Tagged: wireless power outlets

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows us how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrically devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets
HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets

 

Reverse Engineering Radio Controlled Power Outlets with Help from the RTL-SDR

Radio controlled electricity power outlets are outlets that can be turned on or off using a wireless radio controlled remote. Over on the blog leetupload.com the author has written an article showing how he was able to reverse engineer the wireless power outlets radio protocol.

The author used an RTL-SDR and SDR# to listen to the outlets wireless AM transmissions at 434 MHz. He then recorded the signal audio and then used audacity to view the waveform. By analyzing the audio output he discovered that the signal was a Non-Return-To-Zero (NRZ), pulse width modulated (PWM), Amplitude Shift Keying / On Off Keying (ASK/OOK) signal.

Later he was also able to use the RFCat USB dongle to transmit an on off signal from his computer. RFCat is an USB dongle that is capable of transmitting on 433 MHz.

RTL-SDR Software Radio used to Reverse Engineer the Wireless Power Outlet
RTL-SDR RTL2832U Software Radio Audio output Analyzed in Audacity for Reverse Engineering a Wireless Power Outlet
Remote Control Outlet Replay With RFCat

Remote Control Outlet Replay With RFCat

Source Hackaday