Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter and performs a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine encoding type (e.g. ASK/OOK)
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.

$50 home alarm system broken by an RTL-SDR and RFcat.
$50 home alarm system broken by an RTL-SDR and RFcat.
Tweet29
Share50
Reddit
Vote1
Email
80 Shares

Related posts:

  1. Bypassing Rolling Code Systems – CodeGrabbing/RollJam
  2. Reverse Engineering the SimpliSafe Wireless Burglar Alarm
  3. Reverse Engineering Radio Controlled Power Outlets with Help from the RTL-SDR
  4. Reverse Engineering a Wireless Alarm with the HackRF
  5. Chaos Communications Congress Talks – Iridium Pager Hacking
Subscribe
Notify of
guest

4 Comments
Inline Feedbacks
View all comments
qdq
#85066

yea

0
Reply
qdq
#85065

0
Reply
No
#80542

So how to deal with an Rolling Code?

0
Reply