Replay attacks using the Arduino module to implement wireless signals

The radio has been in use for a long time, and for a long time it was born a group called the Ham Tribe (^_^ cq), the man who ate ham all day. Radio and the Internet: There are also some security risks, such as: in the transmission of wireless signal does not take into account the CRC check, encryption and other security issues.

Small scenario: If you use the Wireless key card to unlock the car on one day and press the second time to unlock it, then your car has been targeted by hackers!

A new attack method called "Vehicle key signal replay attack" has been widely used by some hackers at home and abroad: they use radio technology to intercept your key card instructions, and then replay the signals of the car's electronic key to invade the car and unlock the door.

The feeling is not very big on it? Next, we'll discuss how to use the Arduino module to implement a replay attack on a wireless signal (to replay a signal that does not return a zero-encoded ask/ook modulation).

The 433.925MHz band is widely used in daily life: from the wireless doorbell to the garage remote control has its "shadow". The device used to replay the demo is a wireless control switch, which is more common in Europe, and it can remotely control the opening and closing of electrical appliances in a wireless manner.

The device looks like this:

In short, the signal is transmitted from the transmitting side to the receiving end in a non-zero encoded way, and then the receiving end decodes the signal and processes it. The non-zero code is a binary code: ' 1 ' Code positive voltage, ' 0 ' for negative voltage, the longer the width of the pulse represents the greater the amount of data. Here is an example of a non-zero code:

We use Arduino Uno and the very common RF module as well as an Arduino library file (RC Switch) of the RF module as our example.

Required Materials

● RTL_SDR Amazon link: http://www.amazon.com/NooElec-RTL-SDR-RTL2832U-Software-Packages/dp/B008S7AVTC (or other receiving equipment, USRP, etc.)
● SDR-Sharp: Official website: http://sdrsharp.com (Other software with similar functions include: gqrx, HDSDR)
● Arduino Uno website: http://arduino.cc/en/Main/Buy
● 433MHz RF Link Set website: http://www.seeedstudio.com/depot/433Mhz-RF-link-kit-p-127.html
● Some DuPont lines, bread version
● RC-Switch Library Website: https://code.google.com/p/rc-switch/
● Audacity website: http://audacity.sourceforge.net/download/
● RFCat website: https://bitbucket.org/atlas0fd00m/rfcat 

Step into the chase

First, we connect the Arduino and RF modules, and add the Rc-switch library to the Arduino compiler and download the program to the Arduino , which is the Arduino and RF module connection. For my wireless 433MHz transmitter module, it has 3 io feet: GND,VCC and data.

The IO pin of the module is connected directly to the Arduino IO pin, where the GND of the RF module connects the Arduino's GND,VCC to the Arduino's 5V pin, data any one of the digital pins.

After the Arduino and the wireless module are physically connected, download the following code to the Arduino.

</*
  Simple example for sending

  http://code.google.com/p/rc-switch/
*/

#include <RCSwitch.h>

RCSwitch mySwitch = RCSwitch();

void setup() {
  mySwitch.enableTransmit(2);  // Using Pin #2
}

void loop() {
  mySwitch.send("1100101"); // Send the message 0x65, in ASCII, ‘a’
  delay(1000);  // 1 second delay per transmission; 1000ms
}

Now that Arduino is working, we can capture the signal through RTL-SDR and Sdrsharp, considering that it is not a good choice to generate the signal through the wireless module, the frequency of the wireless module will change over time, Choose AM Modulation: The Sdrsharp frequency range is set between 433-434mhz.

When we find the signal transmitted by the wireless module, it is recorded and saved as WAV file. Using Audacity to open the recorded WAV file , as shown, it is a fairly straightforward signal, in the absence of source code, we assume that the signal is not zero code encoding, pulse width modulation (PWM), and is ask/ook (amplitude shift keying modulation/ Switching monitoring-This means that the presence and absence of data is expressed through ook control on and off, and the last thing we need to do is calculate the baud rate of the signal, calculated as follows:

1. Set the length at the bottom of the tool and select the length of the signal
2. Get the audio sample rate (here is 62500hz) 

Formula for calculating the baud rate:

1 1 /(62500) = ~2, 840bps

In most cases, the baud rate obtained is more accurate, and this parameter is also an important parameter of configuration Rfcat. Given that the signal is pulse-width modulated, we need to set each pulse at the appropriate width. Unfortunately this requires repeated experimentation and commissioning, fortunately, Andrewmac provides a very perfect script Rfcat solves these problems, through the Rfcat software, we are able to emit processing signals and can make the Arduino very easy to receive these signals, when using Rfcat, We need to set some parameters: as shown below:

 
d.setMdmModulation(MOD_ASK_OOK)
d.setFreq(frequency)
d.makePktFLEN(keyLen)
d.setMdmDRate(baudRate)
d.setMaxPower()
d.setMdmSyncMode(0)

First we set the modulation mode to Ask/ook, set our target frequency is 434042000Hz (433.925MHz), we need to set the length of the data, the baud rate is 2840bps, to ensure the maximum power transmission, and turn off synchronization, the synchronization mode is set to 0

Assuming we have enough knowledge of the rfcat and know how to use it, the following script helps us to perform the above configuration and PWM adjustment, so that we can receive a matching transmission signal.

