Slashdot Mirror


Tapping Data From Radio-Controlled Bus Stop Displays

jones_supa writes "A couple of weeks ago hacker Oona Räisänen wrote about finding a 16 kbps data stream on FM broadcast frequencies, and her suspicion was that it's being used by the public transit display system in Helsinki, Finland. Now it's time to find out the truth. She had the opportunity to observe a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and it's made by the Swedish company Axentia. Sure enough, their website talks about DARC and how it requires no return channel, making it possible to use battery-powered displays in remote areas. Other than that, there are no public specs for the proprietary protocol. So she implemented the five-layer DARC protocol stack in Perl and was left with a stream of fully error-corrected packets on top of Layer 5, separated into hundreds of subchannels. Some of these contained human-readable strings with names of terminal stations. They seemed like an easy starting point for reverse engineering..."


  1. wow, thanks Timothy by Anonymous Coward · · Score: 2, Funny

    An interesting article on Slashdot... that's amazing... it's like ARM chips running windows... well, ok... we thought that was going to be amazing... :P

    1. Re:wow, thanks Timothy by davester666 · · Score: 1

      Well, she is about to be arrested for releasing technology that can help terrorists with an attack.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re: wow, thanks Timothy by BESTouff · · Score: 1

      She's in Europe. Have no fear (for her).

  2. The roots of hacking by Anonymous Coward · · Score: 2, Interesting

    This, my friends, is true hacking. While this sort of stuff has become less common over the years, it is people such as this that provide real value to the community in terms of improving security for the masses. I wish that I had more time (and equipment...and hadn't forgotten so many of my skills) as there are a few projects like this that I'd like to dig into. For instance, I have a home security/automation system out at my farm. I am fully cognizant that the security provided by it is a joke, as any insider at the alarm company could turn off my alarm without my knowledge, but that's beside the point. What I'm really interested in is the link between the alarm company and my system. I log into their super secure website (tongue in cheek here) and issue a command either from my computer or phone. The alarm company sends that command to my system via the local GSM network (2G or 3G). There's no documentation on this portion of the system. Is it secure? Encrypted? Could it be readily spoofed? Even if it is encrypted, is there sufficient proof of authority on the system issuing commands? Anyway, love this stuff!

    1. Re:The roots of hacking by diamondmagic · · Score: 2

      You're blurring the definition of security and obscurity, which is already well defined. Obscurity refers to the logic of the system. Your system must be secure even if an attacker knows everything about how it works, because there is a separate part, the secret key, that is completely arbitrary and assumed to be kept secure. A key is only secret, arbitrary data; a cipher is only well-known logic; security through obscurity by definition means mixing your secret data with your public logic, a bad idea.

      The biggest purpose of cryptography is to take big secrets (plaintext) and make them small secrets (private or secret keys). How it goes about doing that shouldn't be obscure.

      A home invader shouldn't be able to break into my house even if they know everything about my lock and door; what matters is that they don't have the key (which has no mechanical components - it's not part of the system until I want to unlock the door).

    2. Re:The roots of hacking by AK+Marc · · Score: 1

      A home invader shouldn't be able to break into my house even if they know everything about my lock and door, what matters is that they don't have the key (which has no mechanical components - it's not part of the system until I want to unlock the door).

      But your key is nothing but obscurity. I had a car. It was 30 years old (a classic). The keys I had for it were wearing out, and became more temperamental. So I looked for a way to get original keys cut. I called the dealer, and they said "no, can't be done" (yes, they knew I was a legitimate owner of the car). So I ended up emailing a picture of the key to an Australian company, who cut a key to the factory spec, not a duplicate of the ancient, worn keys. Worked much better. Soon after, my glove-box latch broke. I took the pieces to the dealer and asked for a replacement lock-ring (as it wasn't staying on, and there's a part to hold it together). They couldn't get the part of the part, but could order a whole new assembly. I ordered it. When it came in, it came with 4 keys to it. The dealer had sent in my VIN to the factory. The factory had records of my key-pattern, and keyed the lock to match my doors, and included extra keys.

      So, someone wanting to break in could look at my VIN, order a replacement glove-box latch with that VIN, then pick up the part (and 4 keys to my car). That's security through obscurity because the knowledge of the key is the only thing keeping it safe. I could also call up the Australian place and read off a string of numbers 1-3-2-3-3-2-1 (or whatever they were) and they'd send me a working key. They have my key record on file there as well.

      So what's the security of the key, if a picture of your key can get it duplicated, or using your VIN can as well? Is obscurity involved in that process? Manufacturers keep the key patterns of most cars these days.

