Re: RF code scanners

From: Maarten Van Horenbeeck (maarten_at_daemon.be)
Date: 06/17/04

  • Next message: Yonatan Bokovza: "RE: Starting up: What contracts, agreements, waivers, etc do you use?"
    Date: Thu, 17 Jun 2004 05:27:15 +0000 (GMT)
    To: pen-test@securityfocus.com
    
    

    Hi Amit,

    All vendors of preinstalled garage doors or similar devices do indeed have
    different transmission "data" being sent over the line. The exact protocol
    used is proprietary, at least most of the time. Keep in mind, though,
    that most of such devices installed by private contractors which are not
    affiliated with any of these companies use one of the "generic" models,
    such as Multicode. It should usually be quite easy to ascertain which
    company installed a certain door, and which brand of device they use.
    Obtaining a different remote from a known, existing company should also
    not be a very great problem. I'm not much of an electronics engineer
    myself, but I don't see too many problems in replacing the manual code
    definition system (e.g. the jumpers or buttons you use to set the code) by
    some form of electronic brute forcing system. If you can't get a new
    remote, the transmission frequency can be obtained from brochures on their
    devices (the technical notes should include frequency information).

    If you are investigating the security of a new application, for which none
    of this information is known, I would try to use a broad spectrum
    HF/VHF/UHF scanner, trying to catch the specific frequency on which a
    command is being broadcast. As this type of application has not yet been
    under a great deal of security scrutiny, it seems best to concentrate on
    that favorite of all attacks, a replay attack. Would such an application
    execute similarly when a command is being sent and when an identical
    command is sent five minutes later? While progress has been made in the
    last number of years, I doubt very much that the majority of installed
    devices already have built-in protection against such an attack. One
    fairly new (2001) device which I tested seems to send through the exact
    same signal each time. It doesn't seem rational to assume that most end
    users would upgrade their device due to security concerns.

    While I would advise you to use a standalone scanner (not one controlled
    by a PC, as this most definitely causes some additional
    interference/harmonics), winradio.com has some devices which can be used
    as a receiver for the 300 MHz frequencies, used by a lot of these
    applications. A good tool to actually perform frequency analysis is
    Hamcom, an older shareware tool used by many radio amateurs. This can
    help you in comparing whether two signals are identical or not, and where
    the differences are.

    There is one small problem with this theory. Usually, even if you are
    scanning only a very limited frequency range (310-390 MHz for example),
    the short time during which a user presses the "open" button may be too
    short for the scanner to catch the entire channel. There are two
    solutions to this. First of all, you could scan once to assess the signal
    frequency, and afterwards put your scanner's ear to this frequency
    permanently in order to catch the entire transmission next time it occurs.
    A second solution would be to run a very local jammer close to the
    receiver, while running your sniffer in a location closer to the place
    where the user actually attempts to open the door (e.g., put a scanner
    close to the garage door, while running the sniffer on the driveway, close
    to the roadside). The user will be tempted to press the button for a
    longer time, causing you to receive the entire transmission.

    As you may have guessed, there are no catch-all solutions. Newer
    systems, such as Genie's IntelliCode, use more secure authentication, in
    which a different code is agreed between both receiver and sender upon
    each command transmission. This is valid for all their systems as of
    1995. Similar systems are now also sold by other vendors.

    The most reasonable approach to the security assessment of such a system
    should consist, at least in the beginning, of signals intelligence, and
    would start by actually capturing different instances of the signal,
    comparing them, and analysing their differences. I'm not aware of any of
    these protocols which have been identified completely yet (though I do
    recall something of a court case against a company which built universal
    door openers for different brands, so this information should be
    obtainable).

    Cheers, good luck,
    Maarten

    --
    Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
    http://www.daemon.be/maarten
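The post contrasts fixed-code remotes, which send the same signal on every press and so accept a replay, with rolling-code systems such as Genie's IntelliCode, where the code changes with every transmission. The following simulation is an added example, not code from the original post or from any vendor: it models both receiver types and runs the same "capture one press, replay it later" check against each. The rolling-code scheme used here (an HMAC over a monotonic counter with an acceptance window) is a constructed illustration of the principle, not the real IntelliCode protocol, and all keys, serials and codes are made-up values.

```python
"""Constructed simulation: fixed-code vs rolling-code receiver under replay.

Added example, not code from the original post or any vendor. The
rolling-code scheme (HMAC over a monotonic counter, bounded acceptance
window) is an assumption chosen to show the principle; it is not Genie
IntelliCode or any other real protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    serial: int    # identifies the remote
    counter: int   # always 0 for a fixed-code remote
    tag: bytes     # the fixed code itself, or the MAC for rolling code


def _mac(key: bytes, serial: int, counter: int) -> bytes:
    """Authentication tag binding this remote's serial to one counter value."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class FixedCodeRemote:
    """Mimics a jumper/DIP-switch remote: every press sends identical bytes."""
    def __init__(self, serial: int, code: bytes):
        self.serial, self.code = serial, code

    def press(self) -> Frame:
        return Frame(self.serial, 0, self.code)


class FixedCodeReceiver:
    """Accepts any frame whose bytes match the configured code, forever."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: Frame) -> bool:
        return hmac.compare_digest(frame.tag, self.code)


class RollingCodeRemote:
    """Shares a key with its receiver and advances a counter on every press."""
    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self) -> Frame:
        self.counter += 1
        return Frame(self.serial, self.counter,
                     _mac(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    WINDOW = 16  # how many unheard presses (out of range) are tolerated

    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.last = serial, key, 0
        self.rejected_replays = 0  # worth logging: a replay that was tried

    def accept(self, frame: Frame) -> bool:
        if frame.serial != self.serial:
            return False
        expected = _mac(self.key, frame.serial, frame.counter)
        if not hmac.compare_digest(frame.tag, expected):
            return False
        # A counter at or below the last accepted one is a replay; one far
        # ahead of the window is out of sync and also rejected.
        if not (self.last < frame.counter <= self.last + self.WINDOW):
            if frame.counter <= self.last:
                self.rejected_replays += 1
            return False
        self.last = frame.counter
        return True


def replay_check(remote, receiver) -> tuple:
    """Capture one press, replay it later. Returns (first_ok, replay_ok)."""
    captured = remote.press()
    return receiver.accept(captured), receiver.accept(captured)


def demo_fixed() -> tuple:
    code = b"\x5a\x3c"  # constructed 16-bit fixed code
    return replay_check(FixedCodeRemote(1, code), FixedCodeReceiver(code))


def demo_rolling() -> tuple:
    key = b"constructed-shared-key"
    return replay_check(RollingCodeRemote(7, key), RollingCodeReceiver(7, key))


def demo_window() -> tuple:
    """Presses the receiver never heard: a few are fine, too many desync."""
    key = b"constructed-shared-key"
    remote, rx = RollingCodeRemote(7, key), RollingCodeReceiver(7, key)
    for _ in range(5):
        remote.press()                       # counters 1..5, out of range
    in_window = rx.accept(remote.press())    # counter 6 <= 0 + 16
    for _ in range(17):
        remote.press()                       # counters 7..23, out of range
    out_of_window = rx.accept(remote.press())  # counter 24 > 6 + 16
    return in_window, out_of_window


if __name__ == "__main__":
    print("fixed code   (first, replay):", demo_fixed())
    print("rolling code (first, replay):", demo_rolling())
    print("rolling code (in window, out of window):", demo_window())
```

The replay counter on the receiver is the detection hook a defender would want: a fixed-code receiver cannot tell a replay from a legitimate press, whereas a rolling-code receiver can count and report them.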
    
