Exploits via Remotes

General JP1 chit-chat. Developing special protocols, decoding IR signals, etc. Also a place to discuss Tips, Tricks, and How-To's.


bevhoward
Posts: 248
Joined: Fri Jun 24, 2005 2:27 pm

Exploits via Remotes

Post by bevhoward »

The following stories are disturbing, plus the fact that it seems that JP1 technology has the potential to fall directly in the middle of a new and dangerous exploit technology.

http://www.watchguard.com/RSS/showartic ... LaurieDay2

http://www.wired.com/news/privacy/0,184 ... _2polihead

http://www.wired.com/news/print/0,1294,68370,00.html

I'm posting this with the thought of prompting an open discussion on this forum's position as this topic heats up as it is likely to do in the next weeks.

Note, I have intentionally omitted two key words in the subject and body of this message to keep it from being picked up by search engines and related to the topic in the above articles... reading the above articles will explain those omissions.
johnsfine
Site Admin
Posts: 4766
Joined: Sun Aug 10, 2003 5:00 pm
Location: Bedford, MA
Contact:

Post by johnsfine »

Unless I'm totally misunderstanding things, those pages seriously overstate the IR aspect of those issues:

1) Many of the devices described as IR are normally RF. I think always RF, but I can't be certain there isn't some bizarre model out there.

2) The most serious issues relate to connecting a device to the internal cable system that wasn't expected to be connected. In other words an important layer of protection was assumed to be provided by the end devices on the internal cable system and is totally bypassed by connecting a different end device. That is an interesting exploit issue but no IR component.

The tiny IR component relates to things the TV may be programmed to do that the provided remote doesn't have buttons for. JP1 might be a tool for such things in the hands of an extreme amateur. But I think direct PC capture and transmit of IR signals would be the method of choice for anyone serious about such things. In which case our reverse engineering of so many IR formats is much more relevant than JP1 itself.
bevhoward
Posts: 248
Joined: Fri Jun 24, 2005 2:27 pm

Post by bevhoward »

>> overstate <<

That was my first impression as well (it appears that IR is widely used in Europe for car and garage entry), but digging into the billing and related aspects of the articles was where my concern arose.

I think that these articles will result in an eventual "lockdown" but I also think that that happening will take time.

Since my post, I have uncovered some additional facts that point to the direction of the exploit being computer rather than remote based.

Page 2 of http://www.wired.com/news/privacy/0,184 ... _2polihead goes more into the threat details.
johnsfine
Site Admin
Posts: 4766
Joined: Sun Aug 10, 2003 5:00 pm
Location: Bedford, MA
Contact:

Post by johnsfine »

bevhoward wrote: Since my post, have uncovered some additional facts that point to the direction of exploit being computer rather than remote based.
That's what I meant by my "end device" comment: Connect an ordinary computer (with appropriate interface) in place of the custom TV to the internal cable system, and you have access to things on the cable that were intended to be managed by firmware in the custom TV.

Nothing you could do with the IR remote could give you anything you couldn't get via that computer approach and the computer approach can give you lots you couldn't get with IR. If the TV custom firmware is really simplistic (probably is) then using IR might be easier than using a computer for getting some subset of what you might get by computer.
underquark
Expert
Posts: 874
Joined: Mon Jun 20, 2005 4:58 am
Location: UK

Post by underquark »

I have a much more sinister plan. My son and his friends have all got those Tamagotchi things that communicate (and breed) with each other via IR. Mini-bar, here I come :twisted:
rhm5757
Advanced Member
Posts: 33
Joined: Sun Aug 03, 2003 5:53 pm
Contact:

Post by rhm5757 »

One of the more common backend systems is called LodgeNet. These usually have very crappy "stick" remotes with tiny square buttons. I learned all the buttons for it one time when I brought one of my JP1 remotes to a hotel that used that system, since it uses a unique NEC1 device and subdevice code not normally in a UEIC remote. I then made an upgrade when I got back home, which of course I still have, but never did anything with it. I never really got a chance to, as I don't think I've stayed at a hotel with LodgeNet since. Of course I was planning on looking for hidden codes to do things like unlock channels, because I have often been frustrated with these things locking channels on the system. I guess those hidden codes actually exist. Too bad they're likely going to be locked down now.
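johnsfine's point above that capturing and replaying IR from a PC needs the decoded format rather than a particular remote, and rhm5757's note that the LodgeNet stick remote is a plain NEC1 device/subdevice combination, both come down to the same thing: NEC1 is a simple, fully documented timing format that can be generated or recognised by any program driving an IR transceiver. The following encoder/decoder is an added example written for this page; it is not code from the forum, from the JP1 tools, or from any hotel system, and the device, subdevice and function numbers used in it are constructed for illustration and are not anyone's real codes. It uses the standard NEC1 timings (38 kHz carrier, 562.5 us unit, 9000/4500 us lead-in, 32 bits LSB first as device, subdevice or inverted device, function, inverted function) and checks the function complement on decode, which is the check a capture tool uses to reject corrupted frames.

```python
"""NEC1 infrared frame encoder/decoder (added example, not JP1 project code).

A frame is represented as a list of alternating mark/space durations in
microseconds, beginning with the lead mark, the same shape an IR capture
device hands back.  All device/subdevice/function values in the tests are
constructed for illustration only.
"""

from dataclasses import dataclass
from typing import List, Optional

CARRIER_HZ = 38_000          # NEC1 modulation frequency (informational only)
UNIT_US = 562.5              # basic NEC1 timing unit
LEAD_MARK_US = 16 * UNIT_US  # 9000 us lead-in mark
LEAD_SPACE_US = 8 * UNIT_US  # 4500 us lead-in space
ZERO_SPACE_US = UNIT_US      # mark + 1 unit space encodes a 0 bit
ONE_SPACE_US = 3 * UNIT_US   # mark + 3 unit space encodes a 1 bit
TOLERANCE = 0.25             # accept +/-25% timing error when decoding
FRAME_LEN = 2 + 32 * 2 + 1   # lead mark/space, 32 mark/space pairs, trailing mark


@dataclass(frozen=True)
class Nec1Code:
    device: int
    subdevice: Optional[int]  # None means plain NEC1 (byte 2 is ~device)
    function: int             # the "OBC" in JP1 terminology


def encode(code: Nec1Code) -> List[float]:
    """Return the mark/space durations for one NEC1 frame carrying `code`."""
    for v in (code.device, code.function):
        if not 0 <= v <= 0xFF:
            raise ValueError("NEC1 fields are 8-bit")
    second = code.subdevice if code.subdevice is not None else (~code.device) & 0xFF
    payload = [code.device, second, code.function, (~code.function) & 0xFF]
    durations = [LEAD_MARK_US, LEAD_SPACE_US]
    for byte in payload:
        for bit in range(8):  # LSB first, as NEC1 transmits it
            durations.append(UNIT_US)
            durations.append(ONE_SPACE_US if (byte >> bit) & 1 else ZERO_SPACE_US)
    durations.append(UNIT_US)  # trailing mark terminates the last space
    return durations


def _near(actual: float, expected: float) -> bool:
    return abs(actual - expected) <= expected * TOLERANCE


def decode(durations: List[float]) -> Optional[Nec1Code]:
    """Decode one captured NEC1 frame; return None if it is not valid NEC1."""
    if len(durations) != FRAME_LEN:
        return None
    if not (_near(durations[0], LEAD_MARK_US) and _near(durations[1], LEAD_SPACE_US)):
        return None
    bits: List[int] = []
    for i in range(2, 2 + 32 * 2, 2):
        mark, space = durations[i], durations[i + 1]
        if not _near(mark, UNIT_US):
            return None
        if _near(space, ONE_SPACE_US):
            bits.append(1)
        elif _near(space, ZERO_SPACE_US):
            bits.append(0)
        else:
            return None
    if not _near(durations[-1], UNIT_US):
        return None
    # Reassemble the four bytes, LSB first.
    data = [sum(bits[8 * k + b] << b for b in range(8)) for k in range(4)]
    device, second, function, function_inv = data
    if function != (~function_inv) & 0xFF:
        return None  # function complement mismatch: corrupted or not NEC1
    subdevice = None if second == (~device) & 0xFF else second
    return Nec1Code(device=device, subdevice=subdevice, function=function)


if __name__ == "__main__":
    # Constructed values, not any real remote's codes.
    frame = encode(Nec1Code(device=0x40, subdevice=0x04, function=0x12))
    print(len(frame), "durations;", decode(frame))
```

A capture tool would feed `decode()` each burst it records and, on a match, print the device/subdevice/function triple that a JP1 upgrade or a PC transmitter would then replay through `encode()`. The complement check is what separates a genuine NEC1 frame from noise or from a different 32-bit protocol with similar timing.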
The Robman
Site Owner
Posts: 21890
Joined: Fri Aug 01, 2003 9:37 am
Location: Chicago, IL
Contact:

Post by The Robman »

The g@rage door openers and key f0b remotes are not an issue as most of them (if not all of them) are RF based.

The h0tel TVs do offer more possibilities though.

I doubt that you can do anything that sinister (like the billing stuff) without a computer (as has been suggested) but you might be able to unlock channels and things like that. Most h0tels use special TVs which allow you to disable certain functions, which could be unlocked by a JP1 user.
Rob
www.hifi-remote.com
Please don't PM me with remote questions, post them in the forums so all the experts can help!
underquark
Expert
Posts: 874
Joined: Mon Jun 20, 2005 4:58 am
Location: UK

Post by underquark »

The Robman wrote:Most h0tels use special TVs which allow you to disable certain functions, which could be unlocked by a JP1 user.
Equally U could try out various c0des & end up hitting on the p0rn0 film option and having to pay for it or argue loudly at the reception desk tht it wasn't U. I suspect tha' even if some systems are so lax as to allow U access that at least they might l0g where the commands originated from so that even if this was related to Jay-Pee-One and even if U could get it to work it wood be a bit lyke throuwing a brycke thrua jewellers' shop window - i.e. both illlegal and rather obvious.
The Robman
Site Owner
Posts: 21890
Joined: Fri Aug 01, 2003 9:37 am
Location: Chicago, IL
Contact:

Post by The Robman »

OK you-queue, I've got your numb3r! :)
underquark
Expert
Posts: 874
Joined: Mon Jun 20, 2005 4:58 am
Location: UK

Post by underquark »

Bump.

One year on (hey, I'm patient) and no Tamagotchi codes yet? We're onto generation 3 of the little bu66ers.