Category: Security

Using RTL_433 to Decode SimpliSafe Home Security Systems

SimpliSafe is an American DIY home security system company that claims over 2 million customers. Their system relies on 433/315 MHz ISM band wireless radio communications between its various sensors, control panels and remote controls. Back in 2016 we already posted about research from Dr. Andrew Zonenberg and Micheal Ossmann who showed that the SimpliSafe wireless communications are unencrypted, and can easily be intercepted, decoded, and spoofed. SimpliSafe responded to those concerns by downplaying them and mentioning that sophisticated hardware was required.

However, now Adam of simpleorsecure.net has recently disclosed a security advisory and a blog post discussing how easy it is to decode SimpliSafe wireless communications with an RTL-SDR and the rtl_433 software. He also also released slides from a recent talk that he did that go over his entire process and findings.

Adam began with some initial manual RF analysis with an RTL-SDR, and then later worked with rtl_433 dev Christian Zuckschwerd to add PiWM demodulation capability, which is the modulation used by SimpliSafe systems. Now Adam is able to easily decode the serial number, pin codes, and status codes transmitted by SimpliSafe sensors and key pads in real time with just an RTL-SDR.

This is very concerning as not only could a burglar easily learn the alarm disarm pincode, but they could also profile your behavior to find an optimal time to break in. For example if you arm your alarm before bed, and disarm in the morning your sleep schedule is being broadcast. It is also possible to determine if a particular door or window has been left open. With a tuned Yagi antenna Adam was able to receive signals from 200+ feet (60m) in free space, and 115 feet (35m) through walls.

In addition to the lack of encryption, Adam also discovered that the SimpliSafe system was susceptible to jamming attacks, and that the tamper detection system can be easily compromised. Adam has disclosed all concerns and findings to SimpliSafe who are aware of the problems. They assure him that next generation systems will not suffer from these flaws. But unfortunately for current generation owners, the hardware will need to be eventually replaced as there is no over the air update capability. 

An RTL-SDR and SimpliSafe KeyPad
An RTL-SDR and SimpliSafe KeyPad

YouTube Talk: Investigating RF Controls with RTL-SDR

During the SANS Pen Test HackFest which was held back in 2017, speaker Katie Knowles who is a security consultant at MWR Infosecurity did a very informative talk on how an RTL-SDR can be used to investigate RF signals. The video has recently been uploaded to YouTube and is shown below. In the talk she goes over how to reverse engineer and understand simple RF protocols, like those used by common RF remote controls found in the home. She then goes on to talk about the basics of software like GNU Radio and rtl_433. The talk blurb reads:

Cranes, trains, theme park rides, sirens, and …ceiling fans? Modern RF protocols have made secure wireless communications easier to implement, but there’s still a horde of simpler RF control systems in the wireless world around us.

Lucky for us, the onset of affordable Software Defined Radios (SDRs) means that exploring these devices is easier than ever! In this talk, Katie examines capturing and understanding basic RF control signals from a common household controller with the affordable RTL-SDR so you can start your own investigations.

With a little knowledge of these protocols we can better explain what makes them risky to the environments we assess, practice thinking in the offensive mindset, and have some fun examining the signals around us.

Slides available here.

Signal Safari: Investigating RF Controls with RTL-SDR – SANS Pen Test HackFest 2017
Signal Safari: Investigating RF Controls with RTL-SDR – SANS Pen Test HackFest 2017

Hacker Warehouse Demonstrates Pager Decoding with an RTL-SDR

Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.

Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.

In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.

Decoding Pager Data with RTLSDR - Tradecraft
Decoding Pager Data with RTLSDR - Tradecraft

SirenJack: Rebuttal by ATI Systems

Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens' were the first to be found as vulnerable.

Today Dr. Ray Bassiounim, President & CEO of ATI Systems wrote to us (and presumably other news agencies that ran the SirenJack story) a rebuttal which we paste below.

ATI Siren Vulnerability Misrepresented by Bastille Networks

Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through.  However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:

  • Bastille’s SirenJack white paper states in part “...nor was there access to equipment...”  However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.
  • Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.
  • In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?
  • In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren.  Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.
  • None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

“For the past 30 years ATI has had thousands of clients, both nationally and internationally.  Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities, however we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.

The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.

SirenJack: Could sirens be taken over with a $30 radio?
SirenJack: Could sirens be taken over with a $30 radio?

