Together with my colleague Matthias Deeg I’ve done some more research on wireless input devices. This is considered a follow up research to our previous work on wireless desktop sets. This time the focus was on presenters (aka presentation clickers) and Bluetooth keyboards. Again, we were able to find several security issues and presented them at Confidence in Krakow. Read more

In 2016 my colleague, Matthias Deeg, and I have looked into the security of wireless alarm systems. At this time, the ABUS Secvest alarm system did not sign and/or encryption its packets, allowing an attacker to disarm it. Some time later they introduced rolling codes to their protocol. But as Thomas Detert found found out, they were still not secure. The used algorithm for generating the next valid code is predictable, just by looking at the communication. Read more

Together with my colleague Matthias Deeg I’ve done some research on several (cheap) wireless alarm systems. We found that it is possible to disarm all systems by a simple replay attack. Such an attack can be easily carried out using a Software Defined Radio (SDR). The results of our research have been documented by “Plusminus”, a German TV show. Read more

Together with my colleague Matthias Deeg I’ve done some research on several modern wireless desktop sets. All of the manufacturers claim they are secure because they encrypt data using AES 128. All keyboards and mice use a proprietary communication protocol (not Bluetooth), therefore we were interested in if they are really secure. The result of the analysis was presented at several IT security conferences including Ruxcon in Melbourne, Hacktivity in Budapest, ZERONIGHTS in Moscow, DeepSec in Vienna and hack.lu in Luxembourg. Read more

After playing around with my SDR and wireless sockets I had a look at other devices, which also use ASK/OOK modulated signals. I found a different wireless socket system, an alarm system and a sex toy. After analyzing the signals, I wanted do build a remote to control them all. I used an Adafruit Trinket (ATtiny85) as micro controller and a cheap OOK transmitter module at 433MHz. The code on the controller just sends the same signal as the original remote replay attack). Read more

In order to improve my understanding of Software Defined Radios (SDRs) and wireless communication in general, I tinkered with cheap wireless sockets. The results are two pieces of software. Sniffer: This script can eavesdrop on the signals the remote control sends to the sockets. It displays the address, the socket identifier (A, B, C, D or E) and the state (on/off). Remote control: This script allows you to change the state of any socket by supplying the address and the socket identifier. Alternatively you can use the brute-force mode to turn on/off every socket within range. Read more