by kloch 1477 days ago
Another place to look is DSD/mbelib, although to exploit you would have to transmit on a frequency they were monitoring and any replies/confirmation would have to come from another path (Internet). Since a common use case for that software is monitoring public safety frequencies an exploit might actually be practical for law enforcement agencies.

I'm not familiar with DSD/mbelib but based on what I saw with a quick web search this sounds like a really interesting attack vector. I do want to perform some more research in this area, so thanks for the idea.
Be sure to look at both the control channel and voice codecs. It's been a minute but IIRC there are a few open source implementations for both.

Finding a bug in RDS would be pretty funny - https://en.wikipedia.org/wiki/Radio_Data_System

There was an unintentional one earlier this year. Seattle's local NPR station bricked some Mazda infotainment sets by sending malformed data. https://arstechnica.com/cars/2022/02/radio-station-snafu-in-...
That wasn't RDS but HD radio's data stream.
I can't find it now, but in the olden days of the Internet I read an article about how an up-and-coming band had "hacked" RDS to switch radios to play their song when it was played out on the local station.

The local station had a UHF link from the studio to the TX site that was audio only, a very common setup in the mid-90s, and the RDS flag on the transmitter was switched "in band" by sending a burst of tones over the audio feed, right at the start of the traffic jingle. Slap the traffic announce jingle cart in, hit the button, tune starts with just three quick DTMF digits. Uh-huh, you're seeing where this is going, right?

So if you put those three DTMF digits at the start of your single... :-D
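The in-band trigger described in the story above, as an added example that is not from this thread: a small Goertzel DTMF decoder stands in for the transmitter-site logic, and because the control tones share the audio path with the programme, it cannot tell a jingle's tones from tones baked into a song. The trigger digits, burst timings and the 440 Hz "programme audio" are constructed placeholders; the real station's digits are not on the page.

```python
import math
FS, FRAME = 8000, 205   # 8 kHz constructed audio; 25.6 ms frame, the classic Goertzel length for DTMF
LOW, HIGH = [697, 770, 852, 941], [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]   # keypad: row = low tone, column = high tone
TRIGGER = "147"   # constructed placeholder; the station's real three digits are not on the page

def goertzel_power(frame, freq):
    """Power at one frequency via the Goertzel recurrence (the power formula holds for any freq)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_digit(frame):
    """The DTMF digit in one frame, or None unless a single low/high pair dominates."""
    energy = sum(x * x for x in frame)
    lo, hi = [goertzel_power(frame, f) for f in LOW], [goertzel_power(frame, f) for f in HIGH]
    row, col = lo.index(max(lo)), hi.index(max(hi))
    for band, best in ((lo, row), (hi, col)):   # each tone must beat the rest of its band 4x
        if band[best] < 4 * max(p for i, p in enumerate(band) if i != best):
            return None
    # A clean pair carries almost all frame energy; music, speech, silence or a half-frame burst does not.
    return KEYS[row][col] if energy >= 1e-6 and lo[row] + hi[col] >= 0.5 * energy * FRAME / 2 else None

def decode_dtmf(samples):
    """Edge-triggered decoder: each burst is reported once, whatever produced the audio."""
    digits, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        d = frame_digit(samples[i:i + FRAME])
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)

def ta_flag_raised(samples):
    return TRIGGER in decode_dtmf(samples)   # model of the TX-site decoder: any source of the digits flips the flag

def tone(digit, seconds):
    r = next(i for i, row in enumerate(KEYS) if digit in row)
    c = KEYS[r].index(digit)
    return [0.5 * math.sin(2 * math.pi * LOW[r] * n / FS) + 0.5 * math.sin(2 * math.pi * HIGH[c] * n / FS)
            for n in range(int(FS * seconds))]

def build_feed(digits, seconds=0.5):
    feed = []   # constructed feed: 60 ms DTMF bursts with 40 ms gaps, then 440 Hz standing in for programme audio
    for d in digits:
        feed += tone(d, 0.06) + [0.0] * int(FS * 0.04)
    return feed + [0.8 * math.sin(2 * math.pi * 440 * n / FS) for n in range(int(FS * seconds))]
```

The fix for this class of problem is keeping control signalling out of the programme audio (or authenticating it), not a stricter tone detector, since a song can always carry a valid burst.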

I know this isn’t a substantive reply to your content but that’s amazing! I love it.
I'm going to have to see what I can find about this incident. Sounds like the early days of phone phreaking. Awesome!
Mbelib is of questionable legality as it implements a codec patented by DVSI. Indeed you might trigger some vulnerability at a hobbyist but a professional would never use it.

And public safety channels here are all encrypted so there's nothing to listen to, perhaps in the US that's not the case.

There's a long history of open source software implementing patented algorithms, especially in the video and audio codec space. Those open source implementations are definitely used by professionals, so I would recommend not being so assured about the scope of use of software that may contain patented algorithms.

The vocal data on public safety channels being reported as encrypted does not necessarily say that there could be no vulnerability there. There's lots of control data that may or may not be encrypted, and encryption does not prevent all kinds of attacks here.

No, I was just talking about the codec, of course.

But nobody sells radio sets based on mbelib except the Chinese budget brands (e.g. Baofeng), which have circumvented DVSI's patent by setting up a local company that sells the patent because they say they own it (even though they have no right to do it, but DVSI can't sue them in China). But all the public safety ones I've seen are brands like Motorola and Hytera that buy the real DVSI codecs.

But I'm not saying there are no other vulnerabilities. I'm just saying that there will not be many people using mbelib to listen to public safety frequencies because there is nothing to listen to as it's encrypted.