Saturday, February 20, 2016

How we broke into your house

For my wireless security class (CIT 460) some friends and I did a final project on hacking alarm systems. This was in Spring 2014. I did this because I had an RTL-SDR dongle and I wanted to do something cool with it. Also, a lot of cool stuff was already coming out from RTL-SDR research (I went to /r/rtlsdr a lot), not to mention stuff like rfcat by atlas of doom. Another reason was that people in this class always did 802.x-related (Wi-Fi, Bluetooth, etc.) research and that was no longer interesting to me.

We titled the presentation "How we broke into your house."

Here is the threat identification:

  • Threat agent: burglars
  • Threat model: breaking and entering
  • Attack tree
    • Breaking in
      • Jamming
        • Requires attacker to find the alarm frequency
      • Disarming
        • Replay attack
          • Requires attacker to find the alarm frequency
          • Requires attacker to record the "disarm" signal
Some terms:
  • TX = transmitter / transmit
  • RX = receiver / receive
  • Transceiver = can transmit and receive
  • AM = Amplitude modulation
  • FM = Frequency modulation
  • SDR = software defined radio
ISM band and importance of sub-GHz frequencies:
Many devices use the sub-GHz ISM band.
Devices such as alarms, garage door openers, temperature sensors, etc. use it.

Communication methods:
  • ASK - amplitude shift keying (uses AM to transfer data)
  • AM - amplitude modulation
  • FM - frequency modulation
  • FSK - frequency shift keying (uses FM to transfer data)
  • OOK - On-Off keying (a form of ASK)
Methodology for researching and hacking the alarm system (this worked for what we did; it doesn't mean it will work for everyone else):
  1. Get frequency
    1. FCC ID
    2. Frequency lookup
    3. Google
    4. Hardware pieces or datasheet
  2. Get modulation type
    1. Same resources to get frequency
    2. Signal comparison with RTLSDR's Signal ID guide/wiki
  3. Collection
    1. Collect the signal multiple times (helps to see if there is a pattern or not)
  4. Analysis
    1. Audacity
      1. Binary data - get low and highs (at least for OOK)
      2. Baud rate - 1 / (end time of a bit - start time of a bit)
        1. Datasheets can also help
    2. Binary to hex
      1. Use tools to convert binary data from your analysis to hex
    3. Look for patterns
      1. This was easy because "disarm" signal was the same every time
  5. Attack
    1. Since the disarm signal was the same every time, we could do a replay attack
    2. Doing replay attack
      1. Start rfcat
      2. Set correct frequency
      3. Set correct modulation
      4. Set correct baud rate
      5. Input your code to transmit
      6. Transmit
Tools we used:
  • RTL-SDR dongle (60-2000MHz RX)
  • Ham radio (just to demonstrate jamming)
  • CC1111 (TX/RX with RFCat)
  • SDR# (to capture signals)
  • Audacity (to look at the signals)
  • RFCat (to replay signal)

Alarm system:
I bought the alarm system from Amazon. It was cheap, I think around $50.
As you can see below, it has a receiver and no transmitter.
There are also four holes on the middle right-hand side of the picture. I thought those were serial but I was not able to connect and get anything.


Doing the attack:
We knew the device frequency was around 433MHz because it was advertised on Amazon.
We used SDR# to find the exact frequency, which was 433.800MHz.

To find the modulation type, we looked up part number on the transmitter and found a similar part that used ASK/OOK.

We captured the signal with the right configuration in SDR# and opened it with Audacity. We printed the Audacity visualization and started marking 0's and 1's on it.

We used Audacity and our captured data to find the baud rate.

The numbers in the paper picture below are a bit different because we took the screenshot afterwards when we were making the presentation.

We took the binary data from the Audacity output and converted it to hex.
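The three analysis steps above (mark highs and lows on the envelope, take the baud rate as 1 / bit period, convert the bits to hex) can be done in a few lines once the capture is exported as samples. The following is an added example written for this post, not code we used in the project and not from any of the tools listed; it assumes a 48 kHz export (the rate is a parameter), an amplitude envelope where "on" is clearly above "off", and plain OOK where the shortest pulse is exactly one bit. The input envelope is constructed in the block so it runs offline.

```python
"""Decode an OOK (on-off keying) amplitude envelope into bits and hex.

Added example for this post. Assumptions: plain OOK with one bit per shortest
pulse (no Manchester or pulse-width symbols), a clean threshold between on and
off, and a sample rate you know from the capture/export.
"""

SAMPLE_RATE = 48_000  # Hz, assumed export rate; pass your own to decode_ook()


def build_envelope(bits, samples_per_bit, offset=0.05):
    """Constructed test input: an envelope for a bit string, 'on' = 0.9, 'off' = 0.0,
    plus a small DC offset so the zeros are not a perfect 0.0."""
    env = []
    for b in bits:
        level = 0.9 if b == "1" else 0.0
        env.extend([level + offset] * samples_per_bit)
    return env


def threshold(envelope, level=0.5):
    """Step 4.1 of the methodology: turn the envelope into highs (1) and lows (0)."""
    return [1 if s >= level else 0 for s in envelope]


def run_lengths(symbols):
    """Collapse a 0/1 sequence into (symbol, sample_count) runs."""
    runs = []
    for s in symbols:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [(s, n) for s, n in runs]


def strip_silence(runs):
    """Drop the leading and trailing 'off' runs (the quiet before/after a button press)."""
    if runs and runs[0][0] == 0:
        runs = runs[1:]
    if runs and runs[-1][0] == 0:
        runs = runs[:-1]
    return runs


def estimate_baud(runs, sample_rate):
    """Step 4.1.2: baud = 1 / (end time - start time of one bit).
    The shortest run is taken as one bit period."""
    shortest = min(n for _, n in runs)
    return sample_rate / shortest, shortest


def runs_to_bits(runs, samples_per_bit):
    """Each run is a whole number of bits (rounded, to absorb a little jitter)."""
    bits = []
    for s, n in runs:
        bits.extend([str(s)] * round(n / samples_per_bit))
    return "".join(bits)


def bits_to_hex(bits):
    """Step 4.2: binary to hex; pad on the right to a whole nibble, as converter tools do."""
    padded = bits + "0" * ((-len(bits)) % 4)
    return "".join(f"{int(padded[i:i + 4], 2):x}" for i in range(0, len(padded), 4))


def decode_ook(envelope, sample_rate=SAMPLE_RATE):
    runs = strip_silence(run_lengths(threshold(envelope)))
    baud, spb = estimate_baud(runs, sample_rate)
    bits = runs_to_bits(runs, spb)
    return {"baud": baud, "bits": bits, "hex": bits_to_hex(bits)}


if __name__ == "__main__":
    # Constructed 16-bit "code" at 24 samples per bit => 2000 baud at 48 kHz
    env = [0.0] * 500 + build_envelope("1011000110100101", 24) + [0.0] * 300
    print(decode_ook(env))
```

Running this on several captures of the same button press is the "collect multiple times" step in practice: if the `hex` field is identical every time, the transmitter has no rolling code and the signal is replayable. Many cheap 433 MHz remotes (and the rc-switch/433Utils family of Arduino libraries) encode each data bit as a pair of pulses of different widths rather than one pulse per bit; for those, compare the run lengths themselves rather than the bits this decoder emits.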

Here's what we did to perform the actual attack. 
RFCat was well documented so we used that. Later we found out that it was a lot easier to do the attack with an Arduino. There was a library that captured data for you and decoded it and the same library allowed you to transmit it. (I think it was https://github.com/ninjablocks/433Utils )

We also had to tell the class about some mitigation techniques.
We came up with:
  • Frequency hopping
  • Non-repeating signal
  • Jam detection
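To make the "non-repeating signal" point concrete: the alarm we tested accepted the same disarm code every time, so a recording was as good as the remote. The block below is an added example written for this post, not code from the alarm product or from any vendor scheme. It models a fixed-code receiver next to a counter-plus-MAC rolling code, where the remote and the panel share a key (assumed to be provisioned at pairing) and a counter, and the panel only accepts a counter it has not seen before within a resync window. The key and codes are constructed values.

```python
"""Fixed disarm code (replayable) versus a rolling code (replay rejected).

Added example for this post; not the product's protocol. Assumes a shared key
provisioned at pairing and a 32-bit counter carried in the clear with a
truncated HMAC over it. Real products use vendor-specific hopping-code schemes,
but the receiver-side rule is the same: never accept a counter twice.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-a-real-one"
WINDOW = 16   # how many missed presses the receiver will resync across
TAG_LEN = 4   # bytes of MAC sent over the air


class FixedCodeReceiver:
    """Models the tested alarm: one constant disarm code, accepted every time."""

    def __init__(self, code):
        self.code = code

    def disarm(self, msg):
        return msg == self.code


def encode(key, counter):
    """Message = counter || HMAC(key, 'disarm' || counter)[:TAG_LEN]."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, b"disarm" + ctr, hashlib.sha256).digest()[:TAG_LEN]
    return ctr + tag


class RollingCodeTransmitter:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press_disarm(self):
        self.counter += 1          # every press produces a new message
        return encode(self.key, self.counter)


class RollingCodeReceiver:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0      # highest counter accepted so far

    def disarm(self, msg):
        if len(msg) != 4 + TAG_LEN:
            return False
        ctr_bytes, tag = msg[:4], msg[4:]
        expected = hmac.new(self.key, b"disarm" + ctr_bytes, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False           # forged or corrupted
        counter = int.from_bytes(ctr_bytes, "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False           # replayed (<= last) or too far ahead (> window)
        self.last_counter = counter
        return True


def demo():
    # Fixed code: a captured message works again and again.
    captured = bytes.fromhex("b1a5")            # constructed code value
    fixed = FixedCodeReceiver(bytes.fromhex("b1a5"))
    fixed_results = (fixed.disarm(captured), fixed.disarm(captured))

    # Rolling code: the same capture is rejected the second time.
    tx = RollingCodeTransmitter(SHARED_KEY)
    rx = RollingCodeReceiver(SHARED_KEY)
    first = tx.press_disarm()
    legit = rx.disarm(first)
    replay = rx.disarm(first)
    forged = rx.disarm(b"\x00\x00\x00\x02" + b"\x00" * TAG_LEN)
    later = rx.disarm(tx.press_disarm())
    return {"fixed": fixed_results, "legit": legit, "replay": replay,
            "forged": forged, "later": later}


if __name__ == "__main__":
    print(demo())
```

The window exists because the remote is pressed out of range sometimes; without it a few missed presses would lock the user out, with it the receiver still never goes backwards. Note this only addresses the replay branch of the attack tree; the jamming branch needs the separate jam-detection measure (a receiver that alarms when the channel is saturated), since a rolling code does nothing against a signal that never arrives.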
This was done in early 2014. I am sure there are better ways to do this now.

If I made any mistakes in the post, leave a comment below. I don't typically work with radios.

Sorry for bad writing style. I am trying to improve.