Saturday, February 20, 2016

How we broke into your house

For my wireless security class (CIT 460), some friends and I did a final project on hacking alarm systems. This was in Spring 2014. I did this because I had an RTL-SDR dongle and I wanted to do something cool with it. Also, a lot of cool stuff was already coming out of RTL-SDR research (I went to /r/rtlsdr a lot), not to mention tools like rfcat by atlas of doom. Another reason was that people in this class always did 802.x-related (Wi-Fi, Bluetooth, etc.) research, and that was no longer interesting to me.

We titled the presentation "How we broke into your house."

Here is the threat identification:

  • Threat agent: burglars
  • Threat model: breaking and entering
  • Attack tree
    • Breaking in
      • Jamming
        • Requires attacker to find the alarm frequency
      • Disarming
        • Replay attack
          • Requires attacker to find the alarm frequency
          • Requires attacker to record the "disarm" signal
Some terms:
  • TX = transmitter / transmit
  • RX = receiver / receive
  • Transceiver = can transmit and receive
  • AM = Amplitude modulation
  • FM = Frequency modulation
  • SDR = software defined radio
ISM band and the importance of sub-GHz frequencies:
Many devices use the sub-GHz ISM band.
Devices such as alarms, garage door openers, temperature sensors, etc. use it.

Communication methods:
  • ASK - amplitude shift keying (uses AM to transfer data)
  • AM - amplitude modulation
  • FM - frequency modulation
  • FSK - frequency shift keying (uses FM to transfer data)
  • OOK - On-Off keying (a form of ASK)
Methodology for researching and hacking the alarm system (this worked for what we did; it doesn't mean it will work for everyone else):
  1. Get frequency
    1. FCC ID
    2. Frequency lookup
    3. Google
    4. Hardware pieces or datasheet
  2. Get modulation type
    1. Same resources to get frequency
    2. Signal comparison with the RTL-SDR Signal ID guide/wiki
  3. Collection
    1. Collect the signal multiple times (helps to see if there is a pattern or not)
  4. Analysis
    1. Audacity
      1. Binary data - get the lows and highs (at least for OOK)
      2. Baud rate - 1 / (end time of a bit - start time of a bit)
        1. Datasheets can also help
    2. Binary to hex
      1. Use tools to convert binary data from your analysis to hex
    3. Look for patterns
      1. This was easy because "disarm" signal was the same every time
  5. Attack
    1. Since the disarm signal was the same every time, we could do a replay attack
    2. Doing replay attack
      1. Start rfcat
      2. Set correct frequency
      3. Set correct modulation
      4. Set correct baud rate
      5. Input your code to transmit
      6. Transmit
Tools we used:
  • RTL-SDR dongle (60-2000MHz RX)
  • Ham radio (just to demonstrate jamming)
  • CC1111 (TX/RX with RFCat)
  • SDR# (to capture signals)
  • Audacity (to look at the signals)
  • RFCat (to replay the signal)

Alarm system:
I bought the alarm system from Amazon. It was cheap, I think around $50.
As you can see below, it has a receiver and no transmitter.
There are also four holes on the middle right-hand side of the picture. I thought those were a serial header, but I was not able to connect and get anything.

Doing the attack:
We knew the device frequency was around 433MHz because it was advertised on Amazon.
We used SDR# to find the exact frequency, which was 433.800MHz.

To find the modulation type, we looked up the part number on the transmitter and found a similar part that used ASK/OOK.

We captured the signal with the right configuration in SDR# and opened it with Audacity. We printed the Audacity visualization and started marking 0's and 1's on it.

We used Audacity and our captured data to find the baud rate.

The numbers in the paper picture below are a bit different because we took the screenshot afterwards, when we were making the presentation.

We took the binary data from the Audacity output and converted it to hex.
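As an added example (not code from the original post or the class project), here is the analysis step above carried out in Python on a constructed OOK envelope rather than a real capture: threshold the samples into highs and lows, take the shortest pulse as one bit to get the baud rate (the 1 / bit-time formula from the methodology), turn the bits into hex, and compare several captures to see whether the code repeats, which is the check that decides whether a receiver accepts a static, replayable code. The sample rate, amplitude levels, and the code bits are assumptions made for the example.

```python
from typing import List, Tuple

SAMPLE_RATE = 48_000  # assumed sample rate of the exported capture
THRESHOLD = 0.4       # envelope level above which the carrier counts as "on"
Run = Tuple[int, int]  # (level 0/1, length in samples)

def make_ook(bits: str, samples_per_bit: int, lead: int = 100) -> List[float]:
    """Constructed OOK envelope: 0.9 while the carrier is on ('1'), 0.05 noise
    floor otherwise, padded with silence like a trimmed Audacity export."""
    env = [0.05] * lead
    for b in bits:
        env += [0.9 if b == "1" else 0.05] * samples_per_bit
    return env + [0.05] * lead

def run_lengths(samples: List[float]) -> List[Run]:
    """Threshold to 0/1 and collapse into runs, dropping leading/trailing silence."""
    runs: List[Run] = []
    for s in samples:
        level = 1 if s > THRESHOLD else 0
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    # Caveat: trailing data zeros look like silence, so frame on the last high pulse.
    while runs and runs[0][0] == 0:
        runs.pop(0)
    while runs and runs[-1][0] == 0:
        runs.pop()
    return runs

def estimate_baud(runs: List[Run], sample_rate: int) -> float:
    """Baud = 1 / shortest pulse time (assumes plain OOK, one pulse period per bit)."""
    return sample_rate / min(length for _, length in runs)

def decode_bits(runs: List[Run], sample_rate: int, baud: float) -> str:
    spb = sample_rate / baud
    return "".join(str(level) * round(length / spb) for level, length in runs)

def bits_to_hex(bits: str) -> str:
    return f"{int(bits, 2):0{(len(bits) + 3) // 4}x}"

def analyse(samples: List[float]) -> Tuple[float, str, str]:
    runs = run_lengths(samples)
    baud = estimate_baud(runs, SAMPLE_RATE)
    bits = decode_bits(runs, SAMPLE_RATE, baud)
    return baud, bits, bits_to_hex(bits)

def is_fixed_code(captures: List[List[float]]) -> bool:
    """Same code in every capture means a static, replayable code; a rolling code would differ."""
    return len({analyse(c)[2] for c in captures}) == 1
```

With a real recording, read the exported WAV into the sample list and run `analyse` on each capture; a receiver is only as safe as `is_fixed_code` returning False.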

Here's what we did to perform the actual attack. 
RFCat was well documented, so we used that. Later we found out that it was a lot easier to do the attack with an Arduino. There was a library that captured data for you and decoded it, and the same library allowed you to transmit it. (I think it was )

We also had to tell the class about some mitigation techniques.
We came up with:
  • Frequency hopping
  • Non-repeating signal
  • Jam detection
This was done in early 2014. I am sure there are better ways to do this now.

If I made any mistakes in the post, leave a comment below. I don't typically work with radios.

Sorry for bad writing style. I am trying to improve.


  1. great guide! Could you develop a bit more how to calculate the baud rate? Which pulse length did you take? is it the smallest one? and the baud rate = 1/(that pulse length). Thank you!
