James Chambers & Sultan Qasim Khan at Hardwear USA 2025

Weaknesses and Vulnerabilities in the PowerG Wireless Radio Protocol

Abstract:

PowerG is a two-way wireless radio protocol developed by Johnson Controls for building security systems. It is used around the world by various popular alarm panels and security sensors. The protocol is proprietary and has no public specification or tooling for analysis. We will present our work on reverse engineering PowerG to understand the protocol, assess its security claims, and identify protocol-level and implementation issues. This talk will include the first public disclosure of a major vulnerability impacting the most common deployments of PowerG, together with descriptions and analyses of PowerG protocol issues we have previously published. Alongside this talk, we will also release tooling for capturing PowerG packets with SDRs such as the HackRF, as well as decrypting and analyzing PowerG packets.

In this talk, we will describe our process of reverse engineering the protocol, including signal analysis using SDR and binary analysis of the PowerG modem firmware running on a CC13x0 chip with TI-RTOS. Through this process, we were able to determine how PowerG RF packets are transmitted, how the protocol's channel hopping works, how the different PowerG packet encryption modes work, the header format for RF packets, and the content of several RF message types. Using a HackRF and GNU Radio, we are able to capture and decode PowerG GFSK transmissions across all 50 of its channels. We will show a capture and analysis of the pairing process between a PowerG panel and a sensor device.

Speaker Bio:

James Chambers is a Senior Security Consultant in the NCC Group Hardware & Embedded Systems security practice. He enjoys reverse engineering video games to find opportunities for creative code execution, as well as resurrecting lost features. His past projects include reverse engineering Animal Crossing to discover an unused NES ROM loading feature that could also be used to patch code in memory, fuzzing GameCube games in emulation using Dolphin, and programming a Proxmark to fuzz Amiibo data over NFC.

Sultan Qasim Khan is a Technical Director in the Hardware and Embedded Systems practice at NCC Group, one of the largest security consultancies in the world. Based in Waterloo, Ontario, Canada, he specializes in the assessment and development of secure embedded systems and wireless communication protocols. Sultan is experienced working in the land between software and hardware, specializing in the security analysis of embedded systems and wireless protocols from the physical layer up. Sultan is the creator of Sniffle, the first open-source Bluetooth 5 sniffer; Sniffle Relay, the first Bluetooth LE link layer relay attack; and nOBEX, a tool for testing and fuzzing Bluetooth Classic profiles.