element14 Community
Gough Lui's Blog Woefully Insecure: Remote Control 433Mhz Power Sockets
Author: Gough Lui
Date Created: 10 Apr 2016 3:04 AM
1402 views, 4 likes, 15 comments
Tags: 433.92mhz, remote control, wireless, power switch, 433, remote
Woefully Insecure: Remote Control 433Mhz Power Sockets

Gough Lui
10 Apr 2016

It's been a while since I've had the time to post anything around here. Luckily, I recently submitted my PhD thesis, so that gives me a chance to take a short break and do some of the stuff that I like.

Recently, I came across a bunch of cheap remote controlled 433 MHz power sockets, which I decided to pick up, tear down and reverse engineer on my blog site. Because of the recent discussions about remote control that I've been a part of on this forum, I thought it would be rather interesting to some of the people here as well. What I found was most intriguing: a fixed-code system with no checksum/CRC, a 3-bit address space and a 1-bit switch command (4 variable bits in a 25-bit message), and a hard-coded broadcast-to-all address that every switch honours, including fresh, un-learned switches out of the box.

I think it's probably worth a read as I go through the whole process from start to finish, and I now have an Ethernet bridge to the 433 MHz system built out of my efforts. It doesn't improve security, but it does improve usability. The key point, however, is that even if a system has a "learning" button and doesn't seem to respond to "other" codes, it is not necessarily secure by design. It may just give the impression of security.

  • shabaz
    shabaz over 9 years ago

    Hi Gough!


    Great post and relevant information. To be honest most consumer remote power strips are insecure here too.

    Although the ones I have seen have been built to a higher quality and using more reliable modulation schemes and at least did have a functioning learning capability. But insecure nevertheless, nothing that someone with a $10 SDR dongle and laptop couldn't grab and replay again and again.


    It isn't great, but the thinking goes along the lines of:

    (a) Question: what is the value of the impact to the "thing" that is to be secured?

          --> Answer: probably a few pennies/cents if the "thing" is remote controlled home lighting where malicious switching-on will result in a slightly higher power bill

    (b) Question: what is a reasonable amount to do in order to provide reasonable protection from the risk of that impact (the impact being a few pennies in this case)

          --> Answer to date from most manufacturers: not publish the bitstream


    It all breaks down of course if our answer to (a) is slightly different, such as if we use such remote control power sockets to operate (say) electric security gates or kettles that could run dry etc or if the particular lighting is visible from outside and causes a security issue for users.

    Not disagreeing that manufacturers could do more (or at least publish guidelines on what the recommended use-cases for their products are based on a security perspective, because the average non-technical user may mistakenly presume such products are secure for all practical purposes which as you've shown clearly they are not).


    Sad to say, but possibly the sort of thing that might need legislation so that such products meet a minimum published security standard (there will still be products that flout it of course) or declared in plain language on the packet, but today there is no legal requirement in the UK with respect to wireless security for home remote control products as far as I am aware (I could be totally wrong - not my main knowledge area!!).

    Of relevance to (b), the ability to do reverse-engineering and replay attacks at low cost has changed dramatically in the past few years because of the availability of cheap SDR (not blaming SDR! just stating that some will misuse it).

  • Gough Lui
    Gough Lui over 9 years ago in reply to shabaz

    Agreed on your views there shabaz, although I'd have to say that given the cost of rolling code "replacement" remotes for garage doors from China not being much, the cost of using a rolling code chip on both ends is probably trivial. It's not going to be as simple as a non-receiver-module based plug, but it's still not much more expensive, especially compared to two-way remotes which are much more sophisticated.


    I think the issue is not only to do with what is "lost" in case that someone breaks the system - it's more so the user experience and usability. With a more complex chipset comes a better reliability - through either having more independent group controls, better verification of sent codes, more robust error correction for greater range or perhaps, less possibility of interference from a neighbour especially if you happen to accidentally discover they have the same system too and neither of you are willing to sacrifice it, meaning that neither can use it reliably without a virtual RF war.


    Energy bills aside, as energy is pretty cheap, I've seen some sites actually sell this unit claiming it's good for remote switching of woodwork equipment. Ultimately, if consumers were informed and took the risk themselves, that would be fine, but consumers are none the wiser and throwing these things in even though they might be making their standby power bills worse and costing them money to buy it in the first place which is somewhat unforgivable.


    The cost of reverse engineering has indeed gone down - my use of RTL-SDR was not the only (cheap) option - all OOK/ASK devices are trivial bypasses by looking at the output of a <$3 ASK/OOK receiver. If I was really trying to minimise my outlay, I would probably go and take the D-pin from the transmit module on the SMARTBox and voltage divide it into my soundcard to record the code. Once the timing is known, a <$3 ASK/OOK transmitter and an Arduino (as I have done) is all I'd need ... a similar approach to how I used to emulate IR signals using Arduino.


    It's scary when the "primitive" radio technology used doesn't really need a radio to analyze it if you're willing enough ... and with the hard-coded all-unit broadcast, it could really become a nuisance. Of course, I'm still running the sockets, and I think the risk is low enough for my lighting uses, but I'm mindful that anything could happen at any time.


    I suppose if it inspires others to check on theirs and maybe repurpose their switches and unshackle them from the limited push-button remote to open up scripting/schedule possibilities, that would be nice, and is part of the reason I did mine. What better way to share control of common area house lighting with the family than by making it network-controllable.


    - Gough

  • shabaz
    shabaz over 9 years ago in reply to Gough Lui

    Agree, yours don't need an SDR since there is no learning, so anyone who knew they owned the same ones as yours could figure out the encoding scheme, so yours are less secure.

    Mine would need for someone to have either physical access to my hardware, or (say) an SDR (since mine do have a unique number, but no rolling code), so slightly more secure but not much!

  • Gough Lui
    Gough Lui over 9 years ago in reply to shabaz

    Just out of interest - do you know how many bits of the message for yours are "unique" material? If the search space isn't too big, I've known some people to emulate the protocol and avoid the retransmissions to speed up brute-force attempts - so if it's only a few "variable" unique bits, it still might not be "enough" if you know what I mean. I've seen some older systems with DIP-switch set fixed codes from 4 to 16 bits long depending on the device - at the low end, it's trivial, at the upper end, it's not too bad for security.


    - Gough

  • shabaz
    shabaz over 9 years ago in reply to Gough Lui

    I wrote some notes on the one that I used here:

    Energenie Experiments – Remote Power Control for the Home

    Basically about 1M combinations, so perhaps at max a week worth of continuous effort at a guess. It uses an off-the-shelf chip (Holtek I think, they usually offer such low-cost chips).

  • mcb1
    mcb1 over 9 years ago in reply to shabaz

    I did some work on these during my Forget me Not.

    Forget Me Not: eLDERmon Hardware Hacking #3


    The code is 24 bit and they utilise bit 21 as ALL ON or ALL OFF.


    You are right about the lack of security, but even if you explained that to someone, would they actually consider it.

    Many people can't even be bothered changing the password on their router, despite the warnings, hints and notes that tell them to.


    Mark

  • clem57
    clem57 over 9 years ago in reply to mcb1

    Like me for internal test routers.

  • Gough Lui
    Gough Lui over 9 years ago in reply to mcb1

    Aha! It looks like you looked at the RF-only version of the Watts Clever. Very nice to see their internal design shares some similarities, but it seems like they really do use some ICs of some sort and the coding scheme is different - mine utilizes a 25-bit message with four variable bits: one of the bits indicating on/off and three bits of binary address, where address 6 (0b110) is the "all plugs" address. Yours seems to have a 24-bit message with 6 variable bits, where bit 21 indicates on/off, bits 22 and 23 are a two-bit "base" address with bits 19 and 20 being a "bank" address (or MSBs), and bit 24 indicates light/socket. Again, not too complex and the space of possibilities not too big.


    This makes me wonder where WattsClever and their parent companies got the 1M+ codes "claim" from. 6 variable bits with a defined structure where only 4 of the bits carry variable address data doesn't give me 1M codes ... (chuckle).


    I was actually looking at Forget Me Not: eLDERmon Outlets, where you had the codes in a spreadsheet. Thanks for your work Mark! Enjoyed reading yours.

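The following Python model is an added example, not code from the blog post or from any commenter. It covers the frame layout described in the post (25 bits, only 4 of them variable, address 6 as the hard-coded broadcast) and the point made in the comment above that the number of variable bits, not the message length, sets the size of the command space. The 21-bit fixed code is a constructed placeholder and the packing order of the four variable bits is an assumption, since neither appears on the page.

```python
from typing import Dict, Optional, Tuple

FRAME_BITS = 25                        # page: a 25-bit message
FIXED_BITS = 21                        # page: only 4 of the 25 bits vary
VARIABLE_BITS = FRAME_BITS - FIXED_BITS
FIXED_CODE = 0b101100111010010110011   # constructed placeholder, not the real fixed code
ALL_PLUGS_ADDRESS = 0b110              # page: address 6 is the "all plugs" address

def encode(address: int, on: bool) -> int:
    """Build a frame: fixed code, then 3 address bits, then 1 on/off bit (assumed order)."""
    if not 0 <= address < 8:
        raise ValueError("address must fit in 3 bits")
    return (FIXED_CODE << VARIABLE_BITS) | (address << 1) | int(on)

def decode(frame: int) -> Tuple[int, bool]:
    """Split a frame into (address, on). A fixed-code mismatch is the only check a
    receiver like this performs: there is no checksum or CRC that could fail."""
    if frame >> VARIABLE_BITS != FIXED_CODE:
        raise ValueError("fixed code mismatch")
    return (frame >> 1) & 0b111, bool(frame & 1)

def socket_accepts(frame: int, my_address: int) -> Optional[bool]:
    """Emulate one receiver: the state it adopts, or None if it ignores the frame.
    The broadcast address is honoured unconditionally, which is why a fresh,
    un-learned socket still reacts to it straight out of the box."""
    try:
        address, on = decode(frame)
    except ValueError:
        return None
    if address in (my_address, ALL_PLUGS_ADDRESS):
        return on
    return None

def apply_frame(frame: int, states: Dict[int, bool]) -> Dict[int, bool]:
    """Apply one received frame to a household of sockets keyed by address;
    sockets that neither match nor are broadcast-addressed keep their state."""
    new_states = dict(states)
    for address in states:
        result = socket_accepts(frame, address)
        if result is not None:
            new_states[address] = result
    return new_states

def distinct_commands(variable_bits: int) -> int:
    """Every command the protocol can express, i.e. the whole space anyone owning
    the same product has to cover: 16 for 4 variable bits, 64 for 6."""
    return 2 ** variable_bits

if __name__ == "__main__":
    house = {0: False, 1: False, 5: True}          # constructed sample household
    print(apply_frame(encode(6, True), house))     # broadcast on: every socket on
    print(distinct_commands(VARIABLE_BITS), "commands versus the 1M+ codes claimed")
```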
  • mcb1
    mcb1 over 9 years ago in reply to Gough Lui

    The pictures do show quite a bit of difference.

    I was hoping to pick up some next week when I jump across the ditch.

    The RF ones are still on their website ...


    I imagine that they could change the 'fixed' part of the address for different markets.

    24 bits give 16,777,215 so even if you take a couple out, you're left with 4,194,303 ... IF you can alter the fixed parts.


    The light v lamp had no real effect, it seems that some units had the second output wired to a light, but as long as you 'learnt' the code it worked.


    Your comment ....

    There appears to be a spot for an additional surface mounted push button, its use is not immediately obvious

    If I recall the light and socket version has two pushbuttons ... unfortunately they are packed/piled/shifted while the painter is here.


    Great blog and code breakdown.

    I was asked to come up with a "Home Minder" and I used these which worked fine.


    The one thing about them is they provide a safe way to switch mains using a micro, rather than some of the other awful and Dangerous stuff we've seen.


    Mark

  • Gough Lui
    Gough Lui over 9 years ago in reply to mcb1

    Ahh! Yes, I did hear of a version with an integrated nightlight from the manual, so that must be what it is for. It's starting to make sense now.


    Of course, you can have more if you alter the fixed parts, all it takes is an alteration to the program in the microcontroller, which I suspect, is using the fixed parts as a sort of "preamble" to spot the transmission in the noise and can probably have that tailored to virtually anything not all zeroes or ones (for synchronization reasons). It would probably make most sense for different markets since they want to advertise "expandability", and changing the fixed parts will probably break compatibility somewhere along the chain. However, then again, when we're talking about other markets, they're a long (geographic) way away, so it's not likely that you will get interference, but it will just make hobbyists' jobs harder in having another variant to code for.


    Agreed, it's a safer way ... and very inexpensive when you get lucky like I did on a clearance.


    - Gough

An Avnet Company © 2025 Premier Farnell Limited. All Rights Reserved.

Premier Farnell Ltd, registered in England and Wales (no 00876412), registered office: Farnell House, Forge Lane, Leeds LS12 2NE.