Tag Archives: EnOcean

Security risk Smart Home – The Lives of Others

During IT Flash Paderborn #3 I gave a short presentation and demo concerning security risk smart home. With the described passive attack you can profile all residents of the smart home. And with the described active attack you can manipulate the smart home and the devices used there.

Picture of the film 'The Lives of Others'

From the movie ‘The Lives of Others’

In one of my previous blog post I described how to run a passive attack on a smart home in context of the protocol EnOcean. With the collected information you can set up a profile of all people living in this home.

For the passive attack I used a new tool that I own for a few weeks now: HackRF One. It’s an typical piece of hardware that you can use in context of Software Defined Radio (SDR). You can see this helpful tool on the following picture (Source: Great Scott Gadgets):

Picture of HackRF One

HackRF One

HackRF One was initiated as a Kickstarter project a few years ago and is used by a large community in the area of reengineering protocols. In my demonstration I used HackRF One on the one hand to find the exact frequency that is used by the EnOcean devices that I used. And on the other hand I used HackRF One to capture and replay the EnOcean telegram.

In a first step you need the exact frequency that is used by your EnOcean stuff. To find this frequency I used the tool gqrx. Gqrx is an open source software defined radio receiver powered by the project GNU Radio. The tool allows visualizing frequencies that are used in your environment. For example: EnOcean is works on 868 MHz, but gqrx helps you to find the exact frequency of this protocol, in my case: 868,290 MHz. The following screenshot shows the way gqrx works (Source gqrx-website):

Screenshot of gqrx

Screenshot of gqrx

As soon as you have found the exact frequency, you can use the software distributed with HackRF one to capture and to replay the messages in your smart home. In the demonstration I used a pushed button and a light actuator adapter to visualize the attack.

In case of EnOcean there are mechanisms to protect against these attacks available. One of these mechanisms is called ‘Rolling Code’ where telegrams are encrypted which makes the capture and replay attack above useless. The following command stores the traffic in a file:

hackrf_transfer -t switch.raw -f 869290000

Once the traffic is stored in a file, you can send this information again (capture and replay) with your HackRF One with the following command:

hackrf_transfer -t switch.raw -f 869290000 -x 47

You can find some more information in the slides of presentation. As you can see, smart home devices should be used carefully if you want to protect your privacy. Today it’s very easy to collect and manipulate a smart home. So always keep in mind the security risk smart home when you plan your smart home.

Sending EnOcean telegram

EnOcean is an energy harvesting wireless technology used primarily in building automation systems and smart homes. All modules based on this technology combine on the one hand micro energy converters with ultra low power electronics, and on the other hand enable wireless communications between battery-less wireless sensors, actors and even gateways. The communication is based on so called ‘EnOcean telegram’. Since 2012 the EnOcean standard is specified as the international standard ISO/IEC 14543-3-10.

The EnOcean Alliance is an association of several companies to develop and promote Logo of EnOCeanself-powered wireless monitoring and control systems for buildings by formalizing the interoperable wireless standard. On their website the alliance offers some of their technical specifications for everybody.

To send an EnOcean telegram you need a piece of hardware connected to your host, e.g. an EnOcean USB300 USB Stick for your personal computer or an EnOcean Pi SoC-Gateway TRX 8051 for your Raspberry Pi. In this sample we use the USB300 to send a telegram using a small piece of software implemented in Java. The following photography shows an USB300 stick:

EnOcean USB300 Stick used to send EnOcean telegram

EnOcean USB300 Stick

The EnOcean radio protocol (ERP) is optimised to transmit information using extremely little power generated e.g. by piezo elements. The information sent between two devices is called EnOcean telegram. Depending on the EnOcean telegram type and the function of the device the payload is defined in EnOcean Equipment Profiles (EEP). The technical properties of a device define three profile elements:

  1. The ERP radio telegram type: RORG (range: 00…FF, 8 Bit)
  2. Basic functionality of the data content: FUNC (range 00…3F, 6 Bit)
  3. Type of device in its individual characteristics: TYPE (range 00…7F, 7 Bit)

