Ash Allen

The details below discuss the vulnerabilities found in the following devices:

• Suleve 5-in-1 Smart Door Lock (firmware v1.0)
• Digoo DG-HAMB Smart Home Security System (firmware v1.0)
• Etekcity 3-in-1 Smart Door Lock (firmware v1.0)

The use of low-frequency (LF) RFID tags is a significant security issue. These tags do not support any form of encryption and so can be read using an NFC-equipped mobile phone or dedicated reader in under a second. The only information encoded is a number, and so using software to write to blank tags it is possible to create any number of duplicate tags possessing the same permissions as the original. In addition, no indication would be given to the owner of the original tag that it had been compromised.

As of 5th August, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

Recently I had a chance to look at a number of intruder alarm systems sold via Amazon and eBay. These devices sell for up to £150, and a number are best sellers

• Kerui W18 Alarm
• Blitzwolf BW-IS22 Smart Home Security Alarm
• Digoo DG-HAMB Smart Home Security System
• AGSHome Smart Alarm

As discussed in my last post, RF frequency communication can be captured relatively easily, using a software-defined radio (SDR). All four devices use 433MHz RF to communicate between the sensors and the base station. Capturing transmissions from each device proved extremely simple; the following shows the result of triggering one of the door sensors included with the Kerui alarm:

I decided to capture the results of pressing the alarm arm/disarm fob for each device. These are used to remotely enable or disable the alarm. Using SDR# I captured both the AF and IQ transmissions. The results for each are as follows:

The top line shows keypress 1, and the bottom keypress 2. As you can see, for each device the two are identical. This means that once the code is captured it can be reused by an attacker to arm and disarm the alarm at will. Not something that is desirable for a security system!

It appears that the majority of these generically named devices use 433MHz and non-rolling codes. More expensive devices seem to prefer the 868MHz band, and also rolling codes. These are more secure, but can still be jammed to stop a sensor activation from registering at the base station and triggering the alarm. They are also vulnerable to RollJam-type attacks. The moral of the story? Use something with wires!

The following CVEs are related to this work: CVE-2023-31759, CVE-2023-31761, CVE-2023-31762, CVE-2023-31763.

Have you ever wondered how wireless devices like remote controls or wireless sensors work? Chances are they use 433MHz radio technology. However, as with any technology, 433MHz radio signals can be vulnerable to hacking and exploitation. In this blog post, we’ll take a closer look at how 433MHz radio signals work, the tools and techniques used for hacking them, and the potential risks and benefits of such activities.

To understand how to hack 433MHz radio, it’s important to first understand the basics of how these signals work. 433MHz radio signals operate on a specific frequency range and use various modulation and encoding techniques to transmit information.

Modulation is the process of changing the frequency, phase, or amplitude of a radio signal to carry information. There are several types of modulation that you may encounter when working with 433MHz radio, including amplitude shift keying (ASK), frequency shift keying (FSK), on-off keying (OOK), and phase shift keying (PSK).

If you’re interested in hacking 433MHz radio, you’ll need specialized hardware and software tools like software-defined radios (SDRs), signal analyzers, and decoders. SDRs are radio communication systems that use software to control radio hardware, allowing you to manipulate radio signals and analyze them in real-time. Popular SDRs for hacking 433MHz radio include HackRF One and RTL-SDR. Signal analyzers are devices that can capture and analyze radio signals, helping you to better understand the signals and how to decode them. Popular signal analyzers for 433MHz radio hacking include the RF Explorer and the Signal Hound USB-SA44B. Decoders are software tools that can help you decode and interpret 433MHz radio signals. Popular decoders for 433MHz radio include Universal Radio Hacker (URH) and GNU Radio.

There have been several notable vulnerabilities related to 433MHz radio hacking. For example, researchers have demonstrated how vulnerable wireless home security systems can be to hacking, with some systems using 433MHz radio signals that can be easily intercepted and decoded. Additionally, replay attacks have been used to remotely control garage doors and other devices that use 433MHz radio signals. For further reading on these vulnerabilities, see “Hacking Alarm Systems with an RTL-SDR and RFCAT” and “How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It”.

