![Page 1: Living in a fool’s wireless-secured paradise - ERNW… · Living in a fool’s wireless-secured paradise Author: Stefan Kiese, ERNW GmbH Keywords: SDR, alarm systems, hardwear.io,](https://reader034.fdocuments.us/reader034/viewer/2022050200/5f53be417a9fbf77c97736d5/html5/thumbnails/1.jpg)
Living in a fool’s wireless-secured paradise
Stefan Kiese
Topics
• Wireless (consumer) alarm systems
• Hardware
• Software
• Hacking it ;)
2015/10/02 Stefan Kiese 2
About me
• Security Analyst @ ERNW
• Heidelberg, Germany
• Interested in hardware hacking, SDR, IoT
• Beard ;)
• Twitter: @net0SKi
www.ernw.de
www.troopers.de
www.insinuator.net
Wireless (consumer) alarm systems
• Cheap ($10 - $250)
• Easy to get
• Easy to install
• WIRELESS
• Mostly, you get what you pay for
Hardware Tools
• SDR: HackRF One, Yardstick One
• Logic Analyzer: Intronix LogicPort LA1034
• Scope: Tektronix MSO2012B
• All-rounder: JTAGulator, Bus Pirate
Picture sources: HackRF + YS, greatscottgadgets.com; LogicPort, pctestinstruments.com; MSO2012B, tek.com; JTAGulator, jtagulator.com; Bus Pirate v3, dangerousprototypes.com
Software Tools
• Audacity
• GNU Radio Companion
Other useful tools:
• E.g. minicom (for use of JTAGulator and BP)
• Sigrok or other LA software
• Baudline
• Rfcat
• Python
Usual attack vectors
• Hardware:
  • UART (Debug info, console)
  • SPI (e.g. r/w EEPROM)
  • JTAG (e.g. r/w flash, reprogram µC)
  • I²C (e.g. comm. w/ components)
• Over the air:
  • Wifi
  • Bluetooth
  • Proprietary protocols
Comparison of the alarm systems
AS 1
• Many unidentified TPs exposed
• Simple record&replay
• Costs about $100
AS 2
• JTAG + UART exposed as TP
• Also simple record&replay
• Costs also about $100
AS 3
• No interfaces exposed
• Rolling Code implemented
• EEPROM
• Costs about $60
Alarm system 1
Loooong transmissions…
Alarm system 1
1. Let's start with a simple record&replay attack
   → successful
2. Trying to recover the RF transmission
   → 288 bits x 90, Manchester encoded
3. "Synthesizing" signal in GNU Radio
   → successful
4. Manipulating messages
   → unsuccessful
Alarm system 2
You shouldn't be allowed to issue this CMD, dude!
Alarm system 2
1. Record&replay again…
   → successful
2. Motion Detector is allowed to disarm the base
   → Just bruteforce the Device ID
3. JTAGulating UART
   → 2 UARTs exposed, no "valid" output on common baud rates
4. JTAGulating JTAG
   → unsuccessful
Alarm system 3
Keep on rollin', baby!
Alarm system 3
1. Record&replay again…
   → unsuccessful
2. Trying to recover the RF transmission
   → 65 bits x 6, two-part Rolling Code
3. Some interesting unlabelled ICs on PCB
   → acc. to a Russian board, one is for the signal horn
4. EEPROM
   → Connected to µC via SPI; no results yet
What could vendors do better?
• Use Rolling Code
• Remove IDs from ICs
• Use two-way communication
• Use encryption
• Be aware of the comm. protocols
• Use anti-tampering techniques
• Send keep-alive packets
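An added example (not code from the talk or from any of the tested products) of a base-station check that addresses the findings above: a rolling counter so a recorded frame is accepted only once, a per-device MAC so knowing or guessing a Device ID is not enough, and a per-device command allow-list so a motion detector cannot disarm the base. The frame layout, command codes, keys and IDs are assumptions made for the illustration, and the MAC provides authenticity only, not encryption.

```python
import hashlib
import hmac
import struct

ARM, DISARM, MOTION = 1, 2, 3   # constructed command codes
TAG_LEN = 8                     # truncated HMAC-SHA256 tag length in bytes
WINDOW = 16                     # accepted look-ahead for missed transmissions
HDR = struct.Struct(">IIB")     # device id, counter, command (hypothetical layout)

def make_frame(key, device_id, counter, cmd):
    """Sensor side: header followed by a MAC over the header."""
    header = HDR.pack(device_id, counter, cmd)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

class BaseStation:
    def __init__(self):
        self.devices = {}       # device id -> {"key", "last", "allowed"}

    def pair(self, device_id, key, allowed):
        self.devices[device_id] = {"key": key, "last": 0, "allowed": set(allowed)}

    def accept(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return "malformed"
        header, tag = frame[:HDR.size], frame[HDR.size:]
        device_id, counter, cmd = HDR.unpack(header)
        dev = self.devices.get(device_id)
        if dev is None:
            return "unknown-device"
        good = hmac.new(dev["key"], header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return "bad-tag"            # forged or modified frame
        if not dev["last"] < counter <= dev["last"] + WINDOW:
            return "stale-counter"      # replayed or too far ahead
        dev["last"] = counter           # each counter value is accepted once
        if cmd not in dev["allowed"]:
            return "cmd-not-allowed"    # e.g. a motion detector sending DISARM
        return "ok"

def demo():
    """Constructed keys and IDs; returns the verdict for each test frame."""
    remote_key, pir_key = bytes(range(32)), bytes(range(32, 64))
    base = BaseStation()
    base.pair(0x0A01, remote_key, {ARM, DISARM})
    base.pair(0x0B02, pir_key, {MOTION})
    disarm = make_frame(remote_key, 0x0A01, 1, DISARM)
    tampered = bytearray(make_frame(pir_key, 0x0B02, 1, MOTION))
    tampered[HDR.size - 1] = DISARM     # flip the command byte, MAC no longer matches
    return [base.accept(disarm), base.accept(disarm), base.accept(bytes(tampered)),
            base.accept(make_frame(pir_key, 0x0B02, 1, DISARM))]
```

The four verdicts from `demo()` cover a fresh frame, its replay, a frame with a modified command byte, and a correctly keyed motion detector asking for a command it is not allowed to issue.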
Any questions?
Thanks for your…
…and have a nice day!