    3. Re:The roots of hacking by diamondmagic · · Score: 1

      If someone is using your VIN to make keys after, then the key isn't an arbitrary secret.

      If someone has a picture of your key, then they know your secret outright, even if it is arbitrary.

      What you describe is no better than me copying your passwords off a Post-It note you left on your monitor.

      A proper key is not "obscurity" -- it is secret! No, those are not the same things, a key has no logic to obscure. This discussion is no longer at the point where we can employ layman's definitions and continue to talk sense.

    4. Re:The roots of hacking by AK+Marc · · Score: 1

      The process of using a VIN to obtain your "Secret" is obscurity. Your secret isn't. It's stored openly at the manufacturer. It's available for $100 and a 1-week wait. How is that "secret"?

      Obscurity: the state of being unknown, inconspicuous, or unimportant. Your "secret" is a "secret" because it's unknown, inconspicuous, or unimportant. What was the complaint again?

  3. See, this is kinda what I meant by 50000BTU_barbecue · · Score: 3, Interesting

    when I said you don't need an oscilloscope anymore. Probably an SDR receiver that goes to a PC. What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

    You're better off just finding what's already done and buy it. I myself have looked at the FM band on my old analog spectrum analyzer to look for SCA signals. http://en.wikipedia.org/wiki/Subsidiary_Communications_Authority

    It's all wonderful fun, but when you can do the same with a $15 USB receiver and some software, it all starts to look rather silly, no?

    --
    Mostly random stuff.
    1. Re:See, this is kinda what I meant by Desler · · Score: 5, Insightful

      when I said you don't need an oscilloscope anymore. Probably an SDR receiver that goes to a PC.

      At what stage in this project would an oscilloscope have been needed anyway? Yes, she used an SDR for scanning radio frequencies.

      What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

      What is all on one chip? How is this rambling statement even applicable to this article?

      It's all wonderful fun, but when you can do the same with a $15 USB receiver and some software, it all starts to look rather silly, no?

      You can decode these IBus messages with a $15 USB receiver? Link please?

    2. Re:See, this is kinda what I meant by PPH · · Score: 1

      How exactly is one supposed to gain knowledge if one never actually explores things?

      Ask on Slashdot.

      --
      Have gnu, will travel.
    3. Re:See, this is kinda what I meant by Anonymous Coward · · Score: 1

      You can decode these IBus messages with a $15 USB receiver? Link please?

      OsmoSDR

    4. Re:See, this is kinda what I meant by HarrySquatter · · Score: 1

      On what planet does 180 Euro translate into 15 USD?

    5. Re:See, this is kinda what I meant by ArchieBunker · · Score: 2

      It's the RTL-SDR project. A Linux developer discovered that a digital TV receiver chip made by Realtek (used in $15 dongles) had the ability to receive the raw sampled RF data. The bandwidth is nearly 3 MHz, so that means you can view a HUGE chunk of the RF spectrum at once and decode the signals via software. AM/FM/USB/LSB, you name it. Dongles based on the R820T tuner receive from 22 MHz to 1600 MHz! Pipe the output into some digital speech decoder programs and you have a police scanner that would normally cost hundreds of dollars.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:See, this is kinda what I meant by Anonymous Coward · · Score: 1

      On what planet does 180 Euro translate into 15 USD?

      I'm the poster of that OsmoSDR link, not anyone you have been discussing with above or earlier. I genuinely have no idea what you are smoking, and how you ended up referring to that sysmocom.de site and $180 device.

      The blog refers to RTL-SDR, which is probably the cheapest SDR you can get, even though since it was discovered that some DVB-T USB sticks can be used as SDRs, compatible ones can be hard to find these days, as models have changed and what's still left has usually been priced higher, obviously because sellers now know why it's been sought after. Anyway, I bought mine (Hama Nano) just days after hearing about that discovery and paid around $20, but some, according to reddit, got it for around $15. And yes, of course you can pour more money into anything, but that's not to say you couldn't have gotten a cheap SDR.

    7. Re:See, this is kinda what I meant by dlgeek · · Score: 1

      www.amazon.com/gp/product/B00C37AZXK is $11 with free 2-day shipping for prime members (US). It's a cheap DVB TV dongle using a chipset that has a "debug mode" where it spits out the raw RF data, and a wide-ranging tuning chip that makes it usable as a general purpose SDR receiver (known as an RTL-SDR). Windy's mentioned using one on her blog in many of her other posts.

      I just got one this week, and it's been awesome to play with. Check out rtlsdr.org for more information about how to set it up, and rtl-sdr.com for a blog of cool projects you can do with it.

