Why the 433 MHz remotes and sensors on your garage, gate, alarm and doorbell are easier to attack than most people realise — and the practical steps that actually fix it.
433 MHz Device Vulnerabilities — and How to Prevent Them
The 433 MHz band is everywhere. It’s the invisible workhorse behind garage door remotes, gate openers, wireless doorbells, weather stations, TPMS tyre sensors, remote power sockets, and a huge share of the cheap alarm sensors and “smart” gadgets sold online. It’s popular because the hardware is tiny, cheap, and licence-free to use in most countries. But that same cheapness means security is very often an afterthought — or missing entirely.
For under fifty dollars and with freely available software, a curious teenager can listen to, record, and replay these signals. This article explains the real weaknesses, the common tools used against them, and — most importantly — what you can do to protect yourself.
Why 433 MHz Is So Exposed
Radio at 433 MHz isn’t insecure by nature — the problem is how cheaply most devices implement it. Common design shortcuts leave the door wide open:
- Fixed codes: Many cheap remotes send the exact same code every single time. Record it once, replay it forever.
- No encryption: The signal is sent in the clear. Anyone listening sees exactly what’s transmitted.
- No authentication: The receiver can’t tell a genuine remote from an attacker’s transmitter — it just acts on any valid-looking code.
- Short code space: Some devices use so few possible codes that every combination can be tried in minutes (brute force).
- No replay protection: Even where a code looks complex, if the device accepts the same code twice, a recording is enough.
How an Attack Actually Works
The most common attacks against 433 MHz devices are surprisingly simple:
- Replay attack: Record a fixed-code signal and re-transmit it. Works on cheap garage doors, gates, sockets and doorbells.
- Brute force: Cycle through every possible code until the receiver responds — feasible where the code space is small.
- Jamming + capture (RollJam-style): Even rolling-code remotes can be attacked by jamming the receiver while capturing the code the victim just sent, then replaying that unused code later.
- Sensor spoofing: Inject fake readings or “all clear” signals into alarm sensors, weather stations or TPMS — or trigger false alarms to cause nuisance.
- Denial of service: Continuously jam the band so genuine remotes and sensors simply stop working.
The Hardware and Software Involved
None of this requires specialist lab equipment. The tools below are sold openly as legitimate hobbyist, research and engineering devices — which is exactly why awareness matters. We describe what these categories do, not how to run an attack.
| Tool category | What it does | Legitimate use |
|---|---|---|
| RTL-SDR receiver dongle | Cheap USB radio that can listen across the band and view signals | Radio hobby, learning, spectrum monitoring |
| Transmit-capable SDR | Can both receive and transmit arbitrary RF | RF engineering, research, development |
| Multi-tool RF gadgets | Pocket devices that capture and re-send sub-GHz signals | Pen-testing, learning, hardware research |
| Cheap 433 MHz TX/RX modules | A few dollars of parts wired to a microcontroller | DIY electronics, home automation |
| Signal-analysis software | Decodes and visualises captured waveforms and protocols | Protocol research, device debugging |
⚠ Important
Transmitting on these bands to interfere with, jam, or gain unauthorised access to someone else’s devices is illegal in Australia and most countries, regardless of the equipment used. The point of understanding these tools is defence — knowing what you’re up against so you can choose devices and settings that hold up. Only ever test equipment you own, in an environment you control.
What’s Actually at Risk
| Device | Typical weakness | Consequence |
|---|---|---|
| Old garage / gate remotes | Fixed code, no rolling code | Replay opens your garage or gate |
| Cheap alarm sensors | Unauthenticated, unencrypted | Sensors spoofed or suppressed; false alarms |
| Wireless doorbells | Fixed code | Nuisance ringing; presence signalling |
| Remote power sockets | Fixed code, tiny code space | Attacker switches your power on/off |
| TPMS / weather sensors | Broadcast in the clear | Tracking, spoofed readings |
Prevention — Choosing and Deploying Safely
You don’t have to abandon wireless convenience. The goal is to raise the bar so casual attacks simply don’t work:
- Insist on rolling code (code-hopping): For garage, gate and car remotes, choose KeeLoq-style rolling-code or encrypted systems. The code changes every press, so replaying a recording of a code the receiver has already accepted does nothing.
- Prefer encrypted, authenticated protocols: For alarms and home automation, favour Z-Wave, Zigbee 3.0 or proprietary AES-encrypted RF over bare 433 MHz sensors.
- Choose devices with tamper and jam detection: Good alarm systems raise an alert if a sensor stops reporting or the band is being jammed, instead of silently failing.
- Don’t rely on a single wireless layer: Back critical points (doors, gates, safes) with a wired sensor or a second, different technology so one jammed band can’t disable everything.
- Buy from reputable brands: Cheap unbranded gear from marketplaces is where fixed-code, no-encryption designs are most common.
- Keep firmware updated: Where a hub or controller supports updates, apply them — RF vulnerabilities do get patched.
✓ Key Point
Rolling code beats replay; encryption beats eavesdropping; a second layer beats jamming.
1. Replace fixed-code garage and gate remotes with rolling-code units
2. Use encrypted, authenticated protocols for alarms and automation
3. Add jam / tamper detection and a wired backup on anything that really matters
4. Buy reputable hardware and keep hubs updated
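To make the difference between fixed code and rolling code concrete, here is an added sketch of the receiver-side check (not code from any product or from this article's author). It uses a counter authenticated with HMAC-SHA-256 rather than KeeLoq's own cipher; the frame layout, key, serial number and window size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: presses made out of range that the receiver tolerates


class FixedCodeReceiver:
    """Weak design: one static code, accepted every time it is heard."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def make_frame(key: bytes, serial: int, counter: int) -> bytes:
    """Remote side: serial + press counter, followed by a truncated HMAC tag."""
    body = struct.pack(">II", serial, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    """Hardened design: accept only authentic frames carrying a fresh counter."""
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last = key, serial, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                    # forged or corrupted frame
        serial, counter = struct.unpack(">II", body)
        if serial != self.serial:
            return False                    # a different remote
        if not (self.last < counter <= self.last + WINDOW):
            return False                    # already used, or too far ahead
        self.last = counter                 # burn this code and every older one
        return True


if __name__ == "__main__":
    key = bytes(range(16))                  # constructed demo key
    rx = RollingCodeReceiver(key, 0x1234)
    frame = make_frame(key, 0x1234, 1)
    print(rx.accept(frame), rx.accept(frame))   # first press accepted, replay rejected
```

A counter window alone does not cover the jam-and-capture case described earlier, because a code the receiver never heard is still fresh when it arrives later.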
Cure — If You Already Own Vulnerable Gear
Already have older 433 MHz devices? You have options short of ripping everything out:
- Retrofit rolling-code receivers: Many garage and gate motors accept a replacement rolling-code receiver and remote kit — a low-cost upgrade that closes the replay hole.
- Move critical sensors to a modern hub: Migrate door, window and motion sensors to a Z-Wave or Zigbee system with encryption and tamper alerts.
- Add a monitored alarm layer: A properly monitored alarm that alerts on sensor loss or jamming turns a silent bypass into a noticed event.
- Physically secure the fallback: Deadbolts, manual locks and a wired reed switch on the critical door mean a defeated remote isn’t the end of the story.
- Retire the worst offenders: Fixed-code remote power sockets controlling anything important, and no-name alarm kits, are cheap to replace and worth it.
- Have it assessed: If you’re not sure what you’re running, a technician can identify which of your devices are fixed-code and which are safe.
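The jam and sensor-loss alerting recommended above and in the prevention list can be pictured as a small supervision monitor on the hub. This is an added example, not any vendor's logic: the check-in interval, the dBm thresholds, the sensor names and both event logs are constructed assumptions.

```python
CHECKIN_TIMEOUT_S = 180   # assumed: sensors report every 60 s, tolerate 3 misses
NOISE_LIMIT_DBM = -70     # assumed: this receiver idles near -100 dBm
NOISE_HOLD_S = 10         # ignore bursts shorter than a normal transmission


class SupervisionMonitor:
    def __init__(self, sensors, start=0):
        self.last_seen = {name: start for name in sensors}
        self.noisy_since = None

    def feed(self, t, kind, value):
        if kind == "checkin" and value in self.last_seen:
            self.last_seen[value] = t
        elif kind == "noise":
            if value < NOISE_LIMIT_DBM:
                self.noisy_since = None        # band is quiet again
            elif self.noisy_since is None:
                self.noisy_since = t           # start of a strong carrier

    def alerts(self, now):
        out = []
        if self.noisy_since is not None and now - self.noisy_since >= NOISE_HOLD_S:
            out.append(("jamming_suspected", self.noisy_since))
        for name, seen in sorted(self.last_seen.items()):
            if now - seen > CHECKIN_TIMEOUT_S:
                out.append(("sensor_lost", name))
        return out


def run_log(events, sensors, now):
    """Feed a log of (seconds, kind, value) events and return alerts at `now`."""
    mon = SupervisionMonitor(sensors)
    for t, kind, value in events:
        mon.feed(t, kind, value)
    return mon.alerts(now)


SENSORS = ["front_door", "garage_pir"]
JAMMED = [  # constructed log: a strong carrier appears and check-ins stop
    (60, "checkin", "front_door"), (60, "checkin", "garage_pir"),
    (90, "noise", -60), (92, "noise", -99),    # short burst, e.g. a nearby remote
    (120, "checkin", "front_door"), (120, "checkin", "garage_pir"),
    (130, "noise", -55), (140, "noise", -54), (300, "noise", -53),
]
FLAT_BATTERY = [  # constructed log: one sensor goes quiet on a clean band
    (60, "checkin", "front_door"), (60, "checkin", "garage_pir"),
    (120, "checkin", "front_door"), (180, "checkin", "front_door"),
    (240, "checkin", "front_door"), (250, "noise", -98),
]
```

On the jammed log the noise alert fires well before any sensor times out, while the flat-battery log produces a single `sensor_lost` with no jamming alert, which is the distinction a monitored system needs to make.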
Not sure if your remotes and sensors are exposed?
A fixed-code garage remote or a bargain-bin alarm sensor can quietly undo the rest of your home or business security. Mobile Techs IT Service can assess your 433 MHz and wireless devices, identify the ones that can be replayed or spoofed, and upgrade them to rolling-code and encrypted alternatives with proper jam and tamper detection — for homes and businesses across the Gold Coast, or remotely anywhere in Australia.

