Woefully Insecure: Remote Control 433Mhz Power Sockets

Gough Lui
10 Apr 2016

It's been a while since I've had the time to post anything around here. Luckily, I had recently just submitted my PhD thesis so that gives me a chance to take a short break and do some of the stuff that I like.

 

Recently, I came across a bunch of cheap remote controlled 433MHz power sockets which I decided to pick up, tear down and reverse engineer on my blog site. Because of the recent discussions regarding remote control that I've been a part of on this forum, I thought it would be rather interesting to some of the people here as well. What I found was most intriguing - a fixed code system with no checksum/CRC, a 3-bit address space and 1-bit switch command for 4 variable bits in a 25-bit message, and hard-coded broadcast-to-all switches including fresh un-learned switches out of the box.

 

I think it's probably worth a read as I go through the whole process from start to finish, and now I have an Ethernet bridge to the 433MHz system built out of my efforts. It doesn't improve security, but it does improve usability. However, it's a key point that even if a system has a "learning" button and doesn't seem to respond to "other" codes, it's not necessarily secure by design. It may just give the impression of security.
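
The receiver behaviour described in the post, modelled as an added example (not code from the post or the author's blog), with a simplified counter-plus-MAC receiver for contrast. Only the field sizes (25-bit message, 3-bit address, 1-bit command) come from the post; the bit positions, `FIXED_PREFIX`, the `BROADCAST` value and all names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed layout: 21 fixed bits | 3-bit address | 1-bit on/off = 25 bits.
FIXED_PREFIX = 0x15A5A5   # constructed 21-bit placeholder, not a real code
BROADCAST = 0b111         # assumed encoding of the hard-coded "all" address

def encode(address, on):
    return (FIXED_PREFIX << 4) | ((address & 0b111) << 1) | int(on)

class FixedCodeSocket:
    """Model of the described receiver: it learns an address, nothing else."""
    def __init__(self):
        self.learned, self.on = None, False   # fresh out of the box
    def learn(self, frame):
        self.learned = (frame >> 1) & 0b111
    def receive(self, frame):
        address = (frame >> 1) & 0b111
        if frame >> 4 != FIXED_PREFIX or address not in (self.learned, BROADCAST):
            return False
        self.on = bool(frame & 1)
        return True

def make_tag(key, counter, on):
    # Truncated HMAC over counter and command (simplified, not a product scheme).
    msg = counter.to_bytes(4, "big") + bytes([int(on)])
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class CounterMacSocket:
    """Contrast: each frame carries a counter and a keyed tag."""
    def __init__(self, key):
        self.key, self.last, self.on = key, -1, False
    def receive(self, counter, on, tag):
        fresh = counter > self.last           # a repeated frame is stale
        valid = hmac.compare_digest(tag, make_tag(self.key, counter, on))
        if not (fresh and valid):
            return False
        self.last, self.on = counter, on
        return True

def fixed_code_demo():
    sock = FixedCodeSocket()
    unlearned = sock.receive(encode(BROADCAST, True))   # switches before pairing
    sock.learn(encode(0b010, True))
    ignored = not sock.receive(encode(0b011, False))    # the "secure" impression
    frame = encode(0b010, False)
    repeated = sock.receive(frame) and sock.receive(frame)  # same frame stays valid
    distinct = len({encode(a, c) for a in range(8) for c in (0, 1)})
    return unlearned, ignored, repeated, distinct
```

`fixed_code_demo()` returns `(True, True, True, 16)`: the learned socket ignores a neighbouring address yet the whole scheme has only 16 distinct frames, each valid indefinitely. Passing `CounterMacSocket.receive` the same counter and tag twice returns `True` and then `False`.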


Top Comments

  • Gough Lui
    Gough Lui over 9 years ago in reply to clem57 +2
    Thanks for the comment clem57. When I looked at the wholesale listings on made-in-china.com, they claimed that they do export market to USA, which I suppose means that they do have US-standard plug versions…
  • shabaz
    shabaz over 9 years ago +2
    Hi Gough! Great post and relevant information. To be honest most consumer remote power strips are insecure here too. Although the ones I have seen have been built to a higher quality and using more reliable…
  • Gough Lui
    Gough Lui over 9 years ago in reply to shabaz +2
    Agreed on your views there shabaz, although I'd have to say that given the cost of rolling code "replacement" remotes for garage doors from China not being much, the cost of using a rolling code chip…
  • mcb1
    mcb1 over 9 years ago in reply to shabaz

    I did some work on these during my Forget me Not.

    Forget Me Not :  eLDERmon  Hardware Hacking #3

     

    The code is 24 bit and they utilise bit 21 as ALL ON or ALL OFF.

     

     

    You are right about the lack of security, but even if you explained that to someone, would they actually consider it?

    Many people can't even be bothered changing the password on their router, despite the warnings, hints and notes that tell them to.

     

    Mark

  • mcb1
    mcb1 over 9 years ago in reply to Gough Lui

    Do they make these in US standard plugs?

    The 433 Mhz are available in US plug.

     

    I did a bit about it in my "Forget-me-not" design challenge.

    Forget Me Not :  eLDERmon  Hardware Hacking #3

     

    The link I provided seems to be detecting the source IP and pushing me to the Aus site.

     

    Mark

  • DAB
    DAB over 9 years ago

    Good luck on your thesis.

     

    I have seen some very brutal reviews when the group decides it does not like what you did.

     

    As for the commercial links, few of the manufacturers even considered security, so I am not surprised that your devices are easy to hack.

     

    Next step is to find a way to secure them without introducing a lot of cost.

     

    DAB

  • shabaz
    shabaz over 9 years ago in reply to Gough Lui

    I wrote some notes on the one that I used here:

    Energenie Experiments – Remote Power Control for the Home

    Basically about 1M combinations, so perhaps at max a week worth of continuous effort at a guess. It uses an off-the-shelf chip (Holtek I think, they usually offer such low-cost chips).

  • Gough Lui
    Gough Lui over 9 years ago in reply to shabaz

    Just out of interest - do you know how many bits of the message for yours are "unique" material? If the search space isn't too big, I've known for some people to emulate the protocol and avoid the retransmissions to speed up brute-force attempts - so if it's only a few "variable" unique bits, it still might not be "enough" if you know what I mean. I've seen some older systems with DIP-switch set fixed codes from 4 to 16 bits long depending on the device - at the low end, it's trivial, at the upper end, it's not too bad for security.

     

    - Gough
