Resistance to Replay Attacks of Remote Control Protocols using the 433 MHz Radio Channel

Olha Mykhaylova¹, Artem Stefankiv¹, Taras Nakonechny¹, Taras Fedynyshyn¹, and Volodymyr Sokolov²

¹ Lviv Polytechnic National University, 12 Stepan Bandera str., Lviv, 79000, Ukraine
² Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., Kyiv, 04053, Ukraine

Abstract

This study focuses on the analysis of replay attacks, which pose a significant risk to remote control systems using the 433 MHz radio frequency band. A replay attack occurs when an attacker intercepts communications between two legitimate parties and resends the intercepted data to activate a remotely controlled system or commit identity theft. Special attention is paid to the study of the EV1527 protocol and its structure, as well as potential vulnerabilities that can be exploited by attackers. The study includes a detailed analysis of the design documentation of modules using the EV1527 protocol, as well as an assessment of the characteristics of the corresponding antennas and the features of working with hardware and software. The work also includes a comparative analysis of the technical means that can be used to carry out the attack and a demonstration of a practical attack using the HackRF One software-controlled transceiver in a laboratory setting. The main goal of the work is to demonstrate the mechanisms for implementing a replay attack on remote control systems with static code and to develop recommendations for improving the security of these systems. The results of the study are aimed at increasing the understanding of potential risks and vulnerabilities, as well as at determining the feasibility of using such protocols in modern physical security and access control systems.

Keywords

Radio channel, interception, replay, physical security, PT2262, HackRF One, EV1527, NanoVNA V2.2.

CPITS-2024: Cybersecurity Providing in Information and Telecommunication Systems, February 28, 2024, Kyiv, Ukraine
EMAIL: olha.o.mykhailova@lpnu.ua (O. Mykhaylova); artem.stefankiv.kb.2020@lpnu.ua (A. Stefankiv); t@online.ua (T. Nakonechny); fedynyshyn.taras@gmail.com (T. Fedynyshyn); v.sokolov@kubg.edu.ua (V. Sokolov)
ORCID: 0000-0002-3086-3160 (O. Mykhaylova); 0009-0006-8851-8358 (A. Stefankiv); 0009-0003-4487-9424 (T. Nakonechny); 0009-0006-8233-8057 (T. Fedynyshyn); 0000-0002-9349-7946 (V. Sokolov)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073

1. Introduction

Remote control systems are an important part of modern security solutions, providing convenience and efficiency in managing physical perimeters, from barriers and automatic gates to alarm systems. However, radio communications, which are often the backbone of these systems, can become vulnerable, opening the door to potential attacks [1, 2]. Particular attention in this context is paid to the vulnerability of remote-control protocols, particularly EV1527, which can be used to implement signal replay attacks [3–5].

In this work, we focus on analyzing these vulnerabilities, using both theoretical and practical methods to demonstrate possible attacks in a laboratory setting. The importance of such research lies in the increasing reliance on wireless technologies in security systems, making them a potential target for attackers and reflecting the need to develop more robust security protocols [6–8].

The motivation for this research was the numerous cases of replay attacks highlighting the vulnerability of existing systems. Our goal is not only to identify and demonstrate vulnerabilities but also to develop recommendations for improving the security of using remote control systems. To do this, we conducted a detailed analysis of the documentation of the EV1527 and PT2262 protocols and studied the principles of their operation, message structure, and data modulation. A comparative analysis of equipment capable of carrying out such attacks was also carried out, including the software-controlled HackRF One transceiver and the NanoVNA V2.2 vector network analyzer [8–10].

It is important to note that the development of remote-control technology has deep roots in history, from early wired and wireless systems developed in the late 19th century to meet the control needs of autonomous vehicles, including torpedoes, to modern wireless devices that are an integral part of our daily lives. For example, in the late 1930s, Philco pioneered a wireless remote controller for consumer electronic devices, known as Mystery Control, which used low-frequency radio transmission. This was a significant breakthrough in remote control technology. Another good example could be a set of modern wearable [12] Bluetooth-connected devices, which are also used as a part of a smart-home setup and may execute remote control functions. Also, a significant step forward in the development of remote-control technology was the creation of the first television remote control by Zenith Radio Corporation in 1950. It was originally connected to the TV using a wire, but in 1955 the "Flashmatic" wireless remote was developed, which controlled the TV using directional flashes of light [13, 14].

The structure of the work includes a literature review, methodology, analysis results, comparative study, and discussion of the results. We hope that this work will not only highlight current challenges in remote control security but also contribute to the development of safer solutions in this area.

2. Analysis of Recent Research and Publications

Current research in the field of security of remote control and keyless entry protocols emphasizes the use of dynamic codes, especially focusing on the HCS301 protocol. This protocol is used in keyless entry systems for vehicles, including car alarms and car starting systems. One of the key features of the HCS301 is the use of the patented KeeLoq block cipher based on a nonlinear feedback shift register, which provides a high level of security.

One of the important studies, conducted by Tobias van Capelleven from Radboud University Nijmegen, is devoted to a comparative analysis of the security of car alarm systems based on the EV1527 protocol. In his work, van Capelleven highlights the vulnerability of EV1527 to replay attacks, which calls into question its reliability in a security context.

In addition, other sources, such as articles on the Yaoertai website, go into detail about the mechanisms and features of the HCS301 Rolling Code Technology. These articles provide information on the operation of the HCS301, its benefits, and applications in various fields including automotive and home security systems. Particular attention is paid to how HCS301 technology protects against various types of attacks, including protection against replay attacks.

This analysis of current research and publications highlights the importance of understanding the various security protocols and vulnerabilities that exist in modern remote control and keyless entry systems. They provide valuable information that can be used to improve the security of these systems [11].

3. Setting Objectives

The main goal of this study is an in-depth analysis of the EV1527 protocol, including its design, principles of operation, and potential vulnerabilities. The study involves a thorough review of the design documentation of the modules that use this protocol, as well as an analysis of the main characteristics of the antennas and the features of working with hardware and software.

The main tasks of the research include:
1. Analysis of the design of the EV1527 protocol: studying the technical structure and main components of the protocol, as well as understanding its functionality and data transmission mechanisms.
2. Vulnerability detection: identifying potential weaknesses in the EV1527 protocol, including its susceptibility to replay attacks and other threats.
3. Comparative analysis of equipment: evaluation and comparison of different types of equipment that can be used to carry out attacks on systems using the EV1527 protocol.
4. Practical verification: performing experiments and tests in laboratory conditions to verify theoretical conclusions and identify real system vulnerabilities.
5. Evaluation of the feasibility of using the EV1527 protocol: based on the received data and analysis, conclude on the practicality and safety of using the EV1527 protocol in remote control systems.

The results of this study will provide valuable information on the reliability and security of the EV1527 protocol, which is critical for its application in security and remote-control systems. This research is expected to help developers and engineers in choosing the most secure and efficient solutions for their systems.

4. Analysis of EV1527 Protocol Documentation

EV1527 is a message encoder chip that uses the protocol of the same name and was developed by Silvan Chip Electronics Tech. Co. Ltd (PRC) [4]. This protocol, the microcircuit of the same name, and its clones are used in systems for remote control of mechanisms, automation systems, control panels for "smart home" systems, self-made devices, etc. This widespread use is due to the relative cheapness of the microcircuit, the presence of a collision prevention mechanism, and the simplicity of the implementation of the receiver and transmitter. There are ready-made solutions based on this standard that can be easily integrated into an existing structure, including access control devices such as barriers, automatic gates, automatic shutters, etc.

The EV1527 chip is manufactured in DIP-8 and TSOP-8 packages and has four data inputs, one clock input, power inputs, and one code output that can be transmitted via radio. The main frequencies for communication are 433 MHz for European countries and 315 MHz for the USA and Canada. The available documentation shows a typical circuit for connecting the microcircuit to a radio transmitter [4, p. 3] (Fig. 1).

Figure 1: Typical wiring diagram of the encoder chip

The protocol used by this chip is more resistant to enumeration (brute-force) and collision attacks. The protocol provides for one type of message with a fixed structure. The message consists of a preamble and a main part (Fig. 2).

Figure 2: Structure of the EV1527 protocol message

The preamble is 32 bits long and is used to synchronize the transmitter and receiver. The structure of the preamble is as follows: one period of the dominant state and 31 periods of the recessive state at the output of the chip [4, p. 2] (Fig. 3).

Figure 3: Structure of the message preamble

The main part of the message consists of a key code and four data bits. The main part of the message is coded using the sequence "3–1" (three periods in the dominant state and one period in the recessive state at the output of the microcircuit) to transmit a logical one and the inverted sequence "1–3" to transmit a logical zero [4, p. 2] (Fig. 4). Analogous coding is used in the microcircuit PT2262 [5, p. 7].

Figure 4: Coding at the output of the chip
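The frame format described above, as an added example (not code from the paper or from the chip documentation): it encodes the 20-bit key code and the four data bits into the chip's per-period output, decodes such a stream back with validation, and shows why a static-code receiver accepts a recording. It assumes the key code is transmitted before the data bits, most significant bit first, as in the bit strings reported in Section 8; period durations in microseconds are not modelled.

```python
"""EV1527 frame model at the level of output periods ("symbols").

Added example, not code from the paper or from the chip vendor. Timing follows
the paper's reading of the documentation: a preamble of one dominant period
and 31 recessive periods, then 24 bits (20-bit key code + 4 data bits), each
bit sent as four periods: "3-1" (1110) for a logic one, "1-3" (1000) for a
logic zero. Every character of a frame string is one output period.
"""

PREAMBLE = "1" + "0" * 31                  # one dominant, 31 recessive periods
BIT_SYMBOLS = {1: "1110", 0: "1000"}       # "3-1" -> logic 1, "1-3" -> logic 0
KEY_BITS = 20
DATA_BITS = 4


def encode_frame(key_code: int, data: int) -> str:
    """Return the output-pin state per period for one EV1527 message."""
    if not 0 <= key_code < (1 << KEY_BITS):
        raise ValueError("key code must fit in 20 bits")
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data must fit in 4 bits")
    payload = (key_code << DATA_BITS) | data   # key code first, data bits last
    bits = format(payload, f"0{KEY_BITS + DATA_BITS}b")
    return PREAMBLE + "".join(BIT_SYMBOLS[int(b)] for b in bits)


def decode_frame(symbols: str) -> tuple:
    """Parse one frame (preamble + 24 bits) back into (key_code, data).

    Raises ValueError on a malformed preamble, a wrong length or an illegal
    bit symbol, which is how a receiver rejects noise that resembles a frame.
    """
    if not symbols.startswith(PREAMBLE):
        raise ValueError("missing preamble")
    body = symbols[len(PREAMBLE):]
    if len(body) != (KEY_BITS + DATA_BITS) * 4:
        raise ValueError("wrong frame length")
    inverse = {v: k for k, v in BIT_SYMBOLS.items()}
    bits = []
    for i in range(0, len(body), 4):
        sym = body[i:i + 4]
        if sym not in inverse:
            raise ValueError(f"illegal symbol {sym!r} at period {i}")
        bits.append(inverse[sym])
    payload = int("".join(map(str, bits)), 2)
    return payload >> DATA_BITS, payload & ((1 << DATA_BITS) - 1)


def search_space() -> int:
    """Messages an attacker would have to enumerate without a recording."""
    return (1 << KEY_BITS) * (1 << DATA_BITS)


def receiver_accepts(stored_key: int, stored_data: int, symbols: str) -> bool:
    """Static-code receiver: acts whenever the decoded message equals the
    programmed (key, button) pair. It keeps no state between frames, so a
    recording of a legitimate frame is accepted exactly like the original."""
    try:
        return decode_frame(symbols) == (stored_key, stored_data)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key code and button; any values in range behave alike.
    frame_now = encode_frame(0x12345, 0b0001)
    frame_later = encode_frame(0x12345, 0b0001)   # the same button pressed again
    print("frame length in periods:", len(frame_now))
    print("identical on every press:", frame_now == frame_later)
    print("brute-force space:", search_space())
    print("recording accepted:", receiver_accepts(0x12345, 1, frame_now))
```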
The key code is specified in twenty bits, which allows for the existence of 1048576 unique keys and greatly complicates a brute-force enumeration attack, since it is necessary to go through not only the above number of key codes but also the 16 button codes used in the attacked system. The total number of combinations for a complete search is 16777216 messages.

However, this protocol uses a static code and does not use cryptographic means to increase the level of security. The message does not change after each generation, so a replay attack is possible [3].

5. Comparative Analysis of EV1527 and PT2262 Protocols

This section provides a comparative analysis of two popular remote control protocols: EV1527 and PT2262. Both protocols are often used in remote control systems, but they have some key differences.

EV1527 is a chip developed by Silvan Chip Electronics Tech. Co. Ltd (PRC), which uses a fixed message format and does not have cryptographic protection. The protocol provides one type of message with a fixed structure, including a 32-bit preamble and a main part with a key code and four data bits. EV1527 uses a collision avoidance mechanism and is easy to implement.

PT2262, on the other hand, can have different message configurations: from 6 to 12 bits of key code and 0 to 6 bits of button code. The protocol provides a synchronization sequence at the end of the message, which differs from EV1527. PT2262 does not have built-in collision mitigation mechanisms and uses static addressing.

One key difference is that if a transmitter is lost, PT2262-based systems require a code change on the receiver and the other transmitters to revoke the lost transmitter's access. A system based on EV1527 does not have this drawback: access can be revoked by deleting the record of the lost transmitter from the receiver's memory.

In general, although both protocols lack cryptographic security and are vulnerable to replay attacks, EV1527 proves to be more flexible to use and adapt to different user needs. This makes it a more attractive choice for modern remote-control systems, despite existing vulnerabilities.

6. Principle of Replay Attack

A replay attack is a form of cyber-attack where an attacker intercepts communications between two legitimate parties and resends the intercepted data. This method is used to gain unauthorized access to a system or initiate unwanted actions on behalf of a legitimate user. Unlike a man-in-the-middle attack, where the attacker actively interferes with communication, a replay attack is passive. The attack scenario can be described as follows (Fig. 5):
1. An attacker, whom we will call Eve, listens to the radio frequency range in which the signal's receiver and transmitter operate and records the signal.
2. Alice sends a signal to Bob to activate a certain mechanism, such as opening an automatic gate.
3. Bob receives and decodes the signal and, if it matches the stored code, acts.
4. Eve replays the intercepted signal, and the system, vulnerable to a replay attack, perceives this as a signal from Alice and performs the response action.

Figure 5: Replay attack scheme

At the same time, the attacker must have opportunities for passive interception and reproduction. The importance of implementing stronger security mechanisms in these systems is becoming apparent to reduce the risks of unauthorized access or control.

To protect against replay attacks, remote control systems must incorporate additional layers of security, such as cryptographic encoding or the use of dynamic codes that change with each transmission. For example, the use of technologies similar to the HCS301 Rolling Code discussed earlier can significantly improve the security of remote-control systems.

A replay attack is particularly dangerous because it does not require the attacker to have deep technical knowledge or sophisticated equipment. The ease of implementation of such attacks makes them a threat to a wide range of wireless systems, from home automation systems to more sophisticated access control systems.

Understanding these risks and vulnerabilities is critical for security developers and hardware manufacturers. This research highlights the need to continuously update cybersecurity knowledge and develop more resilient and robust solutions to prevent similar attacks in the future.

7. Comparative Analysis of the Main Characteristics of Antennas for Signal Interception

Conducting a comparative analysis of the main characteristics of the antennas allows one to determine the suitability of each of the available antennas for signal interception and replay and to identify their shortcomings and/or defects.

The existing receiver and transmitters use the LPD433 band (433.050–434.790 MHz), which lies within the 70 cm radio amateur band (430–440 MHz). The LPD433 range is divided into 69 channels with a step of 25 kHz; this range is used for low-power, short-range transmitters. Short-range transmitters include remote control systems, home automation systems, car keyless access systems, low-power portable walkie-talkies, etc. In Ukraine, the use of this range is regulated by DSTU ETSI EN 300 220-1:2018 and DSTU ETSI EN 300 220-2:2017, which are harmonizations of the standards ETSI EN 300 220-1 V3.2.1 [15] and ETSI EN 300 220-2 V3.1.1 [16]. The limits of the range are determined by the recommendation CEPT/ERC Rec 70-03 [9]. In the USA, this range is not used for unlicensed broadcasting, so the Federal Communications Commission (FCC) allocated the 315 MHz range for short-term operation of short-range devices, with a limit on the output electric field strength of 300 μV/m and a transmission duration of up to 3 minutes [11, p. 20].

The main requirement for the antennas is that their operating frequency range covers the given band with a minimum value of SWR. The portable vector network analyzer NanoVNA [17] and the NanoVNA-Saver software [18] were used for the comparative analysis. Four types of antennas were compared according to the standing wave ratio (SWR) and the operating frequency range. The limit value of SWR for determining the range of operating frequencies is 2.000. The antennas were measured in vertical polarization, and the results were averaged over five consecutive measurements.

7.1. Antenna 1

Telescopic antenna with SMA connector, with a minimum length of 17 cm and a maximum length of 102 cm. The measurement was carried out in two antenna length configurations: minimum and maximum. Below are the results of measuring the parameters of antenna 1 at the minimum length (Fig. 6, Table 1) and at the maximum length (Fig. 7, Table 2).

Figure 6: Parameters of antenna 1 at the minimum length: (a) Smith chart and (b) graph of SWR versus frequency

Table 1: Values of antenna 1 parameters at the minimum length at marks 1–3
Parameter          Mark 1       Mark 2       Mark 3
Frequency, MHz     391.966      415.851      445.286
SWR (voltage)      2.000        1.191        2.000
Return loss, dB    –9.543       –1.213       –9.545
Impedance, Ohm     26.6–j10.8   46.9+j7.9    99.8+j3.3

Figure 7: Parameters of antenna 1 at the maximum length: (a) Smith chart and (b) graph of SWR versus frequency

Table 2: Values of antenna 1 parameters at the maximum length at marks 1–3
Parameter          Mark 1       Mark 2       Mark 3
Frequency, MHz     69.9772      72.9504      76.1219
SWR (voltage)      1.996        1.021        1.977
Return loss, dB    –9.566       –39.615      –9.676
Impedance, Ohm     42.2–j31.5   49.0+j0.1    57.1+j36.5

The obtained results indicate the suitability of antenna 1 at the minimum length for working with the target signal.

7.2. Antenna 2

Telescopic antenna with SMA connector, minimum length 11.5 cm and maximum length 47.5 cm. Four specimens of this antenna are available. For each of the specimens, measurements were made in a length configuration that corresponds to a quarter of the wavelength of the target range (17.5 cm). Using the method of pairwise comparison, the specimen with the best characteristics was selected (Figs. 10–12). The minimum value of the voltage standing wave ratio, the frequency at which the minimum SWR was reached, and the input impedance of the antenna at the frequency of minimum SWR were chosen as the criteria for comparison. The comparison took place in two rounds: in the first round, two pairs of specimens (No. 1 and No. 2, and No. 3 and No. 4, respectively) were compared; in the second round, the specimens with the better characteristics from the first round were compared.

Graphs were constructed using the scikit-rf library for the Python programming language [10]. This library supports the creation and import of Touchstone files, which are used by most circuit analyzers and by the NanoVNA-Saver program.

Round 1. The pair of specimens No. 1 and No. 2 is compared. The results of the comparison are shown in Fig. 8.

Figure 8: Parameters of specimens No. 1 and No. 2 of antenna 2 at the optimal length: (a) Smith chart and (b) graph of SWR versus frequency

In Fig. 8, we can see that the impedance values for both specimens on the SWR 1.0 line are quite close. Still, specimen No. 2 shows an additional resonance at a frequency of 882 MHz, uncharacteristic of specimen No. 1. Also, Fig. 8 demonstrates the superiority of specimen No. 1 over specimen No. 2 in the 430–440 MHz range. The minimum SWR of specimen No. 2 is at the beginning of the range, and the SWR reaches a value of 1.357 at the end of this range. Specimen No. 1 shows a slightly larger value of SWR, 1.208, at a frequency of 435.058 MHz. From the conducted data analysis, it can be concluded that specimen No. 2 shows the best indicators in this range.

A comparison of pair 2 (specimens No. 3 and No. 4) is shown in Fig. 9.

Figure 9: Parameters of specimens No. 3 and No. 4 of antenna 2 at the optimal length: (a) Smith chart and (b) graph of SWR versus frequency

In Fig. 10 we can observe that the values of the reactive component of the impedance for both specimens on the SWR 1.0 line are quite close. Still, specimen No. 2 demonstrates an additional resonance at a frequency of 882 MHz, which is uncharacteristic of specimen No. 1. Fig. 11 shows the advantage of specimen No. 1 over specimen No. 2 in the 430–440 MHz range. The minimum SWR of specimen No. 2 is at the beginning of the range, and the SWR reaches a value of 1.357 at the end of the range. Specimen No. 1 exhibits a slightly higher SWR of 1.208 at 435.058 MHz. From the data analysis, we can conclude that specimen No. 2 demonstrates the best performance in this range. A comparison of pair 2 (specimens No. 3 and No. 4) is shown in Figs. 12–13.

Figure 10: Parameters of specimens No. 1 and No. 3 of antenna 2 at the optimal length: (a) Smith chart and (b) graph of SWR versus frequency

Considering the above similarity between the frequencies of the minimum SWR value and the corresponding values shown in Fig. 15, we can conclude that among the available specimens the best performance is demonstrated by specimen No. 3, and it is suitable for working with the target signal.

7.3. Antenna 3

The quad-band car antenna with PL-259 connector is part of the QYT KT-7900D car radio kit, which is designed to operate in the 136–174 MHz, 220–270 MHz, 350–390 MHz and 400-4 bands. The antenna is equipped with a magnetic stand with an SO-239 input connector and a 7-meter-long SYWV 50-3 cable with a PL-259 connector. Below are the results of measuring the parameters of antenna 3 in the signal frequency range (Fig. 13, Table 3). Blue indicates the measurement when the antenna is connected through the supplied magnetic stand, and black the measurement when the antenna is connected with a 5-meter-long RG-58U70 cable through an SMA–SO-239 adapter.

Figure 11: Antenna 3 parameters: (a) Smith chart and (b) graph of SWR versus frequency

From Fig. 11, it can be observed that the magnetic stand hurts the antenna performance. There is no SWR dip (resonance) in the 440 MHz range declared by the manufacturer when the magnetic stand is used.

Table 3: Parameter values for antenna 3 without the stand at marks 1–3
Parameter          Mark 1       Mark 2       Mark 3
Frequency, MHz     419.373      439.469      451.821
SWR (voltage)      1.998        1.022        1.999
Return loss, dB    –9.552       –39.356      –9.551
Impedance, Ohm     54.9–j36.7   51.0–j0.3    25.5+j5.7

The results indicate that this antenna can handle the target signal, but its performance will be less optimal than that of antenna 2.

7.4. Antenna 4

A "ground plane" antenna with a BNC connector and a BNC–SMA cable of RG-174 type, 3 meters long; the range declared by the manufacturer is 65–375 MHz. The antenna consists of a printed circuit board on which BNC connectors are fixed for the output and input of the central element, with holes for four grounding elements made in the form of telescopic antennas with a length of 20 to 95 cm. Experimentally, it was possible to tune this antenna to the target range (length of the central element 47.5 cm, length of the grounding elements 51.5 cm). The antenna was mounted on a homemade mast at a height of approximately 175 cm above floor level. Below are the measurements of this antenna in the above optimal configuration (Fig. 12, Table 4).

Figure 12: Parameters of antenna 4 at the optimal length: (a) Smith chart and (b) graph of SWR versus frequency

Table 4: Values of the parameters of antenna 4 at the optimal length at marks 1–3
Parameter          Mark 1       Mark 2       Mark 3
Frequency, MHz     406.237      432.313      483.779
SWR (voltage)      2.000        1.157        1.996
Return loss, dB    –9.545       –22.766      –9.566
Impedance, Ohm     26.4+j10.3   51.8–j7.2    53.6+j36.3

From the data obtained, we can conclude that this antenna is suitable for working with the target signal in this configuration, but stability of the parameters cannot be achieved because the antenna operates outside the characteristics declared by the manufacturer and outside the calculated element lengths (for the range of 430–440 MHz, the length of the central element should be approximately 16.5 cm, and the length of the grounding elements 18.3 cm) [11].

Therefore, for working with the target signal in laboratory conditions, the best performance is demonstrated by specimen No. 3 of antenna No. 2. To determine the stability of the indicators over time, a series of consecutive measurements was taken over 16 hours. Measurements were made at intervals of 2–2.5 hours.

Figure 13: Testing the stability of performance over time

The measurement results are in the same range and do not go beyond the established range, limited by the SWR value of 2.000.

8. The Process of Performing a Replay Attack Demonstration

In this chapter, we focus on the detailed study and practical application of signal interception and replay techniques in wireless communication systems. Our goal is to explore and demonstrate how an attacker can use specialized hardware and software to intercept and imitate signals to illegally access or control systems. This process, known as a replay attack, is a key element in studying wireless security and developing effective countermeasures [3–5, 9, 15, 16].

Equipment:
• Signal transmitters.
• Signal receiver with actuator.
• Software-controlled transceiver HackRF One.
• USB 2.0 A to USB 2.0 Micro-B cable.
• Antenna and connecting cables with adapters.
• Computer running Kali Linux.
• Radio frequency spectrum analyzer gqrx [9].
• Universal Radio Hacker software package for reverse engineering of wireless protocols [19].

Description of equipment:
1. Signal transmitters: transmitter A is a miniature control transmitter with two buttons labeled A and B and an LED, black with silver accents, powered by a 23A cell; transmitter B is a miniature control transmitter with four buttons marked A, B, C, D and an LED, silver with a protective cover, powered by a 23A cell.
2. Signal receiver with actuator: developed by JoyDeal, a compact receiver and command decoder for the EV1527 and PT2262 standards with memory for 15 buttons and a standard helical antenna. The supply voltage ranges from 3.6 to 24 V; an LED with a limiting resistor is used as the actuator.
3. HackRF One software-controlled transceiver: portable software-controlled transceiver HackRF One in the PortaPack H1 version, with the ability to operate autonomously. The transceiver has connectors for an antenna, a built-in oscillator output and a synchronization input, as well as a USB Micro-B power/data connector and a 3.5 mm TRS connector for connecting headphones and outputting a demodulated audio signal.
4. USB 2.0 A to USB 2.0 Micro-B cable: data cable with USB 2.0 A and USB 2.0 Micro-B connectors, 1 meter long.
5. Antenna and connecting cables with adapters: specimen No. 3 of antenna 2 was selected as the working antenna; the comparative analysis process is described in Section 7. Adapters and connecting cables are not used.
6. Computer running Kali Linux: Asus Vivobook 15 X509FJ laptop with the Kali Linux 2024.1 special-purpose operating system installed. A description of the procedure for preparing the computer to perform the attack is given below.

Attack sequence:
• The attacker starts intercepting the signal using Universal Radio Hacker and waits for the legitimate user (victim) to send a signal.
• The legitimate user sends a signal.
• The receiver performs the specified action.
• The attacker, using Universal Radio Hacker, sends a signal imitating the legitimate user of the system (victim).
• The receiver performs the specified action because it cannot distinguish the attacker from the legitimate user.

Performing the attack:
1. System preparation. To prepare the system to work with HackRF One, you need to install the hackrf, hackrf-doc, hackrf-firmware, libhackrf-dev, libhackrf0 packages from the operating system's package manager repositories.
2. Receiver programming. The receiver is programmed by pressing the programming button a certain number of times to switch to the required switching mode (instant, switching, latching, timer) and then pressing the desired button on the transmitter. As previously noted, the receiver memory has 15 cells. The following positions have been programmed:
2.1. Button A of transmitter A to instantaneous mode.
2.2. Button B of transmitter A to switch mode.
2.3. Button A of transmitter B to timer mode with a delay of 5 seconds.
3. Assessing the radio frequency range and checking signal reception. The radio frequency spectrum is assessed using gqrx [20]. Gqrx is a program for real-time radio frequency spectrum analysis, distributed under the open GPL license [9]. Execution order:
• Connect an antenna to HackRF One and connect it to the computer.
• Switch HackRF One to computer mode.
• Launch gqrx on the computer.
• Select HackRF One from the list of devices and establish a connection.
• Set the receiving frequency to 433.92 MHz.
• Enable monitoring.
A waterfall graph and a line graph of the signal will appear on the screen. When the buttons on transmitter A are pressed, we observe the appearance of a signal on the graphs (Fig. 14).

Figure 14: Waterfall graphs of transmitter A button signals: (a) button A; (b) button B

We carry out a similar procedure for buttons A, B, C, and D of transmitter B (Fig. 15).

Figure 15: Waterfall graphs of transmitter B button signals: (a) button A; (b) button B; (c) button C; (d) button D

From the data obtained, we can conclude that the connection and configuration of the transceiver and computer are correct, and we assume that transmitter B is partially operational or does not have the declared functions. Buttons that do not transmit a signal (buttons B, C, and D of transmitter B) are not considered further.
4. Signal interception and analysis. To intercept and analyze the signal, the Universal Radio Hacker software package is used [19]. This software package has the capabilities to record signals, analyze them, reverse engineer wireless protocols, play back recorded signals, and create new signals based on arbitrary data. It is written in Python and is distributed under the free GPLv3 license. Installation is done using the pipx package manager. Execution order:
• Connect an antenna to HackRF One and connect it to the computer.
• Switch HackRF One to computer mode.
• In the File menu, select Record signal.
• Select HackRF One from the list of available devices.
• Click the update button located opposite the "Device Identifier" field and wait for the serial number to appear in the field.
• Set the interception frequency to 433.92 MHz.
• Press the "Start" button.
• Wait for the signal to arrive.
• After recording the signal, press the "Stop" button.
• Save the signal to a file using the Save button.
• Close the recording window; the saved signal will automatically open in the main program window.

The signals from transmitters A and B that are recognized by the JoyDeal receiver (buttons A and B of transmitter A and button A of transmitter B) were intercepted (Fig. 16) and interpreted (Fig. 17). The signal was intercepted with a configured transceiver bandwidth of 2.0 MHz and a sampling rate of 2 million samples per second.

Figure 16: Signal capture from transmitters: (a) button A of transmitter A; (b) button B of transmitter A; (c) button A of transmitter B

Figure 17: Interpretation of the transmitter signal: (a) button A of transmitter A; (b) button B of transmitter A; (c) button A of transmitter B

The intercepted signals use amplitude shift keying and are recorded at a resolution of 700 samples per symbol. The PT2262 and EV1527 standards use the same bit encoding: "3–1" to encode a logic one and "1–3" to encode a logic zero.
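The capture pipeline just described (an ASK envelope at 700 samples per symbol, "3–1"/"1–3" symbols, a 20-bit address followed by 4 data bits), as an added example that is not code from the paper or from Universal Radio Hacker: it turns a demodulated 0/1 envelope into symbols by majority vote, scans for preambles, decodes each 24-bit payload, and collapses the repeats a held button produces. The capture is constructed in software from the three messages reported in Section 8 (no real recording is embedded), with small edge noise added to show why the majority vote is needed.

```python
"""Decode an ASK capture of EV1527/PT2262 frames as the paper's URH analysis
does: 700 samples per symbol, "1110" = logic 1, "1000" = logic 0, and a
24-bit payload (20-bit address + 4 data bits) after a 1 + 31 period preamble.

Added example, not code from the paper or from Universal Radio Hacker. The
input is assumed to be the demodulated envelope (one 0/1 value per sample);
the capture used below is constructed here, not recorded.
"""
from collections import Counter

SAMPLES_PER_SYMBOL = 700
PREAMBLE = "1" + "0" * 31
SYMBOL_TO_BIT = {"1110": "1", "1000": "0"}
PAYLOAD_BITS = 24
# The three messages the paper reports (address, data), used as sample input.
REPORTED = [(0xFF5F7, 1), (0x38860, 8), (0x1F40C, 0)]


def frame_symbols(address: int, data: int) -> str:
    """Symbol string of one frame: preamble, then 24 bits as 4-period symbols."""
    bits = format((address << 4) | data, "024b")
    return PREAMBLE + "".join("1110" if b == "1" else "1000" for b in bits)


def synth_capture(messages, repeats: int = 3, jitter: int = 5) -> list:
    """Constructed envelope: each message sent `repeats` times back to back
    (a held button repeats the frame), with `jitter` samples flipped right
    after every symbol edge to mimic noisy transitions."""
    out = []
    for address, data in messages:
        for _ in range(repeats):
            for sym in frame_symbols(address, data):
                out.extend([int(sym)] * SAMPLES_PER_SYMBOL)
    for pos in range(0, len(out), SAMPLES_PER_SYMBOL):
        for k in range(jitter):
            if pos + k < len(out):
                out[pos + k] ^= 1
    return out


def envelope_to_symbols(samples, sps: int = SAMPLES_PER_SYMBOL) -> str:
    """One symbol per `sps` samples, decided by majority vote."""
    syms = []
    for i in range(0, len(samples) - sps + 1, sps):
        chunk = samples[i:i + sps]
        syms.append("1" if sum(chunk) * 2 > sps else "0")
    return "".join(syms)


def parse_messages(symbols: str) -> list:
    """Scan for preambles and decode the 24-bit payload after each one.
    A preamble not followed by 24 well-formed symbols is skipped."""
    found = []
    i = symbols.find(PREAMBLE)
    while i != -1:
        start = i + len(PREAMBLE)
        body = symbols[start:start + PAYLOAD_BITS * 4]
        bits = "".join(SYMBOL_TO_BIT.get(body[k:k + 4], "?")
                       for k in range(0, len(body), 4))
        if len(bits) == PAYLOAD_BITS and "?" not in bits:
            found.append(int(bits, 2))
            i = symbols.find(PREAMBLE, start + PAYLOAD_BITS * 4)
        else:
            i = symbols.find(PREAMBLE, i + 1)
    return found


def format_message(payload: int) -> str:
    """Render as the paper does: 20-bit address in hex, then the data value."""
    return f"0x{payload >> 4:05X} {payload & 0xF}"


def unique_messages(payloads) -> list:
    """Collapse repeats (as URH's 'repeated messages hidden' view does),
    keeping first-seen order and the number of times each frame occurred."""
    counts = Counter(payloads)
    return [(format_message(p), counts[p]) for p in dict.fromkeys(payloads)]


def decode_capture(samples) -> list:
    return unique_messages(parse_messages(envelope_to_symbols(samples)))


if __name__ == "__main__":
    for text, n in decode_capture(synth_capture(REPORTED)):
        print(f"{text}  (seen {n} times)")
```

With a real URH export, feed its demodulated 0/1 samples in place of the constructed envelope; the symbol length must match the 700 samples per symbol reported for this capture.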
At a resolution of 700 samples per symbol these correspond to the chip sequences "1110" and "1000", respectively. Entering these parameters into the Universal Radio Hacker analysis template (Fig. 18) yields the following messages (Fig. 19):
• Button A of transmitter A: 0xFF5F7 1 (11111111010111110111 0001) (Fig. 19, message 1).
• Button B of transmitter A: 0x38860 8 (00111000100001100000 1000) (Fig. 19, message 47).
• Button A of transmitter B: 0x1F40C 0 (00011111010000001100 0000) (Fig. 19, message 91).

Figure 18: Signal encoding parameters.

Figure 19: Received messages (repeated messages hidden).

The payload occupies 24 bits, which indicates the EV1527 protocol: a 20-bit transmitter address followed by 4 data bits, as confirmed by the documentation [4, p. 2]. The address alone identifies the transmitter, and nothing in the frame changes from one press to the next, so a recording of a frame is indistinguishable from the original.

5. Signal replay. The captured signal is replayed with Universal Radio Hacker as well, using the following procedure:
• Connect HackRF One to the computer and make sure it is recognized.
• Switch HackRF One to computer mode.
• Open the file with the captured signal.
• In the Interpretation tab, click the send button.
• Select HackRF One as the device and set the remaining device parameters (as in points 3–4 of the previous procedure).
• Set the number of transmission repetitions.
• Click the "Start" button.
As a result of the transmission, the receiver performed the action programmed for the replayed button.

9. Conclusions

In the modern world, where digital technologies penetrate all areas of our lives, the issue of security becomes very important. Remote control systems that use static codes are open to several potential threats, of which the replay attack is one of the simplest and most effective.
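The difference between a static code and a dynamic (rolling) code is a difference in what the receiver checks. The following Python is an added example written for this page; it is not the paper's code and it is not the HCS301/KeeLoq algorithm. It models the EV1527-style receiver as a set of learned addresses, and models a rolling-code receiver as a per-remote counter authenticated with HMAC-SHA256 under a key shared at pairing time, accepted only inside a 16-frame look-ahead window; the key, serial numbers and window size are constructed assumptions. The same captured frame is then sent twice to each receiver, once as the legitimate press and once as the replay.

```python
"""Static code vs. counter-based (rolling) code under a replay (added example,
not the paper's code; the rolling-code scheme is a simplified HMAC model,
not HCS301/KeeLoq)."""
import hashlib
import hmac

WINDOW = 16  # assumed resynchronisation look-ahead for the rolling receiver


class StaticCodeReceiver:
    """EV1527-style receiver: accepts any frame whose address was learned.
    It has no way to tell a recording from the remote."""

    def __init__(self):
        self.learned = set()

    def learn(self, address: int) -> None:
        self.learned.add(address)

    def accept(self, frame) -> bool:
        address, _data = frame
        return address in self.learned


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    """Authenticator over (serial, counter); 4 bytes keeps the frame short."""
    return hmac.new(key, f"{serial}:{counter}".encode(), hashlib.sha256).digest()[:4]


class RollingCodeRemote:
    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self):
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly
    ahead of the last accepted one, within WINDOW. A replayed frame fails the
    counter check; a forged frame fails the tag check."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def learn(self, serial: int, key: bytes) -> None:
        self.keys[serial] = key
        self.last_counter[serial] = -1

    def accept(self, frame) -> bool:
        serial, counter, tag = frame
        key = self.keys.get(serial)
        if key is None:
            return False
        if not hmac.compare_digest(_tag(key, serial, counter), tag):
            return False
        last = self.last_counter[serial]
        if not (last < counter <= last + WINDOW):
            return False  # replayed, or too far ahead to resynchronise
        self.last_counter[serial] = counter
        return True


def replay_attack_results():
    """Returns ((legit, replay) for the static receiver, (legit, replay) for the
    rolling receiver)."""
    static_rx = StaticCodeReceiver()
    static_rx.learn(0xFF5F7)
    captured = (0xFF5F7, 1)  # code the page reports for transmitter A, button A
    static = (static_rx.accept(captured), static_rx.accept(captured))

    key = bytes(range(16))  # constructed pairing key
    remote = RollingCodeRemote(serial=0x1F40C, key=key)
    rolling_rx = RollingCodeReceiver()
    rolling_rx.learn(remote.serial, key)
    captured = remote.press()
    rolling = (rolling_rx.accept(captured), rolling_rx.accept(captured))
    return static, rolling


if __name__ == "__main__":
    print(replay_attack_results())
```

The window matters in practice: a remote pressed out of range advances its counter without the receiver seeing it, so the receiver must accept a counter somewhat ahead of the last one, but never one equal to or behind it. That single comparison is what the static-code receiver lacks.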
This publication analyzes in detail the vulnerability of the EV1527 protocol, widely used in simple remote-control systems, to this type of attack. The laboratory study demonstrates how a replay attack can be carried out using specialized equipment, thereby confirming the critical vulnerability of the protocol.

The importance of this research cannot be overstated, as it highlights fundamental security flaws in static code-based systems. The conclusions we have reached provide a strong argument in favor of moving from outdated technologies to more modern and secure solutions. Systems using dynamic codes, such as HCS301, provide a significantly higher level of security by using cryptographic data protection techniques that make such attacks difficult or even impossible.

However, the transition to safer technologies must be deliberate and systematic. It is necessary to consider not only the security of protocols but also the specifics of their application, the convenience of end users, and the cost of implementation. In some cases, the use of general-purpose or specialized protocols that include complex security mechanisms may be more appropriate. This is especially applicable to critical infrastructure facilities, which undoubtedly need to be well protected and resilient from a cybersecurity perspective [21].

Considering the research conducted, it can be concluded that the security of remote-control systems is a critical aspect that requires immediate attention. The choice of equipment and technologies should be based not only on their effectiveness and ease of use but also on ensuring an adequate level of security. The use of dynamic codes and cryptographic protocols is a key step towards protecting remotely controlled systems from unauthorized access.

References

[1] M. TajDini, V. Sokolov, P. Skladannyi, Performing Sniffing and Spoofing Attack Against ADS-B and Mode S using Software Define Radio, in: IEEE International Conference on Information and Telecommunication Technologies and Radio Electronics (2021) 7–11. doi: 10.1109/UkrMiCo52950.2021.9716665.
[2] M. TajDini, V. Sokolov, V. Buriachok, Men-in-the-Middle Attack Simulation on Low Energy Wireless Devices using Software Define Radio, in: 8th International Conference on "Mathematics. Information Technologies. Education": Modern Machine Learning Technologies and Data Science, vol. 2386 (2019) 287–296.
[3] R. Banakh, A. Piskozub, Attackers' Wi-Fi Devices Metadata Interception for Their Location Identification, in: IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (2018) 112–116. doi: 10.1109/IDAACS-SWS.2018.8525538.
[4] Building a Poor Man's Quarter-Wave 433MHz Antenna: Antenna's Construction, Element14. URL: https://community.element14.com/challenges-projects/project14/rf/b/blog/posts/building-a-poor-man-s-quarter-wave-433mhz-antenna-antenna-s-construction
[5] Small Range Radio Equipment Operating in the Frequency Range from 25 MHz to 1000 MHz, Part 1. Technical Characteristics and Test Methods, DSTU ETSI EN 300 220-1:2018 (2018).
[6] V. Sokolov, P. Skladannyi, N. Korshun, ZigBee Network Resistance to Jamming Attacks, in: IEEE 6th International Conference on Information and Telecommunication Technologies and Radio Electronics (2023) 161–165. doi: 10.1109/UkrMiCo61577.2023.10380360.
[7] V. Sokolov, P. Skladannyi, A. Platonenko, Jump-Stay Jamming Attack on Wi-Fi Systems, in: IEEE 18th International Conference on Computer Science and Information Technologies (2023) 1–5. doi: 10.1109/CSIT61576.2023.10324031.
[8] V. Sokolov, P. Skladannyi, V. Astapenya, Bluetooth Low-Energy Beacon Resistance to Jamming Attack, in: IEEE 13th International Conference on Electronics and Information Technologies (2023) 270–274. doi: 10.1109/ELIT61488.2023.10310815.
[9] Gqrx SDR: Open Source Software Defined Radio by Alexandru Csete OZ9AEC. URL: https://www.gqrx.dk/
[10] jopohl/urh: Universal Radio Hacker: Investigate Wireless Protocols Like a Boss, GitHub. URL: https://github.com/jopohl/urh
[11] History of Remote Control, Wikipedia. URL: https://en.wikipedia.org/wiki/Remote_control#History
[12] I. Opirskyy, et al., Security Research of Bluetooth Devices Based on Smart Watches, Ukrainian Sci. J. Inf. Secur. 29(1) (2023). doi: 10.18372/2225-5036.29.17548.
[13] What is the History of the Remote Control? HowStuffWorks. URL: https://science.howstuffworks.com/innovation/everyday-innovations/remote-control-history.htm
[14] S. Yevseiev, et al., Method of Assessment of Frequency Resolution for Aircraft, Eastern-European J. Enterprise Technol. 2, no. 9(122) (2023) 34–45. doi: 10.15587/1729-4061.2023.277898.
[15] Small Range Radio Equipment Operating in the Frequency Range from 25 MHz to 1000 MHz, Part 2. General Technical Requirements, DSTU ETSI EN 300 220-2:2017 (2019).
[16] NanoVNA-Saver/nanovna-saver: A Tool for Reading, Displaying and Saving Data from the NanoVNA, GitHub. URL: https://github.com/NanoVNA-Saver/nanovna-saver
[17] NanoVNA: Very Tiny Handheld Vector Network Analyzer. URL: https://nanovna.com/
[18] scikit-rf/scikit-rf: RF and Microwave Engineering Scikit, GitHub. URL: https://github.com/scikit-rf/scikit-rf
[19] Rec 70-03, Relating to the Use of Short-Range Devices (SRD), Montreux: CEPT (1997).
[20] Princeton Technology Corp., PT2262 Remote Control Encoder, LCSC. URL: https://datasheet.lcsc.com/lcsc/1809291408_PTC-Princeton-Tech-PT2262-S_C42793.pdf
[21] S. Yevseiev, et al., Modeling of Security Systems for Critical Infrastructure Facilities (2022). doi: 10.15587/978-617-7319-57-2.