Drive it like you Hacked it: New Attacks and Tools to Wireles
Formal Metadata
Number of Parts: 109
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/36433 (DOI)
Transcript: English (auto-generated)
00:01
everybody doing? Boy, this conference would be more fun if more people came, right? A couple notes. How many first time attendees do we have here? That's awesome. That's awesome. This is DEF CON. This is not like a conference that you've
00:21
usually been to. There are shenanigans and shenanigans happen. Shenanigans may be encouraged in some instances. Some of those shenanigans may involve your badge. You never know. I have seen people wandering around with paper badges. That means if you have one of these fancy badges, they're probably going to be in high demand, right? Now, one
00:41
challenge that we had with the badge, as you probably already figured out, is how in the world do I wear this thing around my neck? Let me release a zero day vulnerability in the badge. If you are clipping this with the little clip, that is a bad idea. They will fall off or somebody will
01:01
take them and jerk them and take them. So if you've got the paper around there, that's dumb. Harden your badge while you're sitting here, poke the lanyard through the hole, find some paracord, something like that. The other thing is, yes, it's big. It may not be fun to wear, but you need to be wearing your badge at all times. Otherwise you're going to
01:22
be getting some feedback from the SOC goons. And as you might be able to tell based on the situations in the hallway, they might be a little bit grumpy. So wear your badge at all times, secure your badge and we'll be good. I do want to
01:41
thank you guys for being so cooperative in moving around and getting plenty of people in. We've got a lot of great, great talks today. And this is the point where we're going to transition from talking about things that are broken, that we already know are broken, like our trust of the government and our regulatory system. And we're going to start
02:03
moving into where we're going to start breaking stuff. And that's awesome. How many of you like breaking stuff? And we're going to start breaking some really expensive stuff, too. Not that. That's expensive. We're not going to break that. We're going to break other things. So you
02:26
probably have read about this talk in the press, just like many talks that are in this track. Samy's been doing some really, really interesting stuff and I think we're all really excited to see some of this research in person. I want you guys to give a big welcome to Samy. Awesome. Everyone hear me
02:54
okay? Okay. Oh, man, I'm so excited. It's been years since I've been at DEF CON. It was five years ago. So today
03:04
you are at drive it like you hacked it. So we're going to talk about cars. And I'm super excited about this. My security researcher. That's pretty much what I look like when I wake up. And I pretty much spend my time doing
03:21
research. There's so many really cool areas of devices. All sorts of security from network to physical. I've worked on a couple different projects. These are some of the fun ones. I'll actually be doing a quick talk tomorrow if you have kids. It's kids only. I'll be showing the Combo Breaker which is a 3D printed Arduino based combo breaker. You can break
03:42
any combination lock in like 30 seconds. So we're going to talk about car hacking. Specifically I'm interested in a lot of the like radio and some portions of the connected computers that we have within our devices, within our cars. I think we first need to talk about the awesome work from some other
04:02
people. Who has heard about Charlie Miller and Chris Valasek? If you haven't heard about them, I feel bad for you son or daughter. But Charlie Miller and Chris Valasek, their work probably in the last few years has gotten me into this. Just seeing them like make Andy Greenberg go scared over and
04:25
over again. And there's so much other really interesting research in cars. So obviously they've been attacking all sorts of things over the mobile network, over the car, the CAN bus. There's some cool research in 2010 from UCSD and University of Washington where they're seeing
04:42
what else they can do to a car from the CD player, from Bluetooth, from any other wireless communication. Recently there's been talk about amplification attacks which is super interesting. It's basically saying a lot of our cars we have these keys that we can put in our pocket and we can go up to our car and we can hit a button on the
05:02
car and that will unlock the vehicle as long as the key fob is near us. So what's cool about this is that the car sends a radio signal to your key fob. It's a passive keyless entry system. And your key fob will see that signal and respond, essentially a challenge response. When it sees that it responds with a proper code and the car will unlock. As
05:23
you get in the car a couple of the receivers inside the car then send a signal when you hit the start button. So when you hit start engine it will actually send a signal to your key fob and your key fob is actually responding. That's actually been analyzed and there's a paper on this where they've actually been able to relay that communication
05:42
hundreds of meters away, either wirelessly or wired. And you can basically take a wireless device, go up to the vehicle, have a friend with another wireless device near the car key, so someone in their house, someone in a park, some of you at DEF CON, sorry, and can actually hit the start
06:02
button and that will trigger the system will send a signal to your key. The key will see it because it's been amplified by this device, radio device that's actually transmitting much further. The key responds and normally the RSSI or the signal within the car is actually the receivers within the car are looking at the signal, the RSSI, to see how