Since version 2.5 of EEP the various Radio-Telegram types are grouped ORGanisationally:

TelegramRORGDescription
RPSF6Repeated Switch Communication
1BSD51 Byte Communication
4BSA54 Byte Communication
VLDD2Variable Length Data
MSCD1Manufacturer Specific Communication
ADTA6Addressing Destination Telegram
SM_LRN_REQC6Smart Ack Learn Request
SM_LRN_ANSC7Smart Ack Learn Answer
SM_RECA7Smart Ack Reclaim
SYS_EXC5Remote Management
SEC30Secure Telegram
SEC_ENCAPS31Secure Telegram with RORG encapsulation

In this context we use the type VLD (Variable Length Data) to have a closer look to EnOcean telegrams. VLD telegrams can carry a variable payload of data. The following graphic shows the structure of on EnOcean telegram (based on EnOcean Serial Protocol 3, short: ESP3):

This graphic describes the structure of an EnOcean telegram

Structure of EnOcean telegram

ESP3 is a point-to-point protocol with a packet data structure. Every packet (or frame) consists of header, data and optional data. As you can see in the structure, the length of the complete telegram is encoded in the header with two bytes. This suggests a maximum telegram length of 65535 bytes. Unfortunately, the maximum length of such a telegram is reduced to 21 bytes (data) due to limitations of low power electronics. Reduced by overhead information wasted in field data, the resulting net payload has finally a size of 14 Bytes. The following code snippet demonstrates how to send a telegram with 14 bytes payload ’00 11 22 33 44 55 66 77 88 99 AA BB CC DD’. At first we have look at the telegram:

Telegram: 55 00 14 07 01 65 D2 00 11 22 33 44 55 66 77 88 99 AA BB CC DD 00 00 00 00 00 01 FF FF FF FF 44 00 0B
Sync. byte: 55
Header: 00 14 07 01
CRC8 Header 65
Length data: 20 (0x14)
Length optional data: 7 (0x07)
Packet Type: 01
Data: D2 00 11 22 33 44 55 66 77 88 99 AA BB CC DD 00 00 00 00 00
RORG: D2
ID: 00 00 00 00
Status: 00
Data Payload: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD
Optional data: 01 FF FF FF FF 44 00
SubTelNumber: 01
Destination ID: FF FF FF FF
Security: 00
Dbm: 68 (0x44)
CRC8 Data 0B

The following Java code demonstrates one way to send this telegram via USB300. The code snippet uses the library of RXTX to access the serial port.

import java.io.OutputStream;

import gnu.io.CommPort;
import gnu.io.CommPortIdentifier;
import gnu.io.SerialPort;

public class EnOceanSample {
	
	static SerialPort serialPort;
	static String serialPortName = "COM3";

	public static void main(String[] args) {
		
		byte[] sampleTelegram = new byte[] { (byte) 0x55, (byte) 0x00, (byte) 0x14, (byte) 0x07, (byte) 0x01, (byte) 0x65, 
				(byte) 0xD2, (byte) 0x00, (byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, 
				(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x44, (byte) 0x00, (byte) 0x0B};
		
		try {
			CommPortIdentifier portIdentifier = CommPortIdentifier
					.getPortIdentifier(serialPortName);
			if (portIdentifier.isCurrentlyOwned()) {
				System.err.println("Port is currently in use!");
			} else {
				CommPort commPort = portIdentifier.open("EnOceanSample", 3000);
	
				if (commPort instanceof SerialPort) {
					serialPort = (SerialPort) commPort;
	
					// settings for EnOcean:
					serialPort.setSerialPortParams(57600, SerialPort.DATABITS_8,
							SerialPort.STOPBITS_1, SerialPort.PARITY_NONE);
					
					System.out.println("Sending Telegram...");
					OutputStream outputStream = serialPort.getOutputStream();
					outputStream.write(sampleTelegram);
					outputStream.flush();
					outputStream.close();
					serialPort.close();
					System.out.println("Telegram sent");
					
				} else {
					System.err.println("Only serial ports are handled!");
				}
			}
		}
		catch (Exception ex) {
		}
	}
}

On this way it’s not possible to send telegrams with a huge payload. If the information to be sent is longer than the described limit above, you can use a mechanism called ‘chaining’. To chain telegram a special sequence of telegrams is necessary. All protocol steps for chaining are specified in EO3000I_API.

