We have improved the usage of the Brute Force functionality in all products of the PandwaRF Rogue family.
As you may already know, the PandwaRF Rogue Brute Force attack consists of sending every possible codeword value to a target device in order to find the "magic codeword" that makes the target disarm/open/etc.
To find this magic codeword, the attacker (you) follows these steps:
1. The attacker creates, or selects from the list of supported devices (Rogue Gov variant only), the brand/model of the device to attack.
2. PandwaRF Rogue generates a brute force pattern and computes all the possible codewords, from the start value to the stop value:
   - excluding the parts of the codeword that do not change, such as the header, the function value (ARM/DISARM/OPEN, ...), etc.
   - varying only the changing parts (typically the serial number or device ID)
   - so the generated codewords are optimized: PandwaRF Rogue does not transmit redundant codewords.
   - Please refer to Android Brute Force Tutorial & Brute Forcing a RF Device: A Step-by-Step Guide for more information.
3. PandwaRF Rogue transmits the possible codewords one after the other. This can take from a few minutes to several days, depending on the device to attack.
   - If the BF duration is above a few hours, we do not recommend the BF attack but rather the capture-analyze-invert-transmit type of attack, aka the Function Inversion attack.
   - Please refer to PandwaRF Rogue Gov Demo: Analyzing and Transforming Captured Data From A Device for more information.
4. All generated codes are constructed and sent from the lowest value to the highest value.
5. The attacker must have a visual confirmation of the attack's success in order to halt the process and find the codeword value that opened/disarmed/whatever the target.
6. The attacker must then manually go back a significant number of codes (generally hundreds or thousands) and restart the BF from there to get a better estimate of the target codeword.
7. After several back-and-forth attempts, the start/stop range should have been reduced so that it takes only a few seconds, and the attacker has a fairly good idea of the magic codeword value.
Since the beginning of the Brute Force feature, PandwaRF Rogue could only perform the codeword attack in ascending order, so steps 6-7 above were quite unfriendly.
Since Android App release 1.13.0, PandwaRF Rogue supports backward brute force, which may seem trivial or not very useful at first glance but in fact makes steps 6-7 above quite fast.
Using a classic dichotomy-style search, the attacker can navigate forward/backward in the codeword space and progressively reduce the brute force time while searching for the magic codeword.
Since an example is worth a thousand words:
- The attacker (you) wants to attack a home alarm (target) which is disarmed by transmitting the "magic codeword" 12345.
- Of course, the attacker doesn't know what the magic codeword is.
- The attacker starts the BF from 0 to 65535.
- When PandwaRF Rogue transmits codeword 12345, the alarm beeps, indicating it is disarmed.
- But as the attacker doesn't react immediately, PandwaRF continues the BF process and the codeword keeps increasing.
- The attacker pauses the BF at codeword value 13678 and clicks "Backward BF 1000", which performs a BF from 13678 down to 12678 (13678 - 1000).
- Since codeword 12345 has not been transmitted, nothing happens.
- The attacker clicks "Backward BF 1000" again, which performs a BF from 12678 down to 11678 (12678 - 1000).
- The alarm beeps because codeword 12345 has been transmitted.
- The attacker clicks "Forward BF 100" several times, which performs BFs from 11678 to 12278 in steps of 100. Nothing happens.
- The attacker clicks "Forward BF 100" once more, which performs a BF from 12278 to 12378.
- The alarm beeps because codeword 12345 has been transmitted.
- Same with "Backward BF 5" & "Forward BF 5" until the alarm beeps.
- Same with "Backward BF 1" & "Forward BF 1" until the alarm beeps.
- The attacker can stop when the alarm beeps within a few seconds after the BF has started.
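The procedure above, as an added simulation (example code written for this page, not part of the PandwaRF app or firmware): `Target` and `Transmitter` are stand-ins for the alarm and the PandwaRF Rogue, the attacker's reaction delay is modelled as the number of extra codewords sent before the BF is paused, and the chunk sizes default to the buttons used in the walkthrough (1000, 100, 5, 1). Codewords are plain integers here, i.e. only the changing part of the real codeword that the BF pattern varies; the fixed header/function bits are out of scope. One difference from the walkthrough: chunks are half-open, so a boundary codeword such as 12678 is sent once, not twice. The generalisation beyond the page's numbers (magic codeword at either end of the range, an instant reaction, a range that does not contain the codeword) is mine.

```python
"""Simulation of the Backward/Forward Brute Force narrowing (added example)."""


class Target:
    """A device that 'beeps' when it receives its magic codeword (constructed stand-in)."""

    def __init__(self, magic):
        self.magic = magic

    def receive(self, codeword):
        return codeword == self.magic


class Transmitter:
    """Stand-in for the PandwaRF Rogue BF engine: counts every codeword sent."""

    def __init__(self, target):
        self.target = target
        self.sent = 0

    def run(self, start, stop):
        """Transmit every codeword from start to stop inclusive, in either
        direction (a Forward/Backward BF button press). True if the target beeped."""
        step = 1 if stop >= start else -1
        beeped = False
        for cw in range(start, stop + step, step):
            self.sent += 1
            beeped |= self.target.receive(cw)
        return beeped

    def sweep_until_noticed(self, start, stop, reaction_delay):
        """Ascending BF from start to stop. The attacker notices the beep only
        after reaction_delay more codewords have gone out (bounded by stop)
        and then pauses. Returns the codeword the BF was paused at, or None."""
        remaining = None
        for cw in range(start, stop + 1):
            self.sent += 1
            if self.target.receive(cw):
                remaining = reaction_delay
            if remaining is not None:
                if remaining == 0 or cw == stop:
                    return cw
                remaining -= 1
        return None


def narrow(tx, lo, hi, pos, steps=(1000, 100, 5, 1)):
    """Pin down the magic codeword, known to lie in [lo, hi], where pos (== lo or
    == hi) is the last codeword transmitted. Each pass sweeps the interval away
    from pos in chunks of `step` (repeated "Backward BF <step>" or "Forward BF
    <step>") and keeps the chunk in which the target beeped. A pass that never
    beeps means the only candidate not re-sent, pos itself, is the magic codeword.
    Returns (lo, hi); lo == hi when the step list ends in 1."""
    for step in steps:
        if lo == hi:
            break
        if pos == hi:                       # Backward BF <step>, repeated
            while pos > lo:
                chunk_lo = max(lo, pos - step)
                if tx.run(pos - 1, chunk_lo):
                    lo, hi, pos = chunk_lo, pos - 1, chunk_lo
                    break
                pos = chunk_lo
            else:
                lo = hi                     # swept [lo, hi-1] without a beep
        else:                               # Forward BF <step>, repeated
            while pos < hi:
                chunk_hi = min(hi, pos + step)
                if tx.run(pos + 1, chunk_hi):
                    lo, hi, pos = pos + 1, chunk_hi, chunk_hi
                    break
                pos = chunk_hi
            else:
                hi = lo                     # swept [lo+1, hi] without a beep
    return lo, hi


def find_magic(magic, reaction_delay, start=0, stop=65535, steps=(1000, 100, 5, 1)):
    """Whole attack as in the walkthrough: one ascending sweep until the attacker
    notices the beep, then backward/forward narrowing.
    Returns (lo, hi, codewords_transmitted); lo and hi are None if the magic
    codeword is outside [start, stop]."""
    tx = Transmitter(Target(magic))
    pos = tx.sweep_until_noticed(start, stop, reaction_delay)
    if pos is None:
        return None, None, tx.sent
    lo, hi = narrow(tx, start, pos, pos, steps)
    return lo, hi, tx.sent


if __name__ == "__main__":
    # The page's example: magic 12345, attacker pauses at 13678 (1333 codewords late).
    lo, hi, sent = find_magic(12345, 1333)
    print(f"magic codeword in [{lo}, {hi}] after {sent} transmissions")
```

The transmission count is what the feature buys you: the example's run costs the initial sweep plus a few thousand extra codewords, against the 65536 of a full pass or the repeated restarts of the ascending-only workflow. The `for ... else` branches matter for the boundary cases the walkthrough glosses over, such as reacting instantly (the paused codeword is the magic one and no chunk ever beeps again).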
And as a video is worth a thousand examples, here is the link: PandwaRF Rogue Backward/Forward Brute Force