It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.
The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.
With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.
The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.
Continue reading “Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised”
GPS jammers are easily available on the Internet. No, we’re not linking to them. Nevertheless, GPS jammers are frequently used by truck drivers and other people with a company car who don’t want their employer tracking their every movement. Do these devices work? Are they worth the $25 it costs to buy one? That’s what [phasenoise] wanted to find out.
These tiny little self-contained boxes spew RF at around 1575.42 MHz, the same frequency used by GPS satellites in high Earth orbit. Those signals coming from GPS satellites are very, very weak, and it’s relatively easy to overpower them with noise. That’s pretty much the block diagram for these cheap GPS jammers — put some noise on the right frequency, and your phone or your boss’s GPS tracker simply won’t function. Note that this is a very low-tech attack; far more sophisticated GPS jamming and spoofing techniques can theoretically land a drone safely.
[phasenoise]’s teardown of the GPS jammer he found on unmentionable websites shows the device is incredibly simple. There are a few 555s in there creating low-frequency noise. This feeds a VCO with a range of between 1466-1590 MHz. The output of the VCO is then sent to a big ol’ RF transistor for amplification and out through a quarter-wave antenna. It may be RF wizardry, but this is a very simple circuit.
The output of this circuit was measured, and to the surprise of many, there were no spurious emissions or harmonics — this jammer will not disable your cellphone or your WiFi, only your GPS. The range of this device is estimated at 15-30 meters in the open, which is good enough if you’re a trucker. In the canyons of skyscrapers, this range could extend to hundreds of meters.
It should be said again that you should not buy or use a GPS jammer. Just don’t do it. If you need to build one, though, they’re pretty easy to design as [phasenoise]’s teardown demonstrates.
Terminology is something that gets us all mixed up at some point. [Seytonic] does a great job of explaining the difference between WiFi jammers and deauthenticators in the video embedded below. A lot of you will already know the difference; however, it is useful to point it out, since so many people call deauth devices “WiFi Jammers”.
In their YouTube video they go on to explain that jammers basically throw out a load of noise on all WiFi channels making the frequencies unusable in a given distance from the jammer. Jammers are also normally quite expensive, mostly illegal, and thus hard to find unless of course you build your own.
WiFi deauthentication, on the other hand, works in a very different way. WiFi sends unencrypted packets of data called management frames. Because these are unencrypted, even if the network is using WPA2, malicious parties can send deauthentication commands which boot users off of an access point. There is hope, though, with 802.11w, which encrypts management frames. It’s been around for a while; however, manufacturers don’t seem bothered and don’t implement it, even though it would improve the security of a WiFi device against these types of attacks.
Continue reading “WiFi Deauthentication VS WiFi Jamming: What Is The Difference?”
In a move that would induce ire in Lord Helmet, [Kedar Nimbalkar] has recreated Instructables user spacehun’s version of a WiFi jammer that comes with a handful of features certain to frustrate whoever has provoked its wrath.
The jammer is an ESP8266 development board — running some additional custom code — accessed and controlled by a cell phone. From the interface, [Nimbalkar] is able to target a WiFi network and boot all the devices off the network by de-authenticating them. Another method is to flood the airspace with bogus SSIDs to make connecting to a valid network a drawn-out affair.
This kind of signal interruption is almost certainly illegal where you live. It does no permanent damage, but once again raises the existing deauth exploit and SSID loophole. [Nimbalkar]’s purpose in recreating this was for educational purposes and to highlight weaknesses in 802.11 WiFi protocols. The 802.11w standard should alleviate some of our fake deauth woes by using protected frames. Once the device authenticates on a network it will be able to detect fake deauth packets.
We featured a more targeted version of this hack that can be done using a PC — even targeting itself! And more recently there was a version that can target specific devices by jumping on the ACK.
Continue reading “Sir, It Appears We’ve Been Jammed!”
This is the simplest version of a jamming gripper that we’ve seen yet. The only component that might not be readily available is the pump in the upper left, but the rest is all hardware or grocery store stuff. It’s based on the concept we saw from a research video where the air in a bladder full of coffee grounds is removed to grip an item. In this case the bladder is a party balloon which is held in place by parts from a cheap shower head. A threaded-to-barbed right angle connector makes it easy to connect the vinyl tubing up to the pump.
The video after the break shows that this works quite well for small items. But we see that a lot of downward force is exerted to firmly embed them in the grounds. We’re not sure if this is par for the course, or if it would work a bit better if more air were in the bladder initially. This other jamming gripper build uses a servo to release pressure from the system, and we think that might be of help here too.
Continue reading “Jamming Gripper That’s Super Easy To Build”
[Elliot] put together an intriguing proof-of-concept script that uses repeated deauthentication packet bursts to jam WiFi access points. From what we can tell it’s a new way to use an old tool. Aircrack-ng is a package often seen in WiFi hacking. It includes a deauthentication command which causes WiFi clients to stop using an access point and attempt to reauthenticate themselves. [Elliot’s] attack involves sending repeated deauthentication packets which in essence never allows a client to pass any data, because they will always be tied up with authentication.
After the break you can see a video demonstration of how this works. The script detects access points in the area. The attacker selects which ones to jam and the script then calls the Aircrack-ng command. If you’ve got an idea on how to protect against this type of thing, we’d love to hear about it. Leave your thoughts in the comments.
Continue reading “WiFi Jamming Via Deauthentication Packets”
Bring communications jamming technology into your TV viewing experience by building this infrared LED driver circuit. You’re probably familiar with the TV-B-Gone, which lets you turn off any television at the touch of a button. But what if you actually want to watch the program that’s currently on the screen when the person with remote-in-hand doesn’t? That’s where this little marvel comes in.
[KipKay’s] IR jammer uses a 555 timer to constantly transmit infrared traffic. The signals it’s sending out don’t correspond to commands the TV (or any other IR remote-controlled device) will respond to. But if the light intensity is strong enough, they will interfere with any signals coming in from a remote or even from a TV-B-Gone. [KipKay] wisely hides this circuit inside of another remote control so that the other couch potatoes you are thwarting won’t get wise to what’s happening. If they want to watch something else they’ll have to get up and walk over to the entertainment center to do something about it, and what’s the chance that’s going to happen?
Don’t miss [KipKay’s] infomercial-esque presentation of this gadget after the break.
Continue reading “IR Remote Control Jammer Makes You Lord Of The Livingroom”