Penetration Testing mailing list archives
Re: RF code scanners
From: Richard Rager <kb8rln () penguinmaster com>
Date: Thu, 17 Jun 2004 02:22:22 -0600 (MDT)
On Wed, 16 Jun 2004, Amit Deshmukh wrote:
> Has anyone had any experience with using radio frequency code scanners and/or grabbers to try and grab codes for garage doors and things like that?
Well, let's talk about car alarm, garage door and home automatic door transmitters and receivers.
> What's the sort of hardware used for this?
I will limit myself to the current active transmitters, because the old ones are just so bad that overloading the front end of the receiver will open the door. The transmitters are a very simple FM transmitter (FCC Part 15) with a CODEC IC that is fed a serial stream. The receivers are also (FCC Part 15) and feed a CODEC that converts back to a serial stream. In all cases these serial streams are handled by a microcontroller of some type. There are two main types of transmitters.

1.) The transmitters are programmable. Dip switches are the simplest. The output of these can be easily recorded and replayed. To do this, use a digital recorder that only needs to record about 5 seconds.

2.) The transmitters are pre-programmed and the receiver learns a new transmitter.
> Surely it can't be a matter of just cycling through the 2.4 GHz (or appropriate) spectrum till you hit the right frequency and the door pops open! There is probably also a code burned into the firmware of the remote control device and the receiver which may need to match up.
That is all you needed to do in the old days with the 48-54 MHz ones. The newer ones I have seen are at 300 MHz, 450 MHz and 900 MHz; it costs money to go that high in frequency. Yes, you are right. Just a receiver with its output going to a sound card is the only recording device you will need, overkill though.
> I've heard of other devices which sort of "code hop" and use a different code each time. Any vulnerabilities with those? (maybe they use an "industry-standard" algorithm?)
You are speaking about something like KeeLoq (TM), which is one type. http://ww1.microchip.com/downloads/en/DeviceDoc/keeloq.pdf This is a simple PKI that uses a 32-bit encrypted hopping code and a 32-bit serial number. The weak point here: if you get 3 or more transmissions from one remote, it is easy to calculate the serial number. Please remember that a 4 kilohertz processor can decode this. It would be a joke for a 1 GHz processor to bypass it.
> Is it better to use a scanner or grabber with devices that use a static non-changing code?
Static codes are easily replayed. Anyone that can hear the signal can resend it. Code hopping is better, but with the limits on the speed of the microprocessor used, it would be a joke to circumvent with any laptop computer. The same holds true with those RFID cards for locks that I carry. The locks also require a PIN as well, so that is a little better. But for me to build a remote receiver to read the cards in your pocket would be easy. Most RFID cards are static serial transmissions. I hope this helps.

Just one note about all digital locks. It is just a matter of time before the digital lock picks are going to come out. Are you going to be ready for the change? Just a note: about 10 years ago, I was installing digital locks for safes and other things. I found out that you could open them with RF transmissions. I called the manufacturer and never got a call back, but about 8 months later, going to a trade show, they could talk about nothing else. There are some digital locks today that still have that same vulnerability. All of these electronic locks come down to a simple relay that costs about 50 cents US. A chain is only as good as its weakest link. I have pen-tested a lot of digital locks. Most of them I would not give you a nickel for the security of them. But if it makes you feel good, do it. This is something that needs to be added to pen-testing, since most of the computer data centers use electronic locks now. National security: here we come with more bad news.

Enjoy,
Richard Rager
http://penguinman.com
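As an added example, not part of Richard's message and not any vendor's code, here is a small Python model of the two receiver designs the thread contrasts. A static-code receiver accepts any frame equal to its stored code, so a frame recorded once keeps working. A counter-based rolling-code receiver, modelled loosely on the serial-plus-counter idea in the message and using a truncated HMAC as a stand-in for the device cipher (this is not KeeLoq and does not reproduce its algorithm), rejects a frame whose counter it has already accepted and only accepts counters within a resync window. All device values (code, serial, key, window size) are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values for the demo; none of these are real device parameters.
DEMO_STATIC_CODE = b"\x5a\x3c\x0f"                               # dip-switch style fixed code
DEMO_SERIAL = 0x00A1B2C3                                          # made-up 32-bit remote serial
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # made-up shared key
DEMO_WINDOW = 16                                                  # assumed resync window


class StaticCodeReceiver:
    """Fixed-code receiver: any frame equal to the stored code triggers the relay."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return frame == self.code


def rolling_tag(key: bytes, serial: int, counter: int) -> bytes:
    """Toy hopping-code tag: truncated HMAC-SHA256 over serial || counter (stand-in cipher)."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class RollingCodeTransmitter:
    """Toy rolling-code remote: every press increments the counter and sends (serial, counter, tag)."""

    def __init__(self, serial: int, key: bytes) -> None:
        self.serial = serial
        self.key = key
        self.counter = 0

    def press(self) -> tuple:
        self.counter += 1
        return (self.serial, self.counter, rolling_tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    """Accepts a frame only if the serial matches, the tag verifies, and the counter is
    strictly ahead of the last accepted counter but no further than the resync window."""

    def __init__(self, serial: int, key: bytes, window: int) -> None:
        self.serial = serial
        self.key = key
        self.window = window
        self.last_counter = 0

    def receive(self, frame: tuple) -> bool:
        serial, counter, tag = frame
        if serial != self.serial:
            return False
        # A counter at or below the last accepted one is a replay (or a stale frame).
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False
        if not hmac.compare_digest(tag, rolling_tag(self.key, serial, counter)):
            return False
        self.last_counter = counter
        return True


def replay_demo() -> dict:
    """Feed the same captured frame twice to each receiver and record what each does."""
    results = {}

    static_rx = StaticCodeReceiver(DEMO_STATIC_CODE)
    captured_static = DEMO_STATIC_CODE            # what a recorder would hold after one press
    results["static_first"] = static_rx.receive(captured_static)
    results["static_replay"] = static_rx.receive(captured_static)   # still opens

    tx = RollingCodeTransmitter(DEMO_SERIAL, DEMO_KEY)
    rx = RollingCodeReceiver(DEMO_SERIAL, DEMO_KEY, DEMO_WINDOW)
    captured = tx.press()                         # counter 1
    results["rolling_first"] = rx.receive(captured)
    results["rolling_replay"] = rx.receive(captured)                # counter 1 again: rejected

    for _ in range(5):                            # presses out of range of the receiver
        missed = tx.press()                       # counter reaches 6
    results["rolling_resync"] = rx.receive(missed)                  # within window: accepted

    corrupt = (DEMO_SERIAL, rx.last_counter + 1, b"\x00\x00\x00\x00")
    results["rolling_bad_tag"] = rx.receive(corrupt)                # valid counter, bad tag

    for _ in range(20):                           # far more missed presses than the window
        far = tx.press()                          # counter reaches 26
    results["rolling_out_of_window"] = rx.receive(far)              # 26 > 6 + 16: rejected
    return results


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name:24s} {'ACCEPTED' if accepted else 'rejected'}")
```

The point the model makes is the one in the message: the static receiver has no state, so a recording is indistinguishable from a button press, while the rolling receiver's stored counter is what makes a recorded frame useless after it has been accepted once. The window is the usual trade-off between tolerating out-of-range presses and bounding how far ahead a frame may claim to be.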
Current thread:
- RF code scanners Amit Deshmukh (Jun 16)
- Re: RF code scanners Mister Coffee (Jun 17)
- Re: RF code scanners Richard Rager (Jun 17)
- Re: RF code scanners Mister Coffee (Jun 22)
- Re: RF code scanners Richard Rager (Jun 17)
- Re: RF code scanners Richard Rager (Jun 17)
- <Possible follow-ups>
- Re: RF code scanners Maarten Van Horenbeeck (Jun 21)
- RE: RF code scanners Ng, Kenneth (US) (Jun 23)
- Re: RF code scanners Mister Coffee (Jun 24)
- RE: RF code scanners Ng, Kenneth (US) (Jun 23)
- Re: RF code scanners Mister Coffee (Jun 27)
- Re: RF code scanners Mister Coffee (Jun 17)