His first steps were to search for the frequency which he found active at 390 MHz. He then moved on to analyzing the signal with Inspectrum, discovering the OOK modulation, then working his way towards the binary control strings. One thing that helped with his reverse engineering was the use of the 9-bit DIP switches on the remote that configure the security code that opens up a specific door as this allowed him to control the transmitted bits, and determine which bits were used for the security code. With this and a bit of GNU Radio code he was able to recreate the signal and transmit it with his HackRF.
Finally Maxwell wanted to see how vulnerable this door is to a brute force attack that simply transmits every possible security code. Through some calculations, he discovered that brute forcing every possible security code in the 9-bit search space would only take 104 minutes to open any garage using this opener.
Over on YouTube, the channel RECESSIM has uploaded a three-part series on reverse engineering smart utility meters. In many locations, wireless mesh smart electricity meters are installed in houses, allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.
In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.
In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.
Finally in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.
The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.
To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opened the audio files in Audacity, which allowed him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern.
Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.
Over on YouTube Black Hills Information Security (aka Paul Clark) has uploaded a one hour long presentation that shows how to use a software defined radio to reverse engineer digital signals using GNU Radio.
One of the most common uses of Software Defined Radio in the InfoSec world is to take apart a radio signal and extract its underlying digital data. The resulting information is often used to build a transmitter that can compromise the original system. In this webcast, you'll walk through a live demo that illustrates the basic steps in the RF reverse engineering process, including:
- tuning
- demodulation
- decoding
- determining bit function
- building your own transmitter
- and much, much more!
In order to create a second transmitter he decided to reverse engineer the doorbell's wireless signal, and use that information to create an Arduino based transmitter. His process involves first using an RTL-SDR to determine the transmission frequency, then using the rtl_433 software to capture the raw waveform, which he then analyzes manually using Audacity. Once the binary string, length and pulse width are known, he is able to program an Arduino connected to a 433 MHz transmitter to replicate the signal.
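The run-length inspection done by eye in Audacity here, and in the pan-tilt remote write-up above, can also be scripted. This is an added example, not code from either post; the pulse-width coding (long ON = 1), the two-run preamble and the sample capture are assumptions constructed for illustration.

```python
from itertools import groupby
from statistics import median

def run_lengths(envelope, threshold):
    """Threshold an amplitude envelope and collapse it into [level, samples] runs."""
    levels = (1 if abs(s) >= threshold else 0 for s in envelope)
    return [[lvl, len(list(grp))] for lvl, grp in groupby(levels)]

def drop_glitches(runs, min_len):
    """Fold runs shorter than min_len samples (noise spikes) into their neighbours."""
    out = []
    for lvl, n in runs:
        if out and (n < min_len or out[-1][0] == lvl):
            out[-1][1] += n
        else:
            out.append([lvl, n])
    return out

def unit_length(runs):
    """Estimate the basic symbol time: median of the cluster of shortest runs."""
    shortest = min(n for _, n in runs)
    return median(n for _, n in runs if n <= 1.5 * shortest)

def decode_pwm(unit_runs, preamble_runs=2):
    """Assumed coding: after the preamble each bit is an ON/OFF pair, long ON = 1."""
    body = unit_runs[preamble_runs:]
    return "".join("1" if on > off else "0"
                   for (_, on), (_, off) in zip(body[0::2], body[1::2]))

def analyze(envelope, threshold=0.5, min_len=5):
    """Return (unit in samples, ON/OFF pattern in units, decoded payload bits)."""
    runs = drop_glitches(run_lengths(envelope, threshold), min_len)
    unit = unit_length(runs)
    unit_runs = [(lvl, max(1, round(n / unit))) for lvl, n in runs]
    return unit, unit_runs, decode_pwm(unit_runs)

def constructed_capture(bits, unit=20, jitter=(0, 1, -1, 2, -2)):
    """Constructed sample: ON 4 units, OFF 2 units, then PWM bits, with jitter."""
    pattern = [(1, 4), (0, 2)]
    for b in bits:
        pattern += [(1, 3), (0, 1)] if b == "1" else [(1, 1), (0, 3)]
    env = []
    for i, (lvl, u) in enumerate(pattern):
        env += [0.9 * lvl + 0.02] * (u * unit + jitter[i % len(jitter)])
    env[100] = 0.9  # one-sample noise spike inside the first OFF gap
    return env

if __name__ == "__main__":
    print(analyze(constructed_capture("1011001")))
```

Expressing every run as a multiple of the estimated unit is what makes the preamble, the payload timing and the ON/OFF pattern readable at a glance, even when individual pulse widths vary by a few samples.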
In future posts Shreyas hopes to explore other ways to transmit the signal, and eventually design a simple but configurable 433 MHz push button that supports RF, WiFi, and can support the IFTTT web service.
If you're interested, check out some of our previous posts that highlight many other successful reverse engineering experiments with RF devices and SDR.
Amazon Alexa is a smart speaker that can be programmed to control home automation devices via voice commands. For example, Stuart Hinson wanted to be able to control his wirelessly controlled blinds simply by verbally asking Alexa to close or open them. Stuart's blinds could already be controlled via a 433 MHz remote control, so he decided to replicate the control signals on an ESP8266 with 433 MHz transmitter, and interface that with Alexa. The ESP8266 is a cheap and small WiFi capable microchip which many people are using to create IoT devices.
Fortunately replicating the signal was quite easy, as all he had to do was record the signal from the remote control with his RTL-SDR, and use the Universal Radio Hacker software to determine the binary bit string and modulation details. Once he had these details, he was able to program the ESP8266 to replicate the signal and transmit it via the 433 MHz transmitter. The remaining steps were all related to setting up an HTTP interface that Alexa could interface with.
If you're interested, we've also previously posted about another Alexa + RTL-SDR mashup which allows Alexa to read out ADS-B information about aircraft flying in your vicinity.
Johannes Smit wanted to be able to view the live data from his SWR WH2303 weather station and send it to a database. Whilst the weather data acquisition software that he paid for worked well, he thought that there must be a cheaper and more fun way to grab the data. But unfortunately the manufacturers would not respond to his request for the RF protocol specifications. So Johannes decided to reverse engineer the protocol using his RTL-SDR instead.
Next he fired up Universal Radio Hacker (URH) and captured a sample of the weather station signal. Using URH he was able to determine the modulation type (FSK) and the bit length parameter (150us). Johannes' next step was to open the weather station, find the RF chip, look up the RF chip information on the web and find the spec sheet. From the spec sheet and internet forum searches he was able to determine the properties of the packet including the sync word and preamble. With this data he was able to determine the packet structure.
Finally he captured a packet and recorded the exact data shown on the weather station at the time of the packet. With this he was able to search the binary data string for the data shown on the weather station, indicating the location of a particular piece of data within the string.
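A sketch of that known-value search, as an added example rather than Johannes' code or a URH feature: the packet layout, the candidate encodings (plain binary, binary with a +400 offset, BCD) and the three readings are all constructed for illustration. Intersecting the hits from several captures taken at different readings removes coincidental matches.

```python
def candidates(value):
    """Bit patterns a scaled reading might take (guesses, not a known spec)."""
    out = []
    for scheme, v in (("bin", value), ("bin+400", value + 400)):
        for width in (8, 10, 12, 16):
            if v < 1 << width:
                out.append((scheme, width, format(v, f"0{width}b")))
    bcd = "".join(format(int(d), "04b") for d in str(value))
    return out + [("bcd", len(bcd), bcd)]

def find_all(bits, pat):
    """Every offset at which pat occurs in bits, overlapping matches included."""
    hits, pos = [], bits.find(pat)
    while pos != -1:
        hits.append(pos)
        pos = bits.find(pat, pos + 1)
    return hits

def locate(captures):
    """captures: [(bitstring, displayed value)]. Fields consistent in all of them."""
    common = None
    for bits, value in captures:
        hits = {(off, scheme, w) for scheme, w, pat in candidates(value)
                for off in find_all(bits, pat)}
        common = hits if common is None else common & hits
    widest = {}  # a narrow guess also matches inside a wider field: keep the widest
    for off, scheme, w in common:
        key = (off + w, scheme)
        if key not in widest or w > widest[key][2]:
            widest[key] = (off, scheme, w)
    return sorted(widest.values())

def constructed_packet(temp_c, hum):
    """Constructed frame: AAAA, 2DD4, id 5C, temp*10+400 (12 b), hum (8 b), sum (8 b)."""
    t = round(temp_c * 10) + 400
    chk = (0x5C + t + hum) & 0xFF
    return (format(0xAAAA2DD45C, "040b") + format(t, "012b")
            + format(hum, "08b") + format(chk, "08b"))

READINGS = [(21.7, 45), (19.3, 52), (24.0, 38)]  # constructed display values
PACKETS = [constructed_packet(t, h) for t, h in READINGS]

def locate_temperature():
    return locate([(p, round(t * 10)) for p, (t, _) in zip(PACKETS, READINGS)])

def locate_humidity():
    return locate([(p, h) for p, (_, h) in zip(PACKETS, READINGS)])

if __name__ == "__main__":
    print(locate_temperature(), locate_humidity())
```

Each result is a (bit offset, encoding guess, width) triple; a field that never shows up under any guess usually means the scale, offset or bit order assumed in `candidates` needs widening.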
Johannes' tutorial shows just how powerful tools like Universal Radio Hacker can be, and his tutorial is an excellent start for those looking at reverse engineering any of their own local RF protocols.
Foo-Manroot first explains how to easily capture and replay a signal with the HackRF. If the signal is simple and lacks any security such as rolling codes, then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination, and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required, so it is easy for someone to replicate his work.
If you are interested in controlling simple OOK devices like a wireless power plug with replay attacks, then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX, which might be useful for those who don't have a HackRF.