Penetration Testing mailing list archives
Re: RF code scanners
From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Thu, 17 Jun 2004 05:27:15 +0000 (GMT)
Hi Amit,

All vendors of preinstalled garage doors or similar devices do indeed have different transmission "data" being sent over the line. The exact protocol used is proprietary, at least most of the time. Keep in mind, though, that most of such devices installed by private contractors which are not affiliated with any of these companies use one of the "generic" models, such as Multicode. It should usually be quite easy to ascertain which company installed a certain door, and which brand of device they use. Obtaining a different remote from a known, existing company should also not be a very great problem. I'm not much of an electronics engineer myself, but I don't see too many problems in replacing the manual code definition system (e.g. the jumpers or buttons you use to set the code) by some form of electronic brute forcing system. If you can't get a new remote, the transmission frequency can be obtained from brochures on their devices (the technical notes should include frequency information).

If you are investigating the security of a new application, for which none of this information is known, I would try to use a broad spectrum HF/VHF/UHF scanner, trying to catch the specific frequency on which a command is being broadcast. As this type of application has not yet been under a great deal of security scrutiny, it seems best to concentrate on that favorite of all attacks, a replay attack. Would such an application execute similarly when a command is being sent and when an identical command is sent five minutes later? While progress has been made in the last number of years, I doubt very much that the majority of installed devices already have built-in protection against such an attack. One fairly new (2001) device which I tested seems to send through the exact same signal each time. It doesn't seem rational to assume that most end users would upgrade their device due to security concerns.

While I would advise you to use a standalone scanner (not one controlled by a PC, as this most definitely causes some additional interference/harmonics), winradio.com has some devices which can be used as a receiver for the 300 MHz frequencies used by a lot of these applications. A good tool to actually perform frequency analysis is Hamcom, an older shareware tool used by many radio amateurs. This can help you in comparing whether two signals are identical or not, and where the differences are.

There is one small problem with this theory. Usually, even if you are scanning only a very limited frequency range (310-390 MHz for example), the short time during which a user presses the "open" button may be too short for the scanner to catch the entire channel. There are two solutions to this. First of all, you could scan once to assess the signal frequency, and afterwards put your scanner's ear to this frequency permanently in order to catch the entire transmission next time it occurs. A second solution would be to run a very local jammer close to the receiver, while running your sniffer in a location closer to the place where the user actually attempts to open the door (e.g., put a scanner close to the garage door, while running the sniffer on the driveway, close to the roadside). The user will be tempted to press the button for a longer time, causing you to receive the entire transmission.

As you may have guessed, there are no catch-all solutions. Newer systems, such as Genie's IntelliCode, use more secure authentication, in which a different code is agreed between both receiver and sender upon each command transmission. This is valid for all their systems as of 1995. Similar systems are now also sold by other vendors.

The most reasonable approach to the security assessment of such a system should consist, at least in the beginning, of signals intelligence, and would start by actually capturing different instances of the signal, comparing them, and analysing their differences. I'm not aware of any of these protocols which have been identified completely yet (though I do recall something of a court case against a company which built universal door openers for different brands, so this information should be obtainable).

Cheers, good luck,

Maarten

--
Maarten Van Horenbeeck, GCIA <maarten () daemon be>
http://www.daemon.be/maarten
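To make the replay question in the post concrete, the following is an added example (not part of Maarten's message and not any vendor's actual algorithm): a fixed-code receiver of the jumper/button kind beside a rolling-code receiver in the spirit of the IntelliCode description, where the code changes on every press. The shared key, the two-byte code setting and the HMAC-over-counter frame layout are constructed assumptions for the demonstration.

```python
import hmac
import hashlib

class FixedCodeReceiver:
    # Jumper/button-set opener: one static code and no state, so a replay passes.
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeTransmitter:
    # Shares a secret with its receiver and authenticates an increasing counter.
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag  # 12-byte frame: counter || truncated MAC (assumed layout)

class RollingCodeReceiver:
    # Accepts a frame only if its MAC verifies and its counter moves forward.
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last = key, window, 0
    def accept(self, frame: bytes) -> bool:
        ctr = int.from_bytes(frame[:4], "big")
        expected = hmac.new(self.key, frame[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(frame[4:], expected):
            return False
        # A replayed frame carries a counter <= last and is rejected; the window
        # tolerates button presses the receiver never heard.
        if not self.last < ctr <= self.last + self.window:
            return False
        self.last = ctr
        return True

def demo() -> dict:
    fixed = FixedCodeReceiver(b"\x5a\x3c")          # constructed code setting
    captured = b"\x5a\x3c"                          # frame caught by a scanner
    results = {"fixed_first": fixed.accept(captured),
               "fixed_replay": fixed.accept(captured)}  # identical, minutes later
    key = b"constructed-demo-key"                   # provisioned at pairing time
    tx, rx = RollingCodeTransmitter(key), RollingCodeReceiver(key)
    frame = tx.press()
    results["rolling_first"] = rx.accept(frame)
    results["rolling_replay"] = rx.accept(frame)    # same bytes again: rejected
    for _ in range(5):
        tx.press()                                  # presses out of receiver range
    results["resync"] = rx.accept(tx.press())       # counter 7, inside the window
    for _ in range(20):
        tx.press()
    results["out_of_window"] = rx.accept(tx.press())  # counter 28 > 7 + 16
    return results
```

Comparing two captured frames byte for byte, as the post suggests doing with Hamcom, is exactly what distinguishes the two receivers here: the fixed-code frames are identical across presses, the rolling-code frames never are.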