Re: RF code scanners

From: Richard Rager (kb8rln@penguinmaster.com)
Date: Thu Jun 17 2004 - 04:22:22 EDT


On Wed, 16 Jun 2004, Amit Deshmukh wrote:

> Has anyone had any experience with using radio frequency code scanners
> and/or grabbers to try and grab codes for garage doors and things like
> that?

  Well, let's talk about car alarm, garage door and home automatic door
transmitters and receivers.

>
> What's the sort of hardware used for this?

  I will limit myself to the current active transmitters, because the
old ones are just so bad that overloading the front end of the receiver
will open the door.

   The transmitters are a very simple FM transmitter (FCC Part 15) with a
CODEC IC that is fed a serial stream.

   The receivers are also (FCC Part 15) and hit a CODEC that converts back to a
serial stream.

   In all cases these serial streams are handled with a microcontroller of
some type.

   There are two main types of transmitters.

    1.) The transmitters are programmable.

            Dip switches are the simplest. The output of these can
be easily recorded and replayed. To do this use a digital recorder that
only needs to record about 5 seconds.

    2.) The transmitters are pre-programmed and the receiver learns a new
transmitter.

> Surely it cant be a matter of
> just cycling through the 2.4 Ghz (or appropriate) spectrum till u hit
> the right frequency and the door pops open! There is probably also a
> code burned into the firmware of the remote control device and the
> receiver which may need to match up.
>
  That is all you needed to do in the old days with the 48-54 MHz ones.

  The newer ones I have seen at 300 MHz, 450 MHz and 900 MHz.

  It costs money to go that high in frequency.

   Yes, you are right. Just having a receiver output going to a sound card
is the only recording device you will need, overkill though.

> I've heard of other devices which sort of "code hop" and use a different
> code each time. Any vulnerabilities with those? (maybe they use an
> "industry-standard" algorithm?)
>

  You are speaking about something like KeeLoq (TM), which is one type.

http://ww1.microchip.com/downloads/en/DeviceDoc/keeloq.pdf
  
 This is a simple PKI that uses 32-bit encryption hopping code and a 32-bit
serial number. The weak point here: if you get 3 or more transmissions from
one remote it is easy to calculate the serial number. Please remember that
a 4 kilohertz processor can decode this. It would be a joke for a 1 GHz
processor to bypass it.

> Is it better to use a scanner or grabber with devices that use a static
> non-changing code?
>

  Static codes are easily replayed. Anyone that can hear the signal can
resend it.

  Code hopping is better, but with the limit on the speed of the
microprocessor used, it would be a joke to circumvent with any laptop
computer.

  The same holds true with those RFID cards for locks that I carry. The
locks also require a PIN as well, so that is a little better. But for me
to build a remote receiver to read the cards in your pocket would be easy.
Most RFID cards are static serial transmissions.

  I hope this helps.

  Just one note about all digital locks. It is just a matter of time before
the digital lock picks are going to come out. Are you going to be ready
for the change?

  Just a note: about 10 years ago, I was installing digital locks for safes
and other things. I found out that you could open them with RF
transmissions. I called the manufacturer and never got a call back, but about
8 months later, going to a trade show, they could talk about nothing else.
There are some digital locks today that still have that same
vulnerability. All of these electronic locks come down to a simple relay
that costs about 50 cents US. A chain is only as good as its weakest link.

  I have pen-tested a lot of digital locks. Most of them I would not give
you a nickel for the security of them. But if it makes you feel good, do
it.

  This is something that needs to be added to pen-testing, since most of
the computer data centers use electronic locks now. National security:
here we come with more bad news.

Enjoy,

Richard Rager
http://penguinman.com
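The post contrasts static-code remotes, where any recorded frame can be replayed, with code-hopping remotes, where the receiver tracks a sync counter. The following is an added illustration of the receiver-side logic behind that distinction; it is not code from the post and not Microchip's KeeLoq implementation. The frame layout (serial, counter, keyed tag), the use of HMAC-SHA256 in place of a remote's own cipher, the 16-press resync window and the constructed serial and key values are all assumptions chosen to make the replay property visible.

```python
"""
Static-code receiver versus rolling-code receiver (simplified model).

Added example, not from the original post. HMAC stands in for whatever
cipher a real part-15 remote uses; the window size and framing are assumed.
"""
import hmac
import hashlib
from dataclasses import dataclass


class StaticReceiver:
    """Models a DIP-switch remote: accepts any frame equal to the fixed code."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


@dataclass
class Frame:
    serial: int    # 32-bit transmitter identity
    counter: int   # 32-bit sync counter, wraps modulo 2**32
    tag: bytes     # keyed tag over serial and counter


def tag_for(key: bytes, serial: int, counter: int) -> bytes:
    """Keyed tag binding the counter to the serial (assumed construction)."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class RollingTransmitter:
    def __init__(self, serial: int, key: bytes, counter: int = 0):
        self.serial, self.key, self.counter = serial, key, counter

    def press(self) -> Frame:
        self.counter = (self.counter + 1) % 2**32
        return Frame(self.serial, self.counter,
                     tag_for(self.key, self.serial, self.counter))


class RollingReceiver:
    """Learned remotes: serial -> (shared key, last accepted counter)."""

    def __init__(self, window: int = 16):
        self.window = window
        self.learned: dict[int, tuple[bytes, int]] = {}

    def learn(self, serial: int, key: bytes, counter: int) -> None:
        self.learned[serial] = (key, counter)

    def accept(self, frame: Frame) -> bool:
        entry = self.learned.get(frame.serial)
        if entry is None:
            return False                        # unknown remote
        key, last = entry
        expected = tag_for(key, frame.serial, frame.counter)
        if not hmac.compare_digest(frame.tag, expected):
            return False                        # wrong key or tampered frame
        delta = (frame.counter - last) % 2**32
        if delta == 0 or delta > self.window:
            return False                        # replayed, or too far ahead
        self.learned[frame.serial] = (key, frame.counter)  # advance sync
        return True


def demo_static_replay() -> bool:
    """A recorded static frame is accepted again on replay."""
    rx = StaticReceiver(b"\x5a\xa5")
    captured = b"\x5a\xa5"          # constructed: the frame as recorded
    return rx.accept(captured) and rx.accept(captured)


def demo_rolling_replay() -> tuple[bool, bool, bool, bool]:
    """(fresh press, replay of it, press after 5 out-of-range presses,
    press after 17 more out-of-range presses) -> accepted flags."""
    key = bytes(range(16))          # constructed shared key
    tx = RollingTransmitter(serial=0x12345678, key=key)
    rx = RollingReceiver(window=16)
    rx.learn(tx.serial, key, tx.counter)
    first = tx.press()
    fresh_ok = rx.accept(first)     # counter 1: accepted
    replay_ok = rx.accept(first)    # same frame again: delta 0, rejected
    for _ in range(5):
        tx.press()                  # pressed out of range of the receiver
    resync_ok = rx.accept(tx.press())   # counter 7, delta 6 within window
    for _ in range(17):
        tx.press()
    too_far_ok = rx.accept(tx.press())  # counter 25, delta 18 exceeds window
    return fresh_ok, replay_ok, resync_ok, too_far_ok


if __name__ == "__main__":
    print("static replay accepted:", demo_static_replay())
    print("rolling (fresh, replay, resync, too far):", demo_rolling_replay())
```

The counter window is the usual trade-off in this design: it lets a remote that was pressed out of range resynchronise without a learn cycle, while still rejecting any frame at or below the last accepted counter. The model checks the tag before the counter so that an unauthenticated frame never moves the sync state.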



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT