Hello everyone. So first of all, I'm giving this talk in English, but I'm happy to take questions in German afterwards. This is for the stream. So yeah. Okay. So I'm sure you saw the title already and you're thinking, what? Why would a doorbell need a firewall? That's like the last thing that you think about securing. So this is what I'm here to talk about today. So first of all, what? So I'll explain how I got into this and what I found out. Then I'll tell you how things can magically work and what's behind the magic and then we'll look at what these things are used for, what they could be used for by somebody with some evil streak and a bit of imagination and how we can protect ourselves. So what? Why? Well, there's two reasons I'm doing this and of course the first one is fun and the second one is profit. So a customer of mine that makes some household electronics, I'll leave it at that, wanted a remote activation possibility for their device. And this was a bit problematic because we've already gone through regulatory approvals of all sorts and adding a radio to an already approved device is a bit of a mess. So we figured out, okay, how can we do this very cheaply and without having to actually approve a radio transmitter? So I figured, okay, there's all sorts of devices that are very cheap already on the market, already approved and wireless. So can we just hack one of those and use that as an activation? So we settled on radio doorbells, which are very cheap. There's two main frequencies that they run on, 315 megahertz and 433.9. And in the end, we ended up using 315 because that's what was more available. Yeah, but first of all, I got one and I looked into it and tried to figure out how it works. Right, so there's the transmitter on the left there, there's the receiver on the right there and there's some very cheap mass produced magic in between.
So looking inside, this is what you have, you have a speaker, you have the receiver board and those two wires go to the battery. And this is a close up and this is the other side. So there's two major components on this one. On the right there is the radio circuitry, which is extremely, extremely simple. Basically all it does is it resonates at the specific frequency and anything that's at that frequency it amplifies and anything that isn't, it rejects. And all the magic is on that little green board over there, which is a decoder and tone generator. So what I did was I attached my oscilloscope probe to various points on that and just found a signal that changes level when a signal is received. So that's fine, job done right, project over. Yeah, I can finish here. Okay, but of course I didn't. So I picked another one, here's a, so this one is about four euros on the market. So you can get that for four euros. So there's really nothing fancy or expensive in there. And that's with batteries. Right. This one is much, much fancier. You can get that for about seven euros. So this one actually has a separate decoder chip. And you could look up its data sheet and it's apparently a remote decoder circuit, which is a clone of, it's a Chinese clone of, I believe a Panasonic product originally. So it has the two interesting things on it. It has a data input pin, which is, let me see if I can show you on there, 14 would be, so that's it. So it has a data input pin over here. And it has the output over here. So I decided to have a bit of a look at the signals. And this is what comes in on the input. And now on the left there, you can see the top, the bottom is a zoomed in version of the top. So at the top, you have all these random transitions, which is noise. And then you have these blocks of fast transitions. And that's where the signal is. So if you look at that a bit more closely, so you have noise here on the left.
And then you have really regularly spaced transitions going up. And that is probably a clock of some kind. And then it goes down at different times. So you have, you have these short signals, the three short signals on the left and a long signal, and another three short signals, then another long signal, and three short signals, another long signal, short signal, a long signal. This is basically Morse code, right? Except the high tech version of it. It's very, very easy to decode. So we can recover the signal by just measuring the times at which the blue marks over there are. So the times when the clock goes up. And then compare to, compare that to the times when it goes down. So if it goes down between like before the middle point of the two clocks, it's a zero. And if it goes low after the middle point, then it's a one. And here's the code to do that. This is just an Arduino interrupt. Do you want me to go through this, or should I just leave it and give you a link later? Who wants me to go through it? One, two, three, four. Okay, enough people. Okay, so we have, this is triggered every time the pin level changes. So we store the time at which a change happened. And then if it went high, then it's a clock bit. And if it went low, it's a data bit. So if it's a clock bit, we save the interval, which is the time difference between this clock and the previous clock. And if that interval matches the previous interval, so it's within, within 10 microseconds of the previous interval, then it's a valid clock. So then we increase the counter and we shift the message left. So we make space for the next bit. And if the clock is not valid, then that's the end of the message. So I'm ignoring short messages here because you get a lot of noise that looks like a valid clock. So I'm ignoring everything that has less than four bits. And I set the flag here so that whatever code is running in the main loop can deal with this. 
And if we have a data bit, so we, this, this right shift here is the same as a division by two. So we have our clock period here. And we divide that by two. And if the current time is more than that, then it's a one. And if it's less than that, then it's a zero. I'll give you a link to this code later on. So if you want to look at it, okay, so we have three, three data points that we can get out of this. So we have the time between, between each clock bit. We have the length of the message, how many clock bits there were. And then we have the content of the message. And using these three, we can, we have a unique signature for each transmitter. So transmitters from the same manufacturer will usually have same clock period, same clock length and different messages. So you can, you can identify different manufacturers of devices. You can identify different types of devices. And depending on the code length, you can also identify how expensive the device is. So there's, there's some that actually advertise a very long, especially secure code. It's exactly the same thing. It's just more bits. Anyway, so what if I don't have a doorbell? You can get, this is a, a transceiver. So a transmitter on top and a receiver on the bottom. They're tiny. They're really cheap. That's like five euros with shipping for the two of them. And of course, if we have a transmitter, that means we can, we can replicate these messages and we can just pretend to be any, any device that we've seen so far. And there's, there's absolutely no security of any kind here. Right? So like, I can record someone's doorbell and then play that back and it will ring. And I can do that any number of times and it will, it will work. So we can receive signals, we can decode signals, we can generate and transmit them and we can identify them. Right. So what? It's a doorbell, right? Who cares? Yeah. Okay.
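The clock/data rule the speaker just walked through, written out as an added Python simulation for readers of the transcript (this is not the speaker's Arduino code): a list of pin edges is replayed through the same "rising edge is clock, falling edge before or after the midpoint is 0 or 1, clock must match the previous interval" logic, and each recovered frame carries the (clock period, bit count, message) signature used to tell transmitters apart. The 12-bit code, the timings and the noise edges are constructed values, not captures from any real device.

```python
from dataclasses import dataclass

CLOCK_TOLERANCE_US = 10  # talk: a clock is valid if within 10 us of the previous one
MIN_BITS = 4             # talk: anything shorter than four bits is treated as noise

@dataclass(frozen=True)
class Frame:
    period_us: int   # time between rising (clock) edges
    length: int      # number of bits in the message
    message: int     # bit content, first bit on air is the most significant

    def signature(self):
        # period + length identify the product family even when messages differ
        return (self.period_us, self.length)

class EdgeDecoder:
    def __init__(self):
        self.last_rise = self.last_fall = None
        self.prev_interval = self.frame_period = None  # last period / first of frame
        self.bits, self.frames = [], []

    def on_edge(self, t_us, level):
        """One (time_us, level) pin transition, as a pin-change interrupt sees it."""
        if level:  # rising edge: closes the previous bit period, opens the next
            if self.last_rise is not None and self.last_fall is not None:
                interval = t_us - self.last_rise
                high_us = self.last_fall - self.last_rise
                bit = 1 if high_us > interval // 2 else 0  # fell past midpoint = one
                if self.prev_interval is None or abs(interval - self.prev_interval) <= CLOCK_TOLERANCE_US:
                    self.bits.append(bit)
                else:  # clock lost (gap or noise): flush, this period starts a new frame
                    self._finish()
                    self.bits = [bit]
                if len(self.bits) == 1:
                    self.frame_period = interval
                self.prev_interval = interval
            self.last_rise, self.last_fall = t_us, None
        elif self.last_rise is not None and self.last_fall is None:
            self.last_fall = t_us  # first falling edge of the period is the data edge

    def _finish(self):
        if len(self.bits) >= MIN_BITS:
            msg = int("".join(map(str, self.bits)), 2)
            self.frames.append(Frame(self.frame_period, len(self.bits), msg))
        self.bits, self.frame_period = [], None

    def flush(self):
        self._finish()  # end of capture: emit whatever is still pending
        return list(self.frames)

def ook_edges(message, length, period_us=1000, short_us=250, long_us=750, gap_us=8000, repeats=2, t0=0):
    """Constructed transmitter model: keyed on at each clock, off early for 0, late for 1."""
    edges, t = [], t0
    for _ in range(repeats):
        for i in range(length - 1, -1, -1):
            edges += [(t, 1), (t + (long_us if (message >> i) & 1 else short_us), 0)]
            t += period_us
        edges += [(t, 1), (t + short_us, 0)]  # trailing sync pulse, then silence
        t += gap_us
    return edges

def decode(edges):
    dec = EdgeDecoder()
    for t_us, level in edges:
        dec.on_edge(t_us, level)
    return dec.flush()

# Constructed capture: irregular noise edges, then a 12-bit doorbell code sent twice.
NOISE = [(0, 1), (37, 0), (120, 1), (131, 0), (600, 1), (610, 0)]
CAPTURE = NOISE + ook_edges(0xA5C, 12, t0=2000)
```

Two transmitters of the same make decode to the same signature with different messages, while a device with a different clock rate or bit count stands out immediately.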
So if we look at what these, these chips, these decoder chips are actually used in, we find of course, doorbells, right? Also, if you've ever been to one of these shops where you go in and it makes a horrible sound. So they're used in those too. So doorbells, annoyance generators. Yeah. They're used in remote control toys. Okay. So far, nothing too bad, right? You wouldn't worry too much about securing these things. They might get annoying. But then again, if you, if you ever buy one of these cheap remote controlled light switches or power outlets, they'll use the same code. And I'm sure there's now gears turning in your head like, what, what can we do if we can remote control someone's, someone's lamps and power switches? Okay, we'll get there. But then I looked at, I looked at the actual manufacturer recommendation on what you should be using these, these parts for. And intrusion sensors, motion detectors, remote home security, industrial remote control, garage doors. What? Network smoke detectors, car security. What? Seriously? Like, how can you use an unsecured, completely repeatable code that you can reproduce with, with five euros worth of equipment for security? It's ridiculous. So I figured, okay, that can't possibly be right. Maybe that's, that's what the manufacturer is imagining, but it can't possibly be right. So I tested with a car key and it uses a slightly different method. Okay, so first of all, the encoder, the encoding is different. So it uses Manchester encoding, which is the same encoding that you use for, for serial parts. But that's equally easy to decode really. But then it uses something called a rolling code, which means every time you send the code, it gets deactivated. So you can't send that code again. So okay, there's at least a little bit more security. But there's still, there's still issues because this rolling code is not synchronized both ways. So the car lock only knows the next set of codes that are likely to come. 
And the key, the key transmitter is just cycling through codes, which means if, if the lock has not heard the transmission, you can replay it and you can use it to, to unlock the car. And this works. So you can record, you can record a car key fob where the car cannot hear it, where it's out of range, and then replay it next to the car and it will unlock. Because from its point of view, it hasn't seen that code before. So it must be valid, right? Yeah. And also, if that was the only, if that was the only check, then pressing the button accidentally would mean that you could never unlock your car again. And obviously this is not the case. So in fact, the lock is looking for a set of codes, sometimes up to 512 of them, that are the next ones that are likely to come. Which means if you press the button 512 times, it will no longer work. Okay. Right. So this is, this is okay for like these, these car keys which have an extra fob, but there's, there's already cars that no longer have a key at all. So the fob is the only way to unlock it. So if you just, if you just activated enough times, you can lock people out of their car. Great. And of course, these things, even if you, if you don't know the code, if you don't know what the correct code is, they still have the signature of clock rate and message length. So you can identify different car manufacturers just by the transmission. So okay, this is what they're used for. So what could somebody that, that is a somewhat evil mind actually use them for? So this, this is written on pretty much every cheap radio device. It has this FCC part 15 notice which includes this text. This device must accept any interference received, including interference that may cause undesired operation. So that got me thinking, what kind of undesired operation can we, can we get to? So here's the broad categories, right?
So you can annoy people, you can spy on people, you can prevent people from using their stuff or you can use it for crime. So harassment is the easiest thing to think of. So you can, yeah, you can ring someone's doorbell at night, right? That's, I must say at this point, I live in a building with very thick walls, they're excellent radio insulators, and we have a wired doorbell, which of course is on a, on a bus, which means I can ring all my neighbors' doorbells without having to use radio, but my neighbors are nice. I don't do this to them. Yeah. And I'm sure you can imagine the fun someone would have if their smoke alarm goes, goes on at night at random intervals and preferably just when they've gone to bed, which you can notice because they've remotely switched off their lights. Yeah. Or you can, you can just make someone believe that they're seeing things. Yeah. About surveillance. So in the worst case, when somebody's using wireless everything, so you know, you know, when somebody's visiting them because they ring their doorbell, you know, when they're at home because their lights are on, you know, when their house is on fire. Now this is not very evil. This is actually a good idea. Knowing when your neighbor's house is on fire is actually a very, very good idea. So this, this I think is the only legitimate application that I'm presenting in this whole talk. Yeah. You can, you can know when people are unlocking their car. Even if you can't do the replay attack because they're in range, you can, you can identify which, which model it is. And by that, you can sort of build a profile like this person's car has this many bits at this rate and this person's car has that many at that rate. So you can know who is unlocking their car when. So just with the directional antenna, you can be the NSA slash Stasi of your street with five euros of investment, right? Right. Denial of service. These signals are not secured in any way.
I said this before, but I'm repeating it. So it's very, very easy to interfere with them. So you can detect the starting clock bit, the first, the first three transitions. And then you can just transmit noise on top of that. And if you're transmitting noise, that's, that's at the same frequency. Okay. So I need to go back a bit. So the way these transmitters work and the way they are so cheap is that the only thing that the code does is switch the transmitter on and off. So if it's quiet, that's, that's like the low level. And if it's not quiet, that's a high level, which means if you transmit noise, it's high all the time. And the clock is lost and the receiver cannot recover it. So you can trivially block a transmission. And there's also no error correction. So you can, if you're transmitting louder, you can transmit a different code. You can only change zeros to ones. You can't change ones to zeros, but already you can do, you can do a lot with that. And the only error correction that this has is that it ignores things if they're not repeated often enough. So if, if you can block enough transmissions, or if you repeat your own signal often enough, it's accepted with, with absolutely no check summing or anything else. And with rolling codes, I already mentioned the denial of service attack where you just press the button enough times and it no longer works. Right. And the criminal applications of this, I think at this point should be obvious. And if somebody's stupid enough to have a garage door secured by just this, then anybody can trivially gain entry. Right. So why is it so bad? First of all, these things, those, those PCBs, I showed you, they were bought last year and the newest one was manufactured in 2004. So this is old stuff. And as long as it works, and as long as nobody's complaining, it's not going to change because you can always resell your old stuff more cheaply than designing something new. And it's cheap.
And you can imagine a cryptographic protection system with this where the transmitter sends out a challenge, gets a response with a challenge back and responds to that. And that way, even if you could, even if you could intercept the communication or replay it, that wouldn't work. Except as a man in the middle of that, of course. But the thing is, even a cryptographic processor costs incredibly much. It's like a euro and a half. And that's twice what the material cost of these things are. So there's no way you can fit that in the same budget. It would double the price. And of course, nobody actually gives a shit about security. So we could do better, but we really have to want to, we have to be willing to pay more than twice the cost for these things. And this is cheap mass produced magic. It's not going to happen. So there are ways to protect ourselves. So of course, the easiest way to protect yourself is don't broadcast your data. So don't use stuff that transmits your data in a completely unsecured way. But sometimes we have to. Sometimes there's no better option. So if you have to do it, do it quietly. So by lowering the voltage on the transmitter, it transmits with a small range. So you can limit the range in which the signal can be recovered. Of course, if you have a nice directional antenna, you can still recover it, but you have to know where to point it to. So if you have to do it loud, that is over a long distance, do it as little as you can. So keep the transmitter off whenever possible and have some shielding. So if you're in a place with thick walls that already solves the problem. And if you have to do it loud in public, you have to be aware of the risks. So use devices that you've verified yourself to be secure or known at all. And don't trust the manufacturer, because seriously, the manufacturer of that decoder chip actually wants people to use it to unlock their cars.
Seriously, like that's, that's a recommended application. Okay, so I'm going to use a bit of time now for some shameless promotion, and then I'm going to take questions. Right, so shameless promotion. The only place that I heard about one C2 from was the DinkPublic, which is an absolutely awesome hack space over in Nippus. And if you haven't been there, you should go check it out. And it's open to non members every Friday night. And it's open to members always. So if you didn't know about it, you do now, and it's a really cool place. Go check it out. And I also have some shameless self promotion to do. So I do custom electronics, mechanics, automation and embedded software. Reverse engineering as well, if necessary, and general fun stuff. I will charge you double to triple for anything closed source. And this is my contact information. And I'll take questions now. Yes. First, I think we should applaud Klamath because it was, I think, really interesting. And yeah, maybe a bit scary. And I ask everybody to keep your seats until the question answer is over. We have about a quarter of an hour now for the questions answers. The first question was there and I come to you in English. Okay. I have two questions. The first question is, how did you find the decoding code? And the second question is, you said you can't produce nulls. There is no something like interferences with which you can make a single null, so a counter-signal control. Would that be possible? Okay. So I'll show you this decoding code again. I'll show you. What do you mean by that? This is now written based on this principle. There is nothing else. And the second question was, how do you... So it's very easy to make a null because you just have to make it a little louder, a little longer, so to speak. Yeah, you could probably make a single null with some kind of interferences, by breaking this trigger frequency.
My question was if you have also found some more secure devices that are also still pretty cheap. Nowadays it seems like there's all sorts of stuff on 2.4 gigahertz around and maybe there's more modern doorbells. Have you found any of those devices that are more modern and more secure? Not with doorbells. So doorbells are universally cheap and crap. Yeah. There are other devices that have better security. They're mostly targeted at the security market. So people are willing to pay more for more security. And the way they usually work is with a challenge response. So you have two-way communication. But already having two-way communication has dramatic impacts on battery life and on cost. So for the one-way communication devices, even the higher frequency fancier ones are usually fairly insecure. So that if you just put in a lot louder, tenfold intensity, you can give me a break at the end of the day. Yeah, that can also be done so that you just do everything on your own, that the whole signal is gone and then something goes on top of it. So something that is temporarily pushed on top of it. And that's a lot easier. Yeah, two things. First of all, you also have the radio remote control for the connectors that you can choose. Yeah, most of them set the same protocol. There is a nice Arduino lib that you can use for that. And there are enough projects that said, oh, randomly, I always switch on and off at home with all my neighbors. That's all there is for the outdoor manufacturers. Now my question is, I mean, the security things are known for a long time and that would be such a fail that an outdoor manufacturer even uses it. Do current outdoor manufacturers still use it? Seriously? Have you ever looked at who does that? So I haven't found anyone who doesn't have a rolling code. So this, this decoder manufacturer, the, the, the wheel hasn't had a car manufacturer that I know yet. So that's good enough. But more complicated than a rolling code I haven't seen yet. 
There are certain worlds, but I haven't tested a lot of them. It's sort of same question going to the rolling code. Depending on the length of the code itself, you could just replay like all the numbers and then bring the key and the car out. You don't even need to replay all the numbers. You only need to replay every 512th number. Okay, because, because the receiver is expecting the transmitter to, to have skipped some codes in between. It listens to a window of 512 different codes. No, no, the codes change after each one, but after each one is invalidated, the window shifts. So you have 512 valid codes up to 512. Yeah. Um, and whenever one of them is used, that becomes the start of the, of the next window. So you, you don't need to check every code. You just need to check every 512th code and eventually you'll find one. Yeah. Yeah. They're fairly long. They're, they're, I've seen 60 something bit codes. So it will take a while, but it is possible. If you had all night, you could definitely just run through every code. Are there more questions? I think we're done. Yeah. Then again, a big applause for climate.