PandwaRF

From Embedded Lab Vienna for IoT & Security

PandwaRF.png

Description

PandwaRF is a family of pocket-sized, portable RF analysis tools operating in the sub-1 GHz range, produced by Comthings, a French startup focused on the PandwaRF analysis tool and custom RF penetration testing tools for professionals and law enforcement agencies. [1] It allows the analysis and re-transmission of RF signals via an Android device or a Linux PC.

It can be connected to an Android smartphone using BLE or USB, and to Linux using USB. It is based on the well-known RfCat and Yard Stick One tools with the Texas Instruments CC1111 RF transceiver [2], but with a lot of new features, making PandwaRF the perfect portable RF analysis tool. Practically, it removes the ‘standard SDR Grind’ of capturing, demodulating, analyzing, modifying and replaying by hand – replacing it with a simple but powerful interface.

The PandwaRF system consists of two elements: the hardware device and the software controller, either an Android device or a PC. The hardware is a very capable device, tailored for beginners and advanced users alike. Beyond the functionality provided by the Android interface, the PandwaRF can be easily controlled and customized: there is no need to risk bricking the device or to write C, because the PandwaRF can be controlled by JavaScript directly on the smartphone. The Rogue Pro was designed for advanced users such as pentesters and security professionals, and it specializes in brute forcing wireless devices in order to test their security.

General Overview

PandwaRF is a Radio Frequency hacking tool used to:[3]

Receive

  • Capture any data in ASK/OOK/MSK/2-FSK/GFSK modulation in the frequency ranges 300-348 MHz, 391-464 MHz and 782-928 MHz
  • Transfer the captured data to your smartphone & save/share it
  • The captured data can be displayed in hexadecimal or binary stream formats and exported for post-processing.
  • Send the captured data in JSON to your own server for post-processing
  • Write your own scripts or use a provided one

    Transmit

  • Transmit previously captured data or write your own
  • Transmit data from a smartphone or directly from PandwaRF
  • Brute force with a predefined transmission pattern (encoders or devices)
  • Transmit power: +10 dBm

    Analyze

  • Visualize the frequency used by any device using the PandwaRF built-in Spectrum Analyzer
  • Directly show the maximum and average RSSI for a specific frequency band

    Technical Overview

    PandwaRF is composed of 2 elements:

  • PandwaRF HW dongle
  • PandwaRF Android application

    PandwaRF HW dongle

    The PandwaRF Rogue Pro dongle contains[4]:

  • Bluetooth Smart Module ISP130301, based on nRF51
  • CC1111 Low-Power SoC with Sub-1 GHz RF Transceiver
  • 16 Mbit Flash Memory to save custom RF protocols
  • Rechargeable battery powered for stand-alone operation
  • Battery fuel gauge
  • SMA connector
  • 4 buttons
  • 4 Status LEDs
  • Debug connectors & GPIOs

    Possible applications

  • Receive key fob transmissions (car, alarm, gate opener, …)
  • Replay captured transmissions from key fobs
  • Replay a modified captured transmission
  • Transmit your own custom payload
  • Capture RF data and transmit it on another frequency
  • Brute force wireless devices (alarms, gate openers etc.)[5]
  • Spectrum Analyzer
  • Find the frequency used by an RF device
  • Reverse engineer unknown protocols
  • Measure the data rate of a transmission
  • Check the RF jam-resistance of your own devices
  • Send captured data to a server for post-processing
  • Write custom JavaScript scenarios
  • Develop your own Android application

    Hardware Antennas

    In its antenna pack version, PandwaRF is shipped with 3 miniature SMA antennas (315/433/868-915 MHz).

    Using the proper antenna is critical to have good RF performance. Antennas are labelled with the first digit of their frequency band:

  • 3 for 315 MHz,
  • 4 for 433 MHz,
  • 8/9 for 868/915 MHz

    Warning

    PandwaRF is test equipment for RF systems. It has not been tested for compliance with the regulations governing the transmission of radio signals. You are responsible for using your PandwaRF legally. The intentional jamming of RF signals is ILLEGAL. PandwaRF should only be used for testing the robustness of your own devices.

    Mobile App

    PandwaRF offers a smartphone app to provide many tools for analysing RF signals:

    Pairing

    In order to use the PandwaRF, the device has to be connected to the mobile device via Bluetooth.

    PandwaRFPairing.png

    Spectrum Analyser

    The spectrum analyser helps measure the exact frequency at which a device's signal operates. It also makes it possible to discern the modulation, distortion, noise and bandwidth.

    PandwaRFSpecAnalyse.png

    Rx/Tx Data Transmission

    This tab is for capturing or transmitting the data of the device to be intercepted. It has two different modes: a beginner-friendly easy mode and a hard mode designed for radio experts who want to fine-tune the eavesdropping. The easy mode needs three inputs: the device's operating frequency, the modulation type and, lastly, the data rate.

    The operating frequency can be filled in either manually or automatically from the results of the spectrum analyser. The next parameter is the modulation type, which is usually stated in the device's technical manual. Last but not least, the data rate can be filled in manually or measured by sending an RF signal.

    Once these are set, the user can start the capture of the transmission and eavesdrop on the message. Received data is shown in the mobile app as a hex or binary stream.

    PandwaRFRxTx.png


    Brute Force

    Another tool the app provides is brute forcing code words on RF devices. With this feature the user can send multiple RF codes to the receiver after having configured the baselines for the code word. In order to start brute-forcing the code word and set up the analysis tool, the user must first gain insight into the missing information, such as the RF parameters, code word settings, etc. [6].

    PandwaRFBruteForce.png

    Kaiju

    Kaiju is an online rolling code analyser and generator. It takes the captured payload of the RF signal, processes it, tries to break its encryption on a remote server operated by ComThings and returns several pieces of information, including metadata about the target device, such as [7]:

  • Brand/Model
  • Serial Number
  • Encryption Scheme

    Kaiju.png

    Rolling Code

    One of the commonly used techniques for securely gaining access to vehicles or garage door openers is a rolling code implementation, also known as hopping code. It is an authentication scheme that allows the user, for example, to remotely open their car. Systems using this technique therefore need no physical key, but rather remote keys in the form of remote controls, e.g. car key fobs.

    In general, this protocol works by generating a code and having it validated by the receiving device. The transmitter and receiver using this protocol must, however, be synchronised first. The code is generated on the sender side and must be unique. The uniqueness can be guaranteed by having the sender device hold an internal counter and increment it on every code generation. Every time the user presses the button on their transmitting device, it creates a new code. That remote has a unique identifier (UID), which the receiver knows because the first step is to synchronise both devices. The receiving end can validate the message because it contains the UID of the remote control. Once the code is accepted, the receiver adds the newly generated code to its list and increments its own counter [8].

    A good visualization can be found at https://harryli0088.github.io/rolling-code/
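To make the counter and synchronisation logic concrete, the following is an added Python model written for this page (not Comthings', Chamberlain's or Kaiju's code) of a rolling-code remote and its receiver. The keyed tag standing in for the vendor's encryption, the window size of 16, the UID and the key are all assumptions; a fixed-code receiver, by contrast, only compares the received word with one stored value, which is why the replayed smart plug code in the later section is accepted.

```python
import hmac
import hashlib

# Constructed model of a counter-based rolling (hopping) code. A code word is
# (UID, counter, tag); the keyed tag is an assumed stand-in for the vendor's
# encryption and does not reproduce the Chamberlain Security+ 2.0 format.
WINDOW = 16  # counters up to this far ahead of the stored value are accepted

def make_tag(key, uid, counter):
    return hmac.new(key, f"{uid}:{counter}".encode(), hashlib.sha256).hexdigest()[:8]

class Remote:
    """Key fob: shared key, unique identifier and a counter incremented per press."""
    def __init__(self, uid, key):
        self.uid, self.key, self.counter = uid, key, 0

    def press(self):
        self.counter += 1
        return (self.uid, self.counter, make_tag(self.key, self.uid, self.counter))

class RollingReceiver:
    """Opener side: synchronised with the remote, so it knows UID, key and counter."""
    def __init__(self, remote):
        self.uid, self.key, self.last = remote.uid, remote.key, remote.counter

    def accept(self, code):
        uid, counter, tag = code
        if uid != self.uid:                                     # unknown remote
            return False
        if not hmac.compare_digest(tag, make_tag(self.key, uid, counter)):
            return False                                        # forged or corrupted
        if not self.last < counter <= self.last + WINDOW:
            return False                    # old counter (replay) or out of sync
        self.last = counter                 # the accepted code word is now burned
        return True

def demo():
    """Returns (live, replay, resync, lost): True where the opener accepted."""
    remote = Remote("A1B2C3", b"constructed-shared-key")
    gate = RollingReceiver(remote)
    captured = remote.press()               # code word captured over the air
    live = gate.accept(captured)            # genuine press: accepted
    replay = gate.accept(captured)          # identical code again: rejected
    for _ in range(WINDOW - 1):             # presses out of range of the opener
        remote.press()
    resync = gate.accept(remote.press())    # still inside the window: accepted
    for _ in range(WINDOW):
        remote.press()
    lost = gate.accept(remote.press())      # beyond the window: rejected
    return live, replay, resync, lost
```

The last case is the resynchronisation problem the text alludes to: once the remote's counter runs past the receiver's window, the pair has to be re-synchronised before any press is accepted again.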

    License required

    However, to enable the rolling code generation against devices such as garage door openers, a Kaiju license has to be bought from the PandwaRF shop. Once bought, it has to be bound to a Kaiju account and the MAC address of a PandwaRF device. This association cannot be changed unless a request ticket is made to the support e-mail of the PandwaRF team [9].

    Example: Rolling Code Attack

    The following section presents an attempt to hack a garage door opener - the Chamberlain ML700EV Comfort [10] - with the help of the PandwaRF Rogue Pro. This device consists of a motor, several metal rails for the garage door and two remote controls to operate it. The motor acts as the receiver. The minimal set-up required for the opener to work is to plug in the motor; the remote control can then send RF signals to open and close the gate at the press of a button.

    PandwaRFSetup.jpg


    Step 1: Setup RF Parameters

    In the first step it is important to know the RF parameters the device operates with. The RF parameters needed for a capture in PandwaRF are the following:

  • Frequency
  • Modulation
  • Data rate

    For the RF connectivity, two different antennas can be connected to the PandwaRF board: one for the 433 MHz area and one operating around 868 MHz. There are multiple ways to find out the operating frequency of the device. The simplest is to look at the vendor's shopping page and the product's technical details. Browsing the manual provided in the packaging is an alternative. Lastly, if the device has a Federal Communications Commission (FCC) ID [11], the necessary data can be searched for online. Here the operating frequency was found in the manual: the device can operate on both the 433 MHz and the 868 MHz bands. For this example the 868 MHz antenna has been screwed onto the PandwaRF.

    In order to start hacking, the data needs to be recorded and sent to Kaiju. The capture can be started in the Rx/Tx tab and displayed as either a binary or a hex data stream. Before eavesdropping can begin, the two remaining RF parameters (modulation and data rate) have to be determined. The data rate can simply be measured from the current tab, whilst the modulation has to be figured out via trial and error.

    Step 2: Capturing the Data

    The eavesdrop can now start by initiating the capture in the app and then sending an RF signal from the remote control.

    The RF parameters are as follows:

  • Frequency - 868.225 MHz
  • Modulation - ASK/OOK
  • Data rate - 3.999 Bit/s

    PandwaRFRxTx.png PandwaRFRxTx-Eavesdropped.png

    Step 3: Send to Kaiju

    After a successful interception, the payload is evaluated automatically, and it shows that the captured signal has a pattern resembling a rolling code implementation. For Kaiju to correctly break the encryption, the detected pattern has to be changed to Chamberlain Security+ 2.0 (rolling code).

    The button on the bottom left will send the selected payload to Kaiju and will automatically generate 10 new rolling codes to use.

    PandwaRF-Patterns.jpg PandwaRFTransmitToKaiju.png

    Step 4: Use Rolling Codes

    The payload is sent to the Kaiju servers, which process the data and try to break the encryption. The process behind how it attempts to break it is not stated on the Kaiju website. It cracks the input stream and returns a positive result: the signal has been figured out. Kaiju automatically generates ten new rolling codes for each payload sent to it for analysis. It is now possible to send these codes from the mobile app to the PandwaRF. The analysis tool then acts as an impostor remote control and triggers an action from the actuator.

    PandwaRFTransmitRollingCodes.png

    Evaluation on the Kaiju Website

    KaijuHistory.png KaijuMetadata.png KaijuRollingCodes.png

    Example: Simple Replay Attack on a Smart Plug

    This section demonstrates a Simple Replay Attack on a smart plug with fixed codes, emphasizing the detection of "6 known codes" for brute force testing.

    Step 1: Setup RF Parameters

    The smart plug operates on the 433 MHz frequency band, which is commonly used for simple RF devices. Using the Spectrum Analyzer, the frequency and parameters were identified:

  • Frequency: 433.900 MHz
  • Modulation: ASK/OOK
  • Data Rate: 2722 Bit/s

    The 433 MHz antenna was connected to the PandwaRF for signal interception.

    Step 2: Capturing the Data

    The signal from the smart plug's remote control was captured using the Rx/Tx mode. The data was displayed in binary and hexadecimal formats.


    6 Fixed Codes Detected: The PandwaRF app successfully identified 6 fixed codes matching the signal's pattern. These codes are used in fixed-code systems, making them vulnerable to replay attacks.

    Pandwarf replay code.png Pandwarf known codes.png
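The repeated-code check the app performs can be reproduced offline on an exported binary stream. The following is an added example written for this page (not the PandwaRF app's code) that splits a constructed capture into frames at idle gaps, renders each frame in the hex stream format and reports whether consecutive presses repeat one code word; the gap length and both sample bit strings are assumptions, not real recordings.

```python
import re
from collections import Counter

# Constructed binary captures in the form the Rx/Tx tab displays (not real
# recordings): three button presses each, separated by idle gaps of zeros.
GAP = "0" * 12
FIXED_CAPTURE = GAP + GAP.join(["101010110011001111000101"] * 3) + GAP
ROLLING_CAPTURE = GAP + GAP.join(["101010110011001111000101",
                                  "101010110011001111000110",
                                  "101010110011001111001001"]) + GAP

def split_frames(bits, min_gap=8):
    """Cut the stream into frames at runs of at least min_gap idle zeros.
    min_gap is an assumption: it must exceed the longest zero run inside a symbol."""
    return [f for f in re.split(r"0{%d,}" % min_gap, bits) if f]

def to_hex(frame):
    """Render one frame in the hex stream format, MSB first, zero-padded to bytes."""
    frame += "0" * (-len(frame) % 8)
    return "".join(f"{int(frame[i:i + 8], 2):02X}" for i in range(0, len(frame), 8))

def assess(bits):
    """Compare the code words of consecutive presses: an identical repeated word means
    the device uses a fixed code, so a replay of any one capture will be accepted."""
    codes = Counter(to_hex(f) for f in split_frames(bits))
    presses = sum(codes.values())
    return {
        "presses": presses,
        "distinct_codes": len(codes),
        "fixed_code": presses > 1 and len(codes) == 1,
        "codes": dict(codes),
    }
```

Running assess() over several presses of your own device is a quick self-test: a result with one distinct code across all presses is the fixed-code case described above, while a rolling-code transmitter yields a different word for every press.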

    Step 3: Replay the Signal

    The captured fixed code was replayed using the Tx mode in the PandwaRF app. The smart plug responded to the replayed signal, successfully switching on and off.

    Outcome: The smart plug was turned on and off using the replayed signal.

    Step 4: Evaluation of Vulnerability

    The replay attack highlights the weaknesses in systems using fixed codes:

  • Static Signals: Easily captured and replayed.
  • No Rolling Codes: Lacks dynamic security, making devices susceptible to unauthorized access.
  • Solution: Implementing Rolling Codes or encryption would prevent such replay attacks.

    Conclusion

    The PandwaRF Rogue Pro successfully demonstrated two types of attacks:

  • Rolling Code Attack: Breaking a dynamic security system (garage door opener).
  • Simple Replay Attack: Exploiting fixed codes on a smart plug, with functionality to detect and analyze 6 known codes.

    These experiments emphasize the need for stronger security measures in RF-based systems, such as rolling codes, AES encryption, or frequency hopping techniques.

    Hardware

    PandwaRF Rogue Pro

    References