Hack a Day » sniffer

Garage door… packet sniffer

Jacob Woj — Sat, 03 Oct 2009 20:00:51 +0000

Some type of logger or sniffer exists for almost every form of electronic communication. Your keystrokes, phone conversations, and wireless networks could all be monitored. In this awesome proof-of-concept project, [James] expanded that array to include garage door openers. After receiving a piece of chain mail which stated that criminals have the technology to record any remote code and play it back, [James] wondered if he could build such a device that would work on at least his opener model.

[James] started off with a trip to the hardware store. He was unable to find both a transceiver that worked on the frequency of his remote control (308MHz clocked MAX7042 chip), so at least for this incarnation (he plans to build another one that is capable of replaying a captured signal), only a receiver was implemented. The receiver was connected to a logic analyzer in order to determine its protocol. Since the signal coming from the receiver was very low, [James] had to amplify it through a buffer before it could be detected.

An ATtiny26 and a 4 line x 20 character backlit LCD were used to interpret and display info from the receiver. [James] built the sniffer around a custom PCB (though he ran into a few layout errors that he had to fix post-production). All of the firmware was written in C. It is fairly straightforward, but takes up 98% of the microcontroller’s memory. The program is designed to monitor pin change interrupts and timers to filter out invalid codes as well as noise. Any info (the door codes that have been sniffed) is displayed through a 4-bit interface on the LCD, for easy recording. With the codes, one can configure another garage remote to open the door. If you have any suggestions for V2, We’re sure [James] will be reading the comments.

Update: The code and PCB files (with the error) are available through one of the following mirrors:
filesavr.com/codegrabber
filefactory.com/file/a0eb0gg/n/code_grabber_zip
filedropper.com/codegrabber_1
mediafire.com/?sharekey=7c4692dd4f3ad2c36e7203eb87368129e04e75f6e8ebb871

Posted in home hacks, security hacks

Black Hat 2009: Powerline and optical keysniffing

Eliot — Wed, 29 Jul 2009 21:11:58 +0000

The 2009 edition of the Black Hat security conference in Las Vegas has just begun. The first interesting talk we saw was [Andrea Barisani] and [Daniele Bianco]‘s Sniff Keystrokes With Lasers/Voltmeters. They presented two methods for Tempest style eavesdropping of keyboards.

The first attack was against PS/2 keyboards. Inside the PS/2 cord, the data line isn’t shielded very well from the ground line, so all data could end up being transmitted back to the building’s electrical ground. The clock signal is also very slow compared to other signals generated by the computer. At about 10-16.7kHz, it should be easy to sample and filter out of the ground noise. They decided to monitor the ground line in an outlet 20meters from the keyboard in question. They used a ~150ohm resistor between the electrical ground and their reference ground. The reference ground was the building’s plumbing and is used to determine what’s actually noise in the electrical ground. They measured the voltage drop across the resistor and used finite impulse response to act as a bandpass filter for 1-20kHz. They were easily able to pick up the keyboard’s signal. It worked so well that they built a remote monitoring board that uses an AVR ATxmega128A1 to do the sampling and send the data over ethernet. In closing, they noted that USB uses differential signaling which should negate any leakage but the processor is more intensive and may end up being easy to pick up. They also stated that many ATMs are probably using PS/2 style keypads that leak this information.

For the second part of their talk, they covered using lasers to collect keystrokes. They pointed a laser at the back of a laptop lid and recorded the resulting vibrations just like a normal laser mic (closer to the hinge provided a cleaner signal). One of the first things they noticed was that the spacebar, being physically larger, created a very distinct signal that was much larger than all others. They used this information to determine where word breaks were. By comparing the captured waveforms to each other using dynamic time warping, they could determine the letter patterns. They then used these sequences with a dictionary to figure out what words had the same pattern and made sense in the same order. It worked quite well and they said it would go much faster if you can guess the context. They mentioned that logos on laptop lids were very reflective and worked well even in daylight and through glass.

You can find whitepapers and example code on their site.

Posted in cons, laser hacks, peripherals hacks

Chumby hacking by Bunnie

Will O'Brien — Wed, 09 Apr 2008 05:36:00 +0000

[bunnie] is one of the main people behind the Chumby, and even he can’t resist modding the things. He decided to outfit one with a larger LCD – using a stereo microscope to do the really fine pitch work – and a laser cutter to create a custom bezel for the finished piece. The new LCD is still a touchscreen and allows the Chumby to display 640×480 resolution over the stock 320×240. The mod requires a few parts, but the ultimate difficulty is caused by the surface mount connectors. If you’d rather have some software fun, you might want to check out [bunnie]‘s Chumby wifi sniffer.