This spoofing is relatively easy because the actual GPS signal is weak. There are very cheap short distancr GPS jammers. The cheapest equipment required to perform GPS spoofing attacks costs a couple of hundred USD (for example HackRF One and computer), while the software to simulate realistic GPS satellite radio signals is generally widely available. Please note that disturbing GPS signals is illegal in very many countries.

Reas more:
Finnish govt agency warns of unusual aircraft GPS interference
https://www.bleepingcomputer.com/news/technology/finnish-govt-agency-warns-of-unusual-aircraft-gps-interference/

https://www.facebook.com/groups/majordomo/permalink/10162357184499522/

Now an Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup. Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

The research paper says:
“The computers are equipped with 10/100/1000 Mbps Gigabit Ethernet
card. We tested three types of widely used Cat 5e and Cat
6A Ethernet cables listed in Table V. We also tested a laptop
computer and an embedded device (Raspberry Pi) to evaluate
the attack on these types of devices.”

“For the reception we used two types of
software-defined radio (SDR) receivers, as specified in Table
III. The R820T2 RTL-SDR is capable of sampling up to 16bit
at narrow band and has RF coverage from 30 MHz to 1.8 GHz
or more. The HackRF device has 1 MHz to 6 GHz operating
frequency and 8-bit quadrature samples (8-bit I and 8-bit Q)”

LANTENNA ATTACK: Leaking Data from Air-Gapped Networks via Ethernet Cables

Ethernet cables emit electromagnetic waves in the frequency bands of 125 MHz and its harmonics (e.g., 250 MHz and 375 MHz). “Ethernet cable emits electromagnetic waves in the frequency bands of 125 MHz. Changing the adapter speed or turning it on and off makes it possible to regulate the electromagnetic radiation and its amplitude,” says Guri. This can potentially opening the door to fully developed cable-sniffing attacks because “From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri. LAN cables sniffing can reveal details from network traffic. In one test data could be transmitted from an air-gapped computer through its Ethernet cable and received 200 cm apart.

In experiment UDP packets with single letters were sent over the target cable to a very low speed and, via a simple algorithm, be turned back from received RF signal back into human-readable characters. Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. So RF noise from un-shielded LAN cables can be used to lead information air-gapped networks. The experts explained that often air-gapped networks are wired with Ethernet cables since wireless connections are strictly prohibited to avoid data leaks. But clearly even wired networks can leak information when you can get near to them with an SDR radio hardware.

The researchers proposed several defensive measures that can be adopted against the LANTENNA attack such as:

• implementing zone separation banning radio receiver from the area of air-gapped networks;
• monitoring the network interface card link activity at the user and kernel levels. Any change of the link state should trigger an alert;
• using RF monitoring hardware equipment to identify anomalies in the LANETNNA frequency bands;
• blocking the covert channel by jamming the LANTENNA frequency bands;
• Cable Shielding;

Paper:

LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables

Sources:

https://nakedsecurity.sophos.com/2021/10/15/lantenna-hack-spies-on-your-data-from-across-the-room-sort-of/

https://www.theregister.com/2021/10/14/lantenna_ethernet_cable_rf_emissions/

https://securityaffairs.co/wordpress/123008/hacking/lantenna-attack-exfiltration-technique.html

https://www.bankinfosecurity.com/lantenna-attacks-exploit-air-gapped-networks-via-ethernet-cables-a-17688

https://arxiv.org/pdf/2110.00104.pdf

In this first article the writer uses audio analyzing tools to to debunk spurious claims made by audiophiles, HiFi journalists, and the high-end audio industry about the quality of their products. This article covers using audio analyzers and also using SDR software to analyze audio signals.

Gold Cables Really Do Work The Best
https://hackaday.com/2020/04/01/gold-cables-really-do-work-the-best/

In this second article the writer takes baby carrot and simply tried to use them for audio connections. The writer proved the original story to be true that you can use a carrot in an audio interconnect. But how would we describe its sound?

Organic Audio: Putting Carrots As Audio Couplers To The Test
https://hackaday.com/2020/01/06/organic-audio-putting-carrots-as-audio-couplers-to-the-test/

Universal Radio Hacker – Replay Attack With HackRF

Download here: https://github.com/jopohl/urh

Radio Hacking: Cars, Hardware, and more! – Samy Kamkar – AppSec California 2016

Hacking Car Key Fobs with SDR

Getting Started With The HackRF, Hak5 1707

Hacking Ford Key Fobs Pt. 1 – SDR Attacks with @TB69RR – Hak5 2523

Hacking Ford Key Fobs Pt. 2 – SDR Attacks with @TB69RR – Hak5 2524

Hacking Ford Key Fobs Pt. 3 – SDR Attacks with @TB69RR – Hak5 2525

Hacking Restaurant Pagers with HackRF

Software Defined Spectrum Analyser – Hack RF

Locating Cellular Signal with HackRF Spectrum Analyzer SDR Software

GSM Sniffing: Voice Decryption 101 – Software Defined Radio Series #11

How To Listen To Trunked Police Radio And Why Im Done

Transmitting NTSC/ATSC Video With the HackRF One and Gnuradio

Check also Using a HackRF SDR to Sniff RF Emissions from a Cryptocurrency Hardware Wallet and Obtain the PIN article.

