Tuesday, 10 September 2013

Cloning an Infrared Disarming Remote of a Consumer Grade Home Security System

Introduction

This blog post looks at a cheap home security system purchased from E-Bay and ways of defeating it by cloning the remote that disarms it.

This post can also serve as a taster for my Ruxcon talk in October.

 

The system consists of a motion sensor with an alarm and a remote control to arm and disarm the system. It can be bought on E-Bay for $7.80 AU and the listing reckons 326 of these have been sold. In particular, the remote used by this system is based on infrared.

Infrared is a common communication medium for consumer electronics and requires close to line of sight for a signal to be received. The next step above infrared is a Radio Frequency (RF) remote, typically at 433 MHz or 315 MHz.

This post will look at how an attacker could clone the infrared remote used by this alarm system to arm and disarm it at will. This basically means that if your attacker knows that you use this type of alarm, they will be able to disarm it, so we'll look at a few possible ways of cloning the remote.

The first two methods require physical access to the original remote, while the 3rd method requires the ability to capture a transmission before replaying it later on.

In the 1st method, I'll look at reversing the disassembled remote and going from the Printed Circuit Board (PCB) to figure out what kind of signal is being transmitted before creating something that duplicates that signal.  In the 2nd method, I'll look at using a device known as a frequency counter to measure the signal, allowing us to create a clone.  The 3rd method, as hinted at earlier, will capture the remote's transmission and we'll replay it in a replay attack.

A First Failed Attempt

Before getting into reverse engineering some hardware, how about we try one of those “learning remote controls”.

You basically press your TV power button while the learning remote is in learning mode, then the signal is captured and your learning remote can now power off your TV.

The only trouble is, a learning remote doesn't seem to learn the signal from this alarm system.

Drats. So let's get into reverse engineering.

1. Making a Remote Using Circuit Theory

The 1st thing to do is to disassemble the remote. It's a pretty straightforward device and has discrete components in it such as capacitors, transistors and resistors. Naturally, it also has an infrared LED that actually transmits the infrared signals.

If you've done a bit of electronics before, you might be able to recognise a circuit that has 4 resistors, 2 capacitors, and 2 transistors. If you ever did an electronics kit as a kid that had 2 lights that alternate in flashing, then you might know that this is known as an astable multivibrator. It's basically an oscillator. An astable multivibrator makes sense, doesn't it? It suggests that an oscillating signal is being sent to the LED.



What can we do with this information? Well, we can take the resistor and capacitor values and determine the frequency of the signal being generated. The Wikipedia page for astable multivibrators gives us a nice formula to determine the frequency.

T = ln(2)·R2·C1 + ln(2)·R3·C2
f = 1/T

Plugging in values, we get a frequency of 38.52 kHz.

Wait a minute. Don't many infrared receivers use 38 kHz as a carrier wave? Yep, they do. But in signals sent by your TV, this carrier wave is sent in a discrete number of pulses with well-timed on and off periods. The remote for this security system just sends the carrier wave on continuously.

So let's build our own remote control that sends a 38.52 kHz carrier wave. We'll use an Arduino. Using the formula T=1/f, we know the period, or length of one cycle of our carrier wave, is 26 microseconds (µs). That's 13 µs with the pulse on, and 13 µs with the pulse off, as a square wave.

We can take an IR LED and attach it to one of the GPIO pins on the Arduino, then write some code to turn the LED on for 13 µs and off for 13 µs. Repeat this cycle, and we have our carrier wave. In the device I built, I took an IR remote from a completely different device and repurposed it to clone the security system's remote.

In total, I used a spare IR remote, some IC test hooks, some male-male jumpers, a small breadboard, a small resistor to limit the current in the LED, and an Arduino UNO. All of these can be found on E-Bay. The Arduino code is as follows (please change IRPin to whatever GPIO pin you're going to use):

// Carrier generator for the cloned remote. The GPIO pin drives the IR LED
// through the current-limiting resistor; change IRPin to match your wiring.
int IRPin = 8;
// Half-periods of the ~38.5 kHz carrier in microseconds: 13 on + 13 off = 26 us.
int IR_time_on = 13;
int IR_time_off = 13;

void setup()
{
    pinMode(IRPin, OUTPUT);
}

void loop()
{
    // Emit the carrier in 1 ms bursts; loop() repeats forever, so the
    // carrier is effectively continuous, just like the original remote.
    pulseIR(1000);
}

// Bit-bang the carrier for roughly 'microsecs' microseconds.
void pulseIR(long microsecs)
{
    cli();  // disable interrupts so timer ISRs don't stretch the half-periods
    while (microsecs > 0) 
    {
        digitalWrite(IRPin, HIGH);
        delayMicroseconds(IR_time_on);
        digitalWrite(IRPin, LOW);
        delayMicroseconds(IR_time_off);
        microsecs -= IR_time_on + IR_time_off;
    }
    sei();  // re-enable interrupts (millis(), Serial and friends need them)
}

If you've never used an Arduino before, you can install the IDE from the Ubuntu software list, set your board in the IDE to UNO (if that's the Arduino that you bought), plug your Arduino into your PC via USB, possibly manually select which serial port your Arduino is using, and then upload the “sketch” (program) that you cut and pasted. If you're a beginner, first try to get the Blink sketch from the examples to work. The cloned remote is just a bigger version of flashing an LED.



Now.. Does it work? ... Yes!

We can successfully arm and disarm the alarm system using our home built remote control.

2. Making a Remote Using a Frequency Counter


Let's tackle the problem of determining the frequency of the carrier wave a different way than using that mathematical formula.

We'll use a frequency counter for this; I bought mine off Ebay. It's reportedly not the greatest of frequency counters, but it's enough for my purpose here.

Simply attach one probe to the LED and another to ground on the alarm system's original remote control, and measure the frequency. The frequency counter reads 38.80 kHz. This is close to the theoretical 38.52 kHz, and taking into account the tolerances of the resistors and capacitors, it makes sense.

Our frequency counter can even tell us the length of a single cycle, the period, so we don't really have to do any math at all!
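As an added worked example (not code from the original post), the program below carries the astable multivibrator formula from section 1 through to the on/off delays a bit-banging sketch needs, and then does the tolerance check hinted at above: it asks whether a 38.80 kHz reading can be explained by ordinary resistor and capacitor tolerances around a circuit calculated at roughly 38.5 kHz. The post does not list the resistor and capacitor values read off the PCB, so the component values in main() are constructed to land near the post's 38.52 kHz result; the 5% resistor and 10% capacitor tolerances are likewise assumptions.

```c
/* Added example, not code from the original post: the astable multivibrator
 * period formula, the half-period delays derived from it, and a check of
 * whether a measured carrier frequency lies within component tolerance.
 * The R and C values in main() are CONSTRUCTED (the post does not give them). */
#include <stdio.h>

#define LN2 0.69314718055994530942   /* ln(2); a constant avoids needing libm */

double absd(double x) { return x < 0 ? -x : x; }

/* T = ln(2)*R2*C1 + ln(2)*R3*C2 ; ohms and farads in, seconds out. */
double astable_period(double r2, double c1, double r3, double c2)
{
    return LN2 * r2 * c1 + LN2 * r3 * c2;
}

/* f = 1/T in hertz. */
double astable_frequency(double r2, double c1, double r3, double c2)
{
    return 1.0 / astable_period(r2, c1, r3, c2);
}

/* The two half-periods in microseconds.  The LED-on time comes from one RC
 * pair and the off time from the other, so an asymmetric circuit gives an
 * asymmetric duty cycle.  These are the numbers a sketch would hand to
 * delayMicroseconds(). */
void carrier_delays_us(double r2, double c1, double r3, double c2,
                       double *on_us, double *off_us)
{
    *on_us  = LN2 * r2 * c1 * 1e6;
    *off_us = LN2 * r3 * c2 * 1e6;
}

/* Frequency band reachable with every part at the edge of its tolerance
 * (r_tol = 0.05 for 5% resistors, c_tol = 0.10 for 10% capacitors).
 * All parts low gives the shortest period and therefore the highest f. */
void frequency_band(double r2, double c1, double r3, double c2,
                    double r_tol, double c_tol, double *f_min, double *f_max)
{
    *f_max = astable_frequency(r2 * (1 - r_tol), c1 * (1 - c_tol),
                               r3 * (1 - r_tol), c2 * (1 - c_tol));
    *f_min = astable_frequency(r2 * (1 + r_tol), c1 * (1 + c_tol),
                               r3 * (1 + r_tol), c2 * (1 + c_tol));
}

/* 1 if a measured frequency can be explained by component tolerance alone. */
int within_tolerance(double measured_hz, double r2, double c1, double r3,
                     double c2, double r_tol, double c_tol)
{
    double f_min, f_max;
    frequency_band(r2, c1, r3, c2, r_tol, c_tol, &f_min, &f_max);
    return measured_hz >= f_min && measured_hz <= f_max;
}

int main(void)
{
    /* CONSTRUCTED values: 18.7 kohm and 1 nF in each timing pair. */
    double r2 = 18700.0, c1 = 1e-9, r3 = 18700.0, c2 = 1e-9;
    double on_us, off_us, f_min, f_max;
    double f = astable_frequency(r2, c1, r3, c2);

    carrier_delays_us(r2, c1, r3, c2, &on_us, &off_us);
    frequency_band(r2, c1, r3, c2, 0.05, 0.10, &f_min, &f_max);

    printf("calculated carrier: %.2f kHz, period %.2f us\n", f / 1e3, 1e6 / f);
    printf("sketch delays: on %.2f us, off %.2f us\n", on_us, off_us);
    printf("tolerance band: %.2f .. %.2f kHz\n", f_min / 1e3, f_max / 1e3);
    printf("38.80 kHz reading explained by tolerance: %s\n",
           within_tolerance(38800.0, r2, c1, r3, c2, 0.05, 0.10) ? "yes" : "no");
    return 0;
}
```

With the constructed values the band spans roughly 33.4 to 45.1 kHz, which is why a 38.80 kHz reading against a 38.5 kHz calculation is nothing to worry about, and also why a receiver built with a 38 kHz demodulator tolerates either.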


Need to check that it's a stable signal? Try using an oscilloscope. The scope I'm using is a Rigol 1102E. I bought mine from here. This is reportedly a pretty decent entry level scope.



You can see a stable square wave as we predicted. And the scope even tells us the frequency!

3. Making a Remote Using a USB Infrared Toy


The final method I'm going to discuss is using a “USB Infrared Toy v2” sold by Dangerous Prototypes, which you can buy from here. This is a cool and affordable device that will capture a raw IR signal and allow you to replay it.

It may take a few goes to capture it, but once captured you can replay it at will. How easy is that?

Does it work on this alarm system? Yep, you can disarm and arm the alarm system at will.

Conclusion

So there you go, 3 methods of disarming a consumer grade home alarm system. If you thought this post was cool, then come see me talk at Ruxcon in October where I'll continue on with what I've done in this post and look at other alarm systems.

What can we take away from this post? Where does it put the security of such cheap alarm systems? Criminals might be able to capture IR signals if they can get a line of sight to when the system is being armed or disarmed. If a criminal knows what type of alarm system you're using then they could do what we did here and reverse it for cloning a remote.

A more likely scenario is just to buy a duplicate system and use that remote. Not all IR remotes are interchangeable between units of the same system; it depends on whether a code is being transmitted and how many variations of the code and remote exist. In the system described in this post, there is no code, just a carrier signal. If a code is being transmitted, then the Infrared Toy can capture it and replay it, so that's the best bet for a criminal looking at a completely unknown remote.

We've looked at alarm systems, but lots of devices use similar methods of entry or activation based on infrared or RF, which I'll discuss shortly. Garage door openers, gates, wireless mains switches, and wireless door chimes to name a few. The list of hacking opportunities is pretty big.

Where to from here? Well, I mentioned IR systems that use different but fixed codes: these more expensive infrared-based home alarm systems don't just use a carrier wave to disarm the system; they use pulse width modulation to send across a code. Then there are RF-based systems using fixed or even rolling codes. Fixed-code RF systems are vulnerable to the same type of replay attack described here. Rolling codes are what most cars use these days for keyless entry; these remotes don't retransmit the same code, so you can't just capture a code and replay it.
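The fixed-versus-rolling distinction in the paragraph above, worked through as an added example (it is not code from the post, nor from any real remote or receiver): both receivers are simulated in memory, the "capture" is simply the frame the remote sent, and the keyed mixing function is a toy stand-in for the block cipher or MAC a real rolling-code system uses. The key, counter start and window size are constructed values.

```c
/* Added example, not from the original post: why a captured fixed code
 * replays but a captured rolling code does not.  toy_tag() is a TOY keyed
 * mixing function standing in for a real cipher/MAC; it is not secure and is
 * only here so the model has something the replaying party cannot forge. */
#include <stdint.h>
#include <stdio.h>

/* A transmission as the receiver sees it after demodulation. */
typedef struct { uint32_t counter; uint32_t tag; } frame_t;

/* Fixed-code receiver: accepts any frame whose tag equals the stored code.
 * The counter field is ignored, so a recording is valid forever. */
typedef struct { uint32_t code; } fixed_rx_t;

int fixed_rx_accept(fixed_rx_t *rx, frame_t f)
{
    return f.tag == rx->code;
}

/* Rolling-code pair: remote and receiver share a key and keep a counter. */
typedef struct { uint32_t key; uint32_t counter; } rolling_remote_t;
typedef struct { uint32_t key; uint32_t last_counter; } rolling_rx_t;

#define WINDOW 16u  /* presses out of the receiver's range that are tolerated */

/* TOY keyed mixing function (placeholder for a real block cipher / MAC). */
static uint32_t toy_tag(uint32_t key, uint32_t counter)
{
    uint32_t x = counter ^ key;
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

/* Each button press advances the counter and tags it, so no two presses
 * put the same frame on the air. */
frame_t rolling_remote_press(rolling_remote_t *r)
{
    frame_t f;
    r->counter++;
    f.counter = r->counter;
    f.tag = toy_tag(r->key, r->counter);
    return f;
}

int rolling_rx_accept(rolling_rx_t *rx, frame_t f)
{
    /* Strictly newer than the last accepted press: this single comparison is
     * what defeats a recording.  The window caps how far ahead a frame may
     * jump, so a stale or fabricated counter is refused as well. */
    if (f.counter <= rx->last_counter || f.counter - rx->last_counter > WINDOW)
        return 0;
    if (f.tag != toy_tag(rx->key, f.counter))
        return 0;
    rx->last_counter = f.counter;
    return 1;
}

/* Scenario: the owner presses once, the recording is replayed afterwards.
 * Returns 1 if the replay is accepted. */
int fixed_replay_accepted(void)
{
    fixed_rx_t rx = { 0xA5A5A5A5U };          /* constructed fixed code */
    frame_t captured = { 0, 0xA5A5A5A5U };    /* what a learning remote records */
    fixed_rx_accept(&rx, captured);           /* owner's legitimate press */
    return fixed_rx_accept(&rx, captured);    /* replay of the same frame */
}

int rolling_replay_accepted(void)
{
    rolling_remote_t remote = { 0x5EC12E7U, 100 };   /* constructed key/counter */
    rolling_rx_t rx = { 0x5EC12E7U, 100 };
    frame_t captured = rolling_remote_press(&remote);
    rolling_rx_accept(&rx, captured);         /* owner's press: accepted */
    return rolling_rx_accept(&rx, captured);  /* replay: counter not newer */
}

/* The owner is not locked out by a failed replay: the next real press works. */
int rolling_fresh_press_accepted(void)
{
    rolling_remote_t remote = { 0x5EC12E7U, 100 };
    rolling_rx_t rx = { 0x5EC12E7U, 100 };
    frame_t captured = rolling_remote_press(&remote);
    rolling_rx_accept(&rx, captured);
    rolling_rx_accept(&rx, captured);         /* rejected replay */
    return rolling_rx_accept(&rx, rolling_remote_press(&remote));
}

int main(void)
{
    printf("fixed code, replay accepted:        %d\n", fixed_replay_accepted());
    printf("rolling code, replay accepted:      %d\n", rolling_replay_accepted());
    printf("rolling code, next real press ok:   %d\n", rolling_fresh_press_accepted());
    return 0;
}
```

The model makes the design point explicit: a fixed-code receiver has no state, so nothing distinguishes the owner's frame from a recording of it, whereas the rolling receiver's single "newer than last accepted" check is enough to turn a replay into a rejected frame while ordinary use carries on.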

So that's it. Have fun and remember to buy a decent home alarm system next time you go shopping instead of the cheapest one you can find.

Silvio (@silviocesare)

Monday, 23 April 2012

A Year of Mining Twitter

Background

A year ago a small project was put together to mine Twitter for vulnerability ID prefixes.  There were two big motivators at the time that sparked this mini-experiment:
  1. Recent project work with integrating vulnerability intelligence feeds into a VM system raised a realisation that decent technical write-ups were rarely referenced in public feeds such as NVD
  2. Keeping up to date with day to day security news and research is difficult and time-consuming
Twitter seemed like a potential medium for tackling these two issues.  Twitter itself is rather fascinating - in the vast amounts of utter rubbish that flows through it every second, there is some genuinely excellent data in there.  

Mining for vulnerability prefixes was chosen for several reasons, including:
  • They are relatively unique character sequences
  • The mining process still works with unicode text 
  • People referring to public vulnerabilities often refer to them by ID explicitly
  • People who refer to vulnerabilities usually have some security relevance
  • Hash tags are stupid
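The list above is the whole specification of the mining step: look for a handful of fixed ASCII prefixes and take the identifier that follows. As an added example (not the Talkback tool's own code), the scanner below does exactly that for "CVE-YYYY-NNNN" and "MSYY-NNN" over tweet text. It also shows why the process "still works with unicode text": every byte of a multi-byte UTF-8 sequence is 0x80 or above, so an ASCII prefix can never begin or end inside another character and a byte-wise scan is safe. The tweets in main() are constructed sample input; the IDs they mention are ones that appear elsewhere in this post.

```c
/* Added example, not from the original post or from Talkback: extract
 * vulnerability identifiers from tweet text by scanning for fixed ASCII
 * prefixes.  Works on UTF-8 as-is because no multi-byte UTF-8 byte is ASCII.
 * Sample tweets in main() are CONSTRUCTED. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 31

/* Number of consecutive ASCII digits starting at s. */
static size_t digit_run(const char *s)
{
    size_t n = 0;
    while (isdigit((unsigned char)s[n])) n++;
    return n;
}

/* If a vulnerability ID starts at s, copy it to out and return its length;
 * otherwise return 0.  Matching is case-sensitive on purpose: "cve-" inside a
 * URL path is not the way people cite an ID. */
size_t match_vuln_id(const char *s, char *out, size_t out_sz)
{
    size_t len = 0;
    if (strncmp(s, "CVE-", 4) == 0 && digit_run(s + 4) == 4 && s[8] == '-') {
        size_t n = digit_run(s + 9);
        if (n >= 4) len = 9 + n;                  /* CVE-2011-1281 */
    } else if (strncmp(s, "MS", 2) == 0 && digit_run(s + 2) == 2 && s[4] == '-'
               && digit_run(s + 5) == 3) {
        len = 8;                                  /* MS11-083 */
    }
    /* The ID must end at a word boundary and fit the caller's buffer. */
    if (len == 0 || len >= out_sz || isalnum((unsigned char)s[len]))
        return 0;
    memcpy(out, s, len);
    out[len] = '\0';
    return len;
}

/* Fill ids[] with the distinct IDs found in text; return how many. */
size_t extract_vuln_ids(const char *text, char ids[][MAX_ID_LEN + 1], size_t max_ids)
{
    size_t count = 0;
    for (size_t i = 0; text[i] != '\0'; i++) {
        char id[MAX_ID_LEN + 1];
        size_t len, k;
        /* Only start a match at a word boundary, so "XCVE-..." is skipped.
         * Bytes >= 0x80 (UTF-8 continuation/lead bytes) are not alnum in the
         * C locale, so a Japanese character right before an ID is a boundary. */
        if (i > 0 && isalnum((unsigned char)text[i - 1])) continue;
        len = match_vuln_id(text + i, id, sizeof id);
        if (len == 0) continue;
        for (k = 0; k < count; k++)               /* de-duplicate per tweet */
            if (strcmp(ids[k], id) == 0) break;
        if (k == count && count < max_ids) strcpy(ids[count++], id);
        i += len - 1;
    }
    return count;
}

int main(void)
{
    /* CONSTRUCTED sample tweets, including one in Japanese. */
    const char *tweets[] = {
        "j00ru's write-up on CVE-2011-1281 is excellent",
        "MS11-083 の解説を書きました http://example.invalid/ms11-083",
        "#CVE-2012-0507 and CVE-2012-0507 again, no MSFT talk",
    };
    for (size_t t = 0; t < sizeof tweets / sizeof tweets[0]; t++) {
        char ids[8][MAX_ID_LEN + 1];
        size_t n = extract_vuln_ids(tweets[t], ids, 8);
        printf("tweet %zu: %zu id(s)", t + 1, n);
        for (size_t k = 0; k < n; k++) printf(" %s", ids[k]);
        printf("\n");
    }
    return 0;
}
```

A real deployment would add the other prefixes the feed cares about and keep per-user counts across tweets, but the boundary checks shown here are the part worth getting right: without them, hashtags, URLs and run-together text produce the false positives that make an ID feed noisy.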

A year has passed and this post is to share some observations over this time and to accompany an update to Talkback that now has general statistics and individual vulnerability ID lookups.

Disclosure Trends

The combination of research teams, vendor bug-bounties and vulnerability brokers appears to have made important changes to the way vulnerability information is publicised.  A stream of technical information that can be correlated to vulnerability IDs is often available from multiple sources.  This includes independent bug-hunters releasing write-ups once one of their vulnerabilities is published and research teams releasing technical advisories covering exploitability.  

Despite the fact that there will always be bug-finders who choose non-disclosure, these observed improvements to the quality of public technical information on vulnerabilities are invaluable. 

Demographics

As the demographic charts show, there is quite a lot of variation between the location and language codes of the users captured in the inventory. It is likely that the dip in certain high population countries is due to the fact that Twitter is not as widely used in these particular countries. Conversely, the relatively high peak in Japan for example shows that it's a popular online communication medium there.
A strength of capturing foreign language items and tying in the Google language translate gadget in the Talkback UI is that it's not rare for technical write-ups and comments on vulnerabilities to be spread over many languages.  In 2012, language barriers for information such as this should not be a factor.

Vulnerability Hype

The most popular and heavier weighted vulnerabilities are generally related to a combination of community hype and solid technical research.
Examples of hyped vulnerabilities were MS11-083 and MS12-020, due to the nature of both Windows issues; however, at the time of this writing reliable RCE for both issues is not public. The general conclusion for this sub-point is that there are unfortunately a lot of vulnerability fanboys out there. 

Funnily enough, the heaviest single tweet captured to date was a Chuck Norris joke regarding MS11-083.

Mining Gold

The biggest strength of the tool is to sift through the noise and pluck out the excellent research coming from individuals and research teams. A few notable examples include j00ru's write-up on his Windows CSRSS privesc (CVE-2011-1281), VUPEN's write-up on a ProFTPd use-after-free (CVE-2011-4130), and Offensive Security's blog post on an Afd.sys privesc (MS11-080).


Certain vulnerability spikes relate directly to observed malware, incidents, etc. Two examples of vulnerabilities with good timelines are CVE-2012-0507 (JDK) and CVE-2011-3544 (JRE).  To my knowledge, current public vulnerability intelligence feeds don't dynamically capture such detailed timelines.


More work is required to help distinguish such items programmatically from the rest.  In the meantime, it is recommended to have a look at the Popular Items section of the Talkback Statistics and the Trending Items section to see other items that received a high rating by the tool.

User Inventory

Out of the large number of users in the inventory, it's important to note that not all users have security backgrounds - there's the occasional sysadmin referring to patching systems and IT companies concerned about an issue, but this is still interesting data to capture.  However, on the whole, a large number of security-relevant users are in the inventory simply because, being in this field, it's almost inevitable to either mention or at least see a vulnerability ID when on Twitter.
A fun exercise is to simply browse the user inventory using the different views and filters. There is the occasional upcoming or unknown researcher who mentions a vulnerability they discovered or researched but has a tiny Twitter following. It is possible for this tool to be used for recruiting and the like, but more work would be required to make this facet truly powerful, and it sparks curiosity about what others with decent resources are doing in this space.

Next Steps

First thing on the table is to make improvements to the algorithms for highlighting popular research items, growing the statistics and analytics, and potentially bringing on more mediums to expand the geographic scope.

A goal for the near future is to enable viewing general trending items from security-relevant users across the globe.  This work is in progress and is still being tuned, but will in essence be like a view in Twitter, but span many languages, cut out a lot of the line-noise, and have careful consideration for how it's presented so catching up on daily news is efficient. 


Suggestions, bugs, and feedback can be sent to talkback@volvent.org.