November 23, 2016

Alarm System Security

Together with my college Matthias Deeg I’ve done some research on several (cheap) wireless alarm systems. We found that it is possible to disarm all systems by a simple replay attack. Such an attack can be easily carried out using a Software Defined Radio (SDR). The results of our research have been documented by “Plusminus”, a German TV show. Read more

November 20, 2016

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets

Together with my college Matthias Deeg I’ve done some research on several modern wireless desktop sets. All of the manufacturers claim they are secure because they encrypt data using AES 128. All keyboards and mice use a proprietary communication protocol (not Bluetooth), therefore we were interested in if they are really secure. The result of the analysis was presented at several IT security conferences including Ruxcon in Melbourne, Hacktivity in Budapest, ZERONIGHTS in Moscow, DeepSec in Vienna and hack.lu in Luxembourg. Read more

February 21, 2016

433MHz OOK Remote

After playing around with my SDR and wireless sockets I had a look at other devices, which also use ASK/OOK modulated signals. I found a different wireless socket system, an alarm system and a sex toy. After analyzing the signals, I wanted do build a remote to control them all. I used an Adafruit Trinket (ATtiny85) as micro controller and a cheap OOK transmitter module at 433MHz. The code on the controller just sends the same signal as the original remote replay attack). Read more

November 8, 2015

Wireless Socket Remote

In order to improve my understanding of Software Defined Radios (SDRs) and wireless communication in general, I tinkered with cheap wireless sockets. The results are two pieces of software. Sniffer: This script can eavesdrop on the signals the remote control sends to the sockets. It displays the address, the socket identifier (A, B, C, D or E) and the state (on/off). Remote control: This script allows you to change the state of any socket by supplying the address and the socket identifier. Alternatively you can use the brute-force mode to turn on/off every socket within range. Read more

© 2018 - Gerhard Klostermeier - Some rights reserved - Legal Notice