Stealing cars and ringing doorbells with radio

audacity-am-zoom

The cheap software defined radio platforms that can be built out of a USB TV tuner aren’t getting much love on the Hackaday tip line of late. Thankfully, [Adam] sent in a great guide to cracking sub-GHz wireless protocols wide open, and ringing doorbells, opening cars, and potentially setting houses on fire in the process.

The first wireless hack [Adam] managed to whip up is figuring out how a wireless doorbell transmitter communicates with its receiver. [Adam] connected a FUNcube software defined radio dongle (although any one of the many USB TV tuner dongles we’ve seen would also work) and used GNU Radio to send the radio signals received to a WAV file. When looking at this audio file in Audacity, [Adam] saw the tell-tale signs of digital data, leaving with a string of 1s and 0s that would trigger his wireless doorbell.

The FUNcube dongle doesn’t have the ability to transmit, though, so [Adam] needed a more capable software defined radio to emulate the inner workings of a doorbell transmitter. He found one in the Ettus Research USRP, a software designed radio that’s doing a good job of keeping [Balint], Hackaday SDR extraordinaire, very busy. By sending the data [Adam] decoded with the FUNcube dongle over the USRP, he was able to trigger his wireless doorbell using nothing but a few hundred dollars of radio equipment and software ingenuity.

Doorbells are a low-stakes game, so [Adam] decided to step things up a little and unlock his son’s car by capturing and replaying the signals from a key fob remote. Modern cars use a rolling code for their keyless entry, so that entire endeavour is just a party trick. Other RF-enabled appliances, such as a remote-controlled mains outlet, are a much larger threat to home and office security, but still one [Adam] managed to crack wide open.

Comments

  1. smilr says:

    Currently I see two links to the funcubedongle website, and a link to a previous hackaday SDR article…

    Does Adam not have a writeup for all this available online? Or am I just blind / not seeing the link to his fine article?

  2. William says:

    I wonder how far he got with his sons car.

  3. Null says:

    Didn’t he not use the USRP? He kept mentioning that the USRP would work, but wanted something smaller. I thought he used the RFCat?

  4. Andriej says:

    You can do it all on arduino. I controll all my lights and power-switches with RF433MHz using basic libraries which ‘sniff’ code from air. And I also decoded weather-station signal from sensor unit outside.

  5. Kris Lee says:

    This is the reason why I do not use unencrypted wireless technology to control my house.

    Still, I’m not really sure that unencrypted wired technology is any better on long term perspective.

  6. Truth says:

    Why does the link for “Ettus Research USRP” above link to http://www.funcubedongle.com/ and not to http://www.ettus.com/ ?

  7. JoeS says:

    I wouldn’t be too sure about the rolling code, they might just say that. I have decoded my Subaru remote using a RTL-SDR. The code is not really rolling, more like incrementing by a slightly random number. The last nibble of the rolling code even follows a 16 digit long pattern repeating changing only every 250 or so presses. Sending the next lock code after hearing the recent lock code was easy to do. In my testing I would say I have a worst a 1 in 3 shot of guessing the next lock code, try all three and it is re-locked. I have at worst a 1 in 16 chance of guessing the unlock code after listening to a handful of lock codes. I haven’t tried to see if the car locks me out with too many bad attempts, I would guess it does not. I should write my attempts up if people would be interested.

    • Mental2k says:

      I would definitely be interested seeing how this works. It’d be very handy for when I walk down the street to my or my wife’s car and realise I’ve taken the keys for the other car and have to walk back for the correct keys.

      It’d also be interesting to see how my Ford’s setup (separate buttons for lock, unlock and open boot) differs from my wife’s Peugeot (one button for both lock and unlock). Presumably the Ford has a set of 3 rolling keys and the Peugeot only one.

      It’s also a tad scary that car thieves can program a key from the dash of a BMW, if they can also unlock the door (and presumably disarm the alarm), then a laptop and a couple of peripherals is all that’s really required to steal a car.

  8. bob says:

    And this is why we need encrypted door bells.

  9. Doktor Jeep says:

    It’s looking like GNU Radio is to radio signals what Audicity is to audio. Sure wish I had time to play with these things.

  10. Galane says:

    Potentially setting houses on fire. Y’know, this ain’t the rather more lax 1970’s when Steve Jobs and Steve Wozniak were illegally tampering with telephone systems.

  11. truthspew says:

    Back in the day when Ford used TRW based systems for the remotes you’d occasionally find your fob opened more than one car. I had a 1993 Ford Tempo at the time. I go out to the parking lot, hit the button and I see not just my car blink it’s lights, but a Lincoln Continental two cars down does the same. I hit the button to re-arm and both cars re-arm.

    Then of course there’s the RF sensitivity of the alarm systems on most cars. Key up on the 2m band at 5W PEP and you’ll set off alarms from here to Timbuktu.

  12. I did something similar with a garage remote using just an RTLSDR and RFCat to replay it: https://andrewmohawk.com/2012/09/06/hacking-fixed-key-remotes/

  13. makomk says:

    Neat! The RfCat stuff is a little overkill though – you can do OOK transmission on 433.92 MHz using a dirt cheap generic 433 MHz transmitter module like https://www.sparkfun.com/products/10534 and a single pin on an Arduino or other preferred microcontroller. (ChipCon CC11xx-based boards are handy if you need to speak something more complicated than OOK, but most cheap RF-controlled hardware doesn’t do anything fancy.)

  14. Kevin2600 says:

    Maybe you guys will like this video demo, I tested with USRP to replay the raw 443mhz sginal to unlock the RF-PC lock. http://v.youku.com/v_show/id_XNDUzNTAzNDUy.html

  15. 1337 says:

    Add a parabolic dish and then you could talk to satelites. Probably wouldn’t work though; one of those easier said than done moments.

  16. MadSquirrel says:

    All of this has been possible with a simple Discriminator/IF tap and a cheap scanner for years. Modulating the signals back out required a little more ingenuity.. A wide band crystal controlled PLL synthesized transmitter capable of FSK would suffice for most of these cheap household devices. Most simply key the transmitter on/off using manchester encoded bits…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,423 other followers