SirenJack: Security Vulnerability Found in Wirelessly Controlled Emergency Sirens

Balint Seeber from security research firm Bastille has recently disclosed a major security vulnerability found in wirelessly controlled emergency sirens called "SirenJack". These sirens are used in many states and cities within the USA to warn large populations of disasters or other dangers, although at the moment only sirens by ATI System in San Francisco have been identified as vulnerable. The vulnerability stems from the fact that the wireless protocol used to activate the sirens is not encrypted, so a bad actor could record the monthly test activation transmissions, analyze them and forge control signals of his own. This would allow a hacker to take control the sirens at will using a simple $30 handheld radio and a laptop, or a transmit capable software defined radio.

This security research release comes after the Dallas tornado siren hack, which occurred in early 2017. During that hack a hacker activated 156 tornado sirens placed around the city of Dallas, Texas. In contrast to SirenJack, the Dallas siren hack was most likely caused by a more standard replay or brute force attack, since simple DTMF tones are used to activate Dallas' siren system.

ATI Systems have indicated that they have already patched the vulnerability as Bastille responsibly disclosed the vulnerability to them 3 months prior. However, it is likely that sirens created by other contractors in other states may have the same or similar vulnerabilities.

In the video below Balint shows the SirenJack vulnerability in action on a test siren setup. During the test he is able to take control of the siren and transmit any arbitrary audio to it using a software defined radio. Several other SirenJack video are available on Bastille's YouTube channel

SirenJack Proof of Concept
SirenJack Proof of Concept

A Review of the HackRF PortaPack (With Havoc Firmware)

The PortaPack is a US$220 add-on for the HackRF software defined radio (HackRF + PortaPack + Accessory Amazon bundle) which allows you to go portable with the HackRF and a battery pack. It features a small touchscreen LCD and an iPod like control wheel that is used to control custom HackRF firmware which includes an audio receiver, several built in digital decoders and transmitters too. With the PortaPack no PC is required to receive or transmit with the HackRF.

Of course as you are fixed to custom firmware, it's not possible to run any software that has already been developed for Windows or Linux systems in the past. The official firmware created by the PortaPack developer Jared Boone has several decoders and transmitters built into it, but the third party 'Havoc' firmware by 'furrtek' is really what you'll want to use with it since it contains many more decoders and transmit options.

As of the time of this post the currently available decoders and transmit options can be seen in the screenshots below. The ones in green are almost fully implemented, the ones in yellow are working with some features missing, and the ones in grey are planned to be implemented in the future. Note that for the transmitter options, there are some there that could really land you in trouble with the law so be very careful to exercise caution and only transmit what you are legally allowed to.

Some screenshots from the HackRF Portapack Havok Firmware
Some screenshots from the HackRF Portapack Havoc Firmware
More Havok firmware screenshots from the GitHub page.
More Havoc firmware screenshots from the GitHub page.

Although the PortaPack was released several years ago we never did a review on it as the firmware was not developed very far beyond listening to audio and implementing a few transmitters. But over time the Havok firmware, as well as the official firmware has been developed further, opening up many new interesting applications for the PortaPack.

Doing a replay attack on a wireless keyfob using the Portapack.
Doing a replay attack on a wireless keyfob using the PortaPack.

Testing the PortaPack with the Havoc Firmware

Capture and Replay

One of the best things about the PortaPack is that it makes capture and replay of wireless signals like those from ISM band remote controls extremely easy. To create a capture we just need to enter the "Capture" menu, set the frequency of the remote key, press the red 'R' Record button and then press the key on the remote. Then stop the recording to save it to the SD Card.

Now you can go into the Replay menu, select the file that you just recorded and hit play. The exact same signal will be transmitted over the air, effectively replacing your remote key.

We tested this using a simple remote alarm system and it worked flawlessly first time. The video below shows how easy the whole process is.

Portapack Replay
Portapack Replay

Continue reading

Explaining and Demonstrating Jam and Replay Attacks on Keyless Entry Systems with RTL-SDR, RPiTX and a Yardstick One

Thank you to Christopher for submitting to us an article that he's written for a project of his that demonstrates how vulnerable vehicle keyless entry systems are to jam and replay attacks. In the article he explains what a jam and replay attack is, the different types of keyless entry security protocols, and how an attack can be performed with low cost off the shelf hardware. He explains a jam and replay attack as follows:

The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.

In his demonstrating the attack he uses the RTL-SDR to initially find the frequency that they keyfob operates at and to analyze the signal and determine some of it's properties. He then uses a Raspberry Pi running RPiTX to generate a jamming signal, and the YardStick One to capture and replay the car keyfob signal.

Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.
Jam and Replay Hardware: Raspberry Pi running RpiTX for the Jamming and a Yardstick One for Capture and Replay.

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.