Cheap hardware can undermine the security of RF remote locks that use a “secure” rolling code system, for example to open a car door.
7 Comments
Tomi Engdahl says:
Meet RollJam, the $30 device that jimmies car and garage doors
Widely used keyless entry systems can be hacked in seconds with wallet-sized device.
http://arstechnica.com/security/2015/08/meet-rolljam-the-30-device-that-jimmies-car-and-garage-doors/
Over the past decade, keyless entry systems have largely displaced traditional physical keys as the means for locking and unlocking cars and garages around the world. Just push a button and the electronic devices transmit a secret code that activates or deactivates the lock, saving people the hassle of manually controlling it.
Now, serial hacker Samy Kamkar has devised RollJam, a $30 device that steals the secret codes so attackers can use them to gain unauthorized access to a car or garage. It works against a variety of market-leading chips, including the KeeLoq access control system from Microchip Technology Inc. and the High Security Rolling Code generator made by National Semiconductor. RollJam is capable of opening electronic locks on cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar. It also works against a variety of garage-door openers, including the rolling code garage door opener made by King Cobra.
Jam, steal, replay
RollJam uses a clever hack to exploit this system whenever it’s within range of a key and lock. The device contains two radios. The first jams the airwaves to prevent the lock from receiving the rolling code sent by the electronic key. Since the car or garage door doesn’t unlock, a user almost certainly will press the lock or unlock button again. Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code. Because the code was never received by the lock, it remains valid. By replaying it later—say, after the car owner has locked the car and walked away—RollJam is able to unlock the car or garage. Kamkar said he has tested the device on several makes of cars and all were susceptible.
The reason many electronic locks are vulnerable to RollJam is that a rolling code is invalidated only after that code or a subsequent rolling code is received. Devices like the RSA SecurID, by contrast, cause validation codes to expire after a specific amount of time.
At the moment, RollJam is about the size of a wallet, but with additional work it could be the size of a car key.
Tomi Engdahl says:
This Hacker’s Tiny Device Unlocks Cars And Opens Garages
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
The next time you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.
At the hacker conference DefCon in Las Vegas tomorrow, Kamkar plans to present the details of a gadget he’s developed called “RollJam.” The $32 radio device, smaller than a cell phone, is designed to defeat the “rolling codes” security used in not only most modern cars and trucks’ keyless entry systems, but also in their alarm systems and in modern garage door openers. The technique, long understood but easier than ever to pull off with Kamkar’s attack, lets an intruder break into cars without a trace, turn off their alarms and effortlessly access garages.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victim’s fob to open that car or garage again at will. “Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into,” says Kamkar.
Tomi Engdahl says:
This $30 device defeats almost any keyless car or garage door
http://www.engadget.com/2015/08/10/hacking-device-lets-thieves-open-your-car/
Car makers came up with “rolling code” after thieves figured out how to wirelessly steal codes from early keyless devices. The system works by changing the passkey every time you use a fob, preventing it from being used a second time. In theory, that makes any stolen code useless to an attacker. As with many of his hacks, Kamkar’s workaround is simple yet ingenious. Rolljam blocks the remote signal from reaching the vehicle with a pair of radios, then uses a third one to record the wireless code.
Naturally, the mark will try to use the fob again, and once again, Rolljam will jam the signal and steal the second code. But this time, Kamkar’s device will re-transmit the first code and unlock the car, so the victim thinks everything’s alright. Since your vehicle didn’t receive the second code, however, it can now be used by thieves to steal your car anytime they want. If the device is placed in proximity of a car or garage, it can keep stealing and retransmitting codes, ensuring it always has a fresh, working one.
My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.
Tomi Engdahl says:
RollJam — $30 Device That Unlocks Almost Any Car And Garage Door
Saturday, August 08, 2015 Khyati Jain
http://thehackernews.com/2015/08/rolljam-unlock-car-garage.html
Tomi Engdahl says:
Can other people unlock my car door with their remote?
http://electronics.howstuffworks.com/gadgets/automotive/unlock-car-door-remote1.htm
Rolling Codes and Encryption
Modern keyless entry systems broadcast on a frequency between 300 and 400 MHz (megahertz). But if your keyfob sent out just a single signal, then every fob would open every car of that make and model. To ensure that no one can use his or her fob to open your car door, it’s necessary to produce a signal that is unique to every car.
This is where rolling codes, also known as hopping codes, come in. Whenever you press the button to unlock your car, the exact frequency transmitted by the fob is changed, and the receiver inside the car only grabs onto that particular signal. In other words, the code “rolls” or “hops” each time you use it. A controller chip inside the car receives the signal and is responsible for changing the code each time the lock or unlock button is pushed.
Before this rolling code system was developed, thieves were able to use electronic devices called “code grabbers” to lock onto your keyfob’s unique signal. With rolling codes, the signal is unique every time, rendering a code grabber device useless [source: Lake].
In addition, the code is stored inside the car, not within the keyfob. A thief would need to break into the car to access the code, which defeats the purpose of getting it in the first place.
The numbers generated when the code hops are random. However, in theory, an astute hacker dead-set on stealing your car could find a way to anticipate the next code in the sequence. For this reason, the codes are encrypted as well, making each electronic keyfob have billions of possible codes.
However, no security system is totally foolproof. In 2007, a group of researchers discovered a vulnerability in the algorithm used by nearly every car manufacturer to encrypt their security codes. With this vulnerability, they found they were able to unlock any car made by that automaker with the keyfob from just one of them [source: Zetter].
Tomi Engdahl says:
RF Hacking: How-To Bypass Rolling Codes
http://hackaday.com/2016/03/06/rf-hacking-how-to-bypass-rolling-codes/
The RF signal transmitted from a modern key fob and received by the associated vehicle is only used once. If the vehicle sees the same code again it rejects the command, however there is a loophole in those carefully chosen words. The code must be received by the vehicle’s computer before it can be added to the list of spent codes. [AndrewMohawk] goes through the process of intercepting a code sent from a key fob transmitter and preventing the vehicle from receiving it in a thorough post to his blog. You can see this attack working in his studio quality reenactment video after the break.
[Andrew] uses the YARD Stick One (YS1) which is a sub-GHz wireless tool that is controlled from a computer.
Bypassing Rolling Code Systems
http://andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/
This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).
However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/.
For this post, already knowing the basics of AM/OOK and retransmitting these codes is pretty useful. If you are unsure, feel free to check out the previous entries on Hacking fixed key remotes with (only) RFCat.
YARD Stick One
YARD Stick One is a sub-1 GHz wireless test tool controlled by your computer.
https://greatscottgadgets.com/yardstickone/
YARD Stick One (Yet Another Radio Dongle) can transmit or receive digital wireless signals at frequencies below 1 GHz. It uses the same radio circuit as the popular IM-Me. The radio functions that are possible by customizing IM-Me firmware are now at your fingertips when you attach YARD Stick One to a computer via USB.
YARD Stick One comes with RfCat firmware installed, courtesy of atlas. RfCat allows you to control the wireless transceiver from an interactive Python shell or your own program running on your computer.
Hacking fixed key remotes with (only) RFCat
https://andrewmohawk.com/2015/08/31/hacking-fixed-key-remotes-with-only-rfcat/
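As an added illustration (not code from any of the quoted articles, from Kamkar’s device, or from the andrewmohawk.com post), this toy Python model shows the loophole that the Ars Technica and Hackaday comments above both describe: a counter-only receiver marks a code as spent only once it has actually received it, so a code that was jammed stays valid for later use, whereas a time-bound variant in the spirit of the SecurID contrast expires it. The key, window, TTL and HMAC-based tag are constructed stand-ins for illustration, not KeeLoq’s real cipher or any vendor’s protocol.

```python
import hashlib
import hmac

# Constructed toy model of a rolling-code lock (not KeeLoq's real cipher):
# the fob sends (counter, tag) with tag = HMAC(key, counter || ts); the
# receiver accepts any counter in a window ahead of the last one it consumed.
KEY = b"constructed-sample-fob-key"   # constructed, shared fob/receiver secret
WINDOW = 16                           # how far ahead of sync a counter may be
TTL = 30                              # seconds a time-bound code stays valid

def tag_for(counter, ts=0):
    msg = counter.to_bytes(4, "big") + ts.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:8]

class Receiver:
    """Counter-only receiver: a code is spent only once it has been received."""
    def __init__(self):
        self.last = 0
    def accept(self, counter, tag, ts=0, now=0):
        if not hmac.compare_digest(tag, tag_for(counter, ts)):
            return False
        if not self.last < counter <= self.last + WINDOW:
            return False  # already spent, or too far ahead of sync
        self.last = counter
        return True

class TimedReceiver(Receiver):
    """Hardened variant: the code also carries its transmit time and expires
    after TTL seconds, whether or not the receiver ever saw it (assumes the
    fob has a clock loosely synchronised with the receiver)."""
    def accept(self, counter, tag, ts=0, now=0):
        if now - ts > TTL:
            return False  # stale code, regardless of the counter window
        return super().accept(counter, tag, ts, now)

def jam_and_replay(rx):
    """Walk the sequence the articles describe against receiver rx.
    Returns (owner's forwarded first press opened the lock,
             stored second code still works an hour later)."""
    t = 1000  # constructed clock, in seconds
    first = (1, tag_for(1, t), t)           # press 1: jammed, stored, never reaches rx
    second = (2, tag_for(2, t + 5), t + 5)  # press 2: jammed and stored; press 1 forwarded
    opened = rx.accept(first[0], first[1], first[2], now=t + 5)
    later = rx.accept(second[0], second[1], second[2], now=t + 3600)
    return opened, later
```

With the plain counter window the stored second code is still accepted an hour later, because the receiver never advanced past it; the time-bound receiver rejects it even though its counter is fresh.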
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers find 24 cars from 19 manufacturers vulnerable to radio amplification attack that extends range of key fobs to open cars, start ignitions
Radio Attack Lets Hackers Steal 24 Different Car Models
http://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/
For years, car owners with keyless entry systems have reported thieves approaching their vehicles with mysterious devices and effortlessly opening them in seconds. After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times‘ former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car’s keyless entry system into thinking the key was in the thieves’ hand. He eventually resorted to keeping his keys in the freezer.
Now a group of German vehicle security researchers has released new findings about the extent of that wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops.
“This clear vulnerability in [wireless] keys facilitates the work of thieves immensely,” reads a post in German about the researchers’ findings on the ADAC website. “The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.”
That car key hack is far from new: Swiss researchers published a paper detailing a similar amplification attack as early as 2011.
list of vulnerable vehicles from their findings, which focused on European models:
The ADAC researchers pulled off the attack by building a pair of radio devices; one is meant to be held a few feet from the victim’s car, while the other is placed near the victim’s key fob.
The full attack uses only a few cheap chips, batteries, a radio transmitter, and an antenna, the ADAC researchers say.