Transcript for:
Security Vulnerabilities in Vehicle Systems

Hi everyone, thanks for coming. I'm Samy and this is Drive It Like You Hacked It. This is basically a fun talk I've just been continuously working on and improving as I'm doing research in a couple of different areas. A couple of really fun areas for me have been vehicles, radio, hardware, and we're going to focus a little bit on some of that stuff, which is really fun to me. We'll cover some web stuff as well and try to bring it all together in a fun way.

So we all love Nicolas Cage, right? Yeah, okay. I love Nicolas Cage. I saw Gone in 60 Seconds, it's like one of my favorite movies, so I've spent my entire life trying to be like him. So as Gone in 60 Seconds happens, basically Nick Cage is going around stealing cars, I hope I didn't spoil that for anyone, but to do that the first thing you need to do is get into a garage which has some really cool cars. So in the last year I've been looking at how I can break into garages, how garages work. Garages are pretty cool. We've all seen the clicker, right? Little garage clicker. I have one here. So I started learning about how these things worked, and my goal was to break into my own garage. I'm in a condo unit, so there's a bunch of different cars down there, and I wanted to see how this thing works. So I started learning a little bit about radio frequency and how radios and communicating with devices like garage door openers works.

So we're going to go in depth here and I'm going to show you how this stuff works; we'll actually do some live demonstrations. The first thing you do when learning about something with radio: there's something really cool. Any device in the US that actually transmits radio frequency has to have an FCC ID. So if you pull out your phone, all of our phones will have an FCC ID on the back. Like on my iPhone I see an FCC ID. Same thing with this garage door opener, which opens my garage. So what we can do is take one of these things and open up our garage, and if we look at the FCC ID... The cool thing about the FCC is that they regulate transmission in the US. So if you want to transmit on a radio frequency, the FCC has to allow that device or manufacturer to do it, and all of the information about that ID is public information. So you can go to the FCC's website, which is really, really hard to use, and search for one of these IDs. Fortunately someone named Dominic Spill has created a website called fcc.io, which I use all the time. Basically on fcc.io you can just type in the identifier from the back of either this garage door opener, or your garage door itself, or your phone. So if you pull out your phone you can look up the FCC ID and learn all about what your phone transmits on. It's actually very cool.

Inside of there we'll see a few things. The first thing we see is, often, pictures of the actual device, both the outside on the left here and the inside, so you'll actually see inside of that circuit. This is really cool if you're trying to look up information on, say, a device that you don't necessarily have access to, or a device that might be out of your price range, or a device that's not released yet, something that's coming out. You can go here and learn a ton of information; you can probably discover vulnerabilities or issues with the device before it even comes out. It's pretty incredible. So here's an example of my garage door opener. I looked it up, and the first thing we see here is where it came from: it came from China, obviously. You also see the range here, the frequency range. This is the frequency that it communicates on, and on this one it says the lower
frequency is 390 MHz and the upper is 390 MHz, so that means this communicates on one frequency, 390 MHz, which is pretty cool. So what else do we see on the FCC site? We see stuff like a cover letter, always a nice little formal letter they write; external photos like we saw; internal photos; a couple of different things. One of the more interesting areas is the test report. What the FCC does is they hire someone to come out and actually test your device, because the thing with frequencies is we're essentially sharing the spectrum. You don't want a device to just constantly transmit out and prevent other devices from working. For example, if this garage door thing were just transmitting all the time, it may prevent other garage door openers from working, and you wouldn't want to interfere with, say, someone across the street. So they do all these tests to ensure that it transmits on the frequencies it's allowed to, not more powerful than it should, and so on and so forth. So if we pull this up we can see the internal report, and we can often see a spectrograph, an actual recording of the radio signal transmitted by the device.

There are some different devices I use to actually listen to this kind of stuff. One of the devices, really cool, is the HackRF. It's capable of receiving and transmitting from 1 MHz all the way up to 6 GHz, a really wide range, totally open source, open hardware, a couple hundred dollars. It can also transmit, which is really interesting. People have done some really crazy stuff with this thing, for example spoofing GPS. People have literally spoofed GPS using this device or similar devices and have made ships go off course. Ships literally going off course, because what are they depending on? They're depending on GPS. How does GPS work? It's from radio signals getting sent from satellites down to the Earth, and we're using that to figure out where we are, and someone comes along and transmits a signal and you think you're somewhere else, or you think you're just going somewhere else. The amount of dependency that we have on these radio signals is massive, and it's growing every single day. So this is another reason that this is such an interesting thing and I'm so interested in this right now.

Now with HackRF, you may say, okay, well, I don't know anything about radio, and I know very little about radio personally, but you can do some pretty simple things. For example, if you're dealing with something that uses a fixed transmission, something where it's like a password: if you open your garage door opener, a lot of our garage door openers basically have a bunch of DIP switches, which is essentially a password, and that opens your garage. Now if I were trying to exploit someone's garage and trying to break in, what I might do is record that signal and replay it, and HackRF can do that. Now not all devices are capable of recording and replaying; often you need to know a lot more information about the signal, which we'll learn in a bit, but with literally two commands you can record and then replay, kind of like taking a microphone and a speaker and reproducing some signal. Now this will work in some scenarios, not in all scenarios. For example, cars will use something called rolling codes, which we'll go over later, where the password's changing, kind of like Google Authenticator or 2FA, right? Two-factor auth is essentially a rolling code where every time you get a new identifier or a new password to log into something.

Another device I use is the RTL-SDR. This thing's awesome, I have it right here. It's basically another antenna. SDR means software defined radio; RTL is from Realtek. HackRF is also a software defined radio. It allows you to use software and inexpensive hardware to analyze
the radio spectrum and also often transmit. RTL-SDR is great because it's like $20 on Amazon, so you can go right now, for 20 bucks get into it, start learning, and you can do so much. You can see planes going overhead. There's actually someone in LA who has been recording planes. It's public transmission: whenever a plane is flying, it's sending a radio signal of where it is, of its GPS coordinates and information about it, its unique name, and he started mapping it out just as a hobby, and he found that there's these planes that are just circling over LA. They're just going in circles, right? They lift off, they fly around, and then they circle. Why are there planes circling over LA? He started looking, and what's that? Correct, FBI planes. He's the guy who discovered that these are FBI planes going around, probably using something like Stingray to listen to our phone calls and text messages. So always say hi FBI when you pick up the phone. So RTL-SDR is another really cool example. He did that with RTL-SDR, it's a $20 device, and you can use free, open source software on your computer, no matter which major operating system.

GNU Radio: this is a fun, although complicated, piece of software. It's probably not complicated, it's just really hard for me to learn. I'm still trying to figure out how to use this thing, but it allows you to take radio signals, or actually any signal technically (you can just pipe audio into it), and manipulate it. You can run different filters on it and extract information or transmit information. So this is another really useful tool.

gqrx: this is an awesome tool. We'll actually use this in a minute, I'll show you how it works. Basically this allows us to see a waterfall view of the radio spectrum, so we can say, all right, I want to see from 300 to 301 MHz, I want to see everything that happens on there. This would allow you to, let's say you have a device and you don't have the FCC ID, or let's say you don't have access to a device, let's say you're outside of something and you have a black box, or someone's driving up to their garage and they're about to hit a button but you don't know what frequency their device is using. You can use this to essentially watch a waterfall of radio frequencies, and you will see when there is something with a high amplitude, when there is essentially a signal that's getting transmitted. It's really cool. This is for Linux and OS X only; if you're on Windows you can also get SDR#, another similar tool to do the same thing. Very cool. And the cool thing is there are people out there, like on Reddit there's a subreddit called rtlsdr, and you can go on there and people are just looking at the spectrum, because there are all these radio frequencies out there and we have no idea what a lot of them are. This is something that's invisible, right? It's essentially invisible to us, and usually when there's something invisible people just assume it's secure because we can't see it, we don't know how it works. More and more people are now playing in this area and researching and trying to find what all these invisible signals are, and a lot of it lacks security. It's really interesting, some of the stuff that's coming out of here.

rtl_fm: this is a command line tool that allows you to record signals with the RTL-SDR. So these are some of the tools that I use. The presentation will be available online, so if you want to grab it and do any research in here, you'll have access to all of that.

So let's go back to this FCC report. There are three things I usually look at when I'm looking at an FCC report for a device. Internal photos, because that allows me to see inside. If I can see inside I might be able to make out the chip that's being used. If I look at the chip I can
probably look up data sheets available for that chip, and I can learn all about what the chip is doing, the frequency it communicates on, the modulation, all sorts of information about it. I can look at the test report as well, and the test report will often provide some useful information such as what frequencies it uses, perhaps what modulation. And then also the user manual. There are always incredible pieces of information in user manuals that I find. A friend of mine was at Coachella, and he's like, yeah, I came back to my car and all my windows were down. And I was like, was anything stolen? He's like, no, luckily. So he's like, someone broke into my car and didn't take anything. I was like, huh, that seems weird. So I looked up the FCC ID, I was like, maybe someone hacked his radio thing, or his car key. I looked it up and I looked at the user manual, and there's just a section on how the car key operates and everything about the car key, and apparently if you hold one of the buttons down for enough seconds, all of your windows just roll down. I haven't told him; I'm going to use it against him.

So here's an example of a test report from my garage door opener. We can see the frequency is 390 MHz, we see the modulation type is ASK, we'll go over that in a second here, and a couple of other things about the device.

So let's talk about modulation a little bit. Who here has listened to the radio? Okay, cool. Younger people may not know what that is; it's like Spotify. So there are different types of modulation. It's basically how we encode data in a signal. There's ASK, which is amplitude shift keying, there's FSK, frequency shift keying, and PSK, phase shift keying. These are common modulation schemes that are used now, and these are specifically for digital data, when you're trying to communicate digital information over the radio spectrum. Now ASK is actually a type of amplitude modulation. Amplitude modulation is AM, it's literally AM radio. When you're listening to your AM radio, your radio is taking the radio spectrum at whatever frequency you're listening to, let's say 200 kHz, and the amplitude, which, if you're listening to a sound file, is the volume, essentially how strong that volume is, the amplitude defines what kind of sound you're hearing, or what frequency the sound is at. Frequency shift keying is frequency modulation, or FM. So FM radio: when you're listening to 102.7 you're actually listening to 102.7 MHz, and we can see that in RTL-SDR, and the frequency is actually not 102.7, it's actually a range, so it's more like 102.5 to 102.9, and the frequency changes depending on what that frequency should be. So in something like RTL-SDR, if we don't know what device is transmitting, we can look at it here, and on the left we see that there are kind of two signals coming whenever I hit a button, so that's probably something called 2FSK, or frequency shift keying, where the frequency is changing, and because it's digital it's just ones or zeros, so left or right means one or zero. And on the right we have ASK, which is amplitude shift keying, where it's just either there's a signal or there's not a signal, which represents a one or a zero.

So why don't we actually see what this looks like. I am going to open gqrx, and I'm going to use this RTL-SDR just so we can take a quick look. Let's see if this works here. All right, awesome. So we can see here I'm at 300 MHz, which is what this garage door opener is at, and whenever I press, we can see data. So that's pretty cool. If I didn't know what frequency it was at, we could go searching through. Here we have actual stations, right? So I'm at 100 MHz now, so we can actually see
FM radio stations, and I could actually demodulate this data. Let's see if that even works: demod. So we'd have to tune. Oh yeah, so we can actually tune to different stations here. That's my jam right there. All right, cool. So we actually know that this is at 300 MHz now. This is really cool, we can demodulate this data right in here. So now that we know it's at, again we'll look at it once more here, 300 meg, yep, 300 MHz, and because it looks like it's just one signal turning on and off, that tells me it's probably amplitude shift keying, or AM, amplitude modulation. So we can then use rtl_fm. Let me quit that. Let's see here, find my windows. All right, so that's going to be hard to see, but here, I'll just record it first, so I'll say rtl_fm, 300, test.wav. I'll press this once or twice. Great, Ctrl-C. What this actually does is produce an audio file, a WAV file, that we can then inspect. So I'm going to pull this up in Audacity, a free audio tool. Let me find the file here and I'll throw this in here. All right, cool. So this is Audacity. Here we can see I hit it twice: I hit it once here and then once here. So let's take a look at what this signal actually looks like. Zoom in. It looks like it's a repeating signal, it looks like the same information. Now who has opened one of these garage doors and had to set the DIP switches? You had to do that. All right, so we've seen those. Usually it's like 10 or 12 DIP switches. So let's zoom in. Can you guess what these relate to? So if I open mine right here, this thing is impossible to open. All right, no, I got it. I'll tell you what I have here. I have on and off DIP switches; mine is on, on, off, on. Let's just zoom in so we can see if there's any correlation at all: on, on, off, on, off, on, off, off, off, off. So basically we're seeing amplitude, we're actually seeing a signal. In this case it looks like a long signal followed by nothing; long is a one, and a short signal followed by nothing is a zero. So literally just by using this $20 device I've recorded, and I now know the code to my garage door. You could go around recording codes, just like in Gone in 60 Seconds, right? They go up to the garage, they use their little device, which probably didn't exist, and they are able to record the code. That's so interesting. All right, so let's go back to... oh man, I can't see anything. All right, I like where he's going with that. All right, let's see if I can figure out how to open... I can't, I'm not mirroring here, show all windows, man, enhance. All right, back to the slideshow. Okay, cool.

So we just saw gqrx and we saw this, right? So we actually analyzed that signal. We saw it was just a repeating signal; it repeats a bunch of times because amplitude shift keying, like if you've ever listened to AM, the audio quality sucks. It's the most inexpensive way to transmit information, but it's also the most prone to interference and people sniffing (you can really sniff anything though). So someone had a good suggestion: what if we brute force that? How long would it take? Well, if we take a look at these different garage doors, there are a couple of different things. Some are 8 bits, some are 10 bits, 12 bits; it's just on and off. So I recorded this one and it looked like it was 2 milliseconds per bit, with a 2 millisecond delay for each bit, and it sent five signals per transmission minimum. So if we calculate that for all the possible garage doors that I've looked at that use fixed codes, it looks like it would take about 29 and a half minutes to brute force. So basically 30 minutes to brute force someone's garage, which is pretty insane. So I was looking at this and I was like, well, can I do this a little faster? Because I have stuff to do, I can't just sit outside of people's homes for 30 minutes and do this. And I was looking and I saw, okay, well, if it's repeating the signal, what if we stop repeating the signal? It's repeating just
so that it can be more successful, but for the most part we're not going to have interference. So if we actually take out the repetition, we can reduce it to 6 minutes to brute force any fixed code garage. That's pretty cool. But looking at this further, I saw that there was basically this massive period of delay between every time it sends a signal. So I was curious: what if I took out that delay, where it's sending one password followed by another password, instead of a delay in between them? What if I just sent password, password, password, password? And that worked, it opened my garage. So that reduced it down to 3 minutes to open any fixed code garage.

And then I was thinking, how does it know where one password begins and one password ends? What if it's using something called a bit shift register? Now a bit shift register is basically a register where you pull in data one bit at a time, and it essentially performs a test. Let's say it's a four-bit register: it looks at the four bits and it performs a test, is this the correct four bits? If not, it then pops one bit off and shifts one in. Well, if that's the case, you wouldn't actually need to test all possible codes. For example, let's say we're just looking at a two bit code right here: 0 0, 0 1, 1 1, 1 0. Those are the four options; that's a total of eight bits. However, if we create something called the de Bruijn sequence (de Bruijn is a mathematician who discovered this algorithm to efficiently produce all possible codes that overlap), if we overlap these we can say 0 0 1 1 0. Now if we put them in a bit shift register we get 0 0 as the first two bits, and if we move over just one bit then we get 0 1, move over one bit we get 1 1, and then the last one, 1 0. So we've actually gotten all eight bits out of a five bit sequence. Now if we do that with every 8 to 12 bit code, we actually reduce this down to 8 seconds to brute force any fixed code garage between eight and 12 bits long. Eight seconds. Yeah.

TV-B-Gone: all of the infrared codes are basically public information for all the televisions. TV-B-Gone, you could do that, but TV-B-Gone specifically turns off TVs, so if you were brute forcing, what you'd actually end up doing is changing the volume, changing the input source, doing all this other stuff. TV-B-Gone specifically has programmed all of the IR codes for most of the different televisions, but you could definitely do something similar, because you will hit the off code at some point, right?

So at this point we have 8 seconds. Now this is just how to transmit; RTL-SDR does not actually transmit. This is just an assumption of how we can mess with this garage. So now we need a device to actually transmit. One device I'm a fan of is the YARD Stick One, also by Michael Ossmann. This has a nice radio chip for both receiving and transmitting. It's not software defined radio. Software defined radio allows you to take a signal you know nothing about and then perform all the modulation, demodulation, accessing and reading it in software. This is all hardware. There are pros and cons. The major con of something like this is that if you don't know what the signal is, if you don't know if it's frequency modulated or amplitude modulated, or the frequency, this is not going to be too helpful, because you have to tell this hardware: I know it's FSK, I know it's on this frequency, I know it's this data rate, show me the data or transmit the data. But if you know what you're looking for, or you know what you want to transmit, you can use this device, and there's a Python interface that you can use called RfCat. And there's another device that I like to use, from one of the most amazing technological companies of our time, Mattel. So Mattel creates all sorts of awesome toys for children, and one of their toys is called the Mattel IM-ME. This is a texting device for tweens to basically communicate with each other without being on the internet, where creepy people hang out. So with IM-ME you can text someone and it wirelessly transmits to a little dongle on a USB stick, and then it goes over the internet to your friend, who also has one of those USB dongles, and then wirelessly transmits to this little device, the IM-ME. The service is no longer active, they don't sell these anymore, so you can get them off eBay for like $10 or $20, and a couple of people have found that inside of this device is a really cool chipset from Texas Instruments. It's a sub-GHz transceiver; that means it can receive and transmit on virtually any frequency under 1 GHz, which is actually amazing. If you try to build a device like this yourself it might cost hundreds of dollars; thanks to Mattel and massive production you can get it for like 10 bucks on eBay. So Travis Goodspeed and some other people found out that you can connect to the back of this thing and reprogram it and do whatever you want with that transceiver. So this is the device I chose to use for transmitting across all the different garage frequencies, performing this attack, and I call this the OpenSesame attack. Let's see if it... oh no, oh no. How do we get this to... there should be a video here. Oh, I'm sorry. So that's an example of OpenSesame just running on my friend's garage. It takes a maximum of 8 seconds, which on average is 4 seconds. So awesome. One step down.

So I've released almost everything to do this. Obviously I don't want people breaking into people's garages, so I bricked the code so that it would not work; however, I released most of it so that people could understand how this type of attack works and also how to prevent it.
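As an added worked example (editor's code, not from the talk or from the released OpenSesame code), here is a Python model of the timing arithmetic above: the brute-force time for the talk's 8 to 12 bit fixed codes at 2 ms per bit with a 2 ms gap and five repeats, the reductions from dropping the repeats and the gap, and the de Bruijn sequence that lets a shift-register receiver see every code in one stream. It only generates bit sequences and computes durations; there is no radio code. The 8-bit sync word size in `sync_word_ms` is an assumption used to show why the talk's preamble mitigation removes the overlap trick.

```python
# Added example: timing model for fixed-code garage openers as described in the talk.
# Constants are the figures quoted in the talk; nothing here transmits anything.

BIT_ON_MS = 2                 # each bit is 2 ms of carrier (ASK: long pulse = 1, short = 0)
BIT_GAP_MS = 2                # 2 ms of silence after every bit
REPEATS = 5                   # the opener sends each code at least five times
CODE_LENGTHS = range(8, 13)   # fixed-code openers seen in the talk: 8 to 12 bits


def de_bruijn(n, k=2):
    """Cyclic de Bruijn sequence B(k, n): every n-symbol word over an alphabet of
    size k appears exactly once as a cyclic window. Standard FKM construction."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def linear_de_bruijn(n):
    """Cyclic sequence plus its first n-1 bits, so a shift register reading it
    linearly sees every n-bit code. Length is 2**n + n - 1 (5 bits for n=2)."""
    s = de_bruijn(n)
    return s + s[:n - 1]


def windows(bits, k):
    """All k-bit windows a shift register would test while clocking in `bits`."""
    return {tuple(bits[i:i + k]) for i in range(len(bits) - k + 1)}


def covers_all_codes(bits, k):
    """True if every one of the 2**k possible k-bit codes appears as a window."""
    return len(windows(bits, k)) == 2 ** k


def naive_ms(repeats=REPEATS, gap_ms=BIT_GAP_MS):
    """Send every 8..12 bit code as its own frame: 2**n codes of n bits each,
    (on + gap) ms per bit, `repeats` copies of each. Defaults reproduce the
    talk's 29.5 minutes; repeats=1 gives ~6 min; repeats=1, gap_ms=0 gives ~3 min."""
    return sum((2 ** n) * n * (BIT_ON_MS + gap_ms) * repeats for n in CODE_LENGTHS)


def de_bruijn_ms(n=max(CODE_LENGTHS)):
    """Clock one linear B(2, n) sequence with no gaps. Every shorter code is a
    prefix of some n-bit window, so the 12-bit sequence also covers all 8..11 bit
    codes, which is why a single stream of about 8 seconds suffices."""
    return len(linear_de_bruijn(n)) * BIT_ON_MS


def sync_word_ms(sync_bits):
    """Mitigation from the talk: if the receiver requires a sync word before each
    code, windows can no longer overlap, so the sender is back to one frame per
    code (plus the sync word) even with gaps and repeats removed."""
    return sum((2 ** n) * (sync_bits + n) * BIT_ON_MS for n in CODE_LENGTHS)


def minutes(ms):
    return ms / 60000.0


if __name__ == "__main__":
    print("2-bit example from the talk:", linear_de_bruijn(2))   # [0, 0, 1, 1, 0]
    print("naive, 5 repeats, 2 ms gaps: %.1f min" % minutes(naive_ms()))
    print("no repeats:                  %.1f min" % minutes(naive_ms(repeats=1)))
    print("no repeats, no gaps:         %.1f min" % minutes(naive_ms(repeats=1, gap_ms=0)))
    print("de Bruijn B(2,12), no gaps:  %.1f s" % (de_bruijn_ms() / 1000.0))
    print("with an 8-bit sync word:     %.1f min" % minutes(sync_word_ms(8)))
    for k in CODE_LENGTHS:
        assert covers_all_codes(linear_de_bruijn(12), k)
```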
Unfortunately, since I did that the prices have risen on the IM-ME, so if you do want one, reach out to me. I'd be happy to send you one if you're going to do some research in this area, because I bought them before they became kind of ridiculously priced.

So some lessons here. Don't use a ridiculously small key space just because it's invisible. Just because it's over radio and people aren't looking doesn't mean people aren't going to look. At some point people will look, they will understand the technology, your proprietary method is not going to help you; there's plenty of information on this. Require a preamble or sync word, which is basically something that says the password's about to start. That would prevent the de Bruijn attack, where you can actually have all of these passwords sort of rolling over each other. And then rolling codes, that's another thing we'll talk about. Rolling codes will prevent this type of attack.

So now we're inside of the garage, and there's some cool stuff we can do here. One thing that's happening is all of our cars are becoming connected, so great. A lot of new cars now have all sorts of different radios inside besides the AM, FM, SiriusXM radios. They often have GSM, they'll have GPS receivers, and they'll communicate with the internet. Who has OnStar? OnStar, yeah? So okay, a lot of you have OnStar and aren't raising your hand, that's okay. So actually any GM vehicle, GMC, Buick, Cadillac, actually has OnStar built in now. Whether you activate it or not is irrelevant; you actually have these features, and those features are connected to the computer of the car, the ECU, and the various other... our cars are no longer cars, they're no longer mechanical vehicles, right? They're now essentially a computer with wheels. So the computer controls so much. I mean, we have so many awesome features coming out in our vehicles, like assisted park, and all of these things, if there's something called assisted park, that means the vehicle's computer has control of the wheel, where before it used to be simply mechanical. Now it's a computer that's actually able to turn your wheel.

So OnStar has a very cool feature: they have an iOS and Android app. A friend of mine actually had OnStar with the same car, and I was playing with this stuff, and he said you can play with my vehicle if you want. So I was playing with the app, I downloaded OnStar, it does some cool stuff. It lets you see where your car is, lets you do a couple of things. There's a key fob access: you can lock, you can unlock, remote start, hit the horn and lights. I tried that a few times while he was driving, but fortunately they don't allow you to activate the horn and lights while you're driving, which is smart. So I thought, okay, I'll check out this communication. I assume it's encrypted with SSL, so I'll install my own CA, my own certificate authority, on my phone and I'll sniff the traffic. Lo and behold, it wasn't encrypted. I installed the CA, or, I usually have my own certificate authority installed on my mobile device, and I started sniffing, and because I was using my own CA I could actually perform an SSL man-in-the-middle attack. Again, this is only on my own device; I can't do this on someone else's because they don't have my certificate authority installed. My certificate authority tells my phone that, oh, Samy's House of Cards CA is a legitimate authority, you can use his key instead of the legitimate GM or OnStar SSL key. So once I decrypted the traffic I saw nice HTTPS requests in plain text. I saw some base64, pulled out the base64, and of course the password and username are right there. Okay, so make sure to not use the OnStar app on a network that you don't trust. But as long as you don't have someone's CA, they shouldn't be
able to decrypt that traffic. And then I realized I had just reset my iPhone. I forgot, something happened and I reset it, so I actually didn't have my certificate authority installed, which means the app allowed an invalid certificate authority to decrypt traffic even though it had no idea who Samy's House of Cards was. So the GM app was not looking at an SSL CA; it will blindly accept any SSL key. That means as long as you have someone on your Wi-Fi network, which is very easy to do, and they open that app, you can decrypt all of their traffic for that app. I thought, wow, this is absolutely insane.

So, how can I exploit this? I created a device with a Raspberry Pi computer, a phone, a GSM board, Mallory, which is open source SSL man-in-the-middle attack software, some DNS spoofing so that the user wouldn't actually detect anything (I only took over api.gm.com, so anyone using OnStar, but all of their other traffic would still continue to go through the correct servers and correct SSL certificates), and a couple of other things like an Alfa wireless card. And then I thought, okay, how do I attack my friend? How do I get him to jump onto my network? Now fortunately you can do things like use common Wi-Fi network names like attwifi or Starbucks, things that you know they might be on, but there's actually something pretty cool here. Another thing our phones do is send out probe requests. So if your phone doesn't see your network, it will actually send out probe requests saying, hey, I'm looking for a network, in this case named tadong, is there a network named tadong out here? And you can say yes. It actually tells you the network name it's looking for, and with that information you can generate a network on the fly, which it will then join, assuming that it's the correct network. It's actually our phones, our devices, our computers, our laptops, none of them actually look at the MAC address; they're only looking at the network name. Now this is only for open networks. If your phone has only connected to encrypted networks, fortunately this attack will not work, but I'm assuming almost everyone has at least connected to one open, unencrypted network before: attwifi, AT&T Wi-Fi on almost all iPhones, absolutely; NETGEAR; Linksys. And the cool thing is you can just launch all of them, right? So if you come near my house you may actually see like 10 different network names for all the common ones. So with under $100 we have a little device that I threw under my friend's car, and was able to, at some point... let's see, OnStar, yes, this is an app called OnStar now. So here I am, and once I acquired his credentials I was then able to unlock his car, remote start it, and basically do anything to his car at that point.

And then I tested BMW, which also did not check SSL certificates, and I checked Mercedes-Benz, which did not check SSL certificates, and then I tested Chrysler Jeep, which did not test SSL certificates. This is a massive issue in virtually every... I'd say this was like five out of 10 of the car apps that have the ability to unlock a vehicle. I only cared about the apps that actually did something important; five of 10 did not perform SSL CA validation. So the lesson here: if you're going to do this, either validate certificates from a CA, which actually I wouldn't necessarily suggest anymore. The nice thing about a CA is you can turn off your keys if they ever get stolen; however, there are a lot of certificate authorities out there. For example, you wouldn't want the Hong Kong Post to be releasing keys for you, but they have that full capability. They can say they own gmail.com if they want, and we've seen CAs get hacked before, or accidental keys for gmail.com get released before. So better yet, use certificate pinning; this way
your the the app that you release has a key in it you have that key those are the only people who know about this key no one else can you know avoid that um also hash the passwords like don't just B 64 everything right hash your passwords use assault make it difficult even if someone does obtain this information who knows how someone will break into your device sometime in the future there will be new attacks they will extract information in different ways and always assume you're on a hostile Network just always assume that so now we've broken into some cars um we'll go through this uh now there's another interesting thing that I've seen a lot of these vehicles use and a lot of the key fobs they all use something called rolling codes so rolling code is like we talked about before with the ca uh the code actually changes every time kind of like tofa you get a different SMS message or your Google Authenticator sends you a different number every time and that's great that's actually a really good way to prevent an attack like the key like the garage door attack right open sesame where we have a fixed code also rolling codes are much much longer they're not like silly 12- bit codes that you can break in a couple of seconds so that's a that's a nice thing I'll quickly run through some um Hardware attacks that uh if you're ever looking at Hardware that you don't know some of the devices I was looking at I was actually finding that they would actually Mark the chip off they would actually scratch off the name so I couldn't look up the data sheet and see what what it was using um so in that case what I use is I use a couple of things I use a logic analyzer logic analyzer just looks at looks at information looks at digital information going on a wire so you can connect pins to each of these pins um I use these SMD micro these micro probes so I can connect to like really small uh really small pins off of chips uh I also use a a multimeter um you can measure voltage with the 
multimeter off different different pins on a chip and when I'm looking at a chip that I don't know anything about I'll start mapping it out I can use the multimeter to find the ground and to find power so I can mark all the ground and Power power pins um also I can use the logic analyzer and I can look for certain things that look like a clock signal a clock signal will just look like a square wave or pulsewidth modulation um once I do that if I know what frequency it's communicating on which I should be able to learn with something like an rtlsdr or hackrf I can then download all the data sheets I can find for something that does that let's say it's communicating on 2.4 GHz I will download all the data sheets of transceivers on 2.4 GHz and then I'll take all their pinout pages and I'll look at them and I'll compare do any look similar to what I have do any have the same number of pins do any have the grounds in the same places the voltage in the same places the clock in the same place and if so I've now discovered what chip that that device is being used despite them trying to you know scratch it off um using the logic analyzer and data sheet I can see how that chip is communicating with the device what commands it's sending then I'll learn all sorts of other information like if there's encryption uh I might learn a key I might learn you know what's what it's using um I can extract all the serial communication how it communicates with that device and I can then build an interception device um which is pretty fun so uh at this point let's take a look at my car um my car uses something called rolling codes now if you look at this there's a ton more data in this code so this would actually take years and years and years to brute force uh and it's only good once so as soon as you use this code it will never work again again so when I hit the kick clicker on my car to unlock that code is used and my car knows that this code is no longer valid which is great so let's 
understand how rolling codes work there's basically a random number generator in your car and in your key and they're synced um there's actually like a rolling window so when you press the unlock button your car expects that unique identifier that unique code but now that the car is heard it it says I will never accept that again so if someone was sitting out if Nicholas Cage was outside of your home and he like sniffs this identifier and he tries to use it later on to replay it's not going to work because the car says oh I've seen that code before I will not accept it I will only accept the next code um and there's a rolling window so in case you know in case the the key is in your in your pocket and you hit it a bunch of times out of range of the car then you go back to the car the car will say oh you're actually out of range but it's okay you know you're you're in the future right you're not using a past code you're just a little bit in the future you probably hit the button accidentally a few times that's okay now that's only a small window so it's it's hard to uh use that to attack so I was trying to find ways of replaying rolling codes of attacking that the only you know the major way I could think of was the only way is to capture a signal while you're out of range of the car so if you like break into someone's house take their car hit the button record it and then go back later and then replay it now all of most cars these days also use this for starting the vehicle as well so these attacks are actually not only for unlocking vehicles but Al also starting um now this is is a really lame attack I think if you're in their house and you have access to their key you should just take it um so how can we how can we get around this what if we Jam what if we Jam the code now again these keys are inexpensive so they're I mean they'll charge you like $300 to buy one but they're actually really cheap um so it's it's actually very easy to interfere with this 
communication so when someone hits their button if you're actually transmitting as well in fact if you even have the same a similar key and you hold down the unlock or lock button of your key while someone tries to unlock their car they won't be able to unlock their car you can actually do this for kind of a wide range um it's kind of funny to watch uh but you can basically easily interfere with this communication so so worst case scenario they might have to like pull out their key now who has hit their button of their key and it didn't work once that happens right and you just hit it again and it typically works right there was some interference or you didn't hold it long enough so what if I Jam just slightly off just slightly off the frequency and I also listen I also use a similar device to listen I can actually be very specific and listen to just that signal and listen to their code and ignore my jamming because I know where I'm jamming I can ignore that piece of the the signal the problem is once I've recorded that signal that the car is not heard I can use that signal now I can use it to unlock however they're going to keep hitting it until it works and when it works when the car does hear their unlock code all previous codes get disabled so the code that I've acquired is now no longer useful however as we're human we all follow a simple pattern if I jam and I listen and I get one code and I keep jamming so you go up to your car you you hit unlock it doesn't work you hit unlock again it doesn't work two times in a row but I've listened to both codes and I've extracted those two passwords I now take those two and I only replay the first one so now the carard does on the lock on the second time but I'm using the first code so later on when you go home and you lock your car I still have an unused future code that I can unlock your vehicle because there's actually no timing right it's all about just the order of the sequence of these codes so you can essentially 
trick the user by playing the first one on their second time and of course you can automate this um so this is an attack I call roll Jam I've demonstrated with about 30 in hardware and there's so many other attacks in this area I mean it's such I think it's such an exciting area because you have cars coming out this year in 2016 that will actually communicate with other vehicles on the road it's called v2v so there's so much other radio communication that's going to be happening um you know cars are able to use ultrasound to see if there's something in front of them but what if you send your own ultrasound right what I mean you can generate ultrasound it's just sound at a higher frequency what if you send that to a vehicle you can make it believe that someone is in front of you you can you can send communication to cars saying that it's it's really rainy so slow down you just make everyone slow down around you I mean you can do all sorts of stuff um it's crazy and it's scary and it's exciting uh there's so so many other interesting attacks um I was also looking at my at my car and I found that if they're locking the vehicle if they're hitting lock lock lock and I record that data or inter interfere with that data well I can't use a lock to like that's no good I can't what what fun is locking their car however I found in the signal as I was looking at the data sheet I found that the rolling code is one part and then the command is the second part so I could change the command from Lock to unlock and use the same code as long as I jammed and interfered their lock command then I can use that lock command to unlock so even though it hit they hit lock later on I come over I S I send an unlock just by changing that bit because it's just a command not tied to the code in any way um here's the the device itself I tested on a lot of cars it unlocked a lot of cars and it was beautiful um lessons I mean in you know encrypt hash those buttons together so if if you're sending a 
lock command for example and of course this this works anywhere this will work on HTTP like you should use these same uh these same methods um encrypt that encrypt or hash that communication together right hash the key hash the key with the uh command um use hmax uh time based algorithms there's actually something called uh I mean we've had secure ID for 20 years now right those RSA RSA tokens which uh are essentially 2fa we've had those for 20 years and every 2015 car I've attacked has had this issue um we can implement this stuff this stuff exists we know about these we know about these problems and we know how to solve them um also you can do challenge response with transceivers rather than just cheap receivers so there ways of fixing this um and you know that that's that's about it that's that's what I have for you um thanks so much for coming I hope you guys enjoyed it and uh happy to take any questions thanks yeah yes did you report any of those apps that accepted I reported all of them yeah communicated with what did they do they fortunately they all came out with new apps um well the first one GM did not re reach out I mean it was impossible to contact them they had no like uh uh um they had no way for researchers to reach them uh so I called them I went to the support I escalated I emailed uh I went through their website I mean literally never heard back and then uh I then I released a demonstration I didn't release the code or anything uh and then I got called the you know like within 24 hours and then bz BMW Etc they all did fix I mean everything everyone fixed it within a few days which is great because it just an app update yes reports you file uh none of them had none of them had Bounty programs or none of them had security presences that I could actually communicate with it was literally I mean literally all of these companies I had to just uh they had no security response right this is this is new areas at least for the vehicles um now GM does now 
GM does have a security program I'm sure they do yes and correct because so this is the this is the device um I have actually a new device I've created that's smaller and cheaper this is $30 and you put it under their car so it always has the next code oh I see yeah so you just it literally they have to press the button twice every time and we adapt pretty quickly we just get used to it right now you just hit it twice like works the second time every time what's that absolutely that's a great idea yeah actually you could do that so you only need to inconvenience them once that's a good point I didn't think of that successful field test that correct yes many many field tests you'll actually see the the lot is like half empty now thanks for [Laughter] coming any other questions yes sure yeah I mean the amplification attack is really interesting right a lot of us have keys that we keep in our vehicle or we keep in our pocket and we can go up to our car pull the door and it'll send a signal out that our key detects and then it will perform a challenge response back right and for starting the car it actually uses the signal strength so it knows that you're in the car so if the signal strength is too low it says oh you're outside of the car I'm not going to start the vehicle you have to be inside the car but as you say you can perform an amplification attack where you actually let's say you have two people right and you go up to the car you pull the door it sends the signal your device amplifies that signal or sends it wirelessly somewhere else that gets retransmitted near the door or near the near the person's car key in a restaurant or outside of their house and yeah you can then unlock and start their vehicle and drive away and vehicles cannot stop if they detect the keys no longer in the car it would' be too dangerous right if you're on the freeway or something what happens so the car will continue to go and you take it to your Chop Shop yes that's correct uh all of 
them do have some amount of timing um but it's lacks enough that you can perform the attack in every case that I've seen yes yes um no I know yeah I mean they're all you know Vehicles they're all using some of the same chipsets from the same companies um so it's all the same attack yeah yeah yeah absolutely you know I mean I feel like this is you know I think we were talking about it earlier like this is the web 10 years ago right 10 15 years ago everything had xss everything had SQL you know sqli everything had RFI now only most things have xss and sqi and RFI so I think in another 10 years hopefully we'll have a lot more hardware and radio security I hope so yeah I suspect we will yeah uh that was a different that was someone else yeah yeah yes what security people no no seriously I don't think they have security people I think that's a new thing right yes Le Scag oh interesting wow I didn't know that that's very cool awesome yeah yeah okay well thanks so much everyone all right [Music]
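The two receiver behaviours the talk describes, as an added example that is not the speaker's code and not any vehicle's actual protocol: a rolling-code receiver with a look-ahead window in which the command byte travels unauthenticated next to the code, beside the "hash the key with the command, use HMACs, use time-based algorithms" fix from the lessons. The shared key, the window size, the 30-second freshness tolerance and the class names (WeakFob, WeakReceiver, HardenedFob, HardenedReceiver) are all constructed for illustration; the code is derived from the counter with HMAC-SHA256 as a stand-in for a fob's synced generator.

```python
"""Model of a rolling-code key fob and car receiver (constructed example).
The weak variant leaves the command outside the code, as the talk describes;
the hardened variant binds counter, command and send time with an HMAC."""
import hashlib
import hmac
import struct

# Constructed shared secret; a real fob key lives in the fob and car, not in source.
KEY = b"constructed-demo-key-not-a-real-fob-key"
WINDOW = 16      # how far ahead of the last accepted counter the car tolerates (assumed)
MAX_AGE_S = 30   # freshness tolerance for the time-bound variant (assumed)


def rolling_code(key: bytes, counter: int) -> bytes:
    """Per-press code derived from the synced counter (stands in for the fob generator)."""
    return hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()[:8]


class WeakFob:
    """Sends (rolling_code, command); the command is not covered by the code."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: str):
        self.counter += 1
        return (rolling_code(self.key, self.counter), command)


class WeakReceiver:
    """Accepts any unused code within WINDOW of the last accepted one, at any time."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, msg):
        code, command = msg
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, rolling_code(self.key, c)):
                self.last = c          # every older counter is now dead
                return command
        return None                    # unknown or already-used code


def bound_tag(key: bytes, counter: int, command: str, ts: int) -> bytes:
    """Tag binding counter, command and send time together (the talk's HMAC lesson)."""
    data = struct.pack(">I", counter) + command.encode() + struct.pack(">Q", ts)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class HardenedFob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: str, now: int):
        self.counter += 1
        return (self.counter, command, now,
                bound_tag(self.key, self.counter, command, now))


class HardenedReceiver:
    """Rejects used counters, stale timestamps, and any altered field."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, msg, now: int):
        counter, command, ts, tag = msg
        if not self.last < counter <= self.last + WINDOW:
            return None                # replay of a used code, or too far ahead
        if abs(now - ts) > MAX_AGE_S:
            return None                # a code captured earlier and held back
        if not hmac.compare_digest(tag, bound_tag(self.key, counter, command, ts)):
            return None                # command (or any field) was modified
        self.last = counter
        return command


def receiver_properties():
    """Run both receivers through the situations the talk describes."""
    out = {}
    fob, car = WeakFob(KEY), WeakReceiver(KEY)
    first = fob.press("unlock")
    out["weak_fresh"] = car.accept(first)                  # "unlock"
    out["weak_replay"] = car.accept(first)                 # None: code already used
    held = fob.press("unlock")                             # a press the car never heard
    out["weak_held_later"] = car.accept(held)              # "unlock": no timing at all
    lock = fob.press("lock")
    out["weak_swapped"] = car.accept((lock[0], "unlock"))  # "unlock": command unbound

    fob2, car2 = HardenedFob(KEY), HardenedReceiver(KEY)
    t = 1_000_000                                          # constructed clock value
    first2 = fob2.press("unlock", t)
    out["hard_fresh"] = car2.accept(first2, t + 1)         # "unlock"
    out["hard_replay"] = car2.accept(first2, t + 2)        # None: counter used
    held2 = fob2.press("unlock", t + 5)
    out["hard_held_later"] = car2.accept(held2, t + 600)   # None: too old
    lock2 = fob2.press("lock", t + 700)
    swapped = (lock2[0], "unlock", lock2[2], lock2[3])
    out["hard_swapped"] = car2.accept(swapped, t + 701)    # None: tag mismatch
    out["hard_lock"] = car2.accept(lock2, t + 701)         # "lock": genuine press
    return out


if __name__ == "__main__":
    for name, result in receiver_properties().items():
        print(f"{name:16} -> {result}")
```

The hardened receiver still needs a clock in the fob, which the talk notes is a real design cost, and the window check alone (without the timestamp) would still accept a held-back future code; the freshness check is what closes that, and challenge-response with a transceiver would close it more robustly.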