Since I was a child, I have been interested in garage doors that can be remote controlled. As I grew older and advanced in my job, I decided to satisfy my curiosity and, as a security researcher, dig into analyzing these systems that communicate via RF.

As I started to ask questions like how the doors communicate with the remote control, whether it is possible to trace the signals, and whether it is possible to open the doors by a brute-force attack or by replaying signals that were sent before, I started to feel like an ambitious but amateur sailor trying to cross the RF ocean in a rowboat.

Over the years, as I kept reading articles about RF, I began to ask more questions. Just when I was getting overwhelmed by these questions, Ahmet CIHAN came to my rescue; I had listened to his presentation at the NOPcon security conference, and after that the world of RF was no longer a mystery.

For sincerely and tirelessly answering my questions day and night since 2014, and for all of his efforts that allow me to write this post today, I would like to thank Ahmet CIHAN :)

In this work, where I look for the answers to the questions I mentioned in the second paragraph, my first tasks were to find the frequency the remote controller works on (most probably 433 MHz, but it could be 315 MHz too) and then to find which modulation it uses (most probably Amplitude-Shift Keying (ASK), but it could be FSK or PSK too).

The author of the book Abusing the Internet of Things, which I read recently, explained modulation with a good analogy. Continuing with the same analogy, the pressure waves that come out of our mouth travel through a medium we call air to reach the other side. By this example, what we call modulation is the transformation of the pressure waves that come out of our mouth into a radio signal as they travel through the air. The other wave this radio signal rides on while being transmitted to the other side is called the carrier wave.

To find which frequency the remote control was working on, I could have opened up the remote and looked at the number written on the resonator (like R433T). Because I didn't want to mess with a screwdriver much, I decided to detect the frequency by using an RTL2832U digital TV receiver, which I bought for $10 from Deal Extreme, and the HDSDR software, which can be obtained for free.

After I connected the digital TV receiver to the USB port and started up the HDSDR program, I set the frequency to 433 MHz (my estimate according to the ISM band plan) and the modulation to AM, clicked F2 (start), and saw that the remote controller was using the related band and frequency. (When you press a button on the remote and see activity on the related frequency, it means the remote controller is working on that frequency or one close to it.)

To detect the modulation, I examined the signal recorded with HDSDR in Audacity, a free sound editing and recording program, and saw that it was ASK / OOK. By looking at the DIP switch, I could have assumed the signal was 10 bits; however, when I looked at the recorded signal in Audacity I saw that it was 12 bits. (With the bit at the end it might look like 13 bits, but you can see it is actually 12 bits, and the bit at the end is a footer, as shown later in the post.)

By splitting the signal into its parts and translating it into high, low and open marks (0, 1 and O data), I saw that it matched the DIP switch array and successfully translated the signal into data. In short, I had the RF code needed to clone the remote controller.

After that, it was a matter of sending the data to the garage door by ASK-modulating it with either an Arduino or a Raspberry Pi. Of course, for this I first had to spend $3 and buy an RF receiver and transmitter kit. (If any of you don't want to be bothered with this in a security research project like this one, you can spend $330 like me and buy a HackRF One kit and be free of all the trouble.) By the way, you can reach the free Software Defined Radio (SDR) and HackRF One training from here.

Because I paid so much for the HackRF device, I wanted to experience how much easier it made things for me. For this, I worked on the RF power plugs I had bought earlier for RF security research. By holding the RF plug's remote controller next to the HackRF One's antenna and pressing the button (ON) on the remote that powers the socket, I easily recorded the signals with HackRF One using the command below, as shown in the video below.

hackrf_transfer -r Funk-433Mhz-8M-8bit.bin -f 433000000 -s 8000000 -l 40

After recording the signals for around 30 seconds, I ran the command below to have the signals recorded by HackRF One sent to the RF plug. After a short while, I saw that the lamp connected to the RF plug lit up: the signal was easily repeatable (REPLAY) with HackRF One.

hackrf_transfer -t Funk-433Mhz-8M-8bit.bin -f 433000000 -s 8000000 -x 47

Those who want to go with a Raspberry Pi instead of a HackRF One can buy a $3 RF receiver and transmitter, connect it to the Raspberry Pi's GPIO pins, and take advantage of pilight, a tool for controlling smart devices from a Raspberry Pi.

To go forward with the Raspberry Pi, first of all I used the pilight-debug command, which starts pilight capturing RF signals, to record the signal (RF code) the garage remote transmits when the open/close button is pressed. After that, by sending the RF code I found to the door with the pilight-send -p raw -c command, I was able to successfully open the door, as shown in the video below :)

To find an answer to “How easy is it to conduct a brute-force attack on garage doors that use the same system and a code string similar to the pilight tool's?”, I began by grouping the RF code into 1s, 0s and O's. (You can use pilight's wiki page for grouping examples and detailed information.)

(Censored) O

510 255 510 255 1
510 510 255 255 0
510 510 255 255 0
510 510 255 255 0
510 510 255 255 0
510 510 255 255 0
510 255 510 255 1
510 510 255 255 0
510 255 510 255 1

510 255 510 255 1
510 510 255 255 0

(Censored) footer
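The grouping above is a manual decode of pilight's raw pulse list. The following is an added example, not code from the original post: it automates that decode for the two patterns the post gives (510 255 510 255 = 1, 510 510 255 255 = 0) and generalizes it by classifying each pulse as long or short against a threshold, so jittered captures still decode. The sample pulse string is constructed; the censored O bit and footer are not guessed and any unrecognized group is reported as "?".

```python
# Constructed sample in pilight "raw" style: alternating pulse lengths (microseconds),
# four pulses per data bit, built from the page's two known groups. The remote's
# first "O" bit and footer are censored on the page, so this sample carries only
# 1/0 bits; unknown groups are reported as "?" rather than guessed.
SAMPLE_RAW = "510 255 510 255 510 510 255 255 510 510 255 255 510 255 510 255"

# Pulse pattern per bit, written as long (L) / short (S), taken from the page's table:
# 510 255 510 255 -> 1, 510 510 255 255 -> 0.
BIT_PATTERNS = {"LSLS": "1", "LLSS": "0"}

def classify_pulses(pulses):
    """Label each pulse long or short relative to the midpoint between the
    shortest and longest pulse, so jittered captures (e.g. 498, 262) still decode."""
    threshold = (min(pulses) + max(pulses)) / 2
    return "".join("L" if p > threshold else "S" for p in pulses)

def decode_raw(raw, pulses_per_bit=4):
    """Turn a pilight raw pulse string into a bit string of '1', '0' or '?'."""
    pulses = [int(x) for x in raw.split()]
    if len(pulses) % pulses_per_bit:
        raise ValueError("pulse count %d is not a multiple of %d"
                         % (len(pulses), pulses_per_bit))
    labels = classify_pulses(pulses)
    groups = [labels[i:i + pulses_per_bit]
              for i in range(0, len(labels), pulses_per_bit)]
    return "".join(BIT_PATTERNS.get(g, "?") for g in groups)

def frame_length_ok(bits, expected=12):
    """The post's remote carries 12 data bits before the footer; flag other lengths."""
    return len(bits) == expected
```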

Because I knew the remote controller sends a 12-bit signal, and taking into account that values that are 1 would be 0, values that are 0 would be 1, and the first bit O would be a different value (in short, high if low and low if high), it was easy to calculate that the door would open for one of 2^12 (4096) RF codes.

With the Python programming language, I created a tool named Garage Door Bruteforcer, which sends the 4096 RF codes I had prepared to the garage door with pilight. At the end of 3 minutes I saw that this tool could send 500 RF codes to the garage door. (With simple math, we can say that this tool can produce the code that opens the garage door in ~30 minutes. With a tool like OpenSesame it is possible to reduce this time to seconds.)

When we look at these types of attacks, we see that brute-force and replay attacks succeed against RF receivers that use a static (fixed) code. When we look at modern car lock and remote systems, alarm systems and garage door systems produced in recent years, we see that most of them use rolling code, which we accept as secure. As a result, using rolling-code systems is a good choice against these types of attacks.
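To make the static-versus-rolling contrast concrete, here is an added example (not code from the original post or from any real remote) that models both receivers: a static receiver accepts any sniffed copy of its fixed code, while a rolling-code receiver accepts only a fresh counter authenticated with a shared key and inside a forward window. The key, the 8-byte truncated HMAC tag and the window size of 16 are constructed assumptions for the demo.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"  # assumed shared secret provisioned at pairing time

class StaticCodeReceiver:
    """Models the post's fixed 12-bit code: any frame equal to the code opens the door."""
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return frame == self.code

class RollingCodeRemote:
    """Each press sends counter || MAC(key, counter); the counter never repeats."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Accepts only fresh counters inside a forward window, so a captured frame
    cannot be replayed and guessing counters is useless without the key."""
    def __init__(self, key, window=16):
        self.key, self.last, self.window = key, 0, window
    def accept(self, frame):
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        n = int.from_bytes(ctr, "big")
        if not (self.last < n <= self.last + self.window):
            return False  # replayed, stale, or too far ahead of the receiver
        self.last = n
        return True

def replay_demo():
    """Returns (static_accepts_replay, rolling_accepts_first, rolling_accepts_replay)."""
    static = StaticCodeReceiver("100000010101")
    captured = "100000010101"  # constructed: what a sniffer would copy from a static remote
    remote, rx = RollingCodeRemote(KEY), RollingCodeReceiver(KEY)
    frame = remote.press()
    return static.accept(captured), rx.accept(frame), rx.accept(frame)
```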

I hope this post is useful for security experts and researchers who want to enter the world of RF. Hope to see you in the next post; have a secure day.

Original Article: RF Dünyası ve Güvenlik
Translated to English by: Hüseyin Fatih Akar | Twitter: @thehakar