Sunday, 13 January 2008

IR DoS: Wake Up!

A lot of virtual ink has flowed over Gizmodo's confession about the stunt they pulled with a TV-B-Gone, with most of the recent articles describing it as anything from unprofessional to a crime. Before I continue, a small disclaimer: «I don't condone what happened, don't approve of it and certainly would not recommend that this be done».

What Gizmodo pulled off is a very basic DoS (denial of service) attack. It is achievable because the right control codes are so easy to obtain. The root causes are that most of these systems work with «open» and well-documented code sets (many manufacturers use the same code for turning off all of their devices, so a controller from one manufacturer can turn off every device from that same manufacturer) and a primal flaw in the security of the wireless communication protocol itself. A TV-B-Gone, like a universal remote, works on the premise that a remote control's IR sequences are easy to learn, store and replay. Those sequences are exactly the codes that control the target device, so whoever can replay them controls the device.

So where is the problem? The receiving device does not validate the issuer. The receiver sits in open listen mode, so any IR sequence that is correctly formatted and contains the right code will activate the associated command. There is no handshake or confirmation between the receiver and the emitter.

With their DoS attack, Gizmodo demonstrated that this one-way command issuance is a real security flaw, and one that could be avoided by not using such an open, unidirectional protocol. Manufacturers could close it with simple methods such as encrypting the protocol, adding a handshake, using a knocking protocol or some other form of authentication between the transmitter and the receiver. One caveat: encryption alone does not stop a replay, because an encrypted power-off sequence that the receiver accepts twice is still a power-off sequence. What actually defeats a learn-and-replay device is freshness (a challenge from the receiver, a counter or a rolling code) bound to a transmitter the receiver can authenticate.
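To make the flaw and the fix concrete, here is an added example (not code from Gizmodo, TV-B-Gone or any manufacturer) that models both receivers: the open listener described above, which executes any well-formed frame carrying the right code, and a hardened variant that issues a fresh nonce and only executes a frame accompanied by an HMAC over that nonce. The IR framing follows the NEC format (8-bit address, its inverse, 8-bit command, its inverse); the receiver address, the command codes and the shared key are made-up values, and the idea that a key is shared at pairing time is an assumption of this example.

```python
"""Open-listen IR receiver versus a challenge-response receiver (added example).

NEC framing (addr, ~addr, cmd, ~cmd) is real; the address 0x20, the command
codes, the shared key and the pairing step are constructed for this example.
"""
import hashlib
import hmac
import secrets

POWER_OFF = 0x1C   # constructed code; real vendors use their own values
VOL_UP = 0x10      # constructed code


def nec_encode(address: int, command: int) -> int:
    """Build the 32-bit NEC payload: addr, ~addr, cmd, ~cmd."""
    for v in (address, command):
        if not 0 <= v <= 0xFF:
            raise ValueError("address and command must fit in 8 bits")
    return (address << 24) | ((address ^ 0xFF) << 16) | (command << 8) | (command ^ 0xFF)


def nec_decode(frame: int):
    """Return (address, command), or None if the inverse bytes do not check out."""
    addr, n_addr = (frame >> 24) & 0xFF, (frame >> 16) & 0xFF
    cmd, n_cmd = (frame >> 8) & 0xFF, frame & 0xFF
    if addr ^ n_addr != 0xFF or cmd ^ n_cmd != 0xFF:
        return None
    return addr, cmd


class OpenReceiver:
    """The receiver the post describes: whoever sends a well-formed frame with
    the right address and code gets the command executed."""

    def __init__(self, address: int):
        self.address = address
        self.powered_on = True

    def handle(self, frame: int) -> bool:
        decoded = nec_decode(frame)
        if decoded is None or decoded[0] != self.address:
            return False
        if decoded[1] == POWER_OFF:
            self.powered_on = False
        return True


class AuthenticatedReceiver(OpenReceiver):
    """Hardened variant: the receiver hands out a one-shot nonce (the handshake)
    and executes a frame only if it carries HMAC(key, nonce || frame).
    The nonce is consumed on first use, so a recorded frame+tag cannot be replayed."""

    def __init__(self, address: int, key: bytes):
        super().__init__(address)
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    @staticmethod
    def tag(key: bytes, nonce: bytes, frame: int) -> bytes:
        return hmac.new(key, nonce + frame.to_bytes(4, "big"), hashlib.sha256).digest()

    def handle_authenticated(self, frame: int, tag: bytes) -> bool:
        nonce, self.pending = self.pending, None          # one-shot, even on failure
        if nonce is None or not hmac.compare_digest(tag, self.tag(self.key, nonce, frame)):
            return False
        return self.handle(frame)


def paired_remote_send(rx: AuthenticatedReceiver, key: bytes, command: int):
    """What a legitimate, key-holding remote transmits; both values are visible
    to anyone pointing an IR receiver at the room."""
    nonce = rx.challenge()
    frame = nec_encode(rx.address, command)
    return frame, AuthenticatedReceiver.tag(key, nonce, frame)


def open_receiver_replay(address: int = 0x20) -> bool:
    """TV-B-Gone style: replay a learned POWER_OFF frame. True if the set went off."""
    tv = OpenReceiver(address)
    captured = nec_encode(address, POWER_OFF)            # learned from the vendor's remote
    return tv.handle(captured) and not tv.powered_on


def authenticated_receiver_replay(address: int = 0x20) -> dict:
    """Same attacker against the challenge-response receiver."""
    key = secrets.token_bytes(32)                        # shared at pairing time (assumption)
    tv = AuthenticatedReceiver(address, key)
    frame, tag = paired_remote_send(tv, key, VOL_UP)     # legitimate press, eavesdropped
    legit = tv.handle_authenticated(frame, tag)
    replay = tv.handle_authenticated(frame, tag)         # replay with no nonce outstanding
    tv.challenge()                                       # attacker provokes a fresh nonce
    replay_after_challenge = tv.handle_authenticated(frame, tag)
    tv.challenge()
    forged = tv.handle_authenticated(nec_encode(address, POWER_OFF), bytes(32))
    return {"legit": legit, "replay": replay, "replay_after_challenge": replay_after_challenge,
            "forged": forged, "still_on": tv.powered_on}
```

The cost the post mentions is visible here: the hardened receiver needs a secret per device, a transmitter of its own to send the challenge, and a pairing step, none of which a one-way IR photodiode provides. It also does nothing against jamming, so a flooding attacker can still deny service; it only stops a learn-and-replay gadget from driving the device.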

Unfortunately this then becomes a debate between security, complexity, production cost and return on investment. This attack may actually wake manufacturers up and get them to address the flaw. To show how serious this can eventually get, it appears a kid in Poland managed to crash trams with an IR hack.