    8. Re:See, this is kinda what I meant by NoMaster · · Score: 1

      [See, this is kinda what I meant] when I said you don't need an oscilloscope anymore.

      And, if you only consider the tiny sub-set of 'electronics' that is 'dicking around writing software for pre-built toys', you were right.

      Fortunately, real electronics engineers and technicians are designing and building those toys for you. And, even more fortunately, they know when oscilloscopes are still useful.

      --
      What part of "a well regulated militia" do you not understand?
    9. Re:See, this is kinda what I meant by 50000BTU_barbecue · · Score: 1

      1) That's exactly my point. Who needs an oscilloscope for that?

      2) Did you miss the part where I said "I myself have looked at the FM band on my old analog spectrum analyzer". I bolded the important part for you.

      --
      Mostly random stuff.
    10. Re:See, this is kinda what I meant by 50000BTU_barbecue · · Score: 1

      Go to eBay and do some shopping. The point is you play with electronics these days by reverse-engineering existing products and using software to re-purpose things. Which is my point. You don't need an oscilloscope to be working in electronics on a hobby level anymore.

      What is all on one chip? Um, the SDR receiver is certainly NOT a sprawling set of discrete LC filters and transistors, is it?

      Just another example of why an oscilloscope is not the "must have" instrument it once was.

      Is that rambling and incoherent? What do I need to clarify?

      --
      Mostly random stuff.
    11. Re:See, this is kinda what I meant by 50000BTU_barbecue · · Score: 1

      I don't think you understood what I was saying. I was saying that having a spectrum analyzer, which has always been an expensive and complex instrument, is silly when all you wanted to do can be done with a $15 dongle.

      I have to ask: am I that unclear? I have the feeling I am.

      --
      Mostly random stuff.
    12. Re:See, this is kinda what I meant by Agripa · · Score: 1

      Oscilloscopes make very handy back end modulation analyzers when combined with a demodulator and would also be used in designing the demodulator itself. The common RF applications I see them used for are broadband envelope measurement and broadband RMS measurement where they can often be used to calibrate other instruments.

      If you are buying turnkey solutions, then obviously an oscilloscope is of less use since even if you used it to diagnose a problem, you will be reliant on the vendor to fix it. Not every solution is best solved by outsourcing.

  4. Encryption by sunderland56 · · Score: 5, Funny

    Pity she couldn't break the text encryption - then she could have displayed the station names in English, instead of nonsense strings.

    1. Re:Encryption by Desler · · Score: 4, Funny

      Anyone who is not an aspie would have recognized that the GP's post is this new thing called a "joke". Maybe your side of the world hasn't yet been informed of their invention?

    2. Re:Encryption by rubycodez · · Score: 1

      "Finnish"?? hah, what a silly name. is that what your imaginary fish friends spoke in your childhood?

    3. Re:Encryption by PPH · · Score: 1

      It takes a long time to learn as well. Which is why everyone is Russian.

      --
      Have gnu, will travel.
    4. Re:Encryption by AK+Marc · · Score: 1

      Finnish? He never even started.

    5. Re:Encryption by MotorMachineMercenar · · Score: 1

      As a Finn, I'm offended at your jingoism. How could anyone not understand this: http://www.youtube.com/watch?v=4om1rQKPijI

      --
      "We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
    6. Re:Encryption by rubycodez · · Score: 1

      not everyone is Russian, some are real Slovene

  5. Re:While reading ... by gl4ss · · Score: 1

    Should she be a Bond villain or one of Bond's squeezes?

    why not both? that maximizes the screen time(watch the movies and you'll agree).

    --
    world was created 5 seconds before this post as it is.
  6. A live map also available by jones_supa · · Score: 1

    As a sidenote, HSL has also set up a live map of the Helsinki trams buzzing around.

  7. Developer community and open data by tuukkah · · Score: 4, Informative

    Cool reverse engineering indeed! For those who want it easier, the Helsinki Region Transport Authority HSL offers the arrival time predictions through a service called "Omat lähdöt", which has an open API too. However, the textual messages are not available, so that's new. As the post mentions, the predictions are based on the GPS locations sent by the buses, which are not available to third parties (unlike the locations of the metro, trams and trains). For more information about the HSL Developer Community and open data at HSL, see dev.hsl.fi.

  8. Re:While reading ... by PPH · · Score: 2

    Now, Oona is cute, a hacker and is into Kung Fu.

    [Sigh] And all US culture can produce is the Kardashians.

