Academic paper: hacking with RF replay attacks

If you’re new to RF hacking you may have heard the term “replay attack” and wondered what it takes to implement one. In this academic presentation, Practicing a Record-and-Replay System on USRP, a group of researchers from the Shenzhen Key Lab of Advanced Communications and Information Processing and Shenzhen University give a succinct and practical explanation of just how easy these attacks are. While this paper uses the costly USRP from Ettus, we found this attack just as effective using Michael Ossmann’s reasonably priced open source HackRF transceiver.

Essentially, with GNU Radio installed on your Linux machine and a HackRF attached you can easily record a chunk of RF spectrum to a file and later replay this file as the input to a transmitter (“sink”) block to exactly recreate the signal conditions over the air. The Shenzhen research paper demonstrates how to use this to replay FM broadcast signals as well as GPS. (We verified this works with a garage door opener of our own, one that did not use rolling-code security.) Good explanation of a practical RF hacking technique.
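The garage-door note above is the crux of the defensive picture: a recorded transmission only works a second time if the receiver has no notion of freshness. The following simulation is an added example (not code from the Shenzhen paper or from Hackaday) that contrasts a fixed-code receiver with a rolling-code receiver. The frame layout, the HMAC-based tag, the shared key and the resync window are all constructed for illustration; real rolling-code schemes such as KeeLoq encrypt the counter with a block cipher instead, but the freshness check is the part that makes a replayed recording fail.

```python
"""Why a replayed recording opens a fixed-code receiver but not a rolling-code one.

Added example; not from the paper or the blog.  Key, frame format and
window size are constructed for illustration only.
"""
import hashlib
import hmac


class FixedCodeReceiver:
    """Receiver that opens whenever the stored code matches.

    Any recording of a valid transmission can be replayed indefinitely,
    which is exactly the weakness a record-and-replay test exercises.
    """

    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Receiver that requires a fresh, authenticated counter.

    Frame layout (constructed for this example): 4-byte big-endian
    counter || 8-byte truncated HMAC-SHA256 over the counter.
    """

    WINDOW = 16  # how far ahead a counter may jump (missed button presses)

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        tag = frame[4:]
        # Freshness: a replayed frame carries a counter that was already consumed.
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False
        # Authenticity: the tag must verify under the pairing key.
        expected = hmac.new(self.key, frame[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = counter  # advance only after a valid frame
        return True


class RollingCodeRemote:
    """Transmitter paired with RollingCodeReceiver (shares key and counter)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        counter_bytes = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, counter_bytes, hashlib.sha256).digest()[:8]
        return counter_bytes + tag


def replay_outcomes() -> dict:
    """Record one legitimate frame for each receiver, then feed it back.

    The captured bytes stand in for the recorded RF file; the returned
    dict holds each receiver's accept/reject decision.
    """
    fixed_code = b"\x2a\x5c\x1e\x07"  # constructed fixed code
    fixed_rx = FixedCodeReceiver(fixed_code)

    key = b"example-pairing-key-not-a-real-one"  # constructed shared key
    rolling_rx = RollingCodeReceiver(key)
    rolling_tx = RollingCodeRemote(key)

    fixed_capture = fixed_code            # recorded legitimate press
    rolling_capture = rolling_tx.press()  # recorded legitimate press

    return {
        "fixed_live": fixed_rx.accept(fixed_capture),
        "fixed_replay": fixed_rx.accept(fixed_capture),
        "rolling_live": rolling_rx.accept(rolling_capture),
        "rolling_replay": rolling_rx.accept(rolling_capture),
        # A later genuine press still works after the replay was rejected.
        "rolling_next_press": rolling_rx.accept(rolling_tx.press()),
        # A plausible counter without the key fails the tag check.
        "rolling_forged": rolling_rx.accept((3).to_bytes(4, "big") + bytes(8)),
    }


if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}")
```

Running the script shows the fixed-code receiver accepting the capture both times, while the rolling-code receiver accepts the live frame, rejects the identical replay, and still accepts the remote's next genuine press.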
