Verification Of Primitive Sub Ghz Rf Replay Attack Techniques Based On Visual Signal Analysis



Similar documents
Breaking the Security of Physical Devices

DT3: RF On/Off Remote Control Technology. Rodney Singleton Joe Larsen Luis Garcia Rafael Ocampo Mike Moulton Eric Hatch

REMOTE KEYLESS ENTRY SYSTEM RECEIVER DESIGN

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Maximizing Range and Battery Life in Low-Cost Wireless Networks

Key Priorities for Sub-GHz Wireless Deployment

Software Defined Radio

Logitech Advanced 2.4 GHz Technology

Building a Basic Communication Network using XBee DigiMesh. Keywords: XBee, Networking, Zigbee, Digimesh, Mesh, Python, Smart Home

Logitech Advanced 2.4 GHz Technology With Unifying Technology

Wireless Medical Telemetry Laboratory

2.0 System Description

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

Logging of RF Power Measurements

HAM FOR HACKERS TAKE BACK THE AIRWAVES. JonM DEFCON 16

Demystifying Wireless for Real-World Measurement Applications

Special Topics in Security and Privacy of Medical Information. Reminders. Medical device security. Sujata Garera

Analyzing 6LoWPAN/ZigBeeIP networks with the Perytons Protocol Analyzer May, 2012

Tri-Band RF Transceivers for Dynamic Spectrum Access. By Nishant Kumar and Yu-Dong Yao

MANAGEMENT OF BI-DIRECTIONAL AMPLIFIERS IN THE LAND MOBILE SERVICE IN THE FREQUENCY RANGE 29.7 MHz TO 520 MHz

Analysis of Immunity by RF Wireless Communication Signals

APPLICATION NOTE. AT05558: Wireless Manufacturing Test Kit. Atmel ATmega256RFR2. Description. Features

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

Wireless Network Analysis. Complete Network Monitoring and Analysis for a/b/g/n

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

ASSET TRACKING USING RFID SRAVANI.P(07241A12A7) DEEPTHI.B(07241A1262) SRUTHI.B(07241A12A3)

Spectrum analyzer with USRP, GNU Radio and MATLAB

Shadow TX(A) Shadow RX

TCB Workshop. Unlicensed National Information Infrastructure Devices (U-NII)/Dynamic Frequency Selection (DFS)

Methodologies for Reducing Mobile Phone Test Time

Broadcasting your attack: Security testing DAB radio in cars

WIRELESS INSTRUMENTATION TECHNOLOGY

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Application Note AN-00125

COMMUNICATIONS AND MULTIMEDIA ACT 1998 CLASS ASSIGNMENTS NO. 1 OF 2015

Environmental Monitoring: Guide to Selecting Wireless Communication Solutions

BURGLAR ALARM SYSTEMS BURGLAR ALARM SYSTEMS BURGLAR ALARM SYSTEM EURO ALARM WIRELESS BURGLAR ALARM SYSTEM OASIS

Dynamic Frequency Selection (DFS) and the 5GHz Unlicensed Band

GRF-3300 RF Training Kits

Observer Analyzer Provides In-Depth Management

Zlinx Wireless I/O. Peer-to-Peer and Modbus I/O B&B ELECTRONICS PRODUCT INFORMATION

Adaptive Radio. Cognitive Radio

Quick Start Guide. MRB-KW01 Development Platform Radio Utility Application Demo MODULAR REFERENCE BOARD

Product Information S N O. Portable VIP protection CCTV & Alarm System 2

VEHICLE TRACKING ALONG WITH THE ADVANCED RTO TECHNOLOGY

Whitepaper 4 Level FSK/FDMA 6.25 khz Technology

How To Understand The Power Of An Freddi Tag (Rfid) System

Electronic Access Control Security. Matteo Beccaro HackInTheBox Amsterdam, May 27 th, 2016

Radio Frequency Identification (RFID)

Wireless Tools. Training materials for wireless trainers

Design and Certification of ASH Radio Systems for Japan

PRORAE REMOTE HOST CONTROLLER: COMMUNICATION TROUBLESHOOTING GUIDE

Wireless Temperature

How To Know If You Are Safe To Use An Antenna (Wired) Or Wireless (Wireless)

868 MHz Traffic Detective: A Software-Based Tool for Radio Traffic Monitoring

Honeywell Primus HF 1050 HF Radio System

Guide to Wireless Communications. Digital Cellular Telephony. Learning Objectives. Digital Cellular Telephony. Chapter 8

APPLICATION NOTE GaGe CompuScope based Lightning Monitoring System

Evolution of Satellite Communication Systems

Professur Technische Informatik Prof. Dr. Wolfram Hardt. Network Standards. and Technologies for Wireless Sensor Networks. Karsten Knuth

Verifying Detection of Asset Tags in WLAN Controllers

Home Insecurity: No Alarms, False Alarms, and SIGINT

Department of Electrical and Computer Engineering Ben-Gurion University of the Negev. LAB 1 - Introduction to USRP

RFID BASED VEHICLE TRACKING SYSTEM

GNU Radio. An introduction. Jesper M. Kristensen Department of Electronic Systems Programmerbare digitale enheder Tuesday 6/3 2007

Smart Anytime, Safe Anywhere. Home Passport Gateway-G Series. The Epitome of Smart Living

WIRELESS MAGNETIC CONTACT

LTE Evolution for Cellular IoT Ericsson & NSN

EECC694 - Shaaban. Transmission Channel

Developer s Guide to Submetering Submetering Specifications for Multi-Housing Construction

FM Radio Transmitter & Receiver Modules

INDEPENDENT COMMUNICATIONS AUTHORITY OF SOUTH AFRICA

Possible Applications

ELETRONIC COMMUNICATIONS COMMITTEE

Wireless Transmission of JPEG file using GNU Radio and USRP

You don t hear me but your phone s voice interface does. José LOPES ESTEVES & Chaouki KASMI

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

ÇANKAYA ÜNİVERSİTESİ ECE 491 SENIOR PROJECT I ERDİNÇ YILMAZ

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Main Ways to Enhance Throughput

II. Radio equipment which transmits only under the control of electronic communications networks

Raptor RXi Ultra-fast scanning Countersurveillance Receiver

Introduction to FM-Stereo-RDS Modulation

Rapid Prototyping of a Frequency Hopping Ad Hoc Network System

Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study

COMMUNICATIONS AND MULTIMEDIA ACT 1998 NOTIFICATION OF ISSUANCE OF CLASS ASSIGNMENTS

NFC Test Challenges for Mobile Device Developers Presented by: Miguel Angel Guijarro

DKWF121 WF121-A B/G/N MODULE EVALUATION BOARD

APPLICATION NOTE. RF System Architecture Considerations ATAN0014. Description

Guarded community solutions Easy Series for villa and apartment projects

The cost and performance benefits of 80 GHz links compared to short-haul GHz licensed frequency band products

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Design And Implementation Of Bank Locker Security System Based On Fingerprint Sensing Circuit And RFID Reader

Technologies Supporting Smart Meter Networks

TBS Dominator 5G8 Receiver

Transcription:

Edith Cowan University Research Online Australian Digital Forensics Conference Security Research Institute Conferences 2013 Verification Of Primitive Sub Ghz Rf Replay Attack Techniques Based On Visual Signal Analysis Maxim Chernyshev Edith Cowan University, m.chernyshev@ecu.edu.au Originally published in the Proceedings of the 11th Australian Digital Forensics Conference. Held on the 2nd-4th December, 2013 at Edith Cowan University, Perth, Western Australia This Conference Proceeding is posted at Research Online. http://ro.ecu.edu.au/adf/117

VERIFICATIONOFPRIMITIVESUBGHZRFREPLAYATTACKTECHNIQUESBASEDONVISUAL SIGNALANALYSIS MaximChernyshev SecurityResearchInstitute,EdithCowanUniversity Perth,Australia m.chernyshev@ecu.edu.au Abstract Asthelowcostoptionsforradiotrafficcapture,analysisandtransmissionarebecomingavailable, somesecurityresearchershavedevelopedopensourcetoolsthatpotentiallymakeiteasiertoassess the security of the devices that rely on radio communications without the need for extensive knowledgeandunderstandingoftheassociatedconcepts.recentresearchinthisareasuggeststhat primitivevisualanalysistechniquesmaybeappliedtodecodeselectedradiosignalssuccessfully.this studybuilds upon thepreviousresearchin theareaofsubghz radiocommunications andaims to outlinetheassociatedmethodologyaswellasverifysomeofthereportedtechniquesforcarryingout radiofrequencyreplayattacksusinglowcostmaterialsandfreelyavailablesoftware. Keywords Radio frequency (RF) communications, replay attack methodology, visual signal analysis, protocol analysis,rfsignaldecoding,rfcat,subghzrfspectrum,softwaredefinedradio(sdr) INTRODUCTION Radiotrafficissaidtoberarelyusedinpenetrationtestingduringthereconnaissancephase,yetone is able to collect potentially valuable information through its capture and analysis (Neely, Hamerstone, & Sanyk, 2013). The modern equipment that is needed to facilitate the protocol analysis,aswellassubsequentsignalretransmission,doesnothavetobecostlyorunwieldy. Withtheproliferationofsoftwaredefinedradios(SDRs),whichmaybepurchasedforlessthan$20 USD,interestedradioamateursaswellasresearcherswithlimitedfundingareabletoexplorethe field of radio communications (Smith, 2012). While SDRs are theoretically able to operate on frequencies between 55MHz and 2300MHz, with some specialised devices designed by Ossmann (2013) being able to cover the extended 30MHz6000MHz range, this study focuses on the frequenciesbelow1000mhz,orthe"subghz"range.thesubghzrangeisofimmenseinterestdue tothehighnumberandvarietyofdevicesthatoperatewithinthatrange.theaimofthestudyisto verifyprimitivevisualsignalanalysistechniquesthatcouldpotentiallybeusefulinexecutingreplay attacks against devices in the subghz range without the need to acquire detailed knowledge of radiocommunicationsorexpensiveequipment. DEVICESINTHESUBGHZSPECTRUM Devices that operate in the subghz range commonly include alarm systems, various meters and sensors(suchasproximity,pressure,andacceleration),homeautomationsystems,remotecamera flashes and shutter triggers, garage door openers (GDE), remote keyless entry systems (RKE), tyre pressuremonitoringsystems(tpms),wirelessdoorchimes,smartgridtechnologycomponentsfor metertoutilitycommunications,cordlessphones,mobilephones,medicaldevicesaswellasradio frequency identification (RFID) devices (Atlas, 2012b; Harizanov, 2012; Liang & Liu, 2011; Sikken, 2009;SiliconLabs,2010;Smith,2012;Weber,2013). AccordingtoLiangandLiu(2011)andSiliconLabs(2010),subGHzfrequenciestendtobetherational choice for such devices because utilising this portion of the spectrum facilitates the following features: Range Lowinterference 26

Lowpowerconsumption Whileitisalsonotunusualforthedevicedesignerstoturntothe2.4GHzbandtoachieveglobal interoperabilitythroughtheutilisationofcommonstandardssuchasbluetooth,wlanandzigbee, devicesthatrequireprolongedbatterybasedoperationareoftendesignedtofunctioninthesub GHzbands. Table1.SomeCommonRegionalSubGhzBands(Harney&O Mahony,2006) MostofthebandspresentedinTable1arealsocommonlyknownastheindustrialscientificmedical (ISM)bands(Frenzel,2010).Specifically,the433MHzbandisoftenthepopularchoiceoftheglobal manufacturers, as it only requires a minor frequency adjustment to operate in Japan (Harney & O Mahony,2006).ItshouldbenotedthatinAustraliasuchdevicesarealsoreferredtoasthelow interference potential devices (LIPDs), and their operation in the 433.05434.79MHz band is supported through the relevant class licence as long as the maximum equivalent isotropically radiatedpower(eirp)doesnotexceed25milliwatt(mw).historically,theadoptionofthe433mhz band in Australia was driven in the late 1990s by the growing demand for the importation and adoption of the devices from Europe, where, unlike in Australia, the 433MHz band is also the designatedismband(acma,1999). ATTACKMETHODOLOGY Atthetimeofwriting,anumberofarticlesandblogentriesthatdescribetheapproachestakento capture and reverseengineer radio frequency (RF) signals are available on the Internet (Hohawk, 2012;Laurie,2013;Weber,2013).Unfortunately,theresearcherhasnotbeensuccessfulinlocating publishedpeerreviewedarticlesspecifictothistopicinthecontextofdevicescommonlyfoundin residentialproperties,apartfromtheonesthatemploythekeeloqblockcipher(aertsetal.,2012). Perhaps,thiscouldbeduetopoorkeywordselection,orotherwisegoestoaccentuatetheperceived noveltyofusinglowcostmaterialstocarryoutrfreplayattacksonconsumerelectronics. Inthecontextofthisstudy,theactivitiesassociatedwiththecapture,decodingandretransmission oftherfsignalsarereferredtoas"attacks",becausesuccessfulsignaldecodingandretransmission areexpectedtoresultintakingpartialor,insomecases,fullcontrolofthetargetdevicecontraryto thedesireofitsownerortheintentionofthemanufacturer.basedonthecurrentlyavailablereports, itispossibletoderiveastructuredtheoreticalmethodologyforcarryingouttheseattacks. 27

Figure1.RFReplayAttackMethodology Figure 1 represents the stages typically involved when attempting to carry out RF replay attacks. Essentially,theprocesscommenceswiththeselectionofthetargetdevice.Inamoderndomestic setting, wireless door chimes, GDEs and RKEs are typically available and present a number of opportunitiesaspotentialtargets. Oncethetargetisidentified,theprotocolanalysisphasebegins.Thisphaseseemstobethemost complexpartoftheprocessasitconsistsofmultiplestepsandoftenrequirestherepetitionofsome of the steps to achieve a successful outcome, which in this context means being able to reliably decodeandretransmitthecapturedsignalsothatthetargetreactstoit. Thefirststepofthisphaseis concerned with theidentification oftheoperatingfrequencyof the selecteddevice.intheunitedstates,thefederalcommunicationscommissionidentification(fcc ID)labelattachedtothedeviceitselfmaybeusedtolookuptheoperatingfrequencyofthedevice online(weber,2013).intheunitedkingdom,theradio&telecommunicationsterminalequipment (R&TTE) approval label is claimed to provide the ability to determine the frequency in a similar fashion(laurie,2013).additionally,theinformationcontainedinvariousrelevantpatentsmayalso beusedtoidentifythefrequencyandeventhespecificationofthecommunicationprotocolinsome cases(atlas,2012b).finally,theidentificationoftheoperatingfrequencymaybeachievedthrougha more tedious process of systematically scanning the spectrum for radio signals while ensuring an activetransmissionfromthedeviceinparallel.variousopensourcecommandlinetoolsaswellas SDRgraphicaluserinterface(GUI)frontendsarereadilyavailabletoassistandpotentiallyautomate thistask. Figure2.HDSDR(left)andGqrx(right)SDRGUIFrontends The next step is to demodulate the raw signal and capture it into one of the common audio file formats,suchasawavfile.therecordingofthesignalmaybeperformedusingansdrguisuchas HDSDRorGqrx(Figure2)andalsoviathemeansofacustomGNURadioprocessingchain(Hohawk, 2012;Laurie,2013).Itshouldbenotedthat,whileothermethodspotentiallyexisttoachievethe sameoutcome,thisapproachisbeingdescribedbecauseitdoesnotrequiredeepunderstandingof RFbased communications. Also, the description of the various modulation schemes and the associatedconceptsisoutsidethescopeofthisresearch.thecaptureusuallyinvolvestuningansdr tothedesignatedoperatingfrequencyofthetargetdevice,usingamplitudemodulation(am)asthe demodulationscheme,sinceitisclaimedtobethemostlikelyused,andinitiatingthetransmission fromthedevicewhilerecordingatthesametime. 28

Figure3.CapturedSignalWave(top),SquareSignalWave(middle),DecodedBinaryValuePortion(bottom)(Laurie,2013) Oncethesignalhasbeencaptured,decodingissuggestedtobecarriedoutviathemeansofvisual waveform analysis and decomposition. Essentially, the successful decoding relies on the ability to match the waveform peaks to respective data bits. Knowing the signal modulation scheme is requiredtoconvertthesignalintobinaryform.essentially,amplitudeshiftkeying(ask)andonoff Keying(OOK)modulationschemes,thelatterbeingasimplificationofASK,aregenerallyclaimedto bethemostlikelyschemesusedduetolowimplementationcostandlongbatterylife(brown,bagci, King,&Roedig,2013;Holenarsipur,2009).InthecaseofOOK,energysavingisachievedbecausethe transmitter does not spend power when sending 0 or 1 bits depending on the specifics of the implementation pertinent to a particular device. Interestingly, previous research suggests that without having access to the specification of the communication protocol, it is not feasible to determineinadvancewhetherawavepeakrepresentsa0bitora1bitandviceversa(hohawk, 2012).Consequently,decodingislikelytoturnintoaniterativeprocesswiththeoutcomeverification performedviasignalretransmission. Tofacilitateabettervisualbasisfortheanalysis,thecapturedsignalmayalsobeconvertedtosquare wave through the process of amplification. Figure 3 shows the visual differences between the originally captured wave and the resulting amplified square wave. Furthermore, the figure also representsthevisualconversionprocessthatisbasedonassumingthemodulationprotocolbeing OOK. In this case, the "highs" are assumed to represent the 1 bits and the "lows" the 0 bits respectively.thebitlengthalsocorrespondstothelengthoftheshortestpulse.itshouldalsobe noted that it is common for the repeated bursts padded with whitespace to be transmitted as opposedtosinglesignalinstances.thefinalcrucialcomponentistheabilitytodeterminethesignal datarateorbaudrate(atlas,2012b).inthecontextofvisualanalysis,measuringthelengthofthe shortestpulseinaburstanddividing1bythemeasuredlengthinsecondsmaybeusedtocalculate the data rate (Hohawk, 2012). Given that this study is only concerned with primitive techniques, othermodulationschemes,suchasfrequencyshiftkeying(fsk),areconsideredtobeoutofscope. Analogically, sync words, modes and programmatic data (baud) rate detection are also not being described. Havingconvertedthesignalintobinaryformprovidesthebasisforsubsequentreplay.Itissuggested that a tool called RfCat is well suited for this purpose, as it provides an easily accessible Python basedpromptforcarryingoutvariousrfrelatedresearchtasksinteractively(hohawk,2012;laurie, 2013;Weber,2013).Thetoolisdescribedinmoredetailinthenextsection.Forthepurposeofsignal transmission,thebinaryformneedstobeconvertedtohexadecimalformsupportedbypython.for example,thevalueof01011100,whichcorrespondsto5c,maybepassedtotheinteractiveshellas \x5c.providedthatacompatibledongleisavailableandtherfcatfirmwarehasbeenloadedonto 29

it,replayingthesignalisamatterofusingtheinteractiveshellto: 1. Tunetotherequiredoperatingfrequency 2. Setthemodulationscheme 3. Setthedatarate 4. Transmitthestringderivedfromthebinaryrepresentation 5. Observethereactionofthetargetdevice Ifthereplayissuccessful,thedeviceisexpectedtorespondtothesignal.Forinstance,inthecaseof awirelessdoorchime,oneshouldhearthebellring.inthecaseofagaragedooropener,thedoor shouldopenorclosedependingonitspreviousstate.assuggested,itisnotgrantedthatasuccessful replaywilloccuronthefirstattempt,atwhichpointsteps3to6willneedtoberepeateduntila successfulreplaytakesplace.finally,toeasethesubsequentreplays,onemaychoosetoautomate thestepsrequiredtoconfigurethedongleandsendthesignalbywritingacustompythonscript. Interestingly, the ez430chronos wireless development kit may also be used to carry out the transmission and there is an opensource tool available that aids with programming the watch (Laurie,2013). Using the process based on the methodology described above, a number of security researchers havebeensuccessfulincarryingoutreplayattacksagainstawirelessdoorchime,remotegateand garage door opener, automotive remote car entry systems and a wireless power saver adaptor (Hohawk, 2012; Laurie, 2013). In the latter case, the consequences could be as dire as setting a residentialpropertyonfire,whichwouldbelikelytoresultinextensivepropertydamage,injuryor death(tung,2013).subsequentcommentsleftontheblogentrypagesalsoindicatethatongoing researchintocommunicationprotocolsemployedbywirelessalarmsystemshavebeentakingplace. RFCAT TheopensourceprojectthatfacilitatesRFbasedsecurityresearchcalledRfCatisdubbedthe"the Swiss army knife of subghz radio" (Atlas, 2012a). The project has undergone a phase of active developmentbymultiplecontributorsoverthelasttwoyearswiththelastchangecommittedinmay 2013atthetimeofwriting.Officially,onlythefollowingthreedevicescurrentlysupporttheRfCat firmware: RadicaIMMewirelesshandhelddevice TexasInstrumentsCC1111USBevaluationmodulekit TexasInstrumentseZ430Chronoswirelessdevelopmentkit(specifically,theCC1111based USBaccesspoint) In addition, a custom electronic badge has been specifically designed and built to support RfCat (Ossmann,2012).Whiletheprojectdocumentationcontainsadetailedsetofinstructionsonloading thefirmwareontothesupporteddevice,theinteractiveshellissparselydocumentedandsuccessful application of the tool in practice is said to require a sufficient level of understanding of radio communications(weber,2013). 30

Figure4.RfCatInteractiveShellWelcomeMessage Figure4presentsthescreenshotoftheinteractiveRfCatshellthatisshownimmediatelyuponits launch.theshellprovidesaglobalobject"d",whichfacilitatesthenecessaryinterfacetotheusb dongle.basedonthebriefexaminationofthesourcecode,theinbuilthelpandthepresentationby theoriginalauthor,anumberofkeymethodsusefulinthecontextofthestudyhavebeenidentified. Table2.RfCatMethodsFoundUsefulintheContextoftheStudy Method help(d) help(d.[method]) d.printradioconfig d.setfreq d.setmdmmodulation d.setmdmdrate d.makepktflen d.rfxmit d.rflisten Description Displaystheinbuilthelpavailableforallsupportedcommands Displaystheinbuilthelpforthespecifiedmethod,where[METHOD]shouldbe replacedbynameofthedesiredmethod Printsthecurrentdetailedconfigurationofthedongle Setstheoperatingfrequency Setsthemodulationscheme(suchasOOK) Setstheoperatingdata(baud)rate Setsthelengthofthetransmittedorreceivedpackettoanarbitraryvalue Transmitsthesignalcorrespondingtothesupplieddatavalue Putsthedongleintomonitoringmodethatdisplayspacketsastheyarrive d.specan Opensthespectrumanalyserwindow Table2onlylistsasmallsubsetofthemethodsavailable,additionalmethodsthatsupportlowlevel signaldiscoverymodes,aswellasautomatedfrequencyscanningroutinesarealsoreadilyavailable. RfCatappearstobeaversatiletoolthathasanumberofpotentialapplicationstoRFbasedsubGHz securityresearch.thepresentedabilitytolistentoradiotrafficinrealtimeandhavethedecoded datapresentedonscreeninstringformcouldpotentiallyeliminatetheneedforthetediousvisual protocol decomposition process and speed up the signal decoding phase by multiple orders of magnitude.ultimately,theintentionbehindthetoolwastoimplementameansofconvenientaccess tothesubghzspectrum,sothatsecurityconcernsassociatedwithradiocommunicationsprotocols employed by respective devices could be verified, justified and subsequently mitigated through informeddeviceandprotocoldesignimprovements. 31

VERIFICATION AimsandAssumptions To verify the reported signal decoding and retransmission techniques in practice, the author has acquiredthenecessaryequipmentandselectedatargetdevicetoachievethefollowingaims: 1. CapturethesignalusinganSDR 2. Decodethecapturedsignalusingvisualwaveformanalysismethod 3. Verifytheaccuracyoftheresultingdecodedsignalviathemeansofasuccessfulreplay 4. Identifyotherpotentialwaysofachievingthesameoutcome Thedescribedverificationprocessisbasedontheassumptionthathavingadetailedunderstanding ofradiocommunicationsisnotrequiredtobeabletoachieveasuccessfuloutcome.furthermore, theauthordidnotpossessanyofsuchknowledgepriortocarryingoutthisresearch. Materials Inordertofollowthepreviouslydescribedmethodology,thefollowingmaterialswereobtained: TerratecTStickDVBTUSBStick(E4000)withmetalantennaandantennamount TexasInstrumentseZ430Chronoswirelessdevelopmentkit TexasInstrumentsCCDebugger Genericsolderingkitandsolderwire Acommoditylaptopcomputerwithx2USBports,GqrxandAudacityinstalled BecausetheeZ430ChronosUSBaccesspointbasedontheCC1111systemonchipdoesnotcome with development header pins, debug interface connection to the CCDebugger needs to be facilitatedviathemeansofsoldering. 32

Figure5.eZ430ChronosRFAccessPointConnectiontoCCDebuggerSolderingSpecification(top),theResultingSuccessful DebuggingInterface(bottom)(TI,2013) Figure5representsthesolderingschematicappropriatefortheUSBdongleusedinthisstudy(top), aswellastheresultinginterfacecableconnectedtotheccdebuggerwiththegreenledindicatinga successfulconnection(bottom).oncethedebugginginterfaceisfunctioning,thecustomrfcatboot loaderfirmwareneedstobeloadedontotheaccesspointusingthetexasinstrumentssmartrfflash Programmersoftware.Havingsatisfiedthenecessaryprerequisites,thecustomRfCatfirmwaremay beloadedontothedonglebyfollowingtheinstructionssuppliedwiththetool.subsequentcapture and protocol analysis described in the next sections were carried out in an isolated laboratory setting. FollowingtheMethodology Alocallymanufacturedwirelessdoorchimewasacquiredforthepurposeofthisstudy.Thistarget wasassumedtoyieldahigherpotentialofsuccessfulreplaycomparedtodevicesthatareknownto employ sophisticated security mechanisms, such as RKEs (Aerts et al., 2012). The operating frequencyofthedevicewasinitiallydiscoveredbyvisuallyinspectingthechimecomponentcase,as itwasconvenientlyprovidedontheattachedlabel.subsequently,tuningthesdrtothediscovered value and testing for signal presence while pushing the button on the remote verified the found operatingfrequency,whichinthiscasewas433.92mhz. Figure6.CapturedSignalWave(top),SquareSignalWave(middle),DecodedBinaryandHexValues(bottom) Analogouslytothepreviousreports,themodulationschemeemployedbythedevicewasassumed tobeam.atthatstage,thefrequencyvalueandmodulationschemeprovidedsufficientbasisfor signal capture. Once the signal was captured, it was established that the demodulated waveform comprisedofabout60shortbursts,allofwhichwereidentical.atthispoint,duetothesimplicityof the originally captured waveform the signal decoding could also be done without the need for conversiontosquarewave.nevertheless,conversionwasperformedforsubsequentdemonstration purposes.figure6representsthecapturedsignalinitsoriginalform,aswellastheresultingsquare waveandthedecodedbinaryandhexadecimalvalues.thedecodingassumesthattheshortestpeak represents the 1 bit. Measuring the length of the shortest peak in seconds and dividing 1 by the measuredvalueprovidedthedatarateof2500bitspersecond. Theinitialreplaywasnotsuccessfulbecausethewhitespacebetweentheburstsdidnotmatchthat expected by the device. The length of the required whitespace was determined in an iterative mannertobe3nullbytes.finally,sendingthedecodedbinaryvalueof \x12\xd9\x65\x96\xd9 (payload) immediately followed by \x00\x00\x00 (whitespace) 60 times resulted in a successful 33

replayasthetargetrespondedtothesignal.later,itwasalsodeterminedthatsendingaslittleas18 bursts also resulted in a successful replay. While subsequent automation was out of scope of the study, one could potentially create a script to brute force the associated signal key space to determine how quickly a successful replay may be achieved automatically after a code change or usinganothertargetofasimilarkind. CONCLUSION Buildinguponthepreviousresearch,thestudyhaspresentedabasicRFreplayattackmethodology based on visual signal analysis. In the context of simple devices that utilise the OOK modulation scheme,thepresentedmethodologyhasbeenverifiedtobesuccessfulandprovesthatcarryingout simplerfreplayattacksdoesnotrequiresubstantialknowledgeofradiocommunications.thestudy has shown that a lowcost SDR coupled with a USB dongle compatible with the RfCat firmware provideasolidfoundationfor carryingout RFsignalanalysisandretransmissiontasks. Ultimately, thisemphasisesthelowlevelofskillandfundsrequiredtocarryoutrfattacksagainstotherdevices andtheassociatedsecuritychallenges. Thestudyhighlightsanumberofopportunitiesforfutureresearch.Firstly,otherdevicesandmore complex communication protocols could be analysed in greater detail to derive additional and potentiallymoreefficientdecodingtechniques.forexample,conversionofwavepulsesintobinary and hexadecimal representations could be automated using a custom script. Secondly, RF signals could potentially be used in locational fingerprinting. Thirdly, the features of RfCat that facilitate automatedsignaldiscoveryanddecodingwithouttheneedforvisualwaveforminspectioncouldbe studied in more detail. Finally and most importantly, research into ways of securing weak radio communicationprotocolscouldassistwithprotectingthesubghzspectrumfrompotentialattacks inthefuture. REFERENCES ACMA.(1999).Spectrumat434MHzforlowpowereddevices.from http://www.acma.gov.au/theacma/spectrumat434mhzforlowpowereddevices Aerts,W.,Biham,E.,Moitié,D.,Mulder,E.,Dunkelman,O.,Indesteege,S.,...Verbauwhede,I. (2012).APracticalAttackonKeeLoq.JournalofCryptology,25(1),136157.doi: 10.1007/s0014501090919 Atlas.(2012a).RfCatSupportedDongles.RetrievedSeptember30,2013,from https://code.google.com/p/rfcat/wiki/supporteddongles Atlas.(2012b).SubGhzorBust.PaperpresentedattheBlackHatUSA2012Conference. Brown,J.,Bagci,I.E.,King,A.,&Roedig,U.(2013).Defendyourhome!:jammingunsolicited messagesinthesmarthome.paperpresentedattheproceedingsofthe2ndacmworkshop onhottopicsonwirelessnetworksecurityandprivacy,budapest,hungary. Frenzel,L.(2010).ElectronicsExplained:Newnes. Harizanov,M.(2012).Controlling433MhzRFpowersocketswithaRFM12Bmodule.Retrieved October12,2013,fromhttp://harizanov.com/2012/04/controlling433mhzrfpower socketswitharfm12bmodule/ Harney,A.,&O Mahony,C.(2006).WirelessShortRangeDevices:DesigningaGlobalLicenseFree SystemforFrequencies<GHz.AnalogDialogue,4003. Hohawk,A.(2012).Hackingfixedkeyremotes.RetrievedSeptember12,2013,from http://andrewmohawk.com/2012/09/06/hackingfixedkeyremotes/ Holenarsipur,P.(2009).I'mOOK.You'reOOK?RetrievedOctober17,2013,from 34

http://pdfserv.maximintegrated.com/en/an/an4439.pdf Laurie,A.(2013).Youcanringmybell!AdventuresinsubGHzRFland...RetrievedOctober3,2013, fromhttp://adamsblog.aperturelabs.com/2013/03/youcanringmybell adventuresinsub.html Liang,F.,&Liu,B.(2011).ResearchofSubGHzWirelessSensorNetworkandItsApplicationinGrain MonitoringSystem.JournalofComputationalInformationSystems,7(10). Neely,M.,Hamerstone,A.,&Sanyk,C.(2013).WirelessReconnaissanceinPenetrationTesting. Boston:Syngress. Ossmann,M.(2012).TheToorCon14Badge.RetrievedOctober22,2013,from http://ossmann.blogspot.com.au/2012/10/thetoorcon14badge.html Ossmann,M.(2013).HackRF,anopensourceSDRplatform.RetrievedOctober21,2013,from http://www.kickstarter.com/projects/mossmann/hackrfanopensourcesdr platform Sikken,B.(2009).433MHzprojects.RetrievedOctober18,2013,from http://bertrik.sikken.nl/433mhz/ SiliconLabs.(2010).KeyPrioritiesforSubGHzWirelessDeployment. Smith,C.(2012).Trackingplanesfor$20orless.RetrievedOctober22,2013,from http://www.irrational.net/2012/08/06/trackingplanesfor20orless/ TI.(2013).eZ430Chronos DevelopmentTool:TexasInstruments. Tung,L.(2013).BurningdownthehousewithanRFhackingwatch.RetrievedOctober17,2013, from http://www.cso.com.au/article/456198/burning_down_house_an_rf_hacking_watc h/ Weber,D.C.(2013).RadioCommunicationAnalysisusingRfCat.RetrievedOctober20,2013,from http://labs.inguardians.com/ 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information