Introduction
This blog post looks at a cheap home security system purchased from eBay and ways of defeating it by cloning the remote that disarms it. This post can also serve as a taster for my Ruxcon talk in October.
The system consists of a motion sensor with an alarm and a remote control to arm and disarm the system. It can be bought on eBay for $7.80 AU and the listing reckons 326 of these have been sold. In particular, the remote used by this system is based on infrared.
Infrared is a common communication medium for consumer electronics and requires close to line of sight for a signal to be received. The next step above infrared is a Radio Frequency (RF) remote, typically at 433 MHz or 315 MHz.
This post will look at how an attacker could clone the infrared remote used by this alarm system to arm and disarm it at will. This basically means that if your attacker knows that you use this type of alarm, they will be able to disarm it, so we'll look at a few possible ways of cloning the remote.
The first two methods require physical access to the original remote, while the 3rd method requires the ability to capture a transmission before replaying it later on.
In the 1st method, I'll disassemble the remote and work from the Printed Circuit Board (PCB) to figure out what kind of signal is being transmitted, then build something that duplicates that signal. In the 2nd method, I'll use a device known as a frequency counter to measure the signal directly, which again lets us build a clone. The 3rd method, as hinted at earlier, captures the remote's transmission so we can replay it later in a replay attack.
A First Failed Attempt
Before getting into reverse engineering some hardware, how about we try one of those “learning remote controls”. You basically press your TV power button while the learning remote is in learning mode, the signal is captured, and your learning remote can now power off your TV.
The only trouble is, a learning remote doesn't seem to learn the signal from this alarm system.
Drats. So let's get into reverse engineering.
1. Making a Remote Using Circuit Theory
The 1st thing to do is to disassemble the remote. It's a pretty straightforward device with discrete components in it such as capacitors, transistors and resistors. Naturally, it also has an infrared LED that actually transmits the infrared signal. If you've done a bit of electronics before, you might recognise a circuit that has 4 resistors, 2 capacitors, and 2 transistors. If you ever built an electronics kit as a kid that had 2 lights flashing alternately, then you might know that this is an astable multivibrator. It's basically an oscillator. An astable multivibrator makes sense, doesn't it? It suggests that an oscillating signal is being sent to the LED.
What can we do with this information? Well, we can take the resistor and capacitor values and determine what frequency that signal being generated is. Looking at the Wikipedia page for astable multivibrators they give us a nice formula to determine the frequency.
T = ln(2)·R2·C1 + ln(2)·R3·C2
f = 1/T
Plugging in the values read off the components, we get a frequency of 38.52 kHz.
Wait a minute. Don't many infrared receivers use 38 kHz as a carrier wave? Yep, they do. But in the signals sent by your TV, this carrier is sent as a discrete number of bursts with well timed on and off periods that encode a code. The remote for this alarm system sends no code at all: it just leaves the carrier on.
So let's build our own remote control that sends a 38.52 kHz carrier wave. We'll use an Arduino. Using the formula T = 1/f, the period (the length of one cycle of the carrier) is 1/38520 s, which is about 26 µs (microseconds, not milliseconds). As a square wave, that's 13 µs with the pulse on and 13 µs with the pulse off.
We can take an IR LED and attach it to one of the GPIO pins on the Arduino, write some code to turn the LED on for 13 µs, then turn it off for 13 µs. Repeat this cycle, and we have our carrier wave. In the device I built, I took an IR remote from a completely different device and repurposed it to clone the security system's remote.
In total, I used a spare IR remote, some IC test hooks, some male-male jumpers, a small breadboard, a small resistor to limit the current in the LED, and an Arduino UNO. All of these can be found on eBay. The Arduino code is as follows (please change IRPin to whatever GPIO pin you're going to use; note that the on/off times are in microseconds):

int IRPin = 8;          // GPIO pin driving the IR LED (through the series resistor)
int IR_time_on = 13;    // half period in microseconds: 1/38.52 kHz is about 26 us
int IR_time_off = 13;

void setup() {
  pinMode(IRPin, OUTPUT);
}

void loop() {
  pulseIR(1000);        // 1 ms of carrier per call, repeated forever
}

// Bit-bang the carrier for roughly 'microsecs' microseconds. Interrupts are
// disabled (cli/sei) so the Arduino's timer interrupt cannot stretch a half period.
// digitalWrite itself costs a few microseconds on an AVR, so check the real
// output with a frequency counter or scope and trim the delays if it is off.
void pulseIR(long microsecs) {
  cli();
  while (microsecs > 0) {
    digitalWrite(IRPin, HIGH);
    delayMicroseconds(IR_time_on);
    digitalWrite(IRPin, LOW);
    delayMicroseconds(IR_time_off);
    microsecs -= IR_time_on + IR_time_off;
  }
  sei();
}
If you've never used an Arduino before, you can install the IDE from the Ubuntu software list, set your board in the IDE to UNO (if that's the Arduino that you bought), plug your Arduino via USB into your PC, possibly manually select which serial port your Arduino is using, and then upload the “sketch” or program that you cut and pasted. If you're a beginner, try to get the Blink sketch from the examples to work first. The cloned remote is just a faster version of flashing an LED.
Now.. Does it work? ... Yes!
We can successfully arm and disarm the alarm system using our home built remote control.
2. Making a Remote Using a Frequency Counter
Let's tackle the problem of determining the frequency of the carrier wave a different way than using that mathematical formula.
We'll use a frequency counter for this, I bought mine off Ebay. It's reportedly not the greatest of frequency counters, but it's enough for my purpose here.
Simply attach a probe to the LED and a probe to ground of the alarm system's original remote control and measure the frequency. The frequency counter measures 38.80 kHz. This is close to the theoretical 38.52 kHz, and taking into account the tolerances of the resistors and capacitors, the difference makes sense.
Our frequency counter can even tell us the length of a single cycle, the period, so we don't really have to do any math at all!
Need to check that it's a stable signal? Try using an oscilloscope. The scope I'm using is a Rigol 1102E. I bought mine from here. This is reportedly a pretty decent entry level scope.
You can see a stable square wave as we predicted. And the scope even tells us the frequency!
3. Making a Remote Using a USB Infrared Toy
The final method I'm going to discuss is using a “USB Infrared Toy v2” sold by Dangerous Prototypes, which you can buy from here. This is a cool and affordable device that will capture a raw IR signal and allow you to replay it.
It may take a few goes to capture it, but once captured you can replay it at will. How easy is that?
Does it work on this alarm system? Yep, you can disarm and arm the alarm system at will.
Conclusion
So there you go, 3 methods of disarming a consumer grade home alarm system. If you thought this post was cool, then come see me talk at Ruxcon in October where I'll continue on with what I've done in this post and look at other alarm systems. What can we take away from this post? Where does it put the security of such cheap alarm systems? Criminals might be able to capture IR signals if they can get a line of sight at the moment the system is being armed or disarmed. If a criminal knows what type of alarm system you're using, then they could do what we did here and reverse it to clone a remote.
A more likely scenario is just to buy a duplicate system and use that remote. Not all IR remotes can be swapped between units of the same system; it depends on whether a code is being transmitted and how many variations of the code and remote exist. In the system described in this post, there is no code, just a carrier signal. If a code is being transmitted, then the Infrared Toy can capture it and replay it. So that's the best bet for a criminal looking at a completely unknown remote.
We've looked at alarm systems, but lots of devices use similar methods of entry or activation based around infrared or RF, which I'll discuss shortly. Garage door openers, gates, wireless mains switches, and wireless door chimes to name a few. The list of hacking opportunities is pretty big.
Where to from here? Well, as mentioned above, more expensive infrared-based home alarm systems don't just use a carrier wave to disarm the system; they use pulse width modulation to send a code, and that code is fixed. Then there are the RF based systems using fixed or even rolling codes. Fixed-code RF systems are vulnerable to the same type of replay attack described here. Rolling codes are what most cars use these days for keyless entry, and these remotes don't retransmit the same code, so you can't just capture a code and replay it.
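To make the three cases above concrete (the bare carrier of this alarm, a fixed pulse-width-modulated code, and a rolling code), here is an added example that is not code from the original post. It models an IR transmission the way a capture device such as the USB Infrared Toy records it: a list of mark/space durations in microseconds, where a mark is the carrier being on. The PWM timings are NEC-style and are assumed for illustration only; the post does not name the protocol the dearer alarms use, and the rolling-code receiver is a deliberately simplified model rather than any vendor's scheme. All captures are constructed in the code.

```cpp
// Added example (not from the original post). Models IR captures as (mark, space)
// pairs in microseconds and contrasts a bare carrier, a fixed PWM code and a
// simplified rolling code. NEC-style timings below are an assumption.
#include <cstdint>
#include <vector>

struct Pulse { uint32_t mark_us; uint32_t space_us; };

// Assumed NEC-style timings: 9 ms leader mark, 4.5 ms leader space, 560 us bit
// mark, then a 560 us space for a 0 bit or a 1690 us space for a 1 bit.
constexpr uint32_t LEAD_MARK = 9000, LEAD_SPACE = 4500, BIT_MARK = 560;
constexpr uint32_t ZERO_SPACE = 560, ONE_SPACE = 1690, END_SPACE = 40000;

// The remote in this post: nothing but carrier for as long as the button is held.
std::vector<Pulse> encode_bare_carrier(uint32_t held_us) {
    return {{held_us, 0}};
}

// One long mark with no structured spaces carries no code; any LED driven at the
// right carrier frequency reproduces it, which is all the Arduino sketch does.
bool is_bare_carrier(const std::vector<Pulse>& cap) {
    return cap.size() == 1 && cap[0].mark_us > LEAD_MARK;
}

// Encode 32 bits as a PWM frame: leader, 32 data bits LSB first, stop mark.
std::vector<Pulse> encode_frame(uint32_t bits) {
    std::vector<Pulse> frame{{LEAD_MARK, LEAD_SPACE}};
    for (int i = 0; i < 32; ++i) {
        bool one = (bits >> i) & 1u;
        frame.push_back({BIT_MARK, one ? ONE_SPACE : ZERO_SPACE});
    }
    frame.push_back({BIT_MARK, END_SPACE});
    return frame;
}

// Receivers tolerate timing error; 25% either side is typical.
static bool within_tol(uint32_t got, uint32_t want) {
    return got >= want - want / 4 && got <= want + want / 4;
}

// Recover the 32 bits from a capture. Returns false if the timing does not look
// like a PWM frame (the bare carrier above, for instance).
bool decode_frame(const std::vector<Pulse>& cap, uint32_t& bits) {
    if (cap.size() != 34 || !within_tol(cap[0].mark_us, LEAD_MARK) ||
        !within_tol(cap[0].space_us, LEAD_SPACE))
        return false;
    bits = 0;
    for (int i = 0; i < 32; ++i) {
        const Pulse& p = cap[1 + i];
        if (!within_tol(p.mark_us, BIT_MARK)) return false;
        if (within_tol(p.space_us, ONE_SPACE)) bits |= 1u << i;
        else if (!within_tol(p.space_us, ZERO_SPACE)) return false;
    }
    return true;
}

// Fixed-code receiver: any frame carrying the programmed value is accepted, so
// one capture replays for ever.
struct FixedReceiver {
    uint32_t expected;
    bool accept(const std::vector<Pulse>& cap) const {
        uint32_t bits;
        return decode_frame(cap, bits) && bits == expected;
    }
};

// Rolling-code receiver, simplified model (assumed): high 16 bits identify the
// remote, low 16 bits are a counter that must move past the last accepted value,
// so a replayed capture carries a stale counter and is refused. Real schemes also
// encrypt the counter so an attacker cannot simply increment it.
struct RollingReceiver {
    uint16_t serial;
    uint16_t last_counter;
    bool accept(const std::vector<Pulse>& cap) {
        uint32_t bits;
        if (!decode_frame(cap, bits) || uint16_t(bits >> 16) != serial) return false;
        uint16_t counter = uint16_t(bits & 0xFFFFu);
        if (counter <= last_counter) return false;   // replay or stale frame
        last_counter = counter;
        return true;
    }
};

// Walk the three cases: cloning the bare carrier, replaying a fixed code, and
// replaying the same capture against a rolling code.
struct ReplayResult { bool carrier_clone, fixed_replay, rolling_first, rolling_replay; };

ReplayResult replay_demo() {
    ReplayResult r{};
    r.carrier_clone = is_bare_carrier(encode_bare_carrier(500000));   // half a second of carrier
    FixedReceiver fixed{0xA55A0F0Fu};
    std::vector<Pulse> captured = encode_frame(0xA55A0F0Fu);          // constructed capture
    r.fixed_replay = fixed.accept(captured) && fixed.accept(captured); // works every time
    RollingReceiver rolling{0x1234, 0};
    std::vector<Pulse> captured2 = encode_frame(uint32_t(0x1234) << 16 | 7u);
    r.rolling_first = rolling.accept(captured2);                       // genuine press
    r.rolling_replay = rolling.accept(captured2);                      // replay: rejected
    return r;
}
```

The (mark, space) list produced by encode_frame is the same shape of data the Infrared Toy captures and replays, and it could equally be fed to a loop like the pulseIR routine above, emitting carrier for each mark and staying dark for each space. The point of the last two receivers is the one made in the paragraph: a fixed code is just a longer version of the bare carrier as far as replay goes, while a rolling code makes the captured frame worthless after its first use.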
So that's it. Have fun and remember to buy a decent home alarm system next time you go shopping instead of the cheapest one you can find.
Silvio (@silviocesare)