Security researcher Silvio put together a write-up of his process for defeating a cheap infrared-based security system. The system uses an infrared remote to arm and disarm the alarm, and the alarm is triggered by any motion detected while it is armed.
In his first attempt he tried an off-the-shelf learning remote to record the signal and play it back. For whatever reason the remote didn’t like the signal and didn’t even try to learn it. So in his second attempt he whipped out a frequency counter and an oscilloscope, and with the timings in hand was able to replicate the signal using an Arduino and an infrared LED. For fun he also made a third attempt using a more hacker-friendly open source board, the USB Infrared Toy from Dangerous Prototypes.
A good read if you want to learn the process of simple reverse engineering. Full article here.
Believe it or not, there’s actually a USB Host shield for the Arduino. The shield and its accompanying libraries let you talk to USB client devices… like this USB digital scale. Normally the scale is plugged into a PC, which reads the weight (I assume for weighing packages for mailing).
Oleg decided to add an LCD to the device so it could be used stand-alone. He’s using a run-of-the-mill 16×2 HD44780-compatible display, an Arduino, and the USB Host shield. The scale reports itself to the host as a HID device, but a little reverse engineering was still needed to work out which bytes of the HID report carry the weight. Once the target packets were identified, Oleg whipped up a sketch to read the USB report packets and push the information out to the LCD.
I probably wouldn’t have the patience for doing it this way; I would have tried to open it up and read the data from one of the sensors directly. But this hack introduces you to another avenue of modification, or input method. For instance, using a USB joystick or flight stick with the USB Host shield might be a great addition to a flame-throwing robot or something (lol).
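Oleg’s sketch is Arduino C on the USB Host shield, so the fiddly part is pulling the weight out of the HID report. Here is the same parsing in Python, as an example added here (not Oleg’s code). It assumes the scale follows the HID Point-of-Sale scale data report layout (report ID 3, status byte, unit code, signed exponent, 16-bit raw weight); that is an assumption about his scale rather than something the write-up states, and the two reports it feeds in are constructed bytes, not a real capture.

```python
"""Decode the weight report a USB HID postal scale sends (added example).

Assumed layout (HID Point-of-Sale "Scale Data Report"; an assumption, the
write-up does not say which format Oleg's scale used):
  byte 0    report ID (3)
  byte 1    status: 1 fault, 2 stable at zero, 3 in motion, 4 stable,
            5 under zero, 6 over weight limit
  byte 2    unit code: 0x02 g, 0x03 kg, 0x0B oz, 0x0C lb
  byte 3    signed exponent: weight = raw * 10**exponent
  bytes 4-5 raw weight, unsigned little-endian
"""
import struct
from typing import Iterable, Optional

STATUS = {1: "fault", 2: "stable at zero", 3: "in motion", 4: "stable",
          5: "under zero", 6: "over weight limit", 7: "requires calibration",
          8: "requires re-zeroing"}
UNITS = {0x01: "mg", 0x02: "g", 0x03: "kg", 0x0B: "oz", 0x0C: "lb"}
TO_GRAMS = {"mg": 0.001, "g": 1.0, "kg": 1000.0, "oz": 28.349523125, "lb": 453.59237}
SCALE_REPORT_ID = 3


def decode_scale_report(report: bytes) -> dict:
    """Parse one 6-byte report. Raises ValueError on anything that does not
    look like a scale report, rather than putting garbage on the LCD."""
    if len(report) < 6:
        raise ValueError(f"report too short: {len(report)} bytes")
    report_id, status, unit, exponent, raw = struct.unpack("<BBBbH", report[:6])
    if report_id != SCALE_REPORT_ID:
        raise ValueError(f"unexpected report ID {report_id}")
    unit_name = UNITS.get(unit)
    if unit_name is None:
        raise ValueError(f"unknown unit code 0x{unit:02x}")
    # Divide for negative exponents so 300 * 10^-1 comes out as exactly 30.0.
    weight = raw * 10 ** exponent if exponent >= 0 else raw / 10 ** -exponent
    return {
        "status": STATUS.get(status, f"unknown({status})"),
        "stable": status in (2, 4),
        "unit": unit_name,
        "weight": weight,
        "grams": weight * TO_GRAMS[unit_name],
    }


def first_stable_reading(reports: Iterable[bytes]) -> Optional[dict]:
    """Walk reports as a polling loop would and return the first one the scale
    marks stable. 'In motion' and fault reports are skipped; malformed reports
    are dropped instead of aborting the loop."""
    for report in reports:
        try:
            reading = decode_scale_report(report)
        except ValueError:
            continue
        if reading["stable"]:
            return reading
    return None


def lcd_line(reading: dict) -> str:
    """Format a reading to fit one 16-character row of a 16x2 display."""
    flag = "OK" if reading["stable"] else ".."
    return f'{reading["weight"]:>9.1f} {reading["unit"]:<2} {flag}'[:16]


# Constructed reports (not a real capture): one in motion, then stable 30.0 oz.
SAMPLE_REPORTS = [
    b"\x03\x03\x0b\xff\x1c\x01",   # in motion, 284 * 10^-1 = 28.4 oz
    b"\x03\x04\x0b\xff\x2c\x01",   # stable,    300 * 10^-1 = 30.0 oz
]

if __name__ == "__main__":
    reading = first_stable_reading(SAMPLE_REPORTS)
    print(reading)
    print(lcd_line(reading))
```

The stable flag is the detail worth copying into the sketch: a scale streams reports continuously while the platform settles, so the display should only update on a stable report, and a bad report ID or unit code should be rejected rather than rendered.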
Peter got the idea to turn his Raspberry Pi into a Wi-Fi access point in order to sniff traffic for research purposes. After following some tutorials on Adafruit to get his Pi into AP mode, he started dumping traffic.
He’s using hostapd to run the access point and handle client authentication, and started out just using good ol’ tcpdump to dump the traffic. After noticing the traffic was a little hard to follow in tcpdump, he moved to running a man-in-the-middle proxy script, which lets him see the traffic in a much saner manner.
In his example he is spying on the traffic an app on his phone generates, but the method could be useful for similar applications.
He has a bash script with his firewall rules up on his site, along with some explanation of his test app.
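The reason a proxy beats tcpdump here is that it hands you whole requests instead of packets. The write-up does not name the proxy Peter used, so the following is an example added here rather than his script: an addon written against mitmproxy’s scripting interface (an assumption) that prints one line per request and flags the things you would want to know about an app’s traffic, such as cleartext HTTP, credential headers and secrets in query strings or JSON bodies. The two requests at the bottom are constructed, not a capture from his phone; with the proxy running you would load it with `mitmproxy --mode transparent -s app_spy.py` (the file name is made up).

```python
"""Summarize what a phone app sends through a Pi access point (added example).

Written as a mitmproxy addon (an assumption about Peter's setup). The inspect
function only needs an object with mitmproxy's Request attributes (.scheme,
.method, .pretty_host, .path, .headers, .get_text()), so it can be exercised
on constructed requests without the proxy running.
"""
import json
from types import SimpleNamespace
from urllib.parse import parse_qs, urlsplit

# Header and field names worth flagging when an app sends them (constructed list).
SENSITIVE_HEADERS = ("authorization", "cookie", "x-api-key")
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "api_key", "apikey",
                  "email", "imei", "deviceid", "udid")


def _json_key_paths(obj, prefix=""):
    """Yield dotted key paths of a JSON document so nested fields get checked."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _json_key_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for value in obj:
            yield from _json_key_paths(value, prefix)
    else:
        yield prefix.rstrip(".")


def inspect_request(req):
    """Return a one-record summary of a request plus a list of findings."""
    headers = {str(k).lower(): str(v) for k, v in req.headers.items()}
    findings = []
    if req.scheme == "http":
        findings.append("cleartext HTTP")          # readable by anyone on the AP
    for name in SENSITIVE_HEADERS:
        if name in headers:
            findings.append(f"credential header: {name}")
    url = urlsplit(req.path)                         # mitmproxy keeps the query in .path
    for param in parse_qs(url.query):
        if any(s in param.lower() for s in SENSITIVE_KEYS):
            findings.append(f"sensitive query param: {param}")
    body = req.get_text(strict=False) or ""
    ctype = headers.get("content-type", "")
    if "json" in ctype and body:
        try:
            for key in _json_key_paths(json.loads(body)):
                if any(s in key.lower() for s in SENSITIVE_KEYS):
                    findings.append(f"sensitive JSON field: {key}")
        except ValueError:
            findings.append("content-type says JSON but body is not JSON")
    return {
        "method": req.method, "scheme": req.scheme, "host": req.pretty_host,
        "path": url.path, "content_type": ctype,
        "body_bytes": len(body.encode("utf-8")), "findings": findings,
    }


def format_line(info):
    """One request as one readable line, the view tcpdump does not give you."""
    flags = "; ".join(info["findings"]) or "-"
    return (f'{info["method"]} {info["scheme"]}://{info["host"]}{info["path"]} '
            f'{info["content_type"] or "no body type"} {info["body_bytes"]}B  [{flags}]')


def request(flow):
    """mitmproxy hook: called for every client request passing through the proxy."""
    print(format_line(inspect_request(flow.request)))


def constructed_requests():
    """Two made-up requests standing in for an app's traffic (not a real capture)."""
    login_body = ('{"user": {"email": "tester@example.test", "password": "hunter2"}, '
                  '"device": {"imei": "490154203237518", "model": "phone"}}')
    return [
        SimpleNamespace(scheme="http", method="POST", pretty_host="api.example.test",
                        path="/v1/login?api_key=abc123&lang=en",
                        headers={"Content-Type": "application/json",
                                 "Authorization": "Bearer abc"},
                        get_text=lambda strict=True: login_body),
        SimpleNamespace(scheme="https", method="GET", pretty_host="cdn.example.test",
                        path="/img/logo.png", headers={},
                        get_text=lambda strict=True: None),
    ]


if __name__ == "__main__":
    for sample in constructed_requests():
        print(format_line(inspect_request(sample)))
```

Note that HTTPS requests only show up with their bodies if the phone trusts the proxy’s CA certificate; without that you still get the host and the fact that the app used TLS, which for the first question (is anything going out in the clear?) is already the answer.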
Dragorn has a couple of tutorials up on his site about working with the HackRF SDR. Just like decoding weather satellite signals, decoding wireless remotes and other signals is cool too. If you’re familiar with the cheap RTL-SDR, then just know the HackRF is like that but more powerful (and it can transmit).
Dragorn starts out with part 1: inspecting a pair of car key fobs. In this tutorial he records the signals and inspects them using baudline. You can see the different encoding schemes the two key fobs use. Dragorn points out that actually decoding the data is pointless, as the fobs use a rolling code that changes the transmitted data on every press, precisely so that a captured transmission can’t simply be replayed.
And so he moves on to part 2: using GNU Radio, this time on something for which decoding the data is actually useful. For this one he is using a cheapo 433 MHz transmitter of the kind you’d use with an Arduino, like the ones used in this post. GNU Radio is a little more complex than baudline: you visually pipe inputs and outputs together between different blocks until you achieve the proper filtering and decoding.
Unless you’re just upgrading from Windows 3.1, you’ve seen the cheap rtl-sdr (software-defined radio) project. SDRs aren’t new, but someone figured out how to turn a cheap sub-$20 DVB-T TV dongle into a decent SDR, bringing the entry price low enough for everyone to experiment with them.
Every electronic device you own is screaming its name into the infinite void
Melissa Elliott has put together a presentation titled “Exploring the world of unintentional radio emissions”, which she presented at DEF CON. After introducing the concept itself, she shows how almost everything that runs on electricity emits some sort of electromagnetic signature. That signature can be profiled, and sometimes data can be decoded from it.
No, it’s not time to break out the tin foil hats or anything, but if you really are paranoid, Melissa gives some tips on shielding these emissions in the form of Faraday cages. You don’t have to be an old ham radio buff or even a budding electronics engineer to appreciate how cool SDRs are.
Steve already had a pretty smart thermostat running his house, but he wanted more control. After shopping around among some of the newer Wi-Fi thermostats, he decided they still didn’t provide the level of control he wanted. So rather than buying one, he decided to hack the one he had. His thermostat already had some wireless control, so it was up to him to figure out how it communicates and then control it himself.
Using one of those cheapo 433 MHz wireless receiver boards you see everywhere and a home-brew sound-card logic analyzer, he was able to capture the broadcasts as an audio signal. Once decoded, he used an Arduino and a 433 MHz transmitter to replay the messages he had captured. Now his PC can control when the system is on and off on a much more algorithmic schedule, and/or make use of other sensors.
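Silvio’s IR remote, Dragorn’s 433 MHz decode and Steve’s thermostat all boil down to the same loop: capture the on/off timings, work out which pulse widths carry the bits, check that the repeats agree, then regenerate the timings for replay. Here is that loop as a Python example added here (not code from any of those posts). It works on a list of (level, microseconds) runs, which is what you get from a scope trace, a sound-card capture or a GNU Radio edge detector, and it assumes pulse-width coding, where each bit is a mark whose length (short or long) carries the value, as used by EV1527/PT2262-style 433 MHz remotes and many IR remotes. The capture at the bottom is constructed, with deliberate timing jitter and one corrupted repeat; it is not a real recording.

```python
"""Pulse-width decode/encode for captured remote-control bursts (added example)."""
from collections import Counter
from statistics import mean


def split_frames(runs, gap_us):
    """Split (level, us) runs into frames at every low period of at least gap_us.
    Remotes send the same frame several times with a long gap between repeats."""
    frames, current = [], []
    for level, dur in runs:
        if level == 0 and dur >= gap_us:
            if current:
                frames.append(current)
            current = []
        else:
            current.append((level, dur))
    if current:
        frames.append(current)
    return frames


def decode_frame(frame):
    """Classify every mark (high period) as short or long and return the bits.
    The threshold is the midpoint between the shortest and longest mark seen,
    so modest timing jitter from a sound card or scope does not matter."""
    marks = [dur for level, dur in frame if level == 1]
    if len(marks) < 2:
        raise ValueError("frame too short to decode")
    short, long_ = min(marks), max(marks)
    if long_ < 1.5 * short:
        raise ValueError("marks all one width: not a two-width code")
    threshold = (short + long_) / 2
    bits = "".join("1" if m > threshold else "0" for m in marks)
    return bits, short, long_


def decode_capture(runs, gap_us, min_bits=8):
    """Decode every repeat in a capture and majority-vote across them, so a
    glitchy repeat is outvoted instead of silently producing a wrong code."""
    decoded = []
    for frame in split_frames(runs, gap_us):
        try:
            bits, short, long_ = decode_frame(frame)
        except ValueError:
            continue                     # sync pulses and noise bursts land here
        if len(bits) >= min_bits:
            decoded.append((bits, short, long_))
    if not decoded:
        raise ValueError("no decodable frames in capture")
    bits, votes = Counter(b for b, _, _ in decoded).most_common(1)[0]
    agreeing = [(s, l) for b, s, l in decoded if b == bits]
    return {
        "bits": bits,
        "agreeing": votes,
        "frames": len(decoded),
        "short_us": round(mean([s for s, _ in agreeing])),
        "long_us": round(mean([l for _, l in agreeing])),
    }


def encode_bits(bits, short_us, long_us, gap_us, repeats=3):
    """Turn bits back into (level, us) runs: a 1 is a long mark + short space,
    a 0 a short mark + long space, each repeat ending in the inter-frame gap.
    A transmit sketch steps through this list, toggling the LED or 433 MHz
    module and delaying by each duration."""
    runs = []
    for _ in range(repeats):
        for b in bits:
            runs.append((1, long_us if b == "1" else short_us))
            runs.append((0, short_us if b == "1" else long_us))
        runs[-1] = (0, gap_us)
    return runs


def simulated_capture():
    """Constructed stand-in for a real trace: three repeats of a 12-bit code
    with deterministic +/-30 us jitter; the third repeat has one flipped bit."""
    repeats = ["101100111000", "101100111000", "101100101000"]
    runs = []
    for i, bits in enumerate(repeats):
        for j, (level, dur) in enumerate(encode_bits(bits, 350, 1050, 10850, repeats=1)):
            jitter = ((i * 7 + j * 13) % 61) - 30
            runs.append((level, dur if dur >= 10000 else dur + jitter))
    return runs


if __name__ == "__main__":
    result = decode_capture(simulated_capture(), gap_us=5000)
    print(result)
    replay = encode_bits(result["bits"], result["short_us"], result["long_us"], 10850)
    print(f"{len(replay)} transitions ready to replay")
```

Pulse-distance codes (NEC-style IR, where the mark is fixed and the space between marks varies) need the same classification done on the spaces instead of the marks. Dragorn’s key fobs would decode just as readily, but, as he notes, the bits change on every press, so a faithfully replayed frame buys an attacker nothing; the cheap remotes and the thermostat have no such protection, which is exactly why replaying them works.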