ZeroNights 2017 Conference, Hardware Challenge
By Nikita Kurtin and Roman Zaikin.
On November 16th, 2017, we participated in one of the hardware challenges at the ZeroNights conference. The challenge was created by Gleb Cherbov.
This challenge immediately captured our attention: a remotely controlled miniature model of a railway barrier. The goal of the challenge was to hack the controlling system and open the barrier remotely.
So, What Do We See Here?
There is a barrier, an LCD, a button and two Arduinos. One is connected to the button and the RF transmitter, and the second is connected to the RF receiver and the barrier.
Pressing the button makes the first Arduino send an RF signal to the second Arduino, which opens the barrier.
The Arduino modules that handle the RF signal look like this:
Figure 1 RF 433MHz transmitter
Figure 2 RF 433MHz receiver
So basically, pressing the button triggers the RF transmitter to send a secret message to the RF receiver, which parses it. If the message is correct, the barrier opens.
The mission here is to find a way to build our own remote that can send a valid secret message to the Arduino receiver module and open the barrier for us.
Our Attack Strategy
We have split our attack strategy into three parts.
First, we had to build an RF receiver module to capture the secret message so we could investigate it.
In order to achieve this, we took the following parts:
- Arduino Uno.
- Dupont cables.
- RF receiver & RF transmitter module.
Note: All the needed equipment was generously supplied to the participants on request.
We searched the internet for more information about RF Arduino modules, in order to understand how to work with them and build our prototype:
After a short amount of time we were able to capture some secret messages:
We noticed that these secret messages are made of two parts:
- A counter, which is the first 4 bytes. Consecutive captures gave:
- 0x7d6 = 2006
- 0x7d7 = 2007
- 0x7d8 = 2008
- A message, which is the next 8 bytes: a rolling code meant to prevent replay attacks, derived from the counter and a secret key with some algorithm.
Second, we needed to find a way to get the secret key. We thought it might be possible to recover the message if we took the known part (the counter) and brute-forced the unknown part (the key) with some Python code:
Bingo! We got the secret message in no time!
[+] The password is: 1339 in 0.640000104904s
Note that the message part D0 87 FF 2E 43 E6 95 65 is the first 8 bytes of the MD5 hash of the counter concatenated with the secret key. So the full frame is:
counter(4 bytes) + (first 8 bytes of: MD5(counter + secret key))
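To make the frame format concrete, here is an added example (our own reconstruction, not the authors' challenge code or their brute-force script) that builds and verifies a frame exactly as described above, quantifies why a 4-digit numeric key falls in under a second (each candidate costs the attacker one MD5, the same work the receiver does), and shows the alternative a barrier designer would want: an HMAC-SHA256 tag under a random 128-bit key plus a strictly increasing counter with a small acceptance window, which both defeats brute force and rejects replays. The byte encodings (counter as a 4-byte big-endian integer, key as its ASCII digits) are assumptions, since the write-up does not state them, so this code does not claim to reproduce the captured tag D0 87 FF 2E 43 E6 95 65.

```python
import hashlib
import hmac
import os
import struct

# --- The scheme observed in the challenge (assumed encodings) ---------------
# frame = counter (4 bytes, big-endian, assumption)
#       + first 8 bytes of MD5(counter_bytes + key_bytes)
# key_bytes is assumed to be the ASCII digits of the 4-digit key.

def weak_frame(counter: int, key: bytes) -> bytes:
    ctr = struct.pack(">I", counter)
    tag = hashlib.md5(ctr + key).digest()[:8]
    return ctr + tag

def weak_verify(frame: bytes, key: bytes) -> bool:
    if len(frame) != 12:
        return False
    ctr, tag = frame[:4], frame[4:]
    expected = hashlib.md5(ctr + key).digest()[:8]
    return hmac.compare_digest(expected, tag)

def weak_keyspace(digits: int = 4) -> int:
    # One MD5 per candidate; 10^4 candidates is sub-second on any laptop.
    return 10 ** digits

# --- What a defender should deploy instead ----------------------------------
# frame = counter (4 bytes) + first 16 bytes of HMAC-SHA256(key, counter)
# key is 16 random bytes, so guessing is infeasible, and the receiver only
# accepts counters that move forward within a bounded window (no replays).

def hardened_frame(counter: int, key: bytes) -> bytes:
    ctr = struct.pack(">I", counter)
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:16]
    return ctr + tag

class HardenedReceiver:
    def __init__(self, key: bytes, last_counter: int = 0, window: int = 16):
        self.key = key
        self.last = last_counter   # highest counter accepted so far
        self.window = window       # tolerate a few lost button presses

    def verify(self, frame: bytes) -> bool:
        if len(frame) != 20:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return False
        ctr = struct.unpack(">I", ctr_bytes)[0]
        # Replayed (ctr <= last) or far-future (desynchronised) frames fail.
        if ctr <= self.last or ctr > self.last + self.window:
            return False
        self.last = ctr
        return True

if __name__ == "__main__":
    # Constructed sample values: counter 2006 and key "1339" from the write-up.
    f = weak_frame(2006, b"1339")
    print("weak frame:", f.hex(), "valid:", weak_verify(f, b"1339"))
    print("candidates to try for a 4-digit key:", weak_keyspace())
    k = os.urandom(16)
    rx = HardenedReceiver(k, last_counter=2005)
    g = hardened_frame(2006, k)
    print("hardened accept:", rx.verify(g), "replay:", rx.verify(g))
```

The receiver-side window is the usual trade-off: too small and a few button presses out of range desynchronise the remote, too large and an attacker who records a frame can hold it for longer before the counter passes it.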
Third, now that we know how to capture the transmission and we know the secret key, all we need to do is build a module that captures a frame with the receiver, adds 1 to the counter, builds the matching message part with the key 1339, and transmits the new frame.
This is the main part of our Arduino code which is used to receive the message:
This is the main part of our Arduino code which is used to transmit the message:
And that's it. The barrier opened and we won the challenge!