices. So with an idea and a donor vehicle, it was time to seriously upset the beancounters with yet another vehicle-borne project and see what it would take to build a surveillance vehicle.
Sniffing the Air
To function, we needed to make the HackerWagon listen on as many frequencies as possible. With the evolution of excellent kit from Hak5 such as the WiFi Pineapple, and Scott's excellent HackRF One (I used these all the time on wireless penetration tests), I already had a solid base for the WiFi analysis.
Listening to the airwaves
I started with a pair of low profile Ultra Wideband antennas for signals collection listening between the 700MHz and 2700MHz bands of the radio spectrum. I added two more for capturing signals in the 125MHz to 630MHz range. I then puzzled a lot around Bluetooth and ended up building a dedicated 2.45GHz long-range transceiver of my own.
Processing all the things
All of this was married up to a pair of Raspberry Pi 4s. These are under the passenger seat of the HackerWagon. It was evident after several trial runs around my home town of Stoke that I did not have enough processing power. The mass of passively received signals data was huge. Replacing the Pi 4s with a pair of Intel NUC i5s with 16GB of RAM and a massive 1TB of storage meant that computing power was extreme (for being under the seat).
I also opted to use the USRP B210 SDR (software-defined radio) unit to tune into the various signals received as we drove around. Also connected to the mix was a pair of power amplifiers and low noise signal amplifiers to help with those weaker signals.
SDRs are handy for pentesters as they can be quickly tinkered with to pick up on signals from different frequencies. In recent engagements, we used a similar SDR to perform a playback attack on the luxury car of the CEO of our client so that we could lift a laptop out of the boot.
C0ndr Evolution - now with Wireless Wizardry
A lot of the software wizardry in the HackerWagon is my software and now forms part of the Hedgehog C0ndr attack suite. Key features include:
- Signal view - view a single signal as a graphical representation;
- Aggregated signals view - view all signals;
- Signal Jam - for the interruption of communications;
- Signals Analyzer - for the analysis of interesting but unknown signals;
- Signal Repeat - for the playback of received signals;
- IMSI Tap - for capturing IMSI data; and
- GNSS Zone - for capturing and modifying GNSS data.
Throughout 2020/2021, the software evolved a lot as I learned more and more about some of the more shady areas of the radio spectrum. Several times I saw rogue mobile phone towers appear and then vanish. I was aware of OpenBTS, which is open-source cell tower infrastructure software. I knew that it could be modified to perform a similar task, and it performed beautifully. The integration of OpenBTS into the HackerWagon took a couple of months due to workloads and time constraints, and there were a few times when I managed to break my phone connection.
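The towers that "appear and then vanish" are exactly the behaviour a defender wants to catch from the handset side. The following is an added example, not part of the C0ndr suite or anything the author published: a small heuristic detector that runs over a log of cell observations a stationary monitoring device (or a phone with a cell-info app) might record. All cell identifiers, timestamps, signal levels and cipher strings below are constructed sample values; the three heuristics (cell missing from a known-good baseline for the location, a strong but short-lived cell, and a cell that negotiates no encryption) are common IMSI-catcher indicators rather than anything the post defines.

```python
"""Heuristic rogue-cell (IMSI catcher) detector over a cell-scan log.

Added example. Assumes a log of observations taken while the receiver
stays in one place, so the set of legitimate cells should be stable.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    mcc: str  # mobile country code
    mnc: str  # mobile network code
    lac: int  # location area code
    cid: int  # cell id


@dataclass
class Observation:
    t: int           # seconds since the capture started
    cell: Cell
    rssi_dbm: int    # received signal strength
    encryption: str  # cipher the modem reported, e.g. "A5/3" or "A5/0" (none)


def detect_rogue_cells(observations, baseline, max_lifetime_s=600, strong_dbm=-60):
    """Return a list of (cell, [reasons]) for cells that look suspicious.

    Heuristics (defensive, handset-side):
      1. the cell is not in the baseline of cells normally seen here;
      2. the cell was strong (>= strong_dbm) yet was seen for less than
         max_lifetime_s between its first and last sighting;
      3. the cell negotiated no encryption at any point (A5/0).
    """
    first_seen, last_seen, best_rssi = {}, {}, {}
    ciphers = defaultdict(set)
    for o in observations:
        c = o.cell
        first_seen.setdefault(c, o.t)
        last_seen[c] = o.t
        best_rssi[c] = max(best_rssi.get(c, -200), o.rssi_dbm)
        ciphers[c].add(o.encryption)

    alerts = []
    for c in first_seen:
        reasons = []
        if c not in baseline:
            reasons.append("not in baseline")
        lifetime = last_seen[c] - first_seen[c]
        if lifetime < max_lifetime_s and best_rssi[c] >= strong_dbm:
            reasons.append(f"strong but short-lived ({lifetime}s, {best_rssi[c]} dBm)")
        if "A5/0" in ciphers[c]:
            reasons.append("no encryption (A5/0)")
        if reasons:
            alerts.append((c, reasons))
    return alerts


# Constructed baseline: the two cells normally visible from this spot.
BASELINE = {Cell("234", "15", 1001, 40001), Cell("234", "15", 1001, 40002)}

# Constructed capture: normal cells throughout, plus a strong, unencrypted
# cell with an unknown LAC that shows up for one minute and disappears.
SAMPLE = [
    Observation(0,   Cell("234", "15", 1001, 40001), -75, "A5/3"),
    Observation(60,  Cell("234", "15", 1001, 40002), -80, "A5/3"),
    Observation(120, Cell("234", "15", 9999, 1),     -50, "A5/0"),  # constructed rogue
    Observation(180, Cell("234", "15", 9999, 1),     -48, "A5/0"),
    Observation(900, Cell("234", "15", 1001, 40001), -74, "A5/3"),
    Observation(960, Cell("234", "15", 1001, 40002), -79, "A5/3"),
]

if __name__ == "__main__":
    for cell, reasons in detect_rogue_cells(SAMPLE, BASELINE):
        print(f"ALERT {cell}: {'; '.join(reasons)}")
```

In practice the baseline is learned over a few days of normal operation and the thresholds tuned to the site; a single indicator is weak evidence, which is why the function reports every reason it finds rather than a yes/no answer.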
Cost after year 1
The cost of building and developing the HackerWagon (the things I can remember as I write this) is as follows:
- VW Transporter MultiVan - around £12,000.00
- Engine adjustments (need to make more DC/AC current) - £4000.00
- Modifications (curtains, awning, fixtures and fittings) - £3000.00
- 2x Raspberry Pi 4s plus ancillaries - £700.00
- 2x Intel NUC plus ancillaries - £1275.00
- SDR Radio - £3400.00
Hours spent on the project: ~3000.
The HackerWagon project was an exceptional primer for the Small Maritime Vessel Cyber Security project. With the HackerWagon parked next to the Linea Cipher, I can safely play attacker/defender in a very controlled manner. I can already manipulate GPS and GNSS data streams, which has played absolute havoc with the equipment onboard Linea Cipher.
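From the vessel's side, the first line of defence against manipulated GNSS data is a plausibility check on the position fixes before they reach the chart plotter or autopilot. The block below is an added example, not code from the author's project or from any onboard equipment: it takes a list of (time, latitude, longitude) fixes, computes the implied speed between consecutive fixes with the haversine formula, and flags any fix that would require the vessel to exceed a stated maximum speed or that carries a non-increasing timestamp. The track is constructed (a slow northward crawl off Gibraltar with a sudden 5 km jump and a snap back), and the 15 m/s limit is an assumed figure for a small vessel.

```python
"""GNSS fix plausibility filter: flag fixes that imply impossible motion.

Added example. Input fixes are (t_seconds, lat_deg, lon_deg) tuples as a
receiver would report them after parsing NMEA sentences.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, max_speed_mps=15.0):
    """Return a list of (index, reason, implied_speed_mps) for suspect fixes.

    A fix is suspect when its timestamp does not increase, or when reaching
    it from the previous fix would need a speed above max_speed_mps.
    The first fix has no predecessor and is never flagged.
    """
    flagged = []
    for i in range(1, len(fixes)):
        t0, lat0, lon0 = fixes[i - 1]
        t1, lat1, lon1 = fixes[i]
        dt = t1 - t0
        if dt <= 0:
            flagged.append((i, "timestamp not increasing", None))
            continue
        speed = haversine_m(lat0, lon0, lat1, lon1) / dt
        if speed > max_speed_mps:
            flagged.append((i, f"implied speed {speed:.0f} m/s exceeds {max_speed_mps} m/s", speed))
    return flagged


# Constructed track: ~5.6 m/s northwards, then a jump of ~0.05 deg latitude
# (about 5.4 km) in 10 s, then a snap back to the real track.
SAMPLE_FIXES = [
    (0,  36.1400, -5.3500),
    (10, 36.1405, -5.3500),
    (20, 36.1410, -5.3500),
    (30, 36.1900, -5.3500),  # constructed spoofed fix
    (40, 36.1905, -5.3500),
    (50, 36.1420, -5.3500),  # receiver regains the genuine signal
]

if __name__ == "__main__":
    for idx, reason, _ in check_fixes(SAMPLE_FIXES):
        print(f"fix {idx} at t={SAMPLE_FIXES[idx][0]}s: {reason}")
```

A check like this only catches crude jumps; a slow "pull" that moves the fix a few metres per update stays under the speed limit, which is why real installations cross-check against independent sources (inertial sensors, log speed, radar ranges) rather than relying on the GNSS receiver alone.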
So what's next? Time will tell.