Time Turner - Hacking RF Attendance Systems (To Be in Two Places at Once)

Conference: DEF CON 29



Reverse engineering a remote control attendance system and exploiting its vulnerabilities
  • A remote control attendance system was reverse engineered by tapping into the data pins for the SPI bus and packet sniffing the RF signals
  • The device uses a basic transposition cipher to shuffle the bits of the device ID and encode the selected answer in the final two bytes of each packet
  • The system can be exploited by copying the most popular vote for any given question or performing a denial of service attack by submitting hundreds of votes per second
  • A hypothetical student used a self-contained device called a Time Turner to attend two lectures at the same time by hacking the attendance system
The hypothetical student used the Time Turner device to attend one class for him while he attended another. The device was effective, and by mid-semester the student had almost full points in both attendance and quiz correctness.
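A receiver-side check for the vote-flooding case in the summary above, written as an added example that is not from the talk or the referenced projects. The record layout, thresholds, roster and device IDs are all assumptions constructed for illustration.

```python
from collections import deque

# Assumed thresholds; tune to class size and normal answer-changing behaviour.
WINDOW_MS = 1000        # sliding window length
MAX_PER_WINDOW = 50     # votes a receiver should plausibly decode per window
MAX_PER_DEVICE = 3      # submissions allowed per device ID inside one window


def detect_vote_flood(votes, roster):
    """votes: time-ordered (timestamp_ms, device_id, answer) tuples as decoded
    by the receiver (hypothetical record layout). roster: enrolled device IDs.
    Returns flood start times plus the device IDs that look abnormal."""
    window = deque()    # (timestamp_ms, device_id) still inside the window
    per_device = {}     # device_id -> submissions inside the window
    report = {"flood_started": [], "rapid_revote": set(), "unenrolled": set()}
    flooding = False    # latch so one sustained burst is reported once

    for ts, dev, _answer in votes:
        # Expire votes that have aged out of the window.
        while window and ts - window[0][0] >= WINDOW_MS:
            _, old = window.popleft()
            per_device[old] -= 1
            if not per_device[old]:
                del per_device[old]   # keep state bounded under random IDs
        window.append((ts, dev))
        per_device[dev] = per_device.get(dev, 0) + 1

        if dev not in roster:
            report["unenrolled"].add(dev)
        if per_device[dev] > MAX_PER_DEVICE:
            report["rapid_revote"].add(dev)
        if len(window) > MAX_PER_WINDOW and not flooding:
            report["flood_started"].append(ts)
        flooding = len(window) > MAX_PER_WINDOW
    return report


def constructed_sample():
    """Constructed data: 30 enrolled devices, one rapid re-voter, one burst."""
    roster = {f"AA{i:04X}" for i in range(30)}
    normal = [(i * 500, f"AA{i:04X}", "ABCDE"[i % 5]) for i in range(30)]
    revote = [(16000 + i * 100, "AA0003", "ABCDE"[i]) for i in range(5)]
    burst = [(20000 + i * 5, f"FF{i:04X}", "A") for i in range(200)]
    return normal + revote + burst, roster


if __name__ == "__main__":
    print(detect_vote_flood(*constructed_sample()))
```

This check does not catch a single emulated device that copies the most popular vote at a normal rate, since that traffic looks like one enrolled device voting once.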


It's a tale as old as time: a graduating senior needs two more courses to graduate, but the lectures happen to be scheduled at the same time and the school's new high-tech wireless attendance tracking system makes it impossible to attend both courses... in theory. By reverse-engineering the attendance devices and emulating them using a hidden Arduino, the system can be tricked into giving attendance credit for both courses without being physically present. It's a real-life "time turner," allowing him to be in two places at once.

REFERENCES:
  • https://github.com/wizard97/iSkipper/releases/download/v1.0.0/iskipper.pdf
  • https://courses.ece.ubc.ca/cpen442/termproject/reports/2010/iclicker.pdf
  • https://people.ece.cornell.edu/land/courses/ece4760/FinalProjects/f2015/cs886_kdv8/cs886_kdv8/cs886_kdv8/index.html
  • https://github.com/wizard97/iSkipper
  • https://github.com/charlescao460/iSkipper-Software