06:23
strong that signal is. And if it's strong enough that it's inside the car, the car turns on. The key is not in the car. The amplifier is. It's near the car. So that amplifies the signal, it re-amplifies it and now the car turns on. So this is existing research. People are getting their cars jacked like this. I'm also excited about the
06:42
Tesla talk later today. That's pretty cool. There's been cryptographic attacks on KeeLoq. So KeeLoq is a rolling code system. We'll talk about that later. It's been cracked over and over again in some pretty cool ways, specifically on the crypto side. A lot of cars have RFID
07:00
immobilizers as well. So some keys will actually have a passive RFID device inside so that when you put your key in the ignition, in turn, it's actually sending a low frequency, typically 125, 134 kilohertz signal to your key. The passive RFID key fob actually responds. So it has to
07:22
be within a few inches. You might be able to do some amplification attacks. There's some pretty cool attacks using the Proxmark3 penetration testing tool kit. That's pretty awesome. If you're interested in RFID, I suggest get a Proxmark3. You can do so much crazy stuff. There's some cool talks. There's BLEKey that's coming out at DEF CON. That's pretty exciting. Also some cool work
07:43
from Open Garages, I Am The Cavalry and some other people. So definitely check all of that out if you're interested in car research. I also want to thank the EFF. I've supported them for a long time and a few months ago I reached out and said, hey, like, I don't want to get sued. I mean, ten years ago I released something called the
08:02
MySpace worm and I ended up not being able to touch a computer for about three years of my life. So I want to prevent that from happening again. So I'm not releasing worms anymore. Not under my name. And I did use this image without asking. I hope that's okay, EFF. Please don't
08:23
sue me. So let's start talking about car hacking. We all want to be more like Nicolas Cage. So the first thing to get to a car, at least from what I learned in Gone in 60 Seconds, is that you obviously need to locate the car, you need to find it and get into it. Now I know there's some pretty sweet cars behind this garage. So
08:40
how are we going to get behind this garage? So we're going to first take a look at garage doors. Who has a garage door with a clicker? Everyone? Okay. Hold on. Got it. So we're going to talk about some basic RF research. So the first thing you want to do, I'm going to walk you through from start to finish. I have like a garage door opener right
09:02
here. If you have a garage door opener, if you have any device, even if you pull your phone out right now, you'll see on the back, it will say FCC ID and an ID number. I want to learn what this garage door is sending. What is this clicker actually sending to my garage that makes it open? And how can we open it? So if you take your
09:20
clicker or your phone, you'll actually see an FCC ID on the back. We can actually take that FCC ID and the FCC puts up, publishes all the data about that device online. So if you have the device in your hand, you won't always have it in your hand, but you can actually take that FCC ID and we can go to a website called FCC.io which makes it really, the FCC website is awful. But if you use FCC.io
09:44
from Dominic Spill, you can actually just go to FCC.io slash whatever the FCC ID is and it will pull up the FCC page so you can actually access everything from the FCC on that. So if we do that, there's a couple cool things we see here. The first thing is we have the frequency. So we can
10:03
actually see the frequency that this is sending on. If you had a device and you didn't have an FCC ID, you could use a frequency scanner. We'll talk about a frequency scanner in a bit. But from here, we see that this is 390 megahertz for example. So FCC also has some other stuff. It has like internal photos is always really interesting because they'll
10:20
actually open it up and a small percentage of the time if you're lucky, you can actually see the chips that they're using. You can actually see the name of the chip set that's being used. At that point, without even having the device in your hand, you can then go find a data sheet of that device, learn all about it. Another thing that happens is there's a test report. So the FCC tests every device that they authorize. And
10:43
what's awesome about that is that they're actually putting information about the signal, the frequency, the modulation. A way that their test report looks because they're actually showing a spectrograph of the waveform that the device is creating. So here it looks like some amplitude modulation
11:02
or amplitude shift keying. We'll get into that in a second. So I want to tell you about the actual hardware that I use to do a lot of this development and research. The HackRF One has been pretty invaluable to me. This is by Michael Ossmann. It's an incredible device for software defined radio or SDR. It's a little over $300. Extremely
11:23
powerful. I mean some of the comparable stuff out there is $1,000 and up. It can receive and transmit between 1 megahertz and 6 gigahertz. You can get raw IQ samples. You can record, demodulate, use all sorts of really cool software. If you know nothing about SDR, like I didn't know
11:42
anything about SDR earlier this year, you can just be cool and use hackrf_transfer, a console app, and just record and replay signals. So like half the garages out there. You can just type that. hackrf_transfer, the frequency which we saw on the FCC, and then save it to a file and then later when you want to open that garage, you can then replay.
12:02
That's it. You don't need to know anything. You don't need to know about the modulation. You don't need to know about any other schemes or the baud rate. It's like copy and paste. It's amazing. Another tool I use is RTL-SDR which is another software-defined radio. Specifically it was meant as a TV tuner card but the chip set inside, someone discovered a few
12:20
years ago can actually be used as a software-defined radio. So you can actually see all sorts of cool stuff on the spectrum. This is a much, you get a much smaller range. You get like 24 to 1.7 gigahertz. You can get up to about 2.2 gigahertz if you have, there's an E4000 version. It only receives so you won't be able to transmit with this. It
12:40
also has a much smaller sample rate. Then another piece of software that a lot of people use is GNU Radio which I haven't used because I don't understand all these boxes. You need to like draw a lot of boxes to do stuff and I just don't understand that. But most people use it. So I'm going to have to learn that soon. Another tool I've been using is GQRX. This is a free tool. It's for Linux. It's for OS X. It
13:04
looks pretty. I like pretty applications. It makes it very easy to see signals. Actually I mean we can, we'll test that in a second. It's only for Linux and OS X. So if you're on Windows, oh man. I don't know if this happened to anyone trying to install. Something happened. Looks like nothing
13:24
has actually happened. If you're on Windows you can actually use something called SDR#. SDR# also sort of kind of works on OS X. I tried to compile it with Mono but it kind of looked awful at that point. I think it was Mono's fault. Another tool I use is rtl_fm. rtl_fm is a console app that can use RTL-SDR and demodulate a signal. I'll
13:44
talk about modulation in a second. So these are all the tools I'm using. The cost of the tools, I told you like HackRF, a little over $300. RTL-SDR about $20. That's it. I'm using one or two other tools that I'll talk about in a bit. But this is very inexpensive and my research is
14:02
always focused on making this stuff super inexpensive. I want everyone to be able to access this stuff. So that's why I believe everything is open source, fully documenting everything and I hope more of you will get into this research because there's so much to be done. There's so many things that are just pwnable and they need to be pwned. We can demonstrate like the crazy security
14:22
weaknesses everywhere. So let's get back to this. Let's check out the FCC document for a garage door opener. So this says ASK, modulation type. ASK is amplitude shift keying. It's a way of actually sending digital data. So what that looks like is here we have a signal. At the top we have our actual binary signal. So 00110100010. An amplitude shift keyed
14:46
signal would look like the ASK version there in green. So basically when you want to send a signal, you want to send a one, you go high. When you don't, you send nothing. Frequency shift keying actually changes the frequency. Now amplitude shift keying is just like AM radio. So AM radio
15:02
is amplitude modulation. So when you listen to AM radio in your car, it's actually doing amplitude modulation where the amplitude of the signal is changing based off the frequency of the sound that it's trying to send. Where FM, or FM radio, is actually doing what FSK is doing. FSK is just for digital data and ASK is for digital data. There's PSK and a couple other modulation schemes.
15:23
This is what it looks like. If you're taking a device that you have no idea what it looks like, and half the time I'm looking at signals that I don't know where they're coming from, I don't know what they are, you want to be able to figure out what they look like. So here's an example of 2-FSK. Two simply means that the frequency shifting is between two different frequencies. You can have
15:43
like 4-FSK and other variations. So what you'll see in something like GQRX or a waterfall view is you'll see two separate signals kind of like going back and forth. For amplitude shift keying or OOK, which is on-off keying, you'll just see like on off, on off, on off. That's why it's called
16:01
on off keying. Actually I'm going to like alt tab. Maybe we can just open GQRX and see if that works. Sweet. So I have a remote here. Is there a spike? Okay, sweet. That's a
16:21
remote. So that's amplitude shift keying. We can see exactly what that looks like. And we can actually just record that. But I'll just quit. Okay. Let's go back to this. Cool. So we can do that. Now with rtl_fm or GQRX, you can actually save that data. You can save it as an audio file and then look at it in Audacity. It's a free audio viewer. So actually
16:45
why don't we do that too? Should we? Yeah, okay. We'll do that. All right. So we're going to do, I can't see that.
17:01
All right. So RTL, I'll put it on your screen in a sec. We know that this is 300 megahertz and then RTL is just a simple program that actually swaps between rtl_fm and HackRF FM depending on which I have plugged in. And we'll call it
17:20
defcon.wav. So I'm now recording a signal. I'm going to hit something. I'm going to hit something. I'm going to control C. We're going to open this directory. I'm going to take that file. I'm going to put it on Audacity. defcon.wav. Cool. So here we actually have the signal. And if we zoom
17:46
in, zoom, zoom, zoom. Enhance. Enhance. Enhance. Okay. Cool. So we see, all right, you see some cool stuff here. What just happened? All right. So what you're seeing is
18:03
if you look closely, zoom in a little bit more if I can. Man, I can't see that screen. I lost my mouse. Okay. I'll zoom in a little bit more here so you can see it really clearly.
18:22
All right. It refuses to zoom. So what you can see here is you can see sort of long signals and short signals. Now if I open this key, I will actually see those long signals as ones or ons in your key. Who's seen these remotes which have like dip switches in them? They're garage remotes, right? So they have a bunch of dip switches and that's essentially
18:42
your code and that's on a fixed code garage. So what's happening is those long signals are a one and the short ones are zero. So it's super easy to understand what's happening here. So we just recorded that live. Let's go back to this presentation. So that's essentially what we see here. We see that those dip switches within the remote control are exactly correlating to what we have here. Now this
19:03
after doing amplitude shift keying demodulation from rtl_fm, it does it for you. You just say I want to record at 300 megahertz and demodulate as ASK and that's what we get. So let's think about this for a moment. A lot of us have garages. Most garages will have like 10 or 12 bit dip
19:21
switches. So if we think about that, we will see that that means there's 2 to the 12 possible combinations which is not a lot. Let's calculate that real quick. 2 to the 12. 4,000 possible combinations for garages. So that's on the 12
19:41
bit garage. 4,000 combinations. If you have a two letter password for a website with just alphanumeric and a couple of keys on top, that will be more secure than your 12 bit garage code. So let's see how we can crack that. Now we don't even know if you have a 12 bit or an 11 bit or a 10 bit, 9 bit, 8 bit garage code. So let's say we just want to brute force the whole key space. If we do
20:02
that, each signal or each bit of a signal is 2 milliseconds plus another 2 millisecond delay from what I saw in audacity. And every time I hit the button, it actually transmits five times. So if we do that for every type of garage or every type of dip switch, then it will take about 30 minutes to open a fixed code garage. This is not applied to rolling
20:22
code garages. Newer garages like Intellicode, Genie, a couple of others actually use rolling codes. We'll talk about that later. So this will take 30 minutes to brute force. But I didn't want to stand outside for 30 minutes and my neighbors were looking at me really weird because I live with a bunch of other units and I'm just always outside with my
20:41
computer. And the garage is just like randomly opening and closing and opening and closing. So if we take a look at that signal closer, we see this. We can actually remove, instead of taking the five transmissions that we see on top, we only need to send one transmission. There's no point of sending code over and over and over. The reason that
21:02
devices do that is because they're cheap transmitters, they're cheap receivers. Sometimes the signal will be hard to hear. There could be some interference. So sending it more times helps ensure that the signal will be heard. But for hacking, we just assume we'll have something good enough that transmits well and that we will get it. So instead of doing five times, we only do it one time per
21:20
code. So that reduces, we divide by five, we get six minutes. Six minutes to open any fixed code garage. From there, I was chatting in the Ubertooth IRC channel and Mike Ryan suggested that I actually take away the wait times. So what happens is when you send a signal, you'll see at the top there's the signal on the top left and then a wait period
21:41
before the next signal. So he suggested just removing the wait period and just send them. Red, green, purple, blue, just in sequence without that wait period. So that removed another 50% of the time that it would take to actually open that. That reduced down to three minutes. Also, he's doing an awesome talk on hacking electric skateboards where he
22:02
just takes over your skateboard. So I'm pretty excited about that talk with Mike Ryan and Richo. I believe that's Saturday at 3 p.m., track two. All right. Let's hear it. Let me check that out. So that's pretty cool. But as I was looking at the signal, there's something interesting about the signal. There's no preamble or sync word. There's nothing to delineate and tell the garage
22:21
door that this is the beginning of a garage code. It's just raw data. It's like sending a packet without a TCP/IP header and just sending like an HTTP request without any IP header. Like it doesn't know where it's going or anything. So the garage is just blindly listening. And the question is how does it know where one code starts and the other ends?
22:41
I thought maybe it's using a bit shift register. And a bit shift register is essentially something that will take in a sequence of bits and as the buffer fills, once you have more bits available, it only drops one bit and then pulls in the next one. And then drops one bit and pulls in the next one. So what if I could do that with a garage? What if I could send, let's say, instead of 12 bits for one garage and 24
23:04
bits for two codes, what if I sent 13 bits? If it's a bit shift register, we'll have 12 bits that go in, it checks, is that the correct code? It will say no. And then it shifts off one bit, pushes everything over one bit and then takes in the next bit, the 13th bit and tests a brand new unique 12-bit code. So there must be an efficient way to do this. And
23:24
there's a guy named De Bruijn. De Bruijn? How do I pronounce his name? Who knows? De Bruijn? Okay, De Bruijn. De Bruijn was a mathematician who came up with a sequence to efficiently produce every unique combination of a number or a series of numbers so that you produce every possible
23:42
overlapping code. So here we see, if I want, let's say the garage was only two bits long, then I would need to send 00, 01, 11, 10, eight bits to cover everything. But with the De Bruijn sequence, we can actually just send five bits, 00, 11, zero, because everyone overlaps, right? The garage will first test 00, then it will test 01 in blue,
24:01
then 11 in red, then 10. So if we do that with 12 bits, it takes eight seconds. Now, theoretically we know how to do
24:21
it. So we actually have to implement this. So one of the things that I love using is the YARD Stick One. This is another device from Michael Ossmann. They'll be for sale soon. In the interim, you can also use something called the CC1111EMK. This device has something called the CC1111 chipset from Texas Instruments. It's basically, we'll talk
24:42
about that in a bit, but it's basically a sub-gigahertz radio. It can receive and transmit. And the software I use a lot for this kind of testing is called RFCat by Atlas. He's also doing a talk later today at 5 p.m. So I'm pretty excited about that. And RFCat is awesome. It's just a console app, no boxes like in GNU Radio where you're like
25:01
dragging and dropping with your mouse. Who uses the mouse anyway? With this, you can just talk to this command line, this Python command line, and here it says it will set the frequency to 433 megahertz. It will set it as ASK or on-off keying as we talked about earlier. It will set the packet length. We don't even need to do that. And then it will transmit hello. Instead of hello, we
25:21
could just transmit, you know, some binary. The garage code, for example. We need to set our baud rate to whatever the baud rate of the garage is. And another tool I've been using is from one of the most heinous, devious companies out there. Mattel. So a couple years ago, a hacker
25:44
found that the Mattel IM-ME actually has something called the Texas Instruments Chipcon 1101 chipset. It's a sub-gigahertz transceiver. It has a screen. It has a backlight. It has a keyboard. It has a little buzzer. It's battery powered.
26:02
And conveniently, there are pins for reprogramming on the back when you open it up. It's not protected. You can entirely rewrite everything. So this is actually a picture of Michael Ossmann's spectrum analyzer that he built. A couple of people have done some really awesome work on this. Dave, I think, originally found that you could hack it
26:21
and reflash it. And the amazing thing is Mattel created this. So they did batch creation of this essentially $20 toy for kids that's for communicating. It's for like texting your friends with this device. It's now discontinued so it's really cheap. It's like $20, $30 usually. Travis Goodspeed has done a ton of work with
26:40
GoodFET. Michael Ossmann has done a ton of work. This is a spectrum analyzer. Here's the GoodFET device by Travis Goodspeed. So I use the GoodFET for all sorts of things. Do it for 2.4 gigahertz hardware hacking. It's an open source JTAG adapter. You can use it for all sorts of stuff. So ultimately I didn't want to have to use the YARD Stick One in my computer to transmit because I already
27:01
wear a ski mask all the time. I don't want to have to sit with the laptop as well. So instead I just programmed the IM-ME to do that eight second attack. And that's what I call OpenSesame. Let's see if this video plays as an example of it in action. How much time do I have? Because I keep going
27:31
out of my thing so it keeps resetting the clock. What time am I good till? Like 1.45, 1.50? What time am I good
27:43
for? How much time? 20 minutes. Cool. I just want to know what time I am. Cool. 1.50. Sweet. So you can actually buy these IM-MEs. Unfortunately I released almost all of the source for OpenSesame. I bricked it just slightly. Something that probably everyone here could fix but just common thieves and
28:00
criminals wouldn't be able to. Unless they learn to code which is great. They'll probably just get a job. Unfortunately after I released it the prices went up a little bit. So I do have a brand new one that I programmed with Michael Ossmann's spectrum analyzer. So it's like a live spectrum
28:22
analyzer on here. Would anyone like this? It's a $900 value. Cool. I'll just run out and give it to somebody here. Who wants it? Oh my God. Damn it. Someone is going to have to come up here. No one who ran. Sorry. All right. Someone
28:43
in the second row. Second row. All right. Yeah. You. Do it. Here you go. What's that? So that has a spectrum analyzer
29:07
on it. I use it all the time. It's like more convenient than anything else I use because it's in your pocket. It's portable. It's my favorite color. So what do we learn from this? If you're implementing a garage door system or similar system based off simple radio signals, A,
29:23
don't use a small key space. No. Don't use fixed codes at all. Use like a preamble or sync word so that the De Bruijn attack doesn't work. Or use rolling codes. So now we're in
29:41
these awesome cars. And let's ‑‑ if I use my special VR headset, I can actually see all these connected cars. Amazing. Connected cars. So I started looking at some of these basic connections. Just the basic stuff that some of these devices have. This is a screen grab of the OnStar RemoteLink
30:03
app. So RemoteLink is actually a really cool mobile app for Android, iOS and Windows. What it allows you to do is locate your car wherever it is via GPS, lock, unlock, remote start, horn and lights. Definitely the most fun. And
30:22
also grab all sorts of PII from the user. So the owner. So you can actually see your name, your email address, your phone number, your home address, some billing information. So I was taking a look at this because my friend had a car that had this RemoteLink app. And I thought, okay,
30:41
well, it's obviously going over the network. Let's see if we can see some of that network traffic. So I got out my iOS device and I saw the certificate authority. I wanted to do some like SSL man in the middle sniffing. And I remember ‑‑ yeah, I always have sort of an SSL man in the middle certificate authority on there so that I can sniff. So I started sniffing this and this is a log‑in
31:02
request that we see. It's pretty much ‑‑ it's an HTTPS post to api.gm.com and there's some base64 encoding here. When we unzip ‑‑ when we ‑‑ sorry ‑‑ remove base64 we see the user name and password. Now it's not a big deal because I had like a certificate authority. This is my own phone. And then I remembered I had actually just
31:22
reflashed my iOS device. And I never installed that certificate authority. So I was man in the middling an SSL connection with an invalid certificate that my phone essentially behaving as a fresh phone didn't even know about. So there's actually no certificate handling. There's no certificate
31:41
checking at all. And what that means is if I'm on ‑‑ let's say if I'm on your network, I can then potentially ARP spoof or DNS spoof and ‑‑ who's texting me? I can ARP spoof or DNS spoof and take over that api.gm.com connection, do an SSL man
32:00
in the middle, no certificate warning, no issues, just for that host and we'll be able to see all the traffic such as user name and password. So we can do this pretty easily. We can ‑‑ you can take ‑‑ what I did was I took a Raspberry Pi. I took a GSM board, a FONA GSM board. I used Mallory which is an open source SSL man in the
32:21
middle tool kit. I DNS spoofed api.gm.com. And the reason I only did that was instead of man in the middling all traffic, if you open up any other ‑‑ let's say you open up Safari or app store or something like that, I don't want you ‑‑ I still want it to work. I don't want a man in the middle of that because then it will either not work or get certificate warnings. So now if I can get you on to my
32:42
Wi‑Fi network, I can do this. I also use iptables and Alfa cards for Wi‑Fi monitor mode, an Edimax Wi‑Fi dongle and a SIM card that you can put into the GSM board. And the nice thing is you can get prepaid SIM cards. T‑Mobile has a 2G network that you can get a prepaid SIM card. So if
33:03
you're a criminal, you wouldn't have to give up any information. You just get prepaid everything. Now one way I could potentially actually do this attack is by creating this device and then putting it under somebody's car. Then what I could do is create a network. So what's a network that I can probably get them to use? I thought, well, by
33:22
default, I'll just use attwifi. That's a Starbucks network. So if you've ever connected your phone to attwifi, you will connect to my device. As I woke up this morning, I saw attwifi in the hotel. I also saw NSA honeypot number 42. Which is funny because clearly NSA
33:42
honeypot was probably somebody's like phone and attwifi was probably the NSA honeypot. Now that's cool but there's no guarantee that they're going to jump on to Wi‑Fi. Maybe they've never been to Starbucks. Maybe they're more of a Coffee Bean person. Instead what I've done is I now
34:02
sniff for probe requests. So using the Alfa card, we can actually see probe requests from your phone. Whenever your phone is somewhere new, it will actually send out Wi‑Fi probe requests to networks it's connected to in the past saying hey, I connected here. Are you there? So I can actually see the name of a network that you've connected to in the past and on the fly generate that Wi‑Fi network. So
34:23
as soon as you go up to your car where I've left this device underneath, then your phone sends a probe request. My device says oh, okay, I'll make a Wi‑Fi network with that name in addition to attwifi, your phone jumps on, I SSL man in the middle, I automatically acquire credentials from Remote
34:40
Link if you ever open the app and indefinitely I then have access to your car. Here's the hardware I used. And again you see the Raspberry Pi, the Alfa Wi‑Fi dongle and a FONA GSM board. And this device I called OwnStar. Tested
35:02
it on my friend's Volt here. Actually a really cool car. I'm pretty happy with that. Let's see if that works. Oh, yeah, it says like only remote start when it is safe and legal. Which is true. You should only do that. Fortunately I
35:25
reached out to GM before releasing any details of this and they were actually ‑‑ while it was very difficult to get to anyone who knew anything about security or technology, I was going through support like oh, man, they're just trying to tell me no, sir, no, sir, your password is safe. Your password is safe. Trying to escalate from support at GM is
35:44
impossible. However, I finally got to a cyber security executive over there and it sounds like, hey, he was awesome, very easy to work with. They fixed it within days. I was really happy about that. They did a great job. Within a day just mentioning that this was going to be part of my talk, they
36:01
already resolved it on about 3 million RemoteLink apps. So what did we learn? A, validate your certs. Like always validate a certificate from a CA. Now if you don't trust the Hong Kong post office which has a certificate, which
36:21
is a certificate authority by the way and is trusted in most browsers, if you don't trust them, use your own certificate. Use certificate pinning. That way you're only ‑‑ you will only ever use your certificate. You'll ignore, even if the CA, even if VeriSign or Thawte or Hong Kong says, yeah, this certificate is legit, your device, your
36:41
mobile app will ignore it and only use yours. Also, hash your passwords with a random salt. Always assume that the network you're on is hostile. Because someone here is going to make that network hostile if it wasn't before. It doesn't matter if you're on a mobile network. Doesn't matter if it's cellular. Doesn't matter if it's Wi‑Fi. You are ‑‑ it is a hostile
37:01
network. So sweet. We did that. You know, that affected Chevy, Cadillac, GMC, Buick. There's one other thing I want to go talk briefly about. And that's key fobs. Which are pretty cool. Most people have a key fob, right? Raise your hand if you have one of these car key fobs that unlocks
37:22
and does cool stuff with your car. Sweet. Hold on, hold on. Scanning. Scanning. Amplification. So here's one that I took a look at. I took a look at a couple. This is called the NM95HS01 or 02 from National Semiconductor, now part of TI. It's called the high security rolling code
37:40
generator. And this is a signal. Now if you remember there's a lot more like bursts of data here. Also it's modulated a little bit differently. So with our previous garage signal, we learned that one was like a long signal was one and a short was zero. We'll talk about that in a sec. But what is a rolling code? Let's understand what a rolling code is. So let's say you have a car key.
38:04
Essentially it has a PRNG or a pseudo random number generator inside. And the same PRNG is in your car. So when you hit this button, it will send a code to that car. Now the next time you hit that button on your key, it will send the next code in the PRNG based off your initial seed. Now as long as both the car and the key
38:24
have the same seed, what will happen is the car will continue down that logical progression of the seed and you'll always match up. However, if you have the key in your pocket and you accidentally press it, you'll then be out of sync with the car. So the car also has
38:43
an allowance. So the car will allow something like 200 to 1,000 additional codes. That may seem like a lot, but fortunately most rolling code systems use such a large key space that 1,000 is really negligible. I'm seeing typically like 40 to 60 some bits for the rolling codes. So that 1,000
39:02
doesn't really help us. It helps us guess a little bit, but not much. We're not going to guess that code in this lifetime unless we have maybe a cryptographic attack on the rolling code. So it hits a button, sends the code, hit the button again, sends the next code. If you don't know the rolling code, you are not going to figure out what those numbers are unless you find some attack. So this prevents a replay attack. A replay attack is when we can sniff and
39:23
replay the same signal. So if you recall with our fixed code garages, if we sniff the signal, we can replay it later. It's kind of irrelevant because it only takes us eight seconds to brute force every garage out there. But this prevents replay attacks. Now one thing you can do about replaying rolling codes is you can actually capture a signal
39:42
while the remote is out of range and use that. So if I broke into your home, pressed your remote control and recorded that, I can then go to your car and unlock it for example. This is super lame because we actually need physical access to the device. And also, as soon as the key is pressed again, let's say the owner of the car goes to the
40:01
car and locks or unlocks, that will actually invalidate all previous codes. So what if there was another way that we could get that code, get that code from the user? And I found, and this has been basically known and talked about for years and years and years and years. And I've never seen actually demonstrated, I've never seen any code or
40:21
examples, legitimate examples of this. What if we jammed the signal? What if I'm at your car and I'm jamming that, let's say it's 350 megahertz and I'm jamming that signal. So when the user goes to their car and they hit unlock, the signal sends, my jamming device is sending a signal as well and the car won't hear it because now it's seeing so
40:40
much data. Simultaneously, what I can do is I found that most, when I say most, I mean every vehicle I've tested. We'll just say virtually all vehicles have essentially a receive window of a frequency that they're looking at. So if your key is 315 megahertz and your car is listening on
41:00
315 megahertz, technically it's actually listening probably between 314.5 and 315.5. So this is a receive window of about a 1 megahertz. 500 kilohertz plus or minus from the primary frequency. Now if I'm jamming somewhere in that frequency range, your car won't be able to listen to what I'm, listen to the key. So I jam that signal and you
41:23
hit the car, you hit the key and then I have a receiver as well. And my receiver has a nice, has a good chip and has a much tighter receive bandwidth. So my filter bandwidth is so much smaller that I'm evading or I'm avoiding any of the jamming signal. And I see your key code, your rolling code very clearly. So I now have a
41:42
rolling code that your car didn't hear. And I can use that at my leisure because they're not expiring. Now let's say I stop jamming and now I have this code and I'm happy. Well what will happen is the user will be like okay well that didn't work so they hit unlock again and it works and they drive away. My code is now invalidated. So again it will invalidate as soon as another code, a future code has
42:04
been set. All previous codes are invalidated. So instead what if I jam twice? What do you do when your button doesn't work on your car key? You hit it again. Now I have two codes. So with two codes we have, I now have two codes.
42:23
And then I stop jamming and I replay the first one. Because we automate this, this happens in under a second. So you go to your car, you hit unlock, that didn't work. You hit unlock, the device within a second stops jamming, plays the first one, leaves me with a future code that the car has not heard. This applies to garages as well. Any garage with
42:41
rolling codes. So we've now covered all of garages. So we can just jam, listen, jam, listen, replay the first code, abuse the next code later on. This is pretty incredible because it means I can go to your car later and do whatever I want to it. Depending on, when I say do whatever I want,
43:01
based off the key. Another thing I've found is that this works on remote start vehicles. So keys with remote start and remote start kits. This works. One thing I found that, so people have described this attack, another issue I found is that let's say you want to steal stuff from their car. You want to go up to their car and break in. Well,
43:22
if they hit lock, if the last thing they hit was lock and you, the last signal you'll have is a lock signal. So if you replay that, all you're going to do is lock the car. Well, I found most signals actually have the data field separate from the rolling code. So as long as you know the rolling code, you can change that lock signal and weaponize
43:41
it into an unlock signal and open their car. This is RollJam. This is a device I'll be releasing the full source and I probably won't be putting any specific cars in it, implementing any cars, but this is a device that you can use two CC1101 chips and a Teensy 3.1. One will actually do
44:04
the jamming and do the replaying whenever you hit the button or you can use an actual remote to trigger it. So if you put this under a vehicle, for example, and it will perform this full attack. I think that's about it. I'm out of time. It's worked on every car I tested. It felt really
44:24
good. The basic lessons, encrypt or hash your button. Use an HMAC to prevent bit flipping if encrypted. Use a time-based algorithm. We've had these RSA SecurID key fobs that would have a rolling code for at least 20 years. I
44:41
couldn't find how old they were. I was trying to look. I could not find. Now we have dual key lock, which came out this year, or I'm sorry, last year, which also solves this. This has been an issue that we've known about for over 20 years. It's been solved 20 years ago yet virtually every manufacturer is still implementing this off poor implementation. Another way is to use a challenge response. So
45:01
use a transceiver rather than just transmitting, you'll say, I want to unlock. The car will say, okay, here's my challenge and your key can receive that and respond appropriately. That's the best way to handle this stuff. I'll be releasing this stuff shortly. Thank you so much.