
So I'm going to go ahead and get started on the first part; I think Justin still has some stuff to set up for the demo. My name is Price MacDonald, I'm a security consultant for Coalfire Labs, and so is Justin Berry. As you can see here, at Coalfire Labs we do all sorts of pen testing, risk advisory, all that kind of stuff. It's kind of a key note from the talk a couple ago: if you're not sure whether it's the right pen test for you, just ask for a sample deliverable; that usually clears up the problem. This happens to be a project that we were working on; it's more of a PD-type training project internally. It started as a hardware hacking, physical-type scenario that we were going to do for a client, and then it sort of morphed a little bit into more of a radio thing, which is what we'll demo for you guys later on.

So, cybersecurity. This is actually, believe it or not, a screenshot from an engagement that I was working on. It was a device used to power really expensive cars that run on electricity and not gas, and when you booted this up... I mean, I spent days reverse engineering the binaries we got from their websites, looking at all the datasheets, trying to figure out exactly what I was going to do. Actually boot it up and connect in through a console cable, and it actually stops at a prompt asking if you'd like to enter hack mode, as you can see up there. Like, that's real, and sure enough, you hit H and it dropped you into a root prompt, which is kind of the impetus for this talk. When I started to get into hardware I thought it was much more difficult than it actually is; it's really not that hard. It's a great training ground to learn other skills like web app hacking and network services hacking, because you can go to Amazon, Best Buy or whatever, go spend 60 bucks, and you've just got a custom-written web service, a custom-written web browser and all this other stuff that you can play with.
This is kind of the methodology that we use, that I helped develop. So you start by taking the thing apart, voiding the warranty if you will, and identifying all the components: what are the things, how old or, in this case, trivial are they? Pin-out reversing: what's where, how do you connect to what, where is that UART or JTAG interface? Then you connect to it and kind of go through your normal pen test circle. One thing that I'll illustrate that's very important is that pen testing is always an iterative process. You don't just look at the first go-around and stop there, like "all right, we got root today, we're done, write the report and give it to the compliance audit." That's not how it works. You really need to keep going through that process, because inevitably you'll provide more value to your client; in addition you'll find more findings, as we discovered.

So where do we get the things to break? When I talk to people about this, whether at conferences or at work or at the bar, it's like "but all that stuff costs money, it's expensive." There's actually a lot of ways to get this stuff really cheap. Beta programs are awesome. Make sure you read the EULA, because some of them do stipulate no reverse engineering or things of that nature, or you can't break this open until after our demo is done, and that sort of thing. But these companies, and these are just a few, if you search for IoT demo programs you'll find many of them out there, actually have programs where they will give you the hardware if you agree to run it in your house for 60 days or what have you. I did one where it was a home security system with cameras and everything; I literally just pointed it in the corner in the basement, it gave them all the data that they needed, and I was able to do my testing. Flea markets are great; we're both from the Denver area, we have this huge thing called the Mile High Flea Market where you can get all kinds of stuff. eBay is great for test hardware. Don't ever buy anything you actually want to rely on off of eBay. If you're trying to learn reverse engineering, a fun thing to do is buy the cheapest home router that you can find off of eBay and then go reverse engineer the code; more than likely it's going to come with added value from whoever sold it to you. Craigslist is another option, including garage sales, because everybody's got little Comcast modems or Linksys routers that they don't care about anymore; you go pick it up for 5 bucks, and if you break it, no harm no foul, right?
So, voiding the warranty. I always include this slide on here because it's always helpful to have when you go to Home Depot. That being said, I have seen somebody melt the end of a Bic pen and just mush it onto the screw and get it out that way too. But voiding the warranty, it is what it is. Some of the hardware we test for work obviously is a little more high-dollar, and they know what's going to happen, so they provide multiples. But X-Acto knives, heat guns are really nice too; if you're taking apart like a little USB key or something along those lines where it's heat-sealed, if you just hit it with the heat gun usually it will come apart without actually destroying it. I have not used that, but I wouldn't recommend playing... interesting, I'll look into that, I've never tried that before.

So, tamper resistance. If you've bought it for your home, not such a big deal; if it's a little higher-end device that you were able to get off Craigslist, a little more of an issue. The left screenshot is actually from a device that I was testing for work. Have you guys ever done any hardware work before, anybody? Have you guys ever run into epoxy, where they epoxy the chip so you can't read it? That's what they did; you see all the black stuff. Do you notice it also looks kind of shiny? So this was meant for a marine-type environment where electronics get corroded, and they often cover things in silicone and stuff like that so the moisture doesn't get in there. In this case they put silicone below and above the epoxy, so literally my fingernail just took it off. So sometimes tamper-resistant isn't actually, and sometimes it doesn't matter. This is a similar picture from a device that I was testing for an engagement where they had a tamper-resistant switch, but when you took the cover off it was never depressed. Never ceases to amaze me. But on our engagements we always try and test the customer's response as well as breaking their things, to again provide more value. So over coffee one morning I sat there and I pressed the button for a good 40 minutes until I finally got a phone call. They were a little bit perturbed; they didn't know the alarm was going to go off, and I told them that in this scenario we sat there over coffee and pressed it until they called us. Then they immediately went and fixed that problem; they had no idea that tamper switch never actually got activated.
So, component identification. We've torn it apart; now we need to find the thing in the thing. What do you guys see, those of you that have done this before or are curious? What seems interesting to you guys about that picture? Yep, we definitely got some antennas here. Anything else? It is a wireless router. I actually use this specific model because this talk is more about training and awareness, that kind of thing. I use this specific model because it's been around since wireless internet; this is the Linksys WRT54G that they then spun off. This is the L version, which disables all tamper protections and things like that. So it's these right here, and I don't remember, forgive me, which one of those is UART and which one is JTAG. It's a great example because you can actually get in here and do this work without having to worry about being foiled by protections. So we have a Broadcom chip here. Back to the obsolete part: this is actually a new model that I bought off of Amazon last year, and that specific system on chip, or SoC, has been end-of-life for almost six; not a whole lot of development going on there. I've got the wireless chipset under here, some flash and some memory here, which are a bit of interest once we get into the reverse engineering, but not much. These headers are where it is at. So now we know what we need to find; how do we connect to it?

So it's arts and crafts time. It usually takes a second, but that is actually from an advertisement from a for-profit university for their electronics course, that's great. So these are some of the things that you need for arts and crafts; I think I stole that from some class too. Debug headers, wiring and the soldering iron is really all you need to get through this part on a basic level. That's a Weller soldering unit; you can get by for, I think we saw one today at Walmart because we forgot part of our demo, for five or six bucks. And this is trial and error. I took a class four or five years ago now with Joe Grand, and at the end of that class he gave me a little sticker that says "you solder like a monkey," which I have worked hard to rectify.

So, finding ground. Without ground this doesn't matter, right? Voltage is great, you need voltage for current, and you need voltage for input/output data transfer, but without a ground reference you're not going to know about your testing. One specific thing to note: some more high-end hardware has what's called a floating ground, so if it's supposed to operate at five volts it'll have a floating ground that moves up and down in correspondence with all the data that's being transferred. So not all ground is without voltage, something to keep in mind; I've only seen that on a few medical devices, but it's there.
A great way to use this, the multimeter is what I use; they've got what I call beep mode. I'm not an electrical engineer; it beeps when I connect the two probes together, it's beep mode. Another caveat to that beep mode: what it's really doing is sending power in one side to power the speaker back in through the other side, and if you're working with sensitive electronics that can actually be enough power to damage the circuit. So for home stuff, if you're learning, not usually a big thing, but as you go on and advance that could be a problem. In this graphic over here, ground is usually on the side of the DC barrel plug, which is a great way to find ground.

Physical countermeasures. So I saw some of you guys in the talk that they were doing earlier; this is kind of something that they were talking about as well: pull-up/pull-down resistors, cut traces, things like that. This specific one was off of an SMB firewall that we were doing an engagement for. As you can see here, we've got some traces where they just left holes and nothing else, and we've got some solder pads here. I couldn't represent this in a decent diagram, but this is how this works: if you connected this pin to this pin and soldered this pad to this through-hole, this pin is pin and this pin gave you UART. That took a really long time to figure out.

So, some of the common types of interfaces that you will see. UART, which is a form of serial. Do we have any old telecom guys in here like me that used RS-232 serial and old Cisco gear or anything like that? Yeah, a few in here. It's slightly different; it operates at a lower voltage, and if you connect your UART device, like the Shikra, the Bus Pirate, things like that, to an actual RS-232 interface, bad things happen to your test equipment. I2C, chip-to-chip communications, also something you see. SPI for flash data transfer, you see that quite a bit as well. JTAG, which we brush up on quickly here but not a lot, just because there is so much information to do with that, and I believe there are some people that teach several-day courses using JTAG. CAN bus is something that I'm starting to see more often on some of these bigger devices, typically associated with cars but not always the case; we've seen CAN buses in ATMs and things like that as well. And then RS-232 serial, which you still do see in some devices outside the networking arena.
So, pin-out reversing: how do we connect to the thing? Saleae makes a great logic analyzer. I know a lot of you guys in here are students; they do have an EDU discount, you just email them ahead of time and you can get, I believe this is the Saleae Logic 8, and it's like fifty bucks after their student discount, really affordable. I often talk to folks that have bought these third-party, black-market off of eBay, counterfeit-from-China kind of thing; it's just really not worth it. These function and are built better, and for 50 bucks that's the cost of one of the cheaper devices you'll be working with.

So, connecting interfaces. These are some of the more popular ones. The Bus Pirate I seem to see a lot more often; I don't know why. The Shikra is what I prefer, made by Xipiter, who are gracious enough to sponsor this event as well. And then this TIAO USB Multi-Protocol Adapter; this is kind of the one I started with and I still use it, the reason being you can do two interfaces at the same time, so I don't have to have like a USB hub full of Shikras sitting on my workstation. All good options, some faster and slower and cheaper than others, but they're all, I mean, less than 50 bucks, I think.

So, connecting to UART. This is that Linksys output; literally, I had to change the screenshot here a little bit, it's not exactly how it looks. You use screen to connect to the interface; this is on a Linux device, so on a Mac it'd be /dev/cu.tty, and that's how you connect in there, and COM1 through COM5 on your Windows box. But you hit Enter and you get a prompt, and you literally just have a root shell on the device.

So now we have a shell, but what now? I used to have a book when I first started in InfoSec seven or eight years ago as an information security officer; we had a book called No Tech Hacking, and it was just basically old Linux tips and tricks, and a lot of this stuff comes down to this. In this particular case, this was that same device I was showing you the silicone thing on before, and it's also a key reason why enumeration after you get access is so important. So we connect to this device, we hit Enter, take a look at netstat or lsof; sometimes netstat's not always available on these devices, but you take a look at the running processes and we see here that on port 5555 it's running thttpd. Most people don't know this, but by default its configuration is to run it as root, and if you don't specify a directory it's the root directory, okay, which is really, really handy and also something very easy to fix. On the bottom right-hand side, I protect the names of the not-innocent; it was the SSID and everything. This was the wireless configuration file that it was using to connect to its
remote base station, but it also had the client passphrase, the AP passphrase and the SSID to connect to. So I copied this over to my host, and I'm now on the wireless network that is the exact same as everything else that they're connecting to. Another simple example of this: the top left-hand corner, when you press the, I want to say it was like the restart button on the front of that Linksys router, it just dumps the clear-text passwords out, which is not all that helpful unless you bought it used from your neighbor. Password reuse is a thing.

So, file system fiddling. This is probably the most fun thing that I enjoy on an engagement when I'm doing a pen test. I love post-exploitation; popping shells is great, but where's their good stuff at? How do you make it valuable to the client? A lot of cases we've seen where they include sections of flash memory that are mounted to build the system or upgrade various things like that, that are not there under normal operating circumstances, and this is one of those cases. This is a resource that I use, because I am horrible: if I don't do it every day I don't remember it. These are kind of my cheat sheet on mounting different file system types and looking through devices on a machine. We'll send the slides out afterwards, a Twitter link or whatever, but you guys will have this too. It's just a good resource, and it pretty much all came from this link down here on the bottom. But basically what we're trying to do is mount; I mean, think of it like your PC, you have the secret stuff that you don't want normal users to see on your machine, so maybe you have it on a removable hard drive or something like that. This is mounting their secret stuff to see what else is on there. In this case we didn't have any real good way of getting it off; there was no netcat, there was none of that stuff. So again, coffee break, fantastic, we need coffee. This took about 45 minutes to an hour, I want to say, but we base64-encoded the entire memory device and then captured that through a screen log, and then base64-decoded it on our machine from the log and recreated the storage that way, which I thought was kind of a waste of time until we came up with this.

So this is what I call "SSH whoops." So I was going through there, and in this they had the actual history of every command run to build the system. This is their SSH private key without a password, along with the known hosts that they had used it to connect to. Yeah, not good.

So, all right, you've got a shell. To play with memory or do some other trick to
get access to the system, this is another option, like direct memory access or something like that. JTAG is a great thing; again, the Shikra will work for that. The Segger J-Link, I have a personal one that I use; they give an educational-use discount that cuts a zero off, and that's what you can buy the educational version for. It does come with a little less functionality, but it's also five hundred and forty dollars less, so it'll get you going; it's very helpful. A larger box, something like that over here on the right, they get very expensive, but for some of the more intricate chipsets and stuff like that we have had to make up for our knowledge with some technology and use something like that. The JTAGulator, Joe Grand's hardware project that he created, is phenomenal. I equate this to changing every single pin in every combination possible by hand; for a hundred and eighty bucks, I want to say, you can automate that and it happens much, much quicker. You'll see what you need to connect to where for the type of device you have, right here, which allows you to connect through, typically, OpenOCD, an open-source software package out there. It's a great tool, but how do you connect with it? Well, here's the command for your guys' reference, because again this is all with that same Linksys router, as far as all the default installs of OpenOCD on BSD. You hit Enter and you see all these error messages that look really bad; however, it does open up listeners on your machine. You can then connect into port 4444, the telnet interface you can actually connect into, and get access to the debug information, and here you can see that exact same target name is what we had found in the previous configuration file. From there you can do any Linux-type exploit dev: printing out, grepping through memory registers, MIPS here on the side. As long as you use a multiarch build of GDB you can do that regardless of whether it's a MIPS or an ARM core.

So, reverse engineering. This is really kind of where it gets a little bit harder and diverts from the purposes of this type of talk. These are some of the options that you have: IDA Pro is definitely the most common, what I use for personal research and for work stuff; Radare2 is also good, text-based, multi-platform support, although no decompiler; and another one worth noting is Binary Ninja. It's a newer tool; I believe they have a paid version out now, but the really cool thing about that is they've developed this intermediate language, so once you learn that one you can reverse engineer or script anything using that reverse-engineering intermediate language. Pretty awesome.
So, other nice-to-haves: desktop power supply; USRP, really, that's the one I have, but any sort of SDR, which we'll see here in just a moment; a hot-air gun; chip reader; Proxmark, also RFID is very common when you're dealing with hardware-type devices, and if there's one thing that's worse than hardware security it's the RFID tags that we all use for authentication; and a toaster oven or hot-air rework, a hot-air rework station. The only thing I have to say about that is know what type of connectors you're putting in there, because some of the Molex-type connectors that you see on boards will actually melt under the heat. I'll tell you about that afterwards. We don't want to... local hackerspaces, where their toaster oven pulls multiple duties in order to save cost, and it's just not...

So what's next? Now it's time for the hacking: two hands on one keyboard, another game anyway. So, Justin Berry, I'll let him do the SDR portion of this demo with the security systems that we were working on. We do have an alarm that's going to go off, so if your ears are sensitive I apologize; we're going to wrap it with a t-shirt just to kind of dampen it, so apologies if it's too loud. Give me just two seconds to set a couple things here.

A little bit of backstory: we actually had a slow kind of a few days at work, so we wanted to come up with some other project, went out to Amazon, and found this home security system here that we're working with. It seems to be rebranded under about 17 or 18 different names, all sold for relatively the same price on Amazon, and what we discovered was a vulnerability in its implementation for its sensors. It is not just for this type of device; it has to do with others as well. The home security system that my parents paid for from a cable company has this exact same flaw in it, which is unfortunate, but it's kind of the society that we live in today. It's also why we like working on these types of projects: we're all about security, but when you implement something that's supposed to make you more secure and it does the exact opposite, it's really kind of frustrating. I don't like to drag people through the mud, so I sort of eased a little Arduino hack sticker onto the thing to obscure their logo. We did reach out to them and they have yet to respond, but again, to not drag anyone through the mud, we'll just leave their name out of it. But I imagine if you go to Amazon or anything else you'll see something very similar to this. Again, this is not a new attack vector by any means; it's not like we're dropping some 0-day or something like that. This is more of a good, real-world, affordable education example that other people can learn from and reproduce and kind of get their feet wet themselves.

To get rid of... are you clear? Okay. The main reason we're plugging the cameras in is so you can actually see the display we have to work off of, just the siren.
All right, let's just find out. Hello? This is none, apparently. All right, we'll just go with the screen then. You're welcome; honestly, it's pretty piercingly loud.

All right, so, kind of a pivot from what Price was talking about with all the hardware stuff. How many people have experience with SDR? Very few, all right, cool, then this will be valuable to a lot of people, hopefully. All right, so SDR, what does it mean? Yeah, actually, no, you're incorrect: it's Special Drawing Rights, created by the IMF in 1969 as a supplementary... no, just kidding, that's the Steve Harvey there. So SDR, it is in fact software-defined radio. It's a radio communication system where components that have typically been implemented in hardware are instead implemented by means of software running on a personal computer or embedded system. So here's just a few different types; in my opinion these are probably the most popular SDRs, your mileage may vary. The one on the left there is the RTL-SDR; it can be had for about 25 bucks off of Amazon. It's very similar, from what I saw, to the one they're selling out there in the lobby. Its advantage is it's cheap and it will let you sort of get your feet wet with this, to determine if you want to invest money in one of the nicer ones. The disadvantage to it is it's receive-only, so you can't actually transmit with it, which is only going to net you so much fun; it's only going to be fun for about this amount of time. It took, all in, about 20 minutes of me playing with it before I realized that I was going to have to spend some money to actually have a good time with it. The HackRF One there in the middle, and that's all we're going to be using today, take a look: significantly more expensive, about 315 bucks off of Amazon. It's a Great Scott Gadgets project; Michael Ossmann actually designed it, he runs Great Scott Gadgets, he's doing a class at Black Hat in Vegas this year, highly recommended. You can receive and transmit with it, only at half duplex; however, I haven't come across any sort of event where I needed full duplex, thus the reason I did not spend $900 on the USRP. It is full duplex, receive and transmit; like Price said, this is the one he has, because he always has to one-up me for whatever reason. This one is more high-end, it's got dual antennas, they are configurable. Again, like I said, full duplex is probably the big selling point for it, with the dual antennas, just not anything I've needed at this point, so the price point and the feature set wasn't really worth it for me.
And apparently, I don't know if you guys knew, but these cause tornadoes. Sure you guys all recently heard about the Dallas tornado siren hack; all the tornado sirens were triggered. They did come out and disclose that it was not a network-level attack; based on how those are triggered, the assumption is it was probably an SDR attack. So how could they have done this? They could have recorded the commands during a system test or an actual tornado and just done a replay attack and replayed it; there's no authentication. I mean, there's no real details on it yet, so nobody really knows at this point, but me and a couple guys in our office have had a few good laughs and think this is probably how it happened. The little... that's my favorite part: the only way to actually stop those sirens was to unplug the radio systems and the repeater. It took them a long time to actually power down that entire thing. We will get into a similar conundrum of whether or not this was done maliciously or were they just trolling; we'll kind of get into the same thing in a little bit.

So, a couple types of software here. Again, I think these are the most popular; I don't have a ton of experience with this, but enough for this project to actually make it worthwhile. So on the left we've got GNU Radio. In my personal opinion GNU Radio seemed to have a very steep learning curve at first. It's block-based, it is very powerful from what I've seen, but there's a steep learning curve. The Great Scott Gadgets website, they've got a ton of material on it to go and learn if you want to learn how to use it. Personally, for me, Gqrx, I didn't find a logo for it; their interface was much more intuitive in my opinion. It was pretty much dive right in and get going on it; a few tweaks here and there and you're pretty good to go. In all actuality I was walking through our office one day and a co-worker had, this is called the waterfall, had the waterfall up, and of course if this didn't immediately attract your attention something's wrong with you. So this caught my attention, asked him what's going on, he showed me, then I bought the little tiny SDR, and then I spent three hundred thirty bucks buying this bigger one, so thanks. Oh, and a quick thing: Gqrx is actually built on top of GNU Radio, so it's more of just a better interface to it. So, without further ado, let's get us some demos.
What's your favorite radio station around here? Anyone? Good rock station? Anyone? Oh, got it. All right, we'll just pick... anyone? Let's give it a shot. If it doesn't work it's your fault, thanks. And I'll go over some of the tweaking parameters and everything. Not seeing a lot, man, not going to lie. We got four choices, see if any of those... well, I'll just try one. It's really just a quick demo to get through the matter. So this is the waterfall, like I was talking about earlier, so you've got all these little different colored streams; those are obviously different signals. The reason we're in the spectrum that we're in is 104.3, so obviously everything right here at this area is going to be radio stations, right? So I would say the easiest way to look at this is based on signal strength: blue is kind of like your control test, you've got the yellows which are more intense. Obviously that's kind of run-of-the-mill, so that means it's wrong, right? The antenna is the ANT500; it came with him, that guy right there, it's better than a clothes hanger, but not... it gets the job done.

$315 radio comes free with any car you like, thank you, good night. All right, so that's just a quick demo to get your feet wet and take a look at what you can do. Up here at the top is the spectrum panel, down here is the waterfall; those are the two main components, obviously. Over here on the side you've got a couple different things you can change; in the interest of time I'll just kind of skip over most of it and just talk about the high points. Let's go over some of the sliders here. So this frequency zoom: if you can see right here there's 101, there's 108, so this is the entire spectrum between 101 and 108 megahertz. You can take this frequency zoom and actually dial in to whatever frequency it is that you're trying to see; obviously the stream gets bigger. Long story short,
if you're trying to pull down like a police radio or something along those lines, or pagers, as we'll see here in a few minutes, that fine-grained detail actually makes sense, because once you get out of the core band of that signal it really distorts and you get awkward beeps and other things, and sometimes you have to dial it in really fine to what you need. So that's pretty... the general rule with, um... I'm sorry? [Audience question] Yes, they actually come from that background. They have the ability to encrypt; a lot of it is still unencrypted, and most of the encryption that they do use is still RC4.

Good questions. We don't condone it, we're just saying it's possible. Yeah, the general rule of thumb that the guy that actually got me into this told me, it might be true, I don't know, it seems to work well for me: you want to get your waterfall a dark blue color. So like I said, high-level review, some of these sliders you can tweak, kind of move it around until you get that background to a sort of darker blue color, which just helps you realize there's a new signal, especially for more faint signals. So as you see, when the background gets darker the signal kind of stands out a whole lot more, so it helps you identify really faint signals. Same with this up here at the top; this slider here can adjust your spectrum, where it lands. I'd like to keep it right on top of the waterfall and make it pretty prominent, as such, so any really faint signals like this one right here, you're going to see a spike; it's really easy to identify visually, makes that a lot easier. I talk like I've identified some really weak signals before; I haven't, I'm just saying if it ever came about that's probably how I would do it, I'm guessing. All right, so in a nutshell that's why I like Gqrx, because you pretty much dive right in, play with some settings. I'm sure you guys are all tinkerers; I didn't really look up half of this before I even played with it, I just tried to play with it until I realized what it did, and then kind of did some research on it. But yeah, you can dive right in and it's really easy to get some fun stuff out of it pretty quick.

So, next demo: pagers. Disclaimer: this is something you can do pretty easily, but the information that you can obtain can be sensitive, so it should be treated properly. Obviously we've made every effort to make sure that no sensitive data gets distributed or seen or anything like that. Basically, if you're scared, don't do this, pretty
much correct. A couple prerequisites for this: you need sox installed as well as multimon-ng, whatever distro you're using, or if you're using Mac, maybe Windows, I haven't really checked. You'll probably need those installed through various package managers or through sort of complete packages, binaries, that sort of thing. So one of the abilities that Gqrx has is to be able to stream the data out over a UDP port, and then you can receive that data over UDP and decode it. Yeah, right, so basically we're gonna be listening on UDP port 7355. We can tune into the frequency that pagers come across, I don't remember exactly what it is off the top of my head but we'll look at it shortly, I kinda bookmarked it. You can dump that all out to the UDP port, which is what we're gonna do, so that raw output is gonna come to the UDP port, it's gonna get piped into sox with a few parameters, and it's gonna go from there to get piped into multimon-ng with a few other parameters. We're actually gonna dump that out to a file, then we're gonna tail that file so we can grep out any sensitive information, which is how we're preventing any sensitive information from disclosure. As you guys can imagine, who still uses old-school drug-dealer pagers?
To actually capture this, I'm going to use the hackrf_transfer binary. I'm sure you can do this with Gqrx or probably GNU Radio, but this was just way simpler and quicker and it worked really well for me, so your mileage may vary on however you want to do it; this is how I did it. So we're going to receive into a file, we'll call it disarm, frequency is 433.99 one zero zero, we'll turn on the amplifier, we'll turn on listen gain to 26.

So that is receiving the capture. All right, so we're getting armed. Can everybody make out what that says? Apparently gonna hit it twice. So it's armed, and then to transfer it, same thing, except we're going to use transmit gain instead, and we're going to transmit the file instead of receiving. [Audience interjection, inaudible.] It's armed now, it's hitting my basement, just so you know. So what else do we do? Let's have some fun with it. Remember that conundrum about security versus [inaudible]. So the SOS button, let's go and capture that. Yeah, basically this part, yeah, we continue on. Or even the remote with rolling codes as well, with most garage doors nowadays, actually. So we just captured the SOS button, which is essentially the panic button. Obviously it's SOS alarming now, so basically if you're sitting about a block away from your target's house and they happen to use this remote, I mean, you're gonna have some fun. For example, they didn't test it, they're gonna walk and half the two blocks away from my house.
Yeah, question. [Audience question.] It's delivered, but if you've ever had a wireless doorbell, the longer the street is, the more likely it is that somebody else has the same frequency. Yep. All right, so the other thing is that these capture files can be treated exactly like any other file, so literally all I did there was just append one file to another. Mm-hmm, see, it's disarmed, SOS, alarming, yes, disarmed again. So the other cool thing is the hackrf_transfer binary has a repeat function: armed, alarming, armed, alarming, so on and so forth. Right, yeah, lots of fun stuff there. So the other thing that we discovered was the door sensor. Obviously you screw one piece into the wall, one piece to your door or your window; whenever the sensor breaks it alarms and it gives it a specific zone number. It's kind of hard to read, but it says zone 2 0 1 0, so this specific sensor is tied to a specific zone in your house, and it runs on the same frequency as everything else. So let's capture that.
It transmitted. As you see, it's armed, and now someone's chasing down a window in their house and you're laughing. Is there anyone... It's a little harder to capture the reverse of this as well. That retransmission we saw where it said closed, you can replay that as well and the system never knows that the window or door... Yeah, it transmitted different commands, same frequency. It's a little bit race-condition opportunistic, but yes, you can just repeatedly transmit the close code and kick a door open and, you know, it's not... So again, if you wanted to have some more fun with that, we did. Let's see. Not to my knowledge, no. No, so we're picking this specific one out. We kind of went with: the cheaper it is, the more sensors we have, the newer footprint we can play with. Typically the cheaper the hardware, the more problems it has. This unit was actually so not smart it didn't actually have much of an underlying OS or any logging or anything. The only option you had was adding a 3G card to be reported, but that wasn't even a service they offered; you had to go through and get the SIM card and do it all yourself. Yeah, the interesting... I won't do that next part, but you can also append that door sensor to the same running file that we have, so it can SOS, disarm the system, arm the system, trigger this,
and then disarm it again and just play it on repeat and just watch the owner go haywire with their alarm system. No, I wouldn't put this in my house. Yes, they were just made last time. What we have: frequency jamming is illegal, so we did frequency fuzzing. We basically wired up an RF transmitter to a 9-volt battery and it just transmits a whole lot of crap on the same frequency, 433, same frequency ranges also. So yeah, just so you can see what that looks like. And this also is a technique that we've used on red teams to not set off their motion sensors, because literally you can do this while walking through a decent amount of businesses and it doesn't actually set off the motion sensors, and they don't alarm out or heartbeat out or anything like that, actually check in. So that's obviously... this is where it's just broadcasting a bunch of junk; this is normal looking, just back and forth, right? We tested that with this unit and it interferes so much with the communication between the sensors and the unit that it doesn't even trigger an alarm, so we can actually arm it. Armed.

And we tested this about 19 feet away; this works, so you've got transmitting. These little Arduino transmitters worked up to about 19 volts; after that they get warm. Looks like a laptop power supply into it, they just stopped working. So the moral of the story of this whole thing: this thing is garbage. Don't use a remote with an alarm system. It's a risk versus reward scenario; all you're doing is extending your capacity for laziness and you're introducing way more risk into the system that is supposed to keep you and all your stuff secure, right? Some resources on SDR stuff.
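The talk's replay of arm/disarm/SOS frames works because the remote sends the same bytes every time, and the speakers contrast that with garage-door remotes that use rolling codes. The following simulation is an added example, not code from the talk or from any product it discusses: a fixed-code receiver accepts a captured frame on every replay, while a rolling-code receiver (counter plus truncated HMAC, a hypothetical scheme constructed here) accepts it once and rejects the replay. Keys, frames and counters are all constructed for the demo.

```python
# Added example, not from the talk: why the demo's fixed-code remote is
# replayable and how a rolling-code receiver (counter + MAC) rejects the
# same frame the second time. Keys, frames and counters are constructed.
import hashlib
import hmac

class FixedCodeReceiver:
    # Each button always sends the same bytes: a replayed frame is
    # indistinguishable from a fresh press.
    COMMANDS = {b"\x01": "arm", b"\x02": "disarm", b"\x03": "sos"}
    def receive(self, frame):
        return self.COMMANDS.get(frame)

class RollingCodeRemote:
    # Frame = 4-byte counter || 1-byte command || 8-byte truncated HMAC.
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, cmd):
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + bytes([cmd])
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    COMMANDS = {1: "arm", 2: "disarm", 3: "sos"}

    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0

    def receive(self, frame):
        if len(frame) != 13:
            return None
        body, mac = frame[:5], frame[5:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, good):
            return None  # forged or bit-flipped frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last < counter <= self.last + self.window:
            return None  # replayed (old) counter, or too far ahead to resync
        self.last = counter
        return self.COMMANDS.get(body[4])

def replay_demo():
    # Deliver the same captured "disarm" frame twice to each receiver.
    fixed, captured = FixedCodeReceiver(), b"\x02"   # constructed capture
    key = b"constructed-demo-key"
    remote, rolling = RollingCodeRemote(key), RollingCodeReceiver(key)
    fresh = remote.press(2)                          # legitimate press, captured
    return ([fixed.receive(captured), fixed.receive(captured)],
            [rolling.receive(fresh), rolling.receive(fresh)])
```

The resync window is the usual trade-off: presses made out of the receiver's range advance the remote's counter, and anything beyond the window is dropped until the remote is re-paired.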