There is an interesting looking project called “RedHawk” which is described as:

“A software-defined radio (SDR) framework designed to support the development, deployment, and management of real-time software radio applications.”

github link: https://github.com/redhawksdr

Here’s the documentation:

https://redhawksdr.github.io/Documentation/index.html

This reminds me of Analog and Digital TV (DVB-T) Signal Generation using VGA card idea I mentioned at Interesting VGA hacks posting.

Here is the device:

Here is circuit diagram from the product page:

Here is test setup for testing a 450 MHz antenna with RF noise generator and RTL-SDR:

Here are two pictures: First is output terminated to 50 ohms and second with 450 MHz antenna connected to RF bridge output

Those measurements show that this RF bridge can be used successfully for antenna measurements. It gives quite similar performance than my previous measurements with directional coupler. The advantage of this bridge is that this can be used to measure matching other impedance than just 50 ohms – just use a suitable reference against which you want to compare matching (it can be 75 ohms resistor or something mote complicated). Based on this tests the RF BRIDGE 0.1 – 3000 MHz from http://www.transverters-store.com/rf_bridge/rf_bridge.html seems to deliver what it promises.

Here are some measurements on RF bridge with Rigol spectrum analyzer tracking generator up to 1.5 GHz. Those small grey adapters on the SMA connectors you see on the pictures are 10dB and 20dB 50 ohms attenuators that I use as close to 50 ohm terminator in this quick measurement…

When I saw a cheap (20 EUR) 100KHz-1.7GHz Full-Band Software Radio HF FM AM RTL-SDR Receiver Radio Frequency Modulation Kit I decided I must test this. The kit promises:

Using RTL2832U + R820T program , taking advantage of the Q channel RTL2832U on adding support for the frequency of 100KHz-24MHz , to achieve the reception of 100KHz-1.7GHz .
You can use the SDR software receives support 100KHz-1.7GHz waves AM, FM (NFM, WFM), CW, DSB, LSB, USB demodulation.

Before buying, I did my normal research on Internet, and found the following videos that show this could be a promising approach:

ASSEMBLING THE CHINESE RTL-SDR DIRECT SAMPLING KIT (BA5SBA)

RTL SDR do it yourself build & how to solder

TESTING THE CHINESE RTL SDR DIRECT SAMPLING KIT BA5SBA

After viewing those promising videos, I got the kit. Most parts of the kit were quite easy to solder, and I got this built:

The building included soldering the components, making some coils, making balun transformer and modifying RTL-SDR stick (take it out of case, put to circuit board and add some improvements to it). Here is the circuit diagram from the kit manual:

Disassembling the supplied DVB-T stick to circuit board needed some work where you need to be careful not to damage the circuit board when de-soldering the connectors. It is easy to damage the circuit board in this process if you are not very careful. I damaged one soldering pad of the USB connector, bit I could fortunately fix the damage with tiny jumper wire.

Hardest was soldering of the output from balun transformer to Q channel input pins in the RTL2832U chip. It was very hard to do, even though I have done quite a bit of soldering. I was much harder to do than what it looked in the soldering videos. The pins are very near each other and hard to reach tight spot. It took quite many attempts to do the soldering – I first tried with magnifying glass and a very tiny soldering iron, but I needed several attempts even with good professional soldering station under microscope to do this.

Soldering those tiny wires was so hard to solder it that it I can’t recommend to try to build this kit unless you have good tools and are up to very tricky challenge.

Ready kit in the supplied nice metal case

I finally got the kit ready. It seemed to work somehow when I did some initial testing with SDRSharp software and signal generator. Next I need to get some suitable antenna to receive those quite weak low frequency signals – I live in Finland, where AM radio broadcasting is no used much so there is no nearby strong AM station to receive.

As the popularity of IoT devices grow, it’s only natural that security holes in some of the systems will become apparent. IoT Devices May Be Susceptible to Replay Attacks with a Raspberry Pi and RTL-SDR Dongle andAttack Some Wireless Devices With A Raspberry Pi And An RTL-SDR articles tell that an easy way to make a wireless replay attack attack against RF controlled devices is demonstrated on rtl-sdr.com, As RTL-SDR shows us that  all you need to record and replay the 433MHz modulation signal is a Raspberry Pi, one of the RTL-SDR dongles (for software-defined radio), and a wire for an antenna (you don’t need to build special hardware like 433.92MHz OOK frame cloner).

The folks at RTL-SDR.com put up a guide to recording these open data bursts on a Raspberry Pi and playing them back by transmitting them from the Pi itself.Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX tutorial shows how to perform replay attacks on simple OOK modulated 433 MHz ISM band devices using an RTL-SDR dongle and RPiTX. The RTL-SDR will be used to record an AM audio file of the signal, and then RPiTX software will do it’s magic to transform that recording into a file that can be transmitted back on the same frequency via one of the Raspberry Pi’s GPIO pins. The article has ha nice Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX video that shows how it works:

The video shows how to perform a simple record and replay attack on 433 MHz ISM band devices using nothing more than an RTL-SDR and Raspberry Pi. The Raspberry Pi runs RPiTX which allows it to transmit from a GPIO port with just a wire attached. No extra transmitter hardware is required.

For RF signal experimenters those tools allow much more than just replaying remote control signals. RPiTX Turns Rasberry Pi into Versatile Radio Transmitter few years back article tells that using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter and anyone should be able to get a lot of use out of it. Transmitting FM, AM, SSB, SSTV and FSQ with just a Raspberry Pi tells that PiTx is a software which permit to transmit HF directly through a pin of Raspberry Pi GPIO. Unlike PiFM which transmit only in FM, PiTx is able to perform multi modulation (FM,AM,SSB,SSTV,FSQ) : it has an I/Q input to be agnostic.Pitx is now a real TRANSMIT SDR at very low cost. Be aware that it generate lot of harmonics (you need to add filtering to pass radio regulations – there is a Pi shield for that). Here is PiTxSDR video:

Building a Ham Transceiver with an RTL-SDR, Raspberry Pi and Rpitx about a Qtcsdr sotware that runs on the Raspberry Pi and interfaces with an RTL-SDR dongle and RpiTx to create a simple transceiver radio. As always with this type of thing only transmit if you are licensed and take care with the transmitted distance and filter the antenna output when transmitting. GitHub page the author mentions that a Raspberry Pi shield called the QRPi filter + amplifier is currently in development (white paper). To get idea of it, take a look at Testing qtcsdr: receiving the transmission with an RTL-SDR via attenuator video:

In the end I must say that I am amazed what can be done with such cheap radio hardware (RTL-SDR and Raspberry Pi). rpitx is a radio transmitter for Raspberry Pi (B, B+, PI2, PI3 and PI zero) that transmits RF directly to GPIO. It can handle frequencies from 5 KHz up to 500 MHz. Plug a wire (acts as antenna) on GPIO 18, means Pin 12 of the GPIO header (header P1). The software can accept an I/Q signal as an input, so now a Pi can be used as a general purpose SDR transmitter. Check out Application note on using GNU Radio and csdr with rpitx and Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses video:

I am amazed that it can go to this high frequencies and all this can be made with Raspberry Pi with some software magic.

Because I did not have a nice 50 ohms directional coupler at the moment and getting one would need some investment (time and money to get one), thought if I had something suitable already.

I found some TV antenna network taps and remember that they are actually directional couplers. The downside with them is that they would be made for 75 ohms impedance and work best only at TV antenna network frequencies (around 40 MHz to 900 MHz or slightly more). But I though that they might be somehow used as directional couplers for 50 ohms antenna measurements if I an lucky. Let’s try to test them. I fortunately had access to some RF measurement instruments to see how those antenna taps work as directional couplers. And I also had antenna to measure (antenna tuned for 450 MHz).

First directional coupler I had: FA 1-8

Taps 5-1000 MHz

http://www.polytron.de/index.php/en/splitters-taps-5-1000mhz/230-taps-5-1000-mhz

FA 1-8

Abzweigdämpfung / Tap loss (IN-TAP) 8,5 dB

Durchgangsdämpfung / Through loss (IN-OUT) 2 dB

Entkopplung / Isolation (OUT-TAP) 23 dB

Rückflussdämpfung / Return loss (IN/OUT/TAP) 18 dB

Measurements of this directional coupler on 50 ohms system (50 ohms source, 50 ohms load):

Results with 5o ohms terminator,  FA 1-8 and Spektrum RTL-SDR Spectrum Analyzer Software:

Measurement setup with antenna:

Results with 450 MHz antenna connected:

Second directional coupler: FA 2-12

FA 2-12 D

https://www.satpoint.at/produkt-kategorien/verteilertechnik/fa-2-12-d-

Abzweiger/Taps 5-1000 MHz

Technische FA 2-12 D Daten:

• Frequenzbereich: 5-1000 MHz
• 12dB Abzweigedämmpfung
• Schirmungsklasse A
• CE-Prüfzeichen
• Anschlüsse: F-Connectoren
• Massives Gehäuse aus Zink-Spritzguss
• Ein- und Ausgänge brummentstört

 1 Signal Eingang
1 Signal Ausgang
2 Signal Abzweigung 12dB

Measurements of this directional coupler on 50 ohms system (50 ohms source, 50 ohms load):

Results with 450 MHz antenna:

End results

The end result was that those antenna taps worked quite acceptably as directional coupler for antenna measurement. They are not ideal, but they are useful tools. In my measurements it seems that the first 8 dB tap was slightly better for this application.