Breaking RF Unlock Codes - Presented at TriKC 0x01 (November 2014)
23
Breaking RF Unlock Codes They said it couldn’t be done
-
Upload
archwisp -
Category
Technology
-
view
345 -
download
5
description
Attacking the rolling code cryptography used in remote entry systems to unlock cars
Transcript of Breaking RF Unlock Codes - Presented at TriKC 0x01 (November 2014)
Breaking RF Unlock Codes
They said it couldn’t be done
Bryan C. Geraghty
@archwisp
Security Consultant, Security PS
Over the next 15 minutes…
My Goal
My Prior Knowledge
The Target
Attack Hardware
Attack Software
Signal Analysis
Cracking
LIVE DEMO
What’s Next?
The Goal
Unlock a car by forging a radio frequency signal
A jamming & replay attack has already been published
I will not be talking about that
This attack exploits the predictability of unlock codes
This is not a man-in-the-middle attack
I have not found any published research on this
Disclaimer
I have not completely broken the codes… yet
I will not be releasing any of my code… yet
I will not be disclosing car models… yet
Prior Knowledge
Before starting on this project, I had done:
A lot of programming
No work with RF whatsoever
Some cryptanalysis
A little bit of research on RF signal analysis
I submitted my proposal for this project in June 2014
The Target
Most modern vehicles can be unlocked with a key fob
Sends a code that unlocks the car
Rolling code system mitigates replay attacks
Attack Hardware
Software Defined Radio Receiver RTL2832 w/R820T
Adafruit - $22.50
RF Link Transmitter - 315MHz
WRL-10535
Sparkfun - $3.95
Total: $26.45
Attack Hardware (Alternate)
HackRF One
SDR Transceiver
SparkFun - $299.95
Attack Software
SDRSharp
SDR Tuner
Capture data
FREE!
Custom Code
Frame Dumper
Demodulator
Encoder
Signal Generator
TIME!
Signal Analysis
Find and capture the signal
Signal Analysis
Yay! I captured some funny sounds! Now what?
Signal Analysis
Dump MSB from one channel of WAV frame data
Signal Analysis
Identify threshold value for binary conversion
Threshold:
If the hex value is
greater than 32, it
gets converted to
a 1. Otherwise, it
gets converted to
a 0.
Signal Analysis
Pulse-width demodulate the binary data
Another
Threshold:
If the pulse is longer
than 28 bits, it gets
converted to a 1.
Otherwise, it gets
converted to a 0.
Signal Analysis
Hex encode the binary data for analysis
Signal Analysis
Capture samples!
Signal Analysis
Analyze the samples
Cracking
I identified a bunch of patterns
I wrote some code to:
Identify more patterns
Generate signals using these patterns
Compare them to sample signals
I’ve gotten very close
Let’s see how close…
LIVE DEMO
Let’s hope this works…
Just in case the demo didn’t work…
What’s Next?
Keep trying!
Find a PRF cracking expert
Collect hardware not attached to cars
Collect samples from more vehicles
Remote Start!
Thank you
![Planar VM Series Displays · 2019-07-19 · Header Monitor ID Category Page Length Control Data[0] Data[1] Checksum Description 0x21 0x01 0x00 0x00 0x04 0x01 0x00 0x03 0x26 If the](https://static.fdocuments.in/doc/165x107/5f673a563c870d32c072eb03/planar-vm-series-displays-2019-07-19-header-monitor-id-category-page-length-control.jpg)
