Hacking Radio Controlled Outlets

It’s no surprise that there’s a lot of devices out of there that use simple RF communication with minimal security. To explore this, [Gordon] took a look at attacking radio controlled outlets.

He started off with a CC1111 evaluation kit, which supports the RFCat RF attack tool set. RFCat lets you interact with the CC1111 using a Python interface. After flashing the CC1111 with the RFCat firmware, the device was ready to use. Next up, [Gordon] goes into detail about replaying amplitude shift keying messages using the RFCat. He used an Arduino and the rc-switch library to generate signals that are compatible with the outlets.

In order to work with the outlets, the signal had to be sniffed. This was done using RTL-SDR and a low-cost TV tuner dongle. By exporting the sniffed signal and analyzing it, the modulation could be determined. The final step was writing a Python script to replay the messages using the RFCat.

The hack is a good combination of software defined radio techniques, ending with a successful attack. Watch a video of the replay attack after the break.

5 thoughts on “Hacking Radio Controlled Outlets

  1. nice! do you or anyone else know if there is a software existing or a way how to decode the audio waveform automagically to binary format. so the the output from above audio file would be what you have done manually? I know it’s hard, but you should be able to setup first the analysis like frequency and how a 1 and 0 looks like. then analyize…

    1. I use Audacity. I record it then chop out the extraneous details. Then expand what is remaining to fill the screen. It is usually pretty crummy yet but if you amplify it and chop off heh peaks it comes out to be a nice waveform. I have looked at my LaCrosse temp. sensor and teh abo e works fine.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.