Recently I bought a X-RAY machine from China to have some ghetto-style desktop setup in order to inspect/reverse engineer some PCBs and hardware implants.
The first thing striked my curiosity, even before purchasing it, was its remote. Which were the odds that the little teeny-tiny remote was just using an ASK/OOK modulation with no replay-attack protection whatsoever?! Very high of course.
Nonetheless, I ordered it anyway and used it as an excuse to try again my WHIDelite and the new toy that Joel sent me over (EvilCrowRF).
But first let’s follow a more-systematic approach with HackRF and URH:
Frequency is confirmed being set around 315MHz
After recording a packet we can confirm that is using an ASK/OOK modulation.
After creating a simple substitution decoding, we get exactly the same values that both EvilCrowRF & WHIDelite showed during the initial tests.
☢ This crap is absolutely NOT secure! ☢
Just for the sake of confirmation, I did replay the packet with both HackRF, WHIDelite & EvilCrowRF. In all cases, the forged packet was successfully received and decoded by the unit, which fired X-RAYs like it was a Marie Curie’s party 🎉
Resources:
whid-injector/whid-31337
WHID Elite is a GSM-enabled Open-Source Multi-Purpose Offensive Device that allows a threat actor to remotely inject…
github.com
joelsernamoreno/EvilCrow-RF
Idea, development and implementation: Joel Serna (@JoelSernaMoreno). PCB design: Ignacio Díaz Álvarez (@Nacon_96) and…
github.com
eried/portapack-mayhem ⚠ BEFORE BUYING YOURS: ⚠ Beware of hardware mods that use a custom firmware, which are NOT COMPATIBLE with older forks… github.com
In case of more cool hacking stuff, do follow @whid_ninja on Twitter! 😎
P.S. Disclaimer, if you are planning to buy this model of Dental X-ray Machine… keep in mind that is NOT considered safe in Europe. The Health Protection Agency from UK, even released a report regarding these devices coming from China. Be prepared to use sheets of lead, dosimeters and protective vests.
