Context and objective of the project
In that practical laboratory we had to perform a security analysis on a garage door.
The objective of this lab was to understand how the radio signal worked, to intercept the communication, and to put in evidence the need to protect sensitive systems against hacking.
The tools used
- Material: HackRF One & telescopic antenna
- OS: Kali Linux via Live CD
- Software: Universal Radio Hacker (URH) and the
hackrf_transferutility
Signal Interception
The first step of our audit was to isolate the frequency used by the garage door remote. Most consumer garage doors operate on the ISM (Industrial, Scientific, and Medical) radio bands, typically around 433.92 MHz.
Using the HackRF One, we initiated a listening phase to capture the raw radio frequency data while the legitimate remote button was being pressed. We used the following command to record the signal into a file:
hackrf_transfer -r capture_garage.raw -f 433920000 -s 8000000
Analysis with Universal Radio Hacker (URH)
Once the raw signal was captured, we imported the .raw file into URH to visualize and decode the waveforms.
By zooming in on the signal spectrum, we could clearly observe the modulation technique used by the manufacturer. In this case, it was OOK (On-Off Keying) / ASK (Amplitude Shift Keying), which is extremely common in older or cheaper remote controls.
URH allowed us to separate the background noise from the actual data and identify the binary sequence (the physical 1s and 0s) that constituted the “open” command.
The Replay Attack
Since we successfully intercepted the unencrypted radio signal, we proceeded with a classic Replay Attack. This consists of broadcasting the exact same recorded signal back to the garage door receiver to trick it into opening.
We used the HackRF One to transmit our captured file with a high enough gain (-x 47):
hackrf_transfer -t capture_garage.raw -f 433920000 -s 8000000 -a 1 -x 47
The attack was highly successful: the garage door opened without needing the original remote control.
Conclusion and Mitigation
This laboratory highlighted a critical security flaw in basic RF systems: the lack of dynamic authentication. The targeted remote was using a fixed code, meaning the exact same sequence of bits is sent every single time the button is pressed.
How to secure this infrastructure? Modern and secure access systems prevent this type of attack by implementing Rolling Codes (such as the Keeloq algorithm). With a rolling code, the signal changes mathematically every time the button is pressed. Even if an attacker successfully intercepts the signal, that specific code becomes invalid immediately after its first use, rendering replay attacks completely ineffective.