 
/*
Script by AndrewMac of andrewmohawk.com
*/

#!/usr/bin/env python

import sys
import time
from rflib import *
from struct import *
import argparse
import pprint
import bitstring

keyLen = 0
baudRate = (1 / 0.000350) #because the pulse width is 350 in the code
frequency = 434042000
repeatNum = 30

def ConfigureD(d):
d.setMdmModulation(MOD_ASK_OOK)
d.setFreq(frequency)
d.makePktFLEN(keyLen)
d.setMdmDRate(baudRate)
d.setMaxPower()
d.setMdmSyncMode(0)

print "[+] Radio Config:"
print " [-] ---------------------------------"
print " [-] MDMModulation: MOD_ASK_OOK"
print " [-] Frequency: ",frequency
print " [-] Packet Length:",keyLen
print " [-] Baud Rate:",baudRate
print "[-] ---------------------------------"

#raw what we are sending  
bin_str_key = "1100101"; 

#adjust the key to make it longer so that the pulse width is correct
long_bin_key = "";

for k in bin_str_key:
x = "*"
if(k == "1"):
x = "11100" # <mossmann> A zero is encoded as a longer high pulse (high-high-low)
if(k == "0"):
x = "1000" #<mossmann> and a one is encoded as a shorter high pulse (high-low-low).
long_bin_key = long_bin_key + x

print "[+] Binary (PWM) key:\n\t",long_bin_key,"\n"

padAmount = len(long_bin_key) % 8
for x in range(0,8-padAmount):
long_bin_key = "0" + long_bin_key

print "[+] Binary Padded (PWM) key:\n\t",long_bin_key,"\n"

key_packed = bitstring.BitArray(bin=long_bin_key).tobytes()

keyLen = len(key_packed)

print "[+] Key len:\n\t",keyLen,"\n"
print "[+] Key:\n\t", key_packed.encode(&#039;hex&#039;),"\n"
print ""

d = RfCat()
ConfigureD(d)

print "[%] Transmitting key: ",repeatNum," times\n"

#startString = "11101";
startStringBin = "000000000000000" + "1000100010001000111001000"
startkey_packed = bitstring.BitArray(bin=startStringBin).tobytes()
d.RFxmit(startkey_packed)

d.makePktFLEN(keyLen)
for i in range(0,repeatNum):
sys.stdout.write( "." )
d.RFxmit(key_packed)

#endString = "011";
d.RFxmit(&#039;\xFF&#039;)
sys.stdout.write("Done.\n")

Explain the above code:

First we set the modulation mode, baud rate, etc., and write these configurations to RFCat and make it effective
Then we set the key, which is the raw data we want to send and assign it to the variable binstrkey
Then we change the key and think ‘1’ means 111000 and ‘0’ means 1000
In this way, our original key (11001101) is defined as the new binary PWM key 11100111001000100011100100011100. 

The width of our pulses is accurate. The next step is to convert the binary PWM key into a bit type so that the data is not sent in ASCII and then configured with the length of the binary PWM key to configure D.makepktflen (Keylen) so that the RFCAT has a fixed-length key when it is sent . Now that the information is nearly set up, we also need to create the start and end bits so that the Arduino knows when our data will start to be sent and when it will end. When these definitions are executed, we execute the Rfxmit () function, D.rfxmit (startkeypacked), D.rfxmit (keypacked), and D.rfxmit (' \xff '), which are finally sent as:

00000000000000010001000100010001110010001110011100100010001110010001110011111111

This information is sent 30 times and is sent 10 times to be considered a complete message request. However, in order to check and ensure that the signal is sent correctly, the modified repeatnum equals ' 1 ', re-recorded with Sdrsharp and compared with the original signal, it is found that the two are the same.

Receive code for Arduino:

 
 
/*
  Simple example for receiving

  http://code.google.com/p/rc-switch/
*/

#include <RCSwitch.h>

RCSwitch mySwitch = RCSwitch();

void setup() {
  Serial.begin(9600);
  mySwitch.enableReceive(0);  // Receiver on interrupt 0 => that is pin #2
}

void loop() {
  if (mySwitch.available()) {

int value = mySwitch.getReceivedValue();

if (value == 0) {
  Serial.print("Unknown encoding");
} else {
  Serial.print("Received ");
  Serial.print( mySwitch.getReceivedValue() );
  Serial.print(" / ");
  Serial.print( mySwitch.getReceivedBitlength() );
  Serial.print("bit ");
  Serial.print("Protocol: ");
  Serial.println( mySwitch.getReceivedProtocol() );
}

mySwitch.resetAvailable();
  }
}

Thereafter, the receiving circuit follows the connection:

If you are lucky, your signal will soon match and the receiver receives the signal from the Rfcat, so you have successfully replayed the signal.

Replay attacks using the Arduino module to implement wireless signals