Attention: In Europe EnOcean products are using the frequency 868,3 MHz. This frequency can be used by everybody for free but the traffic is limited, e.g. in Germany where it’s only allowed to send 36 seconds within one hour.

In one of my last blog posts I gave you the know how to receive EnOcean telegrams. Now, based on the information above, you can send your own EnOcean telegram in context of your Smart Home or your IoT environment.

EnOceanSpy as Java version available

In 2013 I’ve released a small tool called EnOceanSpy on github. This tool can be used on a Raspberry Pi (RasPi) to log all incoming EnOcean telegrams and was implemented in C. The following photography describes the composition of Raspberry Pi, EnOcean USB300 stick (and a WakaWaka as a portable power bank):

Raspberry Pi with EnOcean USB300

Raspberry Pi with EnOcean USB300

The post at that time described the usage of this composition.

Now I’ve release a Java implementation of EnOceanSpy also on github: https://github.com/hfunke/org.protocolbench.enoceanspy. This tool logs all incoming EnOcean telegrams as well, but this time in Java. You can set the used <com port name at> the command line and EnOceanSpy logs all incoming telegrams.

And here is a Java code snippet where you can find a way to connect the USB300 stick with RXTX:

    void connect(String portName) throws Exception {
        CommPortIdentifier portIdentifier = CommPortIdentifier
                .getPortIdentifier(portName);
        if (portIdentifier.isCurrentlyOwned()) {
            System.err.println("Port is currently in use!");
        } else {
            CommPort commPort = portIdentifier.open(this.getClass().getName(),
                    3000);

            if (commPort instanceof SerialPort) {
                serialPort = (SerialPort) commPort;

                // settings for EnOcean:
                serialPort.setSerialPortParams(57600, SerialPort.DATABITS_8,
                        SerialPort.STOPBITS_1, SerialPort.PARITY_NONE);

                InputStream in = serialPort.getInputStream();
            
                serialPort.addEventListener(new SerialReader(in));
                serialPort.notifyOnDataAvailable(true);
                
            } else {
                System.err.println("Only serial ports are handled!");
            }
        }
    }

EnOcean allows on the one hand one-way and on the other hand bidirectional communication between devices. Currently most of this communication is not decrypted, so you can read all information communicated via air. There is a first specification to use cryptography for EnOcean protocol. I will give you an overview on this way of encryption in the next time.

Have fun to seek your environment after EnOcean devices 🙂

 

Use RasPi to seek after EnOcean telegrams

During the last months I spent some hours in the specifications of EnOcean telegrams. These telegrams are used in domain of home automation. The EnOcean Alliance publishes all necessary specification on their website. One of the relevant specifications is EnOcean Serial Protocol 3 (ESP3). In this description you can find all information to understand the protocol used by EnOcean.The specification of this protocol is also standardized and published as ISO/IEC 14543-3-10.

If you are interested in collecting telegrams to analyze them and to understand the protocol behind them, the following project may be interesting for you: EnOceanSpy. I’ve hosted this small piece of software on GitHub. It’s written in C and there is a binary version available for Raspberry Pi (RasPi). On this way you can use your RasPi in combination with an USB300 stick. The following photo demonstrates a buildup including a WakaWaka as power source.

RasPi_WakaWaka_USB300EnOcean allows on the one hand one-way and on the other hand bidirectional communication between devices. Currently most of this communication is not decrypted, so you can read all information communicated via air. There is a first specification to use cryptography for EnOcean protocol. I will give you an overview on this way of encryption in the next time.

Have fun to seek your environment after EnOcean devices 🙂

 

Author: .