While hacking 433MHz radio can be a fascinating and powerful tool, it’s important to be aware of the potential risks and ethical considerations involved. By acting responsibly and using the right tools and techniques, you can help ensure that your hacking activities are safe and beneficial. If you want to learn more about 433MHz radio technology, there are many resources available that can help you explore this fascinating area of wireless technology.

With all the hype around ChatGPT, I thought I’d give it a go at writing this next post. So here we are:

The Internet of Things (IoT) has revolutionized the way we live and work, connecting a vast array of devices and enabling them to communicate and share data. However, as the number of IoT devices continues to grow, so too do the challenges surrounding their security. In the coming year, these challenges will only become more pressing, as IoT technology becomes even more deeply integrated into our daily lives.

One of the biggest challenges facing IoT security in 2023 will be the sheer scale of the IoT. As more and more devices are connected to the internet, the potential attack surface for hackers and cybercriminals grows exponentially. This makes it difficult for security professionals to keep up with the latest threats and vulnerabilities, and leaves many IoT devices vulnerable to attack.

Another major challenge will be the diversity of IoT devices. The IoT encompasses a wide range of devices, from smart thermostats and security cameras to industrial control systems and medical devices. Each of these devices has its own unique security requirements and vulnerabilities, making it difficult for security professionals to develop a comprehensive security strategy that covers all of them.

In addition, many IoT devices are designed with convenience in mind, rather than security. This means that they often have weak passwords and lack advanced security features such as encryption and two-factor authentication. As a result, these devices can be easily compromised by hackers, putting the security of the entire IoT ecosystem at risk.

Finally, the decentralized nature of the IoT makes it difficult to implement effective security measures. With so many different devices and systems connected to the internet, it can be difficult to identify and address security vulnerabilities in a timely manner. This makes it harder to prevent attacks and respond to security breaches, leaving the entire IoT ecosystem vulnerable to a wide range of threats.

Overall, the challenges facing IoT security in 2023 are significant and will require a concerted effort from both security professionals and device manufacturers to overcome. By prioritizing security and working together, we can ensure that the IoT remains a safe and secure environment for all.

So, overall not bad. It has captured a lot of pretty generic threats, and the writing is good if a little devoid of colour. Expect to see a lot of “creators” leveraging this sort of shortcut in 2023. An interesting challenge would be to try and fingerprint computer-generated posts…

So, for the past two years I have been studying for a Masters in Cybersecurity part time, and thankfully managed to pass with a Distinction. Yay! It’s an itch that I’ve been wanting to scratch for a good long while, and I’m glad to have done it.

This leads me on to my next announcement. I’m going to be studying for a PhD in IoT Security part time, alongside my current work commitments. A couple of people have asked me why I’m doing it, so I thought I’d lay out my reasons here:

1. It sounds like fun! Seriously; I’m a bit of a nerd with this stuff, and the ability to really dig down into the weeds of a topic is really appealing!
2. I want to discover something new! The thesis has to show originality, and again that appeals. I’m not expecting to discover gravitational waves, or evolution, but having a little bit of the tree of knowledge that I found first is a really cool thought.
3. I think I’ll be good at it! Having had a 20 year break between undergraduate and Masters study, I wasn’t sure what to expect, but thankfully I managed to pick things up pretty quickly. Speaking to my now supervisor and putting together a proposal, it seems that I have the ability to do this, and that others agree.
4. I want to be Doctor Allen! Maybe it’s an ego thing, but I like the idea of knowing I can use that title. I’m not going to, but it’s a cool thing, and it’s a validation. So yeah, Dr. Ash!

I’m not doing this for career progression; there are much shorter and cheaper ways of getting qualifications that employers want. I also don’t want to transfer to academia full time – I’ve seen enough to know that I’m happy in my current little niche! So, that’s the announcement. Let’s see what the next six (!) years bring…