Wireless Hacks

1108 Articles

SDR Sniffing Electric Gates

June 11, 2017 by 11 Comments

Most wireless OEM hardware traditionally use 433MHz OOK modules to exchange information. The encoding and encryption of this data stream is left as a task for the embedded software designer. In most cases, the system can be hacked using a replay attack where an RF packet is recorded and replayed to emulate a valid user. [Gilad Fride] hacked his parking gate using this technique but decided to go the extra mile of connecting it to the internet.

He used an RTL-SDR dongle and ook-decoder by [jimstudt] to sniff out the gate code and this code was tested using an Arduino. The final implementation was done around an Onion Omega which talks directly to the RF transmitter module using the fast-gpio binary. Internet connectivity was achieved using Onion Cloud API which is used to trigger the execution of code thereby sending the gate opening signal.

[Gilad Fride] uses the IFTTT Do button to provide a GUI and he demonstrates this in action using an iPhone in the video below. The project can be extended to open garage doors or turn off the lights of your room over the internet.

If you are looking to hack your home security system, look no further as SDRs have be used to communicate with wireless products effectively in the past. We are hoping manufacturers take a hint and start using better encryption.  Continue reading “SDR Sniffing Electric Gates”

Radar Sensors Put To The Test

May 24, 2017 by 68 Comments

[Andreas Spiess] picked up a few inexpensive radar sensors. He decided to compare the devices and test them and–lucky for us–he collected his results in a video you can see below.

The questions he wanted to answer were:

  • Are they 3.3 V-compatible?
  • How much current do they draw?
  • How long to they show a detection?
  • How far away can they detect the motion of a typical adult?
  • What is the angle of detection?
  • Can they see through certain materials?
  • Can the devices coexist with other devices in the same area? What about WiFi networks?

Good list of questions, and if you want to know the answers, you should watch the video.

Continue reading “Radar Sensors Put To The Test”

On Point: The Yagi Antenna

May 24, 2017 by 86 Comments

If you happened to look up during a drive down a suburban street in the US anytime during the 60s or 70s, you’ll no doubt have noticed a forest of TV antennas. When over-the-air TV was the only option, people went to great lengths to haul in signals, with antennas of sometimes massive proportions flying over rooftops.

Outdoor antennas all but disappeared over the last third of the 20th century as cable providers became dominant, cast to the curb as unsightly relics of a sad and bygone era of limited choices and poor reception. But now cheapskates cable-cutters like yours truly are starting to regrow that once-thick forest, this time lofting antennas to receive digital programming over the air. Many of the new antennas make outrageous claims about performance or tout that they’re designed specifically for HDTV. It’s all marketing nonsense, of course, because then as now, almost every TV antenna is just some form of the classic Yagi design. The physics of this antenna are fascinating, as is the story of how the antenna was invented.

Continue reading “On Point: The Yagi Antenna”

Attack On The Clones: A Review Of Two Common ESP8266 Mini D1 Boards

May 15, 2017 by 34 Comments

ESP8266-based development boards have proliferated rapidly. One favorite, the WEMOS Mini-D1 is frequently imitated and sold without any branding. As these boards continue to ship to hobbyists and retailers around the world, we thought it might be interesting to conduct a little experiment.

There are a few ESP8266 development boards available, and the most popular seem to be the NodeMCU ‘Amica’ board. Of course, there are dozens of other alternatives including the WiFiMCU, Sparkfun’s ESP8266 Thing, and Adafruit’s HUZZAH ESP8266. Given that, why is this review limited to the Mini D1 boards? Because the Mini D1 is the cheapest. Or was, until it was cloned.

We took a look at some of these ‘clone’ boards to figure out the differences, find out if they work as intended, and perhaps most importantly, are these clone boards shipped out reliably. What are the results? Check that out below.

Continue reading “Attack On The Clones: A Review Of Two Common ESP8266 Mini D1 Boards”

Son Of Sonoff

May 12, 2017 by 19 Comments

We’ve covered the Sonoff a few times–a very inexpensive box with an ESP8266, a power supply, and an AC relay along with a way to tap into a power cord. Very inexpensive means $5 or $6. The supplied software will work with several systems (including, recently, Alexa). But what self-respecting hacker wants to run the stock firmware on something with an ESP8266 inside?

[Tzapu] certainly didn’t. But he also knew he didn’t want to start from scratch every time he wanted to deploy a switch. So he built SonoffBoilerplate and put the code on GitHub. The code manages taking configuration (including network settings) using a web-portal, can update itself over the air, and integrates with Blynk and MQTT. If you don’t like that code base, there are other choices including one that has a failsafe reconfiguration mode.

Continue reading “Son Of Sonoff”

TI 99/4A Weather Station

April 30, 2017 by 21 Comments

If you still have a drawer full of slap bracelets from the 1990s because, you know, they might come back, then you’ll appreciate [Vorticon’s] latest project. Sure, we see lots of weather stations, but this one is controlled by a TI 99/4A computer. This home computer from the 1980s was actually ahead of its time with a 16-bit processor.

The sensors use Xbee modules and an Arduino Uno. Of course, the Uno has more power than the TI computer, but that’s not really the point, right? He’s made a series of videos detailing the construction (you can see the first one below, but there are five, so far).

Continue reading “TI 99/4A Weather Station”

Stealing Cars For 20 Bucks

April 27, 2017 by 85 Comments

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all, they manage to increase the previous known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam, a couple of weeks ago, and shown their results.

The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob.  One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, it’s the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over Internet instead of radio.

The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk.  We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.

[via Wired]