Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human


Black Hat 2007 : Day 2 : Andrea Barisani & Daniele Bianco

Many modern cars have built in navigation / traffic systems. In North America data is transmitted over FM radio using the Radio Data System (RDS). The system can display station names, time, program type, and news override. The signal piggybacks on standard FM radio signals. RDS Traffic Message Channel (RDS-TMC) transmits traffic data over RDS and was introduced in Germany in 1997. Although it is a 10 year old protocol, it is just now being implemented in modern satellite navigation systems. TMC can also be transmitted over digital radio like DAB and Satellite radio.

Daniele Bianco

RDS is a very simple protocol with each packet consisting of 104 bits. The security issue with RDS is that it has no data authentication built in, which makes is easy to sniff and send fake messages using off the shelf components. The components to make a sniffer cost under $20 and can be easily made with very little technical skill according to the speakers. The specs and code for the PIC can be downloaded from the Inverse Path development website if you want to make your own RDS sniffer / injector.

Andrea Barisani

The injection code is still quite crude, as you have to edit the source and recompile every time you want to change what you are injecting. What's important is that it works, although it does happen to look somewhat like a bomb. When they brought their setup through TSA checkpoint, the TSA officer upon inspecting it, flipped a switch and said "boom". Barsiani said "apparently TSA officers are allowed to make jokes about bombs, which would get anyone else arrested."

RDS-TMC Injector / Sniffer

One of the features of RDS-TMS is the news override which forces your tuner to change stations to a different frequency. Barisani said they tested their system during a Saturday soccer match, which potentially enraged numerous Italians when their match was overridden by their radios tuning to a station with a carrier tone.

Some of the fun things you can do by injecting RDS-TMC messages is show fake road closures, traffic slow downs, dangerous weather, road work. You can also close roads and tunnels. The wacky stuff you can do is to display codes like: Terrorist Incident, Air raid danger, Air Crash, Bomb Alert, and a more generic Security Alert. The best one they showed though was "Bull Fight".

According to Barisani, his father was never impressed with his software and kernel hacking research, but when he showed him the RDS-TMC hacking his father said, "Wow, you have a cool job."

You can download Andrea Barisani and Daniele Bianco's CanSecWest 2007 presentation here [13mb PDF] and all the supporting files and schematics to make your own sniffer / injector here. Their website is Inversepath.com. [A complete list of the codes you can send can be found after the jump.]

Andrea Barisani Andrea Barisani Andrea Barisani