How to Hack Nearly Any Wireless Device

Credit: Alex Hliv/Shutterstock

(Image credit: Alex Hliv/Shutterstock)

LAS VEGAS — Nearly a century ago, the advent of commercial radio broadcasts gave birth to the first generation of hackers.

Today, the proliferation of wireless communications, from Wi-Fi and cellular networking to Zigbee machine-to-machine communications, has led to an explosion of research into vulnerabilities of radio-based systems.

Keyless car remotes, home alarm systems, restaurant diner pagers, traffic alert systems, toll-collection transponders, TV satellites, airliner communications, medical pagers and even space probes can all be disrupted, thanks to software-defined radio (SDR) devices, two Australian researchers demonstrated in separate presentations at the BlackHat security conference here last week.

MORE: 12 Things You Didn't Know Could Be Hacked

Radio unlock

Silvio Cesare, whose day job is at information-security firm Qualys, showed that anyone with a laptop, a device such as a USB TV tuner and software such as GNU Radio can "capture" transmissions between a wireless key fob that disables a home alarm system as the homeowner arrives.

With a device that transmits as well as receives signals, an attacker can "replay" the unlocking signal and disable the alarm when the owner's away.

Wireless car-entry key fobs can be a bit harder, Cesare said, because they often transmit coded messages that change every time. However, Cesare determined that the key fob for his (actually his girlfriend's) test vehicle had less than a million possible codes — and that there was no impediment to "brute force" the code by simply trying one possibility after another.

Cesare wrote a script so that his laptop could cycle through and transmit all possible codes within two hours. He found instead that he could actually unlock the car within five minutes.

It seemed that some codes in the brute-force list worked every time, despite the carmaker's policy of changing the remote code with every usage, Cesare said. Once those "backdoor" codes were discovered, they would work for about a week. He found that the backdoor codes were unique to each remote.

Cesare wouldn't disclose the make or model of the vehicle he researched, but said it was sold between 2000 and 2005 in Australia, was still built and sold in Malaysia and that a variant had been sold in North America.

Planes, medicine and satellites

Balint Seeber of Santa Clara, Calif.-based Ettus Research similarly started out small, showing how to intercept the signals sent to and from pagers that restaurants hand to waiting customers. He played video clips of himself pranking co-working waiting for their food, then setting off all the pagers in a restaurant at once.

Next Seeber showed how he decoded and learned to use FM-radio digital subchannels, which newer cars use to display both radio-station information and traffic alerts. Seeber said that if he ignored the law, as a malicious hacker would, he'd have been able to supersede an FM station's ID and information and broadcast false traffic alerts.

He briefly touched upon intercepting signals used by toll-collection systems such as FasTrak or E-Z Pass, a subject explored in greater detail in presentation slides posted to the BlackHat website. One could use SDR equipment to avoid paying tolls by masquerading as someone else, Seeber explained, or even disrupt traffic-management systems by transmitting hundreds of valid transponder IDs at once.

Like other presenters at this year's BlackHat conference, Seeber showed it was possible to transmit false messages to modern airliners, which use protocols that are unencrypted by design. "Phantom" aircraft could be made to "appear" in the air or on landing runways, or course changes could be transmitted to an airliner cockpit in mid-flight.

(Two pilots who spoke at the DEF CON hacker conference later in the week said any deviation from normal flight patterns would need to be confirmed with a voice query to air-traffic controllers.)

More serious still is the possibility that medical-pager systems can be disrupted, Seeber showed in his slides. Individual doctors or nurses could be sent on pointless errands throughout a hospital, bogus system-wide alerts could be broadcast to distract all medical staff, or doctors could be sent false last-minute surgery instructions just before cutting open a patient.

Radio-signal disruptions needn't be confined to planet Earth, Seeber showed. With sufficiently powerful hardware, a prankster could drown out uplink transmissions to a television-broadcast satellite, replacing regular programming with his or her own video feed.

Many of these activities are illegal, which is why Seeber didn't try them. However, he was on the team of amateurs who recently worked with NASA to revive the ISEE-3, a 36-year-old space probe that is currently passing close to the Earth.

Using software-defined radio, Seeber and his fellow team members were able to "wake up" the probe in May and resume communications with its computers, although they discovered later that there was not enough fuel left in the thrusters to make a course correction that would have put the probe into a stable near-Earth orbit.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.