Recon 2024

Reverse Engineering the PowerG Wireless Protocol
06-29, 15:30–16:00 (US/Eastern), Grand Salon

The PowerG protocol for wireless security systems is proprietary and has no public specification or tooling for analysis. We will present our work on reverse engineering PowerG to understand the protocol, assess its security claims, and identify protocol-level issues. We will also release tooling for capturing PowerG packets with SDRs such as the HackRF, as well as decrypting and analyzing PowerG packets.


We reverse engineered firmware for a PowerG modem based on the CC13x0 chip and TI RTOS.

With this firmware we were able to determine how PowerG RF packets are transmitted, how the protocol's channel hopping works, how different PowerG packet encryption modes work, the header format for RF packets, and the content of several RF message types.

Using a HackRF and GNU Radio, we are able to capture and decode PowerG GFSK transmissions across all 50 of its channels.

For example, we have reversed the pairing process between a PowerG panel and sensor device, and can read the content of all the relevant packets.

See also: Slides (7.3 MB)

Sultan Qasim Khan is a Technical Director at NCC Group, one of the largest security consultancies in the world with over 35 global offices, 2,000 employees and 15,000 clients. Based in Waterloo, Ontario, Canada, he specializes in assessment and development of secure embedded systems and wireless communication protocols. Sultan is experienced working in the land between software and hardware, specializing in the security analysis of embedded systems and wireless protocols from the physical layer up. Sultan is the creator of Sniffle, the first open-source Bluetooth 5 sniffer, Sniffle Relay, the first Bluetooth LE link layer relay attack, and nOBEX, a tool for testing and fuzzing Bluetooth Classic profiles.

James Chambers is a Senior Security Consultant in the NCC Group Hardware & Embedded Systems security practice. He enjoys reverse engineering video games to find opportunities for creative code execution, as well as resurrecting lost features. His past projects include reverse engineering Animal Crossing to discover an unused NES ROM loading feature that could also be used to patch code in memory, fuzzing GameCube games in emulation using Dolphin, and programming a Proxmark to fuzz Amiibo data over NFC.