    --
    Have gnu, will travel.
  9. Any existing apps that give the same info? by grimJester · · Score: 1

    I'd like an app that shows the arrival predictions for the stop(s) nearest my current location.

  10. Re:That bus time system does not work. by Deadstick · · Score: 1

    Likewise the Denver light rail system...just a timetable expressed in a crude multiple-bulb display.

  11. Receive only, do not transmit. by VortexCortex · · Score: 3, Interesting

    That which can be received unsecured, can be broadcast as such. Only a matter of time now before the displays feature zombie attack warnings.

    1. Re:Receive only, do not transmit. by foobar+bazbot · · Score: 1

      Not necessarily. Instead of script kiddie packages this requires actual electronics knowledge. No one apart from Oona bothers these days.

      No, not necessarily, but given that it's in the FM broadcast band, it sounds quite likely that it can be spoofed with an unmodified FM transmitter and a script generating an appropriate audio signal.

      Of course in the grand /. tradition, I haven't RTFA yet, and they could be using a modulation scheme that can't be emulated with FM (IMO unlikely, as it's probably some flavor of FSK or PSK), or too wide a modulation range, and even if it's all doable off-the-shelf, range will be quite limited without at least a little hardware competence to boost the transmit power.

    2. Re:Receive only, do not transmit. by foobar+bazbot · · Score: 1

      Ignore above, I just RTFAed.

      Turns out it's not a separate FM signal as I assumed, but an extra subcarrier (beyond the stereo and RDS signals) in an existing FM signal. This does indeed require electronics skills to generate, though it wouldn't be very hard to add in to a kit transmitter like the mpx-96 we built in my advanced electronics lab.

  12. What is this magick you speak of? by Applehu+Akbar · · Score: 1

    This couldn't happen in America because we don't have your fancy-dancy electronic bus annunciators. We believe that standing on a street corner in the rain builds character. Apparently, it also opens up new venues for hacking.

  13. FYI $10,- RTL-SDR available, link below by Anonymous Coward · · Score: 1

    Right, this RTL-SDR is sold at $10.

    http://www.hamradioscience.com/10-ads-b-receiver-rtl2832u-r820t/

    ps. I'm the guy who linked that OsmoSDR.

  14. An article about the subject by Cee · · Score: 1

    There's an excellent article about how the signs work in Stockholm with some technical details.

  15. Now if only it could TRANSMIT. B-) by Ungrounded+Lightning · · Score: 1

    It's the RTL-SDR project. A Linux developer discovered that a digital TV receiver chip made by Realtek (used in $15 dongles) had the ability to receive the raw sampled RF data. The bandwidth is nearly 3 MHz, so that means you can view a HUGE chunk of the RF spectrum at once and decode the signals via software.

    Now if only it could transmit.

    Or if it could also convert digital signals into I/Q and we could feed that into the Rx mixer of the block downconverter, run backward. Then two $11 - $15 dongles, one of them hacked slightly and with a small power amplifier added, would be a two-way software defined radio for very cheap.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  16. (Supposedly) Broken for only some buses by Ungrounded+Lightning · · Score: 1

    One of the cited articles talks about the system having two cases:
      - The buses with the tracking hardware are displayed based on the tracking.
      - The buses without the tracking hardware are displayed based on the schedule.

    Now maybe the line you're on has buses without tracking. (Or maybe the tracking system doesn't work and it's all a crock.) But the anecdote that your particular line is just showing an automated schedule doesn't show that all others are doing the same.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  17. Re:Now if only it could TRANSMIT. B-) by Muad'Dave · · Score: 1

    The dongle receivers are typically I/Q receivers.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  18. Re:Now if only it could TRANSMIT. B-) by Ungrounded+Lightning · · Score: 1

    The dongle receivers are typically I/Q receivers.

    Yes, I understand that. I guess I phrased it ambiguously.

    What I meant is "convert data from the USB to I/Q OUTPUT", i.e. do the TRANSMIT side of a transceiver, too, not convert the receive side to I/Q from something else.

    Then we need a local oscillator and mixer to boost it back UP to the desired frequency band (which might be done with the companion block downconverter chip if the appropriate signals are accessible or if it is actually also a transceiver chip). Add a "power" amplifier (for suitably small values of "power"), a diplexer (if you really need to use a single antenna for both directions) and you're done.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  19. Re:Now if only it could TRANSMIT. B-) by Muad'Dave · · Score: 1

    Gotcha. Regulatory issues aside, there are chips that do I/Q upconverting. I've always wanted to get one and play with it. They're actually becoming commodity hardware, potentially illegal as they may be.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.