Best IR Tools for Security Research
Infrared in Security Research
Infrared communication is one of the most overlooked attack surfaces in physical security. Nearly every television, air conditioning unit, projector, sound system, and set-top box responds to IR commands. Most of these devices have zero authentication - any signal on the correct frequency with the correct protocol is accepted without question.
IR operates by sending modulated pulses of infrared light, typically at 38 kHz carrier frequency, encoding data using protocols like NEC, Sony SIRC, RC5, or RC6. The range is short (usually under 10 meters with line of sight), but within that range, the control is absolute. There is no pairing, no encryption, and no logging.
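To make the "no pairing, no encryption" point concrete, here is an added example (not from the original article) that encodes and decodes the NEC frame format at the bit level: a 9 ms/4.5 ms leader, then 32 bits sent LSB-first as address, inverted address, command, inverted command, each bit a fixed 562 µs mark followed by a short or long space. The inverted bytes are the only integrity check in the protocol, and the decoder rejects frames where they disagree; the 25% timing tolerance and the sample address/command values are assumptions.

```python
# Encode/decode the NEC infrared protocol at the bit level (constructed example).
# Timings are microseconds, alternating mark (38 kHz burst) and space, the raw
# form that an IRremote raw capture or an IR Toy emits for a received frame.
from typing import List, Optional, Tuple

LEADER_MARK, LEADER_SPACE = 9000, 4500            # NEC start burst and pause
BIT_MARK, ZERO_SPACE, ONE_SPACE = 562, 562, 1687  # logical 0 / 1 spacing
TOLERANCE = 0.25  # assumed +/-25%: consumer receivers smear edges this much


def nec_encode(address: int, command: int) -> List[int]:
    """Build a 67-entry timing list: leader, 32 bits LSB-first, final mark."""
    # Payload is address, ~address, command, ~command; the inverted copies
    # are the protocol's built-in error check, not authentication.
    payload = ((address & 0xFF) | ((~address & 0xFF) << 8)
               | ((command & 0xFF) << 16) | ((~command & 0xFF) << 24))
    timings = [LEADER_MARK, LEADER_SPACE]
    for i in range(32):
        timings += [BIT_MARK, ONE_SPACE if (payload >> i) & 1 else ZERO_SPACE]
    timings.append(BIT_MARK)
    return timings


def _near(measured: int, expected: int) -> bool:
    return abs(measured - expected) <= expected * TOLERANCE


def nec_decode(timings: List[int]) -> Optional[Tuple[int, int]]:
    """Return (address, command), or None for noise, a repeat frame, or another protocol."""
    if len(timings) != 67:
        return None  # NEC repeat frames (3 entries) carry no payload
    if not (_near(timings[0], LEADER_MARK) and _near(timings[1], LEADER_SPACE)):
        return None
    value = 0
    for i in range(32):
        mark, space = timings[2 + 2 * i], timings[3 + 2 * i]
        if not _near(mark, BIT_MARK):
            return None
        if _near(space, ONE_SPACE):
            value |= 1 << i
        elif not _near(space, ZERO_SPACE):
            return None
    addr, addr_inv = value & 0xFF, (value >> 8) & 0xFF
    cmd, cmd_inv = (value >> 16) & 0xFF, (value >> 24) & 0xFF
    if addr ^ addr_inv != 0xFF or cmd ^ cmd_inv != 0xFF:
        return None  # check bytes disagree: corrupted capture
    return addr, cmd
```

Feeding `nec_decode` the raw timings from a receiver capture shows how little a device has to verify before acting: if the inverted bytes match, the command is accepted.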
This makes IR interesting for physical security assessments. Can someone walk into a conference room and shut down the projector during a presentation? Can they change the temperature settings in a server room? Can they disable a TV-based information display in a lobby? The answer is usually yes, and the tools to do it are cheap.
The IR Attack Surface
IR-controlled devices fall into several categories, each with different security implications.
Presentation equipment: Projectors in conference rooms almost universally use IR remotes. Turning off a projector during a board meeting is a denial-of-service attack that requires nothing more than knowing the manufacturer's IR codes. Most projector IR codes are publicly documented.
Climate control: Many commercial HVAC systems use IR for local control. Changing the temperature in a server room from 18 °C to 30 °C could cause hardware damage over time. Split-unit air conditioners in offices are particularly vulnerable since their IR receivers face the room.
Display systems: Digital signage, lobby TVs, menu boards - all commonly IR-controlled. Changing the input source or powering off public displays is trivial with a universal IR blaster.
Access control: Some older automated gates and barriers use IR triggers. While rare compared to RF-based systems, they exist in legacy installations.
```mermaid
graph TD
    subgraph "IR Attack Surface by Environment"
        subgraph "Conference Room"
            A[Projector] --> B[Power Off / Input Switch]
            C[Sound System] --> D[Volume / Mute]
        end
        subgraph "Server Room"
            E[AC Unit] --> F[Temperature Change]
            G[UPS Display] --> H[Menu Navigation]
        end
        subgraph "Public Area"
            I[Lobby TV] --> J[Channel / Power]
            K[Digital Signage] --> L[Input Source]
        end
    end
    M[IR Blaster Tool] --> A
    M --> C
    M --> E
    M --> I
    M --> K
```

Common IR-controllable devices grouped by physical environment
Dedicated Hardware Tools
BLEShark Nano - $37
The BLEShark Nano has a built-in IR blaster and receiver. It can transmit IR codes, receive and decode incoming IR signals, clone remote control signals, and run TV-B-Gone (a rapid sequence of power-off codes for hundreds of TV brands).
The clone function is useful for testing: point a target remote at the Nano, press a button, and the Nano records the raw signal. You can then replay it at any time. This works even with proprietary protocols because the Nano captures the raw modulation pattern rather than trying to decode a specific protocol.
The TV-B-Gone mode cycles through power codes for hundreds of TV and display manufacturers in about 60 seconds. In a physical security test, this demonstrates how easily public displays can be disrupted.
Advantages: pocket-sized, self-contained, combines IR with WiFi and BLE so you carry one device for multiple test types. The IR blaster has reasonable range (5-8 meters in typical conditions).
Flipper Zero IR Module - $170
The Flipper Zero includes an IR transceiver as one of its many modules. It offers similar capabilities to the BLEShark Nano's IR functions: transmit, receive, record, and replay. The Flipper adds a larger built-in database of remote control codes and a more detailed UI for browsing and selecting specific device codes.
The Flipper's IR range is comparable to the Nano's. The main difference is that the Flipper is a broader multi-tool (sub-GHz, RFID, NFC, IR, GPIO) while the Nano focuses on WiFi, BLE, and IR. If you specifically need sub-GHz RF or NFC capabilities alongside IR, the Flipper covers more ground. If your work centers on WiFi and BLE with IR as an addition, the Nano is more relevant and less than a quarter of the price.
USB IR Toy - $25 (clones)
The original USB IR Toy by Dangerous Prototypes has been discontinued, but clones based on the same PIC18F2550 design are available from various sellers. It connects via USB and acts as a raw IR transceiver. You control it from a host computer through serial commands.
The IR Toy is useful for scripted IR attacks. You can write Python scripts to send specific sequences, add delays, loop through code databases, and log received signals. For automated testing scenarios, this programmability is valuable. The downside is that it requires a computer and is not portable on its own.
```mermaid
flowchart TB
    subgraph "Tool Selection by Use Case"
        A{What do you need?} -->|Portable field test| B[BLEShark Nano]
        A -->|Multi-protocol assessment| C[Flipper Zero]
        A -->|Scripted automation| D[USB IR Toy + PC]
        A -->|Learning and experiments| E[Arduino + IR LED]
        A -->|Linux integration| F[LIRC + Raspberry Pi]
        B --> G[Self-contained - no laptop needed]
        C --> H[Covers sub-GHz and NFC too]
        D --> I[Python scriptable]
        E --> J[Cheapest entry point]
        F --> K[Remote automation capable]
    end
```

Choosing an IR tool based on the primary use case
DIY Options
Arduino + IR LED - $5
The cheapest way to get into IR research is an Arduino (or clone) with an IR LED and an IR receiver module (like the TSOP4838). Total cost is under $5 if you use a Nano clone.
The IRremote library for Arduino supports all major IR protocols - NEC, Sony, RC5, RC6, Samsung, LG, Panasonic, and raw capture for unknown protocols. You can build a simple IR blaster in about 20 lines of code.
Limitations: you need a computer for programming and serial communication, the range with a single IR LED is limited (2-4 meters without a transistor driver circuit), and there is no display or standalone operation. For learning how IR protocols work at the bit level, though, nothing beats building it yourself.
LIRC + Raspberry Pi - Free software + $35 hardware
LIRC (Linux Infrared Remote Control) turns a Raspberry Pi into a programmable IR transceiver. Wire an IR LED to a GPIO pin, configure LIRC, and you have a network-connected IR blaster that you can control via SSH, scripts, cron jobs, or web APIs.
LIRC has the largest database of remote control codes available - thousands of devices from hundreds of manufacturers. You can also record new codes from any remote.
For physical security testing, LIRC on a Pi offers unique capabilities: schedule IR commands to run at specific times, trigger IR sequences from network events, or set up a web interface for remote control. You can hide a Pi with an IR LED in a conference room and control it remotely over WiFi. This demonstrates the threat of persistent IR-based attacks in a way that handheld tools do not.
```mermaid
graph LR
    subgraph "DIY IR Setup"
        A[Raspberry Pi] --> B[GPIO Pin]
        B --> C[IR LED - Transmit]
        B --> D[TSOP4838 - Receive]
        A --> E[LIRC Daemon]
        E --> F[Code Database]
        E --> G[Raw Recording]
    end
    subgraph "Control Methods"
        H[SSH] --> E
        I[Web API] --> E
        J[Cron Schedule] --> E
        K[Python Script] --> E
    end
    subgraph "Output"
        C --> L[Target Device]
        D --> M[Captured Codes]
    end
```

LIRC on a Raspberry Pi provides network-connected IR control with multiple input methods
Software and Libraries
IRremote (Arduino) - Free
The most popular Arduino library for IR. Encodes and decodes NEC, Sony, RC5, RC6, Samsung, LG, JVC, Panasonic, and many other protocols. Supports raw capture for unknown protocols. Essential for any Arduino-based IR project.
IRLib2 (Arduino) - Free
An alternative to IRremote with better support for some protocols and a cleaner API. Useful when IRremote does not decode a specific device's signals correctly.
Python IR Libraries - Free
For Raspberry Pi and Linux systems, Python libraries like pigpio (for raw GPIO IR control) and python-lirc (for LIRC integration) provide programmatic IR access. These are useful for building custom testing tools and automated IR scan scripts.
Practical Testing Scenarios
Conference room audit: Walk into the room with a BLEShark Nano or Flipper Zero. Test whether the projector, sound system, and any other IR-controlled devices respond to generic power-off codes. Document which devices can be disrupted and from what distance. Report finding: "IR-controlled equipment in conference room B can be powered off by anyone within 8 meters using publicly available IR codes. Recommend IR-opaque covers for receiver windows on critical equipment."
Server room HVAC test: Record the IR codes from the AC unit's remote. Demonstrate that temperature setpoints can be changed remotely. Evaluate whether the HVAC system has a lockout mode that disables IR control. Most split units do not.
Persistent access demonstration: Deploy a Raspberry Pi with LIRC and an IR LED near a target device. Schedule commands to demonstrate that IR attacks can be automated and persistent, not just one-time disruptions.
Tool Comparison
| Tool | Price | Standalone | Record | Replay | Database | Best For |
|---|---|---|---|---|---|---|
| BLEShark Nano | $37 | Yes | Yes | Yes | TV-B-Gone | Portable multi-protocol testing |
| Flipper Zero | $170 | Yes | Yes | Yes | Large built-in | Multi-protocol with sub-GHz/NFC |
| Arduino + IR LED | $5 | No | Yes | Yes | Via library | Learning and prototyping |
| USB IR Toy | $25 | No | Yes | Yes | Manual | Scripted automation |
| LIRC + Pi | $35 | Yes* | Yes | Yes | Largest | Persistent/remote IR testing |
* Requires initial setup with keyboard/monitor or SSH, but runs headless after configuration.
IR security research does not require expensive equipment. A BLEShark Nano covers most field testing needs, and an Arduino setup costs less than a cup of coffee. The real value is in understanding the attack surface - once you know what responds to IR, the tools to exploit it are simple and cheap.