How to Reverse Engineer, Sniff & Bruteforce Vulnerable RF Adult Toys with WHID Elite

Expert Luca Bongiorni was looking for new targets to test WHID Elite’s Radio Hacking capabilities and found an interesting one: an Electrocuting Cock Ring.

Last week I was looking for new targets to test WHID Elite’s Radio Hacking capabilities and suddenly found an interesting one: an Electrocuting Cock Ring. Yes, you read that correctly (is there anything you cannot find on Amazon…).

Long story short: the new toy arrived home yesterday, and guess what? No rolling code, no MSK/FSK/GMSK or other exotic modulations… just classic 433 MHz Amplitude Shift Keying (ASK) with On-Off Keying (OOK). Which, translated for the non-RF folks, means it is easy to:

  • Sniff
  • Replay
  • And of course… Fuzz.

First of all, I followed the usual reverse-engineering approach I use for investigating new RF devices and turned on the winning combination LimeSDR/RTL-SDR + URH. (Disclaimer: since I was focusing on the RF side, I started with the RF analysis. Had it not led to any low-hanging fruit, I would have moved on to the hardware reverse-engineering approach: teardown, BoM enumeration and fingerprinting, FCC ID hunting, etc. Luckily for my scarce spare time, I did not need it.)

As you can see, the center frequency is around 433 MHz, which is a standard frequency for commercial consumer-grade RF devices.

From the spectrogram we can clearly see that the modulation is ASK, despite some harmonics on the sides (most likely caused by the low-cost transmitter used by the manufacturer).

Now we need to decode the packets to confirm that we are really dealing with ASK and, eventually, to confirm the sub-modulation type (i.e. OOK, in my assumption).

As you can see, URH successfully managed to decode the packets (with minor tweaking of the Error Tolerance and Bit Length parameters).

Now that we have the binary sequence, we can clearly see the duty cycle of this RF device’s symbols, where a:

  • 1 is encoded as 1110
  • 0 is encoded as 1000

No preamble. No ACK packet from the receiving unit. Just a simple broadcast packet, always repeating itself. Which allows us to eliminate the rolling-code assumption.

With all these data we can finally compose the packet that is transmitted to trigger the Vibration mode:

Now we are ready to give it a try with the Standalone Firmware of WHID Elite and see if it is able to decode them too.

As assumed, WHID Elite can perfectly sniff and decode the packets. In the image above you can see the two types of packets:

  • 14656516 Vibration Mode
  • 14656520 Electroshock Mode

As you can easily spot, the decimal distance between the two types of packets is just a matter of a few integers. Which means we can easily fuzz, and thus exhaust, the space between them with the main WHID Elite firmware.
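A small codec for the line code decoded above (1 → 1110, 0 → 1000) and for the two frame values WHID Elite reported, added here as an example; it is not code from the post, from WHID Elite or from URH. It assumes 24-bit frames separated by idle gaps of 0 chips (both decimal values on the page fit in 24 bits); the chip mapping and the two values are the ones the post gives.

```python
from typing import List

CHIP_ONE = "1110"    # chips sent for a data bit 1 (as decoded in the post)
CHIP_ZERO = "1000"   # chips sent for a data bit 0 (as decoded in the post)
FRAME_BITS = 24      # assumption: 24-bit frames; both values on the page fit
VIBRATION = 14656516      # frame value shown in the post (0xDFA404)
ELECTROSHOCK = 14656520   # frame value shown in the post (0xDFA408)

def encode_frame(value: int, nbits: int = FRAME_BITS) -> str:
    """Expand a frame value into its OOK chip stream, MSB first."""
    if not 0 <= value < (1 << nbits):
        raise ValueError("value does not fit in the frame")
    return "".join(CHIP_ONE if b == "1" else CHIP_ZERO
                   for b in format(value, f"0{nbits}b"))

def decode_chips(chips: str, nbits: int = FRAME_BITS) -> int:
    """Map one frame's chip stream back to its integer value."""
    if len(chips) != nbits * 4:
        raise ValueError("truncated or oversized frame")
    value = 0
    for i in range(0, len(chips), 4):
        sym = chips[i:i + 4]
        if sym not in (CHIP_ONE, CHIP_ZERO):
            raise ValueError(f"unknown symbol {sym!r} at chip {i}")
        value = (value << 1) | (sym == CHIP_ONE)
    return value

def split_frames(capture: str, nbits: int = FRAME_BITS) -> List[int]:
    """Cut a raw capture into frames: a frame starts at the first 1 chip
    after an idle gap and spans nbits*4 chips; 0 chips in between are idle."""
    frames, i, span = [], 0, nbits * 4
    while i < len(capture):
        if capture[i] == "0":
            i += 1
            continue
        frames.append(decode_chips(capture[i:i + span], nbits))
        i += span
    return frames

def differing_bits(a: int, b: int, nbits: int = FRAME_BITS) -> List[int]:
    """Bit positions (0 = LSB) at which two frame values differ."""
    return [i for i in range(nbits) if (a ^ b) >> i & 1]

def is_static_code(frames: List[int]) -> bool:
    """True when every repetition carries the same value, i.e. no rolling code."""
    return len(set(frames)) == 1

# Constructed capture: the vibration frame broadcast three times with idle gaps.
CAPTURE = ("0" * 8 + encode_frame(VIBRATION)) * 3 + "0" * 8
```

Running `split_frames(CAPTURE)` yields the same value three times, which is the repeating-broadcast behaviour that rules out a rolling code; `differing_bits` shows the two commands differ only in bits 2 and 3.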

Therefore, no more text to read: enjoy the audio/video 🙂

Keep an eye on my Twitter (https://twitter.com/WHID_Injector): soon I will run a GIVEAWAY for a full set of WHID Elite!

For the sake of information though, the internal TX is a SYN470R. According to its datasheet, it is a single-chip ASK/OOK (On-Off Keyed) RF receiver IC, which once again confirms the whole RF analysis.

About the author: Luca Bongiorni

Luca works as a Principal Offensive Security Engineer and in his spare time is involved in InfoSec, where his main fields of research are radio networks, hardware reverse engineering, hardware hacking, Internet of Things and physical security. He also loves to share his knowledge and present cool projects at security conferences around the globe. At the moment he is focusing his research on bypassing biometric access control systems, ICS security and air-gapped environments.

Pierluigi Paganini

(SecurityAffairs – Adult Toys, WHID Elite)
