Author: Gough Lui
Date Created: 10 Apr 2016 3:04 AM
1914 views, 4 likes, 15 comments
Tags: 433.92mhz, remote control, wireless, power switch, 433, remote
Woefully Insecure: Remote Control 433Mhz Power Sockets

It's been a while since I've had the time to post anything around here. Luckily, I have just submitted my PhD thesis, which gives me a chance to take a short break and do some of the things I like.

Recently, I came across a bunch of cheap remote-controlled 433 MHz power sockets, which I picked up, tore down and reverse engineered on my blog site. Because of the recent discussions about remote control that I've been a part of on this forum, I thought it would be of interest to some of the people here as well. What I found was intriguing: a fixed-code system with no checksum or CRC; only 4 variable bits in a 25-bit message (a 3-bit address and a 1-bit switch command); and a hard-coded broadcast-to-all command that every socket obeys, including fresh, un-learned units straight out of the box.

I think it's worth a read, as I go through the whole process from start to finish, and out of that effort I now have an Ethernet bridge to the 433 MHz system. It doesn't improve security, but it does improve usability. The key point, however, is that even if a system has a "learning" button and doesn't seem to respond to "other" codes, it is not necessarily secure by design. It may just give the impression of security.
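As an added illustration (not code from the original post, nor anything recovered from the sockets), here is a toy model of the message layout described above: a 25-bit fixed-code frame whose only variable content is a 3-bit address and a 1-bit on/off command, a hard-coded broadcast address, no checksum, and a receiver that answers to the whole 16-frame space; a minimal rolling-code receiver sits alongside it to make the replay difference concrete. The bit positions, the 21-bit constant pattern, the broadcast address value and the counter window are all assumptions.

```python
# Toy model of the fixed-code socket frame described in the post. Bit positions,
# the 21-bit constant pattern and the broadcast address are assumptions.
FIXED_BITS = 0b100110101011001110010   # 21 constant bits (constructed value)
BROADCAST_ADDR = 0b111                  # assumed: the address every socket obeys

def encode_fixed(addr, on):
    """Build the 25-bit frame: 21 fixed bits, 3 address bits, 1 command bit.
    The same (addr, on) always gives the same bits, so any capture replays."""
    if not 0 <= addr <= 7:
        raise ValueError("address must fit in 3 bits")
    return (FIXED_BITS << 4) | (addr << 1) | (1 if on else 0)

def decode_fixed(frame):
    """Return (addr, on) if the constant part matches, else None.
    There is no checksum or CRC in the frame, so this is the whole check."""
    if frame >> 4 != FIXED_BITS:
        return None
    return (frame >> 1) & 0b111, bool(frame & 1)

def socket_accepts(frame, my_addr):
    """Receiver behaviour as the post describes: obey its own address or the
    broadcast address, ignore the rest. Returns the switch state or None."""
    decoded = decode_fixed(frame)
    if decoded is None:
        return None
    addr, on = decoded
    return on if addr in (my_addr, BROADCAST_ADDR) else None

def distinct_frames():
    """The whole space of valid frames: 2**4 == 16, because only 4 of the
    25 bits ever vary. A 'learning' button cannot enlarge this."""
    return {encode_fixed(a, s) for a in range(8) for s in (False, True)}

class RollingReceiver:
    """Contrast: a rolling-code receiver accepts only a counter ahead of the
    last one seen, within a small window, so a replayed frame is rejected.
    Real schemes also encrypt the counter under a per-device key."""
    def __init__(self, window=16):
        self.last_counter = -1
        self.window = window

    def accept(self, counter, on):
        """Return the switch state if the counter is fresh, else None."""
        if self.last_counter < counter <= self.last_counter + self.window:
            self.last_counter = counter
            return on
        return None
```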

Comments
  • shabaz over 9 years ago in reply to Gough Lui

    Agree, yours don't need an SDR since there is no learning, so anyone who knew they owned the same ones as yours could figure out the encoding scheme, so yours are less secure.

    Mine would need for someone to have either physical access to my hardware, or (say) an SDR (since mine do have a unique number, but no rolling code), so slightly more secure but not much!

  • Gough Lui over 9 years ago in reply to shabaz

    Agreed on your views there shabaz, although I'd have to say that given the cost of rolling code "replacement" remotes for garage doors from China not being much, the cost of using a rolling code chip on both ends is probably trivial. It's not going to be as simple as a non-receiver-module based plug, but it's still not much more expensive, especially compared to two-way remotes which are much more sophisticated.

    I think the issue is not only to do with what is "lost" in case that someone breaks the system - it's more so the user experience and usability. With a more complex chipset comes better reliability - through either having more independent group controls, better verification of sent codes, more robust error correction for greater range or perhaps, less possibility of interference from a neighbour especially if you happen to accidentally discover they have the same system too and neither of you is willing to sacrifice it, meaning that neither can use it reliably without a virtual RF war.

    Energy bills aside, as energy is pretty cheap, I've seen some sites actually sell this unit claiming it's good for remote switching of woodwork equipment. Ultimately, if consumers were informed and took the risk themselves, that would be fine, but consumers are none the wiser and throwing these things in even though they might be making their standby power bills worse and costing them money to buy it in the first place, which is somewhat unforgivable.

    The cost of reverse engineering has indeed gone down - my use of RTL-SDR was not the only (cheap) option - all OOK/ASK devices are trivial bypasses by looking at the output of a <$3 ASK/OOK receiver. If I was really trying to minimise my outlay, I would probably go and take the D-pin from the transmit module on the SMARTBox and voltage divide it into my soundcard to record the code. Once the timing is known, a <$3 ASK/OOK transmitter and an Arduino (as I have done) is all I'd need ... a similar approach to how I used to emulate IR signals using Arduino.

    It's scary when the "primitive" radio technology used doesn't really need a radio to analyze it if you're willing enough ... and with the hard-coded all-unit broadcast, it could really become a nuisance. Of course, I'm still running the sockets, and I think the risk is low enough for my lighting uses, but I'm mindful that anything could happen at any time.

    I suppose if it inspires others to check on theirs and maybe repurpose their switches and unshackle them from the limited push-button remote to open up scripting/schedule possibilities, that would be nice, and is part of the reason I did mine. What better way to share control of common area house lighting with the family than by making it network-controllable.

    - Gough

  • shabaz over 9 years ago

    Hi Gough!

    Great post and relevant information. To be honest most consumer remote power strips are insecure here too.

    Although the ones I have seen have been built to a higher quality and using more reliable modulation schemes and at least did have a functioning learning capability. But insecure nevertheless, nothing that someone with a $10 SDR dongle and laptop couldn't grab and replay again and again.

    It isn't great, but the thinking goes along the lines of:

    (a) Question: what is the value of the impact to the "thing" that is to be secured?
        --> Answer: probably a few pennies/cents if the "thing" is remote controlled home lighting where malicious switching-on will result in a slightly higher power bill

    (b) Question: what is a reasonable amount to do in order to provide reasonable protection from the risk of that impact (the impact being a few pennies in this case)?
        --> Answer to date from most manufacturers: not publish the bitstream

    It all breaks down of course if our answer to (a) is slightly different, such as if we use such remote control power sockets to operate (say) electric security gates or kettles that could run dry etc or if the particular lighting is visible from outside and causes a security issue for users.

    Not disagreeing that manufacturers could do more (or at least publish guidelines on what the recommended use-cases for their products are based on a security perspective, because the average non-technical user may mistakenly presume such products are secure for all practical purposes which as you've shown clearly they are not).

    Sad to say, but possibly the sort of thing that might need legislation so that such products meet a minimum published security standard (there will still be products that flout it of course) or declared in plain language on the packet, but today there is no legal requirement in the UK with respect to wireless security for home remote control products as far as I am aware (I could be totally wrong - not my main knowledge area!!).

    Of relevance to (b), the ability to do reverse-engineering and replay attacks at low cost has changed dramatically in the past few years because of the availability of cheap SDR (not blaming SDR! just stating that some will misuse it).

  • Gough Lui over 9 years ago in reply to clem57

    Thanks for the comment clem57.

    When I looked at the wholesale listings on made-in-china.com, they claimed that they do export market to USA, which I suppose means that they do have US-standard plug versions as well. They no longer list any IR+RF units on their profiles, so I suspect this unit is now considered obsoleted, but the PCB marking code of SK-5808 still has ties with the RF remote versions. Local sellers here in AU won't ever stock these, but there might be a chance some of them could be found on Aliexpress or the like.

    C-Union also does an RF-only version which has 3 control channels + all channels + a bank switch to expand to 6 channels, and I'm not sure how that works, but I have a sneaking suspicion those might also be quite similar (although I'm not willing to bet on it) based on the fact it has 6 channels and based on identical model codes. It does, however, claim to have greater than 1-million codes ... I wonder if that's truly rolling-code or whether that's just an outright lie. Maybe it's a tall tale based on a 25 bit message = 2^25 possibilities = 33 million.

    Disclosure: I have no links with the companies, and I have no interests in promoting their products. In fact, I do not endorse their products for obvious reasons.

    - Gough

  • clem57 over 9 years ago

    Long read, but a great learning about hacking that you went through. Do they make these in US standard plugs?

    Clem
