The Security of RF Devices - Investigating Products at Home
There is a lot of talk in the media regarding security of Internet of Things (IoT) devices. It got me wondering about all the RF devices @ 433MHz - e.g. doorbells and thermostats that populate our homes. Whilst their range is much shorter, it might be possible for an attacker to compromise your house whilst sitting in their car outside your home - or even an annoyed neighbour. So I bought a receiver/transmitter for less than £5 and coupled that to a micro-controller (particle devices are my favourite at the moment and sell for around £20). And had a look what I could do...
I have 4 RF devices in my house, a weather station, an energy monitor, a boiler thermostat and an intruder alarm. I looked at them one by one.
It took me a while to understand what the receiver was telling me. It’s a super-heterodyne with automatic gain control. Which means in the absence of a signal it just returns amplified noise. Once I had realised that and filtered the signal, I started to see obvious Manchester encoded data. The device’s manufacturer had taken some effort to encode the data (why I’m not sure) but the device was popular and somebody on the Internet had decoded it. So after a couple of days coding, my microcontroller was receiving the signals and displaying the temperature, wind speed, etc from the various sensors. A couple of extra days coding and I was transmitting my own data over the top and changing the values on the weather station to whatever I wanted. Now I can’t actual think how the data could be exploited, but an attacker could be somewhat annoying if they wanted to be.
The device wasn’t very popular or at least nobody had published their findings so I had to decode the protocol from scratch. However, with the experience from the weather station it didn’t take very long to get the basic protocol understood. It did take a further few weeks to reverse engineer the checksum algorithm, and the monitor still refuses to accept any transmissions I put out - I’m probably slightly off with the pulse timings so I’ll need to get an oscilloscope onto the receiver output. However, the energy usage is transmitted in the clear and somebody outside could use that to determine if anybody was in the house or even determine when I was on holiday.
Security: Not good
I couldn’t detect any signal from the thermostat so I did a bit of internet searching and found that the device uses a modified wifi protocol with encrypted key exchange between itself and the boiler. Wow, first device that is secure! I don’t really have any experience on finding holes in encryption algorithms but I did find a White Hat hack report which couldn’t find anything, so I’m fairly confident nobody is going to take control of my central heating system.
This is the device I’ve been building up to. At first I couldn’t detect any transmissions but the manual handily told me it transmitted on 418MHz (Ofcom restricted usage of this band 15 years ago). So I managed to buy another receiver/transmitter from the US as it’s illegal to sell them in the UK now – note: not illegal to buy. Now the manual says the alarm sensors encrypt their data over the RF link, so you can imagine my horror when I found this was an outright lie. The master code to my alarm system was transmitted completely in the clear! So what could an attacker do:
- They could record the remote setting of the alarm and play it back with the disarm variant instead
- If they didn’t do that then the master code is only 8-bits long and you can simply cycle through the codes. I thought the alarm system might lock out if had too many attempts so I wrote a program to test it, and no it didn’t. After 5 minutes I could disarm the alarm without knowing the code ☹
- They can set the siren off whenever they wanted making the system so annoying the owner simply turns the power off
- Through the PIR sensors they can track the movements of people within the house
Now admittedly this was a very cheap alarm system but rolling codes have been present in car key fobs for decades now so I don’t understand why similar technology isn’t built into the device – especially when the manual says it is!
So the message is, if you are buying a device which uses RF frequencies for communication - be aware that these are easy to hack/spy on and can be done for around £25. My thermostat was secure but it was an expensive variety and cheaper ones are probably insecure. If you have one and also have a tech savvy neighbour – don’t annoy them! Finally, I would stay well clear of alarm systems that had any form of wireless link or if you can’t, insist on one that has been certified and uses rolling codes over that radio link.