Saturday, February 20, 2016

How we broke into your house

For my wireless security class (CIT 460), some friends and I did a final project on hacking alarm systems. This was in Spring 2014. I did this because I had an RTL-SDR dongle and I wanted to do something cool with it. Also, a lot of cool stuff was already coming out from RTL-SDR research (I went to /r/rtlsdr a lot), not to mention stuff like rfcat by atlas of doom. Another reason was that people in this class always did 802.x-related (wifi, bluetooth, etc.) research and that was no longer interesting to me. 

We titled the presentation "How we broke into your house."

Here is the threat identification:

  • Threat agent: burglars
  • Threat model: breaking and entering
  • Attack tree
    • Breaking in
      • Jamming
        • Requires attacker to find the alarm frequency
      • Disarming
        • Replay attack
          • Requires attacker to find the alarm frequency
          • Requires attacker to record the "disarm" signal
Some terms:
  • TX = transmitter / transmit
  • RX = receiver / receive
  • Transceiver = can transmit and receive
  • AM = Amplitude modulation
  • FM = Frequency modulation
  • SDR = software defined radio
ISM Band and importance of sub-GHz frequencies:
Many devices use sub-GHz ISM band.
Devices such as alarms, garage door openers, temperature sensors, etc. use this.

Communication methods:
  • ASK - amplitude shift keying (uses AM to transfer data)
  • AM - amplitude modulation
  • FM - frequency modulation
  • FSK - frequency shift keying (uses FM to transfer data)
  • OOK - On-Off keying (a form of ASK)
Methodology for researching and hacking the alarm system (this worked for what we did; it doesn't mean it will work for everyone else):
  1. Get frequency
    1. FCC ID
    2. Frequency lookup
    3. Google
    4. Hardware pieces or datasheet
  2. Get modulation type
    1. Same resources to get frequency
    2. Signal comparison with RTLSDR's Signal ID guide/wiki
  3. Collection
    1. Collect the signal multiple times (helps to see if there is a pattern or not)
  4. Analysis
    1. Audacity
      1. Binary data - get low and highs (at least for OOK)
      2. Baud rate - 1 / (end time of a bit - start time of a bit)
        1. Datasheets can also help
    2. Binary to hex
      1. Use tools to convert binary data from your analysis to hex
    3. Look for patterns
      1. This was easy because "disarm" signal was the same every time
  5. Attack
    1. Since the disarm signal was the same every time, we could do a replay attack
    2. Doing replay attack
      1. Start rfcat
      2. Set correct frequency
      3. Set correct modulation
      4. Set correct baud rate
      5. Input your code to transmit
      6. Transmit
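The analysis step above (thresholding the Audacity trace into highs and lows, taking the baud rate as 1 over one bit's duration, converting the bits to hex, and comparing several captures for a repeating pattern) written out as code. This is an added example, not code from the class project; the sample rate, the samples-per-bit value and the "disarm" bit string are constructed, and it assumes plain OOK where every bit occupies one equal carrier on/off period, so the shortest run in the capture is one bit.

```python
from itertools import groupby

SAMPLE_RATE = 48_000   # Hz, constructed: the rate the capture was exported at
BIT_SAMPLES = 96       # constructed: 96 samples per bit -> 500 baud

def ook_envelope(bitstring, bit_samples=BIT_SAMPLES, pad=300):
    """Constructed capture: carrier on (0.9) for a 1, off (0.05 noise) for a 0,
    with silence before and after as a real recording would have."""
    body = [0.9 if b == "1" else 0.05 for b in bitstring for _ in range(bit_samples)]
    return [0.05] * pad + body + [0.05] * pad

def to_levels(samples, threshold=0.5):
    """What we did by eye in Audacity: anything above the threshold is 'high'."""
    return [1 if abs(s) >= threshold else 0 for s in samples]

def runs(levels):
    """Run-length encode into (level, samples) pairs, trimmed to the burst.
    Caveat: leading/trailing 0 bits are indistinguishable from silence in OOK,
    so a code that starts or ends in 0 needs framing info from the datasheet."""
    first, last = levels.index(1), len(levels) - 1 - levels[::-1].index(1)
    return [(lvl, sum(1 for _ in grp)) for lvl, grp in groupby(levels[first:last + 1])]

def baud_rate(levels, sample_rate=SAMPLE_RATE):
    """Post's formula, 1 / (end time of a bit - start time of a bit):
    the shortest run is one bit, so baud = sample_rate / shortest_run."""
    shortest = min(length for _, length in runs(levels))
    return sample_rate / shortest

def decode_bits(levels, sample_rate=SAMPLE_RATE):
    """Each run of N bit-lengths is N bits of that level."""
    bit_len = sample_rate / baud_rate(levels, sample_rate)
    return "".join(str(lvl) * round(length / bit_len) for lvl, length in runs(levels))

def bits_to_hex(bits):
    """Binary to hex, zero-padding the front to a multiple of 4 bits."""
    bits = bits.zfill((len(bits) + 3) // 4 * 4)
    return f"{int(bits, 2):0{len(bits) // 4}x}"

def analyse_captures(captures):
    """Steps 4.1-4.3 over several captures: baud rate(s), hex code per capture,
    and whether every capture decoded to the same code (a fixed, replayable code)."""
    hexes = [bits_to_hex(decode_bits(to_levels(c))) for c in captures]
    bauds = {round(baud_rate(to_levels(c))) for c in captures}
    return {"baud": bauds, "codes": hexes, "repeats": len(set(hexes)) == 1}

if __name__ == "__main__":
    CODE = "1011001110001111"   # constructed stand-in for a disarm code
    print(analyse_captures([ook_envelope(CODE) for _ in range(3)]))
```

A `repeats` value of True is the finding that made the replay possible; a device using a non-repeating (rolling) code would decode to a different value each time and fail this check.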
Tools we used:
RTL-SDR dongle (60-2000MHz RX)
Ham radio ( just to demonstrate jamming )

CC1111 (TX/RX with Rfcat)

SDR# (to capture signals)
Audacity (to look at the signals)
RFCat (to replay signal)

Alarm system:
I bought the alarm system from Amazon. It was cheap, I think around $50.
As you can see below, it has a receiver and no transmitter.
There are also four holes on the middle right-hand side of the picture. I thought those were serial, but I was not able to connect and get anything.


Doing the attack:
We knew the device frequency was around 433MHz because it was advertised on Amazon.
We used SDR# to find the exact frequency, which was 433.800MHz.

To find the modulation type, we looked up part number on the transmitter and found a similar part that used ASK/OOK.

We captured the signal with the right configuration in SDR# and opened it with Audacity. We printed the Audacity visualization and started marking 0's and 1's on it.

We used Audacity and our captured data to find the baud rate.

The numbers in the paper picture below are a bit different because we took the screenshot afterwards when we were making the presentation.

We took the binary data from the Audacity output and converted it to hex.

Here's what we did to perform the actual attack. 
RFCat was well documented so we used that. Later we found out that it was a lot easier to do the attack with an Arduino. There was a library that captured data for you and decoded it and the same library allowed you to transmit it. (I think it was https://github.com/ninjablocks/433Utils )

We also had to tell the class about some mitigation techniques.
We came up with:
  • Frequency hopping
  • Non-repeating signal
  • Jam detection
This was done in early 2014. I am sure there are better ways to do this now.

If I made any mistakes in the post, leave a comment below. I don't typically work with radios.

Sorry for bad writing style. I am trying to improve.

35 comments:

  1. great guide! Could you develop a bit more how to calculate the baud rate? Which pulse length did you take? Is it the smallest one? And the baud rate = 1/(that pulse length). Thank you!
