Merge pull request #1195 from HackTricks-wiki/research_update_src_todo_radio-hacking_infrared_20250727_014907

carlospolop · web-flow · commit ec2d3d36721a · 2025-07-29T14:02:36.000+02:00
Research Update Enhanced src/todo/radio-hacking/infrared.md
diff --git a/src/todo/radio-hacking/infrared.md b/src/todo/radio-hacking/infrared.md
@@ -66,19 +66,76 @@ For **logic "0" and "1"** NEC uses Pulse Distance Encoding: first, a pulse burst
 Unlike other remotes, **air conditioners do not transmit just the code of the pressed button**. They also **transmit all the information** when a button is pressed to assure that the **air conditioned machine and the remote are synchronised**.\
 This will avoid that a machine set as 20ºC is increased to 21ºC with one remote, and then when another remote, which still has the temperature as 20ºC, is used to increase more the temperature, it will "increase" it to 21ºC (and not to 22ºC thinking it's in 21ºC).
 
-### Attacks
+---
+
+## Attacks & Offensive Research <a href="#attacks" id="attacks"></a>
 
 You can attack Infrared with Flipper Zero:
 
 {{#ref}}
 flipper-zero/fz-infrared.md
 {{#endref}}
 
-## References
+### Smart-TV / Set-top Box Takeover (EvilScreen)
 
-- [https://blog.flipperzero.one/infrared/](https://blog.flipperzero.one/infrared/)
+Recent academic work (EvilScreen, 2022) demonstrated that **multi-channel remotes that combine Infrared with Bluetooth or Wi-Fi can be abused to fully hijack modern smart-TVs**. The attack chains high-privilege IR service codes together with authenticated Bluetooth packets, bypassing channel-isolation and allowing arbitrary app launches, microphone activation, or factory-reset without physical access. Eight mainstream TVs from different vendors — including a Samsung model claiming ISO/IEC 27001 compliance — were confirmed vulnerable. Mitigation requires vendor firmware fixes or completely disabling unused IR receivers. 
 
-{{#include ../../banners/hacktricks-training.md}}
+### Air-Gapped Data Exfiltration via IR LEDs (aIR-Jumper family)
+
+Security cameras, routers or even malicious USB sticks often include **night-vision IR LEDs**. Research shows malware can modulate these LEDs (<10–20 kbit/s with simple OOK) to **exfiltrate secrets through walls and windows** to an external camera placed tens of metres away. Because the light is outside the visible spectrum, operators rarely notice. Counter-measures:
+
+* Physically shield or remove IR LEDs in sensitive areas
+* Monitor camera LED duty-cycle and firmware integrity
+* Deploy IR-cut filters on windows and surveillance cameras
+
+An attacker can also use strong IR projectors to **infiltrate** commands into the network by flashing data back to insecure cameras. 
+
+### Long-Range Brute-Force & Extended Protocols with Flipper Zero 1.0
+
+Firmware 1.0 (September 2024) added **dozens of extra IR protocols and optional external amplifier modules**. Combined with the universal-remote brute-force mode, a Flipper can disable or reconfigure most public TVs/ACs from up to 30 m using a high-power diode. 
+
+---
+
+## Tooling & Practical Examples <a href="#tooling" id="tooling"></a>
 
+### Hardware
 
+* **Flipper Zero** – portable transceiver with learning, replay and dictionary-bruteforce modes (see above).
+* **Arduino / ESP32** + IR LED / TSOP38xx receiver – cheap DIY analyser/transmitter. Combine with the `Arduino-IRremote` library (v4.x supports >40 protocols).
+* **Logic analysers** (Saleae/FX2) – capture raw timings when protocol is unknown.
+* **Smartphones with IR-blaster** (e.g., Xiaomi) – quick field test but limited range.
 
+### Software
+
+* **`Arduino-IRremote`** – actively-maintained C++ library: 
+  ```cpp
+  #include <IRremote.hpp>
+  IRsend sender;
+  void setup(){ sender.begin(); }
+  void loop(){
+    sender.sendNEC(0x20DF10EF, 32); // Samsung TV Power
+    delay(5000);
+  }
+  ```
+* **IRscrutinizer / AnalysIR** – GUI decoders that import raw captures and auto-identify protocol + generate Pronto/Arduino code.
+* **LIRC / ir-keytable (Linux)** – receive and inject IR from the command line:
+  ```bash
+  sudo ir-keytable -p nec,rc5 -t   # live-dump decoded scancodes
+  irsend SEND_ONCE samsung KEY_POWER
+  ```
+
+---
+
+## Defensive Measures <a href="#defense" id="defense"></a>
+
+* Disable or cover IR receivers on devices deployed in public spaces when not required.
+* Enforce *pairing* or cryptographic checks between smart-TVs and remotes; isolate privileged “service” codes.
+* Deploy IR-cut filters or continuous-wave detectors around classified areas to break optical covert channels.
+* Monitor firmware integrity of cameras/IoT appliances that expose controllable IR LEDs.
+
+## References
+
+- [Flipper Zero Infrared blog post](https://blog.flipperzero.one/infrared/)
+- EvilScreen: Smart TV hijacking via remote control mimicry (arXiv 2210.03014)
+
+{{#include ../../banners/hacktricks-training.md}}
