Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One
Over on his blog "Foo-Manroot" has created a post where he shows how he can control a wirelessly controlled powerplug with his HackRF. These power plugs are used to turn electrical devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.
Foo-Manroot first explains how easy it is to capture and replay a signal with the HackRF. If the signal is a fixed code with no protection such as rolling codes, a simple replay attack like this lets the HackRF control the device. In the next section he explains how to analyze and synthesize the packets yourself using Python and GNU Radio. Finally he shows that a brute force attack becomes possible once you know how to synthesize the signal: because the code space of a simple remote control protocol is small, trying every possible packet can be done in a short time. His post also includes all the GNU Radio files required, so it is easy for someone to replicate his work.
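The packet analysis step that the post performs in Python and GNU Radio comes down to treating the received amplitude as an envelope and measuring pulse widths. The following is an added example, not code from Foo-Manroot's post; it encodes and decodes a fixed-code OOK frame at the baseband level using constructed timing parameters (a short pulse of 350 µs, a long pulse of three times that, and a long sync gap), which are assumptions for illustration and will differ for any real remote. It shows why a fixed-code remote is easy to analyze: once the frames are recovered, every transmission carries the same bits, so there is nothing the receiver can use to reject a recording.

```python
# Added example (not from the original post): synthesize and decode
# fixed-code OOK packets at the envelope (baseband) level.
# All timing values below are constructed assumptions, not measured
# from any real device.

SAMPLE_RATE = 1_000_000        # envelope samples per second (1 Msps)
SHORT_US = 350                 # short pulse/gap, microseconds (assumed)
LONG_US = 3 * SHORT_US         # long pulse/gap (assumed)
SYNC_US = 31 * SHORT_US        # long low gap that terminates a frame (assumed)


def _samples(us: int) -> int:
    """Convert a duration in microseconds to a sample count."""
    return us * SAMPLE_RATE // 1_000_000


def encode_ook(bits: str, repeats: int = 1) -> list:
    """Synthesize a 0/1 envelope: '0' = short high + long low,
    '1' = long high + short low, then a short sync pulse and a long gap.
    Remotes usually repeat the frame several times, hence `repeats`."""
    frame = []
    for b in bits:
        if b == "0":
            frame += [1] * _samples(SHORT_US) + [0] * _samples(LONG_US)
        elif b == "1":
            frame += [1] * _samples(LONG_US) + [0] * _samples(SHORT_US)
        else:
            raise ValueError(f"not a bit: {b!r}")
    frame += [1] * _samples(SHORT_US) + [0] * _samples(SYNC_US)
    return frame * repeats


def threshold_envelope(magnitudes: list, threshold: float) -> list:
    """Turn raw amplitude samples (as a receiver would produce after
    taking the magnitude of the IQ stream) into a 0/1 envelope."""
    return [1 if m > threshold else 0 for m in magnitudes]


def _runs(envelope: list) -> list:
    """Run-length encode the envelope into [level, length] pairs."""
    runs = []
    for s in envelope:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return runs


def decode_ook(envelope: list) -> list:
    """Recover the bit string of every complete frame in a 0/1 envelope.
    Pulses are classified by comparing their width with the midpoint
    between the short and long durations, which tolerates timing jitter."""
    runs = _runs(envelope)
    pulse_threshold = _samples((SHORT_US + LONG_US) // 2)
    sync_threshold = _samples((LONG_US + SYNC_US) // 2)
    frames, bits = [], []
    i = 1 if runs and runs[0][0] == 0 else 0   # skip leading silence
    # After the first high run, levels alternate high/low, so step in pairs.
    while i + 1 < len(runs):
        high, low = runs[i][1], runs[i + 1][1]
        if low >= sync_threshold:              # sync gap: frame complete
            if bits:
                frames.append("".join(bits))
            bits = []
        else:
            bits.append("1" if high >= pulse_threshold else "0")
        i += 2
    return frames


if __name__ == "__main__":
    code = "101101100100"                      # constructed sample code
    env = encode_ook(code, repeats=3)
    # Constructed "captured" magnitudes: scaled envelope plus a little
    # deterministic noise, as a stand-in for a real receiver's output.
    mag = [s * 0.8 + 0.1 + ((i * 7919) % 13) / 130 for i, s in enumerate(env)]
    print(decode_ook(threshold_envelope(mag, 0.5)))
```

Running the block decodes three identical copies of the constructed code from the simulated capture; with a real recording you would feed the magnitude samples from the SDR into `threshold_envelope` after picking a threshold between the noise floor and the pulse amplitude.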
If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.
If you don’t have a HackRF there’s a useful free guide to doing this with a Raspberry Pi and $10 worth of hardware here http://www.securipi.co.uk/remote-433-receivers.pdf – it works with almost all 433.92 MHz and 315 MHz OOK devices and can replay and fuzz codes too.
In relation to the article I would like to share all my tests with you:
OnePlus One and HackRF used to send a parrot signal on 347 MHz to a Chinese wireless doorbell:
OnePlus One and HackRF Library for Android used to send a parrot signal on 433 MHz to a remote control: