How To: Hack Your Way Into Your Own Gated Community

RF Signal Decryption and Emulation

Does your Gated Community make you feel secure due to the remote-controlled gate keeping the riffraff out? Residents of such Gated Communities in Poland are now shaking in fear since [Tomasz] has hacked into his own neighborhood by emulating the signal that opens the entrance gate. Shockingly, this only took about 4 hours from start to finish and only about $20 in parts.

Most of these type of systems use RF communication and [Tomasz’s] is no difference. The first step was to record the signal sent out by his remote. A USB Software Defined Radio transmitter/receiver coupled with a program called SDR# read and recorded the signal without a hitch. [Tomasz] was expecting a serialized communication but after recording and analyzing the signal from several people entering the community it became clear that there was only one code transmitted by everyone’s remote.

Now that he knows the code, [Tomasz] has to figure out a way to send that signal to the receiver. He has done this by making an RF transmitter from just a handful of parts, the meat and potatoes being a Colpitts oscillator and a power amplifier. This simple transmitter is connected to a DISCOVERY board that is responsible for the modulation tasks. [Tomasz] was nice enough to make his code available on his site for anyone that is interested in stopping by for a visit.

39 thoughts on “How To: Hack Your Way Into Your Own Gated Community

    1. Imagine my surprise when an upstairs neighbor in my apartment building asked to borrow my key to get into her apartment. Now imagine my horror when it worked. The building has over a hundred units.

      1. Heh, even the apartments where everyone has their own individual key are very insecure- the superintendent/janitor usually has a key to open every door. Fun thing is, the way those systems work is inherently insecure too. Such locks actually support a exponential amount of keys depending on the competency of the locksmith. So a standard 6 pin masterkeyed lock can have up to 36 possible keys. Aka, you could wiggle a bobby pin around in it and it would open. Fun!

    2. It’s quite common. The apartment complex I lived in had the exact same key to get into any of the buildings and laundry rooms as well as storage access, clubhouse, pool, and the entry gates. The remote for the cars was a simple Chamberlain garage door opener that had the rolling code feature disabled.

      1. Usually called maison keying. It just means that common area locks are not fully pinned and all the resident keys share the common factor. Easy for lazy and/or cheap landlords. Can be found in slummy or rundown places along with very old (100+ year) houses.

  1. What kind of company installs security gates and choose to use unsecure remotes ? That’s just stupid. Any kind of remote-system that chances code every time should have been the minimum requirement. Well, at least it’s not expensive to upgrade the remote-system, it’s not like the have to buy a new gate, but it will properly newer get done.

    1. If I’m correct (I’m from Poland too) – this system is used by hunderds of people who are living in the buildings that are behind those gates. Upgrade cost will be significant. Usually they are not there for security but for restricting access to parking space :) My community is using HID proxy card for gates control that can be cloned using Attiny85 :) What they made to solve problem of using one card for many cars in my situation is software upgrade so its check which gate (in,out) was last opened and you can’t open any gate more than one time before using it on oposite gate. In gate can be opened if your card counter==0, and out gate when counter==1.
      Sometime this is PITA since those are long range sensors and you can trigger one with card in your pocket :)

    2. Most of them do, the high rise in town here for the richie-rich uses a freaking barcode sticker on the car window to open the gate, you drive up until it opens as it reads the barcode.

  2. To be fair, is it really hacking if he already has his own remote for the reference signal? It’s like claiming you were able to hack your way into your own house, but then reveal that you just copied your own key.

    1. I would say so. His key is used as the reference. The expectation would be that everyone has a different key. That expectation wasn’t met.

      The problem is compounded by the chance that no one using that system anywhere in the city is using a different key.

      A good safe cracker practices and learns on safes that (s)he buys (or has unencumbered access to, same thing) before cracking the big prize. This process was no different.

    2. It is hacking as he took items not designed for that specific purpose and used them to do it. That being said we do this all the time on pentests, RFID creds are usually a pretty easy target, Spoofing and cloning these access fobs and cards is nothing new but usually involves a bit of reverse engineering, this was low hanging fruit. We’ve done it with alot of 125Khz based systems but this example is on another level of management stupidity. What’s really funny is many of these gates in the US can be beat with a kick to the bottom of the gate, once in a call to someone random on the intercom can often result in getting past the locked apartment complex door as well (or worse sometimes they don’t change the passcodes to get full access to the system and you can do it yourself). Security in places like this are more often than not just an illusion.

  3. If there’s a keypad, 0911 or #0911 usually works to open it (in the U.S.). Sometimes the last for digits of the local non-emergency police phone number work, and all the usual suspects are worth a try (1234,1111,2468, etc.).

    I grew up down the road from a large gated community with a 24/7 security guard and recall an instance when someone walked in, broke into several houses, stacked what they intended to steal outside, then stole a new Mercedes from the last house that he (or they) hit and drove around picking up all the piles of stuff and then drove right out the front gate, most likely getting a friendly wave from the guard as he/they departed. The other time I recall the community suffering a series of thefts it turned out to be the guard.

    So the presence of gates without a high wall surrounding the community that prevents someone from simply walking in or climbing over a merely-decorative, useless “fence” (or communities that don’t vet their guards very well) means it’s just for show to make the residents feel safer and only effective at keeping the law-abiding general public out, at least in the U.S..

    1. The dirty truth is nobody can afford what it costs to stop a skilled criminal. Luckily they are very rare. What we can do is make ourselves the least easy target. These gated communities do that (to a tradeoff point based on local wealth). In the process they really do reduce crime from lesser thieves. Most importantly they instill a sense of community, which really helps deter the most common type of property criminal: your neighbors.

      1. Gated communities are for appearances only, and provide no security. All you have to do is say you’re a plumber or delivery guy or use one of the generic codes. They exist because they are a symbol of wealth and exclusivity. And if you think they instill a sense of community you have never been to a gated community.

        1. Have you actually looked at statistics? Crime is lower in a gated community, that’s a fact.

          It’s just like the “club” for your car. Two cars, side by side, of equal value. One with a club, one without. Which one will the thief steal? The one without because it’s just that much less effort and risk.

          It doesn’t stop any determined criminal, then again nothing does. However it will deter as there are simply easier targets.

    2. This is why I prefer to roll my own security, I’m not particularly trusting of others abiding by appropriate security practices when I’ve seen many places bypass them in the name of good customer service.

    3. Makes sense really. I remember a local fire department had a similar thing for the firehouse locks. It was all volunteer so the station was rarely manned 24/7 so everyone who worked there needed the code and it rarely changed. I had an idiot friend “invite” me the firehouse one day, thankfully I refused. Not surprisingly he and another kid disappeared for nearly three months after that. Not sure how he got caught and never cared to ask.

  4. So would using something like PIFM also be able to play back an audio file of the recorded frequencies and open the gates?
    I’m not too knowledgeable in RF so I’m interested in what the answer is.

  5. In addition to the fixed remote code issue: I did gate automation and service work for a couple of years and found that if you have a key for one Faac operator(for manual release) then you have a key for them all….same with Liftmaster swing gate operators…Linear keyless entry enclosures. It was that way with Cat and John Deere excavators too, as I recall.

  6. But wait… That’s not an Arduino OR a Raspi! It’s an STM Discovery! I highly recommend one of those little buggers for your next battery powered project. They consume so little juice.

  7. SDR# ? Too bad there isn’t something like that in Linux. God damn I hate these Windows-only programers. There is a lot of cool stuffs that deserve to be on Linux too !

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.