Blackhat 2014 Review - Breaking the Security of Physical Devices

At Blackhat 2014 Dr. Silvio Cesare did an excellent job talking about the security of physical devices. His talk focused on deployed systems that rely on radio frequency to function. This includes business, home, and car alarm systems, security gates, and any radio frequency controlled device. He started by describing how these devices can easily be compromised with inexpensive equipment. He used a spectrum RF analyzer to monitor the frequencies used by alarm systems. He then replayed the captured traffic through a universal software radio peripheral (USRP) to deliver the proper frequency and sequence to disarm an armed alarm system. Of course he also used antennas to capture and replay the signals over a broad or focused range.

Using the above equipment he showed a video of his experiment to compromise the alarm system on his own vehicle. He had one video camera focused on his car and another on his lab. After he set the analyzer to monitor for frequency traffic, he walked out to his vehicle and used the key fob to lock his car. He then walked back into the lab. After some analysis he replayed the traffic and was able to unlock his vehicle based on the frequency and sequence playback. This was a very interesting demonstration, and one can see the potential of this vulnerability.

He also showed a process of modifying the hardware on an off-the-shelf alarm system purchased at his local hardware store. He went through a very rigorous procedure to interface with the micro-controller. He used a PICkit and some citric acid to gain access to the controller. He then soldered on header pins and started his attacks on the PIC device. This gave him the access needed to implant his own code and retrieve data wirelessly.

There are several ways to mitigate the risk of the above types of compromise. Here are a few of the points he made regarding defending against these attacks.

1. Don’t buy an off-the-shelf solution from your local hardware store. Someone may have purchased, modified and returned the item to be restocked and sold, so that the attacker could compromise the system in the future. Do you want to be the buyer of that compromised system?

2. Buy a commercial alarm system. Make sure the system uses rolling codes, which will limit your exposure to analyzers.

3. Custom non-dealership alarm systems for your vehicle can give you rolling-code options. Check with your dealership, as some of the newer vehicles come with rolling-code alarms.

4. Log everything. Always log your wireless router and monitor those logs on a regular basis to find unusual behavior. See if your provider will log your alarm system to determine unusual patterns, such as people testing or turning your alarm off and on outside of your normal activity.
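As an added illustration (not part of the talk or of this post) of why rolling codes blunt the capture-and-replay described above: a simplified model in which each fob press carries a counter and an authentication tag, so a frame recorded with an analyzer and played back later is refused, while a fixed-code receiver accepts it every time. The key, device id and acceptance window are assumed values for the demo, not any vendor's protocol.

```python
import hmac
import hashlib
# Simplified rolling-code model for illustration only (not any vendor's protocol).
# Each fob press sends (device_id, counter, tag). The receiver accepts a given
# counter once, so a frame captured with an analyzer and replayed later fails.
WINDOW = 16  # presses the receiver tolerates missing (fob pressed out of range)


def make_tag(key: bytes, device_id: str, counter: int) -> bytes:
    """Tag binding the counter to the device and the shared key."""
    msg = device_id.encode() + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter: shared key plus a counter that only moves forward."""
    def __init__(self, key: bytes, device_id: str):
        self.key, self.device_id, self.counter = key, device_id, 0

    def press(self) -> tuple:
        self.counter += 1
        return (self.device_id, self.counter,
                make_tag(self.key, self.device_id, self.counter))


class RollingCodeReceiver:
    """Receiver: checks the tag and refuses counters already used."""
    def __init__(self, key: bytes):
        self.key, self.last_seen = key, {}

    def accept(self, frame: tuple) -> bool:
        device_id, counter, tag = frame
        if not hmac.compare_digest(tag, make_tag(self.key, device_id, counter)):
            return False  # forged or corrupted frame
        last = self.last_seen.get(device_id, 0)
        if not last < counter <= last + WINDOW:
            return False  # replayed (old) counter, or too far ahead
        self.last_seen[device_id] = counter
        return True


def fixed_code_accept(stored: tuple, frame: tuple) -> bool:
    """What the replay in the talk defeats: the same code is valid every time."""
    return frame == stored


def replay_demo() -> tuple:
    """(legit press accepted, replay vs rolling code, replay vs fixed code)."""
    key = b"constructed-demo-key"  # constructed shared secret for the demo
    fob, receiver = Fob(key, "fob-01"), RollingCodeReceiver(key)
    captured = fob.press()                 # frame sniffed off the air
    first = receiver.accept(captured)      # legitimate press: accepted
    replayed = receiver.accept(captured)   # same frame played back: rejected
    return first, replayed, fixed_code_accept(captured, captured)
```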