blackriver Posted November 18, 2008
I was wondering if anybody ever dug into how these signs work. I have been googling some of the brands and types that I've encountered in my neighbourhood, and reading the documentation I could get my hands on. I'm interested in how these signs get updated with new text. The docs all stay pretty vague on this subject: usually they mention a "wireless method", and list Bluetooth, wireless/WiFi, or GSM/phone as possibilities. I don't know how Bluetooth or wireless could be useful, as you'd still have to drive over to the sign (if it's a fair distance from the building where the owner is) to be in close enough proximity. GSM (mobile phone) sounds like a better solution. The signs I see around here are the same as in the pic, except they have a small 6" antenna on top. Is this a sign of GSM technology? (As I don't see any modern phones needing such an antenna.) Is this interceptable in any way with "hobby hardware"? I'd love to brainstorm about this with interested people.
thegubble Posted November 18, 2008
Well, a bit of fun! Firstly, if it is GSM, I can't help you at all. What you need to do is find out more about this sign (as in the electronics). To start you will need the name of the company that makes the sign, and the model number of the sign. Then just use those trusty social engineering skills to call up and say 'blah blah blah... I was looking at installing one of your signs in my carpark/store/secret underground bunker, and I was wondering how you update the message on it... blah, blah, blah... well I like the look of the *model number here* that is installed in *location here* and would be very interested in getting some more info/datasheets/wireless communication specification sheets on that model.' Once this is done you should know how it communicates. Then you need a way to use this information (everything below this line is purely theoretical :P).

If it is Bluetooth: connect, have some fun, brute force the passkey, etc.

If it uses GSM: I can't help, been interested in GSM sniffing but sadly know very little about it.

If it uses a standard wireless communication frequency:
1. Find what sort of wireless chip/receiver/transceiver it has (either from the data sheets obtained earlier, or by taking a screwdriver to it at midnight).
2. Purchase two matching receivers and a single transmitter (or more if you think you may destroy it).
3. Experiment with sending and receiving data to and from your choice of microcontroller (I prefer AVR).
4. Using the successful wireless link you created in step 3, use the second wireless receiver to attempt to sniff the data as it passes across.
5. Find out when the sign will be updated and sniff the wireless link (and pray it works).
6. Take the data collected home, reverse engineer a protocol specification for it and reprogram your little transmitter.
7. Change the sign to whatever you like as you drive past (or walk).

And you have just pwned a sign.

Just a quick thought: because it has a 6" antenna, it sounds as if it is an RF wireless link (possibly 2.4GHz ZigBee). I'd be very interested in helping you research this further; send me a PM if you are interested.
DingleBerries Posted November 18, 2008
If you can get close enough to it, take a picture of the back of one, where the manufacturer and make/model are located. From there we/you can work on more specific exploits. Trying to encompass a mass amount of machines to attack with one exploit is almost impossible. When we narrow it down it becomes easier to look for certain things and exploit those individual weaknesses.
blackriver Posted November 18, 2008
As I mentioned in my first post, I've already gathered all the info available online from the brands and models that are out there, but none disclose exactly what method they use in the documentation. Like thegubble suggested, I've already emailed the manufacturer of the signs in my neighbourhood with specific questions and I'm awaiting a response. I have also sat down close to one of these signs and sniffed for Bluetooth/wireless info (using btscanner and airodump-ng) but unfortunately didn't pick anything up. I should try again with Kismet as it seems to be better at picking up cloaked ESSIDs. As for cellular/GSM data, I have been googling a bit and it seems one's going to need serious equipment to intercept/sniff its data, or even to get the phone number of the GSM device inside.
metatron Posted November 18, 2008
They just use a rugged GSM modem such as the Wavecom units hooked to the serial port. The best way to hack them would be to open one up and remove the SIM, find the number (you can then expect the others to be not hugely different), war dial the range, then guess or brute force a password. I'd guess the password is similar for all the displays the company owns. You could also get into one of the units and dump the password, but that would require some knowledge.
Jayze Posted November 18, 2008
Back in the day I did some "research" on a different kind of signalization. In Antwerp (Belgium) you've got signs near the road that tell you how many parking spaces are available at certain parking lots. With some social engineering you can get very far! Go for it!
DingleBerries Posted November 18, 2008
Hidden SSIDs may have stumped you, but I was looking for more information for my own research in order to help you. Without that I don't really know what to say.
blackriver Posted November 18, 2008
I have been digging deeper and found a couple of older posts on Linux/tech forums by some of the company's employees. These contain some interesting tidbits about projects they were working on that sound very similar to something you'd find in these LED displays. I can only guess right now, but it seems indeed very likely they're using a GPRS modem setup like metatron suggests. I'll be taking a closer look (and taking pics) next time I'm near one of these signs again, and see if I can open them up and take a look inside. Also, a quick glance over the Wavecom documentation you can find online shows that they also offer a web interface for the back-end to their products. It might pay off to dig into this, and find out more about the other side of the communication. I know the company that builds the displays has their own software suite to enable communication too.

(PS: DingleBerries, I'm not sure what you mean, but by all means be involved. I'm not at all looking for a "mass exploit" thing, I just wanna poke these displays with a stick and see what happens.)
blackriver Posted November 21, 2008
Update: I sat down at one of these signs again and tried to pick up anything Bluetooth/WiFi-like again, this time using several other tools (particularly Kismet). No signal whatsoever. It was too crowded to see how to open one of these, but it looks like high quality stuff so I'm sure it's locked properly. On the social engineering front, I'm still awaiting documentation per email, but the person at the company insists on calling me over the phone... I'll have to see how that turns out.
roberttt Posted February 10, 2009
> Update: I sat down at one of these signs again and tried to pick up anything Bluetooth/WiFi-like again, this time using several other tools (particularly Kismet). No signal whatsoever. It was too crowded to see how to open one of these, but it looks like high quality stuff so I'm sure it's locked properly. On the social engineering front, I'm still awaiting documentation per email, but the person at the company insists on calling me over the phone... I'll have to see how that turns out.

The small wall mount ones are infrared. There's one at the local bar I'm dyyyyying to get to. As for the antenna on top, are you sure it isn't more of a lightning rod? If I paid 15k for that sign I sure wouldn't want my antenna there. I make signs for a living; I have catalogs of these. Call these people. Don't email, just call. I go there all the time. I stare at their LEDs till I see spots. They will probably laugh and tell you what you need to know; I would.
Swathe Posted February 10, 2009
There is no way they are going to be setting up a lightning rod on a pedestrian footpath. Have you ever seen how tall one of those rods is?
roberttt Posted February 10, 2009
> There is no way they are going to be setting up a lightning rod on a pedestrian footpath. Have you ever seen how tall one of those rods is?

They aren't all as large as you would imagine.
Swathe Posted February 11, 2009
I built houses for a living and those minuscule rods aren't worth jack shit.
will-wtf Posted February 25, 2009
